Hi, I am a newbie for FreeRadius. I need some information on freeradius regarding my requirement for authentication and session control. I want to setup the system like.. 1 One centralized server running on a Linux machine for authentication. 2 Client Linux machine in the network which should connect to the server whenever any user log in into the machine. 3 Once authenticated, the user should be allowed the single-sign on. 4 The session for that user should be restricted to one in simultaneous log in. i.e The user which is already log in should not be allowed to login into other machine in the network. 5 The machine should not allow any user to log in by using the local log in setting (/etc/passwd). i.e The machine should be connected the network or Internet for log in. I found that freeradius has the feature of authentication and session control, but not sure that the above setup can be supported and how to configure freeradius for this. Thanks in advance for the reply. Waiting for the reply. Regards Manoj
Praveen Kumar wrote:
I am a newbie for FreeRadius. I need some information on freeradius regarding my requirement for authentication and session control.
I don't think RADIUS can do that. I'm not even sure LDAP can do that.
3 Once authenticated, the user should be allowed the single-sign on.
Single sign on?
4 The session for that user should be restricted to one in simultaneous log in. i.e The user which is already log in should not be allowed to login into other machine in the network.
This involves tracking things centrally. You'll need to write custom scripts to track this. And how will you tell when the user logs off?
5 The machine should not allow any user to log in by using the local log in setting (/etc/passwd). i.e The machine should be connected the network or Internet for log in.
Hmm... That doesn't sound right. Alan DeKok.
Hi Alan, LDAP does provide the centralized authentication, but the simultaneous login can not be restricted to 1. But i have seen in the freeRadius features that the simultaneous login can be restricted. http://freeradius.org/features.html If I Do like this in the /etc/raddb/users file DEFAULT Auth-Type := LDAP, Simultaneous-Use := 1 Fall-Through = 1 Will this restrict the simultaneous login.. I am trying to configure the FreeRadius Server on My Linux machine and test it with pam_radius having the /etc/raddb/server file pointing to the localhost. It is not able to authenticate and showing Auth: login incorrect (rlm_ldap: Bind as user failed): [root/r1.\341\362...] (from client localhost port 2616) But when I try to test the radius server using the command radtest root root localhost 2 secret it gives -- rad_recv: Access-Access packet from host 127.0.0.1:1812, id=120, length=20 I feel the password it provide as r1.\341\362... like this, may be in some encrypted form which not authenticated by the server, while with radtest the password root given as clear text. Could you please tell some thing solve this, so that i can use the pam_radius module to authenticate the username/password , when i log in the machine. Regards On 9/4/08, Alan DeKok <aland@deployingradius.com> wrote:
Praveen Kumar wrote:
I am a newbie for FreeRadius. I need some information on freeradius regarding my requirement for authentication and session control.
I don't think RADIUS can do that. I'm not even sure LDAP can do that.
3 Once authenticated, the user should be allowed the single-sign on.
Single sign on?
4 The session for that user should be restricted to one in simultaneous log in. i.e The user which is already log in should not be allowed to login into other machine in the network.
This involves tracking things centrally. You'll need to write custom scripts to track this.
And how will you tell when the user logs off?
5 The machine should not allow any user to log in by using the local log in setting (/etc/passwd). i.e The machine should be connected the network or Internet for log in.
Hmm... That doesn't sound right.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Praveen Kumar wrote:
But i have seen in the freeRadius features that the simultaneous login can be restricted.
Yes, I'm aware of that. I wrote that page. But that's referring to ISP's, who have users logging into a NAS. It is NOT referring to "single sign on", or to restricting shell access to Linux machines.
If I Do like this in the /etc/raddb/users file ... Will this restrict the simultaneous login..
As I told you already: No.
I feel the password it provide as r1.\341\362... like this, may be in some encrypted form which not authenticated by the server, while with radtest the password root given as clear text.
If you had bothered to run FreeRADIUS in debug mode as suggested in the FAQ, README, INSTALL, and pretty much daily on this list, you would have seen what the problem is. The server would have printed out messages telling you what the problem is, and how to fix it.
Could you please tell some thing solve this, so that i can use the pam_radius module to authenticate the username/password , when i log in the machine.
Follow the documentation, and run the server in debugging mode. And even if you get pam_radius working, you will NOT be able to use Simultaneous-Use for Linux shell users. Alan DeKok.
On Fri, 2008-09-05 at 14:30 +0200, Alan DeKok wrote: ... snip
Will this restrict the simultaneous login..
As I told you already: No.
I feel the password it provide as r1.\341\362... like this, may be in some encrypted form which not authenticated by the server, while with radtest the password root given as clear text.
If you had bothered to run FreeRADIUS in debug mode as suggested in the FAQ, README, INSTALL, and pretty much daily on this list, you would have seen what the problem is. The server would have printed out messages telling you what the problem is, and how to fix it.
Could you please tell some thing solve this, so that i can use the pam_radius module to authenticate the username/password , when i log in the machine.
Follow the documentation, and run the server in debugging mode.
