Re: Freeradius-Users Digest, Vol 27, Issue 121
Hi, I read the document. I think i put my question in a wrong way. Let me put it in a different way. I dont want the user to go directly in priv mode. through priv level = 15 we can direclty go into priv level right. what i want is first the user get into user level and then with another password in level 2. (not with enable password)..it should be through RADIUS server. I hope it makes it easy. On 7/19/07, freeradius-users-request@lists.freeradius.org < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: mod_auth_radius (Nick Owen) 2. Re: Quirky question about rewriting usernames (Cliff Cole) 3. "Time-out" Problem with Huntgroups in conjunction with MYSQL Backend (thomas@buddybase.at) 4. Level 2 authentication with RADIUS. (ashish verma) 5. Re: Level 2 authentication with RADIUS. (Stefan Winter) 6. Re: Level 2 authentication with RADIUS. (Stefan Winter) 7. Re: TLS cant connect ldap+freeradius+novell (Reimer Karlsen-Masur, DFN-CERT)
----------------------------------------------------------------------
Message: 1 Date: Thu, 19 Jul 2007 09:14:28 -0400 From: "Nick Owen" <nowen@wikidsystems.com> Subject: Re: mod_auth_radius To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <415a28910707190614v586aceb1re81767278eb9fccf@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 7/19/07, Rascher, Markus <markus.mr.rascher@siemens.com> wrote:
Hi All,
is there a tutorial how to install mod_auth_radius on an apache 2.xxserver? The howto on the freeradius webpage is a little bit deprecated i guess. i get an error when starting the apache server after installing mod_auth_radius:
# service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf [FAILED]
You might try mod_auth_xradius. I have done a couple of apache + radius + WiKID 2FA docs that might help:
http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authe...
http://www.howtoforge.com/apache_radius_two_factor_authentication
The latter is more recent.
HTH,
nick
-- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication
------------------------------
Message: 2 Date: Thu, 19 Jul 2007 09:35:13 -0400 From: "Cliff Cole" <clifflcole@gmail.com> Subject: Re: Quirky question about rewriting usernames To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <5da254220707190635u50d33d86sb39bfbb7250c7a12@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Thanks for the reply. I'm new to free radius and have been overwhelmed with documentation the past few days. Let me explain in some logic and maybe I can make some sense as to what I'm trying to do.
User authentication comes from "NAS A"
IF the username does not have @domain.com and NAS = "NAS A" THEN append @domain.com
IF the username has @domain.com and NAS = "NAS A" THEN continue with username as is.
Hope this helps to clear up what I'm trying to do. I appologize for not being very clear.
Thanks
Cliff
On 7/19/07, Pshem Kowalczyk <pshem.k@gmail.com> wrote:
Hi
On 19/07/07, Cliff Cole <clifflcole@gmail.com> wrote:
Hello all.
Here is my issue. This is very weird and would only affect one NAS. I'm not sure freeradius is capable of this. I want a username that comes in to check for an @domainname. If the domainname is there I want it to be stripped and added back later. If the domainname is not there I'd like it to continue and have to domainname added later in the authentication process. I hope this makes sense and any help is appreciated
What do you mean by 'later' you can definitely check for the presence of domain, you can strip it and add it again. you just have to define the flow. rlm_attr will be of help to you (for both stripping and adding).
kind regards Pshem - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 3 Date: Thu, 19 Jul 2007 15:38:54 +0200 From: thomas@buddybase.at Subject: "Time-out" Problem with Huntgroups in conjunction with MYSQL Backend To: freeradius-users@lists.freeradius.org Message-ID: <20070719153854.9aj0e3hdesk04sw8@webmail.buddybase.at> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Hello FR users,
I am running FreeRadius 1.1.3 together with MySQL 5.0.27 I use huntgroups to allow access to specific devices only to certain users belonging to a certain group (I use huntgroups since "I" didnt find a way to do it via MySQL) I have the following issue: When for a longer period (e.g. over night) no one logs into one of the devices (so the radius server sits idle), it happens that the first time in the morning someone tries to login he fails because FR rejects the Request with "invalid user" - only after 3 or 4 tries the login-attempt is successfull The reason seems to be, that after such a "long" dormant period, when the first RADIUS-request(s) arrive, FR has to re-connect to the MySQL DB to query the user's group-membership Since this re-connect takes "too long" the query returns "Not found" and the user is rejected as "unknown"
Here is what you see in the radius.log file: Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #9 Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31) Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31) Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #8 Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0) Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0) Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #7 Tue Jul 17 08:05:38 2007 : Error: rlm_sql (sql): failed after re-connect Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0) Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0) Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #6 Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201 port 2 cli 10.0.0.31)
Hope the logfile is sufficient, otherwise I would have to let FR run in debug-mode over night....
The funny thing is, that this problem doesn't occure when all entries in the huntgroups file are "commented out"
So my question is, is there a config parameter to tell FR to "wait" a bit longer in the preprocess module (I assume) for the MYSQL query to deliver its answer?
thanks alot regards thomas pudil
------------------------------
Message: 4 Date: Thu, 19 Jul 2007 19:11:35 +0530 From: "ashish verma" <ashish.scit@gmail.com> Subject: Level 2 authentication with RADIUS. To: freeradius-users@lists.freeradius.org Message-ID: <11b554120707190641g6abce7b3o2535671040dc5327@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1"
Hi all, I am new to the list and for RADIUS too so i might ask some repetitive questions.
Here is my question: Can we have level 2 (enable) authentication too with Radius server as we have for level 1(user level)?
If yes, can someone provide me some documentation. I tried to search for it but couldnt find any.
