Re: Seeking recommendations for Radius implementation

2002-02-07 Thread Frank Cusack

On Wed, Feb 06, 2002 at 11:23:49PM -0800, CLEOPHAS TOE wrote:
 Hi all,
 
 Sorry, I am very new to this. I am looking to implement a FREE radius server in our 
production environment for about 70 users only.
 
 I have a few requirements
 
 1- caching should be supported
 2- I would like to mirror them (Actually by installing two that will sync their DB)
 3- Should run on linux (Redhat 7.2)
 4- Should support MySQL as DB
 5- should be stable enough
 6- support keystroke logging
 
 Can anyone point me to the right product?  

You're here.  Freeradius does all that.  Except #6.  How would any radius
server possibly do that?  And #2 you'll have to implement yourself; if
you're using MySQL the easiest thing might be to use its replication
features.  I dunno if it does multiple master though, so if one server
fails you might have an issue propagating the info back when it is
restored.

 What processing power do I need? (RAM, CPU)

70 users?  Minimal.  Your standard bargain PC can handle it.

 Does the log file on radius grow very quickly?

Is the earth big?  That is to say, it depends.  If 1 user logs in per day,
it will grow quite slowly.

/fc


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Identical attributes on auth

2002-02-07 Thread Thomas Jalsovsky

 Thomas Jalsovsky [EMAIL PROTECTED] wrote:
  my nas sends: 
  ...
  h323-ivr-out=transactionID:13880
  h323-ivr-out=type:test.tcl
  ...
  I want to check by the h323-ivr-out line, so I would like to make 
  decision (about accept/reject) by the attribute h323-ivr-out which has 
  value 'type:something'.
  When I test the attribute, the first line is tested and I don't 
  know how should I write a rule for this.
 
   Yes.  The current code checks for the FIRST appearance of an
 attribute, and stops if it doesn't match.
 
   It *could* be changed to look for any other copy of an attribute, if
 the first one didn't match.  That may be preferable, in fact.
 
   The code in src/main/valuepair.c, function paircmp() should be
 changed so that IF there isn't a match, it loops back to check for
 another copy of the same attribute.  This will slow the server down a
 little, but not significantly.
 
   The patch would be fairly small, too.  If people think it's terribly
 useful, I'll take a look at doing it in the next few days.
 
   Alan DeKok.

OK, I see that in the last CVS is the paircmp fix. I compiled the latest 
CVS, and made some debugs. Unfortunately I can't make it work.

rad_recv: Access-Request packet from host 193.41.203.20:1645, id=181, 
length=244
NAS-IP-Address = 193.41.203.20
Cisco-NAS-Port = ISDN 3:D:31
NAS-Port-Type = Async
User-Name = 160045
h323-conf-id = h323-conf-id=A0F37603 1AE911D6 B7E0FCCE C908BF0C
Calling-Station-Id = 169
Password = 
Cisco-AVPair = in-portgrp-id=(Local PBX)
Cisco-AVPair = h323-ivr-out=transactionID:16112
Cisco-AVPair = h323-ivr-out=type:pp
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
modcall: entering group redundant
rlm_sql: Reserving sql socket id: 19
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '160045' ORDER BY id'
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
FROM radgroupcheck,usergroup WHERE usergroup.Username = '160045' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '160045' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
FROM radgroupreply,usergroup WHERE usergroup.Username = '160045' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Released sql socket id: 19
rlm_sql: Pairs do not match []
  modcall[authorize]: module sql_primary returns notfound
modcall: group redundant returns notfound
modcall: group authorize returns notfound
auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.

I looked for the SQL queries:

mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
    -> Username = '160045' ORDER BY id;
+------+----------+----------------+-------+------+
| id   | UserName | Attribute      | Value | op   |
+------+----------+----------------+-------+------+
| 1856 | 160045   | Crypt-Password | ***   | NULL |
+------+----------+----------------+-------+------+

mysql> SELECT
    -> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
    -> FROM radgroupcheck,usergroup WHERE usergroup.Username = '160045' AND
    -> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;
+----+-----------+--------------+---------+------+
| id | GroupName | Attribute    | Value   | op   |
+----+-----------+--------------+---------+------+
| 16 | prepaid   | h323-ivr-out | type:pp | NULL |
+----+-----------+--------------+---------+------+

mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
    -> Username = '160045' ORDER BY id;
Empty set (0.00 sec)

mysql> SELECT
    -> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
    -> FROM radgroupreply,usergroup WHERE usergroup.Username = '160045' AND
    -> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id;
+----+-----------+-------------------+---------------------+------+
| id | GroupName | Attribute         | Value               | op   |
+----+-----------+-------------------+---------------------+------+
|  1 | prepaid   | Exec-Program-Wait | /scripts/prepaid.pl | NULL |
|  3 | prepaid   | Cisco-AVPair      | h323-ivr-in=type:pp | NULL |
+----+-----------+-------------------+---------------------+------+


My tables:

mysql> select * from usergroup;
+----+------------+-----------+
| id | UserName   | GroupName |
+----+------------+-----------+
|  2 | 

Startup script for Solaris 2.8

2002-02-07 Thread Shawn Behrens

Hi,

on Solaris, freeradius 0.4 installs rc.radiusd in /usr/local/sbin. However,
rc.radiusd uses start-stop-daemon, which is Linux-specific.

I took the sshd start/stop script that comes with OpenSSH, and changed it to
suit radiusd. I've pasted the contents of startup-script.in below.

Using the suggested symlinks, radiusd would be started last in run-level 2.
Does this sound worthy of inclusion to the next release?

Regards
Shawn

#!/bin/sh
#
# Start/Stop the FreeRadius radiusd daemon.
#
# Adapted from sshd start/stop script which was written by Michael Haardt,
# 1996.
#
# Shawn for solaris 2.8:
# cp startup-script /etc/init.d/radiusd
# ln -s /etc/init.d/radiusd /etc/rc2.d/S99radiusd
# ln -s /etc/init.d/radiusd /etc/rc2.d/K99radiusd

PATH=/bin:/usr/bin
RADIUSD=@sbindir@/radiusd
PID=@localstatedir@/run/radiusd.pid

case $1 in
  #{{{ start
  'start')
    start=false
    if [ ! -s $PID ]
    then
      start=true
    else
      # pid file exists: only start if the recorded process is gone
      kill -0 `cat $PID` >/dev/null 2>&1 || start=true
    fi
    if [ $start = true -a -x $RADIUSD ]
    then
      $RADIUSD
      echo 'FreeRadius daemon started.'
    else
      echo 'FreeRadius daemon not started.'
    fi
  ;;
  #}}}
  #{{{ stop
  'stop')
    if [ -s $PID ]
    then
      if kill `cat $PID` >/dev/null 2>&1
      then
        echo 'FreeRadius daemon terminated.'
      fi
    fi
  ;;
  #}}}
  #{{{ *
  *)
    echo 'Usage: /etc/init.d/radiusd start|stop'
  ;;
  #}}}
esac





Re: sample ldif file

2002-02-07 Thread Kostas Kalevras

On Wed, 6 Feb 2002, Matthew Schumacher wrote:

 Hello all,

 I am having trouble getting radius to work with ldap.  I think I have
 the config file setup correctly because I see ldap requests in the debug.

 I want to use pap and {crypt} for password encryption and according to
 the docs that should work.  But I can't seem to get it working in my
 lab.  Can anyone provide a sample ldif file that I could look at?

 I would prefer for radius to bind as the user to get the attributes and
 authenticate.  It seems that this should work if I disable the identity
 option in the ldap module.

Well, actually if the identity/password options are set to NULL the module will
connect to the server anonymously. What you are asking for cannot happen because
that is not the way the module works. The module maintains persistent
connections to the ldap server which it uses to query the server for user
attributes. It will make a new connection *only* to authenticate the user
through an ldap operation. Binding as the user will mean that the module will do
the authentication before the authorization which is not the way things work in
freeradius. It will also mean rewriting a big part of the module and destroying
performance so i don't think it can happen.

 --
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





FreeRadius with 802.1x

2002-02-07 Thread Nick

I am trying to configure FreeRadius to work with 802.1x LEAP/CISCO 350
Access Point and CISCO 350 card. Has anyone been able to get this working?





Re: Identical attributes on auth

2002-02-07 Thread Alan DeKok

Thomas Jalsovsky [EMAIL PROTECTED] wrote:
 OK, I see that in the last CVS is the paircmp fix. I compiled the latest 
 CVS, and made some debugs. Unfortunately I can't make it work.

  It would be easier to debug the problem if you used a simple test
entry in the 'users' file, and poked at the server with radclient.
That will get you the MINIMUM of confusing log messages, which may not
have anything to do with the problem.

 Something I do wrong or the paircmp fix doesn't solve this problem?

  What I can see is that the 'op' field is NULL.  You probably want to
put the operator there.


  If you had tested this with the 'users' file first, you would have
been able to verify if the feature worked.  It would probably have
then been obvious that the issue was NOT the new feature, but some
misconfiguration or bug in the SQL module.

  Alan DeKok.




Re: Access Reject

2002-02-07 Thread Thomas Jalsovsky



On Thu, 7 Feb 2002, Alan DeKok wrote:

 Thomas Jalsovsky [EMAIL PROTECTED] wrote:
  I would like to send an Access reject packet to NAS when the 
  User-Name and User-Password fields match (successful auth.)
 
   Hmm... the server isn't really set up to do that now.
 
  But it still returns Access accept and the sw in the NAS requires Access 
  reject.
 
   Why does the NAS require and access reject when the username and
 password are OK?
 
   Alan DeKok.
 

The sw in the NAS does:
ISDN preauthentication - AAA with phone number,reject
If the auth. failed, it means the user can continue, and the ISDN line should 
be picked up. If not, the ISDN disconnect will be applied (it is important 
for toll free - 800 - numbers).
If the phoneno,reject isn't in the database, the user can continue, and the 
script tries authentication by the phone number in this way:
AAA phone number,accept; if auth is successful, auth is done; if not, 
account and pin are asked from the user

Thomas





Re: Identical attributes on auth

2002-02-07 Thread Alan DeKok

Thomas Jalsovsky [EMAIL PROTECTED] wrote:
 I searched in the docs and in the mailing list archives but I didn't find 
 the clear definition of op values. Can somebody describe them to me? For ex. what 
 does the += op do in a radreply table?

  'man users'

 If I make sure with the users file, what can I do with the problem in SQL?

  You can verify that the *server* can do what you want, independently
of whether the *SQL* module can do it.  If the server can do it and
SQL can't, then at least you know where to look to solve the problem.

  Alan DeKok.

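The two points Alan makes in this thread (paircmp originally stopped at the first copy of an attribute, and a NULL 'op' column gives the server nothing to evaluate) are easier to see with a small model than with the SQL debug output. The following is an added example, not FreeRADIUS code and not the patch discussed here: it evaluates check items against a request carrying the three Cisco-AVPair values from Thomas's rad_recv output, once with first-copy-only matching and once looking at every copy, and treats a missing operator as a configuration error. The Cisco-AVPair strings are modelled as plain values of one attribute, and only the ==, != and =~ operators from the users file are implemented; both are assumptions of the example.

```python
# Added example (not FreeRADIUS code): evaluates "check items" against a
# request that carries several copies of one attribute. It contrasts the
# first-copy-only behaviour described in the thread with any-copy matching,
# and treats a missing operator (the NULL 'op' column in the thread's SQL
# rows) as a configuration error instead of a silent accept or reject.
# Assumptions: the repeated Cisco-AVPair strings are modelled as plain
# string values of one attribute; only ==, != and =~ are implemented.

import re
from typing import List, Optional, Tuple

# A request is an ordered list of (attribute, value) pairs; the NAS in the
# thread sends Cisco-AVPair three times in one Access-Request.
Request = List[Tuple[str, str]]

# A check item is (attribute, op, value); op is None when the SQL row has
# no operator, as in the thread's radgroupcheck output.
CheckItem = Tuple[str, Optional[str], str]

def _compare(op: str, have: str, want: str) -> bool:
    """Compare one request value against a check item value."""
    if op == "==":
        return have == want
    if op == "!=":
        return have != want
    if op == "=~":
        return re.search(want, have) is not None
    raise ValueError("unsupported check operator %r" % op)

def paircmp(check: CheckItem, request: Request, any_copy: bool) -> bool:
    """
    True if the check item is satisfied by the request.

    any_copy=False reproduces "check the FIRST appearance and stop";
    any_copy=True keeps looking at every copy of the attribute.
    """
    attr, op, want = check
    if op is None:
        raise ValueError("check item for %s has no operator" % attr)
    values = [v for a, v in request if a == attr]
    if not values:
        return False
    if not any_copy:
        return _compare(op, values[0], want)
    return any(_compare(op, v, want) for v in values)

def authorize(checks: List[CheckItem], request: Request,
              any_copy: bool) -> Tuple[bool, str]:
    """Apply all check items in order; return (accepted, reason)."""
    for check in checks:
        try:
            if not paircmp(check, request, any_copy):
                return False, "no match for %s %s %s" % check
        except ValueError as exc:
            return False, "config error: %s" % exc
    return True, "all check items matched"

# Constructed request; the values are copied from the thread's rad_recv output.
SAMPLE_REQUEST: Request = [
    ("User-Name", "160045"),
    ("Cisco-AVPair", "in-portgrp-id=(Local PBX)"),
    ("Cisco-AVPair", "h323-ivr-out=transactionID:16112"),
    ("Cisco-AVPair", "h323-ivr-out=type:pp"),
]

PP_CHECK: CheckItem = ("Cisco-AVPair", "==", "h323-ivr-out=type:pp")
NULL_OP_CHECK: CheckItem = ("Cisco-AVPair", None, "h323-ivr-out=type:pp")

if __name__ == "__main__":
    print(authorize([PP_CHECK], SAMPLE_REQUEST, any_copy=False))
    print(authorize([PP_CHECK], SAMPLE_REQUEST, any_copy=True))
    print(authorize([NULL_OP_CHECK], SAMPLE_REQUEST, any_copy=True))
```

With first-copy matching the type:pp check fails because the first Cisco-AVPair is the in-portgrp-id string; with any-copy matching it passes; and with op set to None the request is refused with a config error rather than quietly reported as "Pairs do not match", which is the distinction Alan's advice to test with the users file first is meant to surface.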



Re: Windows XP PPPoE == DoS in disguise

2002-02-07 Thread Alan DeKok

Neal Rauhauser [EMAIL PROTECTED] wrote:
   We've been fighting a weird problem today - our FreeRadius would run
 for anywhere from two minutes to two hours, then CPU utilization would
 shoot to 100% and no one could log in anywhere on the network.

  Yeah, other people have been having similar problems.  Some may be
due to bugs in the server, but bugs in the PPPoE client are annoying.

   I'm always on users about picking decent passwords - you can imagine
 my surprise at discovering one of our windows XP customers presenting a
 sixty four *thousand* character password.

  How the heck does that fit into a RADIUS packet?  Do they send
multiple User-Password attributes in the same packet?

 He has an impressive typing speed, too, about 124,387 wpm to judge
 by the number of login requests coming through. Even more
 impressive, he appears to be telekinetic, since he was doing this
 while out of town :-)

  So there are a large number of requests, too.

  So, if you've got XP customers running the M$ PPPoE that comes with the
 OS, and you're having weird authentication problems, you might want to
 get out your favorite sniffer and start digging.

  Can you please tell us some way of recognizing these packets?  That
will allow us to hack the server to throw these garbage requests away,
without using all of the CPU.

  Putting an ascii copy of tcpdump's output for this problem on the
web somewhere would help enormously.

  Alan DeKok.

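Alan's question about how a 64K password fits into a RADIUS packet is answered by the wire format: every attribute carries a one-byte length, a User-Password value is at most 128 octets and a whole packet at most 4096, so such a password can only arrive as many User-Password attributes or many packets. The following is an added example, not FreeRADIUS code and not Neal's capture: a minimal RFC 2865 parser that rejects an Access-Request with more than one User-Password, an out-of-range attribute length or a bad length field before any authentication work is done, which is the kind of cheap early drop Alan asks for. The sample packets are constructed inline, with a zeroed authenticator, and the attribute type numbers are the standard RFC 2865 ones.

```python
# Added example (not FreeRADIUS code): a minimal RFC 2865 packet parser that
# rejects structurally impossible Access-Requests before any authentication
# work. Sample packets are constructed below; they are not the capture the
# thread asks for.

import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2

HEADER_LEN = 20                 # code, identifier, length, 16-byte authenticator
MIN_PKT_LEN, MAX_PKT_LEN = 20, 4096
MIN_ATTR_LEN = 3                # type, length, at least one value byte
# RFC 2865 5.2: the User-Password value is 16..128 bytes, so the attribute
# including its two header bytes is 18..130 bytes.
PW_ATTR_MIN, PW_ATTR_MAX = 18, 130

Attr = Tuple[int, bytes]

class MalformedRadius(ValueError):
    """Raised for packets that cannot be valid RFC 2865 RADIUS."""

def parse_attributes(payload: bytes) -> List[Attr]:
    """Walk the type/length/value list; every attribute is self-delimiting."""
    attrs: List[Attr] = []
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise MalformedRadius("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < MIN_ATTR_LEN or i + alen > len(payload):
            raise MalformedRadius("bad length %d for attribute %d" % (alen, atype))
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def check_packet(pkt: bytes) -> List[Attr]:
    """Return the attribute list, or raise MalformedRadius."""
    if len(pkt) < HEADER_LEN:
        raise MalformedRadius("packet shorter than header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not MIN_PKT_LEN <= length <= MAX_PKT_LEN or length > len(pkt):
        raise MalformedRadius("bad length field %d" % length)
    # Octets beyond the length field are padding and are ignored (RFC 2865 3).
    attrs = parse_attributes(pkt[HEADER_LEN:length])
    if code == ACCESS_REQUEST:
        passwords = [v for t, v in attrs if t == USER_PASSWORD]
        if len(passwords) > 1:
            raise MalformedRadius("%d User-Password attributes" % len(passwords))
        if passwords and not PW_ATTR_MIN <= len(passwords[0]) + 2 <= PW_ATTR_MAX:
            raise MalformedRadius("User-Password length out of range")
    return attrs

def classify(pkt: bytes) -> Optional[str]:
    """None if the packet is worth authenticating, else the reason to drop it."""
    try:
        check_packet(pkt)
        return None
    except MalformedRadius as exc:
        return str(exc)

def build_packet(code: int, ident: int, attrs: List[Attr]) -> bytes:
    """Assemble a packet with a zeroed authenticator (enough for parsing tests)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + b"\x00" * 16 + body

# Constructed samples. A 64K "password" cannot be one attribute, so a client
# that sends one must spread it over many User-Password attributes (or many
# packets); MULTI_PW_REQUEST models the former.
GOOD_REQUEST = build_packet(ACCESS_REQUEST, 7,
                            [(USER_NAME, b"alice"), (USER_PASSWORD, b"\x00" * 16)])
MULTI_PW_REQUEST = build_packet(ACCESS_REQUEST, 8,
                                [(USER_NAME, b"bob")] + [(USER_PASSWORD, b"\x00" * 128)] * 3)
SHORT_PW_REQUEST = build_packet(ACCESS_REQUEST, 9,
                                [(USER_NAME, b"carol"), (USER_PASSWORD, b"\x00" * 8)])

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_REQUEST), ("multi-pw", MULTI_PW_REQUEST),
                      ("short-pw", SHORT_PW_REQUEST)]:
        print(name, classify(pkt) or "ok")
```

The check runs in time linear in the packet size and touches no database, so a flood of such requests costs the server a parse and a drop rather than a full authorize/authenticate pass; a real deployment would still want the Request Authenticator and shared secret verified for accepted packets, which this example leaves out.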



SQL group auth problem

2002-02-07 Thread Thomas Jalsovsky


usergroup
+----+------------+-----------+
| id | UserName   | GroupName |
+----+------------+-----------+
|  5 | 0905835218 | test      |
+----+------------+-----------+


radgroupcheck
+----+-----------+---------------+--------+------+
| id | GroupName | Attribute     | Value  | op   |
+----+-----------+---------------+--------+------+
| 18 | test      | User-Password | accept | ==   |
| 19 | test      | Auth-Type     | Local  | :=   |
+----+-----------+---------------+--------+------+


I filled out these tables, and tried to auth. 0905835218,accept
The user was rejected. Why? How can I allow access for that user (with 
groups)?

Thanks,
Thomas

ps.: radcheck, radreply, radgroupreply are empty








accounting stop query

2002-02-07 Thread J.E. Wu

I have accounting_stop_query set up to capture the on-line duration for each
user, thus deduct dollar amount according to the corresponding rates, the
problem is, when the user uses up the time and was disconnected forcefully,
the accounting_stop_query is not doing anything, even though it receives the
accounting stop packets. Any thought?

Thanks,

J.E.





Error: CHILD: exit on signal (11)

2002-02-07 Thread Eric Dean


Anybody know of a good way I can debug this so that I can let everyone
know the source of this problem?





FREERadius installation guide

2002-02-07 Thread

Could somebody please point me to a step-by-step installation and configuration guide for Freeradius 0.4






Re: more info on accounting stop query

2002-02-07 Thread Randy Moore

Hello,

Look for the following line in src/modules/rlm_sql/conf.h and comment it 
out, then recompile freeradius.

#define CISCO_ACCOUNTING_HACK

It sounds like you would prefer to keep data in STOP packets with zero 
session length.


At 05:23 PM 2/7/2002 -0500, you wrote:
Can someone help?
This is what I got from the debug mode:

modcall: entering group accounting
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'rlm_sql:  Stop packet with zero session length.  (user
'8111233409', nas '219.200.106.135')'
rlm_sql:  Stop packet with zero session length.  (user '8111233409', nas
'219.200.106.135')
rlm_sql: Released sql socket id: 4
   modcall[accounting]: module sql returns fail
modcall: group accounting returns fail





-Original Message-
From: J.E. Wu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 07, 2002 3:38 PM
To: '[EMAIL PROTECTED]'
Subject: accounting stop query


I have accounting_stop_query set up to capture the on-line duration for each
user, thus deduct dollar amount according to the corresponding rates, the
problem is, when the user uses up the time and was disconnected forcefully,
the accounting_stop_query is not doing anything, even though it receives the
accounting stop packets. Any thought?

Thanks,

J.E.



Randy Moore
Axion Information Technologies, Inc.

email [EMAIL PROTECTED]
phone   301-408-1200
fax301-445-3947





Java frontend

2002-02-07 Thread Cleo

Is there any java front end to FreeRadius on Linux
(redhat 7.2). Sorry I am completely new to it.

=
=
Cleophas Toe, CISSP | Phone:650-980-3686 
Sr. Info. Security Officer  | Cell: 510-858-9700 
Yodlee, Inc | www.Yodlee.com 
=

