<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On 1 Sep 2011, at 15:40, 2394263740 wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Phil,</div>
<div> </div>
<div>Thanks a lot for your great help.</div>
<div> </div>
<div>I understand the scripts you wrote. But I don't know where I should put it in.</div>
<div> </div>
<div>Can you please kindly advise which file I should edit?</div>
<div> </div>
<div>/usr/local/etc/raddb/sites-available/default?</div></blockquote><div><br></div><div>Yes in the authorize section, thats why the script is encapsulated within and authorize {} stanza :)</div><div><br></div><div>-Arran</div><br><blockquote type="cite"><font class="Apple-style-span" color="#000000"><br></font>
<div><includetail>
<div> </div>
<div> </div>
<div style="COLOR: #000">
<div style="PADDING-BOTTOM: 2px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; FONT-FAMILY: Arial Narrow; FONT-SIZE: 12px; PADDING-TOP: 2px">------------------ Original ------------------</div>
<div style="PADDING-BOTTOM: 8px; PADDING-LEFT: 8px; PADDING-RIGHT: 8px; BACKGROUND: #efefef; FONT-SIZE: 12px; PADDING-TOP: 8px">
<div id="menu_sender"><b>From: </b> "freeradius-users"<<a href="mailto:freeradius-users-request@lists.freeradius.org">freeradius-users-request@lists.freeradius.org</a>>;</div>
<div><b>Date: </b> Thu, Sep 1, 2011 02:51 AM</div>
<div><b>To: </b> "freeradius-users"<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>>; <wbr></div>
<div></div>
<div><b>Subject: </b> Freeradius-Users Digest, Vol 76, Issue 108</div></div>
<div> </div>Send Freeradius-Users mailing list submissions to<br><a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br><br>To subscribe or unsubscribe via the World Wide Web, visit<br>http://lists.freeradius.org/mailman/listinfo/freeradius-users<br>or, via email, send a message with subject or body 'help' to<br>freeradius-users-request@lists.freeradius.org<br><br>You can reach the person managing the list at<br>freeradius-users-owner@lists.freeradius.org<br><br>When replying, please edit your Subject line so it is more specific<br>than "Re: Contents of Freeradius-Users digest..."<br><br><br>Today's Topics:<br><br> 1. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS<br> server (Phil Mayers)<br> 2. Re: Special WIFI Router MAC check for the user?s first<br> connection. (Phil Mayers)<br> 3. Using rlm_passwd as a substitute for hunt groups<br> (Jan.Weiss@t-systems.com)<br> 4. problem with LDAP backend (Frank Bonnet)<br> 5. Re: problem with chillispot (Alan DeKok)<br> 6. Re: problem with LDAP backend (Alan DeKok)<br> 7. Rating usage (Shreya Shah)<br> 8. Re: problem with chillispot (Goke M Aruna)<br><br><br>----------------------------------------------------------------------<br><br>Message: 1<br>Date: Wed, 31 Aug 2011 14:48:00 +0100<br>From: Phil Mayers <p.mayers@imperial.ac.uk><br>Subject: Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS<br>server<br>To: freeradius-users@lists.freeradius.org<br>Message-ID: <4E5E3B90.2020109@imperial.ac.uk><br>Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br><br>On 30/08/11 21:12, Glenn Machin wrote:<br>> Phil - thanks for the feedback.<br>><br>> I just ended up proxying out to the IAS server usernames starting with<br>> "DOMAIN\".<br><br>Ok. Obviously that will fail if enters their wireless credentials <br>without a domain.<br><br>><br>> I configured the freeradius server to not support mschapv2 but will<br>> support PEAP/GTC EAP/TLS.<br>><br>><br>> It seems to be working fine with the Macs, iPads and Linux systems while<br>> the windows systems are happy to talk to the IAS server.<br>><br>><br>> It still bugs that ntlm_auth would not authenticate to the domain<br>> controllers the challenge and nt-response.<br><br>I repeat: if you send debug info, people may be able to help.<br><br>><br>><br>> I assume no one else is having any issues using ntlm_auth to W2008<br>> servers? It may be some Windows GPO at our site for all I know.<br><br>Exactly which version of windows (2008 or 2008R2?) and at which <br>functional level is your domain?