'authorize' module


'authorize' module

Edgars
still fighting with test configuration..

I have created two rlm_passwd modules. Afterwards, have put them under
'authorize' section one by one. Why is the daemon accepting the request
depending only on the rlm_passwd file where User-Password is present and
ignoring the one which should check NAS-IP-Address and Realm? My aim is
to make it so that if the last mentioned returns "wrong", the whole
request is wrong.

Please assist me with ideas.

Edgars
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 'authorize' module

Alan DeKok
Edgars Klavinskis <[hidden email]> wrote:
> I have created two rlm_passwd modules. Afterwards, have put them under
> 'authorize' section one by one. Why is the daemon accepting the request
> depending only on the rlm_passwd file where User-Password is present and
> ignoring the one which should check NAS-IP-Address and Realm?

  Read the debug log.

> My aim is to make it so that if the last mentioned returns "wrong",
> the whole request is wrong.

  Read doc/configurable_failover

  Alan DeKok.

Re: 'authorize' module

Edgars
Alan,

how to do authentication based on attribute checking (attr_compar or
something like this)?
I mean, if I am adding some attributes to config_items via rlm_passwd how
to check those attributes in the authenticate section? User-Password is
only checked, nothing more. For example, I want to check Framed-Protocol,
and am adding it to config_items. Where do these config_items go to?
How to compare them?

  modcall[authorize]: module "edg_pass" returns ok for request 0
rlm_passwd: Added Framed-IP-Address: '2.2.2.6' to reply_items
  modcall[authorize]: module "edg_pass_group" returns ok for request 0
rlm_passwd: Added Framed-Protocol: 'PPP' to config_items
rlm_passwd: Added Auth-Type: 'ACCEPT' to config_items
  modcall[authorize]: module "edg_check" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type ACCEPT
auth: type "ACCEPT"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  WARNING! Asked to process empty group.  Returning reject.
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [edgars/edgars] (from client lalala port 2549 cli 1.1.1.2)

Edgars
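
The debug excerpt in this post can be read mechanically to see which stage produced the reject. The following Python sketch is an added example, not part of the original thread or of FreeRADIUS; the function names `summarize` and `reject_origin` are my own, and the sample is the post's log, shortened.

```python
import re

# Debug lines copied from the post above (shortened).
DEBUG_LOG = """\
  modcall[authorize]: module "edg_pass" returns ok for request 0
rlm_passwd: Added Framed-IP-Address: '2.2.2.6' to reply_items
  modcall[authorize]: module "edg_pass_group" returns ok for request 0
rlm_passwd: Added Framed-Protocol: 'PPP' to config_items
rlm_passwd: Added Auth-Type: 'ACCEPT' to config_items
  modcall[authorize]: module "edg_check" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type ACCEPT
modcall: entering group Auth-Type for request 0
  WARNING! Asked to process empty group.  Returning reject.
modcall: group Auth-Type returns reject for request 0
"""

MODULE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
ADDED = re.compile(r"rlm_passwd: Added ([\w-]+): '([^']*)' to (\w+)")
GROUP = re.compile(r"modcall: group ([\w-]+) returns (\w+)")
FOUND = re.compile(r"Found Auth-Type (\S+)")

def summarize(log):
    """Collect module results, attributes per list, and group results."""
    s = {"modules": [], "lists": {}, "groups": {},
         "auth_type": None, "empty_group": False}
    for line in log.splitlines():
        if m := MODULE.search(line):
            s["modules"].append(m.groups())  # (section, module, return code)
        elif m := ADDED.search(line):
            attr, value, target = m.groups()
            s["lists"].setdefault(target, {})[attr] = value
        elif m := GROUP.search(line):
            s["groups"][m.group(1)] = m.group(2)
        elif m := FOUND.search(line):
            s["auth_type"] = m.group(1)
        elif "Asked to process empty group" in line:
            s["empty_group"] = True
    return s

def reject_origin(s):
    """Name the stage that returned reject, or None if nothing did."""
    for section, module, code in s["modules"]:
        if code == "reject":
            return f"module {module} in {section}"
    for group, code in s["groups"].items():
        if code == "reject":
            note = " (empty group)" if s["empty_group"] else ""
            return f"group {group}{note}, Auth-Type {s['auth_type']}"
    return None
```

For this excerpt, `reject_origin(summarize(DEBUG_LOG))` names the Auth-Type group rather than any authorize module, and `summarize` shows Framed-Protocol sitting in config_items without any later line that compares it.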



Re: 'authorize' module

Alan DeKok
Edgars Klavinskis <[hidden email]> wrote:
> I mean, if I am adding some attributes to config_items via rlm_passwd how
> to check those attributes in the authenticate section?

  You don't.  I don't understand why you would want to check them
there.

> User-Password is only checked, nothing more.

  No.

> For example, I want to check Framed-Protocol, and am adding it to
> config_items.

  Why?  Please explain.

>   rad_check_password:  Found Auth-Type ACCEPT
> auth: type "ACCEPT"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
>   WARNING! Asked to process empty group.  Returning reject.

  Hmmm... I don't see why that would be happening, unless you
configured an "ACCEPT" group in radiusd.conf.

  Alan DeKok.

Re: 'authorize' module

Edgars

>>For example, I want to check Framed-Protocol, and am adding it to
>>config_items.
>>    
>>
>
>  Why?  Please explain.
>  
>
When I am receiving a request from some client, I want to check Realm
and User-Password depending on Nas-IP-Address and User-Name as key
fields placed in rlm_passwd files.
It's because of the fact that someone could use not the correct realm
when connecting to some box, I want to decline such persons.

Edgars


Re: 'authorize' module

Alan DeKok
Edgars Klavinskis <[hidden email]> wrote:
> When I am receiving a request from some client, I want to check Realm
> and User-Password depending on Nas-IP-Address and User-Name as key
> fields placed in rlm_passwd files.
> It's because of the fact that someone could use not the correct realm
> when connecting to some box, I want to decline such persons.

  So check in the "authorise" section.  I don't understand why it's so
important to check it in the "authenticate" section.

  Alan DeKok.

Re: 'authorize' module

Edgars
It is not required for me to check this in authenticate section, I just
thought it is the only place where I could check these passwd attributes.
Can you please tell me how to check them in authorize section assuming
that they are added to config_items?

Thanks.
Edgars


Re: 'authorize' module

Alan DeKok
Edgars Klavinskis <[hidden email]> wrote:
> It is not required for me to check this in authenticate section, I just
> thought it is the only place where I could check these passwd attributes.
> Can you please tell me how to check them in authorize section assuming
> that they are added to config_items?

  In the CVS head, rlm_policy.  In 1.0.x, you can't.

  You also can't check them in the authenticate section in 1.0.x.
It's a rare enough request that the server doesn't do it.

  Alan DeKok.

Re: Error in DB

Michael Cooper
Hey Guys,

       I am trying to install the freeradius in sql on my server when I do
the db dump I get the following error:

mysql -uxxxx -pxxxxxx radius < db_mysql.sql
ERROR 1067 (42000) at line 155: Invalid default value for 'id'

This is the line in question:

->  id int(10) DEFAULT '0' NOT NULL auto_increment, <--
Does anyone know how I can fix this problem?

Thanks in Advance,
Michael A Cooper
BCCISP.net
http://www.bccisp.net
281-854-2079
"Technology that counts, voices that matter!"

Re: 'authorize' module

Edgars
any doc on rlm_policy?

Edgars




Re: 'authorize' module

Alan DeKok
Edgars Klavinskis <[hidden email]> wrote:
> any doc on rlm_policy?

  Have you tried the "man" page?

  Alan DeKok.

Re: 'authorize' module

Edgars
ok, got it. Thanks. But it is still very unclear for me how to check
attributes coming from rlm_passwd files in configure_items array.
Any comments or example on this?

Edgars




Re: 'authorize' module

Alan DeKok
Edgars Klavinskis <[hidden email]> wrote:
> ok, got it. Thanks. But it is still very unclear for me how to check
> attributes coming from rlm_passwd files in configure_items array.
> Any comments or example on this?

  The documentation?  It says EXPLICITLY how to get attributes from
the configuration items.

  Look for the word "configuration".

  I have NO idea why this is so hard.

  Alan DeKok.

Re: 'authorize' module

Edgars
sorry, man! just googled for rlm_policy and found your thread about doc
under raddb/, didn't look at one under man.

Edgars


