From the site: RADIUS Debugging File FreeRADIUS server does not support preauthentication. There is no example for this case.
-- Jonathan De Graeve Network/System Administrator Imelda vzw Informatica Dienst 015/50.52.98 Jonathan.de.graeve@imelda.be -----Oorspronkelijk bericht----- Van: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] Namens King, Michael Verzonden: woensdag 5 oktober 2005 20:08 Aan: FreeRadius users mailing list Onderwerp: RE: Call-Check I wonder if it's this one? http://www.cisco.com/univercd/cc/td/doc/product/voice/sipproxy/radiusps/ radpreau.htm
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, October 05, 2005 2:01 PM To: FreeRadius users mailing list Subject: Re: Call-Check
Ivo <ml.radius@ultra.hr> wrote:
Can someone tell me is it possible to get freeradius respond to Service-Type==Call-Check requests?
I don't see why niot.
I have read on cisco's web pages that it is not possible.
Please post the URL.
Namely, I would like to check for valid caller-id before answering the call and going on with username/password check.
Sure. It's just data in RADIUS packets.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Jonathan De Graeve" <Jonathan.De.Graeve@imelda.be> wrote:
From the site: RADIUS Debugging File FreeRADIUS server does not support preauthentication. There is no example for this case.
I'm not sure it's true. Please configure the pre-authentication as they describe, run FreeRADIUS in debugging mode, and try using preauthentication. Post the results to the list. Also, configure ACS (or a server that *does* support preauthenticat), run some requests, capture the output with tcpdump, and post the capture file on a web page. From what I can see of Table 10, they're not doing anything magic. There's no reason why you can't configure preauthentication using FreeRADIUS. Alan DeKok.
I'm using Cisco preauth feature on an AS5300 series acting as standard modem RAS against a FreeRADIUS. I use it to blacklist some ANIs that aren't allowed to put a call on my gear, and I need to do it before the call gets answered. It is working great in the sense that I get the blacklisted numbers rejected without sending an Answer signal on the PSTN line, due to that Cisco's preauth feature makes it to do an Access-Request before it answers the call, but FR treats it as a normal packet, with the only detail that it has lesser information (i.e, in the modem RAS case, you dont have the real UserName until you answer the call and modem negotiation ends up, so Cisco normally lets you put the DNIS or ANI or something in the UserName field and password). The only two details is this and the fact that from FR's point of view, the NAS will be doing Auth twice, one for the "preauth" fase on the cisco, and another for the real "auth" fase. So you will be seeing two Access-Request packets from NAS. Ing. Paolo Rotela Jefe Técnico Blue Telecom ----- Original Message ----- From: "Alan DeKok" <aland@ox.org> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Wednesday, October 05, 2005 3:41 PM Subject: Re: Call-Check
"Jonathan De Graeve" <Jonathan.De.Graeve@imelda.be> wrote:
From the site: RADIUS Debugging File FreeRADIUS server does not support preauthentication. There is no example for this case.
I'm not sure it's true.
Please configure the pre-authentication as they describe, run FreeRADIUS in debugging mode, and try using preauthentication. Post the results to the list.
Also, configure ACS (or a server that *does* support preauthenticat), run some requests, capture the output with tcpdump, and post the capture file on a web page.
From what I can see of Table 10, they're not doing anything magic. There's no reason why you can't configure preauthentication using FreeRADIUS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sri, 2005-10-05 at 17:28 -0300, Paolo Rotela wrote:
so Cisco normally lets you put the DNIS or ANI or something in the UserName field and password). The only two details is this and the fact that from FR's point of view, the NAS will be doing Auth twice, one for the "preauth" fase on the cisco, and another for the real "auth" fase. So you will be seeing two Access-Request packets from NAS.
Since it looks like "normal" authentication request, FR (when using sql database) is looking into radcheck for username / password, but my NAS (PM3) sends only username and there is no User-Password attribute in request so FR denies access - I can see "Auth: Login incorrect: [XXXXXXX/<no User-Password attribute>] in log file (where XXXXXXX is callerId, of course). So, how can I tell FR not to look for password and to "accept call" from some phone number if that number is in some sql table? TIA.
participants (4)
-
Alan DeKok -
Ivo -
Jonathan De Graeve -
Paolo Rotela