Hi Ivan,
> 4. RE: Freeradius-Users Digest, Vol 49, Issue 87 (Ivan Kalik)
>And how will you know to which ISP does the user belong to?
Normally they
>enter names like user@ISP1 and user@ISP2. That way you know to
which home
>server to proxy to.
The ISP is identified using @ISP1 in User-Name attribute.
The problem is the following:
The customers ask me if possible
send them the packets from an interface defined.
My Radius proxy listen on an IP address (i.e. 192.168.1.3)
for authentication packet and forwarding them towards two different networks (i.e.
192.168.14.4(Customer1) and 192.168.24.4(Customer2))
Thanks
Marco
-----Original Message-----
From:
freeradius-users-bounces+marco.de.magistris=ericsson.com@lists.freeradius.org
[mailto:freeradius-users-bounces+marco.de.magistris=ericsson.com@lists.freeradius.org]
On Behalf Of freeradius-users-request@lists.freeradius.org
Sent: mercoledì 20 maggio 2009 12.00
To:
Subject: Freeradius-Users Digest, Vol 49, Issue 89
Send Freeradius-Users mailing list submissions to
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Dynamic clients and NAS-Identifier (Alan DeKok)
2. Re: question about windows users (Ivan Kalik)
3. Re: Is it possible to share bandwidth or maximum downloaded
bytes (Ivan Kalik)
4. RE: Freeradius-Users Digest, Vol 49, Issue 87 (Ivan Kalik)
5. Freeradius LDAP weird login issue (cktan)
6. RE: Dynamic clients and NAS-Identifier (Santiago Balaguer Garc?a)
7. Re: Dynamic clients and NAS-Identifier (Ivan Kalik)
----------------------------------------------------------------------
Message: 1
Date: Wed, 20 May 2009 11:04:52 +0200
From: Alan DeKok <aland@deployingradius.com>
Subject: Re: Dynamic clients and NAS-Identifier
To: FreeRadius users mailing list
<
Message-ID: <4A13C7B4.2070803@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Johan Meiring wrote:
> I realise, i've asked for the before, and it is on your todo list,
but
> I'd like to make a case again for maybe getting it moved up higher
onto
> the list.
My "to do" list right now is:
- consulting work (my *only* source of income is FreeRADIUS)
- 3 IETF documents that I'm author / co-author
- White paper for a linux conference
> The current "clients" structure identify the NAS's by ip
address.
> While this is perfect for corporate environments, it is not so
perfect
> for the hotspot environment in which we operate.
RADIUS was never designed to work that way. It's insecure.
One of the documents I'm writing involves leveraging SSL to allow
that
capability. But implementations are a long ways out.
> We need to somehow authenticate the nas, so someone can not send
"rough"
> accounting info to radius.
You could always write a simple RADIUS proxy that did those checks.
It likely could be done in ~200-300 lines of Perl.
> I'm sure that I'm not the only one that have NAS's behind dynamic
IPs,
> and this would make radius traffic from such NAS's much more
secure.
Maybe...
Alan DeKok.
------------------------------
Message: 2
Date: Wed, 20 May 2009 10:38:45 +0100 (BST)
From: "Ivan Kalik" <tnt@kalik.net>
Subject: Re: question about windows users
To: "FreeRadius users mailing list"
<
Message-ID:
<30072.194.176.105.43.1242812325.squirrel@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
> could you give me good freeradius guide for dummies - I think I
need it :)
>
Guide: don't make any changes to the default configuration unless you
know
what you are doing. That's it.
Server is configured by default to handle EAP-TLS. There is nothing
that
you need to do to make it happen.
Now, about your problem: freeradius uses fake realm example.com - for
examples. Of proxying, fail-over home servers, use of vitual servers
etc.
Why are *you* using it as well? These examples are not what you want to
do.
Use your own domain. For EAP-TLS - no modification needed. I have seen
you
going on about PEAP as well. If those users are also using format
user@your_domain, then create local realm your_domain - it won't
interfere
with EAP-TLS and will create Stripped-User-Name that can be used for
authentication.
Ivan Kalik
Kalik Informatika ISP
------------------------------
Message: 3
Date: Wed, 20 May 2009 10:43:21 +0100 (BST)
From: "Ivan Kalik" <tnt@kalik.net>
Subject: Re: Is it possible to share bandwidth or maximum downloaded
bytes
To: "FreeRadius users mailing list"
<
Message-ID:
<10246.194.176.105.43.1242812601.squirrel@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
> I have 3 users and I want to give them 1Mbps/256Kbps bandwidth.
They must
> not have this bandwidth individually but must share it. Is it
possible to
> do
> with freeRADIUS. If so can you help me on what I have to do.
No, radius can't do that. But you can fix their IPs or make them a
small
pool and then limit that IP range as a bundle on your router.
Ivan Kalik
Kalik Informatika ISP
------------------------------
Message: 4
Date: Wed, 20 May 2009 10:47:08 +0100 (BST)
From: "Ivan Kalik" <tnt@kalik.net>
Subject: RE: Freeradius-Users Digest, Vol 49, Issue 87
To: "FreeRadius users mailing list"
<
Message-ID:
<47671.194.176.105.43.1242812828.squirrel@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
> Hi Alan,
>
>
>
>> 1. Radius Client sends packets towards Radius Proxy (from
192.168.1.2
>
>> to 192.168.1.3)
>
>> 2. Radius proxy listen on 192.168.1.3 for authentication
packet and
>
>> forwarding them towards two different network
(192.168.14.4 and
>
>> 192.168.24.4)
>
>
>
> 192.168.14.4 and 192.168.24.4 are 2 different Radius Servers.
