Hi Kalik,
Thanks for your help...
Now i can send two Qos profiles and it's working fine.
Thanks,
Gayathri
Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: freeradius active directory integration fails with "no
such realm" (Andrei-Florian Staicu)
2. Re: want to authorise but not authenticate (Arran Cudbard-Bell)
3. Re: want to authorise but not authenticate (Ivan Kalik)
4. Re: How to configure 2 wimax qos profiles for the user in
users file (Ivan Kalik)
----------------------------------------------------------------------
Message: 1
Date: Wed, 08 Jul 2009 12:31:21 +0300
From: Andrei-Florian Staicu <andrei.staicu@gmail.com>
Subject: Re: freeradius active directory integration fails with "no
such realm"
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <4A546769.8020709@googlemail.com>
Content-Type: text/plain; charset=ISO-8859-2; format=flowed
Alan DeKok wrote:
> Andrei-Florian Staicu wrote:
>
>> Hello again. I've reached the output from here:
>> http://pastebin.com/d19f28a24 , and i still don't understand why it
>> doesen't call the ntlm_auth line
>>
>
> It looks like you are adding a "Proxy-To-Realm := LOCAL".
>
> ...
>
>> PEAP: Sending tunneled request
>> EAP-Message =
>> 0x02060018014950534f305c616e647265692e737461696375
>> FreeRADIUS-Proxied-To = 127.0.0.1
>> User-Name = "IPSO0\\andrei.staicu"
>> server inner-tunnel {
>> +- entering group authorize
>> rlm_realm: Looking up realm "IPSO0" for User-Name =
>> "IPSO0\andrei.staicu"
>> rlm_realm: Found realm "IPSO0"
>> rlm_realm: Adding Stripped-User-Name = "andrei.staicu"
>> rlm_realm: Adding Realm = "IPSO0"
>> rlm_realm: Authentication realm is LOCAL.
>> ++[ntdomain] returns noop
>> ++[mschap] returns noop
>> ++[control] returns noop
>>
>
> Why is that "update control" section there? What is in it?
>
>
>
>> rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing
>>
> EAP.
>
> It's being proxied to realm LOCAL. You have added a LOCAL realm.
> Don't do that.
>
>
>> ++[eap] returns noop
>> WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
>> exist! Cancelling invalid proxy request.
>>
>
> Even more proof. The IPSO0 realm above is added because it exists.
> The server does NOT add a "Proxy-To-Realm := LOCAL". You have done
> that. Delete it from your configuration.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
It works now. Thank you very much for clearing thing up for me.
------------------------------
Message: 2
Date: Wed, 08 Jul 2009 10:33:22 +0100
From: Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>
Subject: Re: want to authorise but not authenticate
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <4A5467E2.5040309@sussex.ac.uk>
Content-Type: text/plain; charset=UTF-8; format=flowed
On 8/7/09 10:19, A.L.M.Buxey@lboro.ac.uk wrote:
> hi,
>
> heres one for a wednesday morning.
>
>
> we have a system that we've been done plain authorizations
> via FreeRADIUS - the device sends the following RADIUS request
>
> username: userid
> password: userid
>
> (ie the system sends the username and makes the password the same)
>
> okay. fair enough....a bit of unlang and a check that if the username = password
> then set the Auth-Type to something false et voila. all okay.
>
>
> it has now been decided to also do authentication via RADIUS
> and this is where things get messy.
>
>
> by removing the Auth-Type kludge, we can successfully authenticate
> a real user with their real password.... however, the authorization
> now fails because the device still sends username/password with
> the password the same as the username - this now hits the
> FreeRADIUS server which cannot find a valid Auth-Type for the user
> and thus fails authentication and therefore sends back a 'blurgh'
> to the box requesting authorization.
authorize {
if((User-Name == User-Password) && %{ldap:etc...}){
update control {
Auth-Type := 'NULL'
}
}
else {
// Authentication modules
}
}
Auth-Type NULL {
ok
}
>
> this is to be expected because there is nothing in the request to
> distoniguish between an authorization request and an authentication
> request.
>
> so the question is, how do we handle this so that the system can
> send a username=password for authorization AND a proper authentication
> can happen WITHOUT (hers a gotcha) the user doing something cute
> like putting their username in as their password! ;-)
Slightly confused as to what you want... Try again without the caffeine ?
Arran
--
Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
------------------------------
Message: 3
Date: Wed, 8 Jul 2009 10:35:04 +0100 (BST)
From: "Ivan Kalik" <tnt@kalik.net>
Subject: Re: want to authorise but not authenticate
To: "FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
Message-ID:
<10825.194.176.105.43.1247045704.squirrel@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
> we have a system that we've been done plain authorizations
> via FreeRADIUS - the device sends the following RADIUS request
>
> username: userid
> password: userid
>
> (ie the system sends the username and makes the password the same)
>
> okay. fair enough....a bit of unlang and a check that if the username =
> password
> then set the Auth-Type to something false et voila. all okay.
>
>
> it has now been decided to also do authentication via RADIUS
> and this is where things get messy.
>
>
> by removing the Auth-Type kludge, we can successfully authenticate
> a real user with their real password.... however, the authorization
> now fails because the device still sends username/password with
> the password the same as the username - this now hits the
> FreeRADIUS server which cannot find a valid Auth-Type for the user
> and thus fails authentication and therefore sends back a 'blurgh'
> to the box requesting authorization.
>
> this is to be expected because there is nothing in the request to
> distoniguish between an authorization request and an authentication
> request.
>
> so the question is, how do we handle this so that the system can
> send a username=password for authorization AND a proper authentication
> can happen WITHOUT (hers a gotcha) the user doing something cute
> like putting their username in as their password! ;-)
Send Service-Type = Authorize-Only in authorization request. Then you can
distinguish between the requsts. Or do authorization in the same time as
authentication.
Without opening a major security hole. You can set Auth-Type to Accept if
User-Name = User-Password in the request but that would enable anyone to
log in knowing just username.
Ivan Kalik
Kalik Informatika ISP
------------------------------
Message: 4
Date: Wed, 8 Jul 2009 10:39:48 +0100 (BST)
From: "Ivan Kalik" <tnt@kalik.net>
Subject: Re: How to configure 2 wimax qos profiles for the user in
users file
To: "FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
Message-ID:
<59554.194.176.105.43.1247045988.squirrel@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
> I am trying to configure the two wimax qos profiles for the single user as
> one for uplink and another for downlink.
> If i configure the same attributes two times, in the Access-Accept message
> the first configured wimax attribute value only is sending but its not
> sending the same attribute again which has different value. is there any
> way
> to do this and make it work?
http://wiki.freeradius.org/Operators
+=
Ivan Kalik
Kalik Informatika ISP
------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 51, Issue 30
************************************************