Freeradius-Users Digest, Vol 27, Issue 121
tnt at kalik.co.yu
tnt at kalik.co.yu
Thu Jul 19 16:49:15 CEST 2007
Let me answer in the same way - read the article:
http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level
First thing it explains is how to give shell access and what happens when
user then types enable.
Ivan Kalik
Kalik Informatika ISP
Dana 19/7/2007, "ashish verma" <ashish.scit at gmail.com> piše:
>Hi,
>
>I read the document. I think i put my question in a wrong way.
>Let me put it in a different way.
>
>I dont want the user to go directly in priv mode.
>through priv level = 15 we can direclty go into priv level right.
>
>what i want is first the user get into user level and then with another
>password in level 2. (not with enable password)..it should be through RADIUS
>server.
>
>I hope it makes it easy.
>
>On 7/19/07, freeradius-users-request at lists.freeradius.org <
>freeradius-users-request at lists.freeradius.org> wrote:
>>
>> Send Freeradius-Users mailing list submissions to
>> freeradius-users at lists.freeradius.org
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> http://lists.freeradius.org/mailman/listinfo/freeradius-users
>> or, via email, send a message with subject or body 'help' to
>> freeradius-users-request at lists.freeradius.org
>>
>> You can reach the person managing the list at
>> freeradius-users-owner at lists.freeradius.org
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Freeradius-Users digest..."
>>
>>
>> Today's Topics:
>>
>> 1. Re: mod_auth_radius (Nick Owen)
>> 2. Re: Quirky question about rewriting usernames (Cliff Cole)
>> 3. "Time-out" Problem with Huntgroups in conjunction with MYSQL
>> Backend (thomas at buddybase.at)
>> 4. Level 2 authentication with RADIUS. (ashish verma)
>> 5. Re: Level 2 authentication with RADIUS. (Stefan Winter)
>> 6. Re: Level 2 authentication with RADIUS. (Stefan Winter)
>> 7. Re: TLS cant connect ldap+freeradius+novell
>> (Reimer Karlsen-Masur, DFN-CERT)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 19 Jul 2007 09:14:28 -0400
>> From: "Nick Owen" <nowen at wikidsystems.com>
>> Subject: Re: mod_auth_radius
>> To: "FreeRadius users mailing list"
>> <freeradius-users at lists.freeradius.org>
>> Message-ID:
>> <415a28910707190614v586aceb1re81767278eb9fccf at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> On 7/19/07, Rascher, Markus <markus.mr.rascher at siemens.com> wrote:
>> >
>> >
>> > Hi All,
>> >
>> > is there a tutorial how to install mod_auth_radius on an apache 2.xxserver?
>> > The howto on the freeradius webpage is a little bit deprecated i guess.
>> > i get an error when starting the apache server after installing
>> > mod_auth_radius:
>> >
>> > # service httpd start
>> > Starting httpd: httpd: Syntax error on line 205 of
>> > /etc/httpd/conf/httpd.conf: Cannot load
>> > /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server:
>> > /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined
>> > symbol: ap_snprintf
>> > [FAILED]
>>
>> You might try mod_auth_xradius. I have done a couple of apache +
>> radius + WiKID 2FA docs that might help:
>>
>> http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/
>>
>> http://www.howtoforge.com/apache_radius_two_factor_authentication
>>
>> The latter is more recent.
>>
>> HTH,
>>
>> nick
>>
>> --
>> Nick Owen
>> WiKID Systems, Inc.
>> 404.962.8983
>> http://www.wikidsystems.com
>> Commercial/Open Source Two-Factor Authentication
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 19 Jul 2007 09:35:13 -0400
>> From: "Cliff Cole" <clifflcole at gmail.com>
>> Subject: Re: Quirky question about rewriting usernames
>> To: "FreeRadius users mailing list"
>> <freeradius-users at lists.freeradius.org>
>> Message-ID:
>> <5da254220707190635u50d33d86sb39bfbb7250c7a12 at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> Thanks for the reply. I'm new to free radius and have been
>> overwhelmed with documentation the past few days. Let me explain in
>> some logic and maybe I can make some sense as to what I'm trying to
>> do.
