confusion in nas topic!!!!!

rina maharjan rinab01 at yahoo.com
Sun Dec 10 08:43:43 CET 2006


Hello,
         I configured the FreeRADIUS server and it is working fine, but I am really confused about the NAS table and its entries. In my radiusd server, people can log in multiple times with the same username and password. I couldn't make simultaneous login = 1 work for that same username. I tried very hard to make simultaneous login = 1 work but couldn't, so I feel that it is a problem with the naslist, because I get this kind of message in the radiusd log file when I start the radiusd server. I attached this radiusd log file to this posting.
 regards
 rina
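Rina's attached log is not reproduced on this page, so what follows is an added example, not her configuration and not a file shipped by the FreeRADIUS project. It shows the pieces that all have to be in place in FreeRADIUS 1.x with the SQL backend before Simultaneous-Use is enforced at all: the attribute sits on the check-item line of the users entry; the session section names the module that counts live sessions; the stock 1.x sql.conf has simul_count_query commented out; and checkrad needs a row in the nas table (address, NAS type, shared secret, SNMP community) to ask the NAS whether an accounting record that never received a Stop is still a live session. The user name, NAS address, secret and community are placeholders.

```conf
# Added example (not Rina's configuration, not a stock FreeRADIUS file).
# Assumes FreeRADIUS 1.x, rlm_sql on MySQL, a user "rina" and one NAS at
# the constructed address 192.0.2.10.

# --- users: Simultaneous-Use is a check item, so it goes on the first
#     line with the other check items; ':=' makes it a config item.
rina    Simultaneous-Use := 1
        Reply-Message = "one session at a time"

# --- radiusd.conf: the session section must name the module that counts
#     live sessions.  An empty session section enforces nothing.
session {
        sql
}

# --- sql.conf: in the stock 1.x file simul_count_query is commented out;
#     uncomment it (and simul_verify_query if stale rows should be
#     rechecked against the NAS).  readclients = yes loads the NAS list
#     from the nas table, so one row serves accounting and checkrad.
readclients = yes
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} \
        WHERE UserName = '%{SQL-User-Name}' AND AcctStopTime = 0"

# --- nas table: type, secret and community are what checkrad uses to ask
#     the NAS whether a session without an Accounting-Stop is still up.
#     Replace the placeholders; do not reuse the shared secret as the
#     SNMP community string.
INSERT INTO nas (nasname, shortname, type, secret, community)
VALUES ('192.0.2.10', 'nas1', 'cisco',
        'REPLACE-WITH-SHARED-SECRET', 'REPLACE-WITH-SNMP-COMMUNITY');
```

The limit is only as good as accounting: if the NAS never sends Accounting-Start, there is no open row in radacct to count and the second login is accepted silently. So before touching the naslist, check that rows with AcctStopTime = 0 appear in radacct while a user is connected, and that radiusd -X shows the count query being run in the session section.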
 
 
 
 

freeradius-users-request at lists.freeradius.org wrote:

Today's Topics:

   1. Re: PEAP+MSCHAP+AD (please help) (Phil Mayers)
   2. How to pass information between modules? (Martin Gadbois)
   3. Re: How to pass information between modules? (Alan DeKok)
   4. Re: LDAP->RADIUS Attribute Mapping (Alan DeKok)
   5. Re: How to pass information between modules? (Martin Gadbois)
   6. Re: Choosing The best replication system. (Sarkis Gabriel)
   7. Re: TTLS : where to indicate User/Password ? (Bruno Costacurta)


----------------------------------------------------------------------

Message: 1
Date: Fri, 08 Dec 2006 18:31:37 +0000
From: Phil Mayers 

Subject: Re: PEAP+MSCHAP+AD (please help)
To: FreeRadius users mailing list
 
Message-ID: <4579AF89.3010307 at imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hector.Ortiz at swisscom.com wrote:
> Hi there, this is an old issue, but AFAIAC hasn't been solved yet, that's why I'm asking for help with this problem which is driving me crazy.
> 
> 
> In the first attempt the user has checked the option "Automatically use my Windows logon name and password (and domain if any)", user account is valid in the domain and is not locked out, however user authentication fails.
> 
> In the next attempt the user has unchecked this option, so everytime he connects to the network he has to type his credentials in. After clicking "Connect" he gets access. 
> 
> Why, if Windows sends the same user information, is the user able to get in only in the latter case?
> 
> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=c61ad7019723b68d --nt-response=70fb1b0438208667d0bac6eb895ea8644b413566785d5785
> Exec-Program output: Logon failure (0xc000006d) 
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d) 
> Exec-Program: returned: 1
>   rlm_mschap: External script failed.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>   modcall[authenticate]: module "mschap" returns reject for request 7

It failed because the client returned the wrong challenge.

> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=aea3ef9fe78f8ac2 --nt-response=8c6a735e29ed7cddb8c02ae601424aca79d115544324731d
> Exec-Program output: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF 
> Exec-Program-Wait: plaintext: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF 
> Exec-Program: returned: 0
>   modcall[authenticate]: module "mschap" returns ok for request 16
> modcall: leaving group MS-CHAP (returns ok) for request 16
> MSCHAP Success 

Whereas that worked.

It looks to me as if you've edited the debug output so I can't be sure, 
but I'd suggest looking at the client - the radius server is configured 
correctly. Perhaps the client is not in fact logging on to the laptop 
with the correct username and password.


------------------------------

Message: 2
Date: Fri, 08 Dec 2006 14:02:36 -0500
From: Martin Gadbois 
Subject: How to pass information between modules?
To: FreeRadius users mailing list
 
Message-ID: <4579B6CC.5010406 at colubris.com>
Content-Type: text/plain; charset=UTF-8


Hi!

Let's say I have the following authorize {} section:
authorize {
   ldap
   sql
}

What would be the best way to pass information between ldap and sql?

For example, if I were to extract a group name from "ldap" and pass it
to "sql" to get all the RADIUS attributes associated to this group, what
would be the strategy to achieve that?

In other words, how to configure those modules if the "ldap" contains
the group info, but "sql" the actual RADIUS attribute per group?

Thanks!

- --
==============         +----------------------------------------------+
Martin Gadbois         | "Windows might take you from 0 to 60 faster, |
S/W Developer          |  but to go to 100 you need Unix."            |
Colubris Networks Inc. +----------------------------------------------+


------------------------------

Message: 3
Date: Fri, 08 Dec 2006 11:11:27 -0800
From: Alan DeKok 
Subject: Re: How to pass information between modules?
To: FreeRadius users mailing list
 
Message-ID: <4579B8DF.6030008 at deployingradius.com>
Content-Type: text/plain; charset=UTF-8

Martin Gadbois wrote:

> What would be the best way to pass information between ldap and sql?

  In the same way that all of the other modules do it: Put the
information into attributes.  That's what the "config item" list is for.

> For example, if I were to extract a group name from "ldap" and pass it
> to "sql" to get all the RADIUS attributes associated to this group, what
> would be the strategy to acheive that?

  Put it into an attribute in the config items.

> In other words, how to configure those modules if the "ldap" contains
> the group info, but "sql" the actual RADIUS attribute per group?

  You can use the "LDAP-Group" attribute, see the rlm_ldap documentation.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog


------------------------------

Message: 4
Date: Fri, 08 Dec 2006 11:21:59 -0800
From: Alan DeKok 
Subject: Re: LDAP->RADIUS Attribute Mapping
To: FreeRadius users mailing list
 
Message-ID: <4579BB57.5040504 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Owen DeLong wrote:

> We have historically used the AuthorizedService attribute in LDAP to
> control the level of access available to the user.  We would like to
> continue to do so.  However, in order for that to work, I need to map
> AuthorizedService to different RADIUS attributes in the response
> depending on the authentication client.

  Do it in two steps.  Map the AuthorisedService LDAP attribute to a
RADIUS attribute (invent a local one, see the dictionary docs), and then
depending on the NAS, map that to another attribute.

  The reason for doing it this way is that the LDAP -> RADIUS attribute
mapping is simple, and should be kept simple.

> Ideally, I'd like to be able to map RADIUS clients into "groups" and
> have a mapping of AuthorizedService values for each group.  The client
> groups would, ideally, be defined by matching the client IP address.
> An example of what I'd like that mapping to look like is below:

  Use rlm_passwd to map clients to groups (see its documentation), and
then the "users" file to map AuthorizedService to another RADIUS
attribute, as described above.

> Alan, your flames and RTFM comments are welcome, but, please understand,
> I've done my best to RTFM before posting this.

  As I tell my co-workers, "Remember, there are no stupid questions.
There are only stupid people.".

  And they still speak to me after that. :)

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog


------------------------------

Message: 5
Date: Fri, 08 Dec 2006 15:41:28 -0500
From: Martin Gadbois 
Subject: Re: How to pass information between modules?
To: FreeRadius users mailing list
 
Message-ID: <4579CDF8.5090207 at colubris.com>
Content-Type: text/plain; charset=UTF-8


Alan DeKok wrote:
>> What would be the best way to pass information between ldap and sql?
> 
>   In the same way that all of the other modules do it: Put the
> information into attributes.  That's what the "config item" list is for.

My subconscious FreeRADIUS mind was saying that as well; but how to use
config items and what makes them different from RADIUS Reply attributes?

A theoretical example:

modules {
 file users {
  ...
 }
 file groups {
  ...
 }
}

authorized {
 users
 groups
}

file users:
martin User-Password == "gadbois"
       Group = "staff"

file groups:
DEFAULT  Group == "staff"
 Reply-Message = "Hello Staff!"

I expect this to set "martin" into the "staff" group, and a RADIUS
request returns Reply-Message "Hello Staff!!"

This does not work:
[/etc/raddb/users]:223 WARNING! Check item "Group" found in reply item
list for user "martin". This attribute MUST go on the first line with
the other check items

Some explanation, a C function or a URL would greatly help!

> 
>> In other words, how to configure those modules if the "ldap" contains
>> the group info, but "sql" the actual RADIUS attribute per group?
> 
>   You can use the "LDAP-Group" attribute, see the rlm_ldap documentation.

I got it now; LDAP-Group is like a callback into the "ldap" module,
where the LDAP group is going to be checked to the value.

I'll go update the FR LDAP Wiki.. ;-)

Thanks Alan for the quick reply.

- --
==============         +----------------------------------------------+
Martin Gadbois         | "Windows might take you from 0 to 60 faster, |
S/W Developer          |  but to go to 100 you need Unix."            |
Colubris Networks Inc. +----------------------------------------------+
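The warning Martin quotes comes from the rule rlm_files enforces on the users file: the first line of an entry carries the check items, the indented lines carry reply items, and server-internal attributes such as Group or Auth-Type only mean something on the first line. The parser below is an added example, not code from this thread or from FreeRADIUS. It reads that format and reproduces two rlm_files warnings: an internal attribute in the reply list (Martin's case), and a bare "=" on the check line, which rlm_files rewrites to "==" for wire attributes and ":=" for internal ones (this parser warns in both cases). The sample users file and the INTERNAL_ATTRS set are constructed for the example; rlm_files itself classifies by attribute number (above 1000 in the internal dictionary).

```python
"""Parser for the FreeRADIUS ``users`` file that reproduces rlm_files'
sanity warnings.

Added example; not code from the original thread or from FreeRADIUS.
Format as documented for rlm_files: an entry starts in column 0 with a
name followed by comma-separated check items; indented continuation
lines carry comma-separated reply items.  INTERNAL_ATTRS and SAMPLE are
constructed for this example (rlm_files itself classifies attributes by
number: above 1000 means server-internal).
"""
import re

# Server-internal attributes: meaningful only as check (config) items.
# Constructed subset of dictionary.freeradius.internal.
INTERNAL_ATTRS = {"Auth-Type", "Group", "Simultaneous-Use", "Huntgroup-Name",
                  "Crypt-Password", "Expiration", "Fall-Through"}

# Two-character operators first, so ':=' is not tokenised as '='.
ITEM_RE = re.compile(
    r"^([\w-]+)\s*(==|:=|\+=|!=|=~|!~|=\*|!\*|>=|<=|>|<|=)\s*(.+)$")
ENTRY_RE = re.compile(r"^(\S+)\s*(.*)$")


def split_items(text):
    """Split a comma-separated item list, ignoring commas inside quotes."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_item(text, filename, lineno):
    """Return an (attribute, operator, value) triple for one item."""
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError("[%s]:%d cannot parse item %r" % (filename, lineno, text))
    attr, op, value = m.groups()
    return attr, op, value.strip().strip('"')


def parse_users(text, filename="users"):
    """Parse a users file.  Returns (entries, warnings); each entry is a
    dict with name, lineno, and check/reply lists of item triples."""
    entries, warnings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank or full-line comment
        if not line[0].isspace():         # column 0: a new entry
            name, rest = ENTRY_RE.match(line.rstrip()).groups()
            entries.append({"name": name, "lineno": lineno,
                            "check": [parse_item(i, filename, lineno)
                                      for i in split_items(rest)],
                            "reply": []})
            continue
        if not entries:
            raise ValueError("[%s]:%d reply item before any entry" % (filename, lineno))
        entries[-1]["reply"].extend(parse_item(i, filename, lineno)
                                    for i in split_items(line))

    for e in entries:
        where = "[%s]:%d WARNING!" % (filename, e["lineno"])
        for attr, op, _ in e["check"]:
            # A bare '=' on the check line is ambiguous.  Internal
            # attributes are meant as ':=' (set a config item), wire
            # attributes as '==' (compare with the request).
            if op == "=":
                fixed = ":=" if attr in INTERNAL_ATTRS else "=="
                warnings.append("%s Changing '%s =' to '%s %s'"
                                % (where, attr, attr, fixed))
        for attr, _, _ in e["reply"]:
            # Martin's case: a server-internal attribute in the reply list
            # never reaches the check/config logic, so it is flagged.
            if attr in INTERNAL_ATTRS:
                warnings.append('%s Check item "%s" found in reply item list '
                                'for user "%s". This attribute MUST go on the '
                                'first line with the other check items'
                                % (where, attr, e["name"]))
    return entries, warnings


# Constructed sample, not a real configuration.
SAMPLE = """\
# constructed users file
martin  User-Password == "gadbois"
        Group = "staff"

DEFAULT Group == "staff"
        Reply-Message = "Hello, Staff!"

bob     Auth-Type = Reject, User-Password == "x"
        Reply-Message = "nope"
"""

if __name__ == "__main__":
    for w in parse_users(SAMPLE, "/etc/raddb/users")[1]:
        print(w)
```

Run it and the first warning is, word for word, the one rlm_files printed for Martin; the second shows the other common mistake, "Auth-Type = Reject" on a check line where ":=" was meant.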


------------------------------

Message: 6
Date: Fri, 8 Dec 2006 22:53:07 +0100
From: "Sarkis Gabriel" 
Subject: Re: Choosing The best replication system.
To: FreeRadius users mailing list
 
Message-ID: <20061208215219.M71831 at raycon.net>
Content-Type: text/plain; charset=iso-8859-1

Anyone out there with some guide, or at least some pitfalls I should try and avoid, on
replicating the radius server?

Sarky

---------- Original Message -----------
From: "Sarkis Gabriel" 
To: FreeRadius users mailing list 
Sent: Thu, 7 Dec 2006 17:29:22 +0100
Subject: Choosing The best replication system.

> Hello all,
> 
> With the way work is and the POPs are growing, it looks like I need to start 
> centralising the database.
> 
> At the moment I have 4 POPs around the country and all are fed from 
> satellite links. As the company is growing it is becoming very hard to 
> maintain, and we are looking to have a central MySQL DB in the UK which feeds 
> the slave machines with the updated info.
> 
> Each POP will have a live radius / mysql db feeding info back to a master 
> machine in the UK, and that would replicate the info down to the slaves on the 
> other POPs; this is the wishful thinking I have :).
> 
> I have read about replication with MySQL (one-way) and radrelay, then I 
> noticed there is rlm_sql_log and radsqlrelay.
> 
> One thing I must mention: there is a lot of lag on the satellite connection, looking 
> at approx 650ms, and because of BW cost we do rely on proxies, which makes BW 
> usage during the day very expensive, so I would like to be able to replicate 
> maybe once a night, let's say at midnight, being less busy and cheaper.
> 
> Anyone out there with some ideas they can send my way..
> 
> Thanks
> 
> Sarky
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------- End of Original Message -------



------------------------------

Message: 7
Date: Sat, 9 Dec 2006 00:12:01 +0100
From: Bruno Costacurta 

Subject: Re: TTLS : where to indicate User/Password ?
To: FreeRadius users mailing list
 
Message-ID: <200612090012.01376.pubmb01 at skynet.be>
Content-Type: text/plain;  charset="iso-8859-1"

On Monday 04 December 2006 22:21, Alan DeKok wrote:
> Bruno Costacurta wrote:
> > I'm trying to configure FreeRadius using TTLS (certificate on server side
> > only) and MySQL. Client is a Linux laptop  using wpa_supplicant.
> > I'm in a learning curve regarding 802.1x and FreeRadius and especially
> > TTLS.
>
>   That should work without too much effort.
>
> > Questions:
> > - TTLS available authentications are: CHAP,PAP,MS-CHAP,EAP (correct ?)
>
>   Yes.
>
> > - 'Auth-Type=local' means CHAP,PAP and MS-CHAP (correct ?)
>
>   No, just CHAP and PAP.  You shouldn't be using it at all.
>
> > - for the learning curve :
> > --- which is the easiest authentications to start with ?
>
>   PAP.
>
> > --- MySQL will be removed at the first stage to ease debugging / setup of
> > the config (good idea ?)
>
>   Yes.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog

Dear Alan,
thanks for your answers.

Indeed starting from a fresh FreeRadius install, following instructions
http://deployingradius.com/documents/configuration/ 
I'm now able to authenticate via TTLS.

Thanks again for attention.

Bye,
Bruno


------------------------------

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 20, Issue 29
************************************************




 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.log
Type: text/x-log
Size: 908 bytes
Desc: 1913154445-radius.log
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20061209/963ebc17/attachment.bin>

