Re: authorization
At 01:14 PM 8/9/2001 +0200, you wrote:

> I want to enable authorization. I have done so on the NAS (still Cisco), but cannot get authorized.
>
> If I type a nonexistent login I get this:
>
>     Username: inexistant
>     Password:
>     % Access denied
>
> If I type an existing one (with its right password) I get:
>
>     Username: userrad
>     Password:
>     % Authorization failed.
>
> (only if I type the right password; otherwise I get the Access denied message)
>
> My users file contains just 1 entry:
>
>     userrad Auth-Type == Local, Password == testing
>             Login-Service = Telnet,
>             Login-TCP-Port = 23
>
> Is this right? Why doesn't it work?
>
> I have set up my NAS with this option:
>
>     aaa authorization exec radius

You have not configured your Cisco and RADIUS server properly. Please search Google ( http://cisco.google.com/cisco ) for configuration examples. Cisco has lots of docs with sample configs on their website.

-Chris

--
Chris Parker - Manager, Development Engineering
WX *is* Wireless!
[EMAIL PROTECTED]
http://www.starnetwx.net
(847) 963-0116
Without C we would have 'obol', 'basi', and 'pasal'

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
request for help
I'm new to RADIUS, but nevertheless I'm trying to build and configure a RADIUS proxy. I've downloaded and built version 1.16 and set it up to service one client.

In clients.conf:

    client 212.64.222.9 {
        secret = mysecret
        shortname = itsmax
    }

In proxy.conf:

    realm DEFAULT {
        type = radius
        authhost = 195.13.105.131:1812
        accthost = 195.13.105.131:1813
        secret = myothersecret
    }

This is what I get in the log file:

    Thu Aug 9 14:41:44 2001 : Info: Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
    Thu Aug 9 14:41:44 2001 : Info: Ready to process requests.
    Thu Aug 9 14:46:14 2001 : Error: ERROR! Unreachable code reached, at client.c:254
    Thu Aug 9 14:46:14 2001 : Proxy: No request found for proxy reply from server UNKNOWN-CLIENT - ID 1
    Thu Aug 9 14:46:18 2001 : Info: Sending duplicate authentication reply to client itsmax:1025 - ID: 56

Can anyone suggest what I'm doing wrong?

Thanks,
Ken Waters
Re: sem_init problem in FreeBSD
> I'm not able to upgrade my system now; it's a production system and something like that has to be done very carefully, so I need a way around this. Besides, because I was told it was something related to the threading, I ran configure with the --without-threads option and everything was the same. Version 0.1 compiles with threads enabled but the new one, 0.2, does not on my FreeBSD 3.2 system; the compilation process complains about all kinds of sem_??? stuff. Any advice would be appreciated.

There is nothing you can really do except either use FreeRADIUS-0.1 or upgrade your BSD box.
Re: DNIS authentication
>> Cisco (our Cisco AS5300) doesn't send Called-Station-ID attribute in the access request RADIUS packet, therefore you can't use it for auth.
>
> Uhm, you certainly can. If your telco sends you DNIS info the NAS will send it to you. I'd confirm with your telco that they are sending DNIS info to you. I have 200 Ciscos all happily sending Called-Station-ID, so it is definitely supported. :)
>
> -Chris

I think it depends on the environment. I use AS5300 for VoIP and our TCL script is in Cisco clid_col_npw_3. It doesn't send CLID in the auth request. If I rewrite the script I CAN do auth with CLID in the way of: User-Name = CLID, Password = (or something what I want).

Sometimes we need to look into the system/scripts to solve some problems - it is true for Cisco 2 times :-) In Cisco there is a feature called ISDN Preauth (aaa preauth) but it doesn't work with VoIP - this is not written in any documentation.

Have a nice day,
Thomas

p.s.: I sent a cisco_vsa_hack patch a couple of weeks ago. This patch went to /dev/null or it is in a processing queue. Thanks.
Re: DNIS authentication
At 09:03 PM 8/9/2001 +0200, Thomas Jalsovsky wrote:

>>> Cisco (our Cisco AS5300) doesn't send Called-Station-ID attribute in the access request RADIUS packet, therefore you can't use it for auth.
>>
>> Uhm, you certainly can. If your telco sends you DNIS info the NAS will send it to you. I'd confirm with your telco that they are sending DNIS info to you. I have 200 Ciscos all happily sending Called-Station-ID, so it is definitely supported. :)
>>
>> -Chris
>
> I think it depends on the environment. I use AS5300 for VoIP and our TCL script is in Cisco clid_col_npw_3. It doesn't send CLID in the auth request. If I rewrite the script I CAN do auth with CLID in the way of: User-Name = CLID, Password = (or something what I want).

Well, see, it *is* sent. It's just not a regular RADIUS packet, as it's VoIP auth.

> p.s.: I sent a cisco_vsa_hack patch a couple of weeks ago. This patch went to /dev/null or it is in a processing queue. Thanks.

It may have been lost in the shuffle. Please repost it here and it'll be reviewed.

-Chris

--
Chris Parker - Manager, Development Engineering
WX *is* Wireless!
[EMAIL PROTECTED]
http://www.starnetwx.net
(847) 963-0116
Without C we would have 'obol', 'basi', and 'pasal'
radiusd
I am totally new to RADIUS. I just downloaded the latest version of FreeRADIUS and installed it on one of our machines. After I started the RADIUS daemon by running radiusd in /usr/local/sbin, the 7 radiusd processes seemed to be always in the idle state. The following is the display from running ps.

    ps aux | fgrep rad
    root 23354 0.0 1.2 12984 1620 ? S Aug08 0:00 radiusd
    root 23355 0.0 1.2 12984 1620 ? S Aug08 0:00 radiusd
    root 23356 0.0 1.2 12984 1620 ? S Aug08 0:00 radiusd
    root 23357 0.0 1.2 12984 1620 ? S Aug08 0:00 radiusd
    root 23358 0.0 1.2 12984 1620 ? S Aug08 0:00 radiusd
    root 23359 0.0 1.2 12984 1620 ? S Aug08 0:00 radiusd
    root 23360 0.0 1.2 12984 1620 ? S Aug08 0:00 radiusd

    ps axl | fgrep rad
    140 0 23354     1 0 0 12984 1620 do_sel S ? 0:00 radiusd
    040 0 23355 23354 0 0 12984 1620 do_pol S ? 0:00 radiusd
    040 0 23356 23355 0 0 12984 1620 rt_sig S ? 0:00 radiusd
    040 0 23357 23355 0 0 12984 1620 rt_sig S ? 0:00 radiusd
    040 0 23358 23355 0 0 12984 1620 rt_sig S ? 0:00 radiusd
    040 0 23359 23355 0 0 12984 1620 rt_sig S ? 0:00 radiusd
    040 0 23360 23355 0 0 12984 1620 rt_sig S ? 0:00 radiusd

When I ran radtest or radclient, it always said no response from server. I am not sure if the server is running incorrectly, or the configuration wasn't set up properly. Would someone with more experience give me a pointer?

Thanks a lot!
Jane
Re: Radius Accounting Question
On Thursday 09 August 2001 07:52 pm, you wrote:

> Is there a message type for accounting to keep track of failed login attempts? What is the industry standard for this? Do most RADIUS users keep track of invalid login attempts and if so how?

They are logged to radius.log; the location of this depends on how you specified this while running configure. Look at radiusd.conf for logging options; you may not have them turned on.

    log_auth = yes

    #
    #  Log passwords with the authentication requests.
    #  log_auth_badpass  - logs password if it's rejected
    #  log_auth_goodpass - logs password if it's correct
    #
    #  allowed values: {no, yes}
    #
    log_auth_badpass = yes
    log_auth_goodpass = no

You can grep for failed logins:

Scott
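An added example, not part of Scott's message or of the FreeRADIUS distribution: one way to pull rejected logins out of radius.log once log_auth is on, counting rejects per client and user and masking the passwords that log_auth_badpass = yes writes to the file. The log line shape, the function names and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed line shape (not from the page): "<date> : Auth: Login incorrect:
# [user/password] (from client NAME port N)". The "/password" part is only
# present when log_auth_badpass / log_auth_goodpass is enabled.
AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: (?P<result>Login incorrect|Login OK): "
    r"\[(?P<ident>.*)\] \(from client (?P<client>\S+) port (?P<port>\d+)")
PASS_RE = re.compile(r"\[([^/\]]*)/.*\] \(from client")

# Constructed sample lines, reusing the client and user names from this thread.
SAMPLE_LOG = """\
Thu Aug  9 14:46:14 2001 : Auth: Login incorrect: [userrad/tesing] (from client itsmax port 3)
Thu Aug  9 14:46:20 2001 : Auth: Login incorrect: [userrad/testing1] (from client itsmax port 3)
Thu Aug  9 14:46:31 2001 : Auth: Login OK: [userrad] (from client itsmax port 3)
Thu Aug  9 14:47:02 2001 : Auth: Login incorrect: [admin/a]b/c] (from client itsmax port 5)
Thu Aug  9 14:47:03 2001 : Auth: Login incorrect: [admin/letmein] (from client itsmax port 5)
Thu Aug  9 14:47:04 2001 : Auth: Login incorrect: [admin/123456] (from client itsmax port 5)
Thu Aug  9 14:47:10 2001 : Info: Ready to process requests.
"""

def parse_auth_line(line):
    """Return a dict for an Auth line, or None for any other log line."""
    m = AUTH_RE.match(line)
    if m is None:
        return None
    # Split on the first "/": a user name containing "/" would be misparsed.
    user, _, _password = m.group("ident").partition("/")
    return {"ts": m.group("ts"), "ok": m.group("result") == "Login OK",
            "user": user, "client": m.group("client"), "port": int(m.group("port"))}

def failed_logins(log_text):
    """All rejected authentication events in the log text."""
    events = (parse_auth_line(line) for line in log_text.splitlines())
    return [e for e in events if e and not e["ok"]]

def noisy_accounts(log_text, threshold=3):
    """(client, user) pairs with at least `threshold` rejected logins."""
    counts = Counter((e["client"], e["user"]) for e in failed_logins(log_text))
    return {pair: n for pair, n in counts.items() if n >= threshold}

def redact(line):
    """Replace a logged password so the line can be shared in a ticket."""
    return PASS_RE.sub(r"[\1/<redacted>] (from client", line)

if __name__ == "__main__":
    for pair, n in noisy_accounts(SAMPLE_LOG).items():
        print(pair, n)
    for line in SAMPLE_LOG.splitlines():
        print(redact(line))
```

Rejected passwords are often near-misses of the real one, so a radius.log written with log_auth_badpass = yes deserves the same file permissions and retention handling as the users file.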
The Dial-Up clients don't receive a default gateway with cisco 2511
Hi all!

This is the history: I have 3 types of NAS:

    cisco 2511 (IOS
    totalcontrol
    patton

and I have RADIUS installed on Solaris 7 (x86), and my dial-up clients (users who have a PC w/Windows and connect to the Internet with PPP) do not receive a default gateway, so they can't navigate if they are connected to the Cisco, BUT they can if they are connected to the totalcontrol or to the patton.

So ... any idea? I checked this with winipcfg and the default gateway field is empty. I think it is my configuration on the Cisco but I don't understand what is happening... do you think there is some problem with IOS?

    ciscoISP#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-C-L), Version 12.0(5), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Tue 15-Jun-99 20:46 by phanguye
    Image text-base: 0x0302CF60, data-base: 0x1000
    ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
    BOOTFLASH: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFT)
    ciscoISP uptime is 5 weeks, 2 days, 28 minutes
    System restarted by power-on
    System image file is flash:c2500-c-l_120-5.bin
    cisco 2511 (68030) processor (revision D) with 4096K/2048K bytes of memory.
    Processor board ID 02280100, with hardware revision
    Bridging software.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    X.25 software, Version 3.0.0.
    TN3270 Emulation software.
    1 Ethernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    16 terminal line(s)
    32K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read ONLY)
    Configuration register is

.. or what?

Thanks! Sorry for my English! :)