attribute exec-programm

2002-05-15 Thread Eric

Hi
I use FreeRadius-0.5 and MySql-3.23.49 on FreeBsd-4.5.
How do the attributes Exec-Program and Exec-Program-Wait differ?
Please send me examples of the use of these attributes in a MySQL database,
and examples of scripts triggered by these attributes
(with MySQL database processing).

-- 
Best regards,
Eric  mailto:[EMAIL PROTECTED]



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE : Freeradius-Users -- confirmation of subscription -- request 645149

2002-05-15 Thread proidea


> Freeradius-Users -- confirmation of subscription -- request 645149
> 
> We have received a request from 211.39.1.29 for subscription of your
> email address, <[EMAIL PROTECTED]>, to the
> [EMAIL PROTECTED] mailing list.  To confirm the
> request, please send a message to
> [EMAIL PROTECTED], and either:
> 
> - maintain the subject line as is (the reply's additional "Re:" is
> ok),
> 
> - or include the following line - and only the following line - in the
> message body: 
> 
> confirm 645149
> 
> (Simply sending a 'reply' to this message should work from most email
> interfaces, since that usually leaves the subject line in the right
> form.)
> 
> If you do not wish to subscribe to this list, please simply disregard
> this message.  Send questions to
> [EMAIL PROTECTED]
> 
> 


 
--
고태종([EMAIL PROTECTED])
017-737-3407
ICQ 58835124
http://proidea.dnip.net:81/
For the true GNU spirit
--

--
PrOiDeA(http://www.neoidea.pe.kr/)
고태종([EMAIL PROTECTED])
017-737-3407
ICQ:58835124
For the true GNU spirit
--









RE: Free Radius and Open Ldap

2002-05-15 Thread Mazen R. Kassem

Could you please send me an example of the configuration for using LDAP and RADIUS, and which 
version of FreeRADIUS you think is more stable?

-Original Message-
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 15, 2002 5:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Free Radius and Open Ldap


On Wed, 15 May 2002, Michael Fuller wrote:

> Hi all,
>
> This is from a Linux Newbie.
>
> I am using Free Radius with Open Ldap authentication. The config is 
> straight forward, with no special add ons. How do I control user 
> attributes ? I need one set of users to have administrative access, 
> and the other only framed PPP access.
>
> Any help will be greatly appreciated.
>
> Thanks and regards,
> Michael S Fuller

Read doc/rlm_ldap. You should use the Default and Regular profiles.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





radzap...old issue

2002-05-15 Thread Vector

I am unable to use radzap to get an entry out of radutmp.  I had to reboot
the router today and there are some stale entries in there that I must
remove.  radzap yields the following:

# radzap name-of-termserver 14 "user@realm"
radzap: zapping termserver ip.addr.of.termserver, port 14, user user@realm
radzap: no response from server

I then do a radwho and sure enough, the entry is still there.  I need it to
go away even if it can't talk to the termserver.  Alan commented on this
last time I posted about this problem claiming that radzap didn't work this
way, but it is again giving me grief and I'd rather not have to wipe out the
entire radutmp file like I did before...any suggestions?  Thanks,

vec






Cisco 350 & WinXP

2002-05-15 Thread Artur Hecker

hi folks

it seems to me that somebody has written something on Cisco 340 and
EAP/MD5 with XP. Can't find it though... Sorry because it's kind of out
of scope, but if you have some fast help on this one before I begin to
investigate, it would be appreciated:

I check the EAP/MD5 field and 802.1x auth in the XP properties of the LAN
connection and configure the AP340 to use network-eap, but the latter keeps
on saying "unknown authentication protocol" in its log. What's wrong?

thanx,

artur


-- 
Artur Hecker Groupe Accès et Mobilité
[EMAIL PROTECTED]Département Informatique et Réseaux
+33 1 45 81 750746, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr  ENST Paris




Re: Security

2002-05-15 Thread Artur Hecker


hi

> > > > >   Anybody making NAS boxes that support IPSec tunnelling?

you can still install a small linux-box tunnelling the packet from each
NAS through to the server... ugly, i know; but it could be a diskless
thin client, for example... or you replace your nas by a software nas
running at this box - could even come out cheaper...


