<DIV>Arran,</DIV>
<DIV> </DIV>
<DIV>Thanks for your kind reply.</DIV>
<DIV> </DIV>
<DIV>It works.</DIV>
<DIV> </DIV>
<DIV>As you and Phil advised, I edit 2 files.</DIV>
<DIV> </DIV>
<DIV>/usr/local/etc/raddb/sites-available/default<BR>/usr/local/etc/raddb/sites-available/inner-tunnel</DIV>
<DIV> </DIV>
<DIV>The script Phil wrote was put right after "sql" line.</DIV>
<DIV> </DIV>
<DIV>Thanks!</DIV>
<DIV> </DIV>
<DIV>Tom</DIV>
<DIV><includetail>
<DIV> </DIV>
<DIV> </DIV>
<DIV style="COLOR: #000">
<DIV style="PADDING-BOTTOM: 2px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; FONT-FAMILY: Arial Narrow; FONT-SIZE: 12px; PADDING-TOP: 2px">------------------ Original ------------------</DIV>
<DIV style="PADDING-BOTTOM: 8px; PADDING-LEFT: 8px; PADDING-RIGHT: 8px; BACKGROUND: #efefef; FONT-SIZE: 12px; PADDING-TOP: 8px">
<DIV id=menu_sender><B>From: </B> "freeradius-users"<freeradius-users-request@lists.freeradius.org>;</DIV>
<DIV><B>Date: </B> Thu, Sep 1, 2011 09:48 PM</DIV>
<DIV><B>To: </B> "freeradius-users"<freeradius-users@lists.freeradius.org>; <WBR></DIV>
<DIV></DIV>
<DIV><B>Subject: </B> Freeradius-Users Digest, Vol 77, Issue 3</DIV></DIV>
<DIV> </DIV>Send Freeradius-Users mailing list submissions to<BR>freeradius-users@lists.freeradius.org<BR><BR>To subscribe or unsubscribe via the World Wide Web, visit<BR>http://lists.freeradius.org/mailman/listinfo/freeradius-users<BR>or, via email, send a message with subject or body 'help' to<BR>freeradius-users-request@lists.freeradius.org<BR><BR>You can reach the person managing the list at<BR>freeradius-users-owner@lists.freeradius.org<BR><BR>When replying, please edit your Subject line so it is more specific<BR>than "Re: Contents of Freeradius-Users digest..."<BR><BR><BR>Today's Topics:<BR><BR> 1. Re: Special WIFI Router MAC check for the user's first<BR> connection. (Tom) (Arran Cudbard-Bell)<BR><BR><BR>----------------------------------------------------------------------<BR><BR>Message: 1<BR>Date: Thu, 1 Sep 2011 15:48:18 +0200<BR>From: Arran Cudbard-Bell <a.cudbardb@freeradius.org><BR>Subject: Re: Special WIFI Router MAC check for the user's first<BR>connection. (Tom)<BR>To: FreeRadius users mailing list<BR><freeradius-users@lists.freeradius.org><BR>Message-ID: <5FF70066-722F-42B0-B2E1-6B63649E133F@freeradius.org><BR>Content-Type: text/plain; charset="iso-8859-1"<BR><BR><BR>On 1 Sep 2011, at 15:40, 2394263740 wrote:<BR><BR>> Phil,<BR>> <BR>> Thanks a lot for your great help.<BR>> <BR>> I understand the scripts you wrote. But I don't know where I should put it in.<BR>> <BR>> Can you please kindly advise which file I should edit?<BR>> <BR>> /usr/local/etc/raddb/sites-available/default?<BR><BR>Yes in the authorize section, thats why the script is encapsulated within and authorize {} stanza :)<BR><BR>-Arran<BR><BR>> <BR>> <BR>> <BR>> ------------------ Original ------------------<BR>> From: "freeradius-users"<freeradius-users-request@lists.freeradius.org>;<BR>> Date: Thu, Sep 1, 2011 02:51 AM<BR>> To: "freeradius-users"<freeradius-users@lists.freeradius.org>;<BR>> Subject: Freeradius-Users Digest, Vol 76, Issue 108<BR>> <BR>> Send Freeradius-Users mailing list submissions to<BR>> freeradius-users@lists.freeradius.org<BR>> <BR>> To subscribe or unsubscribe via the World Wide Web, visit<BR>> http://lists.freeradius.org/mailman/listinfo/freeradius-users<BR>> or, via email, send a message with subject or body 'help' to<BR>> freeradius-users-request@lists.freeradius.org<BR>> <BR>> You can reach the person managing the list at<BR>> freeradius-users-owner@lists.freeradius.org<BR>> <BR>> When replying, please edit your Subject line so it is more specific<BR>> than "Re: Contents of Freeradius-Users digest..."