Hi All, I've been setting up my College's first FreeRadius server and I've been having a hard time wrapping my brain around the config with the documentation that is available. If you'll bear with me here through this super long post, I'll go into more depth. What I'm trying to do: I want to configure FreeRadius to Authorize a user against an LDAP directory based on IF that user has the following values: *edupersonprimaryaffiliation: *STAFF AND *psadminarea*: BUSINESS - SMEAL COLLEGE _OR_ *edupersonprimaryaffiliation: *Faculty AND *psadminarea*: BUSINESS - SMEAL COLLEGE If the user's values don't match either of these two condition, they are rejected. If they match either, then they are authenticated agains a kerberos server. I've got the basic configuration working in that FreeRadius will go out to the LDAP directory (right now it just seems to check if the attribute exists but does not make a judgement on it) and then it will go out to the Kerberos server and Authenticate. I want to now add the conditions I stated above but I'm a bit lost this point. At first I thought that this was something the CheckValue module should handle, then I thought maybe it should just be a part of the filter in the LDAP module, then I thought about maybe the values need to be in the dictionary files. At this point, it became apparent that I simply don't understand how FreeRadius handles itself. It is not apparent to me how or where FreeRadius makes its decisions on conditional values. This is where I hope some of you can help. I really like FreeRadius in that it is obviously a quality product, but as it is with the documentation and my lack of Radius experience, I just can't seem to get at the last piece of this puzzle. Right now, I have the following settings (with debug output further down) radiusd.conf, LDAP module: ldap { server = "ldap.psu.edu" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "dc=psu,dc=edu" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "psadminarea" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes } In the file dictionary: ATTRIBUTE Is_Smeal_Member 3998 string ATTRIBUTE Is_Smeal_Fac_Staff_Member 3999 stringModule: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded LDAP ldap: server = "ldap.psu.edu" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "dc=psu,dc=edu" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "psadminarea" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: edir_account_policy_check = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP psadminarea mapped to RADIUS Is_Smeal_Member rlm_ldap: LDAP edupersonprimaryaffiliation mapped to RADIUS Is_Smeal_Fac_Staff_Member rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x811b320 Module: Instantiated ldap (ldap) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Initializing the thread pool... thread: start_servers = 5 thread: max_servers = 32 thread: min_spare_servers = 3 thread: max_spare_servers = 10 thread: max_requests_per_server = 0 thread: cleanup_delay = 5 Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread spawned new child 3. Total threads in pool: 3 Thread spawned new child 4. Total threads in pool: 4 Thread spawned new child 5. Total threads in pool: 5 Thread pool initialized Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. Thread 1 waiting to be assigned a request Thread 2 waiting to be assigned a request Thread 3 waiting to be assigned a request Thread 4 waiting to be assigned a request Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 127.0.0.1:32778, id=180, length=58 --- Walking the entire request list --- Waking up in 31 seconds... Threads: total/active/spare threads = 5/0/5 Thread 1 got semaphore Thread 1 handling request 0, (1 handled so far) User-Name = "pbk105" User-Password = "xxxxxxxxxxxxx" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "pbk105", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for pbk105 radius_xlat: '(uid=pbk105)' radius_xlat: 'dc=psu,dc=edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.psu.edu:389, authentication 0 rlm_ldap: bind as / to ldap.psu.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=psu,dc=edu, with filter (uid=pbk105) rlm_ldap: checking if remote access for pbk105 is allowed by psadminarea rlm_ldap: looking for check items in directory... rlm_ldap: Adding edupersonprimaryaffiliation as Is_Smeal_Fac_Staff_Member, value STAFF & op=21 rlm_ldap: Adding psadminarea as Is_Smeal_Member, value BUSINESS & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user pbk105 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory modcall[authenticate]: module "krb5" returns ok for request 0 modcall: leaving group LDAP (returns ok) for request 0 Sending Access-Accept of id 180 to 127.0.0.1 port 32778 Finished request 0 Going to the next request Thread 1 waiting to be assigned a request --- Walking the entire request list --- Cleaning up request 0 ID 180 with timestamp 44ce2b92 In the ldap.attr file: checkitem Is_Smeal_Member psadminarea checkitem Is_Smeal_Fac_Staff_Member edupersonprimaryaffiliation Debug Output: -- Paul Kuchinski Network Administrator Smeal College of Business Administration Penn State University email: pbk105@psu.edu phone: (814)865-0366 fax: (814)865-1845
On Jul 31, 2006, at 10:08 AM, P. K. wrote:
Hi All,
I've been setting up my College's first FreeRadius server and I've been having a hard time wrapping my brain around the config with the documentation that is available. If you'll bear with me here through this super long post, I'll go into more depth.
