Hi , I am doing a yum install & it is supposed to bring the latest version rt ? . Please let me know how I can get the version which you are using (3.0.17) . I am using centos 7 does the version which you mentioned exist for the same ? please inform me Thanks, Arun On Sun, Aug 12, 2018 at 11:39 AM < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: dynamic vlan assign and LDAP authentication (Siddhartha Mishra)
----------------------------------------------------------------------
Message: 1 Date: Sun, 12 Aug 2018 11:38:35 +0530 From: Siddhartha Mishra <siddhartha0111@gmail.com> To: freeradius-users@lists.freeradius.org Subject: Re: dynamic vlan assign and LDAP authentication Message-ID: < CAGb7Tj4XhTvHza8fd5Fk3d-rRtzi94wKBaMZXTWYPpF5aehqMg@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
Dear All,
Please help to me for configuration dynamic vlan on user authentication via LDAP. User authentication via LDAP is working But when we r going to enable file module in innertunnel and default file it's not work.
Because we add grop- LDAP detail in users file.
Please help to resolve this.
On Fri 10 Aug, 2018, 10:59 PM , < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Freeradius-Users Digest, Vol 160, Issue 9 (Alan DeKok) 2. Re: Filtering out Proxy-State in COA to fix broken Cisco NAS (Alan DeKok) 3. FOREACH error message? (Stefan Paetow) 4. Re: FOREACH error message? (Stefan Paetow) 5. Re:Re: Accounting-Request packet shared secret fail (Alan DeKok) (Kevin Virk) (Alan DeKok) (Kevin Virk)
----------------------------------------------------------------------
Message: 1 Date: Fri, 10 Aug 2018 07:21:24 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Freeradius-Users Digest, Vol 160, Issue 9 Message-ID: <3BC2D945-4A1F-4E2C-8328-61997A3A0A98@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Aug 10, 2018, at 4:29 AM, Arun NP <arun85np@gmail.com> wrote:
As suggested . I removed free radius & deleted all the files and did a fresh installation. This time , I did only the following changes :
OK.
copied default file in sites-available to a file "new" . Edited the port numbers in new four times ,two for authentication and two for accounting created a soft link for new in the sites-enabled directory
Did you edit the name? "server NEW { " ?
added my client IPs and secret to the clients.conf file started radius by "radiusd -d /etc/raddb -i 5.1.13.70 -p 2018 -X
But , still I am getting the same error.
I'm running v3.0.x head (mostly 3.0.17) and it works for me.
radiusd -d /etc/raddb -i 5.1.13.70 -p 2018 -X FreeRADIUS Version 3.0.13
Upgrade.
We're not going to track down & fix bugs which were already found and fixed years ago.
Alan DeKok.
------------------------------
Message: 2 Date: Fri, 10 Aug 2018 08:12:35 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Filtering out Proxy-State in COA to fix broken Cisco NAS Message-ID: <E01CB6A4-EDD9-4A23-BA0E-D50941E442E3@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Aug 8, 2018, at 9:19 PM, Fraser McGlinn <fraser@frizianz.com> wrote:
Trying to get COA proxying working with a Cisco NAS. Unfortunately they
have a broken implementation where if Proxy-State is in the request it drops it.
That's based on a naive reading of RFC 5176. Happily, my new draft clarifies this. It should be an RFC this year:
https://tools.ietf.org/html/draft-ietf-radext-coa-proxy-03
I dug and found this old thread
http://lists.freeradius.org/pipermail/freeradius-users/2012-April/060456.htm...
implying that we can filter out Proxy-State in attr_filter, however i've had some issues getting this working. Although this was relevant to freeradius 2x, i'm running 3.0.16.
Any other ways to achieve this? Hoping someone can point me in the
right direction.
You can delete the Proxy-State attribute in the "pre-proxy" section:
pre-proxy { ... update proxy-request { Proxy-State !* ANY } ... }
Hope that helps.
Alan DeKok.
------------------------------
Message: 3 Date: Fri, 10 Aug 2018 14:01:31 +0000 From: Stefan Paetow <Stefan.Paetow@jisc.ac.uk> To: "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org> Subject: FOREACH error message? Message-ID: <C77025A2-BE73-4732-8924-996CBE33C547@jisc.ac.uk> Content-Type: text/plain; charset=UTF-8
Alan, Arran et al,
I'm getting this message:
/etc/raddb/policy.d/moonshot-assertion[46]: MUST use attribute or list reference in 'foreach' /etc/raddb/policy.d/moonshot-assertion[46]: Failed to parse "foreach" subsection. /etc/raddb/policy.d/moonshot-assertion[38]: Failed to parse "if" subsection. /etc/raddb/policy.d/moonshot-assertion[105]: Failed to parse "saml_add_affiliation" entry.
