<div dir="ltr">Hello! Thanks to all. Configuration example that`s i need, will try it.<br><div class="gmail_extra"><br><br><div class="gmail_quote">2014-03-11 0:46 GMT+04:00 <span dir="ltr"><<a href="mailto:freeradius-users-request@lists.freeradius.org" target="_blank">freeradius-users-request@lists.freeradius.org</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Send Freeradius-Users mailing list submissions to<br>
<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.freeradius.org/mailman/listinfo/freeradius-users" target="_blank">http://lists.freeradius.org/mailman/listinfo/freeradius-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:freeradius-users-request@lists.freeradius.org">freeradius-users-request@lists.freeradius.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:freeradius-users-owner@lists.freeradius.org">freeradius-users-owner@lists.freeradius.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Freeradius-Users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Not trivial configuration of Freeradius as DHCP server<br>
(Tony DeMatteis)<br>
2. Re: Old school: FreeRADIUS and NIS (Alan DeKok)<br>
3. Re: Old school: FreeRADIUS and NIS (Alan DeKok)<br>
4. Re: Old school: FreeRADIUS and NIS (<a href="mailto:A.L.M.Buxey@lboro.ac.uk">A.L.M.Buxey@lboro.ac.uk</a>)<br>
5. RE: Authorise based on Calling Station ID ?<br>
(Darren Ward (darrward))<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 10 Mar 2014 13:07:37 -0700<br>
From: Tony DeMatteis <<a href="mailto:tonyd@commspeed.net">tonyd@commspeed.net</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: Re: Not trivial configuration of Freeradius as DHCP server<br>
Message-ID: <<a href="mailto:531E1B89.4040007@commspeed.net">531E1B89.4040007@commspeed.net</a>><br>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"<br>
<br>
Hello,<br>
<br>
Took this snippet from what I'm doing which I got from a colleague who<br>
first pulled a working config together. See where you can with this...<br>
<br>
'dhcp' folder resides in raddb/dhcp and the dhcp-config.txt file is raddb/sites-available/dhcp<br>
<br>
<br>
<br>
# Main conf - dhcp-config.txt<br>
<br>
server dhcp {<br>
<br>
client any {<br>
ipaddr = 0.0.0.0<br>
#netmask = 0<br>
dhcp = yes<br>
}<br>
<br>
listen {<br>
ipaddr = *<br>
port = 67<br>
type = dhcp<br>
}<br>
<br>
dhcp DHCP-Discover {<br>
update reply {<br>
DHCP-Message-Type = DHCP-Offer<br>
}<br>
<br>
switch "%{DHCP-Gateway-IP-Address}" {<br>
<br>
case 192.168.60.1 {<br>
$INCLUDE dhcp/pool_system1<br>
}<br>
<br>
case 10.20.0.1 {<br>
$INCLUDE dhcp/pool_system2<br>
}<br>
<br>
case {<br>
# Do not reply to DHCP requests from subnets<br>
# which we are not authoriative<br>
update reply {<br>
DHCP-Message-Type !* 0<br>
}<br>
do_not_respond<br>
}<br>
}<br>
<br>
# Global DHCP parameters<br>
$INCLUDE dhcp/global<br>
<br>
dhcp_sqlippool<br>
<br>
if(notfound || noop) {<br>
reject<br>
}<br>
<br>
ok<br>
}<br>
<br>
dhcp DHCP-Request {<br>
update reply {<br>
DHCP-Message-Type = DHCP-Ack<br>
}<br>
<br>
switch "%{DHCP-Gateway-IP-Address}" {<br>
<br>
case 192.168.10.1 {<br>
$INCLUDE dhcp/pool_system1<br>
}<br>
<br>
case 10.20.0.1 {<br>
$INCLUDE dhcp/pool_system2<br>
}<br>
<br>
case {<br>
# Do not reply to DHCP requests from subnets<br>
# which we are not authoriative<br>
update reply {<br>
DHCP-Message-Type !* 0<br>
}<br>
do_not_respond<br>
}<br>
}<br>
<br>
# Global DHCP parameters<br>
$INCLUDE dhcp/global<br>
<br>
dhcp_sqlippool<br>
<br>
if(notfound || noop) {<br>
reject<br>
}<br>
<br>
ok<br>
}<br>
<br>
dhcp DHCP-Inform {<br>
}<br>
<br>
# If there's no named section for the packet type, then the packet<br>
# is processed through this section.<br>
dhcp {<br>
# send a DHCP NAK.<br>
reject<br>
}<br>
}<br>
<br>
# End main conf<br>
<br>
# Global Conf<br>
# ./dhcp/global.conf<br>
update reply {<br>
DHCP-Domain-Name-Server = 8.8.8.8<br>
DHCP-Domain-Name-Server += 8.8.4.4<br>
DHCP-Domain-Name = "<a href="http://mydomain.com" target="_blank">mydomain.com</a>"<br>
DHCP-DHCP-Server-Identifier = <dhcp-server-ip><br>
}<br>
<br>
# System 1 devices - Cable Modems<br>
# ./dhcp/pool_system1.conf<br>
if(DHCP-Vendor-Class-Identifier =~ /^docsis[1-2].*$/){<br>
update control {<br>
Pool-Name := 'system_pool1'<br>
}<br>
}<br>
<br>
# System 2 devices<br>
# ./dhcp/pool_system2.conf<br>
if(DHCP-Vendor-Class-Identifier){<br>
update reply {<br>
DHCP-Subnet-Mask = 255.255.255.0<br>
DHCP-Router-Address = 10.20.0.1<br>
DHCP-Broadcast-Address = 10.20.0.255<br>
DHCP-IP-Address-Lease-Time = 3600<br>
}<br>
update control {<br>
Pool-Name := 'system_pool2'<br>
}<br>
}<br>
<br>
<br>
<br>
<br>
On 03/10/2014 12:38 PM, Alan DeKok wrote:<br>