Thanks in advance, Ashish
Let me answer in the same way - read the article: http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level First thing it explains is how to give shell access and what happens when user then types enable. Ivan Kalik Kalik Informatika ISP Dana 19/7/2007, "ashish verma" <ashish.scit@gmail.com> piše:
Hi,
I read the document. I think i put my question in a wrong way. Let me put it in a different way.
I dont want the user to go directly in priv mode. through priv level = 15 we can direclty go into priv level right.
what i want is first the user get into user level and then with another password in level 2. (not with enable password)..it should be through RADIUS server.
I hope it makes it easy.
On 7/19/07, freeradius-users-request@lists.freeradius.org < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: mod_auth_radius (Nick Owen) 2. Re: Quirky question about rewriting usernames (Cliff Cole) 3. "Time-out" Problem with Huntgroups in conjunction with MYSQL Backend (thomas@buddybase.at) 4. Level 2 authentication with RADIUS. (ashish verma) 5. Re: Level 2 authentication with RADIUS. (Stefan Winter) 6. Re: Level 2 authentication with RADIUS. (Stefan Winter) 7. Re: TLS cant connect ldap+freeradius+novell (Reimer Karlsen-Masur, DFN-CERT)
----------------------------------------------------------------------
Message: 1 Date: Thu, 19 Jul 2007 09:14:28 -0400 From: "Nick Owen" <nowen@wikidsystems.com> Subject: Re: mod_auth_radius To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <415a28910707190614v586aceb1re81767278eb9fccf@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 7/19/07, Rascher, Markus <markus.mr.rascher@siemens.com> wrote:
Hi All,
is there a tutorial how to install mod_auth_radius on an apache 2.xxserver? The howto on the freeradius webpage is a little bit deprecated i guess. i get an error when starting the apache server after installing mod_auth_radius:
# service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf [FAILED]
You might try mod_auth_xradius. I have done a couple of apache + radius + WiKID 2FA docs that might help:
http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authe...
http://www.howtoforge.com/apache_radius_two_factor_authentication
The latter is more recent.
HTH,
nick
-- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication
------------------------------
Message: 2 Date: Thu, 19 Jul 2007 09:35:13 -0400 From: "Cliff Cole" <clifflcole@gmail.com> Subject: Re: Quirky question about rewriting usernames To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <5da254220707190635u50d33d86sb39bfbb7250c7a12@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Thanks for the reply. I'm new to free radius and have been overwhelmed with documentation the past few days. Let me explain in some logic and maybe I can make some sense as to what I'm trying to do.
User authentication comes from "NAS A"
IF the username does not have @domain.com and NAS = "NAS A" THEN append @domain.com
IF the username has @domain.com and NAS = "NAS A" THEN continue with username as is.
Hope this helps to clear up what I'm trying to do. I appologize for not being very clear.
Thanks
Cliff
On 7/19/07, Pshem Kowalczyk <pshem.k@gmail.com> wrote:
Hi
On 19/07/07, Cliff Cole <clifflcole@gmail.com> wrote:
Hello all.
Here is my issue. This is very weird and would only affect one NAS. I'm not sure freeradius is capable of this. I want a username that comes in to check for an @domainname. If the domainname is there I want it to be stripped and added back later. If the domainname is not there I'd like it to continue and have to domainname added later in the authentication process. I hope this makes sense and any help is appreciated
What do you mean by 'later' you can definitely check for the presence of domain, you can strip it and add it again. you just have to define the flow. rlm_attr will be of help to you (for both stripping and adding).
kind regards Pshem - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 3 Date: Thu, 19 Jul 2007 15:38:54 +0200 From: thomas@buddybase.at Subject: "Time-out" Problem with Huntgroups in conjunction with MYSQL Backend To: freeradius-users@lists.freeradius.org Message-ID: <20070719153854.9aj0e3hdesk04sw8@webmail.buddybase.at> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Hello FR users,
I am running FreeRadius 1.1.3 together with MySQL 5.0.27 I use huntgroups to allow access to specific devices only to certain users belonging to a certain group (I use huntgroups since "I" didnt find a way to do it via MySQL) I have the following issue: When for a longer period (e.g. over night) no one logs into one of the devices (so the radius server sits idle), it happens that the first time in the morning someone tries to login he fails because FR rejects the Request with "invalid user" - only after 3 or 4 tries the login-attempt is successfull The reason seems to be, that after such a "long" dormant period, when the first RADIUS-request(s) arrive, FR has to re-connect to the MySQL DB to query the user's group-membership Since this re-connect takes "too long" the query returns "Not found" and the user is rejected as "unknown"
Here is what you see in the radius.log file: Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #9 Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31) Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31) Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #8 Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0) Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0) Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #7 Tue Jul 17 08:05:38 2007 : Error: rlm_sql (sql): failed after re-connect Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0) Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0) Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #6 Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201 port 2 cli 10.0.0.31)
Hope the logfile is sufficient, otherwise I would have to let FR run in debug-mode over night....
The funny thing is, that this problem doesn't occure when all entries in the huntgroups file are "commented out"
So my question is, is there a config parameter to tell FR to "wait" a bit longer in the preprocess module (I assume) for the MYSQL query to deliver its answer?
thanks alot regards thomas pudil
------------------------------
Message: 4 Date: Thu, 19 Jul 2007 19:11:35 +0530 From: "ashish verma" <ashish.scit@gmail.com> Subject: Level 2 authentication with RADIUS. To: freeradius-users@lists.freeradius.org Message-ID: <11b554120707190641g6abce7b3o2535671040dc5327@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1"
Hi all, I am new to the list and for RADIUS too so i might ask some repetitive questions.
Here is my question: Can we have level 2 (enable) authentication too with Radius server as we have for level 1(user level)?
If yes, can someone provide me some documentation. I tried to search for it but couldnt find any.
Thanks in advance, Ashish
participants (2)
-
ashish verma -
tnt@kalik.co.yu