<BR>> <BR>> <BR>> Today's Topics:<BR>> <BR>> 1. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS<BR>> server (Phil Mayers)<BR>> 2. Re: Special WIFI Router MAC check for the user?s first<BR>> connection. (Phil Mayers)<BR>> 3. Using rlm_passwd as a substitute for hunt groups<BR>> (Jan.Weiss@t-systems.com)<BR>> 4. problem with LDAP backend (Frank Bonnet)<BR>> 5. Re: problem with chillispot (Alan DeKok)<BR>> 6. Re: problem with LDAP backend (Alan DeKok)<BR>> 7. Rating usage (Shreya Shah)<BR>> 8. Re: problem with chillispot (Goke M Aruna)<BR>> <BR>> <BR>> ----------------------------------------------------------------------<BR>> <BR>> Message: 1<BR>> Date: Wed, 31 Aug 2011 14:48:00 +0100<BR>> From: Phil Mayers <p.mayers@imperial.ac.uk><BR>> Subject: Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS<BR>> server<BR>> To: freeradius-users@lists.freeradius.org<BR>> Message-ID: <4E5E3B90.2020109@imperial.ac.uk><BR>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed<BR>> <BR>> On 30/08/11 21:12, Glenn Machin wrote:<BR>> > Phil - thanks for the feedback.<BR>> ><BR>> > I just ended up proxying out to the IAS server usernames starting with<BR>> > "DOMAIN\".<BR>> <BR>> Ok. Obviously that will fail if enters their wireless credentials <BR>> without a domain.<BR>> <BR>> ><BR>> > I configured the freeradius server to not support mschapv2 but will<BR>> > support PEAP/GTC EAP/TLS.<BR>> ><BR>> ><BR>> > It seems to be working fine with the Macs, iPads and Linux systems while<BR>> > the windows systems are happy to talk to the IAS server.<BR>> ><BR>> ><BR>> > It still bugs that ntlm_auth would not authenticate to the domain<BR>> > controllers the challenge and nt-response.<BR>> <BR>> I repeat: if you send debug info, people may be able to help.<BR>> <BR>> ><BR>> ><BR>> > I assume no one else is having any issues using ntlm_auth to W2008<BR>> > servers? It may be some Windows GPO at our site for all I know.<BR>> <BR>> Exactly which version of windows (2008 or 2008R2?) and at which <BR>> functional level is your domain?<BR>> <BR>> Did you try increasing the debug level for winbind using "smbcontrol" <BR>> and then examining the debug logs after a failed auth?<BR>> <BR>> For what it's worth, we have no problems with Windows 2008R2 domain <BR>> controllers and the "samba3x" package available under RHEL5 (samba <BR>> version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3) <BR>> versions after we'd upgraded to 2008R2 and upgraded functional level.<BR>> <BR>> <BR>> ------------------------------<BR>> <BR>> Message: 2<BR>> Date: Wed, 31 Aug 2011 14:55:35 +0100<BR>> From: Phil Mayers <p.mayers@imperial.ac.uk><BR>> Subject: Re: Special WIFI Router MAC check for the user?s first<BR>> connection.<BR>> To: freeradius-users@lists.freeradius.org<BR>> Message-ID: <4E5E3D57.2000903@imperial.ac.uk><BR>> Content-Type: text/plain; charset=UTF-8; format=flowed<BR>> <BR>> On 31/08/11 12:38, 2394263740 wrote:<BR>> <BR>> > For example, WIFI AP 26, has the MAC address MAC26. I need ensure one<BR>> > WIFI user, say user 58, must connect to WIFI AP 26 for the first time.<BR>> > After the first connection, user 58 can connect to any WIFI AP in the<BR>> > network.<BR>> > Can someone give some advice on how to do it?<BR>> <BR>> 1. Create a whitelist of users who can authenticate to any AP using <BR>> files, rlm_passwd or ideally SQL - see the FreeRADIUS wiki<BR>> <BR>> 2. If they are *not* found in the whitelist, check the <BR>> "Called-Station-Id" attribute, which usually contains the MAC address of <BR>> the AP. If your equipment uses a different attribute, check that.<BR>> <BR>> 3. If the AP MAC is the correct one, add the user to the whitelist, <BR>> else reject<BR>> <BR>> For example:<BR>> <BR>> authorize {<BR>> <BR>> ...