Proxy accounting message

Ashwin Gobind Ashwin.Gobind at vodacom.co.za
Fri Sep 30 12:21:31 CEST 2005


But doesn't this mean there has to be a realm in the username, e.g.
name@realm1?

The problem is that the User-Name attribute does not contain a realm. Is it
still possible to proxy the accounting Start and Stop messages
originating from a certain NAS-IP-Address?



-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
freeradius-users-request at lists.freeradius.org
Sent: 29 September 2005 06:22 PM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 5, Issue 98


Today's Topics:

   1. Proxy of Accounting Requests (Ashwin Gobind)
   2. Re: Proxy of Accounting Requests (Nicolas Baradakis)
   3. RE: Proxy of Accounting Requests (Jonathan De Graeve)
   4. Re: LDAP and groups (Dusty Doris)
   5. Re: LDAP and groups (Kenneth Grady)
   6. Re: SSL3_GET_CLIENT_KEY_EXCHANGE (Juan Daniel Moreno)
   7. (no subject) (msah at otitelecom.bj)
   8. Postgresql+freeradius configuration (msah at otitelecom.bj)


----------------------------------------------------------------------

Message: 1
Date: Thu, 29 Sep 2005 12:18:37 +0200
From: "Ashwin Gobind" <Ashwin.Gobind at vodacom.co.za>
Subject: Proxy of Accounting Requests
To: <freeradius-users at lists.freeradius.org>
Message-ID: <753BF83740BB6C48BF8A15B5C61C88470BB847D7 at zamdc02100.vodacom.corp>
Content-Type: text/plain;	charset="us-ascii"

Good day. I am using freeradius 1.05.
I want to proxy accounting requests originating from certain hosts to
another server; how can I do this? I am also using JRadius to handle
accounting requests, but I don't want JRadius to handle these particular
requests; I want freeradius just to proxy them. Here is an example of the
request.
Thanks



Acct-Session-Id = C42EA2A31F96530
Framed-Protocol = GPRS-PDP-Context
Called-Station-Id = vlive
Calling-Station-Id = 27829800529
Framed-IP-Address = 10.19.128.6
3GPP-IMSI = 655019800002252
3GPP-Charging-ID = 33121584
3GPP-PDP-Type = 0
3GPP-GGSN-Address = 196.46.162.163
3GPP-IMSI-MCC-MNC = 65501
3GPP-GGSN-MCC-MNC = 65501
3GPP-NSAPI = 5
3GPP-Selection-Mode = 0
3GPP-Charging-Gateway-Address = 10.25.0.10
3GPP-GPRS-Negotiated-QoS-profile = 99-23931F9396979774FB0808
3GPP-SGSN-Address = 196.6.254.49
User-Name = 27829800529
Cisco-AVPair = connect-progress=Call Up
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Virtual
Cisco-NAS-Port = GGSN
NAS-Port = 60000
Class = [Binary Data]
Service-Type = Framed-User
NAS-IP-Address = 10.31.1.122
NAS-Identifier = GMC-GGSN0-12-2
Acct-Delay-Time = 0
Client-IP-Address = 10.113.60.6
Acct-Unique-Session-Id = b30a3d4d494c8a87
"This e-mail is sent on the Terms and Conditions that can be accessed by
Clicking on this link http://www.vodacom.net/legal/email.aspx "



------------------------------

Message: 2
Date: Thu, 29 Sep 2005 13:55:16 +0200
From: Nicolas Baradakis <nbk at sitadelle.com>
Subject: Re: Proxy of Accounting Requests
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050929115516.GA2365 at asuka.tech.sitadelle.com>
Content-Type: text/plain; charset=us-ascii

Ashwin Gobind wrote:

> I want to proxy accounting requests originating from certain hosts to
> another server, how can I do this.

You could add something like this in file "acct_users":

DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1

DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2

-- 
Nicolas Baradakis

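Putting Nicolas's suggestion together with the follow-up question about realm-less usernames, here is an added example that is not from the thread or from the FreeRADIUS distribution. Proxy-To-Realm is a control item that the files module sets from acct_users (in the stock 1.x radiusd.conf, files is listed in the preacct section), and the name it carries only has to match a realm block in proxy.conf; nothing requires User-Name to carry an "@realm" suffix, so "User-Name = 27829800529" proxies fine. The NAS address is the GGSN from the packet posted in Message 1; the accounting server address and the shared secret are assumptions.

```text
# raddb/acct_users  (FreeRADIUS 1.x)
# Match on the NAS, not on a realm inside User-Name. The check item is
# NAS-IP-Address (the GGSN address from the posted packet); the realm
# name "realm1" is just a label that must exist in proxy.conf.
DEFAULT	NAS-IP-Address == 10.31.1.122, Proxy-To-Realm := realm1

# raddb/proxy.conf
realm realm1 {
	type		= radius
	authhost	= LOCAL                # authentication stays on this server
	accthost	= 192.0.2.10:1813      # assumed address of the accounting server
	secret		= testing123           # assumed shared secret
	nostrip                            # forward User-Name exactly as received
}
```

One caveat worth keeping in mind when choosing the check item: NAS-IP-Address is whatever the NAS writes into the packet, whereas Client-IP-Address (the attribute Nicolas matched on) is the UDP source address as seen by the server, so it is tied to the clients.conf entry whose shared secret validated the Accounting-Request. If the goal is to make sure only the GGSNs' accounting gets forwarded, Client-IP-Address is the harder of the two to spoof.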


------------------------------

Message: 3
Date: Thu, 29 Sep 2005 15:56:33 +0200
From: "Jonathan De Graeve" <Jonathan.De.Graeve at imelda.be>
Subject: RE: Proxy of Accounting Requests
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID: <FFA36DAA4D9D62438D6DD1947C631316073263 at exchangesrv.imz.be>
Content-Type: text/plain;	charset="us-ascii"

Can you also do this in SQL?

J.

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
jonathan.de.graeve at imelda.be

---------
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
---------

-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Nicolas
Baradakis
Sent: Thursday 29 September 2005 13:55
To: FreeRadius users mailing list
Subject: Re: Proxy of Accounting Requests

Ashwin Gobind wrote:

> I want to proxy accounting requests originating from certain hosts to
> another server, how can I do this.

You could add something like this in file "acct_users":

DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1

DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html






------------------------------

Message: 4
Date: Thu, 29 Sep 2005 10:06:30 -0400 (EDT)
From: Dusty Doris <freeradius at mail.doris.cc>
Subject: Re: LDAP and groups
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050929100414.M98082 at mail.doris.name>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

> Hello there,
>
> I have a small problem. And I read the documentation. And I can't find
> what's wrong.
>
> I have a corporate LDAP with users and group.
>
> Each group is a "groupOfUniqueNames", with "uniquemember".
> In the user definition, no group definition is set.
>
> I need to authenticate members of a certain group, and not of another
...
>
> Every doc I read mentions that you have to create an attribute "per
> user" ...
>
> Any other way ?
>

I chose to do groups per user with the radiusgroupname attribute, which is
in the ldap_howto.  However, you don't have to do it that way.  Try reading
radiusd.conf in the ldap section under the default groupmembership_filter,
or reading doc/rlm_ldap.

If you are trying that and not having success, then post your debug
output.




------------------------------

Message: 5
Date: Thu, 29 Sep 2005 08:11:27 -0600
From: Kenneth Grady <klg at lanl.gov>
Subject: Re: LDAP and groups
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <1128003087.27966.29.camel at grady.lanl.gov>
Content-Type: text/plain

   ldapsearch -x cn=my_group
#
# filter: cn=my_group
# requesting: ALL
#

# my_group, group, lanl, gov
dn: cn=my_group,ou=group,dc=lanl,dc=gov
objectClass: groupOfNames
cn: my_group
member: employeeNumber=0067,ou=people,dc=lanl,dc=gov
member: employeeNumber=0068,ou=people,dc=lanl,dc=gov
...
----------------------------------
radiusd.conf (file)
...modules
	ldap My-group_Users {
		server = "ldap"
		net_timeout = 1
		timeout = 3
		timelimit = 4
		ldap_connections_number = 5
		basedn = "dc=lanl,dc=gov"
		#access_attr = "employeeNumber"
		filter = "(&(cn=my-group)(member=employeeNumber=%{Stripped-User-Name:-%{User-Name}},ou=people,dc=lanl,dc=gov))"
		start_tls = no
		groupname_attribute = cn
		groupmembership_filter = ""
		groupmembership_attribute = my_group
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		compare_check_items = yes
		access_attr_used_for_allow = yes
	}
... authorize
	Autz-Type MY-GROUP {
		redundant {
			My-group_Users
			notfound = reject
		}
	}
----------------------------------
users (file)
...
DEFAULT	NAS-IP-Address =~ "^123.123", Autz-Type := MY-GROUP

There's probably a better way, but this worked for what I wanted.




On Thu, 2005-09-29 at 03:10, Jean-Francois Gobin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello there,
> 
> I have a small problem. And I read the documentation. And I can't find
> what's wrong.
> 
> I have a corporate LDAP with users and group.
> 
> Each group is a "groupOfUniqueNames", with "uniquemember".
> In the user definition, no group definition is set.
> 
> I need to authenticate members of a certain group, and not of another
...
> 
> Every doc I read mentions that you have to create an attribute "per
> user" ...
> 
> Any other way ?
> 
> Regards,
> Jean-Francois Gobin
> 
> - ----------
> Jean-Francois Gobin - Administrateur gobinjf.be
> http://www.gobinjf.be   mailto:gobin at gobinjf.be
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (FreeBSD)
> Comment: Made with pgp4pine 1.76
> 
> iD8DBQFDO6+pkkg3QInH2uURAkoTAJ9CiiYoljx0B2zP/tInkSG4TwiwIgCbBWft
> g16kNx6wUzO1va189DJmHRA=
> =kTQn
> -----END PGP SIGNATURE-----
> 



------------------------------

Message: 6
Date: Thu, 29 Sep 2005 16:22:12 +0200
From: Juan Daniel Moreno <juanitomoreno at gmail.com>
Subject: Re: SSL3_GET_CLIENT_KEY_EXCHANGE
To: freeradius-users at lists.freeradius.org
Message-ID: <2e33d53305092907226e2de3a4 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

>
>   The protocol specification describes this.  The implementation in
> src/modules/rlm_eap/ contains diagrams of the packets it expects to
> receive.
>
>   Alan DeKok.
>
>

Thank you Alan, but now I have a new problem. I have been reading
src/modules/rlm_eap/ to understand my problem but I can't find the
issue. In the TLS establishment, the public key in server.cert is 128
bytes long. I generate a random string of 46 bytes plus the protocol
version (TLS 1.0 (0x03, 0x01)) and use the OpenSSL function
RSA_public_encrypt() with the server's public key to encrypt the
PreMasterSecret. As a result I get a 128-byte string. When I send this
data to the server, I get "tls rsa encrypted length is wrong:
s3_srvr.c: 1450:".

Can anybody please tell me where my problem might be? Here is my code,
as an example.


#include <openssl/x509.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>

void Client_Key_Exchange (SSLData *ClientSSLData, unsigned short *length,
                          char *HandshakeMessages, unsigned short *length_Hndshk,
                          char *buff)
{
	int i;
	char *PreMasterSecret          = (char*) _MEMORY_Allocate (58, true);
	char *EncryptedPreMasterSecret = (char*) _MEMORY_Allocate (128, true);
	char *temp                     = (char*) _MEMORY_Allocate (58, true);
	unsigned char *tmpCert         = _MEMORY_Allocate (ClientSSLData->certificate_len + 128, true);
	unsigned char *p;

	//----- PreMasterSecret = client_version (2 bytes) || 46 random bytes = 48 bytes -----
	_RANDOM_MakeCharString (temp, 46);

	PreMasterSecret [0] = 0x03;
	PreMasterSecret [1] = 0x01;

	for (i = 0; i < 46; i++)
		PreMasterSecret[i+2] = temp[i];

	//----- Keep all 48 bytes (version included); the master secret is derived from them -----
	for (i = 0; i < 48; i++)
		ClientSSLData->PreMasterSecret[i] = PreMasterSecret[i];

	for (i = 0; i < ClientSSLData->certificate_len; i++)
		tmpCert[i] = (unsigned char) ClientSSLData->certificate[i];

	//----- OpenSSL Functions -----
	RSA      *server_public_key;
	X509     *cert = NULL;
	EVP_PKEY *evp;

	//----- d2i_X509 advances the pointer it is given: pass a copy so tmpCert can still be freed -----
	p = tmpCert;
	cert = d2i_X509 (&cert, &p, ClientSSLData->certificate_len);

	//----- We get the public key from the Server certificate -----
	evp = X509_get_pubkey (cert);
	server_public_key = EVP_PKEY_get1_RSA (evp);

	int rsasize = RSA_size (server_public_key);		// 128 for a 1024-bit key

	//----- We get the PreMasterSecret encrypted: 48 bytes in, rsasize bytes out -----
	int Encrypted_len = RSA_public_encrypt (48, (unsigned char*) PreMasterSecret,
	                                        (unsigned char*) EncryptedPreMasterSecret,
	                                        server_public_key, RSA_PKCS1_PADDING);

	//----- TLS 1.0 (unlike SSLv3) sends the encrypted PreMasterSecret as an
	//      opaque<0..2^16-1> vector, i.e. preceded by a 2-byte length. The
	//      handshake body is therefore Encrypted_len + 2 and the record
	//      fragment Encrypted_len + 6. The server check that reads this length
	//      is what reports "tls rsa encrypted value length is wrong" when the
	//      two bytes are missing. -----
	int body_len = Encrypted_len + 2;

	ClientSSLData->bufferSSL[(*length)++] = 0x16;			// Handshake record
	ClientSSLData->bufferSSL[(*length)++] = 0x03;			// Version
	ClientSSLData->bufferSSL[(*length)++] = 0x01;			// Version
	ClientSSLData->bufferSSL[(*length)++] = (body_len + 4) / 256;	// Record length
	ClientSSLData->bufferSSL[(*length)++] = (body_len + 4) % 256;	// Record length
	ClientSSLData->bufferSSL[(*length)++] = 0x10;			// ClientKeyExchange
	ClientSSLData->bufferSSL[(*length)++] = 0x00;			// Handshake length (3 bytes)
	ClientSSLData->bufferSSL[(*length)++] = body_len / 256;
	ClientSSLData->bufferSSL[(*length)++] = body_len % 256;
	ClientSSLData->bufferSSL[(*length)++] = Encrypted_len / 256;	// Vector length (2 bytes)
	ClientSSLData->bufferSSL[(*length)++] = Encrypted_len % 256;

	//----- Encrypted PreMasterSecret. Note that the two vector-length bytes above
	//      are part of the handshake body and must also go into the bytes hashed
	//      for the Finished message. -----
	for (i = 0; i < Encrypted_len; i++)
	{
		buff[i] = EncryptedPreMasterSecret[i];
		HandshakeMessages[(*length_Hndshk)++] = EncryptedPreMasterSecret[i];
	}

	RSA_free (server_public_key);
	EVP_PKEY_free (evp);
	X509_free (cert);
	free (PreMasterSecret);
	free (EncryptedPreMasterSecret);
	free (temp);
	free (tmpCert);
}

Thank you for your help. Juan Daniel MORENO

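The check that rejects the message above is the server reading the 2-byte length that TLS 1.0 places in front of the RSA-encrypted pre-master secret (SSLv3 has no such prefix, and the posted code builds the SSLv3 layout while announcing TLS 1.0). The following is an added example, not code from the post or from OpenSSL: it frames a ClientKeyExchange both ways and runs a server-side length check modelled on the OpenSSL logic over the result. The 128-byte ciphertext is a constructed stand-in for RSA_public_encrypt() output, and every function name is the example's own.

```c
/* Added example (not from the post or from OpenSSL): TLS 1.0 ClientKeyExchange
 * framing for the RSA key exchange, plus a server-side length check modelled
 * on the one in OpenSSL's ssl3_get_client_key_exchange(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_RT_HANDSHAKE        0x16
#define TLS_HS_CLIENT_KEY_EXCH  0x10
#define VERSION_SSL3            0x0300
#define VERSION_TLS1_0          0x0301
#define EPMS_LEN                128      /* RSA_size() of a 1024-bit key */

enum { CKE_OK = 0, CKE_BAD_VECTOR_LENGTH = 1, CKE_BAD_RSA_LENGTH = 2 };

/* Write record header + handshake header + body into out.
 * with_vector_length = 1 gives TLS 1.0 framing (2-byte length before the
 * ciphertext); 0 gives the SSLv3 layout. Returns bytes written, 0 on error. */
size_t build_client_key_exchange(uint16_t version, int with_vector_length,
                                 const unsigned char *epms, size_t epms_len,
                                 unsigned char *out, size_t out_cap)
{
    size_t body_len = epms_len + (with_vector_length ? 2 : 0);
    size_t hs_len   = 4 + body_len;              /* handshake header + body */
    size_t total    = 5 + hs_len;                /* record header + handshake */
    size_t i = 0;

    if (out_cap < total || hs_len > 0xFFFF)
        return 0;

    out[i++] = TLS_RT_HANDSHAKE;                 /* record: type, version, length */
    out[i++] = (unsigned char)(version >> 8);
    out[i++] = (unsigned char)(version & 0xFF);
    out[i++] = (unsigned char)(hs_len >> 8);
    out[i++] = (unsigned char)(hs_len & 0xFF);

    out[i++] = TLS_HS_CLIENT_KEY_EXCH;           /* handshake: type, 24-bit length */
    out[i++] = (unsigned char)(body_len >> 16);
    out[i++] = (unsigned char)(body_len >> 8);
    out[i++] = (unsigned char)(body_len & 0xFF);

    if (with_vector_length) {                    /* opaque<0..2^16-1> length prefix */
        out[i++] = (unsigned char)(epms_len >> 8);
        out[i++] = (unsigned char)(epms_len & 0xFF);
    }
    memcpy(out + i, epms, epms_len);
    return total;
}

/* Server side: above SSLv3, read the 2-byte vector length and require
 * body_len == vector_len + 2 (the check behind "tls rsa encrypted value
 * length is wrong"); what remains must be exactly RSA_size() bytes. */
int check_client_key_exchange(uint16_t version, const unsigned char *body,
                              size_t body_len, size_t rsa_size)
{
    size_t n = body_len;
    if (version > VERSION_SSL3) {
        if (n < 2)
            return CKE_BAD_VECTOR_LENGTH;
        size_t vec = ((size_t)body[0] << 8) | body[1];
        if (n != vec + 2)
            return CKE_BAD_VECTOR_LENGTH;
        n = vec;
    }
    return n == rsa_size ? CKE_OK : CKE_BAD_RSA_LENGTH;
}

/* Frame a constructed 128-byte ciphertext (0xAB filler standing in for real
 * RSA_public_encrypt() output) as a TLS 1.0 handshake record. */
static size_t demo_build(int with_vector_length, unsigned char *msg, size_t cap)
{
    unsigned char epms[EPMS_LEN];
    memset(epms, 0xAB, sizeof epms);
    return build_client_key_exchange(VERSION_TLS1_0, with_vector_length,
                                     epms, sizeof epms, msg, cap);
}

size_t demo_total_length(int with_vector_length)
{
    unsigned char msg[5 + 4 + 2 + EPMS_LEN];
    return demo_build(with_vector_length, msg, sizeof msg);
}

/* Verdict of a TLS 1.0 server on the handshake body (bytes after the 5-byte
 * record header and the 4-byte handshake header). */
int demo_verdict(int with_vector_length)
{
    unsigned char msg[5 + 4 + 2 + EPMS_LEN];
    size_t total = demo_build(with_vector_length, msg, sizeof msg);
    if (total < 9)
        return -1;
    return check_client_key_exchange(VERSION_TLS1_0, msg + 9, total - 9, EPMS_LEN);
}

/* 1 if TLS 1.0 framing carries the expected lengths: record 134 (0x86),
 * handshake body 130 (0x82), vector 128 (0x80). */
int demo_header_bytes_ok(void)
{
    unsigned char msg[5 + 4 + 2 + EPMS_LEN];
    if (demo_build(1, msg, sizeof msg) != 139)
        return 0;
    return msg[3] == 0x00 && msg[4] == 0x86 && msg[5] == 0x10 &&
           msg[6] == 0x00 && msg[7] == 0x00 && msg[8] == 0x82 &&
           msg[9] == 0x00 && msg[10] == 0x80;
}

int main(void)
{
    printf("TLS 1.0 with 2-byte prefix: verdict %d\n", demo_verdict(1));     /* 0 */
    printf("TLS 1.0 without prefix:     verdict %d\n", demo_verdict(0));     /* 1 */
    return 0;
}
```

The second verdict is the posted client's situation: the server interprets the first two ciphertext bytes as the vector length, finds it inconsistent with the 128-byte body, and aborts before ever trying to decrypt.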


------------------------------

Message: 7
Date: Thu, 29 Sep 2005 16:59:00 +0100
From: msah at otitelecom.bj
Subject: (no subject)
Cc: freeradius-users at lists.freeradius.org
Message-ID: <20050929165900.j5qtkf92v5cso808 at webmail.otitelecom.bj>
Content-Type: text/plain;	charset=ISO-8859-1

Good morning!
I have successfully configured a freeradius server using a postgresql
database to store the users I want to authenticate.
When I put it in debug mode to test, it works well. But when I run it as a
daemon, the radius server doesn't see the postgresql server. In the radius
log file I see this:
 Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Info: rlm_sql (sql): Attempting to connect to radiusadmin at localhost:/radiusdb
Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server radiusadmin at localhost:radiusdb
Error: rlm_sql_postgresql: Postgresql error 'could not connect to server: Permission denied
	Is the server running on host "localhost" and accepting
	TCP/IP connections on port 5432?
'
Error: rlm_sql (sql): Failed to connect DB handle #0
Info: Ready to process requests.
I use Fedora Core 4 as operating system, with freeradius 1.0.4-1 and
postgresql 8.0.3-1.
In postgresql's pg_hba.conf I made this configuration:
#TYPE  DATABASE    USER         CIDR-ADDRESS          METHOD
#IPv4 local connections:
host    radiusdb   radiusadmin  127.0.0.1/32          trust
I don't know why this malfunction happens.
Please help me and thanks for your assistance.



------------------------------


End of Freeradius-Users Digest, Vol 5, Issue 98
***********************************************