Re: Freeradius-Users Digest, Vol 51, Issue 30
Hi Kalik, Thanks for your help... Now i can send two Qos profiles and it's working fine. Thanks, Gayathri On Wed, Jul 8, 2009 at 3:30 PM, < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: freeradius active directory integration fails with "no such realm" (Andrei-Florian Staicu) 2. Re: want to authorise but not authenticate (Arran Cudbard-Bell) 3. Re: want to authorise but not authenticate (Ivan Kalik) 4. Re: How to configure 2 wimax qos profiles for the user in users file (Ivan Kalik)
----------------------------------------------------------------------
Message: 1 Date: Wed, 08 Jul 2009 12:31:21 +0300 From: Andrei-Florian Staicu <andrei.staicu@gmail.com> Subject: Re: freeradius active directory integration fails with "no such realm" To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4A546769.8020709@googlemail.com> Content-Type: text/plain; charset=ISO-8859-2; format=flowed
Alan DeKok wrote:
Andrei-Florian Staicu wrote:
Hello again. I've reached the output from here: http://pastebin.com/d19f28a24 , and i still don't understand why it doesen't call the ntlm_auth line
It looks like you are adding a "Proxy-To-Realm := LOCAL".
...
PEAP: Sending tunneled request EAP-Message = 0x02060018014950534f305c616e647265692e737461696375 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "IPSO0\\andrei.staicu" server inner-tunnel { +- entering group authorize rlm_realm: Looking up realm "IPSO0" for User-Name = "IPSO0\andrei.staicu" rlm_realm: Found realm "IPSO0" rlm_realm: Adding Stripped-User-Name = "andrei.staicu" rlm_realm: Adding Realm = "IPSO0" rlm_realm: Authentication realm is LOCAL. ++[ntdomain] returns noop ++[mschap] returns noop ++[control] returns noop
Why is that "update control" section there? What is in it?
rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing
EAP.
It's being proxied to realm LOCAL. You have added a LOCAL realm. Don't do that.
++[eap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
Even more proof. The IPSO0 realm above is added because it exists. The server does NOT add a "Proxy-To-Realm := LOCAL". You have done that. Delete it from your configuration.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
It works now. Thank you very much for clearing thing up for me.
------------------------------
Message: 2 Date: Wed, 08 Jul 2009 10:33:22 +0100 From: Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk> Subject: Re: want to authorise but not authenticate To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4A5467E2.5040309@sussex.ac.uk> Content-Type: text/plain; charset=UTF-8; format=flowed
On 8/7/09 10:19, A.L.M.Buxey@lboro.ac.uk wrote:
hi,
heres one for a wednesday morning.
we have a system that we've been done plain authorizations via FreeRADIUS - the device sends the following RADIUS request
username: userid password: userid
(ie the system sends the username and makes the password the same)
okay. fair enough....a bit of unlang and a check that if the username = password then set the Auth-Type to something false et voila. all okay.
it has now been decided to also do authentication via RADIUS and this is where things get messy.
by removing the Auth-Type kludge, we can successfully authenticate a real user with their real password.... however, the authorization now fails because the device still sends username/password with the password the same as the username - this now hits the FreeRADIUS server which cannot find a valid Auth-Type for the user and thus fails authentication and therefore sends back a 'blurgh' to the box requesting authorization.
authorize { if((User-Name == User-Password) && %{ldap:etc...}){ update control { Auth-Type := 'NULL' } } else { // Authentication modules } }
Auth-Type NULL { ok }
this is to be expected because there is nothing in the request to distoniguish between an authorization request and an authentication request.
so the question is, how do we handle this so that the system can send a username=password for authorization AND a proper authentication can happen WITHOUT (hers a gotcha) the user doing something cute like putting their username in as their password! ;-)
Slightly confused as to what you want... Try again without the caffeine ?
Arran
-- Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>, Systems Administrator (AAA), Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
------------------------------
Message: 3 Date: Wed, 8 Jul 2009 10:35:04 +0100 (BST) From: "Ivan Kalik" <tnt@kalik.net> Subject: Re: want to authorise but not authenticate To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <10825.194.176.105.43.1247045704.squirrel@webmail.kalik.net> Content-Type: text/plain;charset=utf-8
we have a system that we've been done plain authorizations via FreeRADIUS - the device sends the following RADIUS request
username: userid password: userid
(ie the system sends the username and makes the password the same)
okay. fair enough....a bit of unlang and a check that if the username = password then set the Auth-Type to something false et voila. all okay.
it has now been decided to also do authentication via RADIUS and this is where things get messy.
by removing the Auth-Type kludge, we can successfully authenticate a real user with their real password.... however, the authorization now fails because the device still sends username/password with the password the same as the username - this now hits the FreeRADIUS server which cannot find a valid Auth-Type for the user and thus fails authentication and therefore sends back a 'blurgh' to the box requesting authorization.
this is to be expected because there is nothing in the request to distoniguish between an authorization request and an authentication request.
so the question is, how do we handle this so that the system can send a username=password for authorization AND a proper authentication can happen WITHOUT (hers a gotcha) the user doing something cute like putting their username in as their password! ;-)
Send Service-Type = Authorize-Only in authorization request. Then you can distinguish between the requsts. Or do authorization in the same time as authentication.
Without opening a major security hole. You can set Auth-Type to Accept if User-Name = User-Password in the request but that would enable anyone to log in knowing just username.
Ivan Kalik Kalik Informatika ISP
------------------------------
Message: 4 Date: Wed, 8 Jul 2009 10:39:48 +0100 (BST) From: "Ivan Kalik" <tnt@kalik.net> Subject: Re: How to configure 2 wimax qos profiles for the user in users file To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <59554.194.176.105.43.1247045988.squirrel@webmail.kalik.net> Content-Type: text/plain;charset=utf-8
I am trying to configure the two wimax qos profiles for the single user as one for uplink and another for downlink. If i configure the same attributes two times, in the Access-Accept message the first configured wimax attribute value only is sending but its not sending the same attribute again which has different value. is there any way to do this and make it work?
http://wiki.freeradius.org/Operators
+=
Ivan Kalik Kalik Informatika ISP
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 51, Issue 30 ************************************************
participants (1)
-
gayathri reddy