cisco WAP/FreeRadius/OpenLDAP

Matthew Arguin matt.arguin at currensee.com
Mon Oct 31 20:06:48 CET 2011


Added that in (actually tried that before as well); it still does not work, 
but the logging looks a little different now:


*****
[ldap] performing user authorization for marguin2
[ldap]  expand: (uid=%u) -> (uid=marguin2)
[ldap]  expand: ou=people,dc=currensee,dc=com -> 
ou=people,dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=currensee,dc=com, with 
filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by radiusFilterId
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> Password-With-Header == "{CRYPT}tGS8HbszeyDmM"
[ldap] looking for reply items in directory...
rlm_ldap: radiusFilterId -> Filter-Id = "wireless"
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?
[ldap] user marguin2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
*****


So now the password is not clear text in the log as it was before, but I am 
still seeing that "no known good password" error... but then there is that line 
towards the bottom that says the user is authorized to use remote access. Do 
I need to configure Filter-Id or something in sites-enabled/default 
or inner-tunnel, or something like that?

-m

On 10/31/2011 12:19 PM, freeradius-users-request at lists.freeradius.org 
wrote:
> Today's Topics:
>
>     1. Re: cisco WAP/FreeRadius/OpenLDAP (Phil Mayers)
>     2. RE: IPv6 ready? (Sergio NNX)
>     3. Re: IPv6 ready? (Phil Mayers)
>     4. RE: IPv6 ready? (Sergio NNX)
>     5. Re: IPv6 ready? (Phil Mayers)
>     6. Re: IPv6 ready? (Johan Meiring)
>     7. RE: IPv6 ready? (Sergio NNX)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 31 Oct 2011 14:53:02 +0000
> From: Phil Mayers<p.mayers at imperial.ac.uk>
> Subject: Re: cisco WAP/FreeRadius/OpenLDAP
> To: freeradius-users at lists.freeradius.org
> Message-ID:<4EAEB64E.5080300 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 31/10/11 14:03, Matthew Arguin wrote:
>> Phil,
>> I just confirmed that it is tagged with the {CRYPT} or {SHA} (i have
>> tried both). also, i changed the user that is binding to be the manager
>> CN which has full access to the ldap for mod etc to rule that out.
> Ah. I've just seen that you are running 2.1.7 from your original email.
>
> The default LDAP attribute mappings were updated after that version to
> include this line in "ldap.attrmap":
>
> checkitem       Password-With-Header            userPassword
>
> ...you should:
>
>    a. Add that line to your "ldap.attrmap", see if it makes any difference
>    b. Plan an upgrade to 2.1.12
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 31 Oct 2011 15:32:07 +0000
> From: Sergio NNX<sfhacker at hotmail.com>
> Subject: RE: IPv6 ready?
> To:<freeradius-users at lists.freeradius.org>
> Message-ID:<BAY147-W5460081D972A7B951D126CCD60 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> Thank you all for your help. I added two more listen blocks in radiusd.conf and I updated detail { ... with the following: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} and it works but ..... (there's always a but). If we use an IPv6 address, then the Packet-Src-IPv6-Address value will be, for instance, 0:0:0:0:0:0:0:0, and the path becomes:
>
>                 ${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log
>
> but FR crashes since it cannot create a folder with that name. Is there any way of overcoming this issue? replace : with . or so???
>
> Thanks again for your help.
>
> Sergio.
>
>> Date: Mon, 31 Oct 2011 08:52:46 +0000
>> From: A.L.M.Buxey at lboro.ac.uk
>> To: freeradius-users at lists.freeradius.org
>> Subject: Re: IPv6 ready?
>>
>> Hi,
>>
>>>     Just wondering if FR supports IPv6 addresses since I'm unable to start the
>>>     server when using IPv6.
>> yes. we use it fine with IPv6 - both receiving and sending RADIUS packets.
>>
>>>     Another question is: are you aware of any (client) tool for testing FR
>>>     when using IPv6 addresses? eapol_test doesn't seem to know anything about
>>>     :: or ::1
>> eapol_test -  use hostnames (eg in /etc/hosts ?) ?
>>
>>>     Do the below lines from radiusd.conf require any change when IPv6?
>>>
>>>     ...
>>>     ...
>>>     detail {
>>>                  detailfile =
>>>     ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log
>> yes, Client-IP-Address doesn't exist in the IPv6 world - you can use one of the source
>> address attributes instead
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> Message: 3
> Date: Mon, 31 Oct 2011 15:46:47 +0000
> From: Phil Mayers<p.mayers at imperial.ac.uk>
> Subject: Re: IPv6 ready?
> To: freeradius-users at lists.freeradius.org
> Message-ID:<4EAEC2E7.20500 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 31/10/11 15:32, Sergio NNX wrote:
>> Thank you all for your help. I added two more listen blocks in
>> radiusd.conf and I updated detail { ... with the following:
>> %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} and it works but
>> ..... (there's always a but). if we use an IPv6 address, then
>> Packet-Src-IPv6-Address value will be, for instance, 0:0:0:0:0:0:0:0,
>> and the path becomes :
>>
>> ${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log
>>
>> but FR crashes since it cannot create a folder with that name. Is there
>> any way of overcoming this issue? replace : with . or so???
> Really? Which OS?
>
> There's no built-in xlat that allows you to do a substitute; you'll have
> to use rlm_perl or rlm_python, or an exec script, to translate the name.
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 31 Oct 2011 15:58:35 +0000
> From: Sergio NNX<sfhacker at hotmail.com>
> Subject: RE: IPv6 ready?
> To:<freeradius-users at lists.freeradius.org>
> Message-ID:<BAY147-W12F047CD2D7B8351888B32CCD60 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> Thanks Phil. Can you try 'mkdir 0:0:0:0:0:0:0:0' on a Windows box and let me know if it works?
>
>> Date: Mon, 31 Oct 2011 15:46:47 +0000
>> From: p.mayers at imperial.ac.uk
>> To: freeradius-users at lists.freeradius.org
>> Subject: Re: IPv6 ready?
>>
>> On 31/10/11 15:32, Sergio NNX wrote:
>>> Thank you all for your help. I added two more listen blocks in
>>> radiusd.conf and I updated detail { ... with the following:
>>> %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} and it works but
>>> ..... (there's always a but). if we use an IPv6 address, then
>>> Packet-Src-IPv6-Address value will be, for instance, 0:0:0:0:0:0:0:0,
>>> and the path becomes :
>>>
>>> ${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log
>>>
>>> but FR crashes since it cannot create a folder with that name. Is there
>>> any way of overcoming this issue? replace : with . or so???
>> Really? Which OS?
>>
>> There's no built-in xlat that allows you to do a substitute; you'll have
>> to use rlm_perl or rlm_python, or an exec script, to translate the name.
>
> ------------------------------
>
> Message: 5
> Date: Mon, 31 Oct 2011 16:08:21 +0000
> From: Phil Mayers<p.mayers at imperial.ac.uk>
> Subject: Re: IPv6 ready?
> To: freeradius-users at lists.freeradius.org
> Message-ID:<4EAEC7F5.5090008 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 31/10/11 15:58, Sergio NNX wrote:
>> Thanks Phil. Can you try 'mkdir 0:0:0:0:0:0:0:0' on a Windows box and
>> let me know if it works?
> I can tell you for absolute certain it won't without even having to try.
> It's a Windows limitation.
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 31 Oct 2011 18:08:52 +0200
> From: Johan Meiring<jmeiring at pcservices.co.za>
> Subject: Re: IPv6 ready?
> To: freeradius-users at lists.freeradius.org
> Message-ID:<4EAEC814.2050507 at pcservices.co.za>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 2011/10/31 05:58 PM, Sergio NNX wrote:
>> Thanks Phil. Can you try 'mkdir 0:0:0:0:0:0:0:0' on a Windows box and let me
>> know if it works?
>>
> C:\junk>mkdir 0:0:0:0:0:0:0:0
> The system cannot find the drive specified.
>
> C:\junk>mkdir '0:0:0:0:0:0:0:0'
> The filename, directory name, or volume label syntax is incorrect.
>
> C:\junk>mkdir "0:0:0:0:0:0:0:0"
> The system cannot find the drive specified.
>
>
> C:\junk>mkdir 0\:0\:0\:0\:0\:0\:0\:0
> The filename, directory name, or volume label syntax is incorrect.
>
>
> Why not simply remove the IP address from the log path?
> Do they HAVE to be in directories with the IP address as part of the name?
>
> Cheers,
>

-- 
Matthew Arguin
Currensee, Inc.
54 Canal St, 4th Floor
Boston, MA 02114
(617) 986-4758 (Office)
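The debug output above shows rlm_ldap handing the directory's userPassword to the server as Password-With-Header == "{CRYPT}tGS8HbszeyDmM". What happens next is that the pap module splits the value into a scheme header and a hash and compares the candidate password under that scheme. The following is an added illustration of that split-and-verify logic, written for this archive page; it is not FreeRADIUS code, and the functions (split_header, verify, make_sha, make_ssha) and the sample passwords are constructed here. The {CRYPT} branch relies on Python's crypt module, which is absent on some recent Python builds, so it is guarded.

```python
"""Split an LDAP userPassword value with a {SCHEME} header and verify a
candidate against it, the way FreeRADIUS's pap module treats the
Password-With-Header check item produced by rlm_ldap (added example,
not project code)."""
import base64
import hashlib
import hmac

try:
    import crypt  # crypt(3) wrapper; not present on every Python build
except ImportError:  # pragma: no cover
    crypt = None


def split_header(value: str):
    """Return (SCHEME, payload). A value with no {...} header is treated as
    cleartext, matching a directory that stores plain passwords."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "CLEAR", value


def verify(stored: str, candidate: str) -> bool:
    """True if candidate matches the stored header+hash value.
    Comparisons use hmac.compare_digest to avoid timing side channels."""
    scheme, payload = split_header(stored)
    cand = candidate.encode()
    if scheme in ("CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(payload.encode(), cand)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(payload),
                                   hashlib.sha1(cand).digest())
    if scheme == "MD5":
        return hmac.compare_digest(base64.b64decode(payload),
                                   hashlib.md5(cand).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(payload)          # 20-byte digest + salt
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    if scheme == "SMD5":
        raw = base64.b64decode(payload)          # 16-byte digest + salt
        digest, salt = raw[:16], raw[16:]
        return hmac.compare_digest(digest, hashlib.md5(cand + salt).digest())
    if scheme == "CRYPT":
        if crypt is None:
            raise NotImplementedError("crypt(3) is unavailable on this Python")
        # crypt.crypt(pw, full_hash) reuses the salt embedded in the hash
        return hmac.compare_digest(crypt.crypt(candidate, payload), payload)
    raise ValueError("unsupported password scheme {%s}" % scheme)


def make_sha(password: str) -> str:
    """Build an unsalted {SHA} value (constructed test data helper)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_ssha(password: str, salt: bytes) -> str:
    """Build a salted {SSHA} value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


if __name__ == "__main__":
    # The header from the log line above, with the hash left as-is.
    print(split_header("{CRYPT}tGS8HbszeyDmM"))
    stored = make_ssha("correct horse", b"1234")      # constructed sample
    print(stored, verify(stored, "correct horse"), verify(stored, "wrong"))
```

Two points follow from this. First, the "No known good password" warning disappears only once the server can see the attribute as Password-With-Header (the ldap.attrmap line Phil quotes) and the pap module runs in authenticate, because the check item is useless until something consumes it. Second, a hashed scheme such as {CRYPT} or {SHA} can only be verified when the client supplies the plaintext password (PAP, or EAP-TTLS carrying PAP); MSCHAPv2-based methods such as PEAP need an NT hash or cleartext in the directory, so the choice of EAP type on the Cisco WAP and supplicants matters as much as the attribute mapping.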
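In the quoted IPv6 thread, Phil notes that there is no built-in xlat to rewrite a value, so turning 0:0:0:0:0:0:0:0 into a directory name Windows will accept has to be done in rlm_perl, rlm_python or an exec script. The block below is an added sketch of the translation such a script would do; it is not FreeRADIUS or rlm_python code, the function names (address_to_dirname, detail_path) are invented here, and the paths and addresses are constructed samples. It does the ":" to "." substitution Sergio suggests, but on the expanded eight-group form, because the compressed form of the all-zero address is "::", which would become ".." and walk out of ${radacctdir}; it also refuses anything that is not a plain address so an attribute-derived value can never become a path separator.

```python
"""Map a RADIUS source address to a single safe directory component for a
detail-file path (added example; hypothetical helper, not project code)."""
import ipaddress
import os
import re
from typing import Optional

# Only digits, letters, dots and hyphens may survive into the path component.
SAFE_COMPONENT = re.compile(r"^[0-9A-Za-z.\-]+$")


def address_to_dirname(addr: str) -> str:
    """Return a filesystem-safe directory name for an IPv4 or IPv6 address.

    IPv4 is used as-is. IPv6 is expanded to its full form and ':' becomes
    '.', so hosts that reject ':' in names (Windows) can create the
    directory. ValueError is raised for anything that is not an address or
    would not be a single path component.
    """
    ip = ipaddress.ip_address(addr)          # rejects junk such as "../etc"
    if ip.version == 4:
        name = str(ip)
    else:
        # exploded form is never "::", so the result can never be "" or ".."
        name = ip.exploded.replace(":", ".")
    if name in (".", "..") or not SAFE_COMPONENT.match(name):
        raise ValueError("unsafe path component %r" % name)
    return name


def detail_path(radacctdir: str, src_ipv4: Optional[str],
                src_ipv6: Optional[str], yyyymmdd: str) -> str:
    """Python equivalent of
        ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d.log
    with the IPv6 case rewritten to a creatable directory name."""
    addr = src_ipv4 or src_ipv6
    if not addr:
        raise ValueError("no source address attribute present")
    return os.path.join(radacctdir, address_to_dirname(addr),
                        "detail-%s.log" % yyyymmdd)


if __name__ == "__main__":
    # Constructed samples: the all-zero address from the thread and an IPv4.
    print(detail_path("/var/log/radius/radacct", None, "0:0:0:0:0:0:0:0", "20111031"))
    print(detail_path("/var/log/radius/radacct", "192.0.2.10", None, "20111031"))
```

The same check is worth keeping even if Johan's suggestion of dropping the address from the path is taken: any attribute that ends up in a filename should be validated as one component before the server opens the file.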



