How to deny access to Switch Cisco by Group

Usuário do Sistema maiconlp at ig.com.br
Fri Oct 4 01:05:00 CEST 2013


Thanks.

I have followed your tip but I'm getting the following error:

rlm_ldap::ldap_groupcmp: Group cisco not found or user is not a member.
[ldap] performing search in o=dohler, with filter
(&(cn=cisco)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames
(uniquemember=))))
 [ldap] object not found

I have created the group "cisco" in LDAP and put the user inside
it, but the logs from freeradius show that the group is not found.

Maybe there is a mismatch in the LDAP search from freeradius that I
need to fix.

Any tip about it?


Thanks

2013/10/3  <freeradius-users-request at lists.freeradius.org>:
> Send Freeradius-Users mailing list submissions to
>         freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
>         freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Re: Running RADIUS in permanent debug mode with rotating log
>       (Arran Cudbard-Bell)
>    2. Re: Wifi APs Models compatible with by username dynamic vlan
>       assignment (Arran Cudbard-Bell)
>    3. How to deny access to Switch Cisco by Group (Usuário do Sistema)
>    4. Re: How to deny access to Switch Cisco by Group (Alan DeKok)
>    5. Re: Running RADIUS in permanent debug mode with rotating log
>       (A.L.M.Buxey at lboro.ac.uk)
>    6. RE: radwho not working (Clint Petty)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 3 Oct 2013 11:04:42 +0100
> From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Running RADIUS in permanent debug mode with rotating log
> Message-ID: <414C50CC-A53F-4480-B111-14FB8A774FBC at freeradius.org>
> Content-Type: text/plain; charset=us-ascii
>
>
> On 3 Oct 2013, at 10:14, <stefan.paetow at diamond.ac.uk> wrote:
>
>>> How can we run radiusd -x > "logname" such that we have different
>>> logname for each day?
>>
>> Clement, may I suggest a cron job?
>>
>> At midnight, move the log, kill and restart the radius server with a new log in the name? Of course you run the risk of possibly killing any authentication attempts that happen at that point in time, but... that's something you need to take into account?
>
> Please don't. Use a crontab by all means but just use the main log file and enable additional debugging (-xx).
>
> As of 2.2.1 you can use the radmin control socket to reopen the log file handle without restarting the server, or sending a -HUP.
>
> It's not just the fact you'll kill any EAP auth sessions in progress, but you'll clear out any cached entries (rlm_cache),
> and where proxying is being performed upstream server state will be lost.
>
> It's also dangerous in that if someone has messed with the configurations, or overwritten the radiusd/freeradius(debian) binary
> you'll experience an unexpected migration to the new binary/config on next restart.
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 3 Oct 2013 11:08:34 +0100
> From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Wifi APs Models compatible with by username dynamic vlan
>         assignment
> Message-ID: <F7069EC1-C670-405B-9FC0-B962BE10E07A at freeradius.org>
> Content-Type: text/plain; charset=us-ascii
>
>
> On 3 Oct 2013, at 10:57, matthew pideil <matthew.pideil at teledetection.fr> wrote:
>
>> Hello,
>>
>> I want to perform dynamic VLAN assignment by username through wifi
>> access. I set up this configuration some time ago but it didn't work.
>>
>> I want to know which WiFi APs are compatible and/or what the term is to
>> search for in device specifications ...
>
>
> Look for claimed compliance with RFC3580/RFC4675 in the specifications of your
> Access-Point.
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 3 Oct 2013 09:37:57 -0300
> From: Usuário do Sistema <maiconlp at ig.com.br>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: How to deny access to Switch Cisco by Group
> Message-ID:
>         <CAMTjHrxN6PQ-7Dc8BXF8LggbeyUYY4OSVO2ThN0V3SO+vdK4Fw at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
> I have just installed FreeRADIUS Version 2.1.12. It's integrated
> with OpenLDAP and I'm able to use it that way.
> My issue is how to deny users who aren't members of any group.
> For example, I would like to authorize users to log in to my Cisco
> devices from a group in my LDAP database. If the user isn't in
> that group, FreeRADIUS must DENY it. Currently my FreeRADIUS
> allows any user from LDAP: if the user is created in LDAP, it's able to
> log in to my Cisco devices.
> How to deny access by group? If the user is a member of the group it's able
> to log in; otherwise the user is denied.
>
> thanks
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 03 Oct 2013 08:57:06 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: How to deny access to Switch Cisco by Group
> Message-ID: <524D69A2.2040302 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Usuário do Sistema wrote:
>> How to deny access by group? If the user is a member of the group it's able
>> to log in; otherwise the user is denied.
>
>   See the FAQ.  Put this at the top of the "users" file:
>
> DEFAULT LDAP-Group != "allowed", Auth-Type := Reject
>
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 3 Oct 2013 16:29:41 +0100
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Running RADIUS in permanent debug mode with rotating log
> Message-ID: <20131003152941.GA4711 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> this is the FreeRADIUS list, not a general Linux list - I'd suggest looking at some guides for
> the EXACT thing you need, eg
>
> http://www.cyberciti.biz/faq/linux-unix-formatting-dates-for-display/
>
> (and ensure your escape quotes are the right way around)
>
> alan
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 3 Oct 2013 17:10:17 +0000
> From: Clint Petty <cpetty at luthresearch.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: RE: radwho not working
> Message-ID:
>         <64d95a19c8744c0ca70e1343e2118371 at DM2PR04MB334.namprd04.prod.outlook.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Alan,
>
> Below is the results from radiusd -X (debug mode), while logging in:
>
> rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=79, length=138
>         User-Name = "test"
>         NAS-Port-Type = Virtual
>         Service-Type = Framed-User
>         NAS-Port = 53
>         NAS-Port-Id = "ios"
>         NAS-IP-Address = xx.xx.xx.79
>         Called-Station-Id = "xx.xx.xx.79[4500]"
>         Calling-Station-Id = "xx.xx.xx.150[32055]"
>         EAP-Message = 0x02000009016a646f65
>         NAS-Identifier = "strongSwan"
>         Message-Authenticator = 0x13a0846c40f521e3c009161546f6f3fb
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 0 length 9
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for test
> [ldap]  expand: (&(uid=%u)) -> (&(uid=test))
> [ldap]  expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] attempting LDAP reconnection
>   [ldap] (re)connect to xx.xx.xx.126:389, authentication 0
>   [ldap] bind as cn=Admin,dc=company,dc=com/xxxx to xx.xx.xx.126:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
>   [ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test))
> [ldap] looking for check items in directory...
>   [ldap] userPassword -> User-Password == "password"
>   [ldap] userPassword -> Password-With-Header == "password"
>   [ldap] sambaNtPassword -> NT-Password == 0x38424235443
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Config already contains "known good" password.  Ignoring Password-With-Header
> [pap] Normalizing NT-Password from hex encoding
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"               !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 79 to xx.xx.xx.79 port 40379
>         EAP-Message = 0x010100160410c73f50e02103b6473c8f5ed51995e29f
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x2310bb7d2311bf963fc3fbc63c331669
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=80, length=169
>         User-Name = "test"
>         NAS-Port-Type = Virtual
>         Service-Type = Framed-User
>         NAS-Port = 53
>         NAS-Port-Id = "ios"
>         NAS-IP-Address = xx.xx.xx.79
>         Called-Station-Id = "xx.xx.xx.79[4500]"
>         Calling-Station-Id = "xx.xx.xx.150[32055]"
>         EAP-Message = 0x020100160410958ab4a6a9b38188febc74cc0c573b96
>         NAS-Identifier = "strongSwan"
>         State = 0x2310bb7d2311bf963fc3fbc63c331669
>         Message-Authenticator = 0xdb77c116ca06726a60a2d3a224bc2e22
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 1 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for test
> [ldap]  expand: (&(uid=%u)) -> (&(uid=test))
> [ldap]  expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test))
> [ldap] looking for check items in directory...
>   [ldap] userPassword -> User-Password == "password"
>   [ldap] userPassword -> Password-With-Header == "password"
>   [ldap] sambaNtPassword -> NT-Password == 0x38424235443
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Config already contains "known good" password.  Ignoring Password-With-Header
> [pap] Normalizing NT-Password from hex encoding
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"               !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/md5
> [eap] processing type md5
> [eap] Freeing handler
> ++[eap] returns ok
> Login OK: [test] (from client localhost port 53 cli xx.xx.xx.150[32055])
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 80 to xx.xx.xx.79 port 40379
>         EAP-Message = 0x03010004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "test"
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 79 with timestamp +20
> Cleaning up request 1 ID 80 with timestamp +20
> Ready to process requests.
>
>
>
> -----Original Message-----
> From: freeradius-users-bounces+me=company.com at lists.freeradius.org [mailto:freeradius-users-bounces+me=company.com at lists.freeradius.org] On Behalf Of A.L.M.Buxey at lboro.ac.uk
> Sent: Thursday, October 03, 2013 1:32 AM
> To: FreeRadius users mailing list
> Subject: Re: radwho not working
>
> Hi,
>> I would like to display the active Radius connections.  When I run radwho I get the following results (showing nothing but the titles) even though I know I have an active connection:
>
> using the utmp/wtmp modules?  what does your FreeRADIUS debug show when
> someone logs in?
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> End of Freeradius-Users Digest, Vol 102, Issue 11
> *************************************************
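The `(member=)` and `(uniquemember=)` clauses in the quoted filter show that the user DN which rlm_ldap substitutes into its group-membership filter expanded to an empty string, so the group search can never match and `ldap_groupcmp` reports the group as not found regardless of the directory's contents. The script below is an added example, not code from the thread or from FreeRADIUS: it scans `radiusd -X` output for rlm_ldap group searches, re-joins filters that the debug output wrapped across lines, and flags any search built with an empty DN. `SAMPLE_LOG` is copied from the thread; `HEALTHY_LOG`, the DN `uid=jdoe,ou=People,o=dohler` and the regular expressions are constructed here for illustration.

```python
"""Check FreeRADIUS 2.x rlm_ldap debug output for group-membership searches
whose filter was built with an empty user DN (the "(member=)" symptom)."""
import re
from typing import Dict, List

# Debug lines as quoted in the thread: the filter wraps onto a second line,
# and the wrapped copy lost one ')' after GroupOfUniqueNames.
SAMPLE_LOG = """\
rlm_ldap::ldap_groupcmp: Group cisco not found or user is not a member.
[ldap] performing search in o=dohler, with filter
(&(cn=cisco)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames
(uniquemember=))))
 [ldap] object not found
"""

# Constructed counterpart: the same search with the user DN populated.
HEALTHY_LOG = """\
[ldap] performing search in o=dohler, with filter (&(cn=cisco)(|(&(objectClass=GroupOfNames)(member=uid=jdoe,ou=People,o=dohler))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=jdoe,ou=People,o=dohler))))
[ldap] object found
"""

SEARCH_RE = re.compile(r"\[ldap\] performing search in (.+?), with filter\s*(.*)$")
MEMBER_RE = re.compile(r"\((?:member|uniquemember)=([^)]*)\)", re.IGNORECASE)
GROUP_RE = re.compile(r"\(cn=([^)]*)\)")
NOT_FOUND_RE = re.compile(r"ldap_groupcmp: Group (\S+) not found")
# Lines that begin a new debug record; anything else following a
# "with filter" line is treated as a wrapped continuation of the filter.
TAGGED_RE = re.compile(r"^\s*(\[\w+\]|\+|#|rlm_\w+|rad_recv|Sending|Finished|Found|Login)")


def parse_group_searches(log_text: str) -> List[Dict]:
    """Return one record per rlm_ldap group search, gluing wrapped filter lines."""
    lines = log_text.splitlines()
    records = []
    i = 0
    while i < len(lines):
        m = SEARCH_RE.search(lines[i])
        i += 1
        if not m:
            continue
        base_dn, filt = m.group(1), m.group(2).strip()
        while i < len(lines) and lines[i].strip() and not TAGGED_RE.match(lines[i]):
            filt += lines[i].strip()
            i += 1
        member_values = MEMBER_RE.findall(filt)
        if not member_values:
            continue  # a user lookup such as (&(uid=test)), not a group search
        group = GROUP_RE.search(filt)
        records.append({
            "group": group.group(1) if group else None,
            "base_dn": base_dn,
            "filter": filt,
            "member_values": member_values,
            # Every member= / uniquemember= clause expanded to nothing: the DN
            # the module was supposed to substitute was not available.
            "user_dn_missing": all(v == "" for v in member_values),
        })
    return records


def diagnose(log_text: str) -> List[str]:
    """Human-readable findings for the group searches in the debug output."""
    findings = []
    for rec in parse_group_searches(log_text):
        if rec["user_dn_missing"]:
            findings.append(
                f"group '{rec['group']}' searched under {rec['base_dn']} with an empty "
                "user DN: the filter matches no member entry, so the group is always "
                "'not found'. Check that the user's DN is known to rlm_ldap before "
                "the LDAP-Group check runs."
            )
        else:
            findings.append(
                f"group '{rec['group']}' searched under {rec['base_dn']} for DN "
                f"{rec['member_values'][0]}"
            )
    for group in NOT_FOUND_RE.findall(log_text):
        findings.append(f"rlm_ldap reported group '{group}' not found or user not a member")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("-", finding)
```

Run it against a saved `radiusd -X` transcript (`diagnose(open("debug.log").read())`) whenever an `LDAP-Group` check rejects a user who is visibly in the group: an empty DN in the filter points at the order of operations in the server, not at the directory data.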