cisco WAP/FreeRadius/OpenLDAP

Matthew Arguin matt.arguin at currensee.com
Wed Nov 2 15:38:29 CET 2011


Alan,
   I have no mention of ldap in my pap module file, but auto_header
*WAS* set to no. Fixed that; same result:

[root at ops2 raddb]# cat modules/pap
# -*- text -*-
#
#  $Id$

# PAP module to authenticate users based on their stored password
#
#  Supports multiple encryption/hash schemes.  See "man rlm_pap"
#  for details.
#
#  The "auto_header" configuration item can be set to "yes".
#  In this case, the module will look inside of the User-Password
#  attribute for the headers {crypt}, {clear}, etc., and will
#  automatically create the attribute on the right-hand side,
#  with the correct value.  It will also automatically handle
#  Base-64 encoded data, hex strings, and binary data.
pap {
         auto_header = yes
}

-m
On 11/1/2011 2:09 AM, freeradius-users-request at lists.freeradius.org wrote:
> Today's Topics:
>
>     1. Re: IPv6 ready? (Alan Buxey)
>     2. Re: cisco WAP/FreeRadius/OpenLDAP (Alan Buxey)
>     3. Re: add field in radcheck table (gary)
>     4. Re: add field in radcheck table (Fajar A. Nugraha)
>     5. Client hostname in clients.conf instead of IP address (tohaikmeng)
>     6. Re: Client hostname in clients.conf instead of IP address
>        (Fajar A. Nugraha)
>     7. Re: add field in radcheck table (gary)
>     8. Re: add field in radcheck table (Fajar A. Nugraha)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 31 Oct 2011 19:23:09 +0000
> From: Alan Buxey<A.L.M.Buxey at lboro.ac.uk>
> Subject: Re: IPv6 ready?
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID:<20111031192309.GC19191 at lboro.ac.uk>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi,
>>     Thank you all for your help. I added two more listen blocks in
>>     radiusd.conf and I updated detail { ... with the following:
>>     %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} and it works but
>>     ..... (there's always a but). if we use an IPv6 address, then
>>     Packet-Src-IPv6-Address value will be, for instance, 0:0:0:0:0:0:0:0, and
>>     the path becomes :
>>
>>     ${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log
>>
>>     but FR crashes since it cannot create a folder with that name. Is there
>>     any way of overcoming this issue? replace : with . or so???
> well, you asked how it could be done.. you didn't say you were
> trying this on Windows! what's the next surprise?
>
> I would do something like use PERL to make %{Packet-Src-IPv6-Address} become
> sanitized..... eg assign %{Tmp-String-0} and use SED to swap : with -
>
> this means no single source code line change and easily adaptable to whatever
> else you might come across....
>
> then simply use %{Tmp-String-0} in your detail module config....
>
>
> alan
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 31 Oct 2011 19:25:49 +0000
> From: Alan Buxey<A.L.M.Buxey at lboro.ac.uk>
> Subject: Re: cisco WAP/FreeRadius/OpenLDAP
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID:<20111031192549.GD19191 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
>> so now the password is not clear text in the log as it was before but
>> still seeing that no good password error....but then there is that line
>> towards the bottom that says user authorized to use remote access... do
>> i need to configure Filter-Id or something in the sites-enabled/default
>> or innertunnel or something like that?
> getting confused with authorization and authentication?  check your requirements
> in LDAP - do they match (eg CN/DN?)
>
> have you got PAP listed after the ldap and is the auto_header enabled in the pap
> module?
>
> alan
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 1 Nov 2011 10:07:00 +0800
> From: "gary"<gary.yang at browan.com>
> Subject: Re: add field in radcheck table
> To: "FreeRadius users mailing list"
> 	<freeradius-users at lists.freeradius.org>
> Message-ID:<003901cc983a$f335b490$cd15a8c0 at ggyy40fbc8fbae>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
> 	reply-type=original
>
> ----- Original Message -----
> From: "Fajar A. Nugraha"<list at fajar.net>
> To: "FreeRadius users mailing list"<freeradius-users at lists.freeradius.org>
> Sent: Monday, October 31, 2011 8:34 PM
> Subject: Re: add field in radcheck table
>
>
>> On Mon, Oct 31, 2011 at 5:23 PM, gary<gary.yang at browan.com>  wrote:
>>> Hi Fajar
>>> I think the secondname field may be realm instead of.
>> First rule before asking anything: make SURE you know what you want.
>> When you're not even sure, how can others help you?
>>
>>> I am thinking this in case without proxy, using local database it can
>>> determine by two field "username+realm" instead one check field username
>>> such as "gary at companyA" . User can see his/her name like "gary" only
>>> without
>>> "@companyA" character.
>> What do you mean "User can SEE"?
>>
>> The question is simple. What does the user put as username? How do you
>> want to process that username?
>>
>> If the user only inputs "gary", and you don't know how you you can get
>> the realm, then how can FR do what you want? By being psychic?
>>
> Sorry for my poor English.
> From the login page, the user can type his name and select a pull-down option for
> the realm, and then send to the FR server for authentication.
> For example, gary at domain1 and gary at domain2 come from different companies and
> both are in the same database.
> I can directly input gary at domain1 and gary at domain2 as the user name for
> authentication,
> but I would like to separate the two fields for checking.
> The user can see (probably read) user information (e.g. logout page) with only the user name
> instead of gary at domain1.
> Furthermore, in case of a lot of data in radcheck, it can be searched, sorted, etc.
> according to the realm field to improve server performance.
>
>> -- 
>> Fajar
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 1 Nov 2011 10:02:22 +0700
> From: "Fajar A. Nugraha"<list at fajar.net>
> Subject: Re: add field in radcheck table
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID:
> 	<CAG1y0scMgFLgQivxcF+i12pUyFcMWWzZuXYgn8VdfMmz4QRBqw at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Nov 1, 2011 at 9:07 AM, gary<gary.yang at browan.com>  wrote:
>> From the login page, the user can type his name and select a pull-down option for
>> the realm, and then send to the FR server for authentication.
>> For example, gary at domain1 and gary at domain2 come from different companies and
>> both are in the same database.
>> I can directly input gary at domain1 and gary at domain2 as the user name for
>> authentication,
>> but I would like to separate the two fields for checking.
>> The user can see (probably read) user information (e.g. logout page) with only the user name
>> instead of gary at domain1.
> This is a captive portal setup, right? FR doesn't really care what
> user puts in "drop down box", it only cares what the NAS (e.g.
> chillispot) sends. And the NAS doesn't really care what the user
> inputs, it only cares what the captive portal sends it (which may or
> may not be the same as what the user inputs).
>
> For example, in my setup the captive portal adds a realm automatically
> (the user can't put it manually) and pre-processes the password that the user
> entered (e.g. using a custom hash).
>
> In that setup there's really no need to separate user and realm. Just
> use the default setup.
>
>> Furthermore, in case lot of data in radcheck, it can be search,sort...etc
>> according to the realm field to improve server performance.
> I actually think the easiest way is to just add a "realm" field in
> radcheck as ENUM type, indexed, used only for search/sorting purposes,
> updated automatically by mysql trigger. That way you don't have to
> modify anything on FR side.
>

-- 
Matthew Arguin
Currensee, Inc.
54 Canal St, 4th Floor
Boston, MA 02114
(617) 986-4758 (Office)
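Editor's added example, not part of the thread or of FreeRADIUS itself: a stand-alone Python model of what the `auto_header = yes` setting in the pasted pap config does. An OpenLDAP userPassword value such as `{SSHA}base64(sha1(password || salt) || salt)` carries its hashing scheme in a `{header}`; with auto_header enabled rlm_pap strips the header, normalises a hex, base64 or binary payload and compares the candidate under that scheme. With auto_header off, the whole string including `{SSHA}` is treated as the clear-text "known good" password and no login can match, which is the failure Alan was probing for. The scheme table below ({clear}/{cleartext}, {md5}, {smd5}, {sha}, {ssha}) is the common LDAP subset; {crypt} and {nt} are deliberately left out, and all sample hashes are constructed here rather than taken from a real directory.

```python
"""Model of rlm_pap auto_header handling (added illustration, not FreeRADIUS code)."""
import base64
import binascii
import hashlib
import hmac
import string

# scheme -> (hashlib name, salted?).  Salted LDAP schemes store digest || salt.
SCHEMES = {
    "md5":  ("md5", False),
    "smd5": ("md5", True),
    "sha":  ("sha1", False),
    "ssha": ("sha1", True),
}


def split_header(stored: str):
    """Return (scheme, payload).  No header means clear text, as in rlm_pap."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        scheme = scheme.lower()
        return ("clear" if scheme == "cleartext" else scheme), payload
    return "clear", stored


def normalise(payload: str, digest_len: int) -> bytes:
    """Accept a hex string, base64 text or raw binary and return bytes."""
    p = payload.strip()
    # Unsalted digests are often stored as hex: exactly 2*digest_len hex chars.
    if len(p) == digest_len * 2 and all(c in string.hexdigits for c in p):
        return bytes.fromhex(p)
    # OpenLDAP writes base64 (digest || salt); accept anything long enough.
    try:
        raw = base64.b64decode(p, validate=True)
        if len(raw) >= digest_len:
            return raw
    except (binascii.Error, ValueError):
        pass
    # Otherwise assume the attribute already held binary data.
    return payload.encode("latin-1", "replace")


def check_password(stored: str, candidate: str) -> bool:
    """Verify candidate against a {scheme}-prefixed stored password."""
    scheme, payload = split_header(stored)
    cand = candidate.encode("utf-8")
    if scheme == "clear":
        # Constant-time compare even for clear text (different lengths -> False).
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported password scheme {{{scheme}}}")
    algo, salted = SCHEMES[scheme]
    digest_len = hashlib.new(algo).digest_size
    raw = normalise(payload, digest_len)
    if len(raw) < digest_len or (not salted and len(raw) != digest_len):
        raise ValueError(f"{{{scheme}}} payload has wrong length {len(raw)}")
    digest, salt = raw[:digest_len], raw[digest_len:]
    computed = hashlib.new(algo, cand + salt).digest()
    return hmac.compare_digest(computed, digest)


def make_ssha(password: str, salt: bytes) -> str:
    """Produce an OpenLDAP-style {SSHA} value (used here only to build sample data)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    ssha = make_ssha("s3cret", b"\x01\x02\x03\x04")
    print(ssha, check_password(ssha, "s3cret"), check_password(ssha, "wrong"))
    # auto_header = no in miniature: the header is never stripped, so the literal
    # string "{SSHA}..." becomes the "known good" password and nothing matches.
    print(check_password("{clear}" + ssha, "s3cret"))
```

The same check can be run against a value pulled straight out of the directory with `ldapsearch ... userPassword`; if the attribute comes back with a header and the pap module still reports a bad password, the thing to verify is that the ldap module actually maps that attribute into the known-good password and that pap runs in authenticate after ldap has run in authorize.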