-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 21 October 2004 17:24
To: [EMAIL PROTECTED]
Subject: Freeradius-Users digest, Vol 1 #3878 - 8 msgs
Send Freeradius-Users mailing list submissions to
        [EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."

Today's Topics:

   1. Re: UDPFROMTO and Proxy Problem (Raimund Sacherer)
   2. FreeRADIUS and DTC Radius interoperability (Benoit ROVERA)
   3. Re: gnugk+freeradius+mysql works well,but how to configure for prepaid?? (Alan DeKok)
   4. Re: problem authenticating to passwd/shadow files (Alan DeKok)
   5. RE: Reauthenticate User (Nurul Faizal Bin M.Shukeri)
   6. Re: WPA - Freeradius external script problem (Alan DeKok)
   7. Re: Missing db_mssql.sql in 1.0.1 distribution (Alan DeKok)
   8. Re: Password Encryption (Alan DeKok)

--__--__--

Message: 1
Organization: eWave
Date: Thu, 21 Oct 2004 17:03:28 +0200
Subject: Re: UDPFROMTO and Proxy Problem
From: "Raimund Sacherer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]

Hi Nicolas, Thomas!

Here is a more detailed description of our scenario:

                  +--------------+
     +---+        | NAS/Roaming  |  (NAS/Roaming Partner may not be
     | 1 |        | RadiusServer |   part of our Network and can have their
     +---+        +--------------+   own Public/Private IP Networks)
                         |
                         |
                         |
                  +--------------+
                  |     Our      |
 +-------->-------|  FireWall/   |
 |                |    IPSEC     |
 |                |    Tunnel    |
 |                |   Endpoint   |
 |                +--------------+
 |                       |
 |   +---+               |
 |   | 2 |          +----+----+
 |   +---+          |         |
 |          Clients which   Clients with
 |          comes from      "direct"
 |          IPSec Tunnels   Internet Access
 |                  |         |
 |                  |         |
 |             eth0:1        eth0
 |            10.0.0.10   62.62.62.62
 |                  |         |
 |                +--------------+
 |                |     Our      |-eth1-<->-[internal AdminLan]
 |                | RadiusServer |
 |                +--------------+
 |                  |         |
 |   +---+     eth0:1        eth0
 |   | 3 |    10.0.0.10   62.62.62.62
 |   +---+          |         |
 +-------<----------+---<-----+

1. Packet comes from NAS or from a Roaming Partner, either from internet or via IPSEC Tunnel, which terminates on "Our Firewall".

2. The Firewall routes the Packet to our Radius Server.

3. The radius server auth/acct local realms and proxies all other realms to the appropriate foreign radius proxy/server back via "Our Firewall". If the packet has to go to a partner which needs an IPSEC Tunnel it is proxied over eth0:1, otherwise over eth0.

That's the point of our problem. In our case the default gateway points to the public ip_address of the internal interface of "Our Firewall". For a Proxy Packet the Packet->src_ipaddr is empty. As the sendmsg function has no src_ipaddr it uses the default gateway as src_ipaddr for this packet. Therefore the IPSEC tunnel on "Our Firewall" discards the proxy packet because they expect the packet from 10.0.0.10 (LeftSide/RightSide IPSEC). Even if the IPSEC tunnel would allow our packets, the foreign radius server would silently discard the packet as it uses the wrong src_ipaddr.
In your scenario you are directly connected to the networks where your proxyserver resides so you don't need to use a default gateway to reach your servers.

My previously posted patch adds configuration items for the proxy.conf config file where you can define the ip_addr which should be used for each Realm.

I would be glad if someone can confirm this as problem and my patch as the right solution ;-)

For our 2nd problem I stated previously in this thread (that the above scenario is NOT working if eth0:1 is a physical interface) we will rebuild our test-scenario to post better debugging information.

best regards
Raimund Sacherer

On Wed, 2004-10-20 at 16:34 +0200, Thomas MARCHESSEAU wrote:
> Hi Raimund,
>
> Nicolas and I did some test on proxy forwarding , we use this model :
>
>                   CLIENT 172.16.69.1
>                          |
>                       vlan 69
>                          |
>          172.16.69.3 (virtual ip handled by keepalived)
>                          |
>                  172.16.69.2 (eth2)
>                          |
>               +---------------------+
>               | PROXY with udpfromto|
>               | and bind_addr *     |
>               | ldflag = round_robin|
>               +---------------------+
>                   |             |
>                 eth0          eth3
>            192.168.7.241   10.17.1.243
>                   |             |
>                   |             |
> +-<vlan7>---------+             +-<vlan1017>--+
> |                                             |
> |                                             |
> +------------------+       +------------------+
> | Radius Srv       |       | Radius Srv       |
> | 192.168.7.243    |       | 10.17.10.242     |
> +------------------+       +------------------+
>
>
> We hope that it match with your goal .
>
> 1/
> rad_recv: Access-Request packet from host 172.16.69.1:32914, id=15, length=77
>         User-Name = "[EMAIL PROTECTED]"
>         User-Password = "24r3iis"
>         NAS-IP-Address = 1.2.3.4
>         NAS-Port-Type = xDSL
>         NAS-Port = 0
> Sending Access-Request of id 0 to 192.168.7.243:1812
>         User-Name = "[EMAIL PROTECTED]"
>         User-Password = "24r3iis"
>         NAS-IP-Address = 1.2.3.4
>         NAS-Port-Type = xDSL
>         NAS-Port = 0
>         Proxy-State = 0x3135
> rad_recv: Access-Accept packet from host 192.168.7.243:1812, id=0, length=103
>         Tunnel-Server-Endpoint:0 = "172.16.128.1"
>         Tunnel-Assignment-Id:0 = "172.16.128.1"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Tunnel-Type:0 = L2TP
>         Tunnel-Medium-Type:0 = IP
>         Tunnel-Password:0 = "secret"
>         Proxy-State = 0x3135
> Login OK: [EMAIL PROTECTED]/24r3iis] (from client lodoss port 0)
> Sending Access-Accept of id 15 to 172.16.69.1:32914
>         Tunnel-Server-Endpoint:1 = "172.16.128.1"
>         Tunnel-Assignment-Id:1 = "172.16.128.1"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Tunnel-Type:1 = L2TP
>         Tunnel-Medium-Type:1 = IP
>         Tunnel-Password:1 = "secret"
>
> 2/
> rad_recv: Access-Request packet from host 172.16.69.1:32914, id=13, length=77
>         User-Name = "[EMAIL PROTECTED]"
>         User-Password = "24r3iis"
>         NAS-IP-Address = 1.2.3.4
>         NAS-Port-Type = xDSL
>         NAS-Port = 0
> Sending Access-Request of id 0 to 10.17.1.11:1812
>         User-Name = "[EMAIL PROTECTED]"
>         User-Password = "24r3iis"
>         NAS-IP-Address = 1.2.3.4
>         NAS-Port-Type = xDSL
>         NAS-Port = 0
>         Proxy-State = 0x3133
> rad_recv: Access-Accept packet from host 10.17.1.11:1812, id=0, length=103
>         Tunnel-Server-Endpoint:0 = "172.16.128.1"
>         Tunnel-Assignment-Id:0 = "172.16.128.1"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Tunnel-Type:0 = L2TP
>         Tunnel-Medium-Type:0 = IP
>         Tunnel-Password:0 = "secret"
>         Proxy-State = 0x3133
> Login OK: [EMAIL PROTECTED]/24r3iis] (from client lodoss port 0)
> Sending Access-Accept of id 13 to 172.16.69.1:32914
>         Tunnel-Server-Endpoint:1 = "172.16.128.1"
>         Tunnel-Assignment-Id:1 = "172.16.128.1"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Tunnel-Type:1 = L2TP
>         Tunnel-Medium-Type:1 = IP
>         Tunnel-Password:1 = "secret"
>
> As you can see above , the proxy receives response on both Interfaces .
> we don't find any problems with this kind of setup , you might check again if it's really a problem with Freeradius or your network config [ iptables , routing problems, tcpwrapper ... ]
> We're using freeradius 1.0.1 + udpfromto patch, on debian sid + 2.4.26-grsec
>
> Regards
> Nicolas , Thomas .
>
>
> Raimund Sacherer wrote:
>
> >Here is our Scenario which is working now:
> >
> >Some Partners depend on an IPSec tunnel.
> >
> >
> >                 +--------------+
> >                 |     Our      |
> >                 | RadiusServer |
> >                 +--------------+
> >                   |          |
> >                eth0:1      eth0
> >             10.0.0.10    62.62.62.62
> >                   |          |
> >                   |          |
> >                   |          |
> >                   |          |
> > +-<IPSec Tunnel>--+          +-<Internet>--+
> > |                                          |
> > |                                          |
> >+------------------+      +------------------+
> >| Other Radius Srv |      | Other Radius Srv |
> >| from RoamPartner |      | from RoamPartner |
> >+------------------+      +------------------+
> >
> >
> >
> >If eth0:1 is another physical device (e.g. eth1) then it is NOT working. Netstat -uan displays that the radius server is listening on all (interfaces/ip-addresses) on port 1814.
> >
> >Sending an request-package to our Roaming Partner is working (from the correct IP also, but the respond from the Roaming Partner is not recognized by our Radius Server but tcpdump shows that the Roaming Partner sends an Respond (either Access Reject or Access Accept) and that it's incoming on our interface (eth1).
> >
> >If i move the IP from eth1 to eth0:1 as an alias, all is working again.
> >
> >Strange is, if i locally connect with netcat to eth1 udp port 1814, our Radius Server IS answering.
> >
> >I do not really know where the problem exists, it works with IPAliases, but i would feel much more secure if we can find a working solution for eth1 also.
> >
> >Here is an example from our configuration:
> >
> >--- SNIP radiusd.conf---
> >#bind_address = *
> >#bind_address = 10.0.0.10
> >
> >listen {
> >        ipaddr = 10.0.0.10
> >        type = auth
> >}
> >
> >listen {
> >        ipaddr = 10.0.0.10
> >        type = acct
> >}
> >
> >listen {
> >        ipaddr = 62.62.62.62
> >        type = auth
> >}
> >
> >listen {
> >        ipaddr = 62.62.62.62
> >        type = acct
> >}
> >--- SNIP ---
> >
> >--- SNIP proxy.conf---
> >proxy server {
> >        synchronous = no
> >        retry_delay = 10
> >        retry_count = 6
> >        dead_time = 0
> >        default_fallback = no
> >        post_proxy_authorize = no
> >        proxyip = 62.62.62.62
> >}
> >
> >realm veryFrightenedRoamingPartner {
> >        type = radius
> >        authhost = 172.172.172.172:1812
> >        accthost = 172.172.172.172:1813
> >        proxyip = 10.10.10.10
> >        secret = "<SECRET>"
> >}
> >--- SNIP ---
> >
> >
> >On Tue, 2004-10-12 at 16:47 +0200, Raimund Sacherer wrote:
> >
> >>Hi,
> >>
> >>i compiled freeradius (1.0.1) with the UDPFROMTO configure option and i applied the patch from nicolas (http://www.mail-archive.com/[EMAIL PROTECTED]/msg09417.html) and now receiving/sending local auth/acct packets with more than one ip address works as expected.
> >>
> >>There were two problems with proxying, first, i listen to 2 ip addresses, if those were on different interfaces (eth0/eth1) it is not working, the problem is, the packet is sent to the roamingpartner, but the response is not recognized by freeradius (where a local test with netcat is recognized), but i can see it clearly with tcpdump.
> >>
> >>It works well if these 2 ip addresses are on the same interface (with ip-alias).
> >>
> >>The second problem with proxying is that it used the interface which was defined to send data to the standard gateway as the src-ip address for sending proxy-packets.
> >>
> >>That was a problem for our scenario, as we have roamingpartners which are listening for our packets on the first ip and others on the other, therefore i patched freeradius to accept in the realm-configuration another parameter which tells the proxy_send method which src-ip it should use to send the data, this is working and solved this second problem, i have the patch attached and would be happy if it made its way into the source.
> >>
> >>Technical Detail about the Patch:
> >>1. Add Proxy IP Address to CONF_PARSER proxy_config[], MAIN_CONFIG_T and into the REALM struct.
> >>
> >>2. In generate_realms check if there is a proxy_ip set for this realm or a global (mainconfig.proxy_ipaddr) one. If so, apply it.
> >>
> >>3. In proxy_send check if in the REALM is an IP address set, if so, set it in request->proxy->src_ipaddr so we have a src IP.
> >>
> >>
> >>--- snip --- > >> > >>--- freeradius-1.0.0-pre2/src/include/radiusd.h 2004-10-04 > >>10:27:37.000000000 +0200 > >>+++ /tmp/freeradius-1.0.0-pre2-ewave/src/include/radiusd.h 2004-10-12 > >>12:45:24.353286104 +0200 > >>@@ -124,6 +124,7 @@ > >> char server[64]; > >> char acct_server[64]; > >> uint32_t ipaddr; /* authentication */ > >>+ uint32_t proxy_ipaddr; /* proxy via interface, rsacherer */ > >> uint32_t acct_ipaddr; > >> u_char secret[32]; > >> time_t last_reply; /* last time we saw a packet */ 
> >>@@ -194,6 +195,7 @@ > >> int proxy_retry_count; > >> int proxy_retry_delay; > >> int proxy_fallback; > >>+ char *proxy_ipaddr; /* proxy via interface, rsacherer */ > >> int reject_delay; > >> int status_server; > >> int max_request_time; > >>--- freeradius-1.0.0-pre2/src/main/mainconfig.c 2004-10-04 > >>10:27:38.000000000 +0200 > >>+++ /tmp/freeradius-1.0.0-pre2-ewave/src/main/mainconfig.c 2004-10-12 > >>12:45:16.593465776 +0200 > >>@@ -76,6 +79,7 @@ > >> { "dead_time", PW_TYPE_INTEGER, 0, &mainconfig.proxy_dead_time, > >>Stringify(DEAD_TIME) }, > >> { "post_proxy_authorize", PW_TYPE_BOOLEAN, 0, > >>&mainconfig.post_proxy_authorize, "yes" }, > >> { "wake_all_if_all_dead", PW_TYPE_BOOLEAN, 0, > >>&mainconfig.wake_all_if_all_dead, "no" }, > >>+ { "proxyip", PW_TYPE_STRING_PTR, 0, &mainconfig.proxy_ipaddr, NULL > >>+}, > >> { NULL, -1, 0, NULL, NULL } > >> }; > >>=20 > >>@@ -347,7 +351,7 @@ > >> CONF_SECTION *cs; > >> REALM *my_realms =3D NULL; > >> REALM *c, **tail; > >>- char *s, *t, *authhost, *accthost; > >>+ char *s, *t, *authhost, *accthost, *proxy_ipaddr; > >> char *name2; > >>=20 > >> tail =3D &my_realms; 
> >>@@ -369,6 +373,28 @@ > >> c->secret[0] =3D '\0'; > >>=20 > >> /* > >>+ * Check first if a realm IP is set, if not > >>+ * check the Mainconfig item, else it means 0 ;-) > >>+ * rsacherer > >>+ */ > >>+ if ((proxy_ipaddr =3D cf_section_value_find(cs, "proxyip")) > >>+=3D=3D N= ULL) { > >>+ proxy_ipaddr =3D mainconfig.proxy_ipaddr; > >>+ } > >>+ =09 > >>+ if (proxy_ipaddr =3D=3D NULL) { > >>+ c->proxy_ipaddr =3D htonl(INADDR_NONE); > >>+ } else { > >>+ c->proxy_ipaddr =3D ip_getaddr(proxy_ipaddr); > >>+ if (c->proxy_ipaddr =3D=3D htonl(INADDR_NONE)) { > >>+ radlog(L_ERR, "%s[%d]: Host %s not found", > >>+ filename, cf_section_lineno(cs), > >>+ proxy_ipaddr); > >>+ return -1; > >>+ } > >>+ } > >>+ > >>+ > >>+ /* > >> * No authhost means LOCAL. > >> */ > >> if ((authhost =3D cf_section_value_find(cs, "authhost")) =3D=3D > >> NULL= ) { > >>--- freeradius-1.0.0-pre2/src/main/proxy.c 2004-10-04 10:27:38.00000000= 0 > >>+0200 > >>+++ /tmp/freeradius-1.0.0-pre2-ewave/src/main/proxy.c 2004-10-12 > >>12:45:16.701449360 +0200 
> >>@@ -430,6 +430,14 @@ > >> request->proxy->timestamp =3D request->timestamp - (delaypair ? > >>delaypair->lvalue : 0); > >>=20 > >> /* > >>+ * Add the proxy_ipaddr as the source ip address, if one is set > >>+ * rsacherer > >>+ */ > >>+ if (realm->proxy_ipaddr !=3D htonl(INADDR_NONE)) { > >>+ request->proxy->src_ipaddr =3D realm->proxy_ipaddr; > >>+ } > >>+ > >>+ /* > >> * Do pre-proxying > >> */ > >> rcode =3D module_pre_proxy(request);
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--__--__--

Message: 2
Date: Thu, 21 Oct 2004 17:34:27 +0200
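Review bot: in the radiusd.h hunks of the patch quoted in Message 1 (@@ -124,6 +124,7 @@ and @@ -194,6 +195,7 @@), the name proxy_ipaddr is given to two different things, a resolved uint32_t in the REALM struct and the unparsed char * configuration string in the main config struct, and both carry the comment "proxy via interface" although the value is a source IP address, not an interface. A distinct name for the string member and a comment such as "source address for proxied packets" would save a reader of proxy.c from checking which type is in play.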
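Review bot: in the mainconfig.c hunk at @@ -369,6 +373,28 @@ of the patch quoted in Message 1, the new comment says an unset proxyip "means 0", but the code stores htonl(INADDR_NONE) and proxy.c later tests for exactly that value, so the comment should name INADDR_NONE as the "not set" marker. The hunk also accepts whatever ip_getaddr() resolves without checking that it is an address configured on this host; because this value becomes the source address that the partner's tunnel and RADIUS server match on, a typo would only surface later as proxied requests that get no reply. A startup check against the configured listen addresses, or at least a log line stating the source address chosen per realm, would make that visible. The hunk offsets in this file (76 to 79) also indicate three added lines earlier in mainconfig.c that are not in the posted diff.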
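Review bot: in the proxy.c hunk at @@ -430,6 +430,14 @@ of the patch quoted in Message 1, request->proxy->src_ipaddr is assigned but nothing tells the administrator whether the send path will honour it; the thread only reports this working on a build with the UDPFROMTO configure option. Suggest warning about or rejecting proxyip at configuration time when that support is not compiled in, and documenting the new proxyip item for both the "proxy server" section and the realm sections, since the diff touches only radiusd.h, mainconfig.c and proxy.c. The file headers also say the diff was made against freeradius-1.0.0-pre2 while the message speaks of 1.0.1, so it should be regenerated against the release it is meant for.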
From: Benoit ROVERA <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: FreeRADIUS and DTC Radius interoperability
Reply-To: [EMAIL PROTECTED]

Hi there,

I'm experiencing some troubles to receive some RADIUS requests using my FreeRADIUS server. The RADIUS server who sends the requests is a DTC Radius server : http://www.dtc.co.jp/Radius2.0/RelNoteE.html.

I get the following error message :
"Error: WARNING: Malformed RADIUS packet from host x.x.x.x : Vendor-Specific has invalid length 0"

I captured the datagrams coming from the DTC radius server. I noticed that the datagrams are well formed but the length field value is 2.

Does anybody know how to deal with this issue ?

Thanks for your help.

Benoit

--
Benoit ROVERA
Quiconnect <http://www.quiconnect.com>

This message may contain privileged or confidential information

--__--__--

Message: 3
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: gnugk+freeradius+mysql works well,but how to configure for prepaid??
Date: Thu, 21 Oct 2004 12:25:04 -0400
Reply-To: [EMAIL PROTECTED]

Stefan Bosnjakovic <[EMAIL PROTECTED]> wrote:
> We need to implement pre-paid cards as well. Users can buy 30, 60,
> 120mins cards.

  rlm_sqlcounter should do exactly this. Set up users in groups, and then configure the maximum session time per-group.

  Alan DeKok.

--__--__--

Message: 4
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: problem authenticating to passwd/shadow files
Date: Thu, 21 Oct 2004 12:28:03 -0400
Reply-To: [EMAIL PROTECTED]

"Cameron Birky" <[EMAIL PROTECTED]> wrote:
> I encrypt at my client and then the pptpd calls the freeradius plugin
> for authentication. does anyone know if pptpd decrypts before it
> passes the string to freeradius for authentication?

  Q: How do you "encrypt" at the client?

  Q: How could pptpd decrypt the password?

  If the answer to the second question is "it can't", then FreeRADIUS probably can't decrypt it, either.

  Alan DeKok.

--__--__--

Message: 5
From: "Nurul Faizal Bin M.Shukeri" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: Reauthenticate User
Date: Thu, 21 Oct 2004 12:59:51 -0700
Organization: Pusat Komputer, USM
Reply-To: [EMAIL PROTECTED]

I use two level of authentication. First username and password (EAP-PEAP) and then check for MAC Addresses. I've tried to use session-timeout, but when I use this attribute, cache for user info will be lost and we need to enter username & password again.

Hope u can help me Julius Igugu. TQ very much for your response.

Nurul Faizal Bin M.Shukeri
Pusat Komputer,
Universiti Sains Malaysia.

--------------------------------

What do you use for authentication? MAC Addresses, 802.1x, etc?

--- "Nurul Faizal Bin M.Shukeri" <[EMAIL PROTECTED]> wrote:
> I've got cisco aironet 350 series AP.
>
> > ---
> >
> > This will depend on your NAS/RAS.
> >
> > Which one do you have?
> >
> > --- "Nurul Faizal Bin M.Shukeri" <[EMAIL PROTECTED]> wrote:
> >
> > > Hi again..,
> > >
> > > Anyone plz help me. How to reauthenticate user every example 30 min without
> > > reenter username and password ?
> > >
> >
> > Nurul Faizal Bin M.Shukeri
> > Pusat Komputer,
> > Universiti Sains Malaysia.

--__--__--

Message: 6
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: WPA - Freeradius external script problem
Date: Thu, 21 Oct 2004 12:31:20 -0400
Reply-To: [EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:
> Ok. I wasn't explaining the situation clear enough. The script always
> succeeds only for testing. Later on I will implement some logic to it
> which will check the received user account from external systems and
> returns exit value 0 or 1 depending on the external authentication. I
> print out the password because I thought it was needed in the
> freeradius to authenticate EAP-PEAP authentication request. Obviously
> I'm wrong?

  You are contradicting yourself again.

  If your script authenticates the user, then FreeRADIUS doesn't need to authenticate the user.

  If your script is simply printing a User-Password, and expects FreeRADIUS to use that password to authenticate the user, then your script is not authenticating the user.

  If your script doesn't understand PEAP, then it can't authenticate the user. Move your script to the "authorize" section, and let FreeRADIUS decide how to authenticate the user.

  Alan DeKok.

--__--__--

Message: 7
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Missing db_mssql.sql in 1.0.1 distribution
Date: Thu, 21 Oct 2004 12:32:25 -0400
Reply-To: [EMAIL PROTECTED]

"Rogier Mulder" <[EMAIL PROTECTED]> wrote:
> While digging deeper into the src tree, I'm getting the feeling that
> there is more I'm missing. In
> src/modules/rlm_sql/drivers/rlm_sql_freetds there is only Makefile. It
> references sql_freetds.c which is not on the system.

  The freetds support was deleted.

> What do I need to do, to make a plain-vanilla 1.0.1 distribution to
> work with MS SQL Server 7/2000?

  This was answered on the list yesterday, I believe. See rlm_sql_iodbc.

  Alan DeKok.

--__--__--

Message: 8
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Password Encryption
Date: Thu, 21 Oct 2004 12:33:34 -0400
Reply-To: [EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:
> I'm working with PPP Dial-In connections to a Cisco box with CHAP
> authentication. My users are authenticated through Radius server
> (freeradius 1.0.1) and the user profiles are load in a MySQL database
> created with the script provided in a freeradius.tar.gz file. All is
> working fine. However all passwords are in clear text and I'd like to
> work with Encrypted password.

  No. It's impossible. Stop trying.

> Do you have some suggestions about this issue?

  Leave the passwords in clear-text in SQL.

  Alan DeKok.

--__--__--

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

End of Freeradius-Users Digest
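Why the answer in Message 8 holds for CHAP, as an added example (Python written for this page, not code from FreeRADIUS or from any poster): the client sends only MD5(identifier || secret || challenge) as defined in RFC 1994, so the server can verify it only by recomputing the digest from the same secret bytes. The password, identifier and challenges below are constructed sample values.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def server_check(ident: int, challenge: bytes, response: bytes,
                 stored_value: bytes) -> bool:
    """Recompute the response from whatever the user store holds.

    The server never sees the password, only the 16-byte digest, so the
    recomputation must start from the same bytes the client used.
    """
    expected = chap_response(ident, stored_value, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    password = b"correct horse"
    ident = 0x2A
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")

    # What the dial-in client puts on the wire.
    response = chap_response(ident, password, challenge)

    # Case 1: the SQL table holds the clear-text password.
    cleartext_ok = server_check(ident, challenge, response, password)

    # Case 2: the SQL table holds a one-way hash of the password. The
    # server cannot get back to the bytes the client hashed, so the
    # recomputed digest differs and a correct login is rejected.
    stored_hash = hashlib.sha256(password).hexdigest().encode()
    hashed_ok = server_check(ident, challenge, response, stored_hash)

    # Case 3: every new challenge yields a new response, so keeping an
    # old response in the table instead of the password does not work.
    challenge2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    changes = chap_response(ident, password, challenge2) != response

    return {
        "cleartext_store_verifies": cleartext_ok,
        "hashed_store_verifies": hashed_ok,
        "response_depends_on_challenge": changes,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```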
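The length arithmetic behind the warning quoted in Message 2, as an added example (Python written for this page, not FreeRADIUS source): a RADIUS attribute's length octet counts its own type and length octets, so a Vendor-Specific attribute whose length field is 2 carries zero value octets, while RFC 2865 requires a 4-octet vendor id plus at least one data octet. All packet bytes are constructed, and vendor id 32473 is the enterprise number reserved for documentation.

```python
import struct

VENDOR_SPECIFIC = 26   # attribute type, RFC 2865
HEADER_LEN = 20        # code, identifier, length, 16-byte authenticator


class MalformedPacket(ValueError):
    pass


def parse_attributes(packet: bytes):
    """Return [(type, value), ...] or raise MalformedPacket."""
    if len(packet) < HEADER_LEN:
        raise MalformedPacket("packet shorter than RADIUS header")
    _code, _ident, total = struct.unpack("!BBH", packet[:4])
    if total < HEADER_LEN or total > len(packet):
        raise MalformedPacket("bad packet length %d" % total)
    attrs, pos = [], HEADER_LEN
    while pos < total:
        if total - pos < 2:
            raise MalformedPacket("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        # The length octet includes the two header octets themselves.
        if alen < 2 or pos + alen > total:
            raise MalformedPacket(
                "attribute %d has invalid length %d" % (atype, alen))
        value = packet[pos + 2:pos + alen]
        # A VSA value needs a 4-octet vendor id and at least 1 data octet.
        if atype == VENDOR_SPECIFIC and len(value) < 5:
            raise MalformedPacket(
                "Vendor-Specific has invalid length %d" % len(value))
        attrs.append((atype, value))
        pos += alen
    return attrs


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute (helper for the constructed samples)."""
    return bytes([atype, len(value) + 2]) + value


def build_packet(code: int, ident: int, raw_attrs: bytes) -> bytes:
    total = HEADER_LEN + len(raw_attrs)
    return struct.pack("!BBH", code, ident, total) + bytes(16) + raw_attrs


# Constructed samples.
USER_NAME = attr(1, b"bob")
GOOD_VSA = attr(VENDOR_SPECIFIC, struct.pack("!I", 32473) + attr(1, b"x"))
EMPTY_VSA = bytes([VENDOR_SPECIFIC, 2])   # length field 2, no value octets


def check(raw_attrs: bytes) -> str:
    try:
        parse_attributes(build_packet(1, 7, raw_attrs))
        return "ok"
    except MalformedPacket as exc:
        return str(exc)


if __name__ == "__main__":
    print(check(USER_NAME + GOOD_VSA))
    print(check(USER_NAME + EMPTY_VSA))
```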