Re: authorization

2001-08-09 Thread Chris Parker

At 01:14 PM 8/9/2001 +0200, you wrote:
> I want to enable the authorization.
> I have done so on the NAS (still cisco), but cannot get authorized:
>
> If I type a nonexistent login I get this:
> Username: inexistant
> Password:
> % Access denied
>
> If I type an existing one (with its right password) I get:
> Username: userrad
> Password:
> % Authorization failed.
> (only if I type the right password, else I get the Access denied message)
>
> My users file contains just 1 entry:
> userrad Auth-Type == Local, Password == testing
>         Login-Service = Telnet,
>         Login-TCP-Port = 23
> Is this right?
> Why doesn't it work?
> I have set up my NAS with this option:
> aaa authorization exec radius

You have not configured your cisco and radius server properly.  Please
search Google ( http://cisco.google.com/cisco ) for configuration examples.
Cisco has lots of docs with sample configs on their website.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



request for help

2001-08-09 Thread Ken Waters

I'm new to radius, but nevertheless I'm trying to build and configure a
radius proxy.  I've downloaded and built version 1.16 and set it up to
service one client.

in clients.conf:

client 212.64.222.9 {
        secret      = mysecret
        shortname   = itsmax
}

in proxy.conf:

realm DEFAULT {
        type        = radius
        authhost    = 195.13.105.131:1812
        accthost    = 195.13.105.131:1813
        secret      = myothersecret
}

This is what I get in the log file:

Thu Aug  9 14:41:44 2001 : Info: Listening on IP address *, ports 1812/udp
and 1813/udp, with proxy on 1814/udp.
Thu Aug  9 14:41:44 2001 : Info: Ready to process requests.
Thu Aug  9 14:46:14 2001 : Error: ERROR!  Unreachable code reached, at
client.c:254
Thu Aug  9 14:46:14 2001 : Proxy: No request found for proxy reply from
server UNKNOWN-CLIENT - ID 1
Thu Aug  9 14:46:18 2001 : Info: Sending duplicate authentication reply to
client itsmax:1025 - ID: 56

Can anyone suggest what I'm doing wrong?
Thanks,
Ken Waters





Re: sem_init problem in FreeBSD

2001-08-09 Thread Greg Skouby

 
> I'm not able to upgrade my system now, it's a production system and
> something like that has to be done very carefully so I need a way around
> this. Besides, because I was told it was something related with the
> threading I ran configure with the --without-threads options and
> everything was the same.
>
> Version 0.1 compiles with threads enabled but the new one 0.2 does not in
> my FreeBSD 3.2 system, the compilation process complains about all kinds
> of sem_??? stuff.
>
> Any advice would be appreciated.
 


There is nothing you can really do except either use FreeRADIUS-0.1 or
upgrade your BSD box. 





Re: DNIS authentication

2001-08-09 Thread Thomas Jalsovsky


> Cisco (our Cisco AS5300) doesn't send Called-Station-ID attribute in the
> access request RADIUS packet, therefore you can't use it for auth.
>
> Uhm, you certainly can.  If your telco sends you DNIS info the NAS will
> send it to you.  I'd confirm with your telco that they are sending DNIS
> info to you.
>
> I have 200 cisco's all happily sending Called-Station-ID, so it is
> definitely supported.  :)
>
> -Chris

I think it depends on the environment. I use AS5300 for VoIP and our TCL
script is in Cisco clid_col_npw_3. It doesn't send CLID in the auth request.
If I rewrite the script I CAN do auth with CLID in the way of: User-Name =
CLID, Password =  (or something what I want).
Sometimes we need to look into the system/scripts for solving some
problems - it is true for Cisco 2 time :-)
In Cisco there is a feature called ISDN Preauth (aaa preauth) but it
doesn't work with VoIP - this is not written in any documentation.

Have a nice day,
Thomas

p.s.: I sent a cisco_vsa_hack patch a couple of weeks ago. This patch went to
/dev/null or it is in a processing queue. Thanks.





Re: DNIS authentication

2001-08-09 Thread Chris Parker

At 09:03 PM 8/9/2001 +0200, Thomas Jalsovsky wrote:

> > Cisco (our Cisco AS5300) doesn't send Called-Station-ID attribute in the
> > access request RADIUS packet, therefore you can't use it for auth.
> >
> > Uhm, you certainly can.  If your telco sends you DNIS info the NAS will
> > send it to you.  I'd confirm with your telco that they are sending DNIS
> > info to you.
> >
> > I have 200 cisco's all happily sending Called-Station-ID, so it is
> > definitely supported.  :)
> >
> > -Chris
> I think it depends on the environment. I use AS5300 for VoIP and our TCL
> script is in Cisco clid_col_npw_3. It doesn't send CLID in the auth request.
> If I rewrite the script I CAN do auth with CLID in the way of: User-Name =
> CLID, Password =  (or something what I want).

Well, see, it *is* sent.  It's just not a regular radius packet, as
it's VOIP auth.

> p.s.: I sent a cisco_vsa_hack patch a couple of weeks ago. This patch went to
> /dev/null or it is in a processing queue. Thanks.

It may have been lost in the shuffle.  Please repost it here and it'll
be reviewed.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





radiusd

2001-08-09 Thread Jane Sun

I am totally new to RADIUS.  I just downloaded the latest version of
FreeRadius and installed it on one of our machines.  After I started 
the RADIUS daemon by running radiusd in /usr/local/sbin, the 7 radiusd 
processes seemed to be always in the idle state.  The following is the 
display from running ps.

 ps aux | fgrep rad
root 23354  0.0  1.2 12984 1620 ?        S    Aug08   0:00 radiusd
root 23355  0.0  1.2 12984 1620 ?        S    Aug08   0:00 radiusd
root 23356  0.0  1.2 12984 1620 ?        S    Aug08   0:00 radiusd
root 23357  0.0  1.2 12984 1620 ?        S    Aug08   0:00 radiusd
root 23358  0.0  1.2 12984 1620 ?        S    Aug08   0:00 radiusd
root 23359  0.0  1.2 12984 1620 ?        S    Aug08   0:00 radiusd
root 23360  0.0  1.2 12984 1620 ?        S    Aug08   0:00 radiusd

 ps axl | fgrep rad
140 0 23354     1   0   0 12984 1620 do_sel S    ?  0:00 radiusd
040 0 23355 23354   0   0 12984 1620 do_pol S    ?  0:00 radiusd
040 0 23356 23355   0   0 12984 1620 rt_sig S    ?  0:00 radiusd
040 0 23357 23355   0   0 12984 1620 rt_sig S    ?  0:00 radiusd
040 0 23358 23355   0   0 12984 1620 rt_sig S    ?  0:00 radiusd
040 0 23359 23355   0   0 12984 1620 rt_sig S    ?  0:00 radiusd
040 0 23360 23355   0   0 12984 1620 rt_sig S    ?  0:00 radiusd

When I ran radtest or radclient, it always said no response from server.  
I am not sure if the server is running incorrectly, or the configurations 
weren't setup properly.

Would someone with more experience give me a pointer?  Thanks a lot!
Jane




Re: Radius Accounting Question

2001-08-09 Thread Scott R . Pesato

On Thursday 09 August 2001 07:52 pm, you wrote:
> Is there a message type for accounting to keep track of failed login
> attempts? What is the industry standard for this? Do most radius users
> keep track of invalid login attempts and if so how?

They are logged to radius.log; the location of this depends on how you
specified this while running configure.

Look at radiusd.conf for logging options; you may not have them turned on.

log_auth = yes
 
#
#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
log_auth_badpass = yes
log_auth_goodpass = no

You can grep for failed logins:

Scott
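
Added example (not part of the original post and not FreeRADIUS code): one way to tally rejected logins per user and client from radius.log once log_auth is on. The line format and the sample lines are constructed assumptions to check against your own log; the password that log_auth_badpass = yes writes after the slash is dropped from the output.

```shell
#!/bin/sh
# Count rejected logins per (user, client) from radius.log lines on stdin.
# Assumed line format (constructed, verify against your own radius.log):
#   <timestamp> : Auth: Login incorrect: [user/password] (from client NAME port N)
# With log_auth_badpass = no the bracket holds only the user name.
failed_logins() {
    awk '
    /Auth: Login incorrect/ {
        start = index($0, "[")
        stop  = index($0, "] (from client ")
        if (start == 0 || stop == 0 || stop < start) next
        # Credential field between the brackets: "user" or "user/password".
        cred  = substr($0, start + 1, stop - start - 1)
        slash = index(cred, "/")
        # Keep only the user name so rejected passwords never reach the report.
        user  = (slash > 0) ? substr(cred, 1, slash - 1) : cred
        rest  = substr($0, stop + length("] (from client "))
        split(rest, f, " ")
        count[user " " f[1]]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input (not taken from the thread).
sample_log() {
cat <<'EOF'
Thu Aug  9 14:46:18 2001 : Auth: Login incorrect: [userrad/wrongpw] (from client itsmax port 3)
Thu Aug  9 14:46:25 2001 : Auth: Login incorrect: [userrad/testin] (from client itsmax port 3)
Thu Aug  9 14:47:02 2001 : Auth: Login OK: [userrad] (from client itsmax port 3)
Thu Aug  9 14:48:40 2001 : Auth: Login incorrect: [inexistant] (from client itsmax port 4)
Thu Aug  9 14:49:00 2001 : Info: Ready to process requests.
EOF
}

# Usage: failed_logins < /path/to/radius.log
sample_log | failed_logins
```

Because rejected passwords are often near-misses of the real one, a radius.log written with log_auth_badpass = yes should be readable only by the RADIUS administrators.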




The Dial-Up clients don't receive a default gateway with cisco 2511

2001-08-09 Thread Homero Borgo Valdez

Hi all!

this is the history:

i have 3 type of NAS:
cisco 2511  (IOS
totalcontrol
patton
and i have radius installed on solaris 7 (x86) and my dial-up clients (users
who have a PC w/windows and connect to the internet with PPP) do not receive a
default gateway so they can't navigate if they are connected to the cisco
BUT they can if they are connected to the totalcontrol or to the patton
so ...some idea?

i check this with winipcfg and on the default gateway field is getting
empty

i think is my configuration on cisco but i don't understand what
happening...

do you think about some problem with IOS?

ciscoISP#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-C-L), Version 12.0(5), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 15-Jun-99 20:46 by phanguye
Image text-base: 0x0302CF60, data-base: 0x1000

ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE
SOFT)

ciscoISP uptime is 5 weeks, 2 days, 28 minutes
System restarted by power-on
System image file is flash:c2500-c-l_120-5.bin

cisco 2511 (68030) processor (revision D) with 4096K/2048K bytes of memory.
Processor board ID 02280100, with hardware revision 
Bridging software.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
16 terminal line(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)

Configuration register is 
..

or what?

thanks!
sorry my english!  :)

