Help needed with Realms (Freeradius) Urgent!


Help needed with Realms (Freeradius) Urgent!

by virulence

Currently I have my multiple realms up at proxy.conf up and going but every time I do a radtest my user is able to authenticate with the multiple realms which I do not want to after stripping the realm.

e.g. abc@company.com   : login ok
      abc@company1500.com :login ok

Is there a way to just "bind" the user abc to auth to just company.com and prevent cross authentication.

Any help is appreciated or does anyone know how to specify a user to a single realm. Thanks

Re: Help needed with Realms (Freeradius) Urgent!

by Bill Brunton

Change the config setting in proxy.config from strip to nostrip for all
domains.... Then I suspect that you will have to have the domain on the
username in the users file or it will not match.



On Thu, 15 Mar 2007, virulence wrote:

> Date: Thu, 15 Mar 2007 22:29:00 -0700 (PDT)
> From: virulence <virulence34@...>
> Reply-To: FreeRadius users mailing list
>     <freeradius-users@...>
> To: freeradius-users@...
> Subject: Help needed with Realms (Freeradius) Urgent!
>
>
> Currently I have my multiple realms up at proxy.conf up and going but
> everytime I do a radtest my user is able to authenticate with the multiple
> realms  which I do not want to after stripping the realm.
>
> e.g. abc@...   : login ok
>       abc@... :login ok
>
> Is there a way to just "bind" the user abc to auth to just company.com and
> prevent cross authentication.
>
> Any help is appreciated or does anyone know how to specify a user to a
> single realm. Thanks
>

--
Bill
bbrunton@...
http://www.brunton.net
http://www.video-records.com
http://www.icu.net
KA0SEP NNN0HQA/OK
ATP CFII BE200 BE300 BE300F BE1900 BE2000 BE2000S CE500

The Internet... The place to be!


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed with Realms (Freeradius) Urgent!

by virulence

But however, I needed the realms to be stripped as all my users auth by only their username and password... Is there another way of doing it?

Double entries in Radacct

by Matthew Neumark

Hello,

I have a MikroTik router that is passing accounting data to the freeradius
database. I look in radacct and every entry has duplicates with the exact
same information. Does anyone know if this is the MikroTik causing this or
freeradius? How do I fix this?

Thanks,
Matt Neumark


Re: Help needed with Realms (Freeradius) Urgent!

by Alan DeKok-2

virulence wrote:
> But however, I needed the realms to be stripped as all my users auth by only
> their username and password... Is there another way of doing it?

  If you're insisting that the realms MUST be stripped, then you will
have the problem you noted, which you say you don't want.  The problem
is a direct result of your requirement that the realms be stripped.

  The message you responded to told you how to solve the problem.  Try
the method that was suggested to you.  Alternately, if you're not going
to follow the help given on this list, I'm not sure why you're asking
for help.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

Re: Help needed with Realms (Freeradius) Urgent!

by virulence

So sorry, there was a misunderstanding in what was allocated to me and I would try what you said when I get back to office on Monday.

Btw, for the realms, the configuration is just by putting nostrip under the realm as in the proxy.conf
but for the users file, would putting realm = company.com work for binding realm @company.com to abc user for example. Or may I know what is the full configuration. Sorry for the trouble as this is the first time I'm using freeradius. Thanks



Re: Help needed with Realms (Freeradius) Urgent!

by TNT-3

Just change username from abc to abc@... . If you don't strip
and put Realm = whatever as check item, username abc still won't match.

Ivan Kalik
Kalik Informatika ISP



Re: Help needed with Realms (Freeradius) Urgent!

by virulence

Alright so it's

usernameabc@realm     Password := xyz
                                 Framed sdfds = sfsdffs
                                 Realm = company.com

Am I getting it right?
                                 

Re: Help needed with Realms (Freeradius) Urgent!

by TNT-3

First line will check the password. You might need to add Auth-Type:=
Local there. On other lines you put reply items like Service-Type,
Framed-IP-Address etc. If there are items that are same for all users
put them in DEFAULT entry. Don't put Realm there or anywhere else in
users file.

Ivan Kalik
Kalik Informatika ISP



Re: Help needed with Realms (Freeradius) Urgent!

by virulence

Alright bro, after doing that I get a message that

Error: WARNING: Possible DoS attack from host 172.16.1.104: Too many attributes in request (received 201, max 200 are allowed).

but after that it is ok.... any idea how to get rid of this error?


Re: Help needed with Realms (Freeradius) Urgent!

by Alan DeKok-2

tnt@... wrote:
> First line will check the password. You might need to add Auth-Type:=
> Local there.

  In 1.1.4 and following, that is no longer necessary.

  Do NOT recommend the use of Auth-Type.  It's almost always wrong.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

Re: Help needed with Realms (Freeradius) Urgent!

by Alan DeKok-2

virulence wrote:
> Alright bro, after doing that i get a message that
>
> Error: WARNING: Possible DoS attack from host 172.16.1.104: Too many attributes in request (received 201, max 200 are allowed).
>
> but after that it is ok.... any idea how to get rid of this error?

  read radiusd.conf, look in the "security" section.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

Re: Help needed with Realms (Freeradius) Urgent!

by virulence

Alright bro, after doing that I get a message that

Error: WARNING: Possible DoS attack from host 172.16.1.104: Too many attributes in request (received 201, max 200 are allowed).

but after that it is ok.... any idea how to get rid of this error?

any one know wad's wrong... I'm still stuck at this...






Re: Help needed with Realms (Freeradius) Urgent!

by virulence

Dropping request (1025 is too many): from client abc :1818 - ID: 97
Info: WARNING: Please check the radiusd.conf file. The value for 'max_requests' is probably set too low.


Apparently this is what I get after setting the attributes to a higher level. May I know what constitutes to the attribute level and how can I go about this. I don't think it is a problem from the max-requests.


Re: Help needed with Realms (Freeradius) Urgent!

by Alan DeKok-2

virulence wrote:
> Dropping request (1025 is too many): from client abc :1818 - ID: 97
> Info: WARNING: Please check the radiusd.conf file. The value for 'max_requests' is probably set too low.
>
> apparently this is what I get after setting the attributes to a higher level.

  Then I would say that something is seriously wrong in your network.

  Having more than 200 attributes in a RADIUS packet is extremely rare.
 As in: If it happens, it's probably because you're being attacked, and
you should go investigate.  That's what the log message says.

  So... did you check that the packets are what you expect?  Why are
there 200 attributes in the packet?

  And if the server is handling more than 1024 packets at a time, it's
either too slow (i.e. databases are slow or down), or it's being attacked.

  It looks like you just want configuration changes to make the error
messages go away.  That is absolutely the wrong approach.  Find the
cause of the problem, and fix it.  The messages will go away once the
problem goes away.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

Re: Help needed with Realms (Freeradius) Urgent!

by virulence

Sorry Alan,
I do not really understand you. Firstly, the server is a totally empty server as it was set up by my colleague for me for testing before implementation and secondly is there a way to check the packets that I am supposed to be expecting. By the way, the results came as a result of a radtest. Sorry for the noobness.

Re: Help needed with Realms (Freeradius) Urgent!

by Alan DeKok-2

virulence wrote:
> Sorry Alan,
> I do not really understand you. firstly, the server is a totally empty
> server as it was set up by my colleague for me for testing before
> implementation

  That doesn't matter.  The client is sending packets.  The
configuration items that generate those error messages are about the
packets that the client is sending.

> and secondly is there a way to check the packets that i am
> suppose to be expecting. By the way, the results came as a result of a
> radtest. Sorry for the noobness.

  Ah.  If the "more than 200 attributes" packet came in via radtest,
then you've configured the server wrong.

  i.e. You've told the server to proxy requests to itself.  Don't do that.

  See "proxy.conf".  One of the "realms" entries has the same IP and
port that the server is listening on.  Change that IP:port to "LOCAL".

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
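
An added example, not code from the thread or from the FreeRADIUS project: a small Python audit of a 1.x-style proxy.conf that flags the two misconfigurations discussed above, namely locally handled realms that strip (so abc@company.com and abc@company1500.com both match the users entry abc) and a realm that points at the server's own IP:port instead of LOCAL. The sample files, the realm branch.example, the secret, the ports and the simplified lookup model are assumptions; 172.16.1.104 is the host from the poster's log, taken here to be the server's own address.

```python
import re

# Constructed samples in FreeRADIUS 1.x proxy.conf syntax (not the poster's file).
# company.com and company1500.com are the realms named in the thread;
# branch.example, the secret and the ports are made up for illustration.
BROKEN = """
realm company.com {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm company1500.com {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm branch.example {
    type     = radius
    authhost = 172.16.1.104:1812   # the server's own address: a proxy loop
    accthost = 172.16.1.104:1813
    secret   = testing123
}
"""

# The same realms after the changes suggested in the thread:
# nostrip on every realm, and LOCAL instead of the server's own IP:port.
FIXED = """
realm company.com {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
    nostrip
}
realm company1500.com {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
    nostrip
}
realm branch.example {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
    nostrip
}
"""

# Assumed listen addresses of the server being audited.
LISTEN = {"172.16.1.104:1812", "172.16.1.104:1813"}

REALM_RE = re.compile(r"realm\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_realms(text):
    """Return {realm: options}; 'strip' is True unless 'nostrip' is present."""
    text = re.sub(r"#.*", "", text)  # drop comments (would also cut a '#' inside a secret)
    realms = {}
    for name, body in REALM_RE.findall(text):
        opts = {"strip": True}
        for line in (l.strip() for l in body.splitlines()):
            if line == "nostrip":
                opts["strip"] = False
            elif "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                opts[key] = value
        realms[name] = opts
    return realms


def lookup_key(user_name, realms):
    """Simplified model: the name the users file is matched against."""
    user, sep, realm = user_name.rpartition("@")
    opts = realms.get(realm)
    if not sep or opts is None:
        return user_name  # no realm, or a realm that is not configured
    return user if opts["strip"] else user_name


def find_stripped_collisions(realms):
    """Locally handled realms that strip; two or more share one users-file namespace."""
    hits = sorted(n for n, o in realms.items()
                  if o.get("authhost", "").upper() == "LOCAL" and o["strip"])
    return hits if len(hits) > 1 else []


def find_self_proxy(realms, listen_addrs):
    """Realms whose authhost/accthost is an address this server listens on."""
    return [(name, key, opts[key])
            for name, opts in realms.items()
            for key in ("authhost", "accthost")
            if opts.get(key) in listen_addrs]


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        realms = parse_realms(conf)
        print(label, "cross-realm collisions:", find_stripped_collisions(realms))
        print(label, "self-proxy entries:   ", find_self_proxy(realms, LISTEN))
        for login in ("abc@company.com", "abc@company1500.com"):
            print(label, login, "-> users key", lookup_key(login, realms))
```

With nostrip in place the users file needs the full abc@company.com as the entry name, as TNT's reply says.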