Re: f-cking kissing sisters
On Fri, Feb 07, 2003 at 09:11:51PM +0100, kayla wrote: HELLO GUYS...MY SISTER AND I JUST GOT THROUGH FILMING SOME VERY DIRTY SISTER ACTION [...] The question of making this mailist closed was asked not once. Maybe we should permit posting to list only for subscribe users??? -- WBR, Vitaliy Karlov [KV1670-RIPE] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP not working
Dear Frank Keeney, Plese get new version from CVS, I've changed importance of SMB-Account-Control attribute a couple of days ago, but didn't checked default value is valid, so it fails if this attribute doesn't present. --Friday, February 7, 2003, 9:58:23 PM, you wrote to [EMAIL PROTECTED]: FK I can't seem to get MS-CHAP to work. We've spent many hours with various FK configuration but always seem to have an error. We've tried smbpasswd and FK other options without success. FK Is there an example MS-CHAP config that I can use for a model? I've been FK through all the docs and the mailing list. The NAS is a SMC EliteConnect. FK We keep seeing this message and others: FK rlm_mschap: No LM/NT password configured. Check authorization. FK modcall[authenticate]: module mschap returns invalid FK Thank you, Configs and dump below: FK FK Applicable parts of the config: FK mschap { FK authtype = MS-CHAP FK use_mppe = yes FK require_encryption = yes FK } FK authorize { FKmschap FK } FK authenticate { FK authtype PAP { FK pap FK } FK authtype CHAP { FK chap FK } FK authtype MS-CHAP { FK mschap FK } FK } FK preacct { FK preprocess FK suffix FK files FK } FK FK Test user file: FK test11Auth-Type := Local, User-Password := test FK test12Auth-Type := MS-CHAP, User-Password := test FK FK Radius dump: FK Ready to process requests. FK rad_recv: Access-Request packet from host 192.168.16.3:1176, id=130, length=110 FK User-Name = test12 FK MS-CHAP-Challenge = 0x2c1096fe257fe7d558cd07dee6ea1638 FK MS-CHAP2-Response = 0x3d1602735c6db434c3145b04dc81a12325833ba5078dd3cd1fc0f070e6ae98ee629e73bb4d1742a2 FK rad_lowerpair: User-Name now 'test12' FK rad_rmspace_pair: User-Name now 'test12' FK modcall: entering group authorize FK modcall[authorize]: module preprocess returns ok FK users: Matched DEFAULT at 1 FK modcall[authorize]: module files returns ok FK modcall[authorize]: module mschap returns notfound FK modcall: group authorize returns ok FK rad_check_password: Found Auth-Type MS-CHAP FK auth: type MS-CHAP FK modcall: entering group authtype FK rlm_mschap: No LM/NT password configured. Check authorization. FK modcall[authenticate]: module mschap returns invalid FK modcall: group authtype returns invalid FK auth: Failed to validate the user. FK Login incorrect: [test12] (from client smc port 0) FK Delaying request 0 for 1 seconds FK Finished request 0 FK Going to the next request FK --- Walking the entire request list --- FK Waking up in 1 seconds... FK --- Walking the entire request list --- FK Waking up in 1 seconds... FK --- Walking the entire request list --- FK Sending Access-Reject of id 130 to 192.168.16.3:1176 FK MS-CHAP-Error = \000E=691 R=1 FK Waking up in 4 seconds... FK --- Walking the entire request list --- FK Cleaning up request 0 ID 130 with timestamp 3e43ffcc FK Nothing to do. Sleeping until we see a request. FK Radius dump number 2: FK --- Walking the entire request list --- FK Threads: total/active/spare threads = 5/1/4 FK Waking up in 5 seconds... FK Thread 1 handling request 0, (1 handled so far) FK User-Name = test12 FK MS-CHAP-Challenge = 0x6227301276f8a2625c5e1b17f5cf8c4b FK MS-CHAP2-Response = 0x5e2f83723e193f82d54c210d15bab6744a1ee29726edf3a348188e0d4c5c4a59c6542ff9637ec90d FK rad_lowerpair: User-Name now 'test12' FK rad_rmspace_pair: User-Name now 'test12' FK modcall: entering group authorize FK modcall[authorize]: module preprocess returns ok FK rlm_chap: Could not find proper Chap-Password attribute in request FK modcall[authorize]: module chap returns noop FK users: Matched test12 at 1075 FK modcall[authorize]: module files returns ok FK modcall[authorize]: module mschap returns ok FK modcall: group authorize returns ok FK rad_check_password: Found Auth-Type MS-CHAP FK auth: type MS-CHAP FK modcall: entering group authtype FK rlm_mschap: doing MS-CHAPv2 with NT-Password FK rlm_mschap: Authentication failed FK rlm_mschap: Nothing in the packet I recognise: Rejecting the user FK modcall[authenticate]: module mschap returns reject FK modcall: group authtype returns reject FK auth: Failed to validate the user. FK Login incorrect: [test12] (from client smc port 0) FK Delaying request 0 for 1 seconds FK Finished request 0 FK Going to the next request FK Thread 1 waiting to be assigned a request FK --- Walking the entire request list --- FK Threads: total/active/spare threads = 5/0/5 FK Sending Access-Reject of id 56 to 192.168.16.3:1102 FK MS-CHAP-Error = \000E=691 R=1 FK Waking up in 1 seconds... FK Error receiving packet: Connection refused FK rl_next: returning NULL FK
