FreeRadius between VPN Users and Safeword/RSA Servers

2011-03-16 Thread Hemachandran Nair

Hi,
I need to configure FreeRADIUS (as a proxy) to forward authentication
requests from AT&T VPN users to the SafeWord and RSA servers, based on a
user@norealm vs. user@realm condition.
 
Users -> VPN -> FreeRADIUS -> SafeWord & RSA

Example: 
User -> VPN -> FreeRADIUS (no realm, so nostrip) -> pass the authentication to
the SafeWord servers.
u...@ab.abc.com -> VPN -> FreeRADIUS (strip the realm name) -> pass the
authentication to the RSA servers.
 
How do I configure FreeRADIUS as a proxy to achieve this?
 
Also, I need to configure 2 FreeRADIUS (proxy) servers to achieve high
availability; can I use the same configuration on both servers?
 
If the above is not possible, can I use an NPS RADIUS proxy to achieve this? But
in that case where should I place FreeRADIUS: between the VPN and NPS, or
between NPS and SafeWord? My SafeWord does not support EAP, so I cannot achieve
this by having the NPS RADIUS proxy forward requests directly to SafeWord.

Thank you in advance.
Nair
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

freeradius failover-through proxy or other way?

2011-03-16 Thread Martin Lambev
I'm really a beginner in the freeradius realm, so apologies in advance if the
question is immature...

After reading all of the freeradius wiki, it is still not clear to me whether
it is possible to do failover through a proxy, and how to organize the things
that I want to accomplish. Explanation follows:

Now I have the following setup: node 1 - NAS (pptp, openvpn) -> server 2
(freeradius + mysql as backend)
I read in the documentation about 2 or 3 mysql DBs and how to do fail-over,
load-balancing and redundancy, but if I do it like that, when the freeradius
server fails, the whole setup is down.


I want to add another node as a second NAS, so things will become like this:

node 1 - NAS (pptp, openvpn) -> server 2 AAA (freeradius+mysql)
node 3 - NAS (l2tp) ---------^

I want to have redundancy in case server 2 AAA (freeradius + mysql as
backend) fails, with a second server 4 AAA taking over with exactly the same
setup (freeradius + mysql backend). Should I use a freeradius proxy on
every node? Another solution? So things need to become like this:

node 1 - NAS (+freeradius proxy?) --| Internet |-- server 2 master (freeradius+mysql, location e.g. US)
node 3 - NAS (+freeradius proxy?) --| Internet |-- server 4 slave (freeradius+mysql, location e.g. EU)


I want the mysql DB to be updated (to have a mirror copy) on both servers 2
and 4 in real time. The purpose of this setup is redundancy: if one of the
AAA servers is down, the other one takes over without impact on nodes 1 and 3
(a temporary user disconnect is acceptable).


Or maybe there is another way to do it?

Any advice is welcome: corrections, hints, anything that can help me see
better :)


Best Regards,

Martin

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL Counter Escape String !

2011-03-16 Thread Suman Dash

Hi Alan,

Did you manage to look into the issue?

Or maybe any hints on how to use DATETIME in Expiration instead of a string?

Regards
Suman

On 3/15/2011 4:04 PM, Suman Dash wrote:

Dear Alan,

I have not removed any debug messages. I will try to put everything in
once again. I was not aware that I sent you a mail. I am having a
nightmare and accidentally clicked Send All instead of selecting the
mailing list.


sqlcounter monthlycounter {
	counter-name = Monthly-Session-Time
	check-name = Max-Monthly-Session
	reply-name = Session-Timeout
	sqlmod-inst = sql
	key = User-Name
	reset = never

	query = SELECT SUM(acctsessiontime) FROM tbl_acct WHERE \
		username = '%{%k}' AND acctstarttime BETWEEN \
		(SELECT STR_TO_DATE((SELECT value FROM tbl_check \
			WHERE username = '%{%k}' AND attribute = 'Activation'), \
			'd M Y H:i:s')) \
		AND (SELECT STR_TO_DATE((SELECT value FROM tbl_check \
			WHERE username = '%{%k}' AND attribute = 'Expiration'), \
			'd M Y H:i:s'))
}


DEBUG

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 122.175.85.117 port 21658, 
id=10, length=59

User-Name = suman
User-Password = duman12
Calling-Station-Id = 001122334455
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = suman, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> suman
[sql] sql_set_user escaped user --> 'suman'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op FROM tbl_check WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM tbl_check WHERE username = 'suman' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM tbl_reply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM tbl_reply WHERE username = 'suman' ORDER BY id
[sql]   expand: SELECT groupname FROM tbl_usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM tbl_usergroup WHERE username = 'suman' ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute, Value, op FROM tbl_groupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM tbl_groupcheck WHERE groupname = 'Biz1Mbps-UL' ORDER BY id
[sql] User found in group Biz1Mbps-UL
[sql]   expand: SELECT id, groupname, attribute, value, op FROM tbl_groupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM tbl_groupreply WHERE groupname = 'Biz1Mbps-UL' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(acctsessiontime) FROM tbl_acct 
where username = '%{User-Name}' AND acctstarttime 
BETWEEN (SELECT STR_TO_DATE((SELECT value FROM 
tbl_check WHERE username = '%{User-Name}' AND 
attribute = 'Activation'), '%0%0d %0%0M %0%0Y 
%0%0H:%0%0i:%0%0s')) AND (SELECT STR_TO_DATE((SELECT 
value FROM tbl_check WHERE username = '%{User-Name}' 
AND attribute = 'Expiration'), '%0%0d %0%0M %0%0Y %0%0H:%0%0i:%0%0s'))'

[monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
[monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'

Re: SQL Counter Escape String !

2011-03-16 Thread Alan DeKok
Suman Dash wrote:
> Hi Alan,
>
> Did you manage to look into the issue?

  No.

> or maybe any hints on how to use DATETIME in Expiration instead of String ?

  Honestly, in 2.1.10, you can just write SELECT statements directly in
unlang.

update reply {
	Session-Timeout := %{sql: SELECT ...}
}

  Couple that with a few other things, and you should be able to replace
the sqlcounter module entirely.

  i.e. I don't use that module, and I know little or nothing about it.
I have little time to do anything with it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL Counter Escape String !

2011-03-16 Thread Suman Dash

Many thanks Alan,

That was some really good advice on how to make the thing work.

So now I have to write an unlang statement in preprocess so that it
directly gives the Session-Timeout. Please correct me if I am wrong.


Thanks Again
On 3/16/2011 4:09 PM, Alan DeKok wrote:
> Suman Dash wrote:
>> Hi Alan,
>>
>> Did you manage to look into the issue?
>
>   No.
>
>> or maybe any hints on how to use DATETIME in Expiration instead of String ?
>
>   Honestly, in 2.1.10, you can just write SELECT statements directly in
> unlang.
>
> update reply {
> 	Session-Timeout := %{sql: SELECT ...}
> }
>
>   Couple that with a few other things, and you should be able to replace
> the sqlcounter module entirely.
>
>   i.e. I don't use that module, and I know little or nothing about it.
> I have little time to do anything with it.
>
>   Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius failover-through proxy or other way?

2011-03-16 Thread Alan DeKok
Martin Lambev wrote:
> After reading all of the freeradius wiki, it is still not clear to me whether
> it is possible to do failover through a proxy, and how to organize the things
> that I want to accomplish. Explanation follows:

  See raddb/proxy.conf.

> Now I have the following setup: node 1 - NAS (pptp, openvpn) -> server 2
> (freeradius + mysql as backend)
> I read in the documentation about 2 or 3 mysql DBs and how to do fail-over,
> load-balancing and redundancy, but if I do it like that, when the freeradius
> server fails, the whole setup is down.

  Exactly.

> I want to add another node as a second NAS, so things will become like
> this:
>
> node 1 - NAS (pptp, openvpn) -> server 2 AAA (freeradius+mysql)
> node 3 - NAS (l2tp) ---------^
>
> I want to have redundancy in case server 2 AAA (freeradius + mysql as
> backend) fails, with a second server 4 AAA taking over with exactly the same
> setup (freeradius + mysql backend). Should I use a freeradius proxy on
> every node? Another solution? So things need to become like this:

  The NASes should do fail-over by listing a primary & secondary RADIUS
server.

> node 1 - NAS (+freeradius proxy?) --| Internet |-- server 2 master
> (freeradius+mysql, location e.g. US)
> node 3 - NAS (+freeradius proxy?) --| Internet |-- server 4 slave
> (freeradius+mysql, location e.g. EU)
>
> I want the mysql DB to be updated (to have a mirror copy) on both servers 2
> and 4 in real time. The purpose of this setup is redundancy: if one of the
> AAA servers is down, the other one takes over without impact on nodes 1 and 3
> (a temporary user disconnect is acceptable).

  See raddb/sites-enabled/copy-acct-to-home-server

> Or maybe there is another way to do it?

  There are lots of ways to do it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
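Alan's two pointers, raddb/proxy.conf and NAS-side fail-over, cover both of the proxy threads above. Here they are put together in one file for FreeRADIUS 2.1.x: the realm split Hemachandran asked for (bare user names go to SafeWord unchanged, user@ab.abc.com is stripped and sent to RSA) and the fail-over between two home servers that Martin asked about. This is an added example, not configuration from either poster or from the FreeRADIUS distribution; the addresses, secrets and server names are placeholders.

```conf
#
#  raddb/proxy.conf (FreeRADIUS 2.1.x).  Added example; addresses, secrets
#  and server names are placeholders.
#

#  Two home servers per backend; the pools below fail over between them.
home_server safeword1 {
	type = auth
	ipaddr = 192.0.2.11
	port = 1812
	secret = replace-me-safeword1

	#  No reply within 20 s: mark the server "zombie" and try the next one.
	#  After 40 s it is marked dead and is retried on its own later.
	response_window = 20
	zombie_period = 40

	#  Leave status_check at "none" (the default) unless the home server
	#  implements Status-Server.  "status_check = request" logs in with a
	#  test user every check_interval seconds, which against a one-time
	#  password server is nothing but a stream of failed logins for that
	#  test account.
	status_check = none
}

home_server safeword2 {
	type = auth
	ipaddr = 192.0.2.12
	port = 1812
	secret = replace-me-safeword2
	response_window = 20
	zombie_period = 40
	status_check = none
}

home_server rsa1 {
	type = auth
	ipaddr = 192.0.2.21
	port = 1812
	secret = replace-me-rsa1
	response_window = 20
	zombie_period = 40
	status_check = none
}

home_server rsa2 {
	type = auth
	ipaddr = 192.0.2.22
	port = 1812
	secret = replace-me-rsa2
	response_window = 20
	zombie_period = 40
	status_check = none
}

#  "fail-over" always sends to the first live server in the list;
#  "load-balance" would spread requests across both instead.
home_server_pool safeword_pool {
	type = fail-over
	home_server = safeword1
	home_server = safeword2
}

home_server_pool rsa_pool {
	type = fail-over
	home_server = rsa1
	home_server = rsa2
}

#  A bare user name ("bob") has no '@', so the suffix module looks up the
#  realm named NULL.  nostrip is harmless here (there is no suffix to
#  strip) and documents that the name is forwarded untouched.
realm NULL {
	auth_pool = safeword_pool
	nostrip
}

#  "bob@ab.abc.com": the realm is stripped before proxying (the default),
#  so the RSA servers receive User-Name = "bob".
realm ab.abc.com {
	auth_pool = rsa_pool
}
```

Both proxies can carry an identical copy of this file; the VPN concentrator then lists them as primary and secondary RADIUS servers, which is the same fail-over Alan recommends for Martin's NASes. One caveat specific to token backends: RADIUS protects User-Password hop by hop, so the proxy decrypts each password with the VPN's shared secret and re-encrypts it with the home server's secret. The proxy therefore handles every one-time password in clear and deserves the same host hardening and access control as the SafeWord and RSA servers themselves.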


The story of PAP, CHAP and the blank password

2011-03-16 Thread Wynand Meijer

Greetings all,

Instead of authenticating a user by the 'User-Name' / 'Cleartext-Password'
method, we are using the 'Calling-Station-Id' with a blank password.


...
# /etc/freeradius/sql/mysql/dialup.conf
sql_user_name = %{Calling-Station-Id}
...

We are using a mysql backend

Here are a few challenges that came up:
Using PAP:
* The blank password transmitted is picked up by the RADIUS as void
(an actual string value of 4 characters)
* To authenticate the 'blank password' the radcheck is set to [ user123
| Cleartext-Password | := | void ]

* Here are snippets of a successful connection

...
rad_recv: Access-Request packet from host x.x.x.x port 57772, id=75, 
length=156

User-Name = void
User-Password = void
NAS-IP-Address = x.x.x.x
NAS-Identifier = rbggs2
Called-Station-Id = apn.xxx.net
Framed-Protocol = GPRS-PDP-Context
Service-Type = Framed-User
NAS-Port-Type = Virtual
NAS-Port = 230647144
Calling-Station-Id = 00121231234
3GPP-PDP-Type = 0
3GPP-SGSN-Address = x.x.x.x
3GPP-GGSN-Address = x.x.x.x
+- entering group authorize {...}
...
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password void
[pap] Using clear text password void
[pap] User authenticated successfully
++[pap] returns ok
expand: The elders of the internet have granted you access -> The
elders of the internet have granted you access
Login OK: [void/void] (from client XXX_APN port 230647144 cli
00121231234) The elders of the internet have granted you access

+- entering group post-auth {...}
...


Using CHAP:
* The blank password transmitted is picked up by the RADIUS as a challenge
* To authenticate the 'blank password' the radcheck is set to [ user123 
| Cleartext-Password | := |  ]

* Here are snippets of a successful connection

rad_recv: Access-Request packet from host x.x.x.x port 50312, id=67, 
length=175

User-Name = void
CHAP-Challenge = 0x48e2fc18c8f16b825cc4ce7c06b4bdea
CHAP-Password = 0x012a6931a816773e44873124ecd7701e57
NAS-IP-Address = x.x.x.x
NAS-Identifier = rbggs2
Called-Station-Id = apn.xxx.net
Framed-Protocol = GPRS-PDP-Context
Service-Type = Framed-User
NAS-Port-Type = Virtual
NAS-Port = 123703984
Calling-Station-Id = 00121231234
3GPP-PDP-Type = 0
3GPP-SGSN-Address = x.x.x.x
3GPP-GGSN-Address = x.x.x.x
+- entering group authorize {...}
...
++[logintime] returns noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
CHAP-Password is correct.
expand: The elders of the internet have granted you access -> The
elders of the internet have granted you access
Login OK: [void/CHAP-Password] (from client XXX_APN port 100795256 cli
00121231234) The elders of the internet have granted you access

+- entering group post-auth {...}
...


Is the transmission of the 'blank password' the responsibility of the 
NAS or can the password be manipulated in the FR settings / configs?


Thanks
Wynand
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: The story of PAP, CHAP and the blank password

2011-03-16 Thread Alan Buxey
Hi,

> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.

I'd follow that advice. FR knows what to do when it sees suitable things.

Anyway, the 'void' is being sent by the NAS - and it's being sent CHAP'd too.
Can your kit not do the usual naff thing of sending the CSI as the password,
so you just have a simple pair

00121231234:00121231234

? That's what's usually done in these sorts of 'just let them on' environments.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Accounting - Acct-Interim-Interval

2011-03-16 Thread Wynand Meijer

Greetings,

* We have added the attribute Acct-Interim-Interval = 150 to the
radgroupreply

* However we are not getting accounting packets back at a 150 sec frequency
* We are getting the accounting packets on the start and stop of the
connection
* The reporting back (accounting packets): is that the responsibility of
the NAS / RADIUS / client?


Thanks
Wynand

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting - Acct-Interim-Interval

2011-03-16 Thread Phil Mayers

On 16/03/11 11:15, Wynand Meijer wrote:
> Greetings,
>
> * We have added the attribute Acct-Interim-Interval = 150 to the
> radgroupreply

Ok. That's a lot shorter than most people set (300 is common, 1800 in
some cases) but it's legal. It MUST NOT be < 60.

> * However we are not getting accounting packets back at a 150 sec frequency

Are you sure the Acct-Interim-Interval is actually being sent in the
reply? Have you checked by running under debug mode, or with a packet
sniffer?

> * We are getting the accounting packets on the start and stop of the
> connection

Are you sure the NAS supports interim accounting?

> * The reporting back (accounting packets): is that the responsibility of
> the NAS / RADIUS / client?

The NAS.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting - Acct-Interim-Interval

2011-03-16 Thread Alan DeKok
Phil Mayers wrote:
>> * The reporting back (accounting packets): is that the responsibility of
>> the NAS / RADIUS / client?
>
> The NAS.

  Blame the NAS for *everything*.  :)

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: The story of PAP, CHAP and the blank password

2011-03-16 Thread Wynand Meijer

Thanks for the feedback,

We have made contact with the NAS 'provider' and requested that they resolve
the issue by replacing the string void with nothing. As the passed
string is the 'cause' of the problem, we would rather they fix it than we
try and hack around it.

If these errors persist we will look into a solution as you
suggested, like 00121231234:00121231234 or 00121231234:


Thanks
Wynand

On 16/03/2011 13:12, Alan Buxey wrote:
> Hi,
>
>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>> WARNING: Use the PAP or CHAP modules instead.
>
> I'd follow that advice. FR knows what to do when it sees suitable things.
>
> Anyway, the 'void' is being sent by the NAS - and it's being sent CHAP'd too.
> Can your kit not do the usual naff thing of sending the CSI as the password,
> so you just have a simple pair
>
> 00121231234:00121231234
>
> ? That's what's usually done in these sorts of 'just let them on' environments.
>
> alan


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
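Whichever placeholder the NAS ends up sending ("void", the CSI, or nothing), the password proves nothing in this setup; the identity is the Calling-Station-Id the GGSN asserts. An added example (not Wynand's or Alan's configuration) of writing that down explicitly in the authorize section of raddb/sites-enabled/default for FreeRADIUS 2.1.x, so the accept no longer depends on what the NAS puts in User-Password or CHAP-Password. It assumes the sql module keyed on Calling-Station-Id exactly as in Wynand's dialup.conf snippet above. The trust boundary is then plain: RADIUS authenticates the NAS through its shared secret, and the NAS vouches for the calling number, so anyone who can present a known number to that APN gets the same access.

```conf
#
#  raddb/sites-enabled/default, authorize section (FreeRADIUS 2.1.x).
#  Added example; assumes sql_user_name = "%{Calling-Station-Id}" in
#  raddb/sql/mysql/dialup.conf as in the thread, so radcheck/radreply/
#  radusergroup rows are looked up by calling number, not by User-Name.
#
authorize {
	preprocess

	#  Look the calling number up.  rlm_sql returns "ok" when the number
	#  has any check item, reply item or group membership, and "notfound"
	#  when it has none.  The Reply-Message in the log above is such a
	#  radreply row; the "Cleartext-Password := void" rows and the
	#  "Auth-Type = Local" entry are no longer needed.
	sql

	if (notfound) {
		reject
	}

	#  Known number: accept it outright.  With Auth-Type set here, the pap
	#  and chap modules below return noop (the same "Auth-Type already
	#  set" behaviour the CHAP log shows), so the NAS's placeholder
	#  password is never compared against anything.
	update control {
		Auth-Type := Accept
	}

	#  Still list pap and chap, so a NAS that does send a real password
	#  for a non-CSI user is handled normally if this block is reused.
	pap
	chap
}
```

If the NAS provider does switch to sending the CSI as the password, the block above keeps working unchanged, since the password is simply ignored; the only row each number needs is one that makes rlm_sql return "ok".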


SQL Unlang !

2011-03-16 Thread Suman Dash
I am looking for a short example of how to store the result of a SQL query in
a variable which can be used in the next condition in unlang.

I have no knowledge of unlang, but I got a fair idea of the condition
checks; I just need a little insight on storing the results.

For example:

result1 = {some sql query}

result2 = {some sql query}

update control {
	Session-Timeout := Result1 - Result2
}

Thanks in advance
Suman


On 3/16/2011 4:09 PM, Alan DeKok wrote:
> Suman Dash wrote:
>> Hi Alan,
>>
>> Did you manage to look into the issue?
>
>   No.
>
>> or maybe any hints on how to use DATETIME in Expiration instead of String ?
>
>   Honestly, in 2.1.10, you can just write SELECT statements directly in
> unlang.
>
> update reply {
> 	Session-Timeout := %{sql: SELECT ...}
> }
>
>   Couple that with a few other things, and you should be able to replace
> the sqlcounter module entirely.
>
>   i.e. I don't use that module, and I know little or nothing about it.
> I have little time to do anything with it.
>
>   Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: The story of PAP, CHAP and the blank password

2011-03-16 Thread pradyumna dash
Hi,

I need a doc/pointer on a FreeRADIUS+OpenLDAP+Mobile-OTP configuration; I
would be implementing this on a SuSE server.

Can anyone help me with how to do it?

Regards,
Neo
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL Unlang !

2011-03-16 Thread Phil Mayers

On 16/03/11 12:44, Suman Dash wrote:
> I am looking for a short example of how to store the result of a SQL query
> in a variable which can be used in the next condition in unlang.
>
> I have no knowledge of unlang, but I got a fair idea of the condition
> checks; I just need a little insight on storing the results.


FreeRadius comes with several Tmp-X variables defined (see 
dictionary.freeradius.internal) or you can define your own.


e.g.

authorize {
 ...
 update request {
   Tmp-Integer-0 := %{sql: ...}
 }
 update request {
   Tmp-Integer-1 := %{sql: ...}
 }
 update reply {
   Session-Timeout := %{expr:%{Tmp-Integer-0} - %{Tmp-Integer-1}}
 }
 ...

}

Or do the maths in the SQL query itself.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
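Phil's Tmp-Integer pattern and Alan's "%{sql: SELECT ...}" assembled into a complete authorize section that replaces Suman's monthlycounter from the "SQL Counter Escape String" thread and answers his "SQL Unlang" question in one place. This is an added example, not configuration from the thread or from the FreeRADIUS distribution. tbl_acct and the Max-Monthly-Session check item come from Suman's posts; the DATETIME column expiry in a table tbl_user is an assumption standing in for his string-valued Expiration item, which is what he wanted to get rid of.

```conf
#
#  raddb/sites-enabled/default, authorize section (FreeRADIUS 2.1.10).
#  Added example.  tbl_acct is from the thread; tbl_user(username,
#  expiry DATETIME NOT NULL) is an assumed table replacing the
#  string-valued "Expiration" check item.
#
authorize {
	preprocess
	suffix

	#  Loads Max-Monthly-Session (and any other check items) into control:
	sql

	#  %{sql:...} runs every attribute it expands (here User-Name) through
	#  rlm_sql's escape function before substitution, so the single quotes
	#  around '%{User-Name}' are safe against a name containing a quote.
	#  The IFNULL()s matter: an empty result would not parse as an integer
	#  and the update would fail.  Month arithmetic is done with SQL
	#  functions rather than a DATE_FORMAT pattern, whose '%' characters
	#  the xlat parser would try to interpret (the "Unknown variable '%0'"
	#  warnings in the sqlcounter debug output come from exactly that).
	update control {
		Tmp-Integer-0 := "%{sql:SELECT IFNULL(SUM(acctsessiontime), 0) FROM tbl_acct WHERE username = '%{User-Name}' AND YEAR(acctstarttime) = YEAR(NOW()) AND MONTH(acctstarttime) = MONTH(NOW())}"
		Tmp-Integer-1 := "%{sql:SELECT IFNULL((SELECT GREATEST(TIMESTAMPDIFF(SECOND, NOW(), expiry), 0) FROM tbl_user WHERE username = '%{User-Name}'), 0)}"
	}

	#  Tmp-Integer-1 is seconds until expiry, clamped to 0.  Zero means
	#  expired, or no row at all; both are rejected.
	if (control:Tmp-Integer-1 == 0) {
		reject
	}

	#  Monthly quota exhausted.  The existence check keeps users without a
	#  Max-Monthly-Session item unlimited.
	if ((control:Max-Monthly-Session) && (control:Tmp-Integer-0 >= "%{control:Max-Monthly-Session}")) {
		reject
	}

	#  Session-Timeout is the smaller of "quota left" and "time to expiry",
	#  so neither limit can be overrun inside a single session.
	if (control:Max-Monthly-Session) {
		update control {
			Tmp-Integer-2 := "%{expr:%{control:Max-Monthly-Session} - %{control:Tmp-Integer-0}}"
		}
		if (control:Tmp-Integer-2 < "%{control:Tmp-Integer-1}") {
			update reply {
				Session-Timeout := "%{control:Tmp-Integer-2}"
			}
		}
		else {
			update reply {
				Session-Timeout := "%{control:Tmp-Integer-1}"
			}
		}
	}
	else {
		update reply {
			Session-Timeout := "%{control:Tmp-Integer-1}"
		}
	}

	pap
	chap
}
```

Two things to keep in mind when adapting this: %{sql:...} returns only the first column of the first row, which is why each query is shaped to return exactly one number, and the quota check counts only sessions that have already been written to tbl_acct, so a session still in progress is not charged until its interim or stop record arrives (the sqlcounter module has the same blind spot).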


Re: The story of PAP, CHAP and the blank password

2011-03-16 Thread Kenneth Marshall
On Wed, Mar 16, 2011 at 06:19:08PM +0530, pradyumna dash wrote:
> Hi,
>
> I need a doc/pointer on a FreeRADIUS+OpenLDAP+Mobile-OTP configuration; I
> would be implementing this on a SuSE server.
>
> Can anyone help me with how to do it?
>
> Regards,
> Neo

I thought there was a link to a how-to for this on the mobile-otp
website. I am getting ready to do it here as well with Redhat.

Cheers,
Ken
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


(Fwd) Seg Fault - 3.0

2011-03-16 Thread Breuer Nicolas

--- Forwarded message follows ---
From:   Breuer Nicolas nicolas.bre...@belcenter.biz
To: freeradius-de...@lists.freeradius.org
Subject:Seg Fault - 3.0
Date sent:  Wed, 16 Mar 2011 15:23:22 +0100


Hello

I discovered a seg fault in the 3.0 release on the GIT server.

It seems to happen on the first auth.
(30) Login OK: [XXX] (from client XXX)
(30) # Executing section post-auth from file /etc/XXX.conf
(30) +- entering group post-auth {...}
(30) ++? if (reply:Framed-IP-Address)
(30) ? Evaluating (reply:Framed-IP-Address) -> FALSE
(30) ++? if (reply:Framed-IP-Address) -> FALSE
(30) ++- entering else else {...}
rlm_sql (ACCOUNTING-01): Reserving sql socket id: 14
(30) [IP-POOLING-01] expand: %{User-Name} -> XXX
(30) [IP-POOLING-01] sql_set_user escaped user --> 'XXX'
(30) [IP-POOLING-01] expand: BEGIN -> BEGIN
(30) [IP-POOLING-01] expand: COMMIT -> COMMIT
(30) [IP-POOLING-01] expand: SELECT ip_address FROM radippool WHERE pool_name = '%{reply:Pool-Suffix}*%{Huntgroup-Name}' AND expiry_time < NOW() ORDER BY rand(), pool_name, expiry_time LIMIT 1 FOR UPDATE -> SELECT ip_address FROM radippool WHERE pool_name = 'BC*' AND expiry_time < NOW() ORDER BY rand(), pool_name, expiry_time LIMIT 1 FOR UPDATE

Segmentation fault

I see the expansion of the variable Huntgroup-Name didn't get any value...

Maybe that is the reason for the seg fault?


--- End of forwarded message ---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: (Fwd) Seg Fault - 3.0

2011-03-16 Thread Alan DeKok
Breuer Nicolas wrote:
...
> Segmentation fault

  See doc/bugs

> I see the expansion of the variable Huntgroup-Name didn't get any value...
>
> Maybe that is the reason for the seg fault?

  We don't know.  You need to supply more information for us to know.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Help required in Free Radius Debug Output

2011-03-16 Thread Raheel Itrat



Hi,

 

I am using FreeRADIUS version 1.1.7 on Ubuntu 9.1. After installation I tried
to check it by editing the users file (/etc/freeradius/users), typing the
following at the top and saving it:

testing Cleartext-Password := password

Next I did `radtest testing password 127.0.0.1 0 testing123` and the following
is my debug output:


Packet 0

rad_recv: Access-Request packet from host 127.0.0.1:45704, id=54, length=59
	User-Name = testing
	User-Password = password
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = testing, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module files returns ok for request 0
rlm_pap: WARNING! No known good password found for the user.  Authentication
may fail because of this.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 54 to 127.0.0.1 port 45704
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 54 with timestamp 4d80c9e9
Nothing to do.  Sleeping until we see a request.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help required in Free Radius Debug Output

2011-03-16 Thread Alan Buxey
hi,

you haven't given the full output of radiusd -X

you also appear to have done more than just add that user to the
users file

something is setting the authentication to 'System' - do
you have some DEFAULT Auth-Type = System at line 153 of the users
file?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


problems with mac auth and huntgroups

2011-03-16 Thread Eric Doutreleau

Hi

I'm using freeradius 2.1.10.
I have set up MAC-based authentication as written here:
http://wiki.freeradius.org/Mac-Auth

It works quite well.

My problem is that now I want to combine that with huntgroups.

I have put the following line in my /etc/raddb/huntgroups:

radfiltuxmacs	NAS-IP-Address == 157.159.7.108, NAS-Port-Id == 19-21

and I have modified authorized_macs this way:

00188bd041e4	Huntgroup-Name == radfiltuxmacs
	Tunnel-Type := VLAN,
	Tunnel-Medium-Type := IEEE-802,
	Tunnel-Private-Group-Id := 15,
	Fall-Through = no

With the Huntgroup-Name it doesn't work.

Here is the log:
Wed Mar 16 16:19:55 2011 : Debug: [thread] Received Access-Request packet from host 157.159.7.108 port 1025, id=38, length=197
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Framed-MTU = 1466
Wed Mar 16 16:19:55 2011 : Debug: [thread]  NAS-IP-Address = 157.159.7.108
Wed Mar 16 16:19:55 2011 : Debug: [thread]  NAS-Identifier = radfilsw
Wed Mar 16 16:19:55 2011 : Debug: [thread]  User-Name = 00188bd041e4
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Service-Type = Framed-User
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Framed-Protocol = PPP
Wed Mar 16 16:19:55 2011 : Debug: [thread]  NAS-Port = 20
Wed Mar 16 16:19:55 2011 : Debug: [thread]  NAS-Port-Type = Ethernet
Wed Mar 16 16:19:55 2011 : Debug: [thread]  NAS-Port-Id = 20
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Called-Station-Id = 00-23-47-33-7e-ec
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Calling-Station-Id = 00-18-8b-d0-41-e4
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Connect-Info = CONNECT Ethernet 100Mbps Full duplex
Wed Mar 16 16:19:55 2011 : Debug: [thread]  CHAP-Password = 0x14d8e8e4d846868af6005c652fa9294207
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Message-Authenticator = 0x3f7d3084a4e8c0e1507b1b196132d645
Wed Mar 16 16:19:55 2011 : Debug: [thread] # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Mar 16 16:19:55 2011 : Debug: [thread] +- entering group authorize {...}
Wed Mar 16 16:19:55 2011 : Debug: ++[preprocess] returns ok
Wed Mar 16 16:19:55 2011 : Debug: ++- entering policy rewrite_calling_station_id {...}
Wed Mar 16 16:19:55 2011 : Debug: +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
Wed Mar 16 16:19:55 2011 : Debug: ? Evaluating (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
Wed Mar 16 16:19:55 2011 : Debug: +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
Wed Mar 16 16:19:55 2011 : Debug: +++- entering if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {...}
Wed Mar 16 16:19:55 2011 : Debug: 	expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 00188bd041e4
Wed Mar 16 16:19:55 2011 : Debug: [request] returns ok
Wed Mar 16 16:19:55 2011 : Debug: +++- if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok
Wed Mar 16 16:19:55 2011 : Debug: +++ ... skipping else for request 0: Preceding if was taken
Wed Mar 16 16:19:55 2011 : Debug: ++- policy rewrite_calling_station_id returns ok
Wed Mar 16 16:19:55 2011 : Debug: ++? if (User-Name =~ /^%{Calling-Station-ID}$/i)
Wed Mar 16 16:19:55 2011 : Debug: 	expand: ^%{Calling-Station-ID}$ -> ^00188bd041e4$
Wed Mar 16 16:19:55 2011 : Debug: ? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
Wed Mar 16 16:19:55 2011 : Debug: ++? if (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
Wed Mar 16 16:19:55 2011 : Debug: ++- entering if (User-Name =~ /^%{Calling-Station-ID}$/i) {...}
Wed Mar 16 16:19:55 2011 : Debug: +++[control] returns ok
Wed Mar 16 16:19:55 2011 : Debug: ++- if (User-Name =~ /^%{Calling-Station-ID}$/i) returns ok
Wed Mar 16 16:19:55 2011 : Debug: [auth_log] 	expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.7.108/auth-detail-20110316
Wed Mar 16 16:19:55 2011 : Debug: [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.7.108/auth-detail-20110316
Wed Mar 16 16:19:55 2011 : Debug: [auth_log] 	expand: %t -> Wed Mar 16 16:19:55 2011
Wed Mar 16 16:19:55 2011 : Debug: ++[auth_log] returns ok
Wed Mar 16 16:19:55 2011 : Debug: [chap] WARNING: Auth-Type already set.  Not setting to CHAP
Wed Mar 16 16:19:55 2011 : Debug: ++[chap] returns noop
Wed Mar 16 16:19:55 2011 : Debug: ++[mschap] returns noop
Wed Mar 16 16:19:55 2011 : Debug: [suffix] No '@' in User-Name = 00188bd041e4, looking up realm NULL
Wed Mar 16 16:19:55 2011 : Debug: [suffix] Found realm NULL
Wed

RE: Sending attribute with sub-attributes

2011-03-16 Thread David Peterson
OK set up radsniff and am seeing the following access-accept:
 

Access-Request Id 34  172.16.4.2:1812 -> 172.16.4.14:1812 +28.495
User-Name = {sm=1}fa9855191e4832141998a03a7f827...@wimax.com
EAP-Message =
0x020600d0158000c61603010086108200804b0afe388db371ab697ea9a00c4f4e8b
57cf5def239b801972d3bb8131d327e0a4f84a78b4e1084e4b27439fb7b025013b1950689de6
c28997f09b34694141e0f81def057e61e6a4c069def68c0160419fc68d332f001ad29adcb7fa
462ee8b9ad2bb4b99edd890f51c8bea74d42d0b8b5a860e83aa02ee4397fdff5948166601403
01000101160301003033b07664e55c63d8c752131c02235aaf88bda8e166ba71080c17335e52
01d3aecccae5019bbde607b9dcb08d05733047
Message-Authenticator = 0xdf908effc4e4f5d3f7dfa19d28a9cca3
NAS-Identifier = 4motion
NAS-IP-Address = 172.16.4.2
Calling-Station-Id = 00-26-82-CA-6D-B0
WiMAX-BS-Id = 0xfff32901
NAS-Port-Type = 27
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-Release = 1.0
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Attr-1793 = 0x028a
State = 0x71bea04575b8b51c6b3e400a0b7eaac2

Access-Challenge Id 34  172.16.4.14:1812 -> 172.16.4.2:1812 +28.500
EAP-Message =
0x010700451580003b1403010001011603010030e524056fa3a81b105c96239b9e88d105
06e63b5a0b71257d6c3ddef0a93e0b1234af032a18ef2f0eff217596a2ec63a9
Message-Authenticator = 0xdd2059b4ee01295ee23b010784ad8e82
State = 0x71bea04574b9b51c6b3e400a0b7eaac2

Access-Request Id 35  172.16.4.2:1812 -> 172.16.4.14:1812 +28.625
User-Name = {sm=1}fa9855191e4832141998a03a7f827...@wimax.com
EAP-Message =
0x020700c015001703010020af88796d54ff518c6fc9c4cbd7c870e75d4a301b57a650afc8f9
564a6472ed0f1703010090e532047e4b7e0af770e6aef6dba034560c7e3980c204d866559d96
aebe29311030c0e58ee6356857be034b68a6ca8ed2a80fc02273152f1cb692ba6b3da1335d4e
5dd60e726f8d522321d3af5afc7e0dece805e70aeb1d1f20ae5f05bd9a0df4280abc9769311b
b0d64f7653367fb4f9e75ac99b1faf8da602b174f4a4bc7d3eabe8692c6dc71301c44fdfad2c
854c48
Message-Authenticator = 0xb1ceae83822d784a23d3e8614aca1367
NAS-Identifier = 4motion
NAS-IP-Address = 172.16.4.2
Calling-Station-Id = 00-26-82-CA-6D-B0
WiMAX-BS-Id = 0xfff32901
NAS-Port-Type = 27
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-Release = 1.0
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Attr-1793 = 0x028a
State = 0x71bea04574b9b51c6b3e400a0b7eaac2

Access-Challenge Id 35  172.16.4.14:1812 -> 172.16.4.2:1812 +28.626
EAP-Message =
0x0108005f15800055170301005062cea2e66a8eec902121e911deb72b6464b8ab4861b9
4730d4f9ccb21af518afe16c18f12f305041b2c6df60e6fdc02bad7849141eca3b6c3e27f9a1
2790af090615185f8270e3be4de91ec9343699c2
Message-Authenticator = 0xebe75e60f6789cde3b7dce50e64516ad
State = 0x71bea04577b6b51c6b3e400a0b7eaac2

Access-Request Id 36  172.16.4.2:1812 -> 172.16.4.14:1812 +28.689
User-Name = {sm=1}fa9855191e4832141998a03a7f827...@wimax.com
EAP-Message = 0x020800061500
Message-Authenticator = 0x5683416041e6648a72b51ef5d0d92c8e
NAS-Identifier = 4motion
NAS-IP-Address = 172.16.4.2
Calling-Station-Id = 00-26-82-CA-6D-B0
WiMAX-BS-Id = 0xfff32901
NAS-Port-Type = 27
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-Release = 1.0
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Attr-1793 = 0x028a
State = 0x71bea04577b6b51c6b3e400a0b7eaac2

Access-Accept Id 36  172.16.4.14:1812 -> 172.16.4.2:1812 +28.690
WiMAX-Attr-4381 = 0x010676707773020531323303040001
WiMAX-Packet-Data-Flow-Id = 1
WiMAX-Direction = Bi-Directional
WiMAX-Transport-Type = Ethernet
WiMAX-Uplink-QOS-Id = 1
WiMAX-Downlink-QOS-Id = 1
WiMAX-Attr-2844 = 0x01030202060001040303080600c8
WiMAX-QoS-Id = 1
WiMAX-Schedule-Type = Best-Effort
WiMAX-Traffic-Priority = 4
WiMAX-Maximum-Sustained-Traffic-Rate = 524288
EAP-Message = 0x03080004
Message-Authenticator = 0xd3e1212d3ef4d04b512b7212c58858f3
User-Name = {sm=1}FA9855191E4832141998A03A7F827633
WiMAX-MSK =
0x9dec7a253fe31755903407d2fac5130fa96e8fe4469dbb6d825fa7bc7f23a2a74fdba9a5d8
d2e0dbe34f89d54495895ce557134c92fe4fd2e9c8b9fb1bc90261f7865036ed45c03b5a4c61
73ac3d58afaff4

Is there more detail we can get from radsniff?

David




Seg Fault - 3.0 - More Info needed

2011-03-16 Thread Breuer Nicolas

 Hello Alan,

 Could you be precise about which information you need to go further?

 Thanks



--- End of forwarded message ---

Hello

I discovered a Seg Fault on the release 3.0 on the GIT server.

It seems to happen on the first auth.
(30) Login OK: [XXX] (from client XXX)
(30) # Executing section post-auth from file /etc/XXX.conf
(30) +- entering group post-auth {...}
(30) ++? if (reply:Framed-IP-Address)
(30) ? Evaluating (reply:Framed-IP-Address) -> FALSE
(30) ++? if (reply:Framed-IP-Address) -> FALSE
(30) ++- entering else else {...}
rlm_sql (ACCOUNTING-01): Reserving sql socket id: 14
(30) [IP-POOLING-01] expand: %{User-Name} -> XXX
(30) [IP-POOLING-01] sql_set_user escaped user --> 'XXX'
(30) [IP-POOLING-01] expand: BEGIN -> BEGIN
(30) [IP-POOLING-01] expand: COMMIT -> COMMIT
(30) [IP-POOLING-01] expand: SELECT ip_address FROM radippool WHERE pool_name 
= '%{reply:Pool-Suffix}*%{Huntgroup-Name}' AND expiry_time  NOW() ORDER BY 
rand(), 
pool_name, expiry_time LIMIT 1 FOR UPDATE - SELECT ip_address FROM radippool 
WHERE pool_name = 'BC*' AND expiry_time  NOW() ORDER BY rand(), pool_name, 
expiry_time LIMIT 1 FOR UPDATE


Segmentation fault



I see the expansion of the variable Huntgroup-Name didn't get any value...

Maybe that is the reason for the seg fault?


--- End of forwarded message ---


RE: Sending attribute with sub-attributes

2011-03-16 Thread David Peterson
After some excellent tutelage from Mr. Wiechman, I am getting different
access-accept.  However, it's showing Breezecom attributes which seem out of
place.
Access-Accept Id 86  172.16.4.14:1812 -> 172.16.4.2:1812 +26.680
Breezecom-Attr1 = vpws
Breezecom-Attr1 = \000\000\000{
Breezecom-Attr1 = \000\001
WiMAX-Packet-Data-Flow-Id = 1
WiMAX-Direction = Bi-Directional
WiMAX-Transport-Type = Ethernet
WiMAX-Uplink-QOS-Id = 1
WiMAX-Downlink-QOS-Id = 1
Breezecom-Attr11 = \000\000\000\002
Breezecom-Attr11 = \000\000\000\001
Breezecom-Attr11 = \003
Breezecom-Attr8 = \000\000\000\310
WiMAX-QoS-Id = 1
WiMAX-Schedule-Type = Best-Effort
WiMAX-Traffic-Priority = 4
WiMAX-Maximum-Sustained-Traffic-Rate = 524288
EAP-Message = 0x03080004
Message-Authenticator = 0x8f55919c4b4c60477f2db19bb718991e
User-Name = {sm=1}002C4FF731202A48C2F17C5DB5C47019
WiMAX-MSK =
0x9981c3c5526316c7187b884c6877162d8158025a98d212500cfe1a9809fc011a7f12796947
7a38a93b493304783d6cbb4b581f3a50a011fd04b78cba8b3f20caed618b15c1a23af3d1bb03
4c6812d5ad822b

Is there another dictionary that is driving the Breezecom-Attr or does
Freeradius just figure out its Alvarion and assign that internally?

David


Re: The story of PAP, CHAP and the blank password

2011-03-16 Thread Nick Owen
On Wed, Mar 16, 2011 at 10:21 AM, Kenneth Marshall k...@rice.edu wrote:
 On Wed, Mar 16, 2011 at 06:19:08PM +0530, pradyumna dash wrote:
 Hi,

 Need a doc/pointer on FreeRadius+OpenLDAP+Mobile-OTP configuration, I
 would be implementing this in a SuSE server.

 Can any one help me how to do it?

 Regards,
 Neo

 I thought there was a link to a how-to for this on the mobile-otp
 website. I am getting ready to do it here as well with Redhat.

Here's one that I did for the WiKID one-time password system. I bet that
the first half, on OpenLDAP and FreeRADIUS, would be exactly the same:

http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius/?searchterm=freeradius

HTH,

Nick


 Cheers,
 Ken
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




-- 
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


same username different password on different NAS

2011-03-16 Thread Richard Thornton
I am just learning about freeradius now, and would like to see if I can use it 
to manage access and logging for users at a few hundred locations.  Each remote 
office has between 1 and 50 users, and at first glance freeradius will do the 
job, but I just noticed a problem with overlapping usernames.  I am not sure if 
I need to use virtual servers, or if there is a better / easier way.

The problem is that each location may have a user with the same login name as a 
different location.  For a simple example, each site could have a login of 
manager, but the manager username at each site would probably pair up with a 
different password.

Without using virtual servers, is there a way to link the username manager to 
the NAS name or IP of the location?  I'm picturing something like the radcheck 
table containing an additional field for NAS such that freeradius would key off 
the combination of NAS address and username fields, rather than just the username 
field.

I am not opposed to using virtual servers if that is a better idea, but I'm 
worried about the overhead of several hundred of them...  Any ideas or pointers 
to docs would be appreciated.

-Richard



Re: same username different password on different NAS

2011-03-16 Thread Alan Buxey
hi,

you have pretty much got the idea already - you have to pair the username with 
the NAS-IP-Address: in SQL with radcheck, in the users file by putting the 
correct matching description on the first line (as per the examples).

alan

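One way to lay out the users file for Alan's NAS-IP-Address pairing, as an added example that is not from his post or from the FreeRADIUS distribution (the 192.0.2.x NAS addresses, the secrets and the Reply-Message strings are constructed placeholders):

```text
# raddb/users (added example; addresses and secrets are constructed placeholders)
#
# The files module walks the entries named "manager" in order and applies the
# first one whose check items all match the request. NAS-IP-Address is compared
# with "==", so each entry matches only requests from its own site.
# Cleartext-Password uses ":=", which stores the known-good password as a
# control item instead of comparing it here; pap, chap or mschap then verify
# the user's credential against it in the authenticate section.

manager    NAS-IP-Address == 192.0.2.10, Cleartext-Password := "site-a-manager-pw"
           Reply-Message = "site A"

manager    NAS-IP-Address == 192.0.2.20, Cleartext-Password := "site-b-manager-pw"
           Reply-Message = "site B"

# Fail closed: "manager" arriving from any NAS not listed above is rejected
# instead of silently matching a later DEFAULT entry.
manager    Auth-Type := Reject
           Reply-Message = "manager is not defined for this NAS"
```

NAS-IP-Address is whatever the NAS writes into the packet. The shared secret in clients.conf already proves which device sent the request, but if you would rather key on the source address the server actually saw, Packet-Src-IP-Address can be used as the check item in the same way.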

Re: same username different password on different NAS

2011-03-16 Thread Craig Campbell
Sounds like a configuration job for realms.
Each location would be a different realm, so the seemingly overlapping
username manager would in fact be a unique manager@realm-X.

Thoughts?
-craig


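The realm variant Craig describes, written out as an added example that is not from his post (the realm names, secrets and Reply-Message strings are constructed):

```text
# raddb/proxy.conf (added example). A realm with no auth_pool or acct_pool is
# handled locally, so nothing is proxied; the realm only acts as a namespace.
realm site-a {
}
realm site-b {
}

# raddb/users. With the "suffix" module in the authorize section (present by
# default), a login of manager@site-a is split into
# Stripped-User-Name = manager and Realm = site-a, and the files module looks
# entries up by Stripped-User-Name. The Realm check item then tells the two
# managers apart.
manager    Realm == "site-a", Cleartext-Password := "site-a-manager-pw"
           Reply-Message = "site A"

manager    Realm == "site-b", Cleartext-Password := "site-b-manager-pw"
           Reply-Message = "site B"

# A bare "manager" with no '@' gets no Realm attribute (unless a NULL realm is
# defined), so it matches neither entry above; reject it explicitly.
manager    Auth-Type := Reject
```

The realm is typed by the user, so on its own it is an identity namespace rather than a per-site access control; if a manager must only be able to log in from their own site's NAS, add the NAS-IP-Address check item to the same entries.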

Re: Seg Fault - 3.0 - More Info needed

2011-03-16 Thread Alan DeKok
Breuer Nicolas wrote:
 
  Hello Alan,
 
  Could you be precise about which information you need to go further?

  Yes.  I was precise.  Read the file doc/bugs.  This is documented.
Follow the instructions there.

  Alan DeKok.


Re: Sending attribute with sub-attributes

2011-03-16 Thread Alan DeKok
David Peterson wrote:
 After some excellent tutelage from Mr. Wiechman, I am getting different
 access-accept.  However, it's showing Breezecom attributes which seem out of
 place.

  edit the dictionary file, and delete the dictionary.alvarion
reference.

  Also, do a git pull from the master branch. Some fixes went in today.

 Is there another dictionary that is driving the Breezecom-Attr or does
 Freeradius just figure out its Alvarion and assign that internally?

  Alvarion has ~3 incompatible vendor-specific dictionaries.  And each
is broken in weird and wonderful ways.

  Alan DeKok.


Re: same username different password on different NAS

2011-03-16 Thread Richard Thornton
That gives me a good place to start.  Sounds so much easier to manage.  Much 
Thanks!

-Richard


Re: freeradius failover-through proxy or other way?

2011-03-16 Thread Martin Lambev
On 03/16/2011 07:00 PM, freeradius-users-requ...@lists.freeradius.org 
wrote:

Message: 1
Date: Wed, 16 Mar 2011 11:39:54 +0100
From: Alan DeKokal...@deployingradius.com
Subject: Re: SQL Counter Escape String !
To: su...@clydontech.com,   FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:4d80937a.5010...@deployingradius.com
Content-Type: text/plain; charset=ISO-8859-1

Suman Dash wrote:

  Hi Alan,

Did you manage to look into the issue?

   No.


Or maybe any hints on how to use DATETIME in Expiration instead of a String?

   Honestly, in 2.1.10, you can just write SELECT statements directly in
unlang.

update reply {
Session-Timeout := %{sql: SELECT ...}
}

   Couple that with a few other things, and you should be able to replace
the sqlcounter module entirely.

   i.e. I don't use that module, and I know little or nothing about it.
I have little time to do anything with it.

   Alan DeKok.


--

Message: 2
Date: Wed, 16 Mar 2011 16:13:49 +0530
From: Suman Dashsu...@clydontech.com
Subject: Re: SQL Counter Escape String !
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:4d809465.2050...@clydontech.com
Content-Type: text/plain; charset=iso-8859-1; Format=flowed

Much thanks Alan,

That was some really good advice on how to make the thing work.

So now I have to write an unlang statement in preprocess so that it
directly gives the Session-Timeout. Please correct me if I am wrong.

Thanks Again

--

Message: 3
Date: Wed, 16 Mar 2011 11:50:00 +0100
From: Alan DeKokal...@deployingradius.com
Subject: Re: freeradius failover-through proxy or other way?
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:4d8095d8.2080...@deployingradius.com
Content-Type: text/plain; charset=ISO-8859-1

Martin Lambev wrote:

After reading the whole freeradius wiki, it is still not clear to me whether it
is possible to do failover through a proxy, and how to organize the things
that I want to accomplish. Explanation follows:

   See raddb/proxy.conf.


Now I have the following setup: node 1 - NAS (pptp, openvpn) -  server 2
(freeradius + mysql as backend)
I read in the documentation about 2 or 3 mysql DBs and how to do fail-over,
load-balancing and redundancy, but if I do it like that, when the freeradius
server fails, the whole setup is down.

   Exactly.


I want to add another node as a second NAS so things will become like
this:

node 1 - NAS (pptp, openvpn) -  server 2 AAA (freeradius+mysql)
node 3 - NAS (  l2tp) -^

I want to have redundancy in case server 2 AAA (freeradius + mysql as
backend) fails, with a second server 4 AAA taking over with exactly the same
setup (freeradius + mysql backend). Should I use a freeradius proxy on
every node? Another solution? So things need to become like this:

   The NASes should do fail-over by listing a primary & secondary RADIUS
server.


node 1 - NAS (+freeradius proxy?)--|  Internet  |---server 2 master
(freeradius+mysql, location ex.US ) node 3 - NAS (+freeradius
proxy?)--|  Internet  |---server 4 slave (freeradius+mysql