Re: How to deny access to Switch Cisco by Group
Thanks. I have done your tip but I'm get the follow error rlm_ldap::ldap_groupcmp: Group cisco not found or user is not a member. [ldap] performing search in o=dohler, with filter (&(cn=cisco)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames (uniquemember=)))) [ldap] object not found I have created the group "cisco" in the Ldap and put the user inside it but the logs from freeradius shows that group not found. maybe there is mismatch at the searching ldap from freeradius that I have fit it. any tip about ? Thanks 2013/10/3 <freeradius-users-request@lists.freeradius.org>:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Running RADIUS in permanent debug mode with rotating log (Arran Cudbard-Bell) 2. Re: Wifi APs Models compatible with by username dynamic vlan assignment (Arran Cudbard-Bell) 3. How to deny access to Switch Cisco by Group (Usu?rio do Sistema) 4. Re: How to deny access to Switch Cisco by Group (Alan DeKok) 5. Re: Running RADIUS in permanent debug mode with rotating log (A.L.M.Buxey@lboro.ac.uk) 6. RE: radwho not working (Clint Petty)
----------------------------------------------------------------------
Message: 1 Date: Thu, 3 Oct 2013 11:04:42 +0100 From: Arran Cudbard-Bell <a.cudbardb@freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Running RADIUS in permanent debug mode with rotating log Message-ID: <414C50CC-A53F-4480-B111-14FB8A774FBC@freeradius.org> Content-Type: text/plain; charset=us-ascii
On 3 Oct 2013, at 10:14, <stefan.paetow@diamond.ac.uk> wrote:
How can we run radiusd -x > "logname" such that we have different logname for each day?
Clement, may I suggest a cron job?
At midnight, move the log, kill and restart the radius server with a new log in the name? Of course you run the risk of possibly killing any authentication attempts that happen at that point in time, but... that's something you need to take into account?
Please don't. Use a crontab by all means but just use the main log file and enable additional debugging (-xx).
As of 2.2.1 you can use the radmin control socket to reopen the log file handle without restarting the server, or sending a -HUP.
It's not just the fact you'll kill any EAP auth sessions in progress, but you'll will clear out any cached entries (rlm_cache), and where proxying is being performed upstream server state will be lost.
It's also dangerous in that if someone has messed with the configurations, or overwritten the radiusd/freeradius(debian) binary you'll experience an unexpected migration to the new binary/config on next restart.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
------------------------------
Message: 2 Date: Thu, 3 Oct 2013 11:08:34 +0100 From: Arran Cudbard-Bell <a.cudbardb@freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Wifi APs Models compatible with by username dynamic vlan assignment Message-ID: <F7069EC1-C670-405B-9FC0-B962BE10E07A@freeradius.org> Content-Type: text/plain; charset=us-ascii
On 3 Oct 2013, at 10:57, matthew pideil <matthew.pideil@teledetection.fr> wrote:
Hello,
I want to perform dynamic VLAN assignment by username through wifi access. I set up this configuration few time ago but didn't works.
I want to know which WiFi APs are compatible and/or what is the term to search for in devices specifications ...
Look for claimed compliance with RFC3580/RFC4675 in the specifications of your Access-Point.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
------------------------------
Message: 3 Date: Thu, 3 Oct 2013 09:37:57 -0300 From: Usu?rio do Sistema <maiconlp@ig.com.br> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: How to deny access to Switch Cisco by Group Message-ID: <CAMTjHrxN6PQ-7Dc8BXF8LggbeyUYY4OSVO2ThN0V3SO+vdK4Fw@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1
Hello, I have just installed a FreeRADIUS Version 2.1.12. it's integrate with OpenLdap and I'm able to use it that way. my issue is how to deny users aren't member of the any group. For exemple, I should like authorize users do login in the my devices Cisco from a group of the my data base LDAP. if user doesn't inside in that group the freeradius must DENY it. currently my freeradius is allow any user from LDAP. if the user is created on LDAP it's able login in my Cisco devices. how to deny access by group ? if user is member of the group it's able login in otherwise the user is deny
thanks
------------------------------
Message: 4 Date: Thu, 03 Oct 2013 08:57:06 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: How to deny access to Switch Cisco by Group Message-ID: <524D69A2.2040302@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Usu?rio do Sistema wrote:
how to deny access by group ? if user is member of the group it's able login in otherwise the user is deny
See the FAQ. Put this at the top of the "users" file:
DEFAULT LDAP-Group != "allowed", Auth-Type := Reject
Alan DeKok.