Re: RADIUS response from incorrect interface
In article [EMAIL PROTECTED], Alan DeKok [EMAIL PROTECTED] wrote: John Gruber [EMAIL PROTECTED] wrote: But bind on * should work too.. and the reply should come from the address for the interface the request was sent to. It just doesn't, and I did not have the time at the time to see why in the code. It only works if you call bind() immediately upon receiving a packet. That's expensive, and causes the server to do a *lot* of work. You mean immediately before sending a reply. But that creates a race condition, since you can then not receive packets from other interfaces anymore. Unless you use a seperate send and receive socket. However then you need to lock around the bind() / sendto() calls, to prevent race conditions between threads. It's not worth it. It's also impossible for another reason: you cannot know on which interface a certain UDP packet was received. recvfrom() only records the clients IP address, not the address of the interface the packet was received on. With Linux, you can use recvmsg() / sendmsg() with IP_PKTINFO in the ancillary data to get / set the local address, but that is not portable (though *BSD appears to have something similar). A better solution is to explicitely list the addresses the server listens on, which is much less expensive, but requires a bit more code. And just open one socket for each address/port to listen on. Yes, that is the easiest solution by far. Mike. -- Anyone who is capable of getting themselves made President should on no account be allowed to do the job -- Douglas Adams. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to implement Class and Vendor-Specific attributes, accounting question
Dave Mason [EMAIL PROTECTED] wrote: Woops - I should have held my fire a bit, I see the answer now. Do you just add your module to the accounting block in radiusd.conf? My next question is can I use an EAP sub-module here? Not really. My next question is: Is there EAP information in the accounting packet? If not, then the accounting should *not* be in the EAP module. With that, maybe I need to use eap in the accounting block, and have an eap_accounting() function to handle my accounting behavior. Or, even though the client was authenticated with EAP, accounting really doesnt involve EAP, so maybe I should define a new RLM module for my new behavior? The EAP related code should go into rlm_eap. I also need to add a new function in preaccounting to grab some data and stick it in the accounting record before it's recorded. What do you think? That's possible. If you want to tie an EAP request/response to an accounting packet, see the 'Class' attribute. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
proxy.conf, realm definition and LDAP
I'm running freeradius-0.8.1 on RedHat 7.3. On another server, I'm running OpenLDAP 2.0.1 on RedHat 7.3. I'm having problems getting Radius to proxy LDAP authentications. For starters, I have three classes of users: 1) local - use local Radius authentication 2) my_radius - use remote Radius authentication (also running freeradius-0.8.1 on RedHat 7.3) 3) my_partner - authenticate against a remote OpenLDAP server Therefore, I'm trying to use realms and let the local Radius server proxy the two other remote authentications. In my radiusd.conf, I've enabled proxying, added the ldap module and have defined it as: ldap { server = 123.123.123.123 port = 389 basedn = ou=People, o=%{Realm} filter = (uid=%{Stripped-User-Name:-%{User-Name}}) start_tls = no tls_mode = no ldap_connections_number = 30 timeout = 5 timelimit = 5 net_timeout = 5 identity = cn=Manager, o=%{Realm} password = foo } I want to use realms such as [EMAIL PROTECTED] to authorize against the remote LDAP server and my_radius/bob to authorize against the remote RADIUS server. Here's an excerpt from my proxy.conf: realm local { type = radius authhost = LOCAL accthost = LOCAL } realm my_radius { type = radius authhost = radius.us.com:1812 accthost = radius.us.com:1813 secret = foo } realm my_partner { type = ldap authhost = LOCAL accthost = LOCAL } I think that the last realm, 'my_partner', is wrong. How would I define the realm to authorize against a remote LDAP? Do I have to have the remote LDAP user in my users conf file? Thanks in advance, Mark Gaither - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html