And even if you get pam_radius working, you will NOT be able to use Simultaneous-Use for Linux shell users.
Alan DeKok.
I hope this list doesn't mind me presenting my "new to this list" perspective. There is a vast area of knowledge between getting started and having years of radius experience. To me, it seems, the biggest problem beginners have with what is currently presented in the Freeradius domain is not documentation, but context. Someone can respond to a question by saying "do the obvious" but if a person doesn't understand the meaning of the words of the response, it may seem like the person isn't listening. I really do appreciate the effort people put into these free open-source projects and from my limited experience with tennis, I find it's no fun playing with someone below your own skill level. So, what might help is a 2 x 4 to the head link on the main webpage taking beginners to content or links covering the very basics of what Freeradius is, why should we care,and in what situations it might be appropriate. With modern Linux distributions many users will never see a README or INSTALL file let alone wonder what they are. With Freeradius able to run on many OS's, who knows what contexts a beginner will bring with them. Some here may say "Well, I got myself through the gauntlet, others should too". The problem is that a gauntlet is a test. I believe more beginners will become users by taking a journey rather than a test. The more beginners can take themselves along the journey the fewer repeated questions will turn up here on the list. Newly successful users could be a good asset for creating a beginners starting point. Not that I expect to get a free ride, but I can get further along the journey, sooner, with a little self-help guidance. My two cents. Kirk
Kirk Wallace wrote:
There is a vast area of knowledge between getting started and having years of radius experience.
There's also a big difference between people who *try* and people who don't. The documentation isn't perfect, but text like "run the server in debugging mode" is scattered EVERYWHERE. Yet there's a continual stream of people who ask questions *without* doing this. Then there are the people who ask questions, and argue over the answers. I have no clue why people "ask the experts" for help, and then tell the experts that their answers are wrong. It's retarded.
I really do appreciate the effort people put into these free open-source projects ... what might help is a 2 x 4 to the head link on the main webpage taking beginners to content or links covering the very basics of what Freeradius is, why should we care,and in what situations it might be appropriate.
Great! Submit some documentation. I won't hold my breath. After 10 years of doing this, I can honestly tell you that pretty much everyone who suggests "better documentation" doesn't have the time or interest to do it themselves. The result is that the suggestion is a request for *us* to do more work.
With modern Linux distributions many users will never see a README or INSTALL file let alone wonder what they are.
The "man" page gets installed. It suggests what to do. All distributions install the README's in a documentation directory. Maybe people can try looking there.
With Freeradius able to run on many OS's, who knows what contexts a beginner will bring with them.
Context is almost irrelevant if people have the *methods* to be able to learn. I don't know anything about a lot of subjects. But I can go to a library and ask. I can search google for answers. I can read documentation, and ask questions saying "what does this mean?" That is the *minimal* ability we expect here. People who follow that behavior get polite responses. They get quick bug fixes. People who don't follow that behavior get told bluntly that they need to change their methods.
Some here may say "Well, I got myself through the gauntlet, others should too". The problem is that a gauntlet is a test. I believe more beginners will become users by taking a journey rather than a test. The more beginners can take themselves along the journey the fewer repeated questions will turn up here on the list.
I'd very much like to believe that. The problem is that there will *always* be a set of people who aren't interested in anything other than regurgitated documentation on the list. The *proper* response to them is to be blunt.
Newly successful users could be a good asset for creating a beginners starting point. Not that I expect to get a free ride, but I can get further along the journey, sooner, with a little self-help guidance.
Which is what's being done here, quite frankly. Some people make it clear that they haven't bothered to read any of the existing documentation, or that they haven't bothered to follow the instructions on this list. Why should we give "self-help guidance" in those situations? They've made it clear that they're not interested in helping themselves. Should we fight their laziness, and convince them that they need to do work to solve their problem, and *then* also help them with any technical issues? I think not. If someone can't be bothered to help themselves, we can't be bothered to help them, either. It's tough, but any other response is madness. Alan DeKok.
If I Do like this in the /etc/raddb/users file
DEFAULT Auth-Type := LDAP, Simultaneous-Use := 1 Fall-Through = 1
Will this restrict the simultaneous login..
Remove the Auth-Type. It should.
I am trying to configure the FreeRadius Server on My Linux machine and test it with pam_radius having the /etc/raddb/server file pointing to the localhost. It is not able to authenticate and showing Auth: login incorrect (rlm_ldap: Bind as user failed): [root/r1.\341\362...] (from client localhost port 2616)
That's because your shred secret is wrong.
But when I try to test the radius server using the command
radtest root root localhost 2 secret
it gives -- rad_recv: Access-Access packet from host 127.0.0.1:1812, id=120, length=20
That's when shares secret is correct.
I feel the password it provide as r1.\341\362... like this, may be in some encrypted form which not authenticated by the server, while with radtest the password root given as clear text.
No, it's because shared secret on the server and the client is not the same. It must be mentioned in the debug. Ivan Kalik Kalik Informatika ISP
participants (4)
-
Alan DeKok -
Kirk Wallace -
Praveen Kumar -
tnt@kalik.net