Arran,
 
Thanks for your kind reply.
 
It works.
 
As you and Phil advised, I edit 2 files.
 
/usr/local/etc/raddb/sites-available/default
/usr/local/etc/raddb/sites-available/inner-tunnel
 
The script Phil wrote was put right after "sql" line.
 
Thanks!
 
Tom
 
 
------------------ Original ------------------
Date:  Thu, Sep 1, 2011 09:48 PM
To:  "freeradius-users"<freeradius-users@lists.freeradius.org>;
Subject:  Freeradius-Users Digest, Vol 77, Issue 3
 
Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request@lists.freeradius.org

You can reach the person managing the list at
freeradius-users-owner@lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Re: Special WIFI Router MAC check for the user's first
      connection. (Tom) (Arran Cudbard-Bell)


----------------------------------------------------------------------

Message: 1
Date: Thu, 1 Sep 2011 15:48:18 +0200
From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Subject: Re: Special WIFI Router MAC check for the user's first
connection. (Tom)
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <5FF70066-722F-42B0-B2E1-6B63649E133F@freeradius.org>
Content-Type: text/plain; charset="iso-8859-1"


On 1 Sep 2011, at 15:40, 2394263740 wrote:

> Phil,

> Thanks a lot for your great help.

> I understand the scripts you wrote. But I don't know where I should put it in.

> Can you please kindly advise which file I should edit?

> /usr/local/etc/raddb/sites-available/default?

Yes in the authorize section, thats why the script is encapsulated within and authorize {} stanza :)

-Arran

>


> ------------------ Original ------------------
> From:  "freeradius-users"<freeradius-users-request@lists.freeradius.org>;
> Date:  Thu, Sep 1, 2011 02:51 AM
> To:  "freeradius-users"<freeradius-users@lists.freeradius.org>;
> Subject:  Freeradius-Users Digest, Vol 76, Issue 108