>>
>> User authentication comes from "NAS A"
>>
>> IF the username does not have @domain.com and NAS = "NAS A"
>> THEN append @domain.com
>>
>> IF the username has @domain.com and NAS = "NAS A"
>> THEN continue with username as is.
>>
>> Hope this helps to clear up what I'm trying to do. I appologize for
>> not being very clear.
>>
>> Thanks
>>
>> Cliff
>>
>>
>>
>> On 7/19/07, Pshem Kowalczyk <pshem.k at gmail.com> wrote:
>> > Hi
>> >
>> > On 19/07/07, Cliff Cole <clifflcole at gmail.com> wrote:
>> > > Hello all.
>> > >
>> > > Here is my issue. This is very weird and would only affect one NAS.
>> > > I'm not sure freeradius is capable of this. I want a username that
>> > > comes in to check for an @domainname. If the domainname is there I
>> > > want it to be stripped and added back later. If the domainname is not
>> > > there I'd like it to continue and have to domainname added later in
>> > > the authentication process. I hope this makes sense and any help is
>> > > appreciated
>> >
>> > What do you mean by 'later' you can definitely check for the presence
>> > of domain, you can strip it and add it again. you just have to define
>> > the flow. rlm_attr will be of help to you (for both stripping and
>> > adding).
>> >
>> > kind regards
>> > Pshem
>> > -
>> > List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> >
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Thu, 19 Jul 2007 15:38:54 +0200
>> From: thomas at buddybase.at
>> Subject: "Time-out" Problem with Huntgroups in conjunction with MYSQL
>> Backend
>> To: freeradius-users at lists.freeradius.org
>> Message-ID: <20070719153854.9aj0e3hdesk04sw8 at webmail.buddybase.at>
>> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
>> format="flowed"
>>
>> Hello FR users,
>>
>> I am running FreeRadius 1.1.3 together with MySQL 5.0.27
>> I use huntgroups to allow access to specific devices only to certain users
>> belonging to a certain group (I use huntgroups since "I" didnt find a way
>> to do it via MySQL)
>> I have the following issue:
>> When for a longer period (e.g. over night) no one logs into one of the
>> devices (so the radius server sits idle), it happens that the first time
>> in
>> the morning someone tries to login he fails because FR rejects the Request
>> with "invalid user" - only after 3 or 4 tries the login-attempt is
>> successfull
>> The reason seems to be, that after such a "long" dormant period, when the
>> first RADIUS-request(s) arrive, FR has to re-connect to the MySQL DB to
>> query the user's group-membership
>> Since this re-connect takes "too long" the query returns "Not found" and
>> the user is rejected as "unknown"
>>
>> Here is what you see in the radius.log file:
>> Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
>> server for #9
>> Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect
>> Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client
>> ATWRE22e7601 port 1 cli 10.0.0.31)
>> Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client
>> ATWRE22e7601 port 1 cli 10.0.0.31)
>> Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
>> server for #8
>> Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect
>> Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client
>> ATWRE22e7601 port 0)
>> Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client
>> ATWRE22e7601 port 0)
>> Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
>> server for #7
>> Tue Jul 17 08:05:38 2007 : Error: rlm_sql (sql): failed after re-connect
>> Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client
>> ATWRE22e7601 port 0)
>> Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client
>> ATWRE22e7601 port 0)
>> Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
>> server for #6
>> Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201
>> port 2 cli 10.0.0.31)
>>
>> Hope the logfile is sufficient, otherwise I would have to let FR run in
>> debug-mode over night....