What I'm trying to do: I want to configure FreeRadius to Authorize a user against an LDAP directory based on IF that user has the following values:
edupersonprimaryaffiliation: STAFF AND psadminarea: BUSINESS - SMEAL COLLEGE
OR
edupersonprimaryaffiliation: Faculty AND psadminarea: BUSINESS - SMEAL COLLEGE
If the user's values don't match either of these two condition, they are rejected. If they match either, then they are authenticated agains a kerberos server.
This is very similar to our situation: you need to authorize based on some combination of a user's attributes that are found in LDAP, but that *aren't* present for comparison in the RADIUS request. Our solution is to use rlm_perl for the comparison. You already have part of the solution: you've got LDAP retrieving the relevant LDAP data into locally-defined RADIUS attributes. Now you just need to write a perl script to check the appropriate members of the %RAD_CHECK hash, and configure an Autz-Type that uses your LDAP module, followed by your rlm_perl module. -- George C. Kaplan gckaplan@ack.berkeley.edu Communication & Network Services 510-643-0496 University of California at Berkeley
George, Thanks for your reply. Unfortunately, the FreeRadius documentation and support is so abysmal and my experience too limited to make good use of the advice you gave. Each OSS package has its benefits and weaknesses I guess. For instance I've used ISC DHCP server for years and it has stellar support from the programmer, great on-line information and documentation so much so that I can't imagine using anything else. I guess I was hoping FreeRadius would have the same support. Without a doubt it doesn't. I've spent about two weeks now struggling to make the software do what I want and at this point I give up. I'm moving on to Radiator. I just can't spend any more time spinning my wheels. Perhaps in the future the FreeRadius writer's will realize how useless their software is with the level of documentation and support they are providing and choose to make improvements or maybe they'll just continue to operate on a "you get what you pay for basis." Either way it's not worth the frustration. It's a shame really because it's obvious that it is a really good piece of software. Anyway, thanks again for the reply. --Paul Paul Kuchinski Network Administrator Smeal College of Business Administration Penn State University email: pbk105@psu.edu phone: (814)865-0366 fax: (814)865-1845 George C. Kaplan wrote:
On Jul 31, 2006, at 10:08 AM, P. K. wrote:
Hi All,
I've been setting up my College's first FreeRadius server and I've been having a hard time wrapping my brain around the config with the documentation that is available. If you'll bear with me here through this super long post, I'll go into more depth.
What I'm trying to do: I want to configure FreeRadius to Authorize a user against an LDAP directory based on IF that user has the following values:
edupersonprimaryaffiliation: STAFF AND psadminarea: BUSINESS - SMEAL COLLEGE
OR
edupersonprimaryaffiliation: Faculty AND psadminarea: BUSINESS - SMEAL COLLEGE
If the user's values don't match either of these two condition, they are rejected. If they match either, then they are authenticated agains a kerberos server.
This is very similar to our situation: you need to authorize based on some combination of a user's attributes that are found in LDAP, but that *aren't* present for comparison in the RADIUS request. Our solution is to use rlm_perl for the comparison.
You already have part of the solution: you've got LDAP retrieving the relevant LDAP data into locally-defined RADIUS attributes. Now you just need to write a perl script to check the appropriate members of the %RAD_CHECK hash, and configure an Autz-Type that uses your LDAP module, followed by your rlm_perl module.
--George C. Kaplan gckaplan@ack.berkeley.edu Communication & Network Services 510-643-0496 University of California at Berkeley
"P. K." <pbk105@psu.edu> wrote:
Thanks for your reply. Unfortunately, the FreeRadius documentation and support is so abysmal and my experience too limited to make good use of the advice you gave. Each OSS package has its benefits and weaknesses I guess. For instance I've used ISC DHCP server for years and it has stellar support from the programmer, great on-line information and documentation so much so that I can't imagine using anything else.
ISC DHCP has one, maybe two full-time programmers working on it, ISC has 100's of 1000's of dollars in funds to support it, and companies have paid large sums of money to for ISC to write additional documentation.
