<div dir="ltr">My version of 2.1.10 was the one I got when I did the ever so popular sudo apt-get install freeradius, so I guess I need for my distro to get the update in the source files - that's ok as my Freeradius is not connected to the internet.<br>
<br>Thank you all for the response.<br><br><br><div class="gmail_quote">On Mon, Jan 28, 2013 at 11:40 AM, <span dir="ltr"><<a href="mailto:freeradius-users-request@lists.freeradius.org" target="_blank">freeradius-users-request@lists.freeradius.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Today's Topics:<br>
<br>
1. move /etc/raddb/users file to mysql (Stefan K?nig)<br>
2. Re: dialup.conf custom attributes failure in freeradius 2.2<br>
(<a href="mailto:A.L.M.Buxey@lboro.ac.uk">A.L.M.Buxey@lboro.ac.uk</a>)<br>
3. Re: upgrading freeradius (Mathieu Simon)<br>
4. Re: Help Needed !!! FreeRADIUS Integration with MS AD (Pradyumna)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 28 Jan 2013 09:25:00 +0100<br>
From: Stefan K?nig <<a href="mailto:montiburns@gmail.com">montiburns@gmail.com</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: move /etc/raddb/users file to mysql<br>
Message-ID: <<a href="mailto:510635DC.2080103@gmail.com">510635DC.2080103@gmail.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Hello List,<br>
<br>
I inherited an old freeradius 1.1.8 system which is configured to use a<br>
mysql DB.<br>
So far so good, but now I discovered, that someone also created a<br>
/etc/raddb/users file with some DEFAULT information in it.<br>
The funny thing is, that I have also some DEFAULT information in my DB<br>
in radgroupreply, which is where I think the data from the "users" file<br>
belongs.<br>
As far as I see in our config, the flat files have precedence over SQL.<br>
<br>
I am not very deep into freeradius, so I have some questions which I<br>
hope someone can answer:<br>
<br>
1) Does the data from the "users" file go into radgroupreply table?<br>
2) I have a DEFAULT groupname in the DB and in the flat file, will I<br>
have to rename the flat file DEFAULT groupname to something else to<br>
avoid problems?<br>
3) "op" needs to be "=~" and ":=" for the first two settings and "==" for<br>
all the following?<br>
<br>
For your reference here is the anonymized content of my users file:<br>
<br>
DEFAULT User-Name =~"@example\.net$",<br>
Auth-Type := "Accept"<br>
Context-Name == local,<br>
Tunnel-Domain == 1,<br>
Tunnel-Type == L2TP,<br>
Tunnel-Medium-Type == IP,<br>
Tunnel-Client-Endpoint == xxx.xxx.xxx.xxx,<br>
Tunnel-Server-Endpoint == yyy.xxx.xxx.xxx,<br>
Tunnel-Password == password,<br>
Tunnel-Assignment-Id == zzz.xxx.xxx.xxx,<br>
Tunnel-Function == 1,<br>
Tunnel-Local-Name == EXAMPLE.NET<br>
<br>
<br>
Thanks for any help or hints!<br>
<br>
<br>
regards<br>
Stefan<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Mon, 28 Jan 2013 09:03:32 +0000<br>
From: <a href="mailto:A.L.M.Buxey@lboro.ac.uk">A.L.M.Buxey@lboro.ac.uk</a><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: dialup.conf custom attributes failure in freeradius 2.2<br>
Message-ID: <<a href="mailto:20130128090332.GF28146@lboro.ac.uk">20130128090332.GF28146@lboro.ac.uk</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
Hi,<br>
<br>
> Hi, I need some help with inserting custom attributes to MySQL server. It<br>
> seems that version 2.2 broke it, at least on my server... When I revert<br>
> back to 2.1 it immediately starts to work with same config files.<br>
> Below are config files and traces for both versions.<br>
<br>
<br>
> Any idea?<br>
<br>
yes, you don't seem to have 3GPP-IMSI in your dictionary file. thus the string<br>
expansion fails as per<br>
<br>
<br>
> [sql] WARNING: Unknown module "3GPP-IMSI" in string expansion "%',<br>
<br>
<br>
that's my first guess anyway! ;-)<br>
<br>
alan<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Mon, 28 Jan 2013 10:12:21 +0100<br>
From: Mathieu Simon <<a href="mailto:mathieu.sim@gmail.com">mathieu.sim@gmail.com</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: upgrading freeradius<br>
Message-ID: <<a href="mailto:510640F5.6000009@gmail.com">510640F5.6000009@gmail.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
On 27.01.2013 21:52, <a href="mailto:A.L.M.Buxey@lboro.ac.uk">A.L.M.Buxey@lboro.ac.uk</a> wrote:<br>
> Hi,<br>
><br>
>> 2.1.10 is the version delivered by your distribution - and contains<br>
>> backported security bugfixes released until 2.2.0. In terms of security,<br>
>> your version is fine.<br>
> why? why do that? why not simply release 2.2.0 - you are CONFUSING your users<br>
> and CONFUSING those people who support them.<br>
><br>
> if it says 2.1.10 then one can only ASSUME that it's 2.1.10<br>
Yes, somewhat true, but that's how a couple of distributions consider<br>
'stable' releases:<br>
Stick with a version of a software and backport (bug and) security<br>
updates to this version.<br>
(and only update the version of a package at new distro release)<br>
<br>
Enterprise distributions or commercial unix often do much heavier<br>
backporting than<br>
what Debian/Ubuntu do, just to deliver the very same version during the<br>
period of time<br>
the package is bundled with a release of their distro/software.<br>
<br>
You have to weigh the advantages vs. disadvantages like breaking<br>
support from<br>
your distributor, in this case Canonical. But I agree that asking on<br>
this list is likely to yield<br>
the answer "upgrade first" in case of problems.<br>
<br>
An Ubuntu PPA can be a very good thing - but you have to trust a third party.<br>
That said, I really like PPAs when the packagers do good work and care<br>
about<br>
updating the packages - thanks Fajar for maintaining this repository!<br>
<br>
-- Mathieu<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Mon, 28 Jan 2013 15:10:14 +0530<br>
From: Pradyumna <<a href="mailto:neomatrixgem@gmail.com">neomatrixgem@gmail.com</a>><br>
To: "<a href="mailto:A.L.M.Buxey@lboro.ac.uk">A.L.M.Buxey@lboro.ac.uk</a>" <<a href="mailto:A.L.M.Buxey@lboro.ac.uk">A.L.M.Buxey@lboro.ac.uk</a>><br>
Cc: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: Help Needed !!! FreeRADIUS Integration with MS AD<br>
Message-ID: <<a href="mailto:E751B5FB-B309-402E-8C4E-6D77FE3958AB@gmail.com">E751B5FB-B309-402E-8C4E-6D77FE3958AB@gmail.com</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Hi,<br>
<br>
I am not able to see my authorization happening because I don't see the value-attr or reply message. Please help. Logs attached.<br>
rad_recv: Access-Request packet from host 192.168.0.2 port 39662, id=92, length=62<br>
User-Name = "radiustest"<br>
User-Password = "password@123"<br>
NAS-IP-Address = 192.168.0.2<br>
NAS-Port = 1812<br>
# Executing section authorize from file /etc/raddb/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.2/auth-detail-20130128<br>
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.2/auth-detail-20130128<br>
[auth_log] expand: %t -> Mon Jan 28 10:12:16 2013<br>
++[auth_log] returns ok<br>
[ldap] performing user authorization for radiustest<br>
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
[ldap] ... expanding second conditional<br>
[ldap] expand: %{User-Name} -> radiustest<br>
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest))<br>
[ldap] expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com<br>
[ldap] ldap_get_conn: Checking Id: 0<br>
[ldap] ldap_get_conn: Got Id: 0<br>
[ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest))<br>
[ldap] looking for check items in directory...<br>
[ldap] looking for reply items in directory...<br>
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?<br>
[ldap] Setting Auth-Type = ldap<br>
[ldap] user radiustest authorized to use remote access<br>
[ldap] ldap_release_conn: Release Id: 0<br>
++[ldap] returns ok<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "radiustest", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[ldap] performing user authorization for radiustest<br>
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
[ldap] ... expanding second conditional<br>
[ldap] expand: %{User-Name} -> radiustest<br>
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest))<br>
[ldap] expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com<br>
[ldap] ldap_get_conn: Checking Id: 0<br>
[ldap] ldap_get_conn: Got Id: 0<br>
[ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest))<br>
[ldap] looking for check items in directory...<br>
[ldap] looking for reply items in directory...<br>
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?<br>
[ldap] user radiustest authorized to use remote access<br>
[ldap] ldap_release_conn: Release Id: 0<br>
++[ldap] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br>
Found Auth-Type = ldap<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group LDAP {...}<br>
[ldap] login attempt by "radiustest" with password "password@123"<br>
[ldap] user DN: CN=radiustest,CN=Users,DC=example,DC=com<br>
[ldap] (re)connect to 192.168.0.3:389, authentication 1<br>
[ldap] bind as CN=radiustest,CN=Users,DC=example,DC=com/password@123 to 192.168.0.3:389<br>
[ldap] waiting for bind result ...<br>
[ldap] Bind was successful<br>
[ldap] user radiustest authenticated succesfully<br>
++[ldap] returns ok<br>
# Executing section post-auth from file /etc/raddb/sites-enabled/default<br>
+- entering group post-auth {...}<br>
++[exec] returns noop<br>
Sending Access-Accept of id 92 to 192.168.0.2 port 39662<br>
Finished request 2.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 2 ID 92 with timestamp +88<br>
Ready to process requests.<br>
<br>
Regards,<br>
/Neo<br>
Sent from my iPhone<br>
<br>
On 25-Jan-2013, at 3:32 AM, <a href="mailto:A.L.M.Buxey@lboro.ac.uk">A.L.M.Buxey@lboro.ac.uk</a> wrote:<br>
<br>
> Hi,<br>
><br>
>> Do you mean the below in the "users" file?<br>
>><br>
>> cisco Auth-Type := LDAP<br>
>><br>
>> Service-Type = Administrative-User,<br>
>> cisco-avpair = "shell:priv-lvl=15"<br>
><br>
> no.<br>
><br>
> cisco Auth-Type := LDAP<br>
> Service-Type = Administrative-User,<br>
> cisco-avpair = "shell:priv-lvl=15"<br>
><br>
><br>
> (see all the examples in the users file)<br>
><br>
> alan<br>
------------------------------<br>
<br>
End of Freeradius-Users Digest, Vol 93, Issue 78<br>
************************************************<br>
</blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">____<div>Sometimes you just glow in the dark...</div></div>
</div>
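Message 3 above says a distribution package can keep the 2.1.10 version string while carrying backported security fixes. As an added example (not written by anyone in this thread or by the FreeRADIUS project), this script lists which CVE identifiers each package revision in a Debian-format changelog records; the changelog text, the revision strings and the CVE-0000-000x identifiers are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample in Debian changelog format. Revisions, maintainer and
# CVE-0000-000x identifiers are placeholders, not real entries.
sample_changelog() {
cat <<'EOF'
freeradius (2.1.10+dfsg-3ubuntu0.2) stable-security; urgency=medium

  * SECURITY UPDATE: constructed entry for illustration
    - debian/patches/CVE-0000-0002.patch: backported fix
    - CVE-0000-0002

 -- Constructed Maintainer <maint@example.org>  Tue, 01 Jan 2013 00:00:00 +0000

freeradius (2.1.10+dfsg-3ubuntu0.1) stable-security; urgency=medium

  * SECURITY UPDATE: constructed entry for illustration
    - CVE-0000-0001

 -- Constructed Maintainer <maint@example.org>  Tue, 01 Jan 2013 00:00:00 +0000

freeradius (2.1.10+dfsg-3) unstable; urgency=low

  * New upstream release.

 -- Constructed Maintainer <maint@example.org>  Tue, 01 Jan 2013 00:00:00 +0000
EOF
}

# Upstream part of a package version: drop the epoch and the distro revision.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# Read a changelog on stdin; print "<package revision> <CVE id>" once per pair.
backported_fixes() {
    awk '
        /^[a-z0-9][a-z0-9+.-]* \(/ {    # stanza header: name (version) suite
            ver = $2; gsub(/[()]/, "", ver); next
        }
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (!seen[ver, id]++) print ver, id
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

sample_changelog | backported_fixes
```

On an installed system the same function can read the packaged changelog, for example `zcat /usr/share/doc/freeradius/changelog.Debian.gz | backported_fixes`, assuming the package ships its changelog at that conventional Debian path.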