My version of 2.1.10 was the one i got when i did the ever so popular sudo apt-get install freeradius, so i guess i need for my distro to get the update in the source files - that's ok as my Freeradius is not connected to the internet. Thank you all for the response. On Mon, Jan 28, 2013 at 11:40 AM, < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. move /etc/raddb/users file to mysql (Stefan K?nig) 2. Re: dialup.conf custom attributes failure in freeradius 2.2 (A.L.M.Buxey@lboro.ac.uk) 3. Re: upgrading freeradius (Mathieu Simon) 4. Re: Help Needed !!! FreeRADIUS Integration with MS AD (Pradyumna)
----------------------------------------------------------------------
Message: 1 Date: Mon, 28 Jan 2013 09:25:00 +0100 From: Stefan K?nig <montiburns@gmail.com> To: freeradius-users@lists.freeradius.org Subject: move /etc/raddb/users file to mysql Message-ID: <510635DC.2080103@gmail.com> Content-Type: text/plain; charset=ISO-8859-1
Hello List,
I inherited an old freeradius 1.1.8 system which is configured to use a mysql DB. So far so good, but now I discovered, that someone also created a /etc/raddb/users file with some DEFAULT information in it. The funny thing is, that I have also some DEFAULT information in my DB in radgroupreply, which is where I think the data from the "users" file belongs. As far as I see in our config, the flat files have precedence over SQL.
I am not very deep into freeradius, so I have some questions which I hope someone can answer:
1) Does the data from the "users" file go into radgroupreply table? 2) I have a DEFAULT groupname in the DB and in the flat file, will I have to rename the flat file DEFAULT groupname to something else to avoid problems? 3) "op" needs to be "=~" and ":=" for the first to settings and "==" for all the following?
For your reference here is the anonymized content of my users file:
DEFAULT User-Name =~"@example\.net$", Auth-Type := "Accept" Context-Name == local, Tunnel-Domain == 1, Tunnel-Type == L2TP, Tunnel-Medium-Type == IP, Tunnel-Client-Endpoint == xxx.xxx.xxx.xxx, Tunnel-Server-Endpoint == yyy.xxx.xxx.xxx, Tunnel-Password == password, Tunnel-Assignment-Id == zzz.xxx.xxx.xxx, Tunnel-Function == 1, Tunnel-Local-Name == EXAMPLE.NET
Thanks for any help or hints!
regards Stefan
------------------------------
Message: 2 Date: Mon, 28 Jan 2013 09:03:32 +0000 From: A.L.M.Buxey@lboro.ac.uk To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: dialup.conf custom attributes failure in freeradius 2.2 Message-ID: <20130128090332.GF28146@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii
Hi,
Hi, I need some help with inserting custom attributes to MySQL server. It seems that version 2.2 broke it, at least on my server... When I revert back to 2.1 it immediately starts to work with same config files. Below are config files and traces for both versions.
Any idea?
yes, you dont seem to have 3GPP-IMSI in your dictionary file. thus the string expansion fails as per
[sql] WARNING: Unknown module "3GPP-IMSI" in string expansion "%',
thats my first guess anyway! ;-)
alan
------------------------------
Message: 3 Date: Mon, 28 Jan 2013 10:12:21 +0100 From: Mathieu Simon <mathieu.sim@gmail.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: upgrading freeradius Message-ID: <510640F5.6000009@gmail.com> Content-Type: text/plain; charset=ISO-8859-1
Am 27.01.2013 21:52, schrieb A.L.M.Buxey@lboro.ac.uk:
Hi,
2.1.10 is the version delivered by your distribution - and contains backported security bugfixes released until 2.2.0. In terms of security, your version is fine. why? why do that? why not simple release 2.2.0 - you are CONFUSING your users and CONFUSING those people who support them.
if it says 2.1.10 then one can only ASSUME that its 2.1.10 Yes, somewhat true, but that's how a couple of distribution consider 'stable' releases: Stick with a version of a software and backport (bug and) security updates to this version. (and only update the version of a package at new distro release)
Enterprise distributions or commercial unix often do much heavier backporting than what Debian/Ubuntu do, just to deliver the very same version during the period of time the package is bundled with a release of their distro/software.
You have to outweight the advantages vs. disadvantages like breaking support from your distributor, in this case Canonical. But I agree that asking on this list is likely yield the answer "upgrade first" in case of problems.
A Ubuntu PPA can be a very good thing - but you have to trust a third party. That said, I really like PPAs when the packagers do good work and care about updating the packages - thanks Fajar for maintaining this repository!
-- Mathieu
------------------------------
Message: 4 Date: Mon, 28 Jan 2013 15:10:14 +0530 From: Pradyumna <neomatrixgem@gmail.com> To: "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> Cc: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Help Needed !!! FreeRADIUS Integration with MS AD Message-ID: <E751B5FB-B309-402E-8C4E-6D77FE3958AB@gmail.com> Content-Type: text/plain; charset="us-ascii"
Hi,
Am not able to see my authorization happening because I don't see the value-attr or reply message. Please help. Logs attached. rad_recv: Access-Request packet from host 192.168.0.2 port 39662, id=92, length=62 User-Name = "radiustest" User-Password = "password@123" NAS-IP-Address = 192.168.0.2 NAS-Port = 1812 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.2/auth-detail-20130128 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.2/auth-detail-20130128 [auth_log] expand: %t -> Mon Jan 28 10:12:16 2013 ++[auth_log] returns ok [ldap] performing user authorization for radiustest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> radiustest [ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest)) [ldap] expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest)) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = ldap [ldap] user radiustest authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "radiustest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ldap] performing user authorization for radiustest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> radiustest [ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest)) [ldap] expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest)) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user radiustest authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ldap # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "radiustest" with password "password@123" [ldap] user DN: CN=radiustest,CN=Users,DC=example,DC=com [ldap] (re)connect to 192.168.0.3:389, authentication 1 [ldap] bind as CN=radiustest,CN=Users,DC=example,DC=com/password@123 to 192.168.0.3:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user radiustest authenticated succesfully ++[ldap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 92 to 192.168.0.2 port 39662 Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 92 with timestamp +88 Ready to process requests.
Regards, /Neo Sent from my iPhone
On 25-Jan-2013, at 3:32 AM, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
Do you mean the below in the "users" file?
cisco Auth-Type := LDAP
Service-Type = Administrative-User, cisco-avpair = "shell:priv-lvl=15"
no.
cisco Auth-Type := LDAP Service-Type = Administrative-User, cisco-avpair = "shell:priv-lvl=15"
(see all the examples in the users file)
alan