Hello,<br> I configured a freeradiusd server and it is working fine, but I am really confused about the nas table and its entries. On my radiusd server, people can log in multiple times with the same username and password. I couldn't set simultaneous login = 1 for the same username at the same time. I tried very hard to set simultaneous login = 1 but I couldn't, so I feel that it is a problem with the naslist, because I get this kind of message in the radiusd log file when I start the radiusd server. I attached this radiusd log file with this posting.<br> Regards <br> rina <br><br><b><i>freeradius-users-request@lists.freeradius.org</i></b> wrote:<blockquote class="replbq" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> Send Freeradius-Users mailing list submissions to<br> freeradius-users@lists.freeradius.org<br><br>To subscribe or unsubscribe via the World Wide
Web, visit<br> http://lists.freeradius.org/mailman/listinfo/freeradius-users<br>or, via email, send a message with subject or body 'help' to<br> freeradius-users-request@lists.freeradius.org<br><br>You can reach the person managing the list at<br> freeradius-users-owner@lists.freeradius.org<br><br>When replying, please edit your Subject line so it is more specific<br>than "Re: Contents of Freeradius-Users digest..."<br><br><br>Today's Topics:<br><br> 1. Re: PEAP+MSCHAP+AD (please help) (Phil Mayers)<br> 2. How to pass information between modules? (Martin Gadbois)<br> 3. Re: How to pass information between modules? (Alan DeKok)<br> 4. Re: LDAP->RADIUS Attribute Mapping (Alan DeKok)<br> 5. Re: How to pass information between modules? (Martin Gadbois)<br> 6. Re: Choosing The best replication system. (Sarkis Gabriel)<br> 7. Re: TTLS : where to indicate User/Password ? (Bruno
Costacurta)<br><br><br>----------------------------------------------------------------------<br><br>Message: 1<br>Date: Fri, 08 Dec 2006 18:31:37 +0000<br>From: Phil Mayers <p.mayers @imperial.ac.uk=""><br>Subject: Re: PEAP+MSCHAP+AD (please help)<br>To: FreeRadius users mailing list<br> <freeradius-users @lists.freeradius.org=""><br>Message-ID: <4579AF89.3010307@imperial.ac.uk><br>Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br><br>Hector.Ortiz@swisscom.com wrote:<br>> Hi there, this is an old issue, but AFAIAC hasn't been solved yet, that's why I'm asking for help with this problem which is driving me crazy.<br>> <br>> <br>> In the first attempt the user has checked the option "Automatically use my Windows logon name and password (and domain if any)", user account is valid in the domain and is not locked out, however user authentication fails.<br>> <br>> In the next attempt the user has unchecked this option, so everytime he
connects to the network he has to type his credentials in. After clicking "Connect" he gets access. <br>> <br>> Why if Windows sends the same user information only in the latter case user is able to get in?<br>> <br>> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=c61ad7019723b68d --nt-response=70fb1b0438208667d0bac6eb895ea8644b413566785d5785<br>> Exec-Program output: Logon failure (0xc000006d) <br>> Exec-Program-Wait: plaintext: Logon failure (0xc000006d) <br>> Exec-Program: returned: 1<br>> rlm_mschap: External script failed.<br>> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect<br>> modcall[authenticate]: module "mschap" returns reject for request 7<br><br>It failed because the client returned the wrong challenge<br><br>> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=aea3ef9fe78f8ac2
--nt-response=8c6a735e29ed7cddb8c02ae601424aca79d115544324731d<br>> Exec-Program output: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF <br>> Exec-Program-Wait: plaintext: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF <br>> Exec-Program: returned: 0<br>> modcall[authenticate]: module "mschap" returns ok for request 16<br>> modcall: leaving group MS-CHAP (returns ok) for request 16<br>> MSCHAP Success <br><br>Whereas that worked.<br><br>It looks to me as if you've edited the debug output so I can't be sure, <br>but I'd suggest looking at the client - the radius server is configured <br>correctly. Perhaps the client is not in fact logging on to the laptop <br>with the correct username and password.<br><br><br>------------------------------<br><br>Message: 2<br>Date: Fri, 08 Dec 2006 14:02:36 -0500<br>From: Martin Gadbois <martin.gadbois @colubris.com=""><br>Subject: How to pass information between modules?<br>To: FreeRadius users mailing list<br> <freeradius-users
@lists.freeradius.org=""><br>Message-ID: <4579B6CC.5010406@colubris.com><br>Content-Type: text/plain; charset=UTF-8<br><br>-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br>Hi!<br><br>Let's say I have the following authorize {} section:<br>authorize {<br> ldap<br> sql<br>}<br><br>What would be the best way to pass information between ldap and sql?<br><br>For example, if I were to extract a group name from "ldap" and pass it<br>to "sql" to get all the RADIUS attributes associated to this group, what<br>would be the strategy to achieve that?<br><br>In other words, how to configure those modules if the "ldap" contains<br>the group info, but "sql" the actual RADIUS attribute per group?<br><br>Thanks!<br><br>- --<br>============== +----------------------------------------------+<br>Martin Gadbois | "Windows might take you from 0 to 60 faster, |<br>S/W Developer | but to go to 100 you need Unix." |<br>Colubris Networks Inc.
+----------------------------------------------+<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.5 (GNU/Linux)<br>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org<br><br>iD8DBQFFebbM9Y3/iTTCEDkRAlbtAJ9xef4aCw0IGd5SIJXXn7UxLtUwEACZAf/e<br>hPg7eJ53Xt+PgxSYPpFecPM=<br>=K9c0<br>-----END PGP SIGNATURE-----<br><br><br>------------------------------<br><br>Message: 3<br>Date: Fri, 08 Dec 2006 11:11:27 -0800<br>From: Alan DeKok <aland @deployingradius.com=""><br>Subject: Re: How to pass information between modules?<br>To: FreeRadius users mailing list<br> <freeradius-users @lists.freeradius.org=""><br>Message-ID: <4579B8DF.6030008@deployingradius.com><br>Content-Type: text/plain; charset=UTF-8<br><br>Martin Gadbois wrote:<br><br>> What would be the best way to pass information between ldap and sql?<br><br> In the same way that all of the other modules do it: Put the<br>information into attributes. That's what the "config item" list is
for.<br><br>> For example, if I were to extract a group name from "ldap" and pass it<br>> to "sql" to get all the RADIUS attributes associated to this group, what<br>> would be the strategy to achieve that?<br><br> Put it into an attribute in the config items.<br><br>> In other words, how to configure those modules if the "ldap" contains<br>> the group info, but "sql" the actual RADIUS attribute per group?<br><br> You can use the "LDAP-Group" attribute, see the rlm_ldap documentation.<br><br> Alan DeKok.<br>--<br> http://deployingradius.com - The web site of the book<br> http://deployingradius.com/blog/ - The blog<br><br><br>------------------------------<br><br>Message: 4<br>Date: Fri, 08 Dec 2006 11:21:59 -0800<br>From: Alan DeKok <aland @deployingradius.com=""><br>Subject: Re: LDAP->RADIUS Attribute Mapping<br>To: FreeRadius users mailing list<br> <freeradius-users @lists.freeradius.org=""><br>Message-ID:
<4579BB57.5040504@deployingradius.com><br>Content-Type: text/plain; charset=ISO-8859-1<br><br>Owen DeLong wrote:<br><br>> We have historically used the AuthorizedService attribute in LDAP to<br>> control the level<br>> of access available to the user. We would like to continue to do so. <br>> However, in order<br>> for that to work, I need to map AuthorizedService to different RADIUS<br>> attributes in<br>> the response depending on the authentication client.<br><br> Do it in two steps. Map the AuthorisedService LDAP attribute to a<br>RADIUS attribute (invent a local one, see the dictionary docs), and then<br>depending on the NAS, map that to another attribute.<br><br> The reason for doing it this way is that the LDAP -> RADIUS attribute<br>mapping is simple, and should be kept simple.<br><br>> Ideally, I'd like to be able to map RADIUS clients into "groups" and<br>> have a mapping<br>> of AuthorizedService values for each group.
The client groups would,<br>> ideally,<br>> be defined by matching the client IP address. An example of what I'd<br>> like that<br>> mapping to look like is below:<br><br> Use rlm_passwd to map clients to groups (see its documentation), and<br>then the "users" file to map AuthorizedService to another RADIUS<br>attribute, as described above.<br><br>> Alan, your flames and RTFM comments are welcome, but, please understand,<br>> I've done my best to RTFM before posting this.<br><br> As I tell my co-workers, "Remember, there are no stupid questions.<br>There are only stupid people.".<br><br> And they still speak to me after that. :)<br><br> Alan DeKok.<br>--<br> http://deployingradius.com - The web site of the book<br> http://deployingradius.com/blog/ - The blog<br><br><br>------------------------------<br><br>Message: 5<br>Date: Fri, 08 Dec 2006 15:41:28 -0500<br>From: Martin Gadbois <martin.gadbois @colubris.com=""><br>Subject: Re: How to pass
information between modules?<br>To: FreeRadius users mailing list<br> <freeradius-users @lists.freeradius.org=""><br>Message-ID: <4579CDF8.5090207@colubris.com><br>Content-Type: text/plain; charset=UTF-8<br><br>-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br>Alan DeKok wrote:<br>>> What would be the best way to pass information between ldap and sql?<br>> <br>> In the same way that all of the other modules do it: Put the<br>> information into attributes. That's what the "config item" list is for.<br><br>My subconscious FreeRADIUS mind was saying that as well; but how to use<br>config items and what makes them different from RADIUS Reply attributes?<br><br>A theoretical example:<br><br>modules {<br> file users {<br> ...<br> }<br> file groups {<br> ...<br> }<br>}<br><br>authorized {<br> users<br> groups<br>}<br><br>file users:<br>martin User-Password == "gadbois"<br> Group = "staff"<br><br>file groups:<br>DEFAULT Group == "staff"<br>
 Reply-Message = "Hello Staff!"<br><br>I expect this to set "martin" into the "staff" group, and a RADIUS<br>request returns Reply-Message "Hello Staff!!"<br><br>This does not work:<br>[/etc/raddb/users]:223 WARNING! Check item "Group" found in reply item<br>list for user "martin". This attribute MUST go on the first line with<br>the other check items<br><br>Some explanation, a C function or a URL would greatly help!<br><br>> <br>>> In other words, how to configure those modules if the "ldap" contains<br>>> the group info, but "sql" the actual RADIUS attribute per group?<br>> <br>> You can use the "LDAP-Group" attribute, see the rlm_ldap documentation.<br><br>I got it now; LDAP-Group is like a callback into the "ldap" module,<br>where the LDAP group is going to be checked to the value.<br><br>I'll go update the FR LDAP Wiki.. ;-)<br><br>Thanks Alan for the quick reply.<br><br>- --<br>==============
+----------------------------------------------+<br>Martin Gadbois | "Windows might take you from 0 to 60 faster, |<br>S/W Developer | but to go to 100 you need Unix." |<br>Colubris Networks Inc. +----------------------------------------------+<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.5 (GNU/Linux)<br>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org<br><br>iD8DBQFFec349Y3/iTTCEDkRAsgfAJ45vsoHrRKwsPkITrUBuPsFgbGBXACgm1yU<br>gjlFYOPYrcMsN80odSYfAWA=<br>=6TFA<br>-----END PGP SIGNATURE-----<br><br><br>------------------------------<br><br>Message: 6<br>Date: Fri, 8 Dec 2006 22:53:07 +0100<br>From: "Sarkis Gabriel" <sarky @raycon.net=""><br>Subject: Re: Choosing The best replication system.<br>To: FreeRadius users mailing list<br> <freeradius-users @lists.freeradius.org=""><br>Message-ID: <20061208215219.M71831@raycon.net><br>Content-Type: text/plain; charset=iso-8859-1<br><br>Anyone out there with some guide or
at least some pitfalls I should try and avoid on<br>replicating the radius server?<br><br>Sarky<br><br>---------- Original Message -----------<br>From: "Sarkis Gabriel" <sarky @raycon.net=""><br>To: FreeRadius users mailing list <freeradius-users @lists.freeradius.org=""><br>Sent: Thu, 7 Dec 2006 17:29:22 +0100<br>Subject: Choosing The best replication system.<br><br>> Hello all,<br>> <br>> With the way work is and the pops are growing looks like I need to start <br>> centralising the database.<br>> <br>> At the moment I have 4 pops around the country and all are feeding from a <br>> satellite links, as the company is growing it is becoming very hard to <br>> maintain and we are looking to have a central MySQL DB in the UK which feeds <br>> the slave machines with the updated info.<br>> <br>> Each pop will have a live radius / mysql db feeding info back to a master <br>> machine in the UK and that would replicate the info down to the
slaves on the <br>> other pops, this is the wishful thinking I have :).<br>> <br>> I have read about Replication with MySQL (One-Way) and radrelay, then I <br>> noticed there is rlm_sql_log and radsqlrelay.<br>> <br>> One thing I must mention there is a lot of LAG on satellite connection looking <br>> at approx 650ms and because of BW cost we do rely on proxies which makes BW <br>> usage during the day very expensive, so I would like to be able to replicate <br>> maybe once a night let's say at midnight being less busy and cheaper.<br>> <br>> Anyone out there with some ideas they can send my way..<br>> <br>> Thanks<br>> <br>> Sarky<br>> - <br>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<br>------- End of Original Message -------<br><br><br><br>------------------------------<br><br>Message: 7<br>Date: Sat, 9 Dec 2006 00:12:01 +0100<br>From: Bruno Costacurta <pubmb01
@skynet.be=""><br>Subject: Re: TTLS : where to indicate User/Password ?<br>To: FreeRadius users mailing list<br> <freeradius-users @lists.freeradius.org=""><br>Message-ID: <200612090012.01376.pubmb01@skynet.be><br>Content-Type: text/plain; charset="iso-8859-1"<br><br>On Monday 04 December 2006 22:21, Alan DeKok wrote:<br>> Bruno Costacurta wrote:<br>> > I'm trying to configure FreeRadius using TTLS (certificate on server side<br>> > only) and MySQL. Client is a Linux laptop using wpa_supplicant.<br>> > I'm in a learning curve regarding 802.1x and FreeRadius and especially<br>> > TTLS.<br>><br>> That should work without too much effort.<br>><br>> > Questions:<br>> > - TTLS available authentications are: CHAP,PAP,MS-CHAP,EAP (correct ?)<br>><br>> Yes.<br>><br>> > - 'Auth-Type=local' means CHAP,PAP and MS-CHAP (correct ?)<br>><br>> No, just CHAP and PAP. You shouldn't be using it at
all.<br>><br>> > - for the learning curve :<br>> > --- which is the easiest authentications to start with ?<br>><br>> PAP.<br>><br>> > --- MySQL will be removed at the first stage to ease debugging / setup of<br>> > the config (good idea ?)<br>><br>> Yes.<br>><br>> Alan DeKok.<br>> --<br>> http://deployingradius.com - The web site of the book<br>> http://deployingradius.com/blog/ - The blog<br>> -<br>> List info/subscribe/unsubscribe? See<br>> http://www.freeradius.org/list/users.html<br><br>Dear Alan,<br>thanks for your answers.<br><br>Indeed starting from a fresh FreeRadius install, following instructions<br>http://deployingradius.com/documents/configuration/ <br>I'm now able to authenticate via TTLS.<br><br>Thanks again for attention.<br><br>Bye,<br>Bruno<br><br><br>------------------------------<br><br>- <br>List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html<br><br><br>End of Freeradius-Users Digest, Vol 20, Issue 29<br>************************************************<br></freeradius-users></pubmb01></freeradius-users></sarky></freeradius-users></sarky></freeradius-users></martin.gadbois></freeradius-users></aland></freeradius-users></aland></freeradius-users></martin.gadbois></freeradius-users></p.mayers></blockquote><br><p>
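The placement rule behind the warning quoted in Message 5 (check items go on the first line of a `users` entry, reply items on the indented lines below it), shown as an added example that is not part of the original digest and is not FreeRADIUS code: a small Python checker run over a constructed `users` fragment. The `CHECK_ONLY` set, the function names and the sample entries are assumptions made for illustration; `Simultaneous-Use` is included because it is also a check item and belongs on the first line.

```python
import re

# Assumption: illustrative subset of check-only attributes; a real server
# derives this from its dictionary files.
CHECK_ONLY = {"Group", "Simultaneous-Use", "Auth-Type", "User-Password"}
ITEM = re.compile(
    r'([\w-]+)\s*(==|:=|\+=|!=|=~|!~|<=|>=|=|<|>)\s*("[^"]*"|[^,\s]+)')

# Constructed sample: the first entry repeats the mistake from Message 5,
# the second keeps every check item on the first line.
SAMPLE = '''\
martin  User-Password == "gadbois"
        Group = "staff"

DEFAULT Group == "staff", Simultaneous-Use := 1
        Reply-Message = "Hello Staff!"
'''

def _items(text):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM.findall(text)]

def parse_users(text):
    """Split users-file text into entries with check and reply item lists."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace():              # indented line: reply items
            if entries:
                entries[-1]["reply"] += [(i, lineno) for i in _items(raw)]
        else:                             # first line: name, then check items
            parts = raw.split(None, 1)
            check = _items(parts[1] if len(parts) > 1 else "")
            entries.append({"name": parts[0], "check": check, "reply": []})
    return entries

def lint(entries):
    """Return (user, attribute, line) for check items found on reply lines."""
    return [(e["name"], attr, lineno)
            for e in entries
            for (attr, _op, _val), lineno in e["reply"]
            if attr in CHECK_ONLY]

if __name__ == "__main__":
    for user, attr, lineno in lint(parse_users(SAMPLE)):
        print(f'line {lineno}: check item "{attr}" in reply list for "{user}"')
```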