Freeradius-Users Digest, Vol 93, Issue 78

Tzvika Gelber daragaard at gmail.com
Mon Jan 28 22:25:06 CET 2013


My version of 2.1.10 was the one I got when I did the ever so popular sudo
apt-get install freeradius, so I guess I need for my distro to get the
update in the source files - that's ok as my Freeradius is not connected to
the internet.

Thank you all for the response.


On Mon, Jan 28, 2013 at 11:40 AM, <freeradius-users-request at lists.freeradius.org> wrote:

>
> Today's Topics:
>
>    1. move /etc/raddb/users file to mysql (Stefan König)
>    2. Re: dialup.conf custom attributes failure in freeradius 2.2
>       (A.L.M.Buxey at lboro.ac.uk)
>    3. Re: upgrading freeradius (Mathieu Simon)
>    4. Re: Help Needed !!! FreeRADIUS Integration with MS AD (Pradyumna)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 28 Jan 2013 09:25:00 +0100
> From: Stefan König <montiburns at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: move /etc/raddb/users file to mysql
> Message-ID: <510635DC.2080103 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello List,
>
> I inherited an old freeradius 1.1.8 system which is configured to use a
> mysql DB.
> So far so good, but now I discovered, that someone also created a
> /etc/raddb/users file with some DEFAULT information in it.
> The funny thing is, that I have also some DEFAULT information in my DB
> in radgroupreply, which is where I think the data from the "users" file
> belongs.
> As far as I see in our config, the flat files have precedence over SQL.
>
> I am not very deep into freeradius, so I have some questions which I
> hope someone can answer:
>
> 1) Does the data from the "users" file go into radgroupreply table?
> 2) I have a DEFAULT groupname in the DB and in the flat file, will I
> have to rename the flat file DEFAULT groupname to something else to
> avoid problems?
> 3) "op" needs to be "=~" and ":=" for the first two settings and "==" for
> all the following?
>
> For your reference here is the anonymized content of my users file:
>
> DEFAULT User-Name =~"@example\.net$",
>         Auth-Type := "Accept"
>         Context-Name == local,
>         Tunnel-Domain == 1,
>         Tunnel-Type == L2TP,
>         Tunnel-Medium-Type == IP,
>         Tunnel-Client-Endpoint == xxx.xxx.xxx.xxx,
>         Tunnel-Server-Endpoint == yyy.xxx.xxx.xxx,
>         Tunnel-Password == password,
>         Tunnel-Assignment-Id == zzz.xxx.xxx.xxx,
>         Tunnel-Function == 1,
>         Tunnel-Local-Name == EXAMPLE.NET
>
>
> Thanks for any help or hints!
>
>
> regards
> Stefan
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 28 Jan 2013 09:03:32 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: dialup.conf custom attributes failure in freeradius 2.2
> Message-ID: <20130128090332.GF28146 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> >    Hi, I need some help with inserting custom attributes to MySQL server. It
> >    seems that version 2.2 broke it, at least on my server... When I revert
> >    back to 2.1 it immediately starts to work with same config files.
> >    Below are config files and traces for both versions.
>
>
> >    Any idea?
>
> yes, you don't seem to have 3GPP-IMSI in your dictionary file. thus the string
> expansion fails as per
>
>
> >    [sql] WARNING: Unknown module "3GPP-IMSI" in string expansion "%',
>
>
> that's my first guess anyway! ;-)
>
> alan
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 28 Jan 2013 10:12:21 +0100
> From: Mathieu Simon <mathieu.sim at gmail.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: upgrading freeradius
> Message-ID: <510640F5.6000009 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Am 27.01.2013 21:52, schrieb A.L.M.Buxey at lboro.ac.uk:
> > Hi,
> >
> >> 2.1.10 is the version delivered by your distribution - and contains
> >> backported security bugfixes released until 2.2.0. In terms of security,
> >> your version is fine.
> > why? why do that? why not simply release 2.2.0 - you are CONFUSING your users
> > and CONFUSING those people who support them.
> >
> > if it says 2.1.10 then one can only ASSUME that it's 2.1.10
> Yes, somewhat true, but that's how a couple of distributions consider
> 'stable' releases:
> Stick with a version of a software and backport (bug and) security
> updates to this version.
> (and only update the version of a package at new distro release)
>
> Enterprise distributions or commercial unix often do much heavier
> backporting than what Debian/Ubuntu do, just to deliver the very same
> version during the period of time the package is bundled with a release
> of their distro/software.
>
> You have to weigh the advantages vs. disadvantages like breaking
> support from your distributor, in this case Canonical. But I agree that
> asking on this list is likely to yield the answer "upgrade first" in case
> of problems.
>
> A Ubuntu PPA can be a very good thing - but you have to trust a third
> party. That said, I really like PPAs when the packagers do good work and
> care about updating the packages - thanks Fajar for maintaining this
> repository!
>
> -- Mathieu
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 28 Jan 2013 15:10:14 +0530
> From: Pradyumna <neomatrixgem at gmail.com>
> To: "A.L.M.Buxey at lboro.ac.uk" <A.L.M.Buxey at lboro.ac.uk>
> Cc: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Help Needed !!! FreeRADIUS Integration with MS AD
> Message-ID: <E751B5FB-B309-402E-8C4E-6D77FE3958AB at gmail.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> I am not able to see my authorization happening because I don't see the
> value-attr or reply message. Please help. Logs attached.
> rad_recv: Access-Request packet from host 192.168.0.2 port 39662, id=92,
> length=62
>         User-Name = "radiustest"
>         User-Password = "password at 123"
>         NAS-IP-Address = 192.168.0.2
>         NAS-Port = 1812
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand:
> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
> /var/log/radius/radacct/192.168.0.2/auth-detail-20130128
> [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.0.2/auth-detail-20130128
> [auth_log]      expand: %t -> Mon Jan 28 10:12:16 2013
> ++[auth_log] returns ok
> [ldap] performing user authorization for radiustest
> [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
> for details
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} -> radiustest
> [ldap]  expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) ->
> (&(sAMAccountName=radiustest))
> [ldap]  expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in cn=users,dc=example,dc=com, with filter
> (&(sAMAccountName=radiustest))
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> [ldap] Setting Auth-Type = ldap
> [ldap] user radiustest authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "radiustest", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [ldap] performing user authorization for radiustest
> [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
> for details
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} -> radiustest
> [ldap]  expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) ->
> (&(sAMAccountName=radiustest))
> [ldap]  expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in cn=users,dc=example,dc=com, with filter
> (&(sAMAccountName=radiustest))
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> [ldap] user radiustest authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
>  Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = ldap
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group LDAP {...}
> [ldap] login attempt by "radiustest" with password "password at 123"
> [ldap] user DN: CN=radiustest,CN=Users,DC=example,DC=com
>   [ldap] (re)connect to 192.168.0.3:389, authentication 1
>   [ldap] bind as CN=radiustest,CN=Users,DC=example,DC=com/password at 123 to
> 192.168.0.3:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
> [ldap] user radiustest authenticated succesfully
> ++[ldap] returns ok
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 92 to 192.168.0.2 port 39662
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 2 ID 92 with timestamp +88
> Ready to process requests.
>
> Regards,
> /Neo
> Sent from my iPhone
>
> On 25-Jan-2013, at 3:32 AM, A.L.M.Buxey at lboro.ac.uk wrote:
>
> > Hi,
> >
> >>   Do you mean the below in the "users" file?
> >>
> >>   cisco Auth-Type := LDAP
> >>
> >>   Service-Type = Administrative-User,
> >>   cisco-avpair = "shell:priv-lvl=15"
> >
> > no.
> >
> > cisco Auth-Type := LDAP
> >    Service-Type = Administrative-User,
> >    cisco-avpair = "shell:priv-lvl=15"
> >
> >
> > (see all the examples in the users file)
> >
> > alan
>
> ------------------------------
>



-- 
____
Sometimes you just glow in the dark...
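A simplified reader for the users-file entry layout, added here as an illustration and not FreeRADIUS's own parser: it splits an entry into the name and check items on the first line and the reply items on the indented lines that follow, and reports a comparison operator such as == used on a reply item (comparison operators are documented for check items only), which bears on Stefan's third question in message 1 and on the layout Alan corrects in message 4. The two sample entries are constructed from those messages; skipping blank lines and not modelling a trailing comma on the first line are assumptions of this reader.

```python
import re

# Added illustration, not FreeRADIUS code. Model of the users file: the first
# line carries the entry name plus comma-separated check items; each following
# whitespace-indented line carries reply items; the entry ends at the first
# reply line without a trailing comma. Blank lines are skipped (assumption).
COMPARISON_OPS = {"==", "!=", ">", ">=", "<", "<=", "=~", "!~", "=*", "!*"}
PAIR_RE = re.compile(r"^\s*([\w.-]+)\s*(=~|!~|==|!=|:=|\+=|-=|=\*|!\*|<=|>=|<|>|=)\s*(.*?)\s*$")
PAIR_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')  # commas outside quotes

# Constructed samples: Alan's corrected entry (message 4) and a two-line variant
# of Stefan's DEFAULT entry (message 1) that uses "==" on a reply item.
CISCO_ENTRY = 'cisco Auth-Type := LDAP\n   Service-Type = Administrative-User,\n   cisco-avpair = "shell:priv-lvl=15"\n'
TUNNEL_ENTRY = 'DEFAULT User-Name =~ "@example\\.net$", Auth-Type := "Accept"\n\tTunnel-Type == L2TP\n'


def parse_pairs(text):
    """Turn one line of 'Attribute op value' pairs into (attr, op, value) tuples."""
    pairs = []
    for item in PAIR_SPLIT.split(text):
        if not item.strip():
            continue  # trailing comma leaves an empty item
        m = PAIR_RE.match(item)
        if not m:
            raise ValueError("cannot parse pair: %r" % item)
        pairs.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return pairs


def parse_entry(text):
    """Return (name, check_items, reply_items, problems) for one users-file entry."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    name, _, rest = lines[0].strip().partition(" ")
    check, reply, problems = parse_pairs(rest), [], []
    for line in lines[1:]:
        if not line[0].isspace():
            problems.append("reply line not indented: %r" % line.strip())
        reply.extend(parse_pairs(line))
        if not line.rstrip().endswith(","):
            break  # no trailing comma: the entry is complete
    for attr, op, _ in reply:
        if op in COMPARISON_OPS:
            problems.append("%s uses comparison operator %s in a reply item" % (attr, op))
    return name, check, reply, problems


if __name__ == "__main__":
    for sample in (CISCO_ENTRY, TUNNEL_ENTRY):
        print(parse_entry(sample))
```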