>>
>> The funny thing is, that this problem doesn't occure when all entries in
>> the huntgroups file are "commented out"
>>
>> So my question is, is there a config parameter to tell FR to "wait" a bit
>> longer in the preprocess module (I assume) for the MYSQL query to deliver
>> its answer?
>>
>> thanks alot
>> regards
>> thomas pudil
>>
>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Thu, 19 Jul 2007 19:11:35 +0530
>> From: "ashish verma" <ashish.scit at gmail.com>
>> Subject: Level 2 authentication with RADIUS.
>> To: freeradius-users at lists.freeradius.org
>> Message-ID:
>> <11b554120707190641g6abce7b3o2535671040dc5327 at mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Hi all,
>> I am new to the list and for RADIUS too so i might ask some repetitive
>> questions.
>>
>> Here is my question:
>> Can we have level 2 (enable) authentication too with Radius server as we
>> have for level 1(user level)?
>>
>> If yes, can someone provide me some documentation. I tried to search for
>> it
>> but couldnt find any.
>>
>> Thanks in advance,
>> Ashish
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL:
>> https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/d418ae1e/attachment-0001.html
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Thu, 19 Jul 2007 15:45:44 +0200
>> From: Stefan Winter <stefan.winter at restena.lu>
>> Subject: Re: Level 2 authentication with RADIUS.
>> To: FreeRadius users mailing list
>> <freeradius-users at lists.freeradius.org>
>> Message-ID: <200707191545.48147.stefan.winter at restena.lu>
>> Content-Type: text/plain; charset="utf-8"
>>
>> > Can we have level 2 (enable) authentication too with Radius server as
>> we
>> > have for level 1(user level)?
>>
>> If you say "enable" I suspect you are talking about Cisco equipment? Then
>> enable is really level 15. And the following link was posted just MINUTES
>> ago
>> on this list. Did you read the etiquette thing about "read the mail
>> archives
>> before asking?"?
>>
>> http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level
>>
>> Stefan
>>
>> --
>> Stefan WINTER
>>
>> Stiftung RESTENA - R?seau T?l?informatique de l'Education Nationale et de
>> la Recherche
>> Ingenieur Forschung & Entwicklung
>>
>> 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>> E-Mail: stefan.winter at restena.lu ? ? Tel.: ? ?+352 424409-1
>> http://www.restena.lu ? ? ? ? ? ? ? Fax: ? ? ?+352 422473
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: not available
>> Type: application/pgp-signature
>> Size: 189 bytes
>> Desc: This is a digitally signed message part.
>> Url :
>> https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/dd1d78bb/attachment-0001.bin
>>
>> ------------------------------
>>
>> Message: 6
>> Date: Thu, 19 Jul 2007 15:53:13 +0200
>> From: Stefan Winter <stefan.winter at restena.lu>
>> Subject: Re: Level 2 authentication with RADIUS.
>> To: FreeRadius users mailing list
>> <freeradius-users at lists.freeradius.org>
>> Message-ID: <200707191553.13723.stefan.winter at restena.lu>
>> Content-Type: text/plain; charset="utf-8"
>>
>> > enable is really level 15. And the following link was posted just
>> MINUTES
>> > ago on this list. Did you read the etiquette thing about "read the mail
>> > archives before asking?"?
>>
>> Wait a minute. That link was sent in reply to YOUR question! Did you even
>> read
>> it?
>>
>> --
>> Stefan WINTER
>>
>> Stiftung RESTENA - R?seau T?l?informatique de l'Education Nationale et de
>> la Recherche
>> Ingenieur Forschung & Entwicklung
>>
>> 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>> E-Mail: stefan.winter at restena.lu ? ? Tel.: ? ?+352 424409-1
>> http://www.restena.lu ? ? ? ? ? ? ? Fax: ? ? ?+352 422473
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: not available
>> Type: application/pgp-signature
>> Size: 189 bytes
>> Desc: This is a digitally signed message part.
