Adding vendor specific attributes

anoop c anoop.cherilthody at sifycorp.com
Tue Apr 28 06:21:34 CEST 2009


Hi,
   Thanks for the response. I am using FreeRADIUS version 1.1.7. I just
require MAC authentication alone. Is anything wrong in the 'users' file?

NAS will support the VSA in this case.
Vendor has given the following details:
Network Access Server Vendor - (Code for the specific vendor)
Vendor Assigned Attribute number - 1 (for Input/Uplink)
                                   2 (for Output/Downlink)
Attribute format - decimal
Attribute value - (Desired Input/Output bandwidth)

How can I configure this attribute?

Thanks and regards
Anoop

-----Original Message-----
From: freeradius-users-bounces+anoop_c=sifycorp.com at lists.freeradius.org
[mailto:freeradius-users-bounces+anoop_c=sifycorp.com at lists.freeradius.org]
On Behalf Of freeradius-users-request at lists.freeradius.org
Sent: Monday, April 27, 2009 10:57 PM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 48, Issue 114

Today's Topics:

   1. Re: %RADIUS-4-RADIUS_ALIVE | %RADIUS-4-RADIUS_DEAD help
      (A.L.M.Buxey at lboro.ac.uk)
   2. Re: [Wimax TTLS with Alcatel - Lucent ASN GW] (Ivan Kalik)
   3. RE: Adding vendor specefic attributes (Ivan Kalik)
   4. Re: %RADIUS-4-RADIUS_ALIVE | %RADIUS-4-RADIUS_DEAD help
      (Borislav Dimitrov)
   5. freeradius with active directory (David N'DAKPAZE)
   6. Re: radpostauth sql logging of bad passwords (Guy Fraser)
   7. Re: freeradius with active directory (bastardinho69)
   8. Re: radpostauth sql logging of bad passwords (Alan DeKok)


----------------------------------------------------------------------

Message: 1
Date: Mon, 27 Apr 2009 13:41:38 +0100
From: A.L.M.Buxey at lboro.ac.uk
Subject: Re: %RADIUS-4-RADIUS_ALIVE | %RADIUS-4-RADIUS_DEAD help
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20090427124138.GC7926 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii

Hi,
> Same box.

and you do live accounting database insertions?  This sounds
to me very much like the classic 'tables have now grown just too
big' - everything works fine then barfs one day. The
request isn't getting serviced in time, therefore it's marking
as dead... check your query times... remove wrong/unused indexes
or move to 'out of band' accounting inserts - very easy with 2.1.x

alan


------------------------------

Message: 2
Date: Mon, 27 Apr 2009 14:36:54 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: Re: [Wimax TTLS with Alcatel - Lucent ASN GW]
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<57087.194.176.105.43.1240839414.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

> Anyway If I may reask a new question about adding multiple attribute to
> reply on the radius that proxy.
>
> The solution you gave me, (eg use users file and match the Realm
> Attribute,
> DEFAULT	Realm == whatever) is ok for a "ISP" radius (eg end radius), not
> for a "Wholesale" radius (eg radius that proxy).
> According to what I saw in debug, Realm attribute is only use in the
> request (eg add by the proxy radius), but even if I force it in the reply
> of the end radius, it won't be consider in the reply by the proxy radius.
>
> So that I can not add the wanted attribute as I would like too.
>
> For now what I do, is use the attrs file for first attribute, then use
> unlang in post auth to add the second attribute.
>

Files module supports use of files in post-auth and post-proxy. Add this
to raddb/modules/files:

postproxy_usersfile = ${confdir}/postproxy_users

Then create postproxy_users in raddb directory (where other users files
are) and list that DEFAULT entry there.

Ivan Kalik
Kalik Informatika ISP



------------------------------

Message: 3
Date: Mon, 27 Apr 2009 14:43:25 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: RE: Adding vendor specefic attributes
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<64565.194.176.105.44.1240839805.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

>    Is it possible to configure vendor specific attributes in Free RADIUS.
> Please guide where can  I edit the configuration.

Nowhere.

> I am using MAC authentication by editing the user file shown below.
>
> '020a6-5a7fd9 Auth-Type:=Local,User-Password=="secret"
>

There is so much wrong with this unless you are using a very, very, very
old server version.

>
> MAC authentication is working and I would like to add a vendor specific
> attribute.
>

You add vendor specific attributes - just like any other. Just make sure
that you have the dictionary for that vendor in your installation (it's a
text file share/dictionary.vendor_name) and that that dictionary contains
attribute you want to use.

Ivan Kalik
Kalik Informatika ISP



------------------------------

Message: 4
Date: Mon, 27 Apr 2009 17:44:10 +0300
From: Borislav Dimitrov <b.dimitrov at ngsystems.net>
Subject: Re: %RADIUS-4-RADIUS_ALIVE | %RADIUS-4-RADIUS_DEAD help
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <618820F7-3340-4483-BEBB-7937BB8B5C62 at ngsystems.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

Hi,

As far as I can see, the people on the list have provided you with a
lot of very useful suggestions on what could cause the problem. As I
said earlier (let me clarify), and to help you narrow things a little
bit - it's probably due to the RADIUS response timing out, hence the
NAS complains the server is dead and later, when it finally responds, it
marks it as alive again. The reasons can be different depending on
your setup - slow network, database, custom module (like rlm_perl/python
etc.) or, as I suggested (from my personal experiences),
improperly configured concurrence settings of FR itself. See which
component of your setup is causing the slow responses (it can be the
backend, or a messed up FR configuration) and fix it. Just for
completeness, check your NAS's manuals - most have these settings
configurable - response timeouts, retransmits, marking the server as
dead etc. - but playing with the NAS, while possibly useful, is probably
not the main issue in your setup - check what is slowing things down.

On 27.04.2009, at 15:41, A.L.M.Buxey at lboro.ac.uk wrote:

> Hi,
>> Same box.
>
> and you do live accounting database insertions?  This sounds
> to me very much like the classic 'tables have now grown just too
> big' - everything works fine then barfs one day. the
> request isnt getting serviced in time therefore its marking
> as dead..check your query times...remove wrong/unused indexes
> or move to 'out of band' accounting inserts - very easy with 2.1.x
>
> alan
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



------------------------------

Message: 5
Date: Mon, 27 Apr 2009 16:50:14 +0000
From: "David N'DAKPAZE" <lndakpaze at gmail.com>
Subject: freeradius with active directory
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<16ad49990904270950v1fb0855bnff32138292a50585 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

hello,
I am configuring freeradius for authentication with active directory. I've
used http://deployingradius.com/documents/configuration/active_directory
but freeradius rejects all the requests because of no known password. This is
what I have when I make a request:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 51084, id=198, length=61
        User-Name = "azerty"
        User-Password = "uiop"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "azerty", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [azerty/uiop] (from client localhost port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> azerty
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 198 to 127.0.0.1 port 51084
Waking up in 4.9 seconds.
Cleaning up request 0 ID 198 with timestamp +27

Thanks for your help

------------------------------

Message: 6
Date: Mon, 27 Apr 2009 11:00:27 -0600
From: Guy Fraser <guy at incentre.net>
Subject: Re: radpostauth sql logging of bad passwords
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <DB980911-CE6D-478D-99CB-0200CA28D95C at incentre.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

I am obviously missing something.

I tried commenting out that section and it did not work. I then changed
it to:

post-auth {
	reply_log
	sql
	sql_log
	exec
	Post-Auth-Type REJECT {
		sql_log
	}
}

Could someone toss me a bone or tell me what document I need to read?

On 2009-Apr-17, at 11:12, Alan DeKok wrote:

> Guy Fraser wrote:
>> I thought this would be enough to make it log failed  
>> authentications :
>
>  Yes.  But to flat-text files, not to SQL.
>
>> post-auth {
>>    reply_log
>>    sql
>>    sql_log
>
>  This says "log to SQL on success".
>
>>    exec
>>    Post-Auth-Type REJECT {
>>        attr_filter.access_reject
>
>  You could put SQL logging here, too.
>
>> The configuration has changed significantly since I last  
>> contributed to
>> this project.
>
>  The main changes are moving text from one file to another.  e.g. the
> large chunks of "authorize", etc. in radiusd.conf have moved to  
> separate
> files.
>
>  But the main configuration is still pretty much the same.  Older
> configuration files can be used *almost* unchanged.
>
>  Alan DeKok.

-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787



------------------------------

Message: 7
Date: Mon, 27 Apr 2009 20:12:28 +0300
From: bastardinho69 <bastardinho69 at gmail.com>
Subject: Re: freeradius with active directory
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <49F5E77C.5030809 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

David N'DAKPAZE wrote:
> hello,
> I am configuring freeradius for authentication with active 
> directory.I've used 
> http://deployingradius.com/documents/configuration/active_directory 
>  but freeradius reject all the requests because of no known 
> password.It what i have when i make a request:
>  
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 51084, 
> id=198, length=61
>         User-Name = "azerty"
>         User-Password = "uiop"
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [suffix] No '@' in User-Name = "azerty", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  
> Authentication may fail because of this.
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the 
> request: Rejecting the user
> Failed to authenticate the user.
> Login incorrect: [azerty/uiop] (from client localhost port 0)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> azerty
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 198 to 127.0.0.1 port 51084
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 198 with timestamp +27
>  
> Thanks for your help
> ------------------------------------------------------------------------
>
As far as I know, you should use mschap to authenticate against AD ;)


------------------------------

Message: 8
Date: Mon, 27 Apr 2009 19:27:15 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: radpostauth sql logging of bad passwords
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <49F5EAF3.9080402 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Guy Fraser wrote:
> I am obviously missing something.
> 
> I tried commenting out that section and it did not work I then changed
> it to :

  So... what happens?

  Alan DeKok.


------------------------------



End of Freeradius-Users Digest, Vol 48, Issue 114
*************************************************
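
What the vendor's details in the message at the top (vendor code, attribute numbers 1 and 2, decimal format) look like on the wire, as an added example that is not part of the original thread: it encodes and strictly decodes a Vendor-Specific attribute (RADIUS type 26, RFC 2865 section 5.26). The vendor id 99999, the bandwidth values and the function names are placeholders, and the vendor is assumed to use the RFC's recommended type/length/value sub-attribute layout.

```python
import struct

VENDOR_SPECIFIC = 26        # RADIUS attribute type for VSAs (RFC 2865, 5.26)
EXAMPLE_VENDOR_ID = 99999   # placeholder: the page does not give the vendor code
UPLINK, DOWNLINK = 1, 2     # vendor-assigned attribute numbers from the message


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one integer ("decimal") sub-attribute as a Vendor-Specific attribute."""
    if not 0 <= vendor_id <= 0xFFFFFF:
        raise ValueError("vendor id must fit in 24 bits (high octet is 0)")
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must be 1..255")
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("integer values are unsigned 32-bit")
    sub = struct.pack("!BBI", vendor_type, 6, value)   # vendor type, length, value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def decode_vsa(data):
    """Strictly parse one Vendor-Specific attribute -> (vendor_id, {type: value})."""
    if len(data) < 7:
        raise ValueError("truncated attribute")
    attr_type, length, vendor_id = struct.unpack("!BBI", data[:6])
    if attr_type != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if length != len(data):
        raise ValueError("attribute length does not match the data")
    subs, pos = {}, 6
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated sub-attribute header")
        sub_type, sub_len = data[pos], data[pos + 1]
        if sub_len != 6 or pos + sub_len > length:
            raise ValueError("sub-attribute is not a 4-octet integer")
        subs[sub_type] = struct.unpack("!I", data[pos + 2:pos + 6])[0]
        pos += sub_len
    return vendor_id, subs


if __name__ == "__main__":
    # Constructed values: 512 up / 1024 down, units as defined by the vendor.
    for number, bandwidth in ((UPLINK, 512), (DOWNLINK, 1024)):
        wire = encode_vsa(EXAMPLE_VENDOR_ID, number, bandwidth)
        print(wire.hex(), decode_vsa(wire))
```

The server's vendor dictionary is what maps an attribute name used in a reply to the vendor id and attribute number encoded here.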