> Vyacheslav Maliev wrote:<br>
>> Hello! I`ve tried to configure my freeradius installation like described<br>
>> here <a href="http://wiki.freeradius.org/guide/dhcp-for-static-ip-allocation" target="_blank">http://wiki.freeradius.org/guide/dhcp-for-static-ip-allocation</a><br>
>> but it`s very simple case for only one subnet. Now we have two networks<br>
>> which needs to get IP by DHCP server. So is there any possibility to<br>
>> configure DHCP scopes for different networks? Thanks!<br>
> Yes. It's not as easy as with a dedicated DHCP server. You'll need<br>
> to split the packets, so that some use subnet A, and some use subnet B.<br>
> Look at the packets (radiusd -X) to see how they're different. Usually<br>
> there will be a gateway IP address different, or perhaps something else.<br>
><br>
> It's probably best to use groups to assign the network parameters.<br>
> e.g. use the radgroupcheck and radgroupreply tables. For users in group<br>
> A, assign them options for network A, and users in group B should be<br>
> assigned options in network B.<br>
><br>
> i.e. separate the *common* configuration into group parameters. Thenm<br>
> each user should have only user-specific parameters. e.g. an IP<br>
> address, and a group membership.<br>
><br>
> For v3.1, we're looking at maybe coming up with DHCP-specific queries<br>
> for SQL. But getting help from other people would be useful, too.<br>
><br>
> Alan DeKok.<br>
><br>
> -<br>
> List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
><br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140310/b8edb1a8/attachment-0001.html" target="_blank">http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140310/b8edb1a8/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Mon, 10 Mar 2014 16:18:57 -0400<br>
From: Alan DeKok <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: Old school: FreeRADIUS and NIS<br>
Message-ID: <<a href="mailto:531E1E31.7050809@deployingradius.com">531E1E31.7050809@deployingradius.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Arran Cudbard-Bell wrote:<br>
> An excerpt from the Fedora list:<br>
<br>
It's nice to see he's getting the same answers from others.<br>
<br>
i.e. the problem isn't us.<br>
<br>
> > Thing is, based on my searching, getting FreeRADIUS to work with NIS<br>
> > isn't possible. At least I've found no documentation on how to make<br>
> > it work. There's tons on getting it to work with LDAP, but not NIS.<br>
> > Which is the reason for my OP.<br>
<br>
I fail to see what the problem is. NIS is just a way of adding more<br>
back-ends to getpwent() and getspwent(). The applications using those<br>
function calls don't need to do anything.<br>
<br>
i.e. to "integrate" FreeRADIUS with NIS, you just configure NIS.<br>
Then, use the "unix" module in FreeRADIUS, in the "authenticate"<br>
section. The module will do PAP checks by using getspwent() to get the<br>
crypt'd password.<br>
<br>
*Where* that crypt'd password comes from is for NIS to determine.<br>
FreeRADIUS (and the Unix module) doesn't need to do anything.<br>
<br>
His question amounts to "how do I get FreeRADIUS to read files from<br>
MySQL, where MySQL is using ext4 instead of ext3". The answer is "you<br>
don't". FreeRADIUS interacts with X, and X does it's magic. What's<br>
*behind* X doesn't matter.<br>
<br>
Either NIS works, and getspwent() returns something useful, or NIS<br>
doesn't work, and getspwent() doesn't return anything. Maybe running<br>
FreeRADIUS as "root" will help. But if that doesn't work, then the<br>
problem is NIS (or something else), *not* FreeRADIUS.<br>
<br>
And yes, this is one of my common answers. It's why my answers are<br>
seen as "unhelpful". I talk about the *cause* of the problem, not the<br>
*symptom*. Very often, the cause of the problem is a something external<br>
to FreeRADIUS. The symptom is that FreeRADIUS doesn't work the way you<br>
want, but that's just a symptom.<br>
<br>
Sadly, some people *refuse* to understand this.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Mon, 10 Mar 2014 16:22:03 -0400<br>
From: Alan DeKok <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: Old school: FreeRADIUS and NIS<br>
Message-ID: <<a href="mailto:531E1EEB.8010605@deployingradius.com">531E1EEB.8010605@deployingradius.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Adam Bishop wrote:<br>
> I suspect the problem here is either SELinux or the shadow group not existing.<br>
<br>
Quote possibly.<br>
<br>
> RHEL doesn't have a shadow group by default - as it's a nasty hack and potential source of vulnerability, you're expected to have the sense to create it yourself if its needed.<br>
