Re: Proxy problem in FreeRADIUS 1.1.3

"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
> This makes sense. What I don't get is why the request is sailing
> through the proxy module (where it apparently receives an
> "Access-Accept") and then continues INTO the files/unix part of the
> config,

The debug log you posted for 1.1.3 doesn't show that.

And again, the server behavior hasn't changed. If you think the configurations you have are the same, they're not.

> Here's an output of the 0.8 server's debug log handling the exact same
> request:
> users: Matched DEFAULT at 54
> modcall[authorize]: module "files" returns ok

The 1.1.3 configuration you posted shows it matching TWO entries in the users file. This debug log shows ONE.

Please believe me when I say that the behavior HAS NOT changed, and that the problem IS in your local config.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxy problem in FreeRADIUS 1.1.3
Alan DeKok wrote:
> "Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
>> Right, the users file has a default Auth-Type := System
>
> Yes, which doesn't affect anything, because the unix module is only used during authentication, and it's proxying, so it's not hitting the unix module.

This makes sense. What I don't get is why the request is sailing through the proxy module (where it apparently receives an "Access-Accept") and then continues INTO the files/unix part of the config, which is where the failure occurs - with no log of the failure to radius.log.

Here's an output of the 0.8 server's debug log handling the exact same request:

rad_recv: Access-Request packet from host yy.yy.yy.31:1354, id=2, length=60
        User-Name = "[EMAIL PROTECTED]"
        User-Password = ""
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm domain.com for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm domain.com
rlm_realm: Adding Stripped-User-Name = "bob"
rlm_realm: Proxying request from user bob to realm domain.com
rlm_realm: Adding Realm = "domain.com"
rlm_realm: Preparing to proxy authentication request to realm domain.com
modcall[authorize]: module "realmat" returns updated
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "monthlycounter" returns noop
users: Matched DEFAULT at 54
modcall[authorize]: module "files" returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "monthlycounter" returns noop
modcall: group authorize returns updated
Sending Access-Request of id 1 to xx.xx.xx.xx:1645
        User-Name = "bob"
        User-Password = "\004\315\007\274\t\214\006\315\315JO\344\330\337\275I"
        NAS-IP-Address = yy.yy.yy.31
        Proxy-State = "2"
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host xx.xx.xx.xx:1645, id=1, length=47
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Session-Timeout = 57600
        Idle-Timeout = 900
        Proxy-State = 0x32
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Proxy reply, or no user name. Ignoring.
modcall[authorize]: module "realmat" returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "monthlycounter" returns noop
users: Matched DEFAULT at 54
modcall[authorize]: module "files" returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "monthlycounter" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED]/Password] (from client yy.yy.yy.31 port 0)
Sending Access-Accept of id 2 to yy.yy.yy.31:1354
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Session-Timeout = 57600
        Idle-Timeout = 900
Finished request 0
Going to the next request
rl_next: returning NULL
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 2 with timestamp 4501e9a6
Nothing to do. Sleeping until we see a request.

I'll admit there are some steps in there that don't make sense to me either, which suggests that maybe I was relying on a bug or bad behavior before. But even so, if nothing changed, then I should be getting the same bug or bad behavior now, right? If I'm doing this completely wrong in the first place and was simply lucking out before, tell me that and I'll try to learn the correct way.

The users file is identical in the 0.8 and 1.1.3 servers, and the radiusd.conf file had minimal changes - I can upload the 0.8 radiusd.conf if you think it'll help.

Thanks!
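The two debug logs posted in this thread (the 0.8 log in the message above and the 1.1.3 log further down) can be compared mechanically: what the realm module returned, which modules still ran in "authorize" afterwards, which users file lines matched, and whether the proxy was cancelled. This is an added example, not part of the thread; the sample logs are abridged from the two posted logs, and the function names are made up for the illustration.

```python
import re

# Patterns cover both debug formats quoted in the thread (0.8 and 1.1.3).
MODULE = re.compile(r'modcall\[authorize\]: module "([^"]+)" returns (\w+)')
USERS = re.compile(r'users: Matched (?:entry )?\S+ at (?:line )?(\d+)')
PROXY = re.compile(r'rlm_realm: Preparing to proxy')
END = re.compile(r'modcall: (?:leaving )?group authorize')
CANCEL = re.compile(r'Cancelling proxy as request was already rejected')
REPLY = re.compile(r'Sending (Access-(?:Accept|Reject))')

# Sample input: abridged from the 1.1.3 debug log posted in this thread.
LOG_113 = '''\
Fri Sep 8 12:37:40 2006 : Debug: modcall: entering group authorize for request 2
Fri Sep 8 12:37:40 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 2
Fri Sep 8 12:37:40 2006 : Debug: modcall[authorize]: module "chap" returns noop for request 2
Fri Sep 8 12:37:40 2006 : Debug: rlm_realm: Preparing to proxy authentication request to realm "domain.com"
Fri Sep 8 12:37:40 2006 : Debug: modcall[authorize]: module "realmsuffix" returns updated for request 2
Fri Sep 8 12:37:40 2006 : Debug: users: Matched entry DEFAULT at line 54
Fri Sep 8 12:37:40 2006 : Debug: users: Matched entry DEFAULT at line 72
Fri Sep 8 12:37:40 2006 : Debug: modcall[authorize]: module "files" returns ok for request 2
Fri Sep 8 12:37:40 2006 : Debug: modcall[authorize]: module "monthlycounter" returns noop for request 2
Fri Sep 8 12:37:40 2006 : Debug: modcall: leaving group authorize (returns updated) for request 2
Fri Sep 8 12:37:40 2006 : Debug: Cancelling proxy as request was already rejected
Sending Access-Reject of id 3 to xx.xx.xx.xx port 4587
'''

# Sample input: abridged from the 0.8 debug log posted in this thread.
LOG_08 = '''\
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Preparing to proxy authentication request to realm domain.com
modcall[authorize]: module "realmat" returns updated
modcall[authorize]: module "monthlycounter" returns noop
users: Matched DEFAULT at 54
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "monthlycounter" returns noop
modcall: group authorize returns updated
Sending Access-Request of id 1 to xx.xx.xx.xx:1645
rad_recv: Access-Accept packet from host xx.xx.xx.xx:1645, id=1, length=47
modcall: entering group authorize
users: Matched DEFAULT at 54
modcall: group authorize returns ok
Sending Access-Accept of id 2 to yy.yy.yy.31:1354
'''


def summarize(log_text):
    """Summarize the first authorize pass of one request and its outcome."""
    s = {"modules": [], "proxy_by": None, "ran_after_proxy": [],
         "users_lines": [], "proxy_cancelled": False, "reply": None}
    first_pass, pending = True, False
    for line in log_text.splitlines():
        if CANCEL.search(line):
            s["proxy_cancelled"] = True
        reply = REPLY.search(line)
        if reply:
            s["reply"] = reply.group(1)   # last Accept/Reject sent wins
        if not first_pass:
            continue  # the post-proxy authorize pass (0.8 log) is not counted
        if END.search(line):
            first_pass = False
            continue
        if PROXY.search(line):
            pending = True  # the next module return is the realm module's
            continue
        users = USERS.search(line)
        if users:
            s["users_lines"].append(int(users.group(1)))
            continue
        module = MODULE.search(line)
        if module:
            name, rcode = module.groups()
            s["modules"].append((name, rcode))
            if pending:
                s["proxy_by"], pending = (name, rcode), False
            elif s["proxy_by"]:
                s["ran_after_proxy"].append(name)
    return s


def new_users_matches(old, new):
    """users file line numbers matched in the new log but not in the old."""
    return sorted(set(new["users_lines"]) - set(old["users_lines"]))


def findings(s):
    """Plain-language observations for one summarized request."""
    out = []
    if s["proxy_by"] and s["ran_after_proxy"]:
        name, rcode = s["proxy_by"]
        out.append(f"{name} returned {rcode} and set up proxying; authorize "
                   f"still ran: {', '.join(s['ran_after_proxy'])}")
    if s["proxy_by"] and s["users_lines"]:
        out.append(f"users file entries matched at lines {s['users_lines']}")
    if s["proxy_cancelled"]:
        out.append(f"proxy cancelled after a local reject; client got {s['reply']}")
    return out


if __name__ == "__main__":
    old, new = summarize(LOG_08), summarize(LOG_113)
    for label, s in (("0.8", old), ("1.1.3", new)):
        print(label, *findings(s), sep="\n  ")
    print("users lines matched only on 1.1.3:", new_users_matches(old, new))
```
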
Re: Proxy problem in FreeRADIUS 1.1.3

"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
> Right, the users file has a default Auth-Type := System

Yes, which doesn't affect anything, because the unix module is only used during authentication, and it's proxying, so it's not hitting the unix module.

> So just so I completely understand, _did_ the server's (or one or more
> modules') behavior related to all this change between 0.8 and 1.1.3? If
> not, why did this work in an older version and not now?

No. The behavior did not change.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Proxy problem in FreeRADIUS 1.1.3
Alan DeKok wrote:
> "Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
>> That's exactly right, but why is it even getting to my users file?
>
> Because you configured it that way?
>
>> It's supposed to be proxying the auth request to another box, and apparently does, but then it charges ahead and checks the username against the local password database anyway
>
> What local password database? It's looking at the "users" file.

Right, the users file has a default Auth-Type := System, so when I was talking about the "users" file, I was talking about "the users file where either passwords are specifically stored or it tells RADIUS to use /etc/passwd authentication." Sorry for not being specific enough. My bad.

> If you don't want it to look at the "users" file, update the configuration so that the "users" file is run ONLY when the realm module doesn't find a realm. See the debug output for what the realm module returns when it does/doesn't find a realm, and see doc/configurable_failover for how to configure the "authorize" section to run "files" only if a realm isn't found.
>
>> An identical users file with the same proxy.conf and (as similar as it can be) radiusd.conf under an older FreeRADIUS doesn't do this.
>
> You're saying it used to stop processing "authorize" after the "realms" module was run, simply because the module added Proxy-To-Realm. The server NEVER did that. Ever.

So just so I completely understand, _did_ the server's (or one or more modules') behavior related to all this change between 0.8 and 1.1.3? If not, why did this work in an older version and not now?

Thanks for all your help!

Chris
Re: Proxy problem in FreeRADIUS 1.1.3

"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
> That's exactly right, but why is it even getting to my users file?

Because you configured it that way?

> It's supposed to be proxying the auth request to another box, and
> apparently does, but then it charges ahead and checks the username
> against the local password database anyway

What local password database? It's looking at the "users" file.

If you don't want it to look at the "users" file, update the configuration so that the "users" file is run ONLY when the realm module doesn't find a realm. See the debug output for what the realm module returns when it does/doesn't find a realm, and see doc/configurable_failover for how to configure the "authorize" section to run "files" only if a realm isn't found.

> An identical users file with the same proxy.conf and (as similar as
> it can be) radiusd.conf under an older FreeRADIUS doesn't do this.

You're saying it used to stop processing "authorize" after the "realms" module was run, simply because the module added Proxy-To-Realm. The server NEVER did that. Ever.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Proxy problem in FreeRADIUS 1.1.3
Alan DeKok wrote:
> "Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
>> Sending Access-Reject of id 3 to xx.xx.xx.xx port 4587
>>         Reply-Message = "Your account has been disabled."
>
> That message does not appear in the server source. It's added somewhere by your local config.

Right, in the users file. I knew that one already, sorry I didn't post the users files.

>> Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 2
>> Fri Sep 8 12:37:40 2006 : Debug: users: Matched entry DEFAULT at line 54
>> Fri Sep 8 12:37:40 2006 : Debug: users: Matched entry DEFAULT at line 72
>
> Check those two lines. Find the entry in your configuration files that adds that Reply-Message, it's setting Auth-Type := Reject, too.

That's exactly right, but why is it even getting to my users file? It's supposed to be proxying the auth request to another box, and apparently does, but then it charges ahead and checks the username against the local password database anyway, and finds a local user with a GID that generates the "Your account has been disabled" message. It's like it's proxying the request but doesn't stop once it gets a hit. An identical users file with the same proxy.conf and (as similar as it can be) radiusd.conf under an older FreeRADIUS doesn't do this.

And more importantly, it's not logging _anything_ to my radius.log (in the event of this particular failure I mean, other logs work fine), which is the first time I've ever seen that happen in FreeRADIUS. If the remote end rejects the user I get a "remote host says so" or similar error. Right now I'm not getting anything.

Thanks!
Re: Proxy problem in FreeRADIUS 1.1.3

"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
> Sending Access-Reject of id 3 to xx.xx.xx.xx port 4587
>         Reply-Message = "Your account has been disabled."

That message does not appear in the server source. It's added somewhere by your local config.

> Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: calling files
> (rlm_files) for request 2
> Fri Sep 8 12:37:40 2006 : Debug: users: Matched entry DEFAULT at
> line 54
> Fri Sep 8 12:37:40 2006 : Debug: users: Matched entry DEFAULT at
> line 72

Check those two lines. Find the entry in your configuration files that adds that Reply-Message, it's setting Auth-Type := Reject, too.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Proxy problem in FreeRADIUS 1.1.3
> Please post a config & debug logs from 1.1.3.

OK, I took out blank lines, commented lines, and obfuscated IPs and passwords. Let me know if there's anything else I can provide, and thanks in advance for all your help!

-- radiusd -X -x debug output

rad_recv: Access-Request packet from host xx.xx.xx.xx:4587, id=3, length=60
        User-Name = "[EMAIL PROTECTED]"
        User-Password = ""
Fri Sep 8 12:37:40 2006 : Debug: Processing the authorize section of radiusd.conf
Fri Sep 8 12:37:40 2006 : Debug: modcall: entering group authorize for request 2
Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 2
Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 2
Fri Sep 8 12:37:40 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 2
Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 2
Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 2
Fri Sep 8 12:37:40 2006 : Debug: modcall[authorize]: module "chap" returns noop for request 2
Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: calling realmsuffix (rlm_realm) for request 2
Fri Sep 8 12:37:40 2006 : Debug: rlm_realm: Looking up realm "domain.com" for User-Name = "[EMAIL PROTECTED]"
Fri Sep 8 12:37:40 2006 : Debug: rlm_realm: Found realm "domain.com"
Fri Sep 8 12:37:40 2006 : Debug: rlm_realm: Adding Stripped-User-Name = "bob"
Fri Sep 8 12:37:40 2006 : Debug: rlm_realm: Proxying request from user bob to realm domain.com
Fri Sep 8 12:37:40 2006 : Debug: rlm_realm: Adding Realm = "domain.com"
Fri Sep 8 12:37:40 2006 : Debug: rlm_realm: Preparing to proxy authentication request to realm "domain.com"
Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: returned from realmsuffix (rlm_realm) for request 2
Fri Sep 8 12:37:40 2006 : Debug: modcall[authorize]: module "realmsuffix" returns updated for request 2
Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 2
Fri Sep 8 12:37:40 2006 : Debug: users: Matched entry DEFAULT at line 54
Fri Sep 8 12:37:40 2006 : Debug: users: Matched entry DEFAULT at line 72
Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 2
Fri Sep 8 12:37:40 2006 : Debug: modcall[authorize]: module "files" returns ok for request 2
Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: calling monthlycounter (rlm_sqlcounter) for request 2
Fri Sep 8 12:37:40 2006 : Debug: rlm_sqlcounter: Entering module authorize code
Fri Sep 8 12:37:40 2006 : Debug: rlm_sqlcounter: Could not find Check item value pair
Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: returned from monthlycounter (rlm_sqlcounter) for request 2
Fri Sep 8 12:37:40 2006 : Debug: modcall[authorize]: module "monthlycounter" returns noop for request 2
Fri Sep 8 12:37:40 2006 : Debug: modcall: leaving group authorize (returns updated) for request 2
Fri Sep 8 12:37:40 2006 : Debug: Cancelling proxy as request was already rejected
Fri Sep 8 12:37:40 2006 : Debug: Request 2 rejected in proxy_send.
Fri Sep 8 12:37:40 2006 : Debug: Server rejecting request 2.
Sending Access-Reject of id 3 to xx.xx.xx.xx port 4587
        Reply-Message = "Your account has been disabled."
Fri Sep 8 12:37:40 2006 : Debug: Finished request 2
Fri Sep 8 12:37:40 2006 : Debug: Going to the next request
Fri Sep 8 12:37:40 2006 : Debug: --- Walking the entire request list ---
Fri Sep 8 12:37:40 2006 : Debug: Waking up in 6 seconds...
Fri Sep 8 12:37:46 2006 : Debug: --- Walking the entire request list ---
Fri Sep 8 12:37:46 2006 : Debug: Cleaning up request 2 ID 3 with timestamp 4501aa64
Fri Sep 8 12:37:46 2006 : Debug: Nothing to do. Sleeping until we see a request.

-- radiusd.conf -

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = root
group = radius
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 8000
bind_address = xx.xx.xx.xx
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 0
        status_ser
Re: Proxy problem in FreeRADIUS 1.1.3

"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
> We have [EMAIL PROTECTED] and bob. Bob (the local user) is disabled, he's
> in a certain group on my server that locks him out completely. On my
> backup RADIUS server, which is version 0.8-pre, I get the expected
> behavior - if bob tries to log in, he gets a "Your account has been
> disabled" message, but if [EMAIL PROTECTED] tries to log in, the proxy
> request goes to the remote server and it'll work.

OK...

> But on 1.1.3 I get weird results. Bob (local) gets the same "disabled"
> message, but so does [EMAIL PROTECTED] But if I take bob out of the local
> passwd file, [EMAIL PROTECTED] proxies to where it's supposed to go and
> works fine. What's even weirder is in the above failure, I don't even
> get anything in radius.log about [EMAIL PROTECTED] failing auth - I have to
> hear about it from the customer himself.

In 1.1.3, the account lockouts in /etc/passwd are handled by the unix module, unless you've got something else set up. And the unix module only has an "authenticate" handler. That means it's run only if "Auth-Type = System", and never for proxying.

Please post a config & debug logs from 1.1.3.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Proxy Problem maybe a bug!
Mitaine Yoann <[EMAIL PROTECTED]> wrote:
> There was no case of Access challenge request, I added it
> (case PW_ACCESS_CHALLENGE).
> And now the proxy request works!
> I would like to know if the change is correct and if somebody already had
> this error.

It's a bug, and a fairly stupid one at that. I can't help but feel at least partially responsible, as I was the last one who touched that code.

I'll commit a fix shortly.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: proxy problem/question
Hi !

>> Is this possible ? Should it work ? Is it possible to proxy ms-chap-v2 ?
>
> Yes. My guess is that the other RADIUS server doesn't understand MS-CHAPv2.

The solution was to add a "nostrip" in proxy.conf file.
Re: proxy problem/question
Hi !

>> If I send ms-chap, then the proxy works. But if I send ms-chap-v2 then
>> i get this error message (from debug) :
>
> That's nice. What does the debug log on the other RADIUS server say?

Sorry no debug information, but here is some from the ms w2k3 ias log file :

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 06.03.2006
Time: 09:03:06
User: N/A
Computer: XX
Description:
User edprp was denied access.
 Fully-Qualified-User-Name = DOMAIN\username
 NAS-IP-Address = 192.168.1.10
 NAS-Identifier = vpn.domain.com
 Called-Station-Identifier =
 Calling-Station-Identifier =
 Client-Friendly-Name = freeradius.domain.com
 Client-IP-Address = 192.168.1.1
 NAS-Port-Type = Virtual
 NAS-Port = 0
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server =
 Policy-Name =
 Authentication-Type = MS-CHAPv2
 EAP-Type =
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
: 2e 05 07 80 ...~@

>> Is this possible ? Should it work ? Is it possible to proxy ms-chap-v2 ?
>
> Yes. My guess is that the other RADIUS server doesn't understand MS-CHAPv2.

The other radius server is a Microsoft 2003 IAS server. Just for the test i have installed a local vpn server which is able to send ms-chap-v2 authentication to the same ms radius server and this is working 100%
Re: proxy problem/question

"VannMann32 ." <[EMAIL PROTECTED]> wrote:
> If I send ms-chap, then the proxy works. But if I send ms-chap-v2 then
> i get this error message (from debug) :

That's nice. What does the debug log on the other RADIUS server say?

> Is this possible ? Should it work ? Is it possible to proxy ms-chap-v2 ?

Yes. My guess is that the other RADIUS server doesn't understand MS-CHAPv2.

Alan DeKok.
Re: proxy problem
The information below is the server that will authenticate the domain users (Realm TESTE):

Debug with the problem.

/usr/local/radius/sbin/radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/radius/etc/raddb/users"
 files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
        User-Name = "[EMAIL PROTECTED]"
        EAP-Message =
Re: proxy problem
Post your debug output (radiusd -X), with both a successful and unsuccessful login.

On Fri, 28 Jan 2005, Israel Fabio Alves wrote:

> If I do a test, login without domain, only with username and password,
> the authentication occurs.
>
> We can see this information in the files "proxy1.txt" and "realmTESTE1.txt"
>
> If someone can help me.
>
> Very Thanks.
>
> Israel Fabio Alves wrote:
>
> > The file "proxy.txt" is the freeradius that receive the request from Switch.
> >
> > The file "realmTESTE.txt" is the freeradius that will authenticate users
> > for domain TESTE. At this moment, the authentication is in files.
> >
> > Dustin Doris wrote:
> >
> >> Do you have nostrip setup in proxy.conf to not strip the username?
> >> Please
> >> post debug info (radiusd -X).
> >>
> >> On Fri, 28 Jan 2005, Israel Fabio Alves wrote:
> >>
> >>> I do not know right if is a problem of freeradius, it is possible that
> >>> is my configuration.
> >>>
> >>> When I do a test using just the user and password, I login OK, but when
> >>> using username, password and domain, occur the login failed.
> >>>
> >>> If somebody have information that help me, I will very happy.
> >>>
> >>> Alan DeKok wrote:
> >>>
> >>>> Israel Fabio Alves <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>>> I try to do 802.1x with proxy authentication, when user login from
> >>>>> Windows XP, he put username, password and domain. The Switch will
> >>>>> send a
> >>>>> request authentication for a freeradius server, that will proxy the
> >>>>> request conform user domain. When a try this, I get the errors below.
> >>>>
> >>>> What part of the errors are unclear?
> >>>>
> >>>>> Sending Access-Request of id 0 to 172.22.3.69:1812
> >>>>> ...
> >>>>> rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0,
> >>>>> length=108
> >>>>
> >>>> The other server rejected the user. Why would you think this is a
> >>>> problem in FreeRADIUS?
> >>>>
> >>>> Alan DeKok.
> >>>
> >>> --
> >>> Israel Alves - Gerente de Infraestrutura
> >>> Quantiza Systems - 55(51) 598-2343
> >
> > Starting - reading configuration files ...
> > reread_config: reading radiusd.conf
> > Config: including file: /usr/local/radius/etc/raddb/proxy.conf
> > Config: including file: /usr/local/radius/etc/raddb/clients.conf
> > Config: including file: /usr/local/radius/etc/raddb/snmp.conf
> > Config: including file: /usr/local/radius/etc/raddb/eap.conf
> > Config: including file: /usr/local/radius/etc/raddb/sql.conf
> > main: prefix = "/usr/local/radius"
> > main: localstatedir = "/usr/local/radius/var"
> > main: logdir = "/usr/local/radius/var/log/radius"
> > main: libdir = "/usr/local/radius/lib"
> > main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
> > main: hostname_lookups = no
> > main: max_request_time = 30
> > main: cleanup_delay = 5
> > main: max_requests = 1024
> > main: delete_blocked_requests = 0
> > main: port = 0
> > main: allow_core_dumps = no
> > main: log_stripped_names = yes
> > main: log_file = "/usr/local/radius/var/log/radius/radius.log"
> > main: log_auth = yes
> > main: log_auth_badpass = yes
> > main: log_auth_goodpass = yes
> > main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
> > main: user = "(null)"
> > main: group = "(null)"
> > main: usercollide = no
> > main: lower_user = "no"
> > main: lower_pass = "no"
> > main: nospace_user = "no"
> > main: nospace_pass = "no"
> > main: checkrad = "/usr/local/radius/sbin/checkrad"
> > main: proxy_requests = yes
> > proxy: retry_delay = 5
> > proxy: retry_count = 3
> > proxy: synchronous = no
> > proxy: default_fallback = yes
> > proxy: dead_time = 120
> > proxy: post_proxy_authorize = yes
> > proxy: wake_all_if_all_dead = no
> > security: max_attributes = 200
> > security: reject_delay = 1
> > security: status_server = no
> > main: debug_level = 0
> > read_config_files: reading dictionary
> > read_config_files: reading naslist
> > Using deprecated naslist file. Support for this will go away soon.
> > read_config_files: reading clients
> > read_config_files: reading realms
> > radiusd: entering modules setup
> > Module: Library search path is /usr/local/radius/lib
> > Module: Loaded exec
> > exec: wait = yes
> > exec: program = "(null)"
> > exec: input_pairs = "request"
> > exec: output_pairs = "(null)"
> > exec: packet_type = "(null)"
> > rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> > Mod
Re: proxy problem
If I do a test, login without domain, only with username and password, the authentication occurs. We can see this information in the files "proxy1.txt" and "realmTESTE1.txt" If someone can help me. Very Thanks. Israel Fabio Alves wrote: The file "proxy.txt" is the freeradius that receive de request from Switch. The file "realmTESTE.txt" is the freeradius that will authenticate users for domain TESTE. At this moment, the autentication is in files. Dustin Doris wrote: Do you have nostrip setup in proxy.conf to not strip the username? Please post debug info (radiusd -X). On Fri, 28 Jan 2005, Israel Fabio Alves wrote: I do not know right if is a problem of freeradius, it is possible that is my configuration. When I do a test using just the user and password, I loggin OK, but when using username, password and domain, occurr the login failed. If somebody have information taht help me, I will very happy. Alan DeKok wrote: Israel Fabio Alves <[EMAIL PROTECTED]> wrote: I try to do 802.1x with proxy autentication, when user loggin from Windows XP, he put username, password and domain. The Switch will send a request authentication for a freeradius server, that will proxy the request conform user domain. When a try this, I get the erros bellow. What part of the errors are unclear? Sending Access-Request of id 0 to 172.22.3.69:1812 ... rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108 The other server rejected the user. Why would you think this is a problem in FreeRADIUS? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Israel Alves - Gerente de Infraestrutura Quantiza Systems - 55(51) 598-2343 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Starting - reading configuration files ... 
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
Re: proxy problem
The file "proxy.txt" is the freeradius that receives the request from the switch. The file "realmTESTE.txt" is the freeradius that will authenticate users for domain TESTE. At this moment, the authentication is in files.

Dustin Doris wrote:

Do you have nostrip setup in proxy.conf to not strip the username? Please post debug info (radiusd -X).

On Fri, 28 Jan 2005, Israel Fabio Alves wrote:

I do not know for sure whether it is a problem with freeradius; it is possible that it is my configuration.

When I do a test using just the user and password, I log in OK, but when using username, password and domain, the login fails.

If somebody has information that can help me, I will be very happy.

Alan DeKok wrote:

Israel Fabio Alves <[EMAIL PROTECTED]> wrote:

I am trying to do 802.1x with proxy authentication. When a user logs in from Windows XP, he enters username, password and domain. The switch will send an authentication request to a freeradius server, which will proxy the request according to the user's domain. When I try this, I get the errors below.

What part of the errors are unclear?

Sending Access-Request of id 0 to 172.22.3.69:1812
...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108

The other server rejected the user. Why would you think this is a problem in FreeRADIUS?

Alan DeKok.

--
Israel Alves - Gerente de Infraestrutura
Quantiza Systems - 55(51) 598-2343

--
Israel Alves - Gerente de Infraestrutura
Quantiza Systems - 55(51) 598-2343

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded fi
Re: proxy problem
Do you have nostrip setup in proxy.conf to not strip the username? Please post debug info (radiusd -X).

On Fri, 28 Jan 2005, Israel Fabio Alves wrote:

> I do not know for sure whether it is a problem with freeradius; it is possible that
> it is my configuration.
>
> When I do a test using just the user and password, I log in OK, but when
> using username, password and domain, the login fails.
>
> If somebody has information that can help me, I will be very happy.
>
> Alan DeKok wrote:
>
> > Israel Fabio Alves <[EMAIL PROTECTED]> wrote:
> >
> >>I am trying to do 802.1x with proxy authentication. When a user logs in from
> >>Windows XP, he enters username, password and domain. The switch will send an
> >>authentication request to a freeradius server, which will proxy the
> >>request according to the user's domain. When I try this, I get the errors below.
> >
> > What part of the errors are unclear?
> >
> >>Sending Access-Request of id 0 to 172.22.3.69:1812
> >
> > ...
> >
> >>rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108
> >
> > The other server rejected the user. Why would you think this is a
> > problem in FreeRADIUS?
> >
> > Alan DeKok.
>
> --
> Israel Alves - Gerente de Infraestrutura
> Quantiza Systems - 55(51) 598-2343
Re: proxy problem
I do not know for sure whether it is a problem with freeradius; it is possible that it is my configuration.

When I do a test using just the user and password, I log in OK, but when using username, password and domain, the login fails.

If somebody has information that can help me, I will be very happy.

Alan DeKok wrote:

Israel Fabio Alves <[EMAIL PROTECTED]> wrote:

I am trying to do 802.1x with proxy authentication. When a user logs in from Windows XP, he enters username, password and domain. The switch will send an authentication request to a freeradius server, which will proxy the request according to the user's domain. When I try this, I get the errors below.

What part of the errors are unclear?

Sending Access-Request of id 0 to 172.22.3.69:1812
...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108

The other server rejected the user. Why would you think this is a problem in FreeRADIUS?

Alan DeKok.

--
Israel Alves - Gerente de Infraestrutura
Quantiza Systems - 55(51) 598-2343
Re: proxy problem
Israel Fabio Alves <[EMAIL PROTECTED]> wrote:
> I am trying to do 802.1x with proxy authentication. When a user logs in from
> Windows XP, he enters username, password and domain. The switch will send an
> authentication request to a freeradius server, which will proxy the
> request according to the user's domain. When I try this, I get the errors below.

  What part of the errors are unclear?

> Sending Access-Request of id 0 to 172.22.3.69:1812
...
> rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108

  The other server rejected the user. Why would you think this is a problem in FreeRADIUS?

  Alan DeKok.
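The reading given in the reply above (the Access-Reject came back from the home server at 172.22.3.69:1812, so the verdict is not the proxy's) can be extracted mechanically from `radiusd -X` output. This is an added example, not part of the original thread or of FreeRADIUS; the function name `proxy_verdicts` and the sample log (documentation addresses, made-up users) are constructed for illustration, using only the two debug line formats quoted in the thread.

```python
import re

# Constructed sample in the radiusd -X format quoted in this thread
# (addresses, ids and users are illustrative, not from a real capture).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10:1354, id=2, length=60
\tUser-Name = "bob@example.test"
modcall[authorize]: module "suffix" returns updated for request 0
Sending Access-Request of id 0 to 198.51.100.69:1812
\tUser-Name = "bob@example.test"
\tProxy-State = 0x32
--- Walking the entire request list ---
rad_recv: Access-Reject packet from host 198.51.100.69:1812, id=0, length=108
\tReply-Message = "denied"
\tProxy-State = 0x32
Sending Access-Request of id 1 to 198.51.100.70:1812
\tUser-Name = "alice@example.test"
"""

SENT = re.compile(r"^Sending Access-Request of id (\d+) to ([\d.]+):(\d+)")
RECV = re.compile(r"^rad_recv: (Access-(?:Accept|Reject|Challenge)) packet "
                  r"from host ([\d.]+):(\d+), id=(\d+), length=\d+")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")

def proxy_verdicts(debug_text):
    """Pair each proxied Access-Request with the home server's reply.

    RADIUS ids are only unique per destination, so the key is (host, port, id).
    Returns a list of dicts; verdict is None when no reply was logged.
    """
    pending = {}      # (host, port, id) -> record still awaiting a reply
    done = []         # records that received a reply, in reply order
    current = None    # record whose attribute lines are being read
    for line in debug_text.splitlines():
        m = SENT.match(line)
        if m:
            key = (m.group(2), int(m.group(3)), int(m.group(1)))
            current = {"home_server": "%s:%s" % key[:2], "id": key[2],
                       "verdict": None, "request": {}, "reply": {},
                       "_into": "request"}
            pending[key] = current
            continue
        m = RECV.match(line)
        if m:
            key = (m.group(2), int(m.group(3)), int(m.group(4)))
            current = pending.pop(key, None)  # a reply with no request is ignored
            if current:
                current["verdict"] = m.group(1)
                current["_into"] = "reply"
                done.append(current)
            continue
        m = ATTR.match(line)
        if m and current:
            # Attributes may repeat (e.g. Cisco-AVPair), so keep a list per name.
            current[current["_into"]].setdefault(m.group(1), []).append(m.group(2))
        else:
            current = None                    # any other line ends the attribute list
    results = done + list(pending.values())
    for record in results:
        record.pop("_into", None)
    return results
```

A record whose verdict is still `None` means the proxy logged the outgoing request but no reply from that home server, which is a different failure from an explicit Access-Reject.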
Re: Proxy problem (EAP)
Alan DeKok wrote:
> Yes please see the existing TTLS and
> PEAP code which does exactly this. You have
> working examples in front of you.
> Use them.

Thanks, that put me on the right track again... I stupidly was searching for a configuration error and missed the (now obvious) error in my code.

Regards,
Stefan
Re: Proxy problem (EAP)
[EMAIL PROTECTED] wrote:
> I hacked rlm_eap_md5 to actually generate a fake request
> containing FreeRADIUS-Proxied-To, Username, CHAP-Challenge
> and CHAP-Response attributes and call "rad_authenticate"

  rad_authenticate doesn't do proxying.

> However, the whole point of my modification was to be able to
> proxy the generated CHAP request to some non-EAP-enabled RADIUS
> server (similar to proxying inner PAP/CHAP/MSCHAP request of
> EAP-TTLS to another server).

  Yes please see the existing TTLS and PEAP code which does exactly this. You have working examples in front of you. Use them.

  Alan DeKok.
Re: Proxy Problem with attrs and Cisco-AVPair
Ben Butler <[EMAIL PROTECTED]> wrote:
> Just tried something out of desperation and commented out EAP in post-proxy,
> and guess what, cooking with gas.

  It's a bug in 0.9.3, which is fixed in the latest CVS snapshots.

  Alan DeKok.
RE: Proxy Problem with attrs and Cisco-AVPair
Um, typical.

Just tried something out of desperation and commented out EAP in post-proxy, and guess what, cooking with gas.

Thanks anyways.

Ben

-Original Message-
From: Ben Butler [mailto:[EMAIL PROTECTED]
Sent: 10 May 2004 23:59
To: '[EMAIL PROTECTED]'
Subject: Proxy Problem with attrs and Cisco-AVPair

Hi All,

I have two servers running freeradius-0.9.3, I am trying to proxy radius request for a specific realm from one server (server1) to the other (server2). I believe I have updated radius.conf and attrs correctly as well as proxy.conf and clients.conf.

Using radtest on server2 to initiate a query against server1 and then viewing the debug -X log on server1 I can see the request is being proxied and coming back and then seems to be getting stuck in the post-proxy section. This is where I am now stuck.

I need to be able to return multiple variable Cisco-AVPair attributes in the proxied request ip:dns-servers and ip:route.

I have included below information that I thought may be useful to help with this request.

Thanks for any and all help

Kind Regards

Ben

Attrs file

DEFAULT
    Service-Type == Framed-User,
    Service-Type == Login-User,
    Login-Service == Telnet,
    Login-Service == Rlogin,
    Login-Service == TCP-Clear,
    Login-TCP-Port <= 65536,
    Framed-IP-Address == 255.255.255.254,
    Framed-IP-Netmask == 255.255.255.255,
    Framed-Protocol == PPP,
    Framed-Protocol == SLIP,
    Framed-Compression == Van-Jacobson-TCP-IP,
    Framed-MTU >= 576,
    Framed-Filter-ID =* ANY,
    Reply-Message =* ANY,
    Proxy-State =* ANY,
    Session-Timeout <= 28800,
    Idle-Timeout <= 600,
    Port-Limit <= 2,
    Cisco-AVPair =* ANY

radiusd.conf file section

post-proxy {
#   attr_rewrite
    attr_filter
    eap
}

Debug:

Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on 1647/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 213.170.128.11:32802, id=233, length=80
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "testing"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1645
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/213.170.128.11/auth-detail-20040510'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/213.170.128.11/auth-detail-20040510
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "attr_filter" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "realmslash" returns noop for request 0
rlm_realm: Looking up realm "proxy.c2internet.net" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "proxy.c2internet.net"
rlm_realm: Proxying request from user testing to realm proxy.c2internet.net
rlm_realm: Adding Realm = "proxy.c2internet.net"
rlm_realm: Preparing to proxy authentication request to realm "proxy.c2internet.net"
modcall[authorize]: module "suffix" returns updated for request 0
users: Matched DEFAULT at 166
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 1 to 213.170.128.11:1645
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "testing"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1645
    Proxy-State = 0x32
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 213.170.128.11:1645, id=1, length=159
    Framed-IP-Address = 10.10.10.1
    Cisco-AVPair = "ip:route=213.170.150.8 255.255.255.252 10.10.10.1"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Netmask = 255.255.255.255
    Cisco-AVPair = "ip:dns-servers=213.170.128.16 213.170.128.150"
    Proxy-State = 0x32
modcall: entering group post-proxy for request 0
attr_filter: Matched entry DEFAULT at line 84
modcall[post-proxy]: module "attr_filter" returns updated for request 0

Kind Regards

Ben Butler

C2 Internet Ltd
Alvaston House
Alvaston Business Park
Nantwich
Cheshire
CW5 6PF

W http://www.c2internet.net/
T +44-(0)845-658-0020
F +44-(0)845-658-0070

All quotes & services from C2 are bound by our standard terms and conditions which are available on our website at: http://www.c2internet.net/legal/main.htm#tandc

C2i Business Internet