On 1 Sep 2011, at 15:40, 2394263740 wrote:
Phil,
Thanks a lot for your great help.
I understand the scripts you wrote. But I don't know where I should put it in.
Can you please kindly advise which file I should edit?
/usr/local/etc/raddb/sites-available/default?
Yes in the authorize section, thats why the script is encapsulated within and authorize {} stanza :) -Arran
------------------ Original ------------------ From: "freeradius-users"<freeradius-users-request@lists.freeradius.org>; Date: Thu, Sep 1, 2011 02:51 AM To: "freeradius-users"<freeradius-users@lists.freeradius.org>; Subject: Freeradius-Users Digest, Vol 76, Issue 108
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS server (Phil Mayers) 2. Re: Special WIFI Router MAC check for the user?s first connection. (Phil Mayers) 3. Using rlm_passwd as a substitute for hunt groups (Jan.Weiss@t-systems.com) 4. problem with LDAP backend (Frank Bonnet) 5. Re: problem with chillispot (Alan DeKok) 6. Re: problem with LDAP backend (Alan DeKok) 7. Rating usage (Shreya Shah) 8. Re: problem with chillispot (Goke M Aruna)
----------------------------------------------------------------------
Message: 1 Date: Wed, 31 Aug 2011 14:48:00 +0100 From: Phil Mayers <p.mayers@imperial.ac.uk> Subject: Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS server To: freeradius-users@lists.freeradius.org Message-ID: <4E5E3B90.2020109@imperial.ac.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 30/08/11 21:12, Glenn Machin wrote:
Phil - thanks for the feedback.
I just ended up proxying out to the IAS server usernames starting with "DOMAIN\".
Ok. Obviously that will fail if enters their wireless credentials without a domain.
I configured the freeradius server to not support mschapv2 but will support PEAP/GTC EAP/TLS.
It seems to be working fine with the Macs, iPads and Linux systems while the windows systems are happy to talk to the IAS server.
It still bugs that ntlm_auth would not authenticate to the domain controllers the challenge and nt-response.
I repeat: if you send debug info, people may be able to help.
I assume no one else is having any issues using ntlm_auth to W2008 servers? It may be some Windows GPO at our site for all I know.
Exactly which version of windows (2008 or 2008R2?) and at which functional level is your domain?
Did you try increasing the debug level for winbind using "smbcontrol" and then examining the debug logs after a failed auth?
For what it's worth, we have no problems with Windows 2008R2 domain controllers and the "samba3x" package available under RHEL5 (samba version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3) versions after we'd upgraded to 2008R2 and upgraded functional level.
------------------------------
Message: 2 Date: Wed, 31 Aug 2011 14:55:35 +0100 From: Phil Mayers <p.mayers@imperial.ac.uk> Subject: Re: Special WIFI Router MAC check for the user?s first connection. To: freeradius-users@lists.freeradius.org Message-ID: <4E5E3D57.2000903@imperial.ac.uk> Content-Type: text/plain; charset=UTF-8; format=flowed
On 31/08/11 12:38, 2394263740 wrote:
For example, WIFI AP 26, has the MAC address MAC26. I need ensure one WIFI user, say user 58, must connect to WIFI AP 26 for the first time. After the first connection, user 58 can connect to any WIFI AP in the network. Can someone give some advice on how to do it?
1. Create a whitelist of users who can authenticate to any AP using files, rlm_passwd or ideally SQL - see the FreeRADIUS wiki
2. If they are *not* found in the whitelist, check the "Called-Station-Id" attribute, which usually contains the MAC address of the AP. If your equipment uses a different attribute, check that.
3. If the AP MAC is the correct one, add the user to the whitelist, else reject
For example:
authorize {
... update control { Tmp-String-0 := "%{sql:select 1 from whitelist where username='%{User-Name}'}" } if (control:Tmp-String-0 == 1) { # user is in whitelist } elsif (Called-Station-Id == "aa-bb-cc-dd-ee-ff") { # user is connecting to the "whitelist" AP update control { Tmp-String-0 = "%{sql:insert into whitelist (username) values ('%{User-Name}')}" } } else { reject } ...
}
------------------------------
Message: 3 Date: Wed, 31 Aug 2011 16:11:48 +0200 From: Jan.Weiss@t-systems.com Subject: Using rlm_passwd as a substitute for hunt groups To: <freeradius-users@lists.freeradius.org> Message-ID: <3DD77603D0726248A46541D5119607CE27DFC71606@HE111524.emea1.cds.t-internal.com>
Content-Type: text/plain; charset="us-ascii"
Did you remember to actually define 'My-Device-Group' as an attribute?
