<HTML dir=ltr><HEAD><TITLE>Freeradius-Users Digest, Vol 42, Issue 80</TITLE>
<META http-equiv=Content-Type content="text/html; charset=unicode">
<META content="MSHTML 6.00.6000.20710" name=GENERATOR></HEAD>
<BODY>
<DIV id=idOWAReplyText87598 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>I've configured my tables as follows : </FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr>mysql> select * from usergroup;<BR>+----+----------+-------------+<BR>| id | UserName | GroupName |<BR>+----+----------+-------------+<BR>| 13 | st234824 | test_radius |<BR>+----+----------+-------------+<BR></DIV>
<DIV dir=ltr>mysql> select * from radcheck;<BR>+----+----------+----------------+----+------------------------------------+<BR>| id | UserName | Attribute | op | Value |<BR>+----+----------+----------------+----+------------------------------------+<BR>| 1 | st234824 | Crypt-Password | := | LqI8nHgSp/pTY |<BR>+----+----------+----------------+----+------------------------------------+<BR></DIV>
<DIV dir=ltr>mysql> select * from radgroupcheck;<BR>+----+-------------+-----------+----+-------+<BR>| id | GroupName | Attribute | op | Value |<BR>+----+-------------+-----------+----+-------+<BR>| 4 | test_radius | Auth-Type | := | TLS |<BR>+----+-------------+-----------+----+-------+<BR></DIV>
<DIV dir=ltr>mysql> select * from nas;<BR>+----+---------------+-----------+-------+-------+------------+-----------+-------------+<BR>| id | nasname | shortname | type | ports | secret | community | description |<BR>+----+---------------+-----------+-------+-------+------------+-----------+-------------+<BR>| 6 | 192.168.9.155 | switch | cisco | 1812 | bonjour | | |<BR>| 9 | 192.168.9.154 | webmail01 | other | 1812 | testing123 | | |<BR></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Which type of attributes should I use to access from "webmail01", but not "switch" for example ?</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>thanks</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>De:</B> freeradius-users-bounces+nasr-eddine.badaoui=ratp.fr@lists.freeradius.org de la part de freeradius-users-request@lists.freeradius.org<BR><B>Date:</B> lun. 13/10/2008 19:30<BR><B>À:</B> freeradius-users@lists.freeradius.org<BR><B>Objet :</B> Freeradius-Users Digest, Vol 42, Issue 80<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>Send Freeradius-Users mailing list submissions to<BR> freeradius-users@lists.freeradius.org<BR><BR>To subscribe or unsubscribe via the World Wide Web, visit<BR> <A href="http://lists.freeradius.org/mailman/listinfo/freeradius-users">http://lists.freeradius.org/mailman/listinfo/freeradius-users</A><BR>or, via email, send a message with subject or body 'help' to<BR> freeradius-users-request@lists.freeradius.org<BR><BR>You can reach the person managing the list at<BR> freeradius-users-owner@lists.freeradius.org<BR><BR>When replying, please edit your Subject line so it is more specific<BR>than "Re: Contents of Freeradius-Users digest..."<BR><BR><BR>Today's Topics:<BR><BR> 1. access rights for some users ou users groups with freeradius<BR> and mysql (BADAOUI Nasr-Eddine (P))<BR> 2. Re: access rights for some users ou users groups with<BR> freeradius and mysql (tnt@kalik.net)<BR> 3. Re: One user - Different Service Type depending on NAS<BR> (Alan DeKok)<BR> 4. Re: NAS-Identifier (Paul Bartell)<BR> 5. FR2.1.1 Solaris 5.10 x86 32-bit race condition (Chris Howley)<BR> 6. Re: FR2.1.1 Solaris 5.10 x86 32-bit race condition (Alan DeKok)<BR> 7. Authentication ok but not login on a Netopia (Gamaliel Bedolla)<BR> 8. syntax errors on mysql ip pools (Marcelus Trojahn)<BR><BR><BR>----------------------------------------------------------------------<BR><BR>Message: 1<BR>Date: Mon, 13 Oct 2008 13:51:28 +0200<BR>From: "BADAOUI Nasr-Eddine (P)" <nasr-eddine.badaoui@ratp.fr><BR>Subject: access rights for some users ou users groups with freeradius<BR> and mysql<BR>To: <freeradius-users@lists.freeradius.org><BR>Message-ID:<BR> <E50F5250B1B60045B2B10390D6FFE79462BC7E@EXCHANGEA2.info.ratp><BR>Content-Type: text/plain; charset="iso-8859-1"<BR><BR>Hi,<BR><BR>I'd like to know how to authorize some users or users's group created in mysql tables can logged only on some mysql's clients, with freeradius.