Freeradius-Users Digest, Vol 27, Issue 121

ashish verma ashish.scit at gmail.com
Thu Jul 19 16:29:41 CEST 2007


Hi,

I read the document. I think I put my question in a wrong way.
Let me put it in a different way.

I don't want the user to go directly into priv mode.
Through priv level = 15 we can directly go into priv level, right?

What I want is that the user first gets into user level and then, with
another password, into level 2 (not with the enable password). It should be
through the RADIUS server.

I hope it makes it easy.

On 7/19/07, freeradius-users-request at lists.freeradius.org <
freeradius-users-request at lists.freeradius.org> wrote:
>
> Today's Topics:
>
>    1. Re: mod_auth_radius (Nick Owen)
>    2. Re: Quirky question about rewriting usernames (Cliff Cole)
>    3. "Time-out" Problem with Huntgroups in conjunction with MYSQL
>       Backend (thomas at buddybase.at)
>    4. Level 2 authentication with RADIUS. (ashish verma)
>    5. Re: Level 2 authentication with RADIUS. (Stefan Winter)
>    6. Re: Level 2 authentication with RADIUS. (Stefan Winter)
>    7. Re: TLS cant connect ldap+freeradius+novell
>       (Reimer Karlsen-Masur, DFN-CERT)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 19 Jul 2007 09:14:28 -0400
> From: "Nick Owen" <nowen at wikidsystems.com>
> Subject: Re: mod_auth_radius
> To: "FreeRadius users mailing list"
>         <freeradius-users at lists.freeradius.org>
> Message-ID:
>         <415a28910707190614v586aceb1re81767278eb9fccf at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 7/19/07, Rascher, Markus <markus.mr.rascher at siemens.com> wrote:
> >
> >
> > Hi All,
> >
> > is there a tutorial how to install mod_auth_radius on an Apache 2.xx server?
> > The howto on the FreeRADIUS webpage is a little bit deprecated, I guess.
> > I get an error when starting the Apache server after installing
> > mod_auth_radius:
> >
> > # service httpd start
> > Starting httpd: httpd: Syntax error on line 205 of
> > /etc/httpd/conf/httpd.conf: Cannot load
> > /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server:
> > /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined
> > symbol: ap_snprintf
> > [FAILED]
>
> You might try mod_auth_xradius.  I have done a couple of apache +
> radius + WiKID 2FA docs that might help:
>
> http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/
>
> http://www.howtoforge.com/apache_radius_two_factor_authentication
>
> The latter is more recent.
>
> HTH,
>
> nick
>
> --
> Nick Owen
> WiKID Systems, Inc.
> 404.962.8983
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 19 Jul 2007 09:35:13 -0400
> From: "Cliff Cole" <clifflcole at gmail.com>
> Subject: Re: Quirky question about rewriting usernames
> To: "FreeRadius users mailing list"
>         <freeradius-users at lists.freeradius.org>
> Message-ID:
>         <5da254220707190635u50d33d86sb39bfbb7250c7a12 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Thanks for the reply. I'm new to FreeRADIUS and have been
> overwhelmed with documentation the past few days. Let me explain in
> some logic and maybe I can make some sense as to what I'm trying to
> do.
>
> User authentication comes from "NAS A"
>
> IF the username does not have @domain.com and NAS = "NAS A"
> THEN append @domain.com
>
> IF the username has @domain.com and NAS = "NAS A"
> THEN continue with username as is.
>
> Hope this helps to clear up what I'm trying to do. I apologize for
> not being very clear.
>
> Thanks
>
> Cliff
>
>
>
> On 7/19/07, Pshem Kowalczyk <pshem.k at gmail.com> wrote:
> > Hi
> >
> > On 19/07/07, Cliff Cole <clifflcole at gmail.com> wrote:
> > > Hello all.
> > >
> > > Here is my issue.  This is very weird and would only affect one NAS.
> > > I'm not sure freeradius is capable of this.  I want a username that
> > > comes in to check for an @domainname.  If the domainname is there I
> > > want it to be stripped and added back later.  If the domainname is not
> > > there I'd like it to continue and have the domainname added later in
> > > the authentication process.  I hope this makes sense and any help is
> > > appreciated.
> >
> > What do you mean by 'later'? You can definitely check for the presence
> > of a domain, you can strip it and add it again. You just have to define
> > the flow. rlm_attr will be of help to you (for both stripping and
> > adding).
> >
> > kind regards
> > Pshem
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 19 Jul 2007 15:38:54 +0200
> From: thomas at buddybase.at
> Subject: "Time-out" Problem with Huntgroups in conjunction with MYSQL
>         Backend
> To: freeradius-users at lists.freeradius.org
> Message-ID: <20070719153854.9aj0e3hdesk04sw8 at webmail.buddybase.at>
> Content-Type: text/plain;       charset=ISO-8859-1;     DelSp="Yes";
>         format="flowed"
>
> Hello FR users,
>
> I am running FreeRADIUS 1.1.3 together with MySQL 5.0.27.
> I use huntgroups to allow access to specific devices only to certain users
> belonging to a certain group (I use huntgroups since "I" didn't find a way
> to do it via MySQL).
> I have the following issue:
> When for a longer period (e.g. over night) no one logs into one of the
> devices (so the RADIUS server sits idle), it happens that the first time
> in the morning someone tries to log in, he fails because FR rejects the
> request with "invalid user" - only after 3 or 4 tries is the login attempt
> successful.
> The reason seems to be that after such a "long" dormant period, when the
> first RADIUS request(s) arrive, FR has to re-connect to the MySQL DB to
> query the user's group membership.
> Since this re-connect takes "too long", the query returns "Not found" and
> the user is rejected as "unknown".
>
> Here is what you see in the radius.log file:
> Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #9
> Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect
> Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)
> Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)
> Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #8
> Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect
> Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0)
> Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0)
> Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #7
> Tue Jul 17 08:05:38 2007 : Error: rlm_sql (sql): failed after re-connect
> Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0)
> Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0)
> Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #6
> Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201 port 2 cli 10.0.0.31)
>
> Hope the logfile is sufficient, otherwise I would have to let FR run in
> debug mode over night....
>
> The funny thing is that this problem doesn't occur when all entries in
> the huntgroups file are "commented out".
>
> So my question is: is there a config parameter to tell FR to "wait" a bit
> longer in the preprocess module (I assume) for the MySQL query to deliver
> its answer?
>
> thanks a lot
> regards
> thomas pudil
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 19 Jul 2007 19:11:35 +0530
> From: "ashish verma" <ashish.scit at gmail.com>
> Subject: Level 2 authentication with RADIUS.
> To: freeradius-users at lists.freeradius.org
> Message-ID:
>         <11b554120707190641g6abce7b3o2535671040dc5327 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi all,
> I am new to the list and to RADIUS too, so I might ask some repetitive
> questions.
>
> Here is my question:
> Can we have level 2 (enable) authentication too with a RADIUS server as we
> have for level 1 (user level)?
>
> If yes, can someone provide me some documentation? I tried to search for
> it but couldn't find any.
>
> Thanks in advance,
> Ashish
>
> ------------------------------
>
> Message: 5
> Date: Thu, 19 Jul 2007 15:45:44 +0200
> From: Stefan Winter <stefan.winter at restena.lu>
> Subject: Re: Level 2 authentication with RADIUS.
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <200707191545.48147.stefan.winter at restena.lu>
> Content-Type: text/plain; charset="utf-8"
>
> > Can we have level 2 (enable) authentication too with Radius server as we
> > have for level 1(user level)?
>
> If you say "enable" I suspect you are talking about Cisco equipment? Then
> enable is really level 15. And the following link was posted just MINUTES
> ago on this list. Did you read the etiquette thing about "read the mail
> archives before asking"?
>
> http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level
>
> Stefan
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Ingenieur Forschung & Entwicklung
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: stefan.winter at restena.lu     Tel.: +352 424409-1
> http://www.restena.lu                 Fax:  +352 422473
>
> ------------------------------
>
> Message: 6
> Date: Thu, 19 Jul 2007 15:53:13 +0200
> From: Stefan Winter <stefan.winter at restena.lu>
> Subject: Re: Level 2 authentication with RADIUS.
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <200707191553.13723.stefan.winter at restena.lu>
> Content-Type: text/plain; charset="utf-8"
>
> > enable is really level 15. And the following link was posted just
> > MINUTES ago on this list. Did you read the etiquette thing about "read
> > the mail archives before asking?"?
>
> Wait a minute. That link was sent in reply to YOUR question! Did you even
> read it?
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Ingenieur Forschung & Entwicklung
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: stefan.winter at restena.lu     Tel.: +352 424409-1
> http://www.restena.lu                 Fax:  +352 422473
>
> ------------------------------
>
> Message: 7
> Date: Thu, 19 Jul 2007 16:06:46 +0200
> From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur at dfn-cert.de>
> Subject: Re: TLS cant connect ldap+freeradius+novell
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <469F6FF6.6070408 at dfn-cert.de>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi.
>
> Martin G wrote:
> > Hello!
> >
> > I'm new to both this mailing list and to novell/linux/ldap/freeradius but
> > I've tried my best to install a radius/ldap Linux server to pass on
> > radius requests from an Aruba controller to our Novell server.
> >
> > IPs:
> > Novell 10.10.0.11
> > Aruba 10.10.0.28
> > Linux (freeradius+ldap) 10.10.0.132
> >
> > I've tried to change tls_mode, port and tls_start on and off a couple of
> > times without any good result, and when I use ldapsearch -vvv -h 10.10.0.11 -x
> > -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > I receive "TLS: hostname does not match CN in peer certificate".
>
> At least this means that your LDAP server understands STARTTLS on the
> standard LDAP port.
>
> So in the FreeRADIUS ldap config section you should *not* set the port
> and tls_mode options at all.
>
> You should set start_tls=yes though.
>
>
>
> As for the ldap server certificate name mismatch
>
> > So I have some thoughts about the certificate, but I've exported the
> > self-signed Novell certificate from the Novell server and verified it. But
> > I'm not sure how to use a "client certificate" on the Linux.
> >
> > When I use "freeradius -XXX -A" on the Linux server and I try to do a
> > radius request, the Aruba gets a timeout and the Linux server tells me
> > the following log:
>
> Now for the certificates. Since your LDAP server is using a server
> certificate, you must configure FreeRADIUS to trust the issuing CA.
>
> Since identity and password are set, it seems you do not use SSL client
> authentication to authenticate the FreeRADIUS server (acting as LDAP
> client) at the LDAP server.
>
> Hence don't set the tls_certfile and tls_keyfile options.
>
> Either use the tls_cacertfile xor the tls_cacertdir option.
>
> If using the former, put the whole CA certificate chain validating the
> LDAP server's certificate, in PEM format, into the file named by this
> option (concatenate the CA certs into that file).
>
> If using the latter, put all CA certs of the chain validating the LDAP
> server's certificate, in PEM format and with a .pem file extension, into
> that directory. cd into this directory and execute
>
> # c_rehash .
>
> to build some symlinks. The dot (.) for the current directory seems vital.
> c_rehash is a tool that comes with OpenSSL.
>
> Be aware that the OpenLDAP client configuration file on the system or for
> the user running FreeRADIUS is being used. That is ~/.ldap.conf or,
> system-wide, something like /etc/openldap/ldap.conf or whatever fits your
> FS layout and LDAP installation on the FreeRADIUS server.
>
> To ease LDAP debugging within FreeRADIUS set "loglevel -1" in the
> ldap.conf file. Debugging output is to be found in the files configured
> by syslogd, more than likely in /var/log/messages or similar.
>
> HTH & good luck
>
> --
> Beste Gruesse / Kind Regards
>
> Reimer Karlsen-Masur
>
> DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
> --
> Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
>
> ------------------------------
>
>
>
> End of Freeradius-Users Digest, Vol 27, Issue 121
> *************************************************
>
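Message 3 above (the huntgroups/MySQL "invalid user" problem) shows a failure mode worth detecting in any RADIUS deployment: a backend that is slow to re-connect makes the server reject legitimate users as unknown, which looks in the log exactly like a bad-credential rejection. The script below is an added example, not code from the thread or from FreeRADIUS. It parses radius.log lines of the shape quoted in the thread, attributes each "Invalid user" rejection that follows an rlm_sql re-connect error within a short window to the SQL backend rather than to the credentials, and counts how many backend-caused rejections a user suffered before the eventual "Login OK". The sample log is constructed from the quoted lines plus one invented genuine rejection (user "bob"); the two-second window is an assumption to tune per server.

```python
"""Correlate FreeRADIUS 1.x radius.log rejections with rlm_sql re-connect
failures, so that 'Invalid user' entries caused by a dormant SQL backend can
be told apart from real bad-credential rejections.

Added example, not code from the thread or from FreeRADIUS.  Assumptions:
the log line shape is the one quoted in the thread, and a rejection that
follows an rlm_sql re-connect error within WINDOW is attributed to the
backend (the window length is a guess; tune it for your server).
"""
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the lines quoted in the thread; the last
# line (user 'bob') is an invented, genuine bad-credential rejection.
SAMPLE_LOG = """\
Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #9
Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)
Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)
Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #8
Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0)
Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0)
Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #6
Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201 port 2 cli 10.0.0.31)
Tue Jul 17 09:12:03 2007 : Auth: Invalid user: [bob] (from client ATWRE22e7601 port 0)
"""

WINDOW = timedelta(seconds=2)          # assumed correlation window
TS_FMT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
REJECT_RE = re.compile(r"Invalid user: \[(?P<user>[^\]]*)\] \(from client (?P<client>\S+)")
LOGIN_OK_RE = re.compile(r"Login OK: \[(?P<user>[^\]]*)\]")
SQL_FAIL_MARK = "rlm_sql (sql): failed after re-connect"


def parse_log(text):
    """Yield (timestamp, level, message) for every well-formed radius.log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group("ts"), TS_FMT), m.group("level"), m.group("msg")


def analyze(text, window=WINDOW):
    """Classify every 'Invalid user' rejection as caused by the SQL backend or
    by the credentials, and count the backend-caused rejections each user
    suffered before finally logging in."""
    rejections, pending, retries = [], {}, {}
    last_sql_failure = None
    for ts, level, msg in parse_log(text):
        if level == "Error" and SQL_FAIL_MARK in msg:
            last_sql_failure = ts          # the backend just failed to re-connect
            continue
        if level != "Auth":
            continue
        m = REJECT_RE.search(msg)
        if m:
            user = m.group("user")
            backend = last_sql_failure is not None and ts - last_sql_failure <= window
            rejections.append({"time": ts, "user": user, "client": m.group("client"),
                               "cause": "sql-backend" if backend else "credentials"})
            if backend:
                pending[user] = pending.get(user, 0) + 1
            continue
        m = LOGIN_OK_RE.search(msg)
        if m and m.group("user") in pending:
            retries[m.group("user")] = pending.pop(m.group("user"))
    return {"rejections": rejections, "retries_before_success": retries}


def summarize(result):
    """Count rejections per cause; a large 'sql-backend' share means the SQL
    connection pool, not the users, is what needs fixing."""
    counts = {"sql-backend": 0, "credentials": 0}
    for r in result["rejections"]:
        counts[r["cause"]] += 1
    return counts


if __name__ == "__main__":
    res = analyze(SAMPLE_LOG)
    for r in res["rejections"]:
        print(f"{r['time']:%H:%M:%S} {r['user']:<6} from {r['client']:<13} -> {r['cause']}")
    print("summary:", summarize(res))
    print("backend-caused retries before success:", res["retries_before_success"])
```

Run against the sample it reports two backend-caused rejections for "xxx" before the successful login and one genuine rejection for "bob". Feeding a real radius.log through it separates a backend outage (which is a fail-closed availability problem for the RADIUS service) from an actual run of bad passwords, which is what you would want to alert on.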
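Message 7 above gives a concrete checklist for the ldap module when the LDAP server speaks STARTTLS on the standard port: set start_tls=yes, leave port and tls_mode alone, configure trust in the issuing CA through exactly one of tls_cacertfile or tls_cacertdir, and do not set tls_certfile/tls_keyfile when binding with identity and password. The script below is an added example, not FreeRADIUS code or code from the thread: a small parser for the `ldap { ... }` block of a FreeRADIUS 1.x radiusd.conf plus a lint that checks those rules. The option names are the ones the thread discusses; both sample blocks are constructed (10.10.0.11 and the base DN come from the thread, the password is a placeholder).

```python
"""Parse the ldap { ... } module block of a FreeRADIUS 1.x radiusd.conf and
lint it against the STARTTLS advice given in the thread.

Added example, not FreeRADIUS code.  The option names (start_tls, port,
tls_mode, tls_cacertfile, tls_cacertdir, tls_certfile, tls_keyfile,
identity, password) are the ones the thread discusses; both sample blocks
are constructed, with 10.10.0.11 and the base DN taken from the thread and
the password a placeholder.
"""
import re

OPT_RE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<val>.*?)$")

# Constructed: roughly what the original poster described trying.
WEAK_CONF = """\
ldap {
    server = "10.10.0.11"
    identity = "cn=radius,o=wifi"
    password = "REPLACE-ME"
    basedn = "ou=adm,ou=malmo,o=wifi"
    port = 636                # ldaps port, but the server does STARTTLS on 389
    tls_mode = yes
    start_tls = no
    tls_cacertfile = /etc/raddb/certs/novell-ca.pem
    tls_cacertdir = /etc/raddb/certs
    tls_certfile = /etc/raddb/certs/client.pem
}
"""

# Constructed: the same block following the advice in the reply.
GOOD_CONF = """\
ldap {
    server = "10.10.0.11"
    identity = "cn=radius,o=wifi"
    password = "REPLACE-ME"   # placeholder, not a real credential
    basedn = "ou=adm,ou=malmo,o=wifi"
    start_tls = yes
    tls_cacertfile = /etc/raddb/certs/ldap-ca-chain.pem
}
"""


def parse_module_block(text, name="ldap"):
    """Return the top-level key/value options of the first `name { ... }` block.
    Strips '#' comments and surrounding double quotes; nested sub-blocks are
    skipped.  Simplification: a '#' inside a quoted value is treated as a
    comment start, so such passwords would need quote-aware parsing."""
    opts, inside, depth = {}, False, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not inside:
            if re.match(rf"^{re.escape(name)}\s*\{{", line):
                inside, depth = True, 1
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                break
            continue
        if depth == 1:
            m = OPT_RE.match(line)
            if m:
                opts[m.group("key")] = m.group("val").strip().strip('"')
    return opts


def lint_starttls(opts):
    """Return a list of findings for an ldap block that should use STARTTLS
    with a password bind and CA trust, as recommended in the thread."""
    problems = []
    if opts.get("start_tls", "no").lower() != "yes":
        problems.append("start_tls should be 'yes' (STARTTLS on the standard LDAP port)")
    for key in ("port", "tls_mode"):
        if key in opts:
            problems.append(f"{key} should not be set when using STARTTLS")
    has_file, has_dir = "tls_cacertfile" in opts, "tls_cacertdir" in opts
    if has_file == has_dir:   # neither, or both: the advice is exactly one
        problems.append("set exactly one of tls_cacertfile or tls_cacertdir "
                        "(the CA chain that validates the LDAP server certificate)")
    if "identity" in opts and "password" in opts:
        for key in ("tls_certfile", "tls_keyfile"):
            if key in opts:
                problems.append(f"{key} is a client-certificate option; "
                                "not needed with an identity/password bind")
    return problems


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        findings = lint_starttls(parse_module_block(conf))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The weak block trips all five checks; the corrected block passes. Without a trusted CA configured, the ldap client falls back to whatever the OpenLDAP ldap.conf on the host says, which is why the reply also points at that file: the bind password travels over the STARTTLS session, so the CA trust setting is what stops it being sent to an impostor server.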