still fighting with test configuration.. I have created two rlm_passwd modules. Afterwards, have put them under 'authorize' section one by one. Why the deamon is accepting the request depending only on the rlm_passwd file where User-Password is present and ignoring the one which should check NAS-IP-Address and Realm? My aim is to make it so that if the last mentioned returns "wrong", the whole request is wrong. Please assist me with ideas. Edgars
Edgars Klavinskis <edzix19@inbox.lv> wrote:
I have created two rlm_passwd modules. Afterwards, have put them under 'authorize' section one by one. Why the deamon is accepting the request depending only on the rlm_passwd file where User-Password is present and ignoring the one which should check NAS-IP-Address and Realm?
Read the debug log.
My aim is to make it so that if the last mentioned returns "wrong", the whole request is wrong.
Read doc/configurable_failover Alan DeKok.
Alan, how to do authentication based on attribute checking (attr_compar or something like this)? I mean, if I am adding some atributes to config_items via rlm_passwd how to check those attributes in the authenticate section? User-Password is only checkd, nothing more. For example, I want to check Framed-Protocol, and am adding it to config_items. Where does these config_items go to? How to compare them? modcall[authorize]: module "edg_pass" returns ok for request 0 rlm_passwd: Added Framed-IP-Address: '2.2.2.6' to reply_items modcall[authorize]: module "edg_pass_group" returns ok for request 0 rlm_passwd: Added Framed-Protocol: 'PPP' to config_items rlm_passwd: Added Auth-Type: 'ACCEPT' to config_items modcall[authorize]: module "edg_check" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type ACCEPT auth: type "ACCEPT" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 WARNING! Asked to process empty group. Returning reject. modcall: group Auth-Type returns reject for request 0 auth: Failed to validate the user. Login incorrect: [edgars/edgars] (from client lalala port 2549 cli 1.1.1.2) Edgars Alan DeKok wrote:
Edgars Klavinskis <edzix19@inbox.lv> wrote:
I have created two rlm_passwd modules. Afterwards, have put them under 'authorize' section one by one. Why the deamon is accepting the request depending only on the rlm_passwd file where User-Password is present and ignoring the one which should check NAS-IP-Address and Realm?
Read the debug log.
My aim is to make it so that if the last mentioned returns "wrong", the whole request is wrong.
Read doc/configurable_failover
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Edgars Klavinskis <edzix19@inbox.lv> wrote:
I mean, if I am adding some atributes to config_items via rlm_passwd how to check those attributes in the authenticate section?
You don't. I don't understand why you would want to check them there.
User-Password is only checkd, nothing more.
No.
For example, I want to check Framed-Protocol, and am adding it to config_items.
Why? Please explain.
rad_check_password: Found Auth-Type ACCEPT auth: type "ACCEPT" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 WARNING! Asked to process empty group. Returning reject.
Hmmm... I don't see why that would be happening, unless you configured an "ACCEPT" group in radiusd.conf. Alan DeKok.
For example, I want to check Framed-Protocol, and am adding it to config_items.
Why? Please explain.
When I am receiving an request from some client, I want to check Realm and User-Password depending on Nas-IP-Address and User-Name as key fields placed in rlm_passwd files. It's because of the fact that someone could use not the correct realm when connecting to some box, I want to decline such persons. Edgars
Edgars Klavinskis <edzix19@inbox.lv> wrote:
When I am receiving an request from some client, I want to check Realm and User-Password depending on Nas-IP-Address and User-Name as key fields placed in rlm_passwd files. It's because of the fact that someone could use not the correct realm when connecting to some box, I want to decline such persons.
So check in the "authorise" section. I don't understand why it's so important to check it in the "authenticate" section. Alan DeKok.
it not required for me to check this in authenticate section, i just though it is the only place where I could check these passwd attributes. Can you please tell me how to check them in authorize section assuming that they are added to config_items? Thanks. Edgars Alan DeKok wrote:
Edgars Klavinskis <edzix19@inbox.lv> wrote:
When I am receiving an request from some client, I want to check Realm and User-Password depending on Nas-IP-Address and User-Name as key fields placed in rlm_passwd files. It's because of the fact that someone could use not the correct realm when connecting to some box, I want to decline such persons.
So check in the "authorise" section. I don't understand why it's so important to check it in the "authenticate" section.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Edgars Klavinskis <edzix19@inbox.lv> wrote:
it not required for me to check this in authenticate section, i just though it is the only place where I could check these passwd attributes. Can you please tell me how to check them in authorize section assuming that they are added to config_items?
In the CVS head, rlm_policy. In 1.0.x, you can't. You also can't check them in the authenticate section in 1.0.x. It's a rare enough request that the server doesn't do it. Alan DeKok.
Hey Guys, I am trying to install the freeradius in sql on my server when I do the db dump I get the following error: mysql -uxxxx -pxxxxxx radius < db_mysql.sql ERROR 1067 (42000) at line 155: Invalid default value for 'id' This is the line in question: -> id int(10) DEFAULT '0' NOT NULL auto_increment, <-- Does anyone know How I can fix this problem? Thanks in Advance, Michael A Cooper BCCISP.net http://www.bccisp.net 281-854-2079 "Technology that counts, voices that matter!" ----- Original Message ----- From: "Alan DeKok" <aland@ox.org> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Saturday, June 18, 2005 10:52 AM Subject: Re: 'authorize' module
Edgars Klavinskis <edzix19@inbox.lv> wrote:
it not required for me to check this in authenticate section, i just though it is the only place where I could check these passwd attributes. Can you please tell me how to check them in authorize section assuming that they are added to config_items?
In the CVS head, rlm_policy. In 1.0.x, you can't.
You also can't check them in the authenticate section in 1.0.x. It's a rare enough request that the server doesn't do it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.7.8/22 - Release Date: 6/17/2005
any doc on rlm_policy? Edgars Alan DeKok wrote:
Edgars Klavinskis <edzix19@inbox.lv> wrote:
it not required for me to check this in authenticate section, i just though it is the only place where I could check these passwd attributes. Can you please tell me how to check them in authorize section assuming that they are added to config_items?
In the CVS head, rlm_policy. In 1.0.x, you can't.
You also can't check them in the authenticate section in 1.0.x. It's a rare enough request that the server doesn't do it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ok, got it. Thanks. But it is still very unclear for me how to check attributes coming from rlm_passwd files in configure_items array. Any comments or example on this? Edgars Alan DeKok wrote:
Edgars Klavinskis <edzix19@inbox.lv> wrote:
any doc on rlm_policy?
Have you tried the "man" page?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Edgars Klavinskis <edzix19@inbox.lv> wrote:
ok, got it. Thanks. But it is still very unclear for me how to check attributes coming from rlm_passwd files in configure_items array. Any comments or example on this?
The documentation? It says EXPLICITLY how to get attributes from the configuration items. Look for the word "configuration". I have NO diea why this is so hard. Alan DeKok.
sorry, man! just googled for rlm_policy and found your tread about doc under raddb/, didn't look at one under man. Edgars Alan DeKok wrote:
Edgars Klavinskis <edzix19@inbox.lv> wrote:
ok, got it. Thanks. But it is still very unclear for me how to check attributes coming from rlm_passwd files in configure_items array. Any comments or example on this?
The documentation? It says EXPLICITLY how to get attributes from the configuration items.
Look for the word "configuration".
I have NO diea why this is so hard.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Edgars Klavinskis -
Michael Cooper