<BR><BR>Mysql's tables are :<BR><BR>nas table for clients<BR>radcheck table for users<BR>radgropucheck table<BR>usergroup table<BR><BR>many thanks<BR><BR><BR>-------------- next part --------------<BR>An HTML attachment was scrubbed...<BR>URL: <<A href="https://lists.freeradius.org/pipermail/freeradius-users/attachments/20081013/d09394e0/attachment.html">https://lists.freeradius.org/pipermail/freeradius-users/attachments/20081013/d09394e0/attachment.html</A>><BR><BR>------------------------------<BR><BR>Message: 2<BR>Date: Mon, 13 Oct 2008 13:24:07 +0100<BR>From: <tnt@kalik.net><BR>Subject: Re: access rights for some users ou users groups with<BR> freeradius and mysql<BR>To: "FreeRadius users mailing list"<BR> <freeradius-users@lists.freeradius.org><BR>Message-ID: <ywKtdFdk.1223900647.6302610.tnt@kalik.net><BR>Content-Type: text/plain; charset=ISO-8859-2<BR><BR>If I understood you well, you want some users or groups to have access<BR>from NAS1 but not from NAS2. Add attribute NAS-IP Address with<BR>appropriate value to radcheck or radgroupcheck table.<BR><BR>Ivan Kalik<BR>Kalik Informatika ISP<BR><BR><BR>Dana 13/10/2008, "BADAOUI Nasr-Eddine (P)"<BR><nasr-eddine.badaoui@ratp.fr> pi?e:<BR><BR>>Hi,<BR>><BR>>I'd like to know how to authorize some users or users's group created in mysql tables can logged only on some mysql's clients, with freeradius.<BR>><BR>>Mysql's tables are :<BR>><BR>>nas table for clients<BR>>radcheck table for users<BR>>radgropucheck table<BR>>usergroup table<BR>><BR>>many thanks<BR>><BR>><BR>><BR>><BR><BR><BR><BR>------------------------------<BR><BR>Message: 3<BR>Date: Mon, 13 Oct 2008 14:24:45 +0200<BR>From: Alan DeKok <aland@deployingradius.com><BR>Subject: Re: One user - Different Service Type depending on NAS<BR>To: FreeRadius users mailing list<BR> <freeradius-users@lists.freeradius.org><BR>Message-ID: <48F33E0D.1010709@deployingradius.com><BR>Content-Type: text/plain; charset=ISO-8859-1<BR><BR>Mats Blomgren B wrote:<BR>> 3 of the users should have full access (read/write) to the network (94<BR>> Extreme Switches). This is straight forward.<BR>> The other 3 should have read/write to about 80 switches and read only to<BR>> the last 14.<BR><BR> Put the users into groups. Put the NASes into groups. Apply policies<BR>based on group membership.<BR><BR>> I understand that I can group devices in huntgroups and users in groups<BR>> and then control the access.<BR><BR> Yes. However, huntgroups may not be the best way to handle this.<BR><BR>> The problem I have is that I don't know how to give a certain user a<BR>> specific "Service-Type" depending on the NAS he/she tries to connect to.<BR>> I want the Service Type do differ for certain users depending on the NAS.<BR><BR> Don't. Do *group* checking.<BR><BR> if ((Packet-Src-IP-Address == 1.2.3.4) || ... # 80 times<BR> update request {<BR> NAS-Group = "one" # define this in "dictionary"<BR> }<BR> }<BR> elsif ((Packet-Src-IP-Address == 2.3.4.5) || ... # 14 times<BR> update request {<BR> NAS-Group = "two"<BR> }<BR> }<BR><BR> Put the users into similar groups. Put them into groups called<BR>"admin", "some", or "readonly".<BR><BR> if (User-Group == "admin") {<BR> update reply {<BR> Service-Type = Administrative-User<BR> }<BR> }<BR> elsif ((User-Group == "some") && (NAS-Group == "one")) {<BR> update reply {<BR> Service-Type = Administrative-User<BR> }<BR> }<BR> else {<BR> update reply {<BR> Service-Type = Login-User<BR> }<BR> }<BR><BR> Alan DeKok.