Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
Thanks for the reply. I am new to FreeRADIUS and doing analysis on how to remove the identity and password attributes of the LDAP module in radiusd.conf and still be able to authenticate and authorize LDAP users.

Is there any other option/configuration to avoid usernames and plain-text passwords in the ldap module of radiusd.conf for authenticating and authorizing users of the LDAP database?

I tried the EAP-TLS method but didn't get a proper result. Can I use LDAP as the database for the EAP-TLS method? One of the forum answers is no: http://freeradius.1045715.n5.nabble.com/EAP-TLS-LDAP-tt2750042.html#a2750045

I would like to use a certificate (admin) to bind to the LDAP database using FreeRADIUS, because admin has the authority to traverse the LDAP tree. After binding using the certificate I would like to authenticate different users of LDAP using:

  radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.0.0.1 auth testing1

If, as per the replies, only LDAP simple bind is possible, how do I compile OpenLDAP+SASL+FreeRADIUS on Windows only through Cygwin? Or is there any other option? Please advise me if I am wrong.

Waiting for your inputs.

Regards,
Pramod

On Wed, Apr 10, 2013 at 8:34 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> > There are other ways to establish the trust between radiusd and LDAP besides simple binds which do not involve passwords. All of these use SASL in some form. Unfortunately rlm_ldap does not support them. I know Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't know if SASL support was added or not. In any event this is an open source project and if you want this functionality then the usual mantra Patches Welcome applies.
>
> No it wasn't.
>
> -Arran
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
On 19.04.2013 10:35, pramod kulkarni wrote:
> Thanks for the reply. I am new to FreeRADIUS and doing analysis on how to remove the identity and password attributes of the LDAP module in radiusd.conf and still be able to authenticate and authorize LDAP users.

Is that really an issue for you? Set restrictive permissions on the file so that only root and freeradius can read the admin credentials for the LDAP server. And do not let people log in as root. Everyone does that. It works fine.

> Is there any other option/configuration to avoid usernames and plain-text passwords in the ldap module of radiusd.conf for authenticating and authorizing users of the LDAP database?

AFAIK no.

> I tried the EAP-TLS method but didn't get a proper result. Can I use LDAP as the database for the EAP-TLS method? One of the forum answers is no: http://freeradius.1045715.n5.nabble.com/EAP-TLS-LDAP-tt2750042.html#a2750045

That's something else. EAP-TLS is how the user authenticates to the RADIUS server, not how the RADIUS server binds to the LDAP server. BUT you could do EAP-TLS without user/password (for the user) and check the validity of the certificate against an LDAP server that allows retrieving that information anonymously (removing the need to have credentials written in the ldap module). But then it's your LDAP server that can leak information.

> I would like to use a certificate (admin) to bind to the LDAP database using FreeRADIUS, because admin has the authority to traverse the LDAP tree.

Not supported at the moment.

> After binding using the certificate I would like to authenticate different users of LDAP using:
>
>   radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.0.0.1 auth testing1

This will work with radclient, which does PAP. This won't work with wireless clients, which do EAP.

> If, as per the replies, only LDAP simple bind is possible, how do I compile OpenLDAP+SASL+FreeRADIUS on Windows only through Cygwin? Or is there any other option?

If you do PAP and want to authenticate against your LDAP, the only option is simple bind at the moment. As usual, Patches Welcome.

As for compiling on Cygwin, I can't tell you if that's supported or working.

On a final note, people have been using LDAP with credentials in a file for ages. It's down to the security of the server and the filesystem permissions to ensure that only authorized users can access this file.

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
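Olivier's answer relies on filesystem permissions protecting the ldap module's identity/password pair. As an added example (not code from the thread or from FreeRADIUS), here is a small Python audit that walks a raddb directory, finds files carrying an uncommented identity/password setting, and reports those whose mode lets users outside the owner and group read them. The raddb tree it builds is a constructed sample and the bind password in it is a placeholder.

```python
import os
import re
import stat
import tempfile

# An uncommented "identity = ..." or "password = ..." line is where rlm_ldap
# takes its bind credentials from; those files must not be world-readable.
CREDENTIAL_RE = re.compile(r"^\s*(identity|password)\s*=", re.IGNORECASE)


def has_bind_credentials(path):
    """True if the file carries an uncommented identity/password setting."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            code = line.split("#", 1)[0]  # ignore trailing comments
            if CREDENTIAL_RE.match(code):
                return True
    return False


def exposed_mode_bits(path):
    """Permission bits that let 'other' read/write/execute, or the group write."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXO | stat.S_IWGRP)


def audit_raddb(raddb):
    """Walk a raddb tree and return (relative path, octal mode) for every
    credential-bearing file whose permissions are wider than owner+group read."""
    findings = []
    for root, _dirs, files in os.walk(raddb):
        for name in files:
            full = os.path.join(root, name)
            if has_bind_credentials(full) and exposed_mode_bits(full):
                mode = stat.S_IMODE(os.stat(full).st_mode)
                findings.append((os.path.relpath(full, raddb), oct(mode)))
    return sorted(findings)


# Constructed sample module file: the identity/password pair from the thread
# with a placeholder secret.
LDAP_MODULE = (
    "ldap {\n"
    "\tserver = \"ldap.example.org\"\n"
    "\tidentity = \"cn=admin,dc=example,dc=org\"\n"
    "\tpassword = \"PLACEHOLDER-bind-password\"\n"
    "\tbasedn = \"dc=example,dc=org\"\n"
    "}\n"
)


def build_sample_raddb():
    """Create a throwaway raddb with a lax and a tightened copy of modules/ldap."""
    raddb = tempfile.mkdtemp(prefix="raddb-")
    os.makedirs(os.path.join(raddb, "modules"))

    lax = os.path.join(raddb, "modules", "ldap")
    with open(lax, "w", encoding="utf-8") as fh:
        fh.write(LDAP_MODULE)
    os.chmod(lax, 0o644)  # readable by every local user: the exposure Olivier describes

    tight = os.path.join(raddb, "modules", "ldap.tightened")
    with open(tight, "w", encoding="utf-8") as fh:
        fh.write(LDAP_MODULE)
    os.chmod(tight, 0o640)  # owner (root) and group (freeradius) only

    # A world-readable file without bind credentials is not reported.
    top = os.path.join(raddb, "radiusd.conf")
    with open(top, "w", encoding="utf-8") as fh:
        fh.write("$INCLUDE modules/\n")
    os.chmod(top, 0o644)
    return raddb


if __name__ == "__main__":
    for rel, mode in audit_raddb(build_sample_raddb()):
        print(f"{rel}: mode {mode} exposes LDAP bind credentials")
```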
Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
> There are other ways to establish the trust between radiusd and LDAP besides simple binds which do not involve passwords. All of these use SASL in some form. Unfortunately rlm_ldap does not support them. I know Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't know if SASL support was added or not. In any event this is an open source project and if you want this functionality then the usual mantra Patches Welcome applies.

No it wasn't.

-Arran
Re: How to configure Solaris 10 Radius Authentication client.
Alek Barsky wrote:
> There is one problem: the only way I can receive a login shell on this box is if the user already exists.

That's how PAM works. It makes PAM rather a lot less useful. But that's PAM for you.

Alan DeKok.
Re: How to configure Solaris 10 Radius Authentication client.
On Jun 4, 2012, at 2:06 PM, Alek Barsky wrote:
> I need to configure a bunch of Solaris servers to use RADIUS PAM for Authentication/Authorization.

PAM only does authentication. After all, it stands for Pluggable Authentication Modules.

> I followed the instructions in http://freeradius.org/pam_radius_auth/ and was able to configure the Authentication portion of this task. There is one problem: the only way I can receive a login shell on this box is if the user already exists.

That's because in addition to PAM you still need some kind of directory to hold all the other user information like user id, group id, home directory, gecos field and preferred shell. /etc/nsswitch.conf determines where that information can be retrieved from (files, NIS, LDAP, DNS, etc.). I am not aware of a solution that lets you use RADIUS as a directory service for Solaris.

- - Michael
Re: How to configure COA in freeRadius
ulislam.raihan wrote:
> If NAS and Freeradius server is in same PC . Then freeradius will send COA request to NAS in which port?

This is documented. You were told which file to read.

Alan DeKok.
Re: How to configure COA in freeRadius
Hi Alan,

The document says: "The default destination of a CoA packet is the NAS (or client) that sent the original Access-Request or Accounting-Request."

So in the Access-Request it is mentioned as shown below:

  rad_recv: Access-Request packet from host 127.0.0.1 port 57378, id=1, length=59
        User-Name = testing
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 4200
        User-Password = password

But then why is it showing "Unknown destination"? The log from radiusd shows:

  Thu Apr 5 13:49:52 2012 : Info: WARNING: Unknown destination 127.0.0.1:4200 for CoA request.
  Thu Apr 5 13:49:52 2012 : Info: Do CoA Fail handler here

I have checked with the netstat command in the OS that a Java program is listening on port 4200.

Do I have to configure the NAS client IP and port in the home_server section of the originate-coa file?

Thanks for your patience.

Best Regards
Raihan

Alan DeKok-2 wrote:
> ulislam.raihan wrote:
> > If NAS and Freeradius server is in same PC . Then freeradius will send COA request to NAS in which port?
>
> This is documented. You were told which file to read.
>
> Alan DeKok.
Re: How to configure COA in freeRadius
Hi Alan,

Just want to add: the current configuration in the originate-coa file is below. It is the default configuration; I did not change it.

  home_server localhost-coa {
          type = coa

          #
          # Note that a home server of type coa MUST be a real NAS,
          # with an ipaddr or ipv6addr. It CANNOT point to a virtual
          # server.
          #
          ipaddr = 127.0.0.1
          port = 3799

          # This secret SHOULD NOT be the same as the shared
          # secret in a client section.
          secret = testing1234

          # CoA specific parameters. See raddb/proxy.conf for details.
          coa {
                  irt = 2
                  mrt = 16
                  mrc = 5
                  mrd = 30
          }
  }

And in clients.conf I did not enable "# coa_server = coa", because I did not want the FreeRADIUS server to receive the CoA Request. I hope my understanding is right.

Thanks for your patience.

Best Regards
Raihan
Re: How to configure COA in freeRadius
ulislam.raihan wrote:
> Hi Alan,
>
> The document says: "The default destination of a CoA packet is the NAS (or client) that sent the original Access-Request or Accounting-Request."

Yes. To the *IP* of the NAS. But which port?

> So in the Access-Request it is mentioned as shown below:
>
>   rad_recv: Access-Request packet from host 127.0.0.1 port 57378, id=1, length=59
>         User-Name = testing
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 4200

The NAS-Port is *not* the CoA port.

>         User-Password = password
>
> But then why is it showing "Unknown destination"? The log from radiusd shows:
>
>   Thu Apr 5 13:49:52 2012 : Info: WARNING: Unknown destination 127.0.0.1:4200 for CoA request.

Yes... because you didn't configure the shared secret for CoA.

> I have checked with the netstat command in the OS that a Java program is listening on port 4200.

That doesn't matter.

> Do I have to configure the NAS client IP and port in the home_server section of the originate-coa file?

That's what the documentation says.

Alan DeKok.
Re: How to configure COA in freeRadius
Alan DeKok-2 wrote:
> ulislam.raihan wrote:
> > Hi Alan,
> >
> > The document says: "The default destination of a CoA packet is the NAS (or client) that sent the original Access-Request or Accounting-Request."
>
> Yes. To the *IP* of the NAS. But which port?

To Alan: that was my question in the previous mail. So I have to mention the CoA port in the home_server section of the originate-coa file, if my understanding is right.

> > So in the Access-Request it is mentioned as shown below:
> >
> >   rad_recv: Access-Request packet from host 127.0.0.1 port 57378, id=1, length=59
> >         User-Name = testing
> >         NAS-IP-Address = 127.0.0.1
> >         NAS-Port = 4200
>
> The NAS-Port is *not* the CoA port.
>
> >         User-Password = password
> >
> > But then why is it showing "Unknown destination"? The log from radiusd shows:
> >
> >   Thu Apr 5 13:49:52 2012 : Info: WARNING: Unknown destination 127.0.0.1:4200 for CoA request.
>
> Yes... because you didn't configure the shared secret for CoA.

To Alan: where do I configure the secret for CoA? I hope in clients.conf. Then it will look like this:

  client 127.0.0.1 {
          secret = testing123-2
          shortname = private-network-2
          coa_server = localhost-coa
  }

and in originate-coa the configuration will be:

  home_server localhost-coa {
          type = coa

          #
          # Note that a home server of type coa MUST be a real NAS,
          # with an ipaddr or ipv6addr. It CANNOT point to a virtual
          # server.
          #
          ipaddr = 127.0.0.1
          port = 4200

          # This secret SHOULD NOT be the same as the shared
          # secret in a client section.
          secret = testing1234

          # CoA specific parameters. See raddb/proxy.conf for details.
          coa {
                  irt = 2
                  mrt = 16
                  mrc = 5
                  mrd = 30
          }
  }

> > I have checked with the netstat command in the OS that a Java program is listening on port 4200.
>
> That doesn't matter.
>
> > Do I have to configure the NAS client IP and port in the home_server section of the originate-coa file?
>
> That's what the documentation says.
>
> Alan DeKok.

Quoted from: http://freeradius.1045715.n5.nabble.com/How-to-configure-COA-in-freeRadius-tp5620185p5622396.html
Re: How to configure COA in freeRadius
Hi Alan,

That was my question in the second post. So I have to mention the CoA port in the home_server section of the originate-coa file, if my understanding is right.

Where do I configure the secret for CoA? I hope in clients.conf. Then it will look like this:

  client 127.0.0.1 {
          secret = testing123-2
          shortname = private-network-2
          coa_server = localhost-coa
  }

and in originate-coa the configuration will be:

  home_server localhost-coa {
          type = coa

          #
          # Note that a home server of type coa MUST be a real NAS,
          # with an ipaddr or ipv6addr. It CANNOT point to a virtual
          # server.
          #
          ipaddr = 127.0.0.1
          port = 4200

          # This secret SHOULD NOT be the same as the shared
          # secret in a client section.
          secret = testing1234

          # CoA specific parameters. See raddb/proxy.conf for details.
          coa {
                  irt = 2
                  mrt = 16
                  mrc = 5
                  mrd = 30
          }
  }

Thanks again.

Best regards
Raihan
Re: How to configure COA in freeRadius
ulislam.raihan wrote:
> Quoted from: http://freeradius.1045715.n5.nabble.com/How-to-configure-COA-in-freeRadius-tp5620185p5622396.html

If you're going to insist on being obtuse, you can be unsubscribed and banned.

You either didn't read the configuration you posted, or you didn't understand it. You're sending packets to port 4200, but the default configuration uses 3799. Perhaps this could be a problem?

What *additional* documentation do we need to write so that you will understand "destination port" means destination port, and not "magical thing I'm supposed to not touch"?

Alan DeKok.
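Alan's point is that the CoA destination is a UDP port on the NAS (3799 by default) plus a shared secret that both sides must hold. As an added example (not code from the thread or from FreeRADIUS), here is a Python model of the RFC 5176 exchange that the originate-coa home_server drives: it builds a CoA-Request with its Request Authenticator, checks it the way a NAS would with the shared secret, and validates the CoA-ACK/CoA-NAK that comes back. The secret testing1234 is the value from the posted originate-coa file; the packet identifier and session id are constructed.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
COA_DEFAULT_PORT = 3799                       # what the shipped originate-coa uses
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID, ERROR_CAUSE = 1, 4, 44, 101


def encode_attr(attr_type, value):
    """Encode one attribute as Type / Length / Value."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def ipv4_attr(attr_type, dotted):
    """Encode a dotted-quad address attribute such as NAS-IP-Address."""
    return encode_attr(attr_type, bytes(int(o) for o in dotted.split(".")))


def build_coa_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_coa_request(packet, secret):
    """NAS side: recompute the Request Authenticator with its copy of the secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_response(code, request, attrs, secret):
    """NAS reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_coa_response(response, request, secret):
    """Server side: return the response code if it matches our request and secret, else None."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response) or code not in (COA_ACK, COA_NAK):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def parse_attrs(packet):
    """Decode the attribute list into (type, raw value) tuples."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def demo():
    """Run the exchange once with the thread's secret and a constructed session."""
    secret = b"testing1234"                          # from the posted originate-coa file
    request = build_coa_request(7, [
        encode_attr(USER_NAME, "testing"),
        encode_attr(ACCT_SESSION_ID, "0000abcd"),    # constructed session id
        ipv4_attr(NAS_IP_ADDRESS, "127.0.0.1"),
    ], secret)
    # A NAS holding a different secret rejects the request outright.
    assert verify_coa_request(request, secret)
    assert not verify_coa_request(request, b"wrong-secret")
    ack = build_coa_response(COA_ACK, request, [], secret)
    # Error-Cause 503 is "Session Context Not Found" in RFC 5176.
    nak = build_coa_response(COA_NAK, request, [encode_attr(ERROR_CAUSE, 503)], secret)
    return verify_coa_response(ack, request, secret), verify_coa_response(nak, request, secret)


if __name__ == "__main__":
    print("response codes:", demo(), "(sent to UDP port", COA_DEFAULT_PORT, ")")
```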
Re: How to configure COA in freeRadius
Hi Alan,

Thanks for your advice. I was actually confused with "home server": does it refer to a virtual server or a NAS? It's now clear and I have solved the problem: I added the originate-coa file in radiusd.conf. Now FreeRADIUS is sending the request to the port.

Thanks
Raihan
Re: How to configure COA in freeRadius
ulislam.raihan wrote:
> I have put the following CoA list in the authorization section of the default file (the default file is in /etc/freeradius/sites-available) to enable the CoA request:
>
>   update coa {
>           User-Name = "%{User-Name}"
>           Acct-Session-Id = "%{Acct-Session-Id}"
>           NAS-IP-Address = "%{NAS-IP-Address}"
>           Packet-Dst-Port = 4200
>   }
>
> I am sending an Access-Request from my Java program and listening on port 4200. I am getting a successful Access-Accept, but I am not getting any CoA request; instead I have seen the following error:
>
>   Info: WARNING: Unknown destination 127.0.0.1:4200 for CoA request.

Read raddb/sites-available/originate-coa. This is documented.

Alan DeKok.
Re: How to configure COA in freeRadius
Hi Alan,

I must be very dumb... I have read that document several times. But can you clear one thing up for me: for FreeRADIUS to send a CoA request to another client, does one need to configure a virtual server?

Thanks
raihan
Re: How to configure COA in freeRadius
ulislam.raihan wrote:
> I must be very dumb... I have read that document several times. But can you clear one thing up for me: for FreeRADIUS to send a CoA request to another client, does one need to configure a virtual server?

If you're going to use CoA, it would be a good idea to follow the existing examples. Perhaps you could try using the originate-coa example, rather than ignoring it?

Alan DeKok.
Re: How to configure COA in freeRadius
If the NAS and the FreeRADIUS server are on the same PC, then to which port will FreeRADIUS send the CoA request to the NAS?

Thanks
Raihan
Re: How to configure FreeRadius as Captive Portal
On 13/03/12 21:41, Fabricio Flores wrote:
> Hello... I have a question... Which captive portal is the best? I tried to configure CoovaChilli in CentOS and it is very hard to install and configure... Is Grase Hotspot easier?

Grase Hotspot uses Coova Chilli internally, but does the work of setting everything up for you. It uses Debian/Ubuntu based distributions as it makes use of packaging features to do all the hard configuration work. The admin interface is (in my biased opinion) nice and easy to use.

Tim
Re: How to configure FreeRadius as Captive Portal
Hi Tim,

Thanks for your advice. I will try with the Grase Hotspot. It seems very interesting.

Thanks
Raihan
Re: How to configure FreeRadius as Captive Portal
Hello... I have a question... Which captive portal is the best? I tried to configure CoovaChilli in CentOS and it is very hard to install and configure... Is Grase Hotspot easier?

On 13 March 2012 03:42, ulislam.raihan raihan1...@gmail.com wrote:
> Hi Tim,
>
> Thanks for your advice. I will try with the Grase Hotspot. It seems very interesting.
>
> Thanks
> Raihan

--
Fabricio A. Flores G.
Graduate in Systems Engineering
MSN: fabri_flor...@hotmail.com
Google: fabriflor...@gmail.com
Twitter: fabricioflores
Skype: fabriciofloresgallardo
Personal blog: http://fabricioflores.wordpress.com/
Re: How to configure FreeRadius as Captive Portal
> Hi, I am a new person using the FreeRADIUS server. I have a wireless access point with a WPA authentication option. It does not have any support for 802.1X or for configuring a RADIUS server. But I want to implement some central security using a RADIUS server. Is it possible to configure the FreeRADIUS server in such a way that I can set up a captive portal? Any suggestion will be highly appreciated.

yes - but you say you want some central security - and security doesn't go with captive portal so suggest you change the AP to one that can do 802.1X

alan
Re: How to configure FreeRadius as Captive Portal
Hi Alan,

Thanks for your advice. Is it possible to configure the DHCP module in FreeRADIUS in such a way that at first DHCP gives an IP address from one subnet like 192.168.1.X, and afterwards, once authentication is done, DHCP forces a change of the IP address to a different subnet like 192.168.2.X?

I am planning to write a small module in Java. When a device attaches to the Access Point, it will get an IP from 192.168.1.X and all requests from this IP range will go to the Java program. It will get the user name and password from the user and then do the authentication with the RADIUS server. After authentication is done, the DHCP server will change the IP address of that device.

Maybe I am making it more complex.

Thanks
Raihan
Re: How to configure FreeRadius as Captive Portal
On 13/03/12 07:33, ulislam.raihan wrote:
> 192.168.2.X. I am planning to write a small module in Java. When a device attaches to the Access Point, it will get an IP from 192.168.1.X and all requests from this IP range will go to the Java program. It will get the user name and password from the user and then do the authentication with the RADIUS server. After authentication is done, the DHCP server will change the IP address of that device.

Hi Raihan.

I suggest you look at something like Coova Chilli. It uses a RADIUS server to authenticate users, but does the captive portal. You can use any access point with it, and it'll run fine on the same machine as FreeRADIUS. I don't suggest reinventing the wheel if you can avoid it.

If you are totally new to radius/captive portals etc., I suggest checking out the Grase Hotspot project: all you need is a machine with 2 network cards, install a base Debian or Ubuntu distro, and then install the Grase Hotspot packages on top. It'll set up FreeRADIUS for you, with Coova Chilli and a nice admin interface.

Tim

Disclaimer: The Grase Hotspot is my project; there are other hotspot systems out there with FreeRADIUS and Coova Chilli, but some are hard to set up.
Re: How to configure redundant radius?
Christ Schlacta wrote:
> I've got a number of devices all of which only have the option for one radius IP address (not hostname!) to be configured. How can I configure this type of device for failover (and optionally balance)? Is there some PROPER way to do this? Or am I limited to only being able to have one FR server configured for these particular devices?

If the devices only allow one IP for the RADIUS server, you can only have one RADIUS server. You need to make sure the server is running.

See various HA systems for redundancy. But if you have less than 10K users, it's probably not worth it. Just monitor the system to be sure it doesn't go down.

Alan DeKok.
Re: How to configure redundant radius?
I have about 8 users, with on average 2.2 systems per user, for a total of about 20 clients, but I'm setting up redundancy because I've got basically two systems, both of which have fairly low uptime by enterprise standards, and downtime is met with much headache and griping. Is there no other way to coerce these single-IP devices to work with a pair or more of radius servers, or no other way to configure reliable failover?

On 12/30/2011 11:37, Alan DeKok wrote:
> Christ Schlacta wrote:
> > I've got a number of devices all of which only have the option for one radius IP address (not hostname!) to be configured. How can I configure this type of device for failover (and optionally balance)? Is there some PROPER way to do this? Or am I limited to only being able to have one FR server configured for these particular devices?
>
> If the devices only allow one IP for the RADIUS server, you can only have one RADIUS server. You need to make sure the server is running.
>
> See various HA systems for redundancy. But if you have less than 10K users, it's probably not worth it. Just monitor the system to be sure it doesn't go down.
>
> Alan DeKok.
Re: How to configure redundant radius?
hi, you can build an Oracle Solaris cluster (two servers in a cluster with the same IP), or you can use a brodhop device to use one IP for two different servers.

anatolii

30 December 2011, 23:02, from Christ Schlacta li...@aarcane.org:
> I've got a number of devices all of which only have the option for one radius IP address (not hostname!) to be configured. How can I configure this type of device for failover (and optionally balance)? Is there some PROPER way to do this? Or am I limited to only being able to have one FR server configured for these particular devices?
Re: How to configure redundant radius?
Christ Schlacta wrote:
> I have about 8 users, with on average 2.2 systems per user, for a total of about 20 clients, but I'm setting up redundancy because I've got basically two systems, both of which have fairly low uptime by enterprise standards, and downtime is met with much headache and griping.

Maybe you should concentrate on fixing those systems rather than trying to add complexity.

> Is there no other way to coerce these single-IP devices to work with a pair or more of radius servers, or no other way to configure reliable failover?

Magic.

Alan DeKok.
Re: How to configure proxy server to send a copy of acct to remote/home server
Have you got this configuration? How have you done it?

I can't get accounting data to sync to the remote server with the same set of information (acctstarttime and acctstoptime have different times; I think this is because each server takes its local time at the moment it receives the packets).

Any idea?
Re: How to configure radius based on the isakmp group profile
You're assuming FreeRADIUS will magically strip off the 'isakmp-group-id=' part of the value... AVPairs are Cisco's own invention; they are not part of the RADIUS standard.

It's difficult to do because the order of AVPairs sometimes changes and the == operator will only check the first instance of the attribute. If you care about it being reliable between Cisco NAS upgrades, upgrade to 3.0x and I'll send you some unlang policies that deal with Cisco-AVPairs properly. If you don't, you can use the following...

  authorize {
          # Comment out files
          # files

          # Insert at the end of the authorize section
          update request {
                  Auth-Type := "%{control:Auth-Type}"
          }
  }

  post-auth {
          # Add files.authorize
          files.authorize
  }

In the users file change

  Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == "CiscoGroup"

to

  Auth-Type == ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == "isakmp-group-id=CiscoGroup"

-Arran

On 27 Jul 2011, at 09:52, Jevos, Peter wrote:
> Hi,
>
> My Cisco sends to radius its IP address and isakmp-group-id (or profile name). Debug from radius -X:
>
>         Cisco-AVPair = isakmp-group-id=CiscoGroup
>         Acct-Session-Id = 61286
>         User-Name = domain\\user
>         Cisco-AVPair = connect-progress=No Progress
>         Acct-Authentic = Local
>         Acct-Status-Type = Start
>         NAS-Port-Type = Virtual
>         NAS-Port = 20
>         NAS-IP-Address = 10.1.1.1
>
> How should I configure FreeRADIUS to accept requests for this group (isakmp-group-id=CiscoGroup) only for users that are authenticated against Auth-Type := ntlm_auth_vpn_osw (already used and working)? However, other groups (or profiles) should be authenticated against Auth-Type := vpn_auth_name.
>
> I tried these settings in the users file but it doesn't work:
>
>   DEFAULT Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == "CiscoGroup"
>           Service-Type = Framed-User,
>           Framed-Protocol = PPP,
>
>   DEFAULT Auth-Type := vpn_auth_name
>           Service-Type = Framed-User,
>           Framed-Protocol = PPP,
>
> Thanks
> pet

Arran Cudbard-Bell a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
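Arran's caveat is that a users-file `==` compares only the first instance of an attribute, and the order of Cisco-AVPair instances is not stable. As an added example (not code from the thread or from FreeRADIUS), here is a Python model of the two matching strategies over the debug output Peter posted: a first-instance comparison like the users file, and a scan of every Cisco-AVPair that parses the key=value form. The attribute list is reconstructed from the post; select_auth_type is a hypothetical policy function implementing the rule Peter described, and reordered() fabricates the attribute order a NAS might send.

```python
# Attribute list reconstructed from the radiusd -X output in Peter's post.
# Order is kept because a request may carry several Cisco-AVPair instances.
SAMPLE_REQUEST = [
    ("Cisco-AVPair", "isakmp-group-id=CiscoGroup"),
    ("Acct-Session-Id", "61286"),
    ("User-Name", "domain\\user"),
    ("Cisco-AVPair", "connect-progress=No Progress"),
    ("Acct-Authentic", "Local"),
    ("Acct-Status-Type", "Start"),
    ("NAS-Port-Type", "Virtual"),
    ("NAS-Port", "20"),
    ("NAS-IP-Address", "10.1.1.1"),
]


def first_value(request, name):
    """Value of the first instance of an attribute, or None if absent."""
    for attr, value in request:
        if attr == name:
            return value
    return None


def users_file_match(request, name, wanted):
    """Model of a users-file `Attr == value` check item: only the first instance
    of the attribute is compared, so a reordered request can stop matching."""
    return first_value(request, name) == wanted


def avpairs(request):
    """Parse every Cisco-AVPair into a key -> value dict; the first occurrence of a
    key wins and entries without '=' are skipped. This is what a policy that walks
    all instances of the attribute sees, whatever order the NAS used."""
    parsed = {}
    for attr, value in request:
        if attr != "Cisco-AVPair" or "=" not in value:
            continue
        key, val = value.split("=", 1)
        parsed.setdefault(key.strip(), val.strip())
    return parsed


def select_auth_type(request):
    """Hypothetical policy for the rule in the thread: requests from NAS 10.1.1.1
    carrying isakmp-group-id=CiscoGroup get ntlm_auth_vpn_osw, all others vpn_auth_name."""
    if (first_value(request, "NAS-IP-Address") == "10.1.1.1"
            and avpairs(request).get("isakmp-group-id") == "CiscoGroup"):
        return "ntlm_auth_vpn_osw"
    return "vpn_auth_name"


def reordered(request):
    """The same attributes with the Cisco-AVPair instances in the opposite order,
    so connect-progress comes first (constructed to show the first-instance problem)."""
    cisco = [pair for pair in request if pair[0] == "Cisco-AVPair"]
    others = [pair for pair in request if pair[0] != "Cisco-AVPair"]
    return list(reversed(cisco)) + others


if __name__ == "__main__":
    for req in (SAMPLE_REQUEST, reordered(SAMPLE_REQUEST)):
        print("users-file == match:",
              users_file_match(req, "Cisco-AVPair", "isakmp-group-id=CiscoGroup"),
              "| parsed group:", avpairs(req).get("isakmp-group-id"),
              "| Auth-Type:", select_auth_type(req))
```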
Re: How to configure freeradius client?
Meyer Jerome wrote:
> # radiusd -v

What about radiusd -X, as suggested in the FAQ, README, man page, web pages, and daily on this list?

> radclient: no response from server for ID 120 socket 3
>
> 1) I don't know what the NAS-IP-Address is.
> 2) I can't find any proper document about "how to configure the client".

See raddb/clients.conf.

> 3) How should I configure the client? Should some daemon be started?

This is documented.

Alan DeKok.
Re: How to configure freeradius client?
On Fri, May 6, 2011 at 5:01 PM, Meyer Jerome jerome.me...@iwbtelekom.ch wrote:
> Thanks for the reply!
>
> > Meyer Jerome wrote:
> > > # radiusd -v
> >
> > What about radiusd -X, as suggested in the FAQ, README, man page, web pages, and daily on this list?
>
> Should the client start the radiusd daemon too?
>
> > > radclient: no response from server for ID 120 socket 3
> > >
> > > 1) I don't know what the NAS-IP-Address is.
> > > 2) I can't find any proper document about "how to configure the client".
> >
> > See raddb/clients.conf.
>
> This file is on the server to check which clients will be connected! Is it on the client too? Because the client should connect to the server and not the reverse!
>
> > > 3) How should I configure the client? Should some daemon be started?
> >
> > This is documented.
>
> You mean on the man pages?
>
> > Alan DeKok.
>
> Jérôme Meyer

Jérôme,

Please, before Alan freaks out :-), read the documentation (the wiki is a nice place to start). The things you're saying clearly show that you don't understand the concept at all.

Kind regards
Y
Re: How to configure freeradius client?
On Fri, May 6, 2011 at 10:01 PM, Meyer Jerome jerome.me...@iwbtelekom.ch wrote:
> Should the client start the radiusd daemon too?
>
> > > radclient: no response from server for ID 120 socket 3
> > >
> > > 1) I don't know what the NAS-IP-Address is.
> > > 2) I can't find any proper document about "how to configure the client".
> >
> > See raddb/clients.conf.
>
> This file is on the server to check which clients will be connected! Is it on the client too? Because the client should connect to the server and not the reverse!

Let's try a different approach, to see if you can understand this better.

You said you use FreeRADIUS to authenticate some "Network Equipment, like routers, switches, etc.. and all run well!". So I assume you KNOW what to do when you need to add a new router/switch/whatever to use radius authentication, right? One of the process steps includes configuring FreeRADIUS to recognize the new switch/whatever as a valid radius client (i.e. NAS).

From the FreeRADIUS perspective, the radtest program (or whatever mechanism your Nagios will use to test radius functionality) is just another NAS. And you need to configure the server to recognize the new NAS just like you usually do if you add another switch/whatever.

Does this make sense so far?

--
Fajar
Re: How to configure proxy server to send a copy of acct to remote/home server
Difan Zhao wrote:
I configured my switch to send accounting information to the proxy server. The proxy server is using MySQL to store the acct info. This part works fine too. However I'm requested to also send a copy of the acct info to the remote server...
Configure the proxy to proxy the accounting packets. Also configure it to store packets locally.
I'm still checking my switch (Cisco) and see if it can send two copies of acct info to two different servers at the same time. However, is it possible to make FreeRadius automatically forward a copy to the remote server??
Yes.
Alan DeKok.
Re: how to configure a proxy radius server but the username doesn't have any realm ?
freddychu wrote:
Hi, I want to configure a proxy radius server and the username doesn't have any realm, just like 'tom'. So I configure realm NULL section in proxy.conf file, but it doesn't work. The error message in the radiusd terminal when the radius server received the accounting message:
Proxying request 0 to home server 218.83.175.155 port 1813
The message can't be proxied to myProxyPool_1. I don't understand why the home server became 218.83.175.155.
The server does not invent random IP addresses for home servers. If that IP address shows up, it is because you put it into a configuration file. Go find that address, and fix the configuration.
Alan DeKok.
RE: how to configure Cisco vpn clients against freeradius
ntlm_auth2 = /usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-853024553-185696384-3473746203-512
Err... no. That won't work.
But the vpn cisco clients are authenticated through domainname\username and password
Then you don't need to edit the mschap configuration.
Is this ntlm_auth2 in the mschap ok? Or should I remove --domain=%{%{mschap:NT-Domain}:}?
Delete the ntlm_auth2 line from the mschap config. It does nothing.
I also changed users to:
DEFAULT Auth-Type := ntlm_auth2, Huntgroup-Name == vpn
That should work.
Alan DeKok.
Hello Alan,
One more question. Why should I delete the ntlm_auth2 line from the mschap file? I thought that it is necessary. I have an ntlm_auth file and an ntlm_auth2 file (with the different commands), but only one command ntlm_auth in the mschap file. What is the connection between the command in the modules/ntlm_authx file, and the command ntlm_auth in the mschap?
Thanks
pet
Re: how to configure Cisco vpn clients against freeradius
Jevos, Peter wrote:
One more question. Why should I delete the ntlm_auth2 line from the mschap file?
Does the mschap module documentation/comments say it will understand an ntlm_auth2 line?
I thought that it is necessary. I have an ntlm_auth file and an ntlm_auth2 file (with the different commands), but only one command ntlm_auth in the mschap file.
Did you read my previous message explaining why you didn't need an ntlm_auth2 configuration for mschap?
What is the connection between the command in the modules/ntlm_authx file, and the command ntlm_auth in the mschap?
Nothing.
Alan DeKok.
RE: how to configure Cisco vpn clients against freeradius
Jevos, Peter wrote:
Thank you for your answer, but I don't understand
The documentation debug mode is clear. Do you have a *specific* question?
I took it from the mailing list: http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-February/msg00046.html
I see. You'll believe some random post on the list, but not the documentation, debug mode, or the main author?
I'd like to authenticate all cisco vpn clients that match the proper domain name and password. I already have the ntlm_auth command, but I don't know what the Users file should look like
You were told what the users file should look like. The Auth-Type text goes on the FIRST line of the entry. See man users, and the examples in the default users file. NONE of the examples in the default users file have Auth-Type on the second line of an entry.
Alan DeKok.
-
Dear Alan,
thank you for your answer. Actually debug says:
Unknown value ntlm_auth2 for attribute Auth-Type
I've changed it as you advised and I put the Auth-Type in the first place. However in the man page there is no example of how to use Auth-Type and Huntgroup together. So my config is:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
ntlm_auth2 = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of='DOMAIN+vpn users'
And the users file is:
user Auth-Type := ntlm_auth
	Service-Type = NAS-Prompt-User,
	cisco-avpair = shell:priv-lvl=15
DEFAULT Auth-Type := ntlm_auth2
	Huntgroup-Name == vpn
Of course, I would prefer a direct post of how it should look, because the documentation lacks examples and the only source is examples from the mailing list. Please, does anybody have an example of how to combine two ntlm_auth?
Thanks a lot
pet
Re: how to configure Cisco vpn clients against freeradius
Jevos, Peter wrote:
Actually debug says:
Unknown value ntlm_auth2 for attribute Auth-Type
Which means you didn't list ntlm_auth2 in the authenticate section.
I've changed it as you advised and I put the Auth-Type in the first place. However in the man page there is no example of how to use Auth-Type and Huntgroup together.
No. There's no documentation on how to use Filter-Id and User-Name together, either. Documenting all possible combinations of all attributes would require thousands of pages of text. Instead, the *concepts* are documented, and it is expected that people understand, and apply those concepts.
DEFAULT Auth-Type := ntlm_auth2
	Huntgroup-Name == vpn
Were you told to move the Huntgroup-Name line? No. So why did you move it?
Of course, I would prefer a direct post of how it should look, because the documentation lacks examples and the only source is examples from the mailing list.
No. It doesn't help anyone to give you the exact solution. Doing that would mean that you don't need to think for yourself.
Please, does anybody have an example of how to combine two ntlm_auth?
Configure ntlm_auth. Then, duplicate/edit the configuration, including all references to ntlm_auth, for the ntlm_auth2 module.
Alan DeKok.
RE: how to configure Cisco vpn clients against freeradius
Dear Alan,
thank you, I'm moving slowly forward :)
So now, I have created a second ntlm_auth2 file in the modules directory, with this command:
exec ntlm_auth2 {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-853024553-185696384-3473746203-512"
}
I also added the new authentication method ntlm_auth2 into sites-available/inner-tunnel and default.
I tested with radtest USER PASSWORD localhost 0 testing123 and the test passed :)
So I have created another line in the modules/mschap that looks like:
ntlm_auth2 = /usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-853024553-185696384-3473746203-512
But the vpn cisco clients are authenticated through domainname\username and password. Is this ntlm_auth2 in the mschap ok? Or should I remove --domain=%{%{mschap:NT-Domain}:}?
I also changed users to:
DEFAULT Auth-Type := ntlm_auth2, Huntgroup-Name == vpn
Thanks
pet
Re: how to configure Cisco vpn clients against freeradius
Jevos, Peter wrote:
So now, I have created a second ntlm_auth2 file in the modules directory, with this command:
Good.
I also added the new authentication method ntlm_auth2 into sites-available/inner-tunnel and default.
Good.
I tested with radtest USER PASSWORD localhost 0 testing123 and the test passed :)
Very good!
So I have created another line in the modules/mschap that looks like:
ntlm_auth2 = /usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-853024553-185696384-3473746203-512
Err... no. That won't work.
But the vpn cisco clients are authenticated through domainname\username and password
Then you don't need to edit the mschap configuration.
Is this ntlm_auth2 in the mschap ok? Or should I remove --domain=%{%{mschap:NT-Domain}:}?
Delete the ntlm_auth2 line from the mschap config. It does nothing.
I also changed users to:
DEFAULT Auth-Type := ntlm_auth2, Huntgroup-Name == vpn
That should work.
Alan DeKok.
RE: how to configure Cisco vpn clients against freeradius
Err... no. That won't work.
But the vpn cisco clients are authenticated through domainname\username and password
Then you don't need to edit the mschap configuration.
Is this ntlm_auth2 in the mschap ok? Or should I remove --domain=%{%{mschap:NT-Domain}:}?
Delete the ntlm_auth2 line from the mschap config. It does nothing.
I also changed users to:
DEFAULT Auth-Type := ntlm_auth2, Huntgroup-Name == vpn
That should work.
Dear Alan
Yes, it's working, but I had to change the users file, because it always fell into ntlm_auth2 when I wanted to authenticate with my username. Now it looks like:
DEFAULT Auth-Type := ntlm_auth2, Huntgroup-Name == vpn
	Fall-Through = Yes
username Auth-Type := ntlm_auth
	Service-Type = NAS-Prompt-User,
	cisco-avpair = shell:priv-lvl=15
And this works, but only with one domain. I need to check how it works with more domains.
Bye for now, thanks a lot, I will let you know
Pet
Re: how to configure Cisco vpn clients against freeradius
Jevos, Peter wrote:
user Auth-Type := ntlm_auth
	Service-Type = NAS-Prompt-User,
	cisco-avpair = shell:priv-lvl=15
...
And I added these lines into the users file:
DEFAULT Huntgroup-Name == vpn
	Auth-Type := ntlm_auth2
What is Auth-Type on the first line for user, and on the second for DEFAULT? See man users
Run the server in debugging mode. It WILL complain about the Auth-Type being on the second line.
Alan DeKok.
RE: how to configure Cisco vpn clients against freeradius
Jevos, Peter wrote:
user Auth-Type := ntlm_auth
	Service-Type = NAS-Prompt-User,
	cisco-avpair = shell:priv-lvl=15
...
And I added these lines into the users file:
DEFAULT Huntgroup-Name == vpn
	Auth-Type := ntlm_auth2
What is Auth-Type on the first line for user, and on the second for DEFAULT? See man users
Run the server in debugging mode. It WILL complain about the Auth-Type being on the second line.
Alan DeKok.
-
Hi Alan
Thank you for your answer, but I don't understand. I took it from the mailing list: http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-February/msg00046.html
I'd like to authenticate all cisco vpn clients that match the proper domain name and password. I already have the ntlm_auth command, but I don't know what the Users file should look like. My ntlm_auth is:
ntlm_auth2 = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain:} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of='SOMEDOMAIN+domain users'
I'm using ntlm_auth2 because ntlm_auth is already used (for the router access).
Thanks
pet
Re: how to configure Cisco vpn clients against freeradius
Jevos, Peter wrote:
Thank you for your answer, but I don't understand
The documentation debug mode is clear. Do you have a *specific* question?
I took it from the mailing list: http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-February/msg00046.html
I see. You'll believe some random post on the list, but not the documentation, debug mode, or the main author?
I'd like to authenticate all cisco vpn clients that match the proper domain name and password. I already have the ntlm_auth command, but I don't know what the Users file should look like
You were told what the users file should look like. The Auth-Type text goes on the FIRST line of the entry. See man users, and the examples in the default users file. NONE of the examples in the default users file have Auth-Type on the second line of an entry.
Alan DeKok.
Re: How to configure radius for EAP-AKA authentication
you_shunxing wrote:
I would like to test EAP-AKA authentication. So, how to configure radius server for EAP-AKA authentication?
If you look at the configuration, you will see it doesn't support AKA. There's a patch somewhere for this functionality, but it's based on an old version of the server.
Alan DeKok.
Re: How to configure EAP PEAPv0/EAP-MSCHAPv2 in freeradius 2.10 Ubuntu linux 9.04
Dilip Patel wrote:
I am using FreeRADIUS Version 2.1.0 in Ubuntu linux 9.04.
Don't. Install 2.1.8. See: http://wiki.freeradius.org/Build#Building_Debian_packages
How do I configure Free Radius to use EAP PEAPv0/EAP-MSCHAPv2?
Install 2.1.8. Add a user/password in the users file. Then, as root do:
$ freeradiusd -X (or radiusd -X)
Try PEAP. It will work.
See also my web site: http://deployingradius.com/ for more detailed instructions on getting EAP methods to work.
Alan DeKok.
Re: How to configure EAP PEAPv0/EAP-MSCHAPv2 in freeradius 2.10,
Thanks Alan for your suggestion. I tried to install freeradius 2.1.8, but ran into the following error:
patel...@pateldil-desktop:~/freeradius-server-2.1.8[17:00:07]$ sudo dpkg -i ../freeradius_2.1.8+git_amd64.deb
Selecting previously deselected package freeradius.
(Reading database ... 179982 files and directories currently installed.)
Unpacking freeradius (from .../freeradius_2.1.8+git_amd64.deb) ...
dpkg: dependency problems prevent configuration of freeradius:
 freeradius depends on libfreeradius2 (= 2.1.8+git); however:
  Version of libfreeradius2 on system is 2.1.0+dfsg-0ubuntu4.1.
dpkg: error processing freeradius (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 freeradius
Can't figure out an easy way to install libfreeradius2 (= 2.1.8+git). Anyways, thanks for your suggestion.
Re: How to configure EAP PEAPv0/EAP-MSCHAPv2 in freeradius 2.10,
On Thu, Feb 18, 2010 at 5:04 AM, Dilip Patel dilip.pa...@hp.com wrote:
patel...@pateldil-desktop:~/freeradius-server-2.1.8[17:00:07]$ sudo dpkg -i ../freeradius_2.1.8+git_amd64.deb
dpkg: dependency problems prevent configuration of freeradius:
 freeradius depends on libfreeradius2 (= 2.1.8+git); however:
  Version of libfreeradius2 on system is 2.1.0+dfsg-0ubuntu4.1.
Can't figure out an easy way to install libfreeradius2 (= 2.1.8+git).
The error pretty much speaks for itself. Update libfreeradius2 as well. It should be available from wherever you got freeradius_2.1.8+git_amd64.deb from.
-- Fajar
Re: how to configure realm in freeradius
sample configurations for realm in freeradius 2.1.6
See proxy.conf.
Ivan Kalik
Re: How to configure Wrong Message-Authenticator in Free-radius server response
Venseen wrote:
Hi, I have to insert a cooked Message-Authenticator in a Free-radius server Message,
You will need to edit the source code to do this. FreeRADIUS does *not* generate invalid Message-Authenticators.
Alan DeKok.
Re: How to configure 2 wimax qos profiles for the user in users file
I am trying to configure two wimax qos profiles for a single user, one for uplink and another for downlink. If I configure the same attribute two times, in the Access-Accept message only the first configured wimax attribute value is sent; it does not send the same attribute again with the different value. Is there any way to do this and make it work?
http://wiki.freeradius.org/Operators
+=
Ivan Kalik
Kalik Informatika ISP
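Two points from the users-file discussions above are easy to get wrong: Auth-Type is a check item and belongs on the first line of an entry (the Cisco VPN thread), and a reply attribute needs the += operator to carry two values (the WiMAX reply). The linter and matcher below is an added example, not code from the list or from FreeRADIUS; it parses a constructed users file, flags Auth-Type on a reply line, and walks entries in file order honouring Fall-Through, using a placeholder attribute name WiMAX-Example-QoS.

```python
"""Parse FreeRADIUS-style 'users' entries, lint them, and resolve a request.

Added example, not code from the thread or from FreeRADIUS. Entries are split
into check items (first line) and reply items (indented lines); resolve()
walks them in file order, stopping at the first match unless Fall-Through = Yes.
"""
import re
from dataclasses import dataclass, field

# Constructed sample users file; WiMAX-Example-QoS is a placeholder name.
SAMPLE = """\
# constructed sample, not the poster's real file
DEFAULT Auth-Type := ntlm_auth2, Huntgroup-Name == vpn
\tFall-Through = Yes

bob Auth-Type := ntlm_auth
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "shell:priv-lvl=15"

wimax-user Cleartext-Password := "secret"
\tWiMAX-Example-QoS += "uplink",
\tWiMAX-Example-QoS += "downlink"

# wrong: Auth-Type belongs on the first line
DEFAULT Huntgroup-Name == vpn
\tAuth-Type := ntlm_auth2
"""

# attribute, operator (longest first so ':=' is not split), bare or quoted value
_ITEM = re.compile(
    r'([\w-]+)\s*(:=|\+=|==|!=|=~|!~|<=|>=|=|<|>)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')


@dataclass
class Entry:
    name: str
    line_no: int
    check: list = field(default_factory=list)  # (attr, op, value) from line 1
    reply: list = field(default_factory=list)  # (attr, op, value) from indented lines


def _items(text):
    return [(a, op, v.strip('"')) for a, op, v in _ITEM.findall(text)]


def parse_users(text):
    """An entry starts in column 0; indented lines carry its reply items."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()  # naive: '#' inside a value is unsupported
        if not line.strip():
            continue
        if raw[0] in ' \t':
            if not entries:
                raise ValueError(f'line {no}: reply items before any entry')
            entries[-1].reply.extend(_items(line))
        else:
            parts = line.split(None, 1)
            entries.append(Entry(parts[0], no, _items(parts[1] if len(parts) > 1 else '')))
    return entries


def lint(entries):
    """Flag Auth-Type on a reply line: it is a check item and must be on line 1."""
    return [f'line {e.line_no} ({e.name}): Auth-Type must be on the first line'
            for e in entries if any(a == 'Auth-Type' for a, _, _ in e.reply)]


def resolve(entries, request):
    """Return (control, reply) for a request dict such as {'User-Name': 'bob'}.

    control holds ':=' check items (e.g. Auth-Type); reply maps attribute ->
    list of values: '=' adds if absent, ':=' replaces, '+=' appends (which is
    why '+=' is needed to send two values of the same attribute).
    """
    control, reply = {}, {}
    for e in entries:
        if e.name not in ('DEFAULT', request.get('User-Name')):
            continue
        if any(op == '==' and request.get(a) != v for a, op, v in e.check):
            continue
        if any(op == '!=' and request.get(a) == v for a, op, v in e.check):
            continue
        for a, op, v in e.check:
            if op == ':=':
                control[a] = v
        fall_through = False
        for a, op, v in e.reply:
            if a == 'Fall-Through':
                fall_through = v.lower() == 'yes'
            elif op == '+=':
                reply.setdefault(a, []).append(v)
            elif op == ':=':
                reply[a] = [v]
            elif op == '=':
                reply.setdefault(a, [v])
        if not fall_through:
            break
    return control, reply


if __name__ == '__main__':
    parsed = parse_users(SAMPLE)
    for problem in lint(parsed):
        print(problem)
    print('bob  ', resolve(parsed, {'User-Name': 'bob', 'Huntgroup-Name': 'vpn'}))
    print('alice', resolve(parsed, {'User-Name': 'alice', 'Huntgroup-Name': 'vpn'}))
    print('wimax', resolve(parsed, {'User-Name': 'wimax-user'}))
```

Changing the two += lines to = in the sample reproduces the symptom from the question: only the first value survives.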
Re: How to configure RADIUS on 2 IP address Server
Pongsak Tawankanjanachot wrote:
I started installing, setting, running ./radiusd -X with default configuration.
No. You've configured the server to proxy requests to itself. This is wrong.
Sending Access-Accept of id 102 to 192.168.2.45 port 36272
Framed-MTU = 1400
NAS-IP-Address = 192.168.25.77
NAS-Port = 15
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Accept packet from host 192.168.2.45 port 1812, id=102, length=38
You have configured it to proxy requests to itself. Don't do that.
My question is why the Access-Accept is to 192.168.2.45 (it should be 192.168.25.254?)
Because:
1) you have 2 interfaces
2) you haven't used the listen type = proxy configuration to set the proxying IP address
3) you haven't enabled UDPFROMTO in configure
4) the OS picks a source IP address
and, you've configured the server to proxy requests to itself. Don't do that.
radiusd: Opening IP addresses and Ports
Listening on authentication address 192.168.25.254 port 1812
Listening on accounting address 192.168.25.254 port 1813
Listening on proxy address 192.168.25.254 port 1814
Ready to process requests.
Seems like RADIUS is listening on 192.168.25.254. :D
Yes...
== On Server terminal, I test with radtest test test localhost 0 testing123
Sending Access-Request of id 103 to 127.0.0.1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
/There is no response at all/
Do you understand what IP addresses are? The server is listening on 192.168.25.254, while you're sending packets to 127.0.0.1. And you're *surprised* that the server doesn't respond? Why?
It replies!! Seems like it is listening at eth0 192.168.25.254 BUT when I use RTRadPing Test Utility from local computer-WinXP SP3 (192.168.25.142) asking Authentication Request to 192.168.25.254 RTRadPing says no response from server, timeout.
Look at the DEBUG output of the SERVER, not the client.
What should I do next?? Can somebody suggest me? I think this is just the first step, then I need to install OpenSSL and test... a long way to go..
I would stop trying to configure the server, and start by understanding how networks work.
Alan DeKok.
Re: How to configure FreeRadius so that clients don't have to be changed?
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentication without the need to change anything on client PCs (because we have so many clients that this would be too much work). Is that possible?
No. It's like asking "how do I make the PC be a web server... but I don't want to install a web server". You have to configure WLAN authentication on the clients in order for WLAN authentication to work.
Alan DeKok.
Re: How to configure FreeRadius so that clients don't have to be changed?
Alan DeKok-4 wrote:
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentication without the need to change anything on client PCs (because we have so many clients that this would be too much work). Is that possible?
No. It's like asking "how do I make the PC be a web server... but I don't want to install a web server". You have to configure WLAN authentication on the clients in order for WLAN authentication to work.
Alan DeKok.
And is it possible to do this automatically via remote or something else?
Re: How to configure FreeRadius so that clients don't have to be changed?
DaSilva wrote:
And is it possible to do this automatically via remote or something else?
Is it possible to remotely install programs, and edit registry entries on the PC? In some cases, yes. But this has nothing to do with FreeRADIUS.
Alan DeKok.
Re: How to configure FreeRadius so that clients don't have to be changed?
I take it that you mean, is it possible to make it transparent to the user, in which case the answer is yes. Depending on your access points, you may be able to do MAC address authentication, which anyone will tell you is insanely insecure, but it prevents people from driving up and accessing your network (unless they are technically inclined to use a packet capturing program and spoof a MAC address). So insecure, yes. But practical so long as you don't have a bunch of crackers living around wherever you are setting up authentication. Mac OS X as well as many Linux distros have 802.1x authentication/WPA enterprise built in, so it is not much of a problem. I'm not sure about the current state of Windows in this department (haven't used it in a while... could someone chime in)
On Wed, Jul 16, 2008 at 12:37 PM, DaSilva [EMAIL PROTECTED] wrote:
Alan DeKok-4 wrote:
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentication without the need to change anything on client PCs (because we have so many clients that this would be too much work). Is that possible?
No. It's like asking "how do I make the PC be a web server... but I don't want to install a web server". You have to configure WLAN authentication on the clients in order for WLAN authentication to work.
Alan DeKok.
And is it possible to do this automatically via remote or something else?
Re: How to configure FreeRadius so that clients don't have to be changed?
On Wed, Jul 16, 2008 at 12:37 PM, DaSilva [EMAIL PROTECTED] wrote:
Alan DeKok-4 wrote:
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentication without the need to change anything on client PCs (because we have so many clients that this would be too much work). Is that possible?
No. It's like asking "how do I make the PC be a web server... but I don't want to install a web server". You have to configure WLAN authentication on the clients in order for WLAN authentication to work.
Alan DeKok.
And is it possible to do this automatically via remote or something else?
I believe you misunderstood me. We have many APs which all have their own access list, MAC addresses etc. and we want to use a RADIUS server to do this for all APs. So that we have a global station where we can change something for all APs in our AD. I don't mean authentication via WPA and TLS or something like this. So how can I do this or where can I find a tutorial / howto for this?
RE: How to configure FreeRadius so that clients don't have to be changed?
On Wed, Jul 16, 2008 at 12:37 PM, DaSilva [EMAIL PROTECTED] wrote:
Alan DeKok-4 wrote:
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentication without the need to change anything on client PCs (because we have so many clients that this would be too much work). Is that possible?
No. It's like asking "how do I make the PC be a web server... but I don't want to install a web server". You have to configure WLAN authentication on the clients in order for WLAN authentication to work.
Alan DeKok.
And is it possible to do this automatically via remote or something else?
I believe you misunderstood me. We have many APs which all have their own access list, MAC addresses etc. and we want to use a RADIUS server to do this for all APs. So that we have a global station where we can change something for all APs in our AD. I don't mean authentication via WPA and TLS or something like this. So how can I do this or where can I find a tutorial / howto for this?
--
Just another option, and this may be a useless suggestion, but I'll throw it out there anyway. Some APs support a "walled garden" feature which ignores the original request and forces the client to a login page (like at airports, $tarbucks etc). Once the client goes there and enters their credentials, RADIUS is used to authenticate them, and they are allowed or denied at that time. It allows you to deploy one configuration to all your points, and use a RADIUS backend (and AD, mysql, text files, whatever you use to drive that) to centralize configuration at that point. The glitch is, you have to have APs that support walled garden, but if you do, it's handy.
That said, it sounds like you are already using access lists with MAC addresses for authentication, so the security problems that Alan DeKok noted are already present in your system and MAC authentication might be what you want after all.
Re: How to configure FreeRadius so that clients don't have to be changed?
In your AP user manual. You will still need to set up the radius secret, switch from local to radius authentication etc. on every AP. It can be done remotely (telnet, ssh, some even have web control panels).
Ivan Kalik
Kalik Informatika ISP
On 16/7/2008, DaSilva [EMAIL PROTECTED] wrote:
On Wed, Jul 16, 2008 at 12:37 PM, DaSilva [EMAIL PROTECTED] wrote:
Alan DeKok-4 wrote:
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentication without the need to change anything on client PCs (because we have so many clients that this would be too much work). Is that possible?
No. It's like asking "how do I make the PC be a web server... but I don't want to install a web server". You have to configure WLAN authentication on the clients in order for WLAN authentication to work.
Alan DeKok.
And is it possible to do this automatically via remote or something else?
I believe you misunderstood me. We have many APs which all have their own access list, MAC addresses etc. and we want to use a RADIUS server to do this for all APs. So that we have a global station where we can change something for all APs in our AD. I don't mean authentication via WPA and TLS or something like this. So how can I do this or where can I find a tutorial / howto for this?
Re: How to configure FreeRadius so that clients don't have to be changed?
DaSilva wrote:
I believe you misunderstood me. We have many APs which all have their own access list, MAC addresses etc. and we want to use a RADIUS server to do this for all APs.
This is called MAC address authentication, not WLAN authentication.
So that we have a global station where we can change something for all APs in our AD. I don't mean authentication via WPA and TLS or something like this. So how can I do this or where can I find a tutorial / howto for this?
Put the MAC addresses into a database, just like user names and passwords. There's no need for a howto.
Alan DeKok.
Re: How to configure radius server
On 15.07.2008 at 08:37, Sandeep wrote:
Hi, all members of free radius.. I installed Fedora 9 and want to make a radius server but I am new in this field. Is anybody able to help me to do this? First of all please provide me step-by-step tutorials so that I can read it and install and configure my server, with testing.
I am not sure that step-by-step tutorials exist, especially as you do not state in which context you want to use freeradius. See the general documentation at http://wiki.freeradius.org . See the comments in the default configuration files, especially radiusd.conf
PLEASE HELP ME
You do not need to shout; it will not bring you more help.
Sandeep rohilla
Have a nice day!
Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: How to configure radius server
http://wiki.freeradius.org/HOWTO
http://www.google.com
It also depends on what you want to bind with freeradius and what auth. mechanism you want to use. Just use uncle google ;]
On 15 Jul 2008 06:37:18 -, Sandeep [EMAIL PROTECTED] wrote:
Hi, all members of free radius.. I installed Fedora 9 and want to make a radius server but I am new in this field. Is anybody able to help me to do this? First of all please provide me step-by-step tutorials so that I can read it and install and configure my server, with testing. PLEASE HELP ME
Sandeep rohilla
-- Maciej Drobniuch
Re: How to configure radius server
Start by reading the README files included with the server. There is one for every module.

Installation: http://wiki.freeradius.org/Build

Ivan Kalik
Kalik Informatika ISP

On 15/7/2008, Sandeep [EMAIL PROTECTED] wrote:
> Hi, all members of free radius.. I install fras fedora9 and want to make radius server but I am new in this field. Is anybody able to help me to do this? First of all please provide me step-by-step tutorials so that I can read it and install and configure my server .. with testing PLEASE HELP ME
> Sandeep rohilla
Re: How to configure RADIUS server to test EAP-SIM
Hi,

I have gone through the document that you have sent and understood a few things; still one doubt is there. In my above mail, in the users file I have the following line:

eapsim  Auth-Type := EAP, EAP-Type := SIM

Will you please tell me what this "eapsim" stands for? I mean, in my case, whether I should use the IMSI number or something else instead of eapsim.

-Raghu.

On 12/11/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> http://wiki.freeradius.org/index.php/Rlm_eap
>
> Configure clients.conf and users file. EAP-SIM will work with default radiusd and eap settings.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 11/12/2007, Raghavendra. S [EMAIL PROTECTED] wrote:
>> Hi All, I want to use RADIUS server to test EAP-SIM. I would like to know how to configure eap.conf, users, radiusd.conf and clients.conf to support EAP-SIM. Also please let me know if I have to configure some more files. Actually I want to test wpa supplicant for EAP-SIM. So I need to configure RADIUS server. I am working on snapshot of freeradius, that is freeradius-snapshot-20051130. radiusd(after) version-1.1.0.
>> --
>> Regards Thanks
>> Raghavendra. S

--
Regards Thanks
Raghavendra. S
Re: How to configure RADIUS server to test EAP-SIM
Hi,

I added the following lines in eap.conf inside the eap block:

sim {
}

I added the following lines to the users file:

eapsim  Auth-Type := EAP, EAP-Type := SIM
        EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234,
        EAP-Sim-SRES1 = 0x1234abcd,
        EAP-Sim-KC1 = 0x0011223344556677,
        EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a,
        EAP-Sim-SRES2 = 0x234abcd1,
        EAP-Sim-KC2 = 0x1021324354657687,
        EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab,
        EAP-Sim-SRES3 = 0x34abcd12,
        EAP-Sim-KC3 = 0x30415263748596a7

In src/tests/eapsim-03 there is one extra parameter, Autz-Type:=EAP, for which I am getting some error while enabling radiusd. So I removed Autz-Type:=EAP from the first line. Is that OK? I want to know how I can get the above hex values.

On 12/11/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Raghavendra. S wrote:
>> I want to use RADIUS server to test EAP-SIM. I would like to know how to configure eap.conf, users, radiusd.conf and clients.conf to support EAP-SIM. Also please let me know if I have to configure some more files.
>
> Look in src/tests/eapsim*
>
>> Actually I want to test wpa supplicant for EAP-SIM. So I need to configure RADIUS server. I am working on snapshot of freeradius, that is freeradius-snapshot-20051130. radiusd(after) version-1.1.0.
>
> Why would you ever use a version of the server that is more than two years old?
>
> Alan DeKok.

--
Regards Thanks
Raghavendra. S
Re: How to configure freeradius to support, EAP-TTLS, CHAP/PAP
Raghavendra. S wrote:
> I was able to get authenticated using radius server for EAP-TTLS/EAP-MD5, by having following configuration ... Modified users file as below
> raghu User-Password == whatever

Use Clear-text-Password := ... It's in the FAQ.

> Modified clients.conf as
> 10.89.49.1 {

That won't work. It's not the documented format.

> Can anybody tell me how to support, EAP-TTLS, CHAP/PAP... I mean second level protocol inside TTLS should be chap/pap/mschap/mschapv2.

Nothing more needs to be done. All you have to do is test it, and it will work.

Alan DeKok.
Re: How to configure RADIUS server to test EAP-SIM
Raghavendra. S wrote:
> I want to use RADIUS server to test EAP-SIM. I would like to know how to configure eap.conf, users, radiusd.conf and clients.conf to support EAP-SIM. Also please let me know if I have to configure some more files.

Look in src/tests/eapsim*

> Actually I want to test wpa supplicant for EAP-SIM. So I need to configure RADIUS server. I am working on snapshot of freeradius, that is freeradius-snapshot-20051130. radiusd(after) version-1.1.0.

Why would you ever use a version of the server that is more than two years old?

Alan DeKok.
Re: How to configure RADIUS server to test EAP-SIM
http://wiki.freeradius.org/index.php/Rlm_eap

Configure clients.conf and users file. EAP-SIM will work with default radiusd and eap settings.

Ivan Kalik
Kalik Informatika ISP

On 11/12/2007, Raghavendra. S [EMAIL PROTECTED] wrote:
> Hi All, I want to use RADIUS server to test EAP-SIM. I would like to know how to configure eap.conf, users, radiusd.conf and clients.conf to support EAP-SIM. Also please let me know if I have to configure some more files. Actually I want to test wpa supplicant for EAP-SIM. So I need to configure RADIUS server. I am working on snapshot of freeradius, that is freeradius-snapshot-20051130. radiusd(after) version-1.1.0.
> --
> Regards Thanks
> Raghavendra. S
Re: How to configure EAP Identity in 1.1.3
Govardhana K N wrote:
> If that is the case, how can I add the WiMAX support in Free Radius?

Send a patch, or pay someone to do the work.

> What are the changes I should make in order to have WiMAX support?

Read the WiMAX specifications, and read the code to FreeRADIUS. Do the work to figure out what has to be done. So far, no one has done that, so there's no WiMAX support.

Alan DeKok.
Re: How to configure EAP Identity in 1.1.3
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module eap returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 60 to 127.0.0.1 port 32825
        CUI = jrccui
        Class = 0x6a7263636c617373
        State = 0x6a72637374617465
        Framed-MTU = 1400
        Framed-IP-Address = 1.2.3.4
        Service-Type = Framed-User
        Session-Timeout = 30
        MS-MPPE-Send-Key = 0x6a72636d736b
        MS-MPPE-Recv-Key = 0x6a7263726563766d736b
        AAA-Session-Id = jrcmultisessionid
        HA-IP-MIP4 = 1.1.1.1
        DHCPv4-Server = 2.2.2.2
        MN-HA-MIP4-KEY = jrcmipkey
        MN-HA-MIP4-SPI = jrcmipspi
        DHCP-RK = jrcdhcprk
        DHCP-RK-KEY-ID = jrcdhcpkey
        DHCP-RK-LIFETIME = 20
        EAP-Message = 0x01d300160410e0ccb378852f7a673815379d2f819db1
        Message-Authenticator = 0x
        State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=61, length=155
        User-Name = jrc
        User-Password = jrc
        NAS-Identifier = jrcnas
        NAS-Port-Type = Ethernet
        CUI = 0
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = 1:1:1:1:1:1
        Message-Authenticator = 0x8dc52d59961b5eb7d8789f7cb4dbea5a
        State = 0x6a72637374617465
        State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
        EAP-Message = 0x02d300160410d3ab9cde585da0c10b343d38433fa0db

Something is wrong with your client. There are two State entries in this reply. The one that doesn't match the Challenge is breaking the EAP conversation.

Ivan Kalik
Kalik Informatika ISP
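Ivan's diagnosis rests on reading the raw attribute list rather than a name-to-value map: a second State attribute only shows up if duplicates are kept. The following Python snippet is an added example, not code from the thread and not FreeRADIUS code. It encodes a minimal Access-Request (RFC 2865 header plus type/length/value attributes), verifies the RFC 2869 Message-Authenticator (HMAC-MD5 over the packet with that attribute's value zeroed), and checks that an EAP continuation echoes exactly one State matching the Access-Challenge. The two State values are the ones in the log above; the shared secret, the Request Authenticator and the User-Name are constructed for the example.

```python
import hashlib
import hmac
import struct

# RFC 2865 / RFC 2869 attribute type numbers used below
ATTR_USER_NAME = 1
ATTR_STATE = 24
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
CODE_ACCESS_REQUEST = 1


def build_packet(code, ident, authenticator, attrs, secret=None):
    """Encode a RADIUS packet: 20-byte header followed by TLV attributes.
    With a secret, a Message-Authenticator (RFC 2869) is appended, computed as
    HMAC-MD5 over the whole packet with that attribute's value zeroed."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def parse_attributes(pkt):
    """Return attributes as (type, value, offset) tuples in wire order.
    Duplicates are kept on purpose: a dict keyed by type would hide exactly
    the second State attribute that breaks the EAP conversation."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[off + 2:off + l], off))
        off += l
    return attrs


def verify_message_authenticator(pkt, secret):
    """True if the packet carries exactly one 16-byte Message-Authenticator
    equal to HMAC-MD5(secret, packet with that value zeroed)."""
    mas = [(v, off) for t, v, off in parse_attributes(pkt)
           if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        return False
    value, off = mas[0]
    zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def check_state(request_pkt, challenge_state):
    """(ok, reason) for an Access-Request continuing an EAP exchange: it must
    echo exactly one State, and it must be the one from the Access-Challenge."""
    states = [v for t, v, _ in parse_attributes(request_pkt) if t == ATTR_STATE]
    if not states:
        return False, "no State attribute"
    if len(states) > 1:
        return False, "%d State attributes present; only one is allowed" % len(states)
    if states[0] != challenge_state:
        return False, "State does not match the Access-Challenge"
    return True, "ok"


# Constructed sample data; the two State values are taken from the log above.
SECRET = b"testing123"                    # constructed shared secret
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed, a real client uses random bytes
CHALLENGE_STATE = bytes.fromhex("8343fbb52835fa0fb7fb84cab7f7a0db")
STALE_STATE = bytes.fromhex("6a72637374617465")
EAP_RESPONSE = bytes.fromhex("02d300160410d3ab9cde585da0c10b343d38433fa0db")

BAD_REQUEST = build_packet(CODE_ACCESS_REQUEST, 61, REQUEST_AUTHENTICATOR, [
    (ATTR_USER_NAME, b"jrc"),
    (ATTR_STATE, STALE_STATE),       # leftover from an earlier exchange
    (ATTR_STATE, CHALLENGE_STATE),   # the one the server actually issued
    (ATTR_EAP_MESSAGE, EAP_RESPONSE),
], SECRET)

GOOD_REQUEST = build_packet(CODE_ACCESS_REQUEST, 61, REQUEST_AUTHENTICATOR, [
    (ATTR_USER_NAME, b"jrc"),
    (ATTR_STATE, CHALLENGE_STATE),
    (ATTR_EAP_MESSAGE, EAP_RESPONSE),
], SECRET)

if __name__ == "__main__":
    for name, pkt in (("bad", BAD_REQUEST), ("good", GOOD_REQUEST)):
        print(name, check_state(pkt, CHALLENGE_STATE),
              "Message-Authenticator ok:", verify_message_authenticator(pkt, SECRET))
```

The Message-Authenticator check is what lets a server reject forged or replayed EAP packets from a host that does not know the shared secret; the State check is the part the client in the log gets wrong, and it is the server that has to enforce it, since a supplicant that sends two State attributes will not notice anything itself.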
Re : How to configure EAP Identity in 1.1.3
You have misconfigured the Nas-Identifier

govardhana Nas-Identifier == nas, Nas-Port-Type == 15

You have NAS-Identifier = jrcnas

==
Benjamin K. Eshun

- Original message
From: Govardhana K N [EMAIL PROTECTED]
To: FreeRadius freeradius-users@lists.freeradius.org
Sent: Monday, 16 July 2007, 12:24:09
Subject: How to configure EAP Identity in 1.1.3

Hi, I was trying to configure FreeRadius server with EAP authentication. As mentioned in eap.conf, I didn't change the Auth-Type, but I was sending an EAP message, and Message-Authenticator attributes in Access-Request. When I tried sending an Access-Request with EAP-Message, I got the following error: rlm_eap: Identity Unknown, authentication failed. How to configure the Identity for EAP?

debug log from server:
- Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = /usr main: localstatedir = /var main: logdir = /var/log/freeradius main: libdir = /usr/lib/freeradius main: radacctdir = /var/log/freeradius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = /var/log/freeradius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /var/run/freeradius/freeradius.pid main: bind_address = 127.0.0.1 IP address [127.0.0.1] main: user = freerad main: group = freerad main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/sbin/checkrad main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous =
no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = no exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = /etc/passwd unix: shadow = /etc/shadow unix: group = /etc/group unix: radwtmp = /var/log/freeradius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = md5 eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /etc/freeradius/huntgroups preprocess: hints = /etc/freeradius/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: 
with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = suffix realm: delimiter = @ realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = /etc/freeradius/users files: acctusersfile = /etc/freeradius/acct_users files: preproxy_usersfile = /etc/freeradius/preproxy_users files: compat = no Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port Module: Instantiated acct_unique (acct_unique) Module: Loaded detail
Re: How to configure EAP Identity in 1.1.3
Add EAP-Type-Identity to radeapclient attributes.

Ivan Kalik
Kalik Informatika ISP

On 16/7/2007, Govardhana K N [EMAIL PROTECTED] wrote:
> Hi, I was trying to configure FreeRadius server with EAP authentication. As mentioned in eap.conf, I didn't change the Auth-Type, but I was sending an EAP message, and Message-Authenticator attributes in Access-Request. When I tried sending an Access-Request with EAP-Message, I got the following error: rlm_eap: Identity Unknown, authentication failed. How to configure the Identity for EAP?
> debug log from server: [same radiusd -X output as quoted in the earlier message above]
Re : How to configure EAP Identity in 1.1.3
Check on your AP, client.conf and naslist

==
Benjamin K. Eshun

- Original message
From: Govardhana K N [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, 16 July 2007, 13:28:28
Subject: How to configure EAP Identity in 1.1.3

I changed it but the same error is still coming.

On 7/16/07, Eshun Benjamin [EMAIL PROTECTED] wrote:
> You have misconfigured the Nas-Identifier
>
> govardhana Nas-Identifier == nas, Nas-Port-Type == 15
>
> You have NAS-Identifier = jrcnas
>
> ==
> Benjamin K. Eshun
>
> - Original message
> From: Govardhana K N [EMAIL PROTECTED]
> To: FreeRadius freeradius-users@lists.freeradius.org
> Sent: Monday, 16 July 2007, 12:24:09
> Subject: How to configure EAP Identity in 1.1.3
>
> Hi, I was trying to configure FreeRadius server with EAP authentication. As mentioned in eap.conf, I didn't change the Auth-Type, but I was sending an EAP message, and Message-Authenticator attributes in Access-Request. When I tried sending an Access-Request with EAP-Message, I got the following error: rlm_eap: Identity Unknown, authentication failed. How to configure the Identity for EAP?
> debug log from server: [same radiusd -X output as quoted in the earlier message above]
Re: How to configure EAP Identity in 1.1.3
Govardhana K N wrote:
> I have got an Access-Challenge response from the server, and the Access-Request sent in response to this challenge is failing (Access-Reject is sent by the server). Below I have given the debug log from the server.

Are you writing a 802.1x supplicant? It looks like it.

Also, note that the server does NOT support WiMAX attributes. You can create a WiMAX dictionary, but the attributes in the packet will NOT be in the WiMAX format. Also, many of the WiMAX attributes have sub-attributes, and those are definitely not supported.

Alan DeKok.
Re: How to configure EAP Identity in 1.1.3
If that is the case, how can I add the WiMAX support in Free Radius? What are the changes I should make in order to have WiMAX support?

On 7/17/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Govardhana K N wrote:
>> I have got an Access-Challenge response from the server, and the Access-Request sent in response to this challenge is failing (Access-Reject is sent by the server). Below I have given the debug log from the server.
>
> Are you writing a 802.1x supplicant? It looks like it.
>
> Also, note that the server does NOT support WiMAX attributes. You can create a WiMAX dictionary, but the attributes in the packet will NOT be in the WiMAX format. Also, many of the WiMAX attributes have sub-attributes, and those are definitely not supported.
>
> Alan DeKok.

--
With Regards,
Govardhana K N
Re: How to configure multiple LDAPs with different DN's ?
I would really appreciate it if someone could point me in the right direction or to the archive of the thread.

Thanks in advance.

Regards.
Re: How to configure multiple LDAPs with different DN's ?
It will be postauth that you need. Unfortunately I'm still learning that part myself (when I have spare time).

On 5/8/07, Eric Martell [EMAIL PROTECTED] wrote:
> I would really appreciate it if someone could point me in the right direction or to the archive of the thread.
> Thanks in advance.
> Regards.
Re: how to configure
> I need to configure my freeradius server as a proxy server to use it with Windows IAS! I want the configuration of the files of freeradius which can permit me to do that!

We all want lots of things. Asking a bit more politely might help.

> My last configuration of these files is:
>
> radiusd.conf
> proxy_request = yes
>
> proxy.conf
> realm gie.local {
>         type = radius
>         authhost = LOCAL
>         accthost = LOCAL
> }
> realm DEFAULT {
>         type = radius
>         authhost = araignee.gie.local:1812
>         accthost = araignee.gie.local:1813
>         secret = parfait
>         nostrip
> }
>
> Clients.conf
> client 192.168.0.2 {
>         secret = parfait
>         shortname = araignee.gie.local
> }

This snippet of config looks good, under the assumption that araignee.gie.local is resolvable on your DNS server and resolves to IP 192.168.0.2. Now, configure your FreeRADIUS server as a client on the IAS box so that IAS accepts the proxied requests, and, if applicable, open the required firewall ports.

BTW: do you actually have a _problem_? Nothing in your mail tells us where things don't work. The general, several-years-old and well-documented rule here is: post the debug output of radiusd -X if you have a problem. It will help people here figure out the problem.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research and Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
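The proxy.conf quoted above says two things that are easy to misread: requests for gie.local stay local with the realm stripped from User-Name, and every other realm (and, with the realm file as shown, names with no realm at all) is forwarded to araignee.gie.local with the full User-Name intact because of nostrip. The following Python snippet is an added example, not FreeRADIUS code and not rlm_realm's implementation: it is a simplified, hypothetical model of suffix-realm routing for exactly that configuration, so an administrator can see which user names end up at the IAS box before pointing a switch at the server. The realm table and sample user names are constructed from the config in the thread.

```python
# Hypothetical, simplified model of suffix-realm routing for the proxy.conf
# quoted above. Added example: not FreeRADIUS code and not rlm_realm itself.
REALMS = {
    "gie.local": {"authhost": "LOCAL", "accthost": "LOCAL", "nostrip": False},
    "DEFAULT": {
        "authhost": "araignee.gie.local:1812",
        "accthost": "araignee.gie.local:1813",
        "nostrip": True,
    },
}


def split_realm(user_name, delimiter="@"):
    """format = suffix: the realm is whatever follows the last delimiter.
    Returns (stripped_user_name, realm_or_None)."""
    if delimiter not in user_name:
        return user_name, None
    stripped, _, realm = user_name.rpartition(delimiter)
    return stripped, realm


def route_request(user_name, realms=REALMS, ignore_null=False):
    """Decide where an Access-Request goes.
    Returns (authhost, user_name_as_forwarded, realm_matched).
    A name without a realm falls through to DEFAULT unless ignore_null is set
    (the model's reading of the realm module's ignore_null option); an unknown
    realm also falls through to DEFAULT, which is what makes DEFAULT a catch-all."""
    stripped, realm = split_realm(user_name)
    if realm is None:
        if ignore_null or "DEFAULT" not in realms:
            return "LOCAL", user_name, None
        entry, matched = realms["DEFAULT"], "DEFAULT"
    elif realm in realms:
        entry, matched = realms[realm], realm
    elif "DEFAULT" in realms:
        entry, matched = realms["DEFAULT"], "DEFAULT"
    else:
        return "LOCAL", user_name, None
    # nostrip keeps the full User-Name on the proxied request; otherwise the
    # realm suffix is removed before the request is processed.
    forwarded = user_name if entry["nostrip"] else stripped
    return entry["authhost"], forwarded, matched


# Constructed sample user names
SAMPLE_USERS = ["alice@gie.local", "bob@other.example", "carol"]

if __name__ == "__main__":
    for name in SAMPLE_USERS:
        print("%-20s -> %s" % (name, route_request(name)))
```

The practical check this gives: with a DEFAULT realm and no NULL realm, a bare user name such as "carol" is proxied to the IAS box too, so the IAS side must be prepared to receive un-realmed names, and the firewall rule Stefan mentions has to allow UDP 1812/1813 from the FreeRADIUS host to araignee.gie.local.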
Re: how to configure
It's true! I had configured my FreeRADIUS server as a client on the IAS box, but my freeradius server, which I need to be a proxy server, doesn't transmit the requests from my switch. When I learned freeradius, I began by configuring it with the users file, and after that with a MySQL database. Then I want to configure it as a proxy server which can retransmit requests to IAS on Windows Server 2003. I don't want my freeradius to do authentication, I want it to be a proxy server. I have found some information on that which is not true. For the command radiusd -X it writes "ready to process requests", and when I do my test my freeradius rejects the packets. I need the configuration files (radiusd.conf, proxy.conf, clients.conf ...) to transform it into a proxy server. I use freeradius with EAP-MD5, a Cisco Catalyst 2950 switch, and Windows Server 2003.

Thanks for your help!

From: Stefan Winter [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: how to configure
Date: Thu, 19 Apr 2007 10:54:38 +0200

> [quoted message is identical to Stefan Winter's reply above]
Re: how to configure
You already have those files. What you need to do (if you really want help on this list) is to paste the output from radiusd -X so people can see what has gone wrong and tell you how to fix it. "freeradius rejects the packets" can mean loads of things.

Ivan Kalik
Kalik Informatika ISP

On 19/4/2007, parfait nda [EMAIL PROTECTED] wrote:
> [quoted message is identical to parfait nda's reply above]
Re: How to configure USERS file to assign the VLAN ID according to LDAP group name?
Hi Alan,

I changed Group to Ldap-Group in the users file; however, FreeRADIUS cannot find the group name I specify in the users file. I think the reason is that the basedn (ou=people,dc=richard,dc=com) I set in radiusd.conf is for users only; the group is bound to a different basedn (ou=group,dc=richard,dc=com). So, ldap_groupcmp() cannot find the group in the basedn (ou=people,dc=richard,dc=com).

Since I don't want to authenticate the group membership, just want to get the name of the group to which the user belongs, I don't think I need to configure any group authentication for LDAP. The result is that the user is authenticated, but the Tunnel-Private-Group-ID is not assigned in the Access-Accept message because no group name matches. When I changed it back, it works fine.

I am not sure what Group represents in FreeRADIUS. I only configured group 1 and group 10 in LDAP. I did a test as follows. I changed the name of group 10 to group 20 in LDAP, and kept all other configurations. When the user who was in group 10 before and in group 20 now tried to be authenticated, it was successful except no Tunnel-Private-Group-ID was assigned since there is no group 20 in the users file. So, I assume the Group does have something to do with the LDAP group.

I am using SuSE Enterprise Server 10 and the OpenLDAP integrated with it. Do you think the groups configured in LDAP have some relationship with the Unix group you mentioned?

Richard

On 10/31/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Richard [EMAIL PROTECTED] wrote:
> > Right now the situation is the RADIUS can authenticate the user in LDAP. But the group attribute does work.
>
> As I said before, Group is for Unix groups. If you want to check LDAP groups, you should use the LDAP-Group attribute.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: How to configure USERS file to assign the VLAN ID according to LDAP group name?
Hi, Alan,

Thanks for the reply. Right now the situation is the RADIUS can authenticate the user in LDAP. But the group attribute does work. So, the VLAN ID cannot be assigned. Could you tell me what the correct configuration in the users file should be?

Richard

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, October 31, 2006 6:19 PM
Subject: Re: How to configure USERS file to assign the VLAN ID according to LDAP group name?

> richard Bai [EMAIL PROTECTED] wrote:
> > This is my *users* file configuration:
> > *DEFAULT Group == 1*
>
> Why put asterisks around every line?
>
> > * Auth-Type = LDAP,*
>
> 1) Auth-Type belongs on the first line, radiusd -X will tell you that
> 2) Setting Auth-Type = LDAP is probably wrong.
>
> > Now, it works fine except I have to add more lines manually once I add one more group in LDAP.
>
> Except the Group attribute is for Unix groups, not LDAP groups. Either your system *doesn't* work at all, or the users file entries you included above are *not* what you're using.
>
> > Such as programming:
> > *Tunnel-Private-Group-ID = Group *
>
> See doc/variables.txt. It explains how to copy the contents of one attribute to another attribute.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: How to configure USERS file to assign the VLAN ID according to LDAP group name?
Richard [EMAIL PROTECTED] wrote:
> Right now the situation is the RADIUS can authenticate the user in LDAP. But the group attribute does work.

As I said before, Group is for Unix groups. If you want to check LDAP groups, you should use the LDAP-Group attribute.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
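For reference, here is what the users file looks like once the Unix "Group" check is replaced by the LDAP-Group check Alan points to, with the full set of VLAN attributes a switch expects. This is an added example, not Richard's or Alan's configuration; the group names, the ou=people/ou=group layout under dc=richard,dc=com and the VLAN numbers are taken from the thread, and the requirement that the ldap module's basedn cover the group entries follows Richard's own diagnosis.

```conf
# users file: map the LDAP group a user belongs to onto a VLAN.
#
# LDAP-Group is a check item evaluated by rlm_ldap (ldap_groupcmp()), which
# searches for the group under the module's basedn.  With users in
# ou=people,dc=richard,dc=com and groups in ou=group,dc=richard,dc=com the
# basedn must be wide enough to cover both (assumed here: dc=richard,dc=com),
# otherwise the group is never found and no entry below matches.
#
# Tunnel-Type and Tunnel-Medium-Type must accompany Tunnel-Private-Group-ID,
# or most switches ignore the VLAN assignment (RFC 3580).

DEFAULT LDAP-Group == "1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "1"

DEFAULT LDAP-Group == "10"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "10"

# A user in neither group matches no entry here, so the Access-Accept
# carries no VLAN attributes and the switch applies its own port default
# (or refuses the port, depending on how it is configured).  The first
# matching DEFAULT wins; there is no Fall-Through, so one group per user.
```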
Re: How to configure/store NAS clients in LDAP instead of clients.conf
Lenir Santiago [EMAIL PROTECTED] wrote:
> I've been looking for the past two days all over the web regarding this subject. Sorry if this question has been posted before. With rlm_sql I'm able to store NAS clients in a SQL table. I want to do the same but with LDAP.

It's not possible. If it was possible, it would have been documented.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: How to configure multi nas
On Wed 18 Oct 2006 12:19, Enkhbat.N wrote:
> Hi All
> I have these problems. Please help to solve the problems
> 1. How to configure many NASes on one RADIUS?
> 2. How to set a user's connection NAS. Example: special users are connected on the primary NAS and other users are connected on the secondary NAS.

Please read the documentation (http://wiki.freeradius.org/ is a good place to start). If you still can't figure it out yourself then ask for help on the users list.. NOT this list.

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: How to configure free radius to make it listen to different udp ports?
On Thu, 2006-08-31 at 10:34 +0530, Shankar Ganesh C wrote:
> Hi,
> How can I make freeradius listen to different UDP ports?
> Thanks and regards
> Shankar ganesh

http://wiki.freeradius.org/index.php/Radiusd.conf
look for the listen { } section.
--
James Wakefield, Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED]
Website: http://www.deakin.edu.au
RE: How to configure free radius to make it listen to different udp ports?
Shankar Ganesh wrote:
> How can I make freeradius listen to different UDP ports?

Hi Shankar,

This is very clearly explained in the radiusd.conf configuration file. Search for "listen".

regards,
Mike
Re: how to configure NAI realms routing table
> Any links to documentation on how to achieve this with freeradius would be appreciated. ?

Have you taken a look at proxy.conf? Should all be there...

Stefan
--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: how to configure my scenario
--- Phil Mayers [EMAIL PROTECTED] wrote:

> Peter Manckok wrote:
> > authenticate {
> >   ..
> >   Auth-Type LDAP1 {
> >     interface1
> >   }
> >   Auth-Type LDAP2 {
> >     interface2
> >   }
> >   Auth-Type LDAP3 {
> >     interface3
> >   }
> > }
> >
> > In my authorize section I have:
> > authorize {
> >   files
> >   ...
> > }
> >
> > In my users file I have:
> > DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type := LDAP1
> > DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type := LDAP2
> > DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type := LDAP3
>
> Provided there's nothing after the "files" in authorize that might be (re)setting Auth-Type, that should work.

Thanks for the warning.

> Don't snip bits out - what is the full contents of the authorize and authenticate sections? What does the radius server say when you run it in debug mode (with -X)?

Hi Phil,

My problem is how to select the correct authorize method of an instance depending on the NAS-IP-Address of the Access-Request packet. For example, if the NAS-IP-Address is a.b.c.d I would like to use the authorize method of interface1 (and NOT the authorize method of interface2 or interface3).

I haven't tested it yet, I am not in my company now.

In the authorize section I have:

authorize {
  preprocess
  suffix
  files
  ???  --- how can I discriminate between the different authorize methods of interface1, interface2, interface3 depending on the source NAS-IP-Address?
}

In the authenticate section:

authenticate {
  Auth-Type LDAP1 {
    interface1
  }
  Auth-Type LDAP2 {
    interface2
  }
  Auth-Type LDAP3 {
    interface3
  }
  unix
}

Thanks again. Any hint is very appreciated.

Peter
Re: how to configure my scenario
- Original Message -
From: Peter Manckok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, February 23, 2006 11:52 AM
Subject: Re: how to configure my scenario

> --- Phil Mayers [EMAIL PROTECTED] wrote:
>
> > Peter Manckok wrote:
> > > authenticate {
> > >   ..
> > >   Auth-Type LDAP1 { interface1 }
> > >   Auth-Type LDAP2 { interface2 }
> > >   Auth-Type LDAP3 { interface3 }
> > > }
> > >
> > > In my authorize section I have:
> > > authorize {
> > >   files
> > >   ...
> > > }
> > >
> > > In my users file I have:
> > > DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type := LDAP1
> > > DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type := LDAP2
> > > DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type := LDAP3
> >
> > Provided there's nothing after the "files" in authorize that might be (re)setting Auth-Type, that should work.
>
> Thanks for the warning.
>
> > Don't snip bits out - what is the full contents of the authorize and authenticate sections? What does the radius server say when you run it in debug mode (with -X)?
>
> Hi Phil,
>
> My problem is how to select the correct authorize method of an instance depending on the NAS-IP-Address of the Access-Request packet. For example, if the NAS-IP-Address is a.b.c.d I would like to use the authorize method of interface1 (and NOT the authorize method of interface2 or interface3).
>
> I haven't tested it yet, I am not in my company now.
>
> In the authorize section I have:
>
> authorize {
>   preprocess
>   suffix
>   files
>   ???  --- how can I discriminate between the different authorize methods of interface1, interface2, interface3 depending on the source NAS-IP-Address?
> }
>
> In the authenticate section:
>
> authenticate {
>   Auth-Type LDAP1 { interface1 }
>   Auth-Type LDAP2 { interface2 }
>   Auth-Type LDAP3 { interface3 }
>   unix
> }
>
> Thanks again. Any hint is very appreciated.
>
> Peter

Use Autz-Type to select between authorization methods.
Re: how to configure my scenario
Hi,

> My problem is how to select the correct authorize method of an instance depending on the NAS-IP-Address of the Access-Request packet. For example, if the NAS-IP-Address is a.b.c.d I would like to use the authorize method of interface1 (and NOT the authorize method of interface2 or interface3)

To separate within the authorize section, you have to set Autz-Type as well. That would be

DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type := LDAP1, Autz-Type := LDAP1
DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type := LDAP2, Autz-Type := LDAP2
DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type := LDAP3, Autz-Type := LDAP3

(just always make sure that "files" is before the interfaceX bits, to ensure that Autz-Type is already set.)

You can then do

authorize {
  preprocess
  suffix
  files
  Autz-Type LDAP1 {
    interface1
  }
  Autz-Type LDAP2 {
    interface2
  }
  Autz-Type LDAP3 {
    interface3
  }
}

That should work, I did a very similar thing just last week :-)

Greetings,

Stefan Winter
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Re: how to configure my scenario
--- Stefan Winter [EMAIL PROTECTED] wrote:

> Hi,
>
> > My problem is how to select the correct authorize method of an instance depending on the NAS-IP-Address of the Access-Request packet. For example, if the NAS-IP-Address is a.b.c.d I would like to use the authorize method of interface1 (and NOT the authorize method of interface2 or interface3)
>
> To separate within the authorize section, you have to set Autz-Type as well. That would be
>
> DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type := LDAP1, Autz-Type := LDAP1
> DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type := LDAP2, Autz-Type := LDAP2
> DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type := LDAP3, Autz-Type := LDAP3
>
> (just always make sure that "files" is before the interfaceX bits, to ensure that Autz-Type is already set.)
>
> You can then do
>
> authorize {
>   preprocess
>   suffix
>   files
>   Autz-Type LDAP1 { interface1 }
>   Autz-Type LDAP2 { interface2 }
>   Autz-Type LDAP3 { interface3 }
> }

One question Stefan, in the Autz-Type file I read that the order should look like this:

authorize {
  preprocess
  suffix
  Autz-Type LDAP1 {
    interface1
  }
  Autz-Type LDAP2 {
    interface2
  }
  Autz-Type LDAP3 {
    interface3
  }
  files
}

Is "files" before or after the Autz-Type lines in the authorize section?

Thank you very much

Peter

> That should work, I did a very similar thing just last week :-)
>
> Greetings,
>
> Stefan Winter
> --
> Stefan WINTER
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
> Ingenieur Forschung Entwicklung
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED]
> Tel.: +352 424409-1
> http://www.restena.lu
> Fax: +352 422473
Re: how to configure my scenario
Hi,

> One question Stefan, in the Autz-Type file I read that the order should look like this:
>
> authorize {
>   preprocess
>   suffix
>   Autz-Type LDAP1 { interface1 }
>   Autz-Type LDAP2 { interface2 }
>   Autz-Type LDAP3 { interface3 }
>   files
> }
>
> Is "files" before or after the Autz-Type lines in the authorize section?

Now that I think of it... I think I set Autz-Type already during preprocess, so files could be behind the Autz-Type stanzas. But it should work the other way around as well.

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
RE: how to configure my scenario
I will try to explain it better.

In my modules section I have:

modules {
  ...
  ldap2 interface1 {
    server = 10.x.y.a
    ...
  }
  ldap2 interface2 {
    server = 10.x.y.b
    ...
  }
  ldap2 interface3 {
    server = 10.x.y.c
    ...
  }
  ...
}

In the authenticate section I have:

authenticate {
  ..
  Auth-Type LDAP1 {
    interface1
  }
  Auth-Type LDAP2 {
    interface2
  }
  Auth-Type LDAP3 {
    interface3
  }
}

In my authorize section I have:

authorize {
  files
  ...
}

In my users file I have:

DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type := LDAP1
DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type := LDAP2
DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type := LDAP3

How can I tell FreeRadius in the authorize section (after processing the files module) which authorize method to use (depending on the NAS-IP-Address of the Access-Request packet)? For example, in my case, if the NAS-IP-Address is a.b.c.d I would like to use the authorize method of the interface1 module. If the NAS-IP-Address is a2.b2.c2.d2 I would like to use the authorize method of the interface2 module...

Thanks a lot :-)

--- Peter Manckok [EMAIL PROTECTED] wrote:

> Hi all,
>
> I am not sure how to configure my scenario. I'll explain it to you: we have 3 LDAP servers running. We authenticate against one or the other depending on the type of access (GPRS, Callback...). I am going to create three instances of the ldap module. But I don't know how and where to say which is the instance to use for the authorization and authentication in each case. For example, if I have a GPRS access I would like to authenticate against my first LDAP server (instance ldap1). How can I tell the FreeRadius server to use the authenticate method of the l1 instance?
>
> Thanks
>
> Regards,
> Peter
Re: how to configure my scenario
Peter Manckok [EMAIL PROTECTED] wrote:
> For example, if I have a GPRS access I would like to authenticate against my first LDAP server (instance ldap1). How can I say to the FreeRadius server to use the authenticate method of the l1 instance?

In 1.1.0, once you select an LDAP module during the authorization phase, it will cause itself to be run during the authenticate phase, too.

Alan DeKok.
Re: how to configure my scenario
Peter Manckok wrote:
> authenticate {
>   ..
>   Auth-Type LDAP1 {
>     interface1
>   }
>   Auth-Type LDAP2 {
>     interface2
>   }
>   Auth-Type LDAP3 {
>     interface3
>   }
> }
>
> In my authorize section I have:
> authorize {
>   files
>   ...
> }
>
> In my users file I have:
> DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type := LDAP1
> DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type := LDAP2
> DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type := LDAP3

Provided there's nothing after the "files" in authorize that might be (re)setting Auth-Type, that should work.

Don't snip bits out - what is the full contents of the authorize and authenticate sections? What does the radius server say when you run it in debug mode (with -X)?
Re: how to configure my scenario
Alan DeKok wrote:
> Peter Manckok [EMAIL PROTECTED] wrote:
> > For example, if I have a GPRS access I would like to authenticate against my first LDAP server (instance ldap1). How can I say to the FreeRadius server to use the authenticate method of the l1 instance?
>
> In 1.1.0, once you select an LDAP module during the authorization phase, it will cause itself to be run during the authenticate phase, too.

I assume we can still override this (for example, to authorize with LDAP, but authenticate with Kerberos) as we're doing with 1.0.5. Is this correct?

--
George C. Kaplan  [EMAIL PROTECTED]
Communication Network Services  510-643-0496
University of California at Berkeley
Re: how to configure my scenario
George C. Kaplan [EMAIL PROTECTED] wrote:
> I assume we can still override this (for example, to authorize with LDAP, but authenticate with Kerberos) as we're doing with 1.0.5.

Yes.

Alan DeKok.
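Putting the pieces of this thread together (Peter's three ldap instances and Auth-Type sections, Stefan's Autz-Type answer), here is the complete FreeRADIUS 1.x configuration the thread converges on. This is an added example rather than anyone's posted config; the server addresses, base DNs and NAS addresses are placeholders, and the module type is the standard ldap module.

```conf
# radiusd.conf: one rlm_ldap instance per directory (placeholder servers).
modules {
    ldap interface1 {
        server = "192.0.2.11"
        basedn = "ou=people,dc=site1,dc=example"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
    ldap interface2 {
        server = "192.0.2.12"
        basedn = "ou=people,dc=site2,dc=example"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
    ldap interface3 {
        server = "192.0.2.13"
        basedn = "ou=people,dc=site3,dc=example"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
}

authorize {
    preprocess
    suffix
    # "files" runs first so the users file has already chosen Autz-Type
    # for this NAS before the Autz-Type blocks are evaluated.
    files
    Autz-Type LDAP1 {
        interface1
    }
    Autz-Type LDAP2 {
        interface2
    }
    Autz-Type LDAP3 {
        interface3
    }
}

authenticate {
    # Auth-Type is set explicitly in the users file; as Alan notes above, in
    # 1.1.0 the instance run in authorize would select itself here anyway,
    # and the explicit setting is what lets you override it (e.g. Kerberos).
    Auth-Type LDAP1 {
        interface1
    }
    Auth-Type LDAP2 {
        interface2
    }
    Auth-Type LDAP3 {
        interface3
    }
}

# users file: choose both the authorize and the authenticate instance from
# the NAS that sent the Access-Request (placeholder NAS addresses).
DEFAULT NAS-IP-Address == 192.0.2.1, Auth-Type := LDAP1, Autz-Type := LDAP1
DEFAULT NAS-IP-Address == 192.0.2.2, Auth-Type := LDAP2, Autz-Type := LDAP2
DEFAULT NAS-IP-Address == 192.0.2.3, Auth-Type := LDAP3, Autz-Type := LDAP3

# A request from any other NAS matches none of these lines, so no Autz-Type
# or Auth-Type is set, no directory is consulted, and the server rejects the
# request instead of looking the user up in an arbitrary LDAP server.
```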
Re: How to configure FreeRadius to proxy out a PoD packet to a NAS
Suparna Kumar [EMAIL PROTECTED] wrote:
> 2. Sending the PoD Packets to FreeRadius (which port should I send it to, port 1812 reports "Unknown packet code 40")

FreeRADIUS doesn't support proxying this packet.

Alan DeKok.
Re: How to configure freeradius to answer on two IP addresses
Stefan A. wrote:
> How may I advise freeradius to bind to two IP addresses? I tried the Listen option and the bind_address by separating my IP addresses with a whitespace, a colon or a semicolon...

Delete bind_address and port from radiusd.conf, and use multiple listen {} stanzas, one for each IP address.

--
Nicolas Baradakis
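What the multiple listen {} stanzas look like in practice, covering both the two-address question here and the different-ports question earlier in the page; this is an added example for FreeRADIUS 1.x, not Nicolas's or Stefan's config, and the addresses are placeholders.

```conf
# radiusd.conf: one listen {} stanza per address/port pair.  As Nicolas
# says, remove the global bind_address and port settings first; each
# stanza below then binds its own socket.

# Authentication and accounting on the first address.
listen {
    ipaddr = 192.0.2.10
    port = 1812
    type = auth
}
listen {
    ipaddr = 192.0.2.10
    port = 1813
    type = acct
}

# The same two services on a second address, here on the legacy
# ports 1645/1646 for NAS devices that cannot be reconfigured.
listen {
    ipaddr = 198.51.100.10
    port = 1645
    type = auth
}
listen {
    ipaddr = 198.51.100.10
    port = 1646
    type = acct
}
```

Check the result with radiusd -X: the startup output lists every socket it has bound, so a missing stanza or a leftover bind_address shows up there.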