use realms to access different mysql tables
Hi Freeradius-Mailing-List,

does anyone of you differentiate the sql database table by realm? E.g.:

  Auth-Requests for [EMAIL PROTECTED] will be checked against table db_radius1
  Auth-Requests for [EMAIL PROTECTED] will be checked against table db_radius2
  ... and so on.

I already found out that it is possible to use multiple sql instances, but as far as I understand they would be asked/checked one after another. That would be nice for failover scenarios, but if there are about 20-30 realms to check it would result in very slow performance (depending on mysql host speed).

So is there a better way to solve this problem? All users in one database is at the moment unfortunately no option...

Thanks in advance
Alex

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
add realm to user based on NAS-IP
Hi all,

I wonder if it is possible to add a realm to a username based on the NAS-IP the request comes from. For instance:

- user abc logs on router 10.0.0.1
- router 10.0.0.1 asks a freeradius proxy for user abc
- the freeradius proxy recognizes the IP, adds @realm to the username and proxies the request to another freeradius server based on the realm entry in proxy.conf

Unfortunately I found many solutions in the past 2 hours (like proxy-to-realm, attr_rewrite, hints...), I can't decide which is the right one for me. %)

So help would be much appreciated.

Thanks in advance
Alexander
Re: add realm to user based on NAS-IP
Hi Arran, hi Alexander and hi Freeradius-List,

I ran into problems regarding the Proxy-to-realm thing... :(

My Setup:
  10.0.0.1     A cisco Router
  10.0.1.20    My Terminal
  192.168.0.1  Radius (Home Server)
  192.168.0.2  Radius (Proxy)

At first a successful login with username [EMAIL PROTECTED]:

--snip1--
        User-Name = [EMAIL PROTECTED]
        Reply-Message = Password:
        User-Password = testtest
        NAS-Port = 2
        NAS-Port-Id = tty2
        NAS-Port-Type = Virtual
        Calling-Station-Id = 10.0.1.20
        NAS-IP-Address = 10.0.0.1
Tue Apr 10 19:41:10 2007 : Debug: Processing the authorize section of radiusd.conf
Tue Apr 10 19:41:10 2007 : Debug: modcall: entering group authorize for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module preprocess returns ok for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module chap returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module mschap returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Looking up realm realm for User-Name = [EMAIL PROTECTED]
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Found realm realm
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Proxying request from user abc to realm realm
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Adding Realm = realm
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Preparing to proxy authentication request to realm realm
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module suffix returns updated for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: rlm_eap: No EAP-Message, not doing EAP
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module eap returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module files returns notfound for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall: leaving group authorize (returns updated) for request 0
Tue Apr 10 19:41:10 2007 : Debug: proxy: creating 688187c3:1812
Tue Apr 10 19:41:10 2007 : Debug: proxy: allocating 688187c3:1812 0
Sending Access-Request of id 0 to 192.168.0.1 port 1812
        User-Name = [EMAIL PROTECTED]
        Reply-Message = Password:
        User-Password = testtest
        NAS-Port = 2
        NAS-Port-Id = tty2
        NAS-Port-Type = Virtual
        Calling-Station-Id = 10.0.1.20
        NAS-IP-Address = 10.0.0.1
        Proxy-State = 0x3836
Tue Apr 10 19:41:10 2007 : Debug: Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host 192.168.0.1:1812, id=0, length=24
Tue Apr 10 19:41:10 2007 : Debug: proxy: de-allocating 688187c3:1812 0
Tue Apr 10 19:41:10 2007 : Debug: rl_next: returning NULL
Tue Apr 10 19:41:10 2007 : Debug: Thread 2 got semaphore
Tue Apr 10 19:41:10 2007 : Debug: Thread 2 handling request 0, (1 handled so far)
        Proxy-State = 0x3836
Tue Apr 10 19:41:10 2007 : Debug: Processing the post-proxy section of radiusd.conf
Tue Apr 10 19:41:10 2007 : Debug: modcall: entering group post-proxy for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[post-proxy]: calling eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[post-proxy]: returned from eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[post-proxy]: module eap returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall: leaving group post-proxy (returns noop) for request 0
Tue Apr 10 19:41:10 2007 : Debug: authorize: Skipping authorize in post-proxy stage
Tue Apr 10 19:41:10 2007 : Debug: rad_check_password: Found Auth-Type
Tue Apr 10 19:41:10 2007 : Debug: rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 86 to 10.0.0.1 port 1645
Tue Apr 10
Re: add realm to user based on NAS-IP
Arran Cudbard-Bell wrote:
> rlm_realm instances do much the same job as the Proxy-To-Realm reply item, just they also handle splitting the username into its component parts. Usually you would use one or the other, but not both.

Okay I tested both ways:

1st with suffix disabled in the authorize section of radiusd.conf and:

DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm = realm
        User-Name = [EMAIL PROTECTED]

2nd with suffix enabled and:

DEFAULT NAS-IP-Address == 10.0.0.1
        User-Name = [EMAIL PROTECTED]

In both cases the request didn't reach the home server.

> Erm I thought your original question was, how do I proxy a user to a realm based on the NAS-IP-Address and how do I rewrite that username with that realm name
> If that's the case ... why are you using [EMAIL PROTECTED] as your test user???

I logged on with [EMAIL PROTECTED] to prove the proxy function of the proxy server. For the other tests my login was only abc...
Re: log on device directly in privileged mode
Molteni Davide wrote:
> Finally I successfully managed to log into the cisco switch (thanks to your help) using freeradius. Now I want that the radius users can directly enter into enable mode of the cisco device. I set this in the users file
>
> test    Auth-Type := Local, User-Password == test
>         Cisco-AVPair = shell:priv-lvl=15
>
> but it doesn't work, the user test logs into the cisco as unprivileged. Is there something missing in the config?

Hi,

you need something like that in your switch config:

aaa authorization exec default group [YOURSERVERGROUPHERE] local
Re: R: log on device directly in privileged mode
Molteni Davide wrote:
> -Original message-
> From: [EMAIL PROTECTED] on behalf of Alexander Papenburg
> Sent: Wed 11/04/2007 15.41
> To: FreeRadius users mailing list
> Subject: Re: log on device directly in privileged mode
>
> Molteni Davide wrote:
> > Finally I successfully managed to log into the cisco switch (thanks to your help) using freeradius. Now I want that the radius users can directly enter into enable mode of the cisco device. I set this in the users file
> >
> > test    Auth-Type := Local, User-Password == test
> >         Cisco-AVPair = shell:priv-lvl=15
> >
> > but it doesn't work, the user test logs into the cisco as unprivileged. Is there something missing in the config?
>
> Hi,
>
> you need something like that in your switch config:
>
> aaa authorization exec default group [YOURSERVERGROUPHERE] local
>
> I have tried, but with the line you suggested Authorization fails and the device won't let me in

Oh I am sorry, seems like this will work only on cisco routers, for switches you need tacacs for exec mode.

cisconfusion %)
Size Limitations on clients.conf
Hi,

I am just wondering if there are any size limitations on the clients.conf file. Background is: the current file consists of many /24 net-ranges and is currently 22k big ;)

For the past days I recognised some strange activities but unfortunately only saw the following in the log:

  Auth: Login incorrect (Home Server says so): [aaliyah] (from client INET-X.X.X.X/16 port 2 cli A.B.C.D)

Obviously A.B.C.D tries a word-list attack on one device in the range but I can't figure out on which one without going into debugging mode. So I hacked a quick and dirty perl script which generates a clients.conf with single IPs which is about 17M big ^^

Is there a better way?

Thanks,
Alex
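Added example, not from the post or from FreeRADIUS: a small Python parser over constructed log lines in the quoted format, grouping failures per Calling-Station-Id (the `cli` field) so that the guessing source, the user names it tries and the rate are visible for alerting, even though a /16 client entry hides which NAS actually received the requests.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Login incorrect" line quoted above; "(Home Server says so)" is optional.
LOGIN_FAIL = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: Login incorrect"
    r"(?: \([^)]*\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port \d+ cli (?P<cli>\S+)\)$"
)

# Constructed sample lines in the same format (addresses are documentation ranges).
SAMPLE_LOG = """\
Tue Apr 10 19:41:10 2007 : Auth: Login incorrect (Home Server says so): [aaliyah] (from client INET-10.0.0.0/16 port 2 cli 198.51.100.7)
Tue Apr 10 19:41:12 2007 : Auth: Login incorrect (Home Server says so): [aaron] (from client INET-10.0.0.0/16 port 2 cli 198.51.100.7)
Tue Apr 10 19:41:15 2007 : Auth: Login incorrect (Home Server says so): [abby] (from client INET-10.0.0.0/16 port 2 cli 198.51.100.7)
Tue Apr 10 19:41:17 2007 : Auth: Login incorrect (Home Server says so): [abigail] (from client INET-10.0.0.0/16 port 2 cli 198.51.100.7)
Tue Apr 10 19:41:20 2007 : Auth: Login incorrect (Home Server says so): [adam] (from client INET-10.0.0.0/16 port 2 cli 198.51.100.7)
Tue Apr 10 19:44:03 2007 : Auth: Login incorrect (Home Server says so): [admin] (from client INET-10.0.0.0/16 port 1 cli 10.0.1.20)
Tue Apr 10 19:44:09 2007 : Auth: Login OK: [admin] (from client INET-10.0.0.0/16 port 1 cli 10.0.1.20)
"""

def parse_failures(lines):
    """Yield (timestamp, user, client, cli) for every failed-login line."""
    for line in lines:
        m = LOGIN_FAIL.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("user"), m.group("client"), m.group("cli")

def find_guessing_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {cli: (failures, distinct_users, client)} for each Calling-Station-Id
    with at least `threshold` failures inside any `window`-long span.  The NAS
    itself stays hidden behind the /16 client entry, but the source, the user
    names tried and the rate are all in the line and are enough to alert on."""
    per_cli = defaultdict(list)
    for ts, user, client, cli in parse_failures(lines):
        per_cli[cli].append((ts, user, client))
    flagged = {}
    for cli, events in per_cli.items():
        events.sort()
        start = 0
        for end in range(len(events)):                      # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u, _ in events}
                flagged[cli] = (len(events), len(users), events[end][2])
                break
    return flagged
```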
Multiple Huntgroups for one User?
Hi Freeradius-List,

is it possible to give/deny access to multiple huntgroups for a single user/group? E.g.: user/group is denied to access hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 but is allowed to access all the other hosts in 10.0.0.0/24.

Something like hostpools would be nice (e.g.: user/group1 can access pool1, pool2 and pool3. user2 can access pools 1+2 but is denied to access pool3).

Thanks in advance,
Alexander
Multiple Huntgroups for one User? 2nd Try
2nd Try, just in case my 1st message was not recognized ;-)

Hi Freeradius-List,

is it possible to give/deny access to multiple huntgroups for a single user/group? E.g.: user/group is denied to access hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 but is allowed to access all the other hosts in 10.0.0.0/24.

Something like hostpools would be nice (e.g.: user/group1 can access pool1, pool2 and pool3. user2 can access pools 1+2 but is denied to access pool3).

Thanks in advance,
Alexander
Re: Multiple Huntgroups for one User? 2nd Try
[EMAIL PROTECTED] wrote:
> huntgroups file:
>
> pool3   NAS-IP-Address == NAS1IPAddress
> pool3   NAS-IP-Address == NAS2IPAddress
> pool3   NAS-IP-Address == NAS3IPAddress
>
> DEFAULT Huntgroup-Name == pool3, User-Name == user2, Auth-Type := Reject
>
> in users file. Huntgroups *are* what you refer to as hostpools.
>
> Ivan Kalik
> Kalik Informatika ISP

You're right with the hostpools... %)

Maybe this will explain my question more exactly: I have 4 groups of users:

Admins (which are allowed to access all hosts) - okay quite easy, simply no huntgroup
FW-Admins (which are allowed to access only FW-IPs) - easy too, huntgroup FW-IPs
RTR-Admins (which are allowed to access all CPE-IPs) - difficult (big net) so I want to use REGEX wildcards, which unfortunately also cover the FW-IPs
Apprentice (which are allowed to access only TEST-IPs) - again easy, huntgroup TEST-IPs

So what I want is something like, in an example 10.0.0.0/16 net (with approx. 400-500 devices in this range) ...

huntgroups:

FW-IPs   NAS-IP-Address == 10.0.0.1
FW-IPs   NAS-IP-Address == 10.0.0.2
FW-IPs   NAS-IP-Address == 10.0.0.3
CPE-IPs  NAS-IP-Address =~ '10\.0\..*\..*'
TEST-IPs NAS-IP-Address == 10.0.255.1
TEST-IPs NAS-IP-Address == 10.0.255.2
TEST-IPs NAS-IP-Address == 10.0.255.3

users:

anderson Huntgroup-Name == CPE-IPs, Huntgroup-Name != FW-IPs
  (Is this possible ?!?) - for a user who should access all of the 10.0.0.0/16 net except the FW IPs.

smith    Huntgroup-Name == TEST-IPs
  - a simple apprentice entry

and so on ...

Any ideas?

Alexander
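Added example, not from the thread or from FreeRADIUS: a Python model of how a users entry with Huntgroup-Name check items resolves against an abridged copy of the huntgroups file above, treating `Huntgroup-Name == X` as "request is in group X" and `!= X` as "is not", with Ivan's reject-first DEFAULT form accepted through the `users_text` parameter. That the real server evaluates `!=` on Huntgroup-Name this way is an assumption of the model, not something the thread confirms.

```python
import re
# Constructed, abridged copies of the huntgroups and users files from the post above.
HUNTGROUPS = r"""
FW-IPs   NAS-IP-Address == 10.0.0.1
FW-IPs   NAS-IP-Address == 10.0.0.2
CPE-IPs  NAS-IP-Address =~ '10\.0\..*\..*'
TEST-IPs NAS-IP-Address == 10.0.255.1
"""
USERS = """
anderson Huntgroup-Name == CPE-IPs, Huntgroup-Name != FW-IPs
smith    Huntgroup-Name == TEST-IPs
"""
# One "attr op value" check item; values may be quoted (regexes), items are comma-separated.
ITEM = re.compile(r"(\S+)\s*(==|!=|=~|:=)\s*('[^']*'|[^\s,]+)")

def parse_entries(text):
    """Yield (name, [(attr, op, value), ...]) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            name, rest = line.split(None, 1)
            yield name, [(a, o, v.strip("'")) for a, o, v in ITEM.findall(rest)]

def attr_check(attr, op, value, request):
    actual = request.get(attr, "")
    if op == "=~":
        return re.search(value, actual) is not None
    return (actual == value) == (op == "==")             # "==" or "!="

def in_huntgroup(name, groups, request):
    # Model: a request is in a huntgroup if any line of that group matches it.
    return any(attr_check(a, o, v, request) for a, o, v in groups.get(name, []))

def authorize(user, nas_ip, users_text=USERS):
    """Model of users-file matching: the first entry (by name or DEFAULT) whose
    check items all hold decides; Auth-Type := Reject there rejects, else accept."""
    request = {"User-Name": user, "NAS-IP-Address": nas_ip}
    groups = {}
    for name, items in parse_entries(HUNTGROUPS):
        groups.setdefault(name, []).extend(items)
    for name, items in parse_entries(users_text):
        if name not in ("DEFAULT", user):
            continue
        # Huntgroup-Name is not a request attribute: "==" means "is in that group",
        # "!=" means "is not"; ":=" items are control/reply items and are skipped.
        if all((in_huntgroup(v, groups, request) == (o == "==")) if a == "Huntgroup-Name"
               else attr_check(a, o, v, request) for a, o, v in items if o != ":="):
            return "reject" if ("Auth-Type", ":=", "Reject") in items else "accept"
    return "reject"                                      # nothing matched (simplified)
```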