<BR><BR><BR>------------------------------<BR><BR>Message: 4<BR>Date: Mon, 13 Oct 2008 07:08:57 -0700<BR>From: "Paul Bartell" <paul-bartell@ubuntu.com><BR>Subject: Re: NAS-Identifier<BR>To: "FreeRadius users mailing list"<BR> <freeradius-users@lists.freeradius.org><BR>Message-ID:<BR> <2b5bab0f0810130708j708b4456l8d22cd8a555c6157@mail.gmail.com><BR>Content-Type: text/plain; charset=ISO-8859-1<BR><BR>You can use the called-station-id variable to say yay or nay for<BR>authentication. For example, we have a Staff network, that requires<BR>different usernames/passwords from the regular wifi SSIDS. We use<BR>regex to check for regular users trying to get onto the staff ssid.<BR><BR>On 10/13/08, Alan DeKok <aland@deployingradius.com> wrote:<BR>> Stefan Eck (gmail) wrote:<BR>> > Well, the new NAS device sends 5 different NAS-Identifier. eg WebAdmin,<BR>> > SSLVPN or HTTP. But only one RADIUS can be configured.<BR>><BR>><BR>> One one RADIUS can be configured... where?<BR>><BR>><BR>> > I'm just thinking about that users can be authenticated via RADIUS<BR>> > server1 and admin(webadmins) can be authenticated via RADIUS server2. Or<BR>> > similar like that.<BR>><BR>><BR>> Why?<BR>><BR>><BR>> > Currently, I don't have any clue to take advantage of the<BR>> > NAS-Identifier. Where is this attribute configured on the RADIUS. Other<BR>> > devices send the NAS-IP, but this is only relevant for the shared secret<BR>> > or the accouting.<BR>><BR>><BR>> No. The server does NOT use the NAS-IP-Address to look up the shared<BR>> secret.<BR>><BR>> If you want to apply policies based on attributes, see "man unlang".<BR>> You can write complex policies using a very simple language.<BR>><BR>><BR>> Alan DeKok.<BR>> -<BR>> List info/subscribe/unsubscribe? See <A href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</A><BR>><BR><BR><BR>--<BR>Random quote of the week/month/whenever i get to updating it:<BR>"Opportunity knocked. My doorman threw him out." - Adrienne Gusoff<BR><BR>"At school you don't get parole, good behavior only brings a longer<BR>sentence." - The History Boys<BR><BR><BR>------------------------------<BR><BR>Message: 5<BR>Date: Mon, 13 Oct 2008 16:18:42 +0100<BR>From: "Chris Howley" <C.P.Howley@leeds.ac.uk><BR>Subject: FR2.1.1 Solaris 5.10 x86 32-bit race condition<BR>To: <freeradius-users@lists.freeradius.org><BR>Message-ID:<BR> <8C86A47C06F80643A4B6F95F71505357CCA47B@HERMES1.ds.leeds.ac.uk><BR>Content-Type: text/plain; charset="US-ASCII"<BR><BR>Alan,<BR><BR>FR 2.1.1, Solaris 5.10 x86 32-bit<BR><BR>We're using the latest code from git.freeradius.org.<BR><BR>We're using PEAP/MSCAHPv2 and authenticating against Microsoft AD. We've<BR>encountered a race<BR>condition affecting the server when the supplicant on a windows XP<BR>station attempts to<BR>reauthenticates 30 minutes after the initial user logon.<BR><BR>Here's the URL for the gdb and radiusd -X output:<BR><A href="http://129.11.59.52/RADIUSD/">http://129.11.59.52/RADIUSD/</A><BR><BR>Any help in fixing this problem would be appreciated.<BR><BR>Thanks,<BR><BR>Chris Howley<BR><BR><BR><BR>------------------------------<BR><BR>Message: 6<BR>Date: Mon, 13 Oct 2008 17:34:37 +0200<BR>From: Alan DeKok <aland@deployingradius.com><BR>Subject: Re: FR2.1.1 Solaris 5.10 x86 32-bit race condition<BR>To: FreeRadius users mailing list<BR> <freeradius-users@lists.freeradius.org><BR>Message-ID: <48F36A8D.9060909@deployingradius.com><BR>Content-Type: text/plain; charset=ISO-8859-1<BR><BR>Chris Howley wrote:<BR>> We're using PEAP/MSCAHPv2 and authenticating against Microsoft AD. We've<BR>> encountered a race<BR>> condition affecting the server when the supplicant on a windows XP<BR>> station attempts to<BR>> reauthenticates 30 minutes after the initial user logon.<BR><BR> What is the race condition? It's not entirely obvious from the 600+K<BR>of debug output.<BR><BR> All I see is a bunch of authentication requests, followed by you<BR>stopping the server via CRTL-C, and running gdb.<BR><BR> What's going wrong? Is it *not* reading the data from the pipe?<BR>Maybe something else?<BR><BR> Alan DeKok.