Grant Access

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Sep 14 08:50:13 CEST 2011


On 14 Sep 2011, at 03:27, 2394263740 wrote:

> Arran,
>  
> I'm using PEAP. Do you have any suggestion to grant access?

PEAP uses MSCHAPv2 as the inner method, and MSCHAPv2 requires that the client and the server both know the password, else authentication will fail.

One option is to set some static credentials for when the database is offline. But honestly that'll just cause more trouble, because A) Users won't remember what the emergency credentials were, and B) even if they do enter the new password, half of them will screw up re-entering their original password when the service returns to normal.

You could also dump the list of SQL users out into a password file and use that instead? Same syntax that I posted before, but change:

> update control {
>     Auth-Type := 'Accept'
> }

To an instance of the password module.

-Arran


>  
> Thanks!
>  
>  
> ------------------ Original ------------------
> From:  "freeradius-users"<freeradius-users-request at lists.freeradius.org>;
> Date:  Tue, Sep 13, 2011 11:59 PM
> To:  "freeradius-users"<freeradius-users at lists.freeradius.org>;
> Subject:  Freeradius-Users Digest, Vol 77, Issue 50
>  
> Today's Topics:
> 
>    1. Grant Access ( 2394263740 )
>    2. Re: Grant Access (Arran Cudbard-Bell)
>    3. Quick enable/disable user account. ( 2394263740 )
>    4. Re: Quick enable/disable user account. (Alan DeKok)
>    5. Re: Quick enable/disable user account. (Arran Cudbard-Bell)
>    6. RE: Quick enable/disable user account. (Tim Sylvester)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Tue, 13 Sep 2011 23:07:31 +0800
> From: " 2394263740 " <2394263740 at qq.com>
> Subject: Grant Access
> To: " freeradius-users " <freeradius-users at lists.freeradius.org>
> Message-ID: <tencent_1ABBB04B470455063AD97831 at qq.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Hello,
> I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1.
> OS: Linux Enterprise Server 6.1
> Radius: free radius server 2.1.11
> Database: Mysql
>   
>  When the system goes wrong, I would like to temporarily grant all access requests.
>   
>  Which means that while the service is down, any username/password will be granted access.
>   
>  Can you please advise the solution?
>   
>  Thanks!
>   
>  Tom
> 
> ------------------------------
> 
> Message: 2
> Date: Tue, 13 Sep 2011 17:16:02 +0200
> From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> Subject: Re: Grant Access
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <9285C1EC-7439-4652-8AEC-22FBAD42A485 at freeradius.org>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> 
> On 13 Sep 2011, at 17:07, 2394263740 wrote:
> 
> > Hello,
> > I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1.
> > OS: Linux Enterprise Server 6.1
> > Radius: free radius server 2.1.11
> > Database: Mysql
> >  
> > When the system goes wrong, I would like to temporarily grant all access requests.
> >  
> > Which means that while the service is down, any username/password will be granted access.
> >  
> > Can you please advise the solution?
> 
> sql
> if (fail) {
>     update control {
>         Auth-Type := 'Accept'
>     }
> }
> 
> This will not work for protocols like PEAP. But should work for PAP, and CHAP.
> 
> -Arran
> 
> Arran Cudbard-Bell
> a.cudbardb at freeradius.org
> 
> RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Tue, 13 Sep 2011 23:32:43 +0800
> From: " 2394263740 " <2394263740 at qq.com>
> Subject: Quick enable/disable user account.
> To: " freeradius-users " <freeradius-users at lists.freeradius.org>
> Message-ID: <tencent_604FCE075B879FA320DD1DCF at qq.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Hello,
> I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1.
> OS: Linux Enterprise Server 6.1
> Radius: free radius server 2.1.11
> Database: Mysql
>  
>  
>  
> Sometimes I need to disable a user account in the mysql database. And then enable it later on after some check completes.
>  
>  
>  
> Can you please advise how to toggle such status?
>  
>  
>  
> There may be multiple solutions; please advise them all, so I can choose the one that best fits the needs.
>  
>  
>  
> Thanks!
>  
>  
>  
> Tom
> 
> ------------------------------
> 
> Message: 4
> Date: Tue, 13 Sep 2011 17:39:48 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Quick enable/disable user account.
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4E6F7944.5050204 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> 2394263740 wrote:
> > Sometimes I need to disable a user account in the mysql database. And then
> > enable it later on after some check completes.
> > 
> > Can you please advise how to toggle such status?
> 
>   See the MySQL documentation for how to write to rows in MySQL.
> 
> > There may be multiple solutions; please advise them all, so I can
> > choose the one that best fits the needs.
> 
>   Try harder.
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Tue, 13 Sep 2011 17:42:54 +0200
> From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> Subject: Re: Quick enable/disable user account.
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <AF7E673D-1735-467E-B0C8-06C49AC33E87 at freeradius.org>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> No. You're treating this like paid support. Go and find out the answer for yourself, this is not a FeeRADIUS question.
> 
> -Arran
> 
> Arran Cudbard-Bell
> a.cudbardb at freeradius.org
> 
> RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Tue, 13 Sep 2011 08:59:15 -0700
> From: "Tim Sylvester" <tim.sylvester at networkradius.com>
> Subject: RE: Quick enable/disable user account.
> To: "'FreeRadius users mailing list'"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <041301cc722e$1745e360$45d1aa20$@networkradius.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> Set Auth-Type := Reject in radcheck.
> 
>  
> 
> http://deployingradius.com/documents/configuration/auth_type.html
> 
>  
> 
> Tim
> 
>  
> 
>  
> 
> 
> ------------------------------
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 
> End of Freeradius-Users Digest, Vol 77, Issue 50
> ************************************************

Arran Cudbard-Bell
a.cudbardb at freeradius.org

RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.
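
One way to build the password file suggested in the reply above, as an added example that is not part of the original post or of FreeRADIUS. It turns radcheck-style rows into `user:password` lines, leaves out accounts disabled with Auth-Type := Reject so the offline fallback does not re-enable them, and writes the file with mode 0600. The row shape, the colon-delimited layout and the function names are assumptions, and the sample rows are constructed.

```python
import os
import tempfile

# Constructed sample rows shaped like radcheck: (username, attribute, op, value)
SAMPLE_RADCHECK = [
    ("alice", "Cleartext-Password", ":=", "s3cret-A"),
    ("bob", "Cleartext-Password", ":=", "s3cret-B"),
    ("bob", "Auth-Type", ":=", "Reject"),  # account disabled in radcheck
    ("carol", "NT-Password", ":=", "00112233445566778899AABBCCDDEEFF"),
    ("dave:x", "Cleartext-Password", ":=", "s3cret-D"),  # delimiter in name
]


def build_fallback_lines(rows, attr="Cleartext-Password", delim=":"):
    """Return (lines, skipped): file lines plus a reason per omitted user."""
    disabled = {u for u, a, _op, v in rows if a == "Auth-Type" and v == "Reject"}
    secrets = {u: v for u, a, _op, v in rows if a == attr}
    lines, skipped = [], {}
    for user in sorted({row[0] for row in rows}):
        if user in disabled:
            # Keep disabled accounts disabled while the database is offline.
            skipped[user] = "disabled (Auth-Type := Reject)"
        elif user not in secrets:
            skipped[user] = "no " + attr
        elif any(c in user + secrets[user] for c in (delim, "\n", "\r")):
            # Such a value would shift or split fields when the file is parsed.
            skipped[user] = "delimiter or newline in field"
        else:
            lines.append(user + delim + secrets[user])
    return lines, skipped


def write_fallback_file(path, lines):
    """Atomically replace path; mkstemp creates the temp file with mode 0600."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.writelines(line + "\n" for line in lines)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    lines, skipped = build_fallback_lines(SAMPLE_RADCHECK)
    print(lines, skipped)
```

The `skipped` mapping is worth logging on each export: it lists every account that will not authenticate from the file while the database is down, and why.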
