Carlos Peñafiel wrote:
Hello!!!
I want to send from my radius server several attributes to the client, but I've been looking at the documenation. I can do that if my attribute-ID is between 1 and 100 (I guess, maybe is it 256), but also the documentation says that a new attribute has to have an ID greater than 3000.
So, are not "the attributes between 100 (256) and 3000" sent to the client radius? (I guess, they could be used for local management) If it is not, how can I create an attribute with id grater that 3000 and send to the radius client?
If you are creating your own attributes, get an IANA enterprise number (either apply for one or re-use one if AND ONLY IF you're certainly it will only be used internally) and use a vendor-specific attribute space. See the dictionary.$vendor files for examples.
Alternatively, have a dig in the dictionary files and/or RFCs for an existing attribute that closely matches the purpose. What are you trying to do?
Obviously you'll have to have control over the radius client to make it actually use the new attribute. Most will only use attributes they already know about.
Hello and thank you to answer so soon. I am trying to do something like "amount of quality of service" that a user have. I have the control over the radius client because I am using a HostAP, but looking at the documentation and on Google, I cant find a way to solve this. can you help me a little but more? Thank you in advance.
=?iso-8859-1?B?Q2FybG9zIFBl8WFmaWVs?= <carpeher@hotmail.com> wrote:
I am trying to do something like "amount of quality of service" that a user have.
What does that mean?
I have the control over the radius client because I am using a HostAP, but looking at the documentation and on Google, I cant find a way to solve this. can you help me a little but more?
Edit the source code to the client to look for, and interpret, the new attribute. Re-use an attribute of a similar name, or invent a new one. If the attribure is used only in your local deployment, it doesn't really matter what number you pick. It just has to be a number that goes into a RADIUS packet. Alan DeKok.
Hello, I set up FreeRadius in order to proxy certain realm to another Radius server (which is not under my control at all). The shared secret is the same. I put the address of the other Radius server in the proxy.conf file. My Radius sends the request 5 times to the other Radius server and then gives up marking the server dead (but it is not). This is what comes out : Cleaning up request 104 ID 0 with timestamp 444f845d Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.3.1.60:2050, id=0, length=147 User-Name = "testyyyy@xxxx.es" NAS-IP-Address = 10.3.1.60 Called-Station-Id = "0014bfef3609" Calling-Station-Id = "001124a87bc6" NAS-Identifier = "0014bfef3609" NAS-Port = 21 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001601746573746963666f4063657363612e6573 Message-Authenticator = 0xb82a0c651648b9bab3d9860388e081db Processing the authorize section of radiusd.conf modcall: entering group authorize for request 105 modcall[authorize]: module "preprocess" returns ok for request 105 radius_xlat: '/usr/local/var/log/radius/radacct/10.3.1.60/auth- detail-20060426' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/ auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 10.3.1.60/auth-detail-20060426 modcall[authorize]: module "auth_log" returns ok for request 105 rlm_realm: Looking up realm "xxxx.es" for User-Name = "testyyyy@xxxx.es" rlm_realm: Found realm "DEFAULT" rlm_realm: Proxying request from user testyyyy to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" modcall[authorize]: module "suffix" returns updated for request 105 rlm_eap: Request is supposed to be proxied to Realm DEFAULT. Not doing EAP. modcall[authorize]: module "eap" returns noop for request 105 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 105 rlm_ldap: - authorize rlm_ldap: performing user authorization for testyyyy@xxxx.es radius_xlat: '(uid=testyyyy@xxxx.es)' radius_xlat: 'ou=People, dc=yyyy, dc=es' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People, dc=yyyy, dc=es, with filter (uid=testyyyy@xxxx.es) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 105 modcall: leaving group authorize (returns updated) for