>
> 192.168.14.4: Radius Server for IPS 1.
>
> 192.168.24.4: Radius Server for IPS 2.
>
>
>
> I need send the packets towards ISP1 using VLAN1 and towards ISP2
using
> VLAN2.
>
And how will you know to which ISP does the user belong to? Normally
they
enter names like user@ISP1 and user@ISP2. That way you know to which
home
server to proxy to.
Ivan Kalik
Kalik Informatika ISP
------------------------------
Message: 5
Date: Wed, 20 May 2009 17:48:52 +0800
From: cktan <cktan@ocesb.com.my>
Subject: Freeradius LDAP weird login issue
To: FreeRadius users mailing list
<
Message-ID: <4A13D204.1080706@ocesb.com.my>
Content-Type: text/plain; charset="iso-8859-1";
Format="flowed"
Hi all,
I'm using freeradius+LDAP for the PPPoE dialup access control for a
while. Lately I noticed there is weird issue whereby an user login with
username as "user=5C=5C=5C=5Cuser@domain" and surprisingly
freeradius
allow it to login although the actual username should be
"user@domain".
I've run radius in -X mode and capture the log for your reference as
below. In radiusd -X, we noticed server received Access-Request with
username "user=5C=5C=5C=5Cuser@domain" but when reach to
radius_xlat,
the uid will become "user" only and when it query my LDAP the
account
for "user" is available and it will accept the access
request. The
question is why "user=5C=5C=5C=5Cuser" = "user"? We
try the username
with xC (i.e. 1C, 2C, 3C and so on...) and all are able to login
because
radius will take as user@domain. After login, the username in radacct
will become "user=5C=5C=5C=5Cuser@domain" instead of
"user@domain". As
the consequence, the smart user may have multiple logins (by using
user=1C/2C/3C....) and the records in radacct is different and
therefore
we will out of control for multiple login with single account. Any idea
to fix this?
rad_recv: Access-Request packet from host 127.0.0.1:32877, id=87,
length=93
User-Name = *"user=5C=5C=5C=5Cuser@domain"*
User-Password = "password"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rlm_ldap: performing user authorization for *user=5c=5c=5c=5cuser*
radius_xlat: * '(uid=user)'*
Regards
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freeradius.org/pipermail/freeradius-users/attachments/20090520/dd79b56f/attachment.html>
------------------------------
Message: 6
Date: Wed, 20 May 2009 09:51:49 +0000
From: Santiago Balaguer Garc?a <santiagoawa@hotmail.com>
Subject: RE: Dynamic clients and NAS-Identifier
To: Lista de correo RADIUS <
Message-ID: <BAY143-W6D91A9DFFF280017E8BD5B0580@phx.gbl>
Content-Type: text/plain; charset="iso-8859-1"
> > I'm sure that I'm not the only one that have NAS's behind
dynamic IPs,
> > and this would make radius traffic from such NAS's much more
secure.
OK, if you have Dynamic public IP you have two options:
1) use a DNS to identify the dynamic IP of your hotspot. It means that
your DSL router or hotspot has capability to update its public IP every x
minutes. You can use dyndns.org service. DSL routers normally have this
feature.
2) Install a VPN tunnel like PPPTP/L2TP/OVPN... and route all the
autentication request for this range. For instance, you have your radius server
with IP 10.200.0.11 and your NASes with 10.200.0.x range. All the auth request
are sent by the tunnel, so all ones are valid.
I tried both methods with good results. However second option is
better because you have another way to access to your hotspots since you know
which is hotspot IP (tunnel IP (10.200.0.x)).
_________________________________________________________________
?Qu?tate unos clics! Ahora, Internet Explorer 8 tiene todo lo que te
gusta de Windows Live ?Cons?guelo gratis!
http://ie8.msn.com/microsoft/internet-explorer-8/es-es/ie8.aspx
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freeradius.org/pipermail/freeradius-users/attachments/20090520/5f2d07ba/attachment.html>
------------------------------
Message: 7
Date: Wed, 20 May 2009 10:59:19 +0100 (BST)
From: "Ivan Kalik" <tnt@kalik.net>
Subject: Re: Dynamic clients and NAS-Identifier
To: "FreeRadius users mailing list"
<
Message-ID:
<47988.194.176.105.43.1242813559.squirrel@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
> The problem is that the hotspots can be anywhere. They are mostly
> behind ADSL lines. The source ip address of the radius packet is
> therefore not predictable.
>
Ahem, it's not. But subnet is. There can't be that many IP pools ADSL
providers can use. And you configure the subnet, not exact IP in
dynamic-clients. Just make one for each ADSL pool.
> The only other way I can thing of is identifying the nas by the
> NAS-Identifier.
>
Why "other"? That's a bad idea.
> To sum up.
> Currently a nas is "authenticated" by ip address/radius
secret.
> I feel that being able to "authenticate" a nas by nas
identifier/radius
> secret is a very good enhancement.
>
> I'm sure that I'm not the only one that have NAS's behind dynamic
IPs,
> and this would make radius traffic from such NAS's much more
secure.
>
No, that would be less secure. Enhancement woud be to have
NAS-Identifier
*on top* of Packet-Src-IP-Address. Then you could assign individual
shared
secrets to each hotspot (at present whole range has to have same shared
secret).
Ivan Kalik
Kalik Informatika ISP
------------------------------
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 49, Issue 89
************************************************