Re: NAS IP Address

2011-09-13 Thread 2394263740
Arran,
  
 Yes. You're right. It works. Great!
  
 Thanks!
  
 Tom
   
  
  -- Original --
  From:  a.cudbardba.cudba...@freeradius.org;
 Date:  Tue, Sep 13, 2011 03:56 PM
 To:  23942637402394263...@qq.com; 
 
 Subject:  Re: NAS IP Address

  
Ah you want the attribute Packet-Src-IP-Address 

 -Arran
  On 13 Sep 2011, at 03:55, 2394263740 wrote:

  Arran,
  
 Looks like the email didn't go through somehow.
  
 Please see below email for my question.
  
 Thanks!
  
 Tom
   
  
  -- Original --
  From:  23942637402394263...@qq.com;
 Date:  Tue, Sep 13, 2011 09:28 AM
 To:  freeradius-usersfreeradius-users@lists.freeradius.org; 
 
 Subject:  Re: NAS IP Address

  
 Arran,
  
 Thanks for your help and reply.
  
 %{NAS-IP-Address} doesn't work for this case.
  
 The connection is like below.
  
 Mobile --- WiFi Router --- Internet Gateway (NAT) --- Internet --- FreeRadius 
Server.
  
 The %{NAS-IP-Address} will be the LAN interface IP, such as 192.168.1.1. This 
is not what I need.
  
 I need the IP address with which the FreeRadius Server is communicating. This 
means, when FreeRadius receives the access request, the request IP packet was 
sourced from the Internet Gateway IP address, and this is the IP address I need. 
Inside the access request there is %{NAS-IP-Address}, which is the LAN IP address 
of the WiFi router, so %{NAS-IP-Address} is not the information I need in this case.
  
 Thanks!
  
 Tom
   
  
Re: NAS IP Address

2011-09-12 Thread Arran Cudbard-Bell

On 12 Sep 2011, at 13:58, 2394263740 wrote:

 Hello,
 I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1.
 OS: Linux Enterprise Server 6.1
 Radius: free radius server 2.1.11
 Database: Mysql
  
 The WIFI routers we're using are in different private networks, behind the 
 internet gateways. The WIFI router has private IP address, such as 
 192.168.1.1.
  
 For some reason, we need to know which Internet IP address the WIFI router is 
 using to do the authentication with the FreeRadius server. The FreeRadius server 
 is on internet.
  
 As the business needs, we need to save the IP address (Internet gateway IP 
 address) to MySql database.

edit the queries in

raddb/sql/mysql/dialup.conf

and add the additional columns to the SQL database.

The original IP address of the NAS may be sent in the NAS-IP-Address attribute, 
in which case use the expansion %{NAS-IP-Address} for the value of the new 
column.

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-17 Thread Alan DeKok
Eric Geier wrote:
 I found %{Packet-Src-IP-Address} but when I include this in the
 postauth_query, it doesn't work...the fields are blank in the DB when I view
 it.

  And what does debug log say?

  If Packet-Src-IP-Address doesn't work, odds are you're running 1.x.
Upgrade.

  Alan DeKok.


Re: NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-16 Thread Alan Buxey
Hi,
 Does anyone happen to know if consumer-level Wi-Fi routers typically
 transmit the NAS-IP-Address or NAS-Identifier (or maybe both) in the
 Access-Request?

RFC's say

An Access-Request MUST contain either a NAS-IP-Address attribute or a 
NAS-Identifier
attribute (or both).

so, you will get one or the other (or from good vendors, both!)

if you don't get either then the kit isn't fit for purpose, or valid for anything
(because if they can't follow such a basic RFC requirement then what hope have 
you for anything else to operate correctly on it?)

alan


RE: NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-16 Thread Eric Geier
Thanks, Alan.

Yes I read that in the RFC, but was wondering what vendors usually do,
what's the most typical, etc. I'm also wondering the same about the
Calling-Station-Id and Called-Station-ID. But sounds like those aren't
included very often, completely optional.

But now that I've thought of it, if there isn't a NAS-IP-Address then
authentication wouldn't work, right? Because FR needs to look up the shared
secret based upon the NAS-IP-Address?

- Eric



RE: NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-16 Thread Eric Geier
Understood, thanks!

Can I log the source IP address to the Post-Auth DB table?

Thanks,
Eric


-Original Message-
From: freeradius-users-bounces+me=egeier@lists.freeradius.org
[mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Tuesday, August 16, 2011 10:38 AM
To: FreeRadius users mailing list
Subject: Re: NAS-IP-Address or NAS-Identifier in Access-Request?

Eric Geier wrote:
 Yes I read that in the RFC, but was wondering what vendors usually do, 
 what's the most typical, etc. I'm also wondering the same about the 
 Calling-Station-Id and Called-Station-ID. But sounds like those aren't 
 included very often, completely optional.

  There's no way to know what is typical.  There are many dozens of vendors,
each  of whom has many dozens of products using RADIUS.  Each product may
have dozens of different firmware revisions, each of which behaves slightly
differently.

 But now that I've thought of it, if there isn't a NAS-IP-Address then 
 authentication wouldn't work, right? Cause FR needs to lookup the 
 shared secret based upon the NAS-IP-Address?

  No.  The shared secret is looked up by source IP address.  The
NAS-IP-Address can be anything.  It is pretty much ignored by the core
RADIUS protocol.

  Alan DeKok.


RE: NAS-IP-Address or NAS-Identifier in Access-Request?

2011-08-16 Thread Eric Geier
I found %{Packet-Src-IP-Address} but when I include this in the
postauth_query, it doesn't work...the fields are blank in the DB when I view
it.

How could I log the source IP address of successful authentications?

- Eric



Re: NAS-IP-Address modified during Access-Request process

2009-06-23 Thread kevin leblanc
On Mon, Jun 22, 2009 at 23:08, Ivan Kalik t...@kalik.net wrote:

  I installed freeradius 2 but my problem is still there.
  To remember it :
 
  I configured Freeradius to look in openldap directory to authenticate and
  authorize an user.
  The authentication phase is OK
  During the authorize phase, a ldap search is done : if the user is member
  of
  a group identified by the host ip he wants to connect, the user is
  authorized.
  The problem is here : freeradius receives an Access-Request packet with a
  NAS-IP-Address (the good one) and to search in the ldap, it doesn't send
  the
  ip received in the packet but another one !

 Dynamic expansion for Ldap and SQL-Group doesn't work in users file. I can
 replicate this. But it works in unlang:

 if (Ldap-Group == "%{NAS-IP-Address}") {
     ...
 }

 will work just fine.

 Ivan Kalik
 Kalik Informatika ISP


:) It works fine !

To help users who have the same problem, I put these lines in authorize
section :
if (Ldap-Group == "%{NAS-IP-Address}") {
    ok
}
else {
    reject
}

Thanks !
-- 
KeV

Re: NAS-IP-Address modified during Access-Request process

2009-06-22 Thread kevin leblanc
Hi,

I installed freeradius 2 but my problem is still there.
To remember it :

I configured Freeradius to look in openldap directory to authenticate and
authorize an user.
The authentication phase is OK
During the authorize phase, a ldap search is done : if the user is member of
a group identified by the host ip he wants to connect, the user is
authorized.
The problem is here : freeradius receives an Access-Request packet with a
NAS-IP-Address (the good one) and to search in the ldap, it doesn't send the
ip received in the packet but another one !

Why this attribute is modified ?
Is there any cache (the other ip comes from another equipment) ?

To be precise:
I think there is some cache enabled anywhere (the ip used for ldap filter is
always the one of the first request), is there any way to disable it ?

Before testing, I created the group for IP1 and I added the test user to it.
Test 1:

   - I ran radiusd -X
   - I try to connect with IP 1 => OK
   - I try to connect with IP 2 => OK (not right result because to check the
   membership it's the first IP which is used)


Then, I kill radiusd.
test 2 :

   - I ran radiusd -X
   - I try to connect with IP2 => KO (expected because the group for IP 2
   doesn't exist)
   - I try to connect with IP1 => KO (not expected because the group for IP1
   exists)


To help, the logs :
--
rad_recv: Access-Request packet from host 126.50.0.148 port 1645, id=34,
length=80
NAS-IP-Address = 126.50.0.148
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = testuser
Calling-Station-Id = 126.100.100.6
User-Password = X
+- entering group authorize {...}
++[preprocess] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=example,dc=com -> dc=example,dc=com
[files] expand: (uid=%{User-Name}) -> (uid=testuser)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as ou=radius,ou=applications,dc=example,dc=com/X to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand:
(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:LDAP-UserDn})) ->
(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter
(&(cn=126.50.0.147)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
[ldap] performing user authorization for testuser
[ldap]  expand: (uid=%{User-Name}) -> (uid=testuser)
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by testuser with password azerty12
[ldap] user DN: uid=testuser,uid=test01,ou=users,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: starting TLS
rlm_ldap: bind as
uid=testuser,uid=test01,ou=users,dc=example,dc=com/azerty12 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user testuser authenticated succesfully
++[ldap] returns ok
Login OK: [testuser] (from client petitnom port 1 cli 126.100.100.6)
Sending Access-Accept of id 34 to 126.50.0.148 port 1645
Nokia-IPSO-User-Role = adminRole
Nokia-IPSO-SuperUser-Access = 1
Service-Type = Login-User
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 34 with timestamp +52
Ready to process requests.

--

-- 
KeV

Re: NAS-IP-Address modified during Access-Request process

2009-06-18 Thread Ivan Kalik
 I have a big problem in freeradius installed in version 1.1.4 on RHEL 5,
 and
 today it's the third day i'm looking for a solution :(

Upgrade. This was likely fixed ages ago.

http://wiki.freeradius.org/Red_Hat_FAQ

Ivan Kalik
Kalik Informatika ISP



Re: NAS-IP-Address modified during Access-Request process

2009-06-18 Thread kevin leblanc
thanks for the quick answer :)

Indeed, the version installed is not the last one but the no longer
maintained one
I just did yum install freeradius.

I will fix this right now

Thanks again

-- 
KeV

Re: Nas-Ip-Address attribute and source IP address of UDP datagram.

2009-01-22 Thread tnt
I deal with bad hand-made NAS, which doesn't include Nas-Ip-Address
attribute into the packet.
So I can't distinguish packets from different NAS'es.

Is there a way to add this attribute (with value of source address of
UDP datagram) using standard FreeRadius facilities?

Packet-Src-IP-Address already exists.

Ivan Kalik
Kalik Informatika ISP



Re: Nas-Ip-Address attribute and source IP address of UDP datagram.

2009-01-22 Thread Alan DeKok
Dmitry V. Krivenok wrote:
 I deal with bad hand-made NAS, which doesn't include Nas-Ip-Address
 attribute into the packet.
 So I can't distinguish packets from different NAS'es.

  Look at Packet-Src-IP-Address.  It is a virtual attribute that you
can use in dynamic expansions.

 Is there a way to add this attribute (with value of source address of
 UDP datagram) using standard FreeRadius facilities?
 We don't use proxies, so this solution seems to be correct.

if (!NAS-IP-Address) {
    update request {
        NAS-IP-Address = "%{Packet-Src-IP-Address}"
    }
}

 I'm writing my own rlm and I can implement desired functionality if
 there is no one in FreeRadius.
 The problem lies in that I can't find the address of client in REQUEST
 (i.e.  auth_req) structure.

  request->packet->src_ipaddr.

  Alan Dekok.


Re: Nas-Ip-Address attribute and source IP address of UDP datagram.

2009-01-22 Thread Dmitry V. Krivenok

Alan DeKok wrote:
 Dmitry V. Krivenok wrote:
  I deal with bad hand-made NAS, which doesn't include Nas-Ip-Address
  attribute into the packet.
  So I can't distinguish packets from different NAS'es.

   Look at Packet-Src-IP-Address.  It is a virtual attribute that you
 can use in dynamic expansions.

  Is there a way to add this attribute (with value of source address of
  UDP datagram) using standard FreeRadius facilities?
  We don't use proxies, so this solution seems to be correct.

 if (!NAS-IP-Address) {
     update request {
         NAS-IP-Address = "%{Packet-Src-IP-Address}"
     }
 }

It looks cool.
Where can I use this code?
In authorize section?

  I'm writing my own rlm and I can implement desired functionality if
  there is no one in FreeRadius.
  The problem lies in that I can't find the address of client in REQUEST
  (i.e.  auth_req) structure.

   request->packet->src_ipaddr.

request->client->ipaddr seems to be what I need.
I tested via the following command:
DEBUG("rlm_osb: Source IP address %s.",
      inet_ntoa(request->client->ipaddr.ipaddr.ip4addr));

Is it correct to use request->client->ipaddr instead of
request->packet->src_ipaddr?

   Alan Dekok.


--
Sincerely yours, Dmitry V. Krivenok
Orange System Co., Ltd.
Saint-Petersburg, Russia
work phone: +7 812 332-32-40
cellular phone: +7 921 576-70-91
e-mail: krive...@orangesystem.ru
web: http://www.orangesystem.ru
skype: krivenok_dmitry
jabber: krivenok_dmi...@jabber.ru
icq: 242-526-443



Re: Nas-Ip-Address attribute and source IP address of UDP datagram.

2009-01-22 Thread Alan DeKok
Dmitry V. Krivenok wrote:
 It looks cool.
 Where can I use this code?
 In authorize section?

  Anywhere.

 request->client->ipaddr seems to be what I need.

  It may *not* be the same as request->packet->src_ipaddr.  The client
IP address may be a netmask, and not a /32.

 I tested via the following command:
 DEBUG("rlm_osb: Source IP address %s.",
       inet_ntoa(request->client->ipaddr.ipaddr.ip4addr));
 
 Is it correct to use request->client->ipaddr instead of
 request->packet->src_ipaddr?

  No.

  There's a *reason* I said use request->packet->src_ipaddr.  I'm
curious why you went looking for something else, rather than just use
what I told you.

  Alan DeKok.
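Added example, not code from the list thread or from FreeRADIUS, in Python rather than unlang so it can be run without a server. It ties together three points made in these messages: the shared secret is chosen by the UDP source address of the datagram, not by NAS-IP-Address (Alan DeKok in the 2011 thread above); the matched client entry (request->client->ipaddr) may be a network rather than the /32 that actually sent the packet (request->packet->src_ipaddr); and a NAS that omits NAS-IP-Address can be keyed on the source address instead, which is what the unlang fallback in this thread does. The client table, secrets, addresses, packets and the function names lookup_client, build_access_request, verify_message_authenticator and identify_nas are all constructed here; the Message-Authenticator is computed the way RFC 2869 section 5.14 specifies, so a packet built for one client fails the check when it arrives from a source that maps to a different secret.

```python
# Added example, not code from the list thread or from FreeRADIUS: the server picks
# the shared secret by the datagram's UDP source address, matched against a client
# table whose entries may be networks; NAS-IP-Address is only an attribute the NAS
# chose to send.  Every packet, secret and address below is constructed for the demo.
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 4, 32, 80

CLIENTS = {                                  # shaped like clients.conf entries
    "203.0.113.7/32": b"gw-secret",          # Internet gateway NATing a WiFi router
    "10.20.0.0/16": b"campus-secret",        # a whole range of switches, one secret
}

def lookup_client(src_ip):
    """Longest-prefix match of the source address; None means the server drops it."""
    addr, best = ipaddress.ip_address(src_ip), None
    for net_str, secret in CLIENTS.items():
        net = ipaddress.ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, secret)
    return best

def parse_attrs(payload):
    """Split RFC 2865 TLV attributes into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(payload):
        alen = payload[i + 1] if i + 1 < len(payload) else 0
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((payload[i], payload[i + 2:i + alen]))
        i += alen
    return attrs

def encode_attrs(attrs, zero_ma=False):
    """Serialize pairs; zero_ma blanks Message-Authenticator as the HMAC requires."""
    out = b""
    for atype, value in attrs:
        if zero_ma and atype == MESSAGE_AUTHENTICATOR:
            value = bytes(16)
        out += struct.pack("BB", atype, len(value) + 2) + value
    return out

def build_access_request(ident, authenticator, attrs, secret):
    """Access-Request whose Message-Authenticator is HMAC-MD5(secret, packet with
    the Message-Authenticator value zeroed), per RFC 2869 s5.14."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + encode_attrs(attrs[:-1] + [(MESSAGE_AUTHENTICATOR, mac)])

def verify_message_authenticator(pkt, secret):
    """True only if the Message-Authenticator was computed with this secret."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return False
    attrs = parse_attrs(pkt[20:])
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    expected = hmac.new(secret, pkt[:20] + encode_attrs(attrs, zero_ma=True), hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])

def identify_nas(src_ip, pkt):
    """Client matched by source IP, then, separately, what the NAS asserts inside."""
    client = lookup_client(src_ip)
    if client is None:
        return {"accepted": False, "reason": "source address matches no client"}
    net, secret = client
    if not verify_message_authenticator(pkt, secret):
        return {"accepted": False, "reason": "Message-Authenticator check failed"}
    attrs = parse_attrs(pkt[20:])
    nas_ip = next((str(ipaddress.IPv4Address(v)) for t, v in attrs
                   if t == NAS_IP_ADDRESS and len(v) == 4), None)
    nas_id = next((v.decode("utf-8", "replace") for t, v in attrs if t == NAS_IDENTIFIER), None)
    if nas_ip is None and nas_id is None:
        return {"accepted": False, "reason": "no NAS-IP-Address or NAS-Identifier (RFC 2865 s4.1)"}
    return {"accepted": True,
            "client_match": str(net),        # request->client->ipaddr: may be a whole network
            "packet_src_ip": src_ip,         # request->packet->src_ipaddr: the sending host
            "nas_ip_address": nas_ip,        # the NAS's own claim; often an RFC 1918 LAN address
            "nas_identifier": nas_id,
            "effective_nas_ip": nas_ip or src_ip}  # the unlang fallback from this thread

AUTHENTICATOR = bytes(range(16))  # constructed; a real NAS sends 16 random octets
# WiFi router on 192.168.1.1 behind the NAT gateway 203.0.113.7 (Tom's topology).
NAT_ROUTER_PKT = build_access_request(7, AUTHENTICATOR, [(USER_NAME, b"tom"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.1").packed)], b"gw-secret")
# Hand-made NAS on the campus range that sends NAS-Identifier but no NAS-IP-Address.
HANDMADE_NAS_PKT = build_access_request(8, AUTHENTICATOR,
    [(USER_NAME, b"dmitry"), (NAS_IDENTIFIER, b"lab-nas-1")], b"campus-secret")

if __name__ == "__main__":
    print(identify_nas("203.0.113.7", NAT_ROUTER_PKT))  # nas_ip 192.168.1.1 vs src 203.0.113.7
    print(identify_nas("10.20.5.9", HANDMADE_NAS_PKT))  # effective_nas_ip falls back to the source
    print(identify_nas("10.20.5.9", NAT_ROUTER_PKT))    # wrong secret for that client: rejected
```

For Tom's case the first result is the point: the packet arrives from 203.0.113.7 and is authenticated with that client's secret, while the NAS-IP-Address inside it is the router's 192.168.1.1, so the column he wants filled is the source address, not the attribute. The third call shows why request->client->ipaddr is the wrong thing to log: for a /16 client entry it names the whole network, and the same packet replayed from another host in that range is still rejected only because the Message-Authenticator no longer verifies.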


Re: NAS-IP-Address, rlm_perl, and loopback

2008-08-26 Thread Alan DeKok
Sewell, Adam W wrote:
 Thanks for the help guys, but I don't think that's going to work
 for me. I was doing some testing today and it doesn't seem like
 I can add a filter-id to the access-accept packet from the
 post-auth function.

  Uh... no.  You can add almost anything to the Access-Accept from the
post-auth function.

  What are you trying to do, and how are you trying to do it?

  Alan DeKok.


RE: NAS-IP-Address, rlm_perl, and loopback

2008-08-25 Thread Sewell, Adam W
Thanks for the help guys, but I don't think that's going to work for me. I was 
doing some testing today and it doesn't seem like I can add a filter-id to the 
access-accept packet from the post-auth function. Our switches require that to 
set the policy. Am I missing something here?





Re: NAS-IP-Address, rlm_perl, and loopback

2008-08-22 Thread Alan DeKok
Adam W. Sewell wrote:
 I am using PEAP/MsChapv2.

  Exactly.  There are multiple packet exchanges as part of one PEAP
authentication.

 I am using a perl script to authorize the user access to the network based on 
 some information that is pulled out of a database via our perl script. This 
 part is working ok. What I want to happen is with the NAS-IP-Address being 
 sent back, I can tell the port on the switch (NAS) which policy this person 
 should have. This would work great if I could get some consistent data from 
 the NAS. 

  Then put it in the post-auth section.  In 2.0.5,
raddb/sites-available/default, section post-auth.

 Below are some excerpts from debug log and a log of the variables in 
 RAD_REQUEST for one of our test users. I've looked through the logs and all I 
 can come up with is that it looks like some of the packets are being proxyed 
 even though I have proxy turned off in the radius.conf file and have the 
 proxy.conf file commented out.  

  Which explains what's going on.  PEAP is really two things: an outer
TLS session, and inner EAP-MSCHAPv2 authentication.  So there are *two*
streams of RADIUS packets.  One that sets up the tunnel, and one that
does the authentication inside of the tunnel.

  Alan DeKok.


Re: NAS-IP-Address, rlm_perl, and loopback

2008-08-22 Thread A . L . M . Buxey
Hi,

   Which explains what's going on.  PEAP is really two things: an outer
 TLS session, and inner EAP-MSCHAPv2 authentication.  So there are *two*
 streams of RADIUS packets.  One that sets up the tunnel, and one that
 does the authentication inside of the tunnel.

yep - so if you only want to define a policy after 
successful authentication, you only call the 'perl'
routine in the post-auth section - therefore it
doesn't get called all the time. As Alan pointed out.
You should also ensure that, if this is the case,
you only have the post-auth function defined in the
perl module and in the perl code. no need to have any
other functions enabled.

alan


Re: NAS-IP-Address, rlm_perl, and loopback

2008-08-21 Thread Alan DeKok
Adam W. Sewell wrote:
 I'm having a couple of issues particularly pertaining
 to the NAS-IP-Address variable that is passed from the
 switch. When a client sends the auth-request, we find
 that the authorize function of our perl script is being
 executed multiple times for the same request.

  It's being run once per packet.  Go read the debug output.

 I would think that the authorize function would only be
 called once.

  For PAP, CHAP, and other authentication methods that only use one
round trip.

 This also leads into the second issue I'm having that when
 the perl script does run, it doesn't always pass the same
 data in the NAS-IP-Address variable. Half the time it is the
 correct information and half the time it is 127.0.0.1. 

  Go read the debug output.  The NAS-IP-Address is sent by the NAS.
It's not invented by the server.  There's no magic here.

  If the NAS-IP-Address is different from packet to packet, it's likely
because the NAS is *sending* it differently for each packet.

  If there are multiple packets for one authentication session, it's
because you're doing EAP... which takes multiple round trips.  Again,
read the debugging output to see what's going on.

  Perhaps you could try talking about what you *want* to have happen,
rather than wondering why the server doesn't work the way you expect.
The server is doing exactly the right thing for the authentication
protocol you're using, and is doing exactly what you told it to do.

  Alan DeKok.


RE: NAS-IP-Address, rlm_perl, and loopback

2008-08-21 Thread Adam W. Sewell

  This also leads into the second issue I'm having that when
  the perl script does run, it doesn't always pass the same
  data in the NAS-IP-Address variable. Half the time it is the
  correct information and half the time it is 127.0.0.1.
 
   Go read the debug output.  The NAS-IP-Address is sent by the NAS.
 It's not invented by the server.  There's no magic here.
 
   If the NAS-IP-Address is different from packet to packet, it's likely
 because the NAS is *sending* it differently for each packet.
 
   If there are multiple packets for one authentication session, it's
 because you're doing EAP... which takes multiple round trips.  Again,
 read the debugging output to see what's going on.

I am using PEAP/MsChapv2.

   Perhaps you could try talking about what you *want* to have happen,
 rather than wondering why the server doesn't work the way you expect.
 The server is doing exactly the right thing for the authentication
 protocol you're using, and is doing exactly what you told it to do.

I am using a perl script to authorize the user access to the network based on 
some information that is pulled out of a database via our perl script. This 
part is working ok. What I want to happen is with the NAS-IP-Address being sent 
back, I can tell the port on the switch (NAS) which policy this person should 
have. This would work great if I could get some consistent data from the NAS. 

Below are some excerpts from the debug log and a log of the variables in 
RAD_REQUEST for one of our test users. I've looked through the logs and all I 
can come up with is that it looks like some of the packets are being proxied 
even though I have proxy turned off in the radius.conf file and have the 
proxy.conf file commented out.  

--
Debug: 
--
Thu Aug 21 12:57:15 2008 : rad_recv: Access-Request packet from host 
192.168.0.1:1212, id=248, length=151
Thu Aug 21 12:57:15 2008 :  Message-Authenticator = 
0xd4a6f83dee299957e58e7ad71fb484b6
Thu Aug 21 12:57:15 2008 :  User-Name = test_user
Thu Aug 21 12:57:15 2008 :  NAS-IP-Address = 192.168.0.1
Thu Aug 21 12:57:15 2008 :  NAS-Port = 8
Thu Aug 21 12:57:15 2008 :  NAS-Port-Type = Ethernet
Thu Aug 21 12:57:15 2008 :  Calling-Station-Id = 00-03-25-12-39-09
Thu Aug 21 12:57:15 2008 :  EAP-Message = 0x0201000d016a6d63646f77656c
Thu Aug 21 12:57:15 2008 :  Framed-MTU = 1000
Thu Aug 21 12:57:15 2008 :  Called-Station-Id = 0001F4-7A-06-60\0009
Thu Aug 21 12:57:15 2008 :  NAS-Identifier = BZRBAS_09614_M80
Thu Aug 21 12:57:15 2008 :  NAS-Port-Id = fe.0.8
Thu Aug 21 12:57:15 2008 : Using perl at 0x80116518
Thu Aug 21 12:57:15 2008 : rlm_perl: Added pair Filter-Id = 
Enterasys:version=1:policy=CCP_Student
Thu Aug 21 12:57:15 2008 : rlm_perl: Added pair Cleartext-Password = USERPASS
Thu Aug 21 12:57:15 2008 : rlm_perl: Added pair Auth-Type = EAP
Thu Aug 21 12:57:15 2008 : Sending Access-Challenge of id 248 to 192.168.0.1 
port 1212
Thu Aug 21 12:57:15 2008 :  Filter-Id = 
Enterasys:version=1:policy=CCP_Student
Thu Aug 21 12:57:15 2008 :  EAP-Message = 0x010200061920
Thu Aug 21 12:57:15 2008 :  Message-Authenticator = 
0x
Thu Aug 21 12:57:15 2008 :  State = 0xad137155784feb70aaf74d3c65a9a86e
Thu Aug 21 12:57:15 2008 : rad_recv: Access-Request packet from host 
192.168.0.1:1212, id=249, length=248
Thu Aug 21 12:57:15 2008 :  Message-Authenticator = 
0x07f9f250ad693b0842998be1dda18420
Thu Aug 21 12:57:15 2008 :  User-Name = test_user
Thu Aug 21 12:57:15 2008 :  State = 0xad137155784feb70aaf74d3c65a9a86e
Thu Aug 21 12:57:15 2008 :  NAS-IP-Address = 192.168.0.1
Thu Aug 21 12:57:15 2008 :  NAS-Port = 8
Thu Aug 21 12:57:15 2008 :  NAS-Port-Type = Ethernet
Thu Aug 21 12:57:15 2008 :  Calling-Station-Id = 00-03-25-12-39-09
Thu Aug 21 12:57:15 2008 :  Called-Station-Id = 00-01-F4-7A-06-60
Thu Aug 21 12:57:15 2008 :  Framed-MTU = 1000
Thu Aug 21 12:57:15 2008 :  EAP-Message = 
0x0202005c19001603010051014d030148ad9e3eee721642dca72c79e437cd5e18483257e35b2933d1b1bf7c255d08732600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
Thu Aug 21 12:57:15 2008 :  NAS-Identifier = BZRBAS_09614_M80
Thu Aug 21 12:57:15 2008 :  NAS-Port-Id = fe.0.8
Thu Aug 21 12:57:15 2008 : Using perl at 0x80116518
Thu Aug 21 12:57:15 2008 : rlm_perl: Added pair Filter-Id = 
Enterasys:version=1:policy=CCP_Student
Thu Aug 21 12:57:15 2008 : rlm_perl: Added pair Cleartext-Password = USERPASS
Thu Aug 21 12:57:15 2008 : rlm_perl: Added pair Auth-Type = EAP
Thu Aug 21 12:57:15 2008 : Sending Access-Challenge of id 249 to 192.168.0.1 
port 1212
Thu Aug 21 12:57:15 2008 :  Filter-Id = 
Enterasys:version=1:policy=CCP_Student
Thu Aug 21 12:57:15 2008 :  EAP-Message = 

Re: Nas IP address in logs

2008-04-23 Thread Ivan Kalik
From clients.conf:

#  The short name is used as an alias for the fully qualified
#  domain name, or the IP address.
#
shortname   = localhost

shortname is printed in the log. Put NAS IP there if you want it in
radius.log.

Ivan Kalik
Kalik Informatika ISP


On 23/4/2008, Sergio Belkin [EMAIL PROTECTED] wrote:

Hi, how can I get the NAS-IP-Address in radius.log?

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





Re: Nas IP address in logs

2008-04-23 Thread Sergio Belkin
Thanks Ivan,

I know that :) But I want to get the IP from NASes that are behind a
NAT-proxy-firewall server; I want the NAS IP and not the
NAT-proxy-firewall server IP.

In fact my clients.conf has something as follows:

 client 10.128.255.86 {
   require_message_authenticator = no
   secret = pepepotamo
   shortname = Hormiga
 }
 client 10.128.255.87 {
   require_message_authenticator = no
   secret = pepepotamo2
   shortname = Avispa
 }
 client 203.221.198.59 {
   require_message_authenticator = no
   secret = pepepotamo3
   shortname = Abeja
 }
-- end of file---

The client 203.221.198.59 is a remote server (connected to radius via
VPN) with NASes behind it.

If I run in debug mode I can see that the actual NAS IP can be read.

For example:

rad_recv: Access-Request packet from host 203.221.198.59 port 2048,
id=0, length=123
   User-Name = soyreloco
   NAS-IP-Address = 192.168.134.210
   Called-Station-Id = 001d7edc2621
   Calling-Station-Id = 001b63085e39
   NAS-Identifier = 001d7edc2624
   NAS-Port = 63
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020a016c79616972
   Message-Authenticator = 0x951db6ffd60187bc4b6fee7f951feef3


Is there a way to get such a thing (192.168.134.210 in this case) in
radius logs with radius running in non-debug mode?

Thanks in advance!



Re: Nas IP address in logs

2008-04-23 Thread Ivan Kalik
That will be logged in your accounting log.

Ivan Kalik
Kalik Informatika ISP



Re: Nas IP address in logs

2008-04-23 Thread Sergio Belkin
Thanks Ivan, that I didn't know :) Also, I had disabled accounting; now I
enabled that and the detailed auth log.

Now I get something as follows in radacct/10.128.255.80/auth-detail-20080423 :

Wed Apr 23 14:16:22 2008
Packet-Type = Access-Request
User-Name = quelocoquesoyche
NAS-IP-Address = 10.128.255.80
Called-Station-Id = 005d7edc25de
Calling-Station-Id = 005cb37ae2ee
NAS-Identifier = 005d7edc25de
NAS-Port = 55
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020c0167736965727232
Message-Authenticator = 0x955e4a648595f3ae5dd7f3486dea99f4

Great!

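Reading the detail file Sergio shows above, as an added Python example that is not part of the thread and not FreeRADIUS code: it parses the one-record-per-timestamp layout and uses the directory part of the path (the client address the datagram came from, chosen by the server) to cross-check the NAS-IP-Address the NAS put in the packet. The sample records are constructed from the thread's values plus one invented switch record; real detail files indent attribute lines with a tab and quote string values, which the copy in the thread has lost, so the parser accepts both forms (an assumption). The function names are mine.

```python
import re
from pathlib import PurePosixPath

# One attribute line of a detail file: optional indentation, then "Name = value".
# Real files indent with a tab and quote strings; the thread's copy lost the
# indentation, so both forms are accepted (assumption).
ATTR_RE = re.compile(r"^\s*([\w:.-]+)\s*=\s*(.*?)\s*$")


def parse_detail(text):
    """Split detail-file text into records: a timestamp line followed by
    attribute lines, terminated by a blank line."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None                      # blank line ends the record
            continue
        m = ATTR_RE.match(line)
        if current is not None and m:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]             # drop the quotes around strings
            current["attrs"][m.group(1)] = value
        else:
            current = {"timestamp": line.strip(), "attrs": {}}
            records.append(current)
    return records


def client_ip_from_path(path):
    """radacct/<client-ip>/auth-detail-YYYYMMDD: the directory is the address the
    datagram came from, which the NAS cannot set from inside the packet."""
    return PurePosixPath(path).parent.name


def audit(path, text):
    """Return (timestamp, user, finding) for records whose NAS-IP-Address is
    missing, unset, or different from the source the server actually saw."""
    client = client_ip_from_path(path)
    findings = []
    for rec in parse_detail(text):
        nas = rec["attrs"].get("NAS-IP-Address")
        user = rec["attrs"].get("User-Name", "?")
        if nas is None:
            msg = "NAS-IP-Address missing"
        elif nas == "0.0.0.0":
            msg = "NAS-IP-Address unset (0.0.0.0): the NAS has no source address configured"
        elif nas != client:
            msg = f"NAS-IP-Address {nas} differs from packet source {client} (NAT or proxy in the path)"
        else:
            continue
        findings.append((rec["timestamp"], user, msg))
    return findings


# Constructed sample files keyed by path, one per client directory.
SAMPLE_FILES = {
    "radacct/10.128.255.80/auth-detail-20080423": (
        "Wed Apr 23 14:16:22 2008\n"
        "\tPacket-Type = Access-Request\n"
        '\tUser-Name = "quelocoquesoyche"\n'
        "\tNAS-IP-Address = 10.128.255.80\n"
        "\tNAS-Port = 55\n"
        "\n"
    ),
    "radacct/203.221.198.59/auth-detail-20080423": (
        "Wed Apr 23 14:20:01 2008\n"
        "\tPacket-Type = Access-Request\n"
        '\tUser-Name = "soyreloco"\n'
        "\tNAS-IP-Address = 192.168.134.210\n"
        "\n"
        "Wed Apr 23 14:21:09 2008\n"
        "\tPacket-Type = Access-Request\n"
        '\tUser-Name = "catalyst-test"\n'
        "\tNAS-IP-Address = 0.0.0.0\n"
        "\n"
    ),
}


def audit_all(files=SAMPLE_FILES):
    """Audit every sample file; returns {path: findings}."""
    return {path: audit(path, text) for path, text in files.items()}


if __name__ == "__main__":
    for path, findings in audit_all().items():
        for ts, user, msg in findings:
            print(f"{path}: {ts} {user}: {msg}")
```

The first file produces no findings because the directory and the attribute agree; the second flags the NAT case from Sergio's debug output and a NAS that never set the attribute.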


Re: NAS-IP-Address = 0.0.0.0

2007-10-29 Thread Peter Nixon
On Fri 05 Oct 2007, Walter Gould wrote:
 [EMAIL PROTECTED] wrote:
  You are aware that this is not Cisco technical support?

 Yes - I am...smirk.

  radius server attribute 4 a.b.c.d
 
  Ivan Kalik
  Kalik Informatika ISP

 That didn't seem to work.   For others that may run into this problem,
 this did:

 ip radius source-interface Vlan 1

Great. Please write up a short description of the issue and solution and add 
it to http://wiki.freeradius.org/Cisco

(That's the fee we charge for providing Cisco support..)

Cheers

-- 

Peter Nixon
http://peternixon.net/


Re: NAS-IP-Address = 0.0.0.0

2007-10-07 Thread Giovanni Lovato

Walter Gould wrote:
Please excuse me if this has already been covered in the docs or the FAQ 
(I looked - but nothing jumped out at me).  In accounting packets coming 
from Cisco Catalyst 6513 switches, the NAS-IP-Address = 0.0.0.0.  Does 
anybody know why and if this can be changed?  I have tried modifying the 
aaa accounting commands on the switch, but has not seemed to fix it.  On 
our 3750 series switches, this doesn't happen and the correct switch/NAS 
ip address is listed in the NAS-IP-Address attribute field.


# ip radius source-interface interface

Bye,
G.L.
--
mail: [EMAIL PROTECTED]
web: http://heruan.my.aldu.net



Re: NAS-IP-Address = 0.0.0.0

2007-10-05 Thread Guy Fraser
On Fri, 2007-10-05 at 11:53 -0500, Walter Gould wrote:
 Please excuse me if this has already been covered in the docs or the FAQ 
 (I looked - but nothing jumped out at me).  In accounting packets coming 
 from Cisco Catalyst 6513 switches, the NAS-IP-Address = 0.0.0.0.  Does 
 anybody know why and if this can be changed?  I have tried modifying the 
 aaa accounting commands on the switch, but has not seemed to fix it.  On 
 our 3750 series switches, this doesn't happen and the correct switch/NAS 
 ip address is listed in the NAS-IP-Address attribute field.
 
 Thanks in advance,

Not sure but look into assigning an IP address to Loopback0.




Re: NAS-IP-Address = 0.0.0.0

2007-10-05 Thread tnt
You are aware that this is not Cisco technical support?

radius server attribute 4 a.b.c.d

Ivan Kalik
Kalik Informatika ISP


On 5/10/2007, Walter Gould [EMAIL PROTECTED] wrote:

Please excuse me if this has already been covered in the docs or the FAQ
(I looked - but nothing jumped out at me).  In accounting packets coming
from Cisco Catalyst 6513 switches, the NAS-IP-Address = 0.0.0.0.  Does
anybody know why and if this can be changed?  I have tried modifying the
aaa accounting commands on the switch, but has not seemed to fix it.  On
our 3750 series switches, this doesn't happen and the correct switch/NAS
ip address is listed in the NAS-IP-Address attribute field.

Thanks in advance,

Walter



Re: NAS-IP-Address = 0.0.0.0

2007-10-05 Thread Walter Gould

[EMAIL PROTECTED] wrote:

You are aware that this is not Cisco technical support?

  

Yes - I am...smirk.


radius server attribute 4 a.b.c.d

Ivan Kalik
Kalik Informatika ISP
  
That didn't seem to work.   For others that may run into this problem, 
this did:


ip radius source-interface Vlan 1




Re: NAS-IP-Address - localhost

2007-06-27 Thread Arran Cudbard-Bell
Rascher, Markus wrote:
 Hi All,
 
 I have a problem with the radius-Attribute NAS-IP-ADDRESS.
 I use freeradius with pam_radius and a mysql-DB
 
 If I want to ssh-login on the machine freeradius runs on, the NAS IP is
 127.0.0.1.
 It's correct, but the database does not know 127.0.0.1. It knows the
 real IP and therefore my radcheck stored procedure does not work.
 
 Can someone help? Is there a method to convert the 127.0.0.1 to the real
 ip? Nslookup?
 
 Thanks
 
 Markus
 

Attribute you want is

Packet-Src-IP-Address

Gives you the source IP of the incoming packet.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
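Arran's answer separates what is inside the packet (NAS-IP-Address, attribute 4, filled in by the NAS) from what the server observes about the datagram itself (Packet-Src-IP-Address). As an added Python example that is not part of the thread and not FreeRADIUS code: a minimal RADIUS Access-Request is built, parsed, and its Message-Authenticator is verified with HMAC-MD5 as RFC 2869 specifies, the check that `require_message_authenticator = no` in the clients.conf above switches off. With the check on, a request whose attributes were altered in transit, or that was built with the wrong shared secret, fails verification instead of being processed. The packet, the fixed Request Authenticator, and the secret and addresses are constructed from values in the thread; the function names are mine.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS code and attribute types used here (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS type/length/value triples."""
    out = bytearray()
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long for one AVP")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return bytes(out)


def build_access_request(secret, ident, authenticator, attrs):
    """Constructed Access-Request whose Message-Authenticator is HMAC-MD5 over
    the whole packet with that attribute's 16-byte value zeroed (RFC 2869 5.14)."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac        # the zeroed value is the last 16 bytes


def parse_attrs(packet):
    """Walk the AVPs after the 20-byte header, rejecting malformed lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((typ, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the value zeroed; False if absent or wrong."""
    length = struct.unpack("!H", packet[2:4])[0]
    packet = packet[:length]                # octets beyond Length are ignored
    pos = HEADER_LEN
    for typ, val in parse_attrs(packet):
        if typ == ATTR_MESSAGE_AUTHENTICATOR and len(val) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, val)
        pos += 2 + len(val)
    return False


def describe(packet, packet_src_ip, secret):
    """What the server knows: the datagram source is not inside the packet at
    all; NAS-IP-Address is just attribute 4, whatever the NAS chose to send."""
    attrs = dict(parse_attrs(packet))
    nas_ip = attrs.get(ATTR_NAS_IP_ADDRESS)
    return {
        "packet_src_ip": packet_src_ip,
        "nas_ip_address": socket.inet_ntoa(nas_ip) if nas_ip and len(nas_ip) == 4 else None,
        "nas_identifier": attrs.get(ATTR_NAS_IDENTIFIER, b"").decode("ascii", "replace"),
        "message_authenticator_ok": verify_message_authenticator(packet, secret),
    }


SECRET = b"pepepotamo3"             # shared secret of client Abeja in the thread
AUTHENTICATOR = bytes(range(16))    # fixed so the sample is reproducible; real NASes use 16 random bytes
SAMPLE_PACKET = build_access_request(SECRET, 0, AUTHENTICATOR, [
    (ATTR_USER_NAME, b"soyreloco"),
    (ATTR_NAS_IP_ADDRESS, socket.inet_aton("192.168.134.210")),
    (ATTR_NAS_IDENTIFIER, b"001d7edc2624"),
])

if __name__ == "__main__":
    # The datagram arrived from the VPN endpoint, not from the NAS's own address.
    print(describe(SAMPLE_PACKET, "203.221.198.59", SECRET))
```

Byte offset 25 of the sample lies inside the User-Name value, so flipping it is enough to make verification fail while the packet still parses.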


RE: NAS-IP-Address

2007-03-27 Thread Internet-Wifi Operador

Hi,
Are you using Chillispot or something like that?



Fabián






From: Erico Augusto [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list 
freeradius-users@lists.freeradius.org

To: freeradius-users@lists.freeradius.org
Subject: NAS-IP-Address
Date: Tue, 27 Mar 2007 11:14:19 -0700 (PDT)

Hi,

i) during Authentication phase, NAS-IP-Address attribute is filled with 
correct IP.
During Post-Auth, NAS-IP-Address is filled with loopback 127.0.0.1 Address 
...
Is it possible to send the correct NAS-IP-Address during Post-Auth? How is 
it possible?


Thanks, Erico.







Re: NAS-IP-Address

2007-03-27 Thread Alan DeKok
Erico Augusto wrote:
 Hi,
 
 i) during Authentication phase, NAS-IP-Address attribute is filled with
 correct IP.
 During Post-Auth, NAS-IP-Address is filled with loopback 127.0.0.1
 Address ...

  If that happens, it's because some configuration you added changes it.

  The server doesn't change NAS-IP-Address on the fly like this.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: NAS-IP-Address in mysql

2007-02-14 Thread Dan Mahoney, System Admin
On Thu, 15 Feb 2007, VeNoMouS wrote:

 Hi guys. After doing some tests, I just discovered that I can't have more than
 one NAS-IP-Address in radgroupcheck (it seems to ignore the others). Does
 anyone know of a workaround, as I don't want to use the huntgroup file (makes
 it kind of annoying since I'm doing a web frontend for administration)?

this is getting to be a really common question :)

Yes, you need to embed the nas-ip-address as part of your query (in the 
WHERE clause, the same way as you match the username) so only the matching 
items are returned.

-Dan



 Cheers




--

I can feel it, comin' back again...Like a rolling thunder chasin' the
wind...

-Dan Mahoney, JS, JB  SL, May 10th, 1997, Approx 1AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: NAS-IP-Address in mysql

2007-02-14 Thread Peter Nixon
On Thu 15 Feb 2007 08:09, Dan Mahoney, System Admin wrote:
 On Thu, 15 Feb 2007, VeNoMouS wrote:
  Hi guys. After doing some tests, I just discovered that I can't have more
  than one NAS-IP-Address in radgroupcheck (it seems to ignore the others).
  Does anyone know of a workaround, as I don't want to use the huntgroup
  file (makes it kind of annoying since I'm doing a web frontend for
  administration)?

 this is getting to be a really common question :)

Maybe you should add it to the FAQ on the wiki ;-)

 Yes, you need to embed the nas-ip-address as part of your query (in the
 WHERE clause (same way as you match the username) so only the matching
 items are returned.


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
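Dan's workaround, quoted again by Peter above (put the request's NAS-IP-Address into the WHERE clause of the group check query so that only the matching check items come back), as an added example that is not part of the thread and not the FreeRADIUS SQL module's own code. It models usergroup, radgroupcheck and radgroupreply in an in-memory SQLite database (column set simplified; the rows are constructed, with the NAS addresses taken from the clients.conf earlier on the page) and shows why two NAS-IP-Address rows in one group can never both hold when check items are ANDed, how the filtered query fixes that, and the edge case the filter creates: when no NAS row survives, an empty check list must not match trivially. In FreeRADIUS the query lives in the SQL module configuration and is expanded from `%{NAS-IP-Address}`; this example uses bound parameters instead. The group names and the `authorize` function are assumptions.

```python
import sqlite3


def make_db():
    """In-memory copy of the three tables consulted for group check/reply items."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE usergroup     (username TEXT, groupname TEXT);
        CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
    """)
    # Constructed rows: group "wifi" is allowed from two NASes; "staff" from any.
    conn.executemany("INSERT INTO usergroup VALUES (?, ?)",
                     [("soyreloco", "wifi"), ("admin", "staff")])
    conn.executemany("INSERT INTO radgroupcheck VALUES (?, ?, ?, ?)", [
        ("wifi", "NAS-IP-Address", "==", "10.128.255.86"),
        ("wifi", "NAS-IP-Address", "==", "10.128.255.87"),
    ])
    conn.executemany("INSERT INTO radgroupreply VALUES (?, ?, ?, ?)", [
        ("wifi",  "Framed-Protocol", "=", "PPP"),
        ("wifi",  "Framed-MTU",      "=", "1400"),
        ("staff", "Service-Type",    "=", "Administrative-User"),
    ])
    return conn


def naive_check_items(conn, groupname):
    """The query behind the question: every row of the group comes back. Check
    items are ANDed, so two different NAS-IP-Address values can never both hold."""
    return conn.execute(
        "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ? ORDER BY rowid",
        (groupname,)).fetchall()


def filtered_check_items(conn, groupname, nas_ip):
    """Dan's workaround: the request's NAS-IP-Address goes into the WHERE clause,
    so only the NAS-IP-Address row matching this request (if any) is returned."""
    return conn.execute(
        """SELECT attribute, op, value FROM radgroupcheck
           WHERE groupname = ? AND (attribute <> 'NAS-IP-Address' OR value = ?)
           ORDER BY rowid""",
        (groupname, nas_ip)).fetchall()


def has_nas_restriction(conn, groupname):
    return conn.execute(
        "SELECT 1 FROM radgroupcheck WHERE groupname = ? AND attribute = 'NAS-IP-Address' LIMIT 1",
        (groupname,)).fetchone() is not None


def check_items_match(rows, request):
    """Every check item must hold; only the == operator is modelled here."""
    for attribute, op, value in rows:
        if op != "==":
            raise NotImplementedError(f"operator {op} not modelled")
        if request.get(attribute) != value:
            return False
    return True


def authorize(conn, username, nas_ip):
    """Reply items of the first group whose check items hold for this request, else None."""
    request = {"User-Name": username, "NAS-IP-Address": nas_ip}
    for (groupname,) in conn.execute(
            "SELECT groupname FROM usergroup WHERE username = ? ORDER BY rowid", (username,)):
        rows = filtered_check_items(conn, groupname, nas_ip)
        # Edge case the filter creates: if the group restricts NAS-IP-Address and no
        # row survived, an empty check list would match trivially. Treat the absence
        # of a surviving NAS row as "this NAS is not allowed for this group".
        if has_nas_restriction(conn, groupname) and \
                not any(attr == "NAS-IP-Address" for attr, _, _ in rows):
            continue
        if check_items_match(rows, request):
            return conn.execute(
                "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY rowid",
                (groupname,)).fetchall()
    return None


if __name__ == "__main__":
    db = make_db()
    print("naive query matches:", check_items_match(naive_check_items(db, "wifi"),
                                                    {"NAS-IP-Address": "10.128.255.86"}))
    for nas in ("10.128.255.86", "10.128.255.87", "203.221.198.59"):
        print(nas, "->", authorize(db, "soyreloco", nas))
```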


Re: NAS-IP-address == 10.1.2.0/24 allowed?

2006-01-24 Thread Bjørn Mork
Min Qiu [EMAIL PROTECTED] writes:

 I would like to restrict user login by NAS-IP-address or
 FQDN if possible, so that I can restrict a user to logging in to
 a group of devices.

 user1  Auth-Type := Local, User-Password == sceret, 
NAS-IP-address ==10.1.2.0/24

Using a regexp is just as easy when you just need to restrict it on
the byte boundaries:

 user1  Auth-Type := Local, User-Password == sceret, NAS-IP-address =~ 
^10\.1\.2\.

Hmm, the manual says that the regex operators may only be applied to
string attributes.  But I believe it works on IP addresses too,
doesn't it?

You might want to check out huntgroups in any case.  See doc/README
and the sample raddb/huntgroups file.


Bjørn

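Bjørn's regex against the CIDR match Min Qiu asked for, as an added Python illustration of the matching logic (not FreeRADIUS code; the users file does not run Python). It checks where `^10\.1\.2\.` agrees with 10.1.2.0/24, where it diverges from a prefix that is not on a byte boundary (10.1.2.0/23), and what goes wrong when the anchor is left off. The list of NAS addresses is constructed; the function names are mine.

```python
import ipaddress
import re

# Bjørn's check item as a Python regex: anchored and dot-escaped, so it only
# matches addresses whose first three octets are exactly 10.1.2.
BYTE_BOUNDARY_RE = re.compile(r"^10\.1\.2\.")
# The same pattern without the anchor, shown for contrast.
UNANCHORED_RE = re.compile(r"10\.1\.2\.")

# Constructed NAS addresses covering the interesting cases.
SAMPLE_NAS_IPS = ["10.1.2.1", "10.1.2.254", "10.1.3.1", "10.1.20.5", "110.1.2.3"]


def regex_allows(nas_ip, pattern):
    """Regex decision, as the =~ check item would make it on the string form."""
    return pattern.search(nas_ip) is not None


def cidr_allows(nas_ip, network):
    """True if nas_ip lies inside network; a non-address is refused, not matched.
    strict=False accepts a prefix written with host bits set, as in the question."""
    try:
        return ipaddress.ip_address(nas_ip) in ipaddress.ip_network(network, strict=False)
    except ValueError:
        return False


def disagreements(nas_ips, network, pattern):
    """Addresses where the regex and the CIDR test reach different decisions."""
    return [ip for ip in nas_ips if regex_allows(ip, pattern) != cidr_allows(ip, network)]


if __name__ == "__main__":
    print("/24 vs anchored regex:  ", disagreements(SAMPLE_NAS_IPS, "10.1.2.0/24", BYTE_BOUNDARY_RE))
    print("/23 vs anchored regex:  ", disagreements(SAMPLE_NAS_IPS, "10.1.2.0/23", BYTE_BOUNDARY_RE))
    print("/24 vs unanchored regex:", disagreements(SAMPLE_NAS_IPS, "10.1.2.0/24", UNANCHORED_RE))
```

On the /24 the two decisions agree for every sample address; on the /23 the regex silently drops 10.1.3.1, and without the anchor the regex admits 110.1.2.3, which is outside the prefix.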


Re: nas-ip-address

2005-04-25 Thread Alan DeKok
Moktar KONE [EMAIL PROTECTED] wrote:
 I have a Lucent PortMaster whose internal IP is NATed to a
 public address, but the NAS-IP-address field in the radius accounting packet 
 contains the internal IP and not the NATed public IP address.
 How could I change this?

  attr_rewrite, probably

 how could I change the IP in packets sent to the authentication server to
 a different IP from the ether0 IP address?

  Tell the NAS to use a different IP?

  Alan DeKok.



Re: NAS-IP-Address and Shortname

2004-11-18 Thread Alan DeKok
Nicolas Justin [EMAIL PROTECTED] wrote:
 Can NAS-IP-Address (in huntgroups) be equal to the shortname 
 defined in clients.conf?

  No.

  Alan DeKok.



Re: NAS-IP-Address

2004-06-05 Thread jesk
On Saturday 05 June 2004 15:02, jesk wrote:
 hello,

 I got some problem with NAS-IP-Address. When I'm using the == operator in
 checking the NAS then everything works fine, but when I'm using the opposite
 != then the following default entry is accepted every time, though the
 request comes from the IP from which it shouldn't be accepted


 DEFAULT Auth-Type := Accept,NAS-IP-Address != xxx.xxx.xxx.xxx
 Framed-IP-Address = 255.255.255.254,
 Framed-Protocol = PPP,
 Service-Type = Framed-User

 can somebody help me, why doesn't this work?

 regards,
 christian

hi again,

I have to correct myself, the check item NAS-IP-Address never works :(
I got this DEFAULT entry in the users file; everything else is in SQL.



Re: NAS-IP-Address

2004-06-05 Thread Alan DeKok
jesk [EMAIL PROTECTED] wrote:
  can somebody help me, why doesn't this work?

  Have you tried reading the FAQ?

 I have to correct myself, the check item NAS-IP-Address never works :(

  I don't believe you.  The problem lies elsewhere.

  Alan DeKok.



Re: NAS-IP-Address

2004-06-05 Thread jesk
On Saturday 05 June 2004 17:27, Alan DeKok wrote:
 jesk [EMAIL PROTECTED] wrote:
   can somebody help me, why doesn't this work?

   Have you tried reading the FAQ?

  I have to correct myself, the check item NAS-IP-Address never works :(

   I don't believe you.  The problem lies elsewhere.

   Alan DeKok.


hi alan,

OK, maybe I didn't tell you enough about my setup.

I changed my configuration and put the DEFAULT entry in MySQL.
I have the following in the MySQL radgroupcheck table:
--
| 33 | DEFAULT   | Auth-Type      | := | Accept      |
| 34 | DEFAULT   | NAS-IP-Address | != | 172.20.0.1  |
--
and this in radgroupreply:
--
|  3 | DEFAULT   | Framed-Protocol   | =  | PPP             | 0 |
|  4 | DEFAULT   | Framed-IP-Address | =  | 255.255.255.254 | 0 |
|  5 | DEFAULT   | Service-Type      | =  | Framed-User     | 0 |
|  6 | DEFAULT   | Port-Limit        | =  | 2               | 0 |
--
With this setup I want everyone connecting from clients that are not 
127.20.0.1 to get the default reply items if the user is not found, but 
when a user is not found and is coming from IP 172.20.0.1 I want the 
request to be rejected.
The problem is that with this setting every request coming from 172.20.0.1 is 
rejected.
I don't know how to get around it, please help.

regards,
christian

