setting idle-time based on port
Hello,

I'm trying to configure freeradius to send a rule to allow a max idle time in a session to be 20 min for a certain port.

So, if a user comes in to port 0, his/her idle time is 20 min.
If a user comes in another port, his/her idle time is unlimited.

Is this doable?

Thanks.

---
Aamer Akhter / [EMAIL PROTECTED]
NSITE - cisco Systems

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Using MySQL with freeradius
I downloaded and compiled successfully the 9/20/01 snapshot of freeradius. I'm able to authenticate users defined in my /etc/passwd file.

I've already verified that MySQL is running, and I've already created a database called 'radius'. I'm able to query the tables defined in radius.

I'm trying to see if I can use the users defined in MySQL db for authentication. What do I need to do to accomplish this? Changes in radiusd.conf and/or sql.conf files?

Also, is it possible to use both unix and sql to authenticate users?

Thanks.
File Locking in rlm_detail
I am in the process of writing a detail parser that will sort my detail files based on the Class attribute as suggested in the docs/duplicate_users file.

I saw that the rlm_module includes the fcntl.h header so I am assuming this is a feature that is planned to be added at some time? I didn't see any calls to fcntl in the code so unless this is being locked somewhere else?

The action that my program will perform is to move/rename the existing detail file before processing it. However I really don't want to do this until the radius process is done writing its accounting data.

I realize that we are dealing with fractions of a second here and the possibility of me moving the file while radius writes to it should be in my favor since I will only process the files once a day or so. But I would rather have a little peace of mind rather than small possibility of failure.

--
Joe Modjeski
Systems Administrator
CommSpeed
[EMAIL PROTECTED]
--
"If man evolved from monkeys and apes, why do we still have monkeys and apes?" - From someone out there
Re: Password encoding in radcheck table? (MySQL)
> Joe Modjeski wrote:
>
>> The ENCRYPT() function should be the one to use since MySQL just
>> passes it through to your system's crypt() function. I know on the
>> American version of the crypto libs on FreeBSD(using export controlled
>> crypto) and Linux you can control the type of password created by the
>> salt that was used to create the hash.
>>
>> A good test is to encrypt in MySQL the same password you use to
>> login to your UNIX box passing it the system hashed version (out of
>> /etc/passwd or /etc/shadow) of the password as the salt. ie
>>
>> SELECT ENCRYPT('mypass','');
>>
>> MySQL should return an exact copy of . If not then it is
>> possible that MySQL is linked to the wrong crypto libs.
>
> This might be true. I use MD5 passwords on my RH7.1 box, but the return
> value of ENCRYPT() looks decidedly like the old crypt() (it's SHORT!)
>
> I'm not at the office right now; when I get there I'll simply try to
> copy the password field from /etc/shadow into the table and see what
> happens.
>
>> I have FreeRadius running on 4 RH7 boxes using both DES and MD5
>> crypted hashes and have had no problems. With the exception of some
>> old FreeBSD hashes that used a 16 character MD5 salt.
>
> But do you use MySQL, specifically the stock RedHat RPM one (like me)?
> It might have been miscompiled.
>

Yes I am using MySQL, but no I am not using the binary version. The stock RedHat RPM should be linked to the proper crypto libs (I would hope). I just did a test(on RH7.1 with stock RedHat RPM MySQL) and by default it seems that mysql will use a DES salt to the ENCRYPT() call.

I have to support CHAP authentications so all of my new users are using clear-text passwords. I do have a lot of crypted passwords (both DES and MD5) left over from legacy implementations. I would agree with Alan though, starting to store clear-text passwords now would be a good thing unless you don't ever plan on supporting CHAP. I got stung a half a year ago with 5000 crypted passwords and a new provider that would only send me CHAP requests. Needless to say it was a LONG migration to CHAP.

This brings up another point though, the attribute row that stores the password in the radcheck table. You are using the 'Crypt-Password' attribute instead of the 'Password' attribute? I got stung by this when I did my initial import from my MySQL patched Cistron.

Joe

>> Joe
>
> --
> Juan Carlos Castro y Castro | "Standing up to an evil system is
> [EMAIL PROTECTED]           | exhilarating." -Richard Stallman
> Rio de Janeiro - Brazil     |
> DC4DC #25                   | http://www.vialink.com.br/~jcastro

--
Joe Modjeski
Systems Administrator
CommSpeed
[EMAIL PROTECTED]
--
"If man evolved from monkeys and apes, why do we still have monkeys and apes?" - From someone out there
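The two checks discussed in this message, the shape of the stored value (13-character DES crypt versus `$1$` MD5 crypt) and whether it sits under 'Password' or 'Crypt-Password', can be run over exported radcheck rows. The following is an added example, not part of the original thread or of FreeRADIUS; the (user, attribute, value) row layout, the function names and the sample rows are assumptions made for illustration.

```python
import re

# Heuristic shapes of crypt(3) output. A cleartext password that happens to
# match one of these shapes would be misclassified.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

def classify(value):
    """Return 'md5-crypt', 'des-crypt' or 'cleartext' for a stored value."""
    if MD5_CRYPT.match(value):
        return "md5-crypt"
    if DES_CRYPT.match(value):
        return "des-crypt"
    return "cleartext"

def audit(rows):
    """Check each (user, attribute, value) row for an attribute/format mismatch.

    Returns (findings, chap_capable): findings is a list of (user, problem),
    chap_capable the users whose cleartext password is available for CHAP.
    """
    findings, chap_capable = [], []
    for user, attribute, value in rows:
        kind = classify(value)
        if attribute == "Password" and kind != "cleartext":
            findings.append((user, f"{kind} hash stored under Password"))
        elif attribute == "Crypt-Password" and kind == "cleartext":
            findings.append((user, "Crypt-Password value is not a crypt hash"))
        elif attribute == "Password":
            chap_capable.append(user)
    return findings, chap_capable

# Constructed sample rows (hypothetical layout). The hash strings are made up
# to have the right shape and do not correspond to any real password.
SAMPLE_ROWS = [
    ("alice", "Password", "s3cret-phrase"),
    ("bob", "Crypt-Password", "ab01FAX.bQRSU"),
    ("carol", "Crypt-Password", "$1$abcdefgh$0123456789abcdefghijkl"),
    ("dave", "Password", "xyGm3kQ1pLw9A"),
    ("erin", "Crypt-Password", "plaintext!"),
]

if __name__ == "__main__":
    findings, chap_capable = audit(SAMPLE_ROWS)
    for user, problem in findings:
        print(f"{user}: {problem}")
    print("CHAP possible for:", ", ".join(chap_capable))
```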
Re: Password encoding in radcheck table? (MySQL)
Is this true for Oracle as well? Does Oracle pass encryption down to the OS libraries too?

- Original Message -
From: "Juan Carlos Castro y Castro" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 27, 2001 7:21 PM
Subject: Re: Password encoding in radcheck table? (MySQL)

> Joe Modjeski wrote:
>
> > The ENCRYPT() function should be the one to use since MySQL just passes it
> > through to your system's crypt() function. I know on the American version of
> > the crypto libs on FreeBSD(using export controlled crypto) and Linux you can
> > control the type of password created by the salt that was used to create the
> > hash.
> >
> > A good test is to encrypt in MySQL the same password you use to login to
> > your UNIX box passing it the system hashed version (out of /etc/passwd or
> > /etc/shadow) of the password as the salt. ie
> >
> > SELECT ENCRYPT('mypass','');
> >
> > MySQL should return an exact copy of . If not then it is possible
> > that MySQL is linked to the wrong crypto libs.
>
> This might be true. I use MD5 passwords on my RH7.1 box, but the return value of
> ENCRYPT() looks decidedly like the old crypt() (it's SHORT!)
>
> I'm not at the office right now; when I get there I'll simply try to copy the
> password field from /etc/shadow into the table and see what happens.
>
> > I have FreeRadius running on 4 RH7 boxes using both DES and MD5 crypted hashes
> > and have had no problems. With the exception of some old FreeBSD hashes that
> > used a 16 character MD5 salt.
>
> But do you use MySQL, specifically the stock RedHat RPM one (like me)? It might
> have been miscompiled.
>
> > Joe
>
> --
> Juan Carlos Castro y Castro | "Standing up to an evil system is
> [EMAIL PROTECTED]           | exhilarating." -Richard Stallman
> Rio de Janeiro - Brazil     |
> DC4DC #25                   | http://www.vialink.com.br/~jcastro
Re: High CPU Load
"Mustafa N. Deeb" <[EMAIL PROTECTED]> wrote:
> I have moved 10 access servers today to FreeRadius, everything seems to
> be fine
>
> But the more access servers I add, the higher CPU gets
>
> Radius.log is full of these entries, it says authentication, but 1646 is
> the accounting port
>
> Thu Sep 27 09:08:32 2001 : Error: Dropping conflicting authentication
> packet from client XXX:1646 - ID: 183

Yes. Upgrade to the latest CVS snapshot. There's at least a work-around for this problem.

Alan DeKok.
Re: Proxying to Cistron
"Mustafa N. Deeb" <[EMAIL PROTECTED]> wrote:
> Accounting through proxy does not work
>
> You have to make the changes below and recompile, I hope FreeRadius
> programmers will add this in next releases

I don't recall seeing that patch, and it's for an *old* version of the source. All patches should be against the latest CVS version, as the bugs may have been fixed, or the code may have been re-arranged.

> in acct.c
> line 57
>
> /*
>  * Do accounting
>  */
> reply = module_accounting(request);
>
> /*
>  * Maybe one of the preacct modules has decided
>  * that a proxy should be used. If so, get out of
>  * here and send the packet.
>  */
> if(pairfind(request->config_items, PW_PROXY_TO_REALM)) {
>     module_accounting(request); <- ADD THIS
>
>     return reply;
> }

No, I don't think that's the solution. And it's a patch to an older version of the source.

Please upgrade to the latest CVS snapshot. I think that will fix the problem.

Alan DeKok.
Re: Login-Time Question:
Walter Wagner <[EMAIL PROTECTED]> wrote:
> The password is being authenticated from the mysql database. We seem
> to be able to login within the specified time frame only, but from
> what I could gather it should logout the user if they are already
> logged in and have exceeded that time frame, and this isn't
> happening.

The server doesn't log anyone out. It doesn't kick anyone off line. It just rejects the authentication, and the NAS drops them.

That being said, there are issues with Login-Time, and the 0.2 release. Please try the latest CVS snapshot.

Alan DeKok.
Re: Password encoding in radcheck table? (MySQL)
Juan Carlos Castro y Castro <[EMAIL PROTECTED]> wrote:
> Thanks to Scott Bartlett's kind help, my radiusd now queries MySQL for
> usernames/passwords, but I don't know how to encrypt the latter. Hence,
> by now I always get authentication failures. I tried encrypt() and
> md5(). I hereby annoy you a second time asking for help. ;)

FreeRADIUS *should* eventually come with a utility to encrypt passwords. But it doesn't now, sorry.

Still, I'm not sure I would suggest encrypting passwords in your database. It IS more secure to encrypt them, but it means that CHAP won't work.

If you're willing to live without CHAP, then by all means, encrypt the passwords.

Alan DeKok.
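Why a hashed password column rules out CHAP, shown as an added example that is not part of the original thread or of FreeRADIUS: the CHAP response defined in RFC 1994 is MD5(identifier || secret || challenge), so the server has to hold the cleartext secret to recompute it, whereas PAP hands the server the password and lets it hash and compare. The function names and sample values are assumptions, and salted SHA-256 stands in for crypt() so the example runs anywhere.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(stored_value, ident, challenge, response):
    """Server side: recompute the response from whatever the database holds.
    This only matches when stored_value is the cleartext password."""
    expected = chap_response(ident, stored_value, challenge)
    return hmac.compare_digest(expected, response)

def one_way(salt, password):
    """Stand-in for crypt(): salted SHA-256, used here only so the example
    has no platform dependency. It is not what crypt() or ENCRYPT() compute."""
    return hashlib.sha256(salt + password).digest()

def pap_verify(stored_hash, salt, submitted_password):
    """PAP hands the server the password itself, so hashing and comparing
    against the stored hash works."""
    return hmac.compare_digest(stored_hash, one_way(salt, submitted_password))

def demo():
    password = b"mypass"                 # constructed sample password
    salt = b"ab"                         # constructed sample salt
    stored_hash = one_way(salt, password)

    # The NAS picks a fresh identifier and challenge for each attempt.
    ident, challenge = 7, os.urandom(16)
    response = chap_response(ident, password, challenge)   # client side

    return (
        chap_verify(password, ident, challenge, response),     # cleartext stored
        chap_verify(stored_hash, ident, challenge, response),  # hash stored
        pap_verify(stored_hash, salt, password),               # hash stored, PAP
    )

if __name__ == "__main__":
    print(demo())
```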
Re: freeRADIUS + LDAP
"Toth Zoltan" <[EMAIL PROTECTED]> wrote:
> Can I use freeRadius with novell LDAP server?

I don't see why not.

Alan DeKok.
Re: Password encoding in radcheck table? (MySQL)
Joe Modjeski wrote:

> The ENCRYPT() function should be the one to use since MySQL just passes it
> through to your system's crypt() function. I know on the American version of
> the crypto libs on FreeBSD(using export controlled crypto) and Linux you can
> control the type of password created by the salt that was used to create the
> hash.
>
> A good test is to encrypt in MySQL the same password you use to login to
> your UNIX box passing it the system hashed version (out of /etc/passwd or
> /etc/shadow) of the password as the salt. ie
>
> SELECT ENCRYPT('mypass','');
>
> MySQL should return an exact copy of . If not then it is possible
> that MySQL is linked to the wrong crypto libs.

This might be true. I use MD5 passwords on my RH7.1 box, but the return value of ENCRYPT() looks decidedly like the old crypt() (it's SHORT!)

I'm not at the office right now; when I get there I'll simply try to copy the password field from /etc/shadow into the table and see what happens.

> I have FreeRadius running on 4 RH7 boxes using both DES and MD5 crypted hashes
> and have had no problems. With the exception of some old FreeBSD hashes that
> used a 16 character MD5 salt.

But do you use MySQL, specifically the stock RedHat RPM one (like me)? It might have been miscompiled.

> Joe

--
Juan Carlos Castro y Castro | "Standing up to an evil system is
[EMAIL PROTECTED]           | exhilarating." -Richard Stallman
Rio de Janeiro - Brazil     |
DC4DC #25                   | http://www.vialink.com.br/~jcastro
Re: Proxying to Cistron
On Thu, Sep 27, 2001 at 10:12:58AM +0600, Mojahedul Hoque Abul Hasanat wrote:
> On Wed, Sep 26, 2001 at 09:49:50PM +, Miquel van Smoorenburg wrote:
> >
> >radius.log. For any request that came to it from the FreeRADIUS

Holy Shit! I prayed then installed a recent snapshot (20010924). It couldn't have worked better!

I did some tcpdumps and debugs with the 0.2 beta, it was receiving the proxy reply alright, but just forgot to send a reply back to the NAS.

I'm going to try it out on our production box again. Thanks to the FreeRADIUS team for a superb product.

--
Mojahed
System Administrator
Agni Systems Limited
High CPU Load
Hi,

I have moved 10 access servers today to FreeRadius, everything seems to be fine

But the more access servers I add, the higher CPU gets

Radius.log is full of these entries, it says authentication, but 1646 is the accounting port

Thu Sep 27 09:08:32 2001 : Error: Dropping conflicting authentication packet from client XXX:1646 - ID: 183
Thu Sep 27 09:08:32 2001 : Error: Dropping conflicting authentication packet from client XXX:1646 - ID: 185
Thu Sep 27 09:08:34 2001 : Error: Dropping conflicting authentication packet from client X:1646 - ID: 95
Thu Sep 27 09:08:36 2001 : Error: Dropping conflicting authentication packet from client :1646 - ID: 98
Thu Sep 27 09:08:36 2001 : Error: Dropping conflicting authentication packet from client :1646 - ID: 102
Thu Sep 27 09:08:37 2001 : Error: Dropping conflicting authentication packet from client XXX:1646 - ID: 233
Thu Sep 27 09:08:37 2001 : Error: Dropping conflicting authentication packet from client XXX:1646 - ID: 235
Thu Sep 27 09:08:42 2001 : Error: Dropping conflicting authentication packet from client :1646 - ID: 112
Thu Sep 27 09:08:43 2001 : Error: Dropping conflicting authentication packet from client X:1646

  PID USERNAME PRI NICE  SIZE   RES STATE   TIME   WCPU    CPU COMMAND
92572 nobody    51    0 7156K 5640K RUN    16:01 98.00% 98.00% radiusd

I hope someone has any idea about this!

Note: FreeRadius is working as a proxy machine, proxying to 4 machines...
RE: Proxying to Cistron
I have the same problem,

On the mailing list for freeRadius, there is a posted patch for this.

Accounting through proxy does not work

You have to make the changes below and recompile, I hope FreeRadius programmers will add this in next releases

in acct.c
line 57

    reply = RLM_MODULE_OK;

    /*
     * Do accounting
     */
    reply = module_accounting(request);

    /*
     * Maybe one of the preacct modules has decided
     * that a proxy should be used. If so, get out of
     * here and send the packet.
     */
    if(pairfind(request->config_items, PW_PROXY_TO_REALM)) {
        module_accounting(request); <- ADD THIS

        return reply;
    }

Cheers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aaron Weiker
Sent: Thursday, September 27, 2001 1:01 AM
To: [EMAIL PROTECTED]
Subject: Re: Proxying to Cistron

> Cistron does send the ack packet correctly, but FreeRADIUS
> remains oblivious to it and keeps on sending the acc start and
> stop packets for nearly 20 times.
>
>
> --
> Mojahed
> System Administrator
> Agni Systems Limited

I'm currently using Steel-Belted and I had this similar experience recently proxying to a Cistron AAA server. What appeared to be the problem was an incorrect shared secret. You may want to double check that. It's definitely something that is easily overlooked.

Aaron Weiker
freeRADIUS + LDAP
Hi

Can I use freeRadius with novell LDAP server?

Thanks
ZoltanT