The policy in question is this (I've marked line 46 with '46>'):
# This policy adds the eduPersonAffiliation if it exists saml_add_affiliation.post-auth { # Only try to add the Affiliation when the attribute exists if (&reply:Reply-eduPersonAffiliation) { update control { SAML-Attribute-Value !* ANY SAML-Attribute-Value += "%{explode:&reply:Reply-eduPersonAffiliation ,}" } update reply { SAML-AAA-Assertion += '<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">' } 46> foreach &control:SAML-Attribute-Value { update reply { SAML-AAA-Assertion += '<saml:AttributeValue xsi:type="xs:string">' SAML-AAA-Assertion += "%{Foreach-Variable-0}" SAML-AAA-Assertion += '</saml:AttributeValue>' } } update reply { SAML-AAA-Assertion += '</saml:Attribute>' } } }
I can't see where I'm going wrong here... It's probably something *very* obvious that I can't see. I'm using FreeRADIUS 3.0.15 (I know, I know... It's not the newest).
Can someone point out the obvious mistake? :-/
Thank you :-)
Stefan Paetow Consultant, Trust and Identity
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
------------------------------
Message: 4 Date: Fri, 10 Aug 2018 14:18:52 +0000 From: Stefan Paetow <Stefan.Paetow@jisc.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: FOREACH error message? Message-ID: <198BEB54-C708-4E9A-8A18-012E2C3B4131@jisc.ac.uk> Content-Type: text/plain; charset=UTF-8
And I've figured it out...
It would help to update the dictionary with the custom values! *headdesk*
*eyeroll*
Stefan Paetow Consultant, Trust and Identity
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
On 10/08/2018, 15:02, "Freeradius-Users on behalf of Stefan Paetow" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org on behalf of Stefan.Paetow@jisc.ac.uk> wrote:
Alan, Arran et al,
I'm getting this message:
/etc/raddb/policy.d/moonshot-assertion[46]: MUST use attribute or list reference in 'foreach' /etc/raddb/policy.d/moonshot-assertion[46]: Failed to parse "foreach" subsection. /etc/raddb/policy.d/moonshot-assertion[38]: Failed to parse "if" subsection. /etc/raddb/policy.d/moonshot-assertion[105]: Failed to parse "saml_add_affiliation" entry.
The policy in question is this (I've marked line 46 with '46>'):
# This policy adds the eduPersonAffiliation if it exists saml_add_affiliation.post-auth { # Only try to add the Affiliation when the attribute exists if (&reply:Reply-eduPersonAffiliation) { update control { SAML-Attribute-Value !* ANY SAML-Attribute-Value += "%{explode:&reply:Reply-eduPersonAffiliation ,}" } update reply { SAML-AAA-Assertion += '<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">' } 46> foreach &control:SAML-Attribute-Value { update reply { SAML-AAA-Assertion += '<saml:AttributeValue xsi:type="xs:string">' SAML-AAA-Assertion += "%{Foreach-Variable-0}" SAML-AAA-Assertion += '</saml:AttributeValue>' } } update reply { SAML-AAA-Assertion += '</saml:Attribute>' } } }
I can't see where I'm going wrong here... It's probably something *very* obvious that I can't see. I'm using FreeRADIUS 3.0.15 (I know, I know... It's not the newest).
Can someone point out the obvious mistake? :-/
Thank you :-)
Stefan Paetow Consultant, Trust and Identity
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 5 Date: Fri, 10 Aug 2018 17:28:25 +0000 From: Kevin Virk <Kevin.Virk@faithlife.com> To: "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org> Subject: Re:Re: Accounting-Request packet shared secret fail (Alan DeKok) (Kevin Virk) (Alan DeKok) Message-ID: <1533922105253.29587@faithlife.com> Content-Type: text/plain; charset=WINDOWS-1252
I did make sure to restart the server. I did fail to mention that I purged freeradius and reinstalled so I must have made a configuration error somewhere along the way.