Perhaps in the future the FreeRadius writer's will realize how useless their software is with the level of documentation and support they are providing and choose to make improvements or maybe they'll just continue to operate on a "you get what you pay for basis."
Yes. It's clear you're not willing to pay for FreeRADIUS support, and would rather go with a commercial solution. It's also clear you're upset that you didn't get immediate answers to all of your questions, for free. There's little anyone can do to solve that problem. And I will note that I've dealt with many people who've installed multiple servers, commercial and open source. Most say that the FreeRADIUS documentation is more than adequate for their needs. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
And Mr. Friendly wrote:
Yes. It's clear you're not willing to pay for FreeRADIUS support, and would rather go with a commercial solution.
Huh? Well, that comment makes no sense but I'll try to squeeze something useful out of it.... Just so I'm clear, because this would be news to me, FreeRadius paid support is available? From where?
It's also clear you're upset that you didn't get immediate answers to all of your questions, for free. There's little anyone can do to solve that problem.
Ah, okay. So you do operate under the "you get what you pay for" philosophy. And BTW Thanks for taking the time to respond to this email with insults and accusations. Does the paid for service come with your snide responses as well? I'd just love to be able to pay real money for the honor of subjecting myself to your charismatic attitude. --Paul Paul Kuchinski Network Administrator Smeal College of Business Administration Penn State University email: pbk105@psu.edu phone: (814)865-0366 fax: (814)865-1845 Alan DeKok wrote:
"P. K." <pbk105@psu.edu> wrote:
Thanks for your reply. Unfortunately, the FreeRadius documentation and support is so abysmal and my experience too limited to make good use of the advice you gave. Each OSS package has its benefits and weaknesses I guess. For instance I've used ISC DHCP server for years and it has stellar support from the programmer, great on-line information and documentation so much so that I can't imagine using anything else.
ISC DHCP has one, maybe two full-time programmers working on it, ISC has 100's of 1000's of dollars in funds to support it, and companies have paid large sums of money to for ISC to write additional documentation.
Perhaps in the future the FreeRadius writer's will realize how useless their software is with the level of documentation and support they are providing and choose to make improvements or maybe they'll just continue to operate on a "you get what you pay for basis."
Yes. It's clear you're not willing to pay for FreeRADIUS support, and would rather go with a commercial solution. It's also clear you're upset that you didn't get immediate answers to all of your questions, for free. There's little anyone can do to solve that problem.
And I will note that I've dealt with many people who've installed multiple servers, commercial and open source. Most say that the FreeRADIUS documentation is more than adequate for their needs.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
"P. K." <pbk105@psu.edu> wrote:
And Mr. Friendly wrote:
Yes. It's clear you're not willing to pay for FreeRADIUS support, and would rather go with a commercial solution.
Huh? Well, that comment makes no sense but I'll try to squeeze something useful out of it.... Just so I'm clear, because this would be news to me, FreeRadius paid support is available? From where?
See the web page. http://www.freeradius.org/. The TOP LINE OF TEXT has the word "support" in it. Click that, and you'll get a page offering support. Let me repeat that: READING THE MAIN FREERADIUS WEB PAGE WOULD GET YOU A LINK TO COMMERCIAL SUPPORT. My conjecture is that documentation isn't the problem. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Sorry to jump in here, but I feel like I have to defend something I believe in now. I haven't read this entire thing, but I can say I have seen this a hundred times. If you cannot read or clearly understand the topic in the extensive documentation provided. Then you need to find someone else who knows Unix or BSD. There is no way anyone is going to give you a simple answer. The FreeBSD/Unix/Linux community provides vast amounts of documentation, research, and help. First look for your answer by going through old mailing lists, type in errors you are receiving in google, or other easy troubleshooting tips. But don't expect to say I can't get it to work and tell me how to make it work. I will admit I am a complete FreeBSD/Unix noob, but I have spent countless hours now playing with the operating system, pulling my hair out, and ready to blow it up. But that frustrating process is the knowledge base I develop in knowing how a particular program works. As far as paying someone or a commercial product. Go for it. 1000% mark up on something that is already free. If you do not have the time, patience, or know how, then by all means this is your best solution. 99% of the companies go look at licensing agreements. You will see a lot of it documents back to what is already Open Source and Free. PS. As an end note it is just as fucking stupid as I post Message of Days for employees that never read it and always ask what are we doing. I can't answer 100's of the same question everyday. That is why the DOCUMENTATION is very well written generally, and lots of time goes into it. Hell you can figure out Unix by just installing the MAN pages and taking the time to play with the commands; then I see you as one of my fellow X-Employees that lied on resume of knowing how to READ something that is right in front of you everyday. So don't expect people not to get pissed face. P. K. wrote:
And Mr. Friendly wrote:
Yes. It's clear you're not willing to pay for FreeRADIUS support, and would rather go with a commercial solution.