<BR>> update control {<BR>> Tmp-String-0 := "%{sql:select 1 from whitelist where <BR>> username='%{User-Name}'}"<BR>> }<BR>> if (control:Tmp-String-0 == 1) {<BR>> # user is in whitelist<BR>> }<BR>> elsif (Called-Station-Id == "aa-bb-cc-dd-ee-ff") {<BR>> # user is connecting to the "whitelist" AP<BR>> update control {<BR>> Tmp-String-0 = "%{sql:insert into whitelist (username) values <BR>> ('%{User-Name}')}"<BR>> }<BR>> }<BR>> else {<BR>> reject<BR>> }<BR>> ...<BR>> <BR>> }<BR>> <BR>> <BR>> ------------------------------<BR>> <BR>> Message: 3<BR>> Date: Wed, 31 Aug 2011 16:11:48 +0200<BR>> From: Jan.Weiss@t-systems.com<BR>> Subject: Using rlm_passwd as a substitute for hunt groups<BR>> To: <freeradius-users@lists.freeradius.org><BR>> Message-ID:<BR>> <3DD77603D0726248A46541D5119607CE27DFC71606@HE111524.emea1.cds.t-internal.com><BR>> <BR>> Content-Type: text/plain; charset="us-ascii"<BR>> <BR>> >Did you remember to actually define 'My-Device-Group' as an attribute?<BR>> ><BR>> >-Arran<BR>> ><BR>> >Arran Cudbard-Bell<BR>> >a.cudbardb@freeradius.org<BR>> ><BR>> >RADIUS - Half the complexity of Diameter<BR>> <BR>> <BR>> Dictionary:<BR>> ATTRIBUTE My-Device-Group 3000 string<BR>> <BR>> <BR>> ------------------------------<BR>> <BR>> Message: 4<BR>> Date: Wed, 31 Aug 2011 17:02:32 +0200<BR>> From: Frank Bonnet <f.bonnet@esiee.fr><BR>> Subject: problem with LDAP backend<BR>> To: freeradius-users@lists.freeradius.org<BR>> Message-ID: <4E5E4D08.5060109@esiee.fr><BR>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed<BR>> <BR>> Hello<BR>> <BR>> Still trying to use freeradius with chillispot I still have problems<BR>> <BR>> I'm trying to use mixed authentication<BR>> <BR>> MAC addresses for some video devices in the "users" file<BR>> as follows :<BR>> <BR>> 00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"<BR>> Framed-IP-Address = 192.168.182.213,<BR>> Fall-Through = Yes<BR>> <BR>> LDAP backend for "real" users at the end of the "users" file I have this <BR>> statement<BR>> <BR>> DEFAULT Auth-Type = LDAP<BR>> Fall-Through = 1<BR>> <BR>> This configuration were working well on a very old debian machine which <BR>> died suddenly<BR>> <BR>> When I try to access the the chilli portal it ask radius for authentication<BR>> but it dows not work. See below the debug trace of radius daemon.<BR>> Help greatly appreciated, thank you.<BR>> <BR>> <BR>> Wed Aug 31 16:52:39 2011 : Debug: Processing the authorize section of <BR>> radiusd.conf<BR>> Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authorize for <BR>> request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling <BR>> preprocess (rlm_preprocess) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <BR>> preprocess (rlm_preprocess) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module <BR>> "preprocess" returns ok for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling eap <BR>> (rlm_eap) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_eap: No EAP-Message, not doing EAP<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <BR>> eap (rlm_eap) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "eap" <BR>> returns noop for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling files <BR>> (rlm_files) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: users: Matched entry DEFAULT at <BR>> line 398<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <BR>> files (rlm_files) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "files" <BR>> returns ok for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling ldap <BR>> (rlm_ldap) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authorize<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing user <BR>> authorization for xxxxxxxx<BR>> Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: '(uid=xxx)'<BR>> Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: 'ou=Users,dc=esiee,dc=fr'<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing search in <BR>> ou=Users,dc=esiee,dc=fr, with filter (uid=hrazdira)<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: checking if remote access <BR>> for xxxxxxxx is allowed by uid<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for check items in <BR>> directory...