> Send Freeradius-Users mailing list submissions to
> freeradius-users@lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request@lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner@lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS
>       server (Phil Mayers)
>    2. Re: Special WIFI Router MAC check for the user?s first
>       connection. (Phil Mayers)
>    3. Using rlm_passwd as a substitute for hunt groups
>       (Jan.Weiss@t-systems.com)
>    4. problem with LDAP backend (Frank Bonnet)
>    5. Re: problem with chillispot (Alan DeKok)
>    6. Re: problem with LDAP backend (Alan DeKok)
>    7. Rating usage (Shreya Shah)
>    8. Re: problem with chillispot (Goke M Aruna)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 31 Aug 2011 14:48:00 +0100
> From: Phil Mayers <p.mayers@imperial.ac.uk>
> Subject: Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS
> server
> To: freeradius-users@lists.freeradius.org
> Message-ID: <4E5E3B90.2020109@imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 30/08/11 21:12, Glenn Machin wrote:
> > Phil - thanks for the feedback.
> >
> > I just ended up proxying out to the IAS server usernames starting with
> > "DOMAIN\".
>
> Ok. Obviously that will fail if enters their wireless credentials
> without a domain.
>
> >
> > I configured the freeradius server to not support mschapv2 but will
> > support PEAP/GTC EAP/TLS.
> >
> >
> > It seems to be working fine with the Macs, iPads and Linux systems while
> > the windows systems are happy to talk to the IAS server.
> >
> >
> > It still bugs that ntlm_auth would not authenticate to the domain
> > controllers the challenge and nt-response.
>
> I repeat: if you send debug info, people may be able to help.
>
> >
> >
> > I assume no one else is having any issues using ntlm_auth to W2008
> > servers? It may be some Windows GPO at our site for all I know.
>
> Exactly which version of windows (2008 or 2008R2?) and at which
> functional level is your domain?
>
> Did you try increasing the debug level for winbind using "smbcontrol"
> and then examining the debug logs after a failed auth?
>
> For what it's worth, we have no problems with Windows 2008R2 domain
> controllers and the "samba3x" package available under RHEL5 (samba
> version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3)
> versions after we'd upgraded to 2008R2 and upgraded functional level.
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 31 Aug 2011 14:55:35 +0100
> From: Phil Mayers <p.mayers@imperial.ac.uk>
> Subject: Re: Special WIFI Router MAC check for the user?s first
> connection.
> To: freeradius-users@lists.freeradius.org
> Message-ID: <4E5E3D57.2000903@imperial.ac.uk>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 31/08/11 12:38, 2394263740 wrote:
>
> > For example, WIFI AP 26, has the MAC address MAC26. I need ensure one
> > WIFI user, say user 58, must connect to WIFI AP 26 for the first time.
> > After the first connection, user 58 can connect to any WIFI AP in the
> > network.
> > Can someone give some advice on how to do it?
>
>   1. Create a whitelist of users who can authenticate to any AP using
> files, rlm_passwd or ideally SQL - see the FreeRADIUS wiki
>
>   2. If they are *not* found in the whitelist, check the
> "Called-Station-Id" attribute, which usually contains the MAC address of
> the AP. If your equipment uses a different attribute, check that.
>
>   3. If the AP MAC is the correct one, add the user to the whitelist,
> else reject
>
> For example:
>
> authorize {
>
>   ...
>   update control {
>     Tmp-String-0 := "%{sql:select 1 from whitelist where
> username='%{User-Name}'}"
>   }
>   if (control:Tmp-String-0 == 1) {
>     # user is in whitelist
>   }
>   elsif (Called-Station-Id == "aa-bb-cc-dd-ee-ff") {
>     # user is connecting to the "whitelist" AP
>     update control {
>       Tmp-String-0 = "%{sql:insert into whitelist (username) values
> ('%{User-Name}')}"
>     }
>   }
>   else {
>    reject
>   }
>   ...
>
> }
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 31 Aug 2011 16:11:48 +0200
> From: Jan.Weiss@t-systems.com
> Subject: Using rlm_passwd as a substitute for hunt groups
> To: <freeradius-users@lists.freeradius.org>
> Message-ID:
> <3DD77603D0726248A46541D5119607CE27DFC71606@HE111524.emea1.cds.t-internal.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> >Did you remember to actually define 'My-Device-Group' as an attribute?
> >
> >-Arran
> >
> >Arran Cudbard-Bell
> >a.cudbardb@freeradius.org
> >
> >RADIUS - Half the complexity of Diameter
>
>
> Dictionary:
> ATTRIBUTE       My-Device-Group         3000    string
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 31 Aug 2011 17:02:32 +0200
> From: Frank Bonnet <f.bonnet@esiee.fr>
> Subject: problem with LDAP backend
> To: freeradius-users@lists.freeradius.org
> Message-ID: <4E5E4D08.5060109@esiee.fr>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hello
>
> Still trying to use freeradius with chillispot I still have problems
>
> I'm trying to use mixed authentication
>
> MAC addresses for some video devices in the "users" file
> as follows :
>
> 00-06-F4-0D-08-66       Auth-Type := Local, User-Password == "xxxxxxxx"
>                          Framed-IP-Address = 192.168.182.213,
>                          Fall-Through = Yes
>
> LDAP backend for "real" users at the end of the "users" file I have this
> statement
>
> DEFAULT    Auth-Type = LDAP
>      Fall-Through = 1
>
> This configuration were working well on a very old debian machine which
> died suddenly
>
> When I try to access the the chilli portal it ask radius for authentication
> but it dows not work. See below the debug trace of radius daemon.
> Help greatly appreciated, thank you.
>
>
> Wed Aug 31 16:52:39 2011 : Debug:   Processing the authorize section of
> radiusd.conf
> Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authorize for
> request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling
> preprocess (rlm_preprocess) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from
> preprocess (rlm_preprocess) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module
> "preprocess" returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling eap
> (rlm_eap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   rlm_eap: No EAP-Message, not doing EAP
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from
> eap (rlm_eap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "eap"
> returns noop for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling files
> (rlm_files) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:     users: Matched entry DEFAULT at
> line 398
