Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Authorise based on Calling Station ID ? (Alan DeKok)
2. Re: Authentication on the basis of circuit id and not mac
address (Alan DeKok)
3. Re: your mail (A.L.M.Buxey@lboro.ac.uk)
4. Re: Old school: FreeRADIUS and NIS (Mark Haney)
5. Re: Old school: FreeRADIUS and NIS (Alan DeKok)
6. Re: Old school: FreeRADIUS and NIS (Phil Mayers)
7. Re: Old school: FreeRADIUS and NIS (Mark Haney)
----------------------------------------------------------------------
Message: 1
Date: Mon, 10 Mar 2014 08:10:31 -0400
From: Alan DeKok <aland@deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Subject: Re: Authorise based on Calling Station ID ?
Message-ID: <531DABB7.50105@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Darren Ward (darrward) wrote:
> The mac address was sent by the wifi controller as the
> calling-station-id but the question is how do I match that field against
> the user to authorise them?
$ man unlang
It tells you how to do if/then/else checks.
Perhaps you have a more specific question?
Alan DeKok.
------------------------------
Message: 2
Date: Mon, 10 Mar 2014 08:33:25 -0400
From: Alan DeKok <aland@deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Subject: Re: Authentication on the basis of circuit id and not mac
address
Message-ID: <531DB115.70109@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Mahima Kumar wrote:
> I have used an Alcatel router as relay agent which gives the circuit id
> and i can see that in the radius debug output, so the client is getting
> authenticated on the basis of mac address and is getting the ip address
> from the Dhcp server , now i want to authenticate the client based on
> the circuit id provided by the relay agent in between,
First, does the circuit ID show up in a RADIUS packet? If so, what
attribute is it?
> but the radius
> server doesn't accept username as circuit id, it only authenticates
> based on mac address of the client(i tried changing the users file), so
> can anyone please guide me as to what changes i have to make for this to
> be possible.
I'm not sure what you're trying to do, so I don't have a good answer
for you.
What does debug output say? What do you think it *should* say?
Alan DeKok.
------------------------------
Message: 3
Date: Mon, 10 Mar 2014 13:54:26 +0000
From: A.L.M.Buxey@lboro.ac.uk
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Subject: Re: your mail
Message-ID: <20140310135426.GC3021@lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii
Hi,
> I'd like to install on FreeBSD 9.2
> FreeRadius2 with MySQL
which bits of http://wiki.freeradius.org/guide/SQL-HOWTO did you
follow, which bits didnt work?
alan
------------------------------
Message: 4
Date: Mon, 10 Mar 2014 10:03:55 -0400
From: Mark Haney <mhaney@practichem.com>
To: <freeradius-users@lists.freeradius.org>
Subject: Re: Old school: FreeRADIUS and NIS
Message-ID: <531DC64B.4010806@practichem.com>
Content-Type: text/plain; charset="ISO-8859-1"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/07/14 16:00, Alan DeKok wrote:
>> The only thing I've changed in the config files is to add the
>> DEFAULT Auth-Type = System at the top of the users file.
>
> Which I don't recommend you do.
>
> Anyawyas, debug mode shows:
>
> ++[unix] returns notfound
>
> Which is pretty definitive.
Okay, what would recommend then? And the ++[unix] returns notfound is
definitive of /what/?
Since I'm setting up FreeRADIUS on my NIS master, I don't really need
NIS integration, the user accounts are all in /etc/passwd (and
/etc/shadow) so all I need is radiusd to check for local accounts and
authenticate against them. This /should/ simplify things, but
apparently I'm missing something, and something probably relatively
simple. Question is, what?
- --
Mark Haney
Network/Systems Administrator
Practichem
W: (919) 714-8428
Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTHcZEAAoJEM/YzwEAv6e7VfIH+gLyCl0i8wJg8yrNRh93PUKG
tuKKRyelWUur6p1Hem/G3LtEBkczbfPw1Mk1mD0McWmrH58lMoFccnFp3KF//QF7
NNBBrbbtkFLq0gdEUr7vr7ICXDqRKnrSSSh+zjOFZ5DwG4pSjhexqwgRZNw34prg
ddG6qsnVwktztIBuiXI05iWL1yqoTVveiXJCRcoOFMc1cKABt4tYR0y2/7QGmjT2
DvfvhD3K+pDtO1HLwPOKay9D47AHSsRyvO64d1zfSVokt/7/FLbUuHtoZ9lXK5uH
BjteP//mlE017d848wHF5PzmYXIPQhT3ANQ274TB/Q9wPalhx/7KMd+WN6CvHeA=
=QgVT
-----END PGP SIGNATURE-----
------------------------------
Message: 5
Date: Mon, 10 Mar 2014 10:21:05 -0400
From: Alan DeKok <aland@deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Subject: Re: Old school: FreeRADIUS and NIS
Message-ID: <531DCA51.6070309@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Mark Haney wrote:
>> ++[unix] returns notfound
>
>> Which is pretty definitive.