<BR><BR><BR>------------------------------<BR><BR>Message: 7<BR>Date: Mon, 13 Oct 2008 10:35:54 -0600<BR>From: Gamaliel Bedolla <gbf@transtelco.net><BR>Subject: Authentication ok but not login on a Netopia<BR>To: freeradius-users@lists.freeradius.org<BR>Message-ID: <48F378EA.5040308@transtelco.net><BR>Content-Type: text/plain; charset=ISO-8859-1; format=flowed<BR><BR>Hi all,<BR><BR> I have problems with the autentication of a Netopia R910 router with<BR>firmware 4.11. The configuration of the Freeradius is ok but Netopia is<BR>not accepting the Acces-Accept form the freeradius. The questions are: <BR>Is there an atrribute the Freeradius must reply to the Netopia ? Is<BR>there any misconfiguration on the Netopia?<BR>Freeradius ver. is 2.0.4.<BR><BR>(part of the reply of the Freeradius)<BR>rlm_sql (sql): Released sql socket id: 2<BR>++[sql] returns ok<BR>++[expiration] returns noop<BR>++[logintime] returns noop<BR>++[pap] returns updated<BR> rad_check_password: Found Auth-Type<BR>auth: type "PAP"<BR>+- entering group PAP<BR>rlm_pap: login attempt with password "****"<BR>rlm_pap: Using clear text password "****"<BR>rlm_pap: User authenticated successfully<BR>++[pap] returns ok<BR>Login OK: [gbf/****] (from client ezeronet port 0)<BR>+- entering group post-auth<BR>++[exec] returns noop<BR>Finished request 2.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>Cleaning up request 2 ID 24 with timestamp +98<BR>Ready to process requests.<BR><BR><BR>This is the configuration of the Netopia router:<BR><BR> Advanced Security Options<BR><BR><BR> Security Databases... RADIUS then Local<BR><BR> RADIUS Server Addr/Name: (Ip-of-the-Freeradius)<BR> RADIUS Server Secret: ********************<BR> Alt RADIUS Server Addr/Name:<BR> Alt RADIUS Server Secret:<BR> RADIUS Identifer:<BR> RADIUS Server Authentication Port: 1812<BR> RADIUS Access Privileges... All<BR><BR><BR> Telnet Server Port: 23<BR><BR><BR> LAN (EN Hub) IP Filter Set...<BR> Remove Filter Set<BR><BR><BR>Thanks to all.<BR><BR><BR><BR><BR>------------------------------<BR><BR>Message: 8<BR>Date: Mon, 13 Oct 2008 14:30:18 -0300<BR>From: "Marcelus Trojahn" <mtrojahn@gmail.com><BR>Subject: syntax errors on mysql ip pools<BR>To: freeradius-users@lists.freeradius.org<BR>Message-ID:<BR> <614f5d520810131030h7d378003p8892fbd340e56d3f@mail.gmail.com><BR>Content-Type: text/plain; charset="iso-8859-1"<BR><BR>Hello,<BR><BR>I've been trying for a few days to configure a new freeradius server with<BR>mysql IP pools support and I noticed there's a few errors with the syntax of<BR>some queries on sqlippool.conf for mysql.<BR><BR>First of all, some queries would never match because the schema provided<BR>with freeradius for the radippools table would set the 'expiry_time' field<BR>as default to NULL and then the queries would try something like expiry_time<BR>< NOW(), which would never match if the field as NULL.<BR><BR>So, the correct schema for the database would be:<BR>CREATE TABLE radippool (<BR> id int(11) unsigned NOT NULL auto_increment,<BR> pool_name varchar(30) NOT NULL,<BR> framedipaddress varchar(15) NOT NULL default '',<BR> nasipaddress varchar(15) NOT NULL default '',<BR> calledstationid VARCHAR(30) NOT NULL,<BR> callingstationid VARCHAR(30) NOT NULL,<BR> expiry_time DATETIME NOT NULL,<BR> username varchar(64) NOT NULL default '',<BR> pool_key varchar(30) NOT NULL,<BR> PRIMARY KEY (id)<BR>);<BR><BR>And the, the complete ippool.conf should be:<BR><BR>-- begin -----------<BR><BR># ## This series of queries allocates an IP address<BR> allocate-clear = "UPDATE ${ippool_table} \<BR> SET nasipaddress = '', pool_key = 0, \<BR> callingstationid = '', username = '', \<BR> expiry_time = '0000-00-00' \<BR> WHERE pool_key = '${pool-key}'"<BR><BR>## This series of queries allocates an IP address<BR>## (Note: If your pool-key is set to Calling-Station-Id and not NAS-Port<BR>## then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}'<BR>## from the WHERE clause)<BR><BR> allocate-clear = "UPDATE ${ippool_table} \<BR> SET nasipaddress = '', pool_key = 0, \<BR> callingstationid = '', username = '', \<BR> expiry_time = '0000-00-00' \<BR> WHERE expiry_time <= NOW() - INTERVAL 1 SECOND \<BR> AND nasipaddress = '%{Nas-IP-Address}'"<BR><BR>## The ORDER BY clause of this query tries to allocate the same IP-address<BR>## which user had last session...