<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for reply items in <BR>> directory...<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: user xxxxxxxx authorized to <BR>> use remote access<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <BR>> ldap (rlm_ldap) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "ldap" <BR>> returns ok for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling pap <BR>> (rlm_pap) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_pap: WARNING! No "known good" <BR>> password found for the user. Authentication may fail because of this.<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <BR>> pap (rlm_pap) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "pap" <BR>> returns noop for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authorize <BR>> (returns ok) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: rad_check_password: Found Auth-Type <BR>> LDAP<BR>> Wed Aug 31 16:52:39 2011 : Debug: auth: type "LDAP"<BR>> Wed Aug 31 16:52:39 2011 : Debug: Processing the authenticate section <BR>> of radiusd.conf<BR>> Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authenticate <BR>> for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: calling <BR>> ldap (rlm_ldap) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authenticate<BR>> Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is <BR>> required for authentication. Cannot use "CHAP-Password".<BR>> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: returned <BR>> from ldap (rlm_ldap) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modcall[authenticate]: module "ldap" <BR>> returns invalid for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authenticate <BR>> (returns invalid) for request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: auth: Failed to validate the user.<BR>> Wed Aug 31 16:52:39 2011 : Debug: Delaying request 15 for 1 seconds<BR>> Wed Aug 31 16:52:39 2011 : Debug: Finished request 15<BR>> Wed Aug 31 16:52:39 2011 : Debug: Going to the next request<BR>> Wed Aug 31 16:52:39 2011 : Debug: --- Walking the entire request list ---<BR>> <BR>> <BR>> <BR>> ------------------------------<BR>> <BR>> Message: 5<BR>> Date: Wed, 31 Aug 2011 12:27:36 -0400<BR>> From: Alan DeKok <aland@deployingradius.com><BR>> Subject: Re: problem with chillispot<BR>> To: FreeRadius users mailing list<BR>> <freeradius-users@lists.freeradius.org><BR>> Message-ID: <4E5E60F8.8070409@deployingradius.com><BR>> Content-Type: text/plain; charset=ISO-8859-1<BR>> <BR>> Goke M Aruna wrote:<BR>> > Is it bug on freeradius v2?<BR>> <BR>> No.<BR>> <BR>> > I got the chillispot working with freeradius 1.7 then and still tested<BR>> > same recently but v2 of radius give same error while v1 work<BR>> > seamlessly. I compiled this on centos 5.6.<BR>> <BR>> You mistyped the shared secret.<BR>> <BR>> Alan DeKok.<BR>> <BR>> <BR>> ------------------------------<BR>> <BR>> Message: 6<BR>> Date: Wed, 31 Aug 2011 12:30:45 -0400<BR>> From: Alan DeKok <aland@deployingradius.com><BR>> Subject: Re: problem with LDAP backend<BR>> To: FreeRadius users mailing list<BR>> <freeradius-users@lists.freeradius.org><BR>> Message-ID: <4E5E61B5.2000601@deployingradius.com><BR>> Content-Type: text/plain; charset=ISO-8859-1<BR>> <BR>> Frank Bonnet wrote:<BR>> > MAC addresses for some video devices in the "users" file<BR>> > as follows :<BR>> > <BR>> > 00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"<BR>> <BR>> That's wrong. See the debug output for reasons why. See the FAQ for<BR>> correct examples.