about FreeRADIUS password encrypt

2007-09-22 Thread yangcuilin
Hello,

I would appreciate it very much if you could do me a favour.

My customer asks us to store the passwords encrypted in FreeRADIUS (the DB
is configured as MySQL).

The password I have passed to FreeRADIUS is clear text.

Can FreeRADIUS be configured like that?

Please give me some advice.

Rock

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: about FreeRADIUS password encrypt

2007-09-22 Thread tnt
That depends on the authentication protocol you are using. If you are using
PAP there is no problem: just replace Cleartext-Password with the
encrypted one and the appropriate attribute (Crypt-Password for crypt(),
etc.). If you are using something like MSCHAP, then your options are
much more limited: you can only use NT-Password. Have a look at the
protocol/encryption table:

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Configuration for Cisco DSL Users

2007-09-22 Thread DFN Systems Office
I'm new both to freeradius and the *nix operating system. I have
successfully implemented freeradius for users dialing in through Portmaster3
Access Servers using FreeRadius 1.0.1-1 on Fedora.
I am currently authenticating DSL users locally on a Cisco 7206VXR Router. I
would like to authenticate the DSL users on the FreeRadius Server, but
attempts have been unsuccessful. The Accounting works. Even now with DSL
Users set to Auth locally on the Router, Radius is faithfully logging the
activity.

With Radius Auth, the DSL modem will not connect and I get no entry in the
Radius accounting log.
 
AAA Debug is virtually identical to the Local Auth output! The only
difference was the line Method=local changed to Method=Radius.
 
Both log entry sets have Status = PASS and both show the virtual-access
change to up!
 
So now I'm thinking the AAA/Radius is working but I have a communications
issue. When a DSL user authenticates locally, he then gets an IP address
from the local pool on the Cisco. When the same DSL User authenticates on
Radius, all communication seems to stop.

Here are the relevant config sections from the Cisco.

aaa new-model
aaa authentication login default line [*currently set to local]
aaa authentication ppp default group radius local [see*above]
aaa authorization network default group radius local 
aaa accounting delay-start
aaa accounting network default start-stop group radius
interface Loopback1
 description DSL
 ip address 206.206.89.1 255.255.255.0 secondary
 ip address 206.206.88.161 255.255.255.240 secondary
 ip address 206.206.86.1 255.255.255.0
interface Virtual-Template2
 description DFN NEW Template
 ip unnumbered Loopback1
 ip mroute-cache
 peer default ip address pool OsoGranDSL OsoGranDsl2
 ppp authentication pap
radius-server host [omitted] auth-port 1645 acct-port 1646
radius-server host [omitted] auth-port 1645 acct-port 1646
radius-server key [omitted] 


Here's an example entry from my users file:
 
username  Auth-Type := Local, User-Password == omitted
  User-Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-Address = 255.255.255.254,
  Framed-Netmask = 255.255.255.255,
  Framed-Routing = Broadcast-Listen,
  Framed-Filter-Id = std.ppp,
  Framed-MTU = 1500,
  Framed-Compression = Van-Jacobsen-TCP-IP

I think I'm close, and I have a hunch the users file settings that work for
PortMasters may not be good for Cisco. Any suggestions or sample configs
would be appreciated.

Bill Green
Dfn Systems

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuration for Cisco DSL Users

2007-09-22 Thread tnt
You will need to do debug ppp negotiation to see whether IP address
allocation is the problem. If it is, you can always use the FreeRADIUS
ippool (or sqlippool in the latest versions) to allocate IPs.

Ivan Kalik
Kalik Informatika ISP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
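The ippool route Ivan mentions, as an added example that is not from the thread or from a FreeRADIUS sample configuration. It is written in the radiusd.conf and users-file syntax of FreeRADIUS 1.x/2.x; the pool name, the address range (carved from the Loopback1 /24 in the post), the cache size and the db file locations are assumptions to adjust. The caveat in the users-file comment matters for the entry Bill posted: Framed-Address is the old dictionary.compat name for Framed-IP-Address, a value of 255.255.255.254 tells the NAS to pick an address from its own pool, and with override = no rlm_ippool leaves an existing Framed-IP-Address in the reply alone, so that reply item has to go if the server is to hand out the address.

```conf
# radiusd.conf: a pool for the DSL customers (names and range assumed)
modules {
        ippool dsl_pool {
                range-start = 206.206.86.2          # assumed first address
                range-stop  = 206.206.86.254
                netmask     = 255.255.255.0
                cache-size  = 253                   # assumed: one slot per address
                session-db  = ${raddbdir}/db.ippool
                ip-index    = ${raddbdir}/db.ipindex
                override    = no                    # keep a Framed-IP-Address already in the reply
                maximum-timeout = 0
        }
}

# allocate on Access-Accept, release the lease on Accounting-Stop
post-auth {
        dsl_pool
}
accounting {
        dsl_pool
}

# users: choose the pool with a check item.  Do NOT keep
# "Framed-Address = 255.255.255.254" as a reply item here; with
# override = no the pool will not replace it.
DEFAULT Pool-Name := dsl_pool
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes
```

Run the server with radiusd -X and watch the post-auth section: a successful allocation logs the address the module put into Framed-IP-Address, and the accounting section logs the release when the Cisco sends the Accounting-Stop.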


Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2

2007-09-22 Thread Scott Lambert
On Sat, Sep 22, 2007 at 04:59:25AM +0200, Alan DeKok wrote:
> Scott Lambert wrote:
> > I've been expecting that there would be a similar chunk of code in the
> > server that I could go find if you thought I was on the right track.
>
>   Unfortunately, there isn't.

Okay, I'm not going crazy then...

> > I've been using radclient to debug because you indicated that it
> > used the same library for matching up packets.  If the above is
> > legitimately the bug I was looking for, I'll have to solve the proxy
> > issue separately, but with a better idea of what I am looking for.
>
>   Or, simply tell the server to listen on the jail IP address.  That
> will solve the problem, without code changes.

Yeah, I'm running with that workaround.  I was just hoping I wouldn't
have to maintain config differences between the multiple server
instances.  But it's definitely acceptable.

>   One patch which *would* help is the ability to set the source IP
> address for proxying.  It's likely not difficult to do, but the code
> hasn't been written yet.

I'm speaking from ignorance here.

Could the server do the bind calls for the listen sockets and check
to see if the bound IP is the same as the one specified in the bind
call and if not, update the server to use the bound IP rather than the
configured IP at least in the case of listen { ipaddr = * }.

pseudo code:
server_addr = read_from_config_file;

bind (sockfd, {listensocketinfo} );
if ( server_addr == INADDR_ANY && sockfd->ipaddr != server_addr ) {
   server_addr = sockfd->ipaddr;
}

At that point, would the existing code work alright for this weird and
wonderful jail environment without breaking other environments?

I suspect it might not be workable due to the udpfromto stuff.

I think this is the last message I will bother you with on this topic.
My problem is resolved by specifying the IP address in the config file
and doing anything more generic is probably beyond my skills at this
point.

Thank you for your time and patience.

-- 
Scott Lambert   KC5MLE   Unix SysAdmin
[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
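The check Scott's pseudocode proposes, as an added example that is not code from the thread or from FreeRADIUS. The system call that answers "what address did bind() really give me" is getsockname(): outside a jail, binding 0.0.0.0 leaves the socket on 0.0.0.0, while inside a FreeBSD jail the kernel substitutes the jail's IP, and that substituted address is the one replies and proxied requests must be sent from. The function names are mine, and the port defaults to 0 so the kernel picks a free one and the example can run anywhere.

```python
"""Bind a UDP socket the way a listen {} block would and read back what the
kernel actually bound, to detect a jail (or similar) rewriting INADDR_ANY."""
import socket
from typing import Tuple

ANY = "0.0.0.0"   # what "ipaddr = *" in a listen {} block turns into


def bind_and_learn(configured_ip: str, port: int = 0) -> Tuple[str, int, bool]:
    """Return (bound_ip, bound_port, rewritten).  rewritten is True when the
    kernel handed back a different address than the one requested."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((configured_ip, port))
        bound_ip, bound_port = sock.getsockname()   # the kernel's view, not ours
    finally:
        sock.close()
    return bound_ip, bound_port, bound_ip != configured_ip


def effective_server_addr(configured_ip: str, port: int = 0) -> str:
    """The address the server should treat as its own: the configured one,
    unless it asked for INADDR_ANY and the kernel pinned it to a real IP."""
    bound_ip, _, rewritten = bind_and_learn(configured_ip, port)
    if configured_ip == ANY and rewritten:
        return bound_ip     # jail case: use the concrete address for source/identity
    return configured_ip


if __name__ == "__main__":
    for want in (ANY, "127.0.0.1"):
        print(want, "->", bind_and_learn(want), "effective:", effective_server_addr(want))
```

This only settles which address the daemon believes it owns; choosing the source address of proxied packets on a multi-homed host is the separate problem Alan notes, which needs the sendmsg/IP_PKTINFO-style code (udpfromto) rather than a bind-time check.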