Re: user from particular NAS-IP-Address

2013-05-26 Thread Matthew Newton
Pete,

On Sat, May 25, 2013 at 02:31:12PM -0600, Pete Ashdown wrote:
> I'm trying to restrict a guest user from a single NAS-IP-Address via "users"
> and I can't get it to work.
> 
> Doesn't work:
> 
> test  NAS-IP-Address == "127.0.0.1"
>   Auth-Type := Accept

Try:

 test   NAS-IP-Address == "127.0.0.1", Auth-Type := Accept

The first line is matched against the incoming request packet,
and sets things in the control list. The subsequent lines are
entries for the reply packet. Auth-Type is a control item. This is
documented in the users file - read it carefully and look at the
examples, such as "deny access for a group of users".

But for restricting users, I doubt you want "Accept"! :)

> Also, how would I do this for a group of NAS IP addresses?  Is it possible to
> assign them to a group in "clients.conf" that can be later checked against in
> "users"?  Where is the documentation of what can be tested against in the
> "users" file?

Add entries in the huntgroups file:

blockednaslist  NAS-IP-Address == 127.0.0.1
blockednaslist  NAS-IP-Address == 127.0.1.1

then use something like this in users:

testuser  Huntgroup-Name == "blockednaslist", Auth-Type := Reject

Don't forget that NAS-IP-Address can be spoofed if you permit NASes
not under your own control.

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: user from particular NAS-IP-Address

2013-05-26 Thread Alan DeKok
Pete Ashdown wrote:
> I also searched via Google site:lists.freeradius.org because Mailman's archive
> sucketh and found similar recriminations to RTFM and run "radiusd -X".

  That text *also* said to POST THE OUTPUT TO THE LIST.

  It's understandable that you're not a RADIUS expert.  That's what this
list is for: to help people.  But we can't help you if you don't follow
instructions.  We can't help you if you post messages like "something
went wrong, how do I fix it?"

  We ASK for the debug output because we NEED IT TO HELP YOU.

>  I
> didn't see a freeradius-newbs list, so I assumed freeradius-users was
> welcoming like other users mailing lists.  I'll unsubscribe now and go back to
> the trial and error.  Sorry to have wasted your time.

  You're welcome back any time.  Just *follow instructions*.  It
shouldn't be hard.

  This list is for people who want to get help solving RADIUS problems.
 Getting that help often means *following instructions*.  There should
be no reason to get upset when asked to follow instructions.  You asked
for help... it should be obvious that the response should contain *some*
kind of instruction.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: user from particular NAS-IP-Address

2013-05-26 Thread A . L . M . Buxey
Hi,

> [files] users: Matched entry test at line 86
> ++[files] returns ok

and what is that entry?

> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the
> user

what type of authentication is this?

> sucketh and found similar recriminations to RTFM and run "radiusd -X".  I

you'll read that it's not just 'run radiusd -X' - there's also the part about
giving that information to the list, not just a tiny snippet. There is an
expectation that SOME effort is put into reading the docs/resources/wiki rather
than just getting people from the list to do your (I'm guessing paid for) work.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: user from particular NAS-IP-Address

2013-05-25 Thread Pete Ashdown
On Sat, May 25, 2013 at 06:23:44PM -0400, Alan DeKok wrote:

>   You *did* run the server in debugging mode, as suggested in the FAQ,
> README, "man" page, and daily on this list?

Yes I did, over a period of about 3 hours of trial and error before banging my
head against:

[...]
[files] users: Matched entry test at line 86
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the
user
Failed to authenticate the user.
[...]

I also searched via Google site:lists.freeradius.org because Mailman's archive
sucketh and found similar recriminations to RTFM and run "radiusd -X".  I
didn't see a freeradius-newbs list, so I assumed freeradius-users was
welcoming like other users mailing lists.  I'll unsubscribe now and go back to
the trial and error.  Sorry to have wasted your time.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: user from particular NAS-IP-Address

2013-05-25 Thread Alan DeKok
Pete Ashdown wrote:
> I'm trying to restrict a guest user from a single NAS-IP-Address via "users"
> and I can't get it to work.
> 
> Doesn't work:
> 
> test  NAS-IP-Address == "127.0.0.1"
>   Auth-Type := Accept

  That's wrong.  Why?  See the debug output.  It *tells* you what's
wrong, and how to fix it.  See "man users".  It *documents* the format
of the "users" file.  See the sample "raddb/users" file.  Look for
"Auth-Type".  There are *examples* of how to do this.

> Also, how would I do this for a group of NAS IP addresses?  Is it possible to
> assign them to a group in "clients.conf" that can be later checked against in
> "users"?

  See raddb/huntgroups.  You can group NASes, and check the group
membership later.

>  Where is the documentation of what can be tested against in the
> "users" file?

  What does that mean?  "man users" describes how the "users" file
works.  After that, if you get something wrong, the debug output will
tell you.

  You *did* run the server in debugging mode, as suggested in the FAQ,
README, "man" page, and daily on this list?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
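As an added illustration of the "users" file semantics that Matthew's and Alan's replies above describe, here is a small Python model. It is example code written for this page, not FreeRADIUS's rlm_files: it parses entries in the "users" and "huntgroups" formats, treats the first line of an entry as check items and indented continuation lines as reply items, honours Auth-Type only when it is set on the check line, and resolves Huntgroup-Name through the huntgroups table. The entries, huntgroups and request attributes are constructed; the model covers only the operators used in this thread, and "no matching entry" is just this module's view, since a real server goes on to the other authorize modules.

```python
"""Toy model of how FreeRADIUS' rlm_files matches a "users" entry.

Added example, not FreeRADIUS code: it mimics only what the thread
discusses (check items on the first line, reply items on indented
continuation lines, Auth-Type honoured only as a control item,
Huntgroup-Name resolved from a huntgroups table). The entries,
huntgroups and requests below are constructed for the example."""
import re

ITEM_RE = re.compile(r'([\w-]+)\s*(==|!=|:=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')
CONTROL_ITEMS = {"Auth-Type"}   # configure the server; never compared with the request


def parse_items(line):
    """'A == "x", B := y' -> [("A", "==", "x"), ("B", ":=", "y")]"""
    return [(attr, op, val.strip('"')) for attr, op, val in ITEM_RE.findall(line)]


def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                    # continuation line: reply items
            if not entries:
                raise ValueError("reply line before any entry")
            entries[-1][2].extend(parse_items(line))
        else:                                    # new entry: name, then check items
            parts = line.split(None, 1)
            entries.append((parts[0], parse_items(parts[1] if len(parts) > 1 else ""), []))
    return entries


def parse_huntgroups(text):
    """'name  NAS-IP-Address == 1.2.3.4' lines -> {name: {"1.2.3.4", ...}}"""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, rest = line.split(None, 1)
            for attr, op, value in parse_items(rest):
                if attr == "NAS-IP-Address" and op == "==":
                    groups.setdefault(name, set()).add(value)
    return groups


def match_entry(entry, request, huntgroups):
    """(control, reply) if every check item matches the request, else None."""
    name, checks, replies = entry
    if name != "DEFAULT" and name != request.get("User-Name"):
        return None
    control = {}
    for attr, op, value in checks:
        if attr in CONTROL_ITEMS:            # set into control, never compared
            control[attr] = value
            continue
        if attr == "Huntgroup-Name":         # NAS membership, not a request attribute
            hit = request.get("NAS-IP-Address") in huntgroups.get(value, set())
        else:
            hit = request.get(attr) == value
        if op == "!=":
            hit = not hit
        if not hit:
            return None
    return control, {attr: value for attr, _op, value in replies}


def authorize(users_text, huntgroups_text, request):
    """Outcome of the files module followed by the authenticate step."""
    huntgroups = parse_huntgroups(huntgroups_text)
    for entry in parse_users(users_text):
        matched = match_entry(entry, request, huntgroups)
        if matched is None:
            continue
        control, _reply = matched
        auth_type = control.get("Auth-Type")
        if auth_type is None:
            # An Auth-Type on a reply line went into the reply list, not control:
            # that is the "No authenticate method (Auth-Type) found" rejection.
            return "reject: no Auth-Type in control list"
        return "Access-Accept" if auth_type == "Accept" else "Access-Reject"
    return "reject: no matching entry"


# Constructed files. The first is the entry from the original question.
BROKEN_USERS = '''
test    NAS-IP-Address == "127.0.0.1"
        Auth-Type := Accept
'''
FIXED_USERS = '''
test    NAS-IP-Address == "127.0.0.1", Auth-Type := Accept
'''
HUNTGROUPS = '''
blockednaslist  NAS-IP-Address == 127.0.0.1
blockednaslist  NAS-IP-Address == 127.0.1.1
'''
HUNTGROUP_USERS = '''
testuser  Huntgroup-Name == "blockednaslist", Auth-Type := Reject
testuser  Auth-Type := Accept
'''

if __name__ == "__main__":
    req = {"User-Name": "test", "NAS-IP-Address": "127.0.0.1"}
    print(authorize(BROKEN_USERS, HUNTGROUPS, req), "|", authorize(FIXED_USERS, HUNTGROUPS, req))
```

Run as-is, the two-line entry from the original question reproduces the "No authenticate method" rejection while the one-line entry accepts, and the huntgroup entries reject testuser only from the two listed NAS addresses.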


user from particular NAS-IP-Address

2013-05-25 Thread Pete Ashdown
I'm trying to restrict a guest user from a single NAS-IP-Address via "users"
and I can't get it to work.

Doesn't work:

test    NAS-IP-Address == "127.0.0.1"
        Auth-Type := Accept

test    NAS-IP-Address == "127.0.1.1"
        Auth-Type := Accept

Works, but it isn't restricted by NAS:

test   Auth-Type := Accept

I've also tried "Calling-Station-ID == 127.0.1.1" to no avail.


Also, how would I do this for a group of NAS IP addresses?  Is it possible to
assign them to a group in "clients.conf" that can be later checked against in
"users"?  Where is the documentation of what can be tested against in the
"users" file?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-21 Thread Jeremiah Peterson
Well then I obviously have missed something in the debug output which
should have been completely obvious but has not to this point been.

I do appreciate your time and willingness to help.   I have made a lot of
changes to the default configuration because I am deploying a highly
customized solution.

I will go over the debug output again and see if I can figure out what I am
missing and turn on a higher level of debugging.

I was not trying to get a quick and easy solution without reading the debug
output and I apologize if I came across that way.

Thank you for the reply.

Sent from my iPhone

On May 21, 2013, at 5:06 PM, "Alan DeKok-2 [via FreeRADIUS]" <
ml-node+s1045715n5720330...@n5.nabble.com> wrote:

Jeremiah Peterson wrote:
> Thanks Alan.
>
> I have been researching what you said and have seen from debug that the
> code you gave me seems to be accepted by the server when it is
> processed. I put the code in the authorize section of the
> /etc/freeradius/sites-enabled/default.
>
> I get:

  Well... it helps to read the debug output and think about what you've
configured.

  I'll also note that the debug output shows you've made a *lot* of
changes to the default configuration.

  So... it helps to understand the changes, before you make them.

  i.e. if you're not going to bother reading the debug output and
thinking about it, I'm not going to bother doing that, either.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-21 Thread Alan DeKok
Jeremiah Peterson wrote:
> Thanks Alan.
> 
> I have been researching what you said and have seen from debug that the
> code you gave me seems to be accepted by the server when it is
> processed. I put the code in the authorize section of the
> /etc/freeradius/sites-enabled/default.
> 
> I get:

  Well... it helps to read the debug output and think about what you've
configured.

  I'll also note that the debug output shows you've made a *lot* of
changes to the default configuration.

  So... it helps to understand the changes, before you make them.

  i.e. if you're not going to bother reading the debug output and
thinking about it, I'm not going to bother doing that, either.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-21 Thread Jeremiah Peterson
Thanks Alan.

I have been researching what you said and have seen from debug that the
code you gave me seems to be accepted by the server when it is
processed. I put the code in the authorize section of the
/etc/freeradius/sites-enabled/default.

I get:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.10 port 51690, id=9, length=43
   User-Name = "noo"
   User-Password = "smartcity123"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[IPASS] No '/' in User-Name = "noo", looking up realm NULL
[IPASS] Found realm "DEFAULT"
[IPASS] Adding Stripped-User-Name = "noo"
[IPASS] Adding Realm = "DEFAULT"
[IPASS] Proxying request from user noo to realm DEFAULT
[IPASS] Preparing to proxy authentication request to realm "DEFAULT"
++[IPASS] returns updated
++? if (Packet-Src-IP-Address == 10.10.10.10)
   expand: %{Packet-Src-IP-Address} -> 10.10.10.10
? Evaluating (Packet-Src-IP-Address == 10.10.10.10) -> TRUE
++? if (Packet-Src-IP-Address == 10.10.10.10) -> TRUE
++- entering if (Packet-Src-IP-Address == 10.10.10.10) {...}
+++[control] returns updated
++- if (Packet-Src-IP-Address == 10.10.10.10) returns updated
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
 WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 122 to 10.200.0.1 port 1812
   User-Name = "noo"
   User-Password = "test"
   NAS-IP-Address = 10.10.10.10
   Proxy-State = 0x3130
Proxying request 0 to home server 10.200.0.1 port 1812
Sending Access-Request of id 122 to 10.200.0.1 port 1812
   User-Name = "noo"
   User-Password = "test"
   NAS-IP-Address = 10.10.10.10
   Proxy-State = 0x3130
Going to the next request

So it looks like it evaluates the unlang correctly, but it doesn't
change the home server pool to the intended pool.

Is the unlang supposed to be in the authorize section as I suspect?
(NEWPOOL is the pool I want to choose)

Here is some config (the relevant part anyway)

root@FreeRADIUS:/etc/freeradius# cat sites-enabled/default
authorize {
   preprocess
   IPASS
   if (Packet-Src-IP-Address == 10.10.10.10) {
      update control {
         Home-Server-Pool = NEWPOOL
      }
   }
   suffix
}

root@FreeRADIUS:/etc/freeradius# cat proxy.conf
proxy server {
   default_fallback = no
}
home_server default {
   type = auth+acct
   ipaddr = 10.200.0.1
   port = 1812
   secret = gdsa
}
home_server primary {
   type = auth+acct
   ipaddr = 10.100.0.1
   port = 1812
   secret = secret
}

home_server_pool DEFAULT {
   home_server = default
}
home_server_pool NEWPOOL {
   home_server = primary
}

realm DEFAULT {
   auth_pool = DEFAULT
}

I am still learning and researching.  I just can't find enough
documentation out there which is why I turned to the mailing list.
Thanks for your assistance.
On May 18, 2013, at 5:36 AM, Alan DeKok-2 [via FreeRADIUS] wrote:

> Jeremiah Peterson wrote: 
> > I see that it is possible to create realms and have each realm use a 
> > different proxy, but what I am more interested in is having the 
> > authentication method be selected based on client. 
> > 
> > For example: 
> > 
> > If the request comes from IP 10.10.10.10 and user bob then use 
> > home_server_pool xxx (and return attribute "blah blah blah") 
> > If the request comes from IP 10.20.20.20 and user bob then use 
> > home_server_pool yyy (and return attribute "yadda yadda yadda") 
> > If the request comes from IP 10.30.30.30 and user bob then use 
> > home_server_pool zzz (and return results from SQL query "x") 
> 
>   Most of this can be done via "unlang".  It has if/then/else checks, 
> just like you wrote above.  You can even update the control items to 
> have "Home-Server-Pool := xxx". 
> 
> > I can see how this is done when making the user enter a realm name or 
> > prefix or suffix to the username, but I don't want to do that for every 
> > authentication.  I want the authentication method to be selected based on 
> > the client. 
> 
>   You can select the *source* for authentication credentials.  You can't 
> select the authentication *method*.  The client selects that.  (PAP, 
> CHAP, etc.) 
> 
> > I have been searching for detai

Re: Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-18 Thread Alan DeKok
Jeremiah Peterson wrote:
> I see that it is possible to create realms and have each realm use a 
> different proxy, but what I am more interested in is having the 
> authentication method be selected based on client.
> 
> For example:
> 
> If the request comes from IP 10.10.10.10 and user bob then use 
> home_server_pool xxx (and return attribute "blah blah blah")
> If the request comes from IP 10.20.20.20 and user bob then use 
> home_server_pool yyy (and return attribute "yadda yadda yadda")
> If the request comes from IP 10.30.30.30 and user bob then use 
> home_server_pool zzz (and return results from SQL query "x")

  Most of this can be done via "unlang".  It has if/then/else checks,
just like you wrote above.  You can even update the control items to
have "Home-Server-Pool := xxx".

> I can see how this is done when making the user enter a realm name or prefix 
> or suffix to the username, but I don't want to do that for every 
> authentication.  I want the authentication method to be selected based on the 
> client.

  You can select the *source* for authentication credentials.  You can't
select the authentication *method*.  The client selects that.  (PAP,
CHAP, etc.)

> I have been searching for details on all the configuration files but I am not 
> finding anything very conclusive or explanatory on how to build custom sites.

  It's pretty simple:

if ((Packet-Src-IP-Address == 10.10.10.10) && (User-Name == "bob")) {
	update control {
		Home-Server-Pool := "xxx"
	}
}


  You can't edit the reply here, because it's set by the home server.
You'll need to set the reply in post-auth.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-17 Thread Jeremiah Peterson
I see that it is possible to create realms and have each realm use a different 
proxy, but what I am more interested in is having the authentication method be 
selected based on client.

For example:

If the request comes from IP 10.10.10.10 and user bob then use home_server_pool 
xxx (and return attribute "blah blah blah")
If the request comes from IP 10.20.20.20 and user bob then use home_server_pool 
yyy (and return attribute "yadda yadda yadda")
If the request comes from IP 10.30.30.30 and user bob then use home_server_pool 
zzz (and return results from SQL query "x")

I can see how this is done when making the user enter a realm name or prefix or 
suffix to the username, but I don't want to do that for every authentication.  
I want the authentication method to be selected based on the client.

I have been searching for details on all the configuration files but I am not 
finding anything very conclusive or explanatory on how to build custom sites.

Any help would be appreciated.

Thanks for your help.

JerLasVegas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to change request attribute based on NAS IP address

2013-04-24 Thread Mehdi Ravanbakhsh
Dear Giuseppe Marocchio,

it works  :)

thanks.




On Wed, Apr 24, 2013 at 11:15 AM, Giuseppe Marocchio  wrote:

> Hello, it's simple & stupid.
>
>
>  if (Cisco-AVPair =~ /^client-mac-address=([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])\.([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])\.([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])$/) {
>      if (!Calling-Station-Id) {
>          update request {
>              Calling-Station-Id := "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
>              Called-Station-Id := "%{NAS-Port-Id}"
>          }
>      }
>  }
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to change request attribute based on NAS IP address

2013-04-23 Thread Giuseppe Marocchio

Hello, it's simple & stupid.


 if (Cisco-AVPair =~ /^client-mac-address=([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])\.([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])\.([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])$/) {
     if (!Calling-Station-Id) {
         update request {
             Calling-Station-Id := "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
             Called-Station-Id := "%{NAS-Port-Id}"
         }
     }
 }




On 23/04/13 23:49, Mehdi Ravanbakhsh wrote:

Hi All

I use Cisco and MikroTik as access servers in my network and I need to
limit user access by MAC address.

In this case I can use Calling-Station-Id; it works for MikroTik:
AUTH Detail

 Packet-Type = Access-Request
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 11062419
NAS-Port-Type = Ethernet
User-Name = "7622240489"
Calling-Station-Id = "90:F6:52:D5:74:96"
Called-Station-Id = "EHO-L"
NAS-Port-Id = "902- ADSL-EMAM-HOSIEN"
NAS-Identifier = "2800gs-langha"
NAS-IP-Address = 10.185.3.5
SQL-User-Name = "7622240489"


But it does not work for Cisco:

 Packet-Type = Access-Request
Cisco-AVPair = "client-mac-address=9094.e483.390b"
Framed-Protocol = PPP
User-Name = "585851"
NAS-Port-Type = Ethernet
        NAS-Port = 13145502
NAS-Port-Id = "0/0/2/352"
Service-Type = Framed-User
NAS-IP-Address = 85.185.83.242
Acct-Session-Id = "00C8959E"
NAS-Identifier = "BOJNOORD_7204_1"
SQL-User-Name = "585851"


So how can I set Calling-Station-Id to the MAC address for a Cisco NAS?


Best regards.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Giuseppe Marocchio
http://www.marocchio.com
Tel: (+39) 045.853
Fax: (+39) 045.597
skype: giuseppe.marocchio

  Riservatezza / Confidentiality 
In compliance with Legislative Decree no. 196 of 30/6/2003 on the protection of
personal data, the information contained in this message is strictly confidential
and addressed exclusively to the indicated recipient (or to the person responsible
for delivering it to the recipient). Please note that any use, reproduction or
disclosure of this message is prohibited. If you have received this message in
error, please notify the sender and destroy this message.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
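Added Python example (written for this page, not FreeRADIUS code) that generalises the regex above: it takes the client MAC from Calling-Station-Id or from the client-mac-address Cisco-AVPair, in Cisco's dotted form, colon or hyphen separated, or bare hex, upper or lower case, normalises it to one canonical form, and then enforces a per-user MAC allow-list, which is what the question is ultimately after. The allow-list and the request dictionaries are constructed from the two attribute dumps in the thread; the function names are this example's own.

```python
"""Added example, not FreeRADIUS code: normalise the client MAC address that
different NAS vendors report in different attributes and formats, then
enforce a per-user MAC allow-list. The requests and allow-list below are
constructed for the example."""
import re

HEX12_RE = re.compile(r"[0-9A-Fa-f]{12}")
SEPARATOR_RE = re.compile(r"[.:\-]")
# Cisco packs key=value pairs into Cisco-AVPair; this is the one we want.
CISCO_MAC_RE = re.compile(r"^client-mac-address=([0-9A-Fa-f.:\-]{12,17})$")


def canonical_mac(text):
    """'9094.e483.390b' / '90-94-e4-83-39-0b' / '9094E483390B' -> '90:94:E4:83:39:0B',
    or None when the text is not a 48-bit MAC (e.g. a phone number in
    Calling-Station-Id on a dial-in NAS)."""
    digits = SEPARATOR_RE.sub("", (text or "").strip())
    if not HEX12_RE.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def client_mac(request):
    """Like the unlang above: use Calling-Station-Id when it holds a MAC,
    otherwise fall back to the client-mac-address Cisco-AVPair."""
    mac = canonical_mac(request.get("Calling-Station-Id"))
    if mac:
        return mac
    avpairs = request.get("Cisco-AVPair", [])
    if isinstance(avpairs, str):           # a single AVPair arrives as one string
        avpairs = [avpairs]
    for avpair in avpairs:
        m = CISCO_MAC_RE.match(avpair.strip())
        if m:
            mac = canonical_mac(m.group(1))
            if mac:
                return mac
    return None


# Constructed allow-list: User-Name -> canonical MACs permitted for that account.
ALLOWED_MACS = {
    "585851": {"90:94:E4:83:39:0B"},
    "7622240489": {"90:F6:52:D5:74:96"},
}


def authorize(request):
    """('accept', mac) or ('reject', reason). Fails closed when no MAC is usable,
    so a NAS that omits the MAC cannot bypass the check."""
    user = request.get("User-Name", "")
    mac = client_mac(request)
    if mac is None:
        return ("reject", "no usable MAC address in request")
    if mac in ALLOWED_MACS.get(user, set()):
        return ("accept", mac)
    return ("reject", "%s is not allowed for %s" % (mac, user))


# Constructed requests modelled on the two attribute dumps in the thread.
CISCO_REQUEST = {
    "User-Name": "585851",
    "Cisco-AVPair": "client-mac-address=9094.e483.390b",
    "NAS-IP-Address": "85.185.83.242",
}
MIKROTIK_REQUEST = {
    "User-Name": "7622240489",
    "Calling-Station-Id": "90:F6:52:D5:74:96",
    "NAS-IP-Address": "10.185.3.5",
}

if __name__ == "__main__":
    for req in (CISCO_REQUEST, MIKROTIK_REQUEST):
        print(req["User-Name"], authorize(req))
```

Normalising before comparing matters because the same station shows up as 9094.e483.390b on the Cisco and as 90:F6:52:D5:74:96-style text on the MikroTik; an allow-list keyed on raw strings would silently miss one of them.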


How to change request attribute based on NAS IP address

2013-04-23 Thread Mehdi Ravanbakhsh
Hi All

I use Cisco and MikroTik as access servers in my network and I need to
limit user access by MAC address.

In this case I can use Calling-Station-Id; it works for MikroTik:
AUTH Detail

Packet-Type = Access-Request
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 11062419
NAS-Port-Type = Ethernet
User-Name = "7622240489"
Calling-Station-Id = "90:F6:52:D5:74:96"
Called-Station-Id = "EHO-L"
NAS-Port-Id = "902- ADSL-EMAM-HOSIEN"
NAS-Identifier = "2800gs-langha"
NAS-IP-Address = 10.185.3.5
SQL-User-Name = "7622240489"


But it does not work for Cisco:

Packet-Type = Access-Request
Cisco-AVPair = "client-mac-address=9094.e483.390b"
Framed-Protocol = PPP
User-Name = "585851"
NAS-Port-Type = Ethernet
NAS-Port = 13145502
NAS-Port-Id = "0/0/2/352"
Service-Type = Framed-User
NAS-IP-Address = 85.185.83.242
Acct-Session-Id = "00C8959E"
NAS-Identifier = "BOJNOORD_7204_1"
SQL-User-Name = "585851"


So how can I set Calling-Station-Id to the MAC address for a Cisco NAS?


Best regards.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radwho with nas-ip-address behind NAT

2012-06-26 Thread Sergio Belkin
2012/6/25 Fajar A. Nugraha :
> NAS-IP-Address should be whatever the NAS sends, which can be its
> loopback/admin address, or its private IP address in case of NAT.

Well, I don't think that. The NAS is sending its public IP, I mean the NAT
device's IP, not its actual IP.

Unless I am doing something wrong...

>
> Packet-Src-IP-Address, on the other hand, is whatever the radius sees
> the packet coming from, which should be the NAS/firewall's public IP
> address in your case.


>
> --
> Fajar
>
> On Mon, Jun 25, 2012 at 11:13 PM, Sergio Belkin  wrote:
>> Hi,
>>
>> I wonder whether radwho can show the "actual" NAS-IP-Address and not the
>> NAT device's IP. Another interesting option would be NAS-Identifier.
>> Is that feasible?
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-- 
--
Sergio Belkin  http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radwho with nas-ip-address behind NAT

2012-06-25 Thread Fajar A. Nugraha
NAS-IP-Address should be whatever the NAS sends, which can be its
loopback/admin address, or its private IP address in case of NAT.

Packet-Src-IP-Address, on the other hand, is whatever the radius sees
the packet coming from, which should be the NAS/firewall's public IP
address in your case.

-- 
Fajar

On Mon, Jun 25, 2012 at 11:13 PM, Sergio Belkin  wrote:
> Hi,
>
> I wonder whether radwho can show the "actual" NAS-IP-Address and not the
> NAT device's IP. Another interesting option would be NAS-Identifier.
> Is that feasible?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
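What the two attributes mean on the wire, as an added example (Python written for this page, not FreeRADIUS code): it encodes a RADIUS Access-Request whose NAS-IP-Address attribute says 192.168.1.1, parses it as if received from source address 203.0.113.5, and checks the Message-Authenticator (RFC 2869, HMAC-MD5 keyed with the shared secret) using the secret that a clients.conf-style table binds to the source address. That secret, looked up by source address, is what authenticates the NAS; NAS-IP-Address is just payload the sender fills in, which is the spoofing caveat Matthew raised in the other thread above. Addresses, secret, authenticator and packet contents are constructed, and the example assumes the NAS includes a Message-Authenticator, which not every NAS does.

```python
"""Added example, not FreeRADIUS code: decode a RADIUS Access-Request and
contrast the NAS-IP-Address attribute carried inside the packet with the UDP
source address the server received it from, then check the Message-Authenticator
(RFC 2869) with the secret a clients.conf-style table binds to that source
address. Addresses, secret, authenticator and attributes are constructed."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80

# Stand-in for clients.conf: shared secret keyed by the packet's source IP.
CLIENTS = {"203.0.113.5": b"testing123"}


def build_access_request(ident, authenticator, attrs):
    """Encode a RADIUS packet; attrs is a list of (type, value_bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Return [(type, value), ...], rejecting malformed lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def message_authenticator_offset(packet):
    """Byte offset of the 16-byte Message-Authenticator value, or None."""
    pos = 20
    while pos + 1 < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            return pos + 2
        pos += max(l, 2)                      # never loop on a zero length
    return None


def expected_message_authenticator(packet, secret, offset):
    """HMAC-MD5(secret, packet with the Message-Authenticator value zeroed)."""
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def sign(packet, secret):
    off = message_authenticator_offset(packet)
    if off is None:
        raise ValueError("packet has no Message-Authenticator attribute")
    return packet[:off] + expected_message_authenticator(packet, secret, off) + packet[off + 16:]


def verify(packet, secret):
    off = message_authenticator_offset(packet)
    if off is None:
        return False                          # this example treats a missing MA as a failure
    return hmac.compare_digest(packet[off:off + 16],
                               expected_message_authenticator(packet, secret, off))


def inspect_request(packet, src_ip):
    """What the server can actually trust about where a request came from."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return {"trusted": False, "reason": "unknown client " + src_ip}
    if not verify(packet, secret):
        return {"trusted": False, "reason": "bad Message-Authenticator"}
    attrs = dict(parse_attributes(packet))
    nas_ip = attrs.get(NAS_IP_ADDRESS)
    return {
        "trusted": True,
        "user_name": attrs.get(USER_NAME, b"").decode("utf-8", "replace"),
        # Sender-controlled content: whatever the NAS (or a spoofer) wrote in.
        "nas_ip_address": str(ipaddress.IPv4Address(nas_ip)) if nas_ip and len(nas_ip) == 4 else None,
        # Observed by the socket: the value Packet-Src-IP-Address exposes.
        "packet_src_ip": src_ip,
    }


# Constructed sample: a NAS at 192.168.1.1 behind a NAT gateway at 203.0.113.5.
SAMPLE_AUTHENTICATOR = bytes(range(16))   # real requests use 16 random bytes
SAMPLE = sign(build_access_request(9, SAMPLE_AUTHENTICATOR, [
    (USER_NAME, b"guest"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.1").packed),
    (MESSAGE_AUTHENTICATOR, b"\x00" * 16),
]), CLIENTS["203.0.113.5"])

if __name__ == "__main__":
    print(inspect_request(SAMPLE, "203.0.113.5"))
    print(inspect_request(SAMPLE, "198.51.100.7"))
```

The same packet arriving from an address that is not in CLIENTS is refused before any attribute is looked at, and altering NAS-IP-Address in transit breaks the HMAC; but a NAS that does hold a valid secret can put any value it likes in NAS-IP-Address, which is why decisions keyed on that attribute only make sense for NASes you control.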


radwho with nas-ip-address behind NAT

2012-06-25 Thread Sergio Belkin
Hi,

I wonder whether radwho can show the "actual" NAS-IP-Address and not the
NAT device's IP. Another interesting option would be NAS-Identifier.
Is that feasible?

Thanks in advance!

-- 
--
Sergio Belkin  http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS IP Address

2011-09-13 Thread 2394263740
Arran,
  
 Yes. You're right. It works. Great!
  
 Thanks!
  
 Tom
   
  
  -- Original --
  From:  "a.cudbardb";
 Date:  Tue, Sep 13, 2011 03:56 PM
 To:  "2394263740"<2394263...@qq.com>; 
 
 Subject:  Re: NAS IP Address

  
Ah you want the attribute Packet-Src-IP-Address 

 -Arran
  On 13 Sep 2011, at 03:55, 2394263740 wrote:

  Arran,
  
 Looks like the email didn't go through sometime.
  
 Please see below email for my question.
  
 Thanks!
  
 Tom
   
  
  -- Original --
  From:  "2394263740"<2394263...@qq.com>;
 Date:  Tue, Sep 13, 2011 09:28 AM
 To:  "freeradius-users"; 
 
 Subject:  Re:NAS IP Address

  
 Arran,
  
 Thanks for your help and reply.
  
 %{NAS-IP-Address} doesn't work for this case.
  
 The connection is like below.
  
 Mobile --- WiFi Router --- Internet Gateway (NAT) --- Internet --- FreeRadius 
Server.
  
 The %{NAS-IP-Address} will be the LAN interface IP, such as 192.168.1.1. This 
is not what I need.
  
 I need the IP address with which the FreeRadius server is communicating. This 
means that when FreeRadius receives the access request, the request IP packet 
was sourced from the Internet gateway IP address, and this is the IP address I 
need. Inside the access request there is %{NAS-IP-Address}; it's the LAN IP 
address of the WiFi router, so %{NAS-IP-Address} is not the information I need 
in such a case.
  
 Thanks!
  
 Tom
   
  

Re: NAS IP Address

2011-09-12 Thread Arran Cudbard-Bell

On 12 Sep 2011, at 13:58, 2394263740 wrote:

> Hello,
> I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1.
> OS: Linux Enterprise Server 6.1
> Radius: free radius server 2.1.11
> Database: Mysql
>  
> The WIFI routers we're using are in different private networks, behind the 
> internet gateways. The WIFI router has a private IP address, such as 
> 192.168.1.1.
>  
> For some reason, we need to know which Internet IP address the WIFI router is 
> using to do the authentication with the FreeRadius server. The FreeRadius 
> server is on the internet.
>  
> As the business needs, we need to save the IP address (Internet gateway IP 
> address) to the MySql database.

edit the queries in

raddb/sql/mysql/dialup.conf

and add the additional columns to the SQL database.

The original IP address of the NAS may be sent in the NAS-IP-Address attribute, 
in which case use the expansion %{NAS-IP-Address} for the value of the new 
column.

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

NAS IP Address

2011-09-12 Thread 2394263740
Hello,
I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1.
OS: Linux Enterprise Server 6.1
Radius: free radius server 2.1.11
Database: Mysql

The WIFI routers we're using are in different private networks, behind the
internet gateways. The WIFI router has a private IP address, such as 192.168.1.1.

For some reason, we need to know which Internet IP address the WIFI router is
using to do the authentication with the FreeRADIUS server. The FreeRADIUS server is
on the internet.

As the business needs, we need to save the IP address (Internet gateway IP address)
to the MySQL database.

Can anyone advise how to do so?

Thanks!

Tom
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-17 Thread Alan DeKok
Eric Geier wrote:
> I found %{Packet-Src-IP-Address} but when I include this in the
> postauth_query, it doesn't work...the fields are blank in the DB when I view
> it.

  And what does debug log say?

  If Packet-Src-IP-Address doesn't work, odds are you're running 1.x.
Upgrade.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-16 Thread Eric Geier
I found %{Packet-Src-IP-Address} but when I include this in the
postauth_query, it doesn't work...the fields are blank in the DB when I view
it.

How could I log the source IP address of successful authentications?

- Eric

-Original Message-
From: freeradius-users-bounces+me=egeier@lists.freeradius.org
[mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On
Behalf Of Eric Geier
Sent: Tuesday, August 16, 2011 3:49 PM
To: 'FreeRadius users mailing list'
Subject: RE: NAS-IP-Address or NAS-Identifier in Access-Request?

Understood, thanks!

Can I log the source IP address to the Post-Auth DB table?

Thanks,
Eric


-Original Message-
From: freeradius-users-bounces+me=egeier@lists.freeradius.org
[mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Tuesday, August 16, 2011 10:38 AM
To: FreeRadius users mailing list
Subject: Re: NAS-IP-Address or NAS-Identifier in Access-Request?

Eric Geier wrote:
> Yes I read that in the RFC, but was wondering what vendors usually do, 
> what's the most typical, etc. I'm also wondering the same about the 
> Calling-Station-Id and Called-Station-ID. But sounds like those aren't 
> included very often, completely optional.

  There's no way to know what is typical.  There are many dozens of vendors,
each  of whom has many dozens of products using RADIUS.  Each product may
have dozens of different firmware revisions, each of which behaves slightly
differently.

> But now that I've thought of it, if there isn't a NAS-IP-Address then 
> authentication wouldn't work, right? Cause FR needs to lookup the 
> shared secret based upon the NAS-IP-Address?

  No.  The shared secret is looked up by source IP address.  The
NAS-IP-Address can be anything.  It is pretty much ignored by the core
RADIUS protocol.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-16 Thread Eric Geier
Understood, thanks!

Can I log the source IP address to the Post-Auth DB table?

Thanks,
Eric


-Original Message-
From: freeradius-users-bounces+me=egeier@lists.freeradius.org
[mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Tuesday, August 16, 2011 10:38 AM
To: FreeRadius users mailing list
Subject: Re: NAS-IP-Address or NAS-Identifier in Access-Request?

Eric Geier wrote:
> Yes I read that in the RFC, but was wondering what vendors usually do, 
> what's the most typical, etc. I'm also wondering the same about the 
> Calling-Station-Id and Called-Station-ID. But sounds like those aren't 
> included very often, completely optional.

  There's no way to know what is typical.  There are many dozens of vendors,
each  of whom has many dozens of products using RADIUS.  Each product may
have dozens of different firmware revisions, each of which behaves slightly
differently.

> But now that I've thought of it, if there isn't a NAS-IP-Address then 
> authentication wouldn't work, right? Cause FR needs to lookup the 
> shared secret based upon the NAS-IP-Address?

  No.  The shared secret is looked up by source IP address.  The
NAS-IP-Address can be anything.  It is pretty much ignored by the core
RADIUS protocol.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-16 Thread Alan DeKok
Eric Geier wrote:
> Yes I read that in the RFC, but was wondering what vendors usually do,
> what's the most typical, etc. I'm also wondering the same about the
> Calling-Station-Id and Called-Station-ID. But sounds like those aren't
> included very often, completely optional.

  There's no way to know what is typical.  There are many dozens of
vendors, each  of whom has many dozens of products using RADIUS.  Each
product may have dozens of different firmware revisions, each of which
behaves slightly differently.

> But now that I've thought of it, if there isn't a NAS-IP-Address then
> authentication wouldn't work, right? Cause FR needs to lookup the shared
> secret based upon the NAS-IP-Address?

  No.  The shared secret is looked up by source IP address.  The
NAS-IP-Address can be anything.  It is pretty much ignored by the core
RADIUS protocol.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
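Alan's point above (the secret is chosen by source IP; NAS-IP-Address is ignored by the core protocol) is easy to see at the packet level. The following is an added example written for this page, not code from the thread or from FreeRADIUS: a toy server-side check in Python that selects the shared secret by the UDP source address (the value FreeRADIUS exposes as Packet-Src-IP-Address, which Eric asks about further up the page), verifies the RFC 3579 Message-Authenticator with that secret, and then shows that a request from any valid client still passes while carrying a NAS-IP-Address that belongs to someone else's NAS. The client table, secrets and addresses are constructed for the demo; nas_ip_matches_source is the extra check a policy keyed on NAS-IP-Address would need (or, simpler, key the policy on the source address instead).

```python
# Added example (not from the list thread, not FreeRADIUS code): a toy
# RADIUS server-side check. The shared secret is chosen by UDP source
# address (FreeRADIUS: Packet-Src-IP-Address); NAS-IP-Address is just an
# attribute the client chose to send. Client table, secrets and addresses
# below are constructed for the demo.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80

# Stand-in for clients.conf: client network -> shared secret (constructed).
CLIENTS = {
    ipaddress.ip_network("192.0.2.0/24"): b"secret-site-a",
    ipaddress.ip_network("198.51.100.7/32"): b"secret-site-b",
}

def lookup_secret(src_ip):
    """Most specific client entry matching the packet's source address, or None."""
    ip = ipaddress.ip_address(src_ip)
    match = None
    for net, secret in CLIENTS.items():
        if ip in net and (match is None or net.prefixlen > match[0].prefixlen):
            match = (net, secret)
    return None if match is None else match[1]

def build_access_request(ident, secret, user, nas_ip):
    """Access-Request with User-Name, NAS-IP-Address and a Message-Authenticator
    (RFC 3579: HMAC-MD5 keyed with the shared secret over the whole packet,
    with the Message-Authenticator value zeroed while computing it)."""
    name = user.encode()
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    attrs += struct.pack("!BB", ATTR_NAS_IP_ADDRESS, 6) + ipaddress.ip_address(nas_ip).packed
    ma_offset = 20 + len(attrs)                    # where the MA TLV starts
    attrs += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:ma_offset + 2] + mac + pkt[ma_offset + 18:]

def parse_attributes(pkt):
    """Yield (type, offset, value) for each TLV after the 20-byte header."""
    pos = 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("bad attribute length")
        yield atype, pos, pkt[pos + 2:pos + alen]
        pos += alen

def verify_request(pkt, src_ip):
    """Validate as the server must: secret by source IP, integrity by
    Message-Authenticator. Returns (ok, reason, NAS-IP-Address as claimed)."""
    if len(pkt) < 20:
        return False, "short packet", None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return False, "bad header", None
    secret = lookup_secret(src_ip)
    if secret is None:                     # FreeRADIUS silently ignores these
        return False, "unknown client", None
    claimed, ma = None, None
    try:
        for atype, pos, value in parse_attributes(pkt):
            if atype == ATTR_NAS_IP_ADDRESS and len(value) == 4:
                claimed = str(ipaddress.IPv4Address(value))
            elif atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                ma = (pos, value)
    except ValueError as exc:
        return False, str(exc), claimed
    if ma is None:
        return False, "no Message-Authenticator", claimed
    pos, received = ma
    zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        return False, "bad Message-Authenticator", claimed
    return True, "ok", claimed

def nas_ip_matches_source(pkt, src_ip):
    """The extra check a policy keyed on NAS-IP-Address needs: the attribute
    must agree with the address the secret was actually looked up by."""
    ok, _reason, claimed = verify_request(pkt, src_ip)
    return ok and claimed == str(ipaddress.ip_address(src_ip))

if __name__ == "__main__":
    honest = build_access_request(1, b"secret-site-a", "alice", "192.0.2.10")
    # Another valid client (different secret) claims to be the site-A NAS.
    spoofed = build_access_request(2, b"secret-site-b", "alice", "192.0.2.10")
    print(verify_request(honest, "192.0.2.10"))            # (True, 'ok', '192.0.2.10')
    print(verify_request(spoofed, "198.51.100.7"))         # (True, 'ok', '192.0.2.10')
    print(nas_ip_matches_source(spoofed, "198.51.100.7"))  # False
```

The second print is the whole point: the packet from 198.51.100.7 is perfectly valid under that client's own secret, so nothing in the protocol stops it from asserting any NAS-IP-Address it likes. Only the source address is tied to a secret, which is why a "users" or unlang check on NAS-IP-Address is safe only for NASes you control, and why the source address is the value to log or match otherwise.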


RE: NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-16 Thread Eric Geier
Thanks, Alan.

Yes I read that in the RFC, but was wondering what vendors usually do,
what's the most typical, etc. I'm also wondering the same about the
Calling-Station-Id and Called-Station-ID. But sounds like those aren't
included very often, completely optional.

But now that I've thought of it, if there isn't a NAS-IP-Address then
authentication wouldn't work, right? Cause FR needs to lookup the shared
secret based upon the NAS-IP-Address?

- Eric

-Original Message-
From: freeradius-users-bounces+me=egeier@lists.freeradius.org
[mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On
Behalf Of Alan Buxey
Sent: Tuesday, August 16, 2011 4:32 AM
To: FreeRadius users mailing list
Subject: Re: NAS-IP-Address or NAS-Identifier in Access-Request?

Hi,
> Does anyone happen to know if consumer-level Wi-Fi routers typically 
> transmit the NAS-IP-Address or NAS-Identifier (or maybe both) in the 
> Access-Request?

RFC's say

An Access-Request MUST contain either a NAS-IP-Address attribute or a
NAS-Identifier attribute (or both).

so, you will get one or the other (or from good vendors, both!)

if you don't get either then the kit isn't fit for purpose, or valid for
anything (because if they can't follow such a basic RFC requirement then
what hope have you for anything else to operate correctly on it?)

alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-16 Thread Alan Buxey
Hi,
> Does anyone happen to know if consumer-level Wi-Fi routers typically
> transmit the NAS-IP-Address or NAS-Identifier (or maybe both) in the
> Access-Request?

RFC's say

An Access-Request MUST contain either a NAS-IP-Address attribute or a
NAS-Identifier attribute (or both).

so, you will get one or the other (or from good vendors, both!)

if you don't get either then the kit isn't fit for purpose, or valid for anything
(because if they can't follow such a basic RFC requirement then what hope have
you for anything else to operate correctly on it?)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-15 Thread Eric Geier
Does anyone happen to know if consumer-level Wi-Fi routers typically
transmit the NAS-IP-Address or NAS-Identifier (or maybe both) in the
Access-Request?

Would be great if there was a central place to look up the exact attributes
and formats vendors use.

Thanks, Eric


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re[2]: pre-proxy automatically added "NAS-IP-Address"

2010-10-21 Thread ichiro tanaka

thanks a lot Phil.

>It was probably added by the "preprocess" module, if memory serves.
>
>Why would you want to stop it?
>
>If you do, just remove the "preprocess" module from the "authorize" 
>section - but it does a lot of other processing and cleanups too.
>
>The better option is to use attr_filter in the "pre-proxy" section, like so:
>
>pre-proxy {
>   attr_filter.preproxy
>}
>
>...then in /etc/raddb/attrs.pre-proxy, edit the sample entries to 
>permit/deny attributes you want/don't want to send.
>
>You probably want the postproxy filter too, in case your upstream proxy 
>sends you junk you can't / don't want to handle.

Oh, I see.
Indeed, I didn't think that "preprocess" added "NAS-IP-Address".

I used "attr_filter", and could stop it.

my settings...
---
/etc/raddb/attrs.pre-proxy
example.jp
	User-Name =* ANY,
	User-Password =* ANY,
	NAS-IP-Address !* ANY

DEFAULT
	User-Name =* ANY,
	User-Password =* ANY,
	...
---

thanks for your help

ichiro tanaka
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pre-proxy automatically added "NAS-IP-Address"

2010-10-21 Thread Phil Mayers

On 10/21/2010 03:34 AM, ichiro tanaka wrote:
> Hi.
>
> I have a problem with proxying.
> When proxying to the auth-server, "NAS-IP-Address" was automatically added by the proxy.
> Can I stop it?

It was probably added by the "preprocess" module, if memory serves.

Why would you want to stop it?

If you do, just remove the "preprocess" module from the "authorize" 
section - but it does a lot of other processing and cleanups too.

The better option is to use attr_filter in the "pre-proxy" section, like so:

pre-proxy {
	attr_filter.preproxy
}

...then in /etc/raddb/attrs.pre-proxy, edit the sample entries to 
permit/deny attributes you want/don't want to send.

You probably want the postproxy filter too, in case your upstream proxy 
sends you junk you can't / don't want to handle.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


pre-proxy automatically added "NAS-IP-Address"

2010-10-20 Thread ichiro tanaka

Hi.

I have a problem with proxying.
When proxying to the auth-server, "NAS-IP-Address" was automatically added by the proxy.
Can I stop it?

I used ntradping-1.5 and freeradius-2.1.10.

--hosts--
ntradping-1.5 10.233.55.200
proxy (freeradius-2.1.10) 10.233.36.101
auth-server (freeradius-2.1.10) 10.233.36.100

--debug log--
FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Oct 20 2010 at 15:43:53
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /tmp/radius/etc/raddb/radiusd.conf
including configuration file /tmp/radius/etc/raddb/proxy.conf
including configuration file /tmp/radius/etc/raddb/clients.conf
including files in directory /tmp/radius/etc/raddb/modules/
including configuration file /tmp/radius/etc/raddb/modules/radutmp
including configuration file /tmp/radius/etc/raddb/modules/passwd
including configuration file /tmp/radius/etc/raddb/modules/cui
including configuration file /tmp/radius/etc/raddb/modules/opendirectory
including configuration file /tmp/radius/etc/raddb/modules/dynamic_clients
including configuration file /tmp/radius/etc/raddb/modules/ippool
including configuration file /tmp/radius/etc/raddb/modules/realm
including configuration file /tmp/radius/etc/raddb/modules/pam
including configuration file /tmp/radius/etc/raddb/modules/ldap
including configuration file /tmp/radius/etc/raddb/modules/always
including configuration file /tmp/radius/etc/raddb/modules/counter
including configuration file /tmp/radius/etc/raddb/modules/smbpasswd
including configuration file /tmp/radius/etc/raddb/modules/sql_log
including configuration file /tmp/radius/etc/raddb/modules/logintime
including configuration file /tmp/radius/etc/raddb/modules/wimax
including configuration file /tmp/radius/etc/raddb/modules/detail.example.com
including configuration file /tmp/radius/etc/raddb/modules/policy
including configuration file /tmp/radius/etc/raddb/modules/unix
including configuration file /tmp/radius/etc/raddb/modules/mschap
including configuration file /tmp/radius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /tmp/radius/etc/raddb/modules/files
including configuration file /tmp/radius/etc/raddb/modules/otp
including configuration file /tmp/radius/etc/raddb/modules/inner-eap
including configuration file /tmp/radius/etc/raddb/modules/perl
including configuration file /tmp/radius/etc/raddb/modules/etc_group
including configuration file /tmp/radius/etc/raddb/modules/linelog
including configuration file /tmp/radius/etc/raddb/modules/mac2vlan
including configuration file /tmp/radius/etc/raddb/modules/attr_rewrite
including configuration file /tmp/radius/etc/raddb/modules/digest
including configuration file /tmp/radius/etc/raddb/modules/sradutmp
including configuration file /tmp/radius/etc/raddb/modules/expr
including configuration file /tmp/radius/etc/raddb/modules/expiration
including configuration file /tmp/radius/etc/raddb/modules/attr_filter
including configuration file /tmp/radius/etc/raddb/modules/mac2ip
including configuration file /tmp/radius/etc/raddb/modules/pap
including configuration file /tmp/radius/etc/raddb/modules/detail
including configuration file /tmp/radius/etc/raddb/modules/detail.log
including configuration file /tmp/radius/etc/raddb/modules/smsotp
including configuration file /tmp/radius/etc/raddb/modules/krb5
including configuration file /tmp/radius/etc/raddb/modules/acct_unique
including configuration file /tmp/radius/etc/raddb/modules/echo
including configuration file /tmp/radius/etc/raddb/modules/ntlm_auth
including configuration file /tmp/radius/etc/raddb/modules/exec
including configuration file /tmp/radius/etc/raddb/modules/preprocess
including configuration file /tmp/radius/etc/raddb/modules/chap
including configuration file /tmp/radius/etc/raddb/modules/checkval
including configuration file /tmp/radius/etc/raddb/eap.conf
including configuration file /tmp/radius/etc/raddb/policy.conf
including files in directory /tmp/radius/etc/raddb/sites-enabled/
including configuration file /tmp/radius/etc/raddb/sites-enabled/control-socket
including configuration file /tmp/radius/etc/raddb/sites-enabled/default
including configuration file /tmp/radius/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /tmp/radius/etc/raddb/dictionary
main {
prefix = "/tmp/radius"
localstatedir = "/tmp/radius/var"
logdir = "/tmp/radius/var/log/radius"
libdir = "/tmp/radius/lib"
radacctdir = "/tmp/radius/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/tmp/radius/var/run/r

Re: Policy Based on NAS IP address

2010-09-15 Thread Konstantin Chekushin

for example:

server exampe_acct {
	listen {
		type = acct
		ipaddr = *
		port = 1813
	}
	accounting {
		if (request:NAS-IP-Address == '1.1.1.1') {
			blablabla
		}
		else {
			blablabla
		}
	}
}
?

Quoting Nasser Heidari:
> Hi,
> Is it possible to apply special policy based on NAS IP Address, for
> example I want to check originating ip address for special NAS or
> set IP Address pool for the other NAS .
> Thanks in advance
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
 -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Policy Based on NAS IP address

2010-09-15 Thread Nasser Heidari
Hi,
Is it possible to apply special policy based on NAS IP Address, for
example I want to check originating ip address for special NAS or set IP
Address pool for the other NAS .
Thanks in advance

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: framed-ip-address based on nas-ip-address

2010-03-18 Thread power159
I have read doc/rlm_sql many times but I am unable to find any solution.

Adding Fall-Through in radreply for the user or radgroupreply for groups doesn't
help.
I even tried to use huntgroups but got the same result.

It works only when the user is a member of one group. I mean if I add the user
to a second group it's not working any more and sqlippool is not processing!
It doesn't matter if the group checks are matching or not.

It seems there is something wrong when a user is a member of 2 groups,
because it's checking none of them when the user is in more than 1 group.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: framed-ip-address based on nas-ip-address

2010-03-18 Thread Fajar A. Nugraha
On Thu, Mar 18, 2010 at 2:21 PM, power159  wrote:
> the only problem that I have is if a user is a member of 2 groups.
> freeradius is processing none of them! even if both are matching! but if I
> remove one of the groups it's working without any problem! and assigning an ip from
> the ip pool


> +--+---+--+
> | username | groupname | priority |
> +--+---+--+
> | test1    | group1    |    0 |
> | test1    | group2    |    0 |
> +--+---+--+

See doc/rlm_sql

in particular, I think the priority should be different. Also if you
want both groups processed, you might need Fall-Through.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


framed-ip-address based on nas-ip-address

2010-03-18 Thread power159
Hi,
As there was a mistake in my previous email title and as I have made big
progress on my problem, I am sending a new email. As I said in the previous
email I want to configure freeradius to reply with different
framed-ip-addresses based on the NAS servers.

I found the following email in the archive which helped a lot:
http://lists.cistron.nl/pipermail/freeradius-users/2009-January/msg00630.html

The only problem that I have is if a user is a member of 2 groups.
freeradius is processing none of them! even if both are matching! but if I
remove one of the groups it's working without any problem! and assigning an ip from
the ip pool

read-groups is on

here are my tables:
select * from radcheck;
+----+----------+---------------+----+--------+
| id | username | attribute     | op | value  |
+----+----------+---------------+----+--------+
|  4 | test1    | User-Password | := | 123456 |
+----+----------+---------------+----+--------+

select * from radgroupcheck;
+----+-----------+----------------+----+-------------+
| id | groupname | attribute      | op | value       |
+----+-----------+----------------+----+-------------+
|  1 | group1    | Nas-IP-Address | == | 192.168.1.5 |
|  2 | group1    | Pool-Name      | := | pool1       |
|  3 | group2    | Nas-IP-Address | == | 192.168.1.6 |
|  4 | group2    | Pool-Name      | := | pool2       |
+----+-----------+----------------+----+-------------+

select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| test1    | group1    |        0 |
| test1    | group2    |        0 |
+----------+-----------+----------+

select * from radippool;
+----+-----------+-----------------+--------------+-----------------+------------------+-------------+----------+----------+
| id | pool_name | framedipaddress | nasipaddress | calledstationid | callingstationid | expiry_time | username | pool_key |
+----+-----------+-----------------+--------------+-----------------+------------------+-------------+----------+----------+
|  1 | pool1     | 90.90.90.1      |              |                 |                  | NULL        |          | 0        |
|  2 | pool1     | 90.90.90.2      |              |                 |                  | NULL        |          |          |
|  5 | pool2     | 91.90.90.1      |              |                 |                  | NULL        |          | 0        |
|  6 | pool2     | 91.90.90.2      |              |                 |                  | NULL        |          |          |
+----+-----------+-----------------+--------------+-----------------+------------------+-------------+----------+----------+
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: NAS-IP-Address modified during Access-Request process

2009-06-23 Thread kevin leblanc
On Mon, Jun 22, 2009 at 23:08, Ivan Kalik  wrote:

> > I installed freeradius 2 but my problem is still there.
> > To recap:
> >
> > I configured Freeradius to look in an openldap directory to authenticate and
> > authorize a user.
> > The authentication phase is OK
> > During the authorize phase, an ldap search is done: if the user is a member
> > of a group identified by the host ip he wants to connect to, the user is
> > authorized.
> > The problem is here: freeradius receives an Access-Request packet with a
> > NAS-IP-Address (the good one) and to search in the ldap, it doesn't send
> > the ip received in the packet but another one!
>
> Dynamic expansion for Ldap and SQL-Group doesn't work in the users file. I can
> replicate this. But it works in unlang:
>
> if (Ldap-Group == "%{NAS-IP-Address}") {
> 	...
> }
>
> will work just fine.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
:) It works fine!

To help users who have the same problem, I put these lines in the authorize
section:

if (Ldap-Group == "%{NAS-IP-Address}") {
	ok
}
else {
	reject
}

Thanks !
-- 
KeV
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: NAS-IP-Address modified during Access-Request process

2009-06-22 Thread kevin leblanc
Hi,

I installed freeradius 2 but my problem is still there.
To recap:

I configured Freeradius to look in an openldap directory to authenticate and
authorize a user.
The authentication phase is OK
During the authorize phase, an ldap search is done: if the user is a member of
a group identified by the host ip he wants to connect to, the user is
authorized.
The problem is here: freeradius receives an Access-Request packet with a
NAS-IP-Address (the good one) and to search in the ldap, it doesn't send the
ip received in the packet but another one!

Why is this attribute modified?
Is there any cache (the other ip comes from another device)?

To be precise:
I think there is some cache enabled somewhere (the ip used for the ldap filter is
always the one of the first request), is there any way to disable it?

Before testing, I created the group for IP1 and I added the test user to it.
Test 1:

   - I ran radiusd -X
   - I try to connect with IP1 => OK
   - I try to connect with IP2 => OK (not the right result because to check the
     membership it's the first IP which is used)

Then, I kill radiusd.
Test 2:

   - I ran radiusd -X
   - I try to connect with IP2 => KO (expected because the group for IP2
     doesn't exist)
   - I try to connect with IP1 => KO (not expected because the group for IP1
     exists)


To help, the logs :
--
rad_recv: Access-Request packet from host 126.50.0.148 port 1645, id=34,
length=80
NAS-IP-Address = 126.50.0.148
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "testuser"
Calling-Station-Id = "126.100.100.6"
User-Password = "X"
+- entering group authorize {...}
++[preprocess] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=example,dc=com -> dc=example,dc=com
[files] expand: (uid=%{User-Name}) -> (uid=testuser)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as ou=radius,ou=applications,dc=example,dc=com/X to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand:
(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:LDAP-UserDn})) ->
(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter
(&(cn=126.50.0.147)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
[ldap] performing user authorization for testuser
[ldap]  expand: (uid=%{User-Name}) -> (uid=testuser)
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "testuser" with password "azerty12"
[ldap] user DN: uid=testuser,uid=test01,ou=users,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: starting TLS
rlm_ldap: bind as
uid=testuser,uid=test01,ou=users,dc=example,dc=com/azerty12 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user testuser authenticated succesfully
++[ldap] returns ok
Login OK: [testuser] (from client petitnom port 1 cli 126.100.100.6)
Sending Access-Accept of id 34 to 126.50.0.148 port 1645
Nokia-IPSO-User-Role = "adminRole"
Nokia-IPSO-SuperUser-Access = 1
Service-Type = Login-User
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 34 with timestamp +52
Ready to process requests.

--

-- 
KeV
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: NAS-IP-Address modified during Access-Request process

2009-06-18 Thread kevin leblanc
thanks for the quick answer :)

Indeed, the version installed is not the last one but the "no longer
maintained one"
I just did yum install freeradius.

I will fix this right now

Thanks again

-- 
KeV
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: NAS-IP-Address modified during Access-Request process

2009-06-18 Thread Ivan Kalik
> I have a big problem in freeradius installed in version 1.1.4 on RHEL 5,
> and
> today it's the third day i'm looking for a solution :(

Upgrade. This was likely fixed ages ago.

http://wiki.freeradius.org/Red_Hat_FAQ

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


NAS-IP-Address modified during Access-Request process

2009-06-18 Thread kevin leblanc
Hi everybody,
I have a big problem with freeradius installed in version 1.1.4 on RHEL 5, and
today is the third day I'm looking for a solution :(
Here is the problem:
I configured Freeradius to look in an openldap directory to authenticate and
authorize a user.
The authentication phase is OK
During the authorization phase, an ldap search is done: if the user is a member of a
group identified by the host ip he wants to connect to, the user is authorized.
The problem is here: freeradius receives an Access-Request packet with a
NAS-IP-Address (the good one) and to search in the ldap, it doesn't send the
ip received in the packet but another one!

Why is this attribute modified?
Is there any cache (the other ip comes from another device)?

Thanks for any helpful idea

Here are
/etc/raddb/users (I also tried with ldap-group == "%{NAS-IP-Address}")

DEFAULT ldap-group == "%{Client-Ip-Address}", Auth-Type := LDAP
	Service-Type = 1,
	Fall-Through = no

DEFAULT Auth-Type := Reject
	Fall-Through = no,
	Reply-Message = "You are not authorized to log in to this host :("


/etc/raddb/clients.conf

client 126.50.0.0/8 {
secret = secretsecret
shortname = shortname
}


radius LOG (with radiusd -X)

rad_recv: Access-Request packet from host 126.50.0.148:1645, id=17,
length=82
NAS-IP-Address = 126.50.0.148
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "testadmin"
Calling-Station-Id = "XX.XX.XX.XX"
User-Password = "X"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=example,dc=com'
radius_xlat:  '(uid=testadmin)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter
(uid=testadmin)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: starting TLS
rlm_ldap: bind as uid=radius,ou=applications,dc=example,dc=com/radiuspass to
127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter
(uid=testadmin)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter
(&(cn=126.50.0.147)(|(&(objectClass=GroupOfNames)(member=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 3
  modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testadmin
radius_xlat:  '(uid=testadmin)'
radius_xlat:  'dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter
(uid=testadmin)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testadmin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 4
modcall: leaving group authorize (returns ok) for request 4
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 4
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testadmin" with password "X"
rlm_ldap: user DN: uid=testAdmin,uid=test01,ou=users,dc=example,dc=com
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: starting TLS
rlm_ldap: bind as
uid=testAdmin,uid=test01,ou=users,dc=example,d

RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Thanks Ivan !

With huntgroup it works perfectly, now I am searching to manage my huntgroup 
whith ldap, no longer with the file huntgroup.

Each users have the primitive radiusHuntgroupName, but I want to define my 
huntgroup in ldap, is it possible you think ?

Regards,

Francois

-Original Message-
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday 19 May 2009 15:09
To: François Mehault
Subject: RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

> Well, I am using checkval to check the attribute NAS-IP-Address. What I
> want: I have several users and several NAS; some users are allowed to
> authenticate on some NAS, and others not. I use an OpenLDAP database. Each
> user has an attribute "radiusCheckItem". I don't know if I am right, if
> it's the right way to do what I need, but I am a novice with FreeRADIUS and
> OpenLDAP.

Well, if a user is going to have only one value for NAS IP, then you don't
need checkval - just map the appropriate attribute as a check item in
raddb/ldap.attrmap. If he should be allowed on several devices it might be
better to use huntgroups/sqlhuntgroups - as long as there are not too many
combinations.

Same applies to mac address - if user can use only one there is no need to
use checkval.

Ivan Kalik
Kalik Informatika ISP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Well, I am using checkval to check the attribute NAS-IP-Address. What I want:
I have several users and several NAS; some users are allowed to authenticate on
some NAS, and others not. I use an OpenLDAP database. Each user has an attribute
"radiusCheckItem". I don't know if I am right, if it's the right way to do what
I need, but I am a novice with FreeRADIUS and OpenLDAP.

-Original Message-
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday 19 May 2009 13:46
To: François Mehault
Subject: RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

> [...]
>
> rlm_checkval: Could not find item named Client-IP-Address in request
> rlm_checkval: Could not find attribute named Client-IP-Address in check
> pairs
> ++[nas-check] returns notfound

OK. It can't work since Client-IP-Address is not in the request. Can you
remind me: why are you using checkval? Multiple values for NAS IP? Your
user entry has only one.

Ivan Kalik
Kalik Informatika ISP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Checkval with Calling-Station-Id works fine! And I also want to check the IP
of the NAS to authenticate my user.

rlm_checkval: Item Name: Calling-Station-Id, Value: 192.168.0.80
rlm_checkval: Value Name: Calling-Station-Id, Value: 192.168.0.80
++[station-check] returns ok

>NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why did
>it come out like that in checkval when elsewhere in the debug it looks OK.

I tried with Client-IP-Address instead of NAS-IP-Address but it doesn't work:

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=162, 
length=80
    NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "fmehault"
Calling-Station-Id = "192.168.0.80"
User-Password = "toto"
+- entering group authorize {...}

[...]

rlm_checkval: Could not find item named Client-IP-Address in request
rlm_checkval: Could not find attribute named Client-IP-Address in check pairs
++[nas-check] returns notfound

My ldap:

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
objectClass: hostObject
radiusGroupName: stagiaire
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
radiusNASIpAddress: 192.168.0.50
host: labobe1
radiusCheckItem: "Client-IP-Address = 192.168.0.50"
radiusCallingStationId: 192.168.0.80


My checkval modules:

checkval station-check {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
notfound-reject = yes
}

checkval nas-check {
item-name = Client-IP-Address
check-name = Client-IP-Address
data-type = ipaddr
notfound-reject = yes
}

Thanks Ivan Kalik for your first response

Regards,

François

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Ivan Kalik
Sent: Monday 11 May 2009 13:29
To: FreeRadius users mailing list
Subject: Re: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

> I want to use FreeRADIUS to administer network equipment. I also use
> OpenLDAP to store information about users. FreeRADIUS and OpenLDAP are
> installed on the same FreeBSD 7.0 server.
> I contact network equipment (like a Cisco Catalyst 2950 v12.1) with PuTTY
> (ssh/telnet).
>
> I have 2 questions :
>
>
> -  Why is my calling-station-id in the request an IP and not a MAC
> ?

Because you are using telnet/ssh. Same applies to VPN. PPPoE (wired and
wireless) request should have mac address in that field. Dial-up should
have phone number.

>
> -      When I authenticate on the cisco 2950, I have in my log «
> rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of
> 192.168.0.50, what is the problem ???
>

NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why did
it come out like that in checkval when elsewhere in the debug it looks OK.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

2009-05-12 Thread François Mehault
Hi All,

I want to use FreeRADIUS to administer network equipment. I also use OpenLDAP 
to store information about users. FreeRADIUS and OpenLDAP are installed on the 
same FreeBSD 7.0 server.
I contact network equipment (like a Cisco Catalyst 2950 v12.1) with PuTTY 
(ssh/telnet).

To summarize:

Windows XP -> ssh or telnet -> Cisco 2950 (RADIUS client/authenticator/NAS) -> 
EAPoRADIUS (I suppose) -> FreeRADIUS & OpenLDAP

For the moment, I haven't installed/configured a supplicant on the Windows XP; I 
don't know if it's required because I don't want to use FreeRADIUS to 
authenticate my Windows session. I have an Active Directory to do this.

I configured slapd.conf, radius.conf, clients.conf, the ldap module etc. and it 
works. And now I would like to add some check items like NAS-IP-Address and 
Calling-Station-ID. But I don't succeed :s, I use checkval to do this.

I have 2 questions :


-  Why is my calling-station-id in the request an IP and not a MAC?

-  When I authenticate on the Cisco 2950, I have in my log « 
rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of 192.168.0.50, 
what is the problem ???

I think I have numerous problems. If you see one of them, could you inform me? 
I am a novice with FreeRADIUS (and OpenLDAP also :s ). I could give you all the 
information you need to help me fix my problem.

Thanks for your help,

Regards

François MEHAULT


On my cisco 2950 :

aaa new-model
aaa authentication login default local group radius
aaa authorization exec default group radius local
aaa authorization network default group radius

My ldap.attrmap :

checkItem   Calling-Station-Id          radiusCallingStationId
checkItem   NAS-IP-Address  radiusNASIpAddress

Extract of my OpenLDAP:

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
radiusGroupName: stagiaire
radiusCallingStationId: 192.168.0.80   -> I put an IP address and not a MAC 
address because in the request it's an IP and not a MAC, I don't know why...
radiusNASIpAddress: 192.168.0.60   -> in fact, the NAS IP is 192.168.0.50, but 
I put .60 to get an Access-Reject
userPassword: {SSHA}tOoPUvtVW5O3+StoxScmQLiGFTO5l/+z


<12:34>[labobe2:~]# radiusd -X
FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.0, built on Apr 16 
2009 at 12:03:36
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
[...]
radiusd:  Loading Clients 
 client 192.168.0.50 {
require_message_authenticator = no
secret = "cherche"
shortname = "swlabo"
nastype = "cisco"
 }
radiusd:  Instantiating modules 
[...]
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
server = "127.0.0.1"
port = 389
password = "secret"
identity = "cn=root,dc=netplus,dc=fr"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
   tls {
start_tls = no
require_cert = "allow"
   }
basedn = "dc=netplus,dc=fr"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = "radiusGroupName"
dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
[...]
rlm_ldap: LDAP radiusVSA mapped to RADIUS Cisco-AVPair
conns: 0x2852c240
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linke
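The checkval behaviour argued over in this thread (the station-check that returns ok, the nas-check on Client-IP-Address that returns notfound, and the "À¨" printed for NAS-IP-Address), modelled in Python as an added example. This is not rlm_checkval's or FreeRADIUS's code; the request attributes and check items are constructed from the messages above, and the ordering of the two "not found" cases beyond what the debug output shows is this model's assumption:

```python
"""Added illustration, not rlm_checkval or FreeRADIUS code: a model of the
check a checkval-style module performs, fed with the Access-Request and the
LDAP-derived check items shown in this thread, plus the reason the debug log
printed "À¨" for an ipaddr value."""
import ipaddress
import socket

# Attributes of the Access-Request, constructed from the rad_recv dump above.
# Client-IP-Address is deliberately absent: the server derives it from the UDP
# source of the packet (that is what %{Client-IP-Address} expands to); it is not
# an attribute the NAS puts in the packet, which is why checkval cannot find it.
REQUEST_ATTRS = {
    "NAS-IP-Address": "192.168.0.50",   # supplied by the NAS itself, hence forgeable
    "NAS-Port": "1",
    "NAS-Port-Type": "Virtual",
    "User-Name": "fmehault",
    "Calling-Station-Id": "192.168.0.80",
}
PACKET_SOURCE = "192.168.0.50"          # what the server actually saw on the wire

# Check items as ldap.attrmap maps them from the user's LDAP entry (constructed).
# radiusNASIpAddress carries the deliberate .60 from the first message.  The
# radiusCheckItem line for Client-IP-Address is left out because the debug
# output shows it never reached the check pairs.
CHECK_ITEMS = {
    "Calling-Station-Id": "192.168.0.80",
    "NAS-IP-Address": "192.168.0.60",
}


def values_equal(data_type, item_value, check_value):
    """Compare according to the module's data-type setting."""
    if data_type == "ipaddr":
        return ipaddress.ip_address(item_value) == ipaddress.ip_address(check_value)
    if data_type == "integer":
        return int(item_value) == int(check_value)
    return item_value == check_value    # "string"


def checkval(item_name, check_name, data_type, request_attrs, check_items,
             notfound_reject=True):
    """Return 'ok', 'reject' or 'notfound'.  The case of both sides missing
    follows the debug output in the thread (-> notfound); the other orderings
    are this model's assumption, not the module's documented behaviour."""
    item_value = request_attrs.get(item_name)
    check_value = check_items.get(check_name)
    if check_value is None:
        return "notfound"
    if item_value is None:
        return "reject" if notfound_reject else "notfound"
    return "ok" if values_equal(data_type, item_value, check_value) else "reject"


def packed_ipaddr_as_cstring(dotted):
    """Why the log showed 'À¨' for NAS-IP-Address 192.168.0.50: the value was
    printed as if it were a C string.  Its four network-order bytes are
    C0 A8 00 32; read as NUL-terminated Latin-1 text that is 'À' (0xC0) and
    '¨' (0xA8), cut off at the 0x00 byte of the third octet."""
    raw = socket.inet_aton(dotted)
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def run_thread_checks():
    """The three checks discussed in the thread, in the module's terms."""
    return {
        "station-check": checkval("Calling-Station-Id", "Calling-Station-Id",
                                  "string", REQUEST_ATTRS, CHECK_ITEMS),
        "nas-check/Client-IP-Address": checkval("Client-IP-Address", "Client-IP-Address",
                                                "ipaddr", REQUEST_ATTRS, CHECK_ITEMS),
        "nas-check/NAS-IP-Address": checkval("NAS-IP-Address", "NAS-IP-Address",
                                             "ipaddr", REQUEST_ATTRS, CHECK_ITEMS),
    }


if __name__ == "__main__":
    for name, result in run_thread_checks().items():
        print(f"++[{name}] returns {result}")
    print("NAS-IP-Address printed as a string:", packed_ipaddr_as_cstring("192.168.0.50"))
```

The point the model makes is the one Ivan makes: a check on NAS-IP-Address compares two values the NAS controls, while the packet's source address (PACKET_SOURCE here) is the only thing the server observed itself, and it lives outside the attribute list that a request-side check walks.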

Re: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

2009-05-11 Thread Ivan Kalik
> I want to use FreeRADIUS to administer network equipment. I also use
> OpenLDAP to store information about users. FreeRADIUS and OpenLDAP are
> installed on the same FreeBSD 7.0 server.
> I contact network equipment (like a Cisco Catalyst 2950 v12.1) with PuTTY
> (ssh/telnet).
>
> I have 2 questions :
>
>
> -  Why is my calling-station-id in the request an IP and not a MAC
> ?

Because you are using telnet/ssh. Same applies to VPN. PPPoE (wired and
wireless) request should have mac address in that field. Dial-up should
have phone number.

>
> -  When I authenticate on the cisco 2950, I have in my log «
> rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of
> 192.168.0.50, what is the problem ???
>

NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why did
it come out like that in checkval when elsewhere in the debug it looks OK.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: IP-Assignment with sqlippool based on nas-ip-address

2009-02-02 Thread tnt
>I'm afraid, but this won't work in my environment. I will need a different 
>subnet mask.

Can you explain why you think the 255.255.255.255 netmask won't work for
you? Do you know how that netmask works?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-02-02 Thread tnt
>> That should happen only if IP allocation has expired (see lease-duration
>> in sqlippool.conf). There is another allocate-find query that issues
>> random IPs.
>>
>
>Hmmm, maybe there is another problem in my config. I tried two requests within 
>ten seconds. Attached you'll find the debug. During the second request the 
>first ip-address is freed and can be used again. The lease-duration has the 
>standard value of 3600, so this can't be the reason.
>
>This is the table radippool after the second request:
>
>+-----------+-----------------+--------------+---------------------+----------+----------+
>| pool_name | framedipaddress | nasipaddress | expiry_time         | username | pool_key |
>+-----------+-----------------+--------------+---------------------+----------+----------+
>| poolUK    | 10.10.10.10     | 10.98.6.95   | 2009-02-02 10:14:32 | peter2   |          |
>| poolUK    | 10.10.10.11     |              | 2009-02-02 09:14:31 |          | 0        |
>+-----------+-----------------+--------------+---------------------+----------+----------+

You don't have a pool_key because you are doing radtest requests. A proper
request will have NAS-Port or Calling-Station-Id as pool_key. With the
updated queries user, nas *and* pool_key need to match for an IP to be
released. Queries in the distribution don't have pool_key so a double
login will release the older IP.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-02-02 Thread Sebastian Heil

 Original Message 
> Date: Fri, 30 Jan 2009 11:51:20 +0100
> From: t...@kalik.net
> To: "FreeRadius users mailing list" 
> Subject: Re: IP-Assignment with sqlippool based on nas-ip-address

> >Now, the "behaviour" of the server changed in the way, that the
> >freeradius reserves only one ip-address per user. If the same user logs in
> >again on the same nas (without accounting-stop-packet before), the old
> >ip-address is freed and the user receives a new one.
> >
> 
> That should happen only if IP allocation has expired (see lease-duration
> in sqlippool.conf). There is another allocate-find query that issues
> random IPs.
>

Hmmm, maybe there is another problem in my config. I tried two requests within 
ten seconds. Attached you'll find the debug. During the second request the 
first ip-address is freed and can be used again. The lease-duration has the 
standard value of 3600, so this can't be the reason.

This is the table radippool after the second request:

+-----------+-----------------+--------------+---------------------+----------+----------+
| pool_name | framedipaddress | nasipaddress | expiry_time         | username | pool_key |
+-----------+-----------------+--------------+---------------------+----------+----------+
| poolUK    | 10.10.10.10     | 10.98.6.95   | 2009-02-02 10:14:32 | peter2   |          |
| poolUK    | 10.10.10.11     |              | 2009-02-02 09:14:31 |          | 0        |
+-----------+-----------------+--------------+---------------------+----------+----------+




debug


rad_recv: Access-Request packet from host 10.98.6.95 port 3099, id=194, 
length=46
User-Name = "peter2"
User-Password = "peter2"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
/var/log/radius/radacct/10.98.6.95/auth-detail-20090202
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/10.98.6.95/auth-detail-20090202
[auth_log]  expand: %t -> Mon Feb  2 09:13:45 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peter2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 183
++[files] returns ok
[sql]   expand: %{User-Name} -> peter2
[sql] sql_set_user escaped user --> 'peter2'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'peter2'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = 'peter2'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = 'peter2'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 'peter2'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM radusergroup   WHERE username = 'peter2'   ORDER 
BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup   
WHERE username = 'peter2'   ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op   
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id -> SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = 'UK'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value, op 
  FROM radgroupcheck   WHERE groupname = 'UK'   ORDER BY id
[sql] User found in group UK
[sql]   expand: SELECT id, groupname, attribute,   value, op   
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id -> SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = 'UK'   ORDER BY id
rlm_sql_mysql: query:  SE

Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-30 Thread tnt
>Now, the "behaviour" of the server changed in the way, that the freeradius 
>reserves only one ip-address per user. If the same user logs in again on the 
>same nas (without accounting-stop-packet before), the old ip-address is freed 
>and the user receives a new one.
>

That should happen only if IP allocation has expired (see lease-duration
in sqlippool.conf). There is another allocate-find query that issues
random IPs.

>Is there a possibility to assign also a specific subnetmask with the 
>radippool-table? we have different subnetmasks for the different pools. 
>

If these are PPP connections you should use 255.255.255.255 for all of
them. That will match any gateway subnet and mask. You corral them with a
firewall.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-30 Thread Sebastian Heil
> I have attached new schema and queries for mysql sqlippool. These should
> work with both 4 and 5 MySQL versions (I have done some manual testing
> on both; 4 on Linux and 5 on Windows). In version 5 (at least the
> Windows one I have tested on) CURRENT_TIMESTAMP defaults to '-00-00
> 00:00:00' instead of current date. This has no impact on how queries
> work. It might have been fixed in later MySQL versions (this is 5.0.18).
> 
> I am not sure if I have done diff from the correct files so I included
> both patches and files.
> 
> Ivan Kalik
> Kalik Informatika ISP

I've tested the patch in my environment. It seems as if this works correctly.

Thanks Ivan for the fast patch!

My MySQL version is 5.0.26 on SUSE Linux 10.

Now the "behaviour" of the server has changed in the way that FreeRADIUS 
reserves only one ip-address per user. If the same user logs in again on the 
same NAS (without an accounting-stop packet before), the old ip-address is freed 
and the user receives a new one.

Is there a possibility to also assign a specific subnet mask with the 
radippool table? We have different subnet masks for the different pools. 

Thanks.


-- 
ONLY UNTIL 31.01.! GMX FreeDSL - phone line + DSL 
for only 16.37 EUR/month!* http://dsl.gmx.de/?ac=OM.AD.PD003K11308T4569a
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-29 Thread tnt
I have attached new schema and queries for mysql sqlippool. These should
work with both 4 and 5 MySQL versions (I have done some manual testing
on both; 4 on Linux and 5 on Windows). In version 5 (at least the
Windows one I have tested on) CURRENT_TIMESTAMP defaults to '-00-00
00:00:00' instead of the current date. This has no impact on how the queries
work. It might have been fixed in later MySQL versions (this is 5.0.18).

I am not sure if I have done the diff from the correct files so I included
both patches and files.

Ivan Kalik
Kalik Informatika ISP
--- ippool.sql  2009-01-29 22:33:12.0 +0100
+++ ippooln.sql 2009-01-29 22:39:22.0 +0100
@@ -8,7 +8,7 @@
   nasipaddress varchar(15) NOT NULL default '',
   calledstationid VARCHAR(30) NOT NULL,
   callingstationid VARCHAR(30) NOT NULL,
-  expiry_time DATETIME NULL default NULL,
+  expiry_time TIMESTAMP NOT NULL default CURRENT_TIMESTAMP,
   username varchar(64) NOT NULL default '',
   pool_key varchar(30) NOT NULL,
   PRIMARY KEY (id)
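Review bot: the new `TIMESTAMP NOT NULL default CURRENT_TIMESTAMP` makes a freshly inserted pool row allocatable only once NOW() has moved past the second it was created in, because allocate-find selects `expiry_time < NOW()`; a row inserted and requested within the same second is skipped, and a comment on the column (or a default that lies in the past) would make that explicit. The hunk should also say what happens to rows that already hold NULL when the column is altered to NOT NULL, since a NULL that survives the conversion still never satisfies `expiry_time < NOW()`.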


ippooln.sql
Description: Binary data
--- ippool.conf 2009-01-29 19:13:12.0 +0100
+++ ippooln.conf2009-01-29 23:29:32.0 +0100
@@ -8,7 +8,7 @@
 # allocate-clear = "UPDATE ${ippool_table} \
 # SET nasipaddress = '', pool_key = 0, \
 # callingstationid = '', username = '', \
-# expiry_time = NULL \
+# expiry_time = NOW() - INTERVAL 1 SECOND \
 # WHERE pool_key = '${pool-key}'"
  
 ## This series of queries allocates an IP address
@@ -19,8 +19,8 @@
  allocate-clear = "UPDATE ${ippool_table} \
   SET nasipaddress = '', pool_key = 0, \
   callingstationid = '', username = '', \
-  expiry_time = NULL \
-  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND
+  expiry_time = NOW() - INTERVAL 1 SECOND \
+  WHERE pool_key = '${pool-key}' \
   AND nasipaddress = '%{Nas-IP-Address}'"
  
  
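Review bot: the rewritten allocate-clear no longer purges expired leases on the NAS (the removed `WHERE expiry_time <= NOW() - INTERVAL 1 SECOND`, which also lacked its trailing `\`); it only releases the row matching `pool_key = '${pool-key}'` and the NAS. That relies on allocate-find's `expiry_time < NOW()` to reuse expired rows, which works, but the comment above the query should say so. Note also that when pool-key expands to an empty string (requests without NAS-Port, as the radtest runs in this thread) every row with an empty pool_key on that NAS is released by this UPDATE.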
@@ -39,7 +39,7 @@
 # ## use this query instead
 # allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
 # WHERE pool_name = '%{control:Pool-Name}' \
-# AND expiry_time =s NULL \
+# AND expiry_time < NOW() \
 # ORDER BY RAND() \
 # LIMIT 1 \
 # FOR UPDATE"
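Review bot: good catch on `AND expiry_time =s NULL`, which was both a syntax error and a `= NULL` comparison that is never true, so the RAND() variant could not have worked before; a line in the changelog would tell users who had enabled it that the query changed.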
@@ -59,21 +59,21 @@
  SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
  callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', \
  expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
- WHERE framedipaddress = '%I' AND expiry_time = NULL"
+ WHERE framedipaddress = '%I'"
  
  
  
-## This series of queries frees an IP number when an accounting
+## This query updates lease duration for an IP address when an accounting
 ## START record arrives
 start-update = "UPDATE ${ippool_table} \
  SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
  WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}'"
  
-## This series of queries frees an IP number when an accounting
+## This query frees an IP number when an accounting
 ## STOP record arrives
 stop-clear = "UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
- expiry_time = NULL \
+ expiry_time = NOW() - INTERVAL 1 SECOND \
  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \
  AND username = '%{User-Name}' \
  AND callingstationid = '%{Calling-Station-Id}' \
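Review bot: dropping `AND expiry_time = NULL` from allocate-update is right (`= NULL` never matches), but `WHERE framedipaddress = '%I'` is now the only guard, so correctness depends on allocate-find having locked the row with FOR UPDATE in the same transaction; the comment block should say that the begin/commit pair around these queries must stay. Minor: `'%{Nas-IP-Address}'` in stop-clear and `'%{NAS-IP-Address}'` in start-update name the same attribute; one spelling would avoid the question.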
@@ -81,7 +81,7 @@
  
  
  
-## This series of queries frees an IP number when an accounting
+## This query updates lease duration for an IP address when an accounting
 ## ALIVE record arrives
 alive-update = "UPDATE ${ippool_table} \
  SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
@@ -92,18 +92,18 @@
  
  
  
-## This series of queries frees the IP numbers allocate to a
+## This query frees the IP numbers allocated to a
 ## NAS when an accounting ON record arrives
 on-clear = "UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
- expiry_time = NULL \
+ expiry_time = NOW() - INTERVAL 1 SECOND \
  WHERE nasipaddress = '%{Nas-IP-Address}'"
  
-## This series of queries frees the IP numbers allocate to a
+## This query frees the IP numbers allocated to a
 ## NAS when an accounting OFF record arrives
 off-clear = "UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
- expiry_time = NULL \
+ expiry_time = NOW() - INTERVAL 1 SECOND \
  WHERE nasipaddress = '%{Nas-IP-Address}'"
  
  
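Review bot: on-clear and off-clear release every lease for a NAS matched only on `nasipaddress = '%{Nas-IP-Address}'`, the attribute that earlier in this thread is described as forgeable, so an Accounting-On or Accounting-Off from any configured client that carries another NAS's address frees that NAS's addresses. The patch leaves this as it was, but since it touches both queries, a comment pointing it out, with the packet's actual source (`%{Client-IP-Address}`, which auth_log already uses in the debug output) as the safer value to record and match on, would help.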


ippooln.conf
Description: Binary data
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-29 Thread tnt
>> >>> Hm, does it "see" NULL greater than now()? Replace NULL in expiry_time
>> >>> column with "-00-00 00:00:00" (that's what MySQL thinks null
>> >>> datetime is - it will match IS NULL). And in that previous query
>> replace
>> >>> = NULL with = '-00-00 00:00:00'.
>> >>>
>> >>> If this is so, sqlippool schema will need to be changed.
>> >>
>> >> This works. Yes, I think the schema really needs an update.
>> >
>> >  As always, patches are welcome.
>> >
>> 
>> It probably needs just a change from NULL to '-00-00 00:00:00' for
>> the expiry_time default value in ippool.sql.
>> 
>> expiry_time IS NULL will match if value is '-00-00 00:00:00'. I
>> will fix the queries to use MySQL null value (-00-00 00:00:00) and
>> not NULL, since NULL doesn't work in > 
>
>Yes, that should work...
>

I am afraid it won't. NULL and '-00-00 00:00:00' are treated
differently in 4.x and 5.x MySQL versions. You can make it work for one
but not the other.

I have a different idea - scrap NULL and use now() as default. I'll see
what needs to be changed for the queries to work.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-29 Thread Sebastian Heil
> >>> Hm, does it "see" NULL greater than now()? Replace NULL in expiry_time
> >>> column with "-00-00 00:00:00" (that's what MySQL thinks null
> >>> datetime is - it will match IS NULL). And in that previous query
> replace
> >>> = NULL with = '-00-00 00:00:00'.
> >>>
> >>> If this is so, sqlippool schema will need to be changed.
> >>
> >> This works. Yes, I think the schema really needs an update.
> >
> >  As always, patches are welcome.
> >
> 
> It probably needs just a change from NULL to '-00-00 00:00:00' for
> the expiry_time default value in ippool.sql.
> 
> expiry_time IS NULL will match if value is '-00-00 00:00:00'. I
> will fix the queries to use MySQL null value (-00-00 00:00:00) and
> not NULL, since NULL doesn't work in  

Yes, that should work...

There is another problem with the mysql-configuration. In the file ippool.conf 
there is the following part:

-------------
## This series of queries allocates an IP address
## (Note: If your pool-key is set to Calling-Station-Id and not NAS-Port
## then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}'
## from the WHERE clause)

 allocate-clear = "UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, \
  callingstationid = '', username = '', \
  expiry_time IS NULL \
  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND
  AND nasipaddress = '%{Nas-IP-Address}'"


after the line "WHERE expiry_time <= NOW() - INTERVAL 1 SECOND" the 
"\" is missing.

This will cause an error if you start the server.

-- 
Psst! Already heard about the new GMX MultiMessenger? It works with all of them: 
http://www.gmx.net/de/go/multimessenger
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-29 Thread Sebastian Heil

> >Is there another possibility to reassign the same ip-address to the user
> again?
> 
> Not while first connection is still active. That can't possibly work.
> NAS will reject such IP.
> 
> Are you trying to create a multilink? That is NAS, not radius capability.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 

OK, I will check that with our NAS. At the moment I am only testing with 
radtest. 

But thanks a lot so far for all the help!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-29 Thread tnt
>Is there another possibility to reassign the same ip-address to the user again?

Not while the first connection is still active. That can't possibly work.
The NAS will reject such an IP.

Are you trying to create a multilink? That is NAS, not radius capability.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-29 Thread tnt
>>> Hm, does it "see" NULL greater than now()? Replace NULL in expiry_time
>>> column with "-00-00 00:00:00" (that's what MySQL thinks null
>>> datetime is - it will match IS NULL). And in that previous query replace
>>> = NULL with = '-00-00 00:00:00'.
>>>
>>> If this is so, sqlippool schema will need to be changed.
>>
>> This works. Yes, I think the schema really needs an update.
>
>  As always, patches are welcome.
>

It probably needs just a change from NULL to '-00-00 00:00:00' for
the expiry_time default value in ippool.sql.

expiry_time IS NULL will match if value is '-00-00 00:00:00'. I
will fix the queries to use MySQL null value (-00-00 00:00:00) and
not NULL, since NULL doesn't work in
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-29 Thread Sebastian Heil
> > I have another question: when does the server free an ip-address? I
> > tested a login with the same username within one minute and the server
> > reserved two different ip-addresses. I thought that the server would use
> > the same ip-address for the second login, but the server doesn't.
> > 
> > Which behaviour is the right one?  
> 
>   The server frees IP's when accounting stop packets are received.  This
> is the correct behavior.
> 

OK, I understand this. :-)

Is there another possibility to reassign the same ip-address to the user again?

Thanks
Sebastian

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-29 Thread Alan DeKok
Sebastian Heil wrote:
>> Hm, does it "see" NULL greater than now()? Replace NULL in expiry_time
>> column with "-00-00 00:00:00" (that's what MySQL thinks null
>> datetime is - it will match IS NULL). And in that previous query replace
>> = NULL with = '-00-00 00:00:00'.
>>
>> If this is so, sqlippool schema will need to be changed.
> 
> This works. Yes, I think the schema really needs an update.

  As always, patches are welcome.

> I have another question: when does the server free an ip-address? I tested a 
> login with the same username within one minute and the server reserved two 
> different ip-addresses. I thought that the server would use the same 
> ip-address for the second login, but the server doesn't.
> 
> Which behaviour is the right one?  

  The server frees IP's when accounting stop packets are received.  This
is the correct behavior.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-29 Thread Sebastian Heil

> 
> Hm, does it "see" NULL greater than now()? Replace NULL in expiry_time
> column with "-00-00 00:00:00" (that's what MySQL thinks null
> datetime is - it will match IS NULL). And in that previous query replace
> = NULL with = '-00-00 00:00:00'.
> 
> If this is so, sqlippool schema will need to be changed.

This works. Yes, I think the schema really needs an update.

I have another question: when does the server free an ip-address? I tested a 
login with the same username within one minute and the server reserved two 
different ip-addresses. I thought that the server would use the same ip-address 
for the second login, but the server doesn't.

Which behaviour is the right one?  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-28 Thread tnt
>But there seems to be a problem with this statement now:
>
>-
>SELECT framedipaddress FROM radippool  WHERE pool_name = 'poolDE' AND 
>expiry_time < NOW()  ORDER BY (username <> 'peter2'),  (callingstationid <> 
>''),  expiry_time  LIMIT 1  FOR UPDATE
>
>
>This statement should receive a free IP address, I think, but it doesn't.

There is also a clue:

>[sqlippool] SQL query did not return any results

Your IP pool is used up.

>I think the problem is the part "expiry_time < NOW()". This is not working in 
>mysql. Does anyone know how to fix this?

Hm, does it "see" NULL greater than now()? Replace NULL in expiry_time
column with "0000-00-00 00:00:00" (that's what MySQL thinks null
datetime is - it will match IS NULL). And in that previous query replace
= NULL with = '0000-00-00 00:00:00'.

If this is so, sqlippool schema will need to be changed.

Ivan Kalik
Kalik Informatika ISP



Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-28 Thread Sebastian Heil
> 
> It is a bug. That should be "... expiry_time = NULL WHERE ..."
> 

Hi,

This is working fine.

But there seems to be a problem with this statement now:

-
SELECT framedipaddress FROM radippool  WHERE pool_name = 'poolDE' AND 
expiry_time < NOW()  ORDER BY (username <> 'peter2'),  (callingstationid <> 
''),  expiry_time  LIMIT 1  FOR UPDATE


This statement should receive a free IP address, I think, but it doesn't. I 
think the problem is the part "expiry_time < NOW()". This is not working in 
MySQL. Does anyone know how to fix this?

Thanks
Sebastian



complete debug:

rad_recv: Access-Request packet from host 10.98.6.33 port 2577, id=127, 
length=67
User-Name = "peter2"
User-Password = "peter2"
Called-Station-Id = "xxx"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
/var/log/radius/radacct/10.98.6.33/auth-detail-20090128
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/10.98.6.33/auth-detail-20090128
[auth_log]  expand: %t -> Wed Jan 28 14:27:45 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peter2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 183
++[files] returns ok
[sql]   expand: %{User-Name} -> peter2
[sql] sql_set_user escaped user --> 'peter2'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'peter2'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = 'peter2'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = 'peter2'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 'peter2'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM radusergroup   WHERE username = 'peter2'   ORDER 
BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup   
WHERE username = 'peter2'   ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op   
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id -> SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = 'Deutschland'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value, op 
  FROM radgroupcheck   WHERE groupname = 'Deutschland'   
ORDER BY id
[sql] User found in group Deutschland
[sql]   expand: SELECT id, groupname, attribute,   value, op   
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id -> SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = 'Deutschland'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   value, op 
  FROM radgroupreply   WHERE groupname = 'Deutschland'   
ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "peter2"
[pap] Using clear text password "peter2"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
rlm_sql (sql): Reserving sql socket id: 1
[sqlippool] expand: %{User-Name} -> peter2
[sqlippool] sql_set_user escaped user --> 'peter2'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
rlm_sql_mysql: query:  START TRANSACTION
[sqlippool] expand: UPDATE radippool   SET nasipaddress = '&

Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-28 Thread tnt
>it seems, as if this is working...
>
>But there seems to be another problem or even a bug:
>
>What does this error message mean?
>
>
>rlm_sql_mysql: MYSQL check_error: 1064 received
>sqlippool_command: database query error in: 'UPDATE radippool   SET 
>nasipaddress = '', pool_key = 0,   callingstationid = '', username = '',   
>expiry_time IS NULL   WHERE expiry_time <= NOW() - INTERVAL 1 SECOND   AND 
>nasipaddress = '10.98.6.33''
>-
>

It is a bug. That should be "... expiry_time = NULL WHERE ..."

Ivan Kalik
Kalik Informatika ISP

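The two SQL problems in this thread, the `UPDATE ... SET expiry_time IS NULL` that MySQL rejects with error 1064 and the allocation SELECT that stops finding addresses once expiry_time is NULL, as an added example; this is not code from the thread or from FreeRADIUS. It uses Python's sqlite3 as a stand-in for MySQL, which is an assumption: the NULL comparison semantics (NULL < x is neither true nor false, and IS NULL is a predicate, not an assignment) are the same in both, but the '0000-00-00 00:00:00' zero date is a MySQL convention and here is just a string that sorts before any real timestamp. The pool rows, the NAS address and the fixed "current time" are constructed for the example.

```python
"""Why the sqlippool queries from this thread misbehave once expiry_time
is NULL. Added example, not code from the thread or from FreeRADIUS.
sqlite3 stands in for MySQL (assumption: same NULL semantics)."""
import sqlite3

ZERO_DATE = "0000-00-00 00:00:00"        # MySQL's zero date, used as a sentinel
NOW = "2009-01-28 14:27:45"              # fixed "current time" in place of NOW()
NOW_MINUS_1S = "2009-01-28 14:27:44"     # NOW() - INTERVAL 1 SECOND

# The three variants of the SET clause in the clear-NAS UPDATE.
CLEAR_VARIANTS = {
    "broken": "expiry_time IS NULL",              # as logged in the thread: syntax error
    "null":   "expiry_time = NULL",               # the suggested correction
    "zero":   "expiry_time = '%s'" % ZERO_DATE,   # sentinel the SELECT below can see
}


def make_pool():
    """Constructed radippool table: one live lease and one stale lease,
    both handed out by NAS 10.98.6.33 (the NAS address from the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radippool (
        pool_name TEXT, framedipaddress TEXT, nasipaddress TEXT,
        pool_key INTEGER, callingstationid TEXT, username TEXT,
        expiry_time TEXT)""")
    db.executemany("INSERT INTO radippool VALUES (?, ?, ?, ?, ?, ?, ?)", [
        ("poolDE", "10.1.1.1", "10.98.6.33", 1, "", "peter1", "2009-01-28 15:00:00"),
        ("poolDE", "10.1.1.2", "10.98.6.33", 1, "", "peter3", "2009-01-28 14:00:00"),
    ])
    return db


def allocate(db, pool, username, now=NOW):
    """The allocate-find SELECT from the thread, with NOW() bound as a
    parameter. Returns the address picked, or None when no row matches
    (the '[sqlippool] SQL query did not return any results' case)."""
    row = db.execute("""
        SELECT framedipaddress FROM radippool
        WHERE pool_name = ? AND expiry_time < ?
        ORDER BY (username <> ?), (callingstationid <> ''), expiry_time
        LIMIT 1""", (pool, now, username)).fetchone()
    return row[0] if row else None


def clear_nas(db, nasipaddress, variant):
    """The clear-NAS UPDATE from the thread with one of the SET variants
    above. Returns 'ok' or the database's error text."""
    sql = ("UPDATE radippool SET nasipaddress = '', pool_key = 0, "
           "callingstationid = '', username = '', " + CLEAR_VARIANTS[variant] +
           " WHERE expiry_time <= ? AND nasipaddress = ?")
    try:
        db.execute(sql, (NOW_MINUS_1S, nasipaddress))
        db.commit()
        return "ok"
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def demo(variant):
    """Allocate before and after clearing the NAS with the given variant.
    Returns (address before, update status, address after)."""
    db = make_pool()
    before = allocate(db, "poolDE", "peter2")
    status = clear_nas(db, "10.98.6.33", variant)
    after = allocate(db, "poolDE", "peter2")
    return before, status, after


if __name__ == "__main__":
    for variant in CLEAR_VARIANTS:
        print(variant, demo(variant))
```

With the "null" variant the UPDATE succeeds but the freed address disappears from the allocation query, because `expiry_time < NOW()` is not true for a NULL value; with the zero-date sentinel (or a schema whose free rows never hold NULL) the same address is found again. That is the schema change the thread concludes is needed.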


Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-28 Thread Sebastian Heil
> 
> You don't. You use sql groups.
> 
> Create two groups, group1 and group2; add to radgroupcheck:
> Nas-IP-Address == nas1 address and Pool-Name := pool1 for group1 and
> Nas-IP-Address == nas2 address and Pool-Name := pool2 for group2. Add
> the user to both groups.

Thanks, 

It seems as if this is working...

But there seems to be another problem or even a bug:

What does this error message mean?


rlm_sql_mysql: MYSQL check_error: 1064 received
sqlippool_command: database query error in: 'UPDATE radippool   SET 
nasipaddress = '', pool_key = 0,   callingstationid = '', username = '',   
expiry_time IS NULL   WHERE expiry_time <= NOW() - INTERVAL 1 SECOND   AND 
nasipaddress = '10.98.6.33''
-

I tried the same statement in the mysql-console and received the following 
error:

-
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 'IS 
NULL   WHERE expiry_time <= NOW() - INTERVAL 1 SECOND   AND nasipaddress = '1' 
at line 1
-

Here is the complete debug-output:

---
rad_recv: Access-Request packet from host 10.98.6.33 port 4356, id=23, length=67
User-Name = "peter2"
User-Password = "peter2"
Called-Station-Id = "xxx"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
/var/log/radius/radacct/10.98.6.33/auth-detail-20090128
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/10.98.6.33/auth-detail-20090128
[auth_log]  expand: %t -> Wed Jan 28 13:10:04 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peter2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 183
++[files] returns ok
[sql]   expand: %{User-Name} -> peter2
[sql] sql_set_user escaped user --> 'peter2'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'peter2'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = 'peter2'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = 'peter2'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 'peter2'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM radusergroup   WHERE username = 'peter2'   ORDER 
BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup   
WHERE username = 'peter2'   ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op   
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id -> SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = 'Deutschland'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value, op 
  FROM radgroupcheck   WHERE groupname = 'Deutschland'   
ORDER BY id
[sql] User found in group Deutschland
[sql]   expand: SELECT id, groupname, attribute,   value, op   
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id -> SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = 'Deutschland'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   value, op 
  FROM radgroupreply   WHERE groupname = 'Deutschland'   
ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[l

Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-27 Thread tnt
>We have different Network Access Servers, which are located in different 
>locations. The users who log in to these NASes will be assigned an IP address 
>by the sqlippool module.
>
>I read a lot of the documentation and tried a lot of different things, but I 
>don't know how to configure the sqlippool module to assign an IP address based 
>on the NAS on which the user logs in. 
>

You don't. You use sql groups.

Create two groups, group1 and group2; add to radgroupcheck:
Nas-IP-Address == nas1 address and Pool-Name := pool1 for group1 and
Nas-IP-Address == nas2 address and Pool-Name := pool2 for group2. Add
the user to both groups.

Ivan Kalik
Kalik Informatika ISP



IP-Assignment with sqlippool based on nas-ip-address

2009-01-27 Thread Sebastian Heil
Hello,

We are using FreeRADIUS 2.1.1 on SUSE Linux Enterprise Server 10.

We have different Network Access Servers, which are located in different 
locations. The users who log in to these NASes will be assigned an IP address 
by the sqlippool module.

I read a lot of the documentation and tried a lot of different things, but I 
don't know how to configure the sqlippool module to assign an IP address based 
on the NAS on which the user logs in. 

So for example, if the user logs in on nas1, he will get an IP out of the pool 
10.1.1.1 - 10.1.10.255; if he logs in on nas2, he will get an IP out of the 
pool 10.200.1.1 - 10.200.10.255.

The authentication information and the IP pool information will be stored in 
MySQL.

Can you give me an example of where I have to configure this?

Thanks.

Sebastian


Re: Nas-Ip-Address attribute and source IP address of UDP datagram.

2009-01-22 Thread Alan DeKok
Dmitry V. Krivenok wrote:
> It looks cool.
> Where can I use this code?
> In authorize section?

  Anywhere.

> request->client->ipaddr seems to be what I need.

  It may *not* be the same as request->packet->src_ipaddr.  The client
IP address may be a netmask, and not a /32.

> I tested via the following command:
> DEBUG("rlm_osb: Source IP address %s.",
> inet_ntoa(request->client->ipaddr.ipaddr.ip4addr));
> 
> Is it correct to use request->client->ipaddr instead of
> request->packet->src_ipaddr?

  No.

  There's a *reason* I said use request->packet->src_ipaddr.  I'm
curious why you went looking for something else, rather than just use
what I told you.

  Alan DeKok.


Re: Nas-Ip-Address attribute and source IP address of UDP datagram.

2009-01-22 Thread Dmitry V. Krivenok

Alan DeKok wrote:
> Dmitry V. Krivenok wrote:
>> I deal with bad "hand-made" NAS, which doesn't include "Nas-Ip-Address"
>> attribute into the packet.
>> So I can't distinguish packets from different NAS'es.
>
>   Look at Packet-Src-IP-Address.  It is a "virtual" attribute that you
> can use in dynamic expansions.
>
>> Is there a way to add this attribute (with value of source address of
>> UDP datagram) using standard FreeRadius facilities?
>> We don't use proxies, so this solution seems to be correct.
>
> if (!NAS-IP-Address) {
>     update request {
>         NAS-IP-Address = "%{Packet-Src-IP-Address}"
>     }
> }

It looks cool.
Where can I use this code?
In authorize section?

>> I'm writing my own rlm and I can implement desired functionality if
>> there is no one in FreeRadius.
>> The problem lies in that I can't find the address of client in REQUEST
>> (i.e.  auth_req) structure.
>
>   request->packet->src_ipaddr.

request->client->ipaddr seems to be what I need.
I tested via the following command:
DEBUG("rlm_osb: Source IP address %s.",
inet_ntoa(request->client->ipaddr.ipaddr.ip4addr));

Is it correct to use request->client->ipaddr instead of
request->packet->src_ipaddr?

>   Alan Dekok.


--
Sincerely yours, Dmitry V. Krivenok
Orange System Co., Ltd.
Saint-Petersburg, Russia
work phone: +7 812 332-32-40
cellular phone: +7 921 576-70-91
e-mail: krive...@orangesystem.ru
web: http://www.orangesystem.ru
skype: krivenok_dmitry
jabber: krivenok_dmi...@jabber.ru
icq: 242-526-443



Re: Nas-Ip-Address attribute and source IP address of UDP datagram.

2009-01-22 Thread Alan DeKok
Dmitry V. Krivenok wrote:
> I deal with bad "hand-made" NAS, which doesn't include "Nas-Ip-Address"
> attribute into the packet.
> So I can't distinguish packets from different NAS'es.

  Look at Packet-Src-IP-Address.  It is a "virtual" attribute that you
can use in dynamic expansions.

> Is there a way to add this attribute (with value of source address of
> UDP datagram) using standard FreeRadius facilities?
> We don't use proxies, so this solution seems to be correct.

if (!NAS-IP-Address) {
    update request {
        NAS-IP-Address = "%{Packet-Src-IP-Address}"
    }
}

> I'm writing my own rlm and I can implement desired functionality if
> there is no one in FreeRadius.
> The problem lies in that I can't find the address of client in REQUEST
> (i.e.  auth_req) structure.

  request->packet->src_ipaddr.

  Alan Dekok.
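The fallback Alan describes (use NAS-IP-Address when the NAS sent it, otherwise the datagram's source address), together with his caveat in the previous reply that a client entry may be a network rather than a /32, as an added example in Python; this is not FreeRADIUS code and does not use its data structures. The packet bytes, the client table and the helper names (parse_attributes, effective_nas_ip, match_client, build_request) are constructed for the example; the attribute numbers are the RFC 2865 values.

```python
"""Where the NAS address comes from when NAS-IP-Address is missing.
Added example, not FreeRADIUS code. Mirrors the unlang fallback from the
thread (prefer the attribute, else the datagram source) and the caveat that
a client entry may be a network, not a /32. Packet bytes, client table and
all helper names are constructed for this example."""
import ipaddress
import struct

USER_NAME = 1        # RFC 2865 attribute types
NAS_IP_ADDRESS = 4
ACCESS_REQUEST = 1   # RADIUS packet code


def parse_attributes(packet):
    """Return [(type, value_bytes), ...] from the attribute area of a RADIUS
    packet, refusing malformed lengths rather than reading past the end."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def effective_nas_ip(packet, src_ipaddr):
    """Policy from the thread's unlang: NAS-IP-Address if the NAS sent a
    well-formed one, otherwise the source address of the UDP datagram.
    Either way the value is only as trustworthy as the NAS that sent it."""
    for atype, value in parse_attributes(packet):
        if atype == NAS_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return str(ipaddress.ip_address(src_ipaddr))


# Constructed stand-in for clients.conf: one /32 NAS and one whole subnet.
CLIENTS = {
    "nas1": ipaddress.ip_network("10.98.6.33/32"),
    "lab":  ipaddress.ip_network("192.168.0.0/24"),
}


def match_client(src_ipaddr):
    """Longest-prefix lookup of the client entry covering src_ipaddr.
    Returns (name, network), or None when no entry matches. For 'lab' the
    entry's address is the subnet, which is not the packet's source
    address: that is the difference Alan points out."""
    addr = ipaddress.ip_address(src_ipaddr)
    for name, net in sorted(CLIENTS.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name, net
    return None


def build_request(attrs, ident=1):
    """Construct an Access-Request from (type, bytes) pairs. The 16-byte
    Request Authenticator is zeroed: this example does not do the
    shared-secret computation, only the attribute handling."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    with_nas = build_request([(USER_NAME, b"peter2"),
                              (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.98.6.33").packed)])
    without = build_request([(USER_NAME, b"peter2")])
    print(effective_nas_ip(with_nas, "10.98.6.33"))   # 10.98.6.33
    print(effective_nas_ip(without, "192.168.0.77"))  # 192.168.0.77
    print(match_client("192.168.0.77"))               # ('lab', IPv4Network('192.168.0.0/24'))
```

The client lookup is the reason `request->client->ipaddr` is the wrong field for "who sent this datagram": it names the configured client (possibly a whole network), while the packet's source address is the actual peer.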


Re: Nas-Ip-Address attribute and source IP address of UDP datagram.

2009-01-22 Thread tnt
>I deal with bad "hand-made" NAS, which doesn't include "Nas-Ip-Address"
>attribute into the packet.
>So I can't distinguish packets from different NAS'es.
>
>Is there a way to add this attribute (with value of source address of
>UDP datagram) using standard FreeRadius facilities?

Packet-Src-IP-Address already exists.

Ivan Kalik
Kalik Informatika ISP



Nas-Ip-Address attribute and source IP address of UDP datagram.

2009-01-22 Thread Dmitry V. Krivenok

Hello!

I deal with bad "hand-made" NAS, which doesn't include "Nas-Ip-Address" 
attribute into the packet.

So I can't distinguish packets from different NAS'es.

Is there a way to add this attribute (with value of source address of 
UDP datagram) using standard FreeRadius facilities?

We don't use proxies, so this solution seems to be correct.

I'm writing my own rlm and I can implement desired functionality if 
there is no one in FreeRadius.
The problem lies in that I can't find the address of client in REQUEST 
(i.e.  auth_req) structure.


Comments in "site-enabled/default" say that preprocess module should add 
"Client-IP-Address" attribute.

I printed request->packet->vps, but didn't find this attribute in the list.

Is source IP address reachable via REQUEST structure passed to authorize 
callback?


--
Sincerely yours, Dmitry V. Krivenok
Orange System Co., Ltd.
Saint-Petersburg, Russia
work phone: +7 812 332-32-40
cellular phone: +7 921 576-70-91
e-mail: krive...@orangesystem.ru
web: http://www.orangesystem.ru
skype: krivenok_dmitry
jabber: krivenok_dmi...@jabber.ru
icq: 242-526-443



Re: NAS-IP-Address, rlm_perl, and loopback

2008-08-25 Thread Alan DeKok
Sewell, Adam W wrote:
> Thanks for the help guys, but I don't think that's going to work
> for me. I was doing some testing today and it doesn't seem like
> I can add a filter-id to the access-accept packet from the
> post-auth function.

  Uh... no.  You can add almost anything to the Access-Accept from the
post-auth function.

  What are you trying to do, and how are you trying to do it?

  Alan DeKok.


RE: NAS-IP-Address, rlm_perl, and loopback

2008-08-25 Thread Sewell, Adam W
Thanks for the help guys, but I don't think that's going to work for me. I was 
doing some testing today and it doesn't seem like I can add a filter-id to the 
access-accept packet from the post-auth function. Our switches require that to 
set the policy. Am I missing something here?



Re: NAS-IP-Address, rlm_perl, and loopback

2008-08-22 Thread A . L . M . Buxey
Hi,

>   Which explains what's going on.  PEAP is really two things: an outer
> TLS session, and inner EAP-MSCHAPv2 authentication.  So there are *two*
> streams of RADIUS packets.  One that sets up the tunnel, and one that
> does the authentication inside of the tunnel.

yep - so if you only want to define a policy after 
successful authentication, you only call the 'perl'
routine in the post-auth section - therefore it
doesn't get called all the time. As Alan pointed out.
You should also ensure that, if this is the case,
you only have the post-auth function defined in the
perl module and in the perl code. No need to have any
other functions enabled.

alan


Re: NAS-IP-Address, rlm_perl, and loopback

2008-08-21 Thread Alan DeKok
Adam W. Sewell wrote:
> I am using PEAP/MsChapv2.

  Exactly.  There are multiple packet exchanges as part of one PEAP
authentication.

> I am using a perl script to authorize the user access to the network based on 
> some information that is pulled out of a database via our perl script. This 
> part is working ok. What I want to happen is with the NAS-IP-Address being 
> sent back, I can tell the port on the switch (NAS) which policy this person 
> should have. This would work great if I could get some consistent data from 
> the NAS. 

  Then put it in the "post-auth" section.  In 2.0.5,
raddb/sites-available/default, section post-auth.

> Below are some excerpts from debug log and a log of the variables in 
> RAD_REQUEST for one of our test users. I've looked through the logs and all I 
> can come up with is that it looks like some of the packets are being proxied 
> even though I have proxy turned off in the radius.conf file and have the 
> proxy.conf file commented out.  

  Which explains what's going on.  PEAP is really two things: an outer
TLS session, and inner EAP-MSCHAPv2 authentication.  So there are *two*
streams of RADIUS packets.  One that sets up the tunnel, and one that
does the authentication inside of the tunnel.

  Alan DeKok.


RE: NAS-IP-Address, rlm_perl, and loopback

2008-08-21 Thread Adam W. Sewell

> > This also leads into the second issue I'm having that when
> > the perl script does run, it doesn't always pass the same
> > data in the NAS-IP-Address variable. Half the time it is the
> > correct information and half the time it is 127.0.0.1.
> 
>   Go read the debug output.  The NAS-IP-Address is sent by the NAS.
> It's not invented by the server.  There's no magic here.
> 
>   If the NAS-IP-Address is different from packet to packet, it's likely
> because the NAS is *sending* it differently for each packet.
> 
>   If there are multiple packets for one "authentication" session, it's
> because you're doing EAP... which takes multiple round trips.  Again,
> read the debugging output to see what's going on.

I am using PEAP/MsChapv2.

>   Perhaps you could try talking about what you *want* to have happen,
> rather than wondering why the server doesn't work the way you expect.
> The server is doing exactly the right thing for the authentication
> protocol you're using, and is doing exactly what you told it to do.

I am using a perl script to authorize the user access to the network based on 
some information that is pulled out of a database via our perl script. This 
part is working ok. What I want to happen is with the NAS-IP-Address being sent 
back, I can tell the port on the switch (NAS) which policy this person should 
have. This would work great if I could get some consistent data from the NAS. 

Below are some excerpts from debug log and a log of the variables in 
RAD_REQUEST for one of our test users. I've looked through the logs and all I 
can come up with is that it looks like some of the packets are being proxied 
even though I have proxy turned off in the radius.conf file and have the 
proxy.conf file commented out.  

--
Debug: 
--
Thu Aug 21 12:57:15 2008 : rad_recv: Access-Request packet from host 
192.168.0.1:1212, id=248, length=151
Thu Aug 21 12:57:15 2008 :  Message-Authenticator = 
0xd4a6f83dee299957e58e7ad71fb484b6
Thu Aug 21 12:57:15 2008 :  User-Name = "test_user"
Thu Aug 21 12:57:15 2008 :  NAS-IP-Address = 192.168.0.1
Thu Aug 21 12:57:15 2008 :  NAS-Port = 8
Thu Aug 21 12:57:15 2008 :  NAS-Port-Type = Ethernet
Thu Aug 21 12:57:15 2008 :  Calling-Station-Id = "00-03-25-12-39-09"
Thu Aug 21 12:57:15 2008 :  EAP-Message = 0x0201000d016a6d63646f77656c
Thu Aug 21 12:57:15 2008 :  Framed-MTU = 1000
Thu Aug 21 12:57:15 2008 :  Called-Station-Id = "0001F4-7A-06-60\0009"
Thu Aug 21 12:57:15 2008 :  NAS-Identifier = "BZRBAS_09614_M80"
Thu Aug 21 12:57:15 2008 :  NAS-Port-Id = "fe.0.8"
Thu Aug 21 12:57:15 2008 : Using perl at 0x80116518
Thu Aug 21 12:57:15 2008 : rlm_perl: Added pair Filter-Id = 
Enterasys:version=1:policy=CCP_Student
Thu Aug 21 12:57:15 2008 : rlm_perl: Added pair Cleartext-Password = USERPASS
Thu Aug 21 12:57:15 2008 : rlm_perl: Added pair Auth-Type = EAP
Thu Aug 21 12:57:15 2008 : Sending Access-Challenge of id 248 to 192.168.0.1 
port 1212
Thu Aug 21 12:57:15 2008 :  Filter-Id = 
"Enterasys:version=1:policy=CCP_Student"
Thu Aug 21 12:57:15 2008 :  EAP-Message = 0x010200061920
Thu Aug 21 12:57:15 2008 :  Message-Authenticator = 
0x
Thu Aug 21 12:57:15 2008 :  State = 0xad137155784feb70aaf74d3c65a9a86e
Thu Aug 21 12:57:15 2008 : rad_recv: Access-Request packet from host 
192.168.0.1:1212, id=249, length=248
Thu Aug 21 12:57:15 2008 :  Message-Authenticator = 
0x07f9f250ad693b0842998be1dda18420
Thu Aug 21 12:57:15 2008 :  User-Name = "test_user"
Thu Aug 21 12:57:15 2008 :  State = 0xad137155784feb70aaf74d3c65a9a86e
Thu Aug 21 12:57:15 2008 :  NAS-IP-Address = 192.168.0.1
Thu Aug 21 12:57:15 2008 :  NAS-Port = 8
Thu Aug 21 12:57:15 2008 :  NAS-Port-Type = Ethernet
Thu Aug 21 12:57:15 2008 :  Calling-Station-Id = "00-03-25-12-39-09"
Thu Aug 21 12:57:15 2008 :  Called-Station-Id = "00-01-F4-7A-06-60"
Thu Aug 21 12:57:15 2008 :  Framed-MTU = 1000
Thu Aug 21 12:57:15 2008 :  EAP-Message = 
0x0202005c19001603010051014d030148ad9e3eee721642dca72c79e437cd5e18483257e35b2933d1b1bf7c255d08732600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
Thu Aug 21 12:57:15 2008 :  NAS-Identifier = "BZRBAS_09614_M80"
Thu Aug 21 12:57:15 2008 :  NAS-Port-Id = "fe.0.8"
Thu Aug 21 12:57:15 2008 : Using perl at 0x80116518
Thu Aug 21 12:57:15 2008 : rlm_perl: Added pair Filter-Id = 
Enterasys:version=1:policy=CCP_Student
Thu Aug 21 12:57:15 2008 : rlm_perl: Added pair Cleartext-Password = USERPASS
Thu Aug 21 12:57:15 2008 : rlm_perl: Add

Re: NAS-IP-Address, rlm_perl, and loopback

2008-08-21 Thread Alan DeKok
Adam W. Sewell wrote:
> I'm having a couple of issues particularly pertaining
> to the NAS-IP-Address variable that is passed from the
> switch. When a client sends the auth-request, we find
> that the authorize function of our perl script is being
> executed multiple times for the same request.

  It's being run once per packet.  Go read the debug output.

> I would think that the authorize function would only be
> called once.

  For PAP, CHAP, and other authentication methods that only use one
round trip.

> This also leads into the second issue I'm having that when
> the perl script does run, it doesn't always pass the same
> data in the NAS-IP-Address variable. Half the time it is the
> correct information and half the time it is 127.0.0.1. 

  Go read the debug output.  The NAS-IP-Address is sent by the NAS.
It's not invented by the server.  There's no magic here.

  If the NAS-IP-Address is different from packet to packet, it's likely
because the NAS is *sending* it differently for each packet.

  If there are multiple packets for one "authentication" session, it's
because you're doing EAP... which takes multiple round trips.  Again,
read the debugging output to see what's going on.

  Perhaps you could try talking about what you *want* to have happen,
rather than wondering why the server doesn't work the way you expect.
The server is doing exactly the right thing for the authentication
protocol you're using, and is doing exactly what you told it to do.

  Alan DeKok.
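Alan's advice in both replies is to read the debug output packet by packet. As an added example (not code from the thread or from FreeRADIUS), here is a small parser for the timestamped `rad_recv:` format Adam posted: it groups the attribute lines under each received packet, ignores the attributes of the server's own replies, and reports how many Access-Requests one authentication produced and which NAS-IP-Address values they carried. The log lines are constructed to resemble Adam's; the third request arriving from 127.0.0.1 stands for the inner-tunnel stream Alan describes and is an assumption, not something shown in the thread.

```python
"""Parse radiusd debug output into packets. Added example, not from the
thread or FreeRADIUS. The log lines are constructed after the ones Adam
posted; the third request, from 127.0.0.1, stands for the inner-tunnel
stream and is an assumption."""
import ipaddress
import re

SAMPLE_LOG = """\
Thu Aug 21 12:57:15 2008 : rad_recv: Access-Request packet from host 192.168.0.1:1212, id=248, length=151
Thu Aug 21 12:57:15 2008 :  User-Name = "test_user"
Thu Aug 21 12:57:15 2008 :  NAS-IP-Address = 192.168.0.1
Thu Aug 21 12:57:15 2008 :  Calling-Station-Id = "00-03-25-12-39-09"
Thu Aug 21 12:57:15 2008 :  EAP-Message = 0x0201000d016a6d63646f77656c
Thu Aug 21 12:57:15 2008 : Sending Access-Challenge of id 248 to 192.168.0.1 port 1212
Thu Aug 21 12:57:15 2008 :  EAP-Message = 0x010200061920
Thu Aug 21 12:57:15 2008 :  State = 0xad137155784feb70aaf74d3c65a9a86e
Thu Aug 21 12:57:15 2008 : rad_recv: Access-Request packet from host 192.168.0.1:1212, id=249, length=248
Thu Aug 21 12:57:15 2008 :  User-Name = "test_user"
Thu Aug 21 12:57:15 2008 :  State = 0xad137155784feb70aaf74d3c65a9a86e
Thu Aug 21 12:57:15 2008 :  NAS-IP-Address = 192.168.0.1
Thu Aug 21 12:57:15 2008 :  Calling-Station-Id = "00-03-25-12-39-09"
Thu Aug 21 12:57:16 2008 : rad_recv: Access-Request packet from host 127.0.0.1:1814, id=3, length=90
Thu Aug 21 12:57:16 2008 :  User-Name = "test_user"
Thu Aug 21 12:57:16 2008 :  NAS-IP-Address = 127.0.0.1
"""

RECV = re.compile(r"^(?P<ts>.+?) : rad_recv: (?P<code>[\w-]+) packet from host "
                  r"(?P<src>[\d.]+):(?P<port>\d+), id=(?P<id>\d+)")
SEND = re.compile(r"^.+? : Sending ")
ATTR = re.compile(r"^.+? :\s+(?P<name>[\w-]+) = (?P<value>.+)$")


def parse_packets(log):
    """Return one dict per received packet: code, source, port, id, attrs.
    Attribute lines that follow a 'Sending' line belong to the reply and
    are skipped, so attrs holds only what the NAS actually sent."""
    packets, current = [], None
    for line in log.splitlines():
        m = RECV.match(line)
        if m:
            current = {"code": m["code"], "src": m["src"], "port": int(m["port"]),
                       "id": int(m["id"]), "attrs": {}}
            packets.append(current)
            continue
        if SEND.match(line):
            current = None
            continue
        m = ATTR.match(line)
        if m and current is not None:
            current["attrs"][m["name"]] = m["value"].strip().strip('"')
    return packets


def summarize(packets):
    """Split Access-Requests into the outer stream (from the NAS) and the
    loopback stream, and list the NAS-IP-Address values seen. A request
    carrying State is a continuation of an earlier round trip."""
    reqs = [p for p in packets if p["code"] == "Access-Request"]
    loop = [p for p in reqs if ipaddress.ip_address(p["src"]).is_loopback]
    outer = [p for p in reqs if p not in loop]
    return {
        "requests": len(reqs),
        "outer_ids": [p["id"] for p in outer],
        "loopback_ids": [p["id"] for p in loop],
        "nas_ips": sorted({p["attrs"].get("NAS-IP-Address", "(absent)") for p in reqs}),
        "continuations": sum(1 for p in reqs if "State" in p["attrs"]),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_packets(SAMPLE_LOG)).items():
        print(key, value)
```

Run against a real `radiusd -X` capture, the counts make Alan's point concrete: one PEAP logon is several Access-Requests, each of which runs the authorize section again, and a policy that keys on NAS-IP-Address must be applied only where the real NAS's value is present, which is why post-auth is the right place for it.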


NAS-IP-Address, rlm_perl, and loopback

2008-08-21 Thread Adam W. Sewell
I'm having a couple of issues particularly pertaining to the NAS-IP-Address 
variable that is passed from the switch. When a client sends the auth-request, 
we find that the authorize function of our perl script is being executed 
multiple times for the same request. I would think that the authorize function 
would only be called once. This also leads into the second issue I'm having 
that when the perl script does run, it doesn't always pass the same data in the 
NAS-IP-Address variable. Half the time it is the correct information and half 
the time it is 127.0.0.1. 

Can anyone shed some light on why this is happening?

Thanks.



Re: Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.29

2008-08-14 Thread Ivan Kalik
>Hi! To the first Alan: my server is 10.30.1.104, not 10.0.6.29 

Fine.

>
>ok, and when i write : radtest test testing123 10.0.6.29 1812 testing123  

So why are you sending the request to the wrong RADIUS server? Read the
instructions on how to use radtest again.

Ivan Kalik
Kalik Informatika ISP



Re: Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.

2008-08-14 Thread A . L . M . Buxey
Hi,

> Hi! To the first Alan: my server is 10.30.1.104, not 10.0.6.29, and when I write
> this: radiusd -i 10.30.1.104 -p 1812 -x -X :

okay. your server is 10.30.1.104

> OK, and when I write: radtest test testing123 10.0.6.29 1812 testing123  I
> get:

do you know what that command means?  you are sending a request
for user 'test' with password 'testing123' to server 10.0.6.29

so WHAT is server 10.0.6.29 ? it's certainly not the server
you've just started. THAT server was 10.30.1.104

alan


Re: Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.

2008-08-14 Thread Martin Silvero
;
Thu Aug 14 17:36:15 2008 : Debug:   hints = "/usr/local/etc/raddb/hints"
Thu Aug 14 17:36:15 2008 : Debug:   with_ascend_hack = no
Thu Aug 14 17:36:15 2008 : Debug:   ascend_channels_per_line = 23
Thu Aug 14 17:36:15 2008 : Debug:   with_ntdomain_hack = no
Thu Aug 14 17:36:15 2008 : Debug:   with_specialix_jetstream_hack = no
Thu Aug 14 17:36:15 2008 : Debug:   with_cisco_vsa_hack = no
Thu Aug 14 17:36:15 2008 : Debug:   with_alvarion_vsa_hack = no
Thu Aug 14 17:36:15 2008 : Debug:   }
Thu Aug 14 17:36:15 2008 : Debug:  Module: Checking preacct {...} for more
modules to load
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_acct_unique, checking if
it's valid)
Thu Aug 14 17:36:15 2008 : Debug:  Module: Linked to module rlm_acct_unique
Thu Aug 14 17:36:15 2008 : Debug:  Module: Instantiating acct_unique
Thu Aug 14 17:36:15 2008 : Debug:   acct_unique {
Thu Aug 14 17:36:15 2008 : Debug:   key = "User-Name, Acct-Session-Id,
NAS-IP-Address, Client-IP-Address, NAS-Port"
Thu Aug 14 17:36:15 2008 : Debug:   }
Thu Aug 14 17:36:15 2008 : Debug:  Module: Checking accounting {...} for
more modules to load
Thu Aug 14 17:36:15 2008 : Debug: (Loaded rlm_detail, checking if it's
valid)
Thu Aug 14 17:36:15 2008 : Debug:  Module: Linked to module rlm_detail
Thu Aug 14 17:36:15 2008 : Debug:  Module: Instantiating detail
Thu Aug 14 17:36:15 2008 : Debug:   detail {
Thu Aug 14 17:36:15 2008 : Debug:   detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
Thu Aug 14 17:36:15 2008 : Debug:   header = "%t"
Thu Aug 14 17:36:15 2008 : Debug:   detailperm = 384
Thu Aug 14 17:36:15 2008 : Debug:   dirperm = 493
Thu Aug 14 17:36:15 2008 : Debug:   locking = no
Thu Aug 14 17:36:15 2008 : Debug:   log_packet_header = no
Thu Aug 14 17:36:15 2008 : Debug:   }
Thu Aug 14 17:36:15 2008 : Debug:  Module: Instantiating
attr_filter.accounting_response
Thu Aug 14 17:36:15 2008 : Debug:   attr_filter
attr_filter.accounting_response {
Thu Aug 14 17:36:15 2008 : Debug:   attrsfile =
"/usr/local/etc/raddb/attrs.accounting_response"
Thu Aug 14 17:36:15 2008 : Debug:   key = "%{User-Name}"
Thu Aug 14 17:36:15 2008 : Debug:   }
Thu Aug 14 17:36:15 2008 : Debug:  Module: Checking session {...} for more
modules to load
Thu Aug 14 17:36:15 2008 : Debug:  Module: Checking post-proxy {...} for
more modules to load
Thu Aug 14 17:36:15 2008 : Debug:  Module: Checking post-auth {...} for more
modules to load
Thu Aug 14 17:36:15 2008 : Debug:  }
Thu Aug 14 17:36:15 2008 : Debug: }
Thu Aug 14 17:36:15 2008 : Debug: radiusd:  Opening IP addresses and
Ports 
Thu Aug 14 17:36:15 2008 : Debug: Listening on authentication address
10.30.1.104 port 1812
Thu Aug 14 17:36:15 2008 : Debug: Listening on accounting address
10.30.1.104 port 1813
Thu Aug 14 17:36:15 2008 : Debug: Listening on proxy address
10.30.1.104port 1814
Thu Aug 14 17:36:15 2008 : Debug: Ready to process requests.

OK, and when I write: radtest test testing123 10.0.6.29 1812 testing123  I get:

Sending Access-Request of id 74 to 10.0.6.29 port 1812
User-Name = "test"
User-Password = "testing123"
NAS-IP-Address = 10.30.1.104
NAS-Port = 1812
rad_recv: Access-Reject packet from host 10.0.6.29 port 1812, id=74,
length=88
State =
0xb58bf2bf2470c7b33a07ab72ff21378e
Message-Authenticator = 0xbefeb88cc603cce206c6101378ca48b4

And to the second Alan, I don't understand very well what you say.

Sorry for my English, it is not my native language.

Thanks for your time!!!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.

2008-08-14 Thread Alan DeKok
Martin Silvero wrote:
> now I have this. I hope this time you answer me!!

  Why?  Is there some kind of contractual obligation requiring people
here to respond?

> Sending Access-Request of id 42 to 10.0.6.29 <http://10.0.6.29> port 1812
> User-Name = "test"
> User-Password = "testing123"
> NAS-IP-Address = 10.30.1.104 <http://10.30.1.104>
> NAS-Port = 1812
> rad_recv: Access-Reject packet from host 10.0.6.29 <http://10.0.6.29>
> port 1812, id=42, length=88
> State =
> 0xb58bf2bf2470c7b33a07ab72ff21378e
> Message-Authenticator = 0x53f17e1045e6a2f65d3a3f48704ea2c9

  The RADIUS server isn't FreeRADIUS.

  Go ask the RADIUS server vendor what's going on.  Don't be surprised
if they ask for money before answering your questions.

  Questions about other RADIUS servers don't belong on this list.

  Alan DeKok.


Re: Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.

2008-08-14 Thread A.L.M. Buxey
hi,

you need to look at the debug log for the
RADIUS server which lives at 10.0.6.29 
as that is the thing doing the rejecting!

alan


Sending Access-Request of id 42 to 10.0.6.29 port 1812 User-Name = "test" User-Password = "testing123" NAS-IP-Address = 10.30.1.104 NAS-Port = 1812 rad_recv: Access-Reject packet from host 10.0.6.29 p

2008-08-14 Thread Martin Silvero
hello!

now I have this. I hope this time you answer me!!

Sending Access-Request of id 42 to 10.0.6.29 port 1812
User-Name = "test"
User-Password = "testing123"
NAS-IP-Address = 10.30.1.104
NAS-Port = 1812
rad_recv: Access-Reject packet from host 10.0.6.29 port 1812, id=42,
length=88
State =
0xb58bf2bf2470c7b33a07ab72ff21378e
Message-Authenticator = 0x53f17e1045e6a2f65d3a3f48704ea2c9

Could you help me?

-- 
--

Silvero Martin

Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread Ivan Kalik
No, it should return notfound.

I can confirm this. If the check is put in the radcheck table the user will be
rejected, but if the check (that should fail) is put in the radgroupcheck table
the user is authenticated. That is not how things should work. It should
return notfound if there is no match in radgroupcheck too.

Ivan Kalik
Kalik Informatika ISP


On 23/7/2008, "leopold" <[EMAIL PROTECTED]> writes:

>
>Ivan,
>Even with default SQL query it returns OK, because user is defined properly,
>it is just check attributes of group do not match
>
>I went to the code and I saw that rlm_sql_process_groups function causes the
>whole module to return OK even though NAS-IP-Address attribute does not
>match
>Note it does not return attributes, it just return OK
>
>/*
>*  rows == 0.  This is like having the username on 
> a line
>*  in the user's file with no check vp's.  As 
> such, we treat
>*  it as found and add the reply attributes, so 
> that we
>*  match expected behavior
>*/
>   found = 1;
>   DEBUG2("rlm_sql (%s): User found in group %s",
>   inst->config->xlat_name, 
> group_list_tmp->groupname);
>
>
>User-Name = "validuser"
>User-Password = "validpasswd"
>NAS-IP-Address = y.y.y.1
>
>
>rlm_sql (sql): Reserving sql socket id: 6
>expand: SELECT id, username, attribute, value, op   FROM
>radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
>-> SELECT id, username, attribute, value, op   FROM radcheck
>WHERE username = 'validuser'   ORDER BY id
>rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
>FROM radcheck   WHERE username = 'validuser'   ORDER BY id
>rlm_sql (sql): User found in radcheck table
>expand: SELECT id, username, attribute, value, op   FROM
>radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id
>-> SELECT id, username, attribute, value, op   FROM radreply
>WHERE username = 'validuser'   ORDER BY id
>rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
>FROM radreply   WHERE username = 'validuser'   ORDER BY id
>expand: SELECT groupname   FROM radusergroup   WHERE
>username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
>groupname   FROM radusergroup   WHERE username = 'validuser'
>ORDER BY priority
>rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup
>WHERE username = 'validuser'   ORDER BY priority
>expand: SELECT id, groupname, attribute,   Value, op
>FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
>ORDER BY id -> SELECT id, groupname, attribute,   Value, op
>FROM radgroupcheck   WHERE groupname = 'GROUP1'   ORDER BY
>id
>
>rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value, op
>FROM radgroupcheck   WHERE groupname = 'GROUP1'   ORDER BY
>id
>rlm_sql (sql): Released sql socket id: 6
>++[sql] returns ok
>
>Should this module return FAIL if group check fails?
>
>
>Ivan Kalik wrote:
>>
>>>See in debug output a valid user with valid password comes from wrong
>>>NAS-IP-Address which does not belong to check attributes of the user's
>group
>>>
>>>++[sql] returns ok
>>
>> That is wrong. If group check fails sql should return notfound. Check
>> your sql entries again. Have you altered default sql queries in some way
>> (you have left them out of the debug)?
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>
>--
>View this message in context: 
>http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18614701.html
>Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>



Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread leopold

It seems that rlm_sql_process_groups in rlm_sql.c does not handle this
situation

1. If paircompare fails in rlm_sql_process_groups it should not return
found=1
2. rlm_sql_authorize should handle the return code of rlm_sql_process_groups so
that if it is not found it actually returns notfound and not "OK"

diff ./src/modules/rlm_sql/rlm_sql.c.ORIG ./src/modules/rlm_sql/rlm_sql.c
676a677,682
>   else
>   {
>   found = 0;
>   DEBUG2("rlm_sql (%s): User not found in
> group %s",
>   inst->config->xlat_name,
> group_list_tmp->groupname);
>   }
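Review bot: the new else branch resets found to 0 for every group whose check items fail, which discards a match from an earlier group in the same loop (the DEBUG2 text references group_list_tmp->groupname, so this runs once per group). A user in GROUP1 and GROUP2 whose request satisfies GROUP1 but not GROUP2 would end up "not found". Leave found untouched on failure so that only a matching group sets it, or stop iterating once a group has matched; the "User not found in group %s" debug line is worth keeping either way.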
1004a1011,1015
>   else
>   {
>   /* rows == 0 here */
>   found = 0;
>   }
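Review bot: setting found = 0 on rows == 0 reverses the "rows == 0 ... treat it as found" rule quoted earlier in this thread, so an entry that exists but carries no check items would now be reported as not found. The comment should say which query's row count this is and whether zero rows is meant as "no constraints" (found) or "no match" (not found); the two cases need different return codes, and the failed-group-check case the thread is about is better decided where the result of rlm_sql_process_groups is examined than at a row count.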
1048a1060,1064
>   else
>   {
>   /* rows == 0 here */
>   found = 0;
>
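Review bot: this hunk is truncated: the range 1048a1060,1064 announces five added lines but only four are shown and the closing brace of the else block is missing, so the patch as posted does not apply cleanly. When it is reposted, the rows == 0 branch also needs to state whether zero rows means "no constraints" (found, as the original comment in rlm_sql_process_groups treats it) or "no match" (not found), since found = 0 here changes that semantics.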


Comments?



Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread leopold

Ivan,
Even with the default SQL query it returns OK, because the user is defined
properly; it is just that the check attributes of the group do not match.

I went to the code and I saw that the rlm_sql_process_groups function causes
the whole module to return OK even though the NAS-IP-Address attribute does not
match.
Note it does not return attributes, it just returns OK.

        /*
         *  rows == 0.  This is like having the username on a line
         *  in the user's file with no check vp's.  As such, we treat
         *  it as found and add the reply attributes, so that we
         *  match expected behavior
         */
        found = 1;
        DEBUG2("rlm_sql (%s): User found in group %s",
               inst->config->xlat_name, group_list_tmp->groupname);


	User-Name = "validuser"
	User-Password = "validpasswd"
	NAS-IP-Address = y.y.y.1


rlm_sql (sql): Reserving sql socket id: 6
expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'validuser'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'validuser'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'validuser'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'validuser'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'validuser'   ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup   WHERE username = 'validuser'   ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = 'GROUP1'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = 'GROUP1'   ORDER BY id
rlm_sql (sql): Released sql socket id: 6
++[sql] returns ok

Should this module return FAIL if group check fails?


Ivan Kalik wrote:
> 
>>See in debug output a valid user with valid password comes from wrong
>>NAS-IP-Address which does not belong to check attributes of the user's
group
>>
>>++[sql] returns ok
> 
> That is wrong. If group check fails sql should return notfound. Check
> your sql entries again. Have you altered default sql queries in some way
> (you have left them out of the debug)?
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 



Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread Ivan Kalik
>See in debug output a valid user with valid password comes from wrong
>NAS-IP-Address which does not belong to check attributes of the user's group
>
>++[sql] returns ok

That is wrong. If group check fails sql should return notfound. Check
your sql entries again. Have you altered default sql queries in some way
(you have left them out of the debug)?

Ivan Kalik
Kalik Informatika ISP



Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread leopold

The problem is that all the users are valid and the SQL module returns OK; the
reply attribute list is empty, so I need to somehow reject the user.

I did some dirty workaround:
if (!reply:Service-Type) {
    # reply list does not contain Service-Type
    reject
}

See in the debug output: a valid user with a valid password comes from a wrong
NAS-IP-Address which does not belong to the check attributes of the user's group.

++[sql] returns ok
++? if (!reply:Service-Type)
? Evaluating !(reply:Service-Type) -> FALSE
++? if (!reply:Service-Type) -> TRUE
++- entering if (!reply:Service-Type)
+++[reject] returns reject
++- if (!reply:Service-Type) returns reject
  Found Post-Auth-Type Reject
+- entering group REJECT

The problem is that I do not want to rely on the reply list always containing
Service-Type.

The SQL module returns OK even if there are no reply attributes.

Thanks again


Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread Alan DeKok
leopold wrote:
> If user is coming from NAS-IP-Address x.x.x.1 or x.x.x.2 or x.x.x.3 the user
> should be accepted and reply attributes are sent back
> If however if user is coming from NAS-IP-Address y.y.y.1 he should be
> rejected (even in the case he provide a valid password and NAS y.y.y.1 is
> properly defined in NAS table with a valid shared key)

  It's a little difficult to do that with just the SQL module.

> Since I found that only one operator "==" for NAS-IP-Address check attrubute
> can be found, I changed 
> authorize_group_check_query, but still I managed to get reply list as empty
> for invalid NAS-IP and expected attributes from valid NAS (which is part of
> check attributes) but user is accepted in both cases.
> 
> Is there a way to check if "reply" list is empty in unlang (does not contain
> ANY attributes)?

  No.  However, see the return code from SQL.  If it doesn't find the
user, it should return "notfound", or "noop".  Read the debug output to
see more.  You can then do:

if (notfound) {
    reject
}

  Which is what you want.

  Alan DeKok.


authorization: unlang/NAS-IP-Address

2008-07-23 Thread leopold

Hi,
I am using freeradius 2.0.5 with MySQL. I am very new to RADIUS and
FreeRADIUS so please pardon my ignorance.

I need to reject a user if his NAS-IP-Address input attribute does not match
the check attributes defined for his group.
For example, radgroupcheck:
| id | groupname | attribute      | op | value   |
| 1  | GROUP1    | NAS-IP-Address | == | x.x.x.1 |
| 2  | GROUP1    | NAS-IP-Address | == | x.x.x.2 |
| 3  | GROUP1    | NAS-IP-Address | == | x.x.x.3 |


If the user is coming from NAS-IP-Address x.x.x.1, x.x.x.2 or x.x.x.3 the user
should be accepted and the reply attributes sent back.
If however the user is coming from NAS-IP-Address y.y.y.1 he should be
rejected (even in the case he provides a valid password and NAS y.y.y.1 is
properly defined in the NAS table with a valid shared key).

Since I found that only one operator "==" for the NAS-IP-Address check attribute
can be found, I changed authorize_group_check_query, but still I get the reply
list empty for the invalid NAS-IP and the expected attributes from the valid NAS
(which is part of the check attributes), yet the user is accepted in both cases.

Is there a way to check if the "reply" list is empty in unlang (does not contain
ANY attributes)?
I tried this, but it does not work.

if (!reply:[0]) {
    # reply list is empty
    reject
}

Do you have any suggestions?

Thank you very much for your reply.
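An added Python model of the decision this thread is about; it is not FreeRADIUS's rlm_sql code. The tables are constructed in the shape of the default SQL schema, the addresses are documentation-range placeholders for x.x.x.1 and y.y.y.1, and the fixed flag switches between the "ok" the debug output above shows for 2.0.5 and the "notfound" Ivan and Alan say the module should return, so the unlang "if (notfound) { reject }" step can be exercised against both.

```python
"""Constructed model (not FreeRADIUS code) of the rlm_sql authorize decision
discussed in this thread: radcheck -> radreply -> radusergroup ->
radgroupcheck -> radgroupreply, followed by Alan's unlang check."""

# Tables constructed in the shape of the default SQL schema.  The addresses
# are documentation-range placeholders for the thread's x.x.x.1 / y.y.y.1.
RADCHECK = [        # (username, attribute, op, value)
    ("validuser", "User-Password", ":=", "validpasswd"),
]
RADREPLY = []       # (username, attribute, op, value); empty as in the thread
RADUSERGROUP = [    # (username, groupname, priority)
    ("validuser", "GROUP1", 1),
]
RADGROUPCHECK = [   # (groupname, attribute, op, value)
    ("GROUP1", "NAS-IP-Address", "==", "192.0.2.1"),
]
RADGROUPREPLY = [   # (groupname, attribute, op, value)
    ("GROUP1", "Service-Type", ":=", "Framed-User"),
]


def paircompare(check_rows, request):
    """Every check item must hold, as on a users-file line.  Only the two
    operators this thread uses are modelled: '==' compares with the request
    attribute; ':=' is a control item (the password) and does not filter."""
    for _, attr, op, value in check_rows:
        if op == "==" and request.get(attr) != value:
            return False
    return True


def process_groups(username, request):
    """Walk the user's groups in priority order and return (found, reply).
    A group with no check rows counts as a match, which is the 'rows == 0'
    rule quoted from rlm_sql_process_groups in this thread; otherwise all of
    the group's check items must hold for its reply rows to be used."""
    found, reply = False, []
    groups = [g for u, g, _ in sorted(RADUSERGROUP, key=lambda r: r[2])
              if u == username]
    for group in groups:
        checks = [r for r in RADGROUPCHECK if r[0] == group]
        if not checks or paircompare(checks, request):
            found = True
            reply += [r for r in RADGROUPREPLY if r[0] == group]
    return found, reply


def sql_authorize(username, request, fixed=False):
    """Return (rcode, reply_rows).

    fixed=False reproduces what the debug output in this thread shows for
    2.0.5: a user found in radcheck yields 'ok' with an empty reply even
    though every group check failed.  fixed=True is the behaviour Ivan and
    Alan describe: a failed group check yields 'notfound'."""
    user_checks = [r for r in RADCHECK if r[0] == username]
    user_found = bool(user_checks) and paircompare(user_checks, request)
    reply = [r for r in RADREPLY if r[0] == username] if user_found else []
    in_groups = any(u == username for u, _, _ in RADUSERGROUP)
    group_found, group_reply = process_groups(username, request)
    reply += group_reply
    if not user_found and not group_found:
        return "notfound", []
    if fixed and in_groups and not group_found:
        return "notfound", []
    return "ok", reply


def unlang_decision(rcode):
    """The unlang Alan suggests after the sql call:  if (notfound) { reject }"""
    return "reject" if rcode == "notfound" else "continue"


if __name__ == "__main__":
    good = {"User-Name": "validuser", "NAS-IP-Address": "192.0.2.1"}
    bad = {"User-Name": "validuser", "NAS-IP-Address": "198.51.100.1"}
    for label, req in (("allowed NAS", good), ("other NAS", bad)):
        for fixed in (False, True):
            rcode, reply = sql_authorize("validuser", req, fixed)
            print(f"{label:12} fixed={fixed!s:5} sql={rcode:8} "
                  f"-> {unlang_decision(rcode):8} reply={reply}")
```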


Re: Logging NAS IP address and supplicant MAC/IP address with subnet in clients.conf

2008-07-15 Thread Ivan Kalik
It's already logged in detail logs.

Ivan Kalik
Kalik Informatika ISP


On 15/7/2008, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> writes:

>Hi, I'm running freeradius-1.1.7.1 and have switched to using a subnet
>for my NAS devices in clients.conf.
>
>Unfortunately, my logs no longer tell me which NAS device a request
>came from and show only the MAC address of the user's laptop.
>
>Is there a way to get the NAS IP address as well in the logs?  Having
>the NAS IP, the user's laptop IP and also MAC address in one line
>would be great.
>Thanks!
>~Matt
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>



Logging NAS IP address and supplicant MAC/IP address with subnet in clients.conf

2008-07-15 Thread lowbassman
Hi, I'm running freeradius-1.1.7.1 and have switched to using a subnet
for my NAS devices in clients.conf.

Unfortunately, my logs no longer tell me which NAS device a request
came from and show only the MAC address of the user's laptop.

Is there a way to get the NAS IP address as well in the logs?  Having
the NAS IP, the user's laptop IP and also MAC address in one line
would be great.
Thanks!
~Matt


Re: Assign Ip-Pool based on NAS-Ip-Address

2008-05-29 Thread Ivan Kalik
Users file:

DEFAULT   NAS-IP-Address == a.b.c.d, Pool-Name := thatNASpool

Ivan Kalik
Kalik Informatika ISP


On 29/5/2008, "Giovanni Lovato" <[EMAIL PROTECTED]> writes:

>Alan DeKok wrote:
>> Giovanni Lovato wrote:
>>> I would like to assign IP addresses from pools based on which NAS the
>>> request comes from. Can I achieve this? Users are stored in LDAP and NAS
>>> on SQL.
>>
>>   See the sqlippool module.
>
>What key on sqippool table should I set to make FR choose a pool based
>on NAS-IP-Address?
> The scenario is:
> 1. a NAS requires access for a user;
> 2. if FR doesn't find a Framed-IP-Address on user attributes, it should
>assign an IP from a pool depending which NAS the request comes from.
> I tried to set `nasipaddress' key on sqippool table but FR seems ignore
>it...
>
>



Re: Assign Ip-Pool based on NAS-Ip-Address

2008-05-29 Thread Alan DeKok
Giovanni Lovato wrote:
> What key on sqippool table should I set to make FR choose a pool based
> on NAS-IP-Address?

  Read the sqlippool.conf file?  This IS documented.

>  The scenario is:
>  1. a NAS requires access for a user;
>  2. if FR doesn't find a Framed-IP-Address on user attributes, it should
> assign an IP from a pool depending which NAS the request comes from.
>  I tried to set `nasipaddress' key on sqippool table but FR seems ignore
> it...

Read the FAQ for "it doesn't work".

  Alan DeKok.


Re: Assign Ip-Pool based on NAS-Ip-Address

2008-05-29 Thread Giovanni Lovato
Alan DeKok wrote:
> Giovanni Lovato wrote:
>> I would like to assign IP addresses from pools based on which NAS the
>> request comes from. Can I achieve this? Users are stored in LDAP and NAS
>> on SQL.
> 
>   See the sqlippool module.

What key on the sqlippool table should I set to make FR choose a pool based
on NAS-IP-Address?
The scenario is:
 1. a NAS requests access for a user;
 2. if FR doesn't find a Framed-IP-Address in the user attributes, it should
    assign an IP from a pool depending on which NAS the request comes from.
I tried to set the `nasipaddress' key on the sqlippool table but FR seems to
ignore it...



Re: Assign Ip-Pool based on NAS-Ip-Address

2008-05-29 Thread Alan DeKok
Giovanni Lovato wrote:
> I would like to assign IP addresses from pools based on which NAS the
> request comes from. Can I achieve this? Users are stored in LDAP and NAS
> on SQL.

  See the sqlippool module.

  Alan DeKok.


Assign Ip-Pool based on NAS-Ip-Address

2008-05-29 Thread Giovanni Lovato
I would like to assign IP addresses from pools based on which NAS the
request comes from. Can I achieve this? Users are stored in LDAP and NAS
on SQL.



Re: Nas IP address in logs

2008-04-23 Thread Sergio Belkin
Thanks Ivan, that I didn't know :) Also, I had disabled accounting; now I
have enabled that and the detailed auth log.

Now I get something as follows in radacct/10.128.255.80/auth-detail-20080423:

Wed Apr 23 14:16:22 2008
	Packet-Type = Access-Request
	User-Name = "quelocoquesoyche"
	NAS-IP-Address = 10.128.255.80
	Called-Station-Id = "005d7edc25de"
	Calling-Station-Id = "005cb37ae2ee"
	NAS-Identifier = "005d7edc25de"
	NAS-Port = 55
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020c0167736965727232
	Message-Authenticator = 0x955e4a648595f3ae5dd7f3486dea99f4

Great!

2008/4/23, Ivan Kalik <[EMAIL PROTECTED]>:
> That will be logged in your accounting log.
>
>
>  Ivan Kalik
>  Kalik Informatika ISP
>
>  On 23/4/2008, "Sergio Belkin" <[EMAIL PROTECTED]> writes:
>
>  >Thanks Ivan,
>  >
>  >I know that :) But I want get IP from NAS's that are behind a
>  >NAT-proxy-firewall server, I want the NAS IP and not the
>  >NAT-proxy-firewall server IP.
>  >
>  >In fact my clients.conf has something as follows:
>  >
>  > client 10.128.255.86 {
>  >   require_message_authenticator = no
>  >   secret = "pepepotamo"
>  >   shortname = "Hormiga"
>  > }
>  > client 10.128.255.87 {
>  >   require_message_authenticator = no
>  >   secret = "pepepotamo2"
>  >   shortname = "Avispa"
>  > }
>  > client 203.221.198.59 {
>  >   require_message_authenticator = no
>  >   secret = "pepepotamo3"
>  >   shortname = "Abeja"
>  >}
>  >-- end of file---
>  >
>  >client with 203.221.198.59 is a remote server (connect to radius via
>  >vpn)  with NAS's "behind".
>  >
>  >If I run in debug mode I can see the "actual" NAS IP can be read,
>  >
>  >For example:
>  >
>  >rad_recv: Access-Request packet from host 203.221.198.59 port 2048,
>  >id=0, length=123
>  >   User-Name = "soyreloco"
>  >   NAS-IP-Address = 192.168.134.210
>  >   Called-Station-Id = "001d7edc2621"
>  >   Calling-Station-Id = "001b63085e39"
>  >   NAS-Identifier = "001d7edc2624"
>  >   NAS-Port = 63
>  >   Framed-MTU = 1400
>  >   NAS-Port-Type = Wireless-802.11
>  >   EAP-Message = 0x020a016c79616972
>  >   Message-Authenticator = 0x951db6ffd60187bc4b6fee7f951feef3
>  >
>  >
>  > is there a way to get such a thing (192.168.134.210 in this case) in
>  >radius logs with radius running in non-debug mode?
>  >
>  >Thanks in advance!
>  >
>  >2008/4/23, Ivan Kalik <[EMAIL PROTECTED]>:
>  >> >From clients.conf:
>  >>
>  >> #  The short name is used as an alias for the fully qualified
>  >> #  domain name, or the IP address.
>  >> #
>  >> shortname   = localhost
>  >>
>  >>  shortname is printed in the log. Put NAS IP there if you want it in
>  >>  radius.log.
>  >>
>  >>  Ivan Kalik
>  >>  Kalik Informatika ISP
>  >>
>  >>
>  >>  On 23/4/2008, "Sergio Belkin" <[EMAIL PROTECTED]> writes:
>  >>
>  >>
>  >>  >Hi, how can I get the "NAS-IP-Address" in radius.log?
>  >>  >
>  >>  >--
>  >>  >--
>  >>  >Open Kairos http://www.openkairos.com
>  >>  >Watch More TV http://sebelk.blogspot.com
>  >>  >Sergio Belkin -
>  >>
>  >> >-
>  >>  >List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>  >>  >
>  >>  >
>  >>
>  >>  -
>
> >>  List info/subscribe/unsubscribe? See 
> >> http://www.freeradius.org/list/usershtml
>  >>
>  >
>  >
>  >--
>
> >--
>  >Open Kairos http://www.openkairos.com
>  >Watch More TV http://sebelk.blogspot.com
>  >Sergio Belkin -
>  >
>  >-
>  >List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>  >
>  >
>
>  -
>  List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>


-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -



Re: Nas IP address in logs

2008-04-23 Thread Ivan Kalik
That will be logged in your accounting log.

Ivan Kalik
Kalik Informatika ISP

On 23/4/2008, "Sergio Belkin" <[EMAIL PROTECTED]> writes:

>Thanks Ivan,
>
>I know that :) But I want get IP from NAS's that are behind a
>NAT-proxy-firewall server, I want the NAS IP and not the
>NAT-proxy-firewall server IP.
>
>In fact my clients.conf has something as follows:
>
> client 10.128.255.86 {
>   require_message_authenticator = no
>   secret = "pepepotamo"
>   shortname = "Hormiga"
> }
> client 10.128.255.87 {
>   require_message_authenticator = no
>   secret = "pepepotamo2"
>   shortname = "Avispa"
> }
> client 203.221.198.59 {
>   require_message_authenticator = no
>   secret = "pepepotamo3"
>   shortname = "Abeja"
>}
>-- end of file---
>
>client with 203.221.198.59 is a remote server (connect to radius via
>vpn)  with NAS's "behind".
>
>If I run in debug mode I can see the "actual" NAS IP can be read,
>
>For example:
>
>rad_recv: Access-Request packet from host 203.221.198.59 port 2048,
>id=0, length=123
>   User-Name = "soyreloco"
>   NAS-IP-Address = 192.168.134.210
>   Called-Station-Id = "001d7edc2621"
>   Calling-Station-Id = "001b63085e39"
>   NAS-Identifier = "001d7edc2624"
>   NAS-Port = 63
>   Framed-MTU = 1400
>   NAS-Port-Type = Wireless-802.11
>   EAP-Message = 0x020a016c79616972
>   Message-Authenticator = 0x951db6ffd60187bc4b6fee7f951feef3
>
>
> is there a way to get such a thing (192.168.134.210 in this case) in
>radius logs with radius running in non-debug mode?
>
>Thanks in advance!
>
>2008/4/23, Ivan Kalik <[EMAIL PROTECTED]>:
>> >From clients.conf:
>>
>> #  The short name is used as an alias for the fully qualified
>>     #  domain name, or the IP address.
>> #
>> shortname   = localhost
>>
>>  shortname is printed in the log. Put NAS IP there if you want it in
>>  radius.log.
>>
>>  Ivan Kalik
>>  Kalik Informatika ISP
>>
>>
>>  On 23/4/2008, "Sergio Belkin" <[EMAIL PROTECTED]> writes:
>>
>>
>>  >Hi, how can I get the "NAS-IP-Address" in radius.log?
>>  >
>>  >--
>>  >--
>>  >Open Kairos http://www.openkairos.com
>>  >Watch More TV http://sebelk.blogspot.com
>>  >Sergio Belkin -
>>
>> >-
>>  >List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>  >
>>  >
>>
>>  -
>>  List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/usershtml
>>
>
>
>-- 
>--
>Open Kairos http://www.openkairos.com
>Watch More TV http://sebelk.blogspot.com
>Sergio Belkin -
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>



Re: Nas IP address in logs

2008-04-23 Thread Sergio Belkin
Thanks Ivan,

I know that :) But I want to get the IP of the NASes that are behind a
NAT-proxy-firewall server; I want the NAS IP and not the
NAT-proxy-firewall server IP.

In fact my clients.conf has something as follows:

client 10.128.255.86 {
        require_message_authenticator = no
        secret = "pepepotamo"
        shortname = "Hormiga"
}
client 10.128.255.87 {
        require_message_authenticator = no
        secret = "pepepotamo2"
        shortname = "Avispa"
}
client 203.221.198.59 {
        require_message_authenticator = no
        secret = "pepepotamo3"
        shortname = "Abeja"
}
-- end of file---

The client with 203.221.198.59 is a remote server (connected to radius via
VPN) with NASes "behind" it.

If I run in debug mode I can see that the "actual" NAS IP can be read.

For example:

rad_recv: Access-Request packet from host 203.221.198.59 port 2048,
id=0, length=123
   User-Name = "soyreloco"
   NAS-IP-Address = 192.168.134.210
   Called-Station-Id = "001d7edc2621"
   Calling-Station-Id = "001b63085e39"
   NAS-Identifier = "001d7edc2624"
   NAS-Port = 63
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020a016c79616972
   Message-Authenticator = 0x951db6ffd60187bc4b6fee7f951feef3


Is there a way to get such a thing (192.168.134.210 in this case) in the
radius logs with radius running in non-debug mode?

Thanks in advance!

2008/4/23, Ivan Kalik <[EMAIL PROTECTED]>:
> >From clients.conf:
>
> #  The short name is used as an alias for the fully qualified
> #  domain name, or the IP address.
> #
> shortname   = localhost
>
>  shortname is printed in the log. Put NAS IP there if you want it in
>  radius.log.
>
>  Ivan Kalik
>  Kalik Informatika ISP
>
>
>  On 23/4/2008, "Sergio Belkin" <[EMAIL PROTECTED]> writes:
>
>
>  >Hi, how can I get the "NAS-IP-Address" in radius.log?
>  >
>  >--
>  >--
>  >Open Kairos http://www.openkairos.com
>  >Watch More TV http://sebelk.blogspot.com
>  >Sergio Belkin -
>
> >-
>  >List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>  >
>  >
>
>  -
>  List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>


-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -

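An added Python example, not FreeRADIUS code, for the logging question in this thread: it parses the detail-file layout shown above (timestamp line, indented attribute lines, blank-line separator), takes the RADIUS client address from the directory the detail module writes into (%{Client-IP-Address} in its detailfile path, as in the debug output earlier on this page) and pairs it with the NAS-IP-Address each Access-Request claims. The sample file and its path are constructed with documentation-range addresses; a client/NAS mismatch is what a NAS behind a NAT or proxy looks like, and also what a spoofed NAS-IP-Address would look like, so it is the row worth reviewing.

```python
"""Added example (not FreeRADIUS code): parse an auth-detail file and report,
per request, which RADIUS client delivered the packet and which NAS-IP-Address
the packet claims.  The client address comes from the directory name, since the
detail module's path contains %{Client-IP-Address}."""
import re
from pathlib import PurePosixPath

# Constructed sample in the layout of a FreeRADIUS detail file: a timestamp
# line, one indented "Attr = value" line per attribute, then a blank line.
# Addresses and names are constructed; the second record mirrors the thread's
# NAT scenario (packet delivered by one host, NAS-IP-Address of another).
SAMPLE_PATH = "/var/log/radius/radacct/203.0.113.59/auth-detail-20080423"
SAMPLE_DETAIL = """\
Wed Apr 23 14:16:22 2008
\tPacket-Type = Access-Request
\tUser-Name = "alice"
\tNAS-IP-Address = 203.0.113.59
\tCalling-Station-Id = "001b63085e39"
\tNAS-Port-Type = Wireless-802.11

Wed Apr 23 14:16:40 2008
\tPacket-Type = Access-Request
\tUser-Name = "bob"
\tNAS-IP-Address = 192.168.134.210
\tNAS-Identifier = "001d7edc2624"
\tCalling-Station-Id = "001b63085e40"
\tNAS-Port-Type = Wireless-802.11

"""

# An attribute line is indented; the timestamp line that opens a record is not.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')


def parse_detail(text):
    """Return one dict per record: the timestamp under '_timestamp' plus every
    attribute.  Quoted string values have their quotes stripped; addresses,
    integers and hex values are kept as written."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = None
            continue
        m = ATTR_RE.match(line)
        if m is None:
            current = {"_timestamp": line.strip()}   # unindented: new record
        elif current is not None:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[m.group(1)] = value
    if current:
        records.append(current)
    return records


def client_ip_from_path(path):
    """The default detailfile path puts %{Client-IP-Address} as the directory
    name, so the delivering client is recoverable from the file location."""
    return PurePosixPath(path).parent.name


def nas_report(path, text):
    """For each Access-Request, pair the delivering client with the NAS the
    packet claims.  behind_client is True when the two differ, which is the
    NAT/proxy case from this thread and also how a spoofed NAS-IP-Address
    from an uncontrolled client would show up."""
    client = client_ip_from_path(path)
    rows = []
    for rec in parse_detail(text):
        if rec.get("Packet-Type") != "Access-Request":
            continue
        nas = rec.get("NAS-IP-Address", "")
        rows.append({
            "time": rec["_timestamp"],
            "user": rec.get("User-Name", ""),
            "client": client,
            "nas_ip": nas,
            "nas_id": rec.get("NAS-Identifier", ""),
            "calling": rec.get("Calling-Station-Id", ""),
            "behind_client": nas != client,
        })
    return rows


if __name__ == "__main__":
    for row in nas_report(SAMPLE_PATH, SAMPLE_DETAIL):
        print("{time}  client={client}  nas={nas_ip}  user={user}  "
              "mac={calling}  behind_client={behind_client}".format(**row))
```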

