Re: freeradius and vlan assignment
In the users file do this:

    DEFAULT Ldap-Group == cn=InsideGroup,o=Base
            Reply-Message = Your a member of the Inside Group,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Type = VLAN,
            Tunnel-Private-Group-ID = 11,
            Fall-Through = No

    DEFAULT Auth-Type == LDAP
            Reply-Message = You did not match a LDAP Group,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Type = VLAN,
            Tunnel-Private-Group-ID = 99

All members of the InsideGroup will get the first group of attributes and FreeRADIUS will stop looking. Everyone else who authenticated through LDAP will get the second group of attributes.

Bob

On Thu, Mar 18, 2010 at 8:59 AM, omega bk omeg...@gmail.com wrote:
> hi,
> assume that the switch does not support auth-fail and has 2 VLANs (vlan inside and vlan outside). Is it possible in the users file to put a condition like:
>
>     if (user belongs to Ldap-group=inside) assign to vlan = inside
>     else assign to vlan = outside
>
> is that possible? thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius and vlan assignment
I couldn't imagine that would be so simple. I'll try that next time. Thank you.

2010/3/18 Bob Brandt b...@brandt.ie:
> All members of the InsideGroup will get the first group of attributes and FreeRADIUS will stop looking. Everyone else who authenticated through LDAP will get the second group of attributes.
Re: Freeradius and vlan assignment
> Hi,
> I tried to configure my users file like this:
>
>     test    NAS-Port-Type == Ethernet
>             Service-Type = Framed-User,
>             Tunnel-Type += 13,
>             Tunnel-Medium-Type = 6,
>             Tunnel-Private-Group-ID = 2

    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Tunnel-Private-Group-Id = 2

this is a 'change this setting' type of return value rather than a check and comparison version. it also avoids playing with dictionary files etc - a plain method for your cisco kit. you may also need to return a 'UPDATED' flag - these values are much easier to return via eg rlm_perl than the users file (or rlm_sql if you feel that way inclined too!)

alan
Re: Freeradius and vlan assignment
Hi, and thanks for your help.

What did you mean by return a 'UPDATED' flag??

Bruno

2007/3/12, [EMAIL PROTECTED]:
> you may also need to return a 'UPDATED' flag - these values are much easier to return via eg rlm_perl than the users file (or rlm_sql if you feel that way inclined too!)
Re: Freeradius and vlan assignment
Hi,

> Hi, and thanks for your help.
> What did you mean by return a 'UPDATED' flag??

eg with rlm_perl you set the return code to be RLM_MODULE_UPDATED which notifies the server that everything is OK and that attribute pairs have been modified.

alan
RE: Freeradius and vlan assignment
Hi,

please respond to the freeradius mailing list.

I am not sure if you can use EAP to make a comparison, but anyway you will need two = ( == ) instead of one = ( = )... Try setting:

    test    NAS-Port-Type == Ethernet
            Tunnel-Type += 13,
            ...

Regards,
E:S

> Hi,
> I tried this but I never see anything about vlan in my freeradius log!! My user stays in the default VLAN!!!
> Is my user's definition in the users file correct?
>
>     test    Auth-Type = EAP
>             Tunnel-Type += 13,
>             Tunnel-Medium-Type += 6,
>             Tunnel-Private-Group-Id += 2,
>             Fall-Through += No
>
> Thanks
RE: Freeradius and vlan assignment
http://wiki.freeradius.org/Operators

Hint: += for Tunnel-Type!

Regards,
E:S

From: [EMAIL PROTECTED] On Behalf Of Bruno Mardirossian
Sent: Friday, 09 March 2007 03:49
To: freeradius-users@lists.freeradius.org
Subject: Freeradius and vlan assignment

Hello!

I am working on implementing freeradius with a cisco 3750 switch connected to freeradius, which then talks to AD. (The linux box is on the AD domain)

Anyway, we try to make vlan assignment by using the 'users' file. We create a user named 'test' on my AD server, and we created this section in the file users:

    test    Auth-Type := MS-CHAP
            Tunnel-Type = 13,
            Tunnel-Medium-Type = 6,
            Tunnel-Private-Group-Id = 2

The user is correctly authenticated by AD, but he is put in the default vlan (id 1) and not in the vlan defined in the file 'users' (id 2).

By the way, reading the radiusd output, I think that freeradius does not read my users file... I didn't see in the log anything about the Tunnel-Type or Tunnel-Private-Group-Id information.

Anyone have any thoughts?
Regards
Bruno

    Message-Authenticator = 0xa309657e84ce8131d67aa64d9a491059
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 6
    modcall[authorize]: module preprocess returns ok for request 6
    modcall[authorize]: module chap returns noop for request 6
    rlm_realm: No '@' in User-Name = CSB\test, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 6
    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184
    modcall[authorize]: module files returns ok for request 6
    rlm_eap: EAP packet type response id 6 length 90
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 6
    modcall[authorize]: module mschap returns noop for request 6
    modcall: group authorize returns updated for request 6
    rad_check_password: Found Auth-Type MS-CHAP
    rad_check_password: Found Auth-Type EAP
    Warning: Found 2 auth-types on request for user 'CSB\test'
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 6
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/peap
    rlm_eap: processing type peap
    rlm_eap_peap: Authenticate
    rlm_eap_tls: processing TLS
    eaptls_verify returned 7
    rlm_eap_tls: Done initial handshake
    eaptls_process returned 7
    rlm_eap_peap: EAPTLS_OK
    rlm_eap_peap: Session established. Decoding tunneled attributes.
    rlm_eap_peap: EAP type mschapv2
    rlm_eap_peap: Tunneled data is valid.
    PEAP: Setting User-Name to CSB\test
    PEAP: Adding old state with 86 79
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 6
    modcall[authorize]: module preprocess returns ok for request 6
    modcall[authorize]: module chap returns noop for request 6
    rlm_realm: No '@' in User-Name = CSB\test, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 6
    users: Matched entry DEFAULT at line 165
    modcall[authorize]: module files returns ok for request 6
    rlm_eap: EAP packet type response id 6 length 67
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 6
    modcall[authorize]: module mschap returns noop for request 6
    modcall: group authorize returns updated for request 6
    rad_check_password: Found Auth-Type MS-CHAP
    rad_check_password: Found Auth-Type EAP
    Warning: Found 2 auth-types on request for user 'CSB\test'
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 6
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/mschapv2
    rlm_eap: processing type mschapv2
    Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 6
    rlm_mschap: No User-Password configured. Cannot create LM-Password.
    rlm_mschap: No User-Password configured. Cannot create NT-Password.
    rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
    radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
    radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
    radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
    mschap2: 9a
    radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
    radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --domain=CSB --username=test --challenge=0529c10bac22a3fa --nt-response=4b1e21679b85263858da26874073491971a58f8bfc024456'
    Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=CSB --username=test --challenge=0529c10bac22a3fa
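To see how the users file entries in this thread are walked (entry name against User-Name, `==` check items, `=` versus `+=` reply items, DEFAULT entries and Fall-Through), here is a small simulator added to this page; it is not FreeRADIUS code, the users-file text is constructed from Bob's DEFAULT entries and the per-user `test` entry discussed above, and it assumes group membership shows up as an Ldap-Group attribute on the request and compares only `==` check items.

```python
import re

# Constructed users file: one per-user entry ('==' check, '+=' replies) and Bob's two DEFAULTs.
USERS_FILE = """\
test    NAS-Port-Type == Ethernet
        Tunnel-Type += 13,
        Tunnel-Private-Group-ID += 2

DEFAULT Ldap-Group == "cn=InsideGroup,o=Base"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-ID = 11,
        Fall-Through = No

DEFAULT Auth-Type == LDAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-ID = 99
"""

ITEM = re.compile(r'\s*([\w-]+)\s*(==|:=|\+=|=)\s*("[^"]*"|[^,]+),?')  # attr op value[,]

def parse_items(text):
    return [(a, op, v.strip().strip('"')) for a, op, v in ITEM.findall(text)]

def parse_users(text):
    entries = []                                # [name, check_items, reply_items]
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace():                   # indented continuation: reply items
            entries[-1][2].extend(parse_items(line))
        else:                                   # entry line: name, then check items
            name, _, rest = line.partition(" ")
            entries.append([name, parse_items(rest), []])
    return entries

def lookup(entries, request):
    reply = {}                                  # attribute -> list of values
    for name, checks, replies in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue                            # e.g. 'test' never matches 'CSB\\test'
        if any(op == "==" and request.get(a) != v for a, op, v in checks):
            continue                            # only '==' check items are compared here
        for a, op, v in replies:
            if a == "Fall-Through":             # control item, never sent to the NAS
                continue
            if op == "+=":                      # add another instance of the attribute
                reply.setdefault(a, []).append(v)
            else:                               # '=': set only if not already present
                reply.setdefault(a, [v])
        if not any(a == "Fall-Through" and v == "Yes" for a, _, v in replies):
            break                               # first match wins unless Fall-Through = Yes
    return reply

def vlan_for(request):                          # Tunnel-Private-Group-ID the NAS gets, or None
    return lookup(parse_users(USERS_FILE), request).get("Tunnel-Private-Group-ID", [None])[0]
```

Feed it a User-Name of `test` and one of `CSB\test` (the form seen in the log above) to see that a per-user entry only matches the exact User-Name the NAS sent, while the DEFAULT entries still apply.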
Re: FreeRADIUS for VLAN-assignment auth. via WinNT-PDC
On Tuesday, 15 March 2005 23:02, Mark Wasmer wrote:
> Hello FreeRADIUS-users,
>
> I have to set up a FreeRADIUS server to authenticate notebooks and PCs (Win2000, WinXP, Linux) via the existing Windows NT PDC (will be replaced with Server 2003 sometime) and add them to their matching VLAN (using HP 2524 switches). Can someone give me a few hints what might be the best way to do this? Through the lack of consistent documentation I can't see how to move on.
>
> The urgent questions in detail:
>
> 1. The Windows NT server is not allowed to deliver plaintext passwords, so which authentication protocol should be used? EAP-MD5 would be fine, but does it work without plaintext passwords?

EAP/MD5 is the only way for WinNT as far as I know. MD5 hash is transferred over the net, so no plaintext passwords on the line.

> 2. How to get the passwords from the PDC at all? I've read about rlm_smb (but it is not included in the used Debian Sarge package), ntlm_auth, winbindd, PAM_winbind and the SMB method described in the experimental.conf *puh* ???

SMB experimental yes.

> 3. If the things above work, how to define which user belongs to which VLAN and get RADIUS to tell this to the authenticator?

Well, I could not imagine how WinNT could deliver VLANs since this information is not stored in WinNT user profiles. Perhaps you have to use realms to link user groups to VLANs. Only the username part is forwarded to WinNT. The username could look like [EMAIL PROTECTED]

> 4. And finally - how to set up a centralized/convenient administration method for the whole thing which makes it easy to add/delete users?

No chance since dialupadmin does not work with SMB. You always have to set up two admin systems: one for WinNT, one for Radius. The better way would be to use directly the AD from Win2003. It should be possible to store VLAN information in AD with a schema extension. Freeradius can operate together with AD. Management from AD.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Re: FreeRADIUS for VLAN-assignment auth. via WinNT-PDC
| EAP/MD5 is the only way for WinNT as far as I know. MD5 hash is transferred
| over the net, so no plaintext passwords on the line.

Seems I misunderstood the method - so EAP-MD5 will work fine for me :-)

| SMB experimental yes.

I'll give it a try.

| Well, I could not imagine how WinNT could deliver VLANs since this
| information is not stored in WinNT user profiles. Perhaps you have to use
| realms to link user groups to VLANs. Only the username part is forwarded to
| WinNT. The username could look like [EMAIL PROTECTED]

Wouldn't this be insecure? The users would be able to define themselves which VLAN they join - if I understand you correctly. This is not intended. Even though, how do I tell FreeRADIUS to strip the @vlan-group part of the username and use it as VLAN identifier?

Greetings
~ Mark Wasmer