Re: CISCO LEAP

2002-11-13 Thread Lars Viklund
On Wed, 2002-11-13 at 16:06, Jeremy Salch wrote:
> On Wednesday 13 November 2002 06:52 pm, Mike Paneth wrote:
> > We are about to set up a wireless network based on CISCO 1200 APs and need
> > to control access.
> >
> > Does anyone know how to get Freeradius working with CISCO LEAP?
> 
>   It can't.

Not yet anyway.

> LEAP is an EAP type proprietary to Cisco.

Yes.

> you'll have to shell out the cash for this one.  

I don't think that's necessarily true. Someone just has to write a
FreeRADIUS module for it. There are public descriptions of the protocol
(http://www.missl.cs.umd.edu/wireless/ethereal/leap.txt) and it doesn't
seem hard to implement.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: using FreeRADIUS SecurID/RSA?

2002-11-13 Thread Gene Parks
What about using the radius server built into the SecurID product and
letting Freeradius proxy to it for that function?

Just a thought.

Gene Parks
VIP Direct




Re: CISCO LEAP

2002-11-13 Thread Jeremy Salch
On Wednesday 13 November 2002 06:52 pm, Mike Paneth wrote:
> We are about to set up a wireless network based on CISCO 1200 APs and need
> to control access.
>
> Does anyone know how to get Freeradius working with CISCO LEAP?

It can't. LEAP is an EAP type proprietary to Cisco. You'll have to
shell out the cash for this one.


>
> Mike Paneth
> Melbourne Australia

-- 
http://tblx.net





RE: EAP/TLS

2002-11-13 Thread Jeffery Huang
You need to find these two libraries.
If you followed the HOWTO setup,
they will be at /usr/local/openssl/lib,
so before you run radiusd
you must
$ export LD_LIBRARY_PATH=/usr/local/openssl/lib

Regards,
Jeffery

On Thu, 2002-11-14 08:26, Ynjiun P. Wang wrote:
> More information:
> I checked rlm_eap_tls-0.8-pre.so using ldd and found that "libssl.so.0.9.8 => not 
>found". Is this normal? If not, how to
> fix it? Thanks.
> 
> [root@curve EAP]# ldd /usr/local/lib/rlm_eap_tls-0.8-pre.so
> libssl.so.0.9.8 => not found
> libcrypto.so.0.9.8 => not found
> libnsl.so.1 => /lib/libnsl.so.1 (0x40025000)
> libresolv.so.2 => /lib/libresolv.so.2 (0x4003a000)
> libpthread.so.0 => /lib/i686/libpthread.so.0 (0x4004b000)
> libc.so.6 => /lib/i686/libc.so.6 (0x4200)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)
> 
> -Original Message-
> From: Ynjiun P. Wang [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 13, 2002 3:15 PM
> To: [EMAIL PROTECTED]
> Subject: EAP/TLS
> 
> 
> Hi,
> 
>   I was able to get Radius running with EAP/TLS. But when I get my Windows XP
> logon through 802.11 (with root.der and cert-clt.p12 installed), after a couple
> of rounds of exchanging info with the Radius server, I got:
> "rlm_eap_tls: Invalid ACK received
>   modcall[authenticate]: module "eap" returns invalid"
> and ended up with "Access-Reject".
> I cut out part of the log info below. Has anyone encountered this problem? What
> is causing it? What's the fix? Please help. Thanks.
> 
> -Paul
> 
> 
> Called-Station-Id = "004096495de0"
> Calling-Station-Id = "0006250baad2"
> NAS-Identifier = "AP350-495de0"
> NAS-Port = 37
> Framed-MTU = 1400
> State = 
>0xdbe3f75a75d354c306c7870c1762e63dc8d4d23d9ec744a89fcd5df6fd96d72d69fecdab
> NAS-Port-Type = Wireless-802.11
> Service-Type = Login-User
> EAP-Message = "\002\272\000\006\r"
> Message-Authenticator = 0x7c7f78aa5e807d1d3ed5aaddbca89613
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "eap" returns updated
> rlm_realm: No '@' in User-Name = "kevin", looking up realm NULL
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
> users: Matched kevin at 95
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP_TYPE - tls
> rlm_eap: processing type tls
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: Invalid ACK received
>   modcall[authenticate]: module "eap" returns invalid
> modcall: group authenticate returns invalid
> auth: Failed to validate the user.
> Delaying request 2 for 1 seconds
> Finished request 2
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 66.135.138.204:19375, id=56, length=183
> Sending Access-Reject of id 56 to 66.135.138.204:19375
> EAP-Message = "\004\272\000\004"
> Message-Authenticator = 0x
> 
> 
-- 

Regards,
Jeffery Huang
iMining Technology Inc.,
8F-4, No.432, Sec.1 Keelung Rd.,
Taipei,Taiwan
Tel:886-2-27235122 ext 20
Fax:886-2-27232287
http://www.imining.com.tw
email:[EMAIL PROTECTED]





CISCO LEAP

2002-11-13 Thread Mike Paneth



We are about to set up a wireless network based on
CISCO 1200 APs and need to control access.

Does anyone know how to get Freeradius working with
CISCO LEAP?
 
Mike Paneth
Melbourne Australia


RE: EAP/TLS

2002-11-13 Thread Ynjiun P. Wang
More information:
I checked rlm_eap_tls-0.8-pre.so using ldd and found that "libssl.so.0.9.8 => not 
found". Is this normal? If not, how to
fix it? Thanks.

[root@curve EAP]# ldd /usr/local/lib/rlm_eap_tls-0.8-pre.so
libssl.so.0.9.8 => not found
libcrypto.so.0.9.8 => not found
libnsl.so.1 => /lib/libnsl.so.1 (0x40025000)
libresolv.so.2 => /lib/libresolv.so.2 (0x4003a000)
libpthread.so.0 => /lib/i686/libpthread.so.0 (0x4004b000)
libc.so.6 => /lib/i686/libc.so.6 (0x4200)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

-Original Message-
From: Ynjiun P. Wang [mailto:ypw@;worldnet.att.net]
Sent: Wednesday, November 13, 2002 3:15 PM
To: [EMAIL PROTECTED]
Subject: EAP/TLS


Hi,

I was able to get Radius running with EAP/TLS. But when I get my Windows XP
logon through 802.11 (with root.der and cert-clt.p12 installed), after a couple
of rounds of exchanging info with the Radius server, I got:
"rlm_eap_tls: Invalid ACK received
  modcall[authenticate]: module "eap" returns invalid"
and ended up with "Access-Reject".
I cut out part of the log info below. Has anyone encountered this problem? What
is causing it? What's the fix? Please help. Thanks.

-Paul


Called-Station-Id = "004096495de0"
Calling-Station-Id = "0006250baad2"
NAS-Identifier = "AP350-495de0"
NAS-Port = 37
Framed-MTU = 1400
State = 
0xdbe3f75a75d354c306c7870c1762e63dc8d4d23d9ec744a89fcd5df6fd96d72d69fecdab
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = "\002\272\000\006\r"
Message-Authenticator = 0x7c7f78aa5e807d1d3ed5aaddbca89613
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "kevin", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched kevin at 95
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: Invalid ACK received
  modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 66.135.138.204:19375, id=56, length=183
Sending Access-Reject of id 56 to 66.135.138.204:19375
EAP-Message = "\004\272\000\004"
Message-Authenticator = 0x





Re: ppp authentication & windows NT domain

2002-11-13 Thread Miriam Benham
I'm confused. What do you mean by "That's not true"?

Alan DeKok wrote:
> 
> Miriam Benham <[EMAIL PROTECTED]> wrote:
> > PAP works great with my existing NT domain authentication configuration,
> > but if I use CHAP it fails. I've read that I have to create users
> > credentials on the freeradius server if I want to use CHAP.
> 
>   That's not true.  PAP is fine.
>   As for why CHAP fails, see the FAQ.  The problem with SMB
> authentication is exactly the same as for Unix authentication against
> /etc/passwd
> 
> > Question: Is there any way around the username/password duplication on
> > the freeradius server?  Is there any way to have the password encrypted
> > through the phone line (using CHAP) and get authenticated by the NT
> > domain server without using "password in the clear" PAP?
> 
>   No.  See the FAQ.
> 
>   Alan DeKok.
> 




EAP/TLS

2002-11-13 Thread Ynjiun P. Wang
Hi,

I was able to get Radius running with EAP/TLS. But when I get my Windows XP
logon through 802.11 (with root.der and cert-clt.p12 installed), after a couple
of rounds of exchanging info with the Radius server, I got:
"rlm_eap_tls: Invalid ACK received
  modcall[authenticate]: module "eap" returns invalid"
and ended up with "Access-Reject".
I cut out part of the log info below. Has anyone encountered this problem? What
is causing it? What's the fix? Please help. Thanks.

-Paul


Called-Station-Id = "004096495de0"
Calling-Station-Id = "0006250baad2"
NAS-Identifier = "AP350-495de0"
NAS-Port = 37
Framed-MTU = 1400
State = 
0xdbe3f75a75d354c306c7870c1762e63dc8d4d23d9ec744a89fcd5df6fd96d72d69fecdab
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = "\002\272\000\006\r"
Message-Authenticator = 0x7c7f78aa5e807d1d3ed5aaddbca89613
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "kevin", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched kevin at 95
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: Invalid ACK received
  modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 66.135.138.204:19375, id=56, length=183
Sending Access-Reject of id 56 to 66.135.138.204:19375
EAP-Message = "\004\272\000\004"
Message-Authenticator = 0x





Re: ppp authentication & windows NT domain

2002-11-13 Thread Steve Langasek
On Wed, Nov 13, 2002 at 03:58:48PM -0500, Alan DeKok wrote:
> Miriam Benham <[EMAIL PROTECTED]> wrote:
> > PAP works great with my existing NT domain authentication configuration,
> > but if I use CHAP it fails. I've read that I have to create users
> > credentials on the freeradius server if I want to use CHAP.

>   That's not true.  PAP is fine.

>   As for why CHAP fails, see the FAQ.  The problem with SMB
> authentication is exactly the same as for Unix authentication against
> /etc/passwd

Unless you're doing MS-CHAP.  Then you only have implementation obstacles
to overcome, rather than matters of mathematical certainty. :)

-- 
Steve Langasek
postmodern programmer





Re: ppp authentication & windows NT domain

2002-11-13 Thread Alan DeKok
Miriam Benham <[EMAIL PROTECTED]> wrote:
> PAP works great with my existing NT domain authentication configuration,
> but if I use CHAP it fails. I've read that I have to create users
> credentials on the freeradius server if I want to use CHAP.

  That's not true.  PAP is fine.

  As for why CHAP fails, see the FAQ.  The problem with SMB
authentication is exactly the same as for Unix authentication against
/etc/passwd

> Question: Is there any way around the username/password duplication on
> the freeradius server?  Is there any way to have the password encrypted
> through the phone line (using CHAP) and get authenticated by the NT
> domain server without using "password in the clear" PAP?

  No.  See the FAQ.

  Alan DeKok.

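Alan's answer (and Steve's MS-CHAP remark in the sibling reply) rests on one structural fact, shown here as an added example that is not part of this thread: an RFC 1994 CHAP verifier must recompute MD5(Identifier || secret || Challenge) and therefore needs the cleartext secret, whereas PAP delivers the cleartext, which can be checked against whatever one-way hash the existing store already holds. The salted SHA-256 "store" below is an assumed stand-in for crypt(3) in /etc/passwd or the NT domain's password hashes; every password, challenge and salt is constructed for the demo.

```python
"""Why CHAP cannot be verified against a one-way hashed password store,
while PAP can.  Added example, not code from the thread or from FreeRADIUS."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes,
                cleartext_secret: bytes) -> bool:
    """The server must redo the MD5 over the cleartext secret.  A stored
    one-way hash of the secret is useless: MD5(id||secret||challenge)
    cannot be derived from hash(secret)."""
    expected = chap_response(identifier, cleartext_secret, challenge)
    return hmac.compare_digest(expected, response)


def store_hashed(password: bytes, salt: bytes) -> bytes:
    """Stand-in (assumption) for crypt(3): what a Unix or NT-style store keeps."""
    return hashlib.sha256(salt + password).digest()


def pap_verify(password: bytes, salt: bytes, stored: bytes) -> bool:
    """PAP delivers the cleartext password, so the server hashes it with the
    stored salt and compares.  This is why PAP works against an existing store."""
    return hmac.compare_digest(store_hashed(password, salt), stored)


def demo() -> dict:
    password = b"correct horse"            # constructed
    salt = os.urandom(8)
    on_disk = store_hashed(password, salt)  # all the NT/Unix store has

    # PAP: the cleartext arrives and can be checked against the hash.
    pap_ok = pap_verify(password, salt, on_disk)
    pap_bad = pap_verify(b"wrong", salt, on_disk)

    # CHAP: only a response arrives; checking it needs the cleartext secret.
    ident, challenge = 0x2A, os.urandom(16)
    response = chap_response(ident, password, challenge)
    chap_ok = chap_verify(ident, challenge, response, password)
    # Feeding the stored hash in place of the cleartext does not work:
    chap_with_hash_only = chap_verify(ident, challenge, response, on_disk)
    return {"pap_ok": pap_ok, "pap_bad": pap_bad,
            "chap_ok": chap_ok, "chap_with_hash_only": chap_with_hash_only}


if __name__ == "__main__":
    print(demo())
```

This is the "duplication" Miriam asks about: a RADIUS server that answers CHAP must hold the cleartext for those users, which a hashed /etc/passwd or SMB store cannot supply. Steve's exception follows from the same structure: the MS-CHAP response is computed from the NT hash (MD4 over the UTF-16LE password) rather than from the cleartext, so a domain that stores NT hashes can verify it, and the remaining obstacles are implementation, not arithmetic.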



ppp authentication & windows NT domain

2002-11-13 Thread Miriam Benham
Hi there,

I'm new to using/configuring freeradius, and it's working great so far.

I now would like to use it to authenticate our remote PPP users. I want
to use our NT domain server so as not to have to create a new password
file for all the users on the freeradius server.  I currently have NT
domain authentication working using PAM/SMB and PAP.

PAP works great with my existing NT domain authentication configuration,
but if I use CHAP it fails. I've read that I have to create users
credentials on the freeradius server if I want to use CHAP.

Question: Is there any way around the username/password duplication on
the freeradius server?  Is there any way to have the password encrypted
through the phone line (using CHAP) and get authenticated by the NT
domain server without using "password in the clear" PAP?

Thanks,

Miriam Benham




Re: limiting DSL users bandwidth

2002-11-13 Thread Alan DeKok
Dan <[EMAIL PROTECTED]> wrote:
> Is there any way to limit the amount of bandwidth available to a user 
> through radius?

  Only if your NAS supports it in a RADIUS attribute.

> running radiusd in full debug I don't even see it sending this back
> to the user.  and the user is not limited at all.

  Then there's something else in your configuration preventing this.

> I thought I'd try a very simple config like this:
> 
> testuser  Auth-Type := System
>   Framed-Ip-Address = 
>   Cisco-AVPair = "lcp:interface-config=rate-limit output 128000 32000 
>64000 
> conform-action transmit exceed-action drop"

  Try 'Cisco-AVPair += '

  Alan DeKok.




Re: group reject with realm problem

2002-11-13 Thread vince nigro
At 12:28 PM 11/13/2002 -0600, you wrote:

> OK so other group setup with realm will not work, i.e.:
>  DEFAULT  group == "isdn", Simultaneous-Use := 2
> So how can I set up a 2-port connection for a user?


You might want to use Cistron Radius (which Freeradius was based on) until
this problem is fixed in Freeradius: http://www.radius.cistron.nl/
Unless you want to use Mysql or Ldap, etc. as your
Authentication/Authorization mechanism.

I think most of the people that are using Freeradius are using alternate 
Authentication/Authorization
mechanisms like Mysql and LDAP, which mostly work, so
the "Group"  check problem and Realms with Unix passwd/group files has not 
been that big an issue.
(but it has been reported a few times over the last several months to this 
list.).


vince





RE: EAP-TLS re-keying

2002-11-13 Thread Lars Viklund

> From: BUTTI Laurent FTRD/DTL/ISS [mailto:laurent.butti@;rd.francetelecom.com] 
> Sent: den 13 november 2002 18:43
> To: [EMAIL PROTECTED]
> Subject: EAP-TLS re-keying

> I have an Orinoco AP-2000 (2.0.2) and a Windows XP client SP1.
> MPPE-{Send/Recv}-key seems to be successfully interpreted by the 
> AP-2000, as 3 EAPOL-Key frames are sent to the client. 

The access points we have tested seem to send two EAPOL-Key messages, 
one with the unicast key and one with a broadcast (default) key. 
What are key index fields in the three messages you see? Does the AP 
send two broadcast (default) keys with different indexes?

> So this scheme is 
> different than Cisco's scheme that seems to send only one EAPOL-Key 
> according to Lars Viklund. 

Not quite. It will send (at least) two EAPOL-Key messages but the unicast 
one does not include the actual key.

> Moreover, re-keying seems to work by configuring a short key lifetime on
> AP-2000; every time t, 3 new EAPOL-Key frames are sent from AP-2000 to
> the WinXP client.
> What I'm trying to do is validate that the new WEP key sent by
> AP-2000 using EAPOL-Key is really used.
> I have several questions / remarks:
> * Sending a new WEP key doesn't prove that it is really used on both
>   client and access point sides. It should be dependent on both hardware
>   (as WEP ciphering should be done in the WLAN card firmware, so WLAN card
>   drivers must support 802.1X) and software in Windows XP.

True, although if your traffic is WEP encrypted and still gets through after 
the rekeying then either the new keys are used on both sides or not at all.

> * I didn't test re-keying on Cisco, but if Cisco uses MPPE-Send-Key to
> have data-link ciphering with WEP (truncating the MPPE-Send key), it is
> necessary to have a full re-authentication if we want a real
> "re-keying", am I wrong?

I think you're correct. One could think of other schemes that would handle 
this though, see this thread for instance:
http://www.mail-archive.com/freeradius-users@;lists.cistron.nl/msg07532.html

> * Do you know any tip to validate that?
> - By using NDIS hooking?

Probably possible but I have no idea how.

> - By any debug mode on AP-2000?

Since you obviously don't trust the AP-2000 to use the new keys after it has 
sent the new EAPOL-Key messages, would you trust debug output from it? :-)

> - Any other idea?

You could:

Test with xsupplicant instead of Win XP. That way you can easily
verify that the supplicant actually changes the keys when it receives 
the new EAPOL-Key messages.

or

Get the MPPE-{Send/Recv}-Keys generated by the RADIUS server, e.g.
by having the rlm_eap_tls module log them. Capture the EAPOL-Key 
messages sent by the AP and decrypt the key fields to get the WEP
keys. Capture data frames sent between the AP and the STA, decrypt
them and verify the ICV (or verify that the MSDU is correct some
other way). 

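The last step of Lars's second suggestion, as an added example that is not part of this thread: given the IV and encrypted body of a captured data frame, decrypt with each candidate WEP key and check the ICV; only the key the AP actually used yields a matching CRC-32, so the result tells you whether traffic moved to the new key after the EAPOL-Key exchange. It assumes you already hold the old and new WEP keys (for EAP-TLS, recovered from the MPPE keys and EAPOL-Key messages as Lars describes; that decryption is not shown), and every key, IV and frame below is constructed for the demo rather than captured.

```python
"""Which WEP key is a captured frame encrypted with?  Decrypt the body with
each candidate and verify the ICV.  Added example, not from the thread."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  WEP keys RC4 with IV || key, no discard."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_icv(msdu: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, little-endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(msdu) & 0xFFFFFFFF)


def wep_encrypt(iv: bytes, key: bytes, msdu: bytes) -> bytes:
    """Encrypted frame body (data || ICV).  The 3-byte IV travels in the clear."""
    assert len(iv) == 3 and len(key) in (5, 13)
    return rc4(iv + key, msdu + wep_icv(msdu))


def wep_decrypt(iv: bytes, key: bytes, body: bytes):
    """Returns (msdu, icv_ok).  A wrong key gives garbage whose ICV fails."""
    plain = rc4(iv + key, body)
    msdu, icv = plain[:-4], plain[-4:]
    return msdu, icv == wep_icv(msdu)


def key_in_use(iv: bytes, body: bytes, candidates: dict):
    """Name of the candidate whose ICV check passes, or None if none does
    (e.g. the AP switched to a key you do not have)."""
    for name, key in candidates.items():
        if wep_decrypt(iv, key, body)[1]:
            return name
    return None


def demo():
    # Constructed 40-bit keys standing in for the pre- and post-rekey WEP keys.
    old_key = bytes.fromhex("0102030405")
    new_key = bytes.fromhex("0a0b0c0d0e")
    iv = b"\x11\x22\x33"
    # Constructed MSDU: LLC/SNAP header for IPv4 followed by a dummy payload.
    msdu = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"constructed payload"
    # "Captured" after the EAPOL-Key exchange: the AP encrypted it with the new key.
    captured_body = wep_encrypt(iv, new_key, msdu)
    return key_in_use(iv, captured_body, {"old": old_key, "new": new_key})


if __name__ == "__main__":
    print(demo())  # "new" if traffic moved to the new key
```

Run it against a handful of frames captured on either side of the key lifetime boundary; frames that still validate under the old key after the new EAPOL-Key messages were sent show that one side did not apply the new key, which is exactly the failure Laurent wants to rule out.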



limiting DSL users bandwidth

2002-11-13 Thread Dan
I can't seem to figure out how to do this.
The users are dynamic DSL users (they get their IP from the router IP pool).
I've tried absolutely everything I can, I've read the docs, FAQs, archives
(as much as I can),
and vendor websites.

Is there any way to limit the amount of bandwidth available to a user 
through radius?

We use cisco 7507 router for our DSL connectivity, and yes, I've tried all 
the Cisco-AVPair
configs I can find, and none of them seem to work.

Running radiusd in full debug I don't even see it sending this back to the user,
and the user is not limited at all.

I thought I'd try a very simple config like this:

testuser	Auth-Type := System
		Framed-Ip-Address = 
		Cisco-AVPair = "lcp:interface-config=rate-limit output 128000 32000 64000 
conform-action transmit exceed-action drop"

there's no sign of this during debug. I have also tried the very long 
config examples from Cisco's site, but those don't have any effect either.

Can anyone show me an example that does work? Or how to get this working
another way?

I've tried this with Merit, Cistron, and freeradius (if that matters a hill 
of beans)

aaa vsa send accounting is turned on, on the router

Dan.





groups not working in user file

2002-11-13 Thread Dan
I just copied the configuration over from cistron to freeradius (making 
necessary modifications)
and we can't get group checking to work in the user file.
this is freeradius 0.71, I've even tried the default samples in the users 
file, such as:

DEFAULT	Group == ''disabled", Auth-Type := Reject
		Reply-Message = "Account Disabled"

Nothing matches this, although it should... I have tried a user with a 
primary group "disabled" and
secondary group "disabled"... nothing works. Everything comes through like 
this:

modcall: group authorize returns ok

Why isn't the user matching the group check ?

Dan.





Re: authentication of users ADSL

2002-11-13 Thread Alan DeKok
"Samyr Alves" <[EMAIL PROTECTED]> wrote:
> how to configure radius for authentication of users ADSL?

  Read the docs?

  Alan DeKok.




Re: group reject with realm problem

2002-11-13 Thread Marcin Groszek
I tried to use realms or proxy.conf with different options: nostrip, norealm.
But none of the combinations do the job.

Chris Parker wrote:

> At 10:43 AM 11/13/2002 -0600, Marcin Groszek wrote:
>
> >realm hostplus.net {
> >        type     = radius
> >        authhost = LOCAL
> >        accthost = LOCAL
> >}
> >
> >and file realms
> >hostplus.net    LOCAL
>
> You'll want to use one or the other.  I recommend not using 'realms'
> as that is an older syntax and has fewer features than 'proxy.conf'.
>
> Something else you could try is to set the user's 'shell' entry in the
> system password file to '/bin/false' or some other shell that is not
> listed in /etc/shells.  This should also allow the users to be rejected,
> even if the password matches.
>
> -Chris
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\  http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
>

--
Best Regards: Marcin Groszek
Http://www.hostplus.net
Where we offer:
Server Co-location, Web Site Hosting and Internet Access.







EAP-TLS re-keying

2002-11-13 Thread BUTTI Laurent FTRD/DTL/ISS

Hi,

I have an Orinoco AP-2000 (2.0.2) and a Windows XP client SP1.

MPPE-{Send/Recv}-key seems to be successfully interpreted by the
AP-2000, as 3 EAPOL-Key frames are sent to the client. So this scheme is
different than Cisco's scheme that seems to send only one EAPOL-Key
according to Lars Viklund.

Moreover, re-keying seems to work by configuring a short key lifetime on
AP-2000; every time t, 3 new EAPOL-Key frames are sent from AP-2000 to
the WinXP client.

What I'm trying to do is validate that the new WEP key sent by
AP-2000 using EAPOL-Key is really used.

I have several questions / remarks:

* Sending a new WEP key doesn't prove that it is really used on both
client and access point sides. It should be dependent on both hardware
(as WEP ciphering should be done in the WLAN card firmware, so WLAN card
drivers must support 802.1X) and software in Windows XP.

* I didn't test re-keying on Cisco, but if Cisco uses MPPE-Send-Key to
have data-link ciphering with WEP (truncating the MPPE-Send key), it is
necessary to have a full re-authentication if we want a real
"re-keying", am I wrong?

* Do you know any tip to validate that?
    - By using NDIS hooking?
    - By any debug mode on AP-2000?
    - Any other idea?

Thank you very much for any help.

Best regards,
Laurent.





Re: Some another basic questions about features

2002-11-13 Thread Franklin Trumpy
On Wed, 13 Nov 2002, Remus Anca wrote:
>
> 1.  I want that if a user is not found in files, it is looked up in sql.
>   Is that possible, in a sequence like this?
> authorize{
>   preprocess
>   suffix
>   files
>   sql
> }

See doc/configurable_failover. It includes all the information necessary
to do what you describe.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc | Say not, "I have found the truth,"
Sr. UNIX Systems Administrator  | but rather, "I have found a truth."
Lighthouse Communications   |
[EMAIL PROTECTED] | Say not, "I have found the path of the soul."
(515)244-1115   | Say rather, "I have met the soul walking
(888)953-3278   |   upon my path."
http://www.lh.net   |
| -Kahlil Gibran, _The Prophet_, 1923






Re: group reject with realm problem

2002-11-13 Thread Chris Parker
At 10:43 AM 11/13/2002 -0600, Marcin Groszek wrote:


realm hostplus.net {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

and file realms
hostplus.net    LOCAL


You'll want to use one or the other.  I recommend not using 'realms'
as that is an older syntax and has fewer features than 'proxy.conf'.

Something else you could try is to set the user's 'shell' entry in the
system password file to '/bin/false' or some other shell that is not
listed in /etc/shells.  This should also allow the users to be rejected,
even if the password matches.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: group reject with realm problem

2002-11-13 Thread Marcin Groszek

realm hostplus.net {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

and file realms
hostplus.net    LOCAL

Chris Parker wrote:

> At 10:11 AM 11/13/2002 -0600, Marcin Groszek wrote:
> >I have tried this and I did not get any positive results.
> >user gets rejected but user@realm did not.
> >I think I will wait for version 0.8.
>
> What is the realm entry you have in proxy.conf for this realm?
>
> -Chris
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\  http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
>

--
Best Regards: Marcin Groszek
Http://www.hostplus.net
Where we offer:
Server Co-location, Web Site Hosting and Internet Access.







Re: group reject with realm problem

2002-11-13 Thread Chris Parker
At 10:11 AM 11/13/2002 -0600, Marcin Groszek wrote:

I have tried this and I did not get any positive results.
user gets rejected but user@realm did not.
I think I will wait for version 0.8.


What is the realm entry you have in proxy.conf for this realm?

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: Radius server not accounting, and dumping core...

2002-11-13 Thread Simon White
13-Nov-02 at 10:11, Simon White ([EMAIL PROTECTED]) wrote :
> I have FreeRADIUS working, with MySQL db and even have tested with a USR
> Netserver NAS and it works fine on default port 1812 (which I can set
> the NAS to authenticate to)... so I have got somewhere. However there
> are two issues I'd like feedback on, if anyone can help. 
> 
> 1) Core dumping on port 1645 with debugging on
> 
> -- First of all the version etc
> FreeRADIUS Version 0.7.1, for host i686-pc-linux-gnu
> gcc-2.96-81
> glibc-2.2.4-24
> kernel-2.4.18 hand rolled
> /usr/sbin/mysqld  Ver 3.23.49a
> 
> -- Now the lines in my config file that I think make a difference
> radiusd.conf
> port = 1645  # also tried port = 0 and changed /etc/services
> 
> Now if I start radiusd, it will state "Ready to serve requests" and then
> soon after (1-30 seconds) dump core with a segfault. I haven't tried
> this with all flags, etc, but with debugging (-xx) on, it dumps core
> unless I leave it on port 1812. This isn't handy for testing. I'm
> testing it now without debugging and I will get back to you.

More on this:

FreeRADIUS has not stayed stable all day for me. It has
segfaulted/dumped core several times, sometimes while attempting to
authenticate to my test RAS, sometimes when just launched:

Wed Nov 13 15:56:24 2002 : Info: Listening on IP address 194.204.200.53,
ports 1645/udp and 1646/udp.
Wed Nov 13 15:56:24 2002 : Info: Ready to process requests.
Wed Nov 13 15:56:25 2002 : Error: MASTER: exit on signal (11)
Wed Nov 13 15:57:27 2002 : Info: Listening on IP address 194.204.200.53,
ports 1645/udp and 1646/udp.

(no attempt to authenticate)

Wed Nov 13 15:57:27 2002 : Info: Ready to process requests.
Wed Nov 13 16:01:27 2002 : Error: MASTER: exit on signal (11)

(no parameters changed, attempt to auth)

Wed Nov 13 16:11:37 2002 : Info: Listening on IP address 194.204.200.53,
ports 1645/udp and 1646/udp.
Wed Nov 13 16:11:37 2002 : Info: Ready to process requests.
Wed Nov 13 16:11:38 2002 : Error: MASTER: exit on signal (11)

(and again)

At other times it has worked, it will account properly and mysql works
fine. I can't get it to stay stable in debug (-xx or -X) mode so I can't
tell if something is causing this. What is wrong? Sometimes it will work
fine and authenticate me a few times...

> 2) Accounting not working
> 
> I'm still not sure on this, since I haven't quite got around to full
> testing - my NAS doesn't have an option to set the port for accounting
> so I assumed (perhaps incorrectly) that it uses authport+1 as FreeRADIUS
> does. However with many tests on port 1812 I didn't seem to get any
> accounting, I haven't figured out yet if the packets that came from the
> NAS were on the right port (I am still working on this) but to help me
> speed things up right now I'd appreciate if anyone has a script handy
> that can generate accounting packets for me.

Out of interest... this does work now, but only with port 1646...

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: group reject with realm problem

2002-11-13 Thread Marcin Groszek
I have tried this and I did not get any positive results.
user gets rejected but user@realm did not.
I think I will wait for version 0.8.

Chris Parker wrote:

> At 08:21 PM 11/12/2002 -0600, Marcin Groszek wrote:
> >Version 0.7.1
> >I am using the default radius.config file and I experience a problem with
> >denying access to a group of users.
> >Normally I use realm; hunt-group works fine, port limit also works, but
> >
> >When I send a request to the server with realm the server responds OK for a user
> >in the reject group,
> >but when I send the same request to the same server without realm the request is
> >getting rejected as it should be.
> >The realms file is set up to LOCAL for my realm.
> >I include debug from auth.
> >
> >rad_recv: Access-Request packet from host 127.0.0.1:1025, id=2, length=57
> > User-Name = "marcin"
> >modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> > rlm_realm: Looking up realm NULL for User-Name = "marcin"
> > rlm_realm: No such realm NULL
> >   modcall[authorize]: module "suffix" returns noop
> >   HASH:  user marcin found in hashtable bucket 68338
> >   HASH:  matched user marcin in group users
> > users: Matched DEFAULT at 71
> >   modcall[authorize]: module "files" returns ok
> >modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type Reject
> >
> >
> >rad_recv: Access-Request packet from host 127.0.0.1:1025, id=6, length=70
> > User-Name = "[EMAIL PROTECTED]"
> >modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> > rlm_realm: Looking up realm hostplus.net for User-Name =
> > "[EMAIL PROTECTED]"
> > rlm_realm: Found realm hostplus.net
> > rlm_realm: Adding Stripped-User-Name = "marcin"
> >   rlm_realm: Proxying request from user marcin to realm hostplus.net
> > rlm_realm: Adding Realm = "hostplus.net"
> >rlm_realm:  Authentication realm is LOCAL.
> >rlm_realm:  auth_port is not set.  proxy cancelled
> >   modcall[authorize]: module "suffix" returns noop
> > users: Matched DEFAULT at 152
> >   modcall[authorize]: module "files" returns ok
> >modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type System
>
> This seems like a bug in the operation of the server.  Assuming you
> have an entry along the lines of:
>
> DEFAULT   Group == "reject", Auth-Type := Reject
>  Fall-Through = No
>
> You could try adding the realm to the check items in a second entry
> such that you now have:
>
> DEFAULT   Group == "reject", Auth-Type := Reject
>  Fall-Through = No
>
> DEFAULT   Group == "reject", Realm == "hostplus.net", Auth-Type := Reject
>  Fall-Through = No
>
> That may or may not work.  I suspect the problem lies with the Group
> lookup attempting to use 'User-Name' which I think will still contain
> '[EMAIL PROTECTED]'.  Can you include your realm entry for the realm?
>
> -Chris
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\  http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Best Regards: Marcin Groszek
Http://www.hostplus.net
Where we offer:
Server Co-location, Web Site Hosting and Internet Access.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



radwho

2002-11-13 Thread Remus Anca


  I've read all about this subject in the archives.
  My radutmp file is created (and written) when someone is logged on,
  but the file always has 0 size, and radwho just prints the head of the
  report (if I remove radutmp, radwho doesn't display a thing,
  and, logically, strace says that radutmp is not found, but after
  a client logon, the file is created, but with 0 size ...)


  please advise

  thx

-- 
Remus



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: group reject with realm problem

2002-11-13 Thread Chris Parker
At 08:21 PM 11/12/2002 -0600, Marcin Groszek wrote:

> Version 0.7.1
> I am using the default radius.config file and I experience a problem with
> denying access to a group of users.
> Normally I use realm, hunt-group works fine, port limit also works but 
>
> When I send a request to the server with realm the server responds OK for a user
> in the reject group
> but when I send the same request to the same server without realm the request is
> getting rejected as it should be.
> realms file is set up to LOCAL for my realm.
> I include debug from auth.
>
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=2, length=57
> User-Name = "marcin"
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_realm: Looking up realm NULL for User-Name = "marcin"
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
>   HASH:  user marcin found in hashtable bucket 68338
>   HASH:  matched user marcin in group users
> users: Matched DEFAULT at 71
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type Reject
>
>
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=6, length=70
> User-Name = "[EMAIL PROTECTED]"
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_realm: Looking up realm hostplus.net for User-Name = 
> "[EMAIL PROTECTED]"
> rlm_realm: Found realm hostplus.net
> rlm_realm: Adding Stripped-User-Name = "marcin"
>   rlm_realm: Proxying request from user marcin to realm hostplus.net
> rlm_realm: Adding Realm = "hostplus.net"
> rlm_realm:  Authentication realm is LOCAL.
> rlm_realm:  auth_port is not set.  proxy cancelled
>   modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type System

This seems like a bug in the operation of the server.  Assuming you
have an entry along the lines of:

DEFAULT   Group == "reject", Auth-Type := Reject
	Fall-Through = No

You could try adding the realm to the check items in a second entry
such that you now have:

DEFAULT   Group == "reject", Auth-Type := Reject
	Fall-Through = No

DEFAULT   Group == "reject", Realm == "hostplus.net", Auth-Type := Reject
	Fall-Through = No

That may or may not work.  I suspect the problem lies with the Group
lookup attempting to use 'User-Name' which I think will still contain
'[EMAIL PROTECTED]'.  Can you include your realm entry for the realm?

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: duplicate-users and mySQL

2002-11-13 Thread Brian Johnson
Would it be possible to use both the username and password in the
authentication query? I could then customize the database to work with
my user database.

Brian J.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:freeradius-users-admin@;lists.cistron.nl] On Behalf Of 
> Alan DeKok
> Sent: Tuesday, November 12, 2002 11:03 AM
> To: [EMAIL PROTECTED]
> Subject: Re: duplicate-users and mySQL 
> 
> 
> "Brian Johnson" <[EMAIL PROTECTED]> wrote:
> > Does anyone have a solution for implementing duplicate 
> users with mySQL.
> 
>   You've got to get BOTH user's passwords out of the SQL database, and
> then convince the authentication methods to try both, too.
> 
>   Right now, that's not possible without source code patches.
> 
>   Alan DeKok.
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Simultaneous-Use problem

2002-11-13 Thread Svetlana Vyslanko
Hello,
I am trying to use Simultaneous-Use for group users through mysql with 
freeradius-snapshot-20021101.

radiusd.conf:
==
# Session database, used for checking Simultaneous-Use. The radutmp module
# handles this
session {
#   radutmp
sql
}

sql.conf:
==
# Uncomment simul_count_query to enable simultaneous use checking

simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE
UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress,
NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1}
WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

radgroupcheck:
==
GroupName   Attribute          op   Value
ppp-simul   Simultaneous-Use   :=   1

I've also used op=":="


And now users from other groups (not "ppp-simul") don't have access either:

Multiple logins (max 1) : [ppgip] (from client riak port 11)
Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"

I think "GroupName" wasn't checked. Why?


rad_recv: Access-Request packet from host XXX.XX.XX.XX:1026, id=250, length=82
User-Name = "ppgip"
User-Password = "XXX"
NAS-IP-Address = XXX.XX.XX.XX
NAS-Port = 11
NAS-Port-Type = Async
Connect-Info = "14400"
Framed-Protocol = PPP
Service-Type = Framed-User
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
radius_xlat:  'ppgip'
sql_set_user:  escaped user --> 'ppgip'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'ppgip' ORDER BY id'
rlm_sql: Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ppgip' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'ppgip' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'ppgip' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Released sql socket id: 2
  modcall[authorize]: module "sql" returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "noresetcounter" returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "dailycounter" returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "monthlycounter" returns noop
users: Matched DEFAULT at 12
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local User-Password
modcall: entering group session
radius_xlat:  'ppgip'
sql_set_user:  escaped user --> 'ppgip'
radius_xlat:  'SELECT COUNT(*) FROM radacct WHERE UserName='ppgip' AND
AcctStopTime = 0'
rlm_sql: Reserving sql socket id: 1
radius_xlat:  'SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress,
NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE
UserName='ppgip' AND AcctStopTime = 0'
rlm_sql: Released sql socket id: 1
  modcall[session]: module "sql" returns ok
modcall: group session returns ok
Multiple logins (max 1) : [ppgip] (from client riak port 11)
Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"
Finished request 5

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
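To see what the session stage in the debug output above actually decides, here is an added example (not FreeRADIUS code and not from the original post) that runs the page's radgroupcheck lookup and simul_count_query against constructed sqlite tables. The table rows, user names and session data are made up; AcctStopTime is stored as the integer 0 for open sessions because that is what the page's simul_count_query tests for.

```python
import sqlite3

# Query shapes copied from the page, with ${acct_table1} and the
# %{SQL-User-Name} xlat replaced by a table name and a bound parameter.
GROUPCHECK_QUERY = """SELECT radgroupcheck.id, radgroupcheck.GroupName,
  radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.op
  FROM radgroupcheck, usergroup WHERE usergroup.UserName = ?
  AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"""
SIMUL_COUNT_QUERY = ("SELECT COUNT(*) FROM radacct "
                     "WHERE UserName = ? AND AcctStopTime = 0")


def build_db():
    """Constructed in-memory copy of the three tables the queries touch."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
                                    Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, AcctSessionId TEXT,
                              UserName TEXT, NASIPAddress TEXT, NASPortId INTEGER,
                              AcctStopTime INTEGER);
    """)
    # bob is in ppp-simul (limit 1); ppgip is in a group with no limit
    db.executemany("INSERT INTO usergroup VALUES (?, ?)",
                   [("bob", "ppp-simul"), ("ppgip", "ppp-plain")])
    db.execute("INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) "
               "VALUES ('ppp-simul', 'Simultaneous-Use', ':=', '1')")
    # constructed accounting rows: stop time 0 means the session is still open
    db.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, "
        "NASPortId, AcctStopTime) VALUES (?, ?, ?, ?, ?)",
        [("0001", "bob", "192.0.2.10", 3, 0),
         ("0002", "ppgip", "192.0.2.10", 11, 0),
         ("0003", "ppgip", "192.0.2.10", 12, 1037200000)])
    db.commit()
    return db


def group_check_items(db, user):
    """(Attribute, op, Value) triples the sql module would add from the
    user's groups; column order follows the page's SELECT list."""
    rows = db.execute(GROUPCHECK_QUERY, (user,)).fetchall()
    return [(attr, op, value) for _id, _grp, attr, value, op in rows]


def max_sessions(db, user):
    """Simultaneous-Use limit from the group check items, or None."""
    for attr, _op, value in group_check_items(db, user):
        if attr == "Simultaneous-Use":
            return int(value)
    return None


def session_check(db, user):
    """(limit, open_sessions, allowed): the decision of the session stage."""
    limit = max_sessions(db, user)
    (open_sessions,) = db.execute(SIMUL_COUNT_QUERY, (user,)).fetchone()
    if limit is None:
        return (None, open_sessions, True)  # no check item: never "Multiple logins"
    return (limit, open_sessions, open_sessions < limit)


if __name__ == "__main__":
    db = build_db()
    for user in ("bob", "ppgip"):
        print(user, session_check(db, user))
```

A user who picks up no Simultaneous-Use check item from radgroupcheck is never rejected by this count, so a "Multiple logins (max 1)" for such a user means the limit is arriving from some other check-item source.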



Re: about EAP/TLS?

2002-11-13 Thread Artur Hecker

what does "ldd /usr/local/radiusd/lib/rlm_eap_tls-0.8-pre.so" do?



Jeffery Huang wrote:
> Thanks Artur,
> I have followed the document to compile freeradius! But I got a new
> problem now! :(
> 
> ./radiusd: relocation error:
> /usr/local/radiusd/lib/rlm_eap_tls-0.8-pre.so: undefined symbol:
> EVP_des_cbc
> 
> this error means I cannot start up radiusd :(
> 
> how can I resolve it?
> 
> Regards,
> Jeffery
> 
> On Tue, 2002-11-12 19:49, Artur Hecker wrote:
> 
>>hi
>>
>>Jeffery Huang wrote:
>>
>>>Hi! guys,
>>>
>>>  I use freeradius via certificate got the following error message:
>>>
>>>./radiusd: relocation error:
>>>/usr/local/radiusd/lib/rlm_eap_tls-0.8-pre.so: undefined symbol:
>>>SSL_set_msg_callback
>>>
>>>Why does it occur, and how do I resolve the problem?
>>
>>try "ldd /usr/local/radiusd/lib/rlm_eap_tls-0.8-pre.so" and see if there
>>are errors. if not, consider correcting your makefile in
>>./src/modules/rlm_eap/types/rlm-eap_tls manually as explained in
>>http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
>>
>>
>>ciao
>>artur
>>
>>
>>-- 
>>Artur Hecker
>>artur[at]hecker.info
>>
>>- 
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
Artur Hecker                 Groupe Accès et Mobilité
hecker[at]enst[dot]fr        Département Informatique et Réseaux
+33 1 45 81 75 07            46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr    ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



FreeRadius-0.7.1 EAP/MD5 packet problem about RADIUS-ID/EAP-ID

2002-11-13 Thread Alan Chen
Hello:
We are currently developing a Wireless Access-Point.
When we test our Access-Point with 802.1x enabled, we find this problem.

environment:

Windows XP <-->  Access-Point <--> FreeRadius-0.7.1

The 802.1x on 802.11 conversation:

      XP                      Access-Point                  FreeRadius
      --                      ------------                  ----------
 1)  EAPOL-Start                 -->
 2)        <--  EAP-Request/Identity
 3)  EAP-Response/Identity       -->
 4)                              Radius-Access-Request          -->
 5)                              <--  Radius-Access-Challenge/EAP-Request-MD5-challenge
 6)        <--  EAP-Request/MD5-Challenge
 7)  EAP-Response/MD5-Challenge  -->
 8)                              Radius-Access-Request          -->
 9)                              <--  Radius-Access-Accept
10)        <--  EAP-Success


It seems that freeradius takes the Radius-ID in packet 4) as the value of
packet 5)'s EAP-ID.

When we test 802.1x, the EAP-ID of packets 2) and 3) and the Radius-ID of
packet 4) happen to have the same value: 1.

As a result, packets 5) and 6) have EAP-ID 1, the same as packets 2) and 3).

So when Windows XP receives packet 6), it replies with packet 3) instead of
packet 7), and then... an endless loop.

Here are packet dumps made with ethereal, http://www.ethereal.com

Windows XP <--> Access-Point  http://ultra.swing.idv.tw/~ala/ap-xp
Access-Point <--> FreeRadius  http://ultra.swing.idv.tw/~ala/ap-freeradius


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
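The loop described in this report, as an added example that is not part of the original post and not FreeRADIUS code: a minimal EAP encoder, a supplicant that treats a Request carrying the Identifier of its last Response as a retransmission (the EAP rule that makes XP resend packet 3), and an authenticator that either copies the RADIUS packet ID into the challenge's EAP-ID, as the report says 0.7.1 does, or uses the previous EAP Identifier plus one. The identity "alice", the challenge bytes and the hash bytes are constructed.

```python
import struct

# EAP codes and types (values from RFC 2284 / RFC 3748)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_IDENTITY, EAP_MD5 = 1, 4


def eap_packet(code, ident, eap_type, data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) Type(1) Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_fields(pkt):
    """Return (code, identifier, type) of an encoded EAP packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, pkt[4]


class Supplicant:
    """The XP side: a Request whose Identifier equals that of the last
    Response is taken as a retransmission, so the last Response is resent."""

    def __init__(self):
        self.last_id = None
        self.last_response = None

    def handle(self, request):
        _code, ident, eap_type = eap_fields(request)
        if ident == self.last_id:
            return self.last_response
        if eap_type == EAP_IDENTITY:
            resp = eap_packet(EAP_RESPONSE, ident, EAP_IDENTITY, b"alice")
        elif eap_type == EAP_MD5:
            # constructed 16-byte "hash", value-size octet first as in EAP-MD5
            resp = eap_packet(EAP_RESPONSE, ident, EAP_MD5, b"\x10" + b"\x00" * 16)
        else:
            raise ValueError("unexpected EAP type %d" % eap_type)
        self.last_id, self.last_response = ident, resp
        return resp


def run_exchange(radius_id, use_radius_id_as_eap_id, max_rounds=5):
    """Steps 2) to 7) of the conversation above. Returns the EAP types of the
    Responses the supplicant sent. radius_id is the Identifier of the
    Access-Request in step 4); with use_radius_id_as_eap_id=True the server
    copies it into the challenge's EAP-ID (the reported 0.7.1 behaviour),
    otherwise it uses the previous EAP Identifier plus one."""
    peer = Supplicant()
    eap_id = 1  # Identifier the access point picked for Request/Identity
    reply = peer.handle(eap_packet(EAP_REQUEST, eap_id, EAP_IDENTITY))
    seen = []
    for _ in range(max_rounds):
        _code, resp_id, resp_type = eap_fields(reply)
        seen.append(resp_type)
        if resp_type == EAP_MD5:
            break  # step 7) reached; the server can now check the hash
        if use_radius_id_as_eap_id:
            chal_id = radius_id
        else:
            chal_id = (resp_id + 1) & 0xFF
        challenge = eap_packet(EAP_REQUEST, chal_id, EAP_MD5,
                               b"\x10" + b"\x11" * 16)  # constructed challenge
        reply = peer.handle(challenge)
    return seen


if __name__ == "__main__":
    print("RADIUS id copied, id 1:", run_exchange(1, True))   # loops on Identity
    print("EAP id incremented   :", run_exchange(1, False))  # Identity, then MD5
```

With the RADIUS ID copied and equal to the EAP-ID of step 2), the supplicant only ever resends its Identity response; with any other RADIUS ID, or with the incremented Identifier, the exchange reaches the MD5 response.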



Re: Radius server not accounting, and dumping core...

2002-11-13 Thread Frank Cusack
On Wed, Nov 13, 2002 at 10:11:45AM +, Simon White wrote:
> speed things up right now I'd appreciate if anyone has a script handy
> that can generate accounting packets for me.

radclient is part of freeradius and can generate accounting packets.
/fc

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Expiration date check

2002-11-13 Thread Peter Nixon
On Wed, 13 Nov 2002 11:30:43 +0200
Squire Valakos Yorgos uttered the following:

> -Original Message-
> From: Valakos Yorgos [mailto:valakosg@;ipnet.gr] 
> Sent: Wednesday, November 06, 2002 9:48 AM
> To: '[EMAIL PROTECTED]'
> Subject: Expiration date check
> 
> Hello all and thanks for your help !
> 
> I have freeradius 0.7 running under SuSe linux 8.0 on intel platform ( I
> have to remind to all of you that I am a newcomer to both the linux and
> freeradius world ) so here is my question : What do I have to do to make
> freeradius to check authorization requests against an expiration date ?
> (If expiration date >= current date then allow access else deny) Is this
> possible ? I have freeradius using MySql database for both
> authentication and accounting. And one more minor ... I want to keep
> start records on MySql s radius database s radacct table and stop
> records on another table of the same database (which I named 'radstop')
> I have altered sql.conf to match that and created radstop table in
> radius database ( I actually copied and pasted radacct and renamed it )
> but freeradius is still writing both records in radacct table ..what
> more do I have to do ? 
> 
> 
> Thanks again for your help and for that splendid software you ve made
> for us ...

Hi Yorgos 

It's nice to see other SuSE users using freeradius :-)

Regarding the expiration date, I believe this is very easy to do, although I
have not done it myself. I think a quick search through the archives will
give you the answer.

With the sql.conf problem, in fact there is a mistake in the file (I am just
about to update the CVS to fix it now). While the file has at the top:
# If you want both stop and start records logged to the
# same SQL table, leave this as is.  If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"

it never actually uses the variable "acct_table2" anywhere :-(

What you need to do is find the line near the bottom (of sql.conf) starting
with:

accounting_stop_query = "UPDATE ${acct_table1} SET AcctStop 

and change to:

accounting_stop_query = "UPDATE ${acct_table2} SET AcctStop 

Also you need to change:

accounting_stop_query_alt = "INSERT into radacct (RadAcct 

to:

accounting_stop_query_alt = "INSERT into ${acct_table2} (RadAcct

That should fix that problem :-)

Note: I will have some new SuSE 8.0 rpms for freeradius available as soon
as freeradius 0.8 is released (Any minute/day now) at 
http://www.susesecurity.com/files/

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



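A checker for the sql.conf mistake Peter describes, added here as an example (not from the page, not FreeRADIUS code): it reads acct_table1/acct_table2 and the two stop queries, flags a stop query that still expands ${acct_table1} or hard-codes the start table when acct_table2 names a different table, and rewrites it to use ${acct_table2}. The sample configuration is constructed and its queries are shortened stand-ins, not the real sql.conf text.

```python
import re

# Constructed sample; the queries are abbreviated, not the real sql.conf ones.
SAMPLE_SQL_CONF = '''
acct_table1 = "radacct"
acct_table2 = "radstop"
accounting_stop_query = "UPDATE ${acct_table1} SET AcctStopTime = '%S' WHERE AcctSessionId = '%{Acct-Session-Id}'"
accounting_stop_query_alt = "INSERT into radacct (RadAcctId, AcctSessionId) VALUES ('', '%{Acct-Session-Id}')"
'''

STOP_KEYS = ("accounting_stop_query", "accounting_stop_query_alt")
# key = "value" lines; the value may contain escaped characters
SETTING_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', re.M)


def parse_settings(text):
    """Map of setting name to its double-quoted value."""
    return {key: value for key, value in SETTING_RE.findall(text)}


def stop_table_problems(text):
    """Names of stop queries that write to the start table although
    acct_table2 points somewhere else."""
    settings = parse_settings(text)
    t1, t2 = settings.get("acct_table1"), settings.get("acct_table2")
    if t1 is None or t2 is None or t1 == t2:
        return []  # start and stop share one table: nothing to check
    problems = []
    for key in STOP_KEYS:
        query = settings.get(key)
        if query is None or "${acct_table2}" in query:
            continue
        if "${acct_table1}" in query or re.search(r"\b%s\b" % re.escape(t1), query):
            problems.append(key)
    return problems


def fix_stop_queries(text):
    """Rewrite the stop queries so they expand ${acct_table2}, which is the
    change Peter describes for accounting_stop_query and its _alt variant."""
    t1 = parse_settings(text).get("acct_table1")
    out = []
    for line in text.splitlines():
        match = SETTING_RE.match(line)
        if match and match.group(1) in STOP_KEYS:
            line = line.replace("${acct_table1}", "${acct_table2}")
            if t1:
                line = re.sub(r"\b%s\b" % re.escape(t1), "${acct_table2}", line)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print("problems before:", stop_table_problems(SAMPLE_SQL_CONF))
    fixed = fix_stop_queries(SAMPLE_SQL_CONF)
    print("problems after :", stop_table_problems(fixed))
```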


Radius server not accounting, and dumping core...

2002-11-13 Thread Simon White
Hello,

I have FreeRADIUS working, with MySQL db and even have tested with a USR
Netserver NAS and it works fine on default port 1812 (which I can set
the NAS to authenticate to)... so I have got somewhere. However there
are two issues I'd like feedback on, if anyone can help. 

1) Core dumping on port 1645 with debugging on

-- First of all the version etc
FreeRADIUS Version 0.7.1, for host i686-pc-linux-gnu
gcc-2.96-81
glibc-2.2.4-24
kernel-2.4.18 hand rolled
/usr/sbin/mysqld  Ver 3.23.49a

-- Now the lines in my config file that I think make a difference
radiusd.conf
port = 1645  # also tried port = 0 and changed /etc/services

Now if I start radiusd, it will state "Ready to serve requests" and then
soon after (1-30 seconds) dump core with a segfault. I haven't tried
this with all flags, etc, but with debugging (-xx) on, it dumps core
unless I leave it on port 1812. This isn't handy for testing. I'm
testing it now without debugging and I will get back to you.

2) Accounting not working

I'm still not sure on this, since I haven't quite got around to full
testing - my NAS doesn't have an option to set the port for accounting
so I assumed (perhaps incorrectly) that it uses authport+1 as FreeRADIUS
does. However with many tests on port 1812 I didn't seem to get any
accounting, I haven't figured out yet if the packets that came from the
NAS were on the right port (I am still working on this) but to help me
speed things up right now I'd appreciate if anyone has a script handy
that can generate accounting packets for me.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Some other basic questions about features

2002-11-13 Thread Remus Anca


1.  I want that, if a user is not found in files, it is looked up in sql.
  Is that possible, in a sequence like this?
authorize{
  preprocess
  suffix
  files
  sql
}

2. I want to use Filter-Id to filter users.
I must enter in radgroupreply:

GroupName  Attribute  Value                           op  prio
mygrup     Filter-Id  name_of_filter_defined_on_NAS   ?   ?

but how can I specify if the filter is for INPUT or OUTPUT for users?

3. What exactly do the tables mean? This is what I understand:
usergroup - users and their groups (a user can be in more than one group)
radcheck - users with their passwords (and other particular features)
radgroupcheck - all features for a group

radgroupreply?
radreply?
What is the function of these tables with a ...reply name?


thanks
-- 
Remus



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



FW: Expiration date check

2002-11-13 Thread Valakos Yorgos


-Original Message-
From: Valakos Yorgos [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 06, 2002 9:48 AM
To: '[EMAIL PROTECTED]'
Subject: Expiration date check

Hello all and thanks for your help !

I have freeradius 0.7 running under SuSe linux 8.0 on intel platform ( I
have to remind to all of you that I am a newcomer to both the linux and
freeradius world ) so here is my question : What do I have to do to make
freeradius to check authorization requests against an expiration date ?
(If expiration date >= current date then allow access else deny) Is this
possible ? I have freeradius using MySql database for both
authentication and accounting. And one more minor ... I want to keep
start records on MySQL's radius database's radacct table and stop
records on another table of the same database (which I named 'radstop')
I have altered sql.conf to match that and created radstop table in
radius database ( I actually copied and pasted radacct and renamed it )
but freeradius is still writing both records in radacct table ..what
more do I have to do ? 


Thanks again for your help and for that splendid software you ve made
for us ...



Yorgos 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: SQL authentification

2002-11-13 Thread Joost Hietbrink
The mysql module at the moment (first it did.. but it's removed for the
better) does not do the actual "authenticate" process. This means, you can
NOT include 'sql' in the 'authenticate' part of the radiusd.conf file.
Instead, mysql adds attributes so the 'chap' or 'pap' module can do the
'authenticate' part.

see http://www.swx.nl/freeradius/freeradiussql.html > configuration > step 3
..

So it is completely possible to "store passwords (or their hashes) in a
database not in a file"...


> Hi,
>
> why is the sql module not allowed for authentication? When I place "sql" in
> the authenticate section of radiusd.conf radius says:
> Error: radiusd.conf: "SQL" modules aren't allowed in 'authenticate'
> sections -- they have no such method.
>
> So, if that is ok, what is the reason for the radcheck table in the radius
> database for MySQL?
> I really need to store passwords (or their hashes) in a database, not in a
> file. How can I do that?
>
> connor
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html