RE: Binding to multiple ip's
We've had similar problems with completely other systems (I mean nothing related to RADIUS, but the source IP was important as well). It seems not so easy to force the traffic leaving a Unix-like machine on the "right" (logical) subinterface.

Alternatives are: define static routes in the machine, or use the same IP address above both subinterfaces (like IPMP can do with Solaris) (but I see in your email that you are probably using Linux ;-). I can imagine that both solutions here might not fit your set-up... If someone knows about other alternative(s), I would be interested as well...

Regards.
Benoit

-----Original Message-----
From: lance [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 2:40 AM
To: [EMAIL PROTECTED]
Subject: Binding to multiple ip's

I need to have radius bound to two ip's on a server, one for an internal network and one for external, but run up against a problem. With bind_address *, if a request comes in on the 2nd ip, freeradius sends the response out of the 1st ip, eg:

        eth0    10.0.0.1
        eth0:1  10.0.0.2

Request on eth0:1, response gets sent with source ip of eth0 :( This causes the proxy to reject the packet as coming from the wrong place.

Also - is it a bug or a feature that unless debug_level is set to 0 in radiusd.conf all logging stops???

Regards
Lance

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
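A third option for the problem Lance and Benoit discuss above, shown here as an added example that is not from the original thread and not FreeRADIUS code: instead of one socket bound to `*`, open one UDP socket per address and answer through the socket the request arrived on. A socket bound to a specific address always sends from that address, so the proxy sees the reply come from the IP it sent to, with no static routes and no shared IP on both subinterfaces. (Later FreeRADIUS releases do the same thing with one `listen { ipaddr = ... }` section per address.) The Python below is a stand-alone round trip on loopback; the placeholder payloads, the ephemeral port 0 and the `demo` helper are assumptions of this example, not anything on the page.

```python
import select
import socket


def bind_per_address(addresses):
    """Open one UDP socket per (ip, port) instead of a single bind to 0.0.0.0.

    With a wildcard bind the kernel picks the reply's source address from
    the routing table, which is how a request to eth0:1 gets answered from
    eth0.  A socket bound to a specific address always sends from it.
    """
    socks = []
    for ip, port in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((ip, port))
        socks.append(s)
    return socks


def serve_one(socks, handler, timeout=2.0):
    """Answer a single datagram through whichever socket it arrived on.

    Returns the (ip, port) the reply was sourced from, or None on timeout.
    """
    readable, _, _ = select.select(socks, [], [], timeout)
    if not readable:
        return None
    sock = readable[0]
    data, peer = sock.recvfrom(4096)
    sock.sendto(handler(data), peer)      # same socket in, same socket out
    return sock.getsockname()


def demo(ips=("127.0.0.1",)):
    """Self-contained round trip on loopback (assumed setup for this example).

    On Linux all of 127.0.0.0/8 is local, so ips=("127.0.0.1", "127.0.0.2")
    exercises two listeners the way eth0/eth0:1 would; the default uses only
    127.0.0.1 so it also runs on hosts without that alias.  Port 0 asks the
    kernel for an ephemeral port, so no root is needed.

    Returns (address the client saw the reply come from,
             address the server actually replied from).
    """
    servers = bind_per_address([(ip, 0) for ip in ips])
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2.0)
    try:
        target = servers[-1].getsockname()          # the "second" address
        client.sendto(b"constructed request", target)
        replied_from = serve_one(servers, lambda req: b"constructed reply")
        _, seen_from = client.recvfrom(4096)
        return seen_from, replied_from
    finally:
        client.close()
        for s in servers:
            s.close()


if __name__ == "__main__":
    seen, replied = demo()
    print("client saw reply from %s:%d, server sent from %s:%d" % (seen + replied))
```

The security-relevant point is the same one the proxy enforces: a RADIUS client only accepts a response from the address it sent the request to, so a server that answers from the "wrong" interface is indistinguishable from a spoofed reply and is rightly dropped.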
Re: Exec-Program and Acct-Status-Type
On Mon, Mar 11, 2002 at 01:11:54PM +0800, M Z Rahman wrote:
> I was trying to run an external perl script to do some customised logging
> depending on the Acct-Status-Type in the users file:
>
> DEFAULT Acct-Status-Type == "Start"
>        Exec-Program-Wait = "/radius/raddb/startstopacct %u %s %e %f %n %c %i %o %d %t %r %h"
> ...
> free-radius read the execparams file for the argument vectors for the

Looks like you confused XtRadius with FreeRADIUS.

--
Mojahed
System Administrator, Agni Systems Limited
Binding to multiple ip's
I need to have radius bound to two ip's on a server, one for an internal network and one for external, but run up against a problem. With bind_address *, if a request comes in on the 2nd ip, freeradius sends the response out of the 1st ip, eg:

        eth0    10.0.0.1
        eth0:1  10.0.0.2

Request on eth0:1, response gets sent with source ip of eth0 :( This causes the proxy to reject the packet as coming from the wrong place.

Also - is it a bug or a feature that unless debug_level is set to 0 in radiusd.conf all logging stops???

Regards
Lance
Re: rlm_attr_filter + Ascend-Data-Filter
On Mon, 11 Mar 2002, Chris Parker wrote:
> At 10:18 AM 3/11/2002 -0700, Charlie Watts wrote:
> >I'm having trouble with rlm_attr_filter and Ascend-Data-Filter.
> >
> >attrs:
> >acsinc.net
> >        Ascend-Data-Filter := "ip in forward tcp est",
> >        Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24",
> >        Ascend-Data-Filter := "ip in drop tcp dstport = 25",
> >        Ascend-Data-Filter := "ip in forward"
>
> Hmmm, perhaps try using the += operator there.

I don't get them back at all when I use +=. And looking at the docs & source, += doesn't seem to be supported.

> >And here's some output from the debug log:
> >Sending Access-Accept of id 173 to 199.45.141.1:1026
> >        Ascend-Data-Filter = "ip input forward 0"
> >        Ascend-Data-Filter = "ip input forward 0"
> >        Ascend-Data-Filter = "ip output drop 0"
> >        Ascend-Data-Filter = "ip input forward 0"
>
> Here they are set as separate attributes, so it's not a problem with
> the rlm_attr_filter module.

So is it in rlm_attr_filter or the core that the attributes are getting mangled?

> >And here's what I get back:
> >Vendor-Specific = "V529:T242:L34::T1:L1::T1:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0:"
>
> What is this output from?

Hrm, that's a non-freeradius "radtest" client. I was assuming that was the non-decoded binary Ascend-Data-Filter, but it might just be garbage. The freeradius "radtest" returns the same thing that the debug log shows.

I uncommented your DEBUG2 lines in rlm_attr_filter.c and re-compiled. Here's an example of what I see when using the := syntax:

modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
attr_filter: Matched entry realm.test at line 79
attr_filter: creating vp Service-Type - 1 - 2
attr_filter: creating vp Login-Service - 1 - 1
attr_filter: creating vp Ascend-Data-Filter - 4 - 0
attr_filter: creating vp Ascend-Data-Filter - 4 - 0
attr_filter: creating vp Ascend-Data-Filter - 4 - 0
attr_filter: creating vp Ascend-Data-Filter - 4 - 0
modcall[authorize]: module "attr_filter" returns updated
modcall[authorize]: module "suffix" returns ok
modcall[authorize]: module "files" returns notfound
modcall: group authorize returns updated
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [[EMAIL PROTECTED]] (from nas UNKNOWN-NAS port 0)
Sending Access-Accept of id 230 to 199.45.200.140:1484
        Service-Type = Framed-User
        Login-Service = Rlogin
        Ascend-Data-Filter = "ip input forward 0"
        Ascend-Data-Filter = "ip input forward 0"
        Ascend-Data-Filter = "ip output drop 0"
        Ascend-Data-Filter = "ip input forward 0"
Finished request 0

It doesn't work even if I just use one Ascend-Data-Filter:

realm.test
        Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24"

Still comes out as "ip input forward 0".

(I see some comments in the source about Fall-Through being incomplete. I notice that it -always- falls through, despite Fall-Through = No being set.)

Appreciate your time.

--
Charlie Watts
[EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/
Re: Are 2 different auth types allowed
On Tue, 2002-03-12 at 01:29, Alan DeKok wrote:
> Dan Perik <[EMAIL PROTECTED]> wrote:
> > Now, I'd like to extend that and allow FreeRadius to also try SQL
> > auth. So it would try LDAP first, and if the user isn't found (or
> > even on a bad password), I would like FreeRadius to then try to auth
> > against sql. Is this possible, and if so how?
>
> See 'doc/configurable_failover'
>
> Alan DeKok.

Excellent. Works beautifully. Thank you.

- Dan
--
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG
Re: Can we import UNIX account data to a Radius server?
Normand Dionne <[EMAIL PROTECTED]> wrote:
> What if we could import our Unix names and passwords to a Radius server?

No. The RADIUS server is a daemon which does authentication. It's not a database of username/passwords. It *uses* a database, one of which can be the Unix /etc/passwd file.

> I'll check out SAMBA too and Mike H suggested.

For doing authentication from a Windows machine, Samba is your ONLY answer.

Alan DeKok.
Can we import UNIX account data to a Radius server?
What about looking at it this way... What if we could import our Unix names and passwords to a Radius server? Does this sound like what Radius is used for?

I'll check out SAMBA too, as Mike H suggested.

Mahalo for your help.

Normand Dionne
Academic Computing Services
UH Hilo website: www.uhh.hawaii.edu

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Monday, March 11, 2002 11:19 AM
To: [EMAIL PROTECTED]
Subject: Re: New membership

Normand Dionne <[EMAIL PROTECTED]> wrote:
> We run several PC labs at our campus, all of which require an NT or 2000
> logon. We are now looking for a way to authenticate by proxy to a Unix name
> and password for our students.

You should use Samba on Unix. There are really no alternatives. You *may* be able to get Samba to authenticate via RADIUS, but there probably wouldn't be much point.

Alan DeKok.
Re: New membership
I think SAMBA may be able to do this when acting as a PDC.

http://www.samba.org/

> We run several PC labs at our campus, all of which require an NT or 2000
> logon. We are now looking for a way to authenticate by proxy to a Unix name
> and password for our students.
>
> Your comments are most welcome.
>
> Normand Dionne
> Academic Computing Services
> UH Hilo website: www.uhh.hawaii.edu
Re: New membership
Normand Dionne <[EMAIL PROTECTED]> wrote:
> We run several PC labs at our campus, all of which require an NT or 2000
> logon. We are now looking for a way to authenticate by proxy to a Unix name
> and password for our students.

You should use Samba on Unix. There are really no alternatives. You *may* be able to get Samba to authenticate via RADIUS, but there probably wouldn't be much point.

Alan DeKok.
New membership
We run several PC labs at our campus, all of which require an NT or 2000 logon. We are now looking for a way to authenticate by proxy to a Unix name and password for our students.

Your comments are most welcome.

Normand Dionne
Academic Computing Services
UH Hilo website: www.uhh.hawaii.edu
Re: Mysql error
At 03:09 PM 3/11/2002 -0500, CGI wrote:
>After all my tests, I just connect the radius server
>to Mysql, but from the first fire up I had this
>message:
>
>rlm_sql: Could not link driver rlm_sql_mysql: file not found
>rlm_sql: Make sure it (and all its dependent libraries!) are in the search path
>of your system's ld.
>radiusd.conf[4]: sql: Module instantiation failed.
>
>Where is looking radius to find the file?

Most likely /usr/local/lib

>[root@localhost root]# find / -name mysql -print
>/var/lib/mysql
>/var/lib/mysql/mysql
>/var/lock/subsys/mysql
>/etc/rc.d/init.d/mysql
>/etc/logrotate.d/mysql
>/usr/bin/mysql
>/usr/lib/mysql
>/usr/share/mysql
>/usr/include/mysql

Yup, it didn't build and install it. Change to the ~radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/ directory, and try running 'make' and 'make install' to determine why it's not building and installing it.

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Auto-dropping on Attribute 0?
Hello,

I work for an ISP that has recently started to provide *DSL to companies, and uses a freeradius server to handle proxied RADIUS requests from the DSL supplier. Installation, configuration and initial testing all went fine; however, when the first live clients were activated today the server appeared to refuse to answer any connections. A closer look at the log files revealed the following repeated error message:

Mon Mar 11 20:36:54 2002 : Error: WARNING: Malformed RADIUS packet from host aaa.bbb.ccc.ddd: Invalid attribute 0

Calling the network people at the supplier revealed they had had a similar problem with other clients; that this was a 'cosmetic flaw only' and didn't have any real impact. But yet, the server remained silent. Some testing from another site using the freeradius client and hand-hacked parameters had no problems logging in, unless I added the "bogus" attribute with ID 0 to the dictionary and sent it along, at which point the same error occurred.

Looking into the source, I found that the error lay in src/lib/radius.c lines 713-721: (With apologies for the long lines)

        /*
         *      Attribute number zero is NOT
         *      defined.
         */
        if (attr[0] == 0) {
                librad_log("WARNING: Malformed RADIUS packet from host %s: Invalid attribute 0",
                           ip_ntoa(host_ipaddr, packet->src_ipaddr));
                free(packet);
                return NULL;
        }

What I'd like to know is what exactly the reasoning is behind so drastic a response. Is there some inherent security flaw or overflow vulnerability when an attribute is zero? Are there serious specification problems with it? I'd prefer not to have to disable this without knowing the reason behind the check. If anyone would care to enlighten me?

Thanks in advance,
--
Rens Houben
Systemec Internet Services
Mysql error
After all my tests, I just connect the radius server to Mysql, but from the first fire up I had this message:

rlm_sql: Could not link driver rlm_sql_mysql: file not found
rlm_sql: Make sure it (and all its dependent libraries!) are in the search path
of your system's ld.
radiusd.conf[4]: sql: Module instantiation failed.

Where is radius looking to find the file?

[root@localhost root]# find / -name mysql -print
/var/lib/mysql
/var/lib/mysql/mysql
/var/lock/subsys/mysql
/etc/rc.d/init.d/mysql
/etc/logrotate.d/mysql
/usr/bin/mysql
/usr/lib/mysql
/usr/share/mysql
/usr/include/mysql

Thanks in advance
Jo
Re: About RADIUS experimental support for EAP/TLS
>Hi everybody
>I am not familiar with RADIUS server and I would like
>to know more about it.
>Could anybody explain me what is meant by RADIUS
>experimental support for EAP/TLS? Is it currently in
>experimentation or is it just a hypothesis?
>thank you in advance

EAP/TLS is not highly tested. So it means Evaluate Yourself and share your experience. Comments, feedback, bugs, patches... are welcome.

-Raghu
Re: EAP question
>Nope. Triple-checked the shared secret. They match.
>
>Only one RADIUS server in this setup, not separate auth and acct (or did I
>misunderstand your suggestion?).

If the shared secret is right then we need to figure out where the problem is. Can you send the radius logs? As Alan suggested, can you also verify that the Nortel switch that you are using is RFC 2869 compliant for Message-Authenticator.

-Raghu
Re: rlm_attr_filter + Ascend-Data-Filter
At 10:18 AM 3/11/2002 -0700, Charlie Watts wrote:
>I'm having trouble with rlm_attr_filter and Ascend-Data-Filter.
>
>Indeed, there is a comment in the source:
>
>/* THIS SECTION NEEDS LOTS OF WORK TO GET THE ATTRIBUTE
> * FILTERING LOGIC WORKING PROPERLY. RIGHT NOW IT DOES
> * THINGS MOSLTY RIGHT. IT HAS SOME ISSUES WHEN YOU HAVE
> * MULTIPLE A/V PAIRS FROM THE SAME ATTRIBUTE ( IE, VSA'S ).
> * THAT NEEDS A BIT OF WORK STILL [EMAIL PROTECTED]
> */

Yup, that comment is there, but that's not the problem you're having.

>Here's my config:
>
>attrs:
>acsinc.net
>        Ascend-Data-Filter := "ip in forward tcp est",
>        Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24",
>        Ascend-Data-Filter := "ip in drop tcp dstport = 25",
>        Ascend-Data-Filter := "ip in forward"

Hmmm, perhaps try using the += operator there.

>And here's some output from the debug log:
>Sending Access-Accept of id 173 to 199.45.141.1:1026
>        Ascend-Data-Filter = "ip input forward 0"
>        Ascend-Data-Filter = "ip input forward 0"
>        Ascend-Data-Filter = "ip output drop 0"
>        Ascend-Data-Filter = "ip input forward 0"

Here they are set as separate attributes, so it's not a problem with the rlm_attr_filter module.

>And here's what I get back:
>Vendor-Specific = "V529:T242:L34::T1:L1::T1:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0:"

What is this output from?

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
rlm_attr_filter + Ascend-Data-Filter
I'm having trouble with rlm_attr_filter and Ascend-Data-Filter.

Indeed, there is a comment in the source:

/* THIS SECTION NEEDS LOTS OF WORK TO GET THE ATTRIBUTE
 * FILTERING LOGIC WORKING PROPERLY. RIGHT NOW IT DOES
 * THINGS MOSLTY RIGHT. IT HAS SOME ISSUES WHEN YOU HAVE
 * MULTIPLE A/V PAIRS FROM THE SAME ATTRIBUTE ( IE, VSA'S ).
 * THAT NEEDS A BIT OF WORK STILL [EMAIL PROTECTED]
 */

Simpler things work fine; I can set the MTU, etc, just fine. Also, Ascend-Data-Filter gets returned correctly from user-file entries.

Any suggestions?

Here's my config:

attrs:
acsinc.net
        Ascend-Data-Filter := "ip in forward tcp est",
        Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24",
        Ascend-Data-Filter := "ip in drop tcp dstport = 25",
        Ascend-Data-Filter := "ip in forward"

And here's some output from the debug log:

Sending Access-Accept of id 173 to 199.45.141.1:1026
        Ascend-Data-Filter = "ip input forward 0"
        Ascend-Data-Filter = "ip input forward 0"
        Ascend-Data-Filter = "ip output drop 0"
        Ascend-Data-Filter = "ip input forward 0"
        Service-Type = Framed-User
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-Protocol = PPP
        Framed-MTU = 1500

And here's what I get back:

Vendor-Specific = "V529:T242:L34::T1:L1::T1:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0:"
Vendor-Specific = "V529:T242:L34::T1:L1::T1:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0:"
Vendor-Specific = "V529:T242:L34::T1:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0:"
Vendor-Specific = "V529:T242:L34::T1:L1::T1:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0:"

--
Charlie Watts
[EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/
Re: EAP question
"McNutt, Justin M." <[EMAIL PROTECTED]> wrote: > [Date] Error: Received packet from 128.206.95.215 with invalid > Message-Authenticator! That means either your shared secret is wrong, OR the Message-Authenticator attribute is something else (i.e. Ascend attribute), OR there's a bug in the code. > [Date] Info: Sending duplicate authentication reply to client > 128.206.95.215:1026 - ID: 63 Hmm... If the Message-Authenticator is invalid, then the packet MUST be discarded. This message probably has nothing to do with the previous one. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Connection ?
CGI <[EMAIL PROTECTED]> wrote:
> 1. Can I use the same database to authenticate 3
> different devices: a Nortel VPN box, a Checkpoint
> firewall and a 3COM modem chassis.

If they all do RADIUS, yes.

> 2. can I add in the database some information
> regarding what the user is allow it to do, for example
> the user to access the email and DNS server, but not
> access to server X or Y

Sure, if your NAS supports that.

> 3. Can I use a browser interface to add, delete a
> user?

The latest CVS snapshots include 'dialup_admin', which does this.

> 4. Can I print "something" regarding usage per user?

Uh, sure. Just look up the information in whatever database you stored it in.

Alan DeKok.
Re: Exec-Program and Acct-Status-Type
"M Z Rahman" <[EMAIL PROTECTED]> wrote: > I was trying to run an external perl script to do some customised logging > depending on the Acct-Status-Type in the users file: That won't work. 'users' is for authorization/authentication. Look at 'acct_users' > Now, my question is does free-radius read the execparams file for > the argument vectors for the external file to be run? There is no 'execparams' file in FreeRADIUS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Are 2 different auth types allowed
Dan Perik <[EMAIL PROTECTED]> wrote:
> Now, I'd like to extend that and allow FreeRadius to also try SQL
> auth. So it would try LDAP first, and if the user isn't found (or
> even on a bad password), I would like FreeRadius to then try to auth
> against sql. Is this possible, and if so how?

See 'doc/configurable_failover'

Alan DeKok.
multiple Exec-Program ...
Hi all,

Is it possible to put multiple 'Exec-Program' for one user?

Thanx,
--
Do-Risika RAFIEFERANTSIARONJY
mailto:[EMAIL PROTECTED]
Simicro Internet, mailto:[EMAIL PROTECTED], http://internet.simicro.mg
Tel : (+261) 20 22 648 83 (GMT +3), Fax : (+261) 20 22 661 83
Newbie
Hi,

I have a server running on Linux (SuSE 7.2 enterprise). I want to build an AAA server using FreeRADIUS. I have installed the freeradius.rpm packages. So far, no problem.

Next I want to configure a client. The client machine is running the OS Solaris 7. At this point I don't have any idea how to configure the Sun. Please, can someone help me?

Thanx!
Walter
About RADIUS experimental support for EAP/TLS
Hi everybody,

I am not familiar with RADIUS server and I would like to know more about it. Could anybody explain to me what is meant by RADIUS experimental support for EAP/TLS? Is it currently in experimentation or is it just a hypothesis?

Thank you in advance