problem with radutmp, radwtmp
Hi!

I run radiusd and authenticate successfully many times but radutmp is still empty. When I try radiusd -x=10

pa. 23 12:27:59: [3315]: leakdetect.c:95:efree:free(0x8098518)
pa. 23 12:27:59: [3315]: leakdetect.c:95:efree:free(0x8098538)
pa. 23 12:27:59: [3315]: leakdetect.c:95:efree:free(0x8099850)
pa. 23 12:27:59: [3315]: leakdetect.c:45:xmalloc:malloc(20) = 0x8099850
pa. 23 12:27:59: [3315]: leakdetect.c:95:efree:free(0x8097c60)
pa. 23 12:27:59: [3315]: leakdetect.c:45:xmalloc:malloc(17) = 0x8097c60
pa. 23 12:27:59: [3315]: leakdetect.c:95:efree:free(0x80984e8)
pa. 23 12:27:59: [3315]: leakdetect.c:45:xmalloc:malloc(17) = 0x80984e8
..

What's the problem? How can I use /var/log/radstat? Why can't I find radwtmp?

Best regards
Zdzich

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Basic Mysql Config questions + IP+Nas_port questions
>> I encrypt passwords with ENCRYPT(). I never tried to use plaintext passwords with mysql.

> ok .. will try that immediately. (is this related to using chap or pap ?)

I use PAP. You cannot use encryption with CHAP. Look in sql.conf to find out how rlm_sql handles passwords. There is a little trick there.

> I DID find the db_mysql.sql that creates the tables .. but could not find the script you mention to populate the dictionary and nas tables ... is it a contributed module ?

Don't remember. I used some script and passed it dictionary file in the command line, but now I can't find it. Ask this in the mail list. I populated NAS table manually but it seems rlm_sql doesn't use it.

Andrew
Re[2]: SQL authorization with operators
On Monday, October 22, 2001 21:21 [EMAIL PROTECTED] wrote:

>> I'm looking for volunteers to check the patch which provides (as I suppose) operator support in SQL authorization mode. Look here:

> This looks reasonable to me, but I can't test it. If anyone else has success with it, I'll commit it. Otherwise, I'll wait a few days, and commit it anyhow. :)

Please don't. I think only tested patches should be applied. In that patch I added support only for 'check' AV pairs. Shall I add operator support for 'reply' AV pairs too?

Mitry.

PS. However, if you do commit, we get a great amount of testers :)
Problems with group authentication
Hi!

I'm using FreeRadius 0.2 and I have a problem with group authentication. When a user tries to authenticate, several lines appear (in the /var/log/radius/radius.log file) like the following:

Mon Oct 22 18:53:11 2001 : Error: group = /etc/group

However, the user authenticates correctly and the group rules apply. In the users file I have several lines that check group permissions, like the following:

DEFAULT Group == group1 Filter-Id = filter1.in, Fall-Through = Yes
DEFAULT Group == group2 Filter-Id = hf.in, Fall-Through = Yes
DEFAULT Group == group3, Called-Station-Id = called_id1 Auth-Type = Reject
DEFAULT Group == group4, Called-Station-Id = called_id2 Auth-Type = Reject

Does somebody have a clue about what's happening? Is it a configuration error? Could it be a problem with the operating system?

Thanks in advance for any help.

Regards,
--
Fernando Gonzalez
Re: CHAP Auth
At 09:48 AM 10/23/2001 -0400, you wrote:

> Is it possible to do CHAP authentication and PAP using the unix auth module? Currently it does not seem to support it. I setup the NAS as an ascend which in the ascend dictionary seems to support CHAP but it did not fix the problem. Any suggestions?

http://www.freeradius.org/faq/#4.4

Read the FAQ.

-Chris
--
Chris Parker - Manager, Development Engineering
WX *is* Wireless!
[EMAIL PROTECTED]
http://www.starnetwx.net
(847) 963-0116
Without C we would have 'obol', 'basi', and 'pasal'
Re: Modifying username before proxying?
[EMAIL PROTECTED] wrote:

> Need to modify the username attribute before it gets sent on to the proxy based upon number that is dialed, only for certain numbers and not others.

rlm_attr_rewrite should be updated to also look for rewrite information in the list of configuration items. But that requires more source code patches.

Alan DeKok.
stripping the prefixes for accounting
Hi List,

Is there a simple way to use Stripped-User-Name for accounting? I'm trying to do something like:

DEFAULT Prefix == pref User-Name := %{Stripped-User-Name}

in acct_users file.

If acct_users works only with existing attributes there should be other way to strip prefixes for accounting ?

Regards,
--
B.
Re: problem with radutmp, radwtmp
[EMAIL PROTECTED] wrote:

> I run radiusd and authenticate successfully many times but radutmp is still empty.

So? radutmp stores *accounting* records, not authentication records.

> When I try radiusd -x=10

That won't work. If it does, you're not running freeradius.

Alan Dekok.
Re: Re[2]: SQL authorization with operators
Mitry Matyushkov [EMAIL PROTECTED] wrote:

> Please don't. I think only tested patches should be applied. In that patch I added support only for 'check' AV pairs. Shall I add operator support for 'reply' AV pairs too?

Yes.

My reason for adding the patch was that it can always be removed if there's a problem. And unless the patch is added to the main source, few, if any, people will try it.

Alan Dekok.
Re: Problems with group authentication
Gonzalez B., Fernando [EMAIL PROTECTED] wrote:

> Hi! I'm using FreeRadius 0.2 and I have a problem with group authentication. When a user tries to authenticate, several lines appear (in the /var/log/radius/radius.log file) like the following:
>
> Mon Oct 22 18:53:11 2001 : Error: group = /etc/group
>
> However, the user authenticates correctly and the group rules apply.

Don't worry about it. Upgrade to 0.3, or to the latest CVS snapshot, and the problem will go away.

Alan DeKok.
Re: stripping the prefixes for accounting
Bobi [EMAIL PROTECTED] wrote:

> Is there a simple way to use Stripped-User-Name for accounting?

Yes... if it exists, it will go into the detail record.

> I'm trying to do something like:
>
> DEFAULT Prefix == pref User-Name := %{Stripped-User-Name}
>
> in acct_users file

Uh, why?

> If acct_users works only with existing attributes

Yes. It only uses attributes which already exist in the request.

> there should be other way to strip prefixes for accounting ?

Why do you want to strip the prefixes only for accounting?

Alan DeKok.
Re: acct_users confusion
I figured this out on my own...

DEFAULT Called-Station-Id == 5, Replicate-To-Realm := isp1.com
DEFAULT Called-Station-Id == 6, Replicate-To-Realm := isp2.com

Thanks,
Brian

- Original Message -
From: Brian Gordon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 23, 2001 12:28 PM
Subject: acct_users confusion

I am confused by the accounting methods of this software. I am using this program to proxy requests to other radius servers based upon callingstation-id. This is working great now, however the accounting records by the syntax of the example in acct_users show that it sends a copy of the records only to one realm?? I am confused by this. I would like the accounting to be copied to whatever realm is used by that customer. If done by NAS-IP-Address like this looks like you can only copy accounting records to one proxy server. I guess I don't understand what to put in here to get my desired result.

# ISP 1
DEFAULT NAS-IP-Address == 127.0.0.1, Replicate-To-Realm := isp1.com
# ISP 2
DEFAULT NAS-IP-Address == 127.0.0.1, Replicate-To-Realm := isp2.com

If the records are coming from the same NAS how do I get them to replicate to both realms? Would I have to query off calledstation id instead?

Thanks,
Brian
Re: SQL authorization with operators
On Tuesday, October 23, 2001 18:47 [EMAIL PROTECTED] wrote:

>> Please don't. I think only tested patches should be applied. In that patch I added support only for 'check' AV pairs. Shall I add operator support for 'reply' AV pairs too?

> Yes.

OK. The patch is getting much simpler. Here is the new patch location:

http://todes.org.by/~mitry/freeradius/rlm_sql/README.patch
http://todes.org.by/~mitry/freeradius/rlm_sql/rlm_sql.diff

Mitry.
SecurID support
Does the FreeRADIUS support security token products from RSA Inc. (SecurID/ACE server) ?

XJ
Re: SecurID support
Xj Wang [EMAIL PROTECTED] wrote:

> Does the FreeRADIUS support security token products from RSA Inc. (SecurID/ACE server) ?

No, sorry. As always, patches are welcome.

Alan DeKok.
Changing RADIUS Passwords
Hi,

I'm looking into using RADIUS for authentication of remote dial-in and VPN users and, since I'm completely new to RADIUS, I was hoping I could pose a few questions to the list...

1. freeRADIUS is officially listed as beta software but is anyone using it in production and/or do you feel that it is mature and stable enough to do so.

2. We would like to give users the ability to change their passwords and since, as far as I can tell, this is not a built-in feature of freeRADIUS or any other RADIUS server I was wondering what strategies people are using to allow this other than simply using Auth-Type = System and having them telnet to the RADIUS server and change their password.

Thanks.

John Blumel
Re: Changing RADIUS Passwords
John Blumel [EMAIL PROTECTED] wrote:

> 1. freeRADIUS is officially listed as beta software but is anyone using it in production and/or do you feel that it is mature and stable enough to do so.

A number of people use it in production, and it seems to be stable.

> 2. We would like to give users the ability to change their passwords and since, as far as I can tell, this is not a built-in feature of freeRADIUS or any other RADIUS server I was wondering what strategies people are using to allow this other than simply using Auth-Type = System and having them telnet to the RADIUS server and change their password.

Set their shell on the Unix system to '/bin/passwd', or whatever other password changing tool you want. They can then log in to change their password, and do nothing else.

Alan DeKok.
Re: CHAP Auth
At 05:18 PM 10/23/2001 -0400, Russell Enderby wrote:

> The FAQ says to do this:
>
> So, if you're using CHAP, for each user entry you must use:
> Auth-Type = Local, Password = stealme
> If you're using only PAP, you can get away with:
> Auth-Type = System
>
> In the users file I changed the default line from Auth-Type=System to Auth-Type := Local, Password == stealme and by doing this all users have to use 'stealme' as their password then to authenticate. Certainly this is not how CHAP protocol is supposed to work. What I need is to be able to do PAP and CHAP using the System to check the unix shadow file for their password to authenticate correctly. It seems this change does not do that. Does anyone else know how to do this kind of authentication?

Read further. You can't. In order to do CHAP you *must* store the passwords in plaintext locally in the users file ( or sql database ). You *CANNOT* use CHAP authentication with encrypted system passwords. Sorry, that's how CHAP was designed.

If you want to support both, you need to cater to the least common denominator, and that's CHAP.

PAP: Works with encrypted and non-encrypted passwords.
CHAP: Works with non-encrypted passwords.

-Chris
--
Chris Parker - Manager, Development Engineering
WX *is* Wireless!
[EMAIL PROTECTED]
http://www.starnetwx.net
(847) 963-0116
Without C we would have 'obol', 'basi', and 'pasal'
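Why the server needs the cleartext password for CHAP but not for PAP, as an added example that is not part of the original thread. The CHAP response follows RFC 1994, MD5(identifier || secret || challenge); the PBKDF2 hash is an assumed stand-in for a crypt(3) shadow entry, and all names and values are constructed.

```python
import hashlib
import hmac


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def hash_password(password: bytes, salt: bytes) -> bytes:
    """One-way stored form (assumption: stands in for a crypt(3) shadow hash)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def pap_verify(received: bytes, salt: bytes, stored_hash: bytes) -> bool:
    # PAP hands the server the password itself, so the server can re-hash
    # what it received and compare against the stored one-way hash.
    return hmac.compare_digest(hash_password(received, salt), stored_hash)


def chap_verify(chap_id: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    # CHAP hands the server only a digest. To check it, the server must
    # recompute the digest from the same secret bytes the client used.
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-password"   # constructed sample value
    salt = b"constructed-salt"           # constructed sample value
    stored_hash = hash_password(password, salt)

    chap_id, challenge = 7, bytes(range(16))                 # constructed
    response = chap_response(chap_id, password, challenge)   # client side

    return {
        # Server holds only the hash: PAP still verifies.
        "pap_with_hash": pap_verify(password, salt, stored_hash),
        # Server holds the cleartext password: CHAP verifies.
        "chap_with_plaintext": chap_verify(chap_id, challenge, response, password),
        # Server holds only the hash: the digest cannot be reproduced.
        "chap_with_hash": chap_verify(chap_id, challenge, response, stored_hash),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```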
Re: stripping the prefixes for accounting
Hi Alan,

I'm migrating from heavy patched by me Livingston radius. Freeradius is most configurable one I managed to find and it was really easy (with 2-3 slight patches like %{raw:Attr-Name} in xlat anyway :) to switch it for all my needs. One of the very few things I still need to do is sql accounting for one type of prefix to be done with stripped User-Name.

It will be nice sql accounting to be configurable as easy as sql authentication. Possibility for calling different sql accounting sub functions just like calling different sql authentication subfunctions will be very handy.

One more thing I think isn't configurable enough in rlm_sql: Only plain text and unix style encrypted passwords can be checked. Maybe it's good idea to add external password checking. Someone may be using sql password() or (like me) its own password encrypting function.

Regards,
B.

[cut]

>> If acct_users works only with existing attributes

> Yes. It only uses attributes which already exist in the request.

>> there should be other way to strip prefixes for accounting ?

> Why do you want to strip the prefixes only for accounting?
>
> Alan DeKok.