Freeradius-Users Digest, Vol 51, Issue 30

gayathri reddy gayathri409 at gmail.com
Thu Jul 9 15:24:05 CEST 2009


Hi Kalik,

Thanks for your help...
Now I can send two QoS profiles and it's working fine.

Thanks,
Gayathri

On Wed, Jul 8, 2009 at 3:30 PM, <freeradius-users-request at lists.freeradius.org> wrote:

> Today's Topics:
>
>   1. Re: freeradius active directory integration fails with "no
>      such realm" (Andrei-Florian Staicu)
>   2. Re: want to authorise but not authenticate (Arran Cudbard-Bell)
>   3. Re: want to authorise but not authenticate (Ivan Kalik)
>   4. Re: How to configure 2 wimax qos profiles for the user in
>      users file (Ivan Kalik)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 08 Jul 2009 12:31:21 +0300
> From: Andrei-Florian Staicu <andrei.staicu at gmail.com>
> Subject: Re: freeradius active directory integration fails with "no
>        such realm"
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <4A546769.8020709 at googlemail.com>
> Content-Type: text/plain; charset=ISO-8859-2; format=flowed
>
> Alan DeKok wrote:
> > Andrei-Florian Staicu wrote:
> >
> >> Hello again. I've reached the output from here:
> >> http://pastebin.com/d19f28a24 , and I still don't understand why it
> >> doesn't call the ntlm_auth line
> >>
> >
> >   It looks like you are adding a "Proxy-To-Realm := LOCAL".
> >
> > ...
> >
> >>  PEAP: Sending tunneled request
> >>        EAP-Message = 0x02060018014950534f305c616e647265692e737461696375
> >>        FreeRADIUS-Proxied-To = 127.0.0.1
> >>        User-Name = "IPSO0\\andrei.staicu"
> >> server inner-tunnel {
> >> +- entering group authorize
> >>    rlm_realm: Looking up realm "IPSO0" for User-Name = "IPSO0\andrei.staicu"
> >>    rlm_realm: Found realm "IPSO0"
> >>    rlm_realm: Adding Stripped-User-Name = "andrei.staicu"
> >>    rlm_realm: Adding Realm = "IPSO0"
> >>    rlm_realm: Authentication realm is LOCAL.
> >> ++[ntdomain] returns noop
> >> ++[mschap] returns noop
> >> ++[control] returns noop
> >>
> >
> >   Why is that "update control" section there?  What is in it?
> >
> >
> >
> >>  rlm_eap: Request is supposed to be proxied to Realm LOCAL.  Not doing EAP.
> >>
> >
> >   It's being proxied to realm LOCAL.  You have added a LOCAL realm.
> > Don't do that.
> >
> >
> >> ++[eap] returns noop
> >>  WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
> >> exist!  Cancelling invalid proxy request.
> >>
> >
> >   Even more proof.  The IPSO0 realm above is added because it exists.
> > The server does NOT add a "Proxy-To-Realm := LOCAL".  You have done
> > that.  Delete it from your configuration.
> >
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> >
> It works now. Thank you very much for clearing things up for me.
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 08 Jul 2009 10:33:22 +0100
> From: Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>
> Subject: Re: want to authorise but not authenticate
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <4A5467E2.5040309 at sussex.ac.uk>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 8/7/09 10:19, A.L.M.Buxey at lboro.ac.uk wrote:
> > hi,
> >
> > here's one for a Wednesday morning.
> >
> >
> > we have a system that's been doing plain authorizations
> > via FreeRADIUS - the device sends the following RADIUS request
> >
> > username: userid
> > password: userid
> >
> > (i.e. the system sends the username and makes the password the same)
> >
> > okay. fair enough....a bit of unlang and a check that if the username =
> > password
> > then set the Auth-Type to something false et voila. all okay.
> >
> >
> > it has now been decided to also do authentication via RADIUS
> > and this is where things get messy.
> >
> >
> > by removing the Auth-Type kludge, we can successfully authenticate
> > a real user with their real password.... however, the authorization
> > now fails because the device still sends username/password with
> > the password the same as the username - this now hits the
> > FreeRADIUS server which cannot find a valid Auth-Type for the user
> > and thus fails authentication and therefore sends back a 'blurgh'
> > to the box requesting authorization.
>
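> authorize {
>        # Device lookup: the password field repeats the username
>        if ((User-Name == "%{User-Password}") && "%{ldap:etc...}") {
>                update control {
>                        Auth-Type := 'NULL'
>                }
>        }
>        else {
>                # Authentication modules
>        }
> }
>
>
> # Inside the authenticate section
> Auth-Type NULL {
>        ok
> }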
>
> >
> > this is to be expected because there is nothing in the request to
> > distinguish between an authorization request and an authentication
> > request.
> >
> > so the question is, how do we handle this so that the system can
> > send a username=password for authorization AND a proper authentication
> > can happen WITHOUT (here's a gotcha) the user doing something cute
> > like putting their username in as their password! ;-)
>
> Slightly confused as to what you want... Try again without the caffeine?
>
> Arran
>
> --
> Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>,
> Systems Administrator (AAA),
> Infrastructure Services (IT Services),
> E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
> DDI+FAX: +44 1273 873900 | INT: 3900
> GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 8 Jul 2009 10:35:04 +0100 (BST)
> From: "Ivan Kalik" <tnt at kalik.net>
> Subject: Re: want to authorise but not authenticate
> To: "FreeRadius users mailing list"
>        <freeradius-users at lists.freeradius.org>
> Message-ID:
>        <10825.194.176.105.43.1247045704.squirrel at webmail.kalik.net>
> Content-Type: text/plain;charset=utf-8
>
> > we have a system that's been doing plain authorizations
> > via FreeRADIUS - the device sends the following RADIUS request
> >
> > username: userid
> > password: userid
> >
> > (i.e. the system sends the username and makes the password the same)
> >
> > okay. fair enough....a bit of unlang and a check that if the username =
> > password
> > then set the Auth-Type to something false et voila. all okay.
> >
> >
> > it has now been decided to also do authentication via RADIUS
> > and this is where things get messy.
> >
> >
> > by removing the Auth-Type kludge, we can successfully authenticate
> > a real user with their real password.... however, the authorization
> > now fails because the device still sends username/password with
> > the password the same as the username - this now hits the
> > FreeRADIUS server which cannot find a valid Auth-Type for the user
> > and thus fails authentication and therefore sends back a 'blurgh'
> > to the box requesting authorization.
> >
> > this is to be expected because there is nothing in the request to
> > distinguish between an authorization request and an authentication
> > request.
> >
> > so the question is, how do we handle this so that the system can
> > send a username=password for authorization AND a proper authentication
> > can happen WITHOUT (here's a gotcha) the user doing something cute
> > like putting their username in as their password! ;-)
>
> Send Service-Type = Authorize-Only in the authorization request. Then you can
> distinguish between the requests. Or do authorization at the same time as
> authentication.
>
> Without opening a major security hole. You can set Auth-Type to Accept if
> User-Name = User-Password in the request but that would enable anyone to
> log in knowing just the username.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 8 Jul 2009 10:39:48 +0100 (BST)
> From: "Ivan Kalik" <tnt at kalik.net>
> Subject: Re: How to configure 2 wimax qos profiles for the user in
>        users file
> To: "FreeRadius users mailing list"
>        <freeradius-users at lists.freeradius.org>
> Message-ID:
>        <59554.194.176.105.43.1247045988.squirrel at webmail.kalik.net>
> Content-Type: text/plain;charset=utf-8
>
> > I am trying to configure the two wimax qos profiles for the single user as
> > one for uplink and another for downlink.
> > If I configure the same attributes two times, in the Access-Accept message
> > only the first configured wimax attribute value is sent; it's not
> > sending the same attribute again with a different value. Is there any way
> > to do this and make it work?
>
> http://wiki.freeradius.org/Operators
>
> +=
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 51, Issue 30
> ************************************************
>
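
Ivan Kalik's suggestion in Message 3, written out as an added example (not configuration posted by anyone in this thread): the authorization shortcut is keyed on Service-Type, which the NAS sets, instead of on User-Name matching User-Password, which the end user types. It assumes FreeRADIUS 2.x unlang syntax, a device that can send Service-Type = Authorize-Only, `ldap` and `pap` as the module instances in use, and 192.0.2.10 as a placeholder for the device's address.

```conf
# Added example, not from the thread. FreeRADIUS 2.x unlang.
# Assumptions: the ldap and pap module instances are configured, and
# 192.0.2.10 stands in for the address of the authorizing device.
authorize {
	preprocess

	# Authorization lookup: accepted without a password check, but only
	# when the NAS marks it as Authorize-Only and it comes from the one
	# device that is allowed to ask.
	if ((Service-Type == Authorize-Only) && (Packet-Src-IP-Address == 192.0.2.10)) {
		ldap
		update control {
			Auth-Type := Accept
		}
	}
	# Authorize-Only from any other client is refused outright.
	elsif (Service-Type == Authorize-Only) {
		reject
	}
	# Everything else is a real login. There is no username == password
	# shortcut here, so typing the username as the password is checked
	# against the stored credential like any other guess.
	else {
		ldap
		pap
	}
}
```

A request where User-Name equals User-Password but Service-Type is absent falls through to the last branch and is authenticated normally.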