SV: Freeradius-Users Digest, Vol 63, Issue 75

Saleh Abuzid Saleh.Abuzid at hist.no
Mon Jul 26 06:56:14 CEST 2010


Hello,

I'm resending this question again in the hope that someone can respond.

-----Original message-----
From: freeradius-users-bounces+saleh.abuzid=hist.no at lists.freeradius.org [mailto:freeradius-users-bounces+saleh.abuzid=hist.no at lists.freeradius.org] On behalf of freeradius-users-request at lists.freeradius.org
Sent: 20 July 2010 20:37
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 63, Issue 75


Today's Topics:

   1. proxy everyone (marco perugini)
   2. Re: Redirection to the NAS of an external CoA request (newtownz)
   3. Re: proxy everyone (Alan DeKok)
   4. Re: Redirection to the NAS of an external CoA request (Alan DeKok)
   5. Re: Acct-Interim-Interval not working (Alan DeKok)
   6. AD groups in user file for dynamic Vlans (Saleh Abuzid)


----------------------------------------------------------------------

Message: 1
Date: Tue, 20 Jul 2010 19:12:45 +0200
From: marco perugini <m.perugini at 4it.it>
Subject: proxy everyone
To: freeradius-users at lists.freeradius.org
Message-ID: <4C45D90D.2070909 at 4it.it>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

hi list!
I'm setting up my FreeRADIUS architecture with a single proxy and
multiple servers; here's my scenario:

freeradius server # 1 -> my own server [realm local.net]
freeradius server # 2 -> external server [realm ext.net]
freeradius proxy -> I know everything about the users I proxy towards my
server [# 1], but I don't know anything about the users I proxy towards the
external server [# 2]. I would proxy every_username at ext.net just to log
requests.

So this is my question for you: can I use rlm_realm to proxy an entire
realm without knowing the usernames, just to trace auth/acct requests? Or
am I completely crazy?

I hope you'll understand my question......... ;)

thanks,
duffy


------------------------------

Message: 2
Date: Tue, 20 Jul 2010 10:38:32 -0700 (PDT)
From: newtownz <jean466 at sympatico.ca>
Subject: Re: Redirection to the NAS of an external CoA request
To: freeradius-users at lists.freeradius.org
Message-ID: <29216134.post at talk.nabble.com>
Content-Type: text/plain; charset=us-ascii


Here are a few lines from my cfg files:

In radiusd.conf:

proxy_requests  = yes
$INCLUDE proxy.conf


In proxy.conf:

# (this is where I want to forward)
home_server aruba {
        type = coa
        ipaddr = xx.yy.110.148
        # CoA/Disconnect normally uses UDP 3799 (RFC 5176); this value must
        # match the port the controller's CoA listener actually uses.
        port = 1812
        src_ipaddr = xx.yy.110.128
        coa {
                # Initial retransmit interval: 1..5
                irt = 2

                # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
                mrt = 16

                # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
                mrc = 5

                # Maximum Retransmit Duration: 5..60
                mrd = 30
        }
        secret = testing123
}

home_server_pool to_aruba {
        home_server = aruba
}

### Not really sure about the validity of the last 3 lines...

And now I'm puzzled as to how to set the Home-Server-Pool
as stated in the recv-coa section of coa:

 recv-coa {
                #  CoA && Disconnect packets can be proxied in the same
                #  way as authentication or accounting packets.
                #  Just set Proxy-To-Realm, or Home-Server-Pool, and the
                #  packets will be proxied.

I tried to find the way that it is done for authentication packets
and did not succeed.

Also, I just want to know if my understanding of the whole
process of proxying the CoA is right:

The default server config file is of no use here; in the coa
file I have to state somehow that I want the request to be forwarded
to the controller, and in the proxy.conf file I have to create
this controller server so that FreeRADIUS won't complain about
an unknown IP address.

Jean
                


Alan DeKok-2 wrote:
> 
> newtownz wrote:
>> I'm trying to figure out how to send a CoA from freeRadius
>> to the NAS.  The set-up I have involves two servers and an 
>> Aruba controller.  
> 
>   i.e. proxying CoA packets through FreeRADIUS to the NAS.
> 
>   While this should work, it's not a deeply tested scenario.
> 
>>  In this test set-up the client authenticates locally on the
>> freeRadius server.  The server listen on port 3799 for a CoA request
>> that is generated from another computer, the freeRadius accepts
>> the request and sends a ACK to the generator but it does not
>> send anything to the NAS, 
> 
>   Did you configure the server to proxy the CoA request?  Look for
> "proxy" in raddb/sites-available/coa in 2.1.9.
> 
>> I tried to supply in the request a
>> NAS-IP-Address attribute and also tried with Packet-Dst-IP-Address
>> with no success. Also tried different things in CoA and Originate-CoA
>> with the same results.
> 
>   Well.. the "coa" documents exactly what you need to do.  Trying random
> *undocumented* things won't make it work.
> 
>> The goal I'm trying to reach is to supply the user-name in the
>> CoA request that will force the client to silently reconnect and
>> in the meantime I will have changed the Access-List accessible to
>> the client.
> 
>   Use a Disconnect-Request packet to make the client disconnect.
> 
>> 1: Is it possible to send a CoA request to the freeRadius server
>> and then have it relay the request to the Aruba controller?
> 
>   Yes.  This is called "proxying"
> 
>> 2: If it is possible what do I have to put in the configs file
>> and where?
> 
>   This is documented.
> 
>   Alan DeKok.




------------------------------

Message: 3
Date: Tue, 20 Jul 2010 20:01:29 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: proxy everyone
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4C45E479.8020700 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

marco perugini wrote:
> so this is my question for you: can i use rlm_realm to proxy an entire
> realm without knowing the usernames just to trace auth/acct requests? 

  Yes.  That's what realms are for.  People have been doing this with
RADIUS since 1995 or so.

  Alan DeKok.
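
  A worked proxy.conf fragment for the scenario in message 1, added here
as an illustration; it is not from the original thread or from the
FreeRADIUS distribution. The syntax is FreeRADIUS 2.x (the versions
discussed in this digest). The home server addresses, secrets, pool names
and timers are assumptions; only the realm names local.net and ext.net
come from the question.

```conf
# proxy.conf on the proxy box (FreeRADIUS 2.x syntax). Added example: names,
# addresses and secrets are assumptions, not values from the thread.

# Server #1: our own RADIUS server for local.net.
home_server local_net_1 {
	type = auth+acct
	ipaddr = 192.0.2.11              # assumed
	port = 1812
	secret = local-net-shared-secret # assumed; never reuse a NAS secret here
	response_window = 20
	zombie_period = 40
	status_check = status-server     # liveness check that relays no user credentials
}

# Server #2: the external RADIUS server for ext.net.
home_server ext_net_1 {
	type = auth+acct
	ipaddr = 198.51.100.20           # assumed
	port = 1812
	secret = ext-net-shared-secret   # assumed; agreed out of band with ext.net
	response_window = 20
	zombie_period = 40
	status_check = status-server
}

home_server_pool local_net_pool {
	type = fail-over
	home_server = local_net_1
}

home_server_pool ext_net_pool {
	type = fail-over
	home_server = ext_net_1
}

# rlm_realm matches on the suffix only: every user@local.net goes to
# server #1 and every user@ext.net to server #2, with no usernames listed.
realm local.net {
	auth_pool = local_net_pool
	acct_pool = local_net_pool
}

realm ext.net {
	auth_pool = ext_net_pool
	acct_pool = ext_net_pool
	nostrip    # forward the full User-Name; ext.net needs the realm to route internally
}

# No DEFAULT realm: a request whose suffix matches neither realm stays on
# the proxy and goes through its own authorize/authenticate sections
# instead of being forwarded to anyone.
```

  The "suffix" instance of rlm_realm, listed in the authorize and preacct
sections of the default virtual server, splits User-Name at "@" and sets
Proxy-To-Realm; nothing per-user is needed. To get the trace the question
asks for, enable pre_proxy_log in pre-proxy and post_proxy_log in
post-proxy of sites-available/default (both are rlm_detail instances
defined in modules/detail.log in 2.x), and keep attr_filter.post-proxy in
post-proxy so the external server cannot hand arbitrary reply attributes
(a VLAN assignment, say) to your NAS. One caveat on what the proxy can
see: a PAP password in a proxied Access-Request is only obscured with the
shared secret, so the proxy can recover it, whereas EAP methods such as
PEAP or TTLS carry the inner credentials end to end and the proxy sees
only the outer identity.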


------------------------------

Message: 4
Date: Tue, 20 Jul 2010 20:03:03 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: Redirection to the NAS of an external CoA request
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4C45E4D7.4010508 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

newtownz wrote:
> And now I'm puzzled as to how to set the Home-server-pool
> as stated in recv-coa section of coa:

  recv-coa {
	...
	update control {
		Home-Server-Pool := to_aruba
	}
	...
  }

> I tried to find the way that it is done for authentication packet
> and did not succeed.

  raddb/proxy.conf documents proxying for Access-Request &&
Accounting-Request packets.

> Also I just want to know if my understanding about the whole
> process of proxying the CoA is right:
> 
> The default server config file is of no use here, in the coa
> I have to state somehow that I want the request to be forwarded
> to the controller and in the proxy.conf file I have to create
> this controller-server so that freeradius won't complain about
> an unknown IP address.

  Yes.  You have to define WHERE it will be proxied.  Since RADIUS uses
shared secrets, you have to define the shared secret, too.

  Alan DeKok.
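
  The complete set of pieces that the answer above refers to, as an added
example for FreeRADIUS 2.1.x; this is not the poster's configuration and
not text from the FreeRADIUS distribution. All addresses and secrets are
assumptions, and the names aruba and to_aruba are kept from Jean's post so
the recv-coa line matches Alan's snippet.

```conf
# Added example, not from the thread: proxying CoA / Disconnect through
# FreeRADIUS 2.1.x to a NAS. Addresses, secrets and names are assumptions.

# --- radiusd.conf ---
proxy_requests = yes
$INCLUDE proxy.conf

# --- clients.conf ---
# The host that generates the CoA must be a known client, otherwise its
# packets are dropped. Give it its own secret; do not reuse the NAS secret.
client coa_generator {
	ipaddr = 192.0.2.50          # assumed address of the CoA generator
	secret = generator-secret    # assumed
}

# --- proxy.conf ---
home_server aruba {
	type = coa
	ipaddr = 192.0.2.10          # assumed controller address
	port = 3799                  # RFC 5176 default; must match the controller's CoA listener
	secret = controller-secret   # assumed; the secret configured on the controller
	coa {
		irt = 2
		mrt = 16
		mrc = 5
		mrd = 30
	}
}

home_server_pool to_aruba {
	type = fail-over
	home_server = aruba
}

# --- sites-available/coa (symlink it into sites-enabled/) ---
listen {
	type = coa
	ipaddr = *
	port = 3799
	virtual_server = coa
}

server coa {
	recv-coa {
		# Route every incoming CoA/Disconnect to the controller pool.
		# With several NASes, wrap this in an "if" on NAS-IP-Address.
		update control {
			Home-Server-Pool := to_aruba
		}
		ok
	}

	send-coa {
		ok
	}
}
```

  Send a test from the generator host with radclient, which in 2.1.x
understands the coa and disconnect commands, for example
"echo 'User-Name = bob' | radclient -x 192.0.2.5:3799 disconnect
generator-secret", where 192.0.2.5 is the assumed address of the
FreeRADIUS proxy. radiusd -X then shows the packet entering recv-coa, the
proxy to "aruba", and the ACK or NAK relayed back. The attributes that
identify the session (User-Name, Acct-Session-Id, Framed-IP-Address and
so on) are forwarded unchanged, so the controller must be able to match
them; as the answer above says, a Disconnect-Request is the packet to use
when the goal is to make the client reconnect. Each hop is authenticated
only by the MD5 Request Authenticator over its shared secret, so keep the
client entry restricted to the generator's address and use a different
secret on each hop; anyone who can reach the listener with the secret can
disconnect or re-authorize users at will.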


------------------------------

Message: 5
Date: Tue, 20 Jul 2010 20:26:55 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: Acct-Interim-Interval not working
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4C45EA6F.2000001 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Bishal wrote:
>  I am using freeradius 2.1.6 on FreeBSD 7.2 and using rp-pppoe server
> 3.10 on gentoo linux. During live session it is not updating
> Acct-Input/Output-Octets.

  Is the NAS sending packets with those fields?  What does debug mode say?

> Earlier with mpd pppoe server on freebsd it was
> working fine accounting input and output octets were updating every
> 5mins as configured in mpd server but now I have migrated my pppoe
> server to rp-pppoe and it's not updating account values.

  Well... this really sounds like an issue with rp-pppoe.

  Alan DeKok.


------------------------------

Message: 6
Date: Tue, 20 Jul 2010 20:37:09 +0200
From: "Saleh Abuzid" <Saleh.Abuzid at hist.no>
Subject: AD groups in user file for dynamic Vlans
To: <freeradius-users at lists.freeradius.org>
Message-ID:
	<0A3AB621FFABE848BCA6FB42DB2E5A13045673 at EX-VS01.ad.hist.no>
Content-Type: text/plain; charset="iso-8859-1"

Hello FreeRADIUS users,

I'm trying to get FreeRADIUS to send a VLAN ID to some group in AD (Win 2003), but it seems that RADIUS cannot pull out the info about the groups, even though the RADIUS server is joined to AD. RADIUS ignores the group and goes back to the default or preferred VLAN. I'm running the latest version of FreeRADIUS; here is my config:

 DEFAULT  Ldap-Group == XXXXXXXXX, NAS-IP-Address == "xxx.xxx.xxx.xxx"
      Service-Type = Login-User,
      Tunnel-Type = VLAN,
      Tunnel-Medium-Type = IEEE-802,
      Tunnel-Private-Group-Id = 210,
      Fall-Through = no

When I remove the Ldap-Group, then RADIUS can send a request to VLAN 210.

Just for info, I'm able to pull out the info via wbinfo -g. I wonder if we have to do something in /etc/freeradius/modules/mschap, in the last lines:

        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AD --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

Any suggestions?

Best regards

Saleh Abuzid
Gunnerus gate 1
Høgskolen i Sør-Trøndelag (HiST)
SPO-IKT
Avdelingsingeniør (department engineer)
tel: 73559672
E-mail: Saleh.Abuzid at hist.no


------------------------------



End of Freeradius-Users Digest, Vol 63, Issue 75
************************************************



