FreeRADIUS - how to create a profile for two different NAS - freeradius

How can I create a profile for two different NAS (Cisco & MikroTik) with different attributes?
I don't know if there is a way to make an if statement depend on the IP of the NAS or not.
For more explanation:
I use daloRADIUS to manage FreeRADIUS. I can't manage the speed, because now I have, for example, a 10M profile with the attribute Cisco-AVPair=ip:sub-qos-policy-in=10Mbps, but MikroTik is different: it uses Mikrotik-Rate-Limit=10M. So I need one profile that deals with both: if the user connects to the Cisco it will use his policy map, and when he connects to the MikroTik it uses the other attribute.

You can define arbitrary attributes associated with a NAS in clients.conf.
For example:
client 192.168.0.1 {
    secret = testing123
    my_attribute = 'foo'
}
Then access them with the %{client:<attribute>} xlat.
authorize {
    update reply {
        Reply-Message := "User connecting to NAS with attribute %{client:my_attribute}"
    }
}
This is significantly more efficient than huntgroups or the other grouping mechanisms.
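A worked configuration along those lines for the Cisco/MikroTik case in the question, added here as an example and not taken from the answer or from the FreeRADIUS project; the attribute name nas_vendor, the client names, addresses and secrets are assumptions, and the syntax is FreeRADIUS 3 unlang:

```unlang
# raddb/clients.conf (added example): tag each NAS with a custom attribute.
# Names, addresses and secrets are assumed placeholders.
client cisco_bng {
    ipaddr     = 192.0.2.10
    secret     = CHANGE_ME_cisco
    nas_vendor = "cisco"
}
client mikrotik_router {
    ipaddr     = 192.0.2.20
    secret     = CHANGE_ME_mikrotik
    nas_vendor = "mikrotik"
}

# raddb/sites-enabled/default, post-auth section.
# The single daloRADIUS profile (radgroupreply) carries BOTH vendor attributes,
# e.g. Cisco-AVPair = "ip:sub-qos-policy-in=10Mbps" and Mikrotik-Rate-Limit = "10M".
# By post-auth the sql module has already merged them into the reply, so we
# strip the one the requesting NAS cannot use, keyed on the client attribute
# rather than on a hard-coded NAS IP address.
post-auth {
    if ("%{client:nas_vendor}" == "cisco") {
        update reply {
            &Mikrotik-Rate-Limit !* ANY
        }
    }
    elsif ("%{client:nas_vendor}" == "mikrotik") {
        update reply {
            &Cisco-AVPair !* ANY
        }
    }
    else {
        # NAS without a nas_vendor tag: send neither vendor-specific attribute,
        # so an unknown NAS never receives a rate-limit it cannot interpret.
        update reply {
            &Mikrotik-Rate-Limit !* ANY
            &Cisco-AVPair !* ANY
        }
    }
}
```

With this the profile is defined once in daloRADIUS with both attributes, and nothing changes per NAS beyond the tag in clients.conf.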

Related

Is there a way to allow Google Sheets to IMPORTXML that is inside my company's corporate network?

My company is on an enterprise plan and behind a FW. This means I cannot IMPORT... in a Google Sheet to any URL inside the corporate network.
Is there a way to make it so files in my company's G-Suite organization (example.com) can access my internal corporate network? Like some kind of virtual private network or something?
If I'm not mistaken, you need to whitelist all these hosts on the firewall side for it to work.
For the following hosts, [N] means any single decimal digit and * means any string not containing a period.
www.google.com:443/HTTPS
accounts.google.com:443/HTTPS
googledrive.com:443/HTTPS
drive.google.com:443/HTTPS
*.drive.google.com:443/HTTPS
docs.google.com:443/HTTPS
*.docs.google.com:443/HTTPS
*.c.docs.google.com:443/HTTPS
sheets.google.com:443/HTTPS
slides.google.com:443/HTTPS
talk.google.com:5222/XMPP (needed only for Backup and Sync)
takeout.google.com:443/HTTPS
gg.google.com:443/HTTPS
script.google.com:443/HTTPS
ssl.google-analytics.com:443/HTTPS
video.google.com:443/HTTPS
s.ytimg.com:443/HTTPS
apis.google.com:443/HTTPS
*.clients[N].google.com:443/HTTPS
*.googleapis.com:443/HTTPS
*.googleusercontent.com:443/HTTPS
*.gstatic.com:443/HTTPS
*.gvt1.com:443/HTTPS
lh[N].google.com:443/HTTPS
[N].client-channel.google.com:443/HTTPS
clients[N].google.com:443/HTTPS
inputtools.google.com:443/HTTPS
sites.google.com:443/HTTPS
sites.google.com:80/HTTP
sites.google.com:443/HTTPS
*.sites.google.com:443/HTTPS
*.googlegroups.com:443/HTTPS
ipv4.google.com:443/HTTPS
ipv4.google.com:80/HTTP
Documentation can be found here

Is it possible to implement EAP-MSCHAPv2 without Active Directory?

I would like to test the 802.1X function of an Ethernet switch (NAS).
I have a workstation (Windows 10) and an Ubuntu server: I want to test EAP-MSCHAPv2.
I saw a tutorial to configure FreeRADIUS: https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
The problem is I don't have a Windows server. Is it possible to test EAP-MSCHAPv2 without it? How do I configure FreeRADIUS? ... I just want to test a static configuration with one login+password.
Currently my FreeRADIUS works with EAP-MD5: I already created a user profile and the NAS config.
You need to set the MS-CHAP-Use-NTLM-Auth attribute to No in the control list. The mschap module will then do the authentication internally, rather than trying to call out to AD.
This is documented more extensively in raddb/mods-available/mschap.
For example you could create a user bob with password test in the raddb/users file thus:
bob Cleartext-Password := "test", MS-CHAP-Use-NTLM-Auth := No
Note that this attribute must be in the control list, not in the reply list, so appears on the same line as the username.

Can I uniquely identify a client machine in an ASP.NET application

Is there a way to uniquely identify a user that has logged on to my application based on his device/machine?
In a lot of cases the IP is enough, but when the client has multiple machines behind a NAT the same IP is exposed, so I can't tell them apart. It should have the same ID irrespective of browser.
For example, if the user logs in to his account with computer A, then logs in to the same account with computer B that shares the same router, I need an ID that tells those two devices apart.
I don't know if this is possible, but it would be life saving if it is.
I was faced with this problem where I wanted to ask for Google Authenticator on sign in but only once for each device used by a user. I used a function to give me a device id based on the hostname, the MAC address, and the IP address. I know the MAC address isn't always reliable so I thought combining the data into one string might be a way round it. Our application is limited to <100 users and most of them access from the office or home so I feel it should be good enough.
I put the IP address function (which gets the IPv4) into a separate function as I check whether they are in the office (on 192.168..) or external before checking the device ID. The list of device IDs associated with a user is stored in a SQL table and checked after username/password entry but before log in is completed, to decide whether to request a 2FA code.
Here's the code:
Imports System.Net
Imports System.Net.NetworkInformation
Imports System.Net.Sockets
Imports System.Web

' Usage: compute the id for the device behind the current request
Dim thisDeviceId As String = GetClientDeviceId()

Public Function GetClientDeviceId() As String
    Dim mac As String = String.Empty
    ' GetAllNetworkInterfaces() enumerates the adapters of the machine running
    ' this code (the web server); the last wired/wireless adapter wins.
    For Each netInterface In NetworkInterface.GetAllNetworkInterfaces()
        If netInterface.NetworkInterfaceType = NetworkInterfaceType.Wireless80211 OrElse
           netInterface.NetworkInterfaceType = NetworkInterfaceType.Ethernet Then
            Dim address = netInterface.GetPhysicalAddress()
            mac = BitConverter.ToString(address.GetAddressBytes())
        End If
    Next
    ' Reverse-resolve the requesting client's address (REMOTE_ADDR) to a host name
    ' and combine it with the MAC and the IPv4 address found below.
    Return String.Format("{0}-{1}-{2}",
                         Dns.GetHostEntry(HttpContext.Current.Request.ServerVariables("REMOTE_ADDR")).HostName,
                         mac,
                         GetClientDeviceIpAddress())
End Function

Public Function GetClientDeviceIpAddress() As String
    Dim ipv4Address As String = String.Empty
    ' Dns.GetHostName() is the name of the machine running this code, so the
    ' addresses returned here are its own; the first IPv4 one is used.
    For Each currentIpAddress As IPAddress In Dns.GetHostAddresses(Dns.GetHostName())
        If currentIpAddress.AddressFamily = AddressFamily.InterNetwork Then
            ipv4Address = currentIpAddress.ToString()
            Exit For
        End If
    Next
    Return ipv4Address
End Function
Even though it's not bulletproof and could be improved upon it might help someone.

Retrieve IP Address of the Default Printer Driver in UWP

We have a requirement to get the printer IP address configured in the default printer driver in Control Panel in our UWP app.
I was able to retrieve "System.DeviceInterface.PrinterPortName" by fetching the interface class GUID and passing the above property for retrieval.
But I couldn't get "System.Devices.IpAddress" similarly.
Code for PortName is pasted below.
I badly need the IP address, as the port name is the user's choice and could be modified to any name, removing the IP address.
Kindly help by sharing working code to retrieve the IP address using the above property or any other way in a UWP app.
Below is working code for the port name; kindly help to fetch the IP address of the same port similarly.
using Windows.Devices.Enumeration;

// Enumerate printer device interfaces (0ecef634-... is the printer interface class GUID)
string aqsFilter = "System.Devices.InterfaceClassGuid:=\"{0ecef634-6ef0-472a-8085-5ad023ecbccd}\"";
string[] propertiesToRetrieve = new string[] { "System.DeviceInterface.PrinterPortName" };
DeviceInformationCollection deviceInfoCollection =
    await DeviceInformation.FindAllAsync(aqsFilter, propertiesToRetrieve);

foreach (DeviceInformation deviceInfo in deviceInfoCollection)
{
    // Only the default printer is of interest
    if (deviceInfo.IsDefault == true)
    {
        string strPortName = (string)deviceInfo.Properties["System.DeviceInterface.PrinterPortName"];
        if (!string.IsNullOrEmpty(strPortName))
        {
            // ParsePortName is the poster's own helper (not shown here); it returns
            // the address part of the port name, or an empty string if there is none
            strPortName = await ParsePortName(strPortName);
            if (!string.IsNullOrEmpty(strPortName))
            {
                _strIPAddress = strPortName;
            }
        }
        break;
    }
}
This is not endorsed because the IP address can change and so it is unreliable.
That being said, if your printer is installed using WSD, it is technically supported.
E.g.,
DEVPKEY_PNPX_IpAddress DEVPROP_TYPE_STRING_LIST 32 "10.137.192.202"
But there is no way to reliably use this without a lot of various scenario checks since the IP address may change.
Furthermore, looking at this example, you are not hitting the DAF providers but looking for devices. You are using 0ecef634-6ef0-472a-8085-5ad023ecbccd which is the printer class guid. It also does not look like IP address is propagated in the PnP Explorer property bag so the IP address is not accessible.

Kerberos: Cross Domain/Realm Issue

I ran into an issue while I was helping a customer to configure SSO (with Kerberos) for our software.
But first, let me give you some context:
As you can see in the attached krb5.ini, we want to do cross domain/realm Kerberos, and we have four different Active Directory domains (all at the 2008 R2 forest/domain functional level):
1) test.local
2) subdomain.test.local (which is obviously a child domain of test.local)
3) example.local
4) dummy.local
A two-way transitive trust was (manually) set up between test.local and example.local as well as between test.local and example.local.
And there is (of course) the default trust between test.local and subdomain.test.local.
[libdefaults]
    default_realm = TEST.LOCAL
    default_tkt_enctypes = rc4-hmac aes128-cts aes256-cts des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac aes128-cts aes256-cts des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac aes128-cts aes256-cts des-cbc-crc des-cbc-md5

[realms]
    TEST.LOCAL = {
        kdc = dc001.TEST.local
        kdc = dc002.TEST.local
    }
    EXAMPLE.LOCAL = {
        kdc = dc001.example.local
        kdc = dc002.example.local
    }
    SUBDOMAIN.TEST.LOCAL = {
        kdc = dc001.SUBDOMAIN.TEST.local
        kdc = dc002.SUBDOMAIN.TEST.local
    }
    DUMMY.LOCAL = {
        kdc = dc001.dummy.local
        kdc = dc002.dummy.local
    }

[domain_realm]
    test.local = TEST.LOCAL
    .test.local = TEST.LOCAL
    example.local = EXAMPLE.LOCAL
    .example.local = EXAMPLE.LOCAL
    dummy.local = DUMMY.LOCAL
    .dummy.local = DUMMY.LOCAL
    subdomain.test.local = SUBDOMAIN.TEST.LOCAL
    .subdomain.test.local = SUBDOMAIN.TEST.LOCAL
Cross domain name resolution works just fine.
The webserver is a linux box (if I remember correctly it was a RedHat or CentOS installation). The fqdn is web001.test.local.
The clients (separately from the domain they are a member of) treat the fqdn web001.test.local as member of the local intranet zone.
We successfully created a service user and a corresponding keytab file for the webserver.
If we query test.local and search for the spn we get the correct response:
<service user>
HTTP/web001.test.local#TEST.LOCAL
HTTP/web001.test.local
HTTP/web001
After that we started testing, and Kerberos worked just fine (if the users are members of test.local or subdomain.test.local) until we tried to log in with a test user from dummy.local and example.local.
Every time a user tries to login from these particular domains we get the following stacktrace:
09:44:25.447 WARN REQUEST[10.50.50.45]
o.s.s.k.w.a.SpnegoAuthenticationProcessingFilter - Negotiate Header was
invalid: Negotiate YIIJ...
org.springframework.security.authentication.BadCredentialsException:
Kerberos validation not successful
Caused by: java.security.PrivilegedActionException: null
Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
Caused by: java.security.GeneralSecurityException: Checksum failed
As I said before: Kerberos works with clients/users within the test.local and the subdomain.test.local realm/domain.
But I don't get why it is not working with the other domains/realms.
Can someone enlighten me or at least give me a hint?
Thanks in advance.
P.S. Regarding debugging/responding: I do not have direct access to the customer domains (active directories) and the webserver. So debugging and responding to your answers may take a few days.
Okay, the issue was the trust configuration! As mentioned before, it was a two-way transitive trust. Sadly it was neither (except for the child domain) a child nor a forest trust. It was an external trust. This way, there was no name routing convention for Kerberos active.
I found this article (https://jorgequestforknowledge.wordpress.com/2011/09/14/kerberos-authentication-over-an-external-trust-is-it-possible-part-6/) and we configured the name routing manually via a GPO. This did the trick.
Thanks to Bernhard, who pointed me in the right direction with his question.
