Upgrading from 0.5 to 0.6

2002-07-05 Thread Jeremy Salch

I have a proxy radius server running freeradius 0.5 and I am wanting to
update it to 0.6.

Should I just be able to compile 0.6, do a make install and restart the
service, using the same config files?

-- 
Business website -- www.granbury.com
Personal website -- www.tblx.net

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



DBM file usage

2002-07-05 Thread Brad Crotchett

Hi,

I am trying to get freeradius 0.6.6 to use our dbm file containing users and
passwords.  I have already compiled radius to have dbm support, but when I
try to start radius with the -d option, I just get the usage screen meaning
I have something wrong.  Can anyone help me tell freeradius to use my dbm
file?

Thanks,

Brad





Re: Upgrading from 0.5 to 0.6

2002-07-05 Thread Jeremy Salch

On Friday 05 July 2002 11:06 am, Alan DeKok wrote:
> Jeremy Salch [EMAIL PROTECTED] wrote:
> > should i just be able to compile 0.6, do a make install and restart the
> > service?  using the same config files
>
>   That should work, yes.
>
>   But I would test it, first.  Playing with live systems requires
> great care. :)

I will.  thanks

>   Alan DeKok.




Proxying problem Help needed

2002-07-05 Thread Jeremy Salch

I have 2 numbers and 2 realms I'm trying to proxy.  What I want to happen is I
want it to proxy by realm first, and if they don't have a realm then proxy by
the number they dialed.  And as I understand it, the user file is processed
until a match is found.

With just this listed it will proxy based upon phone number but not based on
realm.  It sends the username and the realm to the proxy server, and then I
have to set up proxying on that server also if I want to send the realm to the
proper server.

These two are put together because they are both the same number, but
sometimes the phone company sends me one number and sometimes they send me a
different number:

DEFAULT Called-Station-Id == 5735309, Proxy-To-Realm := realm2
DEFAULT Called-Station-Id == 5309, Proxy-To-Realm := realm2


DEFAULT Called-Station-Id == 5730606, Proxy-To-Realm := realm1.net

--

This is what I tried to add to make it proxy based upon realm before the phone
number, so I put this before the DEFAULT entries for phone number:

#DEFAULT
#   Realm == realm1.net,
#   Proxy-to-Realm := realm1.net
#
#
#DEFAULT
#   Realm == realm2,
#   Proxy-to-Realm := realm2

But when I entered it into the config and restarted the radius server, these
lines below would not work.  For some reason it caused them to not work:

DEFAULT Called-Station-Id == 5735309, Proxy-To-Realm := realm2
DEFAULT Called-Station-Id == 5309, Proxy-To-Realm := realm2


This line still worked:

DEFAULT Called-Station-Id == 5730606, Proxy-To-Realm := realm1.net

And proxy.conf still worked.  But the problem is getting it to proxy based
upon realm, then phone number.





EAP Cert trust list

2002-07-05 Thread De Yong, Doug



I've been trying to get the EAP-TLS going but I haven't been able to figure
out what needs to be used for the trusted CA list.

How do I generate this file? I used OpenSSL to generate the keys.

thanx/doug

---

# Extensible Authentication Protocol
#
# For all EAP related authentications
eap {
    # Invoke the default supported EAP type when
    # EAP-Identity response is received
    default_eap_type = tls

    # Default expiry time to clean the EAP list,
    # It is maintained to co-relate the
    # EAP-response for each EAP-request sent.
    timer_expire = 60

    # Supported EAP-types
    md5 {
    }

    ## FIXME: EAP-TLS is highly experimental EAP-Type at the moment.
    # Please give feedback.
    tls {
        private_key_password = xxx
        private_key_file = /etc/1x/sparcy-cert-srv.pem
        KEYS GENERATED FROM THE OPENSSL CERT AUTHORITY

        # Sometimes Private key & Certificate are located
        # in the same file, then private_key_file & certificate_file
        # must contain the same file name.
        certificate_file = /etc/1x/sparcy-cert-srv.pem

        # Trusted Root CA list
        # CA_file = /path/filename
        CA_file = /etc/1x/r/CA.pam
        HERE IS THE PROBLEM ABOVE
        RADIUSD LOG SHOWS EAP WON'T INITIALIZE CANT READ TRUSTED CA FILE.
        WHERE DOES ONE GET THIS FILE?

        dh_file = /etc/1x/r/dh
        random_file = /etc/1x/r/random



Re: EAP Cert trust list

2002-07-05 Thread Artur Hecker



De Yong, Doug wrote:
>
> I've been trying to get the EAP-TLS going but I haven't been able to
> figure out what needs to be used for the trusted CA list.
>
> How do I generate this file?  I used OpenSSL to generate the keys.

basically, it contains the public key of your CA. in the case of OpenSSL
it's a pem file. The howto (by ken roser) or adam (www.open1x.org)
explain how to generate it in detail.

one remark below though:

>    KEYS GENERATED FROM THE OPENSSL CERT AUTHORITY
>
> #   Sometimes Private key & Certificate are located
> #   in the same file, then private_key_file & certificate_file
> #   must contain the same file name.
>  certificate_file = /etc/1x/sparcy-cert-srv.pem
>
> #   Trusted Root CA list
> #  CA_file = /path/filename
>   CA_file = /etc/1x/r/CA.pam
>   HERE IS THE PROBLEM ABOVE
>   RADIUSD LOG SHOWS EAP WON'T INITIALIZE CANT READ TRUSTED CA FILE.
>    WHERE DOES ONE GET THIS FILE?


the line should probably be:
CA_file = /etc/1x/r/CA.pem

(pem replaces pam) i suppose it's a typo.


greetings,
artur


-- 
Artur Hecker
artur[at]hecker.info
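
A preflight check for the failure discussed in this thread, as an added example that is not part of the original messages: it reads the *_file settings of a tls block, confirms each path exists and is readable, and confirms that CA_file and certificate_file hold a PEM certificate block. The function names and the temporary directory layout are constructed for illustration, and the check does not validate the certificate chain itself.

```python
import os
import re
import tempfile

PEM_CERT = "-----BEGIN CERTIFICATE-----"
SETTING = re.compile(r"^\s*(\w+_file)\s*=\s*(\S+)")
MUST_HOLD_CERT = {"CA_file", "certificate_file"}

def check_tls_files(config_text):
    """Return {setting: problem} for every *_file setting that would fail to load."""
    problems = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip commented samples such as "# CA_file = /path/filename"
        match = SETTING.match(line)
        if not match:
            continue
        key, path = match.groups()
        if not os.path.isfile(path):
            problems[key] = "no such file: " + path
        elif not os.access(path, os.R_OK):
            problems[key] = "not readable by this user: " + path
        elif key in MUST_HOLD_CERT:
            with open(path, errors="replace") as fh:
                if PEM_CERT not in fh.read():
                    problems[key] = "no PEM certificate block in " + path
    return problems

def demo():
    """Constructed layout: CA.pem exists on disk, but the config names CA.pam."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("srv.pem", "CA.pem"):
            with open(os.path.join(d, name), "w") as fh:
                # Placeholder body, enough for the armor check only.
                fh.write(PEM_CERT + "\n(constructed)\n-----END CERTIFICATE-----\n")
        cfg = "\n".join([
            "tls {",
            "  certificate_file = " + os.path.join(d, "srv.pem"),
            "  # CA_file = /path/filename",
            "  CA_file = " + os.path.join(d, "CA.pam"),
            "}",
        ])
        before = check_tls_files(cfg)
        after = check_tls_files(cfg.replace("CA.pam", "CA.pem"))
    return before, after

if __name__ == "__main__":
    print(demo())
```

Run it as the account radiusd runs under, since readability depends on that user's permissions.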




Re: Multiple IPs to a Dial-in user.

2002-07-05 Thread Lee W

Hmm

I think I found the answer, if someone could confirm for me

user    Auth-Type = Local, Password = blegh
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.5.78,
        Framed-Route = 192.168.5.64/28 0.0.0.0 1



On Friday 05 July 2002 9:43, Lee W wrote:
> Hi all,
>
> I'm in a pinch. I have a customer that needs more than one IP routed to
> his ISDN connection so he can have a server at his location. If I can't get
> one to him he will have no choice but to go somewhere else. Anyway, is
> there a way to do this in freeradius? I have a static IP for him now. It
> assigns the static to one channel and pulls one out of the pool for the
> other channel.
>
> Thanks
>
> Lee

-- 
Lee Wolf
EMR Data Services



Multiple authentication profiles...

2002-07-05 Thread David C. Troy


All:

I have the following situation --

 1) Provider A uses PAP and doesn't want Ascend-Data-Filters
 2) Provider B uses PAP and DOES want Ascend-Data-Filters
 3) Provider C uses CHAP and doesn't want Ascend-Data-Filters
 4) They all want to use ports 1645/1646

Everything is authenticated from a central MySQL database where I store
both crypted and plaintext passwords, where needed.

Is it possible to support all four of the above conditions in a single
instance of freeradius?  Right now I am doing it by running a copy of
cistron and two copies of freeradius on three machines.

I would prefer to have the three machines have an identical configuration
and use them for backup to each other, but I am not sure how I could go
about differentiating between the three different providers; maybe place
some directives in the clients.conf file?

Any assistance/pointers to the appropriate FM to R would be appreciated.

Dave

=
David C. Troy   [[EMAIL PROTECTED]]   410-544-6193 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net





Re: Multiple authentication profiles...

2002-07-05 Thread Alan DeKok

David C. Troy [EMAIL PROTECTED] wrote:
> I have the following situation --
>
>  1) Provider A uses PAP and doesn't want Ascend-Data-Filters
>  2) Provider B uses PAP and DOES want Ascend-Data-Filters
>  3) Provider C uses CHAP and doesn't want Ascend-Data-Filters
>  4) They all want to use ports 1645/1646
>
> Everything is authenticated from a central MySQL database where I store
> both crypted and plaintext passwords, where needed.
>
> Is it possible to support all four of the above conditions in a single
> instance of freeradius?

  I don't see why not.

> I would prefer to have the three machines have an identical configuration
> and use them for backup to each other, but I am not sure how I could go
> about differentiating between the three different providers; maybe place
> some directives in the clients.conf file?

  No, that won't help.


  Some comments:

  - all using 1645/1646 is fine.  FreeRADIUS will do that.

  - using PAP/CHAP is unimportant.  FreeRADIUS will authenticate
whatever comes in the RADIUS request.

  - if you want to FORCE the use of PAP or CHAP, that's a bit harder,
but I don't see why it would be useful, or necessary.


  So you're left with the problem of getting Ascend-Data-Filters to
two providers, but not the third.  The answer is to find out what
distinguishes the provider A/C packets from provider B.  Once you
know that, the answer is easy.

  If A/C come from client-A/client-C, and B comes from client-B, then
you can do in the 'users' file:

DEFAULT Client-IP-Address == client-A
        Ascend-Data-Filters...
        Fall-Through = Yes

DEFAULT Client-IP-Address == client-C
        Ascend-Data-Filters...
        Fall-Through = Yes


  Alan DeKok.




Re: Freeradius-Users -- confirmation of subscription -- request 485700

2002-07-05 Thread Amaury C Jr


- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 05, 2002 5:05 PM
Subject: Freeradius-Users -- confirmation of subscription -- request 485700


 Freeradius-Users -- confirmation of subscription -- request 485700
 
 We have received a request from 200.165.162.7 for subscription of your
 email address, [EMAIL PROTECTED], to the
 [EMAIL PROTECTED] mailing list.  To confirm the
 request, please send a message to
 [EMAIL PROTECTED], and either:
 
 - maintain the subject line as is (the reply's additional Re: is
 ok),
 
 - or include the following line - and only the following line - in the
 message body: 
 
 confirm 485700
 
 (Simply sending a 'reply' to this message should work from most email
 interfaces, since that usually leaves the subject line in the right
 form.)
 
 If you do not wish to subscribe to this list, please simply disregard
 this message.  Send questions to
 [EMAIL PROTECTED]
 





Authentication problem with PIX-515

2002-07-05 Thread Mario Vodopivec

I am using FreeRadius 0.5 and Cisco PIX-515 Firewall.
Authentication is denied and it looks exactly like the secret key is
misspelled on PIX, however I already checked that and it is not. 'radtest'
utility works just fine. Does anyone know if there is something specific
with PIX that would cause this problem?

Here is a portion of clients.conf file and the debug output:

client 10.10.1.1 {
        secret      = jg8d63196hfg
        shortname   = pix
}

rad_recv: Access-Request packet from host 10.10.1.1:1645, id=74, length=57
User-Name = mario
NAS-IP-Address = 10.10.1.1
User-Password = \303\035s.\343\000\255l\323\236Z\217DG*\033
NAS-Port = 5
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_eap: EAP-Message not found
  modcall[authorize]: module eap returns noop
  modcall[authorize]: module suffix returns ok
radius_xlat:  'mario'
sql_escape in:  'mario'
sql_escape out:  'mario'
sql_set_user:  escaped user -- 'mario'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'mario' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'mario' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mario' ORDER BY id'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'mario' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
radius_xlat:  'SELECT Value,Attribute FROM radcheck WHERE UserName = 'mario' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module sql returns ok
modcall: group authorize returns ok
auth: type Local
auth: Failed to validate the user.
Login incorrect: [mario/s\222,\252\031\362\217\314gw\371\352\345\350\260*] (from nas pix port 5)
  WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 74 to 10.10.1.1:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 74 with timestamp 3d25f8e9
Nothing to do.  Sleeping until we see a request.
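
How the warning in the debug output above comes about, as an added example that is not part of the original post: RFC 2865 hides User-Password by XORing it with MD5(shared secret + Request Authenticator), so a server whose secret differs from the one on the NAS recovers bytes that are mostly unprintable. The secrets, authenticator and password below are constructed values, and `is_printable` is a simplified model of the server's sanity check.

```python
import hashlib

def _keystream(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 section 5.2: b(i) = MD5(secret + previous 16-byte block)
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does before putting User-Password on the wire."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        hidden += block
        prev = block  # the next block is keyed on this ciphertext block
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does with its own copy of the shared secret."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128 or len(authenticator) != 16:
        raise ValueError("malformed User-Password attribute")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")  # drop the NUL padding

def is_printable(password: bytes) -> bool:
    # Assumption: treat anything outside printable ASCII as suspicious.
    return all(0x20 <= b < 0x7F for b in password)

def demo():
    authenticator = bytes(range(16))      # constructed Request Authenticator
    nas_secret = b"constructed-secret"    # constructed: configured on the NAS
    typo_secret = b"constructed-secert"   # constructed: server copy with a typo
    wire = hide_password(b"hunter2-sample", nas_secret, authenticator)
    good = recover_password(wire, nas_secret, authenticator)
    bad = recover_password(wire, typo_secret, authenticator)
    return good, is_printable(good), bad, is_printable(bad)

if __name__ == "__main__":
    for item in demo():
        print(item)
```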







Re: Multiple authentication profiles...

2002-07-05 Thread David C. Troy


Alan -- Thanks for the help.  One further bit of clarification --

the Providers A, B, C each have about 10-20 proxy boxes.  I would prefer
to define them as classes of proxies rather than have to set up individual
profiles in the 'users' file.

Is there any reasonable way to do this, or am I really stuck putting a
users entry for each proxy box?

Regards,
Dave


On Fri, 5 Jul 2002, Alan DeKok wrote:

> David C. Troy [EMAIL PROTECTED] wrote:
> > I have the following situation --
> >
> >  1) Provider A uses PAP and doesn't want Ascend-Data-Filters
> >  2) Provider B uses PAP and DOES want Ascend-Data-Filters
> >  3) Provider C uses CHAP and doesn't want Ascend-Data-Filters
> >  4) They all want to use ports 1645/1646
> >
> > Everything is authenticated from a central MySQL database where I store
> > both crypted and plaintext passwords, where needed.
> >
> > Is it possible to support all four of the above conditions in a single
> > instance of freeradius?
>
>   I don't see why not.
>
> > I would prefer to have the three machines have an identical configuration
> > and use them for backup to each other, but I am not sure how I could go
> > about differentiating between the three different providers; maybe place
> > some directives in the clients.conf file?
>
>   No, that won't help.
>
>
>   Some comments:
>
>   - all using 1645/1646 is fine.  FreeRADIUS will do that.
>
>   - using PAP/CHAP is unimportant.  FreeRADIUS will authenticate
> whatever comes in the RADIUS request.
>
>   - if you want to FORCE the use of PAP or CHAP, that's a bit harder,
> but I don't see why it would be useful, or necessary.
>
>
>   So you're left with the problem of getting Ascend-Data-Filters to
> two providers, but not the third.  The answer is to find out what
> distinguishes the provider A/C packets from provider B.  Once you
> know that, the answer is easy.
>
>   If A/C come from client-A/client-C, and B comes from client-B, then
> you can do in the 'users' file:
>
> DEFAULT   Client-IP-Address == client-A
>   Ascend-Data-Filters...
>   Fall-Through = Yes
>
> DEFAULT   Client-IP-Address == client-C
>   Ascend-Data-Filters...
>   Fall-Through = Yes
>
>
>   Alan DeKok.