Huh? Well, that comment makes no sense but I'll try to squeeze something useful out of it.... Just so I'm clear, because this would be news to me, FreeRadius paid support is available? From where?
It's also clear you're upset that you didn't get immediate answers to all of your questions, for free. There's little anyone can do to solve that problem.
Ah, okay. So you do operate under the "you get what you pay for" philosophy. And BTW Thanks for taking the time to respond to this email with insults and accusations. Does the paid for service come with your snide responses as well? I'd just love to be able to pay real money for the honor of subjecting myself to your charismatic attitude.
--Paul
Paul Kuchinski Network Administrator Smeal College of Business Administration Penn State University
email: pbk105@psu.edu phone: (814)865-0366 fax: (814)865-1845
Alan DeKok wrote:
"P. K." <pbk105@psu.edu> wrote:
Thanks for your reply. Unfortunately, the FreeRadius documentation and support is so abysmal and my experience too limited to make good use of the advice you gave. Each OSS package has its benefits and weaknesses I guess. For instance I've used ISC DHCP server for years and it has stellar support from the programmer, great on-line information and documentation so much so that I can't imagine using anything else.
ISC DHCP has one, maybe two full-time programmers working on it, ISC has 100's of 1000's of dollars in funds to support it, and companies have paid large sums of money to for ISC to write additional documentation.
Perhaps in the future the FreeRadius writer's will realize how useless their software is with the level of documentation and support they are providing and choose to make improvements or maybe they'll just continue to operate on a "you get what you pay for basis."
Yes. It's clear you're not willing to pay for FreeRADIUS support, and would rather go with a commercial solution. It's also clear you're upset that you didn't get immediate answers to all of your questions, for free. There's little anyone can do to solve that problem.
And I will note that I've dealt with many people who've installed multiple servers, commercial and open source. Most say that the FreeRADIUS documentation is more than adequate for their needs.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This thread has already dragged out beyond reason but I feel since I'm being attacked I should defend myself. #1) I know how to read. #2) First Alan claimed that I and my University wanted something for nothing. "Free" #3) Then you come along and claim I'm an idiot for being willing to pay for support. I don't know where you work chief but here where I work, I have other things to do than spend countless hours reading out of date man pages and listserve archives with no responses or brilliant answers like go read the faq. I spend two weeks trying to wrap my head around this software and I asked a simple question which only ONE person was kind enough to respond to.Obviously neither you nor Alan could be bothered to read or reply to my first email but you all seem to have time to respond to this one. It really makes me wonder if either of you have ever attended University. I have interns work for me every semester. I answer the same question over and over and I never use that excuse to be an asshole. You see, where it might be an old question to me, it's a new one to that student. I'm glad our faculty don't have your attitude our we'd be out of business. After all, these kids have the text book the documentation is there so why do these lazy kids need us to answer their dumb questions when they answer is right in their hand. I belong to several auto forums and we welcome new people all the time. Some with experience some without. Some are too lazy to search and some just don't know what to ask yet. Either way none are treated like I've been treated here. This "I know something you don't know and therefore I'm great and you're dumb attitude" disgusts me. This is the last response I'll give on this topic. And since you were kind enough to curse at me, I'll reply: G.F.Y. If you don't know what it means Goggle it or perhaps check the faq's. Your a smart guy. Figure it out. Spend countless hours on it if you have to. Apparently you have the time. I'll go unsubscribe now. Thanks for the warm welcome, assholes. --Paul Paul Kuchinski Network Administrator Smeal College of Business Administration Penn State University email: pbk105@psu.edu phone: (814)865-0366 fax: (814)865-1845 Eric Hilden wrote:
Sorry to jump in here, but I feel like I have to defend something I believe in now.
