Re: NIS and FreeRadius?
On Mon, Mar 18, 2002 at 11:46:40PM -0500, Todd R. Stroup wrote:
> Is there a way to get NIS to work with FreeRadius?

Use rlm_unix. Don't specify a password file in the config. It should then use the system facilities, which means if you have nis listed in your /etc/nsswitch.conf that will be consulted.

If the system this runs on doesn't do NIS auth, but you want freeradius to do so, there's not currently a module to handle this. It shouldn't be too hard to write one, if you have some system programming skills.

/fc

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can I store password in MD5 format ?
Hi, all. I am using FreeRadius version 0.4 with MySQL database. Now I am putting the user password in Crypt-Password attribute (using MySQL's function: encrypt). It's OK. But I want to move password to MD5 format. How can I do that? And what attributes can I use? Thank you!
Time limit.
Hello. I'm using FreeRadius version 0.4 with MySQL database on Slackware Linux. What is the easiest way to create monthly time-limit for dialup users?

Best regards, Alexey A. Shishkin mailto:[EMAIL PROTECTED]
compatibility with icradius
hi i'm working in an ISP and we use icradius 0.18 and mysql 3.23.36 under linux redhat 7.2 for customers authentication, i think that now freeradius is of a much better use if we carry on using open source, i have installed freeradius 4.0 this week and configure it to use the mysql DB, but the Max-Hours, total-time-limit and Activation attributes which are used by icradius are not recognized by freeradius automatically. is there anyone who can tell me what i have to do without changing attributes and still using DB with the 2 radius servers.

Thanks,
Defining Radius groups with specific abilitations against LDAP attribute
Hi There, I'm trying to define radius groups, so that I can manage specific permissions for users against LDAP entries. Group of users must be handled on Radius against the value of an LDAP attribute. I tried some configurations, but still does not work. Any idea about that ?

Thxs in advance. Pierre.
PIX v6.1 accounting problem
Hi again, I need to account accesses made on a PIX firewall v6.1 on the Radius server. Debugging of the radiusd process shows that requests are correctly sent to the radius accounting port, but are not handled, because of some non conform VSA ... Any dictionary for PIX v6.1 ? :-)

Regards, Pierre.
Re: username in radius accounting
At 04:53 PM 3/18/2002 -0800, Bond Bonds wrote:
> Hi, I'm using Freeradius 0.4 on Redhat 7.2. I'm using the radius server to log radius accounting from Cisco gateways into an Oracle database. I noticed that the sql module returned a 'fail' status if the username is null. Is it okay if I just remark the line that 'set, escape, and check user attr'? I've tried this and it recompiles without any problem. And it seems to work. But I was wondering what are the implications of doing this? Is there anyone who could tell me, or maybe, have a better solution for this? FYI, I *must* regard the username attr because I'm only doing a voip accounting log, where there are no username involved in doing so.

See this list archives. You can set the SQL query so that it uses the User-Name attribute *if present* or uses 'None' if it is not.

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc.
http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: PIX v6.1 accounting problem
At 02:55 PM 3/19/2002 +0100, Pierre Strazza wrote:
> Hi again, I need to account accesses made on a PIX firewall v6.1 on the Radius server. Debugging of the radiusd process shows that requests are correctly sent to the radius accounting port, but are not handled, because of some non conform VSA ...

Won't stop it from logging the request. May stop it from logging human readable formats. Can you elaborate on 'not handled'?

> Any dictionary for PIX v6.1 ? :-)

PIX is cisco. Are you enabling the use of 'dictionary.cisco'?

-Chris
Re: Group Attribute on an Ascend TNT
Willie Bollinger [EMAIL PROTECTED] wrote:
> I am running version 0.5 and am trying to set it up using the group settings in radius to disallow access from a certain unix group of hosts. When I add the group setting to radius to disallow users from group mailbox from authenticating. All of a sudden the MaxTNT starts denying all connections.

Did the server start rejecting the requests? Did you run it in debugging mode?

> It seems as tho the TNT does not like seeing that group attribute at all.

No. The group attribute is never sent over the wire. Run the server in debugging mode, like it says in the README and in the FAQ.

Alan DeKok.
Re: rlm_attr_filter + Ascend-Data-Filter
At 08:29 AM 3/19/2002 -0700, Charlie Watts wrote:
> On Wed, 13 Mar 2002, Chris Parker wrote:
>> I'd just confirm that you are loading the latest libraries. I'm not able to duplicate the problem here with. It *could* be a library mismatch. The next step would be, as described above to get the raw binary data for the attribute that's being passed to 'print_abinary()' to see if it's the data that's bad or the function that's wrong.
>
> So it does work for you? With multiple Ascend-Data-Filter items?

I did actually get this to duplicate. Not sure what exactly caused it. I'm checking more into it currently.

> I so hate being different. Hrm. :-/

It doesn't appear to be just you. Don't worry. :)

> I'm certain I've got the correct libraries. The only rlm_ files I have outside the source are in /usr/local/lib. If I remove them, the server doesn't work. It still doesn't work after a `make install`.

Okay, that means it's a current bug.

> I would appreciate any other suggestions. Thanks for your time so far.

I'll post a fix and commit it once you've verified it works for you as well.

-Chris
Re: Group Attribute on an Ascend TNT
On Tue, Mar 19, 2002 at 11:24:07AM -0500, Alan DeKok wrote:
> Willie Bollinger [EMAIL PROTECTED] wrote:
>> I have the following entries in the radius server
>>
>>     DEFAULT Group == mailtest, Auth-Type := Reject
>>             Reply-Message = Your account has been disabled.,
>
> That will disallow users who are in the Unix group named mailtest

That is what I want it to do, but it is actually authenticating them. And when I run it in debug using the mailtest user who is in group mailtest it authenticates it as tho the stop check is not there.

> Do you have the 'unix' module listed in the 'authorize' section? If not, then the server doesn't know anything about Unix groups.

This is how the config file is set up. This is running on FreeBSD

    unix {
        #
        # Cache /etc/passwd, /etc/shadow, and /etc/group
        #
        # The default is to cache them.
        #
        # For FreeBSD, you do NOT want to enable the cache,
        # as it's password lookups are done via a database.
        #
        # allowed values: {no, yes}
        cache = no

        # Reload the cache every 600 seconds (10mins). 0 to disable.
        cache_reload = 600

        #
        # Define the locations of the normal passwd, shadow, and
        # group files.
        #
        # 'shadow' is commented out by default, because not all
        # systems have shadow passwords.
        #
        # To force the module to use the system password functions,
        # instead of reading the files, comment out the 'passwd'
        # and 'shadow' configuration entries. This is required
        # for some systems, like FreeBSD.
        #
        #passwd = /etc/passwd
        # shadow = /etc/shadow
        group = /etc/group

> Alan DeKok.

--
Willie Bollinger, ABSnet Internet Service
Voice 410-361-8160 E-Mail [EMAIL PROTECTED] http://www.abs.net
Re: System Auth Problems
The HUA factor has been negated. Still having a problem running as uid radius and gid radius, but I am thinking that it is a BSD permissions issue tho. Anyone have any tips?

Cheers, Tom

Alan DeKok wrote:
> Thomas Keitel [EMAIL PROTECTED] wrote:
>> I read the docs, but why would freeradius .5 be able to authenticate someone with system auth with running as root in debug mode, but not as root not in debug mode? This is a FreeBSD 4.5 system with the shadow and password lines commented out.
>
> In debug mode, the server doesn't change its uid/gid. Read 'radiusd.conf', for 'user' and 'group'
>
> Alan DeKok.
Re: Group Attribute on an Ascend TNT
On Tue, 19 Mar 2002, Alan DeKok wrote:
> Do you have the 'unix' module listed in the 'authorize' section? If not, then the server doesn't know anything about Unix groups.

If I put 'unix' into 'authorize', I get:

    radiusd: radiusd.conf: System modules aren't allowed in 'authorize' sections -- they have no suchmethod.

    authorize {
        preprocess
        suffix
        unix
        files
    }

Works without it.

--
Charlie Watts [EMAIL PROTECTED]
Frontier Internet, Inc. http://www.frontier.net/
RE: Defining Radius groups with specific abilitations against LDAP attribute
Ok for the principle, but can you explain me more about functionality ? I do not practically understand how I can implement this to define more than 1 group against an attribute parameter.

Thxs again, Pierre.

-----Original Message-----
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 19 March 2002 16:39
To: [EMAIL PROTECTED]
Subject: Re: Defining Radius groups with specific abilitations against LDAP attribute

On Tue, 19 Mar 2002, Pierre Strazza wrote:
> Hi There, I'm trying to define radius groups, so that I can manage specific permissions for users against LDAP entries. Group of users must be handled on Radius against the value of an LDAP attribute. I tried some configurations, but still does not work. Any idea about that ? Thxs in advance. Pierre.

You can do one of the following:

o Use default/regular profiles. Just add the DN of the profile entry in the corresponding user entries using the profile_attribute defined in the ldap module configuration. Something like:

    dn: uid=group1-dialup,ou=people,dc=company,dc=com
    objectclass: radiusprofile
    radiusPortLimit: 1

    dn: uid=user1,ou=people,dc=company,dc=com
    objectclass: radiusprofile
    dialupregularprofile: uid=group1-dialup,ou=people,dc=company,dc=com

o Create ldap groups containing all the users for which you want to pass specific information. Then you can do something like this:

    dn: cn=group1,ou=groups,dc=company,dc=com
    objectclass: groupofuniquenames
    uniquemember: uid=user1,ou=people,dc=company,dc=com
    [...]

  users file:

    DEFAULT Group == group1
            Port-Limit = 1

In general take a look at doc/rlm_ldap. It is quite helpful.

--
Kostas Kalevras, Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Re: a newbie question please help me.
At 06:48 PM 3/19/2002 +0200, Daniel Becheanu wrote:
> The problem is that the radacct table is updated only when Acct-Status-Type attribute has Stop value. i want that it should be updated every 6 seconds.. as i read the NAS should pass a Accounting-Request package to radius with Acct-Status-Type set to Intertrim-Update is that right or just a false presumption.

That's a function of the NAS. The radius server cannot request that accounting data be sent, only the NAS can cause it to be sent.

> Another problem is that i want to make radius update the value from Session-Timeout attribute in RadReply table..

Not currently. You would need to modify the existing code, or create a new module to perform this kind of task. Alternatively, you could look at the functionality provided by the 'counter' module.

-Chris
RE: PIX v6.1 accounting problem
The request is not logged since an error message is reported in the radius.log file, indicating some non conform attributes - not proceeded. the dictionary.cisco seems to be already included in the dictionary file by default .. Any idea ?

Pierre.

-----Original Message-----
From: Chris Parker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 19 March 2002 16:09
To: [EMAIL PROTECTED]
Subject: Re: PIX v6.1 accounting problem

At 02:55 PM 3/19/2002 +0100, Pierre Strazza wrote:
> Hi again, I need to account accesses made on a PIX firewall v6.1 on the Radius server. Debugging of the radiusd process shows that requests are correctly sent to the radius accounting port, but are not handled, because of some non conform VSA ...

Won't stop it from logging the request. May stop it from logging human readable formats. Can you elaborate on 'not handled'?

> Any dictionary for PIX v6.1 ? :-)

PIX is cisco. Are you enabling the use of 'dictionary.cisco'?

-Chris
Re: Access Reject response for Authentication Request is very slow on Freeradius 0.5
Sagara Wijetunga [EMAIL PROTECTED] wrote:
> I have observed with freeradius-0.5 that Access-Accept response takes about 17 milliseconds and Access-Reject response takes about 3500 milliseconds. This type of long delay for Access-Reject response was not experienced with freeradius-0.4.

Please read the 'radiusd.conf' file distributed with 0.5. It includes new security features which help to prevent an attack from disabling the server. The main side effect is that by default, authentication rejects are delayed for a configurable amount.

Alan DeKok.
Access Reject response for Authentication Request is very slow on Freeradius 0.5
I use Intel Pentium III based PC servers, Red Hat Linux 7.2, Linux Kernel: 2.4.7-10custom, Portslave 2002-01-19, Freeradius 0.5 and MySQL 3.23.41. My modem is 3Com US Robotics 56K Faxmodem. I do not use any NAS or Digital RAS card. I have observed with freeradius-0.5 that Access-Accept response takes about 17 milliseconds and Access-Reject response takes about 3500 milliseconds. This type of long delay for Access-Reject response was not experienced with freeradius-0.4.
Re: Access Reject response for Authentication Request is very slow on Freeradius 0.5
At 12:34 AM 3/20/2002 +0600, Sagara Wijetunga wrote:
> I use Intel Pentium III based PC servers, Red Hat Linux 7.2, Linux Kernel: 2.4.7-10custom, Portslave 2002-01-19, Freeradius 0.5 and MySQL 3.23.41. My modem is 3Com US Robotics 56K Faxmodem. I do not use any NAS or Digital RAS card. I have observed with freeradius-0.5 that Access-Accept response takes about 17 milliseconds and Access-Reject response takes about 3500 milliseconds. This type of long delay for Access-Reject response was not experienced with freeradius-0.4.

See the response just posted to this list earlier today. FreeRADIUS 0.5 has a new configurable time delay to send rejects, to prevent runaway NAS from flooding the server with rejects. You can modify ( or completely disable ) this delay.

-Chris
Re: System Auth Problems
In article [EMAIL PROTECTED], Thomas Keitel [EMAIL PROTECTED] wrote:
> The HUA factor has been negated. Still having a problem running as uid radius and gid radius, but I am thinking that it is a BSD permissions issue tho. Anyone have any tips?

Yes, BSD uses a shadow-like password file by default. You HAVE to be root or you can't check passwords. From the top of my head: read man 5 master.passwd

Mike.
RE: Defining Radius groups with specific abilitations against LDAP attribute
On Tue, 19 Mar 2002, Pierre Strazza wrote:
> Ok for the principle, but can you explain me more about functionality ? I do not practically understand how I can implement this to define more than 1 group against an attribute parameter. Thxs again, Pierre.

Could you please give me an example of what you are trying to do?

--
Kostas Kalevras
Re: rlm_attr_filter + Ascend-Data-Filter
At 10:31 AM 3/19/2002 -0600, Chris Parker wrote:
> At 08:29 AM 3/19/2002 -0700, Charlie Watts wrote:
>> On Wed, 13 Mar 2002, Chris Parker wrote:
>>> I'd just confirm that you are loading the latest libraries. I'm not able to duplicate the problem here with. It *could* be a library mismatch. The next step would be, as described above to get the raw binary data for the attribute that's being passed to 'print_abinary()' to see if it's the data that's bad or the function that's wrong.
>>
>> So it does work for you? With multiple Ascend-Data-Filter items?
>
> I did actually get this to duplicate. Not sure what exactly caused it. I'm checking more into it currently.

It looks like it's caused by the way FreeRADIUS is building the binary interpretation of the filter.

Good attribute ( ip in forward tcp est ):

    Ascend-Data-Filter = \001\001\001\000\000\000\000\000\000\000\000\000
                         \000\000\006\001\000\000\000\000\000\000\000\000

Bad attribute ( ip in forward tcp est ):

    Ascend-Data-Filter = \001\001\001\000\000\000\000\000\000\000\000\000
                         \000\000\000\000\000\000\000\000\000\000\000\000
                         \000\000\000\000\000\000\000\000

There are extra bytes, and the 'tcp' and 'est' bytes are not set. I'm looking into this further, it is definitely a problem with the current server.

-Chris
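The fix posted later in this thread replaces a string copy with a memcpy of the attribute's length. The following added example (not FreeRADIUS code, and not part of the original messages) shows why a NUL-terminated copy loses the bytes at offsets 14 and 15 of the "good" value quoted above, next to a length-based copy that also refuses a length larger than the destination. The struct, the function names and the 254-byte buffer size are assumptions made for the sketch.

```c
#include <stdio.h>
#include <string.h>

#define STRVALUE_MAX 254 /* assumed buffer size, not taken from the FreeRADIUS source */

/* Hypothetical, simplified value pair holding an octet-string attribute. */
struct value_pair {
    size_t length;
    unsigned char strvalue[STRVALUE_MAX];
};

/* The 24-byte "good" Ascend-Data-Filter value from the message above
 * (octal \006 and \001 sit at offsets 14 and 15). */
static const unsigned char GOOD_FILTER[24] = {
    0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x06, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

static void vp_init(struct value_pair *vp)
{
    memset(vp, 0, sizeof(*vp));
    memcpy(vp->strvalue, GOOD_FILTER, sizeof(GOOD_FILTER));
    vp->length = sizeof(GOOD_FILTER);
}

/* String-style bounded copy: stops at the first NUL byte and always
 * terminates, the way a strncpy-like helper treats its source. */
static void copy_as_string(struct value_pair *dst, const struct value_pair *src)
{
    size_t i;

    memset(dst, 0, sizeof(*dst));
    for (i = 0; i + 1 < sizeof(dst->strvalue) && src->strvalue[i] != '\0'; i++)
        dst->strvalue[i] = src->strvalue[i];
    dst->strvalue[i] = '\0';
    dst->length = src->length; /* the length field still claims 24 bytes */
}

/* Length-based copy for binary values. Returns 0 on success, -1 when the
 * claimed length does not fit the destination buffer. */
static int copy_as_octets(struct value_pair *dst, const struct value_pair *src)
{
    if (src->length > sizeof(dst->strvalue))
        return -1;
    memset(dst, 0, sizeof(*dst));
    memcpy(dst->strvalue, src->strvalue, src->length);
    dst->length = src->length;
    return 0;
}

/* Offset of the first byte that differs from GOOD_FILTER after the copy,
 * or -1 when the copy is byte-for-byte identical. */
int first_difference(int as_string)
{
    struct value_pair src, dst;
    size_t i;

    vp_init(&src);
    if (as_string)
        copy_as_string(&dst, &src);
    else if (copy_as_octets(&dst, &src) != 0)
        return -2;
    for (i = 0; i < sizeof(GOOD_FILTER); i++)
        if (dst.strvalue[i] != GOOD_FILTER[i])
            return (int)i;
    return -1;
}

/* A length field larger than the buffer must be refused, not copied. */
int oversize_rejected(void)
{
    struct value_pair src, dst;

    vp_init(&src);
    src.length = STRVALUE_MAX + 1;
    return copy_as_octets(&dst, &src) == -1;
}

int main(void)
{
    printf("string copy: first differing offset = %d\n", first_difference(1));
    printf("octet copy:  first differing offset = %d\n", first_difference(0));
    printf("oversize length rejected = %d\n", oversize_rejected());
    return 0;
}
```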
freeradius-0.5 crashing
Freeradius is crashing on me. I've resorted to running it with radwatch. We've just gone operational with freeradius when 0.5 came out. I've been running 0.4 or some CSV snapshot since then in development, but weren't getting nearly the number of requests that we are getting now, so I don't know if this was a problem in 0.4 or if it was introduced in 0.5

I'm using SQL and simultaneous logins. It's happening when I get a request from a bogus IP address. I'm not sure why I'm getting requests from these IP addresses, maybe it's an attack??? Regardless, freeradius shouldn't crash from this. It looks like it might be related to checkrad.

These are the errors I get in the logs before it crashes:

    Tue Mar 19 19:47:02 2002 : Error: Check-TS: timeout waiting for checkrad
    Tue Mar 19 19:47:02 2002 : Error: Trying to look up name of unknown client 40.69.22.64.
    Tue Mar 19 19:47:02 2002 : Error: Accounting-Request packet sent to a non-accounting port from client UNKNOWN-CLIENT:0 - ID 10 : IGNORED
    Tue Mar 19 19:47:02 2002 : Error: CHILD: exit on signal (11)
Re: freeradius-0.5 crashing
At 05:28 PM 3/19/2002 -0500, Jeremy Kusnetz wrote:
> Freeradius is crashing on me. I've resorted to running it with radwatch. We've just gone operational with freeradius when 0.5 came out. I've been running 0.4 or some CSV snapshot since then in development, but weren't getting nearly the number of requests that we are getting now, so I don't know if this was a problem in 0.4 or if it was introduced in 0.5
>
> I'm using SQL and simultaneous logins. It's happening when I get a request from a bogus IP address. I'm not sure why I'm getting requests from these IP addresses, maybe it's an attack??? Regardless, freeradius shouldn't crash from this. It looks like it might be related to checkrad.

Does it run stable if you remove the Simultaneous-Use checks? ( Yes, I know you want them, but this would help narrow where the problem lies ).

-Chris
Re: freeradius-0.5 crashing
quite possibly script kiddies
we were seeing a bunch of radius traffic from china and occasionally from canada
ipfilter is your friend ;)

> I'm getting a lot of those UKNOWN client errors with bogus IP's. I have an access list blocking access to the radius daemon from anywhere but the RASs. What's going on there? Alan?

--
[EMAIL PROTECTED]
BackPack Software, Inc. www.backpack.com
+1 651.645.7550 voice, +1 651.645.9798 fax
Life is an Adventure. Don't forget your BackPack!
Re: freeradius-0.5 crashing
Jeremy Kusnetz wrote:
> Freeradius is crashing on me. I've resorted to running it with radwatch. We've just gone operational with freeradius when 0.5 came out. I've been running 0.4 or some CSV snapshot since then in development, but weren't getting nearly the number of requests that we are getting now, so I don't know if this was a problem in 0.4 or if it was introduced in 0.5
>
> I'm using SQL and simultaneous logins. It's happening when I get a request from a bogus IP address. I'm not sure why I'm getting requests from these IP addresses, maybe it's an attack??? Regardless, freeradius shouldn't crash from this. It looks like it might be related to checkrad.
>
> These are the errors I get in the logs before it crashes:
>
>     Tue Mar 19 19:47:02 2002 : Error: Check-TS: timeout waiting for checkrad
>     Tue Mar 19 19:47:02 2002 : Error: Trying to look up name of unknown client 40.69.22.64.
>     Tue Mar 19 19:47:02 2002 : Error: Accounting-Request packet sent to a non-accounting port from client UNKNOWN-CLIENT:0 - ID 10 : IGNORED
>     Tue Mar 19 19:47:02 2002 : Error: CHILD: exit on signal (11)

Did you just copy over radiusd or did you do a make install? I got sig 11's because I just copied the new radiusd over the 0.4 one. Bad idea. After I did a 'make install', it overwrote the libs in /usr/local/lib and the world was good.

I'm getting a lot of those UKNOWN client errors with bogus IP's. I have an access list blocking access to the radius daemon from anywhere but the RASs. What's going on there? Alan?

Cheers, Mike

--
Mike Cathey - http://www.mikecathey.com/
Network Administrator, RTC Internet - http://www.catt.com/
Re: freeradius-0.5 crashing
Mike Cathey [EMAIL PROTECTED] wrote:
> I'm getting a lot of those UKNOWN client errors with bogus IP's. I have an access list blocking access to the radius daemon from anywhere but the RASs. What's going on there? Alan?

Maybe there are bad packets. I find it hard to figure out how the server will create bogus packets for itself...

Alan DeKok.
Re: rlm_ldap patch
I just got the snapshot and see your fix. Thank you. I thought of using a goto, but having drilled into me that if you can use something else, do it, I chose to restructure. Perhaps this is one of those exceptions where a goto is the cleanest way. Thanks for your work.

- Dan Perik

On Mon, 2002-03-18 at 20:38, Kostas Kalevras wrote:
> On 18 Mar 2002, Dan Perik wrote:
>> As promised, here's the patch I threw together for the rlm_ldap module to solve the problem of failed auth when the LDAP server disconnects the idle connection. Basically, I took the ldap_connect code out of the perform_search function into its own search_connect function. Then, if ldap_search_st returns LDAP_SERVER_DOWN, it sets inst->bound to 0, does search_connect to try to reconnect to the server, and tries the ldap_search_st one more time.
>>
>> Again, my understanding of all this stuff is very limited. For all I know I created a vast memory leak that will rot your hard drive and cause your business to go bankrupt.
>>
>> - Dan
>
> Bug fixed in cvs. The fix was a little different than your patch but anyway thanks for the bug note.
>
> --
> Kostas Kalevras

--
Dan Perik
Computer Services Department, Lapilo Center
New Tribes Mission - PNG
Re: rlm_attr_filter + Ascend-Data-Filter
At 03:42 PM 3/19/2002 -0600, Chris Parker wrote: It looks like it's caused by the way FreeRADIUS is building the binary interpretation of the filter. Turned out to actually be problem with 'attr_filter' module. :\ Here's the patch ( it will be in CVS shortly ): *** rlm_attr_filter.c 2002/03/14 16:49:53 1.7 --- rlm_attr_filter.c 2002/03/19 23:55:13 *** static int attr_filter_authorize(void *i *** 300,308 tmp-lvalue = check_item-lvalue; break; default: !strNcpy((char *)tmp-strvalue, (char *)check_item-strvalue, !sizeof(tmp-strvalue)); tmp-length = check_item-length; break; } --- 300,308 tmp-lvalue = check_item-lvalue; break; default: !memcpy((char *)tmp-strvalue, (char *)check_item-strvalue, !check_item-length); tmp-length = check_item-length; break; } -Chris -- \\\|||/// \ StarNet Inc. \Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
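Review bot: in the default: branch, the new memcpy takes its size from check_item->length alone, whereas the strNcpy call it replaces was bounded by sizeof(tmp->strvalue), and nothing in the hunk shows that length being checked against the destination. Switching to memcpy is right for binary values such as Ascend-Data-Filter, but I would reject or clamp first, for example with a test of check_item->length > sizeof(tmp->strvalue) ahead of the copy, so a value pair with an oversized length cannot write past strvalue. The (char *) casts on both pointers are also no longer needed now that the call is memcpy.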
RE: PIX v6.1 accounting problem
Here is the radius.log extract :

    Wed Mar 20 01:41:30 2002 : Error: WARNING: Malformed RADIUS packet from host x.x.x.x: Vendor specific attributes do not exactly fill Vendor-Specific

Same error is reported while running in debug mode. No further accounting information is logged. The cisco box is a PIX firewall v6.1, authenticating users thru the freeradius server for VPN access.

Pierre.

-----Original Message-----
From: Chris Parker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 19 March 2002 19:13
To: [EMAIL PROTECTED]
Subject: RE: PIX v6.1 accounting problem

At 05:19 PM 3/19/2002 +0100, Pierre Strazza wrote:
> The request is not logged since an error message is reported in the radius.log file, indicating some non conform attributes - not proceeded. the dictionary.cisco seems to be already included in the dictionary file by default .. Any idea ?

It would really really really help if you could provide the error message printed by the server, as well as any printed when you run it in debug mode.

-Chris
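The warning quoted above concerns the sub-attributes inside a Vendor-Specific attribute not adding up to the attribute's own length. The following added example (not FreeRADIUS code, and not part of the original messages) shows that kind of length check, assuming the layout RFC 2865 recommends for attribute 26: a 4-byte vendor ID followed by type/length/value sub-attributes. The sample byte strings are constructed for the illustration and are not captured PIX traffic; vendor ID 9 is Cisco's enterprise number.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATTR_VENDOR_SPECIFIC 26

/* Constructed samples: outer type, outer length, vendor ID, sub-attributes. */
static const uint8_t VSA_OK[] = {          /* one sub-attribute, exact fit */
    26, 11, 0, 0, 0, 9, 1, 5, 'a', '=', 'b' };
static const uint8_t VSA_TWO[] = {         /* two sub-attributes, exact fit */
    26, 15, 0, 0, 0, 9, 1, 5, 'a', '=', 'b', 2, 4, 'x', 'y' };
static const uint8_t VSA_OVERRUN[] = {     /* sub-length 7 claims 2 bytes too many */
    26, 11, 0, 0, 0, 9, 1, 7, 'a', '=', 'b' };
static const uint8_t VSA_TRAILING[] = {    /* one stray byte after the sub-attribute */
    26, 12, 0, 0, 0, 9, 1, 5, 'a', '=', 'b', 0 };

/*
 * Validate one Vendor-Specific attribute starting at attr, with avail bytes
 * left in the packet. Returns the number of sub-attributes when they fill
 * the attribute exactly, or -1 when the attribute is malformed. On success
 * the vendor ID is stored through vendor when it is not NULL.
 */
int check_vsa(const uint8_t *attr, size_t avail, uint32_t *vendor)
{
    const uint8_t *val;
    size_t len, off = 4;
    int count = 0;

    if (avail < 2 || attr[0] != ATTR_VENDOR_SPECIFIC)
        return -1;
    /* Outer length covers type + length + vendor ID + at least one
     * sub-attribute header (assumption of this sketch), and must not run
     * past the bytes actually received. */
    if (attr[1] < 2 + 4 + 2 || attr[1] > avail)
        return -1;

    val = attr + 2;
    len = (size_t)attr[1] - 2;

    while (off < len) {
        size_t sublen;

        if (len - off < 2)          /* not enough room for a sub-header */
            return -1;
        sublen = val[off + 1];
        if (sublen < 2)             /* length must include its own header */
            return -1;
        if (sublen > len - off)     /* sub-attribute runs past the VSA */
            return -1;
        off += sublen;
        count++;
    }

    if (vendor != NULL)
        *vendor = ((uint32_t)val[0] << 24) | ((uint32_t)val[1] << 16) |
                  ((uint32_t)val[2] << 8) | (uint32_t)val[3];
    return count;
}

int main(void)
{
    uint32_t vendor = 0;

    printf("ok:       %d\n", check_vsa(VSA_OK, sizeof(VSA_OK), &vendor));
    printf("vendor:   %u\n", (unsigned)vendor);
    printf("two:      %d\n", check_vsa(VSA_TWO, sizeof(VSA_TWO), NULL));
    printf("overrun:  %d\n", check_vsa(VSA_OVERRUN, sizeof(VSA_OVERRUN), NULL));
    printf("trailing: %d\n", check_vsa(VSA_TRAILING, sizeof(VSA_TRAILING), NULL));
    return 0;
}
```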
RE: Defining Radius groups with specific abilitations against LDAP attribute
I'm trying to pass specific configuration parameters for users listed in a LDAP directory. The selection has to be made against an attribute value. The main problem is that the LDAP structure (Domino server .. urgl) cannot be changed, and is not homogeneous :) but anyway, directory is ordered like this :

    O=Org
    |_ some CN (not to be considered)
    |_ some OU
    |_ some CN=User Name
    |_ attributes
    |_ cn=userid (used for authentication, rlm_ldap basedn=O=Org, filter=(cn=%u))
    |_ user_profile_attribute=groupname (this is the attribute I need to use to specify config parms)

I need to do something like :

    DEFAULT Auth-Type := Ldap, Group-Name == groupname_1
            Specific_config_group_1
    DEFAULT Auth-Type := Ldap, Group-Name == groupname_2
            Specific_config_group_2
    ...

I solved the problem by something not really clean and fast, but working, like this :

    rlm_ldap:
        basedn=O=Org
        filter=(cn=%uid)
        ...
        group is searched against attribute user_profile_attribute
        group_filter is, again, (cn=%u)

    users:
        DEFAULT Auth-Type := Ldap, Group-Name == groupname_1 (value for attribute user_profile_attribute)
                Specific_config_group_1
        DEFAULT Auth-Type := Ldap, Group-Name == groupname_2
                Specific_config_group_2

This is fine working right now, but I'm sure this is not the best way to do. Any experience ?

Thxs, Pierre.

-----Original Message-----
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 19 March 2002 21:24
To: [EMAIL PROTECTED]
Subject: RE: Defining Radius groups with specific abilitations against LDAP attribute

On Tue, 19 Mar 2002, Pierre Strazza wrote:
> Ok for the principle, but can you explain me more about functionality ? I do not practically understand how I can implement this to define more than 1 group against an attribute parameter. Thxs again, Pierre.

Could you please give me an example of what you are trying to do?

--
Kostas Kalevras
SQL can't authenticate after 0.4 - 0.5 upgrade
Hello, I've been testing out the 0.5 release. But now it seems to not let me auth to sql. I've looked over the messages to the list over the last bit, and noticed others with the same problem. The answers didn't seem clear to me, so perhaps I can beg some more help.

Under 0.4 I had (in radiusd.conf):

    authenticate {
        authtype LDAPORSQL {
            group {
                sql {
                    fail = 1
                    notfound = 2
                    noop = return
                    ok = return
                    updated = return
                    reject = 3
                    userlock = return
                    invalid = return
                    handled = return
                    notfound = return
                }
                ldap {
                    fail = 1
                    notfound = 2
                    noop = return
                    ok = return
                    updated = return
                    reject = 3
                    userlock = return
                    invalid = return
                    handled = return
                    notfound = return
                }
            }
        }
    }

(in users):

    DEFAULT Auth-Type := LDAPORSQL
            Fall-Through = 1

This would allow me to auth to either LDAP or SQL. But in 0.5, SQL modules aren't allowed in 'authenticate' sections -- they have no such method. How do I do what I want to do now? What should I put in my authenticate section of radiusd.conf (if sql can't be there any more)? What should I put in my users file?

Thanks, Dan

--
Dan Perik
Computer Services Department, Lapilo Center
New Tribes Mission - PNG
Re: rlm_attr_filter + Ascend-Data-Filter
On Tue, 19 Mar 2002, Chris Parker wrote:
> At 03:42 PM 3/19/2002 -0600, Chris Parker wrote:
>> It looks like it's caused by the way FreeRADIUS is building the binary interpretation of the filter.
>
> Turned out to actually be problem with 'attr_filter' module. :\

You'll probably hate me for it, but I'm glad to hear it. Glad to hear you found it, that is. Thanks. :-)

--
Charlie Watts [EMAIL PROTECTED]
Frontier Internet, Inc. http://www.frontier.net/
How to limit MAC address to access the network??
Hello All, How to limit the MAC address to access the network? any sample file? Thanks a lot!!! Wallace
Re: compatibility with icradius
Bensalah Mustapha wrote:
> hi i'm working in an ISP and we use icradius 0.18 and mysql 3.23.36 under linux redhat 7.2 for customers authentication, i think that now freeradius is of a much better use if we carry on using open source, i have installed freeradius 4.0 this week and configure it to use the mysql DB, but the Max-Hours, total-time-limit and Activation attributes which are used by icradius are not recognized by freeradius automatically.

see the rlm_counter_module with freeradius,

@+
--
Do-Risika RAFIEFERANTSIARONJY mailto:[EMAIL PROTECTED]
Simicro Internet, mailto:[EMAIL PROTECTED], http://internet.simicro.mg
Tel : (+261) 20 22 648 83 (GMT +3), Fax : (+261) 20 22 661 83