<BR>allocate-find = "SELECT framedipaddress FROM ${ippool_table} \<BR> WHERE pool_name = '%{control:Pool-Name}' AND expiry_time < NOW() \<BR> ORDER BY (username <> '%{User-Name}'), \<BR> (callingstationid <> '%{Calling-Station-Id}'), \<BR> expiry_time \<BR> LIMIT 1 \<BR> FOR UPDATE"<BR><BR># ## If you prefer to allocate a random IP address every time, i<BR># ## use this query instead<BR><BR># allocate-find = "SELECT framedipaddress FROM ${ippool_table} \<BR># WHERE pool_name = '%{control:Pool-Name}' \<BR># AND expiry_time IS NULL \<BR># ORDER BY RAND() \<BR># LIMIT 1 \<BR># FOR UPDATE"<BR><BR>## If an IP could not be allocated, check to see if the pool exists or not<BR>## This allows the module to differentiate between a full pool and no pool<BR>## Note: If you are not running redundant pool modules this query may be<BR>## commented out to save running this query every time an ip is not<BR>allocated.<BR>pool-check = "SELECT id FROM ${ippool_table} \<BR> WHERE pool_name='%{control:Pool-Name}' LIMIT 1"<BR><BR>## This is the final IP Allocation query, which saves the allocated ip<BR>details<BR>allocate-update = "UPDATE ${ippool_table} \<BR> SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \<BR> callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', \<BR> expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \<BR> WHERE framedipaddress = '%I'"<BR><BR>## This series of queries frees an IP number when an accounting<BR>## START record arrives<BR>start-update = "UPDATE ${ippool_table} \<BR> SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \<BR> WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}'"<BR><BR>## This series of queries frees an IP number when an accounting<BR>## STOP record arrives<BR>stop-clear = "UPDATE ${ippool_table} \<BR> SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '',<BR>\<BR> expiry_time = '0000-00-00' \<BR> WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \<BR> AND username = '%{User-Name}' \<BR> AND callingstationid = '%{Calling-Station-Id}' \<BR> AND framedipaddress = '%{Framed-IP-Address}'"<BR><BR>## This series of queries frees an IP number when an accounting<BR>## ALIVE record arrives<BR>alive-update = "UPDATE ${ippool_table} \<BR> SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \<BR> WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \<BR> AND username = '%{User-Name}' \<BR> AND callingstationid = '%{Calling-Station-Id}' \<BR> AND framedipaddress = '%{Framed-IP-Address}'"<BR><BR>## This series of queries frees the IP numbers allocate to a<BR>## NAS when an accounting ON record arrives<BR>on-clear = "UPDATE ${ippool_table} \<BR> SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '',<BR>\<BR> expiry_time = '0000-00-00' \<BR> WHERE nasipaddress = '%{Nas-IP-Address}'"<BR><BR>## This series of queries frees the IP numbers allocate to a<BR>## NAS when an accounting OFF record arrives<BR>off-clear = "UPDATE ${ippool_table} \<BR> SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '',<BR>\<BR> expiry_time = '0000-00-00' \<BR> WHERE nasipaddress = '%{Nas-IP-Address}'"<BR><BR>-- end of file --------------<BR><BR>I might add I'm not any Mysql expert so any opinions about what I said are<BR>really welcome... I've tested it and apparently it works and I couldn't find<BR>any potential bugs so far...<BR><BR>I hope my english is not that rusty :)<BR><BR>--<BR>Marcelus Trojahn<BR>-------------- next part --------------<BR>An HTML attachment was scrubbed...<BR>URL: <<A href="https://lists.freeradius.org/pipermail/freeradius-users/attachments/20081013/8d600518/attachment.html">https://lists.freeradius.org/pipermail/freeradius-users/attachments/20081013/8d600518/attachment.html</A>><BR><BR>------------------------------<BR><BR>-<BR>List info/subscribe/unsubscribe? See <A href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</A><BR><BR><BR>End of Freeradius-Users Digest, Vol 42, Issue 80<BR>************************************************<BR></FONT></P></DIV></BODY></HTML>