Re: AS5300, selecting IP pool

2003-01-07 Thread Evren Yurtesen
You just can't get radius to send the required attribute, or it sends the
attribute but the as5300 somehow doesn't care?

Here is a good example (although this is not actually freeradius)
http://lists.cistron.nl/pipermail/cistron-radius/2001-July/001555.html

Evren

On Wed, 8 Jan 2003, Nader Skaros wrote:

> 
> Hi Guys,
> 
> I'm a bit of a newbie when it comes to access servers, but we have got a cisco as5300
> for our dialup customers and also our admin. We would like two different ip-address
> pools, and securing users access using ACL's.
> 
> Would anyone be able to give me a quick rundown on how to do this? I have tried many
> different ways of doing this and in each case I just can't get free radius to send the
> Cisco-AVPair attribute over. the nas keeps giving ip's from the default pool
> 
> Thanx in advance
> =)
> 
> 
> MyVoice http://www.myvoiceonline.net
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 





(no subject)

2003-01-07 Thread Nader Skaros

Hi Guys,

I'm a bit of a newbie when it comes to access servers, but we have got a cisco as5300
for our dialup customers and also our admin. We would like two different ip-address
pools, and securing users access using ACL's.

Would anyone be able to give me a quick rundown on how to do this? I have tried many
different ways of doing this and in each case I just can't get free radius to send the
Cisco-AVPair attribute over. the nas keeps giving ip's from the default pool

Thanx in advance
=)


MyVoice http://www.myvoiceonline.net




Re: Solaris Issue

2003-01-07 Thread Brian Leung
hi all,

when i type the command /usr/ccs/bin/ld /usr/local/openldap/lib/libldap.so

SSL_get_error /usr/local/openldap/lib/libldap.so
sk_value /usr/local/openldap/lib/libldap.so
ber_memalloc /usr/local/openldap/lib/libldap.so
ber_strdup /usr/local/openldap/lib/libldap.so
ber_sockbuf_free /usr/local/openldap/lib/libldap.so
ERR_get_error_line /usr/local/openldap/lib/libldap.so
SSL_load_client_CA_file /usr/local/openldap/lib/libldap.so
SSL_free /usr/local/openldap/lib/libldap.so
X509V3_EXT_d2i /usr/local/openldap/lib/libldap.so
res_query /usr/local/openldap/lib/libldap.so
SSL_pending /usr/local/openldap/lib/libldap.so
ber_skip_tag /usr/local/openldap/lib/libldap.so
ERR_peek_error /usr/local/openldap/lib/libldap.so
SSL_get_peer_certificate /usr/local/openldap/lib/libldap.so
ber_pvt_log_print /usr/local/openldap/lib/libldap.so
ber_alloc_t /usr/local/openldap/lib/libldap.so
SSL_read /usr/local/openldap/lib/libldap.so
ber_sockbuf_add_io /usr/local/openldap/lib/libldap.so
sk_num /usr/local/openldap/lib/libldap.so
SSL_accept /usr/local/openldap/lib/libldap.so
X509_NAME_oneline /usr/local/openldap/lib/libldap.so
connect /usr/local/openldap/lib/libldap.so
ld: fatal: Symbol referencing errors. No output written to a.out

is it related to the compile problem?

Brian



chris wrote:

>Just jumpin' in here real quick without knowin' the full story...  just
>trying to help:
>
>Check your LD_LIBRARY_PATH env var.  Make sure it has a path to your SSL
>libs.
>
>Also, you can use a linker option to include the path.  If you're using GCC,
>add a -R /path/to/lib  in the makefile in the appropriate place.
>
>Good luck.
>
>Chris Bunnell
>Senior Engineer - Network Implementation
>Avantac Technologies, Inc. - Formerly Sonic Internet Services
>9719 Lincoln Village Drive #503
>Sacramento, CA. 95827
>(916) 854-5940
>www.avantac.com
>
>- Original Message -
>From: "Frank Cusack" <[EMAIL PROTECTED]>
>To: "Brian Leung" <[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Sent: Monday, January 06, 2003 5:49 PM
>Subject: Re: Solaris Issue
>
>
>  
>
>>No idea what the problem was.  You didn't quote the original message.
>>/fc
>>
>>On Tue, Jan 07, 2003 at 09:46:27AM +0800, Brian Leung wrote:
>>
>>
>>>hi all,
>>>
>>>i think the problem may be caused by the fact that the freeradius can't
>>>find the ssl library but i already tried to compile the ssl lib in
>>>/usr/local/lib. is there any method to specify the  path of ssl library
>>>before compile the radius?
>>>thank you
>>>
>>>Brian
>>>
>>>  
>>>







Re: NT auth ...

2003-01-07 Thread Joe Maimon
Might I recommend you look at the possibility of proxy radius to the 
nt/w2k server which has "Internet Authentication Service" (installed in 
windows components) configured with remote access policies ?

Rodrigo Hidalgo wrote:

> Hi all,
>
> New to this list, hopefully you can help me with my question.
>
> Setup:
>
> FreeRadius 0.8
>
> PM3
> |
> Radius_server using module rlm_smb
> |
> NT_domain_controller
>
> My question is can i with rlm_smb deny a user access when the domain user
> has "grant dialin permission" denied ??
>
> If no is there any other way to get this working ?? PAM maybe.
>
> BR
>
> Rodrigo Hidalgo




Re: Error about:rlm_eap_md5: No password configured for this user.

2003-01-07 Thread Shawn Adams


Thanks for the responses to my queries. I have the EAP/MD5 working
with the win2k supplicant across a Nortel BS450 switch.

users.conf:

lunatic Auth-Type := Local, User-Password = "test"

clients.conf:

client 192.168.17.247 {
	secret      = test
	shortname   = bs450_1
	nastype     = other
}

radius.conf is as in the EAP-MD5 howto, only difference might be I 
installed freeradius 0.8.1

I guess my big disappointment is the user password is in clear text in 
the /etc/raddb/users.conf file. Which is just another administrative 
task to maintain.

Anyone have ideas/suggestions/experience to utilize an already existing, 
perhaps more centralized management for the EAP user/passwords ?

thanks very much.



--
Shawn Adams
[EMAIL PROTECTED]
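
Why the users entry above has to carry a recoverable password, as an added example that is not part of the original post: EAP-MD5 uses the CHAP formula MD5(identifier || password || challenge), so the server must recompute it from the cleartext, and any centralized store has to be able to return that cleartext. The identifier, the challenge bytes and the SHA-256 stand-in for a hashed store are constructed for illustration.

```python
import hashlib
import hmac


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP MD5-Challenge value (RFC 3748 type 4, same formula as CHAP in
    RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def server_verify(stored_secret: bytes, identifier: int,
                  challenge: bytes, response: bytes) -> bool:
    """Recompute the expected value from whatever the server has stored and
    compare in constant time."""
    expected = eap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"test"            # value from the users entry in the post
    identifier = 7                # constructed EAP identifier
    challenge = bytes(range(16))  # constructed; a real server sends random bytes

    # Supplicant side: only the hash of (id, password, challenge) goes on the wire.
    response = eap_md5_response(identifier, password, challenge)

    # A store that keeps only a one-way hash (SHA-256 here as a stand-in for
    # a crypt-style hashed store) cannot reproduce that value.
    one_way = hashlib.sha256(password).digest()

    return {
        "cleartext_store": server_verify(password, identifier, challenge, response),
        "one_way_store": server_verify(one_way, identifier, challenge, response),
        "wrong_password": server_verify(b"guess", identifier, challenge, response),
        # A different challenge invalidates a captured response (replay).
        "replayed": server_verify(password, identifier, bytes(16), response),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16} accepted={accepted}")
```

Only the cleartext store accepts the supplicant's response; the hashed store rejects a correct password, which is why EAP-MD5 cannot be pointed at a backend that keeps one-way hashes only.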





Re: FreeRadius vs SteelBelted, Tuning of Ports and Packets. Logs included!!!

2003-01-07 Thread Alan DeKok
Marnix Petrarca <[EMAIL PROTECTED]> wrote:
> The windows client gives an error-message: Error 734: The PPP link control 
> protocol was terminated. The latest trailing messages logged by my 
> FreeRadius daemon are different from the first, which leads me to think I 
> have a combined problem: It seems I forgot to chown radius to the 
> appropriate directories - am checking that out currently.

  That shouldn't affect authentication.  But if your PPP daemon gives
little information about WHY the connection was terminated, then it
makes the problem MUCH more difficult to solve.

> *** Contents of my users file, which has simple entries for testing as yet: 
> I'm still confused which attributes should work the same way as the 
> Steel-Belted ''Standard Radius",

  The standard RADIUS attributes, as defined in the RFC's, should work
the same.  The others are server-specific, and may not work the same.

  Alan DeKok.




Re: NT auth ...

2003-01-07 Thread Alan DeKok
Rodrigo Hidalgo <[EMAIL PROTECTED]> wrote:
> My question is can i with rlm_smb deny a user access when the domain user 
> has "grant dialin permission" denied ??

  No.  The SMB module only does password checking.  If you want
something else to happen, you need to use another module in addition
to rlm_smb.

  Alan DeKok.




Re: user subnet

2003-01-07 Thread Roger
Joe Maimon wrote:


> You can use the Framed-Route attribute in your reply if the Ascend box
> supports it and limit the login to once.


Limiting the times the user is logged in wasn't my goal..  My goal was 
to assign user xyz to a certain range of ips..

Sorry about the confusion..

--
Rock River Internet           Roger Grunkemeyer
202 W. State St, 8th Floor    [EMAIL PROTECTED]
Rockford, IL 61101            815-968-9888







Re: freeradius0.8+RH8.0+Oracle9i: problem - growing of connections

2003-01-07 Thread Alan DeKok
Ruslan Spivak <[EMAIL PROTECTED]> wrote:
> I have noticed this problem with my configuration:
> 
> Freeradius0.8 + RH8.0 + Oracle9i
> 
> I can see that number of connections to my DB constantly grows:

  Upgrade to 0.8.1.  The problem is fixed there.

  Alan DeKok.




Re: Solaris Issue

2003-01-07 Thread chris
Just jumpin' in here real quick without knowin' the full story...  just
trying to help:

Check your LD_LIBRARY_PATH env var.  Make sure it has a path to your SSL
libs.

Also, you can use a linker option to include the path.  If you're using GCC,
add a -R /path/to/lib  in the makefile in the appropriate place.

Good luck.

Chris Bunnell
Senior Engineer - Network Implementation
Avantac Technologies, Inc. - Formerly Sonic Internet Services
9719 Lincoln Village Drive #503
Sacramento, CA. 95827
(916) 854-5940
www.avantac.com

- Original Message -
From: "Frank Cusack" <[EMAIL PROTECTED]>
To: "Brian Leung" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, January 06, 2003 5:49 PM
Subject: Re: Solaris Issue


> No idea what the problem was.  You didn't quote the original message.
> /fc
>
> On Tue, Jan 07, 2003 at 09:46:27AM +0800, Brian Leung wrote:
> > hi all,
> >
> > i think the problem may be caused by the fact that the freeradius can't
> > find the ssl library but i already tried to compile the ssl lib in
> > /usr/local/lib. is there any method to specify the  path of ssl library
> > before compile the radius?
> > thank you
> >
> > Brian
> >
>



NT auth ...

2003-01-07 Thread Rodrigo Hidalgo
Hi all,

New to this list, hopefully you can help me with my question.

Setup:

FreeRadius 0.8

PM3
|
Radius_server using module rlm_smb
|
NT_domain_controller

My question is can i with rlm_smb deny a user access when the domain user 
has "grant dialin permission" denied ??

If no is there any other way to get this working ?? PAM maybe.

BR

Rodrigo Hidalgo





RE: Netware LDAP & free Radius

2003-01-07 Thread markcapelle
Lyle:

I have been using FreeRadius against Novell LDAP (Netware 5.1) for over
a year now.  It works like a dream...  there were a few small tweaks I
needed to get it working, but nothing major.  I would have to go back and
look at my notes, but I believe the main things were to create a "CN" LDAP
attribute, allow anonymous BINDs to NDS LDAP, and make the CN attribute
readable to "Public".  I would recommend setting up a server and doing some
ldapsearches against it to get the correct DN attributes and see what is
available via your current LDAP setup.

Regards,
Mark Capelle (CNE5, CNE4, A+)
Senior Network Administrator

Message: 5
From: "Lyle Giese" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Netware LDAP & free Radius
Date: Sat, 4 Jan 2003 09:29:40 -0600
Reply-To: [EMAIL PROTECTED]

I am playing with freeRadius a bit and had a question.  Has anyone built
freeRadius to connect to a Netware 5 (or higher) via LDAP for authentication?

This seems interesting as one of my clients wants a VPN solution and we want
to keep user administration tasks to a minimum by utilizing the existing user
database in Netware.  I worked with Novell's VPN solution and it has some
severe drawbacks deep down inside.  I am looking at Wolverine now as the VPN
server and could use a way to integrate the user database via LDAP or
another method.

Thanks,
Lyle






freeradius0.8+RH8.0+Oracle9i: problem - growing of connections

2003-01-07 Thread Ruslan Spivak
Hello, freeradius users!

I have noticed this problem with my configuration:

Freeradius0.8 + RH8.0 + Oracle9i

I can see that number of connections to my DB constantly grows:

select status, count(*) from v$session group by status;

and in 3-4 days number of allowed connections to my db exceeds and i 
need to restart my freeradius, after that it's ok.

Can you point me what's the problem and how to solve it?
Your help is very, very appreciated.
Thanks in advance,
Ruslan.





FreeRadius vs SteelBelted, Tuning of Ports and Packets. Logs included!!!

2003-01-07 Thread Marnix Petrarca
Ready to process requests.

rad_recv: Access-Request packet from host 10.10.254.252:1812, id=243, 
length=107

	NAS-Identifier = "GS5.gv-C1"
	User-Name = "job"
	User-Password = "x"
	NAS-IP-Address = 10.10.254.252
	NAS-Port-Type = Virtual
	Calling-Station-Id = "316"
	Called-Station-Id = "xxx.nl"
	Acct-Session-Id = "344a07911ea9"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "job", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched job at 80
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password

Login OK: [job/kunst] (from client nas1.kpn.com port 0 cli 31620017455)

Sending Access-Accept of id 243 to 10.10.254.252:1812
	Service-Type = Login-User
	Framed-Protocol = PPP
	Framed-IP-Address = 10.10.0.4
	Framed-IP-Netmask = 255.255.255.255
	Framed-Routing = Broadcast-Listen
	Framed-Filter-Id = "std.ppp"
	Framed-MTU = 1500
	Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0

Going to the next request

SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused

--- Walking the entire request list ---

Waking up in 6 seconds...

rad_recv: Accounting-Request packet from host 10.10.254.252:1812, id=244, 
length=135
	NAS-Identifier = "GS5.gv-C1"
	User-Name = "job"
	Acct-Status-Type = Start
	NAS-IP-Address = 10.10.254.252
	NAS-Port-Type = Virtual
	Calling-Station-Id = "316"
	Called-Station-Id = "xxx.nl"
	Acct-Session-Id = "344a07911ea9"
	Framed-IP-Address = 10.10.0.4
	X-Ascend-IPX-Alias = 0x0204088149f9
	X-Ascend-Metric = 43294
	X-Ascend-PRI-Number-Type = 0
	X-Ascend-Dial-Number = "\221\007J4"
	X-Ascend-Route-IP = 2433174055

modcall: entering group preacct
  modcall[preacct]: module "preprocess" returns noop
rlm_realm: No '@' in User-Name = "job", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module "suffix" returns noop
  modcall[preacct]: module "files" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: WARNING: Attribute 87 was not found in request, unique ID 
MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 10.10.254.252,NAS-IP-Address 
= 10.10.254.252,Acct-Session-Id = "344a07911ea9",User-Name = "job"'
rlm_acct_unique: Acct-Unique-Session-ID = "a5045ec781c51f68".
  modcall[accounting]: module "acct_unique" returns ok
radius_xlat:  '/usr/local/var/log/radius/radacct/10.10.254.252/detail-20030107'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /usr/local/var/log/radius/radacct/10.10.254.252/detail-20030107
rlm_detail: Failed to create directory 
/usr/local/var/log/radius/radacct/10.10.254.252: Permission denied
  modcall[accounting]: module "detail" returns fail
modcall: group accounting returns fail
Finished request 1
Going to the next request
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
Cleaning up request 1 ID 244 with timestamp 3e1af415
rl_next:  returning NULL
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 10.10.254.252:1812, id=244, 
length=135
	NAS-Identifier = "GS5.gv-C1"
	User-Name = "job"
	Acct-Status-Type = Start
	NAS-IP-Address = 10.10.254.252
	NAS-Port-Type = Virtual
	Calling-Station-Id = "316"
	Called-Station-Id = "xxx.nl"
	Acct-Session-Id = "344a07911ea9"
	Framed-IP-Address = 10.10.0.4
	X-Ascend-IPX-Alias = 0x0204088149f9
	X-Ascend-Metric = 43294
	X-Ascend-PRI-Number-Type = 0
	X-Ascend-Dial-Number = "\221\007J4"
	X-Ascend-Route-IP = 2433174055

Here the weird stuff starts happening, probably due to my forgetting to 
chown radius to the various dirs.

modcall: entering group preacct
  modcall[preacct]: module "preprocess" returns noop
rlm_realm: No '@' in User-Name = "job", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module "suffix" returns noop
  modcall[preacct]: module "files" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: WARNING: Attribute 87 was not found in request, unique ID 
MAY be inconsistent
rlm_acct_unique: Hashing ',