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from
> files (rlm_files) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "files"
> returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling ldap
> (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authorize
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing user
> authorization for xxxxxxxx
> Wed Aug 31 16:52:39 2011 : Debug: radius_xlat:  '(uid=xxx)'
> Wed Aug 31 16:52:39 2011 : Debug: radius_xlat:  'ou=Users,dc=esiee,dc=fr'
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing search in
> ou=Users,dc=esiee,dc=fr, with filter (uid=hrazdira)
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: checking if remote access
> for xxxxxxxx is allowed by uid
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for check items in
> directory...
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for reply items in
> directory...
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: user xxxxxxxx authorized to
> use remote access
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from
> ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "ldap"
> returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling pap
> (rlm_pap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_pap: WARNING! No "known good"
> password found for the user.  Authentication may fail because of this.
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from
> pap (rlm_pap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "pap"
> returns noop for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authorize
> (returns ok) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   rad_check_password:  Found Auth-Type
> LDAP
> Wed Aug 31 16:52:39 2011 : Debug: auth: type "LDAP"
> Wed Aug 31 16:52:39 2011 : Debug:   Processing the authenticate section
> of radiusd.conf
> Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authenticate
> for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authenticate]: calling
> ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authenticate
> Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is
> required for authentication. Cannot use "CHAP-Password".
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authenticate]: returned
> from ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authenticate]: module "ldap"
> returns invalid for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authenticate
> (returns invalid) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: auth: Failed to validate the user.
> Wed Aug 31 16:52:39 2011 : Debug: Delaying request 15 for 1 seconds
> Wed Aug 31 16:52:39 2011 : Debug: Finished request 15
> Wed Aug 31 16:52:39 2011 : Debug: Going to the next request
> Wed Aug 31 16:52:39 2011 : Debug: --- Walking the entire request list ---
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 31 Aug 2011 12:27:36 -0400
> From: Alan DeKok <aland@deployingradius.com>
> Subject: Re: problem with chillispot
> To: FreeRadius users mailing list
> <freeradius-users@lists.freeradius.org>
> Message-ID: <4E5E60F8.8070409@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Goke M Aruna wrote:
> > Is it bug on freeradius v2?
>
>   No.
>
> > I got the chillispot working with freeradius 1.7 then and still tested
> > same recently but v2 of radius give same error while v1 work
> > seamlessly. I compiled this on centos 5.6.
>
>   You mistyped the shared secret.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 31 Aug 2011 12:30:45 -0400
> From: Alan DeKok <aland@deployingradius.com>
> Subject: Re: problem with LDAP backend
> To: FreeRadius users mailing list
> <freeradius-users@lists.freeradius.org>
> Message-ID: <4E5E61B5.2000601@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Frank Bonnet wrote:
> > MAC addresses for some video devices in the "users" file
> > as follows :
> >
> > 00-06-F4-0D-08-66       Auth-Type := Local, User-Password == "xxxxxxxx"
>
>   That's wrong.  See the debug output for reasons why.  See the FAQ for
> correct examples.
>
> > LDAP backend for "real" users at the end of the "users" file I have this
> > statement
> >
> > DEFAULT    Auth-Type = LDAP
> >     Fall-Through = 1
>
>   That's not needed.
>
> > Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is
> > required for authentication. Cannot use "CHAP-Password".
>
>   That's pretty clear.  The NAS is sending a CHAP request.  You can't do
> that with "Auth-Type LDAP"
>
>   Instead, list "ldap" in the "authorize" section.
>
>   Don't set Auth-Type.  It's almost always wrong.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 31 Aug 2011 13:23:20 -0400
> From: Shreya Shah <shreya.nshah@gmail.com>
> Subject: Rating usage
> To: FreeRadius users mailing list
> <freeradius-users@lists.freeradius.org>
> Message-ID:
> <CANN_Z9KOKD0HfM+s_wVmZTyobN=8qcLxbfdQBBrX+KBPUBo-2w@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Is it possible to rate users based on their data usage and reject
> authentication to those users exceeding the limit ?
>
> I think I can achieve rating using counter.conf and reading the usage from
> radacct but not sure how to reject this user from authenticating when he
> exceeds this usage limit ?
>
> Thanks,
> Shreya.
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20110831/ad586a05/attachment.html>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 31 Aug 2011 19:51:20 +0100
> From: Goke M Aruna <goksie@gmail.com>
> Subject: Re: problem with chillispot
> To: FreeRadius users mailing list
> <freeradius-users@lists.freeradius.org>
> Message-ID:
> <CAE=DitpQoroJHxQA7u+BtCuXhEh0_1V-TahmuW1ntgiO9_e69Q@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Allan,
> Mistyped shared-secret? How can I confirm that?
>
> Thank you.
>
> On 8/31/11, Alan DeKok <aland@deployingradius.com> wrote:
> > Goke M Aruna wrote:
> >> Is it bug on freeradius v2?
> >
> >   No.
> >
> >> I got the chillispot working with freeradius 1.7 then and still tested
> >> same recently but v2 of radius give same error while v1 work
> >> seamlessly. I compiled this on centos 5.6.
> >
> >   You mistyped the shared secret.
> >
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
> --
> Sent from my mobile device
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 76, Issue 108
> *************************************************
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Arran Cudbard-Bell
a.cudbardb@freeradius.org

RADIUS - Half the complexity of Diameter

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20110901/83b490af/attachment.html>

------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 77, Issue 3
***********************************************