Use freepbx for Asterisk VOIP

Mohamad Yazdian m.programer at gmail.com
Tue Sep 6 08:12:29 CEST 2016


Hello everyone
Can I use freepbx for Asterisk VOIP accounting?




On Mon, Sep 5, 2016 at 4:31 PM, <
freeradius-users-request at lists.freeradius.org> wrote:

> Today's Topics:
>
>    1. Re: Salted SHA512 (Stefan Paetow)
>    2. Re: Salted SHA512 (Alan DeKok)
>    3. How to configure non-priveleged LDAP bind in FreeRADIUS
>       3.0.11 (Bogdan Rudas)
>    4. FreeRadius reboot needed on adding a NAS ? (Frederic Fichter)
>    5. Re: FreeRadius reboot needed on adding a NAS ? (Alan DeKok)
>    6. Re: How to configure non-priveleged LDAP bind in FreeRADIUS
>       3.0.11 (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 5 Sep 2016 10:32:46 +0000
> From: Stefan Paetow <Stefan.Paetow at jisc.ac.uk>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Salted SHA512
> Message-ID: <C4E4EB29-B07F-4065-B879-AABF94592823 at jisc.ac.uk>
> Content-Type: text/plain; charset="utf-8"
>
> > Hmm, not sure where to look. It seems both OpenVPN and StrongSwan send
> > EAP requests to FreeRADIUS, but from what I can see, EAP only supports MD5
> > and Crypt? Does that mean I should change it to PAP instead of EAP?
>
> Do StrongSwan and OpenVPN allow you to set the inner authentication method
> for EAP, i.e. EAP-TTLS/EAP-GTC or EAP-TTLS/EAP-MSCHAPv2 (outer/inner)? If
> you can, configure your EAP-TTLS or EAP method to use GTC (Generic Token
> Card), which in FreeRADIUS is set up to use PAP. Of course, if they allow
> you to set PAP as the inner, you can go straight to PAP in the inner tunnel
> :-)
>
> Stefan Paetow
> Moonshot Industry & Research Liaison Coordinator
>
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp at jabber.dev.ja.net
> skype: stefan.paetow.janet
>
> jisc.ac.uk
>
> Jisc is a registered charity (number 1149740) and a company limited by
> guarantee which is registered in England under Company No. 5747339, VAT No.
> GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
> Bristol, BS2 0JA. T 0203 697 5800.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 5 Sep 2016 09:03:23 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Salted SHA512
> Message-ID: <5980D243-97A7-4E4F-A663-C6F929540E81 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Sep 4, 2016, at 7:36 PM, Laurens Vets <laurens at daemon.be> wrote:
> > Hmm, not sure where to look. It seems both OpenVPN and StrongSwan send
> > EAP requests to FreeRADIUS, but from what I can see, EAP only supports MD5
> > and Crypt?
>
>   EAP just carries authentication data. There are multiple kinds of
> authentication types within EAP.
>
> > Does that mean I should change it to PAP instead of EAP?
>
>   You won't be able to.
>
> > The goal is to have OpenVPN and StrongSwan authenticate users with
> > FreeRADIUS and have their password encrypted in the radius database.
>
>   It may be possible.  It might not be possible.
>
>   http://deployingradius.com/documents/protocols/compatibility.html
>
>   Alan DeKok.
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 5 Sep 2016 16:24:48 +0300
> From: Bogdan Rudas <brudas at exadel.com>
> To: freeradius-users at lists.freeradius.org
> Subject: How to configure non-priveleged LDAP bind in FreeRADIUS
>         3.0.11
> Message-ID:
>         <CAO+XWgkgFXm+poBTMJzMWXro3=q=rDZUHmA3GsF1v=GcefOd2w at mail.
> gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi,
>
> I would like to configure LDAP authentication for WiFi users with OpenLDAP
> back-ends (passwords are hashed). To perform initial bind to LDAP database
> I use restricted account which can read directory tree, determine DN on
> user and most of its attributes but can't read password hashes. Then I
> expect FreeRadius to bind with DN found on previous step and user-supplied
> password. But instead of this I've got messages:
>
> Ready to process requests
> (0)   User-Name = "brudas"
> (0)   User-Password = "clearpass"
> (0)   NAS-IP-Address = 127.0.0.1
> (0)   NAS-Port = 10
> (0)   Message-Authenticator = 0x86f22bc484991235fa4335a8b959a351
> (0) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "brudas", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0)     [eap] = noop
> (0)     [files] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap:    --> (uid=brudas)
> (0) ldap: Performing search in "ou=users,dc=office,dc=local" with filter
> "(uid=brudas)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: User object found at DN "cn=Rudas
> Bogdan,ou=users,dc=office,dc=local"
> (0) ldap: Processing user attributes
> *(0) ldap: WARNING: No "known good" password added. Ensure the admin user
> has permission to read the password attribute*
> (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
> (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (0)
> rlm_ldap (ldap): Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://ldap.office.local:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (0)     [ldap] = ok
> (0) pap: WARNING: No "known good" password found for the user.  Not setting
> Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good" password
> is available
> (0)     [pap] = noop
> (0)   } # authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
> Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0)   Post-Auth-Type REJECT {
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject:    --> brudas
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0)     [attr_filter.access_reject] = updated
> (0)     [eap] = noop
> (0)     policy remove_reply_message_if_eap {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (0)       else {
> (0)         [noop] = noop
> (0)       } # else = noop
> (0)     } # policy remove_reply_message_if_eap = noop
> (0)   } # Post-Auth-Type REJECT = updated
>
> When I use admin user account (which can read password hashes) for initial
> bind, authentication test with *radtest* works well, but it is not what I
> want to do.
>
> I want to keep my OpenLDAP password policy working, this requires true LDAP
> bind attempt with credential of end-user.
>
> My final destination is EAP-TTLS with PAP inside. Please, help me to
> establish desired LDAP authorization schema. As far as I know it was
> possible in FreeRadius 2.1.x and I believe some additional configuration
> is required here.
>
> Thank you.
>
> --
> Bogdan Rudas
> Head of Minsk IT Support Department
> Exadel Inc.
> http://www.exadel.com/
> E-mail: brudas at exadel.com
> Skype ID: bogdan.rudas
>
> ------------------------------
>
> Message: 4
> Date: Mon, 05 Sep 2016 15:26:01 +0200
> From: Frederic Fichter <ffichter at mac.com>
> To: freeradius-users at lists.freeradius.org
> Subject: FreeRadius reboot needed on adding a NAS ?
> Message-ID: <20160905132601.GA5280 at bigass.home>
> Content-Type: text/plain; charset=us-ascii
>
> Hi gang,
>
> I thought - but could not remember where I've read/dreamt that - that NAS
> defined within a SQL db could be added or removed dynamically (i.e. without
> the need to stop/start FreeRADIUS) ?
>
> Doesn't look to be the case in my lab. OpenWRT NAS, FreeRADIUS 3.0.11. On
> inserting a new NAS in the NAS table (MySQL db), requests are ignored by
> FreeRADIUS (as they come from an unknown NAS). Reloading (kill -HUP) the
> FreeRADIUS process doesn't change the problem, restarting the FreeRADIUS
> process solves it.
>
> Is this by design ? Any workaround available to avoid restarting
> FreeRADIUS every time we add a NAS ?
>
> Thanks a lot for your help !
>
> Best,
>
> Fred
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 5 Sep 2016 09:27:48 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: FreeRadius reboot needed on adding a NAS ?
> Message-ID: <6C1C2F8A-6973-4D83-BB79-C5579BC2B345 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Sep 5, 2016, at 9:26 AM, Frederic Fichter <ffichter at mac.com> wrote:
> > I thought - but could not remember where I've read/dreamt that - that
> > NAS defined within a SQL db could be added or removed dynamically (i.e.
> > without the need to stop/start FreeRADIUS) ?
>
>   No FreeRADIUS documentation says that.
>
> > Doesn't look to be the case in my lab. OpenWRT NAS, FreeRADIUS 3.0.11.
> > On inserting a new NAS in the NAS table (MySQL db), requests are ignored by
> > FreeRADIUS (as they come from an unknown NAS). Reloading (kill -HUP) the
> > FreeRADIUS process doesn't change the problem, restarting the FreeRADIUS
> > process solves it.
>
>   By default, FreeRADIUS doesn't poll the SQL DB for new clients.
>
> > Is this by design ? Any workaround available to avoid restarting
> > FreeRADIUS every time we add a NAS ?
>
>   Read raddb/sites-available/dynamic-clients
>
>   Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 5 Sep 2016 09:31:08 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: Bogdan Rudas <brudas at exadel.com>, FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: How to configure non-priveleged LDAP bind in FreeRADIUS
>         3.0.11
> Message-ID: <A240E621-D12B-4B0F-93E0-1422B2991378 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Sep 5, 2016, at 9:24 AM, Bogdan Rudas via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> > I would like to configure LDAP authentication for WiFi users with OpenLDAP
> > back-ends (passwords are hashed). To perform initial bind to LDAP database
> > I use restricted account which can read directory tree, determine DN on
> > user and most of its attributes but can't read password hashes.
>
>   That may work, if you configure it correctly.
>
> > Then I
> > expect FreeRadius to bind with DN found on previous step and user-supplied
> > password.
>
>   Does the rlm_ldap module documentation say it does that?
>
> > When I use admin user account (which can read password hashes) for initial
> > bind, authentication test with *radtest* works well, but it is not what I
> > want to do.
>
>   Why not?
>
> > I want to keep my OpenLDAP password policy working, this requires true LDAP
> > bind attempt with credential of end-user.
> >
> > My final destination is EAP-TTLS with PAP inside. Please, help me to
> > establish desired LDAP authorization schema. As far as I know it was
> > possible in FreeRadius 2.1.x and I believe some additional configuration
> > is required here.
>
>   You have to force Auth-Type LDAP.
>
> authorize {
>         ...
>         pap
>         if (noop && User-Password) {
>                 update control {
>                         Auth-Type := LDAP
>                 }
>         }
> }
>
>   Do this in raddb/sites-enabled/default, and raddb/sites-enabled/inner-tunnel.
> And also add "ldap" to the "authenticate" section for both virtual servers.
>
>   Alan DeKok.
>
>
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 137, Issue 13
> *************************************************
>
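
The bind-as-user setup described in Message 6 of the quoted digest, written out in full as an added example (it is not part of the original posts and not the FreeRADIUS project's shipped configuration). It assumes the LDAP module instance is named `ldap`; the search account's DN and password are placeholders, while the server, base DN and filter are the ones visible in the debug log of Message 3.

```unlang
# raddb/mods-enabled/ldap (fragment): the restricted search account.
ldap {
	# Server and base DN as shown in the debug log of Message 3.
	server = 'ldap.office.local'
	base_dn = 'ou=users,dc=office,dc=local'

	# Placeholders: an account that can read the tree but not password hashes.
	identity = '<DN of the restricted search account>'
	password = '<password of that account>'

	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}

# raddb/sites-enabled/default AND raddb/sites-enabled/inner-tunnel
authorize {
	# Existing modules (preprocess, suffix, eap, files, ...) stay as they are.

	# Search with the restricted identity to find the user's DN. No
	# "known good" password is returned, so the WARNING in the log is expected.
	ldap

	# pap finds no "known good" password and returns noop.
	pap

	# Only a request carrying a cleartext User-Password (PAP, or PAP inside
	# EAP-TTLS) can be verified with a bind, so test for it before forcing LDAP.
	if (noop && User-Password) {
		update control {
			Auth-Type := LDAP
		}
	}
}

authenticate {
	# Existing Auth-Type entries (PAP, CHAP, MS-CHAP, eap, ...) stay as they are.

	# Binds as the DN found in authorize with the user-supplied password,
	# which is the "true LDAP bind" the poster's password policy requires.
	Auth-Type LDAP {
		ldap
	}
}
```

With this in place the RADIUS server never needs read access to password hashes; the trade-off is that only methods delivering a cleartext password to the server can authenticate.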

