Needed Freeradius 2.x + MySQL + Dynamic DHCP.. its possible?
Hi.. Im working with Freeradius 2.1.8 + Mysql Support. The Auth system works well. The only thing to do its add DHCP support. This is the Scenario: Client Connects to AP1. AP1 do the request/replies from/to FreeRadius Server.. Client get Authenticated and asking IP from DHCP.. I dont want use the DHCP Server like ISC because i dont want send IPs to my Wired LAN, only for Wireless. So, If the clients auths from AP1, i need freeradius send DHCP data to my client using one dinamic IP Pool like 192.168.1.0/24 with DefaultGateway, NetworkMask and DNS server. If the same client auths from AP2, send DHCP data to the client using another dinamic IP pool like 192.168.2.0/24 with DefaultGW, Netmask and DNS server. Is it possible to that? Im working with DaloRadius... -- Ing. Rogelio C. Sevilla Fernandez Direccion de Desarrollo Telematico / Secretaria de Administracion Gobierno del Estado de Colima Tel (312)3162062 / (312)3162000 ext 2360
Rogelio Sevilla Fernandez wrote:
So, If the clients auths from AP1, i need freeradius send DHCP data to my client using one dinamic IP Pool like 192.168.1.0/24 with DefaultGateway, NetworkMask and DNS server.
It's possible... but not really easy to do right now. Peter Nixon apparently has some updates to the sql ippool module which makes this work. Alan DeKok.
Hello, in my post-auth section I use a self-created exec-module, that is supposed to execute a shell script. This shell script exists and its modifiers are 777. But every time, it should be executed, something like this appears on debug output: # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} /bin/bash: /root/bin/dhcp/update_dhcp_from_radius.sh: Permission denied Exec-Program output: Exec-Program: returned: 126 ++[dhcpd_start] returns fail Using Post-Auth-Type Reject The system is: Debian 6.0, Freeradius 2.1.10; FreeRadius is used for Wifi->802.1x via EAP-PEAP Calling a program instead of bash tells me "Permission denied", too. What could be the problem? Thank you Marten The exec module is: # -*- text -*- # # $Id$ # # This is a more general example of the execute module. # # This one is called "dhcp_man". # # Attribute-Name = `%{dhcp_man:/path/to/program args}` # # If you wish to execute an external program in more than # one section (e.g. 'authorize', 'pre_proxy', etc), then it # is probably best to define a different instance of the # 'exec' module for every section. # # The return value of the program run determines the result # of the exec instance call as follows: # (See doc/configurable_failover for details) # # < 0 : fail the module failed # = 0 : ok the module succeeded # = 1 : reject the module rejected the user # = 2 : fail the module failed # = 3 : ok the module succeeded # = 4 : handled the module has done everything to handle the request # = 5 : invalid the user's configuration entry was invalid # = 6 : userlock the user was locked out # = 7 : notfound the user was not found # = 8 : noop the module did nothing # = 9 : updated the module updated information in the request # > 9 : fail the module failed # exec dhcpd_start { # # Wait for the program to finish. # # If we do NOT wait, then the program is "fire and # forget", and any output attributes from it are ignored. # # If we are looking for the program to output # attributes, and want to add those attributes to the # request, then we MUST wait for the program to # finish, and therefore set 'wait=yes' wait = yes # # The name of the program to execute, and it's # arguments. Dynamic translation is done on this # field, so things like the following example will # work. # program = "/bin/bash /root/bin/dhcp/update_dhcp_from_radius.sh post-auth Start %{User-Name} %{Calling-Station-Id} %{NAS-IP-Address}" # program = "/bin/bash whoami" # # The attributes which are placed into the # environment variables for the program. # # Allowed values are: # # request attributes from the request # config attributes from the configuration items list # reply attributes from the reply # proxy-request attributes from the proxy request # proxy-reply attributes from the proxy reply # # Note that some attributes may not exist at some # stages. e.g. There may be no proxy-reply # attributes if this module is used in the # 'authorize' section. # input_pairs = request # # Where to place the output attributes (if any) from # the executed program. The values allowed, and the # restrictions as to availability, are the same as # for the input_pairs. # # output_pairs = reply # # When to execute the program. If the packet # type does NOT match what's listed here, then # the module does NOT execute the program. # # For a list of allowed packet types, see # Note that some attributes may