Re: virtual server configuration
[EMAIL PROTECTED] wrote:
> The first comment might be giving you just another place to provide your
> CA cert, whereas the second comment clearly talks about not permitting
> EAP-TLS. I say this, because I don't see why the CA would be required at
> all if EAP-TLS will be denied.

  Because PEAP uses certificates, too. The requirement for a CA cert comes from the requirements on certificate chains. It is not a PEAP requirement. PEAP just inherits that requirement because PEAP uses certificates.

> All you need is a server cert and private
> key. In PEAP, the client is the one who needs the CA cert, if he wants
> to verify the server cert, but even that is optional.

  The CA cert is needed by OpenSSL to validate the server cert.

> Anyway, can we say now that not providing a CA_file doesn't work?

  Provide a CA cert as instructed, either in CA_file or in certificate_file.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: incorrect shared secret entry authenticates successfully for freeradius
[EMAIL PROTECTED] wrote:
> Do you mean the clients.conf file? I don't see
> require_message_authenticator there. If it is some other file then
> please let me know the details. I am a new user so not much aware of the
> configuration files.

  It's in 2.0.

  Alan DeKok.
RE: incorrect shared secret entry authenticates successfully for freeradius
Hi Phil,

Do you mean the clients.conf file? I don't see require_message_authenticator there. If it is some other file then please let me know the details. I am a new user so not much aware of the configuration files.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] dius.org] On Behalf Of Phil Mayers
Sent: Tuesday, March 18, 2008 10:25 PM
To: FreeRadius users mailing list
Subject: Re: incorrect shared secret entry authenticates successfully for freeradius

Alan DeKok wrote:
> Phil Mayers wrote:
>> If your NAS supply Message-Authenticator, you could refuse packets
>> without one:
>
> Edit the "client" section and set "require_message_authenticator = yes".

Ah thanks - I didn't know about that

> The recommendations of RFC 5080 have been implemented in FreeRADIUS.
> Sometimes years before any other RADIUS server.
>
> Apparently Radiator didn't do duplicate detection until RFC 5080...
> see their changelog for the 4.x series.
>
> Alan DeKok.
Re: virtual server configuration
I'm using FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Feb 14 2008 at 15:20:55

I got back to testing allowing only PEAP-GTC on one virtual server. I used the included self-signed certs this time, but as I suspected, the results were the same whenever I comment out CA_file:

 Module: Instantiating eap-tls
  tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/server.key"
        certificate_file = "/etc/raddb/certs/server-ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/raddb/certs/dh"
        random_file = "/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
  }
rlm_eap: SSL error error::lib(0):func(0):reason(0)
rlm_eap_tls: Error reading Trusted root CA list (null)
rlm_eap: Failed to initialize type tls

I think we might be trying the wrong thing. Although the comments together say:

        # If CA_file (below) is not used, then the
        # certificate_file below MUST include not
        # only the server certificate, but ALSO all
        # of the CA certificates used to sign the
        # server certificate.
        certificate_file = ${certdir}/wifiserver.pem

        # This parameter is used only for EAP-TLS,
        # when you issue client certificates. If you do
        # not use client certificates, and you do not want
        # to permit EAP-TLS authentication, then delete
        # this configuration item.
        #CA_file = ${cadir}/wifiserver.pem

The first comment might be giving you just another place to provide your CA cert, whereas the second comment clearly talks about not permitting EAP-TLS. I say this, because I don't see why the CA would be required at all if EAP-TLS will be denied. All you need is a server cert and private key. In PEAP, the client is the one who needs the CA cert, if he wants to verify the server cert, but even that is optional.

Anyway, can we say now that not providing a CA_file doesn't work? If there's something else I should test, just mention it.

Thanks.

On Thu, 13 Mar 2008 11:58:48 +0100, "Alan DeKok" <[EMAIL PROTECTED]> said:
> [EMAIL PROTECTED] wrote:
> > Except that my server cert does contain a CA cert. I'm not 100% sure
> > it's sufficient, because it was issued from an intermediate CA (it needs
> > to be the signer(s) not the issuer, right?), so I went to another CA got
> > a webserver cert in pem format directly from the root. Downloaded the
> > root CA cert in pem format and appended them same error:
>
> You generally want to use self-signed certs for 802.1x. See
> raddb/certs/README
>
> > Do we know this mode is working (No CA_File, but certificate file with
> > server cert + ca cert)? In any case, I'd be willing to experiment more.
>
> It should work in 2.0.2.
>
> Alan DeKok.

--
[EMAIL PROTECTED]
Re: Unix group authentication
Shawn Storey wrote:
> I have compiled and installed successfully FreeRADIUS2.0.3 on Debian
> (had to add a trailer to debian/changelog after the 2.0.3 section) and
> have setup EAP-TTLS for authenticating wireless users to UNIX accounts.
> What I would like to do is have FreeRADIUS check if the user is a member
> of the UNIX group "wireless" that I created and only allow members of
> that group to authenticate. Is this possible, and if so how?

  Something similar is in the FAQ. Put this at the top of the "users" file:

DEFAULT Group != Wireless, Auth-Type := Reject

  That's it.

> We are
> planning to migrate all of our servers to OpenLDAP in the summer, which
> we have tested successfully, but I was hoping to get FreeRADIUS to do
> this in the meantime.

  You can't ask for much better than a 1-line change to a configuration file.

  Alan DeKok.
Re: Problem Freeradius+Ipcop ProxyAdv with mysql
1. There is quite a clear warning in the debug.
2. Comment out the entry in the users file setting Auth-Type System if you are not using it.

Ivan Kalik
Kalik Informatika ISP

On 18/3/2008, "vabbè" <[EMAIL PROTECTED]> wrote:
>
>Ok, thank you for reply.
>This is the log of radiusd -X
>http://www.nabble.com/file/p16128173/radius.txt radius.txt
>
>--
>View this message in context:
>http://www.nabble.com/Problem-Freeradius%2BIpcop-ProxyAdv-with-mysql-tp16122096p16128173.html
>Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Problem Freeradius+Ipcop ProxyAdv with mysql
Ok, thank you for reply.
This is the log of radiusd -X
http://www.nabble.com/file/p16128173/radius.txt radius.txt
Unix group authentication
Hello,

I have compiled and installed successfully FreeRADIUS2.0.3 on Debian (had to add a trailer to debian/changelog after the 2.0.3 section) and have setup EAP-TTLS for authenticating wireless users to UNIX accounts. What I would like to do is have FreeRADIUS check if the user is a member of the UNIX group "wireless" that I created and only allow members of that group to authenticate. Is this possible, and if so how?

We are planning to migrate all of our servers to OpenLDAP in the summer, which we have tested successfully, but I was hoping to get FreeRADIUS to do this in the meantime.

Thanks
Re: libpam-radius-auth password problem
Fabio Pedretti wrote:
> When I try to authenticate with ssh into the machine I noticed that
> freeradius receives this password "\010\n\r\177INCORRECT", which is not
> the one I typed.

  That's a PAM problem. There's little you can do to RADIUS to fix that. I suggest asking on a PAM list.

  Alan DeKok.
libpam-radius-auth password problem
I am trying to configure a linux machine (Ubuntu 8.04 alpha, 32 bit) with radius authentication using libpam-radius-auth.

I installed freeradius-2.0.3 (from a self-built deb package) on the same machine and added this line at the top of the users file:

testuser Cleartext-Password := "testing"

Then I installed libpam-radius-auth 1.3.17-0ubuntu1 from the ubuntu repositories. I added the radius entry in /etc/pam.d/sshd:

[...]
auth required pam_env.so envfile=/etc/default/locale
auth sufficient pam_radius_auth.so debug
# Standard Un*x authentication.
@include common-auth
[...]

and this in pam_radius_auth.conf:

# server[:port] shared_secret timeout (s)
127.0.0.1 testing123 1

When I try to authenticate with ssh into the machine I noticed that freeradius receives this password "\010\n\r\177INCORRECT", which is not the one I typed.

This is the output of auth.log:

Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: Got user name testuser
Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: Sending RADIUS request code 1
Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1211761632.
Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: All RADIUS servers failed to respond.
Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: authentication failed
Mar 18 18:06:00 test sshd[2533]: pam_unix(sshd:auth): check pass; user unknown
Mar 18 18:06:00 test sshd[2533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fabio-mac.local
Mar 18 18:06:02 test sshd[2533]: Failed password for invalid user testuser from 10.33.4.8 port 57680 ssh2

This is the output of freeradius -X:

rad_recv: Access-Request packet from host 127.0.0.1 port 3558, id=65, length=93
        User-Name = "testuser"
        User-Password = "\010\n\r\177INCORRECT"
        NAS-IP-Address = 127.0.1.1
        NAS-Identifier = "sshd"
        NAS-Port = 2533
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "fabio-mac.local"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
        users: Matched entry testuser at line 50
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "? INCORRECT"
rlm_pap: Using clear text password "testing"
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [testuser/\010\n\r\177INCORRECT] (from client localhost port 2533 cli fabio-mac.local)
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 65 to 127.0.0.1 port 3558
Waking up in 4.9 seconds.
Cleaning up request 2 ID 65 with timestamp +135
Ready to process requests.

Testing with radtest works fine.

I noticed a similar problem some time ago, that seemed to be related to 64 bit machines:
http://lists.cistron.nl/pipermail/freeradius-users/2006-August/055877.html

However I am using a 32 bit machine on an updated system. Where could the problem be?

Thanks,
Fabio
Re: Problem Freeradius+Ipcop ProxyAdv with mysql
>This is radiusd -x log when I try an access from browser:

radiusd -X (capital x)

Ivan Kalik
Kalik Informatika ISP
Re: Problem Freeradius+Ipcop ProxyAdv with mysql
vabbè wrote:
> This is radiusd -x log when I try an access from browser:

  Use "radiusd -X". The upper-case X is important, and is suggested everywhere.

> What is the problem??

  Run "radiusd -X". It will tell you.

  Alan DeKok.
Re: incorrect shared secret entry authenticates successfully for freeradius
Alan DeKok wrote:
> Phil Mayers wrote:
>> If your NAS supply Message-Authenticator, you could refuse packets
>> without one:
>
> Edit the "client" section and set "require_message_authenticator = yes".

Ah thanks - I didn't know about that

> The recommendations of RFC 5080 have been implemented in FreeRADIUS.
> Sometimes years before any other RADIUS server.
>
> Apparently Radiator didn't do duplicate detection until RFC 5080...
> see their changelog for the 4.x series.
>
> Alan DeKok.
Problem Freeradius+Ipcop ProxyAdv with mysql
Hi, excuse me for my english.

I used freeradius in this scenario:
- A server with Centos 4.6 + freeradius
- A pc with Ipcop firewall + Advanced Proxy for radius authentication
- A pc with Windows Xp or Ubuntu with a browser configured for proxy connection (ipcop ip)

If I use only freeradius without mysql everything works well, but if I use freeradius with a mysql database, the browser authentication doesn't work. Dialupadmin is ok, mysql database is ok but authentication fails. I used clear text password too, but the problem is not resolved.

This is radiusd -x log when I try an access from browser:

Starting - reading configuration files ...
 Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
 Module: Instantiated exec (exec)
 Module: Loaded expr
 Module: Instantiated expr (expr)
 Module: Loaded PAP
 Module: Instantiated pap (pap)
 Module: Loaded CHAP
 Module: Instantiated chap (chap)
 Module: Loaded MS-CHAP
 Module: Instantiated mschap (mschap)
 Module: Loaded System
 Module: Instantiated unix (unix)
 Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
 Module: Instantiated eap (eap)
 Module: Loaded preprocess
 Module: Instantiated preprocess (preprocess)
 Module: Loaded realm
 Module: Instantiated realm (suffix)
 Module: Loaded files
 Module: Instantiated files (files)
 Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
 Module: Instantiated sql (sql)
 Module: Loaded Acct-Unique-Session-Id
 Module: Instantiated acct_unique (acct_unique)
 Module: Loaded detail
 Module: Instantiated detail (detail)
 Module: Loaded radutmp
 Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1:32770, id=1, length=59
        User-Name = "user1"
        User-Password = "user"
        NAS-Port = 111
        NAS-IP-Address = 192.168.0.1
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
Login incorrect: [utente1/utente] (from client ipcop port 111)
rad_recv: Access-Request packet from host 192.168.0.1:32770, id=1, length=59
Sending Access-Reject of id 1 to 192.168.0.1 port 32770

What is the problem??

Thank you very much.
Re: FreeRadius 2.0.2
Debug (radiusd -X).

Ivan Kalik
Kalik Informatika ISP

On 18/3/2008, "srdjan mish" <[EMAIL PROTECTED]> wrote:
>OK, I solved the problem I asked before...
>
>But I have another... When I try to authorise with Chap-Password it selects a
>row from the MySql table, and returns a cleartext-password in debug the same as the one in the
>database, but radius says it is the wrong password...
>
>Anyone has any clue... I put my old configuration, it works fine on a 2.0.1
>radius server...
>
>Please, help I need it ASAP
Re: FreeRadius 2.0.2
OK, I solved the problem I asked before...

But I have another... When I try to authorise with Chap-Password it selects a row from the MySql table, and returns a cleartext-password in debug the same as the one in the database, but radius says it is the wrong password...

Anyone has any clue... I put my old configuration, it works fine on a 2.0.1 radius server...

Please, help I need it ASAP
Re: Error EAP
Hi,

> rlm_eap: No such sub-type for default EAP type peap

looks like you didn't configure the peap { } stanza in eap.conf, but listed peap as default eap-type near the beginning of the eap.conf file. That is a quite obvious contradiction, you should fix that.

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

E-Mail: [EMAIL PROTECTED]     Tel.: +352 424409-1
http://www.restena.lu         Fax:  +352 422473
Re: incorrect shared secret entry authenticates successfully for freeradius
Phil Mayers wrote:
> If your NAS supply Message-Authenticator, you could refuse packets
> without one:

  Edit the "client" section and set "require_message_authenticator = yes".

  The recommendations of RFC 5080 have been implemented in FreeRADIUS. Sometimes years before any other RADIUS server.

  Apparently Radiator didn't do duplicate detection until RFC 5080... see their changelog for the 4.x series.

  Alan DeKok.
Re: incorrect shared secret entry authenticates successfully for freeradius
[EMAIL PROTECTED] wrote:
> - However when the same cases are tried for CHAP we can see the
> difference. In the first case the authentication is successful; however
> when we give a junk shared secret the authentication should ideally have
> been rejected.

  The key word is "ideally". RADIUS isn't ideal.

  This weakness has been known for over 10 years in RADIUS. All RADIUS servers are vulnerable to this issue. It isn't news.

  RFC 5080 (of which I am co-author) suggests that all RADIUS clients add a Message-Authenticator to the Access-Request. This addition enables the RADIUS server to catch the case of an incorrect shared secret.

  Alan DeKok.
Re: incorrect shared secret entry authenticates successfully for freeradius
[EMAIL PROTECTED] wrote:
> Hi,
>
> I am using the following configuration:
> O/S: rhel4_u5_i386
> Freeradius 1.1.7
> Client to test: NTRadPing 1.5
>
> Steps undertaken:
> - Installed a fresh system with rhel4_u5_i386
> - Build and compile freeradius 1.1.7 on it.
> - Update the clients.conf file to add the client entries for the machine
> that uses NTRadPing 1.5 (IP of the client machine and the shared secret)
> - Start the radiusd daemon in debug mode (radiusd -X)
> - Now generate a simple PAP authentication request using NTRadPing.
> (Port is 1812, also provide the shared secret correctly). The
> authentication passes successfully as it should. Now give a junk secret
> key in the NTRadPing utility. The access is rejected.
> - However when the same cases are tried for CHAP we can see the
> difference. In the first case the authentication is successful; however
> when we give a junk shared secret the authentication should ideally have
> been rejected. However the authentication passes successfully.
>
> NOTE: I tried the same for MSCHAPv1 and MSCHAPv2 authentication using
> VPN client. There I can see clearly that the access is not granted to
> the VPN client. However when we look at the radius logs it can be seen
> that the Authentication requests responds with a Successful message.
>
> Any help or info in this regards would be highly appreciated.

Only certain radius AVPs are encrypted with the shared secret:

fgrep encrypt /usr/share/freeradius/dictionary*

User-Password is one, so PAP fails if the shared secret is wrong. The CHAP attributes are not, so the request succeeds. The MS-CHAP-MPPE-Keys or MS-MPPE-Send-Key/MS-MPPE-Recv-Key reply attributes are encrypted, so MS-CHAP will fail.

Many recent radius clients support the Message-Authenticator attribute, which is a signature over the entire packet's AVPs encrypted with the shared secret. This will cause incorrect shared secrets to reject an entire packet. See section 3.2 of RFC3579.

If your NAS supply Message-Authenticator, you could refuse packets without one:

DEFAULT Message-Authenticator !* ANY, Auth-Type := Reject
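Phil's point about which attributes involve the shared secret, and Alan's RFC 5080 note above, worked through as an added example (not code from any post in this thread, and not FreeRADIUS code): a constructed Access-Request with User-Password hidden per RFC 2865, a CHAP-Password, and a Message-Authenticator per RFC 3579, checked on the server side with the correct secret. It shows why PAP with a junk NAS secret is rejected (the revealed password is unprintable junk, the same symptom rlm_pap flags in the libpam-radius-auth thread earlier in this archive), why plain CHAP passes regardless, and how require_message_authenticator = yes closes the hole. The user name, secrets and the fixed Request Authenticator are all constructed values.

```python
# Constructed demo (not FreeRADIUS code): why a wrong shared secret is caught for
# PAP but not CHAP, and how Message-Authenticator (RFC 3579 s3.2) closes the gap.
# Attribute types per RFC 2865/3579; all names and values here are made up.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
CHAP_CHALLENGE, MESSAGE_AUTHENTICATOR = 60, 80

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR the padded password with an MD5 keystream chained from secret + Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; with the wrong secret it yields unprintable junk (what rlm_pap warns about)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_password(ident, password, challenge):
    """RFC 2865 s5.3: ident + MD5(ident + password + challenge); the shared secret is not involved."""
    ident = bytes([ident])
    return ident + hashlib.md5(ident + password + challenge).digest()

def build_access_request(pid, authenticator, attrs, secret=None):
    """Assemble an Access-Request; with a secret, append Message-Authenticator = HMAC-MD5 over the packet (MA zeroed)."""
    body = b"".join(attrs)
    if secret is not None:
        body += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, pid, 20 + len(body)) + authenticator + body
    if secret is not None:  # MA is the last attribute, so its value is the final 16 bytes
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def verify_message_authenticator(packet, secret):
    """True/False when a Message-Authenticator is present, None when the NAS sent none."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return None

def server_decide(packet, secret, users, require_ma=False):
    """'bad-secret' if the MA check fails; 'reject' if MA is absent but required (require_message_authenticator = yes) or the credential is wrong."""
    ma_ok = verify_message_authenticator(packet, secret)
    if ma_ok is False:
        return "bad-secret"
    if ma_ok is None and require_ma:
        return "reject"
    attrs, ra = parse_attrs(packet), packet[4:20]
    password = users.get(attrs.get(USER_NAME, b"").decode())
    if password is None:
        return "reject"
    if USER_PASSWORD in attrs:  # PAP: a wrong secret garbles the password, so it cannot match
        ok = reveal_password(attrs[USER_PASSWORD], secret, ra) == password
    elif CHAP_PASSWORD in attrs:  # CHAP: verified without the secret, so a wrong one goes unnoticed
        chal = attrs.get(CHAP_CHALLENGE, ra)
        ok = chap_password(attrs[CHAP_PASSWORD][0], password, chal) == attrs[CHAP_PASSWORD]
    else:
        ok = False
    return "accept" if ok else "reject"

def demo():
    """Replay the thread's observations: the server secret is 'testing123', the NAS sometimes holds a junk one."""
    users, good, junk = {"testuser": b"testing"}, b"testing123", b"wrongsecret"
    ra = bytes(range(16))  # constructed Request Authenticator (random in a real NAS)
    name, results = attr(USER_NAME, b"testuser"), {}
    for label, s in (("pap-good", good), ("pap-junk", junk)):
        pap = attr(USER_PASSWORD, hide_password(b"testing", s, ra))
        results[label] = server_decide(build_access_request(65, ra, [name, pap]), good, users)
    chap = attr(CHAP_PASSWORD, chap_password(1, b"testing", ra))
    unsigned = build_access_request(66, ra, [name, chap])  # identical whatever secret the NAS holds
    results["chap-no-ma"] = server_decide(unsigned, good, users)
    for label, s in (("chap-ma-good", good), ("chap-ma-junk", junk)):
        results[label] = server_decide(build_access_request(67, ra, [name, chap], secret=s), good, users)
    results["chap-no-ma-required"] = server_decide(unsigned, good, users, require_ma=True)
    return results
```

demo() returns the six verdicts; the only way the server learns the NAS secret is wrong for CHAP is through a failed Message-Authenticator check, or by refusing unsigned requests outright.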
incorrect shared secret entry authenticates successfully for freeradius
Hi,

I am using the following configuration:
O/S: rhel4_u5_i386
Freeradius 1.1.7
Client to test: NTRadPing 1.5

Steps undertaken:
- Installed a fresh system with rhel4_u5_i386
- Build and compile freeradius 1.1.7 on it.
- Update the clients.conf file to add the client entries for the machine that uses NTRadPing 1.5 (IP of the client machine and the shared secret)
- Start the radiusd daemon in debug mode (radiusd -X)
- Now generate a simple PAP authentication request using NTRadPing. (Port is 1812, also provide the shared secret correctly). The authentication passes successfully as it should. Now give a junk secret key in the NTRadPing utility. The access is rejected.
- However when the same cases are tried for CHAP we can see the difference. In the first case the authentication is successful; however when we give a junk shared secret the authentication should ideally have been rejected. However the authentication passes successfully.

NOTE: I tried the same for MSCHAPv1 and MSCHAPv2 authentication using VPN client. There I can see clearly that the access is not granted to the VPN client. However when we look at the radius logs it can be seen that the Authentication requests responds with a Successful message.

Any help or info in this regards would be highly appreciated.

Thanks.
Re: Help me with proxying certain packets
On Tue, Mar 18, 2008 at 02:36:25AM +0100, Alan DeKok wrote:
> Dmytro O. Redchuk wrote:
> >So, when some conditions occur, i need freeradius to proxy such a
> >request to first, specific destination (not "default" one).
>
> That should be relatively easy.

I have got a working config for authorization in a way like this:

-- radiusd.conf: --------
modules {
        ...
        files files_default {
                # ... as default -- acct_users etc
        }
        files files_specific {
                # ... acct_users.specific etc
        }
        # this python "module" sets Autz-Type to "Specific"
        # if some conditions occur:
        python my_py_specific {
                # ...
        }
        ...
}

authorize {
        preprocess
        my_py_specific
        files_default
        Autz-Type Specific {
                files_specific
        }
}
--------

-- users: --------
DEFAULT Called-Station-Id == "KLMNOPQ", Proxy-To-Realm := "specific"
DEFAULT Proxy-To-Realm := "DEFAULT"
--------

-- users.specific: --------
DEFAULT Proxy-To-Realm := "specific"
--------

This works for authorization, but I could not get it working for accounting, I don't know why. ("pre-acct {my_py_specific}" and then Acct-Type in "accounting {...}", right?)

But my question now is: is this the "right way"? How could I do this better?

> >I have FreeRADIUS 1.1.7 with rlm_python.
>
> I suggest upgrading to 2.0.3. It has a large number of bugs fixed
> over 1.1.7, and is generally compatible with the 1.1.7 configuration files.

Tried to rebuild and will try (and possibly ask), of course. I have to use rpm builds only on that server.

Thank you.

> Alan DeKok.

--
Dmytro O. Redchuk
(+380) 44 2474832
Re: Freeradius + openldap + 802.1x - Solved....
>But now... i would like to know.. if there is any way to check the
>Group that the user is.
>
>I would like to configure to accept all users from the group "Users".

Regardless of the passwords?

>
>How can i do it?
>

DEFAULT Ldap-Group == "Users", Auth-Type := Accept

Ivan Kalik
Kalik Informatika ISP
Re: Error EAP
You have broken eap.conf. Go back to the default and try again. Read instructions in the file first and *don't* delete anything you are not certain about.

Ivan Kalik
Kalik Informatika ISP

On 17/3/2008, "Gustavo Chavelas" <[EMAIL PROTECTED]> wrote:
>Hi to all.
>
>I'm installing freeradius-server-2.0.2.tar.gz, I was configuring it, but
>when I try to start radiusd -X, I have an error:
>
>rlm_eap: No such sub-type for default EAP type peap
>/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
>/usr/local/etc/raddb/radiusd.conf[1944]: Failed to find module "eap".
>/usr/local/etc/raddb/radiusd.conf[1891]: Errors parsing authenticate
>section.
>}
>}
>Errors initializing modules
>
>I'm searching for a way to solve this error, does anyone have any suggestion?
>
>Kind regards,
Re: Freeradius Execute Script
http://www.freeradius.org/radiusd/doc/variables.txt

Ivan Kalik
Kalik Informatika ISP

On 17/3/2008, "fvt3" <[EMAIL PROTECTED]> wrote:
>I understand that it is possible to have Freeradius execute a script when a
>user authenticates. What I want to do is to be able to pass that user name and
>the client's ip address to the script. This is my setup, I have freeradius
>with mysql setup.
>
>radgroupreply table:
>testprogram   Exec-Program-Wait   ==   /usr/local/etc/raddb/test.pl
>
>When user Joe authenticates with his credential, radius would look in mysql
>and execute the test.pl script. How can I pass the user name "joe" and
>client's ip address to the test.pl script?
Re: rpmbuild freeradius-server-2.0.3.tar.gz
Andrew Long wrote:
> Just hoping that these changes get written into the next release OR
> that someone can point out my stupidity and where I am erring in the
> build process that the initial rpmbuild fails with the supplied spec
> file.

  I think it's because the server installs dictionaries in /usr/share/freeradius, and the spec file expects to see them in /user/share/freeradius-server.

  Change this line:

%{_datadir}/%{name}

to:

%{_datadir}/freeradius

  The spec file *should* then work with the freeradius-server-2.0.3.tar.gz file, subject to the _incdir comments below.

> Also, I think I am not alone in using CentOS, so a note might be nice
> in the INSTALL or README regarding the need to add %_incdir
> /usr/include to .rpmmacros on Cent (or, to change it to _includedir -
> as pointed out by Richard Siddal).

  Ok...

  Alan DeKok.
RE: Postgres SQL Alarm on duplicated record
Hi,

I suppose you have in your radiusd.conf file this code:

        # Create a unique accounting session Id. Many NASes re-use or
        # repeat values for Acct-Session-Id, causing no end of
        # confusion.
        #
        # This module will add a (probably) unique session id
        # to an accounting packet based on the attributes listed
        # below found in the packet. See doc/rlm_acct_unique for
        # more information.
        #
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }

However, it is true that there is sometimes a duplicate key. This is because in the original configuration of the database schema, the primary key of the radacct table is only radacctid. I modified the primary key to (radacctid, acctuniqueid):

CREATE TABLE radacct (
        radacctid bigserial NOT NULL,
        acctsessionid varchar(32) NOT NULL,
        acctuniqueid varchar(32) NOT NULL,
        username varchar(127),
        realm varchar(30),
        nasipaddress inet NOT NULL,
        nasportid varchar(32),
        nasporttype varchar(32),
        acctstarttime timestamptz,
        acctstoptime timestamptz,
        acctsessiontime int8,
        acctauthentic varchar(32),
        connectinfo_start varchar(32),
        connectinfo_stop varchar(32),
        acctinputoctets int8,
        acctoutputoctets int8,
        calledstationid varchar(50),
        callingstationid varchar(50),
        acctterminatecause varchar(32),
        servicetype varchar(32),
        framedprotocol varchar(32),
        framedipaddress inet,
        acctstartdelay int8,
        acctstopdelay int8,
        nasidentifier varchar(40),
        clientipaddress inet,
        CONSTRAINT radacct_pkey PRIMARY KEY (acctuniqueid, radacctid)
);

> Date: Fri, 14 Mar 2008 03:38:52 -0700
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Postgres SQL Alarm on duplicated record
>
> Hello.
> Some times my NAS resend START record to RADIUS.
> And I get the alarm messages like that, because the differences in this
> start record is only in Start time and radacct_acctuniqueid_key are always
> equal for such sessions.
>
> Wed Mar 12 18:05:10 2008 : Error: rlm_sql (sql): Couldn't insert SQL
> accounting START record - ERROR: duplicate key violates unique constraint
> "radacct_acctuniqueid_key"
>
> But, in any case all such start records are put to database.
>
> How can I stop putting such duplicate records?