Re: ldap instead of /users file
stefek143 wrote:
> Hello. I read that ldap can't be used with the eap-tls method to auth., but what I wanna do is use LDAP instead of the /raddb/users file, for example for attributes like VLAN ID etc. Is it possible? If yes, where do I find some information about it? Because everywhere there is a howto for authentication and authorization using LDAP, but I think it's a big difference in radius configuration when I wanna use LDAP only instead of the users file.

You just perform only authorization from ldap and not authentication (authentication is done with eap_tls and client certificate authentication).

> THX for any information.
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: RADIUS Stress Test tool
[EMAIL PROTECTED] wrote:
> You do. ;-) If you have freeradius you have radiusclient.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 4/10/2007, Amr el-Saeed [EMAIL PROTECTED] wrote:
>> Dear All, Does any one have any tool to stress test the freeRadius ??

http://www.evolynx.com/radius/dl_loadtest.aspx

>> regards, Amr el-Saeed

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: RADIUS-LDAPv3.schema attribute description(s)
Turbo Fredriksson wrote:
> Quoting Turbo Fredriksson [EMAIL PROTECTED]:
>> Is there any documentation of the attributes in the LDAP schema? I'm trying to write a GUI manager for RADIUS (actually a 'plugin' to my http://phpQLAdmin.com) but I don't know how to write the lead text to the form...
>
> Cross referencing with the ldap.attrmap, I managed to make the following patch. But a DESCription like:
>
>     DESC 'replyItem: Reply-Message'
>
> for the LDAP attribute 'radiusReplyMessage', it kind'a sucks. Maybe there's better documentation for the RADIUS attribute. I'll check... But that still leaves no mapping for the following RADIUS attributes:
>
> dialupAccess

See doc/rlm_ldap

> radiusArapFeatures
> radiusArapSecurity
> radiusArapZoneAccess
> radiusClientIPAddress

Mapped to Client-IP-Address, could be used to only allow access to a specific client-ip-address for a user

> radiusGroupName
> radiusHint

Hint attribute

> radiusHuntgroupName

Huntgroups

> radiusLoginTime

The Login-Time attribute used by the corresponding module

> radiusPasswordRetry
> radiusProfileDn

Used for ldap radius regular profiles. See doc/rlm_ldap

> radiusPrompt
> radiusProxyToRealm

Proxy-To-Realm. I think this attribute is deprecated.

> radiusRealm

Realm attribute.

> radiusReplicateToRealm

Replicate-To-Realm. Again I think this attribute is deprecated.

> radiusStripUserName
> radiusTunnelAssignmentId
> radiusTunnelClientEndpoint
> radiusTunnelMediumType
> radiusTunnelPassword
> radiusTunnelPreference
> radiusTunnelPrivateGroupId
> radiusTunnelServerEndpoint
> radiusTunnelType
> radiusUserCategory
> radiusVSA
>
> At least, they aren't referenced in ldap.attrmap. Oversight, are these LDAP attributes deprecated (or not implemented)? One I recognize is 'radiusRealm'. Must be the RADIUS attribute 'Realm', right? Shouldn't that be in ldap.attrmap? If someone could finish the line(s) above ({reply,check}Item) and the corresponding RADIUS attribute, I'm happy to produce a good patch for this...

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: OpenLDAP + FreeRADIUS Complete Solution
Freeradius provides ldap authentication of users (either through ldap bind or by pulling the password from the user entry), authorization based on radius specific ldap attributes (an ldap radius schema is provided in the doc directory), and group membership evaluation (one way is with groupofnames just like your groups). It does not provide ldap based huntgroups and clients. So you can 'pull' available users and groups but not anything else.

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: Dialup admin online user page real online user different
hyunok wrote:
> Hello, I have a freeradius 1.1.7 server setup with ppp and pptp using a mysql DB for user authentication.
>
>     dialup admin web Online Users page == 5 online
>     real online pptp users           === 7 online
>
> Why different?

Dialupadmin will only show you what the database is telling it (unless you have a nas supporting the aaa-session-mib, in which case it can first query the nas for the online users list). You can enable sql debug to see the sql queries run.

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: customise dialup admin
Carl aniams wrote:
> Hi, I'm presently using dialup admin for client connection to the net. But my handicap is the time counter.

Which time counter, there are plenty of them.

> I would like to know if it would be possible to set a graphical time counter for a customer.

What do you mean exactly?

> Also, is it possible to increase the time limit for a customer that may require an hour more?

You can increase the time limit by one hour (3600 seconds). See the documentation for the counter module as well as the dialupadmin configuration files in the config catalog.

> If yes, how please. Thanks
>
> --
> ANIAMBOSSOU Carl
> NIAMS TECHNOLOGIES
> tel: +229 90 04 08 58 / +229 97 48 01 33
> COTONOU, REPUBLIC OF BENIN, WEST AFRICA

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: LDAP errror in dialup admin page
Bishal wrote:
> I am trying to use freeradius 1.1.7 on FreeBSD 6.2 with openldap 2.3.37 for authentication and mysql for accounting. While creating a new user I get the following error in the dialup admin page:
>
>     Warning: file(/usr/local/etc/raddb/ldap.attrmap) [function.file]: failed to open stream: Permission denied in /usr/local/www/apache22/data/dialupadmin/lib/ldap/attrmap.php3 on line 4

I think the problem is exactly what is written. Check the permissions on the /usr/local/etc/raddb/ldap.attrmap file. Especially check that the apache process (usually runs as nobody) can open the file.

>     Warning: Invalid argument supplied for foreach() in /usr/local/www/apache22/data/dialupadmin/lib/ldap/attrmap.php3 on line 5

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: Adding a ldap.attrb Dialuppassword to radius-ldap.schema
Jóhann B. Guðmundsson wrote:
> RHEL5 / FreeRadius freeradius-1.1.3-1.2.el5 / Fedora Directory server.
>
> Scenario... Currently trying to move all our dial up user entries from the users file to ldap (FDS) and need to add an attribute in the radius ldap schema which would contain the clear text password of the dial in password for the dial up users, and match the dial in password to that password instead of the user's login password. What needs to be done to make this possible, if it is possible? (Users are already authenticated through ldap except for their adsl dial in passwords which are in clear text, and even if the passwords weren't in clear text and they could use their login password to login, the users aren't smart enough and/or are technology challenged (or at least the majority of them) to know that if they change their login password they need to change it in the adsl router as well.)
>
> Schema changes?
> Dictionary changes?
> ldap.attrmap changes?
> ldap changes in radiusd.conf? (password_attribute already mapped to userPassword in the ldap section)
>
> Best regards
> Johann B.

You need to add the new attribute in the schema (add it in the user entries) and add it in the password* configuration directives of the ldap module. I don't think you need to touch the dictionaries or ldap.attrmap. After that, configure the pap module and you should be set.

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: Re : Off-topic: DHCP server with radius support
Eshun Benjamin wrote:
>> Slightly off-topic. Is anyone aware of a DHCP server with radius support. Or even just with exec support? I'd like to setup a DHCP that will ask a radius server for IP instead of assigning it itself
>
> A radius server assigning IPs ...that is not radius (!). Maybe you mean the radius server authenticating (MACs and/or IPs) before the dhcp assigns it; this you have to configure and write your own scripts on the dhcp server to authenticate against the radius. Radius is for AAA

No, I meant exactly what I wrote. RADIUS can assign IPs (that's why we have the rlm_pool/rlm_sqlpool modules and the Framed-IP-Address attribute). I need to forward some information to home radius servers first and based on their response decide on the ip pool to give out IPs from. Moreover, I need the extensibility and features of freeradius in my setup. I could provide you with the exact details of what I'd like to achieve but they're not important for the question asked. A DHCP request can be transformed to an Access-Request (with some default password), forwarded to a RADIUS server and the IP assigned by the radius server returned back to the user.

> == Benjamin K. Eshun
>
> - Original message
> From: Kostas Kalevras [EMAIL PROTECTED]
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Sent: Wednesday, 20 June 2007, 14:18:09
> Subject: Off-topic: DHCP server with radius support

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Off-topic: DHCP server with radius support
Slightly off-topic. Is anyone aware of a DHCP server with radius support. Or even just with exec support? I'd like to setup a DHCP that will ask a radius server for IP instead of assigning it itself

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: Grouping users and clients
Giovanni Lovato wrote:
> Hi all. We have a set of Cisco routers and a pool of users in an LDAP directory. At this time the routers are configured to request authentication from FreeRadius, which binds to LDAP and grants access to the user on a successful bind. We need to create groups of routers and groups of users, granting access to certain groups of routers only to certain groups of users. Can we do that using FreeRadius?

groups of routers = huntgroups
The ldap module provides functionality for group handling.

> Thank you, G.L.

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: DialupAdmin Question.
Joseph Sullivan wrote:
> Hello Group, I am trying to use Dialup Admin on Free Radius 1.1.6. I have the admin.conf file all setup, it will add and remove users from the MySQL db, but it will not do the radius check by clicking on Check Server. It outputs this:
>
>     Monday, 21 May 2007, 09:10:14 MDT
>     Server: 127.0.0.1:1812 (test user cowpuppy)
>
> Then it just hangs there. I have tried everything in the admin.conf file, setting the host to localhost, the hostname, the public ip address, and it still just hangs there, and it never hits the actual radius server or completes the check. Also, I can login with the user cowpuppy just fine but dialup admin never shows this when I look at the stats for cowpuppy. When I run this command:
>
>     radtest cowpuppy testpass localhost 0 testing123
>
> It accepts me, and it shows that in the radius.log, but dialup admin doesn't recognize that. I think it is a logging issue. It looks like it needs to log to the SQL server... I am still working on that... As always, thanks for any help you can offer. Cheers!!

Probably some library path is missing when the web server tries to run radclient. Check the general_radclient_bin and general_ld_library_path directives. Also check the web server error log for any logs.

> Joseph Sullivan

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: PEAP authentication + LDAP attribute recovery
Manuel Sánchez Cuenca wrote:
> Hi all, Is it possible to configure freeradius to authenticate users using PEAP and then, for authenticated users, return some RADIUS attributes recovered from an LDAP server, such as Session-Timeout or Framed-IP-Address? And in that case, how can I configure it? Thanks in advance

Yes. PEAP has specific restrictions on the password though (it should be clear text or NT-Password). rlm_ldap (in the authorize section) will retrieve any radius attributes present in the user entries (as well as in some other profiles). Check the doc folder for the rlm_ldap documentation and for the radius ldap schema.

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: FreeRadius performance requirements
Arnnei Speiser wrote:
> Hi Guys, Any recommendations on the server minimum configuration - memory, cpu etc. for using FR with 10k, 20k, 50k users?

Moved to freeradius-users!!

The number of users is not the major factor. Rather the number of requests/sec. Where are the users stored (plain text, ldap, sql)? Do you perform heavy accounting? To sql? How many logins do you expect per second, hour, day? Will you use EAP? If yes, will you use one of the SSL versions (TLS, PEAP, TTLS)?

In general freeradius should not have any problem as long as you set the thread and/or ldap/sql connection pool parameters large enough for your specific setup. The most important thing to check is your authentication and accounting database, not radius itself. Any modern server should be more than adequate for freeradius. So check the directives in thread pool { }, the num_sql_socks in sql.conf and ldap_connections_number in ldap { } (if you are using ldap).

> What would be the main configuration parameters that we have to select/set in order to handle a high volume of authentication requests? Thanks, Arnnei
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: Freeradius proxy code questions and proposed patch
Alan DeKok wrote:
> Kostas Zorbadelos wrote:
>> I have read in the list about the major clean up version 2.0 of the server will be. While reading the code of versions 1.x I could see that there is great room for improvement. I will take a look in the 2.0 sources and I look forward to testing it when it becomes available.
>
> Please test it now. If everyone waits for 2.0 to be released before testing it, then everyone will discover little problems that they don't like. Spend some time now to give feedback, and 2.0 will be that much more robust for everyone.

I think it's a good idea to start releasing 2.0preX versions. That should make a few more people interested in testing the code and get more comments.

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: override ldap reply attribute
[EMAIL PROTECTED] wrote:
> Here is the full debug-log.
>
> Airespace-Interface-Name value in ldap: 310
> value in users-file: 777
>
> as you can see, it doesn't override :-(
>
> users-file line 54, which matches:
>
>     DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99, Airespace-Interface-Name := 777

Airespace-Interface-Name is a reply item while you are setting it as a check item. Correct way:

    DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99
            Airespace-Interface-Name := 777

> radiusd.conf authorize section:
>
>     authorize {
>         preprocess
>         eap
>         ldap_wlan
>         files
>     }
>
> as you can see, it's wlan-authentication with EAP on SSID:Test99
> don't know what else I can try :-(
> thanks in advance for your help!

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: Add a secondary ldap server to radiusd.conf
Hubert Kupper wrote:
> Hello, how can I add a secondary ldap server to radiusd.conf for failover?

Just create a second ldap module instance with the secondary ldap server configuration and read doc/configurable_failover

> Regards
> Boert
Re: override ldap reply attribute
[EMAIL PROTECTED] wrote:
> Hi Guys, I have maybe a quite simple question: is there any way to override the default ldap-reply attribute with another value than there is in ldap? i.e.:
>
> users-file:
>
>     Default Called-Station-Id = 00-1A-30-2F-11-50:Test, Airespace-Interface-Name := 777
>
> ldap.attrmap:
>
>     replyItem Airespace-Interface-Name radiusCallingStationId
>
> wanted result: if the users-file doesn't match, use the value of the ldap-attribute radiusCallingStationId, otherwise use the value 777. In this type of configuration it seems I can't override the ldap-reply attribute-value with the users-file.

Check the order in which the files and ldap modules appear in the authorize section. If you want to override an ldap value then you need to have the files module after the ldap module.

> Is there any possible way to do this? Thanks in advance :-)
> freeradius version: 1.1.4

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: override ldap reply attribute
Chaos Commander wrote:
> Kostas Kalevras wrote:
>> [EMAIL PROTECTED] wrote:
>>> Hi Guys, I have maybe a quite simple question: is there any way to override the default ldap-reply attribute with another value than there is in ldap? i.e.:
>>>
>>> users-file:
>>>
>>>     Default Called-Station-Id = 00-1A-30-2F-11-50:Test, Airespace-Interface-Name := 777
>>>
>>> ldap.attrmap:
>>>
>>>     replyItem Airespace-Interface-Name radiusCallingStationId
>>>
>>> wanted result: if the users-file doesn't match, use the value of the ldap-attribute radiusCallingStationId, otherwise use the value 777. In this type of configuration it seems I can't override the ldap-reply attribute-value with the users-file.
>>
>> Check the order in which the files and ldap modules appear in the authorize section. If you want to override an ldap value then you need to have the files module after the ldap module.
>
> unfortunately the problem still persists, also if I change the order :-( any other ideas?

Run in debug mode (radiusd -X) and POST the output.

>>> Is there any possible way to do this? Thanks in advance :-)
>>> freeradius version: 1.1.4

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: LDAP changes between 1.01 and 1.1.5
Alan DeKok wrote:
> Ryan Kramer wrote:
>> I SUSPECT something might not be escaped in a manner the MS AD server likes, or maybe just the fact it has any escape sequences built in at all is what is causing it to toss it.
>
> No. As I have said already, the problem is that the LDAP queries are being escaped. Please pay attention to what I'm saying, it might help you solve the problem.
>
> The default install does not do this. The default configuration does not do this. Other people have not run into this problem. The problem is almost definitely the way you are building the queries. i.e. the LDAP queries are built up as:
>
>     text from config file ldap_escape(other text) text from config ...
>
> The text that you, as administrator, entered into the configuration file is NEVER escaped. The text that a random user enters as a User-Name is ALWAYS escaped.

The problem is with the groupmembership_filter. It contains the Ldap-UserDn attribute which gets xlated and escaped:

    (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

A DN usually contains commas which get escaped and break the ldap search. I am not so sure why we should escape ',' in the first place. That way we break any ldap searches for attribute values holding DNs.

> If you're putting queries into an attribute, and then later using that attribute as part of another query, that text WILL be escaped. The server has no way of telling where that text came from, so it's untrusted. The solution is to carefully examine how you build the queries. There may be simpler ways of doing it, which avoids the double escaping issue.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
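An added illustration of the escaping point in this thread (my own Python model, not FreeRADIUS code): xlat expansion copies config text verbatim and passes every %{...} value through an escaper, and the two escapers below show which characters RFC 4515 actually requires escaping (the comma is not one of them) versus an escaper that also touches commas. The filter is rlm_ldap's default groupmembership_filter written with the '&' inside each branch; the escaper functions, the sample DN and the sample User-Name are constructed for this example.

```python
import re

# Filter metacharacters that RFC 4515 section 3 says must be hex-escaped when
# a value is embedded in a filter assertion.  ',' is NOT among them: it is a
# DN separator, which matters when parsing a DN, not a filter.
_RFC4515_SPECIAL = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}


def escape_rfc4515(value: str) -> str:
    """Escape untrusted text so it cannot change the structure of a filter."""
    return "".join(_RFC4515_SPECIAL.get(ch, ch) for ch in value)


def unescape_rfc4515(value: str) -> str:
    """Reverse of escape_rfc4515: every \\XX becomes the character 0xXX."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def escape_with_comma(value: str) -> str:
    """Over-eager escaper (constructed model of what the thread describes, not
    FreeRADIUS's own ldap_escape): RFC 4515 escaping plus the comma."""
    return escape_rfc4515(value).replace(",", r"\2c")


# rlm_ldap's default groupmembership_filter, with the '&' inside each branch.
GROUPMEMBERSHIP_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
)

_XLAT_REF = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def expand(template: str, attrs: dict, escaper=escape_rfc4515) -> str:
    """Model of xlat expansion as Alan describes it: text from the config is
    copied verbatim, every %{Attr} reference is replaced by the attribute's
    value passed through the escaper, wherever that value originally came from."""
    def substitute(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError("no value for %{" + name + "}")
        return escaper(attrs[name])
    return _XLAT_REF.sub(substitute, template)


# Constructed sample values for the demonstration.
SAMPLE_DN = "cn=Ryan Kramer,ou=People,dc=example,dc=com"
SAMPLE_USER = "r*kramer(test)"   # a User-Name carrying filter metacharacters


def group_filter(dn: str, escaper=escape_rfc4515) -> str:
    """The group search filter rlm_ldap would build for the given user DN."""
    return expand(GROUPMEMBERSHIP_FILTER, {"Ldap-UserDn": dn}, escaper)


def user_filter(user_name: str) -> str:
    """A (uid=...) lookup filter built from an untrusted User-Name."""
    return expand("(uid=%{User-Name})", {"User-Name": user_name})


if __name__ == "__main__":
    print(group_filter(SAMPLE_DN))                     # DN survives unchanged
    print(group_filter(SAMPLE_DN, escape_with_comma))  # every ',' became \2c
    print(user_filter(SAMPLE_USER))                    # metacharacters neutralised
```

The same escaper handles both cases correctly because it only rewrites the five characters that can alter filter structure, so a DN passes through untouched while a hostile User-Name cannot close or extend the filter.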
Re: assigning vlan based on NAS and LDAP field?
Matt Ashfield wrote:
> Hi all, We're using FR authenticating against LDAP to implement our wireless solution. Basically, we are looking at the LDAP field of record type and determining if it is a staff or a student, and assigning a vlan based on that. Pretty simple and it works. However, there are two issues with this:
>
> 1. We have a sister campus, on a different network, but who are sharing the same FR and LDAP servers for authentication. Obviously their NAS's are different than ours because we're in different physical locations and networks. With our current configuration, it looks like we have to define the exact same vlan ids and the same vlan eligibility rules (ie staff get vlan x and students get vlan y) in order for this to work. I guess I'm hoping there is a way to assign different vlans based on the NAS ip address in addition to the student/staff distinction.

You can use multiple ldap module instances and set Autz-Type depending on the nas ip address (or better yet huntgroups)

> 2. This follows into our future wired side implementation of 802.1x. In this case, we don't want our staff/student wired users to be assigned to the same vlans as they would be if they were on wireless. Rather we'd prefer to break them up based on their NAS or something like that.
>
> Anyways, I realize this is quite an odd situation, but probably quite similar to what many EDU people are encountering. Any help/advice is greatly appreciated. Thanks
> Matt [EMAIL PROTECTED]
Re: Segmentation fault on sigHUP
Alan DeKok wrote:
> Milan Holub wrote:
>> - we are keeping NAS entries in DB.
>
> Then the server should re-load them via reading the DB.
>
>> - these entries are edited by operation guys via web interface
>> - when a new NAS entry is added then we need to reload/restart freeradius
>> - we reload freeradius using an SNMP write query (can be done via web interface as well; without need of ssh to the radius server)
>
> If the server automatically discovers NAS changes from the DB, then the server doesn't need to be reloaded. i.e. You're changing *one* thing: a NAS. You're then telling the server to reload *everything*. That's where the expense and complexity comes in.

The problem is: You add one NAS. But you need to update the clients list. To do that you have to lock the clients list for write and make sure no one reads it. That means you have to stop accepting requests and wait for already present ones to finish. Afterwards you just have to start accepting requests again. The same more or less applies to changes on module configuration (CRLs for TLS, users for the files module). You have to reload the module and in the meantime make sure no one uses it (and the best way to do that is by stopping accepting requests). This all sounds like the work done on a HUP so I don't see any major differences.

>> In general when restarting the server you might lose some radius packets (especially on a highly loaded server), don't you?
>
> It's possible.
>
>> == what do you imagine under these features? Basically I thought HUP is good for reloading config files when one does not want to bring the server down but wants to bring into effect some minor config change.
>
> I am trying to say that there are OTHER ways to perform some minor config change than HUP. HUP should be the *last* resort.
>
>> == is there any other use of HUP?
>
> No. HUP is *only* to notify the server of configuration changes.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Can i do that?
apolyxrono wrote:
> Hi list, I have freeradius-1.1.3 doing accounting with mysql. I am thinking to create 2 or 3 new tables in the radius db for my purposes and write in them the info I want every time freeradius writes data to the other tables (nas, radcheck, radacct etc.).

freeradius only writes to radacct. It assumes someone else has written to nas/radcheck.

> Is it possible to do that? If yes, how? If yes, is it possible to do it using php scripts and not perl (for example to call a php script to update my tables every time freeradius writes accounting data in the radius db)? Thanks a lot

You can:

1. Use sql triggers if your sql server supports them
2. Just create 2-3 more sql module instances that will execute the queries you want
3. Create an external php script to do that. That will be slower though since you'll have to execute it on every request and create a new sql connection (the sql module uses a connection pool).

I would suggest 2-1-3 (in that order).

--
Kostas Kalevras
Network Operations Center - National Technical University of Athens
http://kkalev.wordpress.com
Re: Performance testing
Murray Hooper wrote:
> Are there any performance statistics available for freeradius? I am using 1.1.5 and mysql 5 and trying to determine if there will be a bottleneck in radius packet processing. The makers of my NAS are saying that this could become an issue and I am just trying to see what type of numbers people believe this solution should handle. Is it 10 transactions / second or 10,000? Thanks in advance, murray

In general FreeRADIUS will never be the bottleneck unless you are doing things like calling external scripts (instead of using rlm_perl/rlm_python). What you should do is make sure that your database can handle the load (create indexes, enlarge cache size etc). See the testimonials page at http://www.freeradius.org/testimonials.html for actual cases. Don't expect your installation to handle more than a few transactions/sec unless you are handling way too much traffic. As long as your sql database is quick enough you won't have any problems. You can find a few performance tips on a page of my blog at http://kkalev.wordpress.com/2007/03/25/radius-server-performance-tips/

Hope this helps
Re: more than one AVP from LDAP with same name is it possible ?
Bodin Bruno wrote:
> Hello, My problem is about the Radius reply. With the users file it's possible to reply some AVPs with the same name, like that:
>
>     My-AVP += name:robert,
>     My-AVP += age:38,
>     My-AVP += country:fr
>
> most important, it's possible to do that:
>
>     Sip-AVP += username:%{User-Name}
>
> But how is it possible to do something like that with an ldap attribute? Because I use this:
>
>     replyItem My-AVP username_radius
>
> but that works only one time, because when I do:
>
>     replyItem My-AVP username_radius
>     replyItem My-AVP age_radius
>
> it only returns the last attribute content (38, the age of Robert). And when I type this:
>
>     replyItem My-AVP username_radius,age_radius
>
> that returns nothing... Too bad, returning 2 AVPs would be better :( Is there any method to do this? Could it be a new feature? Thanks for help

You can include the operator in the ldap attribute value. You can also set the operator (from the default = for reply items) for an attribute in the ldap.attrmap (I'm not sure if it's only available in the cvs).

First solution:

ldap.attrmap:

    replyItem My-AVP ldap_my_avp

In the ldap entry you can do:

    ldap_my_avp: += name:robert
    ldap_my_avp: += age:38

Second solution:

ldap.attrmap:

    replyItem My-AVP ldap_my_avp +=

ldap entry:

    ldap_my_avp: name:robert
    ldap_my_avp: age:38

Hope this helps

--
Kostas Kalevras
Network Operations Center - National Technical University of Athens
http://kkalev.wordpress.com
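As an added example (my own Python model, not rlm_ldap's code) of why the two solutions above give the same reply, this applies the operator rules described in the post: an operator embedded in the LDAP value wins, otherwise the one given in ldap.attrmap, otherwise the reply default '=', and the merge follows the users-file reply operator semantics ('=' only if absent, ':=' replace, '+=' always add). The attrmap lines and entry values are the ones from the post; `Pair`, `reply_for` and the other names are mine.

```python
from collections import namedtuple

# One RADIUS attribute/operator/value triple the ldap module would hand to the reply.
Pair = namedtuple("Pair", "attribute op value")

# Operators recognised in front of a value; two-character ones first so that
# "+=" is never read as "=".
_OPERATORS = ("+=", ":=", "==", "=")

# Constructed ldap.attrmap fragments and LDAP entries for the two solutions.
ATTRMAP_OP_IN_VALUE = "replyItem My-AVP ldap_my_avp"
ENTRY_OP_IN_VALUE = {"ldap_my_avp": ["+= name:robert", "+= age:38"]}

ATTRMAP_OP_IN_MAP = "replyItem My-AVP ldap_my_avp +="
ENTRY_OP_IN_MAP = {"ldap_my_avp": ["name:robert", "age:38"]}

# The original poster's situation: no operator anywhere, so '=' applies.
ENTRY_NO_OP = {"ldap_my_avp": ["name:robert", "age:38"]}


def parse_attrmap(text: str) -> list:
    """Parse ldap.attrmap lines: <checkItem|replyItem> <radius-attr> <ldap-attr> [op]."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (3, 4) or fields[0] not in ("checkItem", "replyItem"):
            raise ValueError(f"bad ldap.attrmap line: {line!r}")
        op = fields[3] if len(fields) == 4 else None
        if op is not None and op not in _OPERATORS:
            raise ValueError(f"unknown operator in: {line!r}")
        rows.append((fields[0], fields[1], fields[2], op))
    return rows


def split_operator(raw: str):
    """Peel a leading operator off an LDAP value: '+= age:38' -> ('+=', 'age:38')."""
    for op in _OPERATORS:
        if raw.startswith(op):
            return op, raw[len(op):].strip()
    return None, raw


def entry_to_pairs(attrmap: str, entry: dict) -> list:
    """Turn an LDAP entry into pairs.  Operator precedence: embedded in the
    value, else the ldap.attrmap column, else the kind's default."""
    pairs = []
    for kind, radius_attr, ldap_attr, map_op in parse_attrmap(attrmap):
        default_op = "==" if kind == "checkItem" else "="
        for raw in entry.get(ldap_attr, []):
            op, value = split_operator(raw)
            pairs.append(Pair(radius_attr, op or map_op or default_op, value))
    return pairs


def build_reply(pairs: list) -> dict:
    """Merge reply pairs with the users-file operator semantics."""
    reply = {}
    for p in pairs:
        values = reply.setdefault(p.attribute, [])
        if p.op == "+=":            # always add another value
            values.append(p.value)
        elif p.op == ":=":          # replace whatever is there
            values[:] = [p.value]
        elif p.op == "=":           # add only if the attribute is not present yet
            if not values:
                values.append(p.value)
        else:
            raise ValueError(f"{p.op} is a check operator, not valid in a reply")
    return reply


def reply_for(attrmap: str, entry: dict) -> dict:
    """Reply attributes produced for one LDAP entry under one ldap.attrmap."""
    return build_reply(entry_to_pairs(attrmap, entry))
```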
Re: Problems with freeradius 1.1.5 (2.0.0) 20070322 with postgresql (SIGHUP = segmentation fault)
Alan DeKok wrote:
> Claudiu Filip wrote:
> ...
>> Second:
>>
>>     8x-8x--
>>     rlm_sql_postgresql: Status: PGRES_TUPLES_OK
>>     rlm_sql_postgresql: query affected rows = 3 , fields = 5
>>     rlm_sql (sql): Read entry nasname=1.2.3.4,shortname=nume,secret=secret
>>     rlm_sql (sql): Adding client 1.2.3.4 (nume) to clients list
>>     Segmentation fault (core dumped)
>
> OK. I don't put clients into SQL, so I haven't tested that portion of the code.
> ...
>> So, we free the same location.. I guess the problem is in the clients_parse_section which doesn't return a new address space.
>
> A better solution is this:
>
> - remove the read clients from SQL code in src/modules/rlm_sql.
> - add configuration to the clients section, e.g.:
>
>     client 192.168.0.0/16 {
>         query = %{sql: SELECT }
>     }

Hmm, that would mean still having to add client entries in the clients.conf. We'd like to avoid that when using sql. Something like:

clients.conf:

    per_socket_clients {
        clients_query = %{sql: SELECT }
    }

> And have it do the SELECT, and parse the result at run time. It will take a bit of work to add that, but it's a much better solution.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
Kostas Kalevras
Network Operations Center - National Technical University of Athens
http://kkalev.wordpress.com/
Re: dialupadmin url hash problem
Holger Goßmann wrote:

Hi,

I have freeradius/mysql/dialup_admin running with one problem I cannot solve. I've already searched the web and the archives and cannot find the answer.

The interface is running fine except for users containing a hash # in the name, for example user1#domain. All other users which do not contain this character are working fine.

I can search the database using the find.php3 script to get the list of all users, but if I try to edit one using the link provided by the search page, the interface returns "user name [user1] does not exists" because of the hash in the url. I think it is interpreted as a location hash.

Example:
https://127.0.0.1/radius/user_admin.php3?login=user1#domain

The request in the access log of the webserver is just
https://127.0.0.1/radius/user_admin.php3?login=user1

That's why dialup_admin cannot find the user. If I enter the username into the edit user field it is working. The same problem exists when trying to use the administer selected user button in the show group menu.

Anyone already had this problem or any ideas how to solve it?

Hmm, dialupadmin should probably url escape from stupid characters. I'll see what I can do.

Versions:
freeradius 1.0.2-4sarge3
freeradius-dialup_admin (tried from 1.1.3-3 up to 1.62)
mysql 4.0.24-10sarge2

regards,
Holger
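An added example, not code from the thread or from dialup_admin, showing why the link breaks and what URL-escaping the login fixes: the browser treats everything after the first unescaped "#" as a fragment and never sends it, so the server sees login=user1. The base URL is the one quoted above; the sample usernames are constructed.

```python
from typing import List, Optional
from urllib.parse import parse_qs, quote, urlsplit

# Base URL taken from the report above.
BASE = "https://127.0.0.1/radius/user_admin.php3"


def build_user_admin_url(login: str, encode: bool = True) -> str:
    """Build the edit-user link the search page emits.

    encode=True percent-encodes the login (the fix); encode=False pastes it
    into the query string verbatim, which is the behaviour reported above.
    """
    value = quote(login, safe="") if encode else login
    return f"{BASE}?login={value}"


def login_seen_by_server(url: str) -> Optional[str]:
    """Return the login value the web server actually receives.

    Browsers strip the fragment (everything from the first '#') before
    sending the request, and parse_qs decodes %xx escapes on the way back,
    so this models what user_admin.php3 gets in its query string.
    """
    parts = urlsplit(url)
    return parse_qs(parts.query).get("login", [None])[0]


def broken_logins(logins: List[str]) -> List[str]:
    """Return the logins that would not survive an unencoded link."""
    return [
        login
        for login in logins
        if login_seen_by_server(build_user_admin_url(login, encode=False)) != login
    ]


if __name__ == "__main__":
    # Constructed usernames; '#' is the case from the report, '&' and '+'
    # break the query string in the same way.
    sample = ["user1#domain", "plain", "a&b", "user+name"]
    print(broken_logins(sample))
    print(build_user_admin_url("user1#domain"))
```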
Re: Is anyone using dialup_admin with a PHP version newer than 4.2.0?
Ethan Dicks wrote:

Hi, all,

This is a refinement of my earlier request for information, honed after half a week of trying to untangle things.

I've been grubbing through all the code for dialup_admin 1.80 (from the 20070320 CVS snapshot) and am entirely unconvinced that it works with versions of PHP newer than 4.2.0. I'm using PHP 4.3.0, since that's what comes with RedHat Enterprise Linux 4. I've turned on register_globals, but I can't get the dialup_admin code to stop throwing warnings about variable names, etc.

Let's take $login as an example. In config.php3, there's code to scrub bad characters out of it, and to strip the realm if requested. Unfortunately, in my environment, just going to the entry point of the dialup_admin application results in...

[client 127.0.0.1] PHP Notice: Undefined variable: login in /usr/local/dialup_admin/conf/config.php3 on line 92, referer: http://localhost/dialup/
[client 127.0.0.1] PHP Notice: Undefined variable: login in /usr/local/dialup_admin/conf/config.php3 on line 95, referer: http://localhost/dialup/

Well as you probably have seen config.php3 will call import_request_variables('GPC') so you should not normally have problems with variables like $login. I have dialupadmin running on php-5.0.3 without a problem.

(ignore the exact line numbers - they won't match the code in CVS because I have some debugging stuff further up right now).

I realize that this is a notice level message and that messages can be turned off by twiddling error_reporting, but that's not the point - the point is not simply that there are hundreds of these 'notices' getting logged when I bounce around dialup_admin. The point is that these notices are caused by PHP trying to do the right thing and getting it wrong because the dialup_admin code is chock-a-block with $login rather than the now-accepted practice of $_GET['login'], and in any case, because of how the URLs and PHP code interrelate, modules like config.php3 aren't always called from other modules that were invoked with a GET method with those exact elements, thus variables like $login and $find_user and any other variables which appear to be implicitly created under older versions of PHP might or might not be defined, but the code is written as if they are always defined, albeit occasionally empty.

I'm entirely willing to accept that I've missed a step in the installation, but I did try to follow the steps in the TODO file and don't believe I missed any.

Do people just use the freeRADIUS server and manipulate the user database manually? Are there any dialup_admin users running on operating systems less than a year old?

All I'm really after is a user management GUI - I don't really care if it's dialup_admin or not. If there's something that other people prefer, I'd love to hear about it.

In terms of getting this all going, I'm about to start forcing variables to be something useful, as in...

$login = "";
$max_results = "";
if (!empty($_GET)) {
	$login = $_GET['login'];
	$max_results = $_GET['max_results'];
}

... just to quiet down the logged errors in the code so I can drill down to why I can't click on new user and get a page that lets me enter a new user.

I'm also open to other suggestions to clean up the dialup_admin code and get it up to snuff w.r.t. presently-shipping versions of PHP. This will be an essential step to getting this code running under php5, as all of these globalisms have been deprecated because they lead to massive vulnerabilities.

Thanks,

-ethan
Re: dialup_admin and log_badlogins error
tzieleniewski wrote:

Hi!

My first question is if the dialup_admin is still supported and compatible with latest free radius:)? because right now I am trying to use it with my latest free radius cvs version.

Yes

If it is still compatible please help me with the following issues:

Is it possible to control the radcheck table through dialup_admin or is it only used for accounting??

Yes

Another thing is that when I try to use log_badlogins I get the following error:

./log_badlogins /var/log/radiusd/radiusd.log /home/radius/dialup_admin/conf/admin.conf
Could not open %{general_raddb_dir}/clients.conf file

Log_badlogins does not support variable expansion. So set the path to clients.conf to a literal value in admin.conf

Thank you for any help
Bests
Tomasz
Re: dialup_admin and log_badlogins error
tzieleniewski wrote:

tzieleniewski wrote:

Hi!

My first question is if the dialup_admin is still supported and compatible with latest free radius:)? because right now I am trying to use it with my latest free radius cvs version.

Yes

If it is still compatible please help me with the following issues:

Is it possible to control the radcheck table through dialup_admin or is it only used for accounting??

Yes

How is it done? I cannot find any documentation about it. I've installed dialup_admin and it works. So which positions from the main menu for the dialup_admin panel consider accounting radcheck table contents??

Everything that has to do with group management, new user, edit user and so on.

Another thing is that when I try to use log_badlogins I get the following error:

./log_badlogins /var/log/radiusd/radiusd.log /home/radius/dialup_admin/conf/admin.conf
Could not open %{general_raddb_dir}/clients.conf file

Log_badlogins does not support variable expansion. So set the path to clients.conf to a literal value in admin.conf

I managed to start it but whenever I send an accept request to the freeradius nothing appears in the database? The corresponding records should appear in the badusers table, right?

No, in the radacct table. badusers is for another thing

I read in the HOWTO that log_badlogins will concatenate client short name with the general_domain variable in admin.conf. This client short name is the name defined in the freeradius clients.conf file?? Then it creates $client_shortname.$domain and resolves NAS IP address by some query?? Is it the DNS A record query or something else??

Yes it's the DNS A record query

Thank you for any help
Bests
Tomasz
Re: Dialup Admin NAS List
Cory Robson wrote:

I'm hoping someone may be able to assist in modifying the user_finger.php script to retrieve the list of NAS's for the online users from radacct table.

Why not just use the nas table. In the cvs version of dialupadmin there's a file called lib/sql/nas_list.php3. It will read the nas table and get the nas list. You could try changing that one if it suits your needs.

Basically instead of reading the text file and cycling through them to add the breakdown of NAS's I want to use something like

select DISTINCT NASIPAddress from radacct

add them to an array and use the php gethostbyaddr() function to retrieve the true hostname to sort them by. I don't need any of the snmp or NAS type or number of lines left as my upstream does not allow me to connect to verify the information anyway. This should just be a quick change for someone more talented than I to remove the existing loop and replace it with the relevant sql loop instead.

Anyone ?
Re: Dialup Admin NAS List
Cory Robson wrote:

Whilst this is a good example it still doesn't suit my purpose. It requires someone to constantly update the list for it to be effective. This is not to be confused with the clients. I have multiple roaming numbers, therefore if a customer is travelling around and dials in at different locations I will receive a diff NASIP from that local POP. As this information is provided in the account start/stop and update packets then why enter them manually. Just drill through the existing radacct table filtering on no stop time to see a list of active NAS's and display them as I wanted. No further updating the separate table.

So edit lib/sql/nas_list.php3 to read the radacct table instead and set the nas type/port num variables to some default value.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kostas Kalevras
Sent: Tuesday, 16 January 2007 6:53 PM
To: FreeRadius users mailing list
Subject: Re: Dialup Admin NAS List
Re: dailup admin and badusers
[EMAIL PROTECTED] wrote:

hi,

I don't understand why dialup admin needs its own sql table badusers and a script to get bad logins whereas rejected users can be found in the freeradius table radpostauth?

badusers serves a completely different purpose. As for log_badlogins:

1. It was created before post-auth functionality was added in rlm_sql
2. It's able to store records in the radacct table in a convenient format for dialupadmin to show bad logins
3. It's able of sending bad login information to other sql servers using a buffer file, which is convenient to keep bad login information within a replicated infrastructure.

Having a freeradius attribute Reject-Reason which could hold values such as Multiple-Login, Invalid-User, Outside-Timestamp and freeradius setting it on reject would be a step forward though.

Regards,
Thomas
Re: Dialup admin Display users online (suggestion)
Cory Robson wrote:

I am slowly getting around this interface and notice many things that could be improved upon but I'm lacking in the coding department.

For example the user_finger.php page, this does a nice job once you have manually entered all of the pops into the separate naslist file but can become a royal pain to maintain. If someone could rewrite the code to extract the users online from the raddact table and simply group them by the independent nas's this would be a far simpler method. As you added additional pops to your range nothing to add/remove in the code, it simply regenerates as people log in from that pool.

If you are using sql to keep radius client info then you don't need to do any extra work, since you already have your clients added in the table for freeradius to function correctly. What you are suggesting isn't a lot of work. The idea was to have more information than just the ip of the nas server though (like description, ports available). In any case it could be added as a configuration option

I have done a very similar thing with the failed logins page. Have the sql query dumping failed logins into the postauth table from the radius process and then have dialup admin failed logins script running an sql query against that table instead. Alas my coding is not that good so I'm not getting all records just the last one. Again help would be needed for me to finish this.

It's a nice thought.

Anyone up to the task to assist in this matter

Regards
Cory Robson
Re: problem with ldap search filter with '/'s (front slashes)
Mark T. Valites wrote:

I'm trying to set up authentication to a SunOne Directory that requires not only a successful bind by radius on behalf of the user attempting to authenticate to it, but also a specified LDAP search filter to return a result as well. I can't seem to get the freeradius ldap module to return any result when the value of the attribute I'm comparing against contains a '/', as often found in the 'homeDirectory' and 'loginShell' LDAP attributes.

From the command line, the search and filter returns correctly:

$ ldapsearch -v -H ldaps://ldapserver.domain.com \
	-b ou=people,dc=domain,dc=com -x -D \
	uid=myuid,ou=people,dc=domain,dc=com -W \
	'((uid=myuid)(loginShell=/bin/tcsh))'

The corresponding SunOne log:

[12/Dec/2006:11:10:24 -0500] conn=4896 op=-1 msgId=-1 - fd=45 slot=45 LDAPS connection from www.xxx.yyy.zzz to xxx.yyy.zzz.www
[12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - BIND dn=uid=myuid,ou=people,dc=domain,dc=com method=128 version=3
[12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=myuid,ou=people,dc=domain,dc=com
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - SRCH base=ou=people,dc=domain,dc=com scope=2 filter=((uid=myuid)(loginShell=/bin/tcsh)) attrs=ALL
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[12/Dec/2006:11:10:24 -0500] conn=4896 op=2 msgId=3 - UNBIND
[12/Dec/2006:11:10:24 -0500] conn=4896 op=2 msgId=-1 - closing - U1
[12/Dec/2006:11:10:25 -0500] conn=4896 op=-1 msgId=-1 - closed.

A snippet from my radiusd.conf:

server = ldapserver.domain.com
basedn = ou=people,dc=domain,dc=com
filter = ((uid=%u)(loginshell=/bin/tcsh))

The output from running radiusd in debug mode:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for myuid
radius_xlat: '((uid=myuid)(loginShell=/bin/tcsh))'
radius_xlat: 'ou=people,dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver.domain.com:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as / to ldapserver.domain.com:636
TLS certificate verification: Error, Unknown error
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter ((uid=myuid)(loginShell=/bin/tcsh))
request 2 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type LDAP
auth: type ldap
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by myuid with password mypasswd
radius_xlat: '((uid=myuid)(loginShell=/bin/tcsh))'
radius_xlat: 'ou=people,dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter ((uid=myuid)(loginShell=/bin/tcsh))
request 3 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authenticate]: module ldap returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.

The corresponding SunOne log:

[12/Dec/2006:11:12:33 -0500] conn=4897 op=-1 msgId=-1 - fd=45 slot=45 LDAPS connection from www.xxx.yyy.zzz to xxx.yyy.zzz.www
[12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - BIND dn= method=128 version=3
[12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=
[12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - SRCH base=ou=people,dc=domina,dc=com scope=2 filter=((uid=myuid)(loginShell=/bin/tcsh)) attrs=radiusnasipaddress radiusexpiration acctflags ntpassword lmpassword radiuscallingstationid radiuscalledstationid radiussimultaneoususe radiusauthtype radiuscheckitem radiusreplymessage radiusloginlatport radiusportlimit radiusframedappletalkzone radiusframedappletalknetwork radiusframedappletalklink radiusloginlatgroup radiusloginlatnode radiusloginlatservice radiusterminationaction radiusidletimeout radiussessiontimeout radiusclass radiusframedipxnetwork radiuscallbackid radiuscallbacknumber radiuslogintcpport radiusloginservice radiusloginiphost radiusframedcompression radiusframedmtu radiusfilterid radiusframedrouting radiusframedroute radiusframedipnetmask radiusframedipaddress radiusframedprotocol radiusservicetype radiusreplyitem
[12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
[12/Dec/2006:11:12:33 -0500] conn=4897 op=2
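The filter above substitutes the RADIUS user name (%u) straight into an LDAP search filter. As an added example, not part of the post, the function below builds a filter of the same shape (the two clauses are assumed to be combined with the LDAP AND operator) while escaping the substituted value as RFC 4515 requires; it also shows that '/' is not among the characters that need escaping, so a '/bin/tcsh' value is legal as written.

```python
from typing import Dict

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value. '/' is deliberately absent; it is an ordinary character.
_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def needs_escaping(value: str) -> bool:
    """True when the value contains at least one filter metacharacter."""
    return escape_filter_value(value) != value


def build_filter(user_name: str, login_shell: str = "/bin/tcsh") -> str:
    """Build the AND filter from the post with the user name escaped.

    The unescaped original, ((uid=%u)(loginShell=/bin/tcsh)), lets a user
    name containing ')' or '*' change the filter's structure; escaping keeps
    it a literal uid comparison. The '&' conjunction is assumed.
    """
    uid = escape_filter_value(user_name)
    shell = escape_filter_value(login_shell)
    return f"(&(uid={uid})(loginShell={shell}))"


if __name__ == "__main__":
    # Constructed inputs: the post's user name, a path, and a value that
    # carries filter metacharacters.
    for value in ("myuid", "/bin/tcsh", "x)(uid=*"):
        print(f"{value!r}: needs escaping = {needs_escaping(value)}")
    print(build_filter("myuid"))
    print(build_filter("x)(uid=*"))
```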
Re: Problem cheking multivalued attributes in LDAP schemas.
Erling Paulsen wrote:

I try to make a decision based on checking for a value in a certain attribute of a LDAP schema. The problem is that this is a multivalued attribute, and it seems somewhat undefined when I try to check against it!

My exact problem is checking against a eduPerson schema for an affiliation on an attribute called eduPersonAffiliation (which is multivalued). I want to check if a certain user has the right affiliation= before assigning a dynamic Vlan. I fetch the attribute in Authorization as LDAP-Affiliation (mapped as a checkItem in ldap.attrmap). I've tried checking with the regular expression operator (i.e. for staff affiliation), but it seems to not give a match.

Ex. check-statement from users file:
LDAP-Affiliation :~ .*staff.*

In the LDAP-backend the eduPersonAffiliation is shown as containing:
eduPersonAffiliation: employee staff member

Is this a common problem in checking against multivalued attributes, or is there a way around it?

Any feedback would be appreciated!

- Erling Paulsen

You could try using the checkval module which supports multivalued attributes
Re: Ldap attributes
Jóhann B. Guðmundsson wrote:

I was wondering what is the proper way to enable ldap attributes in radius.conf, for example

Ldap-Group
groupmembership_attribute = radiusGroupName

Will then other ldap attributes be matched in the same way?

Ldap-Callingstationid
callingstationid_attribute = radiusCallingStationId

Ldap-Realm
realm_attribute = radiusRealm

etc etc

Can't seem to find any documentation about this! Maybe a chapter in your book Alan :)

Best regards
Johann B.

Hello, there is no hidden configuration like that. Groups are a special case and that's why there are special configuration attributes. In general you can map ldap attributes to radius attributes. Read ldap.attrmap, the ldap schema and the ldap documentation under /doc for more information.
core dump with freeradius-1.1.3-mysql
Hello, I've been encountering core dumps with freeradius-1.1.3 in the mysql module.

Information:

OS: SunOS radius 5.8 Generic_108528-29 sun4u sparc SUNW,UltraAX-i2

After core dump: Radius process still exists but won't handle requests

GDB:
#0  0xfdfc89e4 in mysql_errno () from /opt/csw/mysql4/lib/mysql/libmysqlclient_r.so.14
#1  0xfe150e38 in sql_query () from /usr/local/freeradius-1.1.3/lib/rlm_sql_mysql-1.1.3.so
#2  0xfe176fc0 in rlm_sql_query () from /usr/local/freeradius-1.1.3/lib/rlm_sql-1.1.3.so
#3  0xfe174fe8 in rlm_sql_accounting () from /usr/local/freeradius-1.1.3/lib/rlm_sql-1.1.3.so
#4  0x22568 in module_post_auth ()
#5  0x23088 in modcall ()
#6  0x2262c in module_post_auth ()
#7  0x227ec in module_post_auth ()
#8  0x22fbc in modcall ()
#9  0x210c8 in find_module_instance ()
#10 0x21fd0 in module_accounting ()
#11 0x139d8 in rad_accounting ()
#12 0x2c008 in session_zap ()
#13 0xfe175ed0 in rlm_sql_checksimul () from /usr/local/freeradius-1.1.3/lib/rlm_sql-1.1.3.so
#14 0x22568 in module_post_auth ()
#15 0x23088 in modcall ()
#16 0x2262c in module_post_auth ()
#17 0x227ec in module_post_auth ()
#18 0x22fbc in modcall ()
#19 0x210c8 in find_module_instance ()
#20 0x22078 in module_checksimul ()
#21 0x155f8 in rad_authenticate ()
#22 0x284f4 in rad_respond ()
#23 0x2cf88 in rad_check_ts ()

As can be seen, I'm using the thread safe mysql libraries.

PKGINST: CSWmysql4rt
NAME: mysql4rt - run-time libraries for mysql4
CATEGORY: system
ARCH: sparc
VERSION: 4.1.21,REV=2006.07.29

Lines in source file: /src/freeradius-1.1.3/src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c

static int sql_query(SQLSOCK * sqlsocket, SQL_CONFIG *config, char *querystr) {
	[..]
	mysql_query(mysql_sock->sock, querystr);
	return sql_check_error(mysql_errno(mysql_sock->sock));
}

Log file:

Tue Oct 17 11:11:51 2006 : Error: Discarding duplicate request from client adsl.ira:1645 - ID: 141 due to unfinished request 482895
Tue Oct 17 11:11:51 2006 : Auth: Login OK: [r-165dim-athin] (from client cas1.att port 20211 cli )
Tue Oct 17 11:11:52 2006 : Error: Discarding duplicate request from client adsl.ira:1645 - ID: 144 due to unfinished request 482980
Tue Oct 17 11:11:52 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:52 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:52 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:52 2006 : Auth: Login incorrect: [sch.gr] (from client adsl.ach port 581 cli atm 2)
Tue Oct 17 11:11:52 2006 : Auth: Login OK: [r-gym-amaliad] (from client cas.ilei port 20026 cli XXX)
Tue Oct 17 11:11:52 2006 : Auth: Login OK: [r-gym-saval] (from client cas.ilei port 20111 cli XXX)
Tue Oct 17 11:11:52 2006 : Auth: Login OK: [digital] (from client cas1.att port 20629 cli XX)
Tue Oct 17 11:11:52 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Auth: Login OK: [EMAIL PROTECTED] (from client adsl.ach port 382 cli atm 2)
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Auth: Login OK: [distrat] (from client cas.ait port 20006 cli XX)
Tue Oct 17 11:11:53 2006 : Error: Discarding duplicate request from client adsl.att:1645 - ID: 182 due to unfinished request 482899
Tue Oct 17 11:11:53 2006 : Auth: Login OK: [digital] (from client cas1.att port 20725 cli XX)
Tue Oct 17 11:11:53 2006 : Error: Discarding duplicate request from client adsl.ira:1645 - ID: 142 due to unfinished request 482907
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Auth: Login OK: [EMAIL PROTECTED] (from client adsl.ira port 1039 cli atm 10)
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no
Re: Dialupadmin Problems
Andy Dixon wrote:

On 11 Oct 2006, at 19:11, Ali Jawad wrote:

Could be a permissions issue..you might wana investigate that

I thought it may have been an issue with PHP and / or apache. I tailed the logs from Apache and got nothing, but PHP threw up lots of notices about un-initialized constants / variables / etc, a warning about a for loop being given something dodgy, and another error about a security risk.

Usually when you get a blank page in dialupadmin the reason is that php is lacking mysql support. I would suggest to check that one
Re: LDAP authorizedService attribute matching
Owen DeLong wrote:
> I've got an LDAP database which works with PAM and uses PosixAccounts to describe users. It uses the authorizedService attribute to specify which services the user is allowed to log into. I've configured freeradius to map authorizedService -> Service-Type and have set up Service-Type as a check attribute. I'm running:
>
> (radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on Oct 10 2006 at 13:13:55)
>
> For example, say user foo has:
>
> dn: uid=foo, ou=people, dc=zone, dc=example, dc=com
> ...
> authorizedService: sshd
> authorizedService: vpn
> authorizedService: xdm
> ...
>
> I would like this user to succeed authenticating against RADIUS if Service-Type in the request matches sshd, vpn, or xdm, but not if it contains anything else. Is there a way to set up this comparison in freeradius?

See the checkval module

> I've read the FAQ, but I haven't found a way to do this. I've included debug output below, just in case. Any help, especially a specific set of "put this in x configuration file here and it should work" type help, is greatly appreciated.
>
> Thanks,
> Owen
>
> Test authentication command (the username, password, and domain name have been replaced to preserve the anonymity of the implementation in question):
>
> In this case, user foo has authorizedService attributes with the following values: passwd login sshd xdm gdm sudo su
>
> (echo User-Name = foo ; echo User-Password = xyzzy; echo Service-Type = sshd ) | \
>     radclient localhost auth testing123
>
> results in:
>
> rad_recv: Access-Request packet from host 127.0.0.1:32772, id=37, length=50
> User-Name = foo
> User-Password = xyzzy
> Service-Type = sshd
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module preprocess returns ok for request 0
> modcall[authorize]: module chap returns noop for request 0
> modcall[authorize]: module mschap returns noop for request 0
> rlm_realm: No '@' in User-Name = foo, looking up realm NULL
> rlm_realm: Found realm NULL
> rlm_realm: Adding Stripped-User-Name = foo
> rlm_realm: Proxying request from user owen to realm NULL
> rlm_realm: Adding Realm = NULL
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module suffix returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for foo
> radius_xlat: '(uid=foo)'
> radius_xlat: 'ou=people,dc=zone,dc=example,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=people,dc=zone,dc=example,dc=com, with filter (uid=foo)
> rlm_ldap: checking if remote access for owen is allowed by authorizedService
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding authorizedService as Service-Type, value passwd op=21
> rlm_ldap: Adding authorizedService as Service-Type, value login op=21
> rlm_ldap: Adding authorizedService as Service-Type, value sshd op=21
> rlm_ldap: Adding authorizedService as Service-Type, value xdm op=21
> rlm_ldap: Adding authorizedService as Service-Type, value gdm op=21
> rlm_ldap: Adding authorizedService as Service-Type, value sudo op=21
> rlm_ldap: Adding authorizedService as Service-Type, value su op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Setting Auth-Type = ldap
> rlm_ldap: user foo authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rad_check_password: Found Auth-Type ldap
> auth: type LDAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by foo with password xyzzy
> rlm_ldap: user DN: uid=foo,ou=people,dc=zone,dc=example,dc=com
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=foo,ou=people,dc=zone,dc=example,dc=com/xyzzy to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user owen authenticated succesfully
> modcall[authenticate]: module ldap returns ok for request 0
> modcall: leaving group LDAP (returns ok) for request 0
> Sending Access-Accept of id 37 to 127.0.0.1 port 32772
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Received response ID 37, code 2, length = 20
> Waking up in 6 seconds...
>
> Which is correct. However, because the following does not fail:
>
> (echo User-Name = foo ; echo User-Password = xyzzy; echo Service-Type = vpn ) | \
>     radclient localhost auth testing123
>
> I suspect it's just that anything succeeds whether it matches or not. Here is the debug output for the VPN
Re: Help returning multiple values for attribute (rlm_ldap)
Owen DeLong wrote:
> OK... The suggestion I got here last night allowed me to get basic auth working as desired, however, I have another problem. I need to return in the reply a series of values for a given attribute, such as:
>
> dn: uid=foo,ou=people,dc=zone,dc=example,dc=com
> uid: foo
> Attribute: first_value
> Attribute: second_value
> Attribute: third_value
>
> I have LDAP Attribute mapped to Radius-Attribute in the ldap.attrmap. However, when I query the server, I get back:
>
> Radius-Attribute: first-value
>
> And the second and third values are not returned. Is there a way to make this work?

Either you put the += operator in the ldap attribute values:

Attribute: += first_value
Attribute: += second_value

or you edit ldap.attrmap to not use the = operator for that attribute but the += operator instead.

> Thanks,
> Owen
Re: FREERADIUS and SUN Directory server groups
Petr Qaxi Klíma wrote:
> Kostas Kalevras wrote:
>> Petr Qaxi Klíma wrote:
>>> filteredgroup
>>> ===
>>> $ ldapsearch cn=gprs_filter
>>> dn: cn=gprs_filter,ou=Groups,dc=myorg
>>> cn: gprs_filter
>>> objectClass: groupofurls
>>> objectClass: groupofuniquenames
>>> objectClass: top
>>> objectClass: iplanet-am-managed-filtered-group
>>> objectClass: iplanet-am-managed-group
>>> memberURL: ldap:///dc=myorg??sub?(&(uid=k*)(o=mysuborg))
>>> ===
>>> How should I set groupmembership_filter or how should I use do_xlat (I probably misunderstand the feature)
>>
>> The FreeRADIUS ldap module supports *static* ldap groups. These groups are implemented either as a group entry containing member DN's or as a group membership attribute in the user entries. What you are looking for (evaluating the memberURL attribute during group evaluation) cannot be done in an efficient way. The memberURL is mostly an informational attribute used when browsing groups.
>
> Hmm .. SUN Java Enterprise server is using it as authoritative usergroup mapping ...

This is moving away from being a freeradius configuration issue. Implementing group evaluation through memberURL means that we have to run the corresponding query on each group lookup. That's as costly as the number/2 of entries present on each group, hence it will take a lot of time and will pollute the ldap server caches with unnecessary entries. Group lookup is already quite costly as it is, so i don't think implementing memberURL can add something. Also IMHO evaluating memberURL is the ldap server's job, not the radius server's.

>> You will have to use one of the two methods supported for ldap groups to work. Dynamic groups
>
> What methods? groupofuniquenames and ... ???

And a group membership attribute in the user entry like memberOf

>> are costly and should be implemented on the ldap server side.
>
> How to do it? Are there any suggestions (there are other DS which use such group filtering (SUN, Netscape, RedHat (they are from the same nest), but Apache DS too ...)

You could probably achieve what you are looking for with Class Of Service in the SUN One Directory Server
Re: FREERADIUS and SUN Directory server groups
Petr Qaxi Klíma wrote:
> Hello
> I am using freeradius (1.0.1) with SUN directory server (5.2). Authentication (username:password) works well but I do not know how to use LDAP for group mapping (to Ldap-Group). The problem: in SUN DS there are groups defined in two ways (if you use the SUN JES system)
>
> === subscribe group
> $ ldapsearch cn=gprs_subscr
> dn: cn=gprs_subscr,ou=Groups,dc=myorg
> cn: gprs_subscr
> objectClass: groupofurls
> objectClass: groupofuniquenames
> objectClass: top
> objectClass: iplanet-am-managed-assignable-group
> objectClass: iplanet-am-managed-group
> memberURL: ldap:///dc=myorg??sub?memberof=cn=gprs_subscr,ou=Groups,dc=myorg
> iplanet-am-group-subscribable: false
> ===
> or filteredgroup
> ===
> $ ldapsearch cn=gprs_filter
> dn: cn=gprs_filter,ou=Groups,dc=myorg
> cn: gprs_filter
> objectClass: groupofurls
> objectClass: groupofuniquenames
> objectClass: top
> objectClass: iplanet-am-managed-filtered-group
> objectClass: iplanet-am-managed-group
> memberURL: ldap:///dc=myorg??sub?(&(uid=k*)(o=mysuborg))
> ===
> How should I set groupmembership_filter or how should I use do_xlat (I probably misunderstand the feature)

The FreeRADIUS ldap module supports *static* ldap groups. These groups are implemented either as a group entry containing member DN's or as a group membership attribute in the user entries. What you are looking for (evaluating the memberURL attribute during group evaluation) cannot be done in an efficient way. The memberURL is mostly an informational attribute used when browsing groups. You will have to use one of the two methods supported for ldap groups to work. Dynamic groups are costly and should be implemented on the ldap server side.

> Thanks for any help
Re: auth flow according to attribute value
On Mon, 11 Sep 2006, Giuseppe Tricarico wrote:
> Hi all
> I'm new to freeradius, I would like to know if there is a module that, based on some attribute of the radius request, executes a module, i.e. I want to alter the execution flow of the authorize section ... This gives me the possibility to manage some business logic through the configuration of the radius server... For example I could analyze the nas-port-type attribute in the request and authenticate users on different databases, based on such a parameter..

See doc/Autz-Type

Something like (in the users file):

DEFAULT NAS-Port-Type == Virtual, Autz-Type := Virtual
DEFAULT NAS-Port-Type == ISDN, Autz-Type := ISDN

> Best regards
> Giuseppe Tricarico

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Different ldap authentications
On Fri, 8 Sep 2006, Angel L. Mateo wrote:
> Hello,
> We are using freeradius as our radius server and we use it for authentication and authorization in different applications. Our users backend is an ldap directory, so in radiusd.conf we've got:
>
> server = ldap.domain.com
> identity = cn=radiususer,dc=domain,dc=com
> password = radiuspw
> basedn = ou=People,dc=domain,dc=com
> filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>
> Now, we need to configure our radius server so it could use another different ldap configuration for some of its clients. I know I could discriminate clients, but I haven't found how to make it use another different ldap configuration, if it is possible.

Set Autz-Type depending on the incoming client (check NAS-IP-Address or create Huntgroups) and create multiple ldap module instances. See doc/Autz-Type

> --
> Angel L. Mateo Martínez
> Sección de Telemática
> Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
> http://www.um.es/atica
> Tfo: 968367590 Fax: 968398337

--
Kostas Kalevras
Re: rlm_perl and accounting -- radrelay?
On Wed, 6 Sep 2006, Alan DeKok wrote:
> Justin Church [EMAIL PROTECTED] wrote:
>> OK. The patch worked, since I can now run radiusd -n radrelay w/o the Abort, but I still am not seeing a way to replicate to multiple accounting servers with radiusd -n radrelay.
>
> Unfortunately, it doesn't yet do that. The issue is that the server core is really designed to forward packets, not to clone them. I think it's possible to clone the packets, it just requires additional work in the server core.

Just a side note on the clone packets issue: I've come across it in another situation. We act as a proxy for various ISPs and we need to have a way to replicate accounting-on/off packets (which obviously don't carry a [EMAIL PROTECTED] attribute) to all ISPs. But currently this is not possible since we have a server logic of one request, one thread. Being able to use multiple Proxy-To-Realm attributes would be great.

>> I need to take accounting requests that arrive at main-radius in radrelay-detail and replicate them to remote-radius1, remote-radius2, remote-radius3 in parallel. It appears as if my only two options in radrelay.conf are to store accounting data in sql or proxy to other servers.
>
> You can do more than that. Pretty much anything the server can do is valid in radrelay, it's just that the example config is simpler.
>
>> With the old radrelay, I believe I could have just run
>> #radrelay -r remote-radius1 radrelay-detail; radrelay -r remote-radius2 radrelay-detail; radrelay -r remote-radius3 radrelay-detail
>> i.e. one radrelay per detail file.
>
> You can still do this with the new code, you just have to create radrelay1.conf, radrelay2.conf, etc. It's a big pain, and something that should be fixed before 2.0.
>
>> Am I missing something, and is this still possible with radiusd -n radrelay?
>
> Yes, it is. But it's more work. And looking at the conf files, I think the main libdir, raddbdir, etc. stuff at the top should be moved into a separate directories.conf file. That way all of the other radiusd.conf and radrelay.conf files can just $INCLUDE it, which gives a central point for storing all changes.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
Kostas Kalevras
Re: Dialupadmin in dedicated server
On Wed, 30 Aug 2006, Guilherme Franco wrote:
> Hello,
> I need to use Dialup Admin that is installed alone in a dedicated server. In the dialupadmin admin.config, it states that it needs the /etc/local/radius in the same machine. What can I do? (considering that freeradius is installed in another server)

dialupadmin does not really need radius in the same machine. The dependencies are the following:

- the test user page needs radclient
- log_badlogins can read the clients.conf to find nas information

So you can place a statically linked radclient on the same machine with dialupadmin (in order for the test page to work) and if you need log_badlogins you can also transfer your clients.conf file.

> Thank you.

--
Kostas Kalevras
Re: More documentation on Auth-Type
On Mon, 7 Aug 2006, Alan DeKok wrote:
> Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
>> Referring to the config below, each service has its own LDAP tree and is specified under the ldap module with a different Auth-Type and Autz-Type specified in radiusd.conf. How can I set in the users file to search for which tree?
>
> Right now, you can't. It's probably not too hard to add support in rlm_ldap for dynamic updates of the basedn. That would make life a lot easier for many people, I think.

basedn is already xlated..

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
Kostas Kalevras
Re: LDAP related questions
On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
> On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
>> I have a few suspicions where the problem might be. Is there a way to define the operator in the radius check attributes of ldap (without using the generic radiusCheckItem attribute)?

radiusSessionTimeout: += value

> --
> Kostas Zorbadelos [EMAIL PROTECTED]
> contact: kzorba (at) otenet.gr
> Out there in the darkness, out there in the night
> out there in the starlight, one soul burns brighter than a thousand suns.

--
Kostas Kalevras
Re: LDAP related questions
On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
> Hello to everyone.
> I have a question regarding a configuration I am trying to achieve. I have users stored in an ldap database. An example user entry looks like this:
>
> dn: uid=kzorba,ou=people,dc=company,dc=gr
> cn: ZORBADELOS KONSTANTINOS
> uid: kzorba
> clearTextPwd: mypassword
> radiusProfile: PSTN_STATIC
> radiusAccountStatus: activated
> radiusMaxLogins: 1
> radiusExpDate: 2030/12/31 00:00:00
> Framed-IP-Address: 62.103.176.39
> objectClass: account
> objectClass: MyRadiusAccount
> objectClass: top
>
> The attribute radiusProfile groups the users. For each group we have a corresponding profile

Why not put the full profile DN in radiusProfile? Then you can use the profile_attribute mechanism

--
Kostas Kalevras
Re: LDAP related questions
On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
> On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
>>> On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
>>>> I have a few suspicions where the problem might be. Is there a way to define the operator in the radius check attributes of ldap (without using the generic radiusCheckItem attribute)?
>>
>> radiusSessionTimeout: += value
>
> I meant in ldap.attrmap. When I define for example
>
> checkItem Group-Name radiusProfile
>
> what is the operator implied (op=21 in the debugging output)? Can this be changed?

In the cvs version at least an extra field is supported in ldap.attrmap which sets the operator to be used. Don't know if it's supported in the stable versions.

> --
> Kostas Zorbadelos

--
Kostas Kalevras
Re: Freeradius advocacy needed for convincing corporate management
On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
> My greetings to the list.
> The company I work for is one of the largest ISPs in Greece. We are evaluating the possibility to move away from our current radius software (FUNK Radius, now Juniper) in favour of freeradius. We as technical people understand all the benefits of the move (and it would also give us the opportunity to contribute to the project). However management would like to hear stuff like
>
> - Any large installations that use freeradius effectively today (commercial environments preferred). This would give us arguments in favour of freeradius scalability and reliability

http://www.freeradius.org/testimonials.html

> - Possibility to have commercial support
>
> Anyone who can contribute arguments or facts is more than welcome.
>
> Kostas
> --
> Kostas Zorbadelos

--
Kostas Kalevras
Re: LDAP-Authentication based on CHAP
On Tue, 6 Jun 2006, Rainer Brinkmann wrote:
> Hello,
> despite the FAQ entry "How do I make CHAP work with LDAP?": can anybody tell us if it's basically possible to run a chap-Auth against an LDAP? I know that a specific LDAP service must be able to retrieve a user password and often it can't, because of the storage of the pwd as one-directional (hashed). So, only a simple bind is ok. But if LDAP can run a chap-based password check by retrieving a password: is the LDAP protocol (v3) basically capable of doing this?

If clear text passwords are available and can be retrieved from the ldap store then yes. Otherwise no. The ldap protocol has nothing to do with all this. It's only a matter of password availability.

> Hamburg/Germany, Rainer Brinkmann

--
Kostas Kalevras
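An added example, not part of the thread, showing in code why the answer is "only a matter of password availability": a Python model of the CHAP check (RFC 1994, response = MD5(ID || password || challenge)) run against a directory entry that has a clear-text password and against one that only has a salted hash. The user, the challenge and the {SSHA} helper are constructed; the clearTextPwd attribute name follows the LDIF shown earlier on this page.

```python
import base64
import hashlib
import hmac

# Added example (not from the thread): the server can only validate a CHAP response
# by recomputing it, which needs the clear-text password, never a one-way hash of it.


def chap_response(chap_id, password, challenge):
    """The 16-byte CHAP response for a one-byte ID, a clear-text password and a challenge."""
    return hashlib.md5(bytes([chap_id]) + password.encode("utf-8") + challenge).digest()


def ssha_hash(password, salt):
    """Constructed {SSHA} userPassword value: base64(SHA-1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_chap(chap_password_attr, challenge, entry):
    """Model of the server side. `chap_password_attr` is the RADIUS CHAP-Password
    value (1 byte ID + 16 byte response), `challenge` the CHAP-Challenge (or the
    request authenticator) and `entry` a dict of the attributes LDAP returned for
    the user. Returns "accept", "reject" or "no-cleartext-password"."""
    if len(chap_password_attr) != 17:
        raise ValueError("CHAP-Password must be 1 byte ID + 16 byte MD5 response")
    chap_id, response = chap_password_attr[0], chap_password_attr[1:]
    cleartext = entry.get("clearTextPwd")
    if cleartext is None:
        # Only a hashed userPassword (or nothing) came back: the response cannot be
        # recomputed, so CHAP is impossible whatever the LDAP protocol itself offers.
        return "no-cleartext-password"
    expected = chap_response(chap_id, cleartext, challenge)
    return "accept" if hmac.compare_digest(expected, response) else "reject"


# Constructed sample data: the same user stored once with a clear-text password
# and once with only a salted SHA-1 hash.
CHALLENGE = bytes(range(16))                      # fixed so the example is reproducible
ENTRY_CLEARTEXT = {"uid": "foo", "clearTextPwd": "xyzzy"}
ENTRY_HASHED = {"uid": "foo", "userPassword": ssha_hash("xyzzy", b"salt1234")}


def client_attr(chap_id, password, challenge=CHALLENGE):
    """Build the CHAP-Password attribute value a NAS would forward for this client."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def demo():
    """Outcomes for the three cases the thread is about."""
    return {
        "cleartext_good": verify_chap(client_attr(7, "xyzzy"), CHALLENGE, ENTRY_CLEARTEXT),
        "cleartext_bad": verify_chap(client_attr(7, "wrong"), CHALLENGE, ENTRY_CLEARTEXT),
        "hashed_store": verify_chap(client_attr(7, "xyzzy"), CHALLENGE, ENTRY_HASHED),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```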
Re: Zero Session-Timeout
On Tue, 30 May 2006, Rohaizam Abu Bakar wrote:
> Dear all,
> Using FB 6.0, FR 1.0.5 (will upgrade soon). I've a problem with timeout... I've set in the users file as below in order to load the timeout value depending on the type of connection (ISDN/PSTN)
>
> DEFAULT NAS-Port-Type == Sync, Autz-Type := DIALUP, Auth-Type := DIALUP
>         Session-Timeout = `%{exec:/usr/local/etc/raddb/timeout.pl %U ISDN}`
>
> DEFAULT NAS-Port-Type == Async, Autz-Type := DIALUP, Auth-Type := DIALUP
>         Session-Timeout = `%{exec:/usr/local/etc/raddb/timeout.pl %U PSTN}`
>
> The problem is when Session-Timeout = 0, which normally happens when the script cannot load a value... it will NOT timeout... the user can still stay connected until manually disconnected...

I think that some access servers cannot handle session-timeout values which are very low or zero. In any case if session-timeout is zero you're better off sending an access-reject anyway. I would suggest moving the script to rlm_perl and just returning REJECT in case you cannot find a correct value. And also try not sending a session-timeout value which is lower than 60 secs.

> Below is the debug log...
>
> Login OK: [integ36] (from client INFRANETTEST port 300 cli )
> Sending Access-Accept of id 111 to 10.1.1.1:1645
> Session-Timeout = 0
> Framed-Compression = Van-Jacobson-TCP-IP
> Framed-MTU = 1500
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Finished request 89
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Accounting-Request packet from host 10.1.1.1:1646, id=97, length=131
> Acct-Session-Id = 00AE
> Framed-Protocol = PPP
> User-Name = integ36
> Acct-Authentic = RADIUS
> Acct-Status-Type = Start
> Calling-Station-Id =
> Called-Station-Id = 2426
> NAS-Port-Type = Async
> Connect-Info = 50667/24000 V90/V44/LAPM
> NAS-Port = 300
> Service-Type = Framed-User
> NAS-IP-Address = 10.1.1.1
> Acct-Delay-Time = 0
> . . . .
> rad_recv: Accounting-Request packet from host 10.1.1.1:1646, id=98, length=173
> Acct-Session-Id = 00AE
> Framed-Protocol = PPP
> Framed-IP-Address = 10.1.1.3
> User-Name = integ36
> Acct-Authentic = RADIUS
> Acct-Session-Time = 26
> Acct-Input-Octets = 8110
> Acct-Output-Octets = 4998
> Acct-Input-Packets = 92
> Acct-Output-Packets = 37
> Acct-Terminate-Cause = User-Request
> Acct-Status-Type = Stop
> Calling-Station-Id =
> Called-Station-Id = 2426
> NAS-Port-Type = Async
> Connect-Info = 50667/24000 V90/V44/LAPM
> NAS-Port = 300
> Service-Type = Framed-User
> NAS-IP-Address = 10.1.1.1
> Acct-Delay-Time = 0

--
Kostas Kalevras
Re: How to specify multiple values for Called-Station-Id (checkval)
On Mon, 29 May 2006, Mike Jakubik wrote:
> Kostas Kalevras wrote:
>> As i said before you should just add more attribute/value pairs. It works. What does your radgroupcheck table look like when you add more than one number?
>
> Could someone please help me with this? I am stumped, is there a bug in the rlm_checkval module?
>
> ---
>
> Well, it does not in my case. Here is the table:
>
> +----+------------+-------------------+----+------------+
> | id | GroupName  | Attribute         | op | Value      |
> +----+------------+-------------------+----+------------+
> | 11 | restricted | Called-Station-Id | := | 4166231473 |
> | 16 | restricted | Called-Station-Id | := | 4166231474 |
> | 17 | restricted | Called-Station-Id | := | 4166231475 |
> | 18 | restricted | Called-Station-Id | := | 4168489499 |
> +----+------------+-------------------+----+------------+
>
> I dial in to 4168489499 and this is what happens:
>
> Fri May 26 10:26:12 2006 : Auth: Invalid user (rlm_checkval: This Called-Station-Id is not allowed for the user): [mikej/xxx] (from client xxx port 1487 cli xxx)

You're using the := operator. That way you'll be overwriting the Called-Station-Id value. Use the += operator instead.

--
Kostas Kalevras
Re: How to specify multiple values for Called-Station-Id (checkval)
On Thu, 25 May 2006, Mike Jakubik wrote:
> Kostas Kalevras wrote:
>> On Wed, 24 May 2006, Mike Jakubik wrote:
>>> Hello, I am trying to setup group checks for Called-Station-Id in freeradius 1.1.1 and mysql. I have enabled the checkval module in radiusd.conf and set notfound-reject = yes. In my radgroupcheck table when i specify restricted Called-Station-Id := number, it works fine. However i need to specify more than one number. I have tried the following format; number, number, number and number, number, number and number, number but none of those seem to work. Could someone please tell me how this can be accomplished?
>>
>> You just need to add more attribute/value pairs, one for each number you want to allow. You can also use a regular expression if you use the =~ operator.
>
> I have tried that, but it does not work either. I have also tried using regexp, while it seems to function, it no longer seems to use the checkval module and throws the following notice:
>
> Info: rlm_sql (sql): No matching entry in the database for request from user [user]
>
> But the checkval module shows:
>
> Auth: Invalid user (rlm_checkval: This Called-Station-Id is not allowed for the user)
>
> What's the point of this checkval module if it can only check a single value?

As i said before you should just add more attribute/value pairs. It works. What does your radgroupcheck table look like when you add more than one number?

--
Kostas Kalevras
Re: How to specify multiple values for Called-Station-Id (checkval)
On Wed, 24 May 2006, Mike Jakubik wrote:
> Hello, I am trying to setup group checks for Called-Station-Id in freeradius 1.1.1 and mysql. I have enabled the checkval module in radiusd.conf and set notfound-reject = yes. In my radgroupcheck table when i specify restricted Called-Station-Id := number, it works fine. However i need to specify more than one number. I have tried the following format; number, number, number and number, number, number and number, number but none of those seem to work. Could someone please tell me how this can be accomplished?

You just need to add more attribute/value pairs, one for each number you want to allow. You can also use a regular expression if you use the =~ operator.

> Thanks.

--
Kostas Kalevras
Re: Restricting logins with Calling-Station-Id in MySQL
On Thu, 18 May 2006, Mike Jakubik wrote:
> Hello, I need help restricting users based on the number they called. I am using Freeradius 1.1.1 and a MySQL backend. I tried adding Called-Station-Id == number,number,... in to radgroupcheck, but it does not seem to be functioning. Could someone shed some light on the problem?

Check the checkval module. You can use a := operator in that case

> Thanks.

--
Kostas Kalevras
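An added example, not from any of the posts, that models the operator point made in the checkval threads above (a := row overwrites, += rows accumulate) and the earlier "multiple values for attribute (rlm_ldap)" thread (= keeps only the first value, += keeps all). It is a small Python model of how a 1.x pair list is built from (attribute, operator, value) rows and what a checkval-style "any value matches" test then sees; the radgroupcheck numbers are the ones in the table above, the reply attribute name and the request are constructed.

```python
# Added example (not from the thread): a model of how FreeRADIUS 1.x merges
# check/reply items carrying the "=", ":=" and "+=" operators, and of what the
# checkval module then has to work with. Sample data is constructed from the
# threads above.


def apply_item(items, attr, op, value):
    """Merge one (attribute, operator, value) triple into `items`, a list of
    (attribute, value) pairs, following the operator semantics the threads rely on:
      "="   add only if the attribute is not yet present (the first value wins)
      ":="  set: replace whatever is there, so only one value can survive
      "+="  add: append, keeping every value
    """
    positions = [i for i, (a, _) in enumerate(items) if a == attr]
    if op == "=":
        if not positions:
            items.append((attr, value))
    elif op == ":=":
        if positions:
            items[positions[0]] = (attr, value)
            for i in reversed(positions[1:]):
                del items[i]
        else:
            items.append((attr, value))
    elif op == "+=":
        items.append((attr, value))
    else:
        raise ValueError("operator %r is not modelled here" % op)
    return items


def build_items(rows):
    """Fold (attribute, operator, value) rows (radgroupcheck rows, or LDAP values
    mapped through ldap.attrmap) into a pair list, in row order."""
    items = []
    for attr, op, value in rows:
        apply_item(items, attr, op, value)
    return items


def values_of(items, attr):
    """All values of `attr` in a pair list, in order."""
    return [v for a, v in items if a == attr]


def checkval(config_items, request, item_name, notfound_reject=False):
    """Model of rlm_checkval: the request's item must equal ANY of the configured
    check values. Returns "ok", "reject" or "notfound"; notfound-reject = yes
    turns the last case into a reject."""
    allowed = values_of(config_items, item_name)
    if not allowed:
        return "reject" if notfound_reject else "notfound"
    return "ok" if request.get(item_name) in allowed else "reject"


# Constructed sample data: the four numbers of the radgroupcheck table shown in the
# thread, once entered with ":=" (the failing table) and once with "+=".
NUMBERS = ("4166231473", "4166231474", "4166231475", "4168489499")
RESTRICTED_SET = [("Called-Station-Id", ":=", n) for n in NUMBERS]
RESTRICTED_ADD = [("Called-Station-Id", "+=", n) for n in NUMBERS]

# Constructed sample data for the multi-valued LDAP reply attribute thread; the
# attribute name is only illustrative.
LDAP_VALUES = ("first_value", "second_value", "third_value")
REPLY_EQ = [("Reply-Message", "=", v) for v in LDAP_VALUES]
REPLY_ADD = [("Reply-Message", "+=", v) for v in LDAP_VALUES]


def demo():
    """Outcomes worth comparing side by side."""
    dialled = {"Called-Station-Id": "4166231473"}   # constructed request
    return {
        "set_values": values_of(build_items(RESTRICTED_SET), "Called-Station-Id"),
        "set_result": checkval(build_items(RESTRICTED_SET), dialled, "Called-Station-Id"),
        "add_values": values_of(build_items(RESTRICTED_ADD), "Called-Station-Id"),
        "add_result": checkval(build_items(RESTRICTED_ADD), dialled, "Called-Station-Id"),
        "reply_eq": values_of(build_items(REPLY_EQ), "Reply-Message"),
        "reply_add": values_of(build_items(REPLY_ADD), "Reply-Message"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```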
Re: adding field to dialup_admin
On Tue, 16 May 2006, David Antognini wrote:
> Hi Guys,
> I want to add the attribute WISPr-Bandwidth-Max-Down to the user edit page in dialup_admin. I added WISPr-Bandwidth-Max-Down to the bottom of the user_edit.attrs file. Then I manually went in and added the attribute into the radreply table and it works fine, and in dialup admin I can see the values, but when I go to edit the values, it doesn't work... Any tips on how to get this working?

What do you mean it doesn't work? What exactly did you add in user_edit.attrs? Enable sql_debug to see what's going on in more detail.

> Dave

--
Kostas Kalevras
Re: How to use time period
On Tue, 16 May 2006, ludovic cailleau wrote:
> Good morning!!
> I would like to authorize connections for users only during a time period stored in the Ldap base. Example: the user Steeve can connect between 8h and 12h. So at the time of the connection request, freeradius will have to check if the time of connection is within this time period. If it's true freeradius sends accept, but if it is wrong it sends reject. Does freeradius manage that? Because I have not found information about that.
> Thanks

See the Login-Time attribute (radiusLoginTime ldap attribute). Also read doc/README for an explanation of Login-Time

> Ludovic Cailleau

--
Kostas Kalevras
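An added example, not part of the thread: a Python model of the Login-Time check Kostas points to. It assumes the Login-Time syntax described in doc/README (day codes Mo..Su, Wk for Monday to Friday, Any/Al for every day, an HHMM-HHMM range that may run past midnight, alternatives separated by commas or "|"); as the server does, it turns the time left in the window into a Session-Timeout and, as advised in the zero Session-Timeout thread above, treats a window that has run out as a reject rather than a zero timeout.

```python
import re
from datetime import datetime

# Added example (not from the thread): evaluate a Login-Time string such as
# "Wk0800-1200" (the 8h-12h case asked about) against a given moment.

DAY_INDEX = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
MINUTES_PER_WEEK = 7 * 1440


def _parse_days(text):
    """Expand the day codes of one alternative into weekday numbers (Monday = 0).
    "Wk" is Monday..Friday; "Any", "Al" and an empty day list mean every day."""
    if text in ("", "Any", "Al"):
        return set(range(7))
    days = set()
    for pos in range(0, len(text), 2):
        code = text[pos:pos + 2]
        if code == "Wk":
            days.update(range(5))
        elif code in DAY_INDEX:
            days.add(DAY_INDEX[code])
        else:
            raise ValueError("bad day code %r in %r" % (code, text))
    return days


def _parse_alternative(alt):
    """Return (days, start_minute, end_minute) for one piece like "Wk0800-1200".
    A bare day list ("Sa") covers the whole day."""
    m = re.fullmatch(r"([A-Za-z]*)(?:(\d{2})(\d{2})-(\d{2})(\d{2}))?", alt)
    if not m:
        raise ValueError("bad Login-Time alternative %r" % alt)
    days = _parse_days(m.group(1))
    if m.group(2) is None:
        return days, 0, 1440
    start = int(m.group(2)) * 60 + int(m.group(3))
    end = int(m.group(4)) * 60 + int(m.group(5))
    if end <= start:            # e.g. 2230-0230 runs past midnight into the next day
        end += 1440
    return days, start, end


def allowed_minutes(spec):
    """Week bitmap, one flag per minute starting Monday 00:00, for a Login-Time string."""
    week = [False] * MINUTES_PER_WEEK
    for alt in re.split(r"[,|]", spec):
        alt = alt.strip()
        if not alt:
            continue
        days, start, end = _parse_alternative(alt)
        for day in days:
            for minute in range(start, end):
                week[(day * 1440 + minute) % MINUTES_PER_WEEK] = True
    return week


def login_time_remaining(spec, now):
    """Seconds left in the current allowed window, or 0 if `now` is outside Login-Time."""
    week = allowed_minutes(spec)
    index = now.weekday() * 1440 + now.hour * 60 + now.minute
    if not week[index]:
        return 0
    minutes = 0
    while minutes < MINUTES_PER_WEEK and week[(index + minutes) % MINUTES_PER_WEEK]:
        minutes += 1
    return minutes * 60 - now.second


def authorize(spec, now):
    """The decision the server makes: reject outside the window, otherwise accept
    with the remaining seconds as Session-Timeout (never a zero timeout)."""
    remaining = login_time_remaining(spec, now)
    if remaining <= 0:
        return ("reject", None)
    return ("accept", remaining)


if __name__ == "__main__":
    # Tuesday 16 May 2006 (the date of this thread), 11:30 and 13:00
    print(authorize("Wk0800-1200", datetime(2006, 5, 16, 11, 30, 0)))
    print(authorize("Wk0800-1200", datetime(2006, 5, 16, 13, 0, 0)))
```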
Re: need a little help with ldap groupings
On Wed, 3 May 2006, Mark Jayson R. Alvarez wrote:
> Hi,
> I have grouped my users in ldap using the groupofNames objectclass. Now one group of users which I only want to allow to authenticate to the radius server has a dn of:
>
> dn: cn=radiususers,ou=groups,o=example,dc=com
>
> It has member attributes such as:
>
> member: uid=user2,ou=people,o=example,dc=com
> member: uid=user3,ou=people,o=example,dc=com
> member: uid=user4,ou=people,o=example,dc=com
> member: uid=user5,ou=people,o=example,dc=com
>
> In my radiusd.conf I have these lines:
>
> groupname_attribute = cn
> groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>
> However, I'm not sure where to specify that only the members of the group radiususer are allowed to authenticate... Although I can simply add a dialupAccess attribute to each user I want to allow, it is difficult because I have so many users...

You can also use the access_attr_used_for_allow directive (see doc/rlm_ldap)

> If only there's a way to just tell radius to only allow the members of this group

See doc/rlm_ldap and ldap_howto.txt for a description of how to use ldap groups

> Please help.. thanks.

--
Kostas Kalevras
Re: default vlan for ldap users
On Tue, 2 May 2006, Nuno Reis wrote:

> Hi,
>
> Is there any way to make freeradius assign a vlan to any user that was authenticated using active directory database? Something like, freeradius asks active directory for user authenticity, and if accepted, freeradius forwards always the same tunnel-pvt-group-id to NAS.

Look at the default_profile directive for the ldap module (doc/rlm_ldap)

> Thanks,
> Nuno Reis
>
> --
> No trees were killed in the sending of this message. However, a large number of electrons have been terribly inconvenienced
Re: dialup admin
On Mon, 17 Oct 2005, Madhvi Gokool wrote:

> Hi
>
> Documentation of dialup admin says it works with a database. My current users file is plain text (I manually add users and their attributes). Can dialup admin be tweaked to work with this users file? Or is there a script that we can use to facilitate the administration of the users file.

No, dialupadmin cannot work with the users file.

> Regards
> Madhvi
Re: dialup admin - problem with users
On Wed, 12 Oct 2005, Matt Vollmar wrote:

> Hi,
>
> I searched the archives briefly, but I wasn't sure how to even phrase this issue. I have Freeradius authenticating Chillispot through a MySQL DB. One of the features of Chillispot is to authenticate based on MAC address first before checking username. This sends the MAC as Username and a pre-determined password. I have this working fine, but the problem is that Dialup Admin will not accept usernames with dashes in them. Every time I try to edit a user like 00-0E-35-A8-25-9F, it changes the name to 000E35A8259F which of course does not exist. Anyone know of a quick fix for this? If not, I will send some patches for this and a few other problems I found with Dialup Admin. I just hate delving into a project like this when there is the possibility of a fix existing.

See conf/config.php3 and preg_replace on the $login variable. Though in the latest version '-' is also accepted.

Hope this helps

> Thanks,
> Matt
Re: question on dialup_admin
On Thu, 6 Oct 2005, [EMAIL PROTECTED] wrote:

> Ok, I have successfully stored in mysql the log data. But the Calling-Station-Id and Called-Station-Id aren't stored. These attributes are present in the access_request and access_response packet but not in the accounting_packet. Is it possible to store this data also?
>
> Thanks,
> Felice

If they are not present in the accounting packets there's not much you can do. Try making your NAS send them.
Re: question on dialup_admin
On Mon, 3 Oct 2005, [EMAIL PROTECTED] wrote:

> Hello!
>
> I have a question on dialup_admin: I have configured freeradius to authorization by LDAP and authentication by EAP and it works fine. Now I want to log the activity of my users with dialup_admin, is it necessary that I use sql for authentication and authorization? or can I use EAP and LDAP again and dialup_admin only for log?

dialupadmin will use sql to read accounting data and sql OR ldap to read user data. So you only need to point dialupadmin to ldap to read your user profiles and to sql to read the accounting information.

Hope this helps

> If yes, I must add the entry in the database (mysql) for any user that can access to my network?
>
> excuse me for my bad english...
>
> Thanks,
> Felice
Re: Receiving a full DN in a radius request
On Wed, 14 Sep 2005, Jean-Francois Gobin wrote:

> Here is my whole ldap definition :
>
> ldap {
>     server = ldap..xxx
>     # identity = cn=admin,o=My Org,c=UA
>     # password = mypass
>     basedn =

This should be an actual DN of your tree. Something like: ou=people,dc=company,dc=com

>     filter = (%{User-Name})

This is wrong. It should most probably read filter = (uid=%{User-Name})

>     # base_filter = (objectclass=radiusprofile)
>
>     # set this to 'yes' to use TLS encrypted connections
>     # to the LDAP database by using the StartTLS extended
>     # operation.
>     # The StartTLS operation is supposed to be used with normal
>     # ldap connections instead of using ldaps (port 689) connections
>     start_tls = no
>     # tls_cacertfile = /path/to/cacert.pem
>     # tls_cacertdir = /path/to/ca/dir/
>     # tls_certfile = /path/to/radius.crt
>     # tls_keyfile = /path/to/radius.key
>     # tls_randfile = /path/to/rnd
>     # tls_require_cert = demand
>
>     # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
>     # profile_attribute = radiusProfileDn
>     # access_attr = dialupAccess
>
>     # Mapping of RADIUS dictionary attributes to LDAP
>     # directory attributes.
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>     ldap_connections_number = 5
>
>     #
>     # NOTICE: The password_header directive is NOT case insensitive
>     #
>     # password_header = {clear}
>     #
>     # Set:
>     #     password_attribute = nspmPassword
>     #
>     # to get the user's password from a Novell eDirectory
>     # backend. This will work *only if* freeRADIUS is
>     # configured to build with --with-edir option.
>     #
>     #
>     # The server can usually figure this out on its own, and pull
>     # the correct User-Password or NT-Password from the database.
>     #
>     # Note that NT-Passwords MUST be stored as a 32-digit hex
>     # string, and MUST start off with 0x, such as:
>     #
>     #     0x000102030405060708090a0b0c0d0e0f
>     #
>     # Without the leading 0x, NT-Passwords will not work.
>     # This goes for NT-Passwords stored in SQL, too.
>     #
>     # password_attribute = userPassword
>     #
>     # Un-comment the following to disable Novell eDirectory account
>     # policy check and intruder detection. This will work *only if*
>     # FreeRADIUS is configured to build with --with-edir option.
>     #
>     # edir_account_policy_check=no
>     #
>     # groupname_attribute = cn
>     # groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>     # groupmembership_attribute = radiusGroupName
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>     # compare_check_items = yes
>     # do_xlat = yes
>     # access_attr_used_for_allow = yes
> }
>
> On Tue, 13 Sep 2005, Nicolas Baradakis wrote:
>
> > Jean-Francois Gobin wrote:
> >
> > > rlm_ldap: - authorize
> > > rlm_ldap: performing user authorization for uid=P06227,ou=people,o=nrb,c=be
> > > radius_xlat: '(uid)'
> > > radius_xlat: ' '
> > > rlm_ldap: ldap_get_conn: Checking Id: 0
> > > rlm_ldap: ldap_get_conn: Got Id: 0
> > > rlm_ldap: performing search in , with filter (uid)
> > > rlm_ldap: ldap_search() failed: Bad search filter: (uid)
> >
> > What is your filter in section ldap of radiusd.conf ?
> >
> > --
> > Nicolas Baradakis
>
> --
> Jean-Francois Gobin - Administrateur gobinjf.be
> http://www.gobinjf.be
> mailto:[EMAIL PROTECTED]
Re: ldap attribute, checkItem, and the users file
On Mon, 23 May 2005, Chris Carver wrote:

> Hello,
>
> I'm still struggling with a problem I wrote in about in the past. I will explain what I am trying to do as well as possible.
>
> We have customers authenticating through our radius server which uses an openldap backend. Each user has an entry in our ldap database and it is the only means of authentication. We want to be able to check for the existence of an ldap attribute in the users file for the user who is currently trying to authenticate. If the attribute is found, we add a radius attribute to the reply and fall-through. If it is not found, those lines are bypassed and logic will continue down the users file.
>
> This ldap attribute is our own creation and we modified the schema calling the attribute radiusRedirectPort80 on the ldap backend. It's tested and it works perfectly on the ldap end. I modified the dictionary file and it is called redirectPort80 on the radius side. Following is etc/raddb/dictionary:
>
> $INCLUDE /usr/local/pw/freeradius-1.0.2/share/freeradius/dictionary
> $INCLUDE /usr/local/pw/freeradius-1.0.2/etc/raddb/netsweeper
>
> The definition is in the netsweeper file, along with other attributes of ours, and its contents are as follows:
>
> VENDOR          SlipStream              7000
> ATTRIBUTE       SlipStream-Enabled      1       string  SlipStream
> ATTRIBUTE       NetSweeper-Enabled      2       string  SlipStream
> ATTRIBUTE       redirectPort80          3       string  SlipStream
>
> After ensuring that the attribute was defined on the ldap side and the radius side, I understood that I needed to modify ldap.attrmap and add a checkItem. Here is that change in etc/raddb/ldap.attrmap:
>
> checkItem       redirectPort80          radiusRedirectPort80
>
> I did not add a reply item, because I'm not replying with the value of that attribute. I'm performing logic in the users file on that value and THEN passing back attribute/value pairs specified in the users file. My next step was to finally modify the users file. Here is a change to the users file:
>
> DEFAULT redirectPort80 == true
>         Framed-Route = "0.0.0.0/0 205.247.236.1/32 1",
>         Fall-Through = yes
>
> other irrelevant lines removed
>
> To my knowledge, at this point if the user has the ldap attribute radiusRedirectPort80: true then Framed-Route attribute/value should be in the access-accept. I do a radtest with a user who has the ldap attribute radiusRedirectPort80 set to true, and it is not matched. I see exactly the same behavior as with a user who does not have the attribute.
>
> Am I doing something fundamentally wrong? If not, might there be any common mistakes I could be making? I would be grateful for any pointers. Thanks in advance.

The users file will only check attributes in the request, not in the check item list. So the above won't work. You can try using the policy module:

if (%{check:redirectPort80} == true) {
    reply .= {
        Framed-Route = "0.0.0.0/0 205.247.236.1/32 1"
    }
}

> Chris Carver
Re: dialup admin and pptp
On Tue, 24 May 2005, Florin Samareanu wrote:

> from dialup_admin web interface i can clear sessions but i cannot disconnect users. when i press disconnect user nothing happens. i use latest cvs dialup admin, freeradius with mysql and pptp. any clue ?

The disconnect facility will work only for cisco routers using the SNMP AAA session MIB (if that is available and configured) or telnet (if that is configured). Patches are always welcome for other vendors.
Re: Multiple Ldap servers
On Wed, 18 May 2005, Matthew Hunter wrote:

> How do I get freeradius to check both ldap servers for a user. I have ldap configured already for redundancy but I want it to look at the first ldap server and if the user is not found then check the second ldap server.

Yes. See doc/configurable_failover

> Matt Hunter
> Network Analyst
> Waukesha County Technical College
Re: DialupAdmin/LDAP - General Questions
On Thu, 12 May 2005, Mathieu Bénard wrote:

> First of all thanks for your answer.
>
> What do you mean by modifying your schema ? What you show is the original LDAP schema provided with freeradius. This schema cannot work with the following statement in dialupadmin (for example):
>
> $dn = 'uid=' . $login . ',' . $config[ldap_default_new_entry_suffix];

Wrong. dialupadmin uses more objectclasses than just radiusprofile when creating a user, in particular inetorgperson which *allows* the uid attribute, so there should be no problem creating a user. radiusprofile is an *auxiliary* objectclass, it is designed to be used in combination with other objectclasses when creating a user. The reason why radiusprofile demands cn and not uid is that it may be used in objects other than user accounts in which case the uid attribute will not be present but the cn attribute will.

> To make it clear, my problem is that the codelines of DialupAdmin's user management pages don't fit the LDAP schema provided with freeradius (RADIUS-LDAPv3.schema). In my opinion there are only 2 options:
>
> - Modify dialupadmin according to the FreeRadius LDAP schema, what I don't intend to do because there are several pages involved and it may make it quite unstable.
> - Modify the RADIUS LDAP schema according to what dialupadmin is trying to do. I don't want to do this either, because it is the one provided with freeradius, so it doesn't seem a good idea to modify it
>
> How am I supposed to make it work without modifying freeradius LDAP schema or dialupadmin ? I am surprised that it doesn't seem to be a well-known issue. Am I missing something ?

I don't see why anything should be changed anywhere.

> Thanks in advance,
> Mafioo
Re: Slow Accounting-Database - workaround?
On Tue, 10 May 2005, oz wrote:

> Hello,
>
> our Accounting-SQL-Database became slower, so often radius-packets are dropped and the NAS falls back to the secondary radius-server. Though the postgres database is indexed, there are often response-times between 1 - 3 secs and we cannot change it for the moment.
>
> To speed up things a little, I tried to change from single- to multi-threaded radius mode, but the problems even get worse. Only a few minutes after radiusd start, the maximum number of threads (= 256) is reached, caused by Unresponsive children, which might be slow database answers:

That makes sense. Instead of serializing writes to a *slow* database you are performing them in parallel which will be even worse.

> radius.log:
> ...
> Tue May 10 10:59:48 2005 : Error: WARNING: Unresponsive child (id 1015871) for request 71
> Tue May 10 10:59:48 2005 : Info: The maximum number of threads (256) are active, cannot spawn new thread to handle request
> ...
>
> Is there any chance to use freeradius-1.0.2 with a *slow* SQL-Database? I read something about radsqlrelay in the 1.1.0 snapshot - can that be used to form some kind of buffer queue between the radiusd and the slow accounting database? Or will radsqlrelay step into the same timing-problem as the single- or multi-threaded radiusd?

Yes use radsqlrelay. It's in cvs. radsqlrelay will be used in combination with a detail file for buffering and can handle sql database slow downs/failures. Bear in mind though that if your sql database cannot handle the accounting rate no buffering will do you any good in the long run.

> Thanks,
> Oliver
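How a detail-file buffer absorbs a slow database, as an added illustration (my Python model, not radsqlrelay's code): accounting packets are appended in detail-file layout, and a relay replays them into a store in order while keeping its position across failures, so a timeout delays delivery instead of dropping or duplicating a record. FlakyStore and the sample records are constructed for the example.

```python
class FlakyStore:
    """Stand-in for the slow accounting database (constructed for this
    example): the first `fail_times` inserts time out, later ones succeed."""

    def __init__(self, fail_times):
        self.fail_times = fail_times
        self.rows = []

    def insert(self, record):
        if self.fail_times > 0:
            self.fail_times -= 1
            raise TimeoutError("accounting database busy")
        self.rows.append(record)


def format_detail_record(timestamp, attrs):
    """One accounting packet in detail-file layout: a timestamp line, one
    tab-indented 'Attribute = value' per line, then a blank line."""
    lines = [timestamp] + ["\t%s = %s" % (name, value) for name, value in attrs] + [""]
    return "\n".join(lines) + "\n"


def parse_detail(text):
    """Return [(timestamp, [(attribute, value), ...]), ...] for a detail file."""
    records, stamp, attrs = [], None, []
    for line in text.splitlines():
        if line.startswith("\t"):
            name, _, value = line.strip().partition(" = ")
            attrs.append((name, value))
        elif line.strip() == "":
            if stamp is not None:
                records.append((stamp, attrs))
            stamp, attrs = None, []
        else:
            stamp = line
    if stamp is not None:  # file without a trailing blank line
        records.append((stamp, attrs))
    return records


class Relay:
    """Replays detail records into `sink` in order. On any failure it keeps
    its offset and returns False, so the next run resumes at the same record:
    nothing is skipped and nothing is inserted twice."""

    def __init__(self, sink):
        self.sink = sink
        self.done = 0
        self.failures = 0

    def run(self, detail_text):
        records = parse_detail(detail_text)
        while self.done < len(records):
            try:
                self.sink(records[self.done])
            except Exception:
                self.failures += 1
                return False
            self.done += 1
        return True


# constructed detail file with three accounting packets for one user
SAMPLE_DETAIL = (
    format_detail_record("Tue May 10 10:59:48 2005",
                         [("User-Name", '"bob"'), ("Acct-Status-Type", "Start"),
                          ("Acct-Session-Id", '"0001"')])
    + format_detail_record("Tue May 10 11:14:02 2005",
                           [("User-Name", '"bob"'), ("Acct-Status-Type", "Stop"),
                            ("Acct-Session-Id", '"0001"'), ("Acct-Session-Time", "854")])
    + format_detail_record("Tue May 10 11:20:15 2005",
                           [("User-Name", '"bob"'), ("Acct-Status-Type", "Start"),
                            ("Acct-Session-Id", '"0002"')])
)

if __name__ == "__main__":
    store = FlakyStore(fail_times=2)
    relay = Relay(store.insert)
    attempts = 0
    while not relay.run(SAMPLE_DETAIL):  # a real relay would sleep and re-read the file
        attempts += 1
    print("delivered %d records after %d failed attempts" % (len(store.rows), attempts))
```

The relay decouples the NAS-facing path from the database: radiusd answers the accounting packet as soon as the detail file is written, and the reply's warning still holds, since a store that is permanently slower than the arrival rate only grows the backlog.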
Re: (no subject)
On Fri, 6 May 2005, Alan DeKok wrote:

> Babar Shafiq [EMAIL PROTECTED] wrote:
> > I know i can see the reject cause while running in debug mode but I want to store the reject causes in database or logs it. so it will be helpful in future for support people, customer support etc, so they can inform users what is the exact cause of the rejection !!
>
> Then always run the server in debugging mode. Or, write scripts to log reasons for failure.

log_badlogins from the dialupadmin package will do what you want.

> Alan DeKok.
Re: IP Pools distributed on multiple FreeRADIUS Servers
On Sat, 7 May 2005, Nizar Shana'ah wrote:

> Hello all,
>
> I have two freeRADIUS Servers, the second one is used for redundancy, how can i distribute the IP pools and have full redundancy, I am afraid of the conflicts that this may cause, I don't want them leasing the same IP to multiple clients when something happens and the other server is down.

See bug #46 http://bugs.freeradius.org/show_bug.cgi?id=46

rlm_ippool should also renew ip address leasing information on accounting-start packets to achieve full redundancy (as long as accounting relaying works fine). Right now the lease databases are only synchronized on accounting-stop packets which means that a backup server *may* give out an ip already taken.

> BR
Re: digest+ldap+radius
On Thu, 5 May 2005, Tiziano wrote:

> Hi all
>
> I'm trying to authenticate sip server with radius and ldap backend. SIP uses digest authentication, i've made it to work without problems if i put an user directly in /etc/freeradius/users:
>
> [EMAIL PROTECTED]    Auth-Type := Digest, User-Password == 1000
>         Reply-Message = Authenticated
>
> if i try to authorize sip with ldap:
>
> DEFAULT    Auth-Type := LDAP
>         Fall-Through = 1
>
> if i try to login from a standard cisco nas with a user in ldap it's working ok (i think because it's sending clear text password)
>
> if i try to login via sip:
>
> Thu May 5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client localhost port 5060)
>
> (in the meanwhile i see ldap looking at User-Password attribute of [EMAIL PROTECTED] ...)
>
> can sb help me?

You are performing ldap authentication. Don't do that. You need to read the user password from ldap but perform authentication with the digest module.

> Thanks in advance,
> Tiziano
>
> --
> Tiziano [EMAIL PROTECTED]
Re: LDAP compare_check_item
On Wed, 4 May 2005, Christian Meutes wrote:

> Hello again,
>
> at home I'm playing a little bit with 802.1x and use my private ldap backend for FreeRadius :) i want to use ldap attributes for compare checks of the incoming requests and tested the compare_check_items directive with setting it to yes. i tried to use the existing attributes for the checks and tried to use the radiusCheckItem for the checks like described in rlm_ldap. both didn't work. i read in the mailing list about using checkval, but checkval seems to work only for single check attributes. can somebody explain me how to get this working either with compare_check_item or with the checkval module?

compare_check_items just calls paircmp which does not work as you'd probably want in all cases. You could just use multiple instances of the checkval module to check the attributes you want.

> regards,
> Christian Meutes
> systems engineer
>
> --
> claranet gmbh
> internet service provider
> tel +49 (0) 69 - 40 80 18 - 300
> email: [EMAIL PROTECTED]
> http://www.claranet.de/
RE: Snmp trap
On Thu, 5 May 2005, Yoram Baruchian wrote:

> Hi.
>
> I mean that the radius server send reject to the client. I want to get a trap that describe the user name that is not allowed or rejected.

exec snmp_trap {
    wait = no
    program = "/bin/send_trap snmp.server.addr %{User-Name}"
}

post-auth {
    [...]
    Post-Auth-Type REJECT {
        snmp_trap
    }
}

I believe that should work.
Re: LDAP authentication
On Wed, 4 May 2005, José Berenguer wrote:

> Hello!
>
> We have this type of authentication in freeradius 1.0.1 installed in Fedora Linux against an Oracle LDAP server:
>
> default Ldap-Group == "cn=Users,dc=bacterio,dc=com", Auth-Type := LDAP
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Routing = Broadcast-Listen,
>         Framed-Filter-Id = std.ppp,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobsen-TCP-IP,
>         Fall-Through = No,
>         Tunnel-Type += VLAN,
>         Tunnel-Medium-Type += IEEE-802,
>         Tunnel-Private-Group-Id += 800
>
> Is it possible to authenticate only by one attribute of the LDAP directory instead of authenticating by the group? That would be the case we need because we have a plain organization of the LDAP directory.

You can use the access_attr. Another choice is to still use group matching, but based on group membership info stored in a per user attribute. See doc/rlm_ldap and the groupmembership_attribute.

> Thanks in advance!
>
> --
> ** José Berenguer Giménez
> Área de Comunicaciones-Servicio de Informática
> UNIVERSIDAD DE ALMERÍA
> Crta. de Sacramento s/n, 04120 - Almería
> Tlf.: 950014014
> E-mail: [EMAIL PROTECTED] **
Re: Post-Auth: reply values
On Tue, 3 May 2005, Gillmann, Christian wrote:

> Hello all,
>
> I'm trying to write a script for the post-auth section. In this script I need the information if the Request was successful or if it was rejected. The sql module uses the following expression: %{reply:Packet-Type}
>
> But how could I use this in my script?
>
> I've written a short script which should list all available Variables:
>
> #!/bin/bash
> printenv > /tmp/radius/`date +%F_%H-%M-%S_%N`
>
> But it doesn't contain the reply values ...
>
> Any ideas or hints?

Only what's included in the Post-Auth-Type REJECT section in postauth is run when the request is about to be rejected. So that's a rather easy way of finding out if the request was successful or not.

> bye
> Christian
Re: freeradius and sip
On Tue, 3 May 2005, Lucas Aimaretto wrote:

> Hi everybody,
>
> I'm willing to remove from a sip URI (ie: sip:[EMAIL PROTECTED]) the sip: and @domain parts, but, when they arrive in the Calling-Station-Id or Called-Station-Id Attributes. How to solve this ??? I've been able to remove @domain from the Uri, but at the User-Name only.
>
> Any help would be nice ... thanx!

See the attr_rewrite module

> Regards,
> Lucas
Re: authorize
> was thinking the custom dictionary file was somewhere else? I'm not sure, but it seems to work now and that's the only thing I changed. Thanks for your time.
>
> Chris Carver
>
> Alan DeKok wrote:
> > Chris Carver [EMAIL PROTECTED] wrote:
> > > I believe so. Here is what is a custom dictionary file that's included in /etc/raddb/dictionary:
> >
> > Ok...
> >
> > > I still see the same behavior as before. The users file completely ignores the existence of a redirectPort80 in the access-request, but it can REPLY with a redirectPort80 attribute. Is there something special I have to do to be able to check for this specific attribute in an access-request?
> >
> > No. It should just work.
> >
> > > DEFAULT redirectPort80 == true
> > >
> > > Does not match even though that's what I'm feeding it with radclient.
> >
> > Hmm... if I test it with my server, it works. My guess is that you have *other* entries in your users file. Read the debug output to see which entries did match, and walk through the users file by hand to see where it stops matching, and why. Odds are you don't have a Fall-Through configured somewhere.
> >
> > Alan DeKok.
> >
> > --__--__--
> >
> > Message: 3
> > Date: Mon, 25 Apr 2005 23:29:35 -0400
> > From: frad [EMAIL PROTECTED]
> > To: freeradius-users@lists.freeradius.org
> > Subject: Re: TLS problem
> > Reply-To: freeradius-users@lists.freeradius.org
> >
> > A good resource is www.austux.net/resources/network/eaptls.html
> >
> > Also, make sure you are using windows zero configuration on the WinXP client.
> >
> > Jon
> >
> > [EMAIL PROTECTED] wrote:
> > > Hello,
> > >
> > > I'm trying to make an authentication using freeradius-1.0.1-1 on Fedora Core 3, Cisco Catalyst 2950 as authenticator and WinXP (SP2) as a client. I didn't manage to make it work and I found a document describing that I should make a TLS authentication first, then go to MS-CHAP v2, but it didn't work too. I found that the TLS connection doesn't establish completely but I can't find the problem. Can you tell me the reason it doesn't work or url to more descriptive document?
> >
> > --__--__--
> >
> > End of Freeradius-Users Digest
Re: Restricting access by LDAP group.
On Mon, 25 Apr 2005 [EMAIL PROTECTED] wrote:

> I had this working, I don't know why but for some reason it doesn't anymore. Any user in LDAP receives an Access-Accept. Here's my entire radiusd.conf and the output of a user that is not in the VPN group receiving an Access-Accept using radtest. Is there something wrong with my configuration?
>
> Thanks
>
> authorize {
>     preprocess
>     chap
>     mschap
>     suffix
>     eap
>     ldap
> }

You don't have the files (users file) module in the authorize section.
Re: about limit
On Fri, 22 Apr 2005, avudz wrote:

> Hello,
>
> sorry for this fool question, perhaps this has been discussed before. i use freeradius-1.0.2 and dialup admin, the problem is, the clients still can connect through radius server even the daily limit is over. i've implemented http://www.lh.freeradius.org/radiusd/doc/rlm_sqlcounter howto, and put field like this :
>
> INSERT into radcheck VALUES ('','b','Max-All-Session','400',':=');
>
> but user b still can login after 6 minutes ? so how can i limit the max-daily-session ?
>
> here is the log from dialup admin :
>
> User is not online now - Last Connection Time 2005-04-22 11:03:03
> Online Time 33 minutes, 10 seconds
> Server 202.78.193.83 (202.78.193.83)
> Server Port 0
> Workstation 00:E0:4C:13:8B:1B
> Upload 152.89 KBs
> Download 7.41 KBs
> Allowed Session user can login for 0 seconds (Out of daily quota) --- over quota ?
> Usefull User Description -

Run the server in debug mode to see if it is rejecting the user and if things work as expected.

> --
> Best regards,
> ./avd
Re: Stop simultaneous active directory logins with only one account
On Fri, 22 Apr 2005, Sylvain Clerc wrote:

> Hello,
>
> when I authenticate a user who is in the active directory, as freeradius answers it to only know if the account exists, I can log many users in the same time with the same account. I would like that only one user can use his account and if another user tries to authenticate with the same account, he will be rejected. As I use the ntlm_auth command to authenticate users from active directory, is it possible to do that?

If I understand you correctly you need to read doc/Simultaneous-Use

> Thanks,
> Sylvain Clerc.
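One block for both the Max-All-Session question (the rlm_sqlcounter howto thread above) and the Simultaneous-Use answer here, as an added Python example (mine, not rlm_sqlcounter's or the server's own SQL): an in-memory SQLite radacct/radcheck pair filled with constructed rows, a counter check that sums closed sessions against the check item, and a simultaneous-use check that counts sessions with no Stop record. The radcheck columns follow the thread's INSERT (minus the id column); everything else is assumed.

```python
import sqlite3

# constructed radacct rows: (username, acctstarttime, acctstoptime, acctsessiontime)
SAMPLE_RADACCT = [
    ("b", "2005-04-22 10:00:00", "2005-04-22 10:06:10", 370),
    ("b", "2005-04-22 10:30:00", "2005-04-22 11:03:03", 1983),
    ("alice", "2005-04-22 09:00:00", "2005-04-22 09:20:00", 1200),
    ("dave", "2005-04-22 11:10:00", None, 0),   # no Stop yet: dave is still online
]
# constructed radcheck rows in the layout the thread's INSERT uses (id column dropped)
SAMPLE_RADCHECK = [
    ("b", "Max-All-Session", "400", ":="),
    ("alice", "Max-All-Session", "3600", ":="),
    ("dave", "Simultaneous-Use", "1", ":="),
]


def build_db():
    """In-memory stand-in for the accounting/authorization database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime TEXT, "
               "acctstoptime TEXT, acctsessiontime INTEGER)")
    db.execute("CREATE TABLE radcheck (username TEXT, attribute TEXT, value TEXT, op TEXT)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", SAMPLE_RADACCT)
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", SAMPLE_RADCHECK)
    return db


def check_item(db, user, attribute):
    """Integer value of a per-user check item, or None when it is not set."""
    row = db.execute("SELECT value FROM radcheck WHERE username = ? AND attribute = ?",
                     (user, attribute)).fetchone()
    return None if row is None else int(row[0])


def counter_remaining(db, user):
    """sqlcounter-style check: seconds of Max-All-Session left, or None when the
    user has no such limit. Only closed sessions carry an AcctSessionTime here,
    so an open session adds nothing until its Stop (or an interim update) arrives."""
    limit = check_item(db, user, "Max-All-Session")
    if limit is None:
        return None
    used = db.execute("SELECT COALESCE(SUM(acctsessiontime), 0) FROM radacct "
                      "WHERE username = ? AND acctstoptime IS NOT NULL", (user,)).fetchone()[0]
    return max(0, limit - used)


def simultaneous_use_ok(db, user):
    """Simultaneous-Use check: count this user's sessions without a Stop record."""
    limit = check_item(db, user, "Simultaneous-Use")
    if limit is None:
        return True
    active = db.execute("SELECT COUNT(*) FROM radacct WHERE username = ? "
                        "AND acctstoptime IS NULL", (user,)).fetchone()[0]
    return active < limit


def authorize(db, user):
    """Combine both checks; an accept carries Session-Timeout = remaining quota."""
    remaining = counter_remaining(db, user)
    if remaining is not None and remaining <= 0:
        return ("Access-Reject", "Max-All-Session exceeded")
    if not simultaneous_use_ok(db, user):
        return ("Access-Reject", "Simultaneous-Use exceeded")
    reply = {} if remaining is None else {"Session-Timeout": remaining}
    return ("Access-Accept", reply)


if __name__ == "__main__":
    db = build_db()
    for user in ("b", "alice", "dave"):
        print(user, authorize(db, user))
```

Both checks depend on accounting being complete: a missed Stop leaves a phantom open session that blocks Simultaneous-Use, and a session whose Stop has not arrived yet contributes nothing to the counter, which is one way a user can still log in shortly after crossing a quota.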
Re: SQL accounting and users on seperate servers
On Tue, 19 Apr 2005, Greg Ulyatt wrote:

> I'm trying to get a 2 server SQL setup going where all user data is kept on one system, and the accounting is on another. I have tried several things (including copying/renaming sql.conf to sqlacct.conf then using them both... no joy!)
>
> Of course, I could do this with radrelay but that seems to be inefficient, arduous - is there no way to log directly into one SQL system while authenticating against another?

There is, you can just create multiple sql module instances. Hint: Look at how the detail module multiple instances are created and used.
Re: nas-identifier and ldap.attrmap
On Mon, 18 Apr 2005, guest01 wrote:

> Hi, thanks for the fast reply!! OK, user steve (the one with the Auth-Type := Local) exists only for testing purposes. With user data in the local users file, the nas-identifier works. So, I don't know why radius ignores my ldap data ... Thanks for your help! best regards peda
>
> user testuser (defined in the ldap) with userpassword:
>
> dn: uid=testuser,ou=users,dc=myserver,dc=local
> radiusProfileDn: uid=testuser,ou=radius,dc=myserver,dc=local
> isVPNUser: TRUE
> uid: testuser
> objectClass: myserverUser
> userPassword: 123456
>
> dn: uid=testuser,ou=radius,dc=myserver,dc=local
> uid: testuser
> cn: testuser
> objectClass: radiusprofile
> objectClass: account
> radiusNASIdentifier: vpn
>
> So the user should be allowed to authenticate because of the different radiusNASIdentifier (NAS-Identifier chilli is the right one!)

I would suggest using the checkval module to achieve that.

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
Re: different pools for different realms
On Fri, 8 Apr 2005, Angel L. Mateo wrote:

> Hello, I am a newbie with freeradius (and with all radius servers), so maybe this is a silly question; I am sorry if it is. I have 1.0.2 running on a debian sarge box. I am configuring a new radius server to replace two different radius servers that are already working. We want to replace those two servers with a new one, so we have to unify both configurations. Those servers offer IP addresses from different pools to their users, so with the new one we have to authenticate users (with different realms) and map them to different IP pools. By now, I have an entry in the users file like this:
>
> DEFAULT Auth-Type = LDAP, Pool-Name := my_pool, NAS-IP-Address == 10.10.10.1
>         User-Name := `%{User-Name}`,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         X-Ascend-Client-Primary-DNS = 10.10.10.10,
>         X-Ascend-Client-Secondary-DNS = 10.10.10.11,
>         Fall-Through = No
>
> (I authenticate through a LDAP server.) Is there any way to force that entry to have a particular realm? That is, something like this:
>
> DEFAULT Auth-Type = LDAP, Realm == @myrealm, Pool-Name := my_pool, NAS-IP-Address == 10.10.10.1

Yes.

DEFAULT Realm == myrealm, NAS-IP-Address == 10.10.10.1, Auth-Type = LDAP, Pool-Name := my_pool
        ...
        ...

> Or is there any other way to do what I want?
>
> -- Angel L. Mateo Martínez, Sección de Telemática, Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA), http://www.um.es/atica, Tfo: 968367590 Fax: 968398337

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
Re: FW: freeradius bandwidth counter help
On Sun, 3 Apr 2005, Micky S wrote:

> Does anybody think this is possible? Any help much appreciated.
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Micky S
> Sent: 01 April 2005 12:32
> To: freeradius-users@lists.freeradius.org
> Subject: freeradius bandwidth counter help
>
> Hi all, here is the scenario: authenticating users against a MySQL database. What I want to do is to have a counter for how much bandwidth the user has used, but to count DOWN from a set amount, i.e. 100mb; if they use 3mb in one session then in the next session they have 97mb etc... When the user has reached 0mb they are disconnected. Any help with the above would be well appreciated.

You can use the counter module for this. You need to find out if your NAS supports an attribute setting the remaining bandwidth available to the user though. If such an attribute is not supported you can disallow access after the session where the user exceeded his bandwidth limit has been completed.

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
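The daily/all-session limit, the Simultaneous-Use question and the bandwidth countdown above all rest on one mechanism: at Access-Request time the server sums what accounting has already written to radacct and compares it with the check items for the user. The Python model below is an added example, not FreeRADIUS or rlm_sqlcounter code; its radacct rows, user names and the Max-Monthly-Octets / Octets-Remaining attribute names are constructed for illustration (sqlcounter lets you pick the check and reply names yourself). It shows why a counter bound to Max-All-Session never resets while Max-Daily-Session does, why a session that straddles midnight only partly counts against today, why Simultaneous-Use and every counter are only as good as the Stop and interim records the NAS actually delivers, and why an octet quota without a reply attribute the NAS understands can only refuse the next login rather than cut the running session.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class AcctRow:
    """One radacct row (constructed; only the columns the checks need)."""
    username: str
    acctstarttime: datetime
    acctstoptime: Optional[datetime]   # None while the session is still open
    acctsessiontime: int               # seconds, as last reported by the NAS
    acctinputoctets: int
    acctoutputoctets: int


NOW = datetime(2005, 4, 22, 11, 40, 0)
TOMORROW = NOW + timedelta(days=1)
ROWS: List[AcctRow] = [
    # user "b" from the question: one closed 33m10s session today
    AcctRow("b", datetime(2005, 4, 22, 11, 3, 3), datetime(2005, 4, 22, 11, 36, 13), 1990, 152_890, 7_410),
    # user "c": a 15-minute session that straddled midnight
    AcctRow("c", datetime(2005, 4, 21, 23, 55, 0), datetime(2005, 4, 22, 0, 10, 0), 900, 1_000, 2_000),
    # user "d": still open, no Stop record yet; interim updates keep acctsessiontime current
    AcctRow("d", datetime(2005, 4, 22, 11, 30, 0), None, 600, 10, 20),
]


def period_start(now: datetime, reset: str) -> datetime:
    """Start of the current counter period (sqlcounter's reset= setting)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if reset == "daily":
        return midnight
    if reset == "monthly":
        return midnight.replace(day=1)
    if reset == "never":
        return datetime.min
    raise ValueError(f"unknown reset period {reset!r}")


def seconds_used(rows: List[AcctRow], user: str, now: datetime, reset: str) -> int:
    """Session time inside the current period. A session that straddles the
    period boundary only contributes the part after the boundary."""
    start = period_start(now, reset)
    used = 0
    for r in rows:
        if r.username != user:
            continue
        end = r.acctstarttime + timedelta(seconds=r.acctsessiontime)
        if end > start:
            used += int((end - max(r.acctstarttime, start)).total_seconds())
    return used


def octets_used(rows: List[AcctRow], user: str, now: datetime, reset: str) -> int:
    """Octets in both directions for sessions started inside the period."""
    start = period_start(now, reset)
    return sum(r.acctinputoctets + r.acctoutputoctets
               for r in rows if r.username == user and r.acctstarttime >= start)


def open_sessions(rows: List[AcctRow], user: str) -> int:
    """Rows without a Stop: what Simultaneous-Use counts, stale or not."""
    return sum(1 for r in rows if r.username == user and r.acctstoptime is None)


TIME_COUNTERS = (("Max-Daily-Session", "daily"),
                 ("Max-Monthly-Session", "monthly"),
                 ("Max-All-Session", "never"))


def authorize(rows: List[AcctRow], user: str, now: datetime, checks: Dict[str, int]) -> Dict[str, object]:
    """Evaluate check items: any failing check rejects; a time counter that
    passes adds Session-Timeout so the NAS drops the session at the quota."""
    if "Simultaneous-Use" in checks and open_sessions(rows, user) >= checks["Simultaneous-Use"]:
        return {"result": "Access-Reject", "reason": "Simultaneous-Use"}
    reply: Dict[str, object] = {"result": "Access-Accept"}
    for name, reset in TIME_COUNTERS:
        if name not in checks:
            continue
        left = checks[name] - seconds_used(rows, user, now, reset)
        if left <= 0:
            return {"result": "Access-Reject", "reason": name}
        reply["Session-Timeout"] = min(int(reply.get("Session-Timeout", left)), left)
    if "Max-Monthly-Octets" in checks:   # hypothetical check item name, see lead-in
        left = checks["Max-Monthly-Octets"] - octets_used(rows, user, now, "monthly")
        if left <= 0:
            return {"result": "Access-Reject", "reason": "Max-Monthly-Octets"}
        # hypothetical reply name: only useful if the NAS enforces such an attribute;
        # otherwise the quota is only enforced at the next Access-Request
        reply["Octets-Remaining"] = left
    return reply


if __name__ == "__main__":
    print(authorize(ROWS, "b", NOW, {"Max-All-Session": 400}))
    print(authorize(ROWS, "c", NOW, {"Max-All-Session": 1000}))
    print(authorize(ROWS, "d", NOW, {"Simultaneous-Use": 1}))
```

Session-Timeout is what makes a time quota bite in the middle of a session; without it the limit is only enforced at the next login, which is exactly the octet case Kostas describes. If a Stop record is lost, the open row keeps counting against Simultaneous-Use until something cleans it up.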
Re: Give 2 ip pools to the clients
On Fri, 1 Apr 2005, eDoS wrote:

> Hi, I got an allocation of 2 networks of IPs; the ranges are:
>
> 192.168.2.1 - 192.168.2.14
> 192.168.5.1 - 192.168.5.14
>
> my conf:
>
> ippool pool1 {
>         range-start = 192.168.2.1
>         range-stop = 192.168.2.14
>         netmask = 255.255.255.0
>         cache-size = 14
>         session-db = ${raddbdir}/db.ippool1
>         ip-index = ${raddbdir}/db.ipindex1
> }
>
> ippool pool2 {
>         range-start = 192.168.5.1
>         range-stop = 192.168.5.14
>         netmask = 255.255.255.0
>         cache-size = 14
>         session-db = ${raddbdir}/db.ippool2
>         ip-index = ${raddbdir}/db.ipindex2
> }
>
> I want to give all IP allocations to all of my clients. I have been using just 1 network of IPs but sometimes my clients couldn't get any more IPs. Is there any way to give 2 attribute pool-name (pool1 pool2)?

You can set Pool-Name to DEFAULT to match all ippool modules.

> best regards, eDoS

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
Re: Give 2 ip pools to the clients
On Mon, 4 Apr 2005, eDoS wrote:

> Thank you Kostas, but I have another problem. If there is 1 network of public IPs,
>
> ippool public {
>         range-start = 223.xxx.xxx.xxx
>         range-stop = 223.xxx.xxx.xxx
>         netmask = 255.255.255.0
>         cache-size = 62
>         session-db = ${raddbdir}/db.ippublic
>         ip-index = ${raddbdir}/db.ippublic_idx
> }
>
> and I want to separate my public users and my private users, then if I use the DEFAULT value for Pool-Name it will include the public IPs. Is there a way to give just pool1 and pool2 to my private users?

You can also use the Post-Auth attribute. Use the public ippool module for public users and put pool1 and pool2 in a Post-Auth section available only to private users:

users (example!!):

#private
DEFAULT Group == private, Pool-Name := DEFAULT, Post-Auth := private

#public
DEFAULT Pool-Name := public

postauth {
        public
        Post-Auth private {
                pool1
                pool2
        }
}

Hope you get the picture.

> regards eDoS

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
Re: Problem with ip pools
On Thu, 31 Mar 2005, Sébastien Cantos wrote:

> Hi, I'm using IP pools to manage my client IPs from the radius side. Here's my conf:
>
> * users file:
>
> DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
>         Framed-Protocol = PPP,
>         Framed-MTU = 576
>
> * radiusd.conf file:
>
> ippool main_pool {
>         range-start = 192.168.52.2
>         range-stop = 192.168.52.254
>         netmask = 255.255.255.0
>         cache-size = 800
>         session-db = ${raddbdir}/db.ippool
>         ip-index = ${raddbdir}/db.ipindex
> }
>
> Everything works well for some days, then my clients can no longer get IPs from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius, but this is not *clean*. Is there a way to dump the content of the ippool database? I want to understand how IPs are freed from the pool, because I think that there's a problem when a client disconnects. It seems that IPs stay in the pool as used even if the client has disconnected. Thanks in advance for your help.

There's rlm_ippool_tool which might help you in src/modules/rlm_ippool.

rlm_ippool depends on accounting working ok. If it is not working then you might get into problems. The module *does* have a few more methods of finding out stale records and deleting them:

1. maximum-timeout directive. You can set that to the maximum session time expected in your network (if that can be calculated) in order to make sure no ip remains active for more time than maximum-timeout.

2. Each time an authentication request is performed from a nas ip/port pair which already has an ip allocated, that ip is cleaned up. That means that as long as your ip pool is as large as your nas ports number it will be difficult to run out of available ip's.

My suggestion is to make sure you don't run an old version of the module (older versions did have problems) and to take a closer look at how well your accounting works.

> Regards,
> -- Sebastien Cantos [EMAIL PROTECTED] Network / System Manager, Neopost DIVA

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
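As an added illustration of the two cleanup rules in the reply (maximum-timeout, and re-allocation when the same NAS/port authenticates again), here is a small Python model of a pool keyed on NAS-IP-Address/NAS-Port. It is not rlm_ippool's code and does not reproduce its db files or rlm_ippool_tool's output; the addresses, NAS and day-by-day timeline are constructed. It reproduces the failure in the question: when Stop records never reach the server, users returning on ports the pool has already seen keep working, but any new NAS/port pair finds the pool exhausted, and only maximum-timeout (or fixing accounting) hands the addresses back.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]   # (NAS-IP-Address, NAS-Port): how the pool identifies a session


@dataclass
class Lease:
    key: Key
    username: str
    allocated_at: int    # unix time of the Access-Request that got the address


class IpPool:
    """In the real module leases live in a db file so they survive restarts;
    here they live in a dict. maximum_timeout=0 means leases never expire
    (assumed to be the behaviour when the directive is not set)."""

    def __init__(self, range_start: str, range_stop: str, maximum_timeout: int = 0):
        first, last = int(ip_address(range_start)), int(ip_address(range_stop))
        self.addresses: List[str] = [str(ip_address(i)) for i in range(first, last + 1)]
        self.leases: Dict[str, Lease] = {}
        self.maximum_timeout = maximum_timeout

    def free_count(self) -> int:
        return len(self.addresses) - len(self.leases)

    def _expire(self, now: int) -> None:
        """Method 1 from the reply: drop leases older than maximum-timeout."""
        if self.maximum_timeout <= 0:
            return
        for ip, lease in list(self.leases.items()):
            if now - lease.allocated_at > self.maximum_timeout:
                del self.leases[ip]

    def _release_key(self, key: Key) -> bool:
        for ip, lease in list(self.leases.items()):
            if lease.key == key:
                del self.leases[ip]
                return True
        return False

    def allocate(self, key: Key, username: str, now: int) -> Optional[str]:
        """post-auth: hand out an address. Method 2 from the reply: a lease
        already held by this NAS/port is released first, so a returning
        port never consumes a second address."""
        self._expire(now)
        self._release_key(key)
        for ip in self.addresses:
            if ip not in self.leases:
                self.leases[ip] = Lease(key, username, now)
                return ip
        return None      # pool exhausted

    def release(self, key: Key) -> bool:
        """accounting Stop: the only normal way an address comes back."""
        return self._release_key(key)


def simulate(stops_delivered: bool, maximum_timeout: int = 0) -> Tuple[int, Optional[str], Optional[str]]:
    """Constructed timeline on a 3-address pool: three ports log in on day 1;
    on day 2 one of them returns and a fourth port appears. Returns (free
    addresses after day 1, address for the returning port, address for the new port)."""
    pool = IpPool("192.168.52.2", "192.168.52.4", maximum_timeout)
    nas = "10.0.0.1"
    day1 = 1_112_000_000
    day2 = day1 + 86_400
    for port in (1, 2, 3):
        pool.allocate((nas, port), f"user{port}", day1)
    if stops_delivered:          # accounting working: every session ends with a Stop
        for port in (1, 2, 3):
            pool.release((nas, port))
    free_after_day1 = pool.free_count()
    returning = pool.allocate((nas, 1), "user1", day2)   # known NAS/port: always served
    newcomer = pool.allocate((nas, 4), "user4", day2)    # needs a genuinely free address
    return free_after_day1, returning, newcomer


if __name__ == "__main__":
    print("stops delivered       :", simulate(True))
    print("stops lost            :", simulate(False))
    print("stops lost + timeout  :", simulate(False, maximum_timeout=3600))
```

Rule 2 is why the question's pool "works for some days": as long as the same NAS ports keep coming back, the leak is invisible, and it only surfaces when the number of distinct NAS/port pairs the pool has seen exceeds the pool size.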
Re: LDAP Profiles
On Tue, 29 Mar 2005, Jarred Cleem wrote:

> Thanks Dustin Doris for your reply. I seem to be missing something because I can not get it to work like you mentioned. Let me provide some data and config info in hopes that you might be able to help further. What I am hoping for is that it will send the profile info and the info for the user. For example, I am hoping to see the return attributes for jcleem/dial to be:
>
> radiusClientIPAddress: 172.18.5.1
> radiusFramedIPNetmask: 255.255.255.0
> radiusFramedProtocol: PPP
> radiusFramedRouting: None
> radiusServiceType: Framed-User
> radiusFramedCompression: Van-Jacobson-TCP-IP
>
> But I only get (does not include radiusClientIPAddress):

The radiusClientIPAddress attribute is a check and not a reply item. It is normally not included in raddb/ldap.attrmap and I don't think you wanted to use that in the first place. What you need to use is the radiusFramedIPAddress attribute:

radiusFramedIPAddress: 172.18.5.1

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
Re: LDAP Profiles vs. No-profiles
On Mon, 28 Mar 2005, Jarred Cleem wrote:

> I am setting up a test environment and I am having some problems. Any help would be great. I have the servers built very similarly to what is documented at http://www.freeradius.org/radiusd/doc/ldap_howto.txt. I have created a few profiles like dialup, dsl, and isdn. I have the server working in the test environment and it seems to function very well. My question is how do I use profiles and still be able to pass specific attributes to the radius server that are dependent on the user, for example if the user has been assigned a static IP address. Below is an example of the users file from the old Radius server that we are migrating off of.

default profile: An ldap entry holding radius attributes. Defined in the ldap module configuration and used in all cases.

regular profile: An ldap entry holding radius attributes. Defined in the user entry as an attribute pointing to the dn of that entry. Used when authorizing that specific user.

user profile: The attributes contained in the user entry. These attributes take precedence over the attributes defined in the above profiles.

So in general you can use default/regular profiles to define default attributes used in most cases and then define any user specific attributes inside each user's entry.

> # Entry for Customer 1 dedicated dsl
> Customer1 Auth-Type = Local, Password = xx
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 192.168.1.69,
>         Framed-IP-Netmask = 255.255.255.252,
>         Framed-Routing = Broadcast-Listen,
>         Framed-Filter-Id = std.ppp,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobsen-TCP-IP
>
> # Entry for customer 2 dedicated dsl
> Customer2 Auth-Type = Local, Password = xxx
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 192.168.1.65,
>         Framed-IP-Netmask = 255.255.255.252,
>         Framed-Routing = Broadcast-Listen,
>         Framed-Filter-Id = std.ppp,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobsen-TCP-IP
>
> # Entry for customer 3 dedicated dsl
> Customer3 Auth-Type = Local, Password = xx
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 192.168.1.177,
>         Framed-IP-Netmask = 255.255.255.248,
>         Framed-Routing = Broadcast-Listen,
>         Framed-Filter-Id = std.ppp,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobsen-TCP-IP
>
> DEFAULT Auth-Type = System
>         Fall-Through = Yes
>
> DEFAULT Service-Type = Framed-User
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 576,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
>
> #
> # Default for PPP: dynamic IP address, PPP mode, VJ-compression.
> # NOTE: we do not use Hint = PPP, since PPP might also be auto-detected
> # by the terminal server in which case there may not be a P suffix.
> # The terminal server sends Framed-Protocol = PPP for auto PPP.
> #
> DEFAULT Framed-Protocol = PPP
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> #
> # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
> #
> DEFAULT Hint = CSLIP
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> #
> # Default for SLIP: dynamic IP address, SLIP mode.
> #
> DEFAULT Hint = SLIP
>         Framed-Protocol = SLIP
>
> -- Jarred F. Cleem, IS Manager, Multiband, 2000 44th Street SW, Fargo, ND 58103, (W) 701-281-5376 (F) 701-492-5376

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf
On Thu, 17 Mar 2005, Nick Bright wrote:

> > Also executing Check NAS validity fails for every NAS, I looked at the PHP and it's trying to do gethostbyname($selected_nas), where the name is an IP address. Is that why it's failing, because I used IPs instead of hostnames? Maybe that factors in to why user_finger.php3 is doing funky stuff?
> >
> > Also fixed in CVS, Thanks.
>
> Running Check Nas Validity now results in:
>
> Fatal error: Call to undefined function: check_ip() in /usr/local/dialup_admin/htdocs/nas_admin.php3 on line 48

Fixed, thanks

> Another error on stats.php3, too (it wasn't doing this before):
>
> Fatal error: Cannot redeclare time2str() (previously declared in /usr/local/dialup_admin/lib/functions.php3:2) in /usr/local/dialup_admin/lib/functions.php3 on line 2
>
> If I change line 16 from require('../lib/functions.php3'); to require_once('../lib/functions.php3'); it goes back to doing what it was doing before this CVS release, spitting out a bunch of errors like this:

Fixed also.

> Warning: Cannot use a scalar value as an array in /usr/local/dialup_admin/htdocs/stats.php3 on line 117

These warnings should be gone now.

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
Re: dialup_admin.cron
On Sun, 13 Mar 2005, zack musa wrote:

> Hi, I try to run the script (dialup_admin.cron) to allow auto update of the totacct and mtotacct tables. But what happens is I still need to run the totacct and mtotacct scripts manually, or the .cron script daily, to make an update in my database. I disabled some scripts such as truncate radacct and clean radacct from executing. Am I missing something to get this auto update done? Thanks.

You add whatever is included in dialup_admin.cron to your crontab. You don't run that file!

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf
On Thu, 10 Mar 2005, Nick Bright wrote:

> To hop back to this question, updating to the latest CVS made user_finger.php3 behave quite a bit differently. Now when I go to that page, I get a listing for every NAS from the database, but there is no information for the NAS unless there is also information in naslist.conf. Shouldn't it just use the information from SQL if the nas table is there, and completely ignore/not use naslist.conf? It seems a little redundant to put the information into two locations.

dialupadmin will use all information that is available. That means that it will also use any information present in naslist.conf. In any case, it was a bug and hopefully fixed in CVS.

> *shrug* maybe I'm just doing something wrong?

That's pretty likely ;)

> Another odd thing is that on nas_admin.php3, all my NASes are showing type other in the dropdown, though they are set for various things in the database (including: other, max40xx, and usrhiper). When I try to modify the setting through dialup_admin, it doesn't change in the dropdown, but it does change in the database. Seems like the dropdown isn't reading properly.

Also fixed in CVS, Thanks.

> Also executing Check NAS validity fails for every NAS, I looked at the PHP and it's trying to do gethostbyname($selected_nas), where the name is an IP address. Is that why it's failing, because I used IPs instead of hostnames? Maybe that factors in to why user_finger.php3 is doing funky stuff?

Also fixed in CVS, Thanks.

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
Re: (dialup_admin) snmpfinger program pays no attention to naslist.conf
On Mon, 14 Mar 2005, Nick Bright wrote:

> Wow, WTF. I downloaded the latest CVS and _everything_ is all jacked up. I'm pretty sure I'm not doing something correctly (I don't use CVS much). . . I did:
>
> shell> cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin login
> * When prompted for a password simply press the Enter Key
> shell> cvs -z3 -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin co dialup_admin
>
> The resulting version is missing files, doesn't contain many of the default configuration files, and just basically doesn't work. wtf? Is this not the right way to get the CVS? Should I be getting the CVS of freeradius and taking the dialup_admin directory out of there?

Downloading through cvs is clearly described in http://www.freeradius.org/development.html#cvs

There's no module dialup_admin and I don't think there's a /cvsroot/dialup-admin. So please read that page and try again. dialup_admin is included in the radiusd module.

> - Nick Bright, Terraworld, Inc, 888-332-1616 x315, http://home.terraworld.net

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
Re: Using IP Pools
On Fri, 11 Mar 2005, Jason Frisvold wrote:

> Hi all, I want to set up freeradius to use IP pools. I see the section in the radius.conf file where I can set this up, but I'm a bit unsure of how to proceed. Currently we're using freeradius to authenticate dial-up users. The RAS only needs to receive a Framed-IP-Address of 255.255.255.254 to trigger the internal pools. Moving forward, we want to continue with this, and also use freeradius for some other devices that don't have internal IP pools. Is there a document somewhere that describes how to handle all of this?

No there isn't. There is documentation for how the server works though. It's your job to use them all together.

> I believe I'm going to need multiple pools for this, depending on the device that the user is authenticating on...
>
> --users--
> DEFAULT NAS-IP-Address == $RAS-IP
>         Framed-IP-Address = 255.255.255.254
>
> DEFAULT NAS-IP-Address == $OTHER-NAS-IP, Pool-Name := pool1
>
> DEFAULT NAS-IP-Address == $OTHER-NAS-IP2, Pool-Name := pool2
>
> --radiusd.conf--
> ippool pool1 {
>         [...]
> }
>
> ippool pool2 {
>         [...]
> }
>
> postauth {
>         pool1
>         pool2
>         [...]
> }
>
> Any help would be appreciated... Thanks!
> -- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
Re: Question on Logging
On Fri, 11 Mar 2005, Data Processing Fone Net wrote:

> Morning all. I believe I read not too long ago on the list a thread concerning logging failed logins and the reasons for the failure so that tech support personnel could assist customers? I do not recall the eventual outcome and/or solution, if any. So, here is a more direct question about logging errors. We currently log the errors to our syslog. We monitor the log via a web interface so that our tech support can see when and why a customer is not getting a successful login, e.g. wrong username, puts in CAPS, adds spaces and the like, and repeated efforts to hack into our system. Is there a way to log only the failed attempts and the reason to a log so we can continue to have a quick and easy way to assist customers with failed logins as indicated above?

See the log_badlogins script in dialupadmin.

> Thanks, Dallas

-- Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
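An added example of the kind of filtering the log_badlogins script does, written here in Python against constructed radius.log lines rather than a real capture (the line shape follows the FreeRADIUS 1.x "Auth:" messages; the user names, NAS names, ports and calling numbers are invented). It keeps only the failures, attaches the two hints support asks about most (caps lock, stray spaces) and separates a customer retrying a typo from a caller cycling through different user names. One caveat before handing such a view to support: with log_auth_badpass = yes the attempted password is written next to the user name, and a failed attempt is usually a real password with one wrong character, so the parser discards it and only records that it was present.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Line shape assumed for FreeRADIUS 1.x auth messages in radius.log. When
# log_auth_badpass = yes the attempted password follows the user name inside
# the brackets; we capture it only so we can drop it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"(?P<outcome>Login OK|Login incorrect|Invalid user): "
    r"\[(?P<user>[^\]/]*)(?:/(?P<pw>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)\s*$"
)

# Constructed sample log: one typo sequence from a customer, one guessing burst.
SAMPLE_LOG = """\
Fri Mar 11 09:12:01 2005 : Auth: Login OK: [dallas] (from client nas1 port 17 cli 5551234)
Fri Mar 11 09:12:40 2005 : Auth: Login incorrect: [DALLAS/hunter2] (from client nas1 port 18 cli 5551234)
Fri Mar 11 09:13:05 2005 : Auth: Login incorrect: [dallas /hunter2] (from client nas1 port 18 cli 5551234)
Fri Mar 11 09:13:30 2005 : Auth: Invalid user: [dalas] (from client nas1 port 18 cli 5551234)
Fri Mar 11 09:20:00 2005 : Auth: Login incorrect: [admin/admin] (from client nas2 port 3 cli 5559999)
Fri Mar 11 09:20:01 2005 : Auth: Login incorrect: [root/toor] (from client nas2 port 3 cli 5559999)
Fri Mar 11 09:20:02 2005 : Auth: Login incorrect: [guest/guest] (from client nas2 port 3 cli 5559999)
"""


def typo_hints(user: str) -> List[str]:
    """Cheap checks for the mistakes support sees most: caps lock and stray spaces."""
    hints = []
    if user != user.strip():
        hints.append("leading/trailing whitespace")
    if " " in user.strip():
        hints.append("embedded space")
    if user != user.lower():
        hints.append("uppercase letters")
    return hints


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One log line to a record, or None for lines that are not auth messages."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%a %b %d %H:%M:%S %Y")
    rec["password_logged"] = rec["pw"] is not None
    del rec["pw"]                       # never carry the attempted password forward
    rec["hints"] = typo_hints(str(rec["user"]))
    return rec


def failed_logins(log_text: str) -> List[Dict[str, object]]:
    """Only the rejections, in log order."""
    return [r for r in map(parse_line, log_text.splitlines())
            if r is not None and r["outcome"] != "Login OK"]


def guessing_sources(records: List[Dict[str, object]], threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """Callers that failed with several *different* user names. A customer
    retrying a typo keeps (roughly) the same name; a guesser cycles names."""
    names = defaultdict(set)
    for r in records:
        names[(str(r["client"]), str(r["cli"]))].add(str(r["user"]).strip().lower())
    return {src: len(u) for src, u in names.items() if len(u) >= threshold}


def support_view(rec: Dict[str, object]) -> str:
    """The line a support web page would show: no password, hints attached."""
    hints = ", ".join(rec["hints"]) or "none"
    return (f"{rec['ts']:%Y-%m-%d %H:%M:%S} {rec['client']} port {rec['port']} "
            f"cli {rec['cli'] or '-'} [{rec['user']}] {rec['outcome']}; hints: {hints}")


if __name__ == "__main__":
    failures = failed_logins(SAMPLE_LOG)
    for r in failures:
        print(support_view(r))
    print("guessing from:", guessing_sources(failures))
```

Run it over the real radius.log instead of SAMPLE_LOG and the same two views fall out: per-failure lines for support, and per-caller counts that separate mistyped passwords from someone walking a name list against one NAS.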