Hi Kalik,

Thanks for your help...
Now i can send two Qos profiles and it's working fine.

Thanks,
Gayathri

On Wed, Jul 8, 2009 at 3:30 PM, <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to
       freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
       http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
       freeradius-users-request@lists.freeradius.org

You can reach the person managing the list at
       freeradius-users-owner@lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

  1. Re: freeradius active directory integration fails with "no
     such realm" (Andrei-Florian Staicu)
  2. Re: want to authorise but not authenticate (Arran Cudbard-Bell)
  3. Re: want to authorise but not authenticate (Ivan Kalik)
  4. Re: How to configure 2 wimax qos profiles for the user in
     users file (Ivan Kalik)


----------------------------------------------------------------------

Message: 1
Date: Wed, 08 Jul 2009 12:31:21 +0300
From: Andrei-Florian Staicu <andrei.staicu@gmail.com>
Subject: Re: freeradius active directory integration fails with "no
       such realm"
To: FreeRadius users mailing list
       <freeradius-users@lists.freeradius.org>
Message-ID: <4A546769.8020709@googlemail.com>
Content-Type: text/plain; charset=ISO-8859-2; format=flowed

Alan DeKok wrote:
> Andrei-Florian Staicu wrote:
>
>> Hello again. I've reached the output from here:
>> http://pastebin.com/d19f28a24 , and i still don't understand why it
>> doesen't call the ntlm_auth line
>>
>
>   It looks like you are adding a "Proxy-To-Realm := LOCAL".
>
> ...
>
>>  PEAP: Sending tunneled request
>>        EAP-Message =
>> 0x02060018014950534f305c616e647265692e737461696375
>>        FreeRADIUS-Proxied-To = 127.0.0.1
>>        User-Name = "IPSO0\\andrei.staicu"
>> server inner-tunnel {
>> +- entering group authorize
>>    rlm_realm: Looking up realm "IPSO0" for User-Name =
>> "IPSO0\andrei.staicu"
>>    rlm_realm: Found realm "IPSO0"
>>    rlm_realm: Adding Stripped-User-Name = "andrei.staicu"
>>    rlm_realm: Adding Realm = "IPSO0"
>>    rlm_realm: Authentication realm is LOCAL.
>> ++[ntdomain] returns noop
>> ++[mschap] returns noop
>> ++[control] returns noop
>>
>
>   Why is that "update control" section there?  What is in it?
>
>
>
>>  rlm_eap: Request is supposed to be proxied to Realm LOCAL.  Not doing
>>
> EAP.
>
>   It's being proxied to realm LOCAL.  You have added a LOCAL realm.
> Don't do that.
>
>
>> ++[eap] returns noop
>>  WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
>> exist!  Cancelling invalid proxy request.
>>
>
>   Even more proof.  The IPSO0 realm above is added because it exists.
> The server does NOT add a "Proxy-To-Realm := LOCAL".  You have done
> that.  Delete it from your configuration.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
It works now. Thank you very much for clearing thing up for me.


------------------------------

Message: 2
Date: Wed, 08 Jul 2009 10:33:22 +0100
From: Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>
Subject: Re: want to authorise but not authenticate
To: FreeRadius users mailing list
       <freeradius-users@lists.freeradius.org>
Message-ID: <4A5467E2.5040309@sussex.ac.uk>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 8/7/09 10:19, A.L.M.Buxey@lboro.ac.uk wrote:
> hi,
>
> heres one for a wednesday morning.
>
>
> we have a system that we've been done plain authorizations
> via FreeRADIUS - the device sends the following RADIUS request
>
> username: userid
> password: userid
>
> (ie the system sends the username and makes the password the same)
>
> okay. fair enough....a bit of unlang and a check that if the username = password
> then set the Auth-Type to something false et voila. all okay.
>
>
> it has now been decided to also do authentication via RADIUS
> and this is where things get messy.
>
>
> by removing the Auth-Type kludge, we can successfully authenticate
> a real user with their real password.... however, the authorization
> now fails because the device still sends username/password with
> the password the same as the username - this now hits the
> FreeRADIUS server which cannot find a valid Auth-Type for the user
> and thus fails authentication and therefore sends back a 'blurgh'
> to the box requesting authorization.

authorize {
       if((User-Name == User-Password) && %{ldap:etc...}){
               update control {
                       Auth-Type := 'NULL'
               }
       }
       else {
               // Authentication modules
       }
}


Auth-Type NULL {
       ok
}

>
> this is to be expected because there is nothing in the request to
> distoniguish between an authorization request and an authentication
> request.
>
> so the question is, how do we handle this so that the system can
> send a username=password for authorization AND a proper authentication
> can happen WITHOUT (hers a gotcha) the user doing something cute
> like putting their username in as their password! ;-)

Slightly confused as to what you want... Try again without the caffeine ?

Arran

--
Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


------------------------------

Message: 3
Date: Wed, 8 Jul 2009 10:35:04 +0100 (BST)
From: "Ivan Kalik" <tnt@kalik.net>
Subject: Re: want to authorise but not authenticate
To: "FreeRadius users mailing list"
       <freeradius-users@lists.freeradius.org>
Message-ID:
       <10825.194.176.105.43.1247045704.squirrel@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

> we have a system that we've been done plain authorizations
> via FreeRADIUS - the device sends the following RADIUS request
>
> username: userid
> password: userid
>
> (ie the system sends the username and makes the password the same)
>
> okay. fair enough....a bit of unlang and a check that if the username =
> password
> then set the Auth-Type to something false et voila. all okay.
>
>
> it has now been decided to also do authentication via RADIUS
> and this is where things get messy.
>
>
> by removing the Auth-Type kludge, we can successfully authenticate
> a real user with their real password.... however, the authorization
> now fails because the device still sends username/password with
> the password the same as the username - this now hits the
> FreeRADIUS server which cannot find a valid Auth-Type for the user
> and thus fails authentication and therefore sends back a 'blurgh'
> to the box requesting authorization.
>
> this is to be expected because there is nothing in the request to
> distoniguish between an authorization request and an authentication
> request.
>
> so the question is, how do we handle this so that the system can
> send a username=password for authorization AND a proper authentication
> can happen WITHOUT (hers a gotcha) the user doing something cute
> like putting their username in as their password! ;-)

Send Service-Type = Authorize-Only in authorization request. Then you can
distinguish between the requsts. Or do authorization in the same time as
authentication.

Without opening a major security hole. You can set Auth-Type to Accept if
User-Name = User-Password in the request but that would enable anyone to
log in knowing just username.

Ivan Kalik
Kalik Informatika ISP



------------------------------

Message: 4
Date: Wed, 8 Jul 2009 10:39:48 +0100 (BST)
From: "Ivan Kalik" <tnt@kalik.net>
Subject: Re: How to configure 2 wimax qos profiles for the user in
       users file
To: "FreeRadius users mailing list"
       <freeradius-users@lists.freeradius.org>
Message-ID:
       <59554.194.176.105.43.1247045988.squirrel@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

> I am trying to configure the two wimax qos profiles for the single user as
> one for uplink and another for downlink.
> If i configure the same attributes two times, in the Access-Accept message
> the first configured wimax attribute value only is sending but its not
> sending the same attribute again which has different value. is there any
> way
> to do this and make it work?

http://wiki.freeradius.org/Operators

+=

Ivan Kalik
Kalik Informatika ISP



------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 51, Issue 30
************************************************