Hi Ivan,
3. RE: Freeradius-Users Digest, Vol 49, Issue 93 (Ivan
Kalik)
____________________________________________________________________________
> Radius Client --> Radius Proxy
> 192.168.1.2 192.168.1.3 192.168.14.3 -->
IPS1(192.168.14.4)
> 192.168.24.3 -->
IPS2(192.168.24.4)
____________________________________________________________________________
You say:
>>Yes. Proxy server will change NAS-IP-Address from the original
NAS >>address into it's own. That is OK.
It not works. In my scenario I have two different NAS-IP-Address(a NAS-IP-Address
for ISP1 and a NAS-IP-Address for ISP2).
Radius Proxy sees 3 different ip address:
- 192.168.1.3: ipaddress client side.
- 192.168.14.3: ipaddress for isp1
- 192.168.14.3: ipaddress for isp2
In my opinion the packet (received from Radius Client) is sent towards
the default gateway.
The following link describes the same scenario:
http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/82575.html
They introduce proxyip = 10.10.10.10
in proxy.conf.
Thanks again.
Marco
-----Original Message-----
From:
freeradius-users-bounces+marco.de.magistris=ericsson.com@lists.freeradius.org
[mailto:freeradius-users-bounces+marco.de.magistris=ericsson.com@lists.freeradius.org]
On Behalf Of freeradius-users-request@lists.freeradius.org
Sent: mercoledì 20 maggio 2009 15.55
To:
Subject: Freeradius-Users Digest, Vol 49, Issue 95
Send Freeradius-Users mailing list submissions to
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: question about windows users (Bartosz Chodzinski)
2. Re: R: Sql Counter reads only the first 4 digits (Alan DeKok)
3. RE: Freeradius-Users Digest, Vol 49, Issue 93 (Ivan Kalik)
4. R: R: Sql Counter reads only the first 4 digits
(Mauro Iorio - Smart Soft s.r.l.)
5. Re: question about windows users (Bartosz Chodzinski)
----------------------------------------------------------------------
Message: 1
Date: Wed, 20 May 2009 15:23:22 +0200
From: Bartosz Chodzinski <bartosz.c@gmail.com>
Subject: Re: question about windows users
To: tnt@kalik.net, FreeRadius users mailing list
<
Message-ID:
<1f06c2db0905200623k5e90f148naaadaf7402c82c16@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
ok I changed it to default
proxy_requests = yes
$INCLUDE proxy.conf
/etc/freeradius/certs/Makefile
was
#client.crt: client.csr server.crt server.key index.txt serial
# openssl ca -batch -keyfile server.key -cert server.crt -in
client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions
xpclient_ext
-extfile xpextensions -config ./client.cnf
is now:
client.crt: client.csr ca.pem ca.key index.txt serial
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key
$(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile
xpextensions -config ./client.cnf
changes in client.cnf
was:
certificate = $dir/server.pem
serial = $dir/serial
private_key = $dir/server.key
commonName = user@example.com
is now:
certificate = $dir/ca.pem
serial = $dir/serial
private_key = $dir/ca.key
commonName = user_certificate
now after instalation ca.der and client.p12 in windows everything in
certificate stores seams to be ok.
there is no exclamation mark on user_certificate, and certification path
is
ok
back to the server:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812,
id=240,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user_certificate"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200001501757365725f6365727469666963617465
Message-Authenticator = 0x0d65a52fd78035c3c828c30d2a2442d9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user_certificate", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 240 to 192.168.5.206 port 1812
EAP-Message = 0x0101001604100c91af03e9cd5c25126407d36f22684a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb5a5cfd0b5a4cb20491e5ee122e4a622
Finished request 0.
Going to the next request
On Wed, May 20, 2009 at 2:39 PM, Ivan Kalik <tnt@kalik.net>
wrote:
> >>> The steps you took show that you are NOT following
the guide.
> >>> Good luck. You clearly are *not* interested in
solving the problem.
> >
> > the guide in radiusd.conf says:
> > #The server has proxying turned on by default. If your
system is NOT
> > # set up to proxy requests to another server, then you can
turn proxying
> > # off here. This will save a small amount of resources on
the server.
> > I tried to read carefully with undrestanding, I dont use
proxy, my system
> > not sending request to another server, so I turned it off.
