Re: Freeradius help to update /etc/hosts?
Dave wrote:
> I've been using freeradius for years to authenticate pppoe users for my WISP. Customers get dynamic IP addresses from an IP pool. I'm going to be implementing a new monitoring system, and I need to use hostnames to check on customer status. Anyone have ideas how freeradius can update a DNS server such as BIND or other linux DNS server?

Use PowerDNS. Put the host names into SQL. Use FreeRADIUS (2.1.6) to do SQL inserts.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
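As an added example (not from the thread, and not FreeRADIUS or PowerDNS code), here is the accounting-to-DNS logic Alan sketches, worked in Python against an in-memory sqlite3 copy of a cut-down PowerDNS generic-SQL `records` table; the zone name `ppp.example.net`, the column subset and the sample packets are assumptions. Start and Interim-Update replace the customer's A record, Stop deletes it, and the User-Name is validated as a DNS label before anything from the NAS reaches the zone.

```python
import ipaddress
import re
import sqlite3
from typing import Optional

ZONE = "ppp.example.net"   # constructed zone for customer hostnames (assumption)
TTL = 60                    # short TTL: pool addresses change with every session

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def connect() -> sqlite3.Connection:
    """In-memory stand-in for the PowerDNS gsql backend. Only the columns used
    here are modelled; the real schema has more (assumption, see lead-in)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
        CREATE TABLE records (
            id          INTEGER PRIMARY KEY,
            domain_id   INTEGER NOT NULL REFERENCES domains(id),
            name        TEXT    NOT NULL,
            type        TEXT    NOT NULL,
            content     TEXT    NOT NULL,
            ttl         INTEGER NOT NULL,
            change_date INTEGER NOT NULL,
            UNIQUE (name, type)
        );
    """)
    db.execute("INSERT INTO domains (name) VALUES (?)", (ZONE,))
    return db


def hostname_for(user_name: str) -> Optional[str]:
    """Derive the customer's FQDN from User-Name. The realm is dropped and the
    result must be a valid label, so NAS-supplied text cannot put arbitrary
    names into the zone; None means 'refuse this packet'."""
    label = user_name.split("@", 1)[0].lower().replace("_", "-")
    if not LABEL_RE.match(label):
        return None
    return f"{label}.{ZONE}"


def on_accounting(db: sqlite3.Connection, status_type: str, user_name: str,
                  framed_ip: str, now: int) -> bool:
    """Apply one Accounting-Request. Start/Interim-Update replace the A record
    (the pool may hand out a different address next time), Stop removes it.
    Returns False when the packet changed nothing."""
    name = hostname_for(user_name)
    if name is None:
        return False
    if status_type in ("Start", "Interim-Update"):
        try:
            ipaddress.IPv4Address(framed_ip)   # only a real address goes into content
        except ValueError:
            return False
        with db:   # one transaction: delete + insert, so lookups never see both
            db.execute("DELETE FROM records WHERE name = ? AND type = 'A'", (name,))
            db.execute(
                "INSERT INTO records (domain_id, name, type, content, ttl, change_date) "
                "SELECT id, ?, 'A', ?, ?, ? FROM domains WHERE name = ?",
                (name, framed_ip, TTL, now, ZONE))
        return True
    if status_type == "Stop":
        with db:
            cur = db.execute("DELETE FROM records WHERE name = ? AND type = 'A'", (name,))
        return cur.rowcount > 0
    return False   # Accounting-On/Off and others are not mapped in this example


def lookup(db: sqlite3.Connection, user_name: str) -> Optional[str]:
    """What the monitoring system would resolve: the customer's current address."""
    name = hostname_for(user_name)
    if name is None:
        return None
    row = db.execute("SELECT content FROM records WHERE name = ? AND type = 'A'",
                     (name,)).fetchone()
    return row[0] if row else None
```

In a real deployment the same DELETE/INSERT statements would be configured as the sql module's accounting queries so that FreeRADIUS performs them itself, as Alan suggests.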
invoke userdefine module
hi, i installed freeradius 2.1.6. i added one user-defined module, but i need to invoke this module to test username and password. could you please let me know how to invoke that user-defined module?

regards,
shiva shankar
Re: invoke userdefine module
See http://wiki.freeradius.org/Modules2

On 23 August 2009, at 23:45, shivashankar wrote:
> hi, i installed freeradius 2.1.6. i added one user-defined module, but i need to invoke this module to test username and password. could you please let me know how to invoke that user-defined module?
>
> regards,
> shiva shankar
Re: rlm_perl / libtool / libltdl problem
> Does this mean you are also having this problem with 2.2.6a of libtool/libltdl?

Yes.

> There isn't a permanent solution that I know of yet. However, there is a workaround that you can use for now:
>
> LD_PRELOAD=path_to_libperl.so /usr/local/sbin/radiusd

Thanks. It works.

> Where path_to_libperl.so is the full path for that file (e.g., it's /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so on one of my systems).
>
> -----Original Message-----
> From: freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org On Behalf Of Anton Brinyov
> Sent: Sunday, August 23, 2009 6:17 PM
> To: FreeRadius users mailing list
> Subject: Re: rlm_perl / libtool / libltdl problem
>
>> Hi,
>> It means, there isn't solution for this problem now?
>> Thanks, Anton
Failed to add duplicate client problem
We have a vpn gateway with different URLs for different user groups. For each URL a specific radius server has to be defined. Up to now those different radius servers have been installed on different machines. When trying to consolidate those servers within different virtual servers on one single machine freeradius refuses to start with the "Failed to add duplicate client xx to clients list. Maybe there's a duplicate?" message. Yes, there is a duplicate and it is on purpose. Is there a way to circumvent this?

Kind regards
Norbert Wegener
Re: Failed to add duplicate client problem
Wegener, Norbert wrote:
> We have a vpn gateway with different URLs for different user groups. For each URL a specific radius server has to be defined. Up to now those different radius servers have been installed on different machines. When trying to consolidate those servers within different virtual servers on one single machine freeradius refuses to start with the "Failed to add duplicate client xx to clients list. Maybe there's a duplicate?" message. Yes, there is a duplicate and it is on purpose. Is there a way to circumvent this?

List the clients under different virtual servers, and have the virtual servers listen on different IP addresses. The list of clients is based off of a virtual server. Within each virtual server, the client IP addresses *must* be unique.

If you post your config, my guess is that you have *global* clients, and then are defining the same client IP twice.

Alan DeKok.
AW: Failed to add duplicate client problem
> If you post your config, my guess is that you have *global* clients, and then are defining the same client IP twice.

The clients are read from an sql database. As every client has a corresponding server attached in that database it could be assumed that every client is local to that virtual server. This obviously is not true. Having distinct sql*conf files for each server and different nas_query in dialup*.conf solves the problem.

Thank you.
Norbert Wegener
Re: invoke userdefine module
hi Doug Hardie,

i added module through this link only. the thing is i need to check username password in newly created module

2009/8/24 Doug Hardie bc...@lafn.org
> See http://wiki.freeradius.org/Modules2
>
> On 23 August 2009, at 23:45, shivashankar wrote:
>> hi, i installed freeradius 2.1.6. i added one user-defined module, but i need to invoke this module to test username and password. could you please let me know how to invoke that user-defined module?

--
regards,
shiva shankar
Re: invoke userdefine module
You call the module like any other: by listing it in virtual server configuration. That link explains how the module can get attributes from the request.

Ivan Kalik
Kalik Informatika ISP

> i added module through this link only. the thing is i need to check username password in newly created module
>
> 2009/8/24 Doug Hardie bc...@lafn.org
>> See http://wiki.freeradius.org/Modules2
>>
>> On 23 August 2009, at 23:45, shivashankar wrote:
>>> i installed freeradius 2.1.6. i added one user-defined module, but i need to invoke this module to test username and password.
Re: AW: Failed to add duplicate client problem
Wegener, Norbert wrote:
>> If you post your config, my guess is that you have *global* clients, and then are defining the same client IP twice.
>
> The clients are read from an sql database. As every client has a corresponding server attached in that database it could be assumed that every client is local to that virtual server. This obviously is not true.

Ah... that code isn't written. The add client routine needs to catch the case of SQL adding clients with servers. It doesn't do that right now.

> Having distinct sql*conf files for each server and different nas_query in dialup*.conf solves the problem. Thank you.

OK. We'll take a look at fixing it in the next release.

Alan DeKok.
Re: CoA-Ack and radclient/radiusd
Alan DeKok wrote:
> Anton G. wrote:
>> get today git/stable and tried - same result.. (
>
> Are you sure you're using *that* version, and that you don't have multiple versions of the software installed?

Yes, checked it twice..

>> Alan, can you please provide me some tips to do further debug of this?
>
> It involves looking through the hashes in src/lib/packet.c. It's not pretty...

well, i have no choice, i should dig it out

>> Not mentioning radiusd CoA, i'm pretty puzzled why radclient doesn't want to handle CoA-ACK from nas..
>
> I don't know... others have got this to work.

i understand, radclient have coa support for a long time..

> What's the OS / CPU?

FreeBSD 7.1-RELEASE-p3 jail

Could it be OS specific? or NAS specific?
Re: Echo the radius accounting request
Hi,

Thanks for your mail. I want to send the radius accounting packets to home server but the home server is not radius server. It will take that accounting packet and process for billing and I also need the following thing in echo request

username= us...@doamain.com calling-station-id= user1
username= us...@doamain.com calling-station-id= user2

Is it possible?

Cheers
Ganesh

--- On Fri, 8/21/09, Ivan Kalik t...@kalik.net wrote:
> From: Ivan Kalik t...@kalik.net
> Subject: Re: Echo the radius accounting request
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Friday, August 21, 2009, 9:32 PM
>
>> RAS --- Free radius Proxy Radius
>>
>> 1) I want to echo the free radius accounting request with modified two radius attributes to another proxy radius server.
>
> See copy-acct-to-home-server virtual server.
>
>> 2) but another radius server will not send any acknowledgement back to freeradius server. And freeradius will mark it as dead and stop sending packets to it.
>
> Why would you want to break the home server so it would stop responding?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: files: How to choose SQL entry for users?
Hi.

I tried to use sql_auth-SQL-Group like ldap example (DEFAULT sql_auth-SQL-Group == Group1), but FR-server failed with error 'users[1]: Parse error (check) for entry DEFAULT: Invalid octet string Group1 for attribute name sql_auth-SQL-Group'. This error says that attribute is not defined in dictionary. I had success when 'sql_auth' was defined as last entry in instantiate { }. But I think that this solution is unsecure and wrong.

On Fri, Aug 21, 2009 at 07:14:32PM +0100, Ivan Kalik wrote:
>> users: DEFAULT SQL-Group == 'Group1' ...
>> But files chooses sql_acct (alphabetic first) as sql entry. How to choose sql_auth?
>
> http://wiki.freeradius.org/Rlm_ldap#Group_Support
> Same applies to sql groups.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: files: How to choose SQL entry for users?
George Koulyabin wrote:
> I had success when 'sql_auth' was defined as last entry in instantiate { }. But I think that this solution is unsecure and wrong.

Why is that?

Alan DeKok.
Re: files: How to choose SQL entry for users?
> I tried to use sql_auth-SQL-Group like ldap example (DEFAULT sql_auth-SQL-Group == Group1), but FR-server failed with error 'users[1]: Parse error (check) for entry DEFAULT: Invalid octet string Group1 for attribute name sql_auth-SQL-Group'. This error says that attribute is not defined in dictionary. I had success when 'sql_auth' was defined as last entry in instantiate { }.

Yes, you do need to list them in instantiate if files are instantiated first in startup sequence. But you can change the order the modules are listed.

> But I think that this solution is unsecure and wrong.

Why?

Ivan Kalik
Kalik Informatika ISP
Re: Echo the radius accounting request
On Mon, Aug 24, 2009 at 5:35 PM, ganesh nagpure gnagpure_m...@yahoo.com wrote:
> Hi, Thanks for your mail. I want to send the radius accounting packets to home server but the home server is not radius server. It will take that accounting packet and process for billing

In that case why bother proxying radius packets? Why not simply write the acct packets to a database and have your billing application read the database?

> and I also need the following thing in echo request
>
> username= us...@doamain.com calling-station-id= user1
> username= us...@doamain.com calling-station-id= user2

should be easy from freeradius' default radacct table.

--
Fajar
check username and password
hi

how to check username and password in rlm_wipromodule (user-defined) module. please help
Re: check username and password
> how to check username and password in rlm_wipromodule (user-defined) module.

Did you actually read this?
http://wiki.freeradius.org/Modules2#Accessing_Radius_Request_Attributes

Ivan Kalik
Kalik Informatika ISP
Freeradius die-ing without any reason or log
Hi,

I have a production server running freeradius 2.0.5 on debian lenny.

Basic description as follows:
Server has been up for about a year. Not too busy. Approx 1.6 million interim accounting updates per month. Server runs rlm_perl only. Perl talks to sql database. All packets stored in sql, auth/start/stop/interim. Some queries do need a bit of optimization, it's on my todo list. Above info is basically so you can get an idea of how busy the server is.

Now my problem:
It has now happened three times that the server has just died. All three times in the past 3 months. Server is getting busier over time, and it didn't happen in the beginning, so it could be load related. When it dies there is nothing in the logs whatsoever. Just my last log entry that I made from perl, and nothing else. I also checked the system log files for things like oomkiller, nothing.

Any ideas on where to start troubleshooting as to why this happens, as the logs contain nothing whatsoever? I realise this is vague, please let me know if you need more info. Obviously posting the full log is not going to work, as the server lasts 4-6 weeks before crashing.

I have in the meantime upgraded to freeradius downloaded and compiled from git on about 2009-05-27 (identifies itself as 2.1.6, but from git about a week after the release of 2.1.6). No idea if this will resolve the issue.

Thanks!

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: Proxying accounting to create a 'tee'
On 23/08/2009 18:17, Fajar A. Nugraha wrote:
> On Sun, Aug 23, 2009 at 11:54 PM, Ivan Kalik t...@kalik.net wrote:
>>> On Sat, Aug 22, 2009 at 5:53 PM, Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
>>>> Fajar A. Nugraha wrote:
>>>>> In that setup, where does one get AcctStartTime and AcctStopTime values?
>>>> Or just use whatever functions are available in your scripting environment.
>>>>> - is it from the NAS?
>>>> No, the NAS doesn't include any timestamps.
>>> Your answer is the complete opposite of Ivan's response :D So which one is correct?
>> His. Packet timestamp is generated by radius server.
>
> So %S in dialup.conf is packet timestamp, and if I'm reading from detail file I should make use of the attribute Packet-Original-Timestamp (or similar) to get the real packet timestamp?

No, that'll get you the timestamp of when the packet was read back into the server. The only way to calculate the original received timestamp is to write the original Acct-Delay-Time into a custom attribute (say Acct-Delay-Time-Orig), subtract that from the current Acct-Delay-Time, then that from the current UNIX timestamp.

received_time = current_unix_ts - (Acct-Delay-Time - Acct-Delay-Time-Orig)

If you just want an accurate start time, you need to subtract Acct-Delay-Time from the current timestamp.

start_time = current_unix_ts - Acct-Delay-Time

See it's all pretty simple :)

You can do the above calculations with the expressions module (expr) which operates in pretty much the same way as the TCL expressions module.

> Thanks for the help. I'm trying to deploy a setup similar to John's, proxying acct packets only, where proxying failure should not affect response to the NAS. Decoupled accounting along with getting the original packet timestamp seems to be the key of getting this right.

Yeah it's a pretty common setup, we do it too. One thing you have to watch out for is packets with fatal errors. Where the remote accounting server never acknowledged receipt of the packet, so it gets stuck in an infinite loop in the proxying queue. I haven't figured out how to solve this properly with the current setup, so it'd be good to see some discussion on list about it.

--
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk
Systems Administrator (AAA), Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
Re: files: How to choose SQL entry for users?
On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote:
> George Koulyabin wrote:
>> I had success when 'sql_auth' was defined as last entry in instantiate { }. But I think that this solution is unsecure and wrong.
>
> Why is that?
>
> Alan DeKok.

For example, I added new sql-module into sql.conf and forgot to fix order of loading of sql-modules in instantiate { }. I tried to do it. The 'users' used last sql-module of sql.conf. Variable 'sqlmod-inst' is used by 'sqlcounter'-module, but why isn't such variable used in 'files'-module?
Re: Proxying accounting to create a 'tee'
Arran Cudbard-Bell wrote:
> No, that'll get you the timestamp of when the packet was read back into the server. The only way to calculate the original received timestamp is to write the original Acct-Delay-Time into a custom attribute (say Acct-Delay-Time-Orig), subtract that from the current Acct-Delay-Time, then that from the current UNIX timestamp.

The detail file reader creates/updates the Acct-Delay-Time based on how long the packet has been sitting in the detail file. There's no need to update it manually.

> Yeah it's a pretty common setup, we do it too. One thing you have to watch out for is packets with fatal errors. Where the remote accounting server never acknowledged receipt of the packet, so it gets stuck in an infinite loop in the proxying queue. I haven't figured out how to solve this properly with the current setup, so it'd be good to see some discussion on list about it.

Hmm... it should continue sending a packet from the detail file until the upstream server has responded. It shouldn't write packets to the detail file if they've been read from the detail file.

Alan DeKok.
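As an added example (not from the thread and not FreeRADIUS code), Arran's two formulas from the message above, together with Alan's point that the detail reader maintains Acct-Delay-Time itself, worked in Python on a constructed Accounting-Start that the NAS retransmits twice and that then sits in a detail file for ten minutes before the home server sees it. The AcctRequest class, the hop functions and all timings are assumptions made for the walk-through.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AcctRequest:
    """Constructed stand-in for the two attributes this example needs."""
    user_name: str
    acct_delay_time: int = 0                    # RFC 2866: seconds the NAS has been trying to send
    acct_delay_time_orig: Optional[int] = None  # Arran's custom copy, set by the first proxy


def nas_retransmit(pkt: AcctRequest, seconds_waited: int) -> AcctRequest:
    """A NAS that gets no Accounting-Response resends the same record with
    Acct-Delay-Time increased by the time it has been waiting."""
    return AcctRequest(pkt.user_name, pkt.acct_delay_time + seconds_waited,
                       pkt.acct_delay_time_orig)


def first_proxy_receipt(pkt: AcctRequest) -> AcctRequest:
    """Arran's step: copy the delay seen on first receipt into Acct-Delay-Time-Orig."""
    return AcctRequest(pkt.user_name, pkt.acct_delay_time, pkt.acct_delay_time)


def detail_replay(pkt: AcctRequest, queued_seconds: int) -> AcctRequest:
    """Alan's point: the detail-file reader adds the time the packet sat in the
    file to Acct-Delay-Time, so nobody has to do it by hand."""
    return AcctRequest(pkt.user_name, pkt.acct_delay_time + queued_seconds,
                       pkt.acct_delay_time_orig)


def event_time(now: int, pkt: AcctRequest) -> int:
    """start_time = current_unix_ts - Acct-Delay-Time: when it happened on the NAS."""
    return now - pkt.acct_delay_time


def first_received_time(now: int, pkt: AcctRequest) -> int:
    """received_time = current_unix_ts - (Acct-Delay-Time - Acct-Delay-Time-Orig):
    when the first proxy saw the packet, however often it was replayed since."""
    if pkt.acct_delay_time_orig is None:
        raise ValueError("packet never went through first_proxy_receipt()")
    return now - (pkt.acct_delay_time - pkt.acct_delay_time_orig)


def walk_through() -> dict:
    """Follow one Accounting-Start from NAS to home server (constructed times)."""
    t_event = 1_251_100_000                 # session starts on the NAS
    pkt = AcctRequest("alice")
    pkt = nas_retransmit(pkt, 3)            # first retry, 3 s after the event
    pkt = nas_retransmit(pkt, 3)            # second retry, 6 s after the event
    t_proxy = t_event + 6                   # the proxy finally receives it
    at_proxy = first_proxy_receipt(pkt)
    at_home = detail_replay(at_proxy, 600)  # home server down: 10 min in the detail file
    t_home = t_proxy + 600                  # home server clock when the replay arrives
    return {
        "event": t_event,
        "proxy_clock": t_proxy,
        "event_seen_by_proxy": event_time(t_proxy, at_proxy),
        "event_seen_by_home": event_time(t_home, at_home),
        "first_received_seen_by_home": first_received_time(t_home, at_home),
        # what the home server would record if it simply stamped arrival time
        "naive_home_error_seconds": t_home - t_event,
    }
```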
Re: Freeradius die-ing without any reason or log
Johan Meiring wrote:
> I have a production server running freeradius 2.0.5 on debian lenny.
> ...
> It has now happened three times that the server has just died. All three times in the past 3 months.

It's 2.0.5. There have been a number of issues fixed since then.

> Any ideas on where to start troubleshooting as to why this happens, as the logs contain nothing whatsoever?

See doc/bugs in 2.1.x. It contains instructions for running it under gdb. There are no performance impacts of doing this.

> I have in the meantime upgraded to freeradius downloaded and compiled from git on about 2009-05-27 (identifies itself as 2.1.6, but from git about a week after the release of 2.1.6).

Grab the latest from stable git. It has even more issues fixed...

Alan DeKok.
Re: files: How to choose SQL entry for users?
George Koulyabin wrote:
> On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote:
>> George Koulyabin wrote:
>>> I had success when 'sql_auth' was defined as last entry in instantiate { }. But I think that this solution is unsecure and wrong.
>>
>> Why is that?
>
> For example, I added new sql-module into sql.conf and forgot to fix order of loading of sql-modules in instantiate { }. I tried to do it. The 'users' used last sql-module of sql.conf. Variable 'sqlmod-inst' is used by 'sqlcounter'-module, but why isn't such variable used in 'files'-module?

(a) That doesn't make it unsecure.

(b) you may have MULTIPLE sql modules, and may be doing MULTIPLE sql group comparisons in the files module. Adding one sqlmod-inst to the files module won't help you try to use MULTIPLE sql modules.

Alan DeKok.
Re: files: How to choose SQL entry for users?
> On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote:
>> George Koulyabin wrote:
>>> I had success when 'sql_auth' was defined as last entry in instantiate { }. But I think that this solution is unsecure and wrong.
>>
>> Why is that?
>
> For example, I added new sql-module into sql.conf and forgot to fix order of loading of sql-modules in instantiate { }.

So you think freeradius is faulty and unsecure because it didn't work the way you wanted when you didn't configure it properly?

> Variable 'sqlmod-inst' is used by 'sqlcounter'-module, but why isn't such variable used in 'files'-module?

sqlcounter will instantiate sql instance it needs before it is instantiated. Files module will not instantiate all possible sql, ldap, counter and whatever instances that might field attributes in it. You will have to add them to instantiate if they are not loaded *before* files module on server startup. If you list those instances before files in authorize they should also be instantiated before files on startup.

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius die-ing without any reason or log
Hi,

> I have a production server running freeradius 2.0.5 on debian lenny.

there have been several changes in the 2.1.x tree to stop random crashes occurring - these are often the results of handlers being stripped, memory leaks/overwrites and some very corner cases. i would try the 2.1.6 release ('git' release if you are feeling brave)

alan
RE: TTLS to require client cert
I have similar problem. I also try to force TTLS to request client certificate but it just does not happen. The radius does not send the request. Maybe the reason is that I added EAP-TLS-Require-client-cert = YES in the wrong section? I uncommented it in the tls section of eap.conf.

Thanks for your help.

-----Original Message-----
From: freeradius-users-bounces+yoni.levin=altair-semi@lists.freeradius.org On Behalf Of Petar Marinkovic
Sent: Thursday, July 16, 2009 12:43 AM
To: t...@kalik.net; FreeRadius users mailing list
Subject: Re: TTLS to require client cert

> Yes, it does, but something isn't working, he is just not checking the client certificate
>
> On 07/15/2009, Ivan Kalik t...@kalik.net wrote:
>>> Hi all, I need help once again. I want TTLS to require client cert. I put EAP-TLS-Require-client-cert = YES in ttls { part of eap.conf but it's not working. What I am doing wrong here?
>>
>> What isn't working? Freeradius can request a certificate - does your supplicant support that?
RE: Dynamic VLAN attribute in LDAP or AD?
I'm assuming I can do roughly the same thing with NTLM_AUTH? I have to use NTLM_Auth for 8021x (right? - at least all docs say this), so if I don't HAVE to use LDAP all the better.

TIA!
Gary

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org On Behalf Of Jason Alderfer
Sent: Tuesday, August 18, 2009 2:18 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic VLAN attribute in LDAP or AD?

>> So, I'm trying to use 802.1x dynamic VLAN assignment. I have this working when I conf the users file. However, I don't want to create/maintain the users file for 2,000 users! Is there an attribute in AD / LDAP I can use for the dynamic VLAN? Ideally I could do this at the Group level, such that when a user moves from one group to another they're automagically assigned to the correct VLAN.
>
> If you're using version 2.0.5 or higher you can do this with unlang as follows. This example sets the vlan based on the user's DN, but you should be able to modify it to look at your group membership attribute. Repeat for all relevant ldap groups.
>
>     if (control:Ldap-UserDn =~ /ou=div,o=org/i) {
>         update reply {
>             Tunnel-Type := VLAN
>             Tunnel-Medium-Type := IEEE-802
>             Tunnel-Private-Group-Id := 9
>         }
>     }
Re: Proxying accounting to create a 'tee'
On Sat, Aug 22, 2009 at 01:59:00AM +0100, Arran Cudbard-Bell wrote:
> On 21/08/2009 21:15, John Morrissey wrote:
>> On Sun, Aug 16, 2009 at 10:11:02AM +0200, Alan DeKok wrote:
>>> vol...@ufamts.ru wrote:
>>>> If home server does not respond, FR does not respond too - NAS repeats request - FR writes request data to SQL again.
>>>
>>> So... configure the server to respond. See the file raddb/sites-available/decoupled-accounting
>>
>> Is decoupled-accounting (writing all detail to disk and replaying it serialized with a detail listener) the only way to configure FreeRADIUS to respond to the NAS?
>
> Yes. Otherwise it'll wait for the response from the proxy server, and proxy the Accounting-Response from the proxy server back to the NAS. It's the only way the NAS could be sure the remote server received the Accounting-Request.

Right. I was hoping there was a way for robust-proxy-accounting to respond to the NAS when the proxy isn't responding, since the accounting request has been successfully processed (i.e., written to the detail log and saved for later proxying).

>> I'm adapting robust-proxy-accounting for our environment and can't figure out how (or if it's possible) to get FreeRADIUS to respond to the originating NAS when proxying fails and the detail is logged for later proxying.
>
> Yep that's a good idea if the data is time critical, it also allows multiple requests to be forwarded in parallel.

nod, this is my preference. Unfortunately (as I mentioned above), I haven't been able to figure out if/how it's possible to have FreeRADIUS always respond to the NAS, even when the proxy isn't responding and accounting is spooled to the detail file for later processing.

john
--
John Morrissey j...@horde.net www.horde.net
RE: TTLS to require client cert
Hi.

After configuring the parameter in user configuration file I get the following log. However sniffing shows that no request was sent to get the certificate. Are any of you familiar with this problem?

[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] TLS 1.0 Handshake [length 005f], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] TLS 1.0 Handshake [length 0aab], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] TLS 1.0 Handshake [length 030d], ServerKeyExchange
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate

-----Original Message-----
From: freeradius-users-bounces+yoni.levin=altair-semi@lists.freeradius.org On Behalf Of Yoni Levin
Sent: Monday, August 24, 2009 5:38 PM
To: FreeRadius users mailing list; t...@kalik.net
Subject: RE: TTLS to require client cert

> I have similar problem. I also try to force TTLS to request client certificate but it just does not happen. The radius does not send the request. Maybe the reason is that I added EAP-TLS-Require-client-cert = YES in the wrong section? I uncommented it in the tls section of eap.conf.
>
> Thanks for your help.
>
> -----Original Message-----
> From: freeradius-users-bounces+yoni.levin=altair-semi@lists.freeradius.org On Behalf Of Petar Marinkovic
> Sent: Thursday, July 16, 2009 12:43 AM
> To: t...@kalik.net; FreeRadius users mailing list
> Subject: Re: TTLS to require client cert
>
>> Yes, it does, but something isn't working, he is just not checking the client certificate
>>
>> On 07/15/2009, Ivan Kalik t...@kalik.net wrote:
>>>> Hi all, I need help once again. I want TTLS to require client cert. I put EAP-TLS-Require-client-cert = YES in ttls { part of eap.conf but it's not working. What I am doing wrong here?
>>>
>>> What isn't working? Freeradius can request a certificate - does your supplicant support that?
RE: Dynamic VLAN attribute in LDAP or AD?
So, by looking at this more carefully I'll have to do a bunch of if/else's or cases? What if for instance I have 500 departments/groups - 500 different vlans? I'll have to test each one?

I guess what I was hoping to do was something like:

Get attribute n for user y (where n = a value used for Tunnel-Private-Group-Id), THEN do the processing you mentioned:

    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := n
    }

Thoughts?

G

-----Original Message-----
From: Gary Gatten
Sent: Monday, August 24, 2009 10:34 AM
To: 'FreeRadius users mailing list'
Cc: 'Jason Alderfer'
Subject: RE: Dynamic VLAN attribute in LDAP or AD?

> I'm assuming I can do roughly the same thing with NTLM_AUTH? I have to use NTLM_Auth for 8021x (right? - at least all docs say this), so if I don't HAVE to use LDAP all the better.
>
> TIA!
> Gary
>
> -----Original Message-----
> From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org On Behalf Of Jason Alderfer
> Sent: Tuesday, August 18, 2009 2:18 PM
> To: FreeRadius users mailing list
> Subject: Re: Dynamic VLAN attribute in LDAP or AD?
>
>> If you're using version 2.0.5 or higher you can do this with unlang as follows. This example sets the vlan based on the user's DN, but you should be able to modify it to look at your group membership attribute. Repeat for all relevant ldap groups.
>>
>>     if (control:Ldap-UserDn =~ /ou=div,o=org/i) {
>>         update reply {
>>             Tunnel-Type := VLAN
>>             Tunnel-Medium-Type := IEEE-802
>>             Tunnel-Private-Group-Id := 9
>>         }
>>     }
RE: LDAP MSCHAP error
LOL, K. Just found it interesting that with so little data you were able to divine our schema. The problem here is our LDAP tree will not or cannot change (political reasons... Long story, sucks for me, but as they say: wish in one hand and poop in the other, get back to me when you figure out which one fills first...)

So yeah, I am stuck with binary NT hashes to use for MSCHAP auth. The odd thing is it works for 95% of our users; it seems there is a character combo that causes the truncation.

So I was thinking I would use a perl script (thank you rlm_perl, and PERL-LDAP modules) to perform the LDAP query and then convert the data to ASCII and insert the converted String Data into the NT-Password variable.

With that strategy in mind I have a couple questions.
1: Sanity check. Before I begin down this path, does this sound plausible?
2: Suggestions or samples would be greatly appreciated.

Thank you
Larry

-Original Message-
From: freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, August 21, 2009 11:35 PM
To: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error

Larry Ross wrote: Hmm interesting, how were you able to divine that that is how we are storing the hash values...

C programming 101.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP MSCHAP error
Larry Ross wrote: LOL, K. Just found it interesting that with so little data you were able to divine our schema. The problem here is our LDAP tree will not or cannot change (political reasons... Long story, sucks for me, but as they say: wish in one hand and poop in the other, get back to me when you figure out which one fills first...)

As I said... it's C programming 101. It's trivial for anyone who's spent 10 minutes with C.

So yeah, I am stuck with binary NT hashes to use for MSCHAP auth. The odd thing is it works for 95% of our users; it seems there is a character combo that causes the truncation.

Yes. 00. This is C 101.

So I was thinking I would use a perl script (thank you rlm_perl, and PERL-LDAP modules) to perform the LDAP query and then convert the data to ASCII and insert the converted String Data into the NT-Password variable.

That might work.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: LDAP MSCHAP error
Passwords that are affected do not contain 00, FYI.

-Original Message-
From: freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, August 24, 2009 11:03 AM
To: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error

Larry Ross wrote: LOL, K. Just found it interesting that with so little data you were able to divine our schema. The problem here is our LDAP tree will not or cannot change (political reasons... Long story, sucks for me, but as they say: wish in one hand and poop in the other, get back to me when you figure out which one fills first...)

As I said... it's C programming 101. It's trivial for anyone who's spent 10 minutes with C.

So yeah, I am stuck with binary NT hashes to use for MSCHAP auth. The odd thing is it works for 95% of our users; it seems there is a character combo that causes the truncation.

Yes. 00. This is C 101.

So I was thinking I would use a perl script (thank you rlm_perl, and PERL-LDAP modules) to perform the LDAP query and then convert the data to ASCII and insert the converted String Data into the NT-Password variable.

That might work.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: LDAP MSCHAP error
Also any ideas as to how I may insert the variable from perl would be nice.

-Original Message-
From: freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, August 24, 2009 11:03 AM
To: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error

Larry Ross wrote: LOL, K. Just found it interesting that with so little data you were able to divine our schema. The problem here is our LDAP tree will not or cannot change (political reasons... Long story, sucks for me, but as they say: wish in one hand and poop in the other, get back to me when you figure out which one fills first...)

As I said... it's C programming 101. It's trivial for anyone who's spent 10 minutes with C.

So yeah, I am stuck with binary NT hashes to use for MSCHAP auth. The odd thing is it works for 95% of our users; it seems there is a character combo that causes the truncation.

Yes. 00. This is C 101.

So I was thinking I would use a perl script (thank you rlm_perl, and PERL-LDAP modules) to perform the LDAP query and then convert the data to ASCII and insert the converted String Data into the NT-Password variable.

That might work.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Dynamic VLAN attribute in LDAP or AD?
Interesting... I'm assuming I could use existing LDAP attribs and remap them as needed? Ie: Fax Number could be mapped to Tunnel ID? Extending the schema is like getting teeth pulled.

Resist the temptation and extend the schema now instead of later. When you need the Fax Number, what will you do? If you don't want to tackle LDAP, you could write a script to generate a separate file of unlang if-then blocks and pull it into the FR conf file with an $INCLUDE statement.

Also, no way to do this with NTLM auth is there?

No. NTLM_auth is an authentication tool that returns 0 or 1 depending on the correctness of a password. This is an authorization question - what kind of access will the authenticated user be given?

-Original Message-
From: Jason Alderfer [mailto:j...@emu.edu]
Sent: Monday, August 24, 2009 2:10 PM
To: Gary Gatten
Subject: RE: Dynamic VLAN attribute in LDAP or AD?

So, by looking at this more carefully I'll have to do a bunch of if/else's or cases? What if for instance I have 500 departments/groups - 500 different VLANs? I'll have to test each one? I guess what I was hoping to do was something like: get attribute n for user y (where n = a value used for Tunnel-Private-Group-Id

You will need to extend your LDAP schema to include the attributes needed for the VLAN and make sure they are properties of the objects that you want them to apply to. Then you will need to add these attributes to the FR ldap.attrmap file, e.g.

replyItem   Tunnel-Type               radiusTunnelType
replyItem   Tunnel-Medium-Type        radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id   radiusTunnelPrivateGroupId

Now the LDAP module should be able to set these attributes automatically for each request if you enable it in the authorize or post-auth section.

Jason

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dynamic VLAN attribute in LDAP or AD?
Agreed. I didn't know if I could do some group checking with ntlm_auth, more accurately get a list of groups a user belongs to? If I used FQDN I could prolly parse out the info I need from the user name as well: gary.neteng.waddell

I'll try LDAP - good learning experience!

- Original Message -
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Sent: Mon Aug 24 15:48:40 2009
Subject: RE: Dynamic VLAN attribute in LDAP or AD?

Interesting... I'm assuming I could use existing LDAP attribs and remap them as needed? Ie: Fax Number could be mapped to Tunnel ID? Extending the schema is like getting teeth pulled.

Resist the temptation and extend the schema now instead of later. When you need the Fax Number, what will you do? If you don't want to tackle LDAP, you could write a script to generate a separate file of unlang if-then blocks and pull it into the FR conf file with an $INCLUDE statement.

Also, no way to do this with NTLM auth is there?

No. NTLM_auth is an authentication tool that returns 0 or 1 depending on the correctness of a password. This is an authorization question - what kind of access will the authenticated user be given?

-Original Message-
From: Jason Alderfer [mailto:j...@emu.edu]
Sent: Monday, August 24, 2009 2:10 PM
To: Gary Gatten
Subject: RE: Dynamic VLAN attribute in LDAP or AD?

So, by looking at this more carefully I'll have to do a bunch of if/else's or cases? What if for instance I have 500 departments/groups - 500 different VLANs? I'll have to test each one? I guess what I was hoping to do was something like: get attribute n for user y (where n = a value used for Tunnel-Private-Group-Id

You will need to extend your LDAP schema to include the attributes needed for the VLAN and make sure they are properties of the objects that you want them to apply to. Then you will need to add these attributes to the FR ldap.attrmap file, e.g.

replyItem   Tunnel-Type               radiusTunnelType
replyItem   Tunnel-Medium-Type        radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id   radiusTunnelPrivateGroupId

Now the LDAP module should be able to set these attributes automatically for each request if you enable it in the authorize or post-auth section.

Jason

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Dynamic VLAN attribute in LDAP or AD?
So, by looking at this more carefully I'll have to do a bunch of if/else's or cases? What if for instance I have 500 departments/groups - 500 different VLANs? I'll have to test each one? I guess what I was hoping to do was something like: get attribute n for user y (where n = a value used for Tunnel-Private-Group-Id

Thoughts?

Use ms-RADIUS-FramedInterfaceId from the AD schema and map it in ldap.attrmap. IAS uses that for the VLAN id.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dynamic VLAN attribute in LDAP or AD?
Agreed. I didn't know if I could do some group checking with ntlm_auth, more accurately get a list of groups a user belongs to? If I used FQDN I could prolly parse out the info I need from the user name as well: gary.neteng.waddell

I'll try LDAP - good learning experience!

No need. AD is sort of an LDAP server. You can define it in the ldap module and it will respond to queries. You just need to adjust attribute names in ldap.attrmap to AD schema names (since MS broke the specification).

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: LDAP MSCHAP error
Also any ideas as to how I may insert the variable from perl would be nice. Read rlm_perl documentation. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxying accounting to create a 'tee'
Right. I was hoping there was a way for robust-proxy-accounting to respond to the NAS when the proxy isn't responding, since the accounting request has been successfully processed (i.e., written to the detail log and saved for later proxying). So it's still waiting to be processed - it hasn't been successfully processed. I'm adapting robust-proxy-accounting for our environment and can't figure out how (or if it's possible) to get FreeRADIUS to respond to the originating NAS when proxying fails and the detail is logged for later proxying. Yep that's a good idea if the data is time critical, it also allows multiple requests to be forwarded in parallel. nod, this is my preference. Unfortunately (as I mentioned above), I haven't been able to figure out if/how it's possible to have FreeRADIUS always respond to the NAS, even when the proxy isn't responding and accounting is spooled to the detail file for later processing. Use appropriate policy (decoupled accounting). Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to control users traffic ?
I was trying to dynamically limit the customer's speed when they hit their download quota. I'm doing this for DSL users connected to a Cisco NAS. Aren't the WISPr attributes only for wireless users?

--
Andrew Paternoster
GPK Computers Pty Ltd
T 1300 854 223 F 1300 854 228
Senior System Engineer

-Original Message-
From: freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org [mailto:freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org] On Behalf Of Devinder Singh
Sent: Tuesday, 18 August 2009 5:16 PM
To: FreeRadius users mailing list
Subject: Re: How to control users traffic ?

Hi

Have you tried using WISPr attributes to control bandwidth. These are set in the Radius database server.

2009/8/18 Andrew Paternoster and...@gpk.net.au:

Does anyone have any example policies that they can share. I'm trying to work out how to send attributes to my Cisco NAS when the users reach their traffic limit. I have looked around and cannot find how to make these policies mentioned below. Can any one point me in the right direction?

Thanks

--
Andrew Paternoster
GPK Computers Pty Ltd
T 1300 854 223 F 1300 854 228
Senior System Engineer

-Original Message-
From: freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org [mailto:freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: Tuesday, 7 July 2009 7:12 PM
To: FreeRadius users mailing list
Subject: Re: How to control users traffic ?

Which is the conventional way for checking online users' traffic volume and disconnecting those who reach the limit of every user in freeradius:

There are no standard radius attributes for this. Your NAS might have vendor specific attributes that can be used for data (sql)counters but many don't.

1- using acct-interim packets to update output or input octets in sql and if the user reaches the max of its accounting permission disconnect him/her. (Is there any patch to do this?)

Again, this will depend on the NAS supporting PoD or CoA. You can make a policy that sends instructions to the NAS to disconnect the user if he goes over the limit on an update packet. If it doesn't, you should still be able to disconnect the user using SNMP.

2- freeradius sends Session-Octets-Limit to the NAS and the NAS can do this?

If it has such a VSA. You can then use the standard (sql)counter.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Devinder
Re: files: How to choose SQL entry for users?
Hi.

On Mon, Aug 24, 2009 at 02:59:27PM +0200, Alan DeKok wrote:

George Koulyabin wrote: On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote: George Koulyabin wrote: I had got success when 'sql_auth' was defined as last entry into instantiate { }. But I think that this solution is unsecure and wrong.

Why is that?

For example, I added new sql-module into sql.conf and forgot to fix order of loading of sql-modules into instantiate { }. I tried to do it. The 'users' used last sql-module of sql.conf. Variable 'sqlmod-inst' is used by 'sqlcounter'-module, but why isn't such variable used into 'files'-module?

(a) That doesn't make it unsecure.

Your words are true. I can't say that rejecting of authorization is unsecure.

(b) you may have MULTIPLE sql modules, and may be doing MULTIPLE sql group comparisons in the files module. Adding one sqlmod-inst to the files module won't help you try to use MULTIPLE sql modules.

Supposing it were available to use MULTIPLE files modules and unlang, I could use different 'users'-files. In addition, I can use a few virtual servers.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html