<DIV>Phil,</DIV>
<DIV> </DIV>
<DIV>Thanks a lot for your great help.</DIV>
<DIV> </DIV>
<DIV>I understand the scripts you wrote. But I don't know where I should put them.</DIV>
<DIV> </DIV>
<DIV>Can you please kindly advise which file I should edit?</DIV>
<DIV> </DIV>
<DIV>/usr/local/etc/raddb/sites-available/default?</DIV>
<DIV> </DIV>
<DIV>Where should I put the scripts you wrote previously? In which context?</DIV>
<DIV> </DIV>
<DIV>Thanks!</DIV>
<DIV> </DIV>
<DIV>Tom</DIV>
<DIV><includetail>
<DIV> </DIV>
<DIV> </DIV>
<DIV style="COLOR: #000">
<DIV style="PADDING-BOTTOM: 2px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; FONT-FAMILY: Arial Narrow; FONT-SIZE: 12px; PADDING-TOP: 2px">------------------ Original ------------------</DIV>
<DIV style="PADDING-BOTTOM: 8px; PADDING-LEFT: 8px; PADDING-RIGHT: 8px; BACKGROUND: #efefef; FONT-SIZE: 12px; PADDING-TOP: 8px">
<DIV id=menu_sender><B>From: </B> "freeradius-users"<freeradius-users-request@lists.freeradius.org>;</DIV>
<DIV><B>Date: </B> Thu, Sep 1, 2011 02:51 AM</DIV>
<DIV><B>To: </B> "freeradius-users"<freeradius-users@lists.freeradius.org>; <WBR></DIV>
<DIV></DIV>
<DIV><B>Subject: </B> Freeradius-Users Digest, Vol 76, Issue 108</DIV></DIV>
<DIV> </DIV>Send Freeradius-Users mailing list submissions to<BR>freeradius-users@lists.freeradius.org<BR><BR>To subscribe or unsubscribe via the World Wide Web, visit<BR>http://lists.freeradius.org/mailman/listinfo/freeradius-users<BR>or, via email, send a message with subject or body 'help' to<BR>freeradius-users-request@lists.freeradius.org<BR><BR>You can reach the person managing the list at<BR>freeradius-users-owner@lists.freeradius.org<BR><BR>When replying, please edit your Subject line so it is more specific<BR>than "Re: Contents of Freeradius-Users digest..."<BR><BR><BR>Today's Topics:<BR><BR> 1. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS<BR> server (Phil Mayers)<BR> 2. Re: Special WIFI Router MAC check for the user's first<BR> connection. (Phil Mayers)<BR> 3. Using rlm_passwd as a substitute for hunt groups<BR> (Jan.Weiss@t-systems.com)<BR> 4. problem with LDAP backend (Frank Bonnet)<BR> 5. Re: problem with chillispot (Alan DeKok)<BR> 6. Re: problem with LDAP backend (Alan DeKok)<BR> 7. Rating usage (Shreya Shah)<BR> 8. Re: problem with chillispot (Goke M Aruna)<BR><BR><BR>----------------------------------------------------------------------<BR><BR>Message: 1<BR>Date: Wed, 31 Aug 2011 14:48:00 +0100<BR>From: Phil Mayers <p.mayers@imperial.ac.uk><BR>Subject: Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS<BR>server<BR>To: freeradius-users@lists.freeradius.org<BR>Message-ID: <4E5E3B90.2020109@imperial.ac.uk><BR>Content-Type: text/plain; charset=ISO-8859-1; format=flowed<BR><BR>On 30/08/11 21:12, Glenn Machin wrote:<BR>> Phil - thanks for the feedback.<BR>><BR>> I just ended up proxying out to the IAS server usernames starting with<BR>> "DOMAIN\".<BR><BR>Ok. 
Obviously that will fail if someone enters their wireless credentials <BR>without a domain.<BR><BR>><BR>> I configured the freeradius server to not support mschapv2 but will<BR>> support PEAP/GTC EAP/TLS.<BR>><BR>><BR>> It seems to be working fine with the Macs, iPads and Linux systems while<BR>> the windows systems are happy to talk to the IAS server.<BR>><BR>><BR>> It still bugs that ntlm_auth would not authenticate to the domain<BR>> controllers the challenge and nt-response.<BR><BR>I repeat: if you send debug info, people may be able to help.<BR><BR>><BR>><BR>> I assume no one else is having any issues using ntlm_auth to W2008<BR>> servers? It may be some Windows GPO at our site for all I know.<BR><BR>Exactly which version of windows (2008 or 2008R2?) and at which <BR>functional level is your domain?<BR><BR>Did you try increasing the debug level for winbind using "smbcontrol" <BR>and then examining the debug logs after a failed auth?<BR><BR>For what it's worth, we have no problems with Windows 2008R2 domain <BR>controllers and the "samba3x" package available under RHEL5 (samba <BR>version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3) <BR>versions after we'd upgraded to 2008R2 and upgraded functional level.<BR><BR><BR>------------------------------<BR><BR>Message: 2<BR>Date: Wed, 31 Aug 2011 14:55:35 +0100<BR>From: Phil Mayers <p.mayers@imperial.ac.uk><BR>Subject: Re: Special WIFI Router MAC check for the user's first<BR>connection.<BR>To: freeradius-users@lists.freeradius.org<BR>Message-ID: <4E5E3D57.2000903@imperial.ac.uk><BR>Content-Type: text/plain; charset=UTF-8; format=flowed<BR><BR>On 31/08/11 12:38, 2394263740 wrote:<BR><BR>> For example, WIFI AP 26, has the MAC address MAC26. I need to ensure one<BR>> WIFI user, say user 58, must connect to WIFI AP 26 for the first time.<BR>> After the first connection, user 58 can connect to any WIFI AP in the<BR>> network.<BR>> Can someone give some advice on how to do it?<BR><BR> 1. 
Create a whitelist of users who can authenticate to any AP using <BR>files, rlm_passwd or ideally SQL - see the FreeRADIUS wiki<BR><BR> 2. If they are *not* found in the whitelist, check the <BR>"Called-Station-Id" attribute, which usually contains the MAC address of <BR>the AP. If your equipment uses a different attribute, check that.<BR><BR> 3. If the AP MAC is the correct one, add the user to the whitelist, <BR>else reject<BR><BR>For example:<BR><BR>authorize {<BR><BR> ...<BR> update control {<BR> Tmp-String-0 := "%{sql:select 1 from whitelist where <BR>username='%{User-Name}'}"<BR> }<BR> if (control:Tmp-String-0 == 1) {<BR> # user is in whitelist<BR> }<BR> elsif (Called-Station-Id == "aa-bb-cc-dd-ee-ff") {<BR> # user is connecting to the "whitelist" AP<BR> update control {<BR> Tmp-String-0 = "%{sql:insert into whitelist (username) values <BR>('%{User-Name}')}"<BR> }<BR> }<BR> else {<BR> reject<BR> }<BR> ...<BR><BR>}<BR><BR><BR>------------------------------<BR><BR>Message: 3<BR>Date: Wed, 31 Aug 2011 16:11:48 +0200<BR>From: Jan.Weiss@t-systems.com<BR>Subject: Using rlm_passwd as a substitute for hunt groups<BR>To: <freeradius-users@lists.freeradius.org><BR>Message-ID:<BR><3DD77603D0726248A46541D5119607CE27DFC71606@HE111524.emea1.cds.t-internal.com><BR><BR>Content-Type: text/plain; charset="us-ascii"<BR><BR>>Did you remember to actually define 'My-Device-Group' as an attribute?<BR>><BR>>-Arran<BR>><BR>>Arran Cudbard-Bell<BR>>a.cudbardb@freeradius.org<BR>><BR>>RADIUS - Half the complexity of Diameter<BR><BR><BR>Dictionary:<BR>ATTRIBUTE My-Device-Group 3000 string<BR><BR><BR>------------------------------<BR><BR>Message: 4<BR>Date: Wed, 31 Aug 2011 17:02:32 +0200<BR>From: Frank Bonnet <f.bonnet@esiee.fr><BR>Subject: problem with LDAP backend<BR>To: freeradius-users@lists.freeradius.org<BR>Message-ID: <4E5E4D08.5060109@esiee.fr><BR>Content-Type: text/plain; charset=ISO-8859-1; format=flowed<BR><BR>Hello<BR><BR>Still trying to use freeradius with chillispot I still 
have problems<BR><BR>I'm trying to use mixed authentication<BR><BR>MAC addresses for some video devices in the "users" file<BR>as follows :<BR><BR>00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"<BR> Framed-IP-Address = 192.168.182.213,<BR> Fall-Through = Yes<BR><BR>LDAP backend for "real" users at the end of the "users" file I have this <BR>statement<BR><BR>DEFAULT Auth-Type = LDAP<BR> Fall-Through = 1<BR><BR>This configuration was working well on a very old debian machine which <BR>died suddenly<BR><BR>When I try to access the chilli portal it asks radius for authentication<BR>but it does not work. See below the debug trace of radius daemon.<BR>Help greatly appreciated, thank you.<BR><BR><BR>Wed Aug 31 16:52:39 2011 : Debug: Processing the authorize section of <BR>radiusd.conf<BR>Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authorize for <BR>request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling <BR>preprocess (rlm_preprocess) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <BR>preprocess (rlm_preprocess) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module <BR>"preprocess" returns ok for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling eap <BR>(rlm_eap) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_eap: No EAP-Message, not doing EAP<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <BR>eap (rlm_eap) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "eap" <BR>returns noop for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling files <BR>(rlm_files) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: users: Matched entry DEFAULT at <BR>line 398<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <BR>files (rlm_files) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "files" 
<BR>returns ok for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling ldap <BR>(rlm_ldap) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authorize<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing user <BR>authorization for xxxxxxxx<BR>Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: '(uid=xxx)'<BR>Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: 'ou=Users,dc=esiee,dc=fr'<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing search in <BR>ou=Users,dc=esiee,dc=fr, with filter (uid=hrazdira)<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: checking if remote access <BR>for xxxxxxxx is allowed by uid<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for check items in <BR>directory...<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for reply items in <BR>directory...<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: user xxxxxxxx authorized to <BR>use remote access<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <BR>ldap (rlm_ldap) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "ldap" <BR>returns ok for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling pap <BR>(rlm_pap) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_pap: WARNING! No "known good" <BR>password found for the user. 
Authentication may fail because of this.<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <BR>pap (rlm_pap) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "pap" <BR>returns noop for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authorize <BR>(returns ok) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: rad_check_password: Found Auth-Type <BR>LDAP<BR>Wed Aug 31 16:52:39 2011 : Debug: auth: type "LDAP"<BR>Wed Aug 31 16:52:39 2011 : Debug: Processing the authenticate section <BR>of radiusd.conf<BR>Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authenticate <BR>for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: calling <BR>ldap (rlm_ldap) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authenticate<BR>Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is <BR>required for authentication. Cannot use "CHAP-Password".<BR>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: returned <BR>from ldap (rlm_ldap) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modcall[authenticate]: module "ldap" <BR>returns invalid for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authenticate <BR>(returns invalid) for request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: auth: Failed to validate the user.<BR>Wed Aug 31 16:52:39 2011 : Debug: Delaying request 15 for 1 seconds<BR>Wed Aug 31 16:52:39 2011 : Debug: Finished request 15<BR>Wed Aug 31 16:52:39 2011 : Debug: Going to the next request<BR>Wed Aug 31 16:52:39 2011 : Debug: --- Walking the entire request list ---<BR><BR><BR><BR>------------------------------<BR><BR>Message: 5<BR>Date: Wed, 31 Aug 2011 12:27:36 -0400<BR>From: Alan DeKok <aland@deployingradius.com><BR>Subject: Re: problem with chillispot<BR>To: FreeRadius users mailing list<BR><freeradius-users@lists.freeradius.org><BR>Message-ID: <4E5E60F8.8070409@deployingradius.com><BR>Content-Type: 
text/plain; charset=ISO-8859-1<BR><BR>Goke M Aruna wrote:<BR>> Is it a bug on freeradius v2?<BR><BR> No.<BR><BR>> I got the chillispot working with freeradius 1.7 then and still tested<BR>> same recently but v2 of radius gives the same error while v1 works<BR>> seamlessly. I compiled this on centos 5.6.<BR><BR> You mistyped the shared secret.<BR><BR> Alan DeKok.<BR><BR><BR>------------------------------<BR><BR>Message: 6<BR>Date: Wed, 31 Aug 2011 12:30:45 -0400<BR>From: Alan DeKok <aland@deployingradius.com><BR>Subject: Re: problem with LDAP backend<BR>To: FreeRadius users mailing list<BR><freeradius-users@lists.freeradius.org><BR>Message-ID: <4E5E61B5.2000601@deployingradius.com><BR>Content-Type: text/plain; charset=ISO-8859-1<BR><BR>Frank Bonnet wrote:<BR>> MAC addresses for some video devices in the "users" file<BR>> as follows :<BR>> <BR>> 00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"<BR><BR> That's wrong. See the debug output for reasons why. See the FAQ for<BR>correct examples.<BR><BR>> LDAP backend for "real" users at the end of the "users" file I have this<BR>> statement<BR>> <BR>> DEFAULT Auth-Type = LDAP<BR>> Fall-Through = 1<BR><BR> That's not needed.<BR><BR>> Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is<BR>> required for authentication. Cannot use "CHAP-Password".<BR><BR> That's pretty clear. The NAS is sending a CHAP request. You can't do<BR>that with "Auth-Type LDAP"<BR><BR> Instead, list "ldap" in the "authorize" section.<BR><BR> Don't set Auth-Type. 
It's almost always wrong.<BR><BR> Alan DeKok.<BR><BR><BR>------------------------------<BR><BR>Message: 7<BR>Date: Wed, 31 Aug 2011 13:23:20 -0400<BR>From: Shreya Shah <shreya.nshah@gmail.com><BR>Subject: Rating usage<BR>To: FreeRadius users mailing list<BR><freeradius-users@lists.freeradius.org><BR>Message-ID:<BR><CANN_Z9KOKD0HfM+s_wVmZTyobN=8qcLxbfdQBBrX+KBPUBo-2w@mail.gmail.com><BR>Content-Type: text/plain; charset="iso-8859-1"<BR><BR>Is it possible to rate users based on their data usage and reject<BR>authentication to those users exceeding the limit ?<BR><BR>I think I can achieve rating using counter.conf and reading the usage from<BR>radacct but not sure how to reject this user from authenticating when he<BR>exceeds this usage limit ?<BR><BR>Thanks,<BR>Shreya.<BR>-------------- next part --------------<BR>An HTML attachment was scrubbed...<BR>URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20110831/ad586a05/attachment.html><BR><BR>------------------------------<BR><BR>Message: 8<BR>Date: Wed, 31 Aug 2011 19:51:20 +0100<BR>From: Goke M Aruna <goksie@gmail.com><BR>Subject: Re: problem with chillispot<BR>To: FreeRadius users mailing list<BR><freeradius-users@lists.freeradius.org><BR>Message-ID:<BR><CAE=DitpQoroJHxQA7u+BtCuXhEh0_1V-TahmuW1ntgiO9_e69Q@mail.gmail.com><BR>Content-Type: text/plain; charset=UTF-8<BR><BR>Hi Alan,<BR>Mistyped shared-secret? How can I confirm that?<BR><BR>Thank you.<BR><BR>On 8/31/11, Alan DeKok <aland@deployingradius.com> wrote:<BR>> Goke M Aruna wrote:<BR>>> Is it a bug on freeradius v2?<BR>><BR>> No.<BR>><BR>>> I got the chillispot working with freeradius 1.7 then and still tested<BR>>> same recently but v2 of radius gives the same error while v1 works<BR>>> seamlessly. I compiled this on centos 5.6.<BR>><BR>> You mistyped the shared secret.<BR>><BR>> Alan DeKok.<BR>> -<BR>> List info/subscribe/unsubscribe? 
See<BR>> http://www.freeradius.org/list/users.html<BR>><BR><BR>-- <BR>Sent from my mobile device<BR><BR><BR>------------------------------<BR><BR>-<BR>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<BR><BR><BR>End of Freeradius-Users Digest, Vol 76, Issue 108<BR>*************************************************<BR></DIV></includetail></DIV>
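<DIV>The three-step first-connection policy from Phil Mayers' message 2 in the quoted digest, modelled in Python as an added example (it is not code from the thread or from FreeRADIUS). It assumes an in-memory SQLite table standing in for the SQL whitelist and uses constructed user names and AP addresses; it goes beyond the unlang snippet by normalising the different Called-Station-Id spellings NAS vendors send (with or without separators, dotted, or with an SSID appended) before comparing them, and by rejecting when the attribute is missing.</DIV>

```python
import re
import sqlite3

# Constructed values for this example (not from the original thread).
FIRST_CONNECTION_AP = "aa-bb-cc-dd-ee-ff"   # the AP a new user must join from first

# Leading MAC in any of: aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, aabbccddeeff, aabb.ccdd.eeff
MAC_RE = re.compile(r"^\s*((?:[0-9a-f]{2}[-:]?){6}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})")


def normalize_mac(called_station_id):
    """Reduce a Called-Station-Id to 12 lowercase hex digits, or None.
    NAS vendors differ in case, separators and whether ':SSID' is appended;
    a plain string compare against one spelling would never enrol anyone
    from the right AP (or would enrol nobody and reject everyone)."""
    if not called_station_id:
        return None
    m = MAC_RE.match(called_station_id.lower())
    return re.sub(r"[^0-9a-f]", "", m.group(1)) if m else None


def open_whitelist():
    """In-memory stand-in for the SQL whitelist table the thread assumes."""
    db = sqlite3.connect(":memory:")
    db.execute("create table whitelist (username text primary key)")
    return db


def authorize(db, user_name, called_station_id):
    """Same decision order as the authorize-section snippet in the thread:
    whitelisted -> accept; else at the designated AP -> enrol and accept;
    else reject. Parameterized queries keep User-Name out of the SQL text."""
    if db.execute("select 1 from whitelist where username = ?",
                  (user_name,)).fetchone():
        return "accept"
    if normalize_mac(called_station_id) == normalize_mac(FIRST_CONNECTION_AP):
        db.execute("insert or ignore into whitelist (username) values (?)",
                   (user_name,))
        db.commit()
        return "accept"
    return "reject"


def run_demo():
    """Constructed request sequence; returns the list of decisions."""
    db = open_whitelist()
    requests = [
        ("user58", "AA-BB-CC-DD-EE-FF:CorpWiFi"),  # first login, at the right AP
        ("user58", "11:22:33:44:55:66"),           # now enrolled: any AP is fine
        ("user59", "1122.3344.5566"),              # never enrolled, wrong AP
        ("user60", None),                          # NAS sent no Called-Station-Id
    ]
    return [authorize(db, user, ap) for user, ap in requests]
```

In FreeRADIUS the equivalent unlang belongs in the authorize section, as Phil's snippet shows; which file holds that section depends on the virtual server the requests arrive on.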