<br><br>Did you try increasing the debug level for winbind using "smbcontrol" <br>and then examining the debug logs after a failed auth?<br><br>For what it's worth, we have no problems with Windows 2008R2 domain <br>controllers and the "samba3x" package available under RHEL5 (samba <br>version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3) <br>versions after we'd upgraded to 2008R2 and upgraded functional level.<br><br><br>------------------------------<br><br>Message: 2<br>Date: Wed, 31 Aug 2011 14:55:35 +0100<br>From: Phil Mayers <p.mayers@imperial.ac.uk><br>Subject: Re: Special WIFI Router MAC check for the user?s first<br>connection.<br>To: freeradius-users@lists.freeradius.org<br>Message-ID: <4E5E3D57.2000903@imperial.ac.uk><br>Content-Type: text/plain; charset=UTF-8; format=flowed<br><br>On 31/08/11 12:38, 2394263740 wrote:<br><br>> For example, WIFI AP 26, has the MAC address MAC26. I need ensure one<br>> WIFI user, say user 58, must connect to WIFI AP 26 for the first time.<br>> After the first connection, user 58 can connect to any WIFI AP in the<br>> network.<br>> Can someone give some advice on how to do it?<br><br> 1. Create a whitelist of users who can authenticate to any AP using <br>files, rlm_passwd or ideally SQL - see the FreeRADIUS wiki<br><br> 2. If they are *not* found in the whitelist, check the <br>"Called-Station-Id" attribute, which usually contains the MAC address of <br>the AP. If your equipment uses a different attribute, check that.<br><br> 3. If the AP MAC is the correct one, add the user to the whitelist, <br>else reject<br><br>For example:<br><br>authorize {<br><br> ...<br> update control {<br> Tmp-String-0 := "%{sql:select 1 from whitelist where <br>username='%{User-Name}'}"<br> }<br> if (control:Tmp-String-0 == 1) {<br> # user is in whitelist<br> }<br> elsif (Called-Station-Id == "aa-bb-cc-dd-ee-ff") {<br> # user is connecting to the "whitelist" AP<br> update control {<br> Tmp-String-0 = "%{sql:insert into whitelist (username) values <br>('%{User-Name}')}"<br> }<br> }<br> else {<br> reject<br> }<br> ...<br><br>}<br><br><br>------------------------------<br><br>Message: 3<br>Date: Wed, 31 Aug 2011 16:11:48 +0200<br>From: Jan.Weiss@t-systems.com<br>Subject: Using rlm_passwd as a substitute for hunt groups<br>To: <freeradius-users@lists.freeradius.org><br>Message-ID:<br><3DD77603D0726248A46541D5119607CE27DFC71606@HE111524.emea1.cds.t-internal.com><br><br>Content-Type: text/plain; charset="us-ascii"<br><br>>Did you remember to actually define 'My-Device-Group' as an attribute?<br>><br>>-Arran<br>><br>>Arran Cudbard-Bell<br>>a.cudbardb@freeradius.org<br>><br>>RADIUS - Half the complexity of Diameter<br><br><br>Dictionary:<br>ATTRIBUTE My-Device-Group 3000 string<br><br><br>------------------------------<br><br>Message: 4<br>Date: Wed, 31 Aug 2011 17:02:32 +0200<br>From: Frank Bonnet <f.bonnet@esiee.fr><br>Subject: problem with LDAP backend<br>To: freeradius-users@lists.freeradius.org<br>Message-ID: <4E5E4D08.5060109@esiee.fr><br>Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br><br>Hello<br><br>Still trying to use freeradius with chillispot I still have problems<br><br>I'm trying to use mixed authentication<br><br>MAC addresses for some video devices in the "users" file<br>as follows :<br><br>00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"<br> Framed-IP-Address = 192.168.182.213,<br> Fall-Through = Yes<br><br>LDAP backend for "real" users at the end of the "users" file I have this <br>statement<br><br>DEFAULT Auth-Type = LDAP<br> Fall-Through = 1<br><br>This configuration were working well on a very old debian machine which <br>died suddenly<br><br>When I try to access the the chilli portal it ask radius for authentication<br>but it dows not work. See below the debug trace of radius daemon.<br>Help greatly appreciated, thank you.