Re: COA default configuration...Need help to test radclient
Hi Alan,

Thanks for the reply. Pardon my ignorance but as you mentioned I did not find raddb/sites-available/coa.

> In 2.1.8, there's an example CoA server in raddb/sites-available/coa

I only see,

# ls -lart sites-available/
total 124
-rw-r- 1 root root  2538 May 14 15:37 vmps
-rw-r- 1 root root   849 May 14 15:37 virtual.example.com
-rw-r- 1 root root  4042 May 14 15:37 status
-rw-r- 1 root root  5057 May 14 15:37 robust-proxy-accounting
-rw-r- 1 root root  8543 May 14 15:37 README
-rw-r- 1 root root   982 May 14 15:37 proxy-inner-tunnel
-rw-r- 1 root root 11757 May 14 15:37 inner-tunnel
-rw-r- 1 root root  3340 May 14 15:37 example
-rw-r- 1 root root  4544 May 14 15:37 dynamic-clients
-rw-r- 1 root root  4506 May 14 15:37 dhcp
-rw-r- 1 root root 16544 May 14 15:37 default
-rw-r- 1 root root  3508 May 14 15:37 decoupled-accounting
-rw-r- 1 root root  5342 May 14 15:37 copy-acct-to-home-server
-rw-r- 1 root root  4095 May 14 15:37 buffered-sql
-rw-r- 1 root root  2040 May 14 15:37 control-socket
-rw-r- 1 root root  5266 May 14 15:56 originate-coa
drwxr-x--- 2 root root  4096 May 15 12:42 .
drwxr-xr-x 7 root root  4096 May 15 12:58 ..
#

Thanks and Regards.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: COA default configuration...Need help to test radclient
Awesome. Thanks Alan. That did the trick. I will ask more implementation questions if any issues.

Sun May 16 01:43:19 2010 : Debug: Listening on authentication address * port 1812
Sun May 16 01:43:19 2010 : Debug: Listening on accounting address * port 1813
Sun May 16 01:43:19 2010 : Debug: Listening on coa address * port 3799 as server coa
Sun May 16 01:43:19 2010 : Debug: Listening on command file /home/test/freeradius-2.1.9/var/run/radiusd/radiusd.sock
Sun May 16 01:43:19 2010 : Debug: Listening on proxy address * port 1814
Sun May 16 01:43:19 2010 : Info: Ready to process requests.
rad_recv: CoA-Request packet from host 127.0.0.1 port 33844, id=90, length=106
	User-Name = cisco
	User-Password = ,\247\262\374\222\\\345\321\36543\201:\001
	Cisco-AVPair = subscriber:command=account-logon
	Cisco-Account-Info = S172.16.xx.xx
Sun May 16 01:43:22 2010 : Info: server coa {
Sun May 16 01:43:22 2010 : Info: +- entering group recv-coa {...}
Sun May 16 01:43:22 2010 : Info: ++[ok] returns ok
Sun May 16 01:43:22 2010 : Info: +- entering group send-coa {...}
Sun May 16 01:43:22 2010 : Info: ++[ok] returns ok
Sun May 16 01:43:22 2010 : Info: } # server coa
Sending CoA-ACK of id 90 to 127.0.0.1 port 33844
Sun May 16 01:43:22 2010 : Info: Finished request 0.
Sun May 16 01:43:22 2010 : Debug: Going to the next request
Sun May 16 01:43:22 2010 : Info: Cleaning up request 0 ID 90 with timestamp +3
Sun May 16 01:43:22 2010 : Info: Ready to process requests.

Thanks.

--- On Sat, 5/15/10, Alan DeKok al...@deployingradius.com wrote:

> From: Alan DeKok al...@deployingradius.com
> Subject: Re: COA default configuration...Need help to test radclient
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Saturday, May 15, 2010, 9:43 AM
>
> Eric Martell wrote:
> > Hi Alan,
> > Thanks for the reply. Pardon my ignorance but as you mentioned I did not find raddb/sites-available/coa.
> > > In 2.1.8, there's an example CoA server in raddb/sites-available/coa
>
> Ah... it's in 2.1.9, then.
>
> See http://git.freeradius.org/pre/ for a pre-release of 2.1.9. Use that instead of 2.1.8.
>
> Alan DeKok.
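The log above shows radclient sending a CoA-Request to the 'coa' virtual server on port 3799 and getting a CoA-ACK back. The following is an added example, not code from this thread, from radclient or from FreeRADIUS: it builds the same kind of packet offline and checks both authenticators the way RFC 5176 requires (Request Authenticator over 16 zero octets, Response Authenticator bound to the request). The shared secret, identifier and attribute values are constructed; the Cisco vendor ID 9 and Cisco-AVPair type 1 are the values FreeRADIUS's dictionary.cisco uses.

```python
"""CoA-Request / CoA-ACK exchange offline, following RFC 5176 and RFC 2865.

Added example (not from the thread, radclient or FreeRADIUS). Secret,
identifier and attribute values are constructed for the demo.
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45    # packet codes, RFC 5176
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26  # RFC 2865 attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1          # as in FreeRADIUS dictionary.cisco
SHARED_SECRET = b"testing123"                 # constructed demo secret


def attr(attr_type: int, value: bytes) -> bytes:
    """One AVP: Type | Length | Value. Type and Length are single octets."""
    if not 1 <= attr_type <= 255:
        raise ValueError("attribute type must fit in one octet")
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific AVP (RFC 2865 s.5.26): vendor ID then a nested TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Server side: a CoA changes session state, so check the declared length
    and the authenticator before running recv-coa at all."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_coa_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the ACK must carry our ID and an authenticator bound to
    our Request Authenticator, otherwise it is not an answer to this request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def demo_exchange() -> dict:
    """Both sides in one process: radclient-style request, coa-server-style reply."""
    attrs = attr(ATTR_USER_NAME, b"cisco") + vsa(
        CISCO_VENDOR_ID, CISCO_AVPAIR, b"subscriber:command=account-logon")
    request = build_coa_request(90, attrs, SHARED_SECRET)
    accepted = verify_request(request, SHARED_SECRET)
    reply = build_coa_response(COA_ACK if accepted else COA_NAK, request, b"", SHARED_SECRET)
    return {
        "request_code": request[0],
        "request_len": len(request),
        "server_accepted": accepted,
        "response_code": reply[0],
        "client_verified": verify_response(reply, request, SHARED_SECRET),
        "wrong_secret_rejected": not verify_request(request, b"not-the-secret"),
    }


if __name__ == "__main__":
    print(demo_exchange())
```

The point of the two verify functions is the one the default coa site leaves to the server core: a CoA-Request arriving with a bad shared secret or a tampered attribute must be dropped before recv-coa runs, and a CoA-ACK is only meaningful if its authenticator chains back to the request that was actually sent.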
Modify User-Name to upper Case (rewrite/unlang)
Hi,

I am searching through the forum and did not get a right suggestion. I am doing LDAP authentication and getting the MAC address as User-Name in the following format.

User-Name = 001e.5283.34aa

I want to convert that to 001E528334AA, i.e. convert to uppercase and remove the dots. Is there any function I can use such as,

ldap {
	User-Name := User-Name.toUpperCase().replace('.','');
}

Please guide me to the documentation.

Thanks and Regards.
Eric.
Re: Regex remove realm from username
Thanks so much for the reply. I tried as Alex mentioned, realm-based routing, and it is working fine.

realm google.com {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
	strip
}

Thanks so much.
Regards.

--- On Sat, 10/11/08, Arran Cudbard-Bell [EMAIL PROTECTED] wrote:

> From: Arran Cudbard-Bell [EMAIL PROTECTED]
> Subject: Re: Regex remove realm from username
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Cc: [EMAIL PROTECTED]
> Date: Saturday, October 11, 2008, 2:12 PM
>
> Alex French wrote:
> > 2008/10/10 Eric Martell [EMAIL PROTECTED]:
> > > Hi.. I searched thru the forums but not getting the right username after using regex. The request I am getting is : [EMAIL PROTECTED] and I need to strip everything after @ and pass the username as test.
> >
> > Is there some reason you don't just create a local realm in proxy.conf and use the 'strip' keyword?
> >
> > realm google.com {
> > 	type = radius
> > 	authhost = LOCAL
> > 	accthost = LOCAL
> > 	strip
> > }
> >
> > Thanks,
>
> We use:
>
> if(%{User-Name}){
> 	if(%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/){
> 		update request {
> 			Stripped-User-Name := %{1}
> 		}
> 		# User Names not containing a domain default to
> 		# default
> 		update request {
> 			Stripped-User-Domain = %{%{3}:-default}
> 		}
> 	}
> 	# Username in unrecognised format
> 	else{
> 		reject
> 	}
> }
>
> Thanks,
> Arran
>
> > Alex
>
> --
> Arran Cudbard-Bell ([EMAIL PROTECTED]),
> Authentication, Authorisation and Accounting Officer,
> Infrastructure Services (IT Services),
> E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
> DDI+FAX: +44 1273 873900 | INT: 3900
> GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Regex remove realm from username
Hi..

I searched thru the forums but not getting the right username after using regex. The request I am getting is : [EMAIL PROTECTED] and I need to strip everything after @ and pass the username as test. I am using ldap for auth.

This is the config I have in ldap.

if (User-Name =~ /^([EMAIL PROTECTED])(@.*)$/) {
	// just want to dblchck is the right regex
	update request {
		Stripped-User-Name := %{0}
	}
}

filter = (uid=%{Stripped-User-Name})
//filter = (uid=%{Stripped-User-Name:-%{User-Name}})
//filter = (uid=%{Stripped-User-Name})
encryption_scheme = crypt

I get the following while ldap lookup

expand: (uid=%{Stripped-User-Name}) -> (uid=)

Here is the radius -X log ;

rad_recv: Access-Request packet from host 216.2.193.1 port 55751, id=107, length=65
	User-Name = [EMAIL PROTECTED]
	User-Password = test123
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Looking up realm google.com for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm google.com
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++- entering group
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
expand: (uid=%{Stripped-User-Name}) -> (uid=)
expand: dc=xyz,dc=net,o=internet -> dc=xyz,dc=net,o=internet
rlm_ldap: ldap_get_conn: Checking Id: 0
Re: Radius reply multivalue VSA question.
Hi Ivan,

Thanks for the reply. After changing the operator += I am still seeing all the VARRAY in the reply. It should reply back only

Sending Access-Accept of id 65 to 216.121.193.1 port 49266
	rEntitlements += WIFILOC1
	rAttribute1 = 1
	rCidx = 1

and not as it is happening now

auth: type LDAP
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by etest300 with password test123
rlm_ldap: user DN: uid=test1212121
rlm_ldap: (re)connect to x:389, authentication 1
rlm_ldap: bind as uid=test1212121/test123 to xxx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user etest300 authenticated succesfully
++[ldap1] returns ok
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 65 to 216.2.193.1 port 49266
	rEntitlements += webhosting
	rEntitlements += 2UP15DWN
	rEntitlements += 5UP30DWN
	rEntitlements += WIFILOC1
	rAttribute1 = 1
	rCidx = 1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 65 with timestamp +1
Ready to process requests.

Please let me know. Thanks so much in advance.

Regards.

--- On Wed, 10/8/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Subject: Re: Radius reply multivalue VSA question.
> To: freeradius-users@lists.freeradius.org
> Date: Wednesday, October 8, 2008, 7:18 PM
>
> +=
>
> http://wiki.freeradius.org/Operators
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 8/10/2008, Eric Martell [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > We are defining custom VSA's for our company. We have ldap configured in freeradius which returns back the VSA's. I defined the custom VSA in $freeradius/share/freeradius/dictionary.abc
> >
> > ATTRIBUTE rEntitlements 113 string
> >
> > entitlements is a multivalue attribute (vARRAY) in LDAP. In the ldap.attrmap it is defined as
> >
> > replyItem rEntitlements entitlements ==
> >
> > So after the successful authentication, I am getting the rEntitlements back as
> >
> > Sending Access-Accept of id 50 to 69.74.69.31 port 1814
> > 	Session-Timeout = 7200
> > 	rEntitlements == ADMALL
> > 	rEntitlements == STORE
> > 	rEntitlements == WEPG
> > 	rEntitlements == WADM
> > 	rEntitlements == SDNLD
> > 	rEntitlements == WIFILOC1
> >
> > BUT I am looking for ONLY WIFILOC1 for the NAS. NAS will redirect if WIFILOC1 exists. Can I do regex in the rEntitlements so freeradius ONLY returns rEntitlements = WIFILOC1 and ignore the rest?
> >
> > Please let me know. Thanks in advance.
Re: Radius reply multivalue VSA question.
Hi Ivan,

I agree with you. But I am reading those attributes from LDAP. In LDAP the entitlements attribute is defined as Multivalue (array). I can't change the existing LDAP structure. I am mapping the entitlements attribute from LDAP to the radius attribute rEntitlements in the ldap.attrmap

replyItem rEntitlements entitlements +=

which is good so far. But I don't need the entire array from LDAP as reply, just looking for WIFILOC1 and send that as reply.

Please let me know if you need more information. Thanks so much.

Regards.

--- On Thu, 10/9/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Subject: Re: Radius reply multivalue VSA question.
> To: freeradius-users@lists.freeradius.org
> Date: Thursday, October 9, 2008, 11:40 AM
>
> > Thanks for the reply. After changing the operator += I am still seeing all the VARRAY in the reply. It should reply back only
> >
> > Sending Access-Accept of id 65 to 216.121.193.1 port 49266
> > 	rEntitlements += WIFILOC1
> > 	rAttribute1 = 1
> > 	rCidx = 1
> >
> > and not as it is happening now
>
> So why did you put those other rEntitlements into the user profile. If they are not the same thing they should have different attribute names.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Radius reply multivalue VSA question.
Ivan,

I told the management but looks like no go. Is there any way I can change the rlm_ldap.c? I am not proficient in C, so might need additional help. Or are there any other options. Let me know. Thanks in advance.

--- On Thu, 10/9/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Subject: Re: Radius reply multivalue VSA question.
> To: freeradius-users@lists.freeradius.org
> Date: Thursday, October 9, 2008, 1:54 PM
>
> > I agree with you. But I am reading those attributes from LDAP. In LDAP entitlements attribute is defined as Multivalue (array).
>
> Which is of no use to you.
>
> > I can't not change the existing LDAP structure.
>
> Are you a developer or not? If you are, then you say what LDAP structure should look like. If your superiors are in love with that multivalue field insist that data that you need should be kept in a separate attribute as well.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Radius reply multivalue VSA question.
Thanks Ivan.

Not sure which file I should add the update reply to? Getting familiar with unlang so pardon my dumb questions. I added in ldap.attrmap.

update reply {
	rEntitlements -= entitlements
}
replyItem rEntitlements entitlements +=

Is that right? Also you mentioned a script..is that a shell/perl script? Please enlighten. Thanks in advance.

--- On Thu, 10/9/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Subject: Re: Radius reply multivalue VSA question.
> To: freeradius-users@lists.freeradius.org
> Date: Thursday, October 9, 2008, 4:37 PM
>
> > is there any way I can change the rlm_ldap.c? I am not proficient in c, so might need additional help. Or there are any other options.
>
> Well, before resorting to source code alterations try using unlang. Have a look at update reply with -= operator. You can't use regex with that operator so you will probably need to run a script that will filter what needs to be removed.
>
> http://freeradius.org/radiusd/man/unlang.html
>
> Ivan Kalik
> Kalik Informatika
Radius reply multivalue VSA question.
Hi,

We are defining custom VSA's for our company. We have ldap configured in freeradius which returns back the VSA's. I defined the custom VSA in $freeradius/share/freeradius/dictionary.abc

ATTRIBUTE rEntitlements 113 string

entitlements is a multivalue attribute (vARRAY) in LDAP. In the ldap.attrmap it is defined as

replyItem rEntitlements entitlements ==

So after the successful authentication, I am getting the rEntitlements back as

Sending Access-Accept of id 50 to 69.74.69.31 port 1814
	Session-Timeout = 7200
	rEntitlements == ADMALL
	rEntitlements == STORE
	rEntitlements == WEPG
	rEntitlements == WADM
	rEntitlements == SDNLD
	rEntitlements == WIFILOC1

BUT I am looking for ONLY WIFILOC1 for the NAS. NAS will redirect if WIFILOC1 exists. Can I do regex in the rEntitlements so freeradius ONLY returns rEntitlements = WIFILOC1 and ignore the rest?

Please let me know. Thanks in advance.
Re: Pop3 and LDAP authentication...Multiple radius servers
Thanks Ivan.

Now I have 2 radius servers running on the same machine as radiusa (port 1812) and radiusb (port 1912). I configured radiusa to do ldap auth and radiusb to do POP3 auth, which works fine individually thru radclient. I set up proxy.conf in radiusa as

realm xyz.net {
	type = radius
	authhost = radiusb.test1.net:1912
	accthost = radiusb.test1.net:1913
	secret = testing
}

I am sending the request thru radclient on radiusa. But for some reason the request does not get proxied to radiusb. This is the radius -X log.

rad_recv: Access-Request packet from host 167.206.23.94:1054, id=14, length=59
	User-Name = [EMAIL PROTECTED]
	User-Password = test
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm xyz.net for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm xyz.net
rlm_realm: Adding Stripped-User-Name = testaccount
rlm_realm: Proxying request from user testaccount to realm xyz.net
rlm_realm: Adding Realm = xyz.net
rlm_realm: Preparing to proxy authentication request to realm xyz.net
modcall[authorize]: module suffix returns updated for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 75
users: Matched entry DEFAULT at line 180
users: Matched entry DEFAULT at line 184
modcall[authorize]: module files returns ok for request 0
modcall: entering group group for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat: '(uid=testaccount)'
radius_xlat: 'dc=test1,dc=net,o=internet'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection

Please let me know if I am missing something.

Thanks and Regards.

--- On Mon, 8/25/08, Ivan Kalik [EMAIL PROTECTED] wrote:

> From: Ivan Kalik [EMAIL PROTECTED]
> Subject: Re: Pop3 and LDAP authentication...Multiple radius servers
> To: freeradius-users@lists.freeradius.org
> Date: Monday, August 25, 2008, 1:39 PM
>
> http://radiuswiki.suntel.com.tr/Proxy.conf
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 25/8/2008, Eric Martell [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > We have a radius server which is inhouse which does the LDAP authentication. We got a new request from a third party to do authentication for their users using POP3. So the request comes to radiusA (our inhouse radius). If the user has the realm @xyz.net, then we forward the request to the third party to authenticate, which might be radiusB, which does the authentication using POP3. If there is no realm attached, radiusA does the LDAP auth and returns the response. Not sure how to specify this in our radiusd.conf. I could not find any thread in the list. Please let me know the link if this is already discussed. Really appreciate your quick response.
> >
> > Thanks and Regards.
Re: Pop3 and LDAP authentication...Multiple radius servers
Here is the entire log.

rad_recv: Access-Request packet from host 167.206.23.94:1054, id=14, length=59
	User-Name = [EMAIL PROTECTED]
	User-Password = test
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm xyz.net for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm xyz.net
rlm_realm: Adding Stripped-User-Name = testaccount
rlm_realm: Proxying request from user testaccount to realm xyz.net
rlm_realm: Adding Realm = xyz.net
rlm_realm: Preparing to proxy authentication request to realm xyz.net
modcall[authorize]: module suffix returns updated for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 75
users: Matched entry DEFAULT at line 180
users: Matched entry DEFAULT at line 184
modcall[authorize]: module files returns ok for request 0
modcall: entering group group for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat: '(uid=testaccount)'
radius_xlat: 'dc=test1,dc=net,o=internet'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to test1dir.net:389, authentication 0
rlm_ldap: bind as uid=mmpProxy,o=internet/MMP to test1dir.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=test1,dc=net,o=internet, with filter (uid=testaccount)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap1 returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat: '((uid=testaccount)(entitlements=WIFILOC1))'
radius_xlat: 'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://asdadasdt:389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/Paadaad to ldap://adasdasdas:389
rlm_ldap: uid=appuser,ou=appadm,o=entitlement bind to ldap://vadsdsdsad:389 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap2 returns fail for request 0
modcall: group group returns reject for request 0
modcall: group authorize returns reject for request 0
Invalid user (rlm_ldap: User not found): [EMAIL PROTECTED] (from client adasdas port 0)
Cancelling proxy as request was already rejected
Request 0 rejected in proxy_send.
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 14 to 167.206.23.94:1054
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 14 with timestamp 48b41aaf
Nothing to do. Sleeping until we see a request.

--- On Tue, 8/26/08, Alan DeKok [EMAIL PROTECTED] wrote:

> From: Alan DeKok [EMAIL PROTECTED]
> Subject: Re: Pop3 and LDAP authentication...Multiple radius servers
> To: [EMAIL PROTECTED], FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Tuesday, August 26, 2008, 11:13 AM
>
> Eric Martell wrote:
> > I am sending request thru radclient on radiusa. But for some reason the request does not get proxied to radiusb. This is the radius -X log.
>
> You've edited it so that most of it is missing. i.e. the part where it either decides to proxy, or to authenticate locally.
>
> Alan DeKok.
Re: Pop3 and LDAP authentication...Multiple radius servers
Alan thanks for the reply.

I already have radiusa which does the LDAP authentication (which has ldap1 and ldap2 groups). A new business request came to add POP3 authentication for a third party, so I added a new radius server radiusb which does the POP3 auth. I am using radiusa to do proxy depending on the realm xyz.net to forward to radiusb, and all other requests (no realm in the usernames) still go to radiusa. I am running radiusa on 1812 and radiusb on 1912. I did not see any log messages in the radiusb server. I thought when using the radiusa proxy, it forwards the request to radiusb. The user [EMAIL PROTECTED] is configured in radiusb which does pop3 auth. No [EMAIL PROTECTED] user exists in radiusa (in ldap). Hope this helps. Let me know if I am doing it right.

Here is the radius -X log,

rad_recv: Access-Request packet from host 167.206.23.94:1357, id=15, length=59
	User-Name = [EMAIL PROTECTED]
	User-Password = test
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm xyz.net for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm xyz.net
rlm_realm: Adding Stripped-User-Name = testaccount
rlm_realm: Proxying request from user testaccount to realm xyz.net
rlm_realm: Adding Realm = xyz.net
rlm_realm: Preparing to proxy authentication request to realm xyz.net
modcall[authorize]: module suffix returns updated for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 75
users: Matched entry DEFAULT at line 180
users: Matched entry DEFAULT at line 184
modcall[authorize]: module files returns ok for request 0
modcall: entering group group for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat: '(uid=testaccount)'
radius_xlat: 'dc=opt,dc=net,o=internet'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1:389, authentication 0
rlm_ldap: bind as uid=mmpProxy,o=internet/MMPass to ldap1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=opt,dc=net,o=internet, with filter (uid=testaccount)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap1 returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat: '((uid=testaccount)(entitlements=WIFILOC1))'
radius_xlat: 'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://ldap2:1389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/PaBlAn0 to ldap://ldap2:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement, with filter ((uid=testaccount)(entitlements=WIFILOC1))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap2 returns notfound for request 0
modcall: group group returns reject for request 0
modcall: group authorize returns reject for request 0
Invalid user (rlm_ldap: User not found): [EMAIL PROTECTED] (from client test1 port 0)
Cancelling proxy as request was already rejected
Request 0 rejected in proxy_send.
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 15 to 167.206.23.94:1357
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 15 with timestamp 48b424b1
Nothing to do. Sleeping until we see a request.

--- On Tue, 8/26/08, Alan DeKok [EMAIL PROTECTED] wrote:

> From: Alan DeKok [EMAIL PROTECTED]
> Subject: Re: Pop3 and LDAP authentication...Multiple radius servers
> To: [EMAIL PROTECTED], FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Tuesday, August 26, 2008, 12:00 PM
>
> Eric Martell wrote:
> > Here is the entire log.
> ...
> > rlm_ldap: performing search in dc=test1,dc=net,o=internet, with filter (uid=testaccount)
>
> If you're proxying the request, why have you configured the server to do lookups in LDAP?
>
> > ldap://vadsdsdsad:389 failed: Can't contact LDAP server
> > rlm_ldap: (re)connection attempt failed
> > rlm_ldap: search failed
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module
Pop3 and LDAP authentication...Multiple radius servers
Hi,

We have a radius server which is inhouse which does the LDAP authentication. We got a new request from a third party to do authentication for their users using POP3. So the request comes to radiusA (our inhouse radius). If the user has the realm @xyz.net, then we forward the request to the third party to authenticate, which might be radiusB, which does the authentication using POP3. If there is no realm attached, radiusA does the LDAP auth and returns the response. Not sure how to specify this in our radiusd.conf. I could not find any thread in the list. Please let me know the link if this is already discussed. Really appreciate your quick response.

Thanks and Regards.
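Three of the questions above come down to what happens to User-Name before the LDAP lookup: the "Modify User-Name to upper Case" post wants 001e.5283.34aa canonicalised, the "Regex remove realm" thread wants test@google.com reduced to test (and the original config there stored %{0}, the whole match, instead of capture %{1}), and this proxy thread has a request already marked for proxying to xyz.net still being looked up in local LDAP, rejected there, and never reaching radiusb. The following is an added example, not code from any of these posts and not FreeRADIUS code: it models that pipeline in Python with the same regex shape as Arran's reply and the same realm table shape as proxy.conf. The realm table, home server name and the stand-in directory are constructed for the demo; the "ambiguous" outcome mirrors the rlm_ldap message "object not found or got ambiguous search result" in the logs above.

```python
"""User-Name handling before the LDAP lookup: realm split, routing, MAC canonicalisation.

Added example (not from the threads, not FreeRADIUS code). REALMS and
FAKE_LDAP are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Same shape as the regex in Arran's reply: capture 1 = user, capture 3 = domain.
# Capture 0 is the whole match, which is why ':= %{0}' left nothing stripped.
USERNAME_RE = re.compile(r"^([^@]+)(@([-A-Za-z0-9.]+))?$")


@dataclass
class Realm:
    authhost: str        # "LOCAL" or "host:port", as in a proxy.conf realm block
    strip: bool = True   # the 'strip' keyword: authenticate the bare user part


# Constructed realm table, shaped like the two proxy.conf realms in the threads.
REALMS: Dict[str, Realm] = {
    "google.com": Realm(authhost="LOCAL", strip=True),
    "xyz.net": Realm(authhost="radiusb.test1.net:1912", strip=True),
}

# Constructed stand-in for the directory: lookup key -> list of matching DNs.
FAKE_LDAP: Dict[str, List[str]] = {
    "test": ["uid=test,dc=xyz,dc=net,o=internet"],
    "001E528334AA": ["roleid=11,ou=roles,o=entitlement"],
    "0014F846C199": ["roleid=11,ou=roles,o=entitlement",
                     "roleid=12,ou=roles,o=entitlement"],   # duplicate registration
}


def split_user_name(user_name: str) -> Optional[Tuple[str, Optional[str]]]:
    """(user, realm-or-None), or None when the name is not user[@realm]."""
    m = USERNAME_RE.match(user_name)
    if not m:
        return None
    return m.group(1), m.group(3)


def canonical_mac(user_name: str) -> Optional[str]:
    """12 upper-case hex digits for a MAC in Cisco dotted, colon, hyphen or bare
    form; None for anything that is not exactly six octets, so partial or
    padded strings never turn into a directory key by accident."""
    s = user_name.strip().lower()
    for pattern in (r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}",
                    r"[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}",
                    r"[0-9a-f]{12}"):
        if re.fullmatch(pattern, s):
            return re.sub(r"[.:-]", "", s).upper()
    return None


def route(user_name: str, realms: Dict[str, Realm] = REALMS) -> dict:
    """What rlm_realm plus proxy.conf decide: which name to authenticate, and where."""
    parts = split_user_name(user_name)
    if parts is None:
        return {"action": "reject", "reason": "malformed User-Name"}
    user, realm = parts
    if realm is None or realm not in realms:
        # "No such realm": leave the name alone and authenticate locally
        return {"action": "local", "auth_name": user_name, "realm": realm}
    r = realms[realm]
    auth_name = user if r.strip else user_name
    if r.authhost.upper() == "LOCAL":
        return {"action": "local", "auth_name": auth_name, "realm": realm}
    return {"action": "proxy", "auth_name": auth_name, "realm": realm,
            "home_server": r.authhost}


def authorize(user_name: str, directory: Dict[str, List[str]] = FAKE_LDAP,
              realms: Dict[str, Realm] = REALMS) -> dict:
    """Consult the local directory only for requests that stay local. In the log
    above the ldap modules ran for a request already marked for proxying,
    returned notfound, and the server rejected it before proxy_send."""
    decision = route(user_name, realms)
    if decision["action"] != "local":
        decision["ldap_consulted"] = False
        return decision
    lookup = canonical_mac(decision["auth_name"]) or decision["auth_name"]
    matches = directory.get(lookup, [])
    decision.update(ldap_consulted=True, lookup_name=lookup)
    if len(matches) == 1:
        decision.update(result="ok", dn=matches[0])
    elif not matches:
        decision.update(result="notfound")
    else:
        # more than one entry: refuse rather than silently take the first one
        decision.update(result="ambiguous", candidates=len(matches))
    return decision


if __name__ == "__main__":
    for name in ("test@google.com", "testaccount@xyz.net", "001e.5283.34aa", "0014F846C199"):
        print(name, "->", authorize(name))
```

The ordering is the whole point of Alan's question in the thread: the realm decision is made first, and a request that is going to a home server is never compared against the local directory, so a "user not found" there cannot turn into a reject.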
Re: Mapping ldap attribute with radius attribute...howto?
Hi Alan,

Can you please reply to me about LDAP multiple attributes in the radius reply response on this? Will be really appreciated.

I searched the following thread for ldap multiple attributes but it did not have the right logic without changing data.
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg19275.html
As we do not control the change of ldap data as it is legacy.

For ldap multiple attributes I am getting ONLY the first value.

rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = test1
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = test2
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = test3
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 21 to 216.2.193.1 port 20070
	rEntitlements = test1
	rCidx = 11

Alan DeKok [EMAIL PROTECTED] wrote:
> Eric Martell wrote:
> > I am using NTRadPing to test the authorization. I see in the log, radius attribute is mapped to ldap attribute and returning valid value
> > rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
> > but I did not see it in the Sending Access-Accept reply to NAS.
>
> Attributes between 1 and 255 can go into a packet. Attributes greater than that cannot go into a packet.
>
> You will need to define a vendor-specific dictionary for your attribute. See share/dictionary.*
>
> Alan DeKok.
Re: Mapping ldap attribute with radius attribute...howto?
Hi Alan,

Thanks so much. Really appreciated. It works!

One more simple/stupid question regarding duplicate entries in the LDAP. We have scenarios when one PC gets transferred to another user; we don't delete the registered MAC address of the previous PC. The other new user is still able to register with the previous user's existing PC MAC address one more time. Thus the scenario of duplicate entries in LDAP. Is there a way, when the ldap query (irrespective of how I use it) finds a multiple resultset, to get the first result and return success instead of sending reject? The dn is not the uid as the ldap tree is structured with roleid as dn and uid/did is an attribute. Also changing the ldap tree is not possible.

Please let me know. Thanks in advance.

Alan DeKok [EMAIL PROTECTED] wrote:
> Eric Martell wrote:
> > Can you please reply me about LDAP multiple attributes in the radius reply response on this? Will really appreciated.
>
> raddb/ldap.attrmap
>
> See the operator field, which is an operator just like in the users file.
>
> Alan DeKok.
Mapping ldap attribute with radius attribute...howto?
Hi,

I mapped my ldap attribute in the ldap.attrmap file as

replyItem rCidx roleid

And in the dictionary file I mapped it as

ATTRIBUTE rCidx 3000 string

I am using NTRadPing to test the authorization. I see in the log, the radius attribute is mapped to the ldap attribute and returning a valid value

rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11

but I did not see it in the Sending Access-Accept reply to NAS. I read the rlm_ldap doc but not quite sure how to configure this. Please help.

Thanks and Regards.

rad_recv: Access-Request packet from host 216.2.193.1 port 42523, id=2, length=34
	User-Name = 0014F846C199
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 0014F846C199, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> 0014F846C199
expand: ((did=%{%{Stripped-User-Name}:-%{User-Name}})) -> ((did=0014F846C199))
expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://e.net:1389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/ to ldap://e.net:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement, with filter ((did=0014F846C199))
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == Accept
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 2 to 216.2.193.1 port 42523
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 0 ID 2 with timestamp +3
Ready to process requests.
Re: Mapping ldap attribute with radius attribute...howto?
Thanks so much Alan. Really appreciate your help. It did work for a single return value. Please check the log.

I searched the following thread for multiple attributes, but it did not have the right logic without changing data, and we do not control changes to the ldap data as it is legacy:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg19275.html

For ldap multiple attributes I am getting ONLY the first value.

rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = test1
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = test2
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = test3
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 21 to 216.2.193.1 port 20070
	rEntitlements = test1
	rCidx = 11

Alan DeKok [EMAIL PROTECTED] wrote:
> Eric Martell wrote:
> > I am using NTRadPing to test the authorization. I see in the log, radius attribute is mapped to ldap attribute and returning valid value
> > rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
> > but I did not see it in the Sending Access-Accept reply to NAS.
>
> Attributes between 1 and 255 can go into a packet. Attributes greater than that cannot go into a packet.
>
> You will need to define a vendor-specific dictionary for your attribute. See share/dictionary.*
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
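Alan's point above (an attribute numbered 3000 cannot be put into a RADIUS packet, so it has to become a vendor-specific attribute) is easiest to see at the wire level. The following is an added example, not code from FreeRADIUS or from anyone in this thread: it encodes the reply items logged above once with the poster's non-vendor dictionary and once under a vendor, and decodes them back. The vendor ID 32473 is the Private Enterprise Number reserved for documentation (RFC 5612) and the vendor sub-attribute numbers are assumptions for the example; a real dictionary would use your organisation's own enterprise number.

```python
"""Standard vs. vendor-specific RADIUS attribute encoding (RFC 2865).

Added example; not FreeRADIUS code. Shows why an attribute numbered 3000
cannot be put on the wire and how the same value travels as a VSA.
"""
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type that carries vendor attributes
DOC_VENDOR_ID = 32473  # PEN reserved for documentation (RFC 5612); assumption for this example


def encode_avp(attr_type, value):
    """One standard attribute: Type (1 octet), Length (1 octet), Value."""
    if not 1 <= attr_type <= 255:
        raise ValueError(f"attribute number {attr_type} does not fit the one-octet Type field; define it as a VSA")
    if len(value) > 253:
        raise ValueError("value too long for a single attribute")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id (4 octets), then one Vendor-Type /
    Vendor-Length / Value sub-attribute in the RFC 2865 recommended layout."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must fit one octet")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def encode_reply_items(items, dictionary):
    """Serialise (name, value) reply pairs using a dictionary of
    {name: {"number": n}} or {name: {"vendor": id, "number": n}}.
    A multi-valued LDAP attribute simply yields one pair per value."""
    out = bytearray()
    for name, value in items:
        entry = dictionary[name]
        data = value.encode("utf-8")
        if "vendor" in entry:
            out += encode_vsa(entry["vendor"], entry["number"], data)
        else:
            out += encode_avp(entry["number"], data)
    return bytes(out)


def decode_attributes(blob):
    """Walk the attribute list back out as (type, vendor_id, vendor_type, value)
    tuples; the vendor fields are None for standard attributes."""
    result, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor_len != len(value) - 4:
                raise ValueError("VSA sub-attribute length mismatch")
            result.append((attr_type, vendor_id, vendor_type, value[6:4 + vendor_len]))
        else:
            result.append((attr_type, None, None, value))
        pos += length
    return result


# The poster's dictionary line: ATTRIBUTE rCidx 3000 string (no vendor).
BROKEN_DICT = {"rCidx": {"number": 3000}}

# What Alan suggests: the same attributes under a vendor (numbers are assumptions).
VSA_DICT = {
    "rCidx": {"vendor": DOC_VENDOR_ID, "number": 1},
    "rEntitlements": {"vendor": DOC_VENDOR_ID, "number": 2},
}

# Constructed reply list, in the order rlm_ldap logged the mapped values.
REPLY_ITEMS = [("rCidx", "11"), ("rEntitlements", "test1"),
               ("rEntitlements", "test2"), ("rEntitlements", "test3")]


def reply_with_broken_dictionary():
    """Returns the error text the non-vendor dictionary produces, else None."""
    try:
        encode_reply_items(REPLY_ITEMS, BROKEN_DICT)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(reply_with_broken_dictionary())
    for attr in decode_attributes(encode_reply_items(REPLY_ITEMS, VSA_DICT)):
        print(attr)
```

The ValueError from the 3000 dictionary is the same limit the server runs into: the Type field is a single octet, so there is no encoding for that number, whereas under a vendor each value becomes its own type-26 attribute and the three entitlement values come back out as three separate pairs.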
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Hi Ivan,

We have scenarios where one PC gets transferred to another user; we don't delete the registered MAC address of the previous PC. The new user is still able to register with the previous user's existing PC MAC address one more time. Thus the scenario of duplicate entries in LDAP.

Please let me know.

Thanks and Regards.

Ivan Kalik [EMAIL PROTECTED] wrote:
> > After adding radiusAuthType on ONE uid it is working fine now. But now the issue is, I have some cases where the MAC address is stored multiple times in Ldap. Thus the ldap query is failing. Please check the log below. Can you please suggest any workaround? I will really appreciate it.
>
> Only the obvious one: don't put multiple mac uids in the directory. uid needs to be unique.
>
> BTW, where do multiple entries come from?
>
> Ivan Kalik
> Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Hi Ivan,

We already have this existing legacy system set up in the production ldap and I'm not sure we can change that anymore, as we don't use did as the dn. No change in the existing ldap tree.

Is there a way, when the ldap query finds multiple results, to take the first result and return success instead of sending a reject? Please let me know if this is doable.

Thanks and Regards.

Ivan Kalik [EMAIL PROTECTED] wrote:
> Your did needs to be a distinguished name.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 26/3/2008, Eric Martell wrote:
> > Hi Ivan,
> >
> > We have scenarios where one PC gets transferred to another user; we don't delete the registered MAC address of the previous PC. The new user is still able to register with the previous user's existing PC MAC address one more time. Thus the scenario of duplicate entries in LDAP.
> >
> > Please let me know.
> >
> > Thanks and Regards.
> >
> > Ivan Kalik wrote:
> > > > After adding radiusAuthType on ONE uid it is working fine now. But now the issue is, I have some cases where the MAC address is stored multiple times in Ldap. Thus the ldap query is failing. Please check the log below. Can you please suggest any workaround? I will really appreciate it.
> > >
> > > Only the obvious one: don't put multiple mac uids in the directory. uid needs to be unique.
> > >
> > > BTW, where do multiple entries come from?
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Thanks so much Ivan.

Alan DeKok, is there a way, if the ldap filter query returns multiple results, to send a radius Accept in the reply? Please let me know.

Thanks and Regards.

Ivan Kalik [EMAIL PROTECTED] wrote:
> Sorry. Don't know much about ldap.
>
> Ivan Kalik
>
> On 26/3/2008, Eric Martell wrote:
> > Hi Ivan,
> >
> > We already have this existing legacy system set up in the production ldap and I'm not sure we can change that anymore, as we don't use did as the dn. No change in the existing ldap tree.
> >
> > Is there a way, when the ldap query finds multiple results, to take the first result and return success instead of sending a reject? Please let me know if this is doable.
> >
> > Thanks and Regards.
> >
> > Ivan Kalik wrote:
> > > Your did needs to be a distinguished name.
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> > >
> > > On 26/3/2008, Eric Martell wrote:
> > > > Hi Ivan,
> > > >
> > > > We have scenarios where one PC gets transferred to another user; we don't delete the registered MAC address of the previous PC. The new user is still able to register with the previous user's existing PC MAC address one more time. Thus the scenario of duplicate entries in LDAP.
> > > >
> > > > Please let me know.
> > > >
> > > > Thanks and Regards.
> > > >
> > > > Ivan Kalik wrote:
> > > > > > After adding radiusAuthType on ONE uid it is working fine now. But now the issue is, I have some cases where the MAC address is stored multiple times in Ldap. Thus the ldap query is failing. Please check the log below. Can you please suggest any workaround? I will really appreciate it.
> > > > >
> > > > > Only the obvious one: don't put multiple mac uids in the directory. uid needs to be unique.
> > > > >
> > > > > BTW, where do multiple entries come from?
> > > > >
> > > > > Ivan Kalik
> > > > > Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Hi Ivan,

Sorry I could not get back to you earlier, as I did not have ldap access :(

After adding radiusAuthType on ONE uid it is working fine now. But now the issue is, I have some cases where the MAC address is stored multiple times in Ldap. Thus the ldap query is failing. Please check the log below. Can you please suggest any workaround? I will really appreciate it.

Thanks and Regards.

Test Case 1 :: 1 UID

+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 0014F846C199, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> 0014F846C199
expand: (&(did=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(did=0014F846C199))
expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(did=0014F846C199))
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == Accept
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 39 to 216.2.193.1 port 38625
Finished request 3.

Test Case 2 :: Multiple UIDs

rad_recv: Access-Request packet from host 216.2.193.1 port 37788, id=38, length=34
	User-Name = 0014F846C199
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 0014F846C199, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> 0014F846C199
expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(uid=0014F846C199))
expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=0014F846C199))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [0014F846C199/no User-Password attribute] (from client samir port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 0014F846C199
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds

----- Original Message -----
From: Ivan Kalik [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, March 20, 2008 1:01:11 PM
Subject: Re: MACAddress silent authentication in LDAP using freeradius2.0.2

> > Bit confusing..do you want me to create entries in ldap as,
>
> No:
>
> uid = 001122334455
> radiusAuthType = Accept
>
> Forget about the device entries. radius authenticates users. Have a look at the filter configured in ldap section of radiusd.conf
>
> > If yes, what additional changes do I have to make in freeradius, and how can I return devicename along with the freeradius reply?
>
> And what would you do with that? Groups? Then create group entries for them and use memberof in (mac) user entry.
>
> Ivan Kalik
> Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Hi Ivan,

Thanks for the response. I am a newbie to freeradius. Not sure which file I should configure this in? I have the ldap module configured in radiusd.conf. Can you please be more specific? I will really appreciate that.

Thanks and Regards.

--- Ivan Kalik [EMAIL PROTECTED] wrote:
> In mac authentication mac address is used as username. So you will have to create entries that have (only) username equal to mac address and radiusAuthType Accept.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 19/3/2008, Eric Martell [EMAIL PROTECTED] wrote:
> > Please let me know if this topic has already been discussed or has a doc/wiki. If yes, please guide me to the right thread. Thanks.
> >
> > We are going to use the MAC address as silent authentication. When users try to connect to the WIFI Access point, Aptilo Networks is going to send the MAC address as the User-Name attribute to freeradius. The User-Password attribute will be empty.
> >
> > We are storing MAC Addresses in the LDAP under the device tree through user interface tools. The LDAP tree is as follows:
> >
> > deviceid = 111
> > macaddress = 001122334455
> > devicename = Personal PC.
> >
> > deviceid = 222
> > macaddress = 001199887766
> > devicename = SIP Phone.
> >
> > How do I configure the ldap module in freeradius so that it checks if the MAC address exists in LDAP and returns Access-Accept or Access-Reject along with a reply of devicename? Not sure how I handle this in authorization, authentication or post-auth? There are NO passwords. I am using freeradius-2.0.2. Is there a way I can use unlang?
> >
> > Thanks and Regards.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Hi Ivan,

Bit confusing.. do you want me to create entries in ldap as:

deviceid = 111
macaddress = 001122334455
username = 001122334455
radiusAuthType = Accept
devicename = Personal PC.

deviceid = 222
macaddress = 001199887766
username = 001199887766
radiusAuthType = Accept
devicename = SIP Phone.

If yes, what additional changes do I have to make in freeradius, and how can I return devicename along with the freeradius reply? Please reply.

Thanks and Regards.

--- Ivan Kalik [EMAIL PROTECTED] wrote:
> No file. These are ldap entries which you need to make. You have entries as devices - now make entries as users.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 20/3/2008, Eric Martell [EMAIL PROTECTED] wrote:
> > Hi Ivan,
> >
> > Thanks for the response. I am a newbie to freeradius. Not sure which file I should configure this in? I have the ldap module configured in radiusd.conf. Can you please be more specific? I will really appreciate that.
> >
> > Thanks and Regards.
> >
> > --- Ivan Kalik [EMAIL PROTECTED] wrote:
> > > In mac authentication mac address is used as username. So you will have to create entries that have (only) username equal to mac address and radiusAuthType Accept.
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> > >
> > > On 19/3/2008, Eric Martell [EMAIL PROTECTED] wrote:
> > > > Please let me know if this topic has already been discussed or has a doc/wiki. If yes, please guide me to the right thread. Thanks.
> > > >
> > > > We are going to use the MAC address as silent authentication. When users try to connect to the WIFI Access point, Aptilo Networks is going to send the MAC address as the User-Name attribute to freeradius. The User-Password attribute will be empty.
> > > >
> > > > We are storing MAC Addresses in the LDAP under the device tree through user interface tools. The LDAP tree is as follows:
> > > >
> > > > deviceid = 111
> > > > macaddress = 001122334455
> > > > devicename = Personal PC.
> > > >
> > > > deviceid = 222
> > > > macaddress = 001199887766
> > > > devicename = SIP Phone.
> > > >
> > > > How do I configure the ldap module in freeradius so that it checks if the MAC address exists in LDAP and returns Access-Accept or Access-Reject along with a reply of devicename? Not sure how I handle this in authorization, authentication or post-auth? There are NO passwords. I am using freeradius-2.0.2. Is there a way I can use unlang?
> > > >
> > > > Thanks and Regards.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
MACAddress silent authentication in LDAP using freeradius2.0.2
Please let me know if this topic has already been discussed or has a doc/wiki. If yes, please guide me to the right thread. Thanks.

We are going to use the MAC address as silent authentication. When users try to connect to the WIFI Access point, Aptilo Networks is going to send the MAC address as the User-Name attribute to freeradius. The User-Password attribute will be empty.

We are storing MAC Addresses in the LDAP under the device tree through user interface tools. The LDAP tree is as follows:

deviceid = 111
macaddress = 001122334455
devicename = Personal PC.

deviceid = 222
macaddress = 001199887766
devicename = SIP Phone.

How do I configure the ldap module in freeradius so that it checks if the MAC address exists in LDAP and returns Access-Accept or Access-Reject along with a reply of devicename? Not sure how I handle this in authorization, authentication or post-auth? There are NO passwords. I am using freeradius-2.0.2. Is there a way I can use unlang?

Thanks and Regards.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configuring LDAP for query ONLY...
Hi Alan,

I am trying to do an ldap query lookup in the authorize section and, after successful authorization (if the ldap entry exists for the search query), reply with Access-Accept, otherwise reject. I do not want to do authentication in LDAP as we are not storing the userPassword attribute in the ldap schema. So in a way I am trying to do:

if (ldap search success) {
    Access-Accept
} else {
    Access-Reject
}

Please check the thread below for what Phil told me to do...

> Hi Phil,
>
> Here are the detailed configs and logs. Please let me know.
>
> Thanks and Regards.
>
> modules {
>     ldap {
>         server = ldap://x:1389;
>         identity = uid=appuser,ou=appadm,o=entitlement
>         password = **
>         basedn = ou=roles,o=entitlement
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))
>         start_tls = no
>         ldap_connections_number = 5
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         set_auth_type = no
>     }
> }
>
> authorize {
>     ..
>     ldap
>     pap
> }
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     .
> }
>
> In the users file:
>
> #DEFAULT Auth-Type := Local
> #        Session-Timeout = 7200,
> #        Fall-Through = Yes
> #DEFAULT Auth-Type := System
> #        Session-Timeout = 7200,
> #        Fall-Through = Yes
>
> Here is the detailed log.
>
> rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48
> 	User-Name = test1
> 	User-Password = 1
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module preprocess returns ok for request 0
> modcall[authorize]: module chap returns noop for request 0
> modcall[authorize]: module mschap returns noop for request 0
> rlm_realm: No '@' in User-Name = test1, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for test1
> radius_xlat: '(&(uid=test1)(entitlements=WIFILOC1)(attribute1=1))'
> radius_xlat: 'ou=roles,o=entitlement'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap://:1389, authentication 0
> rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/ to ldap://xxx:1389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=test1)(entitlements=WIFILOC1)(attribute1=1))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user test1 authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns ok for request 0
> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
> modcall[authorize]: module pap returns noop for request 0
> modcall: leaving group authorize (returns ok) for request 0
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 2 to 216.2.193.1 port 55729
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 2 with timestamp 4761660e
> Nothing to do. Sleeping until we see a request.
>
> --- Phil Mayers p.mayers at imperial.ac.uk wrote:
> > > rlm_ldap: user test1 authorized to use remote access
> > > rlm_ldap: ldap_release_conn: Release Id: 0
> > > modcall[authorize]: module ldap returns ok for request 0
> > > rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
> >
> > That's the problem. Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item.
> >
> > Slightly confusing, there are two ways to do this:
> >
> > 1. ldap.attrmap
> > 2. password_attribute, password_header config items of ldap module
> >
> > What are those setup to do? A full -X debug would help at this point.
>
> > Assuming you are using a recent version of FreeRadius, you can do one of the following:
> >
> > modules {
> >     ldap {
> >         ...
> >         set_auth_type = no
> >     }
> > }
> >
> > authorize {
> >     preprocess
> >     ldap
> >     pap
> > }
> >
> > authenticate {
> >     Auth-Type PAP {
> >         pap
> >     }
> > }

--- Alan DeKok [EMAIL PROTECTED] wrote:
> Eric Martell wrote:
> > Hi Alan,
> > Can you please help me out with the LDAP query? I am still stuck with the issue.
>
> What problem is left to solve? i.e. I read and answer a *lot
Re: Configuring LDAP for query ONLY...
Hi Ivan,

Actually, in the implementation we are going to treat the zipcode on the website as a password field. We are asking people to enter a username and zipcode, which are stored in the LDAP schema. In radius, I am going to receive the username (User-Name) and zipcode (User-Password). In the ldap module I do the query

filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(zipcode=%{User-Password}))

and depending on the result set, give access or reject. Please let me know if this is clear, and if there is any better way to handle this in radius.

Thanks and Regards.
Eric.

--- [EMAIL PROTECTED] wrote:
> OK, so password is not in LDAP. Where is it then? Are you trying to accept users without passwords?
>
> Consider using a perl script to implement that logic and forget about LDAP module in Freeradius.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 4/1/2008, Eric Martell [EMAIL PROTECTED] wrote:
> > Hi Alan,
> >
> > I am trying to do an ldap query lookup in the authorize section and, after successful authorization (if the ldap entry exists for the search query), reply with Access-Accept, otherwise reject. I do not want to do authentication in LDAP as we are not storing the userPassword attribute in the ldap schema. So in a way I am trying to do:
> >
> > if (ldap search success) {
> >     Access-Accept
> > } else {
> >     Access-Reject
> > }
> >
> > Please check the thread below for what Phil told me to do...
> >
> > Hi Phil,
> >
> > Here are the detailed configs and logs. Please let me know.
> >
> > Thanks and Regards.
> >
> > modules {
> >     ldap {
> >         server = ldap://x:1389;
> >         identity = uid=appuser,ou=appadm,o=entitlement
> >         password = **
> >         basedn = ou=roles,o=entitlement
> >         dictionary_mapping = ${raddbdir}/ldap.attrmap
> >         filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))
> >         start_tls = no
> >         ldap_connections_number = 5
> >         timeout = 4
> >         timelimit = 3
> >         net_timeout = 1
> >         set_auth_type = no
> >     }
> > }
> >
> > authorize {
> >     ...
> >     ldap
> >     pap
> > }
> >
> > authenticate {
> >     Auth-Type PAP {
> >         pap
> >     }
> >     ..
> > }
> >
> > In the users file:
> >
> > #DEFAULT Auth-Type := Local
> > #        Session-Timeout = 7200,
> > #        Fall-Through = Yes
> > #DEFAULT Auth-Type := System
> > #        Session-Timeout = 7200,
> > #        Fall-Through = Yes
> >
> > Here is the detailed log.
> >
> > rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48
> > 	User-Name = test1
> > 	User-Password = 1
> > Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> > modcall[authorize]: module preprocess returns ok for request 0
> > modcall[authorize]: module chap returns noop for request 0
> > modcall[authorize]: module mschap returns noop for request 0
> > rlm_realm: No '@' in User-Name = test1, looking up realm NULL
> > rlm_realm: No such realm NULL
> > modcall[authorize]: module suffix returns noop for request 0
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for test1
> > radius_xlat: '(&(uid=test1)(entitlements=WIFILOC1)(attribute1=1))'
> > radius_xlat: 'ou=roles,o=entitlement'
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: (re)connect to ldap://:1389, authentication 0
> > rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/ to ldap://xxx:1389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=test1)(entitlements=WIFILOC1)(attribute1=1))
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: user test1 authorized to use remote access
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module ldap returns ok for request 0
> > rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
> > modcall[authorize]: module pap returns noop for request 0
> > modcall: leaving group authorize (returns ok) for request 0
> > auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> > auth: Failed to validate the user.
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Sending Access-Reject of id 2 to 216.2.193.1 port 55729
> > Waking up in 4 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 2 with timestamp 4761660e
> > Nothing to do. Sleeping until we see a request.
> >
> > --- Phil Mayers p.mayers at imperial.ac.uk wrote:
> > > > rlm_ldap: user test1 authorized to use remote access
> > > > rlm_ldap: ldap_release_conn: Release Id: 0
> > > > modcall
Re: Configuring LDAP for query ONLY...
Hi Alan,

Can you please help me out with the LDAP query? I am still stuck with the issue. Your response will be greatly appreciated.

Thanks and Regards,
Eric.

--- Alan DeKok [EMAIL PROTECTED] wrote:
> Phil Mayers wrote:
> > Slightly confusing, there are two ways to do this:
>
> This should be fixed before 2.0. There should be only one way to do things.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configuring LDAP for query ONLY...
Hi Phil,

Please let me know if you need more info. I am still stuck with the problem.

Thanks and Regards,
Eric.

--- Phil Mayers [EMAIL PROTECTED] wrote:
> > rlm_ldap: user test1 authorized to use remote access
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module ldap returns ok for request 0
> > rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
>
> That's the problem. Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item.
>
> Slightly confusing, there are two ways to do this:
>
> 1. ldap.attrmap
> 2. password_attribute, password_header config items of ldap module
>
> What are those setup to do? A full -X debug would help at this point.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configuring LDAP for query ONLY...
Hi Phil,

Here are the detailed configs and logs. Please let me know.

Thanks and Regards.

modules {
    ldap {
        server = ldap://x:1389;
        identity = uid=appuser,ou=appadm,o=entitlement
        password = **
        basedn = ou=roles,o=entitlement
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))
        start_tls = no
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        set_auth_type = no
    }
}

authorize {
    ..
    ldap
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    .
}

In the users file:

#DEFAULT Auth-Type := Local
#        Session-Timeout = 7200,
#        Fall-Through = Yes
#DEFAULT Auth-Type := System
#        Session-Timeout = 7200,
#        Fall-Through = Yes

Here is the detailed log.

rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48
	User-Name = test1
	User-Password = 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test1, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test1
radius_xlat: '(&(uid=test1)(entitlements=WIFILOC1)(attribute1=1))'
radius_xlat: 'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://:1389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/ to ldap://xxx:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=test1)(entitlements=WIFILOC1)(attribute1=1))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to 216.2.193.1 port 55729
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 2 with timestamp 4761660e
Nothing to do. Sleeping until we see a request.

--- Phil Mayers [EMAIL PROTECTED] wrote:
> > rlm_ldap: user test1 authorized to use remote access
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module ldap returns ok for request 0
> > rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
>
> That's the problem. Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item.
>
> Slightly confusing, there are two ways to do this:
>
> 1. ldap.attrmap
> 2. password_attribute, password_header config items of ldap module
>
> What are those setup to do? A full -X debug would help at this point.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configuring LDAP for query ONLY...
Hi Phil,

Yes I did. Here is the config.

modules {
        ldap {
                set_auth_type = no
        }
}

authorize {
        preprocess
        ldap
        pap
}

authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }
}

I commented out everything from the users file as I am not using the Local or System Auth-Type. I think I might be missing something in the users file. Please advise.

I get the following error.

rlm_ldap: user test1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
rlm_pap: WARNING! No known good password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

--- Phil Mayers [EMAIL PROTECTED] wrote:

> Eric Martell wrote:
> > Hi Phil,
> >
> > I installed the latest freeradius-1.1.7. I put the line set_auth_type = no in the ldap module to ignore the authentication. But for some reason I get the following error in the log.
> >
> > rlm_ldap: user test1 authorized to use remote access
> > rlm_ldap: ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module ldap returns ok for request 0
> > modcall: leaving group authorize (returns ok) for request 0
> > auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> > auth: Failed to validate the user.
>
> Did you add the pap module to the bottom of the authorize section as per my example?
Re: Configuring LDAP for query ONLY...
Hi Phil,

I installed the latest freeradius-1.1.7. I put the line set_auth_type = no in the ldap module to ignore the authentication. But for some reason I get the following error in the log.

rlm_ldap: user test1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

I commented out

#DEFAULT Auth-Type := Local
#        Session-Timeout = 7200,
#        Fall-Through = Yes

and

#DEFAULT Auth-Type = System
#        Session-Timeout = 7200,
#        Fall-Through = 1

from the users file as I don't have anything in the local or in the system. All the checks are with ldap lookups.

Please let me know if I am missing something.

Thanks and Regards,
Eric.

--- Eric Martell [EMAIL PROTECTED] wrote:

> Thanks so much Phil. I am using freeradius-1.0.4. I am going to install the latest version and will try your suggestion.
>
> Thanks and Regards.
> Eric.
>
> --- Phil Mayers [EMAIL PROTECTED] wrote:
>
> > Eric Martell wrote:
> > > Hi,
> > >
> > > Is it possible to altogether avoid the authenticate section and just do ldap lookups in the authorize section?
> > >
> > > authorize {
> > >         ldap {
> > >                 notfound = reject
> > >         }
> > > }
> > >
> > > The problem is in the authenticate section, radius gets the userDN from the authorize and tries to bind ldap with a password which we don't have.
> > >
> > > I also tried in the users file
> > >
> > > Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2`
> >
> > Assuming you are using a recent version of FreeRadius, you can do one of the following:
> >
> > modules {
> >         ldap {
> >                 ...
> >                 set_auth_type = no
> >         }
> > }
> >
> > authorize {
> >         preprocess
> >         ldap
> >         pap
> > }
> >
> > authenticate {
> >         Auth-Type PAP {
> >                 pap
> >         }
> > }
Re: Configuring LDAP for query ONLY...
Hi Phil,

I need some help again. Is there a way in the ldap module we can specify to return only ONE result for a search filter? In my ldap tree, when I search with a filter (&(uid=test1)(phone=1231313128)) I get multiple results. And in the log I get a message that the search failed. I just want it to return whatever the first result is.

rlm_ldap: performing search in dc=eng,dc=com, with filter (&(uid=test1)(phone=1231313128))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed

Please help.

Thanks and Regards,
Eric.

--- Eric Martell [EMAIL PROTECTED] wrote:

> Thanks so much Phil. I am using freeradius-1.0.4. I am going to install the latest version and will try your suggestion.
>
> Thanks and Regards.
> Eric.
>
> --- Phil Mayers [EMAIL PROTECTED] wrote:
>
> > Eric Martell wrote:
> > > Hi,
> > >
> > > Is it possible to altogether avoid the authenticate section and just do ldap lookups in the authorize section?
> > >
> > > authorize {
> > >         ldap {
> > >                 notfound = reject
> > >         }
> > > }
> > >
> > > The problem is in the authenticate section, radius gets the userDN from the authorize and tries to bind ldap with a password which we don't have.
> > >
> > > I also tried in the users file
> > >
> > > Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2`
> >
> > Assuming you are using a recent version of FreeRadius, you can do one of the following:
> >
> > modules {
> >         ldap {
> >                 ...
> >                 set_auth_type = no
> >         }
> > }
> >
> > authorize {
> >         preprocess
> >         ldap
> >         pap
> > }
> >
> > authenticate {
> >         Auth-Type PAP {
> >                 pap
> >         }
> > }
Re: Configuring LDAP for query ONLY...
Hi,

Is it possible to altogether avoid the authenticate section and just do ldap lookups in the authorize section?

authorize {
        ldap {
                notfound = reject
        }
}

The problem is in the authenticate section, radius gets the userDN from the authorize and tries to bind ldap with a password which we don't have.

I also tried in the users file

Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2`

But for some reason it is not working. Please help. Let me know if you need more information, or please guide me to any documentation.

Thanks and Regards,
Eric.

--- Eric Martell [EMAIL PROTECTED] wrote:

> I am a little bit confused as to how to configure radiusd.conf in the authorize and/or authenticate section. So the password is going to act like an ldap attribute. We are going to pass username and an ldap attribute (home phone #) as input for each user.
>
> The way it is configured now is, in the modules:
>
> ldap {
>         server = 10.11.12.2
>         identity = cn=Manager,dc=eng,dc=com
>         password = answer2
>         basedn = dc=eng,dc=com
>         filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(phone=1231313128))   // just for testing
>         ldap_connections_number = 5
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
> }
>
> authorize {
>         ..
>         ..
>         ..
>         ldap
>         ...
> }
>
> authenticate {
>         Auth-Type LDAP {
>                 ldap
>         }
> }
>
> In the logs it says:
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for test1
> radius_xlat:  '(&(uid=test1)(phone=1231313128))'
> radius_xlat:  'dc=eng,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: bind as cn=Manager,dc=eng,dc=com/answer2
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=eng,dc=com, with filter (&(uid=test1)(phone=1231313128))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user test1 authorized to use remote access
>
> This is good. But in the authenticate section:
>
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by test1 with password 1231313128
> rlm_ldap: user DN: id=1967816, dc=eng,dc=com
> rlm_ldap: bind as id=1967816, dc=eng,dc=com/1231313128
> rlm_ldap: waiting for bind result ...
> rlm_ldap: id=1967816, dc=eng,dc=com bind to 10.11.12.2:389 failed Inappropriate authentication
> rlm_ldap: ldap_connect() failed
>
> Not sure why it is trying to bind as id=1967816, dc=eng,dc=com/1231313128
>
> The only thing I want to do is just authorize the ldap and pass the user through. Please let me know if I am missing something.
>
> Thanks so much.
>
> Regards,
> Erik.
Re: Configuring LDAP for query ONLY...
Thanks so much Phil. I am using freeradius-1.0.4. I am going to install the latest version and will try your suggestion.

Thanks and Regards.
Eric.

--- Phil Mayers [EMAIL PROTECTED] wrote:

> Eric Martell wrote:
> > Hi,
> >
> > Is it possible to altogether avoid the authenticate section and just do ldap lookups in the authorize section?
> >
> > authorize {
> >         ldap {
> >                 notfound = reject
> >         }
> > }
> >
> > The problem is in the authenticate section, radius gets the userDN from the authorize and tries to bind ldap with a password which we don't have.
> >
> > I also tried in the users file
> >
> > Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2`
>
> Assuming you are using a recent version of FreeRadius, you can do one of the following:
>
> modules {
>         ldap {
>                 ...
>                 set_auth_type = no
>         }
> }
>
> authorize {
>         preprocess
>         ldap
>         pap
> }
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
> }
Configuring LDAP for query ONLY...
I am a little bit confused as to how to configure radiusd.conf in the authorize and/or authenticate section. So the password is going to act like an ldap attribute. We are going to pass username and an ldap attribute (home phone #) as input for each user.

The way it is configured now is, in the modules:

ldap {
        server = 10.11.12.2
        identity = cn=Manager,dc=eng,dc=com
        password = answer2
        basedn = dc=eng,dc=com
        filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(phone=1231313128))   // just for testing
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

authorize {
        ..
        ..
        ..
        ldap
        ...
}

authenticate {
        Auth-Type LDAP {
                ldap
        }
}

In the logs it says:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for test1
radius_xlat:  '(&(uid=test1)(phone=1231313128))'
radius_xlat:  'dc=eng,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: bind as cn=Manager,dc=eng,dc=com/answer2
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=eng,dc=com, with filter (&(uid=test1)(phone=1231313128))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test1 authorized to use remote access

This is good. But in the authenticate section:

rlm_ldap: - authenticate
rlm_ldap: login attempt by test1 with password 1231313128
rlm_ldap: user DN: id=1967816, dc=eng,dc=com
rlm_ldap: bind as id=1967816, dc=eng,dc=com/1231313128
rlm_ldap: waiting for bind result ...
rlm_ldap: id=1967816, dc=eng,dc=com bind to 10.11.12.2:389 failed Inappropriate authentication
rlm_ldap: ldap_connect() failed

Not sure why it is trying to bind as id=1967816, dc=eng,dc=com/1231313128

The only thing I want to do is just authorize the ldap and pass the user through. Please let me know if I am missing something.

Thanks so much.

Regards,
Erik.
Re: How to configure multiple LDAPs with different DN's ?
I would really appreciate it if someone could point me in the right direction or to an archive of the thread.

Thanks in advance.

Regards.
How to configure multiple LDAPs with different DN's ?
Hi,

We are trying to use LDAP group for authentication and authorization.

Ldap1 = baseDN = dc=user,dc=net,o=internet
This Ldap1 will have users and passwords stored in it along with the profile.

Ldap2 = baseDN = dc=role,dc=system,o=internet
This Ldap2 will have only users and associated roles. No passwords will be stored in Ldap2.

While accessing the service, Radius should check if the user/password matches in Ldap1. If that is fine, check in Ldap2, which has a different baseDN, to see if the role for that user is validated. If both conditions are satisfied, permit the user to access the service.

I am not sure how to configure this. Please kindly help in changing radiusd.conf and the users file.

Thanks so much in advance.

Regards.
Re: Multiple LDAP (Not failover) lookup...
Thanks Alan. I figured it out. It should be

ldap2 {
        notfound = reject
}

as ldap2 is returning notfound status.

Thanks so much again.

--- Alan DeKok [EMAIL PROTECTED] wrote:

> Eric Martell [EMAIL PROTECTED] wrote:
> > Thanks so much Neal. You got it 95% right. The problem is FreeRadius always authorizes first (no matter what the order in radiusd.conf) and then authenticates.
>
>   Yes, that's how the server works.
>
> > (This authorize should break the sequence and return FAIL. I tried
> >
> > ldap2 {
> >         fail = return
> > }
> >
> > but no help...still returns notfound )
>
>   See doc/configurable_failover.  You may want:
>
> ...
> ldap2 {
>         fail = reject
> }
> ...
>
> > Technically it should authenticate and then authorize and send the group response (AND) of both.
>
>   Then... configure it to do that.
>
>   The default behavior is that a notfound error is NOT fatal, because another module or database may find the user.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
Multiple LDAP (Not failover) lookup...
Hi...

I need to do multiple ldap lookups (2). The purpose of the two ldaps is different, so it does not abide by the configurable_failover scenario in a way.

ldap1. This ldap is solely used for authentication for a given user.
ldap2. This ldap is solely used for checking an ldap attribute, ex. productCode, for a given user.

The user exists in BOTH the ldaps, but in ldap2 we don't store the password hash. So it's just the userid with the given attributes.

Here is what should happen for a given user.

if (authentication in ldap1 success) {
        if (productCode attribute exists in ldap2 success) {
                return Access-Accept.
        } else {
                return Access-Reject.
        }
} else {
        return Access-Reject.
}

Any inputs will be greatly appreciated.

Thanks in advance.
RE: Multiple LDAP (Not failover) lookup...
Thanks so much Neal. You got it 95% right. The problem is FreeRadius always authorizes first (no matter what the order in radiusd.conf) and then authenticates.

authorize {
        .
        .
        .
        ldap2
}

authenticate {
        .
        .
        .
        ldap1
}

So if the user fails in ldap2, module ldap2 returns notfound for request user xyz and thus it continues to the authentication module.

(This authorize should break the sequence and return FAIL. I tried

ldap2 {
        fail = return
}

but no help...still returns notfound )

And the same user in ldap1 returns ok for request user xyz in authentication. Finally FreeRadius returns Sending Access-Accept (status of the ldap1 auth) to the request.

Technically it should authenticate and then authorize and send the group response (AND) of both.

Please let me know.

Thanks in advance.

--- Garber, Neal [EMAIL PROTECTED] wrote:

> > If(authentication in ldap1 success) {
>
> Use ldap1 in the authenticate stage of radiusd.conf
>
> >   if(productCode attribute exists in ldap2 success) {
>
> Use ldap2 in the authorize stage of radiusd.conf
>
> Authorize is performed first in FreeRadius (you show authenticate first), but it shouldn't matter for what you're trying to do. Configure ldap.attrmap to obtain the productCode attribute.
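The return-code handling Alan points to in doc/configurable_failover, modelled in Python as an added example (not FreeRADIUS source, and not code from anyone in this thread) so that the configurations tried above can be compared side by side: the defaults, ldap2 { fail = return }, the suggested ldap2 { fail = reject }, and the ldap2 { notfound = reject } that finally fixed it. The same two-directory split is what the "multiple LDAPs with different DN's" question above describes, so the model applies there too. The default action table for authorize, the starting result of notfound, and the rule that ok/updated/noop/notfound from authorize let the request go on to authenticate are this example's reading of that document and of rad_authenticate; check them against the doc file shipped with the version you run. Module names and return codes are the ones from this thread; the productCode scenario is constructed.

```python
"""Model of how FreeRADIUS folds module return codes into a section result.

Added example, not FreeRADIUS source.  Scheme from doc/configurable_failover:
each return code maps to a numeric priority (keep going; the section result
becomes this code if the priority beats what is held so far), to "return"
(stop and return this code), or to another code name (stop and return THAT
code).  The table and the starting result are this example's assumptions."""

RETURN = "return"
RCODES = ("reject", "fail", "ok", "handled", "invalid", "userlock",
          "notfound", "noop", "updated")

# Default actions for modules listed in 'authorize' (doc/configurable_failover).
AUTHORIZE_DEFAULTS = {
    "reject": RETURN, "fail": RETURN, "handled": RETURN,
    "invalid": RETURN, "userlock": RETURN,
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
}

def run_section(modules, overrides=None, defaults=AUTHORIZE_DEFAULTS,
                initial=("notfound", 0)):
    """modules:   [(module_name, rcode_it_returns), ...] in configuration order.
    overrides: {module_name: {rcode: action}}, i.e. what
               'ldap2 { notfound = reject }' expresses in radiusd.conf.
    Returns (section_rcode, trace); trace lists each step taken."""
    overrides = overrides or {}
    result, priority = initial
    trace = []
    for name, rcode in modules:
        if rcode not in RCODES:
            raise ValueError("unknown return code %r from %s" % (rcode, name))
        action = overrides.get(name, {}).get(rcode, defaults[rcode])
        trace.append("%s returns %s -> action %s" % (name, rcode, action))
        if action == RETURN:
            return rcode, trace                # stop, keep the module's code
        if isinstance(action, str):
            if action not in RCODES:
                raise ValueError("unknown action %r" % action)
            return action, trace               # stop, substitute that code
        if action > priority:                  # numeric: continue, maybe adopt
            result, priority = rcode, action
    return result, trace

def decide(authorize_modules, authorize_overrides, ldap1_rcode):
    """Verdict for the thread's layout: authorize { ... ldap2 } then
    authenticate { ... ldap1 }.  After authorize, ok/updated/noop/notfound
    let the request proceed to authenticate; anything else rejects it."""
    autz, trace = run_section(authorize_modules, authorize_overrides)
    if autz not in ("ok", "updated", "noop", "notfound"):
        return "Access-Reject", trace + ["authorize -> %s: rejected" % autz]
    trace.append("authorize -> %s: continuing to authenticate" % autz)
    verdict = "Access-Accept" if ldap1_rcode == "ok" else "Access-Reject"
    return verdict, trace + ["ldap1 (authenticate) -> %s" % ldap1_rcode]

if __name__ == "__main__":
    # Constructed case: the user authenticates in ldap1 but has no
    # productCode entry in ldap2, so ldap2 returns notfound in authorize.
    autz = [("preprocess", "ok"), ("ldap2", "notfound")]
    cases = {
        "defaults (the thread's problem)":          None,
        "ldap2 { fail = return } (only remaps fail)": {"ldap2": {"fail": RETURN}},
        "ldap2 { fail = reject } (only remaps fail)": {"ldap2": {"fail": "reject"}},
        "ldap2 { notfound = reject } (the fix)":    {"ldap2": {"notfound": "reject"}},
    }
    for label, overrides in cases.items():
        verdict, trace = decide(autz, overrides, "ok")
        print("%-46s %s" % (label, verdict))
        for line in trace:
            print("    " + line)
```

The trace for the default case shows why the first attempts changed nothing: preprocess's ok is held at priority 3, ldap2's notfound at priority 1 cannot displace it, the section returns ok and the request proceeds to ldap1, which accepts it. Remapping fail never fires because ldap2 did not return fail. Only mapping notfound to reject makes the section stop and return reject, which rad_authenticate turns into an Access-Reject before ldap1 is consulted.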