Re: Newbie documentation/instruction request

2002-01-17 Thread Nicolas Blanc

Hi,

I think that before configuring Radius, you should first read what it means
(Miquel and Milan gave you some stuff for that), but afterwards you should
consider what your needs are and what your knowledge is.

Freeradius is highly flexible, so you can manage thousands of customers
via SQL or 10 pupils in a flat Unix base; it depends on how at ease you feel
with Unix, in fact.

Nicolas
- Original Message -
From: "James Jones" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 14, 2002 10:13 PM
Subject: Newbie documentation/instruction request


> I can't find a way to search the archives so please forgive me!
>
> Can someone point me in a direction to documentation or instruction for a
> RADIUS server?
>
>
> Our provider has given us a super deal on Dial-Up POPS but they said we
> would have to provide a RADIUS server for authentication.  All the guys in
> our department looked at themselves and each said "What is a RADIUS
> server?".  We are newbies to this stuff so please be gentle.  We are a
> public school system that will be providing VERY low cost Dial-Up to the
> students and to the teachers.
>
> So if not for me, do it for the kids!!!
>
> If you would like to send sample configs or docs please feel free.  They
> would be greatly appreciated!
>
> Jim Jones


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Which radius server for usage reporting?

2002-01-17 Thread Dr. Muhammad Masroor Ali

Hello All,
I will rephrase my previous query. So far as my Internet search is
concerned, ICradius lets "users to check their usage history". But
icradius had its last release in June, 2001.

Any suggestion on this? Any page for a comprehensive comparison 
of radius servers? 

Thanks a lot for your response.
-- 
A list is only as strong as its weakest link -- Don Knuth

Dr. Muhammad Masroor Ali
Associate Professor and Associate Director
Institute of Information and Communication Technology
Bangladesh University of Engineering and Technology
Dhaka-1000, Bangladesh

Phone: 880 2 966 5602 (Work), 880 2 966 5700 (Residence)
FAX: 880 2 861 3046, 880 2 861 3026




Re: mysql/op ...

2002-01-17 Thread Do-Risika RAFIEFERANTSIARONJY

[EMAIL PROTECTED] wrote:
> 
> Do-Risika RAFIEFERANTSIARONJY <[EMAIL PROTECTED]> wrote:
> > It's really what I need, but what should happen if some of these
> > attributes are not provided by the nas ? (because some of our nas
> > provides Ascend-Data-Rate, but the others no ...)
> 
>   Then their values will be zero.
> 
>   Alan DeKok.

Ah, OK, that is fine for me!

@+
--
DouRiX




What to do to show usage statistics?

2002-01-17 Thread Dr. Muhammad Masroor Ali

Hello All,
I will rephrase my previous query. So far as my Internet search is
concerned, ICradius lets "users to check their usage history". But
icradius had its last release in June, 2001. Any suggestion on this
issue? Any page for a comprehensive comparison of radius servers?

Thanks a lot for your response.

-- 
A list is only as strong as its weakest link -- Don Knuth

Dr. Muhammad Masroor Ali
Associate Professor and Associate Director
Institute of Information and Communication Technology
Bangladesh University of Engineering and Technology
Dhaka-1000, Bangladesh

Phone: 880 2 966 5602 (Work), 880 2 966 5700 (Residence)
FAX: 880 2 861 3046, 880 2 861 3026




Re: compiling rlm_sql_mysql

2002-01-17 Thread Nicolas Blanc

Hi,

As I had the same compiling problem a few days ago, with the help of this
list I resolved it by forcing the 'libdir' param in radiusd.conf

Nicolas



- Original Message -
From: "Joe Maimon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, January 13, 2002 10:16 PM
Subject: Re: compiling rlm_sql_mysql


> fixed the #$%^*!
> My bad as usual
> need to install Mysql-shared rpm package!
>
> Thanks
>
> Kevin wrote:
>
> > On Sat, 12 Jan 2002, Joe Maimon wrote:
> > > Hey all,
> > >
> > > I have been poking around a few hours trying to get the rlm_sql module
> > > to run..this is the error from radiusd -xx
> > >
> > > rlm_sql: Could not link driver rlm_sql_mysql: file not found
> > > rlm_sql: Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
> > > radiusd.conf[4]: sql: Module instantiation failed.
> > >
> > > So I got the mysql-3.23.devel rpm and installed, ran configure again and
> > > compiled freeradius again. This is what I get as pertains to rlm_sql-
> > >
> > > /home/joe/download/radius/freeradius-snapshot-20020111/libtool --mode=compile gcc  -g -O2 -D_REENTRANT -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -I../.. -I../../../../include  -c sql_mysql.c
> > > mkdir .libs
> > > gcc -g -O2 -D_REENTRANT -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -I../.. -I../../../../include -c sql_mysql.c  -fPIC -DPIC -o .libs/sql_mysql.lo
> > > gcc -g -O2 -D_REENTRANT -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -I../.. -I../../../../include -c sql_mysql.c -o sql_mysql.o >/dev/null 2>&1
> > > mv -f .libs/sql_mysql.lo sql_mysql.lo
> > > /home/joe/download/radius/freeradius-snapshot-20020111/libtool --mode=link gcc -module -export-dynamic  -g -O2 -D_REENTRANT -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -I../.. -I../../../../include \
> > >  -o rlm_sql_mysql.la -rpath /usr/local/lib sql_mysql.lo -L/usr/lib/mysql -lmysqlclient  -lz
> > > rm -fr .libs/rlm_sql_mysql.la .libs/rlm_sql_mysql.* .libs/rlm_sql_mysql.*
> > >
> > > *** Warning: This library needs some functionality provided by -lmysqlclient.
> > > *** I have the capability to make that library automatically link in when
> > > *** you link to this library.  But I can only do this if you have a
> > > *** shared version of the library, which you do not appear to have.
> > >
> > > *** Warning: libtool could not satisfy all declared inter-library
> > > *** dependencies of module rlm_sql_mysql.  Therefore, libtool will create
> > > *** a static module, that should work as long as the dlopening
> > > *** application is linked with the -dlopen flag.
> > > /usr/bin/ar cru .libs/rlm_sql_mysql.a  sql_mysql.o
> > > ranlib .libs/rlm_sql_mysql.a
> > > creating rlm_sql_mysql.la
> > > (cd .libs && rm -f rlm_sql_mysql.la && ln -s ../rlm_sql_mysql.la rlm_sql_mysql.la)
> > >
> > > I have tried passing configure the mysql lib and include dirs- no luck
> > > there. My system is a stock RedHat 7.0
> > > And yes - I am a newbie
> > >
> > > Thanks Much!
> > > Joe
> >
> > Try using just /usr/lib instead of /usr/lib/mysql.
> >
> > Kevin Bonner





Pb With MySQL Auth

2002-01-17 Thread Nicolas Blanc

Hi,

Of course I've read "processing_users_file" , "module_interface" and README
files and I've also seen http://www.frontios.com/freeradius.html ... but I
still have some problems with SQL.

FR0.4 with MySQL Authenticates Well only if the user exists in radcheck, it
seems not to consider the DEFAULT entry in usergroup and/or the DEFGROUP
entry in radgroupcheck  why ? In fact I want to have Freeradius
authenticate users by searching a DEFAULT key in SQL bases in order to look
at shadow/passwd for authenticating.

--- radiusd.conf ---
authorize {
sql
files
}
authenticate {
sql
unix
}
--- end

--- Logs
rlm_sql: Pairs do not match [DEFAULT]
  modcall[authorize]: module "sql" returns notfound => It doesn't accept the DEFAULT entry
users: Matched DEFAULT at 146 => It reads the file users and see the DEFAULT Entry
  modcall[authorize]: module "files" returns ok => OK
modcall: group authorize returns ok => OK one of the both "Authorise" was found
  rad_check_password:  Found Auth-Type System => Corresponding to the "file" parameter found
auth: type "System"
modcall: entering group authenticate
rlm_unix: [radius]: invalid password => WHY ? of course my user/pass is OK
  modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user
--- end

Some advice would be very, very appreciated,

Nicolas





Re: ascend-data-filter not in abinary format

2002-01-17 Thread Prudesh Singh

Thanks for your suggestions. Turns out I had it working properly, the isp 
with the proxy was screwing things up for me.

PSingh




Re: ms-chap and ms-chapv2

2002-01-17 Thread Frank Cusack

On Thu, Jan 17, 2002 at 06:09:54PM -0800, Lance Uyehara wrote:
> OK. 3 patches have been posted.

1 committed as-is; the others by fixing the actual problem rather than
the symptom.

thanks
/fc




Re: patch for src/main/auth.c

2002-01-17 Thread Frank Cusack

whoops, committed, thanks.
/fc

On Thu, Jan 17, 2002 at 06:06:20PM -0800, Lance Uyehara wrote:
> Missing {
> 
> -Lance
> 
> --- src/main/auth.orig  Thu Jan 17 14:43:39 2002
> +++ src/main/auth.c Thu Jan 17 14:43:53 2002
> @@ -260,7 +260,7 @@
> else
> password_pair = pairfind(request->config_items,
> PW_PASSWORD);
> 
> -   if (auth_type < 0)
> +   if (auth_type < 0) {
> if (password_pair) {
> auth_type = PW_AUTHTYPE_LOCAL;
> } else {
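
Review bot: the `{` added on `if (auth_type < 0)` has no matching `}` within the lines shown, so the hunk by itself does not show the braces balancing; the closer must already exist somewhere below the `} else {` context line, which fits the "Missing {" description. Check the full function after applying, because this is the block where `auth_type < 0` falls back to `auth_type = PW_AUTHTYPE_LOCAL`.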




patch for src/modules/rlm_eap/mem.c

2002-01-17 Thread Lance Uyehara

Fixes a param mismatch in the way eap_packet_alloc is called.

-Lance


--- src/modules/rlm_eap/mem.origThu Jan 17 14:40:03 2002
+++ src/modules/rlm_eap/mem.c   Thu Jan 17 14:40:18 2002
@@ -27,7 +27,7 @@
 /*
  *  Allocate a new EAP_PACKET
  */
-EAP_PACKET *eap_packet_alloc()
+EAP_PACKET *eap_packet_alloc(int unused)
 {
 EAP_PACKET   *rp;
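
Review bot: `eap_packet_alloc(int unused)` gains a parameter that, by its own name, the function never reads, so the definition is being changed to suit a caller. Prefer leaving the allocator parameterless, written as `eap_packet_alloc(void)` rather than the old empty `()`, and fixing the call that passes an argument; if the parameter stays, document what callers are expected to pass.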





Re: ms-chap and ms-chapv2

2002-01-17 Thread Lance Uyehara

> "Lance Uyehara" <[EMAIL PROTECTED]> wrote:
> > I got the 20020117 snapshot and had to make some changes (4, in 3 files) to
> > compile it. Is anyone interested in some patches? All are quick and dirty to
> > get compiled (on freebsd 4.3-release), but I can post them somewhere if
> > anyone cares.
>
>   If they're small, post them here.

OK. 3 patches have been posted.

-Lance






patch for src/modules/rlm_eap/eap.h

2002-01-17 Thread Lance Uyehara

Two fixes:
1. Fix a problem finding u_int_32_t
2. Fix a prototype mismatch with the way eap_packet_alloc() is called.

-Lance


--- src/modules/rlm_eap/eap.origThu Jan 17 14:37:29 2002
+++ src/modules/rlm_eap/eap.h   Thu Jan 17 14:39:35 2002
@@ -2,6 +2,7 @@
 #define _EAP_H
 
 #if HAVE_NETINET_IN_H
+#include  /* fix an error about u_int32_t */
 #include 
 #endif
 
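
Review bot: the new `#include` sits inside `#if HAVE_NETINET_IN_H`, so the `u_int32_t` fix named in its comment only takes effect on builds where that macro is set. If the type is needed regardless of that guard, the include belongs outside the conditional or under its own configure check. The header names on both `#include` lines are also missing from the patch as archived, so which header was added cannot be confirmed from this copy.
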
@@ -169,7 +170,7 @@
 void list_clean(EAP_LIST **list, time_t limit);
 int list_add(EAP_LIST **list, EAP_DS *auth);
 
-EAP_PACKET *eap_packet_alloc(void);
+EAP_PACKET *eap_packet_alloc(int); /* mem.c calls with a parameter */
 EAP_DS *eap_ds_alloc(void);
 
 void eap_packet_free(EAP_PACKET **eap_packet_ptr);
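
Review bot: `eap_packet_alloc(int)` is changed to match a call site ("mem.c calls with a parameter") while its neighbour `eap_ds_alloc(void)` stays parameterless, and the unnamed `int` says nothing about what to pass. Fixing the caller in mem.c and keeping the `(void)` prototype would keep the two allocators consistent; if the parameter stays, name it in the prototype and state its meaning.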





patch for src/main/auth.c

2002-01-17 Thread Lance Uyehara

Missing {

-Lance

--- src/main/auth.orig  Thu Jan 17 14:43:39 2002
+++ src/main/auth.c Thu Jan 17 14:43:53 2002
@@ -260,7 +260,7 @@
else
password_pair = pairfind(request->config_items,
PW_PASSWORD);

-   if (auth_type < 0)
+   if (auth_type < 0) {
if (password_pair) {
auth_type = PW_AUTHTYPE_LOCAL;
} else {
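
Review bot: the description "Missing {" leaves the reader to work out from the changed `if (auth_type < 0) {` line which closing brace was unmatched. One sentence naming where the block ends would help, as would resending with indentation intact: the context lines here have lost their leading whitespace, so the nesting of `if (password_pair)` inside the new block cannot be read off the hunk.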








Re: select() error about freeradius-0.4

2002-01-17 Thread Rubby

Hi,alan,


>  What platform are you running it on?  What changes have you made to
>the source?  What else are you doing to the system?
 My platform is RedHat 7.2, I did not make changes to the source except
a moudles/rlm_sql.c patch, and I did not do anything to the system.

When I met this, I enter the 0.3 directory, #make, #make install, 
then the 0.3 radiusd  can run normally. Otherwise, the 0.4 radiusd can 
run in debug mode (radiusd -X) normally.

Thank you.








Re: ms-chap and ms-chapv2

2002-01-17 Thread aland

"Lance Uyehara" <[EMAIL PROTECTED]> wrote:
> I got the 20020117 snapshot and had to make some changes (4, in 3 files) to
> compile it. Is anyone interested in some patches? All are quick and dirty to
> get compiled (on freebsd 4.3-release), but I can post them somewhere if
> anyone cares.

  If they're small, post them here.

  Alan DeKok.




Thank You Alan (was Re: ms-chap and ms-chapv2)

2002-01-17 Thread Lance Uyehara

Lance Uyehara wrote:

> > "Lance Uyehara" <[EMAIL PROTECTED]> wrote:
> > > The problem I have is I am expecting some other attributes from the
> > > radius server, but they don't appear in the packet.
> > >
> > > For MS-CHAP I need the MS-CHAP-MPPE-KEYS attribute
> > > For MS-CHAPv2 I need the MS-CHAP2-Success, MS-MPPE-Send-Key and
> > > MS-MPPE-Recv-Key.
> >
> >   The code to make these attributes work is not in 0.4.  You MUST
> > upgrade to the latest CVS snapshot.  See the web page for details on
> > downloading it.
>
> I got the 20020117 snapshot and had to make some changes (4, in 3 files) to
> compile it. Is anyone interested in some patches? All are quick and dirty to
> get compiled (on freebsd 4.3-release), but I can post them somewhere if
> anyone cares.
>
> I will try to see if the mschap stuff now works.

Yay. It works. Thank you Alan.

Thanks,
Lance





Re: IP Pools

2002-01-17 Thread aland

Lee W <[EMAIL PROTECTED]> wrote:
> I set up my freeradius three days ago so my question is newbie, I'm sure. I 
> have set it up with an IP pool starting, let's use  192.168.x.x+ . I know the 
> plus sets the IP as the base/first IP, but is there a way other than a mask
> i.e. (Framed-IP-Netmask) to set the top, or last IP in the pool?

  No.

> Also, do I need to remove the pools from my modem bank if I want to use them 
> in freeradius?

  You would be MUCH better leaving the pools on the NAS, for the
reasons outlined above.

  Alan DeKok.




RE: ascend-data-filter not in abinary format

2002-01-17 Thread Chris West

Download NTRADPING.  Great utility for checking your radius.  I used it
extensively while trying to get the filters to work.  It prints the
binary strings great.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 17, 2002 4:10 PM
To: [EMAIL PROTECTED]
Subject: Re: ascend-data-filter not in abinary format 

"Prudesh Singh" <[EMAIL PROTECTED]> wrote:
> Problem:
> In both radiusd -X debug output, and also radtest output, the values being
> sent appear to be in string format, not abinary.

  The string printed by 'radiusd -X' is the EXACT string you used in
the 'users' file.  You wrote it as text, so it's printing as text.

  The 'radtest' output decodes most 'abinary' types, and prints them
as humanly readable strings.

> What's going on here? Does -X debug output and radtest automatically 
> translate the abinary back into a string before display? 

  Pretty much, yes.

> If so how can I turn that off? I need to see the abinary format.

  You can't.  If you want to see the exact values, you'll have to edit
the source to print that out.

  Alan DeKok.

 





IP Pools

2002-01-17 Thread Lee W

HI,

I set up my freeradius three days ago so my question is newbie, I'm sure. I 
have set it up with an IP pool starting, let's use  192.168.x.x+ . I know the 
plus sets the IP as the base/first IP, but is there a way other than a mask
i.e. (Framed-IP-Netmask) to set the top, or last IP in the pool? It looks 
like this

DEFAULT Service-Type == Framed-User, Huntgroup-Name == "mypool"
        Framed-IP-Address = 192.168.x.x+,
        Fall-Through = Yes

Also, do I need to remove the pools from my modem bank if I want to use them 
in freeradius?


Thanks

Lee




Filter-ID

2002-01-17 Thread David Bronson



Hi Again all, 
 
I have been working on getting the Filter-Id attribute to work.

Here is what I have. A portmaster 2e ComOS version 3.5 I am trying to get
filter-id to work for me with freeradius using mysql. Authentications and
realms work fine and when running radius in debug (-xxyz) I see that the
filter-id attribute is passed as below:

Login OK: [user/pass] (from nas analog port 7)
Sending Access-Accept of id 19 to w.x.y.z:1026
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Filter-Id = "test.in"
Finished request 17

The filter is saved as test.in and it has only one rule: deny port 80 but
when I login - I still get web stuff :-(

Any thoughts about what I might be doing wrong?
 
Thanks In Advance,
 
David


CHAP/LDAP authenticate

2002-01-17 Thread Smith, Steven N

freeradius 0.4, solaris 8, openldap 2.0.18
 
My problem is this, I can authenticate fine against LDAP, but when I enable
CHAP in my testing client, I get Attribute "Password" is required for
authentication. Cannot use "CHAP-Password".   If I remove ldap from the
authenticate section of radiusd.conf and add chap, add ldap and chap to the
authorize section, I get the following error:
 
auth: type "Ldap"
auth: Failed to validate the user.

This is odd to me because I am able to authenticate against the ldap when i
re-add ldap to authenticate
 
auth: type "Ldap"
modcall: entering group authenticate
rlm_ldap: - authenticate
modcall[authenticate]: module "ldap" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 52 to 10.10.1.141:39493
Finished request 0
 
Is there something wrong with this config file?
ldap {
    server = "slabauth01"
    identity = "cn=radiusAuth,o=west"
    password = passWord
    basedn = "o=west"
    filter = "(& (RadiusUserID=%u) (accountStatus=1))"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    timeout = 4
    timelimit = 3
    net_timeout = 1
    password_header = "{clear}"
    password_attribute = userPassword
}

chap {
    AuthType = CHAP
}

authorize {
    preprocess
    ldap
    chap
}
authenticate {
    unix
    #ldap
    authtype CHAP{
        chap
    }
}
 




Re: ms-chap and ms-chapv2

2002-01-17 Thread Lance Uyehara

> "Lance Uyehara" <[EMAIL PROTECTED]> wrote:
> > The problem I have is I am expecting some other attributes from the
> > radius server, but they don't appear in the packet.
> >
> > For MS-CHAP I need the MS-CHAP-MPPE-KEYS attribute
> > For MS-CHAPv2 I need the MS-CHAP2-Success, MS-MPPE-Send-Key and
> > MS-MPPE-Recv-Key.
>
>   The code to make these attributes work is not in 0.4.  You MUST
> upgrade to the latest CVS snapshot.  See the web page for details on
> downloading it.

I got the 20020117 snapshot and had to make some changes (4, in 3 files) to
compile it. Is anyone interested in some patches? All are quick and dirty to
get compiled (on freebsd 4.3-release), but I can post them somewhere if
anyone cares.

I will try to see if the mschap stuff now works.

Thanks,
-Lance





Re: CHAP/LDAP authenticate

2002-01-17 Thread aland

"Smith, Steven N" <[EMAIL PROTECTED]> wrote:
> My problem is this, I can authenticate fine against LDAP, but when I enable
> CHAP in my testing client, I get Attribute "Password" is required for
> authentication. Cannot use "CHAP-Password".

  See the FAQ, and the mail archives for an answer.

  Alan DeKok.
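
Background to the error quoted in this thread, as an added example (not FreeRADIUS code and not part of either post): a CHAP-Password carries only an MD5 over the password (RFC 2865, section 5.3), so it can be checked only by a server that can read the cleartext, whereas an LDAP bind needs the password the user typed, which CHAP never sends. The function names and sample values are constructed; only the `{clear}` header is taken from the posted configuration, and treating a value with no header as cleartext is an assumption.

```python
import hashlib
import hmac
from typing import Optional

CHAP_PASSWORD_LEN = 17  # 1-byte CHAP identifier + 16-byte MD5 digest


def chap_response(chap_id: int, cleartext: bytes, challenge: bytes) -> bytes:
    """Build the CHAP-Password value a NAS sends (RFC 2865, section 5.3)."""
    digest = hashlib.md5(bytes([chap_id]) + cleartext + challenge).digest()
    return bytes([chap_id]) + digest


def pick_challenge(chap_challenge: Optional[bytes],
                   request_authenticator: bytes) -> bytes:
    """Use CHAP-Challenge when present, otherwise the Request Authenticator."""
    return chap_challenge if chap_challenge else request_authenticator


def cleartext_from_directory(stored: Optional[str],
                             header: str = "{clear}") -> Optional[bytes]:
    """Return the cleartext password, or None if only a hash (or nothing) is readable.

    'stored' stands for the value of the directory's password attribute;
    None models a bind-only setup where the server never reads it.
    """
    if stored is None:
        return None
    if stored.lower().startswith(header.lower()):
        return stored[len(header):].encode()
    if stored.startswith("{"):
        return None  # some other scheme such as {crypt}: a hash, not usable for CHAP
    return stored.encode()  # assumption: no header means the value is cleartext


def verify_chap(chap_password: bytes, challenge: bytes,
                stored: Optional[str]) -> str:
    """Check a CHAP-Password against what the directory holds."""
    if len(chap_password) != CHAP_PASSWORD_LEN:
        return "reject: malformed CHAP-Password"
    cleartext = cleartext_from_directory(stored)
    if cleartext is None:
        # The situation behind 'Cannot use "CHAP-Password"'
        return "fail: no cleartext password available"
    expected = chap_response(chap_password[0], cleartext, challenge)
    if hmac.compare_digest(expected, chap_password):
        return "accept"
    return "reject: wrong password"


# Constructed sample request: identifier 0x34, password "s3cret".
CHALLENGE = pick_challenge(None, bytes(range(16)))
RESPONSE = chap_response(0x34, b"s3cret", CHALLENGE)


def demo() -> list:
    return [
        verify_chap(RESPONSE, CHALLENGE, "{clear}s3cret"),
        verify_chap(RESPONSE, CHALLENGE, "{clear}other"),
        verify_chap(RESPONSE, CHALLENGE, "{crypt}constructed-hash"),
        verify_chap(RESPONSE, CHALLENGE, None),
        verify_chap(RESPONSE[:10], CHALLENGE, "{clear}s3cret"),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```
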




Re: Remote logging

2002-01-17 Thread aland

[EMAIL PROTECTED] wrote:
> Has anyone had luck getting Freeradius to send its logs to a remote server?

  No.
 
> I would like to have all of my radius servers logging to a single 
> source to make it easier to parse the logs. I have tried to run 
> 'radiusd -l syslog -g local5' and then have the local syslog redirect 
> the logs to a different server, but the logdir entries in the 
> radiusd.conf file seem to override the flags.

  Yes.  And the 'log_dir' configuration directive is over-used.

  The code SHOULD be changed so that 'log_dir' configuration directive
can ONLY point to a directory.  Then all of the modules can use that.

  For the server core, its logging should go to 'radiusd.log' in that
directory, OR to syslog, if a syslog configuration parameter is set.


  This isn't done yet.  As always, patches are welcome.

  Alan DeKok.




CHAP/LDAP authenticate

2002-01-17 Thread Smith, Steven N



freeradius 0.4, solaris 8, openldap 2.0.18

My problem is this, I can authenticate fine against LDAP, but when I enable
CHAP in my testing client, I get Attribute "Password" is required for
authentication. Cannot use "CHAP-Password".   If I remove ldap from the
authenticate section of radiusd.conf and add chap, add ldap and chap to the
authorize section, I get the following error:

auth: type "Ldap"
auth: Failed to validate the user.

This is odd to me because I am able to authenticate against the ldap when i
re-add ldap to authenticate

auth: type "Ldap"
modcall: entering group authenticate
rlm_ldap: - authenticate
modcall[authenticate]: module "ldap" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 52 to 10.10.1.141:39493
Finished request 0

Is there something wrong with this config file?
ldap {
    server = "slabauth01"
    identity = "cn=radiusAuth,o=west"
    password = passWord
    basedn = "o=west"
    filter = "(& (RadiusUserID=%u) (accountStatus=1))"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    timeout = 4
    timelimit = 3
    net_timeout = 1
    password_header = "{clear}"
    password_attribute = userPassword
}

chap {
    AuthType = CHAP
}

authorize {
    preprocess
    ldap
    chap
}
authenticate {
    unix
    #ldap
    authtype CHAP{
        chap
    }
}


ascend-data-filter not in abinary format

2002-01-17 Thread Prudesh Singh


Hello,

I have freeradius 0.4 sending Ascend-Data-Filter = "" with 
access-accept packet. The dictionary.ascend file contains the appropriate 
lines:
ATTRIBUTE   Ascend-Data-Filter  242 abinary Ascend
ATTRIBUTE   Ascend-Call-Filter  243 abinary Ascend

I am certain this file is being read and included at startup.

Problem:
In both radiusd -X debug output, and also radtest output, the values being 
sent appear to be in string format, not abinary. I have ./configure 
--with-ascend-binary just to make sure it was included.

Just to check I have also applied the un-smash patch to freeradius 0.1 and 
the same exact thing happens. I have compiled 0.4 on a separate freebsd 
server and the same thing happens.


Users file entry:

user    Crypt-Password == "$1$EcD4B36z$", Huntgroup-Name == "test"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.0.254,
        Framed-IP-Netmask = 255.255.255.254,
        Ascend-Data-Filter += "ip in forward tcp est",
        Ascend-Data-Filter += "ip in forward dstip 192.168.0.1/24",
        Ascend-Data-Filter += "ip in drop tcp dstport = 25",
        Ascend-Data-Filter += "ip in forward",
        Fall-Through = No


radtest output:

/root# radtest user pass radius.server radius secret
Sending Access-Request of id 177 to 192.168.0.1:1645
        User-Name = "user"
        Password = "\243P\2210\253Z@\304>8D'_\201\021\352"
        NAS-IP-Address = 192.168.0.2
        NAS-Port-Id = "radius"
rad_recv: Access-Accept packet from host 192.168.0.1:1645, id=177, length=204
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.0.254
        Framed-IP-Netmask = 255.255.255.254
        Ascend-Data-Filter = "ip input forward tcp"
        Ascend-Data-Filter = "ip input forward 0 dstip 192.168.0.1/24"
        Ascend-Data-Filter = "ip input drop tcp dstport = 25"
        Ascend-Data-Filter = "ip input forward 0"




What's going on here? Does -X debug output and radtest automatically 
translate the abinary back into a string before display? If so how can I 
turn that off? I need to see the abinary format.

Any help would be appreciated.


Thanks
PSingh





Re: ascend-data-filter not in abinary format

2002-01-17 Thread aland

"Prudesh Singh" <[EMAIL PROTECTED]> wrote:
> Problem:
> In both radiusd -X debug output, and also radtest output, the values being 
> sent appear to be in string format, not abinary.

  The string printed by 'radiusd -X' is the EXACT string you used in
the 'users' file.  You wrote it as text, so it's printing as text.

  The 'radtest' output decodes most 'abinary' types, and prints them
as humanly readable strings.

> What's going on here? Does -X debug output and radtest automatically 
> translate the abinary back into a string before display? 

  Pretty much, yes.

> If so how can I turn that off? I need to see the abinary format.

  You can't.  If you want to see the exact values, you'll have to edit
the source to print that out.

  Alan DeKok.




Re: Login-Time Parser

2002-01-17 Thread aland

"Bartschies, Thomas" <[EMAIL PROTECTED]> wrote:
> seems that this Parser has some Problems. I'm using Full-Day
> abbreviations like 'wk','tu' and so on. Some work, some not.

  That's bad...

> Seems that every time more than 6 Days are involved, the routine just
> fails. If I understand the README correctly, all of these combinations are
> possible.
> 
> Does anyone have a solution? BTW. I'm using freeradius-0.4 here.

  Have you looked at the Cistron code to parse this attribute?  While
much of FreeRADIUS is based on Cistron, Cistron may have had some bug
fixes we've missed.

  I think you can also go to 'src/main/timestr.c', and compile it as a
stand-alone program.  You can then feed it strings, and poke at it
until it works...

  Alan DeKok.




Re: ms-chap and ms-chapv2

2002-01-17 Thread aland

"Lance Uyehara" <[EMAIL PROTECTED]> wrote:
> The problem I have is I am expecting some other attributes from the
> radius server, but they don't appear in the packet.
> 
> For MS-CHAP I need the MS-CHAP-MPPE-KEYS attribute
> For MS-CHAPv2 I need the MS-CHAP2-Success, MS-MPPE-Send-Key and
> MS-MPPE-Recv-Key.

  The code to make these attributes work is not in 0.4.  You MUST
upgrade to the latest CVS snapshot.  See the web page for details on
downloading it.

  Alan DeKok.




ms-chap and ms-chapv2

2002-01-17 Thread Lance Uyehara



I have setup freeradius 0.4 to use auth-type=ms-chap, and the authentication
works such that I receive the access-accept response from the radius server.
Yay.

The problem I have is I am expecting some other attributes from the radius
server, but they don't appear in the packet.

For MS-CHAP I need the MS-CHAP-MPPE-KEYS attribute
For MS-CHAPv2 I need the MS-CHAP2-Success, MS-MPPE-Send-Key and
MS-MPPE-Recv-Key.

Can someone please point me to the documentation needed to set this up.
 
Thanks,
Lance Uyehara


Re: Auth-Type := Reject

2002-01-17 Thread Chris Parker

At 08:49 PM 1/17/2002 +0200, Igor Chen wrote:
>Hi! i use free radius 0.3 and postgresql, and i want to set Auth-Type :=
>Reject  for some users in radreply table. As i know, i must add column
>'op' to check/reply tables and modify sql.conf. Is it necessary
>to upgrade to freeradius 0.4?

Yes.  Or the latest CVS.

The server is still in development, so the latest version is generally
much better than something from several months ago.

-Chris

--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Auth-Type := Reject

2002-01-17 Thread Igor Chen

Hi! i use free radius 0.3 and postgresql, and i want to set Auth-Type :=
Reject  for some users in radreply table. As i know, i must add column
'op' to check/reply tables and modify sql.conf. Is it necessary
to upgrade to freeradius 0.4?
-- 
cron-ripe





Re: attr_rewrite functions (was: Tacking a realm onto a username?)

2002-01-17 Thread aland

Michael Hare <[EMAIL PROTECTED]> wrote:
> Do I need to do anything special besides defining a rewrite function in 
> radiusd.conf to get this to work?

  Yes... you've got to tell it WHEN to do the rewrite.

  That is, add the module to the 'authorize' section, probably.

  Alan DeKok.




Re: mysql/op ...

2002-01-17 Thread aland

Do-Risika RAFIEFERANTSIARONJY <[EMAIL PROTECTED]> wrote:
> It's really what I need, but what should happen if some of these
> attributes are not provided by the nas ? (because some of our nas
> provides Ascend-Data-Rate, but the others no ...)

  Then their values will be zero.

  Alan DeKok.




Re: select() error about freeradius-0.4

2002-01-17 Thread aland

Rubby <[EMAIL PROTECTED]> wrote:
> I update freeradius 0.3 to 0.4, but when I start radiusd, it failed.
> Here is the radius.log below:
> 
> Wed Jan 16 12:05:51 2002 : Info: Ready to process requests.
> Wed Jan 16 12:05:51 2002 : Error: Unexpected error in select(): Bad file descriptor

  That's bad.

> Here sees the select() error, why?

  It's doing a select() on a file descriptor which doesn't exist.
That's bad, because the server only uses the file descriptors which
are open...

> And freeradius-0.3 works well, why?

  I have no idea.

  What platform are you running it on?  What changes have you made to
the source?  What else are you doing to the system?

  Alan DeKok.




Re: Framed-Route

2002-01-17 Thread David Bronson

Thanks, I am just now looking at Filter-ID

:-)

DB
- Original Message -
From: "Mike Cathey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 17, 2002 10:55 AM
Subject: Re: Framed-Route


> Filter-List redirect for that user (you will have to use a fall-through
> if you use DEFAULT for everyone else)...
>
> David Bronson wrote:
>
> > Hello All,
> >
> > I would like to have all dialup customers proxied through our squid box at
> > 10.0.10.1. I have set a static ip for one user to test but I am having with
> > the syntax for framed routing (I think). Not all users are to be filtered,
> > so - I am not able to send all traffic to the proxy. Anyone have any advice
> > for me?
> >
> > Thank You,
> >
> > David






Re: Framed-Route

2002-01-17 Thread Mike Cathey

Filter-List redirect for that user (you will have to use a fall-through 
if you use  DEFAULT for everyone else)...

David Bronson wrote:

> Hello All,
> 
> I would like to have all dialup customers proxied through our squid box at
> 10.0.10.1. I have set a static ip for one user to test but I am having with
> the syntax for framed routing (I think). Not all users are to be filtered,
> so - I am not able to send all traffic to the proxy. Anyone have any advice
> for me?
> 
> Thank You,
> 
> David






attr_rewrite functions (was: Tacking a realm onto a username?)

2002-01-17 Thread Michael Hare

Alan-

Thanks for the info.  I agree that the functionality given by the 
attr_rewrite function should do the job.  My initial explanation was confusing.

Do I need to do anything special besides defining a rewrite function in 
radiusd.conf to get this to work?  I didn't see anything in the FAQ, in the 
doc/ dir, or on the messageboards.  Running radiusd -X seems to show that 
my function isn't being used or isn't matching correctly, as it's not 
trying to proxy to the server I have defined in the WISC realm.

For example, I'm trying to replace a non-realm attached username with a name 
with a realm attached in the User-Name attribute.  Here's my config

 attr_rewrite fixusername {
         attribute = User-Name
         # may be "packet", "reply", or "config"
         searchin = packet
         searchfor = "mikeh"
         replacewith = "mdhare@WISC"
         ignore_case = no
         max_matches = 1
 }

-Michael

At 04:15 PM 1/16/2002 -0500, [EMAIL PROTECTED] wrote:
>Michael Hare <[EMAIL PROTECTED]> wrote:
> > Is there currently a way to tack a realm onto a username via the USERS
> > file?  I can get the functionality I need by having the user specify a
> > realm during login, but I'd like this to be transparent to the end user.
>
>   The attr_rewrite module can do some re-writes, but it's not very
>flexible.
>
> > (I'd like to have different users have different authentication methods by
> > specifying the realm per user)
>
>   Why?  If you know to re-write the username to '@realmX' during the
>authentication, and then to use auth-type X for realmX, then you know
>which authentication mechanism to use at the start!
>
>   So I don't understand why you need to add on the realm.
>
>   Alan DeKok.
>

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Michael Hare
UW-Madison Network Engineering / Hostmaster
WiscNet Network Engineering
My phone: 608-262-5236
24-Hour NOC: 608-263-4188
WiscNet: 608-265-6761
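
An added example, not part of the thread or of the FreeRADIUS sources: a small Python model of the fixusername rewrite followed by realm parsing, showing why the rewrite has to be listed in 'authorize' ahead of the realm lookup and what an unanchored searchfor does to similar usernames. It assumes searchfor is applied as an unanchored regular expression, that a realm module instance (named "suffix" here, a hypothetical name) takes the text after the last "@", and that modules run in the order listed.

```python
import re

def attr_rewrite(value, searchfor, replacewith, ignore_case=False, max_matches=1):
    """Replace up to max_matches regex matches of searchfor in value."""
    flags = re.IGNORECASE if ignore_case else 0
    # The lambda inserts replacewith literally (no backreference expansion).
    return re.sub(searchfor, lambda m: replacewith, value,
                  count=max_matches, flags=flags)

def split_realm(user_name, delimiter="@"):
    """Suffix-style realm parsing: text after the last delimiter is the realm."""
    user, sep, realm = user_name.rpartition(delimiter)
    return (user, realm) if sep else (user_name, None)

def authorize(user_name, searchfor, order):
    """Run the modelled modules in listed order; return (User-Name, realm)."""
    realm = None
    for module in order:
        if module == "fixusername":      # the attr_rewrite instance from the post
            user_name = attr_rewrite(user_name, searchfor, "mdhare@WISC")
        elif module == "suffix":         # hypothetical realm module instance name
            realm = split_realm(user_name)[1]
    return user_name, realm

if __name__ == "__main__":
    # Constructed sample logins, not taken from the thread's debug output.
    cases = [
        ("mikeh", "mikeh", ["fixusername", "suffix"]),
        ("mikeh", "mikeh", ["suffix", "fixusername"]),
        ("mikehall", "mikeh", ["fixusername", "suffix"]),
        ("mikehall", "^mikeh$", ["fixusername", "suffix"]),
    ]
    for name, pattern, order in cases:
        print(name, pattern, order, "->", authorize(name, pattern, order))
```

The third case shows the unanchored pattern rewriting a different user into an unintended realm; anchoring the pattern as ^mikeh$ limits the rewrite to the one account.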





Framed-Route

2002-01-17 Thread David Bronson

Hello All,

I would like to have all dialup customers proxied through our squid box at
10.0.10.1. I have set a static ip for one user to test but I am having with
the syntax for framed routing (I think). Not all users are to be filtered,
so - I am not able to send all traffic to the proxy. Anyone have any advice
for me?

Thank You,

David






Re: mysql/op ...

2002-01-17 Thread Do-Risika RAFIEFERANTSIARONJY

Aleksandr Kuzminsky wrote:
> 
> On Wed, 16 Jan 2002, Do-Risika RAFIEFERANTSIARONJY wrote:
> 
> > * can I add some attributes (already in the dictionary such as DataRate
> > or XMitRate) into the radacct table ? I think of modifying the table and
> > the accounting queries in the radiusd.conf but I'm not sure it would
> > work ...
> Yes. I did so. I had a look to the detail files, and added some attributes
> to radacct table.

Ok, so I added three attributes in my radacct table:
AcctMultiSessionId, AscendDataRate and XmitDataRate, and I modified the
accounting_stop_query and accounting_stop_query_alt in my sql.conf as
that.

It's really what I need, but what should happen if some of these
attributes are not provided by the nas ? (because some of our nas
provides Ascend-Data-Rate, but the others no ...)

-- here are my accounting_stop_queries --
accounting_stop_query = "UPDATE ${acct_table1} SET AcctStopTime = '%S',
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}',
AcctMultiSessionId = '%{Acct-Multi-Session-Id}', AscendDataRate =
'%{Ascend-Data-Rate}', AscendXmitRate = '%{Ascend-Xmit-Rate}' WHERE
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}'
AND NASIPAddress = '%{NAS-IP-Address}'"

accounting_stop_query_alt = "INSERT into radacct (RadAcctId,
AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime,
AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets,
AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause,
ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay,
AcctStopDelay, AcctMultiSessionId, AscendDataRate, AscendXmitRate)
values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}',
'%{NAS-Port-Type}', '0', '%S', '%{Acct-Session-Time}',
'%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}',
'%{Acct-Output-Octets}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}',
'%{Acct-Multi-Session-Id}', '%{Ascend-Data-Rate}',
'%{Ascend-Xmit-Rate}')"


@+
--
DouRiX




Question about database table fields

2002-01-17 Thread Kirill Tyan


Hi,

Can anybody help me?
I have freeradius-0.4 and Oracle8.
I have a nas table among other tables.

SQL> describe nas;
 Name       Null?    Type
 ---------- -------- -------------
 ID         NOT NULL NUMBER(38)
 NASNAME             VARCHAR2(128)
 SHORTNAME           VARCHAR2(32)
 IPADDR              VARCHAR2(15)
 TYPE                VARCHAR2(30)
 PORTS               NUMBER(38)
 SECRET              VARCHAR2(60)
 COMMUNITY           VARCHAR2(50)
 SNMP                VARCHAR2(10)
What values must be appropriated in PORTS and SNMP fields?



--
My best wishes,
Kirill Tyan

Metrocom JSC
Tech. Dep.
Tel: +7(812)118-3224