From: Freeradius-Users <freeradius-users-bounces+kevin.virk= faithlife.com@lists.freeradius.org> on behalf of freeradius-users-request@lists.freeradius.org < freeradius-users-request@lists.freeradius.org> Sent: Friday, August 10, 2018 1:30 AM To: freeradius-users@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 160, Issue 14
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: ldap module for user and mac authentication (Dave Macias) 2. Re: ldap module for user and mac authentication (Michael Ströder) 3. Re: Accounting-Request packet shared secret fail (Alan DeKok) (Kevin Virk) (Alan DeKok) 4. Re: Dynamic vlan assignment (Dom Latter) 5. Re: Freeradius-Users Digest, Vol 160, Issue 9 (Arun NP)
----------------------------------------------------------------------
Message: 1 Date: Thu, 9 Aug 2018 08:23:51 -0400 From: Dave Macias <davama@gmail.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: ldap module for user and mac authentication Message-ID: <CA+nFYV_UOg+TuMMciVwPWTHUX5B=H=rbhpUE9mv_e+rsVDvCYw@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
Yes, I had thought of something to the effect of (suggestions
welcomed) :
* if
(!"%{ldap:ldap://master1/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(*
*&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {* * if
(!"%{ldap:ldap://master2/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?c*
*n?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
{* * reject* * }* * }* * update {* * control:Auth-Type := Accept* * }*
But this does not account for the scenario of openldap being dead. The 1st "if" statement will be always be FALSE and never attempt the next "if" statement and therefore 'Accept'
I believe i misspoke here... But interesting observations.
if i use the below code AND have multiple ldap servers configured in my ldap module, radius '%{ldap:ldap:///...}' will automatically go to the one that is alive; assuming one is at least alive. IF i have just one ldap server configured in my ldap module, (which is dead), then the 'if' will FAIL and reject as it should.
*if
(!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
{* *reject* *}* *else {* *update {* *control:Auth-Type := Accept* *}* *}*
Same results as above (ldap module will use the live ldap server, not the dead one) *if
(!"%{ldap:ldap://dead-ldap-server/ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")*
*...* *...*
So what did i learn? you dont need to use the SRV record for failover, as long as you have all the ldap servers in your ldap module.
I think it makes sense since '%{ldap:...}" is using the ldap module, technically, but i would have thought that "ldap:///" or "ldap://dead-ldap-server/" meant localhost/dead-ldap-server not "live.ldap.the-module-found'
Or maybe im just completely off... Hope that makes, sense.
(1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) { (1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) -> TRUE (1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) { (1) policy rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{ (1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE (1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{ (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 00-04-F2-DD-98-C6 (1) &Calling-Station-Id := 00-04-F2-DD-98-C6 (1) } # update request = noop (1) [updated] = updated (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_calling_station_id = updated (1) if
(!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
{ rlm_ldap (ldap): Reserved connection (0) (1) Performing search in "ou=sub-macs,ou=macs,dc=myorg,dc=net" with filter "(&(objectClass=ieee802Device)(macAddress=00-04-F2-DD-98-C6))", scope "sub" (1) Waiting for search result... rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 ldap://ldap2:389 TLSMC: MozNSS compatibility interception begins. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends. rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) EXPAND
%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}
(1) --> 0004f2dd98c6 (1) if
(!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
-> FALSE (1) else { (1) update { (1) control:Auth-Type := Accept (1) } # update = noop (1) } # else = noop (1) } # if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) = updated (1) ... skipping else: Preceding "if" was taken (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = Accept
------------------------------
Message: 2 Date: Thu, 9 Aug 2018 14:40:04 +0200 From: Michael Ströder <michael@stroeder.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>, Dave Macias <davama@gmail.com> Subject: Re: ldap module for user and mac authentication Message-ID: <7caaa8c6-5a4c-19b6-a59b-fa045992de8c@stroeder.com> Content-Type: text/plain; charset="utf-8"; Format="flowed"
On 8/9/18 2:23 PM, Dave Macias wrote:
So what did i learn? you dont need to use the SRV record for failover, as long as you have all the ldap servers in your ldap module.
Yes!
In theory the advantage of SRV RRs are that you can theoretically change what's in your pool of LDAP servers and adjust priorities based on locations.
Besides that I don't believe anybody fully implemented that I'm not a fan of SRV RRs anyway because the TLS hostname check is not even defined for that.
Ciao, Michael.