Re: COA default configuration...Need help to test radclient

2010-05-15 Thread Eric Martell
Hi Alan,  
   Thanks for the reply. Pardon my ignorance but as you mentioned I did not 
find raddb/sites-available/coa.
In 2.1.8, there's an example CoA server in raddb/sites-available/coa

I only see,
# ls -lart sites-available/
total 124
-rw-r- 1 root root  2538 May 14 15:37 vmps
-rw-r- 1 root root   849 May 14 15:37 virtual.example.com
-rw-r- 1 root root  4042 May 14 15:37 status
-rw-r- 1 root root  5057 May 14 15:37 robust-proxy-accounting
-rw-r- 1 root root  8543 May 14 15:37 README
-rw-r- 1 root root   982 May 14 15:37 proxy-inner-tunnel
-rw-r- 1 root root 11757 May 14 15:37 inner-tunnel
-rw-r- 1 root root  3340 May 14 15:37 example
-rw-r- 1 root root  4544 May 14 15:37 dynamic-clients
-rw-r- 1 root root  4506 May 14 15:37 dhcp
-rw-r- 1 root root 16544 May 14 15:37 default
-rw-r- 1 root root  3508 May 14 15:37 decoupled-accounting
-rw-r- 1 root root  5342 May 14 15:37 copy-acct-to-home-server
-rw-r- 1 root root  4095 May 14 15:37 buffered-sql
-rw-r- 1 root root  2040 May 14 15:37 control-socket
-rw-r- 1 root root  5266 May 14 15:56 originate-coa
drwxr-x--- 2 root root  4096 May 15 12:42 .
drwxr-xr-x 7 root root  4096 May 15 12:58 ..
# 

Thanks and Regards.


  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: COA default configuration...Need help to test radclient

2010-05-15 Thread Eric Martell
Awesome. Thanks Alan. That did the trick. I will ask more implementation 
questions if there are any issues.

Sun May 16 01:43:19 2010 : Debug: Listening on authentication address * port 
1812
Sun May 16 01:43:19 2010 : Debug: Listening on accounting address * port 1813
Sun May 16 01:43:19 2010 : Debug: Listening on coa address * port 3799 as 
server coa
Sun May 16 01:43:19 2010 : Debug: Listening on command file 
/home/test/freeradius-2.1.9/var/run/radiusd/radiusd.sock
Sun May 16 01:43:19 2010 : Debug: Listening on proxy address * port 1814
Sun May 16 01:43:19 2010 : Info: Ready to process requests.
rad_recv: CoA-Request packet from host 127.0.0.1 port 33844, id=90, length=106
    User-Name = cisco
    User-Password = ,\247\262\374\222\\\345\321\36543\201:\001
    Cisco-AVPair = subscriber:command=account-logon
    Cisco-Account-Info = S172.16.xx.xx
Sun May 16 01:43:22 2010 : Info: server coa {
Sun May 16 01:43:22 2010 : Info: +- entering group recv-coa {...}
Sun May 16 01:43:22 2010 : Info: ++[ok] returns ok
Sun May 16 01:43:22 2010 : Info: +- entering group send-coa {...}
Sun May 16 01:43:22 2010 : Info: ++[ok] returns ok
Sun May 16 01:43:22 2010 : Info: } # server coa
Sending CoA-ACK of id 90 to 127.0.0.1 port 33844
Sun May 16 01:43:22 2010 : Info: Finished request 0.
Sun May 16 01:43:22 2010 : Debug: Going to the next request
Sun May 16 01:43:22 2010 : Info: Cleaning up request 0 ID 90 with timestamp +3
Sun May 16 01:43:22 2010 : Info: Ready to process requests.


Thanks.

--- On Sat, 5/15/10, Alan DeKok al...@deployingradius.com wrote:

From: Alan DeKok al...@deployingradius.com
Subject: Re: COA default configuration...Need help to test radclient
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Saturday, May 15, 2010, 9:43 AM

Eric Martell wrote:
 Hi Alan,  
    Thanks for the reply. Pardon my ignorance but as you mentioned I did
 not find raddb/sites-available/coa.
In 2.1.8, there's an example CoA server in raddb/sites-available/coa

  Ah...  it's in 2.1.9, then.

  See http://git.freeradius.org/pre/  for a pre-release of 2.1.9.
Use that instead of 2.1.8.

  Alan DeKok.



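The CoA-Request/CoA-ACK exchange in the debug log above, as an added Python example that is not from the thread or from FreeRADIUS: it builds the request with the attributes shown (id=90), computes the RFC 5176 authenticators, and shows the check a CoA listener performs before honouring a request and the check radclient performs on the ACK. The shared secret, the Cisco vendor attribute numbers and the omission of User-Password are assumptions.

```python
"""CoA-Request / CoA-ACK exchange with RFC 5176 authenticators (added example)."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK = 43, 44          # RADIUS packet codes for CoA (RFC 5176)
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
VENDOR_CISCO = 9
SECRET = b"testing123"                 # assumption: the shared secret for client 127.0.0.1


def attr(atype: int, value: bytes) -> bytes:
    """Standard attribute: Type(1) Length(1) Value. The type is one octet, so only
    attribute numbers 1-255 can ever appear in a packet; vendor attributes ride
    inside type 26 instead."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) Value."""
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor) + inner)


def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """radclient side. Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_coa_request(pkt: bytes, secret: bytes) -> bool:
    """Listener side: a CoA-Request whose authenticator does not verify under the
    client's secret is silently discarded, never answered with CoA-ACK or CoA-NAK."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != COA_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def build_coa_ack(request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Listener side. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_ACK, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_coa_ack(request: bytes, response: bytes, secret: bytes) -> bool:
    """radclient side: the ACK must carry our Identifier and be signed over our
    Request Authenticator, otherwise anyone could fake a success reply."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code != COA_ACK or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo() -> dict:
    """Replays the exchange from the log (id=90) plus two failure cases."""
    # Attribute values as in the log; User-Password is left out because it has no
    # role in CoA and its encoded bytes in the log are not recoverable.  Cisco
    # vendor types 1 (Cisco-AVPair) and 250 (Cisco-Account-Info) are assumed from
    # the stock FreeRADIUS dictionary.cisco.
    attrs = (attr(ATTR_USER_NAME, b"cisco")
             + vsa(VENDOR_CISCO, 1, b"subscriber:command=account-logon")
             + vsa(VENDOR_CISCO, 250, b"S172.16.xx.xx"))
    request = build_coa_request(90, attrs, SECRET)
    ack = build_coa_ack(request, b"", SECRET)
    tampered = bytearray(request)
    tampered[-1] ^= 0x01                    # one attribute byte altered in transit
    return {
        "request_ok": verify_coa_request(request, SECRET),
        "ack_ok": verify_coa_ack(request, ack, SECRET),
        "wrong_secret": verify_coa_request(request, b"not-the-secret"),
        "tampered": verify_coa_request(bytes(tampered), SECRET),
        "ident": request[1],
    }


if __name__ == "__main__":
    print(demo())
```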

Modify User-Name to upper Case (rewrite/unlang)

2009-03-20 Thread Eric Martell
Hi,
  I am searching through the forum and did not get a right suggestion. 

I am doing LDAP authentication and getting macaddress as User-Name in the 
following format.

User-Name = 001e.5283.34aa

I want to convert that to 001E528334AA, i.e. convert to uppercase and remove 
the dots.

Is there any function I can use such as, 
 ldap {

   User-Name := User-Name.toUpperCase().replace('.','');

}

Please guide me to the documentation.

Thanks and Regards.
Eric.







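For the conversion asked about above, an added Python example (not from the thread and not FreeRADIUS code) that canonicalises a MAC-address User-Name before it is used in an LDAP (uid=...) filter. It goes beyond the question's dotted Cisco form and also accepts colon, hyphen and bare 12-digit forms, refuses anything else, and escapes non-MAC user names per RFC 4515 before they reach a filter; the uid attribute name and the pass-through of ordinary user names are assumptions.

```python
"""Canonicalise a MAC-style User-Name for an LDAP lookup (added example)."""
import re
from typing import Optional

# Three common spellings of the same 48-bit address; hex digits only.
_MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"   # 001e.5283.34aa  (Cisco dotted)
    r"|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}"           # 00:1e:52:83:34:aa / 00-1e-52-83-34-aa
    r"|[0-9a-f]{12})$",                             # 001e528334aa    (bare)
    re.IGNORECASE,
)


def canonical_mac(user_name: str) -> Optional[str]:
    """Return the 12 upper-case hex digits (001E528334AA), or None if the
    value is not a MAC address in one of the accepted forms."""
    if not _MAC_FORMS.match(user_name):
        return None
    return re.sub(r"[.:-]", "", user_name).upper()


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: the characters that would otherwise change the
    meaning of a search filter become backslash-hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def uid_filter(user_name: str) -> str:
    """Build the (uid=...) filter for the lookup.  MAC-style names are
    canonicalised first; anything else is passed through escaped, so a
    username can never add extra filter terms.  (Assumption: the directory
    keys accounts on uid, as in the thread.)"""
    mac = canonical_mac(user_name)
    value = mac if mac is not None else ldap_filter_escape(user_name)
    return "(uid=%s)" % value
```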

Re: Regex remove realm from username

2008-10-13 Thread Eric Martell
Thanks so much for the reply.

I tried realm-based routing as Alex mentioned and it is working fine.

realm google.com {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
    strip
}

Thanks so much.
Regards.

--- On Sat, 10/11/08, Arran Cudbard-Bell [EMAIL PROTECTED] wrote:
From: Arran Cudbard-Bell [EMAIL PROTECTED]
Subject: Re: Regex remove realm from username
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Cc: [EMAIL PROTECTED]
Date: Saturday, October 11, 2008, 2:12 PM


Alex French wrote:
 2008/10/10 Eric Martell [EMAIL PROTECTED]:
 Hi..
   I searched thru the forums but not getting the right username after
using
 regex.
 The request I am getting is : [EMAIL PROTECTED] and I need to strip
everything
 after @ and pass the username as test.
 
 Is there some reason you don't just create a local realm in proxy.conf
 and use the 'strip' keyword?
 
 realm google.com {
 type=   radius
   authhost= LOCAL
   accthost= LOCAL
   strip
 }
 
 
 Thanks,
 


We use:

if (%{User-Name}) {
    if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) {
        update request {
            Stripped-User-Name := %{1}
        }
        # User Names not containing a domain default to
        # default
        update request {
            Stripped-User-Domain = %{%{3}:-default}
        }
    }
    # Username in unrecognised format
    else {
        reject
    }
}

Thanks,
Arran

 Alex


--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2



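The split performed by the unlang block in Arran's reply, as an added Python example that is not part of the thread: it keeps the same capture-group numbering (%{1} for the user part, %{3} for the domain, "default" when there is no @) and also shows what %{0} expands to, the whole match rather than the stripped name. The user-part character class is masked as [EMAIL PROTECTED] in the archive, so [A-Za-z0-9._-]+ is assumed here.

```python
"""Username/realm split mirroring the unlang in the reply above (added example)."""
import re

# ^( user )( @ ( domain ) )?$ with the same group numbers as the unlang:
# group 1 = user part (%{1}), group 3 = domain (%{3}).  The user-part class
# is masked in the archive, so [A-Za-z0-9._-]+ is an assumption here.
USER_REALM = re.compile(r"^([A-Za-z0-9._-]+)(@([-A-Za-z0-9.]+))?$")


def split_user_name(user_name: str):
    """Return the request updates the unlang would make, or "reject"."""
    m = USER_REALM.fullmatch(user_name)
    if m is None:
        return "reject"                      # username in unrecognised format
    return {
        "Stripped-User-Name": m.group(1),    # %{1}
        "Stripped-User-Domain": m.group(3) or "default",  # %{%{3}:-default}
    }


def whole_match(user_name: str):
    """What %{0} expands to: the entire matched string, realm included, so
    Stripped-User-Name := %{0} never strips anything."""
    m = USER_REALM.fullmatch(user_name)
    return None if m is None else m.group(0)
```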

Regex remove realm from username

2008-10-10 Thread Eric Martell
Hi..
  I searched thru the forums but am not getting the right username after using 
regex.
The request I am getting is : [EMAIL PROTECTED] and I need to strip everything 
after @ and pass the username as test.

I am using ldap for auth. This is the config I have in ldap.


    if (User-Name =~ /^([EMAIL PROTECTED])(@.*)$/) {   // just want 
to dblchck is the right regex
  update request {
  Stripped-User-Name := %{0}
  }
    }


    filter = (uid=%{Stripped-User-Name})
    //filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    //filter = (uid=%{Stripped-User-Name})
    encryption_scheme = crypt

I get the following during the ldap lookup:
    expand: (uid=%{Stripped-User-Name}) - (uid=)


Here is the radius -X log:
rad_recv: Access-Request packet from host 216.2.193.1 port 55751, id=107, 
length=65
    User-Name = [EMAIL PROTECTED]
    User-Password = test123
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: Looking up realm google.com for User-Name = [EMAIL PROTECTED]
    rlm_realm: No such realm google.com
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++- entering group 
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
    expand: (uid=%{Stripped-User-Name}) - (uid=)
    expand: dc=xyz,dc=net,o=internet - dc=xyz,dc=net,o=internet
rlm_ldap: ldap_get_conn: Checking Id: 0





Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Hi Ivan,
  Thanks for the reply. After changing the operator to += I am still seeing all 
the VARRAY in the reply. It should reply back only 
Sending Access-Accept of id 65 to 216.121.193.1 port 49266

    rEntitlements += WIFILOC1

    rAttribute1 = 1

    rCidx = 1

and not as it is happening now

auth: type LDAP
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by etest300 with password test123
rlm_ldap: user DN: uid=test1212121
rlm_ldap: (re)connect to x:389, authentication 1
rlm_ldap: bind as uid=test1212121/test123 to xxx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user etest300 authenticated succesfully
++[ldap1] returns ok
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 65 to 216.2.193.1 port 49266
    rEntitlements += webhosting
    rEntitlements += 2UP15DWN
    rEntitlements += 5UP30DWN
    rEntitlements += WIFILOC1
    rAttribute1 = 1
    rCidx = 1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 65 with timestamp +1
Ready to process requests.

Please let me know.
Thanks so much in advance.

Regards.


--- On Wed, 10/8/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: Re: Radius reply multivalue VSA question.
To: freeradius-users@lists.freeradius.org
Date: Wednesday, October 8, 2008, 7:18 PM

+=

http://wiki.freeradius.org/Operators

Ivan Kalik
Kalik Informatika ISP


Dana 8/10/2008, Eric Martell [EMAIL PROTECTED] piše:

Hi, 
   We are defining custom VSA's for our company. We have ldap
configured in freeradius which returns back the VSA's. 

I defined custom VSA in
$freeradius/share/freeradius/dictionary.abc
ATTRIBUTE   rEntitlements   113 string

entitlements is a multivalue attribute (vARRAY) in LDAP.

In the ldap.attrmap it is defined as

replyItem   rEntitlements   entitlements  ==


So after the successful authentication, I am getting the rEntitlements back
as   

Sending Access-Accept of id 50 to 69.74.69.31 port 1814
    Session-Timeout = 7200
    rEntitlements == ADMALL
    rEntitlements == STORE
    rEntitlements == WEPG
    rEntitlements == WADM
    rEntitlements == SDNLD
    rEntitlements == WIFILOC1


BUT I am looking for ONLY WIFILOC1 for the NAS. NAS will redirect if
WIFILOC1 exists.

Can I do regex in the rEntitlements so freeradius ONLY returns 
rEntitlements = WIFILOC1 and ignore the rest?

Please let me know.
Thanks in advance.









Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Hi Ivan,
   I agree with you. But I am reading those attributes from LDAP. In LDAP the 
entitlements attribute is defined as Multivalue (array). I cannot change 
the existing LDAP structure.

I am mapping entitlements attribute from LDAP with the radius attribute 
rEntitlements in the ldap.attrmap

replyItem   rEntitlements   entitlements  +=

which is good so far. But I don't need the entire array from LDAP as the reply; 
I am just looking for WIFILOC1 and want to send that as the reply.

Please let me know if you need more information.

Thanks so much.
Regards.



--- On Thu, 10/9/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: Re: Radius reply multivalue VSA question.
To: freeradius-users@lists.freeradius.org
Date: Thursday, October 9, 2008, 11:40 AM

  Thanks for the reply. After changing the operator += I am still seeing
all the VARRAY in the reply. It should reply back only 
Sending Access-Accept of id 65 to 216.121.193.1 port 49266

    rEntitlements += WIFILOC1

    rAttribute1 = 1

    rCidx = 1

and not as it is happening now


So why did you put those other rEntitlements into the user profile? If
they are not the same thing they should have different attribute names.

Ivan Kalik
Kalik Informatika ISP





Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Ivan,
   I told the management but looks like no go.

is there any way I can change the rlm_ldap.c?

I am not proficient in c, so might need additional help.

Or are there any other options?

Let me know.
Thanks in advance.

--- On Thu, 10/9/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: Re: Radius reply multivalue VSA question.
To: freeradius-users@lists.freeradius.org
Date: Thursday, October 9, 2008, 1:54 PM

   I agree with you. But I am reading those attributes from LDAP. In LDAP
entitlements attribute is defined as Multivalue (array).

Which is of no use to you.

I cannot change the existing LDAP structure.


Are you a developer or not? If you are, then you say what LDAP structure
should look like. If your superiors are in love with that multivalue
field insist that data that you need should be kept in a separate
attribute as well.

Ivan Kalik
Kalik Informatika ISP





Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Thanks Ivan.

Not sure in which file I should add the update reply. Getting familiar with 
unlang, so pardon my dumb questions.

I added in ldap.attrmap.

update reply {
    rEntitlements -= entitlements
}
replyItem   rEntitlements   entitlements  +=

is that right? Also you mentioned a script. Is that a shell/perl script? 
Please enlighten.

Thanks in advance.


--- On Thu, 10/9/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: Re: Radius reply multivalue VSA question.
To: freeradius-users@lists.freeradius.org
Date: Thursday, October 9, 2008, 4:37 PM

is there any way I can change the rlm_ldap.c?

I am not proficient in c, so might need additional help.

Or there are any other options.


Well, before resorting to source code alterations try using unlang. Have
a look at update reply with -= operator. You can't use regex with that
operator so you will probably need to run a script that will filter what
needs to be removed.

http://freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika





Radius reply multivalue VSA question.

2008-10-08 Thread Eric Martell
Hi, 
   We are defining custom VSA's for our company. We have ldap configured in 
freeradius which returns back the VSA's. 

I defined custom VSA in
$freeradius/share/freeradius/dictionary.abc
ATTRIBUTE   rEntitlements   113 string

entitlements is a multivalue attribute (vARRAY) in LDAP.

In the ldap.attrmap it is defined as

replyItem   rEntitlements   entitlements  ==


So after the successful authentication, I am getting the rEntitlements back as

Sending Access-Accept of id 50 to 69.74.69.31 port 1814
    Session-Timeout = 7200
    rEntitlements == ADMALL
    rEntitlements == STORE
    rEntitlements == WEPG
    rEntitlements == WADM
    rEntitlements == SDNLD
    rEntitlements == WIFILOC1


BUT I am looking for ONLY WIFILOC1 for the NAS. NAS will redirect if WIFILOC1 
exists.

Can I do regex in the rEntitlements so freeradius ONLY returns 
rEntitlements = WIFILOC1 and ignore the rest?

Please let me know.
Thanks in advance.



Re: Pop3 and LDAP authentication...Multiple radius servers

2008-08-26 Thread Eric Martell
Thanks Ivan.

Now I have 2 radius servers running on the same machine as radiusa (port 1812) 
and radiusb (port 1912). I configured radiusa to do ldap auth and radiusb to do 
POP3 auth, which works fine individually thru radclient.

I setup proxy.conf in radiusa as

realm xyz.net {
   type    = radius
   authhost    = radiusb.test1.net:1912
   accthost    = radiusb.test1.net:1913
   secret  = testing
}

I am sending request thru radclient on radiusa. But for some reason the request 
does not get proxied to radiusb. 

This is the radius -X log.


rad_recv: Access-Request packet from host 167.206.23.94:1054, id=14, length=59
    User-Name = [EMAIL PROTECTED]
    User-Password = test
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: Looking up realm xyz.net for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm xyz.net
    rlm_realm: Adding Stripped-User-Name = testaccount
    rlm_realm: Proxying request from user testaccount to realm xyz.net
    rlm_realm: Adding Realm = xyz.net
    rlm_realm: Preparing to proxy authentication request to realm xyz.net 
  modcall[authorize]: module suffix returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 75
    users: Matched entry DEFAULT at line 180
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module files returns ok for request 0
modcall: entering group group for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '(uid=testaccount)'
radius_xlat:  'dc=test1,dc=net,o=internet'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection


Please let me know if I am missing something.

Thanks and Regards.

--- On Mon, 8/25/08, Ivan Kalik [EMAIL PROTECTED] wrote:
From: Ivan Kalik [EMAIL PROTECTED]
Subject: Re: Pop3 and LDAP authentication...Multiple radius servers
To: freeradius-users@lists.freeradius.org
Date: Monday, August 25, 2008, 1:39 PM

http://radiuswiki.suntel.com.tr/Proxy.conf

Ivan Kalik
Kalik Informatika ISP


Dana 25/8/2008, Eric Martell [EMAIL PROTECTED] piše:

Hi,
   We have an in-house radius server which does the LDAP authentication. We
got a new request from a third party to do authentication for their users
using POP3.

So the request comes to radiusA (our inhouse radius).

If the user has the realm @xyz.net, then we forward the request to the third
party to authenticate, which might be radiusB, which does the authentication
using POP3.

If there is no realm attached, radiusA does the LDAP auth and returns the
response.

Not sure how to specify this in our radiusd.conf.

I could not find any thread in the list. Please let me know the link if
this has already been discussed.

Your quick response is really appreciated.

Thanks and Regards.










Re: Pop3 and LDAP authentication...Multiple radius servers

2008-08-26 Thread Eric Martell
Here is the entire log.

rad_recv: Access-Request packet from host 167.206.23.94:1054, id=14, length=59
    User-Name = [EMAIL PROTECTED]
    User-Password = test
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: Looking up realm xyz.net for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm xyz.net
    rlm_realm: Adding Stripped-User-Name = testaccount
    rlm_realm: Proxying request from user testaccount to realm xyz.net
    rlm_realm: Adding Realm = xyz.net
    rlm_realm: Preparing to proxy authentication request to realm xyz.net 
  modcall[authorize]: module suffix returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 75
    users: Matched entry DEFAULT at line 180
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module files returns ok for request 0
modcall: entering group group for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '(uid=testaccount)'
radius_xlat:  'dc=test1,dc=net,o=internet'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to test1dir.net:389, authentication 0
rlm_ldap: bind as uid=mmpProxy,o=internet/MMP to test1dir.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=test1,dc=net,o=internet, with filter 
(uid=testaccount)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap1 returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '((uid=testaccount)(entitlements=WIFILOC1))'
radius_xlat:  'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://asdadasdt:389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/Paadaad to 
ldap://adasdasdas:389
rlm_ldap: uid=appuser,ou=appadm,o=entitlement bind to ldap://vadsdsdsad:389 
failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap2 returns fail for request 0
modcall: group group returns reject for request 0
modcall: group authorize returns reject for request 0
Invalid user (rlm_ldap: User not found): [EMAIL PROTECTED] (from client adasdas 
port 0)
Cancelling proxy as request was already rejected
Request 0 rejected in proxy_send.
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 14 to 167.206.23.94:1054
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 14 with timestamp 48b41aaf
Nothing to do.  Sleeping until we see a request.



--- On Tue, 8/26/08, Alan DeKok [EMAIL PROTECTED] wrote:
From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: Pop3 and LDAP authentication...Multiple radius servers
To: [EMAIL PROTECTED], FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Date: Tuesday, August 26, 2008, 11:13 AM

Eric Martell wrote:
 I am sending request thru radclient on radiusa. But for some reason the
 request does not get proxied to radiusb.
 
 This is the radius -X log.

  You've edited it so that most of it is missing.

  i.e. the part where it either decides to proxy, or to authenticate
locally.

  Alan DeKok.




Re: Pop3 and LDAP authentication...Multiple radius servers

2008-08-26 Thread Eric Martell
Alan thanks for the reply.

I already have radiusa, which does the LDAP authentication (it has ldap1 and 
ldap2 groups). A new business request came in to add POP3 authentication for a 
third party, so I added a new radius server, radiusb, which does the POP3 auth.

I am using radiusa to proxy to radiusb depending on the realm xyz.net, and all 
other requests (no realm in the usernames) still go to radiusa.

I am running radiusa on 1812 and radiusb on 1912. I did not see any log 
messages in radiusb server. I thought when using radiusa proxy, it forwards the 
request to radiusb.

The user [EMAIL PROTECTED] is configured in radiusb which does pop3 auth. No 
[EMAIL PROTECTED] user exists in radiusa ( in ldap).

Hope this helps. Let me know if I am doing it right.
Here is the radius -X log, 

rad_recv: Access-Request packet from host 167.206.23.94:1357, id=15, length=59
    User-Name = [EMAIL PROTECTED]
    User-Password = test
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: Looking up realm xyz.net for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm xyz.net
    rlm_realm: Adding Stripped-User-Name = testaccount
    rlm_realm: Proxying request from user testaccount to realm xyz.net
    rlm_realm: Adding Realm = xyz.net
    rlm_realm: Preparing to proxy authentication request to realm xyz.net 
  modcall[authorize]: module suffix returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 75
    users: Matched entry DEFAULT at line 180
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module files returns ok for request 0
modcall: entering group group for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '(uid=testaccount)'
radius_xlat:  'dc=opt,dc=net,o=internet'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1:389, authentication 0
rlm_ldap: bind as uid=mmpProxy,o=internet/MMPass to ldap1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=opt,dc=net,o=internet, with filter 
(uid=testaccount)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap1 returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '((uid=testaccount)(entitlements=WIFILOC1))'
radius_xlat:  'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://ldap2:1389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/PaBlAn0 to 
ldap://ldap2:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement, with filter 
((uid=testaccount)(entitlements=WIFILOC1))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap2 returns notfound for request 0
modcall: group group returns reject for request 0
modcall: group authorize returns reject for request 0
Invalid user (rlm_ldap: User not found): [EMAIL PROTECTED] (from client test1 
port 0)
Cancelling proxy as request was already rejected
Request 0 rejected in proxy_send.
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 15 to 167.206.23.94:1357
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 15 with timestamp 48b424b1
Nothing to do.  Sleeping until we see a request.






--- On Tue, 8/26/08, Alan DeKok [EMAIL PROTECTED] wrote:
From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: Pop3 and LDAP authentication...Multiple radius servers
To: [EMAIL PROTECTED], FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Date: Tuesday, August 26, 2008, 12:00 PM

Eric Martell wrote:
 Here is the entire log.
...
 rlm_ldap: performing search in dc=test1,dc=net,o=internet, with filter
 (uid=testaccount)

  If you're proxying the request, why have you configured the server to
do lookups in LDAP?

 ldap://vadsdsdsad:389 failed: Can't contact LDAP server
 rlm_ldap: (re)connection attempt failed
 rlm_ldap: search failed
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module

Pop3 and LDAP authentication...Multiple radius servers

2008-08-25 Thread Eric Martell
Hi,
   We have an in-house radius server which does the LDAP authentication. 
We got a new request from a third party to do authentication for their users 
using POP3.

So the request comes to radiusA (our inhouse radius).

If the user has the realm @xyz.net, then we forward the request to the third 
party to authenticate, which might be radiusB, which does the authentication 
using POP3.

If there is no realm attached, radiusA does the LDAP auth and returns the 
response.

Not sure how to specify this in our radiusd.conf.

I could not find any thread in the list. Please let me know the link if this 
has already been discussed.

Your quick response is really appreciated.

Thanks and Regards.




Re: Mapping ldap attribute with radius attribute...howto?

2008-04-02 Thread Eric Martell
Hi Alan,
   Can you please reply to me about LDAP multiple attributes in the radius reply 
response on this? It will be really appreciated.

I searched the following thread for ldap multiple attributes but it did not 
have the right logic without changing data.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg19275.html

We do not control changes to the ldap data, as it is legacy.

For ldap multiple attributes I am getting ONLY the first value.

rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test1
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test2
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test3
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap:  user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 21 to 216.2.193.1 port 20070
rEntitlements = test1
rCidx = 11





Alan DeKok [EMAIL PROTECTED] wrote: Eric Martell wrote:
 I am using NTRadPing to test the authorization.
 I see in the log that the radius attribute is mapped to the ldap attribute and
 returns a valid value
 rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
 
 but I did not see it in the Sending Access-Accept reply to NAS.

  Attributes between 1 and 255 can go into a packet.  Attributes greater
than that cannot go into a packet.

  You will need to define a vendor-specific dictionary for your
attribute.  See share/dictionary.*

  Alan DeKok.


   

Re: Mapping ldap attribute with radius attribute...howto?

2008-04-02 Thread Eric Martell
Hi Alan,
   Thanks so much. Really appreciated. It works !

One more simple/stupid question regarding duplicate entries in the LDAP.

We have scenarios where one PC gets transferred to another user and we don't 
delete the registered MAC address of the previous PC. The new user is still able 
to register with the previous user's existing PC MAC address one more time. Thus 
the scenario of duplicate entries in LDAP.

Is there a way, when the ldap query (irrespective of how I use it) finds multiple 
results, to take the first result and return success instead of sending a reject?

The dn is not the uid, as the ldap tree is structured with roleid as dn and 
uid/did is an attribute. Also changing the ldap tree is not possible.

Please let me know.
Thanks in advance.


Alan DeKok [EMAIL PROTECTED] wrote:
Eric Martell wrote:
 Can you please reply to me about LDAP multiple attributes in the radius
 reply response? Would really appreciate it.

  raddb/ldap.attrmap  See the operator field, which is an operator
just like in the users file.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


   
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Mapping ldap attribute with radius attribute...howto?

2008-03-31 Thread Eric Martell
Hi,
  I mapped my ldap attribute in the ldap.attrmap file as 
replyItem   rCidx   roleid  

And in the dictionary file I mapped it as 
ATTRIBUTE   rCidx   3000    string


I am using NTRadPing to test the authorization.
I see in the log that the radius attribute is mapped to the ldap attribute and returns a 
valid value
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11

but I did not see it in the Sending Access-Accept reply to the NAS.

I read the rlm_ldap doc but am not quite sure how to configure this. Please help.

Thanks and Regards.



rad_recv: Access-Request packet from host 216.2.193.1 port 42523, id=2, 
length=34
User-Name = 0014F846C199
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 0014F846C199, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
expand: %{Stripped-User-Name} -> 
expand: %{User-Name} -> 0014F846C199
expand: (&(did=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(did=0014F846C199))
expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://e.net:1389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/ to ldap://e.net:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(did=0014F846C199))
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == Accept
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 2 to 216.2.193.1 port 42523
Finished request 0.
Going to the next request
Waking up in 0.9 seconds. 
Waking up in 4.0 seconds. 
Cleaning up request 0 ID 2 with timestamp +3
Ready to process requests.


   
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Mapping ldap attribute with radius attribute...howto?

2008-03-31 Thread Eric Martell
Thanks so much Alan. Really appreciated your help.

It did work for a single return value.  Please check the log. I searched the 
following thread for multiple attributes but it did not have the right logic 
without changing data.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg19275.html

We do not control changes to the ldap data as it is legacy.

For ldap multiple attributes I am getting ONLY the first value.

rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test1
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test2
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test3
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 21 to 216.2.193.1 port 20070
rEntitlements = test1
rCidx = 11


Alan DeKok [EMAIL PROTECTED] wrote:
Eric Martell wrote:
 I am using NTRadPing to test the authorization.
 I see in the log, radius attribute is mapped to ldap attribute and
 returning valid value
 rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
 
 but I did not see it in the Sending Access-Accept reply to NAS.

  Attributes between 1 and 255 can go into a packet.  Attributes greater
than that cannot go into a packet.

  You will need to define a vendor-specific dictionary for your
attribute.  See share/dictionary.*

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


   
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
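Alan's two points above (attribute numbers above 255 cannot go on the wire; the ldap.attrmap operator decides how a multi-valued LDAP attribute becomes reply items) as an added Python example, not code from the thread or from FreeRADIUS. It lays out RADIUS attributes the way RFC 2865 does; the vendor id 99999, the attrmap lines and the dictionary entries in the comments are constructed assumptions.

```python
"""Why 'ATTRIBUTE rCidx 3000 string' never reaches the Access-Accept, and how
the same reply items fit once they are vendor-specific attributes (VSAs).
Vendor id 99999, the attrmap and the dictionaries below are constructed."""
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries vendor data


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Standard AVP: one-octet type, one-octet length, value (<= 253 octets)."""
    if not 1 <= attr_type <= 255:
        # The type field is a single octet, so 3000 cannot be encoded at all;
        # this is why the server silently leaves rCidx out of the reply.
        raise ValueError("attribute number %d does not fit in one octet" % attr_type)
    if len(value) > 253:
        raise ValueError("value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific AVP (RFC 2865 5.26): type 26, length, 4-octet vendor id,
    then the vendor's own (type, length, value) triple."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must be 1..255")
    if len(value) > 247:  # 253 minus vendor id (4) and vendor type/length (2)
        raise ValueError("value too long for one VSA")
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(inner) + 6, vendor_id) + inner


def decode_avps(data: bytes) -> list:
    """Parse an attribute list into (type, vendor_id, vendor_type, value)."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length at offset %d" % pos)
        body = data[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(body) < 6:
                raise ValueError("short VSA")
            vendor_id = struct.unpack("!I", body[:4])[0]
            vendor_type, vendor_len = body[4], body[5]
            if vendor_len != len(body) - 4:
                raise ValueError("inconsistent vendor length")
            out.append((attr_type, vendor_id, vendor_type, body[6:]))
        else:
            out.append((attr_type, None, None, body))
        pos += length
    return out


# Constructed stand-in for two ldap.attrmap lines with an operator column:
#   replyItem  rCidx          roleid        =
#   replyItem  rEntitlements  entitlements  +=
ATTRMAP = [("rCidx", "roleid", "="), ("rEntitlements", "entitlements", "+=")]


def map_reply_items(entry: dict, attrmap: list) -> list:
    """Simplified model of reply-item mapping: '+=' appends every LDAP value;
    any other operator keeps a single value, which is what the thread's
    default mapping did (only test1 made it into the reply)."""
    items = []
    for radius_attr, ldap_attr, op in attrmap:
        values = entry.get(ldap_attr, [])
        if not values:
            continue
        if op == "+=":
            items.extend((radius_attr, v) for v in values)
        else:
            items.append((radius_attr, values[0]))
    return items


# Two constructed dictionaries for the same names: the thread's plain numbers
# above 255, and a vendor-specific definition such as
#   VENDOR        Example        99999
#   BEGIN-VENDOR  Example
#   ATTRIBUTE     rCidx          1  string
#   ATTRIBUTE     rEntitlements  2  string
#   END-VENDOR    Example
DICT_PLAIN = {"rCidx": ("attr", 3000), "rEntitlements": ("attr", 3001)}
DICT_VSA = {"rCidx": ("vsa", 99999, 1), "rEntitlements": ("vsa", 99999, 2)}


def build_reply(entry: dict, attrmap: list, dictionary: dict) -> tuple:
    """Encode the mapped reply items; returns (wire_bytes, names_dropped)."""
    wire, dropped = b"", []
    for name, value in map_reply_items(entry, attrmap):
        spec = dictionary[name]
        try:
            if spec[0] == "attr":
                wire += encode_avp(spec[1], value.encode())
            else:
                wire += encode_vsa(spec[1], spec[2], value.encode())
        except ValueError:
            dropped.append(name)  # attribute is simply absent on the wire
    return wire, dropped


# Constructed LDAP entry carrying the values seen in the debug output above.
ENTRY = {"roleid": ["11"], "entitlements": ["test1", "test2", "test3"]}

if __name__ == "__main__":
    wire, dropped = build_reply(ENTRY, ATTRMAP, DICT_PLAIN)
    print("plain dictionary: %d bytes on the wire, dropped %s" % (len(wire), dropped))
    wire, dropped = build_reply(ENTRY, ATTRMAP, DICT_VSA)
    for avp in decode_avps(wire):
        print(avp)
```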

Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-26 Thread Eric Martell
Hi Ivan,
 We have scenarios where one PC gets transferred to another user and we don't 
delete the registered MAC address of the previous PC. The new user is still 
able to register with the previous user's existing PC MAC address one more 
time. Hence the scenario of duplicate entries in LDAP.

Please let me know.
Thanks and Regards.



Ivan Kalik [EMAIL PROTECTED] wrote:
After adding radiusAuthType on ONE uid it is working fine now.
But now the issue is, I have some cases where the MAC address are stored 
multiple times in Ldap. Thus the ldap query is failing.
Please check the log below. Can you please suggest me any workaround? Will 
really appreciate.

Only the obvious one: don't put multiple mac uids in the directory. uid
needs to be unique. BTW, where do multiple entries come from?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


   
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-26 Thread Eric Martell
Hi Ivan,
We already have this existing legacy system set up in production ldap and I am 
not sure we can change that anymore, as we don't use did as the dn.  No change in 
the existing ldap tree.

Is there a way, when the ldap query finds multiple result sets, to take the first 
result and return success instead of sending a reject?

Please let me know if this is doable.

Thanks and Regards.


Ivan Kalik [EMAIL PROTECTED] wrote:
Your did needs to be a distinguished name.

Ivan Kalik
Kalik Informatika ISP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-26 Thread Eric Martell
Thanks so much Ivan.

Alan DeKok, is there a way, if the ldap filter query returns multiple result sets, 
that we can send a radius Accept in the reply?

Please let me know.
Thanks and Regards.





Ivan Kalik [EMAIL PROTECTED] wrote:
Sorry. Don't know much about ldap.

Ivan Kalik


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-25 Thread Eric Martell
Hi Ivan,
   Sorry for not getting back to you earlier, as I did not have ldap access :(

After adding radiusAuthType on ONE uid it is working fine now. 
But now the issue is that I have some cases where the MAC address is stored 
multiple times in Ldap. Thus the ldap query is failing.
Please check the log below. Can you please suggest any workaround? Would 
really appreciate it.

Thanks and Regards.

Test Case 1 :: 1 UID
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 0014F846C199, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
expand: %{Stripped-User-Name} -> 
expand: %{User-Name} -> 0014F846C199
expand: (&(did=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(did=0014F846C199))
expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(did=0014F846C199))
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == Accept
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 39 to 216.2.193.1 port 38625
Finished request 3.






Test Case 2 :: Multiple UIDs

rad_recv: Access-Request packet from host 216.2.193.1 port 37788, id=38, 
length=34
User-Name = 0014F846C199
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 0014F846C199, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
expand: %{Stripped-User-Name} -> 
expand: %{User-Name} -> 0014F846C199
expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(uid=0014F846C199))
expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=0014F846C199))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [0014F846C199/no User-Password 
attribute] (from client samir port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 0014F846C199
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds



- Original Message 
From: Ivan Kalik [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, March 20, 2008 1:01:11 PM
Subject: Re: MACAddress silent authentication in LDAP using freeradius2.0.2

Bit confusing..do you want me to create entries in
ldap as, 


No:

uid = 001122334455
radiusAuthType = Accept

Forget about the device entries. radius authenticates users. Have a look
at the filter configured in ldap section of radiusd.conf

If yes, what additional changes I have to do in
freeradius and how I can return devicename along the
freeradius reply?

And what would you do with that? Groups? Then create group entries for
them and use memberof in the (mac) user entry.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-20 Thread Eric Martell
Hi Ivan,
  Thanks for the response. I am a newbie to freeradius.
Not sure in which file I should configure this? I have
the ldap module configured in radiusd.conf.

Can you please be more specific? I would really
appreciate that.

Thanks and Regards.



--- Ivan Kalik [EMAIL PROTECTED] wrote:

 In mac authentication mac address is used as
 username. So you will have
 to create entries that have (only) username equal to
 mac address and
 radiusAuthType Accept.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-20 Thread Eric Martell
Hi Ivan,
Bit confusing..do you want me to create entries in
ldap as, 

deviceid = 111
macaddress = 001122334455 
username = 001122334455
radiusAuthType = Accept
devicename = Personal PC.

deviceid = 222
macaddress = 001199887766
username = 001199887766
radiusAuthType = Accept
devicename = SIP Phone.   

If yes, what additional changes do I have to make in
freeradius, and how can I return devicename along with
the freeradius reply?

Please reply.
Thanks and Regards.

--- Ivan Kalik [EMAIL PROTECTED] wrote:

 No file. These are ldap entries which you need to
 make. You have entries
 as devices - now make entries as users.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-19 Thread Eric Martell
Please let me know if this topic has already been discussed
or has a doc/wiki. If yes, please guide me to the right
thread. Thanks.

We are going to use the MAC address as silent
authentication. When a user tries to connect to the
WIFI access point, Aptilo Networks is going to send
the MacAddress as the User-Name attribute to freeradius.
The User-Password attribute will be empty.

We are storing MAC addresses in the LDAP under the
device tree through user interface tools. The LDAP tree
is as follows:

deviceid = 111
macaddress = 001122334455
devicename = Personal PC.

deviceid = 222
macaddress = 001199887766
devicename = SIP Phone.

How do I configure the ldap module in freeradius so
that it checks if the MAC address exists in LDAP and
returns Access-Accept or Access-Reject along with
a reply of devicename?

Not sure how I should handle this in authorization or
authentication or post-auth? There are NO passwords.

I am using freeradius-2.0.2. Is there a way I can use
unlang?

Thanks and Regards.



  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring LDAP for query ONLY...

2008-01-04 Thread Eric Martell
Hi Alan,
  I am trying to do an ldap query lookup in the authorize
section and, after successful authorization (if the ldap
entry exists on the search query), reply with
Access-Accept, if not reject.

I do not want to do authentication in LDAP as we are
not storing the userPassword attribute in the ldap schema.

So in a way I am trying to do..

if(ldap search success) {
  Access-Accept
} else {
  Access-Reject
}

Please check the thread below what Phil told me to
do...



Hi Phil,
   Here is the detail configs and logs. Please let me
know.
Thanks and Regards.

modules {
    ldap {
        server = ldap://x:1389;
        identity = uid=appuser,ou=appadm,o=entitlement
        password = **
        basedn = ou=roles,o=entitlement

        dictionary_mapping = ${raddbdir}/ldap.attrmap
        filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))

        start_tls = no
        ldap_connections_number = 5

        timeout = 4
        timelimit = 3
        net_timeout = 1

        set_auth_type = no
    }
}

authorize {
    ..
    ldap
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }

    .
}

In the users files
#DEFAULT  Auth-Type := Local
 #Session-Timeout = 7200,
 #Fall-Through = Yes

#DEFAULT  Auth-Type := System
 #Session-Timeout = 7200,
 #Fall-Through = Yes



Here is the detail log.



rad_recv: Access-Request packet from host
216.2.193.1:55729, id=2, length=48
User-Name = test1
User-Password = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok
for request 0
  modcall[authorize]: module chap returns noop for
request 0
  modcall[authorize]: module mschap returns noop for
request 0
rlm_realm: No '@' in User-Name = test1, looking
up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for
request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test1
radius_xlat:  '(&(uid=test1)(entitlements=WIFILOC1)(attribute1=1))'
radius_xlat:  'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://:1389,
authentication 0
rlm_ldap: bind as
uid=appuser,ou=appadm,o=entitlement/ to
ldap://xxx:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement,
with filter (&(uid=test1)(entitlements=WIFILOC1)(attribute1=1))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for
request 0
rlm_pap: WARNING! No known good password found for
the user.  Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for
request 0
modcall: leaving group authorize (returns ok) for
request 0
auth: No authenticate method (Auth-Type) configuration
found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to 216.2.193.1 port
55729
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 2 with timestamp 4761660e
Nothing to do.  Sleeping until we see a request.






--- Phil Mayers p.mayers at imperial.ac.uk wrote:

  
  rlm_ldap: user test1 authorized to use remote
 access
  rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for
  request 0
  rlm_pap: WARNING! No known good password found
 for
  the user.  Authentication may fail because of
 this.
 
 That's the problem.
 
 Your LDAP module should be copying the LDAP
 attribute containing the 
 password to the relevant check item.
 
 Slightly confusing, there are two ways to do this:
 
   1. ldap.attrmap
   2. password_attribute & password_header config
 items of ldap module
 
 What are those setup to do?
 
 A full -X debug would help at this point.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 


Assuming you are using a recent version of FreeRadius,
you can do one of 
the following:

modules {
   ldap {
 ...
 set_auth_type = no
   }
}

authorize {
   preprocess
   ldap
   pap
}

authenticate {
   Auth-Type PAP {
 pap
   }
}




--- Alan DeKok [EMAIL PROTECTED] wrote:

 Eric Martell wrote:
  Hi Alan,
 Can you please help me out with the LDAP query?
 I
  am still stuck with the issue.
 
   What problem is left to solve?
 
   i.e. I read and answer a *lot

Re: Configuring LDAP for query ONLY...

2008-01-04 Thread Eric Martell
Hi Ivan,
  Actually, in the implementation we are going to treat
the zipcode on the website as a password field. We are
asking people to enter a username and zipcode, which is
stored in the LDAP schema. 

In radius, I am going to receive the username
(User-Name) and zipcode (User-Password). In the ldap
module I do the query
filter =
(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(zipcode=%{User-Password}))

and depending on the result set, give access or reject.

Please let me know if this is clear and whether there is any
better way to handle this in radius.

Thanks and Regards.
Eric.





--- [EMAIL PROTECTED] wrote:

 OK, so password is not in LDAP. Where is it then?
 Are you trying to
 accept users without passwords? Consider using a
 perl script to
 implement that logic and forget about LDAP module in
 Freeradius.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 

Re: Configuring LDAP for query ONLY...

2008-01-03 Thread Eric Martell
Hi Alan,
   Can you please help me out with the LDAP query? I
am still stuck with the issue.

Your response will be greatly appreciated.

Thanks and Regards,
Eric.

--- Alan DeKok [EMAIL PROTECTED] wrote:

 Phil Mayers wrote:
  Slightly confusing, there are two ways to do this:
 
   This should be fixed before 2.0.  There should be
 only one way to do
 things.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 



  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring LDAP for query ONLY...

2007-12-17 Thread Eric Martell
Hi Phil,
   Please let me know if you need more info. I am
still
stuck with the problem.

Thanks and Regards,
Eric.

--- Phil Mayers [EMAIL PROTECTED] wrote:

  
  rlm_ldap: user test1 authorized to use remote
 access
  rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for
  request 0
  rlm_pap: WARNING! No known good password found
 for
  the user.  Authentication may fail because of
 this.
 
 That's the problem.
 
 Your LDAP module should be copying the LDAP
 attribute containing the 
 password to the relevant check item.
 
 Slightly confusing, there are two ways to do this:
 
   1. ldap.attrmap
   2. password_attribute & password_header config
 items of ldap module
 
 What are those setup to do?
 
 A full -X debug would help at this point.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 



  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring LDAP for query ONLY...

2007-12-13 Thread Eric Martell
Hi Phil,
   Here is the detail configs and logs. Please let me
know.
Thanks and Regards.

modules {
ldap {

server = ldap://x:1389;
identity =
uid=appuser,ou=appadm,o=entitlement
password = **
basedn = ou=roles,o=entitlement

dictionary_mapping =
${raddbdir}/ldap.attrmap
filter =
(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))

start_tls = no
ldap_connections_number = 5

timeout = 4
timelimit = 3
net_timeout = 1

set_auth_type = no
}
}

authorize {
..
ldap
pap
}

authenticate {
Auth-Type PAP {
pap
}

.
}

In the users file:
#DEFAULT  Auth-Type := Local
 #Session-Timeout = 7200,
 #Fall-Through = Yes

#DEFAULT  Auth-Type := System
 #Session-Timeout = 7200,
 #Fall-Through = Yes



Here is the detail log.



rad_recv: Access-Request packet from host
216.2.193.1:55729, id=2, length=48
User-Name = test1
User-Password = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok
for request 0
  modcall[authorize]: module chap returns noop for
request 0
  modcall[authorize]: module mschap returns noop for
request 0
rlm_realm: No '@' in User-Name = test1, looking
up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for
request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test1
radius_xlat: 
'(&(uid=test1)(entitlements=WIFILOC1)(attribute1=1))'
radius_xlat:  'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://:1389,
authentication 0
rlm_ldap: bind as
uid=appuser,ou=appadm,o=entitlement/ to
ldap://xxx:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement,
with filter
(&(uid=test1)(entitlements=WIFILOC1)(attribute1=1))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for
request 0
rlm_pap: WARNING! No known good password found for
the user.  Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for
request 0
modcall: leaving group authorize (returns ok) for
request 0
auth: No authenticate method (Auth-Type) configuration
found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to 216.2.193.1 port
55729
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 2 with timestamp 4761660e
Nothing to do.  Sleeping until we see a request.






--- Phil Mayers [EMAIL PROTECTED] wrote:

  
  rlm_ldap: user test1 authorized to use remote
 access
  rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for
  request 0
  rlm_pap: WARNING! No known good password found
 for
  the user.  Authentication may fail because of
 this.
 
 That's the problem.
 
 Your LDAP module should be copying the LDAP
 attribute containing the 
 password to the relevant check item.
 
 Slightly confusing, there are two ways to do this:
 
   1. ldap.attrmap
   2. password_attribute & password_header config
 items of ldap module
 
 What are those setup to do?
 
 A full -X debug would help at this point.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 



 



  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring LDAP for query ONLY...

2007-12-12 Thread Eric Martell
Hi Phil, yes I did. Here is the config.
modules {
ldap {

   
set_auth_type = no
}
}



authorize {
preprocess
ldap
pap
}

authenticate {
#
#  PAP authentication, when a back-end
database listed
#  in the 'authorize' section supplies a
password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
}


I commented out everything from the users file as I am
not using the Local or System Auth-Type. I think I
might be missing something in the users file. Please
advise.

I get the following error.



rlm_ldap: user test1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for
request 0
rlm_pap: WARNING! No known good password found for
the user.  Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for
request 0
modcall: leaving group authorize (returns ok) for
request 0
auth: No authenticate method (Auth-Type) configuration
found for the request: Rejecting the user
auth: Failed to validate the user.






--- Phil Mayers [EMAIL PROTECTED] wrote:

 Eric Martell wrote:
  Hi Phil,
I installed the latest freeradius-1.1.7. I put
 the
  line 
   set_auth_type = no in ldap module
  to ignore the authentication. But for some reason
 I
  get the following error in the log. 
  
  rlm_ldap: user test1 authorized to use remote
 access
  rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for
  request 0
  modcall: leaving group authorize (returns ok) for
  request 0
  auth: No authenticate method (Auth-Type)
 configuration
  found for the request: Rejecting the user
  auth: Failed to validate the user.
 
 Did you add the pap module to the bottom of the
 authorize section as 
 per my example?
 
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 



  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring LDAP for query ONLY...

2007-12-11 Thread Eric Martell
Hi Phil,
  I installed the latest freeradius-1.1.7. I put the
line 
   set_auth_type = no in ldap module
to ignore the authentication. But for some reason I
get the following error in the log. 

rlm_ldap: user test1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for
request 0
modcall: leaving group authorize (returns ok) for
request 0
auth: No authenticate method (Auth-Type) configuration
found for the request: Rejecting the user
auth: Failed to validate the user.



I commented out 
#DEFAULT  Auth-Type := Local
 #Session-Timeout = 7200,
 #Fall-Through = Yes

and #DEFAULT  Auth-Type = System
#   Session-Timeout = 7200,
#   Fall-Through = 1

from the users file as I don't have anything in the
local or in the system. All the checks are with ldap
lookups.

Please let me know if I am missing something.

Thanks and Regards,
Eric.


--- Eric Martell [EMAIL PROTECTED] wrote:

 Thanks so much Phil. I am using freeradius-1.0.4
 
 I am going to install the latest version and will
 try
 your suggestion.
 
 Thanks and Regards.
 Eric.
 
 
 --- Phil Mayers [EMAIL PROTECTED] wrote:
 
  Eric Martell wrote:
   Hi,
 Is it possible to altogether avoid
 authenticate
   section  and just do ldap lookups in the
 authorize
   section?
   
   authorize {
  ldap {
notfound = reject
  }
   }
   
   The problem is in the authenticate section,
 radius
   gets the userDN from the authorize and tries to
  bind
   ldap with password which we don't have.
   
   I also tried in users file
   Ldap-UserDN :=
 `cn=Manager,dc=eng,dc=com/answer2` 
  
  Assuming you are using a recent version of
  FreeRadius, you can do one of 
  the following:
  
  modules {
 ldap {
   ...
   set_auth_type = no
 }
  }
  
  authorize {
 preprocess
 ldap
 pap
  }
  
  authenticate {
 Auth-Type PAP {
   pap
 }
  }
  
  
  
 
 
 
  


 



  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring LDAP for query ONLY...

2007-12-06 Thread Eric Martell
Hi Phil,
   I need some help again. Is there a way in the ldap
module to specify that only ONE result is returned for a
search filter? In my ldap tree, when I search with the
filter (&(uid=test1)(phone=1231313128)) I get multiple
results.

And in the log I get the message "search failed". I just
want it to return whatever the first result is.

rlm_ldap: performing search in dc=eng,dc=com, with
filter (&(uid=test1)(phone=1231313128))
rlm_ldap: object not found or got ambiguous search
result
rlm_ldap: search failed

Please help.

Thanks and Regards,
Eric.


--- Eric Martell [EMAIL PROTECTED] wrote:

 Thanks so much Phil. I am using freeradius-1.0.4
 
 I am going to install the latest version and will
 try
 your suggestion.
 
 Thanks and Regards.
 Eric.
 
 
 --- Phil Mayers [EMAIL PROTECTED] wrote:
 
  Eric Martell wrote:
   Hi,
 Is it possible to altogether avoid
 authenticate
   section  and just do ldap lookups in the
 authorize
   section?
   
   authorize {
  ldap {
notfound = reject
  }
   }
   
   The problem is in the authenticate section,
 radius
   gets the userDN from the authorize and tries to
  bind
   ldap with password which we don't have.
   
   I also tried in users file
   Ldap-UserDN :=
 `cn=Manager,dc=eng,dc=com/answer2` 
  
  Assuming you are using a recent version of
  FreeRadius, you can do one of 
  the following:
  
  modules {
 ldap {
   ...
   set_auth_type = no
 }
  }
  
  authorize {
 preprocess
 ldap
 pap
  }
  
  authenticate {
 Auth-Type PAP {
   pap
 }
  }
  
  
  
 
 
 
  


 



  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring LDAP for query ONLY...

2007-12-04 Thread Eric Martell
Hi,
  Is it possible to avoid the authenticate section
altogether and just do ldap lookups in the authorize
section?

authorize {
   ldap {
 notfound = reject
   }
}

The problem is that in the authenticate section, radius
gets the userDN from authorize and tries to bind to
ldap with a password which we don't have.

I also tried in users file
Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2` 

But for some reason it is not working.

Please help.

Let me know if you need more information or please
guide me to any documentation.

Thanks and Regards,
Eric.





--- Eric Martell [EMAIL PROTECTED] wrote:

 I am little bit confused as how to configure
 radiusd.conf in the authorize and/or authenticate
 section. So password is going to act like ldap
 attribute.
 
 We are going to pass, username and ldap attribute
 (home phone #) as input for each user.
 
 The way it is configured now is in the modules,
 
 ldap {
 server = 10.11.12.2
 identity = cn=Manager,dc=eng,dc=com
 password = answer2
 basedn = dc=eng,dc=com
 
 filter =

(&(uid=%{Stripped-User-Name:-%{User-Name}})(phone=1231313128))
 // just for testing
 
 ldap_connections_number = 5
 
 timeout = 4
 
 timelimit = 3
 
 net_timeout = 1
 
 }
 
 
 
 
 
 authorize {
 ..
 ..
 ..
 ldap
 ...
 
 }
 
 authenticate {
 Auth-Type LDAP {
 ldap
 }
 }
 
 
 In the logs it says:
 
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for test1
 radius_xlat:  '(&(uid=test1)(phone=1231313128))'
 radius_xlat:  'dc=eng,dc=com'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: bind as cn=Manager,dc=eng,dc=com/answer2 
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in dc=eng,dc=com, with
 filter (&(uid=test1)(phone=1231313128))
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user test1 authorized to use remote access
 
 
 this is good
 But in the authenticate section
 
 
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by test1 with password
 1231313128
 rlm_ldap: user DN: id=1967816, dc=eng,dc=com
 rlm_ldap: bind as id=1967816,
 dc=eng,dc=com/1231313128
 
 rlm_ldap: waiting for bind result ...
 rlm_ldap: id=1967816, dc=eng,dc=com bind to
 10.11.12.2:389 failed Inappropriate authentication
 rlm_ldap: ldap_connect() failed
 
 
 
 Not sure why it is trying to bind as id=1967816,
 dc=eng,dc=com/1231313128 
 
 The only thing I want to do it, just authorize the
 ldap and pass the user through.
 
 
 Please let me know if I am missing something.
 
 Thanks so much.
 
 Regards,
 Erik.
 
 
 
  


 



  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring LDAP for query ONLY...

2007-12-04 Thread Eric Martell
Thanks so much Phil. I am using freeradius-1.0.4

I am going to install the latest version and will try
your suggestion.

Thanks and Regards.
Eric.


--- Phil Mayers [EMAIL PROTECTED] wrote:

 Eric Martell wrote:
  Hi,
Is it possible to altogether avoid authenticate
  section  and just do ldap lookups in the authorize
  section?
  
  authorize {
 ldap {
   notfound = reject
 }
  }
  
  The problem is in the authenticate section, radius
  gets the userDN from the authorize and tries to
 bind
  ldap with password which we don't have.
  
  I also tried in users file
  Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2` 
 
 Assuming you are using a recent version of
 FreeRadius, you can do one of 
 the following:
 
 modules {
ldap {
  ...
  set_auth_type = no
}
 }
 
 authorize {
preprocess
ldap
pap
 }
 
 authenticate {
Auth-Type PAP {
  pap
}
 }
 
 
 



  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Configuring LDAP for query ONLY...

2007-12-03 Thread Eric Martell
I am a little bit confused as to how to configure
radiusd.conf in the authorize and/or authenticate
section. The password is going to act like an ldap
attribute.

We are going to pass the username and an ldap attribute
(home phone #) as input for each user.

The way it is configured now is in the modules,

ldap {
server = 10.11.12.2
identity = cn=Manager,dc=eng,dc=com
password = answer2
basedn = dc=eng,dc=com

filter =
(&(uid=%{Stripped-User-Name:-%{User-Name}})(phone=1231313128))
// just for testing

ldap_connections_number = 5

timeout = 4

timelimit = 3

net_timeout = 1

}





authorize {
..
..
..
ldap
...

}

authenticate {
Auth-Type LDAP {
ldap
}
}


In the logs it says:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for test1
radius_xlat:  '(&(uid=test1)(phone=1231313128))'
radius_xlat:  'dc=eng,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: bind as cn=Manager,dc=eng,dc=com/answer2 
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=eng,dc=com, with
filter (&(uid=test1)(phone=1231313128))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test1 authorized to use remote access


This is good.
But in the authenticate section:


rlm_ldap: - authenticate
rlm_ldap: login attempt by test1 with password
1231313128
rlm_ldap: user DN: id=1967816, dc=eng,dc=com
rlm_ldap: bind as id=1967816, dc=eng,dc=com/1231313128

rlm_ldap: waiting for bind result ...
rlm_ldap: id=1967816, dc=eng,dc=com bind to
10.11.12.2:389 failed Inappropriate authentication
rlm_ldap: ldap_connect() failed



Not sure why it is trying to bind as id=1967816,
dc=eng,dc=com/1231313128.

The only thing I want to do is just authorize against
ldap and pass the user through.


Please let me know if I am missing something.

Thanks so much.

Regards,
Erik.



  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
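The design discussed in this thread, a "password" that is really a second directory attribute and is matched through the search filter (the 2007-12-13 message uses (&(uid=...)(entitlements=WIFILOC1)(attribute1=%{User-Password}))), turns the LDAP filter itself into the authorization check, so anything that changes the filter's meaning changes who gets in. The Python below is an added example, not code from the list or from FreeRADIUS: it expands such a filter from request attributes with and without RFC 4515 escaping, shows the wildcard and ")(|" cases, and applies the exactly-one-entry rule behind the "object not found or got ambiguous search result" message from the 2007-12-06 message. The directory contents, the cut-down %{Attr} expansion and the matcher are simplified constructions for the example.

```python
"""Model of the rlm_ldap search filter from this thread (added example, not
FreeRADIUS code): expanding %{User-Name} and %{User-Password} into
    (&(uid=%{User-Name})(entitlements=WIFILOC1)(attribute1=%{User-Password}))
with and without RFC 4515 escaping.  The directory, the cut-down %{Attr}
expansion (no :-default syntax) and the matcher are constructed for the
example and are simpler than rlm_ldap's real xlat and LDAP matching rules.
"""
import re
from typing import Dict, List, Optional, Tuple

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template: str, attrs: Dict[str, str], escape: bool) -> str:
    def expand(m):
        value = attrs.get(m.group(1), "")
        return ldap_escape(value) if escape else value
    return re.sub(r"%\{([A-Za-z0-9-]+)\}", expand, template)

def parse_filter(text: str) -> Tuple:
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    pos = 0

    def node() -> Tuple:
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            kids = []
            while text[pos:pos + 1] == "(":
                kids.append(node())
            if text[pos:pos + 1] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed '{op}' at {pos}")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)  # a raw ')' never occurs inside a value
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr or "(" in value:
            raise ValueError(f"bad item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree

def _unescape(segment: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), segment)

def _value_matches(pattern: str, actual: str) -> bool:
    # An unescaped '*' is a wildcard; an escaped '\2a' is a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.DOTALL) is not None

def evaluate(tree: Tuple, entry: Dict[str, List[str]]) -> bool:
    op = tree[0]
    if op == "&":
        return all(evaluate(k, entry) for k in tree[1])
    if op == "|":
        return any(evaluate(k, entry) for k in tree[1])
    if op == "!":
        return not evaluate(tree[1][0], entry)
    return any(_value_matches(tree[2], v) for v in entry.get(tree[1], []))

# Constructed stand-in for ou=roles,o=entitlement (not real directory data).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=test1,ou=roles,o=entitlement": {"uid": ["test1"], "entitlements": ["WIFILOC1"], "attribute1": ["1"]},
    "uid=test2,ou=roles,o=entitlement": {"uid": ["test2"], "entitlements": ["WIFILOC1"], "attribute1": ["2"]},
    "uid=test3,ou=roles,o=entitlement": {"uid": ["test3"], "entitlements": ["OTHER"], "attribute1": ["3"]},
}
TEMPLATE = "(&(uid=%{User-Name})(entitlements=WIFILOC1)(attribute1=%{User-Password}))"

def search_one(filter_text: str) -> str:
    """rlm_ldap wants exactly one hit; anything else is its
    'object not found or got ambiguous search result' failure."""
    tree = parse_filter(filter_text)
    hits = [dn for dn, entry in DIRECTORY.items() if evaluate(tree, entry)]
    if len(hits) != 1:
        raise LookupError(f"object not found or got ambiguous search result ({len(hits)} hits)")
    return hits[0]

def authorize(attrs: Dict[str, str], escape: bool = True) -> Optional[str]:
    """DN of the single matching entry, or None when authorization fails."""
    try:
        return search_one(build_filter(TEMPLATE, attrs, escape))
    except (LookupError, ValueError):
        return None

if __name__ == "__main__":
    probe = {"User-Name": "test1", "User-Password": "*"}
    print("unescaped:", authorize(probe, escape=False))  # wildcard matches attribute1=1
    print("escaped:  ", authorize(probe))                 # literal '*' matches nothing
```

Run as a script it shows a "*" password passing the unescaped filter (the presence test (attribute1=*) matches the stored value 1) and failing the escaped one. rlm_ldap applies its own escaping to values expanded into the filter, so the escaped column is the server behaviour to expect; the unescaped column is what a filter assembled by hand in another tool, or a template whose expansion bypasses that escaping, would do. The User-Name injection case in the test shows why a balanced-looking filter is not a sufficient check: the injected "(|(attribute1=*)" disables the attribute1 comparison entirely.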


Re: How to configure multiple LDAPs with different DN's ?

2007-05-08 Thread Eric Martell
I would really appreciate it if someone could point me in
the right direction or to an archive of the thread.

Thanks in advance.
Regards.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


How to configure multiple LDAPs with different DN's ?

2007-05-04 Thread Eric Martell
Hi,
  We are trying to use LDAP group for authentication
and authorization.

Ldap1 = baseDN = dc=user,dc=net,o=internet
This Ldap1 will have users and passwords stored in it,
along with profiles.

Ldap2 = baseDN = dc=role,dc=system,o=internet
This Ldap2 will have only users and their associated roles.
No passwords will be stored in Ldap2.

While accessing the service, Radius should check if
the user/password matches in Ldap1. If that is fine, check
Ldap2, which has a different baseDN, to see if the role
for that user is validated. If both conditions are satisfied,
permit the user to access the service.

I am not sure how to configure this. Please kindly
help in changing radiusd.conf and the users file.

Thanks so much in advance. 

Regards.



 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple LDAP (Not failover) lookup...

2006-11-09 Thread Eric Martell
Thanks Alan.
  I figured it out. It should be 
ldap2 {
   notfound = reject
}

as ldap2 is returning notfound status.

Thanks so much again.


--- Alan DeKok [EMAIL PROTECTED] wrote:

 Eric Martell [EMAIL PROTECTED] wrote:
  Thanks so much Neal. You got it 95% right. The
 problem
  is FreeRadius always authorize first (no matter
 what
  the order in radiusd.conf) and then authenticate.
 
   Yes, that's how the server works.
 
  (This authorize should break the sequence and
  return FAIL. I tried ldap2 { fail = return } but
 no
  help...still returns notfound )
 
   See doc/configurable_failover.  You may want:
 
 ...
   ldap2 {
   fail = reject
   }
 ...
 
  Technically it should authenticate and then
 authorize
  and send the group response (AND) of both.
 
   Then... configure it to do that.  The default
 behavior is that a
 notfound error is NOT fatal, because another
 module or database may
 find the user.
 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of
 the book
   http://deployingradius.com/blog/ - The blog
 - 
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 



 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
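Eric's observation that ldap2 returning notfound does not stop the request, Alan's answer (notfound = reject, where fail = return had no effect because the module never returned fail), and the "No authenticate method (Auth-Type) configuration found" rejection in the "Configuring LDAP for query ONLY" thread above all come from one mechanism: how a section combines module return codes, documented in doc/configurable_failover. The Python below is an added model of that mechanism, not FreeRADIUS or list code. The action table is my approximation of the authorize defaults (verify it against your version's doc/configurable_failover), the two directories are constructed dicts, and the check-item name Cleartext-Password is an assumption; rlm_pap's behaviour of setting Auth-Type only when a known-good password is present, and otherwise logging the warning seen in the thread, is taken from the debug output posted here.

```python
"""Model of how a FreeRADIUS section combines module return codes (added
example, not FreeRADIUS code), applied to the two failures in this thread:
an authorize-only LDAP instance returning notfound, and a request that
reaches the end of authorize with no Auth-Type set.

Assumptions: AUTHORIZE_DEFAULTS approximates the table in
doc/configurable_failover; the two "directories" are constructed dicts;
the check item is called Cleartext-Password (older versions used another name).
"""
import hmac
from typing import Callable, Dict, List, Tuple, Union

Action = Union[int, str]  # numeric priority, "return" or "reject"
Module = Callable[[dict], str]

AUTHORIZE_DEFAULTS: Dict[str, Action] = {
    "reject": "return", "fail": "return", "handled": "return",
    "invalid": "return", "userlock": "return",
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
}

def run_section(entries: List[Tuple[Module, Dict[str, Action]]], request: dict) -> str:
    """Run modules in order; per-module overrides are the
    `ldap2 { notfound = reject }` syntax layered over the defaults."""
    result, priority = "noop", 0
    for module, overrides in entries:
        rcode = module(request)
        action = {**AUTHORIZE_DEFAULTS, **overrides}[rcode]
        if action == "return":
            return rcode
        if action == "reject":
            return "reject"
        if action > priority:  # numeric action: keep the highest-priority code seen
            result, priority = rcode, action
    return result

# Constructed stand-ins for the two directories described in the thread.
LDAP1_PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}  # authentication store
LDAP2_ROLES = {"alice": "productCode=WIFILOC1"}         # roles only, no passwords

def preprocess(request: dict) -> str:
    return "ok"

def ldap1_authorize(request: dict) -> str:
    """Phil's fix: copy the directory password into a check item
    (password_attribute / ldap.attrmap) so that pap can verify it."""
    user = request["request"]["User-Name"]
    if user not in LDAP1_PASSWORDS:
        return "notfound"
    request["control"]["Cleartext-Password"] = LDAP1_PASSWORDS[user]
    return "ok"

def ldap2_authorize(request: dict) -> str:
    """Authorize-only instance: the user must carry a role."""
    user = request["request"]["User-Name"]
    if user not in LDAP2_ROLES:
        return "notfound"
    request["reply"]["Role"] = LDAP2_ROLES[user]
    return "ok"

def pap_authorize(request: dict) -> str:
    if "Cleartext-Password" not in request["control"]:
        request["log"].append("rlm_pap: WARNING! No known good password found for the user.")
        return "noop"
    request["control"].setdefault("Auth-Type", "PAP")
    return "updated"

def pap_authenticate(request: dict) -> str:
    good = request["control"].get("Cleartext-Password", "")
    given = request["request"].get("User-Password", "")
    return "ok" if hmac.compare_digest(good.encode(), given.encode()) else "reject"

def process_request(authorize_entries, username: str, password: str) -> Tuple[str, dict]:
    request = {"request": {"User-Name": username, "User-Password": password},
               "control": {}, "reply": {}, "log": []}
    if run_section(authorize_entries, request) not in ("ok", "updated", "noop", "notfound"):
        return "Access-Reject", request
    if "Auth-Type" not in request["control"]:
        request["log"].append("auth: No authenticate method (Auth-Type) configuration "
                              "found for the request: Rejecting the user")
        return "Access-Reject", request
    if pap_authenticate(request) != "ok":
        return "Access-Reject", request
    return "Access-Accept", request

# The authorize {} sections discussed in the thread, as (module, overrides) lists.
AUTHZ_DEFAULT = [(preprocess, {}), (ldap1_authorize, {}), (ldap2_authorize, {}), (pap_authorize, {})]
AUTHZ_FAIL_RETURN = [(preprocess, {}), (ldap1_authorize, {}), (ldap2_authorize, {"fail": "return"}), (pap_authorize, {})]
AUTHZ_STRICT = [(preprocess, {}), (ldap1_authorize, {}), (ldap2_authorize, {"notfound": "reject"}), (pap_authorize, {})]
AUTHZ_NO_PASSWORD = [(preprocess, {}), (ldap2_authorize, {}), (pap_authorize, {})]

if __name__ == "__main__":
    for name, section in [("default", AUTHZ_DEFAULT), ("fail = return", AUTHZ_FAIL_RETURN),
                          ("notfound = reject", AUTHZ_STRICT)]:
        print(f"bob (no role), ldap2 {{ {name} }}:", process_request(section, "bob", "hunter2")[0])
    print("alice, no password check item:", process_request(AUTHZ_NO_PASSWORD, "alice", "s3cret")[1]["log"])
```

With the default table, bob has a valid password in ldap1 but no role in ldap2, and the request is still accepted: notfound carries a lower priority than the ok from preprocess, so it is simply outranked and the section goes on. fail = return changes nothing because ldap2 returned notfound, not fail. notfound = reject stops the section at ldap2, which is the behaviour Eric wanted. The last section, with no module supplying a password check item, reproduces the 2007 thread: pap logs its warning, returns noop, nothing sets Auth-Type, and the server rejects before authenticate is ever reached.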


Multiple LDAP (Not failover) lookup...

2006-11-07 Thread Eric Martell
Hi...
   I need to do multiple ldap lookups (2). The
purposes of the two ldaps are different, so in a way it
does not fit the configurable_failover scenario.

ldap1.
  This ldap is solely used for authentication of a
given user.

ldap2.
  This ldap is solely used for checking an ldap attribute,
e.g. productCode, for a given user.

The user exists in BOTH ldaps, but in ldap2 we don't
store the password hash. So it is just the userid with the
given attributes.

Here is what should happen for a given user.

If(authentication in ldap1 success) {
if(productCode attribute exists in ldap2 success) {
return Access-Accept.   
} else {
return Access-Reject.
}
} else {
return Access-Reject.
}

Any inputs will be greatly appreciated.

Thanks in advance.



 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Multiple LDAP (Not failover) lookup...

2006-11-07 Thread Eric Martell
Thanks so much Neal. You got it 95% right. The problem
is that FreeRadius always authorizes first (no matter what
the order in radiusd.conf is) and then authenticates.

authorize {
   .
   .
   .
   ldap2
}

authenticate {
   .
   .
   .
   ldap1 
}

So if the user fails in ldap2, module ldap2 returns
notfound for request user xyz and thus continues to the
authentication module.

(This authorize should break the sequence and
return FAIL. I tried ldap2 { fail = return } but no
help... it still returns notfound.)

And the same user in ldap1 returns ok for request user
xyz in authentication.

Finally FreeRadius returns Sending Access-Accept
(the status of the ldap1 auth) to the request.

Technically it should authenticate and then authorize
and send the grouped response (AND) of both.

Please let me know.
Thanks in advance.



--- Garber, Neal [EMAIL PROTECTED] wrote:

  If(authentication in ldap1 success) {
 
 Use ldap1 in the authenticate stage of radiusd.conf
 
  if(productCode attribute exists in ldap2 success)
 {
 
 Use ldap2 in the authorize stage of radiusd.conf
 
 Authorize is performed first in FreeRadius (you show
 authenticate
 First), but it shouldn't matter for what you're
 trying to do.  
 Configure ldap.attrmap to obtain the productCode
 attribute.
 
 - 
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 




 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html