I haven't read this entire thing, but I can say I have seen this a hundred times. If you cannot read or clearly understand the topic in the extensive documentation provided. Then you need to find someone else who knows Unix or BSD. There is no way anyone is going to give you a simple answer. The FreeBSD/Unix/Linux community provides vast amounts of documentation, research, and help. First look for your answer by going through old mailing lists, type in errors you are receiving in google, or other easy troubleshooting tips. But don't expect to say I can't get it to work and tell me how to make it work. I will admit I am a complete FreeBSD/Unix noob, but I have spent countless hours now playing with the operating system, pulling my hair out, and ready to blow it up. But that frustrating process is the knowledge base I develop in knowing how a particular program works.
As far as paying someone or a commercial product. Go for it. 1000% mark up on something that is already free. If you do not have the time, patience, or know how, then by all means this is your best solution. 99% of the companies go look at licensing agreements. You will see a lot of it documents back to what is already Open Source and Free.
PS. As an end note it is just as fucking stupid as I post Message of Days for employees that never read it and always ask what are we doing. I can't answer 100's of the same question everyday. That is why the DOCUMENTATION is very well written generally, and lots of time goes into it. Hell you can figure out Unix by just installing the MAN pages and taking the time to play with the commands; then I see you as one of my fellow X-Employees that lied on resume of knowing how to READ something that is right in front of you everyday. So don't expect people not to get pissed face.
P. K. wrote:
And Mr. Friendly wrote:
Yes. It's clear you're not willing to pay for FreeRADIUS support, and would rather go with a commercial solution.
Huh? Well, that comment makes no sense but I'll try to squeeze something useful out of it.... Just so I'm clear, because this would be news to me, FreeRadius paid support is available? From where?
It's also clear you're upset that you didn't get immediate answers to all of your questions, for free. There's little anyone can do to solve that problem.
Ah, okay. So you do operate under the "you get what you pay for" philosophy. And BTW Thanks for taking the time to respond to this email with insults and accusations. Does the paid for service come with your snide responses as well? I'd just love to be able to pay real money for the honor of subjecting myself to your charismatic attitude.
--Paul
Paul Kuchinski Network Administrator Smeal College of Business Administration Penn State University
email: pbk105@psu.edu phone: (814)865-0366 fax: (814)865-1845
Alan DeKok wrote:
"P. K." <pbk105@psu.edu> wrote:
Thanks for your reply. Unfortunately, the FreeRadius documentation and support is so abysmal and my experience too limited to make good use of the advice you gave. Each OSS package has its benefits and weaknesses I guess. For instance I've used ISC DHCP server for years and it has stellar support from the programmer, great on-line information and documentation so much so that I can't imagine using anything else.
ISC DHCP has one, maybe two full-time programmers working on it, ISC has 100's of 1000's of dollars in funds to support it, and companies have paid large sums of money to for ISC to write additional documentation.
Perhaps in the future the FreeRadius writer's will realize how useless their software is with the level of documentation and support they are providing and choose to make improvements or maybe they'll just continue to operate on a "you get what you pay for basis."
Yes. It's clear you're not willing to pay for FreeRADIUS support, and would rather go with a commercial solution. It's also clear you're upset that you didn't get immediate answers to all of your questions, for free. There's little anyone can do to solve that problem.
And I will note that I've dealt with many people who've installed multiple servers, commercial and open source. Most say that the FreeRADIUS documentation is more than adequate for their needs.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"P. K." <pbk105@psu.edu> wrote:
This thread has already dragged out beyond reason but I feel since I'm being attacked I should defend myself.
You posted two messages, and didn't get much response. You then posted an insulting message about how people here sucked, how the documentation sucked, how the software sucked, and how you were going to buy a commercial product. Go buy it. Please. It's obvious no one here can help you. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
What a poor attitude and even more, Free support is dedicated by those with Free time. Think twice before bitching about someones work when they have already posted the how to and know how to do it. If you don't understand it that is fine and pay someone for the service. I have no problem with that. I'm trying to get you to understand how this community works. If you feel like you are personally being attacked that is own aptitude of how you are seeing things. Don't get upset if someone tells you go re-read something. They are simply trying to get the LIGHT BULB effect to go off in your head. IT IS LIKE POSTING A GIANT BILLBOARD WITH ANSWERS TO THE TEST ON IT except you don't know how to apply it. There are three reasons why people won't do something. 1.) They don't know how. 2.) They don't why they should do it. 3.) They don't care. You fall into category 3. Have a nice day. Eric Hilden CyberCrime Investigation Colorado Technical University P. K. wrote:
This thread has already dragged out beyond reason but I feel since I'm being attacked I should defend myself.
