On Mon, Jan 28, 2013 at 11:40 AM,
<freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. move /etc/raddb/users file to mysql (Stefan K?nig)
2. Re: dialup.conf custom attributes failure in freeradius 2.2
(A.L.M.Buxey@lboro.ac.uk)
3. Re: upgrading freeradius (Mathieu Simon)
4. Re: Help Needed !!! FreeRADIUS Integration with MS AD (Pradyumna)
----------------------------------------------------------------------
Message: 1
Date: Mon, 28 Jan 2013 09:25:00 +0100
From: Stefan K?nig <montiburns@gmail.com>
To: freeradius-users@lists.freeradius.org
Subject: move /etc/raddb/users file to mysql
Message-ID: <510635DC.2080103@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hello List,
I inherited an old freeradius 1.1.8 system which is configured to use a
mysql DB.
So far so good, but now I discovered, that someone also created a
/etc/raddb/users file with some DEFAULT information in it.
The funny thing is, that I have also some DEFAULT information in my DB
in radgroupreply, which is where I think the data from the "users" file
belongs.
As far as I see in our config, the flat files have precedence over SQL.
I am not very deep into freeradius, so I have some questions which I
hope someone can answer:
1) Does the data from the "users" file go into radgroupreply table?
2) I have a DEFAULT groupname in the DB and in the flat file, will I
have to rename the flat file DEFAULT groupname to something else to
avoid problems?
3) "op" needs to be "=~" and ":=" for the first to settings and "==" for
all the following?
For your reference here is the anonymized content of my users file:
DEFAULT User-Name =~"@example\.net$",
Auth-Type := "Accept"
Context-Name == local,
Tunnel-Domain == 1,
Tunnel-Type == L2TP,
Tunnel-Medium-Type == IP,
Tunnel-Client-Endpoint == xxx.xxx.xxx.xxx,
Tunnel-Server-Endpoint == yyy.xxx.xxx.xxx,
Tunnel-Password == password,
Tunnel-Assignment-Id == zzz.xxx.xxx.xxx,
Tunnel-Function == 1,
Tunnel-Local-Name == EXAMPLE.NET
Thanks for any help or hints!
regards
Stefan
------------------------------
Message: 2
Date: Mon, 28 Jan 2013 09:03:32 +0000
From: A.L.M.Buxey@lboro.ac.uk
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Subject: Re: dialup.conf custom attributes failure in freeradius 2.2
Message-ID: <20130128090332.GF28146@lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii
Hi,
> Hi, I need some help with inserting custom attributes to MySQL server. It
> seems that version 2.2 broke it, at least on my server... When I revert
> back to 2.1 it immediately starts to work with same config files.
> Below are config files and traces for both versions.
> Any idea?
yes, you dont seem to have 3GPP-IMSI in your dictionary file. thus the string
expansion fails as per
> [sql] WARNING: Unknown module "3GPP-IMSI" in string expansion "%',
thats my first guess anyway! ;-)
alan
------------------------------
Message: 3
Date: Mon, 28 Jan 2013 10:12:21 +0100
From: Mathieu Simon <mathieu.sim@gmail.com>
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Subject: Re: upgrading freeradius
Message-ID: <510640F5.6000009@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Am 27.01.2013 21:52, schrieb A.L.M.Buxey@lboro.ac.uk:
> Hi,
>
>> 2.1.10 is the version delivered by your distribution - and contains
>> backported security bugfixes released until 2.2.0. In terms of security,
>> your version is fine.
> why? why do that? why not simple release 2.2.0 - you are CONFUSING your users
> and CONFUSING those people who support them.
>
> if it says 2.1.10 then one can only ASSUME that its 2.1.10
Yes, somewhat true, but that's how a couple of distribution consider
'stable' releases:
Stick with a version of a software and backport (bug and) security
updates to this version.
(and only update the version of a package at new distro release)
Enterprise distributions or commercial unix often do much heavier
backporting than
what Debian/Ubuntu do, just to deliver the very same version during the
period of time
the package is bundled with a release of their distro/software.
You have to outweight the advantages vs. disadvantages like breaking
support from
your distributor, in this case Canonical. But I agree that asking on
this list is likely yield
the answer "upgrade first" in case of problems.
A Ubuntu PPA can be a very good thing - but you have to trust a third party.
That said, I really like PPAs when the packagers do good work and care
about
updating the packages - thanks Fajar for maintaining this repository!
-- Mathieu
------------------------------
Message: 4
Date: Mon, 28 Jan 2013 15:10:14 +0530
From: Pradyumna <neomatrixgem@gmail.com>
To: "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk>
Cc: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Subject: Re: Help Needed !!! FreeRADIUS Integration with MS AD
Message-ID: <E751B5FB-B309-402E-8C4E-6D77FE3958AB@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Hi,
Am not able to see my authorization happening because I don't see the value-attr or reply message. Please help. Logs attached.
rad_recv: Access-Request packet from host 192.168.0.2 port 39662, id=92, length=62
User-Name = "radiustest"
User-Password = "password@123"
NAS-IP-Address = 192.168.0.2
NAS-Port = 1812
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.2/auth-detail-20130128
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.2/auth-detail-20130128
[auth_log] expand: %t -> Mon Jan 28 10:12:16 2013
++[auth_log] returns ok
[ldap] performing user authorization for radiustest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radiustest
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest))
[ldap] expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = ldap
[ldap] user radiustest authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "radiustest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ldap] performing user authorization for radiustest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radiustest
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest))
[ldap] expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user radiustest authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ldap
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "radiustest" with password "password@123"
[ldap] user DN: CN=radiustest,CN=Users,DC=example,DC=com
[ldap] (re)connect to 192.168.0.3:389, authentication 1
[ldap] bind as CN=radiustest,CN=Users,DC=example,DC=com/password@123 to 192.168.0.3:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user radiustest authenticated succesfully
++[ldap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 92 to 192.168.0.2 port 39662
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 92 with timestamp +88
Ready to process requests.
Regards,
/Neo
Sent from my iPhone
On 25-Jan-2013, at 3:32 AM, A.L.M.Buxey@lboro.ac.uk wrote:
> Hi,
>
>> Do you mean the below in the "users" file?
>>
>> cisco Auth-Type := LDAP
>>
>> Service-Type = Administrative-User,
>> cisco-avpair = "shell:priv-lvl=15"
>
> no.
>
> cisco Auth-Type := LDAP
> Service-Type = Administrative-User,
> cisco-avpair = "shell:priv-lvl=15"
>
>
> (see all the examples in the users file)
>
> alan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130128/a6a02077/attachment.html>
------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 93, Issue 78
************************************************