Freeradius-Users Digest, Vol 49, Issue 100

Marco De Magistris marco.de.magistris at ericsson.com
Fri May 22 11:37:48 CEST 2009



Hi Ivan, 
>>   4. Proxying packets from a fixed source IP address (Alan DeKok)

It is a good idea.

Thanks for your help.
The solution works fine.

Marco

-----Original Message-----
From: freeradius-users-bounces+marco.de.magistris=ericsson.com at lists.freeradius.org [mailto:freeradius-users-bounces+marco.de.magistris=ericsson.com at lists.freeradius.org] On Behalf Of freeradius-users-request at lists.freeradius.org
Sent: Thursday, 21 May 2009 18:50
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 49, Issue 100



Today's Topics:

   1. Re: Freeradius-Users Digest, Vol 49, Issue 95 (Alan DeKok)
   2. RE: Freeradius-Users Digest, Vol 49, Issue 95 (Ivan Kalik)
   3. Re: question about session resumption and reply attributes
      (Alan DeKok)
   4. Proxying packets from a fixed source IP address (Alan DeKok)
   5. Re: Rewriting User-Name in pre-proxy (William Taylor)
   6. Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
      (Just E. Mail)
   7. Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
      (A.L.M.Buxey at lboro.ac.uk)
   8. Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
      (John Dennis)
   9. Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
      (Just E. Mail)


----------------------------------------------------------------------

Message: 1
Date: Thu, 21 May 2009 15:00:51 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: Freeradius-Users Digest, Vol 49, Issue 95
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4A155083.1020604 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Marco De Magistris wrote:
> In my opinion the packet (received from Radius Client) is sent towards
> the default gateway.

  Yes.  That's how networking works.

> The following link describes the same scenario:
> 
> http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/82575.html
>
> They introduce *proxyip = 10.10.10.10* in proxy.conf.

  In 2.x, you can define the addresses that the server opens for
proxying.  See the "listen" section of radiusd.conf.  That may help.

  Alan DeKok.


------------------------------

Message: 2
Date: Thu, 21 May 2009 14:27:51 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: RE: Freeradius-Users Digest, Vol 49, Issue 95
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<17832.194.176.105.43.1242912471.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

> 3. RE: Freeradius-Users Digest, Vol 49, Issue 93 (Ivan Kalik)
>
> ____________________________________________________________________________
>
>> Radius Client    -->  Radius Proxy
>
>> 192.168.1.2      192.168.1.3  192.168.14.3  --> IPS1(192.168.14.4)
>
>>                               192.168.24.3  --> IPS2(192.168.24.4)
>
> ____________________________________________________________________________
>
> You say:
>
>>>Yes. Proxy server will change NAS-IP-Address from the original NAS
>>> >>address into its own. That is OK.
>
>
>
> It does not work. In my scenario I have two different NAS-IP-Address (a
> NAS-IP-Address for ISP1 and a NAS-IP-Address for ISP2).
>

That's because that can't work:

  # Note: "type = proxy" lets you control the source IP used for
  # proxying packets, with some limitations:
  #
  # * Only ONE proxy listener can be defined.
  # * A proxy listener CANNOT be used in a virtual server section.
  # * You should probably set "port = 0".
  # * Any "clients" configuration will be ignored.

You can't define two IPs on which to proxy. You need two proxy servers for
that:

proxy1 gets requests from NAS -> if it's for isp1 proxy to 192.168.14.4
from 192.168.14.3

if it's for isp2, proxy to proxy2 (also from 192.168.14.3)

proxy2 will have 192.168.24.3 configured as proxy port and proxy to
192.168.24.4 (isp2)

You can even have proxy1 and proxy2 on the same machine, one listening on
1812+ ports and other on 1645+ ports. They just can't be the same radiusd
process.

Ivan Kalik
Kalik Informatika ISP



------------------------------

Message: 3
Date: Thu, 21 May 2009 16:05:39 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: question about session resumption and reply attributes
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4A155FB3.7010700 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Arran Cudbard-Bell wrote:
> Yes, so have it tell the outer server... Insert the (attached) snippet
> into the authorize section of the inner server.

$ git format-patch

  ?

> I believe the User-Name attribute in outer.reply is cached, and
> available for use on session resumption. 

  Yes.


> Once you've got the policies moved to post-auth, then any scripts or
> lookups used for authorisation will only be run once, so far greater
> efficiency with complex policies. Rejects are still handled properly
> even within the Post-Auth section (jumps to Post-Auth-Type reject).

  Documentation suggestions are always welcome.

  Alan DeKok.


------------------------------

Message: 4
Date: Thu, 21 May 2009 17:02:35 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Proxying packets from a fixed source IP address
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4A156D0B.8010403 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Ivan Kalik wrote:
> That's because that can't work:
> 
>   # Note: "type = proxy" lets you control the source IP used for
>   # proxying packets, with some limitations:
>   #
>   # * Only ONE proxy listener can be defined.

  That's actually wrong.  It was true a while ago, but it's not true in
2.1.6.

  However... defining two proxy listeners won't do what he wants in 2.1.6.

  I've committed a patch to git head.  See
http://git.freeradius.org/pre/ for a snapshot of 2.1.7-pre that includes
the fixes.  See raddb/proxy.conf, and look for "src_ipaddr".

  Alan DeKok.
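
A sketch of the proxy.conf layout this message points to, using the addresses from the diagram quoted in Message 2 (added example, not taken from the list or from the FreeRADIUS distribution). The realm names, ports and secrets are placeholders, and `src_ipaddr` needs the 2.1.7-pre snapshot or later, as stated above.

```conf
# raddb/proxy.conf (assumed layout, values marked PLACEHOLDER are invented)
# A home server normally identifies its clients by source IP address and
# shared secret, so each upstream must see the address it has on file.

home_server isp1 {
	type       = auth
	ipaddr     = 192.168.14.4      # ISP1, from the diagram
	port       = 1812              # PLACEHOLDER
	secret     = CHANGE_ME_ISP1    # PLACEHOLDER
	src_ipaddr = 192.168.14.3      # local address used towards ISP1
}

home_server isp2 {
	type       = auth
	ipaddr     = 192.168.24.4      # ISP2, from the diagram
	port       = 1812              # PLACEHOLDER
	secret     = CHANGE_ME_ISP2    # PLACEHOLDER
	src_ipaddr = 192.168.24.3      # local address used towards ISP2
}

home_server_pool isp1_pool {
	type        = fail-over
	home_server = isp1
}

home_server_pool isp2_pool {
	type        = fail-over
	home_server = isp2
}

# PLACEHOLDER realm names: route each realm to its own upstream.
realm isp1.example {
	auth_pool = isp1_pool
}

realm isp2.example {
	auth_pool = isp2_pool
}
```

A packet capture on each outbound interface confirms that requests for each realm leave from the matching local address.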


------------------------------

Message: 5
Date: Thu, 21 May 2009 08:37:41 -0700
From: William Taylor <williamt at corp.sonic.net>
Subject: Re: Rewriting User-Name in pre-proxy
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <F5737B03-7986-4D26-994E-A4AA0875A7E8 at corp.sonic.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes


On May 18, 2009, at 11:16 AM, William Taylor wrote:

> I'm currently using freeradius 2.1.4
> I need to lookup a username in a dbm and rewrite it before sending  
> off the proxy request.
> I have achieved this by using the below method. But I was wondering  
> if there was a better way.
> It would seem that invoking perl with every auth request might be bad.
>
> Thanks in advance!
>
> -William
>
>
> In: /etc/raddb/dictionary
>
> 	ATTRIBUTE My-Local-String 3000 string
>
> In: sites-available/default
>
> 	pre-proxy {
>        	rewrite
> 	        update proxy-request {
>        	        User-Name := "%{proxy-request:My-Local-String}"
> 	        }
> 	}
>
> In: /etc/raddb/modules/rewrite
>
> 	exec rewrite {
> 		wait = yes
> 		program = "/etc/raddb/rewriteusername.pl %{User-Name} %{Stripped-User-Name} %{Realm}"
> 		input_pairs = proxy-request
> 		output_pairs = proxy-request
> 		shell_escape = yes
> 	}
>
> In: /etc/raddb/rewriteusername.pl
>
> #!/usr/bin/perl
> use strict;
> use DB_File;
>
> my %h;
> tie %h, "DB_File", "/etc/raddb/rewritemap.db", O_RDONLY, 0444, $DB_HASH
>               or die "Cannot open file rewritemap.db: $!\n";
>
> my $fuser  = $ARGV[0];
> my $suser = $ARGV[1];
> my $realm = $ARGV[2];
>
> if($realm eq "foobee.net") {
>
>    if($h{$suser}) {
>        print "My-Local-String=" . $h{$suser};
>    } else {
>        print "My-Local-String=$suser";
>    }
>
> } else {
>    print "My-Local-String=$suser";
> }
>
> exit 0;
>


Anyone doing something similar?



------------------------------

Message: 6
Date: Thu, 21 May 2009 10:13:36 -0600
From: "Just E. Mail" <justemail at imwell-usa.com>
Subject: Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4A157DB0.7090103 at imwell-usa.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

John Dennis wrote:
> Just E. Mail wrote:
>   
>> I am trying to install freeRADIUS on a CentOS 5.3 machine with
>> PostgreSQL-8.3.7. My plan is to first install freeRADIUS and test it
>> then setup PostgreSQL as the backend to store data.
>>
>> Is there any freeRADIUS RPMS V#2.1.4 or newer for CentOS?
>>     
>
> No, the version in RHEL and CentOS is 1.1.3. The following link explains
> why and also explains how to acquire and build a current FreeRADIUS RPM
> for RHEL/CentOS (but read the rest of this email, pre-built versions are
> coming).
>
> http://wiki.freeradius.org/Red_Hat_FAQ
>   
I read the response from John Dennis and looked at the web site URL he 
provided. I am ready to install FR and I have one more question!

In my setup, I plan to (1) Install FR and test it and if everything 
works, then (2) setup PostgreSQL backend at a SQL server and test it 
again. I noticed that at the URL listed by John Dennis, there are two files;

freradius-2.2.1.6-1.el5.i386.rpm
freradius-postgresql-2.2.1.6-1.el5.i386.rpm

I am pretty new to FR so please advise; do I need to install both of 
these RPMs or just the second for my setup to work?


------------------------------

Message: 7
Date: Thu, 21 May 2009 17:16:52 +0100
From: A.L.M.Buxey at lboro.ac.uk
Subject: Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20090521161652.GB10004 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii

Hi,

> freradius-2.2.1.6-1.el5.i386.rpm
> freradius-postgresql-2.2.1.6-1.el5.i386.rpm
>
> I am pretty new to FR so please advise; do I need to install both of
> these RPMs or just the second for my setup to work?

both. the second one adds the postgres support.

alan


------------------------------

Message: 8
Date: Thu, 21 May 2009 12:29:02 -0400
From: John Dennis <jdennis at redhat.com>
Subject: Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4A15814E.2040908 at redhat.com>
Content-Type: text/plain; charset=us-ascii

Just E. Mail wrote:
> John Dennis wrote:
>>
>> http://wiki.freeradius.org/Red_Hat_FAQ
>>   
> I read the response from John Dennis and looked at the web site URL he
> provided. I am ready to install FR and I have one more question!
> 
> In my setup, I plan to (1) Install FR and test it and if everything
> works, then (2) setup PostgreSQL backend at a SQL server and test it
> again. I noticed that at the URL listed by John Dennis, there are two
> files;
> 
> freradius-2.2.1.6-1.el5.i386.rpm
> freradius-postgresql-2.2.1.6-1.el5.i386.rpm
> 
> I am pretty new to FR so please advise; do I need to install both of
> these RPMs or just the second for my setup to work?

Did you read the FAQ listed at the top? The section "Why are there
optional subpackages instead of just one package?" should have explained
it, was it not clear? If so I'll update it to make it clearer if you
explain what was not clear.

-- 
John Dennis <jdennis at redhat.com>



------------------------------

Message: 9
Date: Thu, 21 May 2009 10:50:06 -0600
From: "Just E. Mail" <justemail at imwell-usa.com>
Subject: Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4A15863E.6080705 at imwell-usa.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

John Dennis wrote:
> Did you read the FAQ listed at the top? The section "Why are there
> optional subpackages instead of just one package?" should have explained
> it, was it not clear? If so I'll update it to make it clearer if you
> explain what was not clear.
>   

Yes, I read it and read it again after receiving the above email. Missed 
it both times. Thanks for your HELP.

Jennifer


------------------------------



End of Freeradius-Users Digest, Vol 49, Issue 100
*************************************************



