Hi Ivan,
4. RE: Freeradius-Users Digest, Vol 49, Issue 87 (Ivan Kalik)
And how will you know to which ISP does the user belong to? Normally they
enter names like user@ISP1 and user@ISP2. That way you know to which home
server to proxy to.
The ISP is identified using @ISP1 in User-Name attribute. The problem is the following: The customers ask me if possible send them the packets from an interface defined. My Radius proxy listen on an IP address (i.e. 192.168.1.3) for authentication packet and forwarding them towards two different networks (i.e. 192.168.14.4(Customer1) and 192.168.24.4(Customer2)) Thanks Marco -----Original Message----- From: freeradius-users-bounces+marco.de.magistris=ericsson.com@lists.freeradius.org [mailto:freeradius-users-bounces+marco.de.magistris=ericsson.com@lists.freeradius.org] On Behalf Of freeradius-users-request@lists.freeradius.org Sent: mercoledì 20 maggio 2009 12.00 To: freeradius-users@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 49, Issue 89 Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..." Today's Topics: 1. Re: Dynamic clients and NAS-Identifier (Alan DeKok) 2. Re: question about windows users (Ivan Kalik) 3. Re: Is it possible to share bandwidth or maximum downloaded bytes (Ivan Kalik) 4. RE: Freeradius-Users Digest, Vol 49, Issue 87 (Ivan Kalik) 5. Freeradius LDAP weird login issue (cktan) 6. RE: Dynamic clients and NAS-Identifier (Santiago Balaguer Garc?a) 7. Re: Dynamic clients and NAS-Identifier (Ivan Kalik) ---------------------------------------------------------------------- Message: 1 Date: Wed, 20 May 2009 11:04:52 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: Dynamic clients and NAS-Identifier To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4A13C7B4.2070803@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1 Johan Meiring wrote:
I realise, i've asked for the before, and it is on your todo list, but
I'd like to make a case again for maybe getting it moved up higher onto
the list.
My "to do" list right now is: - consulting work (my *only* source of income is FreeRADIUS) - 3 IETF documents that I'm author / co-author - White paper for a linux conference
The current "clients" structure identify the NAS's by ip address.
While this is perfect for corporate environments, it is not so perfect
for the hotspot environment in which we operate.
RADIUS was never designed to work that way. It's insecure. One of the documents I'm writing involves leveraging SSL to allow that capability. But implementations are a long ways out.
We need to somehow authenticate the nas, so someone can not send "rough"
accounting info to radius.
You could always write a simple RADIUS proxy that did those checks. It likely could be done in ~200-300 lines of Perl.
I'm sure that I'm not the only one that have NAS's behind dynamic IPs,
and this would make radius traffic from such NAS's much more secure.
Maybe... Alan DeKok. ------------------------------ Message: 2 Date: Wed, 20 May 2009 10:38:45 +0100 (BST) From: "Ivan Kalik" <tnt@kalik.net> Subject: Re: question about windows users To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <30072.194.176.105.43.1242812325.squirrel@webmail.kalik.net> Content-Type: text/plain;charset=utf-8
could you give me good freeradius guide for dummies - I think I need it :)
Guide: don't make any changes to the default configuration unless you know what you are doing. That's it. Server is configured by default to handle EAP-TLS. There is nothing that you need to do to make it happen. Now, about your problem: freeradius uses fake realm example.com - for examples. Of proxying, fail-over home servers, use of vitual servers etc. Why are *you* using it as well? These examples are not what you want to do. Use your own domain. For EAP-TLS - no modification needed. I have seen you going on about PEAP as well. If those users are also using format user@your_domain, then create local realm your_domain - it won't interfere with EAP-TLS and will create Stripped-User-Name that can be used for authentication. Ivan Kalik Kalik Informatika ISP ------------------------------ Message: 3 Date: Wed, 20 May 2009 10:43:21 +0100 (BST) From: "Ivan Kalik" <tnt@kalik.net> Subject: Re: Is it possible to share bandwidth or maximum downloaded bytes To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <10246.194.176.105.43.1242812601.squirrel@webmail.kalik.net> Content-Type: text/plain;charset=utf-8
I have 3 users and I want to give them 1Mbps/256Kbps bandwidth. They must
not have this bandwidth individually but must share it. Is it possible to
do
with freeRADIUS. If so can you help me on what I have to do.
No, radius can't do that. But you can fix their IPs or make them a small pool and then limit that IP range as a bundle on your router. Ivan Kalik Kalik Informatika ISP ------------------------------ Message: 4 Date: Wed, 20 May 2009 10:47:08 +0100 (BST) From: "Ivan Kalik" <tnt@kalik.net> Subject: RE: Freeradius-Users Digest, Vol 49, Issue 87 To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <47671.194.176.105.43.1242812828.squirrel@webmail.kalik.net> Content-Type: text/plain;charset=utf-8
Hi Alan,
1. Radius Client sends packets towards Radius Proxy (from 192.168.1.2
to 192.168.1.3)
2. Radius proxy listen on 192.168.1.3 for authentication packet and
forwarding them towards two different network (192.168.14.4 and
192.168.24.4)
192.168.14.4 and 192.168.24.4 are 2 different Radius Servers.
192.168.14.4: Radius Server for IPS 1.
192.168.24.4: Radius Server for IPS 2.
I need send the packets towards ISP1 using VLAN1 and towards ISP2 using
VLAN2.
And how will you know to which ISP does the user belong to? Normally they enter names like user@ISP1 and user@ISP2. That way you know to which home server to proxy to. Ivan Kalik Kalik Informatika ISP ------------------------------ Message: 5 Date: Wed, 20 May 2009 17:48:52 +0800 From: cktan <cktan@ocesb.com.my> Subject: Freeradius LDAP weird login issue To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4A13D204.1080706@ocesb.com.my> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed" Hi all, I'm using freeradius+LDAP for the PPPoE dialup access control for a while. Lately I noticed there is weird issue whereby an user login with username as "user=5C=5C=5C=5Cuser@domain" and surprisingly freeradius allow it to login although the actual username should be "user@domain". I've run radius in -X mode and capture the log for your reference as below. In radiusd -X, we noticed server received Access-Request with username "user=5C=5C=5C=5Cuser@domain" but when reach to radius_xlat, the uid will become "user" only and when it query my LDAP the account for "user" is available and it will accept the access request. The question is why "user=5C=5C=5C=5Cuser" = "user"? We try the username with xC (i.e. 1C, 2C, 3C and so on...) and all are able to login because radius will take as user@domain. After login, the username in radacct will become "user=5C=5C=5C=5Cuser@domain" instead of "user@domain". As the consequence, the smart user may have multiple logins (by using user=1C/2C/3C....) and the records in radacct is different and therefore we will out of control for multiple login with single account. Any idea to fix this? rad_recv: Access-Request packet from host 127.0.0.1:32877, id=87, length=93 User-Name = *"user=5C=5C=5C=5Cuser@domain"* User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rlm_ldap: performing user authorization for *user=5c=5c=5c=5cuser* radius_xlat: * '(uid=user)'* Regards -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.