Freeradius-Users Digest, Vol 49, Issue 89
Marco De Magistris
marco.de.magistris at ericsson.com
Wed May 20 13:08:55 CEST 2009
Hi Ivan,
> 4. RE: Freeradius-Users Digest, Vol 49, Issue 87 (Ivan Kalik)
>And how will you know to which ISP does the user belong to? Normally they
>enter names like user at ISP1 and user at ISP2. That way you know to which home
>server to proxy to.
The ISP is identified using @ISP1 in the User-Name attribute.
The problem is the following:
The customers ask me if it is possible to send them the packets from a defined interface.
My Radius proxy listens on an IP address (i.e. 192.168.1.3) for authentication packets and forwards them towards two different networks (i.e. 192.168.14.4 (Customer1) and 192.168.24.4 (Customer2)).
Thanks
Marco
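Marco asks how to make the proxy send each customer's packets out of a defined interface. As an added example that is not from this thread, FreeRADIUS 2.x proxy.conf lets each home_server set src_ipaddr, the source address the proxy binds when forwarding to that server; the addresses 192.168.14.3 and 192.168.24.3 are assumed to be the proxy's own addresses on the VLAN1 and VLAN2 interfaces, and the secrets are placeholders.

```conf
# proxy.conf fragment, FreeRADIUS 2.x syntax (added example, not from the thread).
# Requests for user@ISP1 leave via the VLAN1 address, user@ISP2 via VLAN2.

home_server isp1 {
        type       = auth
        ipaddr     = 192.168.14.4      # Customer1 RADIUS server (from the thread)
        port       = 1812
        secret     = CHANGEME_ISP1     # placeholder; use a distinct secret per home server
        src_ipaddr = 192.168.14.3      # assumed: the proxy's own address on the VLAN1 interface
}

home_server isp2 {
        type       = auth
        ipaddr     = 192.168.24.4      # Customer2 RADIUS server (from the thread)
        port       = 1812
        secret     = CHANGEME_ISP2     # placeholder
        src_ipaddr = 192.168.24.3      # assumed: the proxy's own address on the VLAN2 interface
}

home_server_pool isp1_pool {
        type        = fail-over
        home_server = isp1
}

home_server_pool isp2_pool {
        type        = fail-over
        home_server = isp2
}

# Realm names must match the suffix the suffix module splits off after '@'.
realm ISP1 {
        auth_pool = isp1_pool
}

realm ISP2 {
        auth_pool = isp2_pool
}
```

The suffix module must run in the authorize section so the realm is split from User-Name, and each src_ipaddr must already be configured on the proxy host's interface in that VLAN or the bind fails.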
-----Original Message-----
From: freeradius-users-bounces+marco.de.magistris=ericsson.com at lists.freeradius.org [mailto:freeradius-users-bounces+marco.de.magistris=ericsson.com at lists.freeradius.org] On Behalf Of freeradius-users-request at lists.freeradius.org
Sent: Wednesday 20 May 2009 12.00
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 49, Issue 89
Today's Topics:
1. Re: Dynamic clients and NAS-Identifier (Alan DeKok)
2. Re: question about windows users (Ivan Kalik)
3. Re: Is it possible to share bandwidth or maximum downloaded bytes (Ivan Kalik)
4. RE: Freeradius-Users Digest, Vol 49, Issue 87 (Ivan Kalik)
5. Freeradius LDAP weird login issue (cktan)
6. RE: Dynamic clients and NAS-Identifier (Santiago Balaguer García)
7. Re: Dynamic clients and NAS-Identifier (Ivan Kalik)
----------------------------------------------------------------------
Message: 1
Date: Wed, 20 May 2009 11:04:52 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: Dynamic clients and NAS-Identifier
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4A13C7B4.2070803 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Johan Meiring wrote:
> I realise I've asked for this before, and it is on your todo list, but
> I'd like to make a case again for maybe getting it moved up higher onto
> the list.
My "to do" list right now is:
- consulting work (my *only* source of income is FreeRADIUS)
- 3 IETF documents that I'm author / co-author
- White paper for a linux conference
> The current "clients" structure identify the NAS's by ip address.
> While this is perfect for corporate environments, it is not so perfect
> for the hotspot environment in which we operate.
RADIUS was never designed to work that way. It's insecure.
One of the documents I'm writing involves leveraging SSL to allow that
capability. But implementations are a long ways out.
> We need to somehow authenticate the nas, so someone can not send "rough"
> accounting info to radius.
You could always write a simple RADIUS proxy that did those checks.
It likely could be done in ~200-300 lines of Perl.
> I'm sure that I'm not the only one that have NAS's behind dynamic IPs,
> and this would make radius traffic from such NAS's much more secure.
Maybe...
Alan DeKok.
------------------------------
Message: 2
Date: Wed, 20 May 2009 10:38:45 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: Re: question about windows users
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Message-ID:
<30072.194.176.105.43.1242812325.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
> could you give me good freeradius guide for dummies - I think I need it :)
>
Guide: don't make any changes to the default configuration unless you know
what you are doing. That's it.
Server is configured by default to handle EAP-TLS. There is nothing that
you need to do to make it happen.
Now, about your problem: freeradius uses the fake realm example.com for
examples of proxying, fail-over home servers, use of virtual servers etc.
Why are *you* using it as well? These examples are not what you want to
do.
Use your own domain. For EAP-TLS - no modification needed. I have seen you
going on about PEAP as well. If those users are also using format
user at your_domain, then create local realm your_domain - it won't interfere
with EAP-TLS and will create Stripped-User-Name that can be used for
authentication.
Ivan Kalik
Kalik Informatika ISP
------------------------------
Message: 3
Date: Wed, 20 May 2009 10:43:21 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: Re: Is it possible to share bandwidth or maximum downloaded bytes
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Message-ID:
<10246.194.176.105.43.1242812601.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
> I have 3 users and I want to give them 1Mbps/256Kbps bandwidth. They must
> not have this bandwidth individually but must share it. Is it possible to
> do this with freeRADIUS? If so, can you help me with what I have to do.
No, radius can't do that. But you can fix their IPs or make them a small
pool and then limit that IP range as a bundle on your router.
Ivan Kalik
Kalik Informatika ISP
------------------------------
Message: 4
Date: Wed, 20 May 2009 10:47:08 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: RE: Freeradius-Users Digest, Vol 49, Issue 87
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Message-ID:
<47671.194.176.105.43.1242812828.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
> Hi Alan,
>
>> 1. Radius Client sends packets towards Radius Proxy (from 192.168.1.2
>> to 192.168.1.3)
>> 2. Radius proxy listens on 192.168.1.3 for authentication packets and
>> forwards them towards two different networks (192.168.14.4 and
>> 192.168.24.4)
>
> 192.168.14.4 and 192.168.24.4 are 2 different Radius Servers.
> 192.168.14.4: Radius Server for ISP 1.
> 192.168.24.4: Radius Server for ISP 2.
>
> I need to send the packets towards ISP1 using VLAN1 and towards ISP2 using
> VLAN2.
>
And how will you know to which ISP does the user belong to? Normally they
enter names like user at ISP1 and user at ISP2. That way you know to which home
server to proxy to.
Ivan Kalik
Kalik Informatika ISP
------------------------------
Message: 5
Date: Wed, 20 May 2009 17:48:52 +0800
From: cktan <cktan at ocesb.com.my>
Subject: Freeradius LDAP weird login issue
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4A13D204.1080706 at ocesb.com.my>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
Hi all,
I'm using freeradius+LDAP for the PPPoE dialup access control for a
while. Lately I noticed there is a weird issue whereby a user logs in with
username "user=5C=5C=5C=5Cuser at domain" and surprisingly freeradius
allows it to log in although the actual username should be "user at domain".
I've run radius in -X mode and captured the log for your reference
below. In radiusd -X, we noticed the server received an Access-Request with
username "user=5C=5C=5C=5Cuser at domain", but when it reaches radius_xlat
the uid becomes "user" only, and when it queries my LDAP the account
for "user" is available and it accepts the access request. The
question is why "user=5C=5C=5C=5Cuser" = "user"? We tried the username
with xC (i.e. 1C, 2C, 3C and so on...) and all are able to log in because
radius takes it as user at domain. After login, the username in radacct
becomes "user=5C=5C=5C=5Cuser at domain" instead of "user at domain". As
a consequence, a smart user may have multiple logins (by using
user=1C/2C/3C....), the records in radacct are different and therefore
we will be out of control for multiple logins with a single account. Any idea
how to fix this?
rad_recv: Access-Request packet from host 127.0.0.1:32877, id=87, length=93
User-Name = "user=5C=5C=5C=5Cuser at domain"
User-Password = "password"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rlm_ldap: performing user authorization for user=5c=5c=5c=5cuser
radius_xlat: '(uid=user)'
Regards
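A defensive check for the case cktan describes, as an added unlang example that is not from the thread: reject any User-Name that is not a plain user@realm before the realm and ldap modules run, so a name carrying backslashes (=5C is the quoted-printable encoding of a backslash) never reaches the LDAP filter, and never lands in radacct under a different spelling than the one that was looked up. The character classes and the Reply-Message text are assumptions; adjust them to the site's naming rules.

```conf
# sites-enabled/default, authorize section (FreeRADIUS 2.x unlang; added example).
authorize {
        # Accept only letters, digits, '.', '_' and '-' on both sides of a single '@'.
        # Everything else (backslashes, a second '@', '*', '(' ...) is refused here,
        # so the name written to radacct is always the same plain name the LDAP
        # filter was built from, and Simultaneous-Use counts one name per account.
        if (User-Name !~ /^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+$/) {
                update reply {
                        Reply-Message := "User-Name rejected by format check"
                }
                reject
        }

        preprocess
        suffix          # splits user@domain into Stripped-User-Name and Realm
        ldap            # the LDAP filter now only sees a name that passed the check
}
```

While testing, compare the User-Name in radacct with the uid in the radius_xlat line of radiusd -X output: after this check they are identical for every accepted request.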
------------------------------
Message: 6
Date: Wed, 20 May 2009 09:51:49 +0000
From: Santiago Balaguer García <santiagoawa at hotmail.com>
Subject: RE: Dynamic clients and NAS-Identifier
To: Lista de correo RADIUS <freeradius-users at lists.freeradius.org>
Message-ID: <BAY143-W6D91A9DFFF280017E8BD5B0580 at phx.gbl>
Content-Type: text/plain; charset="iso-8859-1"
> > I'm sure that I'm not the only one that have NAS's behind dynamic IPs,
> > and this would make radius traffic from such NAS's much more secure.
OK, if you have a dynamic public IP you have two options:
1) Use DNS to identify the dynamic IP of your hotspot. It means that your DSL router or hotspot has the capability to update its public IP every x minutes. You can use the dyndns.org service. DSL routers normally have this feature.
2) Install a VPN tunnel like PPTP/L2TP/OVPN... and route all the authentication requests for this range. For instance, you have your radius server with IP 10.200.0.11 and your NASes in the 10.200.0.x range. All the auth requests are sent through the tunnel, so all of them are valid.
I tried both methods with good results. However, the second option is better because you have another way to access your hotspots, since you know which is the hotspot IP (tunnel IP (10.200.0.x)).
Santiago
------------------------------
Message: 7
Date: Wed, 20 May 2009 10:59:19 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: Re: Dynamic clients and NAS-Identifier
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Message-ID:
<47988.194.176.105.43.1242813559.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
> The problem is that the hotspots can be anywhere. They are mostly
> behind ADSL lines. The source ip address of the radius packet is
> therefore not predictable.
>
Ahem, it's not. But subnet is. There can't be that many IP pools ADSL
providers can use. And you configure the subnet, not exact IP in
dynamic-clients. Just make one for each ADSL pool.
> The only other way I can thing of is identifying the nas by the
> NAS-Identifier.
>
Why "other"? That's a bad idea.
> To sum up.
> Currently a nas is "authenticated" by ip address/radius secret.
> I feel that being able to "authenticate" a nas by nas identifier/radius
> secret is a very good enhancement.
>
> I'm sure that I'm not the only one that have NAS's behind dynamic IPs,
> and this would make radius traffic from such NAS's much more secure.
>
No, that would be less secure. The enhancement would be to have NAS-Identifier
*on top* of Packet-Src-IP-Address. Then you could assign individual shared
secrets to each hotspot (at present the whole range has to have the same shared
secret).
Ivan Kalik
Kalik Informatika ISP
------------------------------