<BR>> <BR>> > LDAP backend for "real" users at the end of the "users" file I have this<BR>> > statement<BR>> > <BR>> > DEFAULT Auth-Type = LDAP<BR>> > Fall-Through = 1<BR>> <BR>> That's not needed.<BR>> <BR>> > Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is<BR>> > required for authentication. Cannot use "CHAP-Password".<BR>> <BR>> That's pretty clear. The NAS is sending a CHAP request. You can't do<BR>> that with "Auth-Type LDAP"<BR>> <BR>> Instead, list "ldap" in the "authorize" section.<BR>> <BR>> Don't set Auth-Type. It's almost always wrong.<BR>> <BR>> Alan DeKok.<BR>> <BR>> <BR>> ------------------------------<BR>> <BR>> Message: 7<BR>> Date: Wed, 31 Aug 2011 13:23:20 -0400<BR>> From: Shreya Shah <shreya.nshah@gmail.com><BR>> Subject: Rating usage<BR>> To: FreeRadius users mailing list<BR>> <freeradius-users@lists.freeradius.org><BR>> Message-ID:<BR>> <CANN_Z9KOKD0HfM+s_wVmZTyobN=8qcLxbfdQBBrX+KBPUBo-2w@mail.gmail.com><BR>> Content-Type: text/plain; charset="iso-8859-1"<BR>> <BR>> Is it possible to rate users based on their data usage and reject<BR>> authentication to those users exceeding the limit ?<BR>> <BR>> I think I can achieve rating using counter.conf and reading the usage from<BR>> radacct but not sure how to reject this user from authenticating when he<BR>> exceeds this usage limit ?<BR>> <BR>> Thanks,<BR>> Shreya.<BR>> -------------- next part --------------<BR>> An HTML attachment was scrubbed...<BR>> URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20110831/ad586a05/attachment.html><BR>> <BR>> ------------------------------<BR>> <BR>> Message: 8<BR>> Date: Wed, 31 Aug 2011 19:51:20 +0100<BR>> From: Goke M Aruna <goksie@gmail.com><BR>> Subject: Re: problem with chillispot<BR>> To: FreeRadius users mailing list<BR>> <freeradius-users@lists.freeradius.org><BR>> Message-ID:<BR>> <CAE=DitpQoroJHxQA7u+BtCuXhEh0_1V-TahmuW1ntgiO9_e69Q@mail.gmail.com><BR>> Content-Type: text/plain; charset=UTF-8<BR>> <BR>> Hi Allan,<BR>> Mistyped shared-secret? How can I confirm that?<BR>> <BR>> Thank you.<BR>> <BR>> On 8/31/11, Alan DeKok <aland@deployingradius.com> wrote:<BR>> > Goke M Aruna wrote:<BR>> >> Is it bug on freeradius v2?<BR>> ><BR>> > No.<BR>> ><BR>> >> I got the chillispot working with freeradius 1.7 then and still tested<BR>> >> same recently but v2 of radius give same error while v1 work<BR>> >> seamlessly. I compiled this on centos 5.6.<BR>> ><BR>> > You mistyped the shared secret.<BR>> ><BR>> > Alan DeKok.<BR>> > -<BR>> > List info/subscribe/unsubscribe? See<BR>> > http://www.freeradius.org/list/users.html<BR>> ><BR>> <BR>> -- <BR>> Sent from my mobile device<BR>> <BR>> <BR>> ------------------------------<BR>> <BR>> -<BR>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<BR>> <BR>> <BR>> End of Freeradius-Users Digest, Vol 76, Issue 108<BR>> *************************************************<BR>> -<BR>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<BR><BR>Arran Cudbard-Bell<BR>a.cudbardb@freeradius.org<BR><BR>RADIUS - Half the complexity of Diameter<BR><BR>-------------- next part --------------<BR>An HTML attachment was scrubbed...<BR>URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20110901/83b490af/attachment.html><BR><BR>------------------------------<BR><BR>-<BR>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<BR><BR><BR>End of Freeradius-Users Digest, Vol 77, Issue 3<BR>***********************************************<BR></DIV></includetail></DIV>