Re: client code for long extended attributes?

2013-09-02 Thread Alan DeKok
Daniel Pocock wrote:
> Could you please clarify that - it is possible to build a client library
> from the server source tarball?

  Yes.  RedHat already packages libfreeradius-radius as a separate RPM,
IIRC.

> In Debian, I see "libfreeradius2" built from the server source tarball
> but that appears to be server-side library code, or is it also for
> client applications?

  Yes.  It's a fully-featured LGPL'd RADIUS library.  It handles
everything related to RADIUS.  Sockets, encoding, decoding,
dictionaries, etc.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: client code for long extended attributes?

2013-09-02 Thread Daniel Pocock
On 20/07/13 14:56, Alan DeKok wrote:
> Daniel Pocock wrote:
>> Should this code be shared with the client project freeradius-client?
>   No.  The freeradius-client code is pretty bad.
>
>> Or is it preferred to build a new client (or shared library) from the
>> freeradius-server repository eventually?
>   The client code is already LGPL'd.  So it could be used as a client.

Could you please clarify that - it is possible to build a client library
from the server source tarball?

In Debian, I see "libfreeradius2" built from the server source tarball
but that appears to be server-side library code, or is it also for
client applications?




Re: client code for long extended attributes?

2013-07-20 Thread Alan DeKok
Daniel Pocock wrote:
> Should this code be shared with the client project freeradius-client?

  No.  The freeradius-client code is pretty bad.

> Or is it preferred to build a new client (or shared library) from the
> freeradius-server repository eventually?

  The client code is already LGPL'd.  So it could be used as a client.

  Alan DeKok.


Re: client code for long extended attributes?

2013-07-19 Thread Daniel Pocock


On 15/07/13 21:53, Alan DeKok wrote:
> Daniel Pocock wrote:
>> Can anybody comment on which client code should be used for long
>> extended attributes?
>>
>> I see that the freeradius-client project predates RFC 6929.
> 
>   By a LONG ways.
> 
>   There's no client code for the extended attributes.  The RFC was just
> published.  So far as I know, FreeRADIUS is the only open source RADIUS
> system which supports it.
> 
>> Is there any module in the server project that provides a good example
>> of using these long values from requests?
> 
>   src/lib/radius.c is the RADIUS encoder / decoder.
> 

Should this code be shared with the client project freeradius-client?

Or is it preferred to build a new client (or shared library) from the
freeradius-server repository eventually?



Re: client code for long extended attributes?

2013-07-15 Thread Alan DeKok
Daniel Pocock wrote:
> Can anybody comment on which client code should be used for long
> extended attributes?
> 
> I see that the freeradius-client project predates RFC 6929.

  By a LONG ways.

  There's no client code for the extended attributes.  The RFC was just
published.  So far as I know, FreeRADIUS is the only open source RADIUS
system which supports it.

> Is there any module in the server project that provides a good example
> of using these long values from requests?

  src/lib/radius.c is the RADIUS encoder / decoder.

  Alan DeKok.
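As an added example (not code from this thread, and not FreeRADIUS's own src/lib/radius.c), here is a minimal encoder and decoder for the RFC 6929 Long Extended Type (Types 245/246) that the reply above points at: a value longer than one attribute can carry is split across consecutive attributes whose Flags octet has the M (More) bit set, and the decoder reassembles the chain and rejects a broken one. The Extended-Type number 7 and the sample values are constructed for the example.

```python
"""RFC 6929 "Long Extended Type" attributes (Types 245 and 246).

Wire layout of one fragment:
    Type (1) | Length (1) | Extended-Type (1) | Flags (1) | Value (<= 251)
Length counts the four header octets plus the Value, so one attribute
carries at most 251 Value octets; longer values are split into consecutive
fragments with the M (More) bit set in every fragment except the last.
"""

LONG_EXTENDED_TYPES = (245, 246)        # RFC 6929 Long Extended Type
EXTENDED_TYPES = (241, 242, 243, 244)   # RFC 6929 Extended Type (no Flags octet)
MORE_FLAG = 0x80                        # bit 7 of the Flags octet
MAX_FRAGMENT_VALUE = 251                # 255 (max Length) - 4 header octets


def encode_long_extended(attr_type, ext_type, value):
    """Encode `value` as one or more fragments of a Long Extended attribute.

    Every fragment but the last is filled to the maximum 251 Value octets
    and carries the M flag; the last fragment has M clear.
    """
    if attr_type not in LONG_EXTENDED_TYPES:
        raise ValueError("Long Extended Type must be 245 or 246")
    if not 1 <= ext_type <= 255:
        raise ValueError("Extended-Type must be 1..255")
    if not value:
        raise ValueError("a zero-length Value is not allowed")
    fragments = [value[i:i + MAX_FRAGMENT_VALUE]
                 for i in range(0, len(value), MAX_FRAGMENT_VALUE)]
    out = bytearray()
    for i, frag in enumerate(fragments):
        flags = MORE_FLAG if i < len(fragments) - 1 else 0
        out += bytes([attr_type, 4 + len(frag), ext_type, flags]) + frag
    return bytes(out)


def decode_attributes(data):
    """Walk a RADIUS attribute list (the octets after the 20-octet header).

    Returns a list of (type, extended_type, value) tuples; extended_type is
    None for classic attributes. Fragments of a Long Extended attribute are
    concatenated. Malformed input raises ValueError instead of being
    silently accepted, the defensive choice for anything decoding packets
    from the network.
    """
    attrs = []
    pos = 0
    chain = None  # (type, ext_type, bytearray) while an M-flag chain is open
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad Length {alen} for Type {atype}")
        body = data[pos + 2:pos + alen]
        pos += alen

        if atype in LONG_EXTENDED_TYPES:
            if len(body) < 3:
                raise ValueError("fragment needs Extended-Type, Flags and Value")
            ext_type, flags, frag = body[0], body[1], body[2:]
            if chain is not None and (chain[0], chain[1]) != (atype, ext_type):
                raise ValueError("fragment chain interrupted by another attribute")
            if chain is None:
                chain = (atype, ext_type, bytearray())
            chain[2].extend(frag)
            if not flags & MORE_FLAG:          # last fragment: emit the value
                attrs.append((chain[0], chain[1], bytes(chain[2])))
                chain = None
            continue

        if chain is not None:
            raise ValueError("fragment chain interrupted by another attribute")
        if atype in EXTENDED_TYPES:
            if len(body) < 1:
                raise ValueError("Extended Type attribute needs an Extended-Type octet")
            attrs.append((atype, body[0], body[1:]))
        else:
            attrs.append((atype, None, body))

    if chain is not None:
        raise ValueError("attribute list ended with the M flag still set")
    return attrs


if __name__ == "__main__":
    # Constructed: a 768-octet value under Extended-Type 7, which needs
    # four fragments (251 + 251 + 251 + 15 Value octets).
    big = bytes(range(256)) * 3
    wire = encode_long_extended(245, 7, big)
    user_name = bytes([1, 7]) + b"steve"   # classic User-Name attribute
    print(len(wire), "octets on the wire; round trip ok:",
          decode_attributes(user_name + wire)[1][2] == big)
```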


client code for long extended attributes?

2013-07-15 Thread Daniel Pocock


Can anybody comment on which client code should be used for long
extended attributes?

I see that the freeradius-client project predates RFC 6929.

Is there any module in the server project that provides a good example
of using these long values from requests?





Re: freeradius accept-accept with no AVP attributes

2013-07-13 Thread Alan DeKok
J KIE wrote:
> the radius servers on my network are receiving spikes of ACCESS-ACCEPT
> traffic,

  RADIUS servers received Access-Request packets, and send Access-Accept
packets.

> I have been analysing traffic using tshark and noticed that
> some of the ACCESS-ACCEPT packets sent from the server back to the client do
> not have the AVP attributes set

  Then run the server in debugging mode to see what's going on.

> below is an example

  Of a packet capture... all the way down to Ethernet.  Why?

  FreeRADIUS comes with debugging tools.  Use them.  You're wasting your
time when you look at raw packets.  It won't tell you anything useful.

  Alan DeKok.


freeradius accept-accept with no AVP attributes

2013-07-12 Thread J KIE
hi,

the radius servers on my network are receiving spikes of ACCESS-ACCEPT
traffic. I have been analysing traffic using tshark and noticed that some
of the ACCESS-ACCEPT packets sent from the server back to the client do not
have the AVP attributes set.

below is an example

Frame 167 (62 bytes on wire, 62 bytes captured)
Arrival Time: Jul 12, 2013 21:52:57.089629000
[Time delta from previous captured frame: 0.008112000 seconds]
[Time delta from previous displayed frame: 0.571386000 seconds]
[Time since reference or first frame: 3.798843000 seconds]
Frame Number: 167
Frame Length: 62 bytes
Capture Length: 62 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:radius]
Radius Protocol
Code: Access-Accept (2)
Packet identifier: 0xa (10)
Length: 20
Authenticator: B08F0EA3338728A7D2F7BC9F2D18861C
[This is a response to a request in frame 166]
[Time from request: 0.008112000 seconds]


Traffic was very low when I did this trace, so I don't think it is a RADIUS
retransmit. Below is another ACCESS-ACCEPT packet which does have the RADIUS
AVP attributes set. Any idea why there is a difference between the first
and the second?

Frame 1056 (121 bytes on wire, 121 bytes captured)
Arrival Time: Jul 12, 2013 21:56:28.66529
[Time delta from previous captured frame: 0.000353000 seconds]
[Time delta from previous displayed frame: 0.000353000 seconds]
[Time since reference or first frame: 20.611588000 seconds]
Frame Number: 1056
Frame Length: 121 bytes
Capture Length: 121 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:radius]
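As an added example (not from the post and not FreeRADIUS code), a small decoder for the RADIUS header and attribute list, applied to the 20-octet Access-Accept of frame 167 above, together with the RFC 2865 Response Authenticator check that separates a genuine reply from a spoofed or mis-keyed one. That check needs the matching request's Authenticator (frame 166) and the shared secret, neither of which is in the post, so the verification part runs on a constructed request Authenticator and secret.

```python
import hashlib
import hmac
import struct

# Frame 167 from the post: Code 2 (Access-Accept), Identifier 10, Length 20,
# Authenticator B08F...861C and nothing after the header. These are the only
# 20 octets of that packet; they are re-assembled from the tshark decode.
FRAME_167 = bytes.fromhex("020a0014B08F0EA3338728A7D2F7BC9F2D18861C")

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response",
              11: "Access-Challenge"}


def parse_packet(data):
    """Decode the 20-octet header (RFC 2865 section 3) and the attribute list.

    Returns a dict; attrs is a list of (type, value) pairs and is empty when
    Length is 20, which is exactly what frame 167 shows.
    """
    if len(data) < 20:
        raise ValueError("RADIUS packets are at least 20 octets")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError(f"Length {length} inconsistent with {len(data)} octets")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad Length {alen} for attribute {atype}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODE_NAMES.get(code, f"Unknown({code})"),
            "id": ident, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


def response_authenticator(header, request_authenticator, attributes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code, ident, attrs, request_authenticator, secret):
    """Build a response the way a server does, so the check below has input."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = response_authenticator(header, request_authenticator, body, secret)
    return header + auth + body


def verify_response(response, request_authenticator, secret):
    """True only if the Response Authenticator matches the request and secret.

    A reply that fails this check was not produced by a server holding the
    secret for this request, or was altered in transit, and must be dropped.
    """
    pkt = parse_packet(response)
    body = response[:pkt["length"]]
    expected = response_authenticator(body[:4], request_authenticator,
                                      body[20:], secret)
    return hmac.compare_digest(expected, pkt["authenticator"])


if __name__ == "__main__":
    pkt = parse_packet(FRAME_167)
    print(pkt["name"], "id", pkt["id"], "length", pkt["length"],
          "attributes:", len(pkt["attrs"]))
    # Constructed request Authenticator and secret (frame 166's are not in
    # the post), used to show the check passing and then failing.
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    ok = build_response(2, 10, [], req_auth, secret)
    print(verify_response(ok, req_auth, secret),
          verify_response(ok, req_auth, b"wrong-secret"))
```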

Re: Changed Attributes

2013-06-25 Thread A . L . M . Buxey
Hi,

>Alc-IPsec-Interface: Unknown attribute "" requires a hex string, not
>"private_ipsec"

so give it a hex string then

private_ipsec is 707269766174655f6970736563

alan


Re: Changed Attributes

2013-06-25 Thread Alan DeKok
George Innocent wrote:
> Thanks for the feedback, but I have not edited the dictionary file. What
> I said is that I checked and confirmed that the attributes I have configured
> are available in the dictionary.

  The error message you're seeing comes because you did NOT follow the
instructions for creating an entry in the "users" file.

  Your "users" file entry is WRONG.  Follow the documentation.

   If you insist on ignoring instructions and ignoring documentation,
you will be unsubscribed, and permanently banned from the list.

  We're here to help people.  If you're not willing to help yourself,
then we don't have time to help you, either.

  Alan DeKok.


Re: Changed Attributes

2013-06-25 Thread George Innocent
Hi Alan;

Thanks for the feedback, but I have not edited the dictionary file. What I
said is that I checked and confirmed that the attributes I have configured are
available in the dictionary.



On 25 June 2013 16:21, Alan DeKok  wrote:

> George Innocent wrote:
> > I have checked the dictionary files and the attributes which are in
> > existance; but i still get this error when i run debug mode.
>
>   Using FreeRADIUS requires a minimum amount of skill and documentation
> reading.  You've edited the dictionaries without understanding how the
> dictionaries work.
>
>   I'm not going to cut & paste the dictionary documentation here.  The
> instructions already exist.  Read the raddb/dictionary file, and "man
> dictionary".
>
>   Alan DeKok.
>



-- 
Regards:
George Innocent.

Re: Changed Attributes

2013-06-25 Thread Alan DeKok
George Innocent wrote:
> I have checked the dictionary files and the attributes, which are in
> existence; but I still get this error when I run debug mode.

  Using FreeRADIUS requires a minimum amount of skill and documentation
reading.  You've edited the dictionaries without understanding how the
dictionaries work.

  I'm not going to cut & paste the dictionary documentation here.  The
instructions already exist.  Read the raddb/dictionary file, and "man
dictionary".

  Alan DeKok.


Re: Changed Attributes

2013-06-25 Thread George Innocent
Hi Experts

I have checked the dictionary files and the attributes, which are in
existence; but I still get this error when I run debug mode.

/usr/local/etc/raddb/users[157]: Parse error (check) for entry
Alc-IPsec-Interface: Unknown attribute "" requires a hex string, not
"private_ipsec"
Errors reading /usr/local/etc/raddb/users
/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module
"files"
/usr/local/etc/raddb/sites-enabled/default[170]: Failed to load module
"files".
/usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize
section.
root@Radius-pst:~#

The profile of my user is:

steve  Cleartext-Password := "testing"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 192.168.1.2,
Framed-IP-Netmask = 255.255.255.0,
Alc-IPsec-Interface = private_ipsec,
Alc-IPsec-SA-Lifetime = 1200,
Alc-IPsec-SA-Encr-Algorithm = aes128,
Alc-IPsec-SA-Auth-Algorithm = sha1

Rgds


On 24 June 2013 22:04,  wrote:

> Hi,
>
> >But when i comment the attributes the radtest is successful
>
> did you check my other statement:
>
> >  3) ensure that these attributes that you are using are in a
> dictionary
> >  file and that the dictionary file is being read by the server when
> it
> >  starts
>
> well?
>
> alan
>



-- 
Regards:
George Innocent.

Re: Changed Attributes

2013-06-24 Thread A . L . M . Buxey
Hi,

>But when i comment the attributes the radtest is successful

did you check my other statement:

>  3) ensure that these attributes that you are using are in a dictionary
>  file and that the dictionary file is being read by the server when it
>  starts

well?

alan


Re: Changed Attributes

2013-06-24 Thread George Innocent
The configured user with the stated attributes:

steve  Cleartext-Password := "testing"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 192.168.1.2,
Framed-IP-Netmask = 255.255.255.0,
Alc-IPsec-Interface = private_ipsec,
Alc-IPsec-SA-Lifetime = 1200,
Alc-IPsec-SA-Encr-Algorithm = aes128,
Alc-IPsec-SA-Auth-Algorithm = sha1,

The error received on running radtest remains the same.

But when I comment out the attributes, the radtest is successful.


On 24 June 2013 19:55,  wrote:

> Hi,
>
> >I am creating attributes for the user using the script below, but on
> >running radtest I get a failure; the attributes seem to have
> >changed. I am using FreeRADIUS 2.1.0.
> >
> >"user1test" Auth-Type := Local, User-Password == "testpassword"
> >
> >Framed-IP-Address = 172.162.3.33,
> >
> >   Framed-IP-Netmask = 255.255.255.0,
> >
> >Alc-Primary-Dns = 4.4.2.2,
> >
> >Alc-Primary-Nbns = 8.8.4.4,
> >
> >Alc-IPsec-Serv-Id = 199920,
> >
> >Alc-IPsec-Interface = public_ipsec,
> >
> >Alc-IPsec-SA-Lifetime = 1200,
> >
> >Alc-IPsec-SA-Encr-Algorithm = aes128,
> >
> >Alc-IPsec-SA-Auth-Algorithm = sha1
>
> 1) it's Cleartext-Password := NOT User-Password ==
>
> 2) formatting is VERY important... I hope you don't have blank lines between
> each entry
>
> 3) ensure that these attributes that you are using are in a dictionary
> file and that the dictionary file is being read by the server when it
> starts
>
> alan
>



-- 
Regards:
George Innocent.

Re: Changed Attributes

2013-06-24 Thread A . L . M . Buxey
Hi,

>I am creating attributes for the user using the script below, but on
>running radtest I get a failure; the attributes seem to have
>changed. I am using FreeRADIUS 2.1.0.
> 
>"user1test" Auth-Type := Local, User-Password == "testpassword"
> 
>Framed-IP-Address = 172.162.3.33,
> 
>   Framed-IP-Netmask = 255.255.255.0,
> 
>Alc-Primary-Dns = 4.4.2.2,
> 
>Alc-Primary-Nbns = 8.8.4.4,
> 
>Alc-IPsec-Serv-Id = 199920,
> 
>Alc-IPsec-Interface = public_ipsec,
> 
>Alc-IPsec-SA-Lifetime = 1200,
> 
>Alc-IPsec-SA-Encr-Algorithm = aes128,
> 
>Alc-IPsec-SA-Auth-Algorithm = sha1

1) it's Cleartext-Password := NOT User-Password ==

2) formatting is VERY important... I hope you don't have blank lines between
each entry

3) ensure that these attributes that you are using are in a dictionary
file and that the dictionary file is being read by the server when it starts

alan


RE: Retrieving eDirectory VLAN attributes

2013-06-11 Thread Dan Lietz
Alan,

Thanks for the clear response, adding the attribute map to ldap.attrmap made it 
come to life. 

Thanks much for your help.

Dan

-Original Message-
From: freeradius-users-bounces+dlietz=inghamisd@lists.freeradius.org 
[mailto:freeradius-users-bounces+dlietz=inghamisd@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Friday, May 24, 2013 10:18 AM
To: FreeRadius users mailing list
Subject: Re: Retrieving eDirectory VLAN attributes

Dan Lietz wrote:
> I’m pretty much a noob when it comes to freeradius as I still don’t 
> completely understand what files are used for authorization and 
> authentication and where to put different certain pieces of configuration.

  Rule 1: don't touch anything.  The configuration is complicated, but it 
mostly works.

  The "files used for authorization" are the virtual servers.  See 
raddb/sites-enabled.  Those files reference other configuration.  But it's all 
reasonably well abstracted.

  i.e. you don't need to know anything about the "mschap" module configuration 
to use it.  You don't even need to know *where* its configuration lives.  But 
if you run the server in debugging mode, it will tell you.

  The "where to put configuration" issue largely depends on what you want to 
do.  Edit a virtual server?  See raddb/sites-enabled.  A module?
 raddb/modules.

> I’m trying to set up dynamic vlans for a wireless network with a 
> Ruckus Zone Director backend and a freeradius backend authenticating 
> via LDAP to eDirectory running on the same box. So far I’ve managed to 
> configure 802.11x authentication using PEAP and that is working well.

  That's good.

> Now I want to be able to retrieve the radius attribute in eDirectory 
> for the vlan tag so the Ruckus Zone Directory will automatically place 
> the user on the correct vlan once they are authenticated.

  OK.

> I did some initial testing without using LDAP by adding the following 
> lines to my users file:
> 
>  
> 
> DEFAULT
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 802,
> Tunnel-Private-Group-ID = 85,
> Fall-Through=Yes

  Yes, that works.  It's a good first step.

> By changing the value of “Tunnel-Private-Group-ID” (set to 85 in the 
> above example) the Zone Director will move users to the vlan ID I 
> specify here, but it is obviously static and does not change based on 
> the user. The next step is to configure FreeRadius to pull the info 
> from eDir via LDAP and that’s the part I’m not getting.

  The "ldap.attrmap" file is in the "raddb" directory.  It contains mappings 
from LDAP to RADIUS.  It's also documented in the comments at the top of the 
file.

> Part of my problem is that I don’t know which attributes mappings are 
> built in and which aren’t.

  See ldap.attrmap.

> According to this document: Integrating Novell eDirectory with 
> FreeRadius 
> <https://www.netiq.com/documentation/edir_radius/radiusadmin/?page=/do
> cumentation/edir_radius/radiusadmin/data/bv8m2ll.html>
> the listed radius attributes are available for use, but does that mean 
> I don’t need to add them to ldap.attr or the dictionary file at all? 
> Or that I don’t need to add an LDAP attribute map to the LDAP Group 
> object in iManager?

  The LDAP to RADIUS map is defined in ldap.attrmap.  And ONLY in ldap.attrmap. 
 Go look there.  If a mapping isn't there, it isn't mapped.  If it is there, 
the LDAP attribute (if any) is mapped to the RADIUS equivalent.

> The other thing I don’t understand is where (i.e. what file) to put 
> the ldap call for said attributes and what the syntax would look like.

  See raddb/sites-available/inner-tunnel, and "default".  Look for "ldap".  
Read the comments there.


> I’ve configured my eap.conf to include ‘copy_request_to_tunnel = yes’
> and ‘use_tunneled_reply = yes’

  That's correct for your setup.

  Alan DeKok.

Re: Retrieving eDirectory VLAN attributes

2013-05-24 Thread Alan DeKok
Dan Lietz wrote:
> I’m pretty much a noob when it comes to freeradius as I still don’t
> completely understand what files are used for authorization and
> authentication and where to put different certain pieces of configuration.

  Rule 1: don't touch anything.  The configuration is complicated, but
it mostly works.

  The "files used for authorization" are the virtual servers.  See
raddb/sites-enabled.  Those files reference other configuration.  But
it's all reasonably well abstracted.

  i.e. you don't need to know anything about the "mschap" module
configuration to use it.  You don't even need to know *where* its
configuration lives.  But if you run the server in debugging mode, it
will tell you.

  The "where to put configuration" issue largely depends on what you
want to do.  Edit a virtual server?  See raddb/sites-enabled.  A module?
 raddb/modules.

> I’m trying to set up dynamic vlans for a wireless network with a Ruckus
> Zone Director backend and a freeradius backend authenticating via LDAP
> to eDirectory running on the same box. So far I’ve managed to configure
> 802.11x authentication using PEAP and that is working well.

  That's good.

> Now I want to be able to retrieve the radius attribute in eDirectory for
> the vlan tag so the Ruckus Zone Directory will automatically place the
> user on the correct vlan once they are authenticated.

  OK.

> I did some initial testing without using LDAP by adding the following
> lines to my users file:
> 
>  
> 
> DEFAULT 
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 802,
> Tunnel-Private-Group-ID = 85,
> Fall-Through=Yes

  Yes, that works.  It's a good first step.

> By changing the value of “Tunnel-Private-Group-ID” (set to 85 in the
> above example) the Zone Director will move users to the vlan ID I
> specify here, but it is obviously static and does not change based on
> the user. The next step is to configure FreeRadius to pull the info from
> eDir via LDAP and that’s the part I’m not getting.

  The "ldap.attrmap" file is in the "raddb" directory.  It contains
mappings from LDAP to RADIUS.  It's also documented in the comments at
the top of the file.

> Part of my problem is that I don’t know which attributes mappings are
> built in and which aren’t.

  See ldap.attrmap.

> According to this document: Integrating
> Novell eDirectory with FreeRadius
> <https://www.netiq.com/documentation/edir_radius/radiusadmin/?page=/documentation/edir_radius/radiusadmin/data/bv8m2ll.html>
> the listed radius attributes are available for use, but does that mean I
> don’t need to add them to ldap.attr or the dictionary file at all? Or
> that I don’t need to add an LDAP attribute map to the LDAP Group object
> in iManager?

  The LDAP to RADIUS map is defined in ldap.attrmap.  And ONLY in
ldap.attrmap.  Go look there.  If a mapping isn't there, it isn't
mapped.  If it is there, the LDAP attribute (if any) is mapped to the
RADIUS equivalent.

> The other thing I don’t understand is where (i.e. what file) to put the
> ldap call for said attributes and what the syntax would look like.

  See raddb/sites-available/inner-tunnel, and "default".  Look for
"ldap".  Read the comments there.


> I’ve configured my eap.conf to include ‘copy_request_to_tunnel = yes’
> and ‘use_tunneled_reply = yes’

  That's correct for your setup.

  Alan DeKok.

Retrieving eDirectory VLAN attributes

2013-05-23 Thread Dan Lietz
Hello,

I'm pretty much a noob when it comes to freeradius as I still don't completely 
understand what files are used for authorization and authentication and where 
to put different certain pieces of configuration.

I'm trying to set up dynamic vlans for a wireless network with a Ruckus Zone 
Director backend and a freeradius backend authenticating via LDAP to eDirectory 
running on the same box. So far I've managed to configure 802.11x 
authentication using PEAP and that is working well.

Now I want to be able to retrieve the radius attribute in eDirectory for the 
vlan tag so the Ruckus Zone Directory will automatically place the user on the 
correct vlan once they are authenticated.

I did some initial testing without using LDAP by adding the following lines to 
my users file:

DEFAULT
Tunnel-Type = VLAN,
Tunnel-Medium-Type = 802,
Tunnel-Private-Group-ID = 85,
Fall-Through=Yes

By changing the value of "Tunnel-Private-Group-ID" (set to 85 in the above 
example) the Zone Director will move users to the vlan ID I specify here, but 
it is obviously static and does not change based on the user. The next step is 
to configure FreeRadius to pull the info from eDir via LDAP and that's the part 
I'm not getting.

Part of my problem is that I don't know which attributes mappings are built in 
and which aren't. According to this document: Integrating Novell eDirectory 
with 
FreeRadius<https://www.netiq.com/documentation/edir_radius/radiusadmin/?page=/documentation/edir_radius/radiusadmin/data/bv8m2ll.html>
 the listed radius attributes are available for use, but does that mean I don't 
need to add them to ldap.attr or the dictionary file at all? Or that I don't 
need to add an LDAP attribute map to the LDAP Group object in iManager?

The other thing I don't understand is where (i.e. what file) to put the ldap 
call for said attributes and what the syntax would look like.

I've configured my eap.conf to include 'copy_request_to_tunnel = yes' and 
'use_tunneled_reply = yes'

Any help is greatly appreciated and if I'm asking

Thanks.

Dan

Re: radgroupcheck attributes and test client

2013-05-06 Thread Russell Mike
On Sun, May 5, 2013 at 6:51 PM,  wrote:

>
> Von: Russell Mike 
>
> > You said same setup is working with Coovachilli, same groups / profiles?
> > Else cross check your reply & check items, if in place. If FR groups are
> > same check NAS side.
> > Thanks
>
> I'll check reply and check items when I'm in office again, but I'm quite
> sure they are the same.
>
> How can I check NAS side?


Documentation will tell


> One is Coovachilli, the other is a radius test client (NTRadPing and
> Radius Test Rig Utily)
>

You need to create a NAS entry in MySQL or a file for the IP address of the
machine from where you would run NTRadPing.

>
> Thank you!
>
> Chris
>

Re: radgroupcheck attributes and test client

2013-05-05 Thread ch2009

Von: Russell Mike 

> You said same setup is working with Coovachilli, same groups / profiles?
> Else cross check your reply & check items, if in place. If FR groups are
> same check NAS side.
> Thanks

I'll check reply and check items when I'm in office again, but I'm quite sure 
they are the same.

How can I check NAS side? One is Coovachilli, the other is a radius test client 
(NTRadPing and Radius Test Rig Utily)

Thank you!

Chris


Re: radgroupcheck attributes and test client

2013-05-05 Thread Russell Mike
You said the same setup is working with Coovachilli, same groups / profiles?
Else cross check your reply & check items, if in place. If FR groups are
the same, check the NAS side.
Thanks

On Friday, May 3, 2013, wrote:

> Hi,
>
> Von: Russell Mike >
>
> > FR should be able to know if the allowed time is used / consumed before it
> > can deny the request. Have you set up rlm_sqlcounter?
>
> Yes. The same setup is working with a Coova Chilli WLAN Router, so I guess
> it is a client issue.
>
> Chris
>

Aw: Re: radgroupcheck attributes and test client

2013-05-03 Thread ch2009
Hi, 

Von: Russell Mike 

> FR should be able to know if the allowed time is used / consumed before it
> can deny the request. Have you set up rlm_sqlcounter?

Yes. The same setup is working with a Coova Chilli WLAN Router, so I guess it 
is a client issue.

Chris


Re: radgroupcheck attributes and test client

2013-05-03 Thread Russell Mike
FR should be able to know if the allowed time is used / consumed before it
can deny the request. Have you set up rlm_sqlcounter?

Thanks RM --


On Fri, May 3, 2013 at 7:49 AM,  wrote:

> All,
>
> I'm a newbie in radius.
>
> I've set up freeradius with MySQL and max-daily-session. When I set
> max-daily-session := 10 in radgroupcheck table, a user of this group can
> login (accept packet after authentication), even if he already has been
> logged in for 10 seconds before. I'm using NTRadPing and Radius Test Rig
> Utily as a client. I've sent accounting packages. Radacct table got
> populated (beginning and end of session, no octets).
>
> Is it a client issue? Must NTRadPing send any additional parameters?
>
> Any help is appreciated.
>
> Chris
>

radgroupcheck attributes and test client

2013-05-03 Thread ch2009
All,

I'm a newbie in radius.

I've set up freeradius with MySQL and max-daily-session. When I set 
max-daily-session := 10 in radgroupcheck table, a user of this group can login 
(accept packet after authentication), even if he already has been logged in for 
10 seconds before. I'm using NTRadPing and Radius Test Rig Utily as a client. 
I've sent accounting packages. Radacct table got populated (beginning and end 
of session, no octets).

Is it a client issue? Must NTRadPing send any additional parameters?

Any help is appreciated.

Chris


Re: Updating Reply Attributes in authenticate section

2013-05-01 Thread Matthew Ceroni
Thanks for the reply.

First, adding an else to the if statement doesn't really help, as that is
in the authorize section, which simply queries AD via LDAP to check for
groups of the user. It uses an admin DN to bind and query, not the actual
user credentials (as this is a PEAP request). So I actually need to set
that attribute in the authenticate section when I determine that
authentication has failed.

All that being said, I was unaware of what you stated in your second
paragraph. I did test that, though. I just always return Access-Accept
when the calling station ID was from the wireless controller. Even when I
provided wrong credentials, radius returned Access-Accept, which indicated to
the controller it was successful and the user was able to get on WIFI (just
the wrong VLAN, because LDAP found the user in a specific group and assigned
that VLAN).


On Wed, May 1, 2013 at 3:36 PM,  wrote:

> Hi,
>
> >elsif (Ldap-Group == "netCoreClass-finance") {
> >update reply {
> >Tunnel-Private-Group-Id:1 := 124
> >}
> >}
> >Authentication is against Active Directory. So while a user may get
> >assigned to a VLAN based of their group membership, if they fail to
> >actually authenticate I want to change what VLAN they are assigned to
> >(want to put them into a guest VLAN).
> >How can I update reply attributes further down the chain?
>
> else {
> update reply {
> Tunnel-Private-Group-Id:1 := 666
> }
> }
>
> >The reason I am doing this is I have an old Cisco wireless LAN
> controller
> >that can't fall back to MAC 802.1x authentication. Therefore if a user
> >fails with their credentials they fail to authenticate all together.
> So
> >when coming from the wireless LAN controller I want always Accept.
>
> what type of system is this? 802.1X? if so, then you can't just blindly
> Access-Accept EAP auths if they've got incorrect user/pass - the WPA/WPA2
> enterprise key is derived from mutual agreement.
>
> if, however, this is just eg PAP with some captive portal thing then
> that'd work.
>
> alan

Re: Updating Reply Attributes in authenticate section

2013-05-01 Thread A . L . M . Buxey
Hi,

>elsif (Ldap-Group == "netCoreClass-finance") {
>update reply {
>Tunnel-Private-Group-Id:1 := 124
>}
>}
>Authentication is against Active Directory. So while a user may get
>assigned to a VLAN based of their group membership, if they fail to
>actually authenticate I want to change what VLAN they are assigned to
>(want to put them into a guest VLAN). 
>How can I update reply attributes further down the chain?

else {
update reply {
Tunnel-Private-Group-Id:1 := 666
}
}

>The reason I am doing this is I have an old Cisco wireless LAN controller
>that can't fall back to MAC 802.1x authentication. Therefore if a user
>fails with their credentials they fail to authenticate all together. So
>when coming from the wireless LAN controller I want always Accept.

what type of system is this? 802.1X? if so, then you can't just blindly 
Access-Accept EAP auths if they've got incorrect user/pass - the WPA/WPA2 
enterprise key is derived from mutual agreement. 

if, however, this is just eg PAP with some captive portal thing then that'd 
work.

alan


Updating Reply Attributes in authenticate section

2013-05-01 Thread Matthew Ceroni
In my authorize section I am matching LDAP groups to set VLAN attributes as
such:

if (Ldap-Group == "netCoreClass-IT") {
    update reply {
        Tunnel-Private-Group-Id:1 := 102
    }
}
elsif (Ldap-Group == "netCoreClass-engineering") {
    update reply {
        Tunnel-Private-Group-Id:1 := 112
    }
}
elsif (Ldap-Group == "netCoreClass-sales") {
    update reply {
        Tunnel-Private-Group-Id:1 := 116
    }
}
elsif (Ldap-Group == "netCoreClass-HR_Facility") {
    update reply {
        Tunnel-Private-Group-Id:1 := 120
    }
}
elsif (Ldap-Group == "netCoreClass-finance") {
    update reply {
        Tunnel-Private-Group-Id:1 := 124
    }
}

Authentication is against Active Directory. So while a user may get
assigned to a VLAN based of their group membership, if they fail to
actually authenticate I want to change what VLAN they are assigned to (want
to put them into a guest VLAN).

How can I update reply attributes further down the chain?

The reason I am doing this is I have an old Cisco wireless LAN controller
that can't fall back to MAC 802.1x authentication. Therefore if a user
fails with their credentials they fail to authenticate all together. So
when coming from the wireless LAN controller I want always Accept.

I tried putting the following in the users file:

DEFAULT Called-Station-Id == "e8-40-40-cd-d6-10:sid_802"
Tunnel-Type:1 = 13,
Tunnel-Medium-Type:1 = 6,
Tunnel-Private-Group-Id:1 = 104

Which accomplishes that radius never rejects even on a failed
authentication, but the Tunnel-Private-Group-Id:1 doesn't get modified from
what was set in the authorize section.

Thanks

RE: implementing 3gpp2 attributes

2013-04-25 Thread Juan Pablo L.
Thank you very much Alan and Peter!! It is nice to know that freeradius is 
capable of doing so with minor changes in the dictionary. I'm using stable 
version 2.2, so I understand the master branch in git supports this; I will 
download it. Thanks a lot !!!

From: jpablolorenze...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: implementing 3gpp2 attributes
Date: Wed, 24 Apr 2013 22:35:58 +




Hi, I'm in the early stages of implementing a prepaid service for a CDMA 
network; I have to exchange RADIUS packets using the 3gpp2 standard, which is an 
extension to the basic RADIUS protocol. I'm facing an issue, and that is that 
the attributes in the 3gpp2 standard include attributes that contain subtypes, 
in the form of:

type: 26
Length: variable, greater than 8
Vendor-ID: 5535
Vendor-Type: 91
Vendor-Length: variable, greater than 2
Sub-Type (=1): Sub-Type for AvailableInClient attribute
Sub-Type (=2): Sub-Type for SelectedForSession attribute
...
Sub-Type (=N): 

I have done several tests to confirm that freeradius only supports simple 
attributes in the form of attribute = value. I need to implement the above; is 
there any way I can implement it? I don't mind doing all the work myself, but I 
do not see available or easy ways to access the actual data of the structures 
directly ... can someone please advise how to implement attributes such as the 
above? thanks! 

Re: implementing 3gpp2 attributes

2013-04-25 Thread Alan DeKok
Juan Pablo L. wrote:
> i have done several tests to confirm that freeradius only supports
> simple attributes in the form of attribute = value, i need to implement
> the above, is there any way i can implement it ?

  Massive code changes.

  Don't do it.

  Use the git "master" branch, which does support TLVs for VSAs.  You'll
probably need to edit the 3gpp2 dictionary, but the underlying code is
there.

  Alan DeKok.


Re: implementing 3gpp2 attributes

2013-04-25 Thread Peter Lambrechtsen
The dictionary.3gpp2 seems to have the VSA Attributes you're looking for.

If you're saying that VSA 91 should have subtypes, then you should
look at TLVs in the definition.

ATTRIBUTE   3GPP2-Prepaid-acct-Capability   91  octets

If you have a look in dictionary.dhcp under VSA 82 it gives you an
idea how to create the TLV sub VSAs.

ATTRIBUTE   DHCP-Relay-Agent-Information82  tlv
BEGIN-TLV   DHCP-Relay-Agent-Information

ATTRIBUTE   DHCP-Agent-Circuit-Id   1   octets
...
END-TLV DHCP-Relay-Agent-Information

I assume you're reading the spec from here?
http://www.3gpp2.org/public_html/specs/X.S0011-005-C_v1.0_110703.pdf

So you would want to update the dictionary file to say something like:

ATTRIBUTE   3GPP2-Prepaid-acct-Capability   91  tlv

BEGIN-TLV   3GPP2-Prepaid-acct-Capability

ATTRIBUTE   3GPP2-Prepaid-acct-Capability-AvailableInClient   1 octets
ATTRIBUTE   3GPP2-Prepaid-acct-Capability-SelectedForSession  2 octets
... Rinse and repeat...

END-TLV 3GPP2-Prepaid-acct-Capability

And then you just need to define what you need in those values.


On Thu, Apr 25, 2013 at 10:35 AM, Juan Pablo L.
 wrote:
> Hi, I'm in the early stages of implementing a prepaid service for a CDMA
> network; I have to exchange RADIUS packets using the 3gpp2 standard, which is
> an extension to the basic RADIUS protocol. I'm facing an issue, and that is
> that the attributes in the 3gpp2 standard include attributes that contain
> subtypes, in the form of:
>
> type: 26
> Length: variable, greater than 8
> Vendor-ID: 5535
> Vendor-Type: 91
> Vendor-Length: variable, greater than 2
> Sub-Type (=1): Sub-Type for AvailableInClient attribute
> Sub-Type (=2): Sub-Type for SelectedForSession attribute
> ...
> Sub-Type (=N): 
>
>
> I have done several tests to confirm that freeradius only supports simple
> attributes in the form of attribute = value. I need to implement the above;
> is there any way I can implement it? I don't mind doing all the work myself,
> but I do not see available or easy ways to access the actual data of the
> structures directly ... can someone please advise how to implement
> attributes such as the above? thanks!
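The layout quoted above (attribute 26, Vendor-ID 5535, Vendor-Type 91, then Sub-Type/Sub-Length pairs) is three nested levels of the same Type/Length/Value shape, which is why a TLV-capable dictionary can describe it. As an added illustration, not code from the thread or from FreeRADIUS, here is a Python decoder and encoder for exactly that structure, checking every length field before it is used; the sub-type names follow the dictionary layout Peter sketched, the sub-type values are assumed to be opaque octets, and the sample packet is constructed.

```python
import struct

# Constants from the 3GPP2 layout quoted in the thread.
ATTR_VENDOR_SPECIFIC = 26
VENDOR_3GPP2 = 5535
VSA_PREPAID_ACCT_CAPABILITY = 91
# Sub-type names follow the proposed dictionary; value encodings are
# treated as raw octets (an assumption, as in that dictionary).
PREPAID_CAPABILITY_SUBTYPES = {1: "AvailableInClient", 2: "SelectedForSession"}


class RadiusDecodeError(ValueError):
    """Raised for any length field that does not fit the buffer."""


def parse_tlvs(data):
    """Walk a run of Type(1)/Length(1)/Value elements where Length counts the
    two header bytes too (RADIUS attributes, vendor attributes and the 3GPP2
    sub-types all share this shape). Each length is validated before use, so
    a truncated or oversized element raises instead of reading past the end
    of the buffer, and a zero length cannot make the loop spin forever."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise RadiusDecodeError("truncated TLV header at offset %d" % off)
        t, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise RadiusDecodeError("bad TLV length %d at offset %d" % (length, off))
        out.append((t, data[off + 2:off + length]))
        off += length
    return out


def parse_vsa(value):
    """Split the value of attribute 26 into (Vendor-Id, [(Vendor-Type, data), ...])."""
    if len(value) < 6:  # 4-byte Vendor-Id plus at least one vendor TLV header
        raise RadiusDecodeError("VSA value too short (%d bytes)" % len(value))
    (vendor_id,) = struct.unpack("!I", value[:4])
    return vendor_id, parse_tlvs(value[4:])


def parse_prepaid_capability(vendor_data):
    """Decode the sub-TLVs of 3GPP2 Vendor-Type 91 into {name: octets}."""
    decoded = {}
    for sub_type, sub_value in parse_tlvs(vendor_data):
        name = PREPAID_CAPABILITY_SUBTYPES.get(sub_type, "SubType-%d" % sub_type)
        decoded[name] = sub_value
    return decoded


def decode_3gpp2_attrs(attr_area):
    """Return [(Vendor-Type, decoded value)] for every 3GPP2 VSA in the
    attribute area of a RADIUS packet (everything after the 20-byte header).
    Vendor-Type 91 is expanded into its sub-TLVs; other 3GPP2 VSAs are
    returned as raw octets, and other vendors' VSAs are skipped."""
    found = []
    for attr_type, attr_value in parse_tlvs(attr_area):
        if attr_type != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, vendor_attrs = parse_vsa(attr_value)
        if vendor_id != VENDOR_3GPP2:
            continue
        for vtype, vdata in vendor_attrs:
            if vtype == VSA_PREPAID_ACCT_CAPABILITY:
                found.append((vtype, parse_prepaid_capability(vdata)))
            else:
                found.append((vtype, vdata))
    return found


def _tlv(t, value):
    """Encode one Type/Length/Value element, refusing values that cannot fit
    the one-byte length field."""
    if len(value) > 253:
        raise ValueError("TLV value of %d bytes does not fit" % len(value))
    return bytes([t, 2 + len(value)]) + value


def build_prepaid_capability(sub_values):
    """Encode [(sub_type, octets), ...] as a complete attribute 26 carrying
    3GPP2 Vendor-Type 91 (used here to build sample input)."""
    body = b"".join(_tlv(st, v) for st, v in sub_values)
    vsa_value = struct.pack("!I", VENDOR_3GPP2) + _tlv(VSA_PREPAID_ACCT_CAPABILITY, body)
    return _tlv(ATTR_VENDOR_SPECIFIC, vsa_value)


# Constructed sample: a User-Name attribute (type 1) followed by the prepaid VSA.
SAMPLE_ATTRS = _tlv(1, b"chris") + build_prepaid_capability(
    [(1, b"\x00\x00\x00\x03"), (2, b"\x00\x00\x00\x01")]
)

if __name__ == "__main__":
    for vtype, val in decode_3gpp2_attrs(SAMPLE_ATTRS):
        print("3GPP2 VSA %d: %r" % (vtype, val))
```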


implementing 3gpp2 attributes

2013-04-24 Thread Juan Pablo L.
Hi, I'm in the early stages of implementing a prepaid service for a CDMA 
network; I have to exchange RADIUS packets using the 3gpp2 standard, which is an 
extension to the basic RADIUS protocol. I'm facing an issue, and that is that 
the attributes in the 3gpp2 standard include attributes that contain subtypes, 
in the form of:

type: 26
Length: variable, greater than 8
Vendor-ID: 5535
Vendor-Type: 91
Vendor-Length: variable, greater than 2
Sub-Type (=1): Sub-Type for AvailableInClient attribute
Sub-Type (=2): Sub-Type for SelectedForSession attribute
...
Sub-Type (=N): 

I have done several tests to confirm that freeradius only supports simple 
attributes in the form of attribute = value. I need to implement the above; is 
there any way I can implement it? I don't mind doing all the work myself, but I 
do not see available or easy ways to access the actual data of the structures 
directly ... can someone please advise how to implement attributes such as the 
above? thanks!

Re: Freeradius 3 & LDAP Generic Attributes

2013-04-12 Thread Arran Cudbard-Bell

On 12 Apr 2013, at 15:21, Arran Cudbard-Bell  wrote:

> 
> On 12 Apr 2013, at 15:00, Nicholas Lemberger  wrote:
> 
>> The ldap.attrmap syntax in FR2 was:
>> checkItem   $GENERIC$   radiusCheckItem
>> replyItem   $GENERIC$   radiusReplyItem
>> 
>> Basically the ldap attributes radiusCheckItem & radiusReplyItem
>> contained FR attr/value pairs which were then added to the
>> corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could
>> be "Primary-DNS-Server := 1.1.1.1").
>> 
>> They wouldn't necessarily need to be distinct check/reply attributes
>> in the new rlm_ldap...  it could work more like unlang where an LDAP
>> attribute value could be "control:Disabled := true", and where if the
>> list: portion is omitted it would default to reply.  No matter how
>> this happens, there's probably going to need to be a special case
>> syntax made in the rlm_ldap attribute mapping...
> 
> I was thinking just adding a valuepair_attr = "blah" config item in the ldap 
> config and then doing exactly what you suggested above.
> 
> It's not much work, I'll take a look at it later today or tomorrow.

Done, but somebody's new xlat parser is segfaulting, so I'd wait until tomorrow 
for that to be fixed before testing.

-Arran


Re: Freeradius 3 & LDAP Generic Attributes

2013-04-12 Thread Arran Cudbard-Bell

On 12 Apr 2013, at 15:00, Nicholas Lemberger  wrote:

> The ldap.attrmap syntax in FR2 was:
> checkItem   $GENERIC$   radiusCheckItem
> replyItem   $GENERIC$   radiusReplyItem
> 
> Basically the ldap attributes radiusCheckItem & radiusReplyItem
> contained FR attr/value pairs which were then added to the
> corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could
> be "Primary-DNS-Server := 1.1.1.1").
> 
> They wouldn't necessarily need to be distinct check/reply attributes
> in the new rlm_ldap...  it could work more like unlang where an LDAP
> attribute value could be "control:Disabled := true", and where if the
> list: portion is omitted it would default to reply.  No matter how
> this happens, there's probably going to need to be a special case
> syntax made in the rlm_ldap attribute mapping...

I was thinking just adding a valuepair_attr = "blah" config item in the ldap 
config and then doing exactly what you suggested above.

It's not much work, I'll take a look at it later today or tomorrow.

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: Re: Freeradius 3 & LDAP Generic Attributes

2013-04-12 Thread Nicholas Lemberger
The ldap.attrmap syntax in FR2 was:
checkItem   $GENERIC$   radiusCheckItem
replyItem   $GENERIC$   radiusReplyItem

Basically the ldap attributes radiusCheckItem & radiusReplyItem
contained FR attr/value pairs which were then added to the
corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could
be "Primary-DNS-Server := 1.1.1.1").

They wouldn't necessarily need to be distinct check/reply attributes
in the new rlm_ldap...  it could work more like unlang where an LDAP
attribute value could be "control:Disabled := true", and where if the
list: portion is omitted it would default to reply.  No matter how
this happens, there's probably going to need to be a special case
syntax made in the rlm_ldap attribute mapping...

Best Regards,
-Nick


Re: Freeradius 3 & LDAP Generic Attributes

2013-04-10 Thread Arran Cudbard-Bell

> I've been puttering around with FR3 and haven't been able to figure
> out how to set up a mapping from LDAP 'radiusReplyItem' &
> 'radiusCheckItem' attributes to FR3 generic attributes.

I guess if it was useful we could add it back in, there's no real reason
not to.

Could you remind me what the value format was?

> While we do often create a special LDAP attribute for what we need,
> the generic attributes in FR2 made testing and certain one-off
> configurations much quicker.

Ok.

Arran Cudbard-Bell 
FreeRADIUS Development Team

Please contribute documentation:
http://wiki.freeradius.org

"Stupidity is a harsh teacher and her lesson is pain"


Freeradius 3 & LDAP Generic Attributes

2013-04-10 Thread Nicholas Lemberger
Hi,

I've been puttering around with FR3 and haven't been able to figure
out how to set up a mapping from LDAP 'radiusReplyItem' &
'radiusCheckItem' attributes to FR3 generic attributes.

While we do often create a special LDAP attribute for what we need,
the generic attributes in FR2 made testing and certain one-off
configurations much quicker.

I was hoping someone could point me in the correct direction!

Thanks,
-Nick


Re: Add LDAP groups as extra attributes

2013-03-19 Thread Robin Helgelin
On Fri, Mar 15, 2013 at 2:03 PM, Arran Cudbard-Bell
 wrote:
>> I know, but that attribute isn't presented to the python function call. Is 
>> there another way such as an environmental variable or just "please update 
>> the source"? :)
>
> Did you check the control list (config item tuple)?

As far as I can tell, the module only provides the request packet,
request->packet->vps

It does however update the config if provided from the module function.

-- 
regards,
Robin


Re: Add LDAP groups as extra attributes

2013-03-15 Thread Arran Cudbard-Bell

On 15 Mar 2013, at 08:43, Robin Helgelin  wrote:

> On 14 mar 2013, at 18:44, Arran Cudbard-Bell wrote:
>> 
>> That'd be the LDAP-UserDN attribute…
> 
> I know, but that attribute isn't presented to the python function call. Is 
> there another way such as an environmental variable or just "please update 
> the source"? :)

Did you check the control list (config item tuple)? 

-Arran




Re: Add LDAP groups as extra attributes

2013-03-15 Thread Robin Helgelin
On 14 mar 2013, at 18:44, Arran Cudbard-Bell wrote:
> 
> That'd be the LDAP-UserDN attribute…

I know, but that attribute isn't presented to the python function call. Is 
there another way such as an environmental variable or just "please update the 
source"? :)


regards,
Robin


Re: Add LDAP groups as extra attributes

2013-03-14 Thread Arran Cudbard-Bell

On 14 Mar 2013, at 13:39, Robin Helgelin  wrote:

> On 14 mar 2013, at 11:06, Phil Mayers  wrote:
> 
>> On 03/13/2013 07:45 PM, Robin Helgelin wrote:
>> 
>>> First problem is that I need to rewrite the output from ldap to
>>> something the radius-client finds useful. But there are radius modules
>>> for rewriting things right?
>> 
>> Yes, though TBH manipulating LDAP DNs in unlang/attr_rewrite is going to be 
>> a pain. You might have to fall back on one of the scripting language 
>> modules, as Arran says.
> 
> Yes, I ended up writing a small python script, works very nicely :)
> 
> The only thing missing is if it's possible for the ldap module to set an 
> attribute with the users full dn to be available for the python module. 

That'd be the LDAP-UserDN attribute...

-Arran



Re: Add LDAP groups as extra attributes

2013-03-14 Thread Robin Helgelin
On 14 mar 2013, at 11:06, Phil Mayers  wrote:

> On 03/13/2013 07:45 PM, Robin Helgelin wrote:
> 
>> First problem is that I need to rewrite the output from ldap to
>> something the radius-client finds useful. But there are radius modules
>> for rewriting things right?
> 
> Yes, though TBH manipulating LDAP DNs in unlang/attr_rewrite is going to be a 
> pain. You might have to fall back on one of the scripting language modules, 
> as Arran says.

Yes, I ended up writing a small python script, works very nicely :)

The only thing missing is if it's possible for the ldap module to set an 
attribute with the users full dn to be available for the python module. 

Regards,
Robin


Re: Add LDAP groups as extra attributes

2013-03-14 Thread Phil Mayers

On 03/13/2013 07:45 PM, Robin Helgelin wrote:

> First problem is that I need to rewrite the output from ldap to
> something the radius-client finds useful. But there are radius modules
> for rewriting things right?

Yes, though TBH manipulating LDAP DNs in unlang/attr_rewrite is going to 
be a pain. You might have to fall back on one of the scripting language 
modules, as Arran says.

> Next problem seems to be that freeradius ignores when ldap is
> returning more than one group, am I correct?

If you mean that you've set up ldap.attrmap but are only seeing one 
group, you might need to use the "operator" column and set it to +=



Re: Add LDAP groups as extra attributes

2013-03-13 Thread Arran Cudbard-Bell

On 13 Mar 2013, at 16:17, Robin Helgelin  wrote:

> On 13 mar 2013, at 20:52, Arran Cudbard-Bell  
> wrote:
> 
>>> 
>>> Next problem seems to be that freeradius ignores when ldap is
>>> returning more than one group, am I correct?
>> 
>> Ignores what?
>> 
>> If you're talking about an xlat query, then yes, it'll only provide the 
>> first result.
> 
> Yes, and there are no workarounds to that? More than editing the code I guess 
> :)

No. xlat is just string expansion (replacing placeholders in the string with 
other values). There are cases where it's used (abused) to do other things, but 
normally it only produces one value, the expanded string.

> Would it be possible to use another post-auth module to do this instead? As the 
> ldap module itself seems not quite what I'm trying to do here. 

You could use one of the dynamic language modules, python, perl, ruby etc.

Usually people just need to verify a user is in a certain group, they don't 
usually need to return all the groups a user is in...

-Arran


Re: Add LDAP groups as extra attributes

2013-03-13 Thread Robin Helgelin
On 13 mar 2013, at 20:52, Arran Cudbard-Bell  wrote:

>> 
>> Next problem seems to be that freeradius ignores when ldap is
>> returning more than one group, am I correct?
> 
> Ignores what?
> 
> If you're talking about an xlat query, then yes, it'll only provide the first 
> result.

Yes, and there are no workarounds to that? More than editing the code I guess :)

Would it be possible to use another post-auth module to do this instead? As the 
ldap module itself seems not quite what I'm trying to do here. 

Regards,
Robin


Re: Add LDAP groups as extra attributes

2013-03-13 Thread Arran Cudbard-Bell

On 13 Mar 2013, at 15:45, Robin Helgelin  wrote:

> On Wed, Mar 13, 2013 at 4:11 PM, Arran Cudbard-Bell
>  wrote:
>>> Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS 
>>> attribute, and add the RADIUS attribute to raddb/dictionary (taking care to 
>>> note the comments about numbering i.e. pick a number from 3000-3999). Don't 
>>> re-use an existing attribute - many of the xxGroup attribute have "magic" 
>>> behaviour hooks.
>> 
>> Phil is correct, but this will only work for something like AD, where you 
>> have memberOf attributes which link a user account to a group.
>> 
>> This also doesn't really work if you want a group name, and the membership 
>> attributes specify a group DN, though it'd probably be pretty easy to figure 
>> out the group name later (you could even do it within unlang if you're using 
>> FR 3.0).
> 
> Thanks, we're using the memberof overlay, and that might be working.
> 
> First problem is that I need to rewrite the output from ldap to
> something the radius-client finds useful. But there are radius modules
> for rewriting things right?

Um, yes, but you can probably just use unlang.

> 
> Next problem seems to be that freeradius ignores when ldap is
> returning more than one group, am I correct?

Ignores what?

If you're talking about an xlat query, then yes, it'll only provide the first 
result.

-Arran


Re: Add LDAP groups as extra attributes

2013-03-13 Thread Robin Helgelin
On Wed, Mar 13, 2013 at 4:11 PM, Arran Cudbard-Bell
 wrote:
>> Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS 
>> attribute, and add the RADIUS attribute to raddb/dictionary (taking care to 
>> note the comments about numbering i.e. pick a number from 3000-3999). Don't 
>> re-use an existing attribute - many of the xxGroup attribute have "magic" 
>> behaviour hooks.
>
> Phil is correct, but this will only work for something like AD, where you 
> have memberOf attributes which link a user account to a group.
>
> This also doesn't really work if you want a group name, and the membership 
> attributes specify a group DN, though it'd probably be pretty easy to figure 
> out the group name later (you could even do it within unlang if you're using 
> FR 3.0).

Thanks, we're using the memberof overlay, and that might be working.

First problem is that I need to rewrite the output from ldap to
something the radius-client finds useful. But there are radius modules
for rewriting things right?

Next problem seems to be that freeradius ignores when ldap is
returning more than one group, am I correct?

-- 
regards,
Robin


Re: Add LDAP groups as extra attributes

2013-03-13 Thread Phil Mayers

On 13/03/13 15:11, Arran Cudbard-Bell wrote:

> Phil is correct, but this will only work for something like AD,
> where you have memberOf attributes which link a user account to a
> group.

Good point, got to watch that - my LDAP is getting very AD-centric :o(


Re: Add LDAP groups as extra attributes

2013-03-13 Thread Arran Cudbard-Bell

On 13 Mar 2013, at 10:52, Phil Mayers  wrote:

> On 13/03/13 14:44, Robin Helgelin wrote:
>> Hi!
>> 
>> I want to add the LDAP-users current groups as extra attributes to the
>> authentication reply.
>> 
>> Is it possible? I'm having a hard time finding documentation about this.
> 
> Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS 
> attribute, and add the RADIUS attribute to raddb/dictionary (taking care to 
> note the comments about numbering i.e. pick a number from 3000-3999). Don't 
> re-use an existing attribute - many of the xxGroup attribute have "magic" 
> behaviour hooks.

Phil is correct, but this will only work for something like AD, where you have 
memberOf attributes which link a user account to a group.

This also doesn't really work if you want a group name, and the membership 
attributes specify a group DN, though it'd probably be pretty easy to figure 
out the group name later (you could even do it within unlang if you're using FR 
3.0).

Where you have the inverse, i.e. a group object specifying user names or user 
DNs the code doesn't currently support group retrieval, feel free to submit 
patches.

-Arran


Re: Add LDAP groups as extra attributes

2013-03-13 Thread Phil Mayers

On 13/03/13 14:44, Robin Helgelin wrote:

> Hi!
>
> I want to add the LDAP-users current groups as extra attributes to the
> authentication reply.
>
> Is it possible? I'm having a hard time finding documentation about this.

Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS 
attribute, and add the RADIUS attribute to raddb/dictionary (taking care 
to note the comments about numbering i.e. pick a number from 3000-3999). 
Don't re-use an existing attribute - many of the xxGroup attributes have 
"magic" behaviour hooks.



Add LDAP groups as extra attributes

2013-03-13 Thread Robin Helgelin
Hi!

I want to add the LDAP-users current groups as extra attributes to the
authentication reply.

Is it possible? I'm having a hard time finding documentation about this.


Thanks!
Robin


Re: Listing attributes in a request

2013-02-20 Thread Alan DeKok
Adam Moffett wrote:
> Does the output from radius -X display all of the attributes in a
> request from a client?

  Yes.  FreeRADIUS isn't in the business of hiding information from the
administrator.

>  If not, is there a way to see all of the
> attributes in the request?  I'm looking for the value of a VSA and I'm
> not seeing it.

  Then the NAS isn't sending it.

  Remember, this is RADIUS.  If anything goes wrong, it's usually the
fault of the NAS.

  Alan DeKok.


Listing attributes in a request

2013-02-20 Thread Adam Moffett
Does the output from radius -X display all of the attributes in a 
request from a client?  If not, is there a way to see all of the 
attributes in the request?  I'm looking for the value of a VSA and I'm 
not seeing it.  I'm not sure if it's not being displayed in the debug 
output or just not there at all.





Re: freeradius accounting of cdr and quotes for string attributes

2013-02-07 Thread Kelly Roestel
Alan,

Thank you for the info.

Kelly
206.331.3525o
425.270.8481c

On Wed 06 Feb 2013 11:41:42 AM PST, Alan DeKok wrote:


Re: freeradius accounting of cdr and quotes for string attributes

2013-02-06 Thread Alan DeKok
Kelly Roestel wrote:
> Yes that works.  However, if the attribute is empty there will still be 
> quotes in the csv file.

  If you want generic string manipulation code, use a real programming
language.  Or, write a "csv" module to do what you want.

  The linelog module is intended to write *lines of text*.  That is,
strings.  It is *not* intended to write carefully formatted CSV files.
It cannot be made to do that, as CSV files are not simple text strings.

  Alan DeKok.


Re: freeradius accounting of cdr and quotes for string attributes

2013-02-06 Thread Kelly Roestel
Matthew,

Yes that works.  However, if the attribute is empty there will still be 
quotes in the csv file.

Example.

using format = 
"\"%{Client-IP-Address}\",\"%{Calling-Station-Id}\",\"%{User-Name}\""

would yield, "x.x.x.x","station-x","Kelly"

if %{Calling-Station-Id} was null this format would yield. 
"x.x.x.x","","Kelly".

I would like to have blank attribute not insert quotes.  So my desired 
format would be "x.x.x.x",,"Kelly"

Thanks for the help so far.

Kelly
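Alan's point above is that linelog substitutes attribute values verbatim, so the quote-wrapped format string cannot yield real CSV. As an added example, not from the thread or from FreeRADIUS, this Python snippet contrasts what that format string produces with an RFC 4180 writer that gives Kelly's requested "x.x.x.x",,"Kelly" shape, and shows why the difference matters once a User-Name arrives carrying a quote or a comma; the attribute values and the field list are constructed, and the assumption that linelog performs no CSV escaping follows Alan's description.

```python
import csv
import io

# Field order of the CDR line, the same attributes as the linelog format
# string discussed in the thread.
CDR_FIELDS = ("Client-IP-Address", "Calling-Station-Id", "User-Name")


def linelog_style_line(attrs, fields=CDR_FIELDS):
    """Reproduce what the quote-wrapped linelog format string yields: every
    field is wrapped in literal double quotes and the value is substituted
    as-is, so an absent attribute still produces "" and a value containing
    a quote or comma is not escaped at all (assumed behaviour, per Alan)."""
    return ",".join('"%s"' % (attrs.get(name) or "") for name in fields)


def csv_cdr_line(attrs, fields=CDR_FIELDS):
    """Write the same fields as RFC 4180 CSV: string values are quoted with
    embedded quotes doubled, integer values (e.g. Acct-Session-Time) are
    written bare, and an absent or empty attribute becomes an empty,
    unquoted field, giving the "x.x.x.x",,"Kelly" shape asked for above."""
    out = []
    for name in fields:
        value = attrs.get(name)
        if value is None or value == "":
            out.append("")
        elif isinstance(value, int):
            out.append(str(value))
        else:
            out.append('"%s"' % str(value).replace('"', '""'))
    return ",".join(out)


def parse_cdr_line(line):
    """Parse one line the way a downstream billing importer would."""
    return next(csv.reader(io.StringIO(line)))


# Constructed sample records. The second carries a User-Name containing a
# quote and a comma; a NAS forwards whatever the supplicant typed, so the
# CDR writer, not the NAS, has to keep such a value inside one field.
NORMAL = {"Client-IP-Address": "192.0.2.10", "Calling-Station-Id": "", "User-Name": "Kelly"}
HOSTILE = {"Client-IP-Address": "192.0.2.10", "Calling-Station-Id": "00-11-22-33-44-55",
           "User-Name": 'kelly","192.0.2.99'}

if __name__ == "__main__":
    for rec in (NORMAL, HOSTILE):
        naive, proper = linelog_style_line(rec), csv_cdr_line(rec)
        print("linelog:", naive, "->", parse_cdr_line(naive))
        print("csv:    ", proper, "->", parse_cdr_line(proper))
```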


Re: freeradius accounting of cdr and quotes for string attributes

2013-02-06 Thread Matthew Newton
On Tue, Feb 05, 2013 at 05:18:13PM +, Kelly Roestel wrote:
> If you look at the detailed format, these string attributes are 
> enclosed.  But there seems to be no option in linelog module.

linelog {
  ...
  format = "\"%{Client-IP-Address}\",\"%{Calling-Station-Id}\",\"%{User-Name}\""
  ...
}


Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: free radius output attributes configuration

2013-02-06 Thread Iliya Peregoudov
rlm_sql does not support SQL parameter binding, neither input nor 
output.  Specifically, the rlm_sql xlat (i.e. "%{sql: ...}") returns the number of 
rows affected for insert/update/delete, and returns the result of a single-row, 
single-column select.


So your only option is a function called inside a select from dual:

    if ("%{sql: select func('%{User-Name}') from dual}") {
        ...
    }

On 06.02.2013 14:19, Lakshmi Narayana Baliah wrote:

> Hi All,
>
> How can I configure output attributes in free-radius?
> How do I do that??? please help



Re: free radius output attributes configuration

2013-02-06 Thread Russell Mike
What are output attributes?


On Wed, Feb 6, 2013 at 10:19 AM, Lakshmi Narayana Baliah <
lb0074...@techmahindra.com> wrote:

> Hi All,
>
> How can I configure output attributes in free-radius?
> How do I do that??? please help
>
>
> Thanks
> Lakshmi

free radius output attributes configuration

2013-02-06 Thread Lakshmi Narayana Baliah
Hi All,

How can I configure output attributes in free-radius?
How do I do that??? please help
 

Thanks
Lakshmi






freeradius accounting of cdr and quotes for string attributes

2013-02-05 Thread Kelly Roestel
My question is this,

I need to write CDR information out using the linelog module in csv 
format.  The requirement is that all string attributes need to be 
enclosed in double quotes.  How does one go about doing this?

If you look at the detailed format, these string attributes are 
enclosed.  But there seems to be no option in linelog module.

I am using freeradius v2.1.10.

Thanks for any help

Kelly
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: output attributes in free-radius

2013-01-30 Thread Leo Combes
2013/1/29 Lakshmi Narayana Baliah :
> Hi All,
>
> How can I define output attributes in free-radius?
> Any help would be appreciated.
>

I'm no expert on this, but maybe adding a custom dictionary?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


output attributes in free-radius

2013-01-29 Thread Lakshmi Narayana Baliah
Hi All,

How can I define output attributes in free-radius?
Any help would be appreciated.

Thanks
Lakshmi 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: dialup.conf custom attributes failure in freeradius 2.2

2013-01-28 Thread Alan DeKok
David Peterson wrote:
> Any release notes or is it primarily a bug fix release?

  Mostly a bug fix release.

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/doc/ChangeLog

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: dialup.conf custom attributes failure in freeradius 2.2

2013-01-28 Thread Miha Petkovsek

On Jan 28, 2013, at 4:27 PM, Alan DeKok  wrote:

> Use the v2.x.x branch from git.
> 
>  We should release 2.2.1 soon.
> 
>  Alan DeKok.

Hi Alan, I can wait till 2.2.1 is released, no problem, will wait for freebsd 
ports being updated with latest version and try again :) I just wanted to know 
if I am doing something wrong or something changed…

Thanks for the response!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: dialup.conf custom attributes failure in freeradius 2.2

2013-01-28 Thread David Peterson
 

Any release notes or is it primarily a bug fix release?

David

On Jan 28, 2013, at 4:27 PM, Alan DeKok  wrote:

>> Use the v2.x.x branch from git.
>>
>>  We should release 2.2.1 soon.
>>
>>  Alan DeKok.
>
> Hi Alan, I can wait till 2.2.1 is released, no problem, will wait for
> freebsd ports being updated with latest version and try again :) I just
> wanted to know if I am doing something wrong or something changed...
>
> Thanks for response!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: dialup.conf custom attributes failure in freeradius 2.2

2013-01-28 Thread Alan DeKok
Miha Petkovsek wrote:
> Hi, I need some help with inserting custom attributes to MySQL server.
> It seems that version 2.2 broke it, at least on my server… When I revert
> back to 2.1 it immediately starts to work with same config files.
> 
> Below are config files and traces for both versions.
> 
> Any idea?

  Use the v2.x.x branch from git.

  We should release 2.2.1 soon.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: dialup.conf custom attributes failure in freeradius 2.2

2013-01-28 Thread Miha Petkovsek

> yes, you dont seem to have 3GPP-IMSI in your dictionary file. thus the string
> expansion fails

Yes, that was my first thought but I am confident it is there, that's why it is 
strange…

[root@server ~]# grep IMSI /usr/local/share/freeradius/dictionary.3gpp
ATTRIBUTE   3GPP-IMSI   1   string
ATTRIBUTE   3GPP-IMSI-MCC-MNC   8   string
[root@server ~]# 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: dialup.conf custom attributes failure in freeradius 2.2

2013-01-28 Thread A . L . M . Buxey
Hi,

>Hi, I need some help with inserting custom attributes to MySQL server. It
>seems that version 2.2 broke it, at least on my server... When I revert
>back to 2.1 it immediately starts to work with same config files.
>Below are config files and traces for both versions.


>Any idea?

Yes, you don't seem to have 3GPP-IMSI in your dictionary file. Thus the string
expansion fails, as per


>[sql] WARNING: Unknown module "3GPP-IMSI" in string expansion "%', 


That's my first guess anyway! ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


dialup.conf custom attributes failure in freeradius 2.2

2013-01-28 Thread Miha Petkovsek
Hi, I need some help with inserting custom attributes to MySQL server. It seems 
that version 2.2 broke it, at least on my server… When I revert back to 2.1 it 
immediately starts to work with same config files.

Below are config files and traces for both versions.

Any idea?

thanks,
brm
--

Relevant part of dialup.conf (modified to include custom attributes):
accounting_start_query = " \
  INSERT INTO ${acct_table1} \
(acctsessionid,acctuniqueid, username, \
 imsi, imei, ms_timezone, \
 rat_type, user_location_info,realm, \
 nasipaddress, nasportid, \
 nasporttype,  acctstarttime,acctstoptime, \
 acctsessiontime,  acctauthentic,connectinfo_start, \
 connectinfo_stop, acctinputoctets,  acctoutputoctets, \
 calledstationid,  callingstationid, acctterminatecause, \
 servicetype,  framedprotocol,   framedipaddress, \
 acctstartdelay,   acctstopdelay) \
  VALUES \
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
 '%{SQL-User-Name}', \
 '%{3GPP-IMSI}', '%{3GGP-IMEISV}', '%{3GPP-MS-TimeZone}', \
 '%{3GPP-RAT-type}', '%{3GPP-User-Location-Info}', '%{Realm}', \
 '%{NAS-IP-Address}', '%{NAS-Port}', \
 '%{NAS-Port-Type}', '%S', NULL, \
 '0', '%{Acct-Authentic}', '%{Connect-Info}', \
 '', '0', '0', \
 '%{Called-Station-Id}', '%{Calling-Station-Id}', '', \
 '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
 '%{%{Acct-Delay-Time}:-0}', '0')"

Slightly modified dictionary.3gpp file to include custom attributes:
# new attributes
ATTRIBUTE   3GGP-IMEISV                 20  string
ATTRIBUTE   3GPP-RAT-type               21  byte
ATTRIBUTE   3GPP-User-Location-Info     22  octets
ATTRIBUTE   3GPP-MS-TimeZone            23  integer has_tag

# set RAT-TYPE
VALUE   3GPP-RAT-Type   Reserved        0
VALUE   3GPP-RAT-Type   UTRAN           1
VALUE   3GPP-RAT-Type   GERAN           2
VALUE   3GPP-RAT-Type   WLAN            3
VALUE   3GPP-RAT-Type   GAN             4
VALUE   3GPP-RAT-Type   HSPA-Evolution  5
VALUE   3GPP-RAT-Type   IEEE-802-16e    101
VALUE   3GPP-RAT-Type   3GPP2-eHRPD     102
VALUE   3GPP-RAT-Type   3GPP2-HRPD      103
VALUE   3GPP-RAT-Type   3GPP2-1xRTT     104
VALUE   3GPP-RAT-Type   3GPP-EPS        105

This is the accounting start record from debug mode:
rad_recv: Accounting-Request packet from host  port 54002, id=50, 
length=375
Acct-Status-Type = Start
Event-Timestamp = "Jan 26 2013 18:20:08 CET"
Framed-IP-Address = xxx
Called-Station-Id = "xx"
Calling-Station-Id = "xxx"
NAS-IP-Address = xxx
NAS-Identifier = "xxx"
Service-Type = Framed-User
NAS-Port-Type = Virtual
Acct-Session-Id = "5BB9DD25a7846fd9"
3GPP-IMSI = "xxx"
3GPP-IMSI-MCC-MNC = "xxx"
3GPP-NSAPI = "5"
3GGP-IMEISV = "xxx"
3GPP-RAT-type = UTRAN
3GPP-User-Location-Info = 0x0192f307000a79be
3GPP-Charging-ID = 2810474457
3GPP-PDP-Type = IP
3GPP-Selection-Mode = "0"

Error on version 2.2:
...
+- entering group accounting {...}
[sql]   expand: %{Calling-Station-Id} -> 
[sql] sql_set_user escaped user --> 'x'
[sql] WARNING: Unknown module "3GPP-IMSI" in string expansion "%', 
'%{3GGP-IMEISV}', '%{3GPP-MS-TimeZone}',  '%{3GPP-RAT-type}', 
'%{3GPP-User-Location-Info}','%{Realm}',  
'%{NAS-IP-Address}', '%{NAS-Port}',  '%{NAS-Port-Type}', '%S', 
NULL,  '0', '%{Acct-Authentic}', '%{Connect-Info}',  
'', '0', '0',  '%{Called-Station-Id}', '%{Calling-Station-Id}', '', 
 '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',   
   '%{%{Acct-Delay-Time}:-0}', '0')"
[sql]   expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sq

Re: Question on attributes

2013-01-17 Thread Tiago
2013/1/17 Phil Mayers :
> On 17/01/13 12:42, Tiago wrote:
>>
>> Hello Phil,
>> Thanks for your answer.
>>
>> I have these:
>> ATTRIBUTE   Download    78  integer
>> ATTRIBUTE   Upload      79  integer
>>
>> On /etc/freeradius/dictionary file that is being included as debug showed.
>>
>> including dictionary file /etc/freeradius/dictionary on freeradius v2.
>>
>> Maybe I need to create a separate dictionary file and have a include
>> on this file? What I'm doing wrong?
>
>
> These attributes are already allocated; you've "stolen" them from the main
> attribute space, and are probably having problems with dictionary precedence
> - IIRC there were changes in this area in FR2.

Thanks for clarification.

>
> The correct thing to do is either use a valid, allocated attribute, or
> assign your own from a valid, allocated enterprise number that you own.
>

Any suggestion/tip on how I can migrate from v1 to v2, considering that
I have a few "invalid" attributes in production today (Download/Upload
for example) that were implemented using the numbers I already
mentioned here, so I don't need to mess with 11,000 customers'
radreply attributes (that are configured with Download/Upload values)
without a naming change? Maybe it will not be the best thing to do,
but as a next step.


> What is processing these attributes? Since you are using rp-pppoe, I suspect
> you are using an "ip-up" script and processing them in shell script?
>
> In that case, find an allocated attribute with similar purpose, and use
> that. Use "grep" to search the dictionaries.

Yes, that's correct, it's being processed in ip-up.

>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question on attributes

2013-01-17 Thread Alan DeKok
Tiago wrote:
> Alan,

  Please also learn to edit the messages to this list.  There is NO need
to quote the entire message again.

> Thanks, can I add an attribute to dictionary.roaringpenguin besides
> the ones listed there? I'm asking that to avoid broking my production
> environment.

  Are you in charge of roaring penguin?

> I saw there this (dictionary.roaringpenguin):
>  # Downstream speed limit in kb/s
> ATTRIBUTE   RP-Downstream-Speed-Limit   2   integer
> 
> Can I add at the end?
> ATTRIBUTE   Download   6   integer

  Why?

  And where did you get the number "6" from?  Did you just invent it?

  In case it was not clear before:

 DO NOT EDIT THE DICTIONARIES.

 DO NOT INVENT NUMBERS.

  YOU DO NOT CONTROL VENDOR DICTIONARIES.

  DO NOT EDIT THEM.

  Is that clearer?

> Do I need to make any attribute number change on my pppoe/nas server
> to understand the new defined here?

  You have absolutely no idea how RADIUS works.  As a result, you have
NO BUSINESS editing the dictionaries.

> I'm asking that because the old freeradius/pppoe are working using
> those attributes numbers, which is already defined by another
> attributes as you stated.

  How about reading the roaring penguin documentation to see which
attributes it needs?

  You are obsessed with editing the dictionaries.  DON'T DO THAT.

  Instead, read the documentation.  It's not hard.


  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question on attributes

2013-01-17 Thread Phil Mayers

On 17/01/13 12:42, Tiago wrote:

> Hello Phil,
> Thanks for your answer.
>
> I have these:
> ATTRIBUTE   Download    78  integer
> ATTRIBUTE   Upload      79  integer
>
> On /etc/freeradius/dictionary file that is being included as debug showed.
>
> including dictionary file /etc/freeradius/dictionary on freeradius v2.
>
> Maybe I need to create a separate dictionary file and have a include
> on this file? What I'm doing wrong?


These attributes are already allocated; you've "stolen" them from the 
main attribute space, and are probably having problems with dictionary 
precedence - IIRC there were changes in this area in FR2.


The correct thing to do is either use a valid, allocated attribute, or 
assign your own from a valid, allocated enterprise number that you own.


What is processing these attributes? Since you are using rp-pppoe, I 
suspect you are using an "ip-up" script and processing them in shell script?


In that case, find an allocated attribute with similar purpose, and use 
that. Use "grep" to search the dictionaries.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question on attributes

2013-01-17 Thread Tiago
Alan,


2013/1/17 Alan DeKok :
> Tiago wrote:
>> From man I have:
>
>   Please don't quote the documentation here.  I've read it.
>
>> May I ask you a bit of patience helping me on this? So, can I conclude
>> that adding attributes to dictionary file will not make freeradius to
>> send those to NAS?
>
>   That is what the documentation says.
>
>> But are they necessary to create sql pairs and so
>> got from sql radreply?
>
>   I'm not sure what you mean by that.
>
>> So I didnt understand that, so entries with 3000-4000 numbers aren't
>> placed on radius packet, can I conclude that the others are?
>
>   No.
>
>> but on
>> the man it says that attributes are never exchanged. So I'm a bit
>> confused here.
>
>   It says the NAMES are never exchanged.  NAMES.  Not ATTRIBUTES.
>
>> What I need to do to radius server send the attributes that are
>> collected from my mysql database (radreply attrib)?
>
>   Use attributes that are *supposed* to go into a RADIUS packet.  It has
> nothing to do with MySQL.  The attributes can come from anywhere.
>
>   You can't simply invent attribute numbers.  They are assigned via a
> controlled process.  The numbers you used "78" and "79" are *already*
> assigned to different attributes.

>
>   You need to read the documentation for the PPOE server to see which
> attributes it understands.  There's also a "dictionary.roaringpenguin"
> file distributed with FreeRADIUS.  It defines attributes for the RP
> PPPoE server, for upload and download rate limiting.
>
>   Use that.
>

Thanks, can I add an attribute to dictionary.roaringpenguin besides
the ones listed there? I'm asking that to avoid breaking my production
environment.

I saw there this (dictionary.roaringpenguin):
 # Downstream speed limit in kb/s
ATTRIBUTE   RP-Downstream-Speed-Limit   2   integer

Can I add at the end?
ATTRIBUTE   Download   6   integer

Do I need to make any attribute number change on my pppoe/nas server
so that it understands the new one defined here?

I'm asking that because the old freeradius/pppoe are working using
those attribute numbers, which are already defined as other
attributes, as you stated.

Thanks

>   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question on attributes

2013-01-17 Thread Alan DeKok
Tiago wrote:
> From man I have:

  Please don't quote the documentation here.  I've read it.

> May I ask you a bit of patience helping me on this? So, can I conclude
> that adding attributes to dictionary file will not make freeradius to
> send those to NAS?

  That is what the documentation says.

> But are they necessary to create sql pairs and so
> got from sql radreply?

  I'm not sure what you mean by that.

> So I didnt understand that, so entries with 3000-4000 numbers aren't
> placed on radius packet, can I conclude that the others are?

  No.

> but on
> the man it says that attributes are never exchanged. So I'm a bit
> confused here.

  It says the NAMES are never exchanged.  NAMES.  Not ATTRIBUTES.

> What I need to do to radius server send the attributes that are
> collected from my mysql database (radreply attrib)?

  Use attributes that are *supposed* to go into a RADIUS packet.  It has
nothing to do with MySQL.  The attributes can come from anywhere.

  You can't simply invent attribute numbers.  They are assigned via a
controlled process.  The numbers you used "78" and "79" are *already*
assigned to different attributes.

  You need to read the documentation for the PPOE server to see which
attributes it understands.  There's also a "dictionary.roaringpenguin"
file distributed with FreeRADIUS.  It defines attributes for the RP
PPPoE server, for upload and download rate limiting.

  Use that.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question on attributes

2013-01-17 Thread Tiago
Alan,
Sorry, I did that. But I think I didn't understand it correctly, maybe
due to English not being my first language.

From man I have:

       The names have no meaning outside of the RADIUS server itself, and are
       never exchanged between server and clients.

       That is, editing the dictionaries will have NO EFFECT on anything other
       than the server that is reading those files.  Adding new attributes to
       the dictionaries will have NO EFFECT on RADIUS clients, and will not
       make RADIUS clients magically understand those attributes.  The
       dictionaries are solely for local administrator convenience, and are
       specific to each version of FreeRADIUS.

May I ask you a bit of patience helping me on this? So, can I conclude
that adding attributes to the dictionary file will not make freeradius
send those to the NAS? But are they necessary to create the sql pairs
that are got from sql radreply?

Yet,
On the dictionary file I have:
#   If you want to add entries to the dictionary file,
#   which are NOT going to be placed in a RADIUS packet,
#   add them here.  The numbers you pick should be between
#   3000 and 4000.

So I didn't understand that: entries with 3000-4000 numbers aren't
placed in the radius packet, so can I conclude that the others are? But in
the man page it says that attributes are never exchanged. So I'm a bit
confused here.

What do I need to do for the radius server to send the attributes that are
collected from my mysql database (radreply attrib)?

Thanks again.


2013/1/17 Alan DeKok :
> Tiago wrote:
>> I have these:
>> ATTRIBUTE   Download    78  integer
>> ATTRIBUTE   Upload      79  integer
>>
>> On /etc/freeradius/dictionary file that is being included as debug showed.
>
>   They are wrong.  Delete them.
>
>> including dictionary file /etc/freeradius/dictionary on freeradius v2.
>>
>> Maybe I need to create a separate dictionary file and have a include
>> on this file? What I'm doing wrong?
>
>   The documentation describes how the dictionaries work.  If you're
> editing the dictionary file, then READ IT.  It contains DOCUMENTATION
> describing how to add new attributes.
>
>   I honestly don't know why I write *any* documentation.  It seems that
> the bulk of problems on this list are people who fanatically avoid all
> existing documentation.
>
>   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question on attributes

2013-01-17 Thread Alan DeKok
Tiago wrote:
> I have these:
> ATTRIBUTE   Download    78  integer
> ATTRIBUTE   Upload      79  integer
> 
> On /etc/freeradius/dictionary file that is being included as debug showed.

  They are wrong.  Delete them.

> including dictionary file /etc/freeradius/dictionary on freeradius v2.
> 
> Maybe I need to create a separate dictionary file and have a include
> on this file? What I'm doing wrong?

  The documentation describes how the dictionaries work.  If you're
editing the dictionary file, then READ IT.  It contains DOCUMENTATION
describing how to add new attributes.

  I honestly don't know why I write *any* documentation.  It seems that
the bulk of problems on this list are people who fanatically avoid all
existing documentation.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question on attributes

2013-01-17 Thread Tiago
Hello Phil,
Thanks for your answer.

I have these:
ATTRIBUTE   Download    78  integer
ATTRIBUTE   Upload      79  integer

On /etc/freeradius/dictionary file that is being included as debug showed.

including dictionary file /etc/freeradius/dictionary on freeradius v2.

Maybe I need to create a separate dictionary file and have a include
on this file? What I'm doing wrong?

2013/1/17 Phil Mayers :
> On 17/01/13 11:29, Tiago wrote:
>>
>> Hello everyone,
>> I'm struggling with something that should be simple to fix.
>>
>> I have a rp-pppoe NAS server here that correctly understand a few
>> attributes (radreply) that come from freeradius 1.x (w/mysql
>> database). Example:
>>
>> Download (for download rates) attribute
>>
>> Simple real example, from pppoe server:
>> # cat /var/run/radattr.ppp479
>> 
>> Framed-Compression Van-Jacobson-TCP-IP
>> Framed-Protocol PPP
>> Framed-MTU 1500
>> Download 12000
>> Upload 3072
>
>
> "Download" and "Upload" aren't standard attributes. Where are these defined
> in "dictionary" files?
>
>
>> Sending Access-Accept of id 192 to NASPPPOE01 port 48956
>>  Framed-Protocol = PPP
>>  Framed-Compression = Van-Jacobson-TCP-IP
>>  Cliente =
>> "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
>>  Framed-MTU = 1500
>>  WISPr-Bandwidth-Max-Down = 256000
>>  WISPr-Bandwidth-Max-Up = 256000
>> Finished request 0.
>> Going to the next request
>>
>> What I'm missing? it seems like the attributes are not being sent to
>> NAS, but I could be wrong
>
>
> Correct.
>
> Check the attributes are actually defined in a dictionary on the 2.x
> installation; check raddb/dictionary on the 1.x installation, see if they
> were defined as custom VSAs or similar.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question on attributes

2013-01-17 Thread Phil Mayers

On 17/01/13 11:29, Tiago wrote:

> Hello everyone,
> I'm struggling with something that should be simple to fix.
>
> I have a rp-pppoe NAS server here that correctly understand a few
> attributes (radreply) that come from freeradius 1.x (w/mysql
> database). Example:
>
> Download (for download rates) attribute
>
> Simple real example, from pppoe server:
> # cat /var/run/radattr.ppp479
>
> Framed-Compression Van-Jacobson-TCP-IP
> Framed-Protocol PPP
> Framed-MTU 1500
> Download 12000
> Upload 3072


"Download" and "Upload" aren't standard attributes. Where are these 
defined in "dictionary" files?



> Sending Access-Accept of id 192 to NASPPPOE01 port 48956
>  Framed-Protocol = PPP
>  Framed-Compression = Van-Jacobson-TCP-IP
>  Cliente = 
> "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
>  Framed-MTU = 1500
>  WISPr-Bandwidth-Max-Down = 256000
>  WISPr-Bandwidth-Max-Up = 256000
> Finished request 0.
> Going to the next request
>
> What I'm missing? it seems like the attributes are not being sent to
> NAS, but I could be wrong


Correct.

Check the attributes are actually defined in a dictionary on the 2.x 
installation; check raddb/dictionary on the 1.x installation, see if 
they were defined as custom VSAs or similar.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LDAP Reply Attributes

2013-01-11 Thread Tyler Brady
>Switch config issue? Ensure your switch is configured to authorize over RADIUS 
>as well as to authenticate over RADIUS.
>(sounds like its doing the latter but not the former)

You were absolutely correct. I’m dumb and forgot that I removed the 
authorization statement from my switch awhile back.

T. Brady




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP Reply Attributes

2013-01-11 Thread Alan Buxey
Switch config issue? Ensure your switch is configured to authorize over RADIUS 
as well as to authenticate over RADIUS.
(sounds like its doing the latter but not the former)

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

LDAP Reply Attributes

2013-01-11 Thread Tyler Brady
I'm sure this is an easy issue to solve, but my simple brain can't seem to put 
the pieces together. Any help would be greatly appreciated.

I'm trying to authorize a login into a Cisco switch with admin privileges.

Users:

DEFAULT LDAP-Group == "Radius-Users"
 Reply-Message = "Welcome Message Test",
 Cisco-AVPair = "shell:priv-lvl=15"

Note: I've tried many different combinations of attributes with no luck. 
(Service-Type = Administrative-User,  Service-Type = NAS-Prompt-User)

Output:

Sending Access-Accept of id 61 to 172.28.64.3 port 1645
Reply-Message = "Welcome Message Test"
Cisco-AVPair = "shell:priv-lvl=15"


The switch login successfully shows "Welcome Message Test," but still kicks 
into user exec mode without applying the Cisco-AVPair = "shell:priv-lvl=15"


I noticed that there is a mapping for the Reply-Message found in ldap.attrmap, 
but none for Cisco-AVPair. Is this why it's not working? If so, I have not been 
able to find the correct syntax for adding it to ldap.attrmap.


Thanks in advance,

T. Brady
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Different reply attributes for same username in rlm_sql

2013-01-04 Thread Phil Mayers

On 04/01/13 14:18, Joe Rogers wrote:


> I am having difficulties implementing the following users file
> configuration in sql using freeradius 2.2.0:
>
> user1 Calling-Station-Id == "xx-xx-xx-xx-xx-xx"
>  Tunnel-Private-Group-ID = VLAN1,
>  Tunnel-Medium-Type = IEEE-802,
>  Tunnel-Type = VLAN
>
> user1 Calling-Station-Id == "yy-yy-yy-yy-yy-yy"
>  Tunnel-Private-Group-ID = VLAN2,
>  Tunnel-Medium-Type = IEEE-802,
>  Tunnel-Type = VLAN
>
> I'm attempting to send different reply attributes for the same username
> based on different check attributes.  But, I'm having a hard time seeing
> how this is possible with rlm_sql using the default
> authorize_check_query and authorize_reply_query settings.  I can
> certainly re-write those queries, but I'm hoping that I'm simply
> overlooking the proper way to configure this.


I think you need to rewrite the queries. IIRC there is no way to have >1 
set of radcheck/radreply users for a single user; the check/reply 
entries are merged.


You can probably (ab)use the groups functionality to do this.

Or, don't use the radcheck/radreply stuff at all; instead use an SQL 
xlat in "unlang":


post-auth {
  update reply {
Tunnel-Private-Group-ID = "%{sql:select vlan ... where ...}"
Tunnel-Medium-Type = IEEE-802
Tunnel-Type = VLAN
  }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Different reply attributes for same username in rlm_sql

2013-01-04 Thread Joe Rogers


I am having difficulties implementing the following users file 
configuration in sql using freeradius 2.2.0:


user1 Calling-Station-Id == "xx-xx-xx-xx-xx-xx"
Tunnel-Private-Group-ID = VLAN1,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Type = VLAN

user1 Calling-Station-Id == "yy-yy-yy-yy-yy-yy"
Tunnel-Private-Group-ID = VLAN2,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Type = VLAN

I'm attempting to send different reply attributes for the same username 
based on different check attributes.  But, I'm having a hard time seeing 
how this is possible with rlm_sql using the default 
authorize_check_query and authorize_reply_query settings.  I can 
certainly re-write those queries, but I'm hoping that I'm simply 
overlooking the proper way to configure this.


Any help would be appreciated!

Joe Rogers
University of South Florida

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encode multiple sub-attributes in single vsa?

2012-10-10 Thread Phil Mayers

On 10/10/2012 04:56 AM, Fajar A. Nugraha wrote:

> Interestingly enough, debian packages enable that option while redhat
> doesn't. What are the performance implications of enabling it? Is it
> something huge, or only several-percent-penalty and
> careful-you-can-shoot-yourself-in-the-foot kind of thing?


I'm not sure there are any performance implications per se. If I read 
the ./configure script correctly, what it primarily does is enable 
debugging symbols ("-g") and a whole bunch of C warnings. However, 
debugging symbols are conditionally enabled if the compiler supports 
them further up anyway, so really it's just the warnings AFAICT.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encode multiple sub-attributes in single vsa?

2012-10-09 Thread Far Runner
On Tue, Oct 9, 2012 at 6:36 PM, Alan DeKok  wrote:

>   Build it from source, with "./configure --enable-developer"

It worked, Thanks!

F.R
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encode multiple sub-attributes in single vsa?

2012-10-09 Thread Fajar A. Nugraha
On Wed, Oct 10, 2012 at 8:36 AM, Alan DeKok  wrote:
> Far Runner wrote:
>> I have tried Raw-Attribute, but the result packet doesn't contain the
>> synthesized VSA, and there is no error message in "-X" debug output. I
>> search around, and found following in 2.0.2 release notes:
>> "* Added ability send raw attributes via "Raw-Attribute =
>> 0x0102..."This is available only debug builds.  It can be used to
>> create invalid packets! Use it with care."
>> so it seems Raw-Attribute only work with a"debug build", but how do I
>> install a "debug build"?
>
>   Build it from source, with "./configure --enable-developer"


Interestingly enough, debian packages enable that option while redhat
doesn't. What are the performance implications of enabling it? Is it
something huge, or only several-percent-penalty and
careful-you-can-shoot-yourself-in-the-foot kind of thing?

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encode multiple sub-attributes in single vsa?

2012-10-09 Thread Alan DeKok
Far Runner wrote:
> I have tried Raw-Attribute, but the result packet doesn't contain the
> synthesized VSA, and there is no error message in "-X" debug output. I
> search around, and found following in 2.0.2 release notes:
> "* Added ability send raw attributes via "Raw-Attribute =
> 0x0102..."This is available only debug builds.  It can be used to
> create invalid packets! Use it with care."
> so it seems Raw-Attribute only work with a"debug build", but how do I
> install a "debug build"?

  Build it from source, with "./configure --enable-developer"

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encode multiple sub-attributes in single vsa?

2012-10-09 Thread Far Runner
On Sat, Oct 6, 2012 at 4:03 AM, Alan DeKok  wrote:
>
>   Or, use "Raw-Attribute" in FreeRADIUS.  It puts data into a packet
> exactly as-is.  It means that you do the work of creating a VSA with
> subattributes, and FreeRADIUS handles all of the signing, packet
> sending, etc.
>
>   e.g.:
>
> bob Cleartext-Password := "bob"
> Raw-Attribute = 0x1a120001010612345678020612345678
>
>   You'll have to create the contents of the VSA by hand.
>
I have tried Raw-Attribute, but the resulting packet doesn't contain the
synthesized VSA, and there is no error message in "-X" debug output. I
searched around, and found the following in the 2.0.2 release notes:
"* Added ability send raw attributes via "Raw-Attribute =
0x0102..."This is available only debug builds.  It can be used to
create invalid packets! Use it with care."
so it seems Raw-Attribute only works with a "debug build", but how do I
install a "debug build"?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encode multiple sub-attributes in single vsa?

2012-10-07 Thread Far.Runner
2012/10/6 Alan DeKok :
>   You can use the Perl RADIUS libraries to create a packet.
>
>   Or, use "Raw-Attribute" in FreeRADIUS.  It puts data into a packet
> exactly as-is.  It means that you do the work of creating a VSA with
> subattributes, and FreeRADIUS handles all of the signing, packet
> sending, etc.
>
>   e.g.:
>
> bob Cleartext-Password := "bob"
> Raw-Attribute = 0x1a120001010612345678020612345678
>
>   You'll have to create the contents of the VSA by hand.

Great tip, I think Raw-Attribute should do the work.
Thanks!


Re: Encode multiple sub-attributes in single vsa?

2012-10-06 Thread Alan DeKok
Far.Runner wrote:
> I need to test a radius client, one test item is to see if the client
> could handle a VSA that includes multiple sub-attrs, so I need a radius
> server that could generate an access-accept that contains such a VSA.

  You can use the Perl RADIUS libraries to create a packet.

  Or, use "Raw-Attribute" in FreeRADIUS.  It puts data into a packet
exactly as-is.  It means that you do the work of creating a VSA with
subattributes, and FreeRADIUS handles all of the signing, packet
sending, etc.

  e.g.:

bob Cleartext-Password := "bob"
Raw-Attribute = 0x1a120001010612345678020612345678

  You'll have to create the contents of the VSA by hand.

  Alan DeKok.
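Raw-Attribute hands FreeRADIUS the attribute as opaque bytes, so those bytes have to already be a well-formed Vendor-Specific attribute: type 26, a length octet that covers the whole attribute including the four-octet Vendor-Id, then the sub-attribute TLVs, each with its own length that counts its two-octet header. The Python below is an added example, not code from this thread or from FreeRADIUS. It builds such a VSA from constructed sub-attributes (Vendor-Id 32473 is the enterprise number reserved for documentation in RFC 5612, not a real vendor; the two four-octet values mirror the ones discussed above), prints the users-file entry, and parses the VSA back with the bounds checks that a client under test has to get right, rejecting any length octet that overruns the bytes actually present.

```python
"""Build, validate and parse an RFC 2865 Vendor-Specific Attribute (type 26)
that carries several sub-attributes, and turn it into the Raw-Attribute
users-file line FreeRADIUS expects.  Added example; not FreeRADIUS code."""
import struct

VENDOR_SPECIFIC = 26           # RFC 2865 section 5.26
MAX_ATTR_LEN = 255             # one-octet Length field

# Constructed sample input.  32473 is the Enterprise Number reserved for
# documentation (RFC 5612), not any real vendor; the values mirror the two
# four-octet sub-attributes discussed in the thread.
EXAMPLE_VENDOR_ID = 32473
EXAMPLE_SUBATTRS = [(1, b"\x12\x34\x56\x78"), (2, b"\x12\x34\x56\x78")]


def encode_vsa(vendor_id, subattrs):
    """Return the wire bytes of one VSA holding all of `subattrs`.

    Each sub-attribute is Vendor-Type, Vendor-Length, value, where
    Vendor-Length counts its own two-octet header.  The outer Length
    covers type, length, the four-octet Vendor-Id and every sub-attribute.
    """
    if not 0 <= vendor_id <= 0xFFFFFFFF:
        raise ValueError("Vendor-Id must fit in 32 bits")
    body = bytearray()
    for vtype, value in subattrs:
        if not 0 <= vtype <= 255:
            raise ValueError("Vendor-Type must fit in one octet")
        if len(value) > MAX_ATTR_LEN - 2:
            raise ValueError("sub-attribute value too long")
        body += bytes([vtype, 2 + len(value)]) + value
    length = 2 + 4 + len(body)
    if length > MAX_ATTR_LEN:
        raise ValueError("VSA exceeds 255 octets; split it across several VSAs")
    return bytes([VENDOR_SPECIFIC, length]) + struct.pack(">I", vendor_id) + bytes(body)


def decode_vsa(data):
    """Parse one VSA back into (vendor_id, [(vtype, value), ...]).

    Every length octet arrives from the network, so each one is bounded
    against the bytes actually present before it is used as an offset.
    A client that skips these checks over-reads on a crafted VSA.
    """
    if len(data) < 6 or data[0] != VENDOR_SPECIFIC or data[1] != len(data):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack(">I", data[2:6])[0]
    subattrs = []
    pos = 6
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = data[pos], data[pos + 1]
        if vlen < 2 or pos + vlen > len(data):
            raise ValueError("sub-attribute length overruns the VSA")
        subattrs.append((vtype, data[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subattrs


def raw_attribute_line(vsa):
    """The reply item for the users file (needs a --enable-developer build)."""
    return "Raw-Attribute = 0x" + vsa.hex()


def users_entry(user, password, vsa):
    """A complete users-file entry for a constructed test account."""
    return '%s\tCleartext-Password := "%s"\n\t%s' % (user, password, raw_attribute_line(vsa))


def build_example():
    return encode_vsa(EXAMPLE_VENDOR_ID, EXAMPLE_SUBATTRS)


if __name__ == "__main__":
    vsa = build_example()
    print(users_entry("bob", "bob", vsa))
    print(decode_vsa(vsa))   # round-trips to the constructed sub-attributes
```

Paste the printed entry into the users file of a server built with `--enable-developer`, authenticate as that test user, and point the client under test at the resulting Access-Accept; `decode_vsa` is what the client's own parser should agree with.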


Re: Encode multiple sub-attributes in single vsa?

2012-10-05 Thread Far.Runner
2012/10/5 Alan DeKok :

>   FreeRADIUS will correctly handle this.  It will NOT put multiple
> sub-attributes into a VSA, because many NASes will break.
>
>   A better response is: Why do you need this?

I need to test a radius client, one test item is to see if the client
could handle a VSA that includes multiple sub-attrs, so I need a radius
server that could generate an access-accept that contains such a VSA.

Thanks for your answer.


Re: Encode multiple sub-attributes in single vsa?

2012-10-05 Thread Alan DeKok
Far.Runner wrote:
> Hi,
> RFC2865 states "Multiple subattributes MAY be encoded within a single
> Vendor-Specific attribute, although they do not have to be." in
> section 5.26.
> Does Freeradius support this? if yes, how to enable it?

  FreeRADIUS will correctly handle this.  It will NOT put multiple
sub-attributes into a VSA, because many NASes will break.

  A better response is: Why do you need this?

  Alan DeKok.


Encode multiple sub-attributes in single vsa?

2012-10-05 Thread Far.Runner
Hi,
RFC2865 states "Multiple subattributes MAY be encoded within a single
Vendor-Specific attribute, although they do not have to be." in
section 5.26.
Does Freeradius support this? if yes, how to enable it?

F.R


Re: Multi-valued attributes

2012-10-04 Thread Alan DeKok
Lorenzo Milesi wrote:
> Is it possible to use Multi-valued attributes?
> I have 
> group1 NAS-Identifier =~ nas01|nas02
> group2 NAS-Identifier =~ nas03|nas04
> 
> I'd like some users which are in group1 to access ALSO group2 nases.
> Is it possible to do that, without creating a dedicated group?

  You'd have to do the group checks individually.

  Alan DeKok.
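One way to do the checks individually, as an added example that is not from this thread or from the FreeRADIUS distribution: keep group1 and group2 as huntgroups and give the user one users-file entry per huntgroup. The patterns here are anchored, which the entries in the question are not; an unanchored `nas01|nas02` also matches a NAS-Identifier such as `nas011` or `xnas02`, and NAS-Identifier is whatever string the NAS chooses to send. The user names and passwords are constructed.

```text
# raddb/huntgroups
group1  NAS-Identifier =~ "^(nas01|nas02)$"
group2  NAS-Identifier =~ "^(nas03|nas04)$"

# raddb/users: bob may log in through either huntgroup.  The first entry
# whose check items all match is used, so a second line covers group2.
bob    Huntgroup-Name == "group1", Cleartext-Password := "bob-password"
bob    Huntgroup-Name == "group2", Cleartext-Password := "bob-password"

# a user restricted to group1 needs only the one line
alice  Huntgroup-Name == "group1", Cleartext-Password := "alice-password"
```

With this layout a request for bob from a NAS outside both huntgroups matches neither entry and falls through to whatever DEFAULT entries follow, so make sure those do not accept him by accident.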


Multi-valued attributes

2012-10-04 Thread Lorenzo Milesi
Hi.

Is it possible to use Multi-valued attributes?
I have 
group1 NAS-Identifier =~ nas01|nas02
group2 NAS-Identifier =~ nas03|nas04

I'd like some users which are in group1 to access ALSO group2 nases.
Is it possible to do that, without creating a dedicated group?


thanks
-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.it

GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it




Re: Setting final response attributes for EAP

2012-09-19 Thread Brian Candler
> Yes, in post-auth.
> 
> post-auth {
>update reply {
>  ...
>}
> }

Thank you, that's an easy way to set it globally for all users - or I can do
a database dip there if required.

> Generally people will do this kind of thing in the inner-tunnel virtual 
> server and set "use_tunneled_reply = yes" to copy the attributes back. 
> You need to exercise caution if you're using session resumption here, 
> because resumed sessions don't use the inner-tunnel.

Right, I see that it defaults to 'no' which is why it wasn't working
originally when I just attached the reply attribute directly to the user.

Thanks again,

Brian.


Re: Setting final response attributes for EAP

2012-09-18 Thread Phil Mayers

On 18/09/12 14:16, Brian Candler wrote:

> When a user logs into a wireless AP, I would like to include some per-user
> response attributes, in particular Acct-Interim-Interval = 600
>
> However freeradius -X shows that this isn't happening, and it appears to be
> because of the following stanza in the default config:
>
>  #  The example below uses module failover to avoid querying all
>  #  of the following modules if the EAP module returns "ok".
>  #  Therefore, your LDAP and/or SQL servers will not be queried
>  #  for the many packets that go back and forth to set up TTLS
>  #  or PEAP.  The load on those servers will therefore be reduced.
>  #
>  eap {
>  	ok = return
>  }


This is in the "authorize" section. EAP doesn't know, at this point, 
that the packet will *be* the final one, because it hasn't processed it yet.

The EAP module does all its work in the "authenticate" section. It 
must, because it might need data added by previous modules in the 
"authorize" section (e.g. passwords from LDAP, SQL, files, etc.)

> What's the recommended solution here? Is it possible to distinguish between
> the final EAP accept and the earlier Access-Challenge, so that just the
> final response does a database lookup for the required user response
> attributes?


Yes, in post-auth.

post-auth {
  update reply {
...
  }
}

Generally people will do this kind of thing in the inner-tunnel virtual 
server and set "use_tunneled_reply = yes" to copy the attributes back. 
You need to exercise caution if you're using session resumption here, 
because resumed sessions don't use the inner-tunnel.

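The arrangement described above, written out as an added example; it is not from this thread or from the stock FreeRADIUS configuration, the 600-second value is the one from the question, and the file names are those of a 2.x raddb layout. The inner-tunnel post-auth sets the attribute once the user has actually authenticated, use_tunneled_reply copies it into the outer Access-Accept, and the outer server's post-auth adds the same value with `=` (which adds an attribute only when the reply does not already contain one) so that resumed TLS sessions, which never enter the inner-tunnel, still get an interval instead of none.

```unlang
# sites-enabled/inner-tunnel
post-auth {
	update reply {
		# a per-user value could come from a database dip here instead
		Acct-Interim-Interval := 600
	}
}

# eap.conf (other settings omitted): without this the inner reply
# attributes are discarded and never reach the Access-Accept
eap {
	ttls {
		use_tunneled_reply = yes
	}
	peap {
		use_tunneled_reply = yes
	}
}

# sites-enabled/default
post-auth {
	update reply {
		# "=" adds only if absent: the tunnelled per-user value wins when
		# there is one, and resumed sessions still get a default
		Acct-Interim-Interval = 600
	}
}
```

Run `freeradius -X`, authenticate once, then reconnect with the same client so the TLS session resumes, and confirm in both cases that the final Access-Accept carries the attribute; the second run is the one that exercises the outer fallback.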


Re: Setting final response attributes for EAP

2012-09-18 Thread alan buxey
Hi,

> When a user logs into a wireless AP, I would to include some per-user
> response attributes, in particular Acct-Interim-Interval = 600

yep - so just return that in the post-auth - done by either using an entry
in users file, unlang, perl code etc

alan


Setting final response attributes for EAP

2012-09-18 Thread Brian Candler
When a user logs into a wireless AP, I would like to include some per-user
response attributes, in particular Acct-Interim-Interval = 600

However freeradius -X shows that this isn't happening, and it appears to be
because of the following stanza in the default config:

#  The example below uses module failover to avoid querying all
#  of the following modules if the EAP module returns "ok".
#  Therefore, your LDAP and/or SQL servers will not be queried
#  for the many packets that go back and forth to set up TTLS
#  or PEAP.  The load on those servers will therefore be reduced.
#
eap {
	ok = return
}

What's the recommended solution here? Is it possible to distinguish between
the final EAP accept and the earlier Access-Challenge, so that just the
final response does a database lookup for the required user response
attributes?

Thanks,

Brian.

