Re: WLAN SSID:

2010-08-18 Thread Helmut Tröbs
Hello,

I think it can be done in many ways,
 e.g. manage it with an external script:


sites-enabled/default:

  post-auth {
    if (Colubris-AVPair == "ssid=guest-wlan") {
      setvlan
    }
  }

module/setvlan:

exec setvlan {
  wait = yes
  program = .../setvlan
  input_pairs = request
  output_pairs = reply
  shell_escape = yes
}

.../setvlan:

#!/usr/bin/perl
# Reply a vendor-specific VLAN id; rlm_exec reads "Attribute = value"
# lines from stdout into the reply (output_pairs = reply).
$vlan = "vlan-id=111";
print "Colubris-AVPair = $vlan\n";


regards

Helmut Troebs

 I configured freeradius to authenticate my WLAN clients over Active
 Directory, depending on the group membership. Also I configured multiple
 SSIDs on my WLAN switch, so a client request in the freeradius debug output
 includes the following attributes:
 
 rad_recv: Access-Request packet from host 172.21.254.100 port 32775,
 id=40, length=402
 Acct-Multi-Session-Id =
 00-0F-61-50-B7-B0-00-21-5C-40-BD-77-4C-6B-A5-8B-00-04-72-98
 Acct-Session-Id = 4295d4b3-0118
 NAS-Port = 275
 NAS-Port-Type = Wireless-802.11
 NAS-Identifier = msm710
 NAS-IP-Address = 172.21.254.101
 Framed-MTU = 1496
 User-Name = myDomain\\myUser
 Calling-Station-Id = 00-21-5C-40-BD-77
 Called-Station-Id = 00-0F-61-50-B7-B0
 Service-Type = Framed-User
 EAP-Message =
 0x0277002d1900170301002293ed3bcfbb751eb66e4c737a442b8a2cf55f4a7812bfc8829d4a00049e221bce4309
 
 State = 0x50052ead557237c49cf458a2fbedd583
 Colubris-AVPair = ssid=guest-wlan
 Colubris-AVPair = incoming-vlan-id=152
 Colubris-AVPair = group=internal
 Colubris-AVPair = vsc-unique-id=1
 Colubris-AVPair = phytype=IEEE802dot11g
 Colubris-Attr-250 = 0x0002
 Colubris-Attr-249 = 0xac157909
 Message-Authenticator = 0x8d9162f1ae7f047641224f07213a
 
 My goal is to move authorized users to a different VLAN depending on the
 SSID. I tried the following in the hints file, but that does not work;
 can somebody help me?
 
 DEFAULT Colubris-AVPair =~ ".*guest-wlan.*"
 	Reply-Message = "Hints",
 	Framed-Protocol = PPP,
 	Service-Type = Framed,
 	Tunnel-Type := VLAN,
 	Tunnel-Medium-Type := IEEE-802,
 	Tunnel-Private-Group-Id := 120
 
 I expected that the attributes set in the hints file and the ones set
 in the users file are merged in the reply from freeradius, but that
 seems not to be so.
 
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
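The SSID-to-VLAN mapping that the reply above delegates to an external script, as an added example that is not code from the thread: a Python stand-in for the setvlan script that collects the Colubris-AVPair values of a request, looks the SSID up in a constructed policy table, and returns the RFC 3580 Tunnel-* reply attributes in the "Attribute = value" lines rlm_exec reads from stdout with output_pairs = reply. How the request pairs reach the script (environment or stdin) is not modelled; the block parses the radiusd -X line format shown in the quoted request instead, and the SSID table and VLAN numbers are constructed.

```python
# Added example, not code from the thread: map the SSID in Colubris-AVPair
# to a VLAN and return RFC 3580 tunnel attributes as "Attribute = value"
# lines, the stdout format rlm_exec reads with output_pairs = reply.

# Constructed policy: SSID -> VLAN id. An unlisted SSID gets no VLAN
# attributes, so the NAS keeps its default VLAN rather than a value
# taken from the request itself.
SSID_TO_VLAN = {"guest-wlan": 120, "staff-wlan": 111}


def parse_pairs(text):
    """Parse 'Attribute = value' lines (the shape of radiusd -X output)."""
    pairs = []
    for line in text.splitlines():
        attr, sep, value = line.strip().partition(" = ")
        if sep:
            pairs.append((attr, value))
    return pairs


def avpairs(pairs):
    """Collect every Colubris-AVPair 'key=value' into a dict."""
    out = {}
    for attr, value in pairs:
        if attr == "Colubris-AVPair" and "=" in value:
            key, _, val = value.partition("=")
            out[key.strip()] = val.strip()
    return out


def vlan_reply(pairs):
    """Reply lines for the request, or [] when the SSID is not in the policy."""
    vlan = SSID_TO_VLAN.get(avpairs(pairs).get("ssid"))
    if vlan is None:
        return []
    return ["Tunnel-Type = VLAN",
            "Tunnel-Medium-Type = IEEE-802",
            "Tunnel-Private-Group-Id = %d" % vlan]


# Constructed sample in the shape of the Access-Request quoted in the thread.
SAMPLE_REQUEST = """\
NAS-Identifier = msm710
Colubris-AVPair = ssid=guest-wlan
Colubris-AVPair = incoming-vlan-id=152
"""

if __name__ == "__main__":
    for line in vlan_reply(parse_pairs(SAMPLE_REQUEST)):
        print(line)
```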


Re: terminating EAP tunnels, proxy and realms

2007-06-22 Thread Helmut Tröbs
Hello Andreas,

 
 No, we want to participate in inter-university roaming (eduroam) and thus
 have to proxy some requests to a parent server. Everything works great
 except regarding the outer identity.
 
 If it's just anonymous everything is ok, but if it's
 anonymous@somerealm and somerealm is configured in proxy.conf the
 EAP-Request is proxied instead of terminated. This is correct by
 configuration but not wanted.
 
 Is there a way to terminate the EAP regardless of the outer identity?
 

Why do you want this? The EAP tunnel should terminate on the last
RADIUS server, where the user belongs. On your RADIUS server only the EAP
tunnels for your own users should be terminating.

Read
http://www.dfn.de/content/fileadmin/1Dienstleistungen/GWIN/sonstiges/Konfiguration-freeradius.pdf
It is for DFN-Roaming, but it is the same as EDUROAM.


regards

Helmut


Re: Apache2 - PAM - freeRADIUS - users

2007-03-21 Thread Helmut Tröbs
Hello Michael,


  freeRADIUS works quite well and it's possible to authenticate via PAM;
  for example local logins, ssh logins, su, chsh, gdm, ... are working
  fine.

  The only thing that will not work is the htaccess from apache2. The
  RADIUS server gets the request and permits the user:
 
   I would suggest finding out why Apache is requiring more from PAM than
 everyone else does.  It's not really a pam_radius problem, because it
 works with everything else.
 


We had similar problems with RADIUS and Apache2 (it is not a RADIUS/PAM
problem!). PAM didn't work for us either, so a colleague found another
RADIUS module for Apache 2:

http://www.outoforder.cc/projects/apache/mod_auth_xradius/

But it only works with Apache 2.0.x. With Apache 2.2.x we didn't manage
to get any radius authentication working.

Greetings





Re: Problems with hints file when i use freeradius-1.0.1

2005-01-13 Thread Helmut Tröbs
Hello,
I want to upgrade from freeradius-0.8.1 to freeradius-1.0.1.
My hints file:
DEFAULT Prefix == "t", Strip-User-Name = No
Hint = "TUM"
It works with freeradius-0.8.1, the username is left unstripped.
With freeradius-1.0.1 the username is always stripped, why?
Maybe I made a syntax error?
I got a nightly CVS snapshot and this works as I expected
(with the syntax above). But now I have problems with EAP.
So I made a dirty source patch for 1.0.1.
Delete the function presufcmp in .../src/main/valuepair.c and
copy this one in (from freeradius-snapshot-20050111/src/modules/
rlm_expr/paircmp.c):
static int presufcmp(void *instance,
                     REQUEST *req UNUSED,
                     VALUE_PAIR *request, VALUE_PAIR *check,
                     VALUE_PAIR *check_pairs, VALUE_PAIR **reply_pairs)
{
        VALUE_PAIR *vp;
        char *name = (char *)request->strvalue;
        char rest[MAX_STRING_LEN];
        int len, namelen;
        int ret = -1;

        instance = instance;
        reply_pairs = reply_pairs; /* shut the compiler up */

#if 0 /* DEBUG */
        printf("Comparing %s and %s, check->attr is %d\n",
               name, check->strvalue, check->attribute);
#endif

        len = strlen((char *)check->strvalue);
        switch (check->attribute) {
        case PW_PREFIX:
                /* Prefix matches: the rest of the name follows the prefix. */
                ret = strncmp(name, (char *)check->strvalue, len);
                if (ret == 0 && rest)
                        strcpy(rest, name + len);
                break;
        case PW_SUFFIX:
                /* Suffix matches: the rest of the name precedes the suffix. */
                namelen = strlen(name);
                if (namelen < len)
                        break;
                ret = strcmp(name + namelen - len,
                             (char *)check->strvalue);
                if (ret == 0 && rest) {
                        strNcpy(rest, name, namelen - len + 1);
                }
                break;
        }
        if (ret != 0)
                return ret;

        /*
         *      If Strip-User-Name == No, then don't do any more.
         */
        vp = pairfind(check_pairs, PW_STRIP_USER_NAME);
        if (vp && !vp->lvalue) return ret;

        /*
         *      See where to put the stripped user name.
         */
        vp = pairfind(check_pairs, PW_STRIPPED_USER_NAME);
        if (!vp) {
                vp = paircreate(PW_STRIPPED_USER_NAME, PW_TYPE_STRING);
                if (!vp) return ret; /* no memory, do anything? */
                pairadd(&request, vp);
        }
        strcpy((char *)vp->strvalue, rest);
        vp->length = strlen(rest);

        return ret;
}
regards
Helmut Troebs


Re: Problems with hints file when i use freeradius-1.0.1

2005-01-05 Thread Helmut Tröbs

On Tuesday, 4 January 2005 08:56, Helmut Tröbs wrote:
Hello,
I want to upgrade from freeradius-0.8.1 to freeradius-1.0.1.
My hints file:
DEFAULT Prefix == "t", Strip-User-Name = No
Hint = "TUM"

DEFAULT Prefix = "t", Strip-User-Name = No
 Hint = "TUM"
only with a single = after Prefix?
Thank you for the answer, but Prefix == "t" is correct;
when I try only one = I get the message
 Invalid operator for item Prefix: reverting to '=='
in the debug output.
When I try to use N instead of No:
DEFAULT Prefix == "t", Strip-User-Name = N
Hint = "TUM"
the debug output looks better, but the proxied User-Name
is still wrong.
rad_recv: Access-Request packet from host x.x.x.x:32770, id=171, length=56
User-Name = test
User-Password = x
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 48
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = test
rlm_realm: Proxying request from user test to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy authentication request to realm NULL
  modcall[authorize]: module suffix returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched DEFAULT at 178
users: Matched DEFAULT at 385
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 10.156.10.42:1812
User-Name = est
User-Password = x
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
Proxy-State = 0x313731
Any idea?
regards
Helmut Troebs


Problems with hints file when i use freeradius-1.0.1

2005-01-03 Thread Helmut Tröbs
Hello,
I want to upgrade from freeradius-0.8.1 to freeradius-1.0.1.
My hints file:
DEFAULT Prefix == "t", Strip-User-Name = No
Hint = "TUM"
It works with freeradius-0.8.1, the username is left unstripped.
With freeradius-1.0.1 the username is always stripped, why?
Maybe I made a syntax error?
A little bit of debug output:
SunOS wsc41 5.8 Generic_117000-01 sun4u sparc SUNW,Ultra-5_10
rad_recv: Access-Request packet from host x.x.x.x:32771, id=128, length=56
User-Name = test
User-Password = 
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 36
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = est, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = est
rlm_realm: Proxying request from user est to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy authentication request to realm NULL
  modcall[authorize]: module suffix returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched DEFAULT at 178
users: Matched DEFAULT at 385
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 10.156.10.42:1812
User-Name = est
User-Password = 
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
Proxy-State = 0x313238

regards
Helmut Troebs
--
---
 Helmut Troebs
 Leibniz-Rechenzentrum der Bayerischen Akademie der Wissenschaften
 Abteilung Kommunikationsnetze
 Barer Str. 21
 80333 Muenchen
 E-Mail:[EMAIL PROTECTED]
---