#1) I know how to read. #2) First Alan claimed that I and my University wanted something for nothing. "Free" #3) Then you come along and claim I'm an idiot for being willing to pay for support.
I don't know where you work chief but here where I work, I have other things to do than spend countless hours reading out of date man pages and listserve archives with no responses or brilliant answers like go read the faq. I spend two weeks trying to wrap my head around this software and I asked a simple question which only ONE person was kind enough to respond to.Obviously neither you nor Alan could be bothered to read or reply to my first email but you all seem to have time to respond to this one. It really makes me wonder if either of you have ever attended University. I have interns work for me every semester. I answer the same question over and over and I never use that excuse to be an asshole. You see, where it might be an old question to me, it's a new one to that student. I'm glad our faculty don't have your attitude our we'd be out of business. After all, these kids have the text book the documentation is there so why do these lazy kids need us to answer their dumb questions when they answer is right in their hand.
I belong to several auto forums and we welcome new people all the time. Some with experience some without. Some are too lazy to search and some just don't know what to ask yet. Either way none are treated like I've been treated here. This "I know something you don't know and therefore I'm great and you're dumb attitude" disgusts me.
This is the last response I'll give on this topic. And since you were kind enough to curse at me, I'll reply: G.F.Y. If you don't know what it means Goggle it or perhaps check the faq's. Your a smart guy. Figure it out. Spend countless hours on it if you have to. Apparently you have the time.
I'll go unsubscribe now. Thanks for the warm welcome, assholes.
--Paul
Paul Kuchinski Network Administrator Smeal College of Business Administration Penn State University
email: pbk105@psu.edu phone: (814)865-0366 fax: (814)865-1845
Eric Hilden wrote:
Sorry to jump in here, but I feel like I have to defend something I believe in now.
I haven't read this entire thing, but I can say I have seen this a hundred times. If you cannot read or clearly understand the topic in the extensive documentation provided. Then you need to find someone else who knows Unix or BSD. There is no way anyone is going to give you a simple answer. The FreeBSD/Unix/Linux community provides vast amounts of documentation, research, and help. First look for your answer by going through old mailing lists, type in errors you are receiving in google, or other easy troubleshooting tips. But don't expect to say I can't get it to work and tell me how to make it work. I will admit I am a complete FreeBSD/Unix noob, but I have spent countless hours now playing with the operating system, pulling my hair out, and ready to blow it up. But that frustrating process is the knowledge base I develop in knowing how a particular program works.
As far as paying someone or a commercial product. Go for it. 1000% mark up on something that is already free. If you do not have the time, patience, or know how, then by all means this is your best solution. 99% of the companies go look at licensing agreements. You will see a lot of it documents back to what is already Open Source and Free.
PS. As an end note it is just as fucking stupid as I post Message of Days for employees that never read it and always ask what are we doing. I can't answer 100's of the same question everyday. That is why the DOCUMENTATION is very well written generally, and lots of time goes into it. Hell you can figure out Unix by just installing the MAN pages and taking the time to play with the commands; then I see you as one of my fellow X-Employees that lied on resume of knowing how to READ something that is right in front of you everyday. So don't expect people not to get pissed face.
P. K. wrote:
And Mr. Friendly wrote:
Yes. It's clear you're not willing to pay for FreeRADIUS support, and would rather go with a commercial solution.
Huh? Well, that comment makes no sense but I'll try to squeeze something useful out of it.... Just so I'm clear, because this would be news to me, FreeRadius paid support is available? From where?
It's also clear you're upset that you didn't get immediate answers to all of your questions, for free. There's little anyone can do to solve that problem.
Ah, okay. So you do operate under the "you get what you pay for" philosophy. And BTW Thanks for taking the time to respond to this email with insults and accusations. Does the paid for service come with your snide responses as well? I'd just love to be able to pay real money for the honor of subjecting myself to your charismatic attitude.
--Paul
Paul Kuchinski Network Administrator Smeal College of Business Administration Penn State University
email: pbk105@psu.edu phone: (814)865-0366 fax: (814)865-1845
Alan DeKok wrote:
"P. K." <pbk105@psu.edu> wrote:
Thanks for your reply. Unfortunately, the FreeRadius documentation and support is so abysmal and my experience too limited to make good use of the advice you gave. Each OSS package has its benefits and weaknesses I guess. For instance I've used ISC DHCP server for years and it has stellar support from the programmer, great on-line information and documentation so much so that I can't imagine using anything else.