not exist at some # stages. e.g. There may be no proxy-reply # attributes if this module is used in the # 'authorize' section. # input_pairs = request # # Where to place the output attributes (if any) from # the executed program. The values allowed, and the # restrictions as to availability, are the same as # for the input_pairs. # # output_pairs = reply # # When to execute the program. If the packet # type does NOT match what's listed here, then # the module does NOT execute the program. # # For a list of allowed packet types, see # the 'dictionary' file, and look for VALUEs # of the Packet-Type attribute. # # By default, the module executes on ANY packet. # Un-comment out the following line to tell the # module to execute only if an Access-Accept is # being sent to the NAS. # packet_type = Access-Request # # Should we escape the environment variables? # # If this is set, all the RADIUS attributes # are capitalised and dashes replaced with # underscores. Also, RADIUS values are surrounded # with double-quotes. # # That is to say: User-Name=BobUser => USER_NAME="BobUser" shell_escape = yes }
Marten Pape wrote:
Hello, in my post-auth section I use a self-created exec-module, that is supposed to execute a shell script. This shell script exists and its modifiers are 777. But every time, it should be executed, something like this appears on debug output:
# Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} /bin/bash: /root/bin/dhcp/update_dhcp_from_radius.sh: Permission denied
The script is owned by "root", and the server is running as user "radiusd". Alan DeKok.
Alan DeKok schrieb:
The script is owned by "root", and the server is running as user "radiusd".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This is correct, but the script has access rights for everyone (777 = rwx;rwx;rwx). I changed the ownership of the file to freerad:freerad but there's no different output. A user called "radiusd" doesn't exist on my system. Marten
On 20/03/2011 17:27, Marten Pape wrote:
Alan DeKok schrieb:
The script is owned by "root", and the server is running as user "radiusd".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This is correct, but the script has access rights for everyone (777 = rwx;rwx;rwx). I changed the ownership of the file to freerad:freerad but there's no different output. A user called "radiusd" doesn't exist on my system.
Check the access permissions on /root and the other directories in that path as well. One of those probably won't have permission for the radius user to enter them. Paul.
Paul Thornton schrieb:
On 20/03/2011 17:27, Marten Pape wrote:
Alan DeKok schrieb:
The script is owned by "root", and the server is running as user "radiusd".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This is correct, but the script has access rights for everyone (777 = rwx;rwx;rwx). I changed the ownership of the file to freerad:freerad but there's no different output. A user called "radiusd" doesn't exist on my system.
Check the access permissions on /root and the other directories in that path as well. One of those probably won't have permission for the radius user to enter them.
Paul. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ouch, that's it! /root didn't have the correct rights. Thanks, Marten
Marten Pape wrote:
ouch, that's it! /root didn't have the correct rights.
Wrong. /root probably had the correct rights - usually 710. That is root's home directory and should not be readable by any other user. Put the script and anything it calls in a more appropriate place. If it needs to be hidden from the general public, maybe under the home dir for the user running radius, which should also be 750 or more restrictive like 710. Andrew -- REALITY.SYS not found: Universe halted.
Or maybe, exist the form to only auth via MySQL and do the Pool via files? Alan DeKok <aland@deployingradius.com> escribió:
Rogelio Sevilla Fernandez wrote:
So, If the clients auths from AP1, i need freeradius send DHCP data to my client using one dinamic IP Pool like 192.168.1.0/24 with DefaultGateway, NetworkMask and DNS server.
It's possible... but not really easy to do right now. Peter Nixon apparently has some updates to the sql ippool module which makes this work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Este mensaje ha sido analizado por MailScanner del Gobierno del Estado de Colima en busca de virus y otros contenidos peligrosos, y se considera que está limpio.
-- Ing. Rogelio C. Sevilla Fernandez Direccion de Desarrollo Telematico / Secretaria de Administracion Gobierno del Estado de Colima Tel (312)3162062 / (312)3162000 ext 2360
participants (6)
-
Alan DeKok -
Andrew Hood -
Marinko Tarlac -
Marten Pape -
Paul Thornton -
Rogelio Sevilla Fernandez