>> Url :
>> https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/966acda1/attachment-0001.bin
>>
>> ------------------------------
>>
>> Message: 7
>> Date: Thu, 19 Jul 2007 16:06:46 +0200
>> From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur at dfn-cert.de>
>> Subject: Re: TLS cant connect ldap+freeradius+novell
>> To: FreeRadius users mailing list
>> <freeradius-users at lists.freeradius.org>
>> Message-ID: <469F6FF6.6070408 at dfn-cert.de>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Hi.
>>
>> Martin G wrote:
>> > Hello!
>> >
>> > Im new to both this mailinglist and to novell/linux/ldap/freeradius but
>> iv
>> > tried my best to install a radius/ldap linuxserver to pass on
>> > radius-requests from a Aruba-controller to our novell-server.
>> >
>> > IPs:
>> > Novell 10.10.0.11
>> > Aruba 10.10.0.28
>> > Linux (freeradius+ldap) 10.10.0.132
>> >
>> > Iv tried to change tls_mode, port and tls_start on and off a couple of
>> times
>> > without any good result and when i go use ldapsearch -vvv -h 10.10.0.11-x
>> > -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
>> > i recieve "TLS: hostname does not match CN in peer certificate".
>>
>> At least this means that your ldap server understands STARTTLS on the
>> standard ldap port.
>>
>> So in FreeRADIUS ldap config section you should *not* set port and
>> tls_mode
>> options at all.
>>
>> You should set start_tls=yes though.
>>
>>
>>
>> As for the ldap server certificate name mismatch
>>
>> > So i have some thoughts about the certificate, but iv exported the
>> > selfsigned novell-certificate from the novellserver and verifyed it. But
>> im
>> > not sure how to use a "client-certificate" on the linux.
>> >
>> > When i use "freeradius -XXX -A" on the linuxserver and i trie to do a
>> > radius-request, the aruba gets a timeout and the linuxserver tells me
>> the
>> > following logg:
>>
>> Now for the certificates. Since your ldap server is using a server
>> certificate you must configure FreeRADIUS to trust the issuing CA.
>>
>> Since identity and password are set it seems you do not use SSL client
>> authentication to authenticate the FreeRADIUS server (acting as ldap
>> client)
>> at the ldap server.
>>
>> Hence don't set tls_certfile and tls_keyfile options.
>>
>> Either use tls_cacertfile xor tlc_cacertdir option.
>>
>> If using former, put in all the CA certificate chain validating the ldap
>> servers certificate in PEM format. Concatenate the CA certs into the file
>> named by this option.
>>
>> If using the latter, put all CA certs of the chain validating the ldap
>> servers certificate in PEM format with .pem file extension into that
>> directory. cd into this directory and execute
>>
>> # c_rehash .
>>
>> to build some symlinks. The dot (.) for the current directory seems vital.
>> c_rehash is a tool that comes with openssl.
>>
>> Be aware that the openldap client configuration file on the system or for
>> that user running FreeRADIUS is being used. That is ~/.ldap.conf or system
>> wide something like /etc/openldap/ldap.conf or what ever fits your FS
>> layout
>> and ldap installation on the FreeRADIUS server.
>>
>> To ease ldap debugging within FreeRADIUS set "loglevel -1" in the
>> ldap.conf
>> file. Debugging output is to be found in files configured by syslogd more
>> than likely in /var/log/messages or similar.
>>
>> HTH & good luck
>>
>> --
>> Beste Gruesse / Kind Regards
>>
>> Reimer Karlsen-Masur
>>
>> DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
>> --
>> Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>> Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: smime.p7s
>> Type: application/x-pkcs7-signature
>> Size: 5853 bytes
>> Desc: S/MIME Cryptographic Signature
>> Url :
>> https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/c6f96b9a/attachment.bin
>>
>> ------------------------------
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>> End of Freeradius-Users Digest, Vol 27, Issue 121
>> *************************************************
>>
>
>
More information about the Freeradius-Users
mailing list