>
> Okay, what would recommend then? And the ++[unix] returns notfound is
> definitive of /what/?
Uh.... the module looks users up in /etc/passwd. What could
"notfound" possibly mean?
> Since I'm setting up FreeRADIUS on my NIS master, I don't really need
> NIS integration, the user accounts are all in /etc/passwd (and
> /etc/shadow) so all I need is radiusd to check for local accounts and
> authenticate against them. This /should/ simplify things, but
> apparently I'm missing something, and something probably relatively
> simple. Question is, what?
The user isn't in /etc/passwd.
Alan DeKok.
------------------------------
Message: 6
Date: Mon, 10 Mar 2014 14:33:55 +0000
From: Phil Mayers <p.mayers@imperial.ac.uk>
To: freeradius-users@lists.freeradius.org
Subject: Re: Old school: FreeRADIUS and NIS
Message-ID: <531DCD53.9080402@imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 10/03/14 14:03, Mark Haney wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> On 03/07/14 16:00, Alan DeKok wrote:
>
>>> The only thing I've changed in the config files is to add the
>>> DEFAULT Auth-Type = System at the top of the users file.
>>
>> Which I don't recommend you do.
>>
>> Anyawyas, debug mode shows:
>>
>> ++[unix] returns notfound
>>
>> Which is pretty definitive.
>
> Okay, what would recommend then? And the ++[unix] returns notfound is
> definitive of /what/?
rlm_unix has a flow like this:
r = getpwnam(username)
if not r:
return NOTFOUND
if not r.passwd or len(r.passwd) < 10:
s = getspnam(username)
if not s:
return NOTFOUND
passwd = s.passwd
else:
passwd = r.passwd
So, either FreeRADIUS is getting no reply to getpwnam() or it's getting
an empty or "x" value for the password hash at that stage, *then*
calling getspnam() and getting no value.
My NIS is rusty, but IIRC calling the getspnam() routines under NIS
requires you being root? Most likely this is the problem.
PAM has a suid-root helper for this; FreeRADIUS doesn't. So one possible
alternative would be to use rlm_pam, and let PAM do the work of getting
at the shadow data.
------------------------------
Message: 7
Date: Mon, 10 Mar 2014 12:23:29 -0400
From: Mark Haney <mhaney@practichem.com>
To: <freeradius-users@lists.freeradius.org>
Subject: Re: Old school: FreeRADIUS and NIS
Message-ID: <531DE701.5090606@practichem.com>
Content-Type: text/plain; charset="ISO-8859-1"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/10/14 10:33, Phil Mayers wrote:
>
> rlm_unix has a flow like this:
>
> r = getpwnam(username) if not r: return NOTFOUND if not r.passwd or
> len(r.passwd) < 10: s = getspnam(username) if not s: return
> NOTFOUND passwd = s.passwd else: passwd = r.passwd
>
> So, either FreeRADIUS is getting no reply to getpwnam() or it's
> getting an empty or "x" value for the password hash at that stage,
> *then* calling getspnam() and getting no value.
>
> My NIS is rusty, but IIRC calling the getspnam() routines under
> NIS requires you being root? Most likely this is the problem.
Le me re-iterate. Since I've installed FreeRADIUS on my NIS master, I
no longer care so much about dealing with NIS. At this stage, it's
simply a matter of getting FR and rlm_unix to see and access my local
user/pwd sitting in /etc/passwd and /etc/shadow. Surely, setting up
Fr for that is not /that/ complicated. So, forget about NIS. That is
not a problem.
So, now that I have that out of the way, it seems rlm_unix isn't able
to read /etc/shadow. I'm assuming the getspnam(username) call is
trying to read /etc/shadow? If so, how is the best way to fix this?
I read somewhere that rlm_unix didn't need to copy the password files
into a temp file with radwtmp unless there was a specific reason for
it. What exactly is that all about?
- --
Mark Haney
Network/Systems Administrator
Practichem
W: (919) 714-8428
Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTHeb2AAoJEM/YzwEAv6e7EtsH/1DSyXULTwGN2Y4x/lvq/5cj
OYj585upGm0gZlNTEBjDYF1eJQw+S26bIhbogiaaWElBhnNE43K0iXnlJMxC3rwJ
ZRdoT5dQHufyOAFpDrg0GvR4BsnlSUlRzckBDGdFSsEtHHUtH0UU/ajuKo8JgXxZ
4smQ1dl9dFY9A9xe7AI7MGMI76QAqTIuTREmEwfPVKl9HSsBHAFr64hzxsUc8TcE
5GEizfXQv3XvTLsYuDCPRF2SxZr5ZpLi3Yuu/GLlC6Vl88qpNHgbPVf5rKw1NVMl
OhYFHSnz+pzgyAKJBg3Np5xoV1cvDYf0wQ3Kv0i1UwP3SF4r9RvdAPNjyyzjZJc=
=mS2E
-----END PGP SIGNATURE-----
------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 107, Issue 38
*************************************************