------------------------------
Message: 5 Date: Thu, 3 Oct 2013 16:29:41 +0100 From: A.L.M.Buxey@lboro.ac.uk To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Running RADIUS in permanent debug mode with rotating log Message-ID: <20131003152941.GA4711@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii
Hi,
this is FreeRADIUS list, not general Linux lsit - I'd suggest looking at some guides for the EXACT thing you need eg
http://www.cyberciti.biz/faq/linux-unix-formatting-dates-for-display/
(and ensure your escape quotes are the right way around)
alan
------------------------------
Message: 6 Date: Thu, 3 Oct 2013 17:10:17 +0000 From: Clint Petty <cpetty@luthresearch.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: radwho not working Message-ID: <64d95a19c8744c0ca70e1343e2118371@DM2PR04MB334.namprd04.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"
Hi Alan,
Below is the results from radiusd -X (debug mode), while logging in:
rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=79, length=138 User-Name = "test" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 53 NAS-Port-Id = "ios" NAS-IP-Address = xx.xx.xx.79 Called-Station-Id = "xx.xx.xx.79[4500]" Calling-Station-Id = "xx.xx.xx.150[32055]" EAP-Message = 0x02000009016a646f65 NAS-Identifier = "strongSwan" Message-Authenticator = 0x13a0846c40f521e3c009161546f6f3fb # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for test [ldap] expand: (&(uid=%u)) -> (&(uid=test)) [ldap] expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to xx.xx.xx.126:389, authentication 0 [ldap] bind as cn=Admin,dc=company,dc=com/xxxx to xx.xx.xx.126:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test)) [ldap] looking for check items in directory... [ldap] userPassword -> User-Password == "password" [ldap] userPassword -> Password-With-Header == "password" [ldap] sambaNtPassword -> NT-Password == 0x38424235443 [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Config already contains "known good" password. Ignoring Password-With-Header [pap] Normalizing NT-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 79 to xx.xx.xx.79 port 40379 EAP-Message = 0x010100160410c73f50e02103b6473c8f5ed51995e29f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2310bb7d2311bf963fc3fbc63c331669 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=80, length=169 User-Name = "test" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 53 NAS-Port-Id = "ios" NAS-IP-Address = xx.xx.xx.79 Called-Station-Id = "xx.xx.xx.79[4500]" Calling-Station-Id = "xx.xx.xx.150[32055]" EAP-Message = 0x020100160410958ab4a6a9b38188febc74cc0c573b96 NAS-Identifier = "strongSwan" State = 0x2310bb7d2311bf963fc3fbc63c331669 Message-Authenticator = 0xdb77c116ca06726a60a2d3a224bc2e22 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for test [ldap] expand: (&(uid=%u)) -> (&(uid=test)) [ldap] expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test)) [ldap] looking for check items in directory... [ldap] userPassword -> User-Password == "password" [ldap] userPassword -> Password-With-Header == "password" [ldap] sambaNtPassword -> NT-Password == 0x38424235443 [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Config already contains "known good" password. Ignoring Password-With-Header [pap] Normalizing NT-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 [eap] Freeing handler ++[eap] returns ok Login OK: [test] (from client localhost port 53 cli xx.xx.xx.150[32055]) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 80 to xx.xx.xx.79 port 40379 EAP-Message = 0x03010004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 79 with timestamp +20 Cleaning up request 1 ID 80 with timestamp +20 Ready to process requests.
-----Original Message----- From: freeradius-users-bounces+me=company.com@lists.freeradius.org [mailto:freeradius-users-bounces+me=company.com@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, October 03, 2013 1:32 AM To: FreeRadius users mailing list Subject: Re: radwho not working
Hi,
I would like to display the active Radius connections. When I run radwho I get the following results (showing nothing but the titles) even though I know I have an active connection:
using the utmp/wtmp modules? what does your FreeRADIUS debug show when someone logging in?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 102, Issue 11 *************************************************
participants (1)
-
Usuário do Sistema