WiSPr
Hey all, I read that I can rate limit on a per-user basis with WISPr-Bandwidth-Max-Down and Up.. correct? Can someone please tell me how I can do this? I have FreeRADIUS running on an Ubuntu server, with a MySQL database and daloRADIUS for web management. My users connect to FreeRADIUS through the captive portal on my pfSense firewall. Thanks in advance

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WiSPr
By NAS I assume you mean my pfSense. There isn't anywhere within FreeRADIUS to traffic shape? Are you saying it has to be done on the router and not in FreeRADIUS?

On 14/09/2011 12:11 PM, Suman Dash wrote:
Bandwidth limit greatly depends on the NAS. If your NAS supports it then it can be done!
Re: WiSPr
Thanks Suman. Will take a look.

On 14/09/2011 1:11 PM, Suman Dash wrote:
WISPr-Bandwidth-Max-Down / Up is indeed the attribute which you are looking for. But you need to search the mailing lists and find out how to add those into radreply/radgroupreply. Hint: read http://wiki.freeradius.org/Rlm_sql
Regards, Suman

On Wed, Sep 14, 2011 at 9:34 PM, Suman Dash wrote:
Exactly! Traffic shaping has nothing to do with RADIUS. RADIUS will send values as configured to the NAS. If the NAS understands them then the NAS can use those attributes and do much more than just traffic shaping. Check the RADIUS dictionary of pfSense and you can find the attributes which will be used to control traffic. Once you get the attributes, use the same as Reply-Items and it will work like a charm. Read the basic documentation of RADIUS to understand how it works. There is already a lot of discussion regarding *lazy people*
Regards, Suman
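Suman's hint points at rlm_sql's reply tables. As an added example (not from this thread), assuming the stock FreeRADIUS 2.x MySQL schema from raddb/sql/mysql/schema.sql and a NAS that honours the WISPr attributes, this is how per-user and per-group limits are stored; the users, group and rates are constructed:

```sql
-- Added example, not from the thread. Assumes the stock FreeRADIUS 2.x
-- MySQL schema (raddb/sql/mysql/schema.sql: radreply, radgroupreply,
-- radusergroup) and a NAS that honours the WISPr attributes, which, as
-- Suman points out, is the NAS's job, not RADIUS's. Rates are in bits
-- per second; users, group and values below are constructed samples.

-- Per-user limit: 2 Mbit/s down, 512 kbit/s up for the constructed user alice.
-- ':=' sets the attribute in the Access-Accept, replacing any earlier value.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('alice', 'WISPr-Bandwidth-Max-Down', ':=', '2048000'),
  ('alice', 'WISPr-Bandwidth-Max-Up',   ':=', '512000');

-- Group default: every member of the constructed group 'basic' gets
-- 1 Mbit/s down, 256 kbit/s up.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('basic', 'WISPr-Bandwidth-Max-Down', ':=', '1024000'),
  ('basic', 'WISPr-Bandwidth-Max-Up',   ':=', '256000');

-- Group membership; priority orders the groups when a user is in several.
-- bob has no radreply rows, so the group values are all he receives.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('bob', 'basic', 1);

-- Check what rlm_sql will find for each user: its own radreply rows plus
-- the radgroupreply rows of every group it belongs to. How two rows for
-- the same attribute combine is decided by the op column (see the Rlm_sql
-- wiki page linked above), so keep a given attribute either in radreply
-- or in a group for a user unless that interaction is intended.
SELECT username, 'radreply' AS source, attribute, op, value
  FROM radreply
 WHERE username IN ('alice', 'bob')
UNION ALL
SELECT g.username, CONCAT('radgroupreply:', g.groupname), r.attribute, r.op, r.value
  FROM radusergroup g
  JOIN radgroupreply r ON r.groupname = g.groupname
 WHERE g.username IN ('alice', 'bob')
 ORDER BY username, source;
```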
Unique Identifier
Can someone please let me know if FreeRADIUS can assign a certain unique ID per client added to the database? I want my client numbers to automatically increment as I add them. I am guessing this is possible?
Re: Default tables
Thanks Alan, I have another question regarding this. I have imported the schema.sql and I get 7 tables in the database. Am I to assume that this is all working? Just that I remember a while ago I followed a tutorial for using FreeRADIUS 2 with daloRADIUS for management, and I had around 20 tables, many to do with billing and userinfo.. What am I doing wrong here?

On 30/06/2011 3:08 AM, Alan DeKok wrote:
Luke Hammond wrote:
Sorry if this question is deemed as being silly, but I can't find a straight answer for this anywhere.. What are the default tables that are installed with FreeRADIUS when I use MySQL for the database?

None. You need to install them manually. See raddb/sql/mysql/
Alan DeKok.
Re: Default tables
Ah ok, thanks for the reply Alan. I was trying a tutorial that used daloRADIUS for administration, and that had an SQL schema file that imported some tables, it's just that it didn't have a whole bunch of billing tables that I got from a previous install so wasn't sure what was going wrong.
Default tables
Sorry if this question is deemed as being silly, but I can't find a straight answer for this anywhere.. What are the default tables that are installed with FreeRADIUS when I use MySQL for the database?
How to test radius is working.. can't find radtest
I have just installed FreeRADIUS 2.07 I think it is.. anyways. I followed a tutorial on how to install it with MySQL on CentOS 5 and when I get to the part about testing the database using radtest.. it doesn't work. radtest is not where it should be, have looked on Google to try and work out where exactly this 'radtest' lives, but all the locations it is supposed to be.. it isn't! So, where should it be and why isn't it there? Do I have to install it separately? Also, how do I test that my radius is working and accepting logins without it?
Re: How to test radius is working.. can't find radtest
Thanks for the reply, I installed it from the Package Manager in Gnome, CentOS 5.6. I'll try what you suggested, thank you.

On 25/05/2011 6:28 PM, Phil Mayers wrote:
This isn't really a FreeRADIUS question; it's either a basic Unix question, or one specific to the distribution of Linux you're using. Anyway: how did you install FreeRADIUS? If you installed it from the RPM, are you sure you installed all the RPMs you needed? Perhaps the server and client tools are split into separate RPMs? I see Fedora has a freeradius-utils RPM - maybe CentOS has that too? If you installed it from source - have you looked into the directory you installed it into (/usr/local usually)?

Try:
locate radtest
Or:
find / | fgrep radtest
Try:
yum provides '*/radtest'
Using Freeradius2
Hey all, are there any good resources on how to actually use FreeRADIUS 2 once it's installed? I have it running along with CoovaChilli as my captive portal, and daloRADIUS for the GUI (as I will have people inputting users that have no idea about how to use the command line..). My problem is this: we have clients that are people in their houses that connect to our wireless network, the Coova login page appears and they login with the username and password that I input into daloRADIUS. I have a few clients that are small LAN houses that want to use our system, but I am unsure if I can have them not need to login through the CoovaChilli portal, and they just get authenticated via the MAC address of their antenna? I can't find any good documentation on how to do anything with FreeRADIUS. Thanks in advance
Re: Using Freeradius2
Hey thanks for the reply.. Probably should have mentioned that I know pretty much nothing about Linux, apart from using it with a GUI.. Yes what you said is right, I would like some people to login with username/password, and some with MAC. I'll take a look at some of those things you mentioned. Thanks.

On 18/03/2011 9:19 PM, Gary Gatten wrote:
Dude, you are SO gonna get flamed - put your flame suit on! Hopefully Mr. DeKok is in a good mood! ;-) So you want some users to auth with username/passwd; and others with MAC or some other means? There have been numerous posts about similar requirements, plus: man unlang, man radiusd, etc. Also, some good info and examples embedded in the various config files and samples in the various dirs. Also wikis... And I think www.supportingradius.org? Not sure on the URL. Dig around a bit and you'll find a $hit load of doc, and probably some good examples of others that did exactly what you want.
Re: Freeradius2 and OSX clients no TLS
Just a side question, how did you get FreeRADIUS to give you a login window? I tried this and couldn't see how to get it to work.. so had to use another portal for this.

On 5/03/2011 2:10 PM, Gary Gatten wrote:
FR just does what it's told. I think the settings need to be changed on your wireless gear.

From: Guy
Sent: Saturday, March 05, 2011 10:46 AM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius2 and OSX clients no TLS

Hi, I'm setting up Freeradius2 (FreeRADIUS Version 2.1.7) for WPA Enterprise 2, and I have it basically working. My iPhone/iPad are able to authenticate and connect via the base station. However my Mac (OSX 10.6 Snow Leopard) laptops are having issues. I do not want to push out client certificates to the laptops. I also do not want people to have to perform any customisations on the clients. When the laptop attempts to join the network I get a nice login window, with username/password. This is fine. However, without playing with the network settings (802.1x settings), I'm not able to join the network because I do not have a client cert:

Sat Mar 5 16:21:28 2011 : Error: -- verify error:num=19:self signed certificate in certificate chain
Sat Mar 5 16:21:28 2011 : Error: TLS Alert write:fatal:unknown CA
Sat Mar 5 16:21:28 2011 : Error: TLS_accept:error in SSLv3 read client certificate B
Sat Mar 5 16:21:28 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sat Mar 5 16:21:28 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Sat Mar 5 16:21:28 2011 : Auth: Login incorrect: [guy/via Auth-Type = EAP] (from client extreme port 0 cli 00-19-E3-E1-BA-C5)

However if I do change the 802.1x settings on the Mac to not try and do TLS then I'm able to connect just fine, either by PEAP or TTLS.. So finally my question... How can I reconfigure RADIUS to not try and offer TLS, or if it does offer TLS, to not die if a cert is not presented?? I have tried some suggestions such as commenting out the CA in the eap.conf file, but still I fail to pass the TLS. Thanks
---Guy
Re: Freeradius2 and OSX clients no TLS
Ahh ok, thanks. Thought you were talking about a captive portal.

On 5/03/2011 2:39 PM, Guy wrote:
It wasn't FreeRADIUS providing the login window, it was OSX... trying to logon to the WiFi network.
--Guy
Re: Freeradius2 and OSX clients no TLS
Cool, well if you need that part, I have CoovaChilli running quite nicely.. I thought that FreeRADIUS had its own captive portal, but couldn't see any way to get it working.

On 5/03/2011 3:08 PM, Guy wrote:
That comes later! :)
--Guy
Re: Help needed with user authentication
Thanks for that... I found CoovaChilli and installed it, now my FreeRADIUS won't start.. when I type radiusd -X I get a whole lot of errors, any ideas where I could have gone wrong? We have a Cisco 2800 or 2850 on its way from the company we have purchased our internet link from, so I am not sure if that can do the captive portal thing?

On 19/01/2011 4:24 AM, Fajar A. Nugraha wrote:
On Wed, Jan 19, 2011 at 1:52 PM, Johan Meiring wrote:
On 2011/01/19 04:24 AM, Luke Hammond wrote:
I want to have a wireless network, that will be open, and when a user connects and tries to browse they get redirected to a page where they have to login

It's called a captive portal: http://en.wikipedia.org/wiki/Captive_portal
Try http://coova.org/CoovaChilli

What we usually do:
- get a wireless AP which has a captive portal feature. I find it easier than having to install a captive portal manually on a server. For example, if you're willing to use third-party firmware, dd-wrt supports these devices: http://www.dd-wrt.com/wiki/index.php/Supported_Devices
- get a radius server (you already have that)
- get a login page. Something like http://net-mai.net/files/hotspotlogin.php.txt
- adjust settings as required
-- Fajar
Help needed with user authentication
Hey, I am new so sorry that I know nothing about FreeRADIUS. Basically, I found a tutorial and followed it to get FreeRADIUS 2, MySQL and daloRADIUS working together.. that part is ok. But I am confused with this: I want to have a wireless network, that will be open, and when a user connects and tries to browse they get redirected to a page where they have to login, and that will talk to FreeRADIUS to make sure the user is authorised, then it will accept them and continue to where they were trying to browse to.. That's basically what I need, but how does FreeRADIUS do that? Where is that page so I can edit it with my logo or whatever? Or do I need more software to have that login page? Please assist, am desperate here to get this working.. thanks in advance!
auth type as check item in users file
Hi, I'm trying to figure out how to check to see if the auth type is mschap in the users file. I can find tons of help on setting the Auth-Type, but not a lot on how to compare it. Additional background info: I'm running 802.1x with two auth types, certificate based and mschap. I have a default (meaning, no other checks performed) users entry to assign anyone who authenticates but doesn't match a group entry further up the file into a specific vlan. However, if I'm going to add in certificate based authentication, these will also hit that default setting, and I don't want it to... I want the certificate based authenticators to not have a vlan assigned to them by 802.1x.
Re: rlm_ldap and Stripped-User-Name
Finally found that %{mschap:User-Name} will work for me. Thanks anyway :)
rlm_ldap and Stripped-User-Name
I'm trying to use rlm_ldap to do group lookups for dynamic vlan assignment. I've got freeradius (version 2.1.1) to connect to my ldap server, but when it tries searching, it's not working correctly. I'm not getting a Stripped-User-Name, and the non-stripped user name is coming across as domain\5cusername. I've been looking around for a couple of hours now, and have yet to find out how to make it either a) give me a stripped user name or b) figure out some way to strip the username myself.

I was trying to use something I had found before where someone was using attr_rewrite to manually create the Stripped-User-Name, but it wasn't working at all. The first part was copying User-Name into Stripped-User-Name, and since the original username happens to have the string \t in it, it was interpreting that as a tab, instead of straight copying the text. Then when I tried to do regex replacement on it, the string was in this crazy state where it had a bunch of extra spaces in it due to the \t being interpreted as a tab.

Can someone help me out with this? I'm not sure what I'm doing wrong that's preventing the Stripped-User-Name from working in the first place, or how to work around the fact that the attr_rewrite is not directly copying the text into my variable, and is instead interpreting it.

Thanks, Luke
Dell 6248 and Dynamic VLAN Assignment
Hi :) I'm trying to get dynamic VLAN assignment to work with my Dell 6248, which they officially support as of firmware revision 2.1.0.13. I'm using freeradius version 2.1.1. I think I'm sending the information the correct way from freeradius, to wit (this is in my users file):

DEFAULT Auth-Type == MS-CHAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = 3

When watching the debug output from radiusd -X, I can see it sending these messages back to the Dell switch. However, the Dell switch is not correctly assigning the VLAN. The information from the release notes from Dell is as follows:

802.1x Option 81
The Tunnel Attribute indicates the tunneling protocol to be used or the tunneling protocol in use at the Authenticator. In particular, it may be desirable to allow a supplicant (MAC based) or port (Port Based) to be placed into a particular Virtual LAN (VLAN) based on the result of the authentication. To achieve the distribution of the VLAN id to the supplicant, the tunnel attribute can be used. For use in VLAN assignment, the following tunnel attributes are used:
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID, where VLANID is 12-bits, taking a value between 1 and 4093.
The NAS-IP Attribute indicates the identifying IP Address of the NAS (Switch or Access Point) which is requesting authentication of the user, and should be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier must be present in an Access-Request packet.

I can see from my Dell switch that this stuff is enabled, but for some reason it's still not setting the VLAN. Does anyone have any suggestions? Thanks.
Re: CHAP and Windows 2003 AD LDAP
Alan DeKok wrote:
Luke wrote:
Unfortunately I need to support CHAP because it is used by an external global dial-up provider which the freeradius machine is authenticating for.

If the passwords are in AD your ONLY choice is to use IAS, and even then, only if ALL of the passwords are stored via what they call using reversible encryption.

Thanks Alan - looks like it is not possible (we do not want to use IAS and store passwords using reversible encryption - which would also mean resetting every user's password). I'm going to need to talk to our global dial-up provider to see if they can send the radius request using anything other than CHAP if possible.

Thanks again, Luke
CHAP and Windows 2003 AD LDAP
Hi, I'm trying to get a freeradius server (v1.0.1) to work with CHAP and querying a Windows 2003 Active Directory server using LDAP. I've got LDAP working for PAP queries, but CHAP comes back with "rlm_chap: Could not find clear text password". Now I've read the FAQ and followed those notes, but I'm not sure what the values should be for the password_header, password_attribute and password_radius_attribute? Any help would be much appreciated, Thanks, Luke
Re: CHAP and Windows 2003 AD LDAP
Stefan Winter wrote:
I've got LDAP working for PAP queries, but CHAP comes back with "rlm_chap: Could not find clear text password".

AD and LDAP-mode don't work together. The AD server will not give away the user's attribute. If you want CHAP to work, you will need to use ntlm_auth.

Thanks for the responses guys. Unfortunately I need to support CHAP because it is used by an external global dial-up provider which the freeradius machine is authenticating for. The whole idea of using LDAP was because the machine was in the DMZ, and LDAP would allow us to lock it down more by only allowing the bind user access to certain parts of the AD tree. If I use ntlm_auth, the box will have to be joined to the domain (from my understanding) - wouldn't this represent quite a big security risk? Will ntlm_auth also do PAP (used by another provider authenticating against the server) where the password is in clear-text?

There's also a great tutorial on the topic, which is referenced here quite often by Charles Schwartz, see the archives for that one as well.

It's at http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf I believe (for anyone else who wants to have a look).

Thanks, Luke
accounting question
Hi, I have a question about radius. Is there anyone on this list that can help? I'm sure this is a very common request. I have a situation where radius accounting is logged to a MySQL database. I'd like to find a way to show the accurate number of users that are currently online. Up till now this has been done by querying the database to find entries in the radacct table that have value 0 for AcctStopTime. However there are quite a number of entries in this 'radacct' table that have the 0 as AcctStopTime but are not active sessions. What would be a way to get just the sessions that are active?

kind regards, Luke
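The question above, as an added example that is not from this thread: it assumes MySQL, a NAS that sends Interim-Update accounting, and a constructed stand-in table in place of the real radacct, and it separates genuinely open sessions from rows the NAS simply never closed.

```sql
-- Added example, not from the thread. A minimal stand-in for the radacct
-- table of the FreeRADIUS MySQL schema (only the columns used here), with
-- constructed rows. Assumption: the NAS sends Interim-Update accounting,
-- so acctstarttime + acctsessiontime is the last moment the NAS confirmed
-- the session was alive. A row with no stop time and no recent update is
-- a session the NAS never closed (reboot, lost Accounting-Stop), not a
-- user who is online.
DROP TABLE IF EXISTS radacct_demo;
CREATE TABLE radacct_demo (
  radacctid       INT AUTO_INCREMENT PRIMARY KEY,
  acctsessionid   VARCHAR(64) NOT NULL,
  username        VARCHAR(64) NOT NULL,
  nasipaddress    VARCHAR(15) NOT NULL,
  acctstarttime   DATETIME     NULL,
  acctstoptime    DATETIME     NULL,   -- NULL while open (1.x schemas used a zero date instead)
  acctsessiontime INT UNSIGNED NULL    -- seconds, refreshed by each Interim-Update
);

-- Constructed sample: evaluate everything against a fixed "now".
SET @now = '2011-09-14 12:00:00';
INSERT INTO radacct_demo
  (acctsessionid, username, nasipaddress, acctstarttime, acctstoptime, acctsessiontime) VALUES
  ('s1', 'alice', '10.0.0.1', '2011-09-14 11:30:00', NULL, 1500),                  -- last update 11:55: online
  ('s2', 'bob',   '10.0.0.1', '2011-09-13 09:00:00', NULL, 3600),                  -- last update yesterday 10:00: stale
  ('s3', 'carol', '10.0.0.2', '2011-09-14 11:00:00', '2011-09-14 11:20:00', 1200), -- closed normally
  ('s4', 'dave',  '10.0.0.2', '2011-09-14 11:58:00', NULL, 0);                     -- just started: online

-- Online = open row whose last confirmation is within one interim interval
-- plus slack. 10 minutes here; tune it to the NAS's Acct-Interim-Interval.
SELECT username, nasipaddress, acctsessionid,
       DATE_ADD(acctstarttime, INTERVAL COALESCE(acctsessiontime, 0) SECOND) AS last_seen
  FROM radacct_demo
 WHERE acctstoptime IS NULL
   AND DATE_ADD(acctstarttime, INTERVAL COALESCE(acctsessiontime, 0) SECOND)
       >= DATE_SUB(@now, INTERVAL 10 MINUTE)
 ORDER BY username;

-- Per-NAS count of online users, the number the question asks for.
SELECT nasipaddress, COUNT(*) AS online
  FROM radacct_demo
 WHERE acctstoptime IS NULL
   AND DATE_ADD(acctstarttime, INTERVAL COALESCE(acctsessiontime, 0) SECOND)
       >= DATE_SUB(@now, INTERVAL 10 MINUTE)
 GROUP BY nasipaddress;

-- The stale open rows, for review before closing them out.
SELECT username, nasipaddress, acctsessionid,
       DATE_ADD(acctstarttime, INTERVAL COALESCE(acctsessiontime, 0) SECOND) AS last_seen
  FROM radacct_demo
 WHERE acctstoptime IS NULL
   AND DATE_ADD(acctstarttime, INTERVAL COALESCE(acctsessiontime, 0) SECOND)
        < DATE_SUB(@now, INTERVAL 10 MINUTE);
```

Replace `@now` with `NOW()` and `radacct_demo` with `radacct` to run it against a live database; without Interim-Update on the NAS the `acctsessiontime` column never advances and this test cannot distinguish stale rows.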