>
> You might not want to, but you *are* proxying your requests. You
have
> created client certificate with predefined data in client.cnf -
which is
> part of the proxy demonstration setup. So, leave proxy settings
alone and
> concentrate on doing what you have been advised - changing data in
> client.cnf so created client certificate won't have @example.com
as part
> of the username.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freeradius.org/pipermail/freeradius-users/attachments/20090520/dace037b/attachment.html>
------------------------------
Message: 2
Date: Wed, 20 May 2009 15:29:45 +0200
From: Alan DeKok <aland@deployingradius.com>
Subject: Re: R: Sql Counter reads only the first 4 digits
To: FreeRadius users mailing list
<
Message-ID: <4A1405C9.8020005@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Mauro Iorio - Smart Soft s.r.l. wrote:
> Yes, it does. Check the following output:
...
> [sessioncounter] expand: %{sql:SELECT 123456 FROM radacct
WHERE
> UserName='mauro'} -> 1234
Hmm... I don't use the unixodbc drivers, so I can't test it here. I
don't see anything in the code that would chop the results at 4 digits.
Alan DeKok.
------------------------------
Message: 3
Date: Wed, 20 May 2009 14:47:44 +0100 (BST)
From: "Ivan Kalik" <tnt@kalik.net>
Subject: RE: Freeradius-Users Digest, Vol 49, Issue 93
To: "FreeRadius users mailing list"
<
Message-ID:
<61032.194.176.105.44.1242827264.squirrel@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
>
>>What does that mean? IP of the original NAS packet?
>
> I have 2 interfaces towards the network.
>
>
____________________________________________________________________________
> Radius Client --> Radius Proxy
> 192.168.1.2 192.168.1.3 192.168.14.3 -->
IPS1(192.168.14.4)
> 192.168.24.3 -->
IPS2(192.168.24.4)
>
____________________________________________________________________________
>
> Steps:
> 1)Radius Client ---> Send packet with NAS-IP-Address =
192.168.1.2
> towards Radius Proxy.
> 2)Radius Proxy changes NAS-IP-Address with 192.168.14.3 for
IPS1(or
> 192.168.24.3 for IPS2) and sends it.
>
>
> You say that changing NAS-IP-Address the packet is transmitted
correctly.
> Right?
>
> From 192.168.14.3 to IPS1(192.168.14.4) if NAS-IP-Address =
> 192.168.14.3
> From 192.168.24.3 to IPS1(192.168.24.4) if NAS-IP-Address =
> 192.168.24.3
>
Yes. Proxy server will change NAS-IP-Address from the original NAS
address
into it's own. That is OK.
>> That's in internal attribute Packet-Src-IP-Address.
>
> Should I modify this attribute or FreeRadius associates
> Packet-Src-IP-Address = NAS-IP-Address.
No, Packet-Src-IP-Address has the originating IP address for the radius
packet (in your case it will be 192.168.1.2). If ISP needs to know the
original NAS IP they should look in Packet-Src-IP-Address.
Ivan Kalik
Kalik Informatika ISP
------------------------------
Message: 4
Date: Wed, 20 May 2009 15:48:25 +0200
From: "Mauro Iorio - Smart Soft s.r.l."
<m.iorio@smartsoft.it>
Subject: R: R: Sql Counter reads only the first 4 digits
To: tnt@kalik.net, "'FreeRadius users mailing list'"
<
Message-ID: <CFF53251EC794CACBFC36E03F72AF74E@zuccherino>
Content-Type: text/plain; charset="us-ascii"
>
> Don't bother with all that. Hardcode just:
>
> SELECT 123456
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
Done. Same result: 1234.
Mauro Iorio.
------------------------------
Message: 5
Date: Wed, 20 May 2009 15:54:56 +0200
From: Bartosz Chodzinski <bartosz.c@gmail.com>
Subject: Re: question about windows users
To:
Message-ID:
<1f06c2db0905200654h286a5bbfi44d40e166af02717@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
I am using a standard settings of eap.conf
when I change eap.conf to:
# default_eap_type = md5
default_eap_type = peap
I have similar communicate
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812,
id=242,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user_certificate"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200001501757365725f6365727469666963617465
Message-Authenticator = 0x4fea88a60594825de9229268206fb02d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user_certificate", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 242 to 192.168.5.206 port 1812
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x54cef72d54cfee66f11829ca8f9f95d7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 242 with timestamp +37
Ready to process requests.
On Wed, May 20, 2009 at 3:51 PM, Ivan Kalik <tnt@kalik.net>
wrote:
> > [eap] processing type md5
> > rlm_eap_md5: Issuing Challenge
>
> Hm, you are saying you want to do EAP-TLS but your server reports
that it
> has got EAP-MD5 request. Check connection settings on Windows
machine.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freeradius.org/pipermail/freeradius-users/attachments/20090520/99755328/attachment.html>
------------------------------
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 49, Issue 95
************************************************