<br><br><br>Wed Aug 31 16:52:39 2011 : Debug: Processing the authorize section of <br>radiusd.conf<br>Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authorize for <br>request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling <br>preprocess (rlm_preprocess) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <br>preprocess (rlm_preprocess) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module <br>"preprocess" returns ok for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling eap <br>(rlm_eap) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_eap: No EAP-Message, not doing EAP<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <br>eap (rlm_eap) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "eap" <br>returns noop for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling files <br>(rlm_files) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: users: Matched entry DEFAULT at <br>line 398<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <br>files (rlm_files) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "files" <br>returns ok for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling ldap <br>(rlm_ldap) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authorize<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing user <br>authorization for xxxxxxxx<br>Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: '(uid=xxx)'<br>Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: 'ou=Users,dc=esiee,dc=fr'<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing search in <br>ou=Users,dc=esiee,dc=fr, with filter (uid=hrazdira)<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: checking if remote access <br>for xxxxxxxx is allowed by uid<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for check items in <br>directory...<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for reply items in <br>directory...<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: user xxxxxxxx authorized to <br>use remote access<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <br>ldap (rlm_ldap) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "ldap" <br>returns ok for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling pap <br>(rlm_pap) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_pap: WARNING! No "known good" <br>password found for the user. Authentication may fail because of this.<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from <br>pap (rlm_pap) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "pap" <br>returns noop for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authorize <br>(returns ok) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: rad_check_password: Found Auth-Type <br>LDAP<br>Wed Aug 31 16:52:39 2011 : Debug: auth: type "LDAP"<br>Wed Aug 31 16:52:39 2011 : Debug: Processing the authenticate section <br>of radiusd.conf<br>Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authenticate <br>for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: calling <br>ldap (rlm_ldap) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authenticate<br>Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is <br>required for authentication. Cannot use "CHAP-Password".<br>Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: returned <br>from ldap (rlm_ldap) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modcall[authenticate]: module "ldap" <br>returns invalid for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authenticate <br>(returns invalid) for request 15<br>Wed Aug 31 16:52:39 2011 : Debug: auth: Failed to validate the user.<br>Wed Aug 31 16:52:39 2011 : Debug: Delaying request 15 for 1 seconds<br>Wed Aug 31 16:52:39 2011 : Debug: Finished request 15<br>Wed Aug 31 16:52:39 2011 : Debug: Going to the next request<br>Wed Aug 31 16:52:39 2011 : Debug: --- Walking the entire request list ---<br><br><br><br>------------------------------<br><br>Message: 5<br>Date: Wed, 31 Aug 2011 12:27:36 -0400<br>From: Alan DeKok <aland@deployingradius.com><br>Subject: Re: problem with chillispot<br>To: FreeRadius users mailing list<br><freeradius-users@lists.freeradius.org><br>Message-ID: <4E5E60F8.8070409@deployingradius.com><br>Content-Type: text/plain; charset=ISO-8859-1<br><br>Goke M Aruna wrote:<br>> Is it bug on freeradius v2?