<br>
That's unfriendly. Oh well.<br>
<br>
> It's also tagged with a unique policy type:<br>
><br>
> [root@orps1 ~]# ls -alZ /etc/shadow<br>
> ----------. root root system_u:object_r:shadow_t:s0 /etc/shadow<br>
><br>
> Which I *think* would cause an AVC denial.<br>
<br>
Yes.<br>
<br>
> Then there's the small matter of /etc/shadow having no permission mask by default.<br>
<br>
Arg. That's Unix 101 debugging, TBH. Track down the root cause of<br>
the problem, and fix it.<br>
<br>
> But someone who's been doing this for a long time would have checked such things, or even provided us with the output of strace, right? :)<br>
<br>
Yes. The people who claim decades of experience usually don't follow<br>
standard practices. The people who have decades of experience just get<br>
follow standard practice, and things done.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Mon, 10 Mar 2014 20:42:57 +0000<br>
From: <a href="mailto:A.L.M.Buxey@lboro.ac.uk">A.L.M.Buxey@lboro.ac.uk</a><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: Old school: FreeRADIUS and NIS<br>
Message-ID: <<a href="mailto:20140310204257.GC4519@lboro.ac.uk">20140310204257.GC4519@lboro.ac.uk</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
Hi,<br>
<br>
> I don't think I've ever flamed anyone in my life, but now I believe I<br>
> have to.<br>
<br>
oh..this is going to be interesting... just grabbing the popcorn and<br>
cola ready for the show! :-)<br>
<br>
<snip> oh...that wasnt a flame!<br>
<br>
disappointed...the rest of the popcron is going away now and the colas<br>
going to be flat for when its needed :(<br>
<br>
> Radiusd.conf DOES NOT talk about issues with reading /etc/shadow.<br>
> ANYWHERE. PERIOD.<br>
<br>
..do you mean this bit of radiusd.conf:<br>
<br>
# On systems with shadow passwords, you might have to set 'group = shadow'<br>
# for the server to be able to read the shadow password file. If you can<br>
# authenticate users while in debug mode, but not in daemon mode, it may be<br>
# that the debugging mode server is running as a user that can read the<br>
# shadow info, and the user listed below can not.<br>
<br>
? seems clear to me.<br>
<br>
> And due to that 'take two steps forward and half-dozen back', I've<br>
> made it clear to my boss that FreeRADIUS, while it may work just fine,<br>
<br>
lets hope I dont come across the contact details for your boss ;-)<br>
<br>
alan<br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Mon, 10 Mar 2014 20:46:19 +0000<br>
From: "Darren Ward (darrward)" <<a href="mailto:darrward@cisco.com">darrward@cisco.com</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: RE: Authorise based on Calling Station ID ?<br>
Message-ID:<br>
<<a href="mailto:5D5ED6338DFDB54B8E876331223AEE2D1F88F871@xmb-rcd-x10.cisco.com">5D5ED6338DFDB54B8E876331223AEE2D1F88F871@xmb-rcd-x10.cisco.com</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Hi Alan<br>
<br>
I guess the question is because the accounting files are the only place that contains both the calling-station-id and username how can I write unlang in the authorise that would be able to look up the active session to match the mac address?<br>
<br>
i.e. I would need to parse the accounting files for the mac address and find the matching username then look up the username in the 'users' file to authorise with the appropriate attributes<br>
<br>
I'm not sure how to do that lookup of files or cache<br>
<br>
Darren<br>
<br>
-----Original Message-----<br>
From: freeradius-users-bounces+darrward=<a href="mailto:cisco.com@lists.freeradius.org">cisco.com@lists.freeradius.org</a> [mailto:<a href="mailto:freeradius-users-bounces%2Bdarrward">freeradius-users-bounces+darrward</a>=<a href="mailto:cisco.com@lists.freeradius.org">cisco.com@lists.freeradius.org</a>] On Behalf Of Alan DeKok<br>
Sent: Monday, 10 March 2014 11:11 PM<br>
To: FreeRadius users mailing list<br>
Subject: Re: Authorise based on Calling Station ID ?<br>
<br>
Darren Ward (darrward) wrote:<br>
> The mac address was sent by the wifi controller as the<br>
> calling-station-id but the question is how do I match that field<br>
> against the user to authorise them?<br>
<br>
$ man unlang<br>
<br>
It tells you how to do if/then/else checks.<br>
<br>
Perhaps you have a more specific question?<br>
<br>
Alan DeKok.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
<br>
<br>
------------------------------<br>
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
<br>
End of Freeradius-Users Digest, Vol 107, Issue 42<br>
*************************************************<br>
</blockquote></div><br></div></div>