request 105 Processing the pre-proxy section of radiusd.conf modcall: entering group pre-proxy for request 105 radius_xlat: '/usr/local/var/log/radius/radacct/10.3.1.60/pre-proxy- detail-20060426' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/ pre-proxy-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 10.3.1.60/pre-proxy-detail-20060426 modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 105 modcall: leaving group pre-proxy (returns ok) for request 105 Sending Access-Request of id 12 to aa.bb.cc.dd port 1812 User-Name = "testyyyy@xxxx.es" NAS-IP-Address = 10.3.1.60 Called-Station-Id = "0014bfef3609" Calling-Station-Id = "001124a87bc6" NAS-Identifier = "0014bfef3609" NAS-Port = 21 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001601746573746963666f4063657363612e6573 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.3.1.60:2050, id=0, length=147 Dropping conflicting packet from client APtest:2050 - ID: 0 due to unfinished request 105 --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Re-sending Access-Request of id 12 to aa.bb.cc.dd port 1812 User-Name = "testyyyy@xxxx.es" NAS-IP-Address = 10.3.1.60 Called-Station-Id = "0014bfef3609" Calling-Station-Id = "001124a87bc6" NAS-Identifier = "0014bfef3609" NAS-Port = 21 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001601746573746963666f4063657363612e6573 Message-Authenticator = 0x00000000000000000000000000000000 Client-IP-Address = 10.3.1.60 Realm = "DEFAULT" EAP-Type = Identity Module-Failure-Message = "rlm_ldap: User not found" Realm = "DEFAULT" Proxy-State = 0x30 Waking up in 5 seconds... --- Walking the entire request list --- Re-sending Access-Request of id 12 to aa.bb.cc.dd port 1812 User-Name = "testyyyy@xxxx.es" NAS-IP-Address = 10.3.1.60 Called-Station-Id = "0014bfef3609" Calling-Station-Id = "001124a87bc6" NAS-Identifier = "0014bfef3609" NAS-Port = 21 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001601746573746963666f4063657363612e6573 Message-Authenticator = 0x00000000000000000000000000000000 Client-IP-Address = 10.3.1.60 Realm = "DEFAULT" EAP-Type = Identity Module-Failure-Message = "rlm_ldap: User not found" Realm = "DEFAULT" Proxy-State = 0x30 Waking up in 5 seconds... --- Walking the entire request list --- Server rejecting request 105. marking authentication server aa.bb.cc.dd:1812 for realm DEFAULT dead Waking up in 0 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 10.3.1.60 port 2050 Cleaning up request 105 ID 0 with timestamp 444f84d5 Nothing to do. Sleeping until we see a request. Why is there a "Module-Failure-Message = "rlm_ldap: User not found""? Of course the user won't be found in the local ldap database since this realm is supposed to be proxied. The radius server is obviously looking in the local ldap database with the unstriped username before proxying this request. Is there not a way, in case the realm of the username has to be proxied not to look for it locally in the ldap database fisrt? If anyone has an idea why i don't get any answer, i would be gratefull. Thank you.
Axel Seguin <axel.seguin@icfo.es> wrote:
My Radius sends the request 5 times to the other Radius server and then gives up marking the server dead (but it is not).
Then why isn't it responding? Are there firewall rules that filter out the response or request?
Why is there a "Module-Failure-Message = "rlm_ldap: User not found""? Of course the user won't be found in the local ldap database since this realm is supposed to be proxied.
Then why did you configure the server to look the user up in LDAP? It doesn't come configured to do that by default, so you must have added that to your local config.
The radius server is obviously looking in the local ldap database with the unstriped username before proxying this request. Is there not a way, in case the realm of the username has to be proxied not to look for it locally in the ldap database fisrt?
Yes. See doc/configurable_failover && doc/Autz-Type
If anyone has an idea why i don't get any answer, i would be gratefull.
Use 'tcpdump' to see where the packets are going. See if you can run 'radclient" on the same machine as the RADIUS server, and get a response from the other server. Alan DeKok.
participants (3)
-
Alan DeKok -
Axel Seguin -
Carlos Peñafiel