<br><br> No.<br><br>> I got the chillispot working with freeradius 1.7 then and still tested<br>> same recently but v2 of radius give same error while v1 work<br>> seamlessly. I compiled this on centos 5.6.<br><br> You mistyped the shared secret.<br><br> Alan DeKok.<br><br><br>------------------------------<br><br>Message: 6<br>Date: Wed, 31 Aug 2011 12:30:45 -0400<br>From: Alan DeKok <aland@deployingradius.com><br>Subject: Re: problem with LDAP backend<br>To: FreeRadius users mailing list<br><freeradius-users@lists.freeradius.org><br>Message-ID: <4E5E61B5.2000601@deployingradius.com><br>Content-Type: text/plain; charset=ISO-8859-1<br><br>Frank Bonnet wrote:<br>> MAC addresses for some video devices in the "users" file<br>> as follows :<br>> <br>> 00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"<br><br> That's wrong. See the debug output for reasons why. See the FAQ for<br>correct examples.<br><br>> LDAP backend for "real" users at the end of the "users" file I have this<br>> statement<br>> <br>> DEFAULT Auth-Type = LDAP<br>> Fall-Through = 1<br><br> That's not needed.<br><br>> Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is<br>> required for authentication. Cannot use "CHAP-Password".<br><br> That's pretty clear. The NAS is sending a CHAP request. You can't do<br>that with "Auth-Type LDAP"<br><br> Instead, list "ldap" in the "authorize" section.<br><br> Don't set Auth-Type. It's almost always wrong.<br><br> Alan DeKok.<br><br><br>------------------------------<br><br>Message: 7<br>Date: Wed, 31 Aug 2011 13:23:20 -0400<br>From: Shreya Shah <shreya.nshah@gmail.com><br>Subject: Rating usage<br>To: FreeRadius users mailing list<br><freeradius-users@lists.freeradius.org><br>Message-ID:<br><CANN_Z9KOKD0HfM+s_wVmZTyobN=8qcLxbfdQBBrX+KBPUBo-2w@mail.gmail.com><br>Content-Type: text/plain; charset="iso-8859-1"<br><br>Is it possible to rate users based on their data usage and reject<br>authentication to those users exceeding the limit ?<br><br>I think I can achieve rating using counter.conf and reading the usage from<br>radacct but not sure how to reject this user from authenticating when he<br>exceeds this usage limit ?<br><br>Thanks,<br>Shreya.<br>-------------- next part --------------<br>An HTML attachment was scrubbed...<br>URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20110831/ad586a05/attachment.html><br><br>------------------------------<br><br>Message: 8<br>Date: Wed, 31 Aug 2011 19:51:20 +0100<br>From: Goke M Aruna <goksie@gmail.com><br>Subject: Re: problem with chillispot<br>To: FreeRadius users mailing list<br><freeradius-users@lists.freeradius.org><br>Message-ID:<br><CAE=DitpQoroJHxQA7u+BtCuXhEh0_1V-TahmuW1ntgiO9_e69Q@mail.gmail.com><br>Content-Type: text/plain; charset=UTF-8<br><br>Hi Allan,<br>Mistyped shared-secret? How can I confirm that?<br><br>Thank you.<br><br>On 8/31/11, Alan DeKok <aland@deployingradius.com> wrote:<br>> Goke M Aruna wrote:<br>>> Is it bug on freeradius v2?<br>><br>> No.<br>><br>>> I got the chillispot working with freeradius 1.7 then and still tested<br>>> same recently but v2 of radius give same error while v1 work<br>>> seamlessly. I compiled this on centos 5.6.<br>><br>> You mistyped the shared secret.<br>><br>> Alan DeKok.<br>> -<br>> List info/subscribe/unsubscribe? See<br>> http://www.freeradius.org/list/users.html<br>><br><br>-- <br>Sent from my mobile device<br><br><br>------------------------------<br><br>-<br>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<br><br><br>End of Freeradius-Users Digest, Vol 76, Issue 108<br>*************************************************<br></div></includetail></div>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></blockquote></div><br><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Arran Cudbard-Bell</div><div><a href="mailto:a.cudbardb@freeradius.org">a.cudbardb@freeradius.org</a></div><div><br></div><div>RADIUS - Half the complexity of Diameter</div></div></span></span>
</div>
<br></body></html>