ISC DHCP has one, maybe two full-time programmers working on it, ISC has 100's of 1000's of dollars in funds to support it, and companies have paid large sums of money to for ISC to write additional documentation.
Perhaps in the future the FreeRadius writer's will realize how useless their software is with the level of documentation and support they are providing and choose to make improvements or maybe they'll just continue to operate on a "you get what you pay for basis."
Yes. It's clear you're not willing to pay for FreeRADIUS support, and would rather go with a commercial solution. It's also clear you're upset that you didn't get immediate answers to all of your questions, for free. There's little anyone can do to solve that problem.
And I will note that I've dealt with many people who've installed multiple servers, commercial and open source. Most say that the FreeRADIUS documentation is more than adequate for their needs.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I already sent separate email to P.K. with details of our setup, since it seems to be close to what he wants to do. A couple of comments on this discussion:
"P. K." <pbk105@psu.edu> wrote:
Thanks for your reply. Unfortunately, the FreeRadius documentation and support is so abysmal ...
Alan DeKok wrote:
And I will note that I've dealt with many people who've installed multiple servers, commercial and open source. Most say that the FreeRADIUS documentation is more than adequate for their needs.
Strange as it may seem, I agree with both of you: - Alan: The documentation is adequate; I've learned everything I need to know about FreeRadius from the included documentation, as well as from websites and asking careful questions on this list. - P.K.: It is abysmal: a collection of man pages, assorted text files, sample scripts and source code comments, with no overarching organization or index (except for 'grep'). As I said in private email, it's like a hologram: all the information is there, but you have to look at all of it to make sense out of how FR works. I've never complained on this mailing list about the quality of the documentation, because I already know the answer I'll get: "Write something better and submit it." When I get time (IF I get time) I'll do that. Until then, I'll make do with what's there. -- George C. Kaplan gckaplan@ack.berkeley.edu IST - Infrastructure Services 510-643-0496 University of California at Berkeley
"George C. Kaplan" <gckaplan@ack.berkeley.edu> wrote:
I've never complained on this mailing list about the quality of the documentation, because I already know the answer I'll get: "Write something better and submit it." When I get time (IF I get time) I'll do that. Until then, I'll make do with what's there.
I'm writing a book to solve just this problem. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi,
Thanks for your reply. Unfortunately, the FreeRadius documentation and support is so abysmal and my experience too limited to make good use of the advice you gave. Each OSS package has its benefits and weaknesses I
thousands of others would disagree with you - perhaps as many would agree with you. I've been away on holiday/vacation so missed your initial post or problem - and I'm not sure whether your post here is some form of bait to get someone to stand up and prove that they can help you - or verify that wht you're trying to do can/can't be done - which is it? you're example of ISC DHCP doesnt quite agree with me - but thats my own opinion.
doubt it doesn't. I've spent about two weeks now struggling to make the software do what I want and at this point I give up. I'm moving on to Radiator. I just can't spend any more time spinning my wheels.
IAS is very good if you like simple GUIs and a fully supported system ;-)
providing and choose to make improvements or maybe they'll just continue to operate on a "you get what you pay for basis." Either way it's not worth the frustration. It's a shame really because it's obvious that it is a really good piece of software.
I'd try the current FreeRADIUS book from O'Reilly. It might not give you word for word examples which match exactly what you are trying to do (in fact, if you read through the users mailing list you'll see that almost no-ones situation or required recipe are the same...everyone has unique local requirements - or are simply not reading each line of the config - or validating their requirement before implementing it) FWIW we are using LDAP lookups to fidn what groups people are in (and then returning the VLAN they should be on), authorization is via kerberos5 for plaintext PAP stuff, and via SAMBA winbind for PEAP MSCHAPv2 conenctions, we proxy to the national RADIUS system for remote users and accept incoming proxied for our users at other sites...we also have FreeRADIUS gathering packet counters and use time-valid accounts for certain systems - with a 'cafe style' ticket system... we dont, however use it with oracle, postgresql, we dont use bit buckets or connection speed/quality (eg chilispot style options) - yet - and there are various other modules we dont use here and i havent gone through yet - so such are the range of questions you can throw my way (in an ad-hoc community-support style way). alternatively there _are_ people on this list who will happily do work for you/help you out for the required fees. if you like the idea of commercial support, there are such people. alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Eric Hilden -
George C. Kaplan -
P. K.