quintum with freeradius
Dear members,
I have installed freeradius 0.7 on redhat linux 7.2 and quintum 800 is configured to that server. My users file contains just 1234567890 password == 1234567890 this entry. My radius server is accepting the accounting number and pin number. But quintum tenor says that: Received OnAccessAccept by the reason = -1 and the call is terminating. Now I am fed up with this configuration. Can anyone on the list help me regarding this matter?
Thanks
Rgds
Nihal Piyasiri
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: solaris/sparc Forte
On Mon, 4 Nov 2002 20:07:46 -0500 Gene Parks [EMAIL PROTECTED] wrote:
I had a similar problem when I ran make on my Solaris 8 box but I decided to take another route. I installed SUSE 7.3 for SPARC and everything is working great now.
Gene Parks
VIP Direct
Finally! Another SuSE user on the list! Any luck with getting an rpm build to work yet?
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

Cisco VPN 3000 Series Concentrator/Cisco VPN Client: Freeradius Configuration Example
Dear all,
I assume somebody out there has managed to get Freeradius authenticate a VPN connection between a W2k Cisco VPN Client (IPSec) and a Cisco 3000 VPN Concentrator. Although I have been extensively searching the documentation as well as the net (and this list) I have not found a users file configuration example to start with. Is there any kind soul willing to share this information?
Many thanks,
David

quintum
Hello anybody. I try to use quintum tenor. My Users file:
#Entry for billing model
123 Auth-Type := Accept
    Quintum-h323-return-code = h323-return-code=0,
    Quintum-h323-credit-amount = h323-credit-amount=124,
    Quintum-h323-credit-time = h323-credit-time=10
#I think will be better to use smart program, which return some attributes dynamically
#Entry for Post pay model
456 Auth-Type := Local, User-Password == 789
    Quintum-h323-return-code = h323-return-code=0
DEFAULT Auth-Type := Reject
    Quintum-h323-return-code = h323-return-code=1
I have installed freeradius 0.7 on redhat linux 7.2 and quintum 800 is configured to that server. My users file contains just 1234567890 password == 1234567890 this entry. My radius server is accepting the accounting number and pin number. But quintum tenor says that: Received OnAccessAccept by the reason = -1 and the call is terminating.
I have some question concerning VSA. In radiusd.conf there is with_cisco_vsa_hack = yes. Is this parameter using only with cisco? How can I get such behaviour with Quintum? Remind, I need have instead H323-Attribute = h323-attribute=value this h323-attribute=value
Best regards.

Re: quintum
I have some question concerning VSA. In radiusd.conf there is with_cisco_vsa_hack = yes. Is this parameter using only with cisco? How can I get such behaviour with Quintum? Remind, I need have instead H323-Attribute = h323-attribute=value this h323-attribute=value
This hack is only for Cisco VSAs (there is hardcoded Cisco's Vendor ID - 9). It is very simple to make a small hack to have that feature for Quintum... take a look for rlm_preprocess.c file
Thomas

RE: New EAP/TLS + MPPE WinXP HOWTO questions with creating Certificate Authority (CA)
Augustine wrote:
Where do you find Raymond Mckay's file?
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

creating ldap module with Solaris 9.
Hi all:
I have recently downloaded the 0.7.1 version of freeradius, to be used with a LDAP server built on solaris 9 with SunOne (netscape) directory server 5.X. My problem is with the call of libraries: although I have ber_decode and other commands/headers on the ldap library -lldap, the configure of that module insists on calling -llber; can anybody tell me if I can work around this and how..? copying libraries and renaming???
Thanks

Re: creating ldap module with Solaris 9.
Randall Badilla [EMAIL PROTECTED] wrote:
I have recently downloaded the 0.7.1 version of freeradius, to be used with a LDAP server built on solaris 9 with SunOne (netscape) directory server 5.X.
I think that the module is for OpenLDAP, not Netscape LDAP. It would need patches to make it work with netscape, sorry.
Alan DeKok.

sql accounting and custom attributes
Hello All,
doc/variables.txt mentions that you can use %{Attribute-Name}, but what if there are several attributes with the same name, e.g. Cisco-AVpair? I just want to log ras-tx-speed and ras-rx-speed attributes from the cisco in sql table. Is there any trick?
--
Best regards, Alexey Chetroi
---
Smile... Tomorrow will be worse. (c) Murphy's law

Re: Cisco VPN 3000 Series Concentrator/Cisco VPN Client: Freeradius Configuration Example
David Knecht [EMAIL PROTECTED] wrote:
I assume somebody out there has managed to get Freeradius authenticate a VPN connection between a W2k Cisco VPN Client (IPSec) and a Cisco 3000 VPN Concentrator. Although I have been extensively searching the documentation as well as the net (and this list) I have not found a users file configuration example to start with.
The server does NOT come with instructions on setting up every possible combination of NAS, network, and other configuration. Instead, it comes with instructions on how to understand the configuration... So the questions you should be asking yourself are:
- What attributes does the RADIUS client send in a request?
- What attributes does the RADIUS client need in a response?
There's really nothing else. And that information can be found by reading the client documentation, and by running the server in debugging mode.
Alan DeKok.

Re: Radius attributes in SQL INSERT
Mieczyslaw Maciejewski (EPO) wrote:
For some purposes it is better to have numeric values in database. We have GUI which then presents data in user friendly fashion.
And numbers in the database are easier to understand than names? OK. If I comment out attributes in dictionary, then everything will work for me. Is there any other way to do it without changing dictionary?
Right now, no.
Alan DeKok.

RE: Radius attributes in SQL INSERT
Thx Numbers in the database are easier to understand for some programs which do whimsical operations and finally present data in a graphical way. MM -Original Message- From: Alan DeKok [mailto:aland;ox.org] Sent: Tuesday, November 05, 2002 4:35 PM To: [EMAIL PROTECTED] Subject: Re: Radius attributes in SQL INSERT Mieczyslaw Maciejewski (EPO) wrote: For some purposes it is better to have numeric values in database. We have GUI which then presents data in user friendly fashion. And numbers in the database are easier to understand than names? OK. If I comment out attributes in dictionary, then everything will work for me. Is there any other way to do it without changing dictionary? Right now, no. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Front End for Free radius
Mody Sachin (Princeton) [EMAIL PROTECTED] wrote:
Does anyone know of any front-end tools for FreeRadius?
Like dialup_admin (web gui), which is included in the distribution?
Alan DeKok.

Re: Radius attributes in SQL INSERT
Mieczyslaw Maciejewski (EPO) wrote:
Numbers in the database are easier to understand for some programs which do whimsical operations and finally present data in a graphical way.
Huh? The numbers assigned to Acct-Status-Type values are meaningless. You can't graph them, as they have no relationship to each other. I still don't understand why it's an issue.
Alan DeKok.

Re: Cisco VPN 3000 Series Concentrator/Cisco VPN Client: Freeradius Configuration Example
André,
Fyi...
David
[EMAIL PROTECTED] wrote:
From: Alan DeKok [EMAIL PROTECTED]@lists.cistron.nl on 05.11.2002 10:33 EST
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Re: Cisco VPN 3000 Series Concentrator/Cisco VPN Client: Freeradius Configuration Example
David Knecht [EMAIL PROTECTED] wrote:
I assume somebody out there has managed to get Freeradius authenticate a VPN connection between a W2k Cisco VPN Client (IPSec) and a Cisco 3000 VPN Concentrator. Although I have been extensively searching the documentation as well as the net (and this list) I have not found a users file configuration example to start with.
The server does NOT come with instructions on setting up every possible combination of NAS, network, and other configuration. Instead, it comes with instructions on how to understand the configuration... So the questions you should be asking yourself are:
- What attributes does the RADIUS client send in a request?
- What attributes does the RADIUS client need in a response?
There's really nothing else. And that information can be found by reading the client documentation, and by running the server in debugging mode.
Alan DeKok.
--
David Knecht, AnyWeb AG, Technoparkstrasse 1, CH-8005 Zuerich
Independent Networking Training and Services
Certified Cisco Silver Partner
http://www.anyweb.ch
Fon: +41 1 445 1981 Fax: +41 1 445 1990
[EMAIL PROTECTED] [EMAIL PROTECTED]

Re: sql accounting and custom attributes
Alexey Chetroi [EMAIL PROTECTED] wrote:
doc/variables.txt mentions that you can use %{Attribute-Name}, but what if there are several attributes with the same name, eg Cisco-AVpair?
The server doesn't handle that right now.
I just want to log ras-tx-speed and ras-rx-speed attributes from the cisco in sql table. Is there any trick?
That's an even more difficult problem. You don't know the order of the attributes, so you want to log Cisco-AVpair attributes which contain certain values. Your best bet right now is to use some kind of external program to do the work, or to write a module to pull the information you want out of the attributes.
Alan DeKok.

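An added illustration of the external-program route suggested in the reply above (not code from FreeRADIUS or from anyone on the list): a Python program that reads accounting detail records, collects every Cisco-AVPair regardless of order, and stores ras-tx-speed and ras-rx-speed through bound SQL parameters. The detail-file layout, the key=value form of the pairs, the sample records, the ras_speed table and the use of SQLite in place of the site's database are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample in the layout of a FreeRADIUS accounting "detail" file.
# The AVPair keys are the ones named in the question; the values are made up.
SAMPLE_DETAIL = (
    'Tue Nov  5 16:35:02 2002\n'
    '\tUser-Name = "alice"\n'
    '\tAcct-Status-Type = Stop\n'
    '\tAcct-Session-Id = "0000A1B2"\n'
    '\tCisco-AVPair = "other-key=ignored"\n'
    '\tCisco-AVPair = "ras-tx-speed=33600"\n'
    '\tCisco-AVPair = "ras-rx-speed=48000"\n'
    '\n'
    'Tue Nov  5 16:41:17 2002\n'
    '\tUser-Name = "bob"\n'
    '\tAcct-Status-Type = Stop\n'
    '\tAcct-Session-Id = "0000A1B3"\n'
    '\tCisco-AVPair = "ras-rx-speed=31200x"\n'   # malformed on purpose
    '\tCisco-AVPair = "ras-tx-speed=28800"\n'
)

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_records(text):
    """Yield one dict per record; repeated attributes keep every value."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines()[1:]:        # line 0 is the timestamp
            m = ATTR_RE.match(line)
            if m:
                attrs.setdefault(m.group(1).lower(), []).append(m.group(2))
        if attrs:
            yield attrs

def avpairs(attrs):
    """Map every Cisco-AVPair "key=value" string to a dict, whatever the order."""
    out = {}
    for raw in attrs.get("cisco-avpair", []):
        key, sep, value = raw.partition("=")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out

def speed_row(attrs):
    """Return (user, session, tx, rx); a speed is None unless it is all digits."""
    pairs = avpairs(attrs)

    def num(name):
        value = pairs.get(name, "")
        # The NAS supplies these strings, so treat them as untrusted input.
        return int(value) if re.fullmatch(r"[0-9]{1,10}", value) else None

    return (attrs.get("user-name", [None])[0],
            attrs.get("acct-session-id", [None])[0],
            num("ras-tx-speed"), num("ras-rx-speed"))

def load(text, db):
    """Insert one row per Stop record into the hypothetical ras_speed table."""
    db.execute("CREATE TABLE IF NOT EXISTS ras_speed (username TEXT, "
               "session_id TEXT, tx_speed INTEGER, rx_speed INTEGER)")
    rows = [speed_row(a) for a in parse_records(text)
            if a.get("acct-status-type") == ["Stop"]]
    # Bound parameters keep attribute contents out of the SQL text.
    db.executemany("INSERT INTO ras_speed VALUES (?, ?, ?, ?)", rows)
    return rows

if __name__ == "__main__":
    for row in load(SAMPLE_DETAIL, sqlite3.connect(":memory:")):
        print(row)
```
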
dialup admin
I'm getting a strange behaviour from the dialup admin code where the $login value does not get set when I put in the user name and click show user in the user_admin.php3. It's strange because I can see the value that I inserted in the field because it shows up in my URL, but in the code itself the $login value is ''. I am running the page on the Apache 1.3.27 web server and PHP 4.2.3 with the Netscape web browser. Has anyone else seen this behaviour? I need to get this working so that I can test the Oracle support that I added.
Thanks.
Adam Joncas

Re: oracle AND mysql module simultaneously
Robin Elfrink [EMAIL PROTECTED] wrote:
sql: driver = rlm_sql_mysql
rlm_sql: Driver rlm_sql_mysql loaded and linked
rlm_sql: Attempting to connect to [EMAIL PROTECTED]:/dbname
Init: Oracle logon failed: 'Error while trying to retrieve text for ...
Weird. It loads the MySQL driver, and then tries to connect via Oracle? That's *very* odd. The function used to open a connection to the database is closely related to the driver name (and is in the same data structure). So I don't see how that can happen, unless the dynamic linker is doing the wrong thing... Try grabbing the CVS snapshot from later tonight. I've updated a lot of the error messages in the SQL module to be more helpful.
Alan DeKok.

Re: Reporting minor bugs/fixes
Chris Krusch [EMAIL PROTECTED] wrote:
How do I best report a bug I found and fixed in the 0.7.1 release? Is there somewhere I can look to see if fixes of this sort have already been made?
Not really, no.
There's a bug in valuepair.c with parsing of octets. In my users file, when I attempt to set the class attribute to a string value (e.g. class = ou=default), the length field is erroneously set to 0. If you provide the string in raw octets (e.g. class = 0x158239), all is OK. This broke my ability to return text class attributes to our VPN server that worked in previous releases. The fix to valuepair.c is very minor -
I believe that this fix is already in the latest CVS version.
Alan DeKok.

Re: Simultaneous-User Questions
WA Support [EMAIL PROTECTED] wrote:
What I am trying to do is support the case where I have a user at IPS1 with the same username as a user at IPS2.
For general information about this situation, see: doc/duplicate-users
From what I can read, freeradius just queries the CVX (in this case) for the username and if it sees a session with that username, it will not allow another one, correct?
Yes.
How can I make freeradius check for the username AND the Called-Number?
No, it checks for a specific user has logged into a specific port. The issue appears to be that you want to keep track of users locally by information OTHER than their username, but to check for Simultaneous-Use on the NAS by username and NAS port. I'm not sure how to do this right now.
Alan DeKok.

more Kerberos fun
Hello again,
Thanks again to the folks who helped me get kerberos compiled in my freeradius. Unfortunately, the fun didn't stop there... I've been trying to find some information on how I need to configure the server to authenticate with kerberos. I found a few others asking the question, and I found Alan's answer that DEFAULT Auth-Type = Kerberos should do it. So, in my /usr/local/etc/raddb/users file, I have:
DEFAULT Auth-Type = Kerberos
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Routing = Broadcast-Listen,
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobson-TCP-IP
Unfortunately, this doesn't appear to work for me (I'm not sure if it's 'Auth-Type = ' or 'Auth-Type := ', I've tried both). I've uncommented some lines in radiusd.conf that startup choked on (specifically /etc/shadow being commented out under the 'unix' module part), but other than that I've left it untouched. I noticed that there doesn't seem to be any entry in it for rlm_krb5. Does there need to be something in there?
Also, in one of the mails Alan answered he mentioned that the kerberos daemon does all the work. Does this mean that kerberos server must be running on the same machine as the radius server? There is a main campus kerberos server and I'm trying to run the radius server on my workstation, so unfortunately I won't be able to run the kerberos server on my machine, unless I can tell the server to pass on authentication to the real kerb server.
Unfortunately, when we try to authenticate, nothing is coming up in radius.log, so I can't find out anything there. Doing a tcpdump on the radius server, I get:
15:16:44.747466 $SOMEIPADDRESS.1059 hythloth.netcom.duke.edu.datametrics: rad-access-req 71 [id 67] Attr[ User{username} Pass [|radius]
15:16:48.741356 $SOMEIPADDRESS.1059 hythloth.netcom.duke.edu.datametrics: rad-access-req 71 [id 67] Attr[ User{username} Pass [|radius]
15:16:48.741556 hythloth.netcom.duke.edu.datametrics $SOMEIPADDRESS.1059: rad-access-reject 20 [id 67] (DF)
This is the latest stable version (0.7.1) of freeradius and Red Hat 8.0. I've tried to find the answer and have had little luck, so any help that someone in a similar predicament (or those fortunate enough not to be but know the answers) can give me will be greatly appreciated.
Many Thanks!
Brian Johnson

Re: more Kerberos fun
Brian Johnson [EMAIL PROTECTED] wrote:
So, in my /usr/local/etc/raddb/users file, I have:
DEFAULT Auth-Type = Kerberos
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Routing = Broadcast-Listen,
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobson-TCP-IP
Unfortunately, this doesn't appear to work for me
What, exactly do you mean by that? What does the server say in debugging mode?
I noticed that there doesn't seem to be any entry in it for rlm_krb5. Does there need to be something in there?
If you want it to do Kerberos authentication, yes.
Also, in one of the mails Alan answered he mentioned that the kerberos daemon does all the work. Does this mean that kerberos server must be running on the same machine as the radius server?
No. It just means that the RADIUS server must somehow be able to access the kerberos server.
Unfortunately, when we try to authenticate, nothing is coming up in radius.log, so I can't find out anything there.
So run the server in debugging mode, as it suggests in the README, the documentation, and in the FAQ.
Alan DeKok.

Re: Simultaneous-User Questions
On 5 Nov 2002, at 14:44, WA Support wrote:
From: WA Support [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Simultaneous-User Questions
Send reply to: [EMAIL PROTECTED]
Date sent: Tue, 05 Nov 2002 14:44:19 -0700
What I want to do is check for username and called-station-id. The NAS reports this back to freeradius, since it is recorded in the detail file. It should be very simple to rework the source for freeradius, i.e., radiusd.c, and check for both the username and the called-station-id, right?
If all you want to do is to check username and called-station-id, then why not use some regex logic:
proxy to here...
# Can we talk?
tester Auth-Type := Reject, Called-Station != number
# Good, then let me in?
tester Auth-Type := XYZ, Password == letmein, Simultaneous-Use := 1
    Fall-Through = Yes
DEFAULT ... etc
bernie [EMAIL PROTECTED]
But, from the perl world, checkrad.pl is used to check for simultaneous use, according to the docs that came with freeradius. However, I can not see that anything calls checkrad.pl. Does anyone know what does call checkrad.pl?
Thanks,
Murrah Boswell
Alan DeKok wrote:
WA Support [EMAIL PROTECTED] wrote:
What I am trying to do is support the case where I have a user at IPS1 with the same username as a user at IPS2.
For general information about this situation, see: doc/duplicate-users
From what I can read, freeradius just queries the CVX (in this case) for the username and if it sees a session with that username, it will not allow another one, correct?
Yes.
How can I make freeradius check for the username AND the Called-Number?
No, it checks for a specific user has logged into a specific port. The issue appears to be that you want to keep track of users locally by information OTHER than their username, but to check for Simultaneous-Use on the NAS by username and NAS port. I'm not sure how to do this right now.
Alan DeKok.

Re: Simultaneous-User Questions
If you had read the original message that I sent, you would see what I am trying to do. I have to be able to check both username and called-station-id.
Thanks,
Murrah Boswell
CTA wrote:
On 5 Nov 2002, at 14:44, WA Support wrote:
From: WA Support [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Simultaneous-User Questions
Send reply to: [EMAIL PROTECTED]
Date sent: Tue, 05 Nov 2002 14:44:19 -0700
What I want to do is check for username and called-station-id. The NAS reports this back to freeradius, since it is recorded in the detail file. It should be very simple to rework the source for freeradius, i.e., radiusd.c, and check for both the username and the called-station-id, right?
If all you want to do is to check username and called-station-id, then why not use some regex logic:
proxy to here...
# Can we talk?
tester Auth-Type := Reject, Called-Station != number
# Good, then let me in?
tester Auth-Type := XYZ, Password == letmein, Simultaneous-Use := 1
    Fall-Through = Yes
DEFAULT ... etc
bernie [EMAIL PROTECTED]
But, from the perl world, checkrad.pl is used to check for simultaneous use, according to the docs that came with freeradius. However, I can not see that anything calls checkrad.pl. Does anyone know what does call checkrad.pl?
Thanks,
Murrah Boswell
Alan DeKok wrote:
WA Support [EMAIL PROTECTED] wrote:
What I am trying to do is support the case where I have a user at IPS1 with the same username as a user at IPS2.
For general information about this situation, see: doc/duplicate-users
From what I can read, freeradius just queries the CVX (in this case) for the username and if it sees a session with that username, it will not allow another one, correct?
Yes.
How can I make freeradius check for the username AND the Called-Number?
No, it checks for a specific user has logged into a specific port. The issue appears to be that you want to keep track of users locally by information OTHER than their username, but to check for Simultaneous-Use on the NAS by username and NAS port. I'm not sure how to do this right now.
Alan DeKok.

Re: Simultaneous-User Questions
On Tuesday 05 November 2002 16:44, WA Support wrote:
What I want to do is check for username and called-station-id. The NAS reports this back to freeradius, since it is recorded in the detail file. It should be very simple to rework the source for freeradius, i.e., radiusd.c, and check for both the username and the called-station-id, right?
Run the radius server in debugging mode (-x) and see what the NAS actually sends to the server when a person tries to authenticate. That will show you the data you can use in the users file to help determine where packets get proxied. I believe the Called-Station-Id is sent only in accounting packets, which is sent after successful authentication. Have you looked into using realms?
Kevin Bonner

Expiration date check
Hello all and thanks for your help!
I have freeradius 0.7 running under SuSe linux 8.0 on intel platform (I have to remind all of you that I am a newcomer to both the linux and freeradius world), so here is my question: What do I have to do to make freeradius check authorization requests against an expiration date? (If expiration date = current date then allow access else deny) Is this possible? I have freeradius using MySql database for both authentication and accounting.
And one more minor... I want to keep start records on MySql's radius database's radacct table and stop records on another table of the same database (which I named 'radstop'). I have altered sql.conf to match that and created radstop table in radius database (I actually copied and pasted radacct and renamed it) but freeradius is still writing both records in radacct table... what more do I have to do?
Thanks again for your help and for that splendid software you've made for us...
Yorgos