-Arran
Arran Cudbard-Bell a.cudbardb@freeradius.org
RADIUS - Half the complexity of Diameter
Dictionary: ATTRIBUTE My-Device-Group 3000 string
------------------------------
Message: 4 Date: Wed, 31 Aug 2011 17:02:32 +0200 From: Frank Bonnet <f.bonnet@esiee.fr> Subject: problem with LDAP backend To: freeradius-users@lists.freeradius.org Message-ID: <4E5E4D08.5060109@esiee.fr> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hello
Still trying to use freeradius with chillispot I still have problems
I'm trying to use mixed authentication
MAC addresses for some video devices in the "users" file as follows :
00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx" Framed-IP-Address = 192.168.182.213, Fall-Through = Yes
LDAP backend for "real" users at the end of the "users" file I have this statement
DEFAULT Auth-Type = LDAP Fall-Through = 1
This configuration were working well on a very old debian machine which died suddenly
When I try to access the the chilli portal it ask radius for authentication but it dows not work. See below the debug trace of radius daemon. Help greatly appreciated, thank you.
Wed Aug 31 16:52:39 2011 : Debug: Processing the authorize section of radiusd.conf Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authorize for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "preprocess" returns ok for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: rlm_eap: No EAP-Message, not doing EAP Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "eap" returns noop for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling files (rlm_files) for request 15 Wed Aug 31 16:52:39 2011 : Debug: users: Matched entry DEFAULT at line 398 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "files" returns ok for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authorize Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing user authorization for xxxxxxxx Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: '(uid=xxx)' Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: 'ou=Users,dc=esiee,dc=fr' Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing search in ou=Users,dc=esiee,dc=fr, with filter (uid=hrazdira) Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: checking if remote access for xxxxxxxx is allowed by uid Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for check items in directory... Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for reply items in directory... Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: user xxxxxxxx authorized to use remote access Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "ldap" returns ok for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "pap" returns noop for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authorize (returns ok) for request 15 Wed Aug 31 16:52:39 2011 : Debug: rad_check_password: Found Auth-Type LDAP Wed Aug 31 16:52:39 2011 : Debug: auth: type "LDAP" Wed Aug 31 16:52:39 2011 : Debug: Processing the authenticate section of radiusd.conf Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authenticate for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authenticate Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password". Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authenticate]: module "ldap" returns invalid for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authenticate (returns invalid) for request 15 Wed Aug 31 16:52:39 2011 : Debug: auth: Failed to validate the user. Wed Aug 31 16:52:39 2011 : Debug: Delaying request 15 for 1 seconds Wed Aug 31 16:52:39 2011 : Debug: Finished request 15 Wed Aug 31 16:52:39 2011 : Debug: Going to the next request Wed Aug 31 16:52:39 2011 : Debug: --- Walking the entire request list ---
------------------------------
Message: 5 Date: Wed, 31 Aug 2011 12:27:36 -0400 From: Alan DeKok <aland@deployingradius.com> Subject: Re: problem with chillispot To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4E5E60F8.8070409@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Goke M Aruna wrote:
Is it bug on freeradius v2?
No.
I got the chillispot working with freeradius 1.7 then and still tested same recently but v2 of radius give same error while v1 work seamlessly. I compiled this on centos 5.6.
You mistyped the shared secret.
Alan DeKok.
------------------------------
Message: 6 Date: Wed, 31 Aug 2011 12:30:45 -0400 From: Alan DeKok <aland@deployingradius.com> Subject: Re: problem with LDAP backend To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4E5E61B5.2000601@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Frank Bonnet wrote:
MAC addresses for some video devices in the "users" file as follows :
00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"
That's wrong. See the debug output for reasons why. See the FAQ for correct examples.
LDAP backend for "real" users at the end of the "users" file I have this statement
DEFAULT Auth-Type = LDAP Fall-Through = 1
That's not needed.
Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
That's pretty clear. The NAS is sending a CHAP request. You can't do that with "Auth-Type LDAP"
Instead, list "ldap" in the "authorize" section.
Don't set Auth-Type. It's almost always wrong.
Alan DeKok.
------------------------------
Message: 7 Date: Wed, 31 Aug 2011 13:23:20 -0400 From: Shreya Shah <shreya.nshah@gmail.com> Subject: Rating usage To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <CANN_Z9KOKD0HfM+s_wVmZTyobN=8qcLxbfdQBBrX+KBPUBo-2w@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1"
Is it possible to rate users based on their data usage and reject authentication to those users exceeding the limit ?
I think I can achieve rating using counter.conf and reading the usage from radacct but not sure how to reject this user from authenticating when he exceeds this usage limit ?
Thanks, Shreya.