Re: Ascend-Data-Filter with srcip from ippool

2008-04-02 Thread Alan DeKok
Andreas Kalb (akalb) wrote:
 Now I'm back to my original problem, where I wanted to use an
 Ascend-filter with entries matching IP-address from pool. I still don't
 know how to change the order of modules to make the IP-address known to the
 files-module and would appreciate your guidance again.

  You don't have to.  You can add the ascend data filter via unlang,
in the post-auth section, right after the test_pool module is called:

post-auth {
    ...
    test-pool
    if (ok) {
        update reply {
            ...
            Ascend-Data-Filter := "ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32"
            ...
        }
    }
}

  Again, this is documented.  See man unlang, and the examples.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy to 2 servers

2008-04-02 Thread Alan DeKok
Mikhail Novikov wrote:
   You have to configure the server to log to the detail file (or
  multiple detail files), and then read that, and proxy those requests
  to another server.
 
 How can I configure the server to read the log file and proxy the
 requests to another server?

  raddb/sites-available/copy-acct-to-home-server

 Which options exactly should I write in configuration files?

  The options are documented in the configuration files and in the examples.

  Alan DeKok.


RE: Ascend-Data-Filter with srcip from ippool

2008-04-02 Thread Andreas Kalb (akalb)
Hello Alan,

Seeing your result, I better understand unlang and how mighty it is.
Thx for your patience. All working perfectly well now.

Kind Regards,

Andreas 



Re: frammed ip adress

2008-04-02 Thread David Hláčik
Thanks Ivan

So if I understand correctly, I need to name and configure IP pool parts in
radius.conf and then use this name as a Pool-Name in LDAP? Is there a
chance to specify the range directly in LDAP and not in the IP pool?

Thanks!

D.

2008/3/26 Ivan Kalik [EMAIL PROTECTED]:

 Pool-Name. Have a look at ippool section of radiusd.conf.

 Ivan Kalik
 Kalik Informatika ISP


 On 25/3/2008, David Hláčik [EMAIL PROTECTED] wrote:

 Hi, in my working solution, I have pptp (vpn) configured with radius
 using LDAP.
 Each user has a value Framed-IP-Address which will assign him an exact IP
 address.
 
 Currently I am rebuilding the ldap structure to groups. And I want the users
 which will be members of group foo to have dynamically assigned IP
 addresses from pool 10.123.40.0/255.255.255.0. How can I achieve this? Which
 radius attributes should I use?
 
 Thanks a lot!
 
 


Re: Free Radius ISP and windows domain logins

2008-04-02 Thread Ivan Kalik
Their DUN password is empty.

Ivan Kalik
Kalik Informatika ISP


On 2/4/2008, Andrew D (Webzone) [EMAIL PROTECTED] wrote:

Hi there,

We are using freeradius 1.1.4 on fbsd5.5 for auth as an ISP.

We occasionally have dialup users that auth with a windows domain login
(without the domain set)

It is connected to a mssql server.
As I understand it, the following options are supposed to remove the
windows domain bizo


In SQL.conf we have.
sql_user_name = %{Stripped-User-Name:-%{User-Name:-DEFAULT}}

in proxy.conf we have

realm LOCAL {
 type= radius
 authhost= LOCAL
 accthost= LOCAL
}

realm DEFAULT {
 type= radius
 authhost= LOCAL
 accthost= LOCAL
}

in radiusd.conf

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf


The client will have logged on successfully a couple of hours earlier,
but then we see this in the logs.

Wed Apr  2 14:32:54 2008 : Info: rlm_sql (sql): No matching entry in the
database for request from user [donb]
Wed Apr  2 14:32:54 2008 : Auth: Login incorrect: [donb/] (from client
patton1 port 19 cli 0882648219)

And they get knocked back.


Is there anything I may have missed or misinterpreted?

Thanks in Advance.

Cheers
cya
Andrew

--
Network Administrator / Manager
Webzone Internet

1st Floor (Oakley Street Entrance)
167 Grote Street
Adelaide SA, 5000

Phone 1300 303 932
Fax   08 8221 6204
Email [EMAIL PROTECTED]
   [EMAIL PROTECTED]


Re: problems with old mysql version and PEAP/MSCHAPV2

2008-04-02 Thread A . L . M . Buxey
Hi,
 Hi,
 
 for wpa2 integration in our wireless network I have installed freeradius
 1.1.7 and mysql 5.0 under ubuntu, and for PEAP/MSCHAPV2 everything is
 working fine.

you've configured SQL to use the group stuff too - do you
have the required group tables setup and configured?  if not,
ONLY use the user check stuff initially.

alan


Re: frammed ip adress

2008-04-02 Thread Ivan Kalik
So if I understand correctly, I need to name and configure IP pool parts in
radius.conf and then use this name as a Pool-Name in LDAP?

Yes.

Is there a
chance to specify range directly in LDAP and not in ip pool?


No, but there is sqlippool. Or use DHCP on your NAS. Or define IP pools
on the NAS and select them with Framed-Pool if your NAS supports it.
Cisco doesn't but you can set IP pool with avpairs.

Ivan Kalik
Kalik Informatika ISP



problems with old mysql version and PEAP/MSCHAPV2

2008-04-02 Thread Hans Bornemann
Hi,

for wpa2 integration in our wireless network I have installed freeradius
1.1.7 and mysql 5.0 under ubuntu, and for PEAP/MSCHAPV2 everything is
working fine.

mysql-db:

 10| test   | NT-Password| := | 7C53CFA5EA7D0F9B3B968AA0FB51A3F5

when i change the db connection to the database with the real userdata,
which runs under solaris 10 and mysql Version 3.2.23 the debug shows:

module sql returns notfound for request 0

when i use the mysql monitor, both DBs show the same results for the sql
commands, which are listed in the debug.

It is very unfortunate, but there is for me no easy way to switch to
mysql version 5.0

Debug:

rad_recv: Access-Request packet from host 123.123.123.123:32769, id=125,
length=180
User-Name = test
Calling-Station-Id = 00-19-D2-CF-E5-50
Called-Station-Id = 00-0B-85-9A-2D-30:ITMC-WPA2
NAS-Port = 29
NAS-IP-Address = 123.123.123.123
NAS-Identifier = mh-wlc4
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3503
EAP-Message = 0x0212000d016d68616e626f726e
Message-Authenticator = 0xcb4bf5a66469aaa4185dd17788f2498b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 18 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user -- 'test'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'test'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'test'   ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user
[test]
  modcall[authorize]: module sql returns notfound for request 0
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
.

Kind Regards
Hans



-- 
Hans Bornemann
Universitaet Dortmund - ITMC
Tel. ++49 231 755 2132  Fax. ++49 231 755 2731



session-timeout for disconnect at fixed time

2008-04-02 Thread javkhlanbaatar
hi,

I want to disconnect users at midnight. So I've read the April 2004 forum
and found some solutions. But there isn't anything about where to put the
Session-Timeout attribute. I've tried to put it into the users file.

DEFAULT Group := 'static', Session-Timeout := `%{expr: ((%l + 86399) %% 86400) - %l}`
        Service-Type == Framed-User ...

It didn't return Session-Timeout. But when I remove the Group section from
the users file, then it returns Session-Timeout.

I've also tried to put this into the expr section in radiusd.conf, then
put expr into the authorize section. But it says the authorize section couldn't
read expr.

How can I do this?

I want to put this attribute into mysql radgroupreply table. What should I
enter in the Value field?



Re: session-timeout for disconnect at fixed time

2008-04-02 Thread Ivan Kalik
Try SQL-Group == static in user file entry. You are not using Unix
groups.

Ivan Kalik
Kalik Informatika ISP




Re: vmps documentation?

2008-04-02 Thread bmccorkle


Phil Mayers wrote:
 
 server vmps {
     ... stuff
 
     vmps {
         ... stuff
 
         mac2vlan.authorize
 
         If (!ok) {
             update reply {
                 VMPS-VLAN-Name = Public
             }
         }
     }
 }
 
 If is wrong - it should be if

Ahhh, you're right.  Freeradius started right up after I fixed that.  All
those English classes ruined my programming skills :)  Everything seems to
be working, thanks Phil, Alan for all the help!



Unable to authenticate with rlm_perl

2008-04-02 Thread johnson elangbam
hi,
I am trying to use rlm_perl for authentication. I've read through all the
perl modules, but I wasn't able to handle the username from the client.
For testing purposes I've put this simple script in the perl program

if ($RAD_REQUEST{'User-Name'} eq "john")
  {
     $RAD_REPLY{'A message'} = "Accepting John";
     return RLM_MODULE_OK;
  }
 else
  {
     $RAD_REPLY{'A message'} = "Rejecting users";
     return RLM_MODULE_REJECT;
  }

Unfortunately, every time I try to authenticate the user john, regardless of
the password, the server rejects it.

here is the piece of output after rejecting the users

rad_recv: Access-Request packet from host 127.0.0.1 port 32866, id=177,
length=56
User-Name = john
User-Password = password
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x9e63c98 asigned new request. Handled so far: 1
found interpetator at address 0x9e63c98
rlm_perl: Added pair User-Name = john
rlm_perl: Added pair User-Password = password
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9e63c98
++[perl] returns ok
rlm_realm: No '@' in User-Name = john, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 203
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Perl
auth: type Perl
+- entering group Perl
perl_pool: item 0xa08e5d8 asigned new request. Handled so far: 1
found interpetator at address 0xa08e5d8
1,bill,Cleartext-Password,bill,:=
Use of uninitialized value in string eq at
/usr/local/etc/raddb/example.pmline 126.
rlm_perl: Added pair User-Name = john
rlm_perl: Added pair User-Password = password
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0xa08e5d8
++[perl] returns reject
auth: Failed to validate the user.
Login incorrect: [john/password] (from client localhost port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - john
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 177 to 127.0.0.1 port 32866
Waking up in 4.9 seconds.
Cleaning up request 0 ID 177 with timestamp +10
Ready to process requests.


Regards,
Elangbam Johnson

Freeradius push attribute to wireless connection

2008-04-02 Thread Guillaume Chartrand
Hi,

 

I'm using Freeradius 2.0. I configured it with an sql database, and the
principal job of the radius server is to authorize and authenticate my
wireless users over my network. What I want to do is to give some
attributes to the user when they are connected, like Session-Timeout, bandwidth
and some other stuff. Here are some entries in my database

usergroup

1,guillaume,dynamic

2,jacques,dynamic

 

Radcheck

1,guillaume,Cleartext-Password,xx,:=

2,jacques,Cleartext-Password,x,:=

 

Radreply

3,guillaume,Session-Timeout,30,:=

 

It's an Mssql database

 

Here the debug info with radiusd -X

rlm_sql (sql): sql_set_user escaped user -- 'guillaume'

rlm_sql (sql): Reserving sql socket id: 2

expand: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'guillaume' ORDER BY id

query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'guillaume' ORDER BY id

rlm_sql (sql): User found in radcheck table

expand: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'guillaume' ORDER BY id

query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'guillaume' ORDER BY id

rlm_sql (sql): Released sql socket id: 2

++[sql] returns ok

 

I have access but my session didn't disconnect after 30 sec. So can I do
that with a wireless configuration? My goal is to give some guest users
a limited time and an expiration date.

 

Thanks

 



Guillaume Chartrand


Re: Signal -HUP

2008-04-02 Thread Giovanni Lovato
Alan DeKok wrote:
 Dmitry A. Sysoev wrote:
 Good afternoon!
 Why the radiusd (ver 2.0.3+ cvs) with
 killall -HUP radiusd is not reload configuration files?
 
   Because it doesn't.  It's hard to do right.  And no, Apache doesn't
 handle HUP, either.  It just *looks* like it handles HUP.  It really
 re-starts itself from scratch.
 
   If you need FreeRADIUS to reload the configuration files, then stop 
 re-start it.

How can I check for syntax errors in the configuration files without
starting FreeRADIUS? Is there something like the ISC DHCPD -T option?



Re: Freeradius push attribute to wireless connection

2008-04-02 Thread Ivan Kalik
What is in the Access-Accept packet?

Ivan Kalik
Kalik Informatika ISP




Re: Signal -HUP

2008-04-02 Thread Alan DeKok
Giovanni Lovato wrote:
 How can I check for syntax errors on configuration files without
 starting FreeRADIUS? There exists something like ISC DHCPD -T option?

  Read the man radiusd documentation.

  Alan DeKok.


Re: Freeradius push attribute to wireless connection

2008-04-02 Thread Alan DeKok
Guillaume Chartrand wrote:
...
 I have access but my session didn't disconnect after 30 sec. So can I do
 that with a wireless configuration? My goal is to give some « guest users »
 a limited time and an expiration date.

  Many systems won't support a Session-Timeout less than 10 minutes.

  Some NAS equipment doesn't even support Session-Timeout at all.

  If the NAS doesn't do what the RADIUS server says, then fix the NAS.

  Alan DeKok.

Re: Unable to authenticate with rlm_perl

2008-04-02 Thread A . L . M . Buxey
Hi,

 client. For testing purposes I've put this simple script in the perl
 program
 
 if ($RAD_REQUEST{'User-Name'} eq "john")
   {
      $RAD_REPLY{'A message'} = "Accepting John";
      return RLM_MODULE_OK;
   }
  else
   {
      $RAD_REPLY{'A message'} = "Rejecting users";
      return RLM_MODULE_REJECT;
   }

and in which subroutine is this sat? and are you calling perl
for that subroutine?  freeradius is also spewing out that your
perl example.pm has an error in it.  this basic example
might work for you

# examplev2 - version 0.0.1a
# Author:  Alan Buxey
# Date:   02/04/2008
# (c) alan buxey 2008 - you may modify/reuse this code so long
# as the known origin is marked - licenced under GPL etc

use strict;
# rlm_perl fills these hashes in before calling each function
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

use constant RLM_MODULE_REJECT   => 0;  #  /* immediately reject the request */
use constant RLM_MODULE_FAIL     => 1;  #  /* module failed, don't reply */
use constant RLM_MODULE_OK       => 2;  #  /* the module is OK, continue */
use constant RLM_MODULE_HANDLED  => 3;  #  /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID  => 4;  #  /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK => 5;  #  /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND => 6;  #  /* user not found */
use constant RLM_MODULE_NOOP     => 7;  #  /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED  => 8;  #  /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES => 9;  #  /* How many return codes there are */

# called when "perl" is listed in the authorize section
sub authorize {

    if ($RAD_REQUEST{'User-Name'} eq "john")
      {
         $RAD_REPLY{'Reply-Message'} = "Accepting John";
         return RLM_MODULE_OK;
      }
     else
      {
         $RAD_REPLY{'Reply-Message'} = "Rejecting users";
         return RLM_MODULE_REJECT;
      }

# end of the authorize subsection

}

alan
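As an added example (not code from this thread or from the FreeRADIUS distribution), here is an rlm_perl module that keeps the two entry points apart: authorize() hands the server a known-good password as a check item, and authenticate() is what runs in the "Perl" group seen in Johnson's debug output, so the password is actually compared instead of only the user name. The user table is constructed for the demonstration, the RLM_PERL_SELFTEST environment variable is a convention of this example only, and it assumes the %RAD_CHECK hash is read back by rlm_perl as in FreeRADIUS 2.x.

```perl
# examplev3 - added example for the thread above, not part of FreeRADIUS.
use strict;
use warnings;

# rlm_perl populates these hashes before each call and reads them back after.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes, same values as rlm_perl's example.pl
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_FAIL     => 1,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_HANDLED  => 3,
    RLM_MODULE_INVALID  => 4,
    RLM_MODULE_USERLOCK => 5,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_NOOP     => 7,
    RLM_MODULE_UPDATED  => 8,
};

# Constructed user table standing in for a real backend (assumption).
my %USERS = (
    john => 'password',
);

# Called from the authorize section.  Looks the user up and exposes the
# known password as a check item, then routes the request to authenticate()
# below by setting Auth-Type.  Nothing is accepted here.
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOTFOUND
        unless defined $user && exists $USERS{$user};

    $RAD_CHECK{'Cleartext-Password'} = $USERS{$user};
    $RAD_CHECK{'Auth-Type'}          = 'Perl';
    return RLM_MODULE_UPDATED;
}

# Called from the authenticate section when Auth-Type = Perl.
# Compares User-Password with the check item set in authorize().
sub authenticate {
    my $user  = $RAD_REQUEST{'User-Name'};
    my $given = $RAD_REQUEST{'User-Password'};
    my $known = $RAD_CHECK{'Cleartext-Password'};

    unless (defined $given && defined $known) {
        $RAD_REPLY{'Reply-Message'} = 'No password to check';
        return RLM_MODULE_REJECT;
    }
    if (constant_time_eq($given, $known)) {
        $RAD_REPLY{'Reply-Message'} = "Accepting $user";
        return RLM_MODULE_OK;
    }
    $RAD_REPLY{'Reply-Message'} = 'Rejecting user';
    return RLM_MODULE_REJECT;
}

# Compare two strings without stopping at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0;
}

# Stand-alone self-test: RLM_PERL_SELFTEST=1 perl examplev3.pl
# (rlm_perl itself only calls the subs above and never sets this variable).
if ($ENV{RLM_PERL_SELFTEST}) {
    for my $try (['john', 'password'], ['john', 'wrong'], ['bill', 'x']) {
        %RAD_REQUEST = ('User-Name' => $try->[0], 'User-Password' => $try->[1]);
        %RAD_CHECK   = ();
        %RAD_REPLY   = ();
        my $rc = authorize();
        $rc = authenticate() if $rc == RLM_MODULE_UPDATED;
        printf "%s/%s -> %d (%s)\n", @$try, $rc, $RAD_REPLY{'Reply-Message'} // '';
    }
}
```

With the self-test the three constructed requests give 2 (OK), 0 (REJECT) and 6 (NOTFOUND); the module is wired in with func_authorize = authorize and func_authenticate = authenticate in the perl module configuration.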


Please advise : Freeradius 2.0.3 on FreeBSD 7.0 Crashing ... Signal 11 ...

2008-04-02 Thread Vikash Badal
Greetings,

Can someone please assist me with Freeradius 2.0.3 crashes on FreeBSD
7.0.

Below are the outputs from radiusd -X and backtraces from the core files

Crash 1 

Wed Apr  2 15:22:44 2008 : Debug: Going to the next request
Wed Apr  2 15:22:44 2008 : Debug: Waking up in 9.6 seconds.
Wed Apr  2 15:22:54 2008 : Error: Rejecting request 258 due to lack of
any response from home server xxx.xxx.xxx.xxx port 1646
Wed Apr  2 15:22:54 2008 : Debug: Finished request 258.
Wed Apr  2 15:22:54 2008 : Debug: Cleaning up request 258 ID 26 with
timestamp +2133
Segmentation fault (core dumped)

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for
details.
This GDB was configured as i386-marcel-freebsd...
Core was generated by `radiusd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from
/usr/local/lib/libfreeradius-radius-2.0.3.so...done.
Loaded symbols for /usr/local/lib/libfreeradius-radius-2.0.3.so
SNIP
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x0806416d in cleanup_delay (ctx=0x28571060) at event.c:477
477 DEBUG2(Cleaning up request %d ID %d with timestamp
+%d,
[New Thread 0x28401100 (LWP 100774)]
(gdb) bt
#0  0x0806416d in cleanup_delay (ctx=0x28571060) at event.c:477
#1  0x0806519c in wait_a_bit (ctx=0x28571060) at event.c:947
#2  0x08064ddc in post_proxy_fail_handler (request=0x28571060) at
event.c:794
#3  0x08064e95 in no_response_to_proxied_request (ctx=0x28571060)
at event.c:819
#4  0x280c8a9d in fr_event_run (el=0x2856e000, when=0xbfbfe838) at
event.c:214
#5  0x280c9078 in fr_event_loop (el=0x2856e000) at event.c:381
#6  0x0806814d in radius_event_process () at event.c:2660
#7  0x0805d366 in main (argc=2, argv=0xbfbfe93c) at radiusd.c:394
(gdb) frame 7
#7  0x0805d366 in main (argc=2, argv=0xbfbfe93c) at radiusd.c:394
394 while ((rcode = radius_event_process()) == 0x80) {
(gdb) q



Crash 2
--
Wed Apr  2 15:46:06 2008 : Debug: Going to the next request
Wed Apr  2 15:46:06 2008 : Debug: Waking up in 1.8 seconds.
Wed Apr  2 15:46:08 2008 : Error: Rejecting request 49 due to lack of
any response from home server xxx.xxx.xxx.xxx port 1646
Wed Apr  2 15:46:08 2008 : Debug: Finished request 49.
Wed Apr  2 15:46:08 2008 : Debug: Cleaning up request 49 ID 93 with
timestamp +673
Segmentation fault (core dumped)



GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for
details.
This GDB was configured as i386-marcel-freebsd...
Core was generated by `radiusd'.
Program terminated with signal 11, Segmentation fault.
SNIP
#0  0x0806416d in cleanup_delay (ctx=0x28571060) at event.c:477
477 DEBUG2(Cleaning up request %d ID %d with timestamp
+%d,
[New Thread 0x28401100 (LWP 100467)]
(gdb) bt
#0  0x0806416d in cleanup_delay (ctx=0x28571060) at event.c:477
#1  0x0806519c in wait_a_bit (ctx=0x28571060) at event.c:947
#2  0x08064ddc in post_proxy_fail_handler (request=0x28571060) at
event.c:794
#3  0x08064e95 in no_response_to_proxied_request (ctx=0x28571060)
at event.c:819
#4  0x280c8a9d in fr_event_run (el=0x2856e000, when=0xbfbfe838) at
event.c:214
#5  0x280c9078 in fr_event_loop (el=0x2856e000) at event.c:381
#6  0x0806814d in radius_event_process () at event.c:2660
#7  0x0805d366 in main (argc=2, argv=0xbfbfe93c) at radiusd.c:394
(gdb) frame 7
#7  0x0805d366 in main (argc=2, argv=0xbfbfe93c) at radiusd.c:394
394 while ((rcode = radius_event_process()) == 0x80) {


Please let me know if more information is required


Thanks
Vikash


Re: proxy to 2 servers

2008-04-02 Thread Mikhail Novikov
  How can I confugure the server to read the log file and proxy the
  requests to another server?

  raddb/sites-available/copy-acct-to-home-server


The freeradius proxy server has to send all requests to 2 radius servers, but

the proxy server has to modify attributes (by a rule in the hints file) in
requests to the first server and must not modify attributes in requests to the
second server.

Is this possible?


Re: proxy to 2 servers

2008-04-02 Thread Alan DeKok
Mikhail Novikov wrote:
 The freeradius proxy server has to send all requests to 2 radius servers, but
 
 the proxy server has to modify attributes (by a rule in the hints file) in
 requests to the first server and must not modify attributes in requests to the
 second server.
 
 Is this possible?

  Yes.  You can run the requests through different virtual servers.

  This is documented.  There are examples.

  Alan DeKok.


Re: Please advise : Freeradius 2.0.3 on FreeBSD 7.0 Crashing ... Signal 11 ...

2008-04-02 Thread Alan DeKok
Vikash Badal wrote:
 Greetings,
 
 Can someone please assist me with Freeradius 2.0.3 crashes on FreeBSD
 7.0.

  It seems to be crashing in the same place, but it's not clear why.

  Did you have an earlier version of FreeRADIUS installed on that machine?

  Alan DeKok.


RE: Please advise : Freeradius 2.0.3 on FreeBSD 7.0 Crashing ...Signal 11 ...

2008-04-02 Thread Vikash Badal

I had radius 2.0.1 installed and then removed ( via the ports tree )



Re: Mapping ldap attribute with radius attribute...howto?

2008-04-02 Thread Eric Martell
Hi Alan,
   Can you please reply to me about LDAP multiple attributes in the radius reply
response on this? It will be really appreciated.

I searched the following thread for ldap multiple attributes, but it did not
have the right logic without changing data.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg19275.html

We do not control changes to the ldap data, as it is legacy.

For ldap multiple attributes I am getting ONLY the first value.

rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test1
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test2
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test3
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap:  user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 21 to 216.2.193.1 port 20070
rEntitlements = test1
rCidx = 11





Alan DeKok [EMAIL PROTECTED] wrote: Eric Martell wrote:
> I am using NTRadPing to test the authorization.
> I see in the log, radius attribute is mapped to ldap attribute and
> returning valid value
> rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
>
> but I did not see it in the Sending Access-Accept reply to NAS.

  Attributes between 1 and 255 can go into a packet.  Attributes greater
than that cannot go into a packet.

  You will need to define a vendor-specific dictionary for your
attribute.  See share/dictionary.*

  Alan DeKok.

Re: Please advise : Freeradius 2.0.3 on FreeBSD 7.0 Crashing ...Signal 11 ...

2008-04-02 Thread A . L . M . Buxey
Hi,

> I had radius 2.0.1 installed and then removed ( via the ports tree )

s'cuse my ignorance - been a while since i dipped into the world of
BSD ports - does the uninstall remove libraries that have been installed
and unlink them etc?

alan


RE: Please advise : Freeradius 2.0.3 on FreeBSD 7.0 Crashing...Signal 11 ...

2008-04-02 Thread Vikash Badal
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: 02 April 2008 05:11 PM
> To: FreeRadius users mailing list
> Subject: Re: Please advise : Freeradius 2.0.3 on FreeBSD 7.0
> Crashing...Signal 11 ...
>
> Hi,
>
>> I had radius 2.0.1 installed and then removed ( via the ports tree )
>
> s'cuse my ignorance - been a while since i dipped into the
> world of BSD ports - does the uninstall remove libraries that
> have been installed and unlink them etc?

Old libraries are moved to /usr/local/lib/compat


I cleaned out /usr/local/lib/compat and the problem still exists.




Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Marco Gaiarin

[I'm not subscribed to this list, so, please, put me on CC]

I've just set up a 'test installation' of freeradius on a debian etch
box (using freeradius 1.1.3 recompiled by me to support EAP-TLS).

In my environments there's always an LDAP server that serves, among other
things, also a samba3 server using standard stuff (smbldap-tools, ...).
Clearly my users are mostly (ahem, totally ;( ) windows XPsp2.


Firstly I've set up all the stuff using winbind/ntlm_auth to do the
MS-CHAP auth, but because I know that in LDAP the NT-Password is
simply stored, and looking at the (deprecated) /etc/smbpasswd module
with the aid of some google, I've finally reached a good (for me)
working point: the ldap module extracts NT-Password and gives it to the mschap
module for authentication, with the bonus of group filtering, all in
LDAP (I've disabled 'unix')...

The strange thing, the only strangeness I've found, is that I was forced to
insert an explicit 'deny' rule in the users file, e.g. my users are:

 DEFAULT Service-Type == Framed-User, Ldap-Group == "ced"
 DEFAULT Service-Type == Framed-User, Ldap-Group == "diramm"
 DEFAULT Service-Type == Framed-User, Ldap-Group == "ricerca"
 DEFAULT Service-Type == Framed-User, Ldap-Group == "*", Auth-Type := Reject
         Reply-Message = "Gruppo non autorizzato"

If I remove the last entry, the user gets authenticated.


But wasn't the users file 'no match, no party'? What am I missing?

Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797



build freeradius 2.0.3 on ubuntu(debian)

2008-04-02 Thread Mikhail Novikov
Hello,

After installing freeradius server 2.0.3 on Ubuntu 7.10 with:
./configure
./make
./make install

I got this message:

$ radiusd x
radiusd: error while loading shared libraries:
libfreeradius-radius-2.0.3.so: cannot open shared object file: No such
file or directory

How can I fix that?

Thanks


Re: build freeradius 2.0.3 on ubuntu(debian)

2008-04-02 Thread Nicolas Goutte


On 02.04.2008 at 18:28, Mikhail Novikov wrote:

> Hello,
>
> After installing freeradius server 2.0.3 on Ubuntu 7.10 with:
> ./configure
> ./make
> ./make install
>
> I got this message:
>
> $ radiusd x
> radiusd: error while loading shared libraries:
> libfreeradius-radius-2.0.3.so: cannot open shared object file: No such
> file or directory
>
> How can I fix that?

If you have installed under /usr/local be sure that dynamic libraries
are found there too.

(For security reasons, it is not always the case under Linux.)

Have a nice day!

> Thanks


Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registry court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Phil Mayers

Marco Gaiarin wrote:
> [I'm not subscribed to this list, so, please, put me on CC]
>
> I've just set up a 'test installation' of freeradius on a debian etch
> box (using freeradius 1.1.3 recompiled by me to support EAP-TLS).

Upgrade to 1.1.7 at least

> In my environments there's always an LDAP server that serves, among other
> things, also a samba3 server using standard stuff (smbldap-tools, ...).
> Clearly my users are mostly (ahem, totally ;( ) windows XPsp2.
>
> Firstly I've set up all the stuff using winbind/ntlm_auth to do the
> MS-CHAP auth, but because I know that in LDAP the NT-Password is
> simply stored, and looking at the (deprecated) /etc/smbpasswd module
> with the aid of some google, I've finally reached a good (for me)
> working point: the ldap module extracts NT-Password and gives it to the mschap
> module for authentication, with the bonus of group filtering, all in
> LDAP (I've disabled 'unix')...
>
> The strange thing, the only strangeness I've found, is that I was forced to
> insert an explicit 'deny' rule in the users file, e.g. my users are:
>
>  DEFAULT Service-Type == Framed-User, Ldap-Group == "ced"
>  DEFAULT Service-Type == Framed-User, Ldap-Group == "diramm"
>  DEFAULT Service-Type == Framed-User, Ldap-Group == "ricerca"
>  DEFAULT Service-Type == Framed-User, Ldap-Group == "*", Auth-Type := Reject
>          Reply-Message = "Gruppo non autorizzato"
>
> If I remove the last entry, the user gets authenticated.

Yes

> But wasn't the users file 'no match, no party'? What am I missing?

What does no match no party mean?

In all probability, you've got something like:

authorize {
  preprocess
  eap
  mschap
  ldap
  files
}
authenticate {
  Auth-Type MSCHAP {
    mschap
  }
  eap
}

...if so, mschap (or eap, for the outer module) finds the relevant
attributes, sets Auth-Type to itself, and processes the request; if the
user has a password, they're authenticated. If you want to deny people
you need to do that.


Since you're not subscribed to the mailing list and haven't read the
documents, you have failed to see the advice repeated daily; namely, to
run radiusd under debugging with radiusd -X, examine the output and if
you can't figure out what it's saying, post that output here.



Users cant connect Freeradius 2.0.2

2008-04-02 Thread Gustavo Chavelas
Hi to all.

Firstly, I had to install a new server and my freeradius 2.0.2 is running
now.
But I have a new problem.

With the last version, my freeradius worked fine, but with this new version, the
users can't connect.

I'm attaching the radiusd -X output.

Please help me.
 



Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Marco Gaiarin
Mandi! Phil Mayers
  On that day, it was said...

>> box (using freeradius 1.1.3 recompiled by me to support EAP-TLS).
> Upgrade to 1.1.7 at least

...as a debian user, I prefer to stay on 'debian stable' and use the
official package, even if repackaged...


>> But wasn't the users file 'no match, no party'? What am I missing?
> What does no match no party mean?

In the users file, the last line says:

# On no match, the user is denied access.

(so no match implies deny, which implies no WLAN-party ;).


> In all probability, you've got something like:

Precisely:

authorize {
	preprocess
	chap
	mschap
	ntdomain
	eap
	files
	ldap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	Auth-Type LDAP {
		ldap
	}
	eap
}

(indeed probably a bit more than needed...)


> ...if so, mschap (or eap, for the outer module) finds the relevant
> attributes, sets Auth-Type to itself, and processes the request; if the
> user has a password, they're authenticated. If you want to deny people you
> need to do that.

Probably I'm missing something... I've tried to type a wrong password
and it works (i.e. radius refuses to auth me); it's not clear to me what you mean
with 'if the user has a password, they're authenticated' and especially
with 'you need to do that': 'that' what? Explicitly neglect access?

Deeper still, it's not clear to me whether this is a configuration error of mine, or
whether with this setup things NEED to be done this way.


> Since you're not subscribed to the mailing list and haven't read the

The list refuses posts from non-subscribed users, so now I'm subscribed.
I've read tons of docs, especially the FAQ (with no clue at all),
especially the freeradius.org site where some docs say something and
some other docs say the converse (or at least so it seems to me; clearly
I'm ignorant and stupid).


> documents, you have failed to see the advice repeated daily; namely, to run
> radiusd under debugging with radiusd -X, examine the output and if you
> can't figure out what it's saying, post that output here.

I've been running with 'freeradius -X' in my hand for two days. I've solved
at least half a dozen troubles myself using the FAQ and other docs on
the net.


Because this is not a trouble (at least for me, again remember I'm
ignorant and stupid), I think it was not the case to start sending
tons of attachments.


I've shut off my test system, and I've accumulated too many 'freeradius
-X' logs to remember where the culprit was, so please wait until tomorrow for
the config file and associated log.


good night.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797



Re: Mapping ldap attribute with radius attribute...howto?

2008-04-02 Thread Alan DeKok
Eric Martell wrote:
> Can you please reply me about LDAP multiple attributes in the radius
> reply response on this? Will really appreciated.

  raddb/ldap.attrmap  See the operator field, which is an operator
just like in the users file.

  Alan DeKok.
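Putting Alan's two answers in this thread together (a vendor-specific dictionary so the attributes fit into a packet, and the operator column in ldap.attrmap so every LDAP value comes back), here is an added configuration that is not from Alan's mail or from the FreeRADIUS distribution. The RADIUS attribute names rCidx and rEntitlements and the LDAP attributes roleid and entitlements are the ones in Eric's debug output; the vendor name and number are placeholders that must be replaced by the organisation's own IANA Private Enterprise Number.

```conf
# Added example, not from Alan's mail or the FreeRADIUS distribution.
# Attribute names (rCidx, rEntitlements) and LDAP attributes (roleid,
# entitlements) are the ones in Eric's debug output.

# ---- raddb/dictionary (the site-local dictionary the server already reads) ----

# PLACEHOLDER vendor: replace name and number with your organisation's
# IANA Private Enterprise Number. Do not reuse another vendor's number.
VENDOR          Example-Vendor          99999

BEGIN-VENDOR    Example-Vendor
# Vendor-specific attributes are carried inside standard attribute 26
# (Vendor-Specific), so their own numbers no longer have to fit in 1..255
# the way a plain attribute number does.
ATTRIBUTE       rCidx                   1       integer
ATTRIBUTE       rEntitlements           2       string
END-VENDOR      Example-Vendor

# ---- raddb/ldap.attrmap ----

# Format: replyItem  RADIUS-attribute  LDAP-attribute  [operator]
# With "+=" every value of a multi-valued LDAP attribute becomes its own
# reply attribute instead of only the first value being kept.
replyItem       rCidx                   roleid
replyItem       rEntitlements           entitlements    +=
```

On the wire the two attributes now travel as attribute 26, so the NAS or test client also needs the vendor definitions to show them by name. radiusd -C (the option shown later in this digest) checks that the configuration and dictionaries parse without starting the server, and radiusd -X then lists the attributes under the Sending Access-Accept line.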


Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Alan DeKok
Marco Gaiarin wrote:
> ...as a debian user, I prefer to stay on 'debian stable' and use the
> official package, even if repackaged...

  ... with all of the bugs that were found & fixed in a later version.

> (so no match implies deny, which implies no WLAN-party ;).

  Please don't be cute.  It just makes it harder to help you.

> Deeper still, it's not clear to me whether this is a configuration error of mine, or
> whether with this setup things NEED to be done this way.

  The default configuration works.  There is very little you need to do
in order to make PEAP and LDAP work.

> I've been running with 'freeradius -X' in my hand for two days. I've solved
> at least half a dozen troubles myself using the FAQ and other docs on
> the net.

  A common problem is that people change a LOT in the configuration
files.  Don't do that.  The default configuration works.

> I've shut off my test system, and I've accumulated too many 'freeradius
> -X' logs to remember where the culprit was, so please wait until tomorrow for
> the config file and associated log.

  Please don't send config files.  Please don't send log files from
configurations where you have made large changes.  We KNOW that large
changes break the server.  We also know that the default configuration
works.

  Start with the default configuration and make small changes.  Test
them.  You WILL get it working very quickly.

  If you're spending a lot of time reading documentation, debug outputs,
and fighting with the server, it means that you have made too many
changes to the default configuration.

  Alan DeKok.


Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Phil Mayers


> In the users file, the last line says:
>
> # On no match, the user is denied access.

In the default config, that's correct, since the default config says:

authorize {
	preprocess

	chap
	mschap
	suffix
	eap
	files
	pap
}

i.e. files is the only data source and no match means no password.

You are not running the default config. You've added the ldap module,
so even though files doesn't match, ldap does.





Re: build freeradius 2.0.3 on ubuntu(debian)

2008-04-02 Thread Mikhail Novikov
after
$ ldconfig

it works fine now.

On Wed, Apr 2, 2008 at 8:38 PM, Nicolas Goutte
[EMAIL PROTECTED] wrote:
>
> On 02.04.2008 at 18:28, Mikhail Novikov wrote:
>
>> Hello,
>>
>> After installing freeradius server 2.0.3 on Ubuntu 7.10 with:
>> ./configure
>> ./make
>> ./make install
>>
>> I got this message:
>>
>> $ radiusd x
>> radiusd: error while loading shared libraries:
>> libfreeradius-radius-2.0.3.so: cannot open shared object file: No such
>> file or directory
>>
>> How can I fix that?
>
> If you have installed under /usr/local be sure that dynamic libraries are
> found there too.
> (For security reasons, it is not always the case under Linux.)
>
> Have a nice day!
>
>> Thanks
>
> Nicolas Goutte
>
>
> extragroup GmbH - Karlsruhe
> Waldstr. 49
> 76133 Karlsruhe
> Germany
>
> Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
> Registry court: Amtsgericht Münster / HRB: 5624
> Tax no.: 337/5903/0421 / VAT ID: DE 204607841




Re: proxy to 2 servers

2008-04-02 Thread Mikhail Novikov
I found example:

listen {
	...
}
client one {
	...
	virtual_server = server_one
}
client two {
	...
	virtual_server = server_two
}
server server_one {
	authorize {
		...
	}
	...
}
server server_two {
	authorize {
		...
	}
	...
}

How can I specify:

1) server_one has to modify and proxy requests to 192.168.0.10:1812
2) server_two has to proxy requests to 192.168.0.11:1812

?

On Wed, Apr 2, 2008 at 6:42 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> Mikhail Novikov wrote:
>> freeradius proxy server has to send all requests to 2 radius servers but
>>
>> proxy server has to modify attributes (by rule in hints file) in
>> requests to 1 server and hasn't to modify attributes in requests to 2
>> server.
>>
>> Is this possible?
>
>  Yes.  You can run the requests through different virtual servers.
>
>  This is documented.  There are examples.
>
>  Alan DeKok.


using different LDAP queries to authorize for different services

2008-04-02 Thread Sylvain Robitaille


I'm back.  Small reminder, since it appears that list members are
helping a sufficient number of folks that remembering my particular
setup would be non-trivial:

  - I'm running FreeRADIUS-2.0.3 (rlm_pap is patched as was discussed on
this mailing list), with TTLS/PAP using OpenLDAP as the source of
user authorization and authentication.
  - My configuration files are nearly stock, with the exception of the
necessary configuration to get the ldap module talking to the LDAP
server.
  - This setup has been running like this now for a couple of days
without any trouble.

What I'm aiming to accomplish, however, is that the FreeRADIUS server
will authorize users for different services based on a slightly
different LDAP query.  The users are in various groups, which can be
checked by supplying an LDAP query filter that checks the memberOf
attribute;  Users in group wireless should be permitted to use the
wireless service; users in group vpn should be able to use the VPN
service; users in both groups could use either, and users in neither
group should be refused for either, etc.

I've been trying to configure this by adding instances of the ldap
module configuration (ldap ldap_wireless for example) in the modules
section of radiusd.conf, and setting Autz-Type in the users file based
on the NAS-IP-Address (huntgroups would likely be more appropriate
for our wireless access points, but at the moment I'm trying to do this
one step at a time, and in fact am testing with only 127.0.0.1 as the
NAS-IP-Address anyway).  Running radiusd in debug mode shows that the
ldap module is using the configuration for its un-named instance (the
default one from the stock config files, with minimal configuration to
permit it to lookup users in our LDAP).

I can tell the difference in which LDAP module configuration stanza is
used by the query filter shown in the debug output.

If the correct way to accomplish what I'm trying for is documented
somewhere, I may have overlooked it, so I would appreciate it if someone
could point me at it.  I'm happy to read documentation, especially if it
leads me to better understand how to accomplish desired tasks.
Otherwise, if someone can see from the above what I'm doing wrong, I'd
certainly appreciate any advice, suggestions or other useful input.

Thanks again in advance ...

--
--
Sylvain Robitaille                              [EMAIL PROTECTED]

Systems and Network analyst                  Concordia University
Instructional & Information Technology    Montreal, Quebec, Canada
--


Re: Users cant connect Freeradius 2.0.2

2008-04-02 Thread A . L . M . Buxey
Hi,

> Firstly, I had to install a new server and my freeradius 2.0.2 is running
> now.
> But I have a new problem.
>
> With the last version, my freeradius worked fine, but with this new version, the
> users can't connect.
>
> I'm attaching the radiusd -X output.

so, you've just installed 2.0.2 (why not 2.0.3???) - and your old
version was working. what was your old version?  did you just use
the same config files?

alan


Re: Signal -HUP

2008-04-02 Thread A . L . M . Buxey
Hi,

> How can I check for syntax errors on configuration files without
> starting FreeRADIUS? There exists something like ISC DHCPD -T option?


with FreeRADIUS 2.0.2 


[EMAIL PROTECTED] ~]$ radiusd -h
Usage: radiusd [-d db_dir] [-l log_dir] [-i address] [-n name] [-fsvXx]
Options:

  -C              Check configuration and exit.
  -d raddb_dir    Configuration files are in raddbdir/*.
  -f              Run as a foreground process, not a daemon.
  -h              Print this help message.
  -i ipaddr       Listen on ipaddr ONLY
  -n name         Read raddb/name.conf instead of raddb/radiusd.conf
  -p port         Listen on port ONLY
  -s              Do not spawn child processes to handle requests.
  -v              Print server version information.
  -X              Turn on full debugging.
  -x              Turn on additional debugging. (-xx gives more debugging).

so, -C is the option you want.  sure. could've been -T like some other
software. but why copy when you can innovate? :-)

alan


Re: Mapping ldap attribute with radius attribute...howto?

2008-04-02 Thread Eric Martell
Hi Alan,
   Thanks so much. Really appreciated. It works!

One more simple/stupid question regarding duplicate entries in the LDAP.

We have scenarios where one PC gets transferred to another user and we don't delete
the registered MAC address of the previous PC. The new user is still able to
register with the previous user's existing PC MAC address one more time. Thus
the scenario of duplicate entries in LDAP.

Is there a way, when the ldap query (irrespective of how I use it) finds a multiple
resultset, to get the first result and return success instead of sending a reject?

The dn is not the uid, as the ldap tree is structured with roleid as dn and uid/did
is an attribute. Also changing the ldap tree is not possible.

Please let me know.
Thanks in advance.


Alan DeKok [EMAIL PROTECTED] wrote: Eric Martell wrote:
>> Can you please reply me about LDAP multiple attributes in the radius
>> reply response on this? Will really appreciated.
>
>  raddb/ldap.attrmap  See the operator field, which is an operator
> just like in the users file.
>
>  Alan DeKok.


   

Re: Users cant connect Freeradius 2.0.2

2008-04-02 Thread Gustavo Chavelas
 
Hi Alan.
My old version is 1.1.3-1.2 and it's installed on another server.
I think that version 2.0.2 is the newest, but I have tried to install 2.0.3.

I don't use the same config files; I configured all files again.

Regards.

> Message: 8
> Date: Wed, 2 Apr 2008 19:05:47 +0100
> From: [EMAIL PROTECTED]
> Subject: Re: Users cant connect Freeradius 2.0.2
> To: FreeRadius users mailing list
> 	freeradius-users@lists.freeradius.org
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
>> Firstly, I had to install a new server and my freeradius 2.0.2 is
>> running
>> now.
>> But I have a new problem.
>>
>> With the last version, my freeradius worked fine, but with this new version, the
>> users can't connect.
>>
>> I'm attaching the radiusd -X output.
>
> so, you've just installed 2.0.2 (why not 2.0.3???) - and your old
> version was working. what was your old version?  did you just use
> the same config files?
>
> alan
>
>
> --
>
> End of Freeradius-Users Digest, Vol 36, Issue 15





Re: proxy to 2 servers

2008-04-02 Thread A . L . M . Buxey
Hi,

> How can I specify:
>
> 1) server_one has to modify and proxy requests to 192.168.0.10:1812
> 2) server_two has to proxy requests to 192.168.0.11:1812

put the required attribute filters and rewrites into
each server section.  then they'll do the right thing. I'd use
unlang to write the Proxy stuff for each server too. then
proxy.conf is easy/easier - you just define the 2 REALMS
and have those servers you mentioned within their correct realms.

alan


Re: proxy to 2 servers

2008-04-02 Thread Mikhail Novikov
>> How can I specify:
>>
>> 1) server_one has to modify and proxy requests to 192.168.0.10:1812
>> 2) server_two has to proxy requests to 192.168.0.11:1812
>
> put the required attribute filters and rewrites into
> each server section.  then they'll do the right thing. I'd use
> unlang to write the Proxy stuff for each server too. then
> proxy.conf is easy/easier - you just define the 2 REALMS
> and have those servers you mentioned within their correct realms.

server_one and server_two have to process all requests.

Are following realms correct?

realm DEFAULT {
	type     = radius
	authhost = 192.168.0.10:1812
	accthost = 192.168.0.10:1813
	secret   = testing123
}

realm DEFAULT {
	type     = radius
	authhost = 192.168.0.11:1812
	accthost = 192.168.0.11:1813
	secret   = testing123
}


Re: proxy to 2 servers

2008-04-02 Thread A . L . M . Buxey
Hi,

> server_one and server_two have to process all requests.
>
> Are following realms correct?
>
> realm DEFAULT {
> 	type     = radius
> 	authhost = 192.168.0.10:1812
> 	accthost = 192.168.0.10:1813
> 	secret   = testing123
> }
>
> realm DEFAULT {
> 	type     = radius
> 	authhost = 192.168.0.11:1812
> 	accthost = 192.168.0.11:1813
> 	secret   = testing123
> }

that would, on first inspection, tell your freeradius server to send
any default auth (DEFAULT) to either of those servers. depending
on which one it felt like using. probably NOT what you wanted.
as stated, if server 1 must send ALL to 192.168.0.10 and server 2
send ALL to 192.168.0.11 then really you'd

realm DEFAULT1 {
	type     = radius
	authhost = 192.168.0.10:1812
	accthost = 192.168.0.10:1813
	secret   = testing123
}

realm DEFAULT2 {
	type     = radius
	authhost = 192.168.0.11:1812
	accthost = 192.168.0.11:1813
	secret   = testing123
}

and use unlang to set the Proxy-To-Realm for each server

alan


Re: proxy to 2 servers

2008-04-02 Thread Mikhail Novikov
> realm DEFAULT1 {
> 	type     = radius
> 	authhost = 192.168.0.10:1812
> 	accthost = 192.168.0.10:1813
> 	secret   = testing123
> }
>
> realm DEFAULT2 {
> 	type     = radius
> 	authhost = 192.168.0.11:1812
> 	accthost = 192.168.0.11:1813
> 	secret   = testing123
> }
>
> and use unlang to set the Proxy-To-Realm for each server


Should I put the Proxy-To-Realm code to preacct section?

server server_one {
	...
	preacct {
		preprocess
		acct_unique
		suffix
		update control {
			Proxy-To-Realm := "DEFAULT1"
		}
		files
	}
}

server server_two {
	...
	preacct {
		preprocess
		acct_unique
		suffix
		update control {
			Proxy-To-Realm := "DEFAULT2"
		}
		files
	}
}

Thanks a lot.
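Mikhail's last question (does the Proxy-To-Realm update belong in preacct?) gets no answer in this digest, so here is an added configuration, not from the thread or from the FreeRADIUS distribution, that carries Alan Buxey's suggestion through. It uses the home_server / home_server_pool / realm form of the 2.0 proxy.conf instead of the older authhost/accthost form, sets Proxy-To-Realm in authorize as well as preacct (Access-Requests are proxied from authorize, Accounting-Requests from preacct), and keeps preprocess, the module that applies the hints file, only in server_one, the server whose requests are supposed to be rewritten. Addresses, the shared secret and the server names are the ones in the thread; hs_one, hs_two, pool_one and pool_two are made-up names, and the clients are assumed to be mapped with virtual_server = server_one / server_two as in Mikhail's earlier example.

```conf
# Added example, not from the thread or the FreeRADIUS distribution.
# ---- proxy.conf (FreeRADIUS 2.0 syntax) ----
home_server hs_one {
	type = auth+acct        # "port" is the auth port; accounting goes to port + 1
	ipaddr = 192.168.0.10
	port = 1812
	secret = testing123     # the thread's example secret; use a long random one in production
	response_window = 20
	zombie_period = 40
	revive_interval = 120
	status_check = none
}
home_server hs_two {
	type = auth+acct
	ipaddr = 192.168.0.11
	port = 1812
	secret = testing123
	response_window = 20
	zombie_period = 40
	revive_interval = 120
	status_check = none
}
home_server_pool pool_one {
	type = fail-over
	home_server = hs_one
}
home_server_pool pool_two {
	type = fail-over
	home_server = hs_two
}
realm DEFAULT1 {
	auth_pool = pool_one
	acct_pool = pool_one
}
realm DEFAULT2 {
	auth_pool = pool_two
	acct_pool = pool_two
}

# ---- sites-enabled/server_one: hints are applied, then everything goes to DEFAULT1 ----
server server_one {
	authorize {
		preprocess              # runs the hints/huntgroups rewrites on the request
		update control {
			Proxy-To-Realm := "DEFAULT1"
		}
	}
	preacct {
		preprocess
		acct_unique
		update control {
			Proxy-To-Realm := "DEFAULT1"
		}
	}
}

# ---- sites-enabled/server_two: no preprocess, so requests are forwarded unmodified ----
server server_two {
	authorize {
		update control {
			Proxy-To-Realm := "DEFAULT2"
		}
	}
	preacct {
		acct_unique
		update control {
			Proxy-To-Realm := "DEFAULT2"
		}
	}
}
```

Because Proxy-To-Realm is set unconditionally in each virtual server, the realm module (suffix) is not needed for routing and a request that carries a foreign realm still goes to the home server chosen here. With radiusd -X each proxied request shows the realm it was sent to, which is the quickest way to confirm that client "one" reaches 192.168.0.10 and client "two" reaches 192.168.0.11.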


Re: Users cant connect Freeradius 2.0.2

2008-04-02 Thread Ivan Kalik
You (probably) haven't configured realm ntdomain {} so your username is
dom_cuernavaca\test and not test.

Ivan Kalik
Kalik Informatika ISP


On 2/4/2008, Gustavo Chavelas [EMAIL PROTECTED] writes:

> Hi Alan.
> My old version is 1.1.3-1.2 and it's installed on another server.
> I think that version 2.0.2 is the newest, but I have tried to install 2.0.3.
>
> I don't use the same config files; I configured all files again.
>
> Regards.
>
>> Message: 8
>> Date: Wed, 2 Apr 2008 19:05:47 +0100
>> From: [EMAIL PROTECTED]
>> Subject: Re: Users cant connect Freeradius 2.0.2
>> To: FreeRadius users mailing list
>> 	freeradius-users@lists.freeradius.org
>> Message-ID: [EMAIL PROTECTED]
>> Content-Type: text/plain; charset=us-ascii
>>
>> Hi,
>>
>>> Firstly, I had to install a new server and my freeradius 2.0.2 is
>>> running
>>> now.
>>> But I have a new problem.
>>>
>>> With the last version, my freeradius worked fine, but with this new version, the
>>> users can't connect.
>>>
>>> I'm attaching the radiusd -X output.
>>
>> so, you've just installed 2.0.2 (why not 2.0.3???) - and your old
>> version was working. what was your old version?  did you just use
>> the same config files?
>>
>> alan
>>
>>
>> --
>>
>> End of Freeradius-Users Digest, Vol 36, Issue 15







Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Ivan Kalik

> In the users file, the last line says:
>
>    # On no match, the user is denied access.
>
> (so no match implies deny, which implies no WLAN-party ;).

That applies if user details are stored (only) in files. Not if they are
in ldap, sql ...

Ivan Kalik
Kalik Informatika ISP



radius server cannot handle external request

2008-04-02 Thread xia sihua
Hi,
   I have installed the latest freeradius server (version: 2.0.3) on my
Fedora Core 5 i386 PC.  Now it works ok when I use "radtest test test
localhost 0 testing123" to test a local user from the local machine, and under debug mode
(radiusd -X) the server prints out the relevant handling info. However, when I
configure another machine as a RADIUS client and send out a request, the
server is silent and stops at "Ready to process requests.". That means the
server cannot handle external radius requests.

The start info is as follows:
[EMAIL PROTECTED] raddb]# radiusd -X
FreeRADIUS Version 2.0.3, for host i686-redhat-linux-gnu, built on Mar 28
2008 at 18:56:20
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default.old
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
shortname = localhost
nastype = other
 }
 client 172.28.99.51 {
require_message_authenticator = no
secret = test
shortname = 172.28.99.51
 }
 client 172.28.137.233 {
require_message_authenticator = no
secret = tellabs
shortname = 172.28.137.233
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = /var/log/radius/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked 

Re: radius server cannot handle external request

2008-04-02 Thread Ivan Kalik
The server is silent and stops at "Ready to process requests.". That means the
server cannot handle external RADIUS requests.

I use Wireshark and can capture the RADIUS request packet. It is the right
request, but the server cannot handle it or print anything on the terminal. I'm
confused. Could you give me some suggestions?


No. That means that request made it to the firewall but not through it.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Hints & Huntgroups

2008-04-02 Thread Dean Smith
Should I be able to either

1) Set a Huntgroup via the huntgroups file (matching on NAS-IP-Address) and
use that in the Hints file as a match (Huntgroup-Name == blah), or
2) Set a Hint in the hints file and use that as the match for the
Huntgroup?

Currently testing on FreeRADIUS Version 1.1.0, and the files seem to be
parsed independently, so attributes modified/added in one aren't visible in
the other?

Essentially I'd like to set both a huntgroup and perform some username
substitution in hints on queries from the same set of NAS. I can define the
full set of NAS in both files of course, but was hoping to only define the
list of NAS-IP-Address once. Ideally, set the Huntgroup first and then use
the Huntgroup-Name in the Hints file.

Thanks

Dean Smith

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Login-Service = Telnet

2008-04-02 Thread Stefan A.
I have to set up my FR to let a user telnet into my Cisco router.
Without further contact with my client until Friday, I will test my
environment in advance.

Accepting a session using these attributes works fine. I get an IP and
can connect to the router using telnet.
Session-Timeout : 14400
Idle-Timeout : 600
AVPair : ip:wins-servers=10.1.1.223
Framed-IP-Address : 10.1.7.150
AVPair : ip:dns-servers=145.253.2.11


But accepting a session using the following attributes fails to connect.
Login-IP-Host : 10.1.7.201
Framed-IP-Address : 10.1.7.155
Login-Service : Telnet
Login-TCP-Port : 23

What application might I use to test this environment using a Windows XP
system? I thought I had to dial up the normal way and then start my Telnet
client to configure the router?
If I configure my dialup settings to use PPP, I get refused/disconnected
immediately.
If I configure my dialup settings to use SLIP, I will be disconnected after
about 22s.


What is the expected difference, or the advantage, of using
Login-Service=Telnet?


Thank You.

Regards
Stefan


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Hints & Huntgroups [SEC=UNCLASSIFIED]

2008-04-02 Thread Ranner, Frank MR
UNCLASSIFIED


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Smith
 Sent: Thursday, 3 April 2008 09:20
 To: freeradius-users@lists.freeradius.org
 Subject: Hints & Huntgroups
 
 Should I be able to either
 
 1) Set a Huntgroup via the huntgroups file (matching on
 NAS-IP-Address) and use that in the Hints file as a match
 (Huntgroup-Name == blah), or
 2) Set a Hint in the hints file and use that as the match
 for the Huntgroup?
 
 Currently testing on FreeRADIUS Version 1.1.0, and the files seem to be
 parsed independently, so attributes modified/added in one aren't
 visible in the other?
 
 Essentially I'd like to set both a huntgroup and perform some username
 substitution in hints on queries from the same set of NAS. I can
 define the full set of NAS in both files of course, but was hoping to
 only define the list of NAS-IP-Address once. Ideally, set the Huntgroup
 first and then use the Huntgroup-Name in the Hints file.
 
 Thanks
 
 Dean Smith
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 

Hints is processed first, then Huntgroups. You can set up 2 instances of
preprocess, process huntgroups in the first instance and hints in the
second. You can also set the Huntgroup item in hints as the result of an
sql or ldap lookup. Once the huntgroup variable exists, further
huntgroup sections exit immediately.

Regards,
Frank Ranner 

Classification=UNCLASSIFIED
Precedence=ROUTINE
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
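Frank's two-instance layout, written out as an added example for Dean's 1.1.0 setup (this is not a configuration posted in the thread, nor the project's shipped config). The instance names huntgroups_first and hints_second, the NAS addresses, the group name "dialup" and the empty file hints.empty are assumptions; the second instance keeps the real huntgroups file so that a Huntgroup-Name check item in hints has a huntgroups list to be compared against.

```text
# radiusd.conf, FreeRADIUS 1.1.x: two instances of rlm_preprocess
# (added example; instance and file names are assumed).
#
# huntgroups_first reads the real huntgroups file and an empty hints
# file, so Huntgroup-Name is decided before any hint is evaluated.
# rlm_preprocess opens both files at startup, hence an empty file
# rather than no "hints" setting at all.
modules {
	preprocess huntgroups_first {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints.empty
	}

	# hints_second reads the real hints file.  It keeps the huntgroups
	# file too, so "Huntgroup-Name == ..." in hints can be matched; the
	# huntgroup pass it makes afterwards is a no-op once the name exists.
	preprocess hints_second {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
	}
}

authorize {
	huntgroups_first
	hints_second
	files
	# ... the remaining stock authorize modules, unchanged
}

# huntgroups: the NAS list is written once, here only (assumed addresses).
dialup	NAS-IP-Address == 192.0.2.10
dialup	NAS-IP-Address == 192.0.2.11

# hints: the username substitution applies only to that huntgroup.
# A login of "alice.ppp" from a dialup NAS is rewritten to "alice" and
# tagged as a PPP session before "files" is consulted.
DEFAULT	Huntgroup-Name == "dialup", Suffix == ".ppp", Strip-User-Name = Yes
	Hint = "PPP",
	Service-Type = Framed-User,
	Framed-Protocol = PPP
```

Running the server with radiusd -X shows which instance sets Huntgroup-Name and which hint entry matches, so the ordering can be verified before the two files are relied on in production.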

Re: Mapping ldap attribute with radius attribute...howto?

2008-04-02 Thread Alan DeKok
Eric Martell wrote:
 Is there a way, when an ldap query (irrespective of how I use it) finds
 multiple result sets, to get the first result and return success instead of
 sending a reject?

  Edit the source code to rlm_ldap.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: using different LDAP queries to authorize for different services

2008-04-02 Thread Alan DeKok
Sylvain Robitaille wrote:
 
 I'm back.  Small reminder, since it appears that list members are
 helping a sufficient number of folks that remembering my particular
 setup would be non-trivial:

  I have trouble remembering messages from 10 minutes ago.  It's easier
that way.

...
   - My configuration files are nearly stock, with the exception of the
 necessary configuration to get the ldap module talking to the LDAP
 server.
   - This setup has been running like this now for a couple of days
 without any trouble.

  And yes, it really is that easy.  (That's mostly for the people who
think it's hard... because they butcher the default configs.)

 What I'm aiming to accomplish, however, is that the FreeRADIUS server
 will authorize users for different services based on a slightly
 different LDAP query.  The users are in various groups, which can be
 checked by supplying an LDAP query filter that checks the memberOf
 attribute;  Users in group wireless should be permitted to use the
 wireless service; users in group vpn should be able to use the VPN
 service; users in both groups could use either, and users in neither
 group should be refused for either, etc.

  You should be able to do this with multiple LDAP modules, or maybe by
dynamically editing the ldap query.

...  Running radiusd in debug mode shows that the
 ldap module is using the configuration for its un-named instance (the
 default one from the stock config files, with minimal configuration to
 permit it to lookup users in our LDAP).

  You have to change the reference to ldap in sites-available/default
to the instance name, e.g. ldap_wireless.

 I can tell the difference in which LDAP module configuration stanza is
 used by the query filter shown in the debug output.

  Thankfully.  Isn't debug output nice?  More people should use it...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius push attribute to wireless connection

2008-04-02 Thread Guillaume Chartrand

What is in the Access-Accept packet?

Ivan Kalik
Kalik Informatika ISP

Sending Access-Accept of id 98 to 172.20.50.202 port 1037
Session-Timeout := 30
MS-MPPE-Recv-Key = 
0x7a1997f1239667f0efeb3c4461711ac3467845bad3fc11db5ceaaae6b4161ec7
MS-MPPE-Send-Key = 
0x23e0e4835b830081fe1b624d8f10fc7afa1459a87b814479a83f5fbcbab949ef
EAP-Message = 0x03620004
Message-Authenticator = 0x
User-Name = guillaume
Finished request 9.

Here is the access-accept; the IP address shown below is the Access Point IP. Is
it possible that the AP cannot send this kind of attribute?

Dana 2/4/2008, Guillaume Chartrand
[EMAIL PROTECTED] piše:

Hi,

I'm using Freeradius 2.0. I configured it with an SQL database, and the
principal job of the radius server is to authorize and authenticate my
wireless users over my network. What I want to do is to give some
attributes to the user when connected, like Session-Timeout, bandwidth
and some other stuff. Here are some entries in my database:

usergroup

1,guillaume,dynamic
2,jacques,dynamic

Radcheck

1,guillaume,Cleartext-Password,xx,:=
2,jacques,Cleartext-Password,x,:=

Radreply

3,guillaume,Session-Timeout,30,:=

It's an MSSQL database.

Here is the debug info with radiusd -X:

rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'guillaume' ORDER BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'guillaume' ORDER BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok

I have access, but my session didn't disconnect after 30 sec. So can I do
that with the wireless configuration? My goal is to give guest users
a limited time and an expiration date.

Thanks

Guillaume Chartrand




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: session-timeout for disconnect at fixed time

2008-04-02 Thread javkhlanbaatar

The result is still the same. It doesn't return Session-Timeout.
What would the Value field in radgroupreply be, if I tried to use a mysql
table instead of the users file?


 Try SQL-Group == static in user file entry. You are not using Unix
 groups.

 Ivan Kalik
 Kalik Informatika ISP


 Dana 2/4/2008, [EMAIL PROTECTED]
 [EMAIL PROTECTED] piše:

hi,

I want to disconnect users at midnight. So I've read the April 2004
forum and found some solutions. But there isn't anything about where to put
the Session-Timeout attribute. I've tried to put it into the users file.

DEFAULT Group := 'static', Session-Timeout := `%{expr: ((%l + 86399) %%
86400) - %l}`
Service-Type == Framed-User ...

It didn't return Session-Timeout. But when I remove the Group section from
the users file then it returns Session-Timeout.

Also I've tried to put this into the expr section in radiusd.conf, then
put expr into the authorize section. But it says the authorize section
couldn't read expr.

How can I do this?

I want to put this attribute into the mysql radgroupreply table. What should
I enter in the Value field?




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP Authentication

2008-04-02 Thread Devinder Singh
Hi, I have set up FreeRADIUS to allow users to set up certificates on their
notebooks and get access to the Internet.

When I set EAP I can't seem to allow monowall captive portal users to log in to
the RADIUS Server.


Are there any settings to be done in the users.conf file or radiusd.conf file to
allow users to log in via the monowall captive portal login page?

FreeRADIUS rejects logins from the captive portal login.

Should I be using MSCHAP, or can I still use EAP?

Thank you

Devinder
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: using different LDAP queries to authorize for different services

2008-04-02 Thread Sylvain Robitaille


On Thu, 3 Apr 2008, Alan DeKok wrote:


I have trouble remembering messages from 10 minutes ago.  It's easier
that way.


There were messages 10 minutes ago?  ;-)


...

  - My configuration files are nearly stock, with the exception of the
necessary configuration to get the ldap module talking to the LDAP
server.
  - This setup has been running like this now for a couple of days
without any trouble.


And yes, it really is that easy.  ...


And quite frankly, darned amazing!  All (?!? nearly all?) the third-party
documentation out there makes it *seem* difficult.  If nothing else,
not trying to set the Auth-Type anywhere (and letting the server do the
Right Thing) results in a noticeable improvement in RADIUS performance
(at least in the case here, where our old configuration explicitly sets
Auth-Type to LDAP, causing an LDAP-bind for every authentication
request, and we're getting LOTS of authentication requests).

Had I persisted more at getting this right (rather than simply working)
a couple of years ago when I originally set it up, I likely would have
saved myself many headaches!


What I'm aiming to accomplish, however, is that the FreeRADIUS server
will authorize users for different services based on a slightly
different LDAP query.  ...


You should be able to do this with multiple LDAP modules, or maybe by
dynamically editing the ldap query.


Dynamically editing the query hadn't occurred to me.  I've been trying
to configure multiple instances of the LDAP module.  Even now
considering dynamically editing the ldap query, I suspect that the
multiple module approach is likely simpler to configure and maintain.


You have to change the reference to ldap in sites-available/default.
to the instance name.  e.g. ldap_wireless.


In the authorize stanza, then?  So I replace

#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap

with

#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap_wireless

or

#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap ldap_wireless

?

Can I then add an ldap_vpn as well, in the same place?

Is this where I should be using

Autz-Type wireless {
ldap_wireless
}
Autz-Type vpn {
ldap_vpn
}
...
?

I'm placing the ldap module-instance configuration in radiusd.conf,
and setting Autz-Type in users.  Are these the correct places for
those items?

Is there specific documentation I should be re-reading to properly
understand this?  I feel as though I sort-of understand the sequence,
from examining debug output, but I don't feel I really know (yet) how to
make the server do my bidding.

--
Sylvain Robitaille  [EMAIL PROTECTED]

Systems and Network analyst   Concordia University
Instructional & Information Technology   Montreal, Quebec, Canada
--
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: using different LDAP queries to authorize for different services

2008-04-02 Thread Chris


On Apr 2, 2008, at 5:52 PM, Alan DeKok wrote:

Sylvain Robitaille wrote:


What I'm aiming to accomplish, however, is that the FreeRADIUS server
will authorize users for different services based on a slightly
different LDAP query.  The users are in various groups, which can be
checked by supplying an LDAP query filter that checks the memberOf
attribute;  Users in group wireless should be permitted to use the
wireless service; users in group vpn should be able to use the VPN
service; users in both groups could use either, and users in neither
group should be refused for either, etc.


 You should be able to do this with multiple LDAP modules, or maybe by
dynamically editing the ldap query.


...  Running radiusd in debug mode shows that the
ldap module is using the configuration for its un-named instance (the
default one from the stock config files, with minimal configuration to
permit it to lookup users in our LDAP).


 You have to change the reference to ldap in sites-available/default
to the instance name, e.g. ldap_wireless.



I'm looking to do something similar.

What is the proper way to call a specific LDAP module based on
NAS-IP-Address (or huntgroup, probably)?


I don't want anything other than files (for overriding LDAP for
testing), then LDAP.


Obviously, I want to stay as close to the default config as
possible.  :)



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
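The multiple-instance approach Alan suggests to Sylvain, with the selection by NAS-IP-Address that Chris asks about, written out as an added example in FreeRADIUS 2.0 syntax (not a configuration from any post in this thread, and not the project's shipped config). The instance names ldap_wireless and ldap_vpn follow Alan's naming; the LDAP server, bind DN, base DN, group DNs, CA file path and the NAS addresses 192.0.2.10 and 192.0.2.20 are placeholders.

```text
# raddb/modules/ldap (FreeRADIUS 2.0): one rlm_ldap instance per service.
# The two differ only in the search filter, which requires membership of
# the service's group, so a user outside that group is simply "notfound".
# Hostname, DNs, group names and the CA path are assumed values.
ldap ldap_wireless {
	server = "ldap.example.com"
	identity = "cn=radius,ou=service,dc=example,dc=com"
	password = "CHANGE-ME"
	basedn = "ou=people,dc=example,dc=com"
	filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=wireless,ou=groups,dc=example,dc=com))"
	dictionary_mapping = ${confdir}/ldap.attrmap
	tls {
		start_tls = yes
		cacertfile = /etc/raddb/certs/ca.pem
	}
}

ldap ldap_vpn {
	server = "ldap.example.com"
	identity = "cn=radius,ou=service,dc=example,dc=com"
	password = "CHANGE-ME"
	basedn = "ou=people,dc=example,dc=com"
	filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=vpn,ou=groups,dc=example,dc=com))"
	dictionary_mapping = ${confdir}/ldap.attrmap
	tls {
		start_tls = yes
		cacertfile = /etc/raddb/certs/ca.pem
	}
}

# raddb/sites-available/default, authorize section: the bare "ldap" line
# is replaced by a choice keyed on the NAS that sent the request.
# "files" stays ahead of it so a local entry can still override LDAP
# while testing.
authorize {
	preprocess
	chap
	mschap
	suffix
	eap {
		ok = return
	}
	files
	if (NAS-IP-Address == 192.0.2.10) {
		# wireless controller: a user outside the wireless group is rejected
		ldap_wireless {
			notfound = reject
		}
	}
	elsif (NAS-IP-Address == 192.0.2.20) {
		# VPN concentrator: a user outside the vpn group is rejected
		ldap_vpn {
			notfound = reject
		}
	}
	else {
		# a NAS with no service mapping gets no LDAP lookup at all
		update control {
			Auth-Type := Reject
		}
	}
	expiration
	logintime
	pap
}
```

The "notfound = reject" override turns the "user in neither group" case into an explicit Access-Reject instead of relying on the absence of a password to fail the request later. For EAP methods with an inner tunnel (PEAP/TTLS) the inner identity is authorized in sites-available/inner-tunnel, so the same selection is needed in that authorize section as well, keyed on the outer request's NAS-IP-Address (%{outer.request:NAS-IP-Address}). Running radiusd -X shows the filter each instance expands, which is the quickest way to confirm the right instance ran.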