Freeradius-Users Digest, Vol 150, Issue 60

dahili.network at gmail.com dahili.network at gmail.com
Sat Oct 28 12:14:33 CEST 2017


Dear friends, I am looking for paid help with
FreeRADIUS to offer an unpaid page to PPPoE customers.
My email is dahili.network at gmail.com.
The unpaid page is on a real-IP web server.
The page is PHP and is currently working for MAC auth users,
but unpaid PPPoE users are disconnected, which is why it is unusable for PPPoE users.

FreeRADIUS may accept the connection by default whether the user is paid or unpaid,
but if unpaid then route to the unpaid section, and if paid then route to the paid
section.





----- Original Message ----- 
From: <freeradius-users-request at lists.freeradius.org>
To: <freeradius-users at lists.freeradius.org>
Sent: Saturday, October 28, 2017 1:00 PM
Subject: Freeradius-Users Digest, Vol 150, Issue 60


> Today's Topics:
>
>   1. Re: ldap group membership check issue (Alan DeKok)
>   2. Re: Radius proxy request to other radius for OTP auth
>      (Satish Patel)
>   3. Re: Radius proxy request to other radius for OTP auth (Alan DeKok)
>   4. Re: Radius proxy request to other radius for OTP auth
>      (Satish Patel)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 27 Oct 2017 08:48:03 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: ldap group membership check issue
> Message-ID: <3A589B8E-AF8B-46C5-B9FA-9344D95BDA1C at deployingradius.com>
> Content-Type: text/plain; charset=utf-8
>
> On Oct 27, 2017, at 7:49 AM, Евгений Подберезкин <epodber at gmail.com> 
> wrote:
>>
>> Thanks for the reply. I 've already added the realms to proxy.conf , but
>> adding ntdomain module wasn`t obvious for me (suffix is enabled by 
>> default,
>> so I did not care of it).
>
>  Yes, that's not obvious.
>
>> I have one more question, could you give me hint.
>>
>> If check LDAP-Group in etc/raddb/users, it works.
>>
>> DEFAULT chtpzldap-LDAP-Group ==
>> "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru"
>>
>> DEFAULT Auth-Type := Reject
>>        Reply-Message = "Group do not match"
>>
>> But if I need to set an attribute in post-auth, it does not
>>
>> F.e. in sites-enabled/default or sites-enabled/inner-tunnel
>
>  That sets the attribute in the *inner-tunnel*.  You still need to get it 
> to the outer, default server.
>
>  See raddb/mods-available/eap.  Look for "use_tunneled_reply".
>
>> post-auth {
>>
>>        if (chtpzldap-LDAP-Group ==
>> "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") {
>>                Tunnel-Private-Group-ID := "165"
>>        }
>>
>>
>> radiusd -X :
>>
>> (9) # Executing section post-auth from file
>> /opt/freeradius3/etc/raddb/sites-enabled/default
>> (9)   post-auth {
>> (9)     if (chtpzldap-LDAP-Group ==
>> "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") {
>> (9)     *if (chtpzldap-LDAP-Group ==
>> "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru")  -> FALSE*
>
>  Which means it doesn't match.  Find out why, first.
>
>  See the comments at the top of the "inner-tunnel" virtual server for how 
> to debug it.
>
>  Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 27 Oct 2017 12:05:24 -0400
> From: Satish Patel <satish.txt at gmail.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Radius proxy request to other radius for OTP auth
> Message-ID:
> <CAPgF-for5jSuCE3anKQ+sUdvaXC548c6JSHS27oMQ2CTOM8PHA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> In short this is what i am planning to do with FreeRadius instead of
> IAS windows 
> http://www.dasblinkenlichten.com/using-radius-attributes-during-webvpn-logon/
>
> We have Multi Factor authentication (password+OTP) for VPN login, and
> MFA (multi factor auth) provided by onelogin company, in my Cisco ASA
> i tell my RADIUS server is onlogin in cloud and my asa authenticate
> users from there, but that company doesn't support Attribute Class 25
> which i posted in link, so i was thinking to build Freeradius in-house
> and do whatever i want there for grouping and then proxy request to
> onlogin for OTP stuff.  In short my local radius will act like Proxy
> and forward request to onelogin in cloud for OTP.
>
> I am not sure it's possible or not so just trying to see what people
> think about it or any other way out.
>
> On Fri, Oct 27, 2017 at 8:43 AM, Alan DeKok <aland at deployingradius.com> 
> wrote:
>> On Oct 26, 2017, at 10:58 PM, Satish Patel <satish.txt at gmail.com> wrote:
>>> Recently we decided to create multiple Group Policy for VPN and every
>>> group will have own permission to access application, like Sales,
>>> Finance and contractor etc, In short contractor can't access Finance
>>> related application etc.
>>
>>   I'm not sure that's possible in RADIUS.  You can send policies to the 
>> VPN (maybe), but the VPN may ignore them.
>>
>>> After reading found ASA support RADIUS attribute Class 25 where i can
>>> create OU=sales and implement policy base on whatever LDAP memberOf
>>> list users.
>>
>>   That's vague... what, exactly are you doing?  What piece of the network 
>> is doing what?
>>
>>> But unfortunately onelogin doesn't support that kind of attributes
>>> mapping and now we stuck here so only solution is to deploy on radius
>>> server and integrate with google authenticator.
>>
>>   How does deploying a RADIUS server help with controlling access to 
>> applications?
>>
>>> So i have question is there anyway i can use FreeRadius locally and
>>> use attributes Class 25 and then proxy authentication to onlelogin
>>> RADIUS?
>>
>>   FreeRADIUS can use Class.  So?  What does it *do* with it?
>>
>>> What should i do and what you guys suggest here?
>>
>>   First, you have to describe what you're doing.  Which network machines 
>> are involved?  What are they doing?  What information do they exchange?
>>
>>   Alan DeKok.
>>
>>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 27 Oct 2017 12:10:28 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Radius proxy request to other radius for OTP auth
> Message-ID: <17B7D2F9-A785-487D-B691-38EEDE050FAC at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
>
>> On Oct 27, 2017, at 12:05 PM, Satish Patel <satish.txt at gmail.com> wrote:
>>
>> In short this is what i am planning to do with FreeRadius instead of
>> IAS windows 
>> http://www.dasblinkenlichten.com/using-radius-attributes-during-webvpn-logon/
>
>  You just configure FreeRADIUS to send the Class attribute back.  That 
> should be simple.
>
>> We have Multi Factor authentication (password+OTP) for VPN login, and
>> MFA (multi factor auth) provided by onelogin company, in my Cisco ASA
>> i tell my RADIUS server is onlogin in cloud and my asa authenticate
>> users from there, but that company doesn't support Attribute Class 25
>> which i posted in link,
>
>  Then you can't do it.
>
>> so i was thinking to build Freeradius in-house
>> and do whatever i want there for grouping and then proxy request to
>> onlogin for OTP stuff.  In short my local radius will act like Proxy
>> and forward request to onelogin in cloud for OTP.
>
>  That still isn't clear.  If the VPN doesn't support Class, then adding 
> FreeRADIUS won't help.
>
> Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 27 Oct 2017 12:37:12 -0400
> From: Satish Patel <satish.txt at gmail.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Radius proxy request to other radius for OTP auth
> Message-ID:
> <CAPgF-fqKM-Jq1WteajY3h+aC1f8vGxazSUdTVT-bftG4v7dbpg at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
>> That still isn't clear.  If the VPN doesn't support Class, then adding 
>> FreeRADIUS won't help.
>
> VPN does support that Class
>
> On Fri, Oct 27, 2017 at 12:10 PM, Alan DeKok <aland at deployingradius.com> 
> wrote:
>>
>>> On Oct 27, 2017, at 12:05 PM, Satish Patel <satish.txt at gmail.com> wrote:
>>>
>>> In short this is what i am planning to do with FreeRadius instead of
>>> IAS windows 
>>> http://www.dasblinkenlichten.com/using-radius-attributes-during-webvpn-logon/
>>
>>   You just configure FreeRADIUS to send the Class attribute back.  That 
>> should be simple.
>>
>>> We have Multi Factor authentication (password+OTP) for VPN login, and
>>> MFA (multi factor auth) provided by onelogin company, in my Cisco ASA
>>> i tell my RADIUS server is onlogin in cloud and my asa authenticate
>>> users from there, but that company doesn't support Attribute Class 25
>>> which i posted in link,
>>
>>   Then you can't do it.
>>
>>> so i was thinking to build Freeradius in-house
>>> and do whatever i want there for grouping and then proxy request to
>>> onlogin for OTP stuff.  In short my local radius will act like Proxy
>>> and forward request to onelogin in cloud for OTP.
>>
>>   That still isn't clear.  If the VPN doesn't support Class, then adding 
>> FreeRADIUS won't help.
>>
>>  Alan DeKok.
>>
>>
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 150, Issue 60
> *************************************************
> 
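
The proxy-plus-Class setup discussed in messages 2 to 4 of the quoted digest, as an added FreeRADIUS 3 configuration sketch (not from any poster in the thread). The home server address, shared secret, realm name, LDAP group DNs and group-policy names are placeholders, and it assumes mods-enabled/ldap is already configured.

```conf
# --- raddb/proxy.conf (added example; all names and values are placeholders) ---
home_server otp_cloud {
	type   = auth
	ipaddr = 192.0.2.10      # placeholder: hosted OTP RADIUS server
	port   = 1812
	secret = CHANGE_ME       # placeholder shared secret
}

home_server_pool otp_pool {
	type        = fail-over
	home_server = otp_cloud
}

realm otp {
	auth_pool = otp_pool
	nostrip                  # forward User-Name unchanged
}

# --- raddb/sites-enabled/default ---
authorize {
	# Hand the password+OTP check to the upstream server.
	update control {
		Proxy-To-Realm := "otp"
	}
}

post-auth {
	# Runs after the upstream Access-Accept comes back.
	# ":=" replaces any Class the upstream sent, so the
	# group policy is decided locally from LDAP membership.
	if (LDAP-Group == "CN=VPN_Sales,OU=Groups,DC=example,DC=org") {
		update reply {
			Class := "OU=Sales;"
		}
	}
	elsif (LDAP-Group == "CN=VPN_Finance,OU=Groups,DC=example,DC=org") {
		update reply {
			Class := "OU=Finance;"
		}
	}
	else {
		# Fail closed: a valid OTP without a mapped group gets no VPN access.
		reject
	}
}
```

Run `radiusd -X` and confirm each LDAP-Group comparison evaluates as expected before relying on the returned Class.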