> > > > Yes, but the number that support IPSec tunneling of radius packets is
> > > > about equal to the number that support EAP authentication.  :\

what is EAP supposed to do with IPSec??? sorry, i didn't get this one.


> > >   I'm curious if there would be any use/interest in hacking FreeRADIUS
> > >to "encrypt" packets it's sending to a proxy.
> >
> > I wouldn't invent a proprietary method.

IMHO the RADIUS proxy feature should definitely be protected by an
underlying method, i.e. IPSec (since TLS doesn't work with UDP...). In
this case you are going to travel between some public unknown networks,
and the algorithm used has never been considered strong crypto...
it's basically "just a hash" used for hiding secrets, which was not its
original purpose. It should be used with care. Besides, IPSec provides
much more than what a UDP higher-level protocol could ever do unless it
implements the whole suite itself... so, Alan, I don't think it would be
necessary to have a "proxy-encrypt-hack". Modularity with crypto-systems
is what we need; otherwise it's horrible work to verify their quality.

Small remark on what's been said before: IPSec doesn't need to tunnel
the packets. I would even suggest installing IPSec at the RADIUS servers
themselves and using transport mode if possible. It appears that
transport mode is far more efficient. That's what we do here.

chris (sorry if it wasn't your comment): even if I agree that the
attacks against RADIUS are mostly theoretical, we should keep in mind
that, statistically, most attacks against IT systems come from
inside the networks. So I wouldn't insist too much on the fact that
you need to be within the network to mount an attack against RADIUS,
since that's probably exactly what you can expect.

chris: what exactly did you mean by incorporating IPSec support?

alan wrote:
>  You can get a LOT of information about what's going on in the
> network just by looking at ports and packet sizes.
> So my question is: What purpose would be served by encrypting
> packets?  What information do you want to hide from prying eyes?

talking about IPSec: ESP would hide the actual size of the packets, e.g.
not talking about the ports. But the problem with IPSec is that it can
hardly be found in the NAS, so you probably will have to set up an
additional box just before the NAS...


Raghu wrote:
> I think, for now EAP-TTLS does not have any added advantage over IPSec.

At least in wireless LANs (802.11), EAP begins after the
association, i.e. after the logical port assignment. So, the assignment
of the logical port is *not* authenticated. One could imagine attacks
based on that, even if they need a lot of technical understanding of how to
push away the actual participant who has really been authenticated.
Additionally: does EAP-TTLS provide for any packet signing?


just my six pences...

artur



-- 
Artur Hecker
artur[at]hecker.info





Re: Using ippool with two radius servers?

2002-05-15 Thread Miquel van Smoorenburg

In article <[EMAIL PROTECTED]>,
Gelson Dias Santos  <[EMAIL PROTECTED]> wrote:
>> -Original Message-
>> From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]
>
>> >Yes, I know I can have 'N' different ip pools 
>> configured, one for
>> >each NAS, but I'm talking about 30.000 dial ports, so I 
>> can't allocate
>> >30.000 * N ips available.
>> 
>> In that case you are also talking about 30.000 routes in your
>> internal routing protocol - and with that many dialup ports,
>> hundreds of route-flaps per second.
>> 
>> It won't work. Your network and routers will fall over
>> and die screaming.
>
>   Why should I have 30.000 host routes

Well, you're talking about 30.000 ports. If you are going to
assign each of them an IP address using radius, you need
a routing protocol to get the packets to the NAS.

>All I have is one /17
>summarized route. All those IP's are on the same CIDR block.

Ah, you only have one terminal server with 30.000 ports on it?
In that case, route the /17 to that NAS and be done with it.
But you likely have tens or hundreds of NASes.

Either you're way ahead of me, or you really need to think this over.

Mike.
-- 
"Insanity -- a perfectly rational adjustment to an insane world."
  - R.D. Lang





Re: Security

2002-05-15 Thread Milan P. Stanic

On Wed, May 15, 2002 at 11:54:38AM -0400, Alan DeKok wrote:
> > Yes, but the number that support IPSec tunneling of radius packets is
> > about equal to the number that support EAP authentication.  :\
> 
>   I'm curious if there would be any use/interest in hacking FreeRADIUS
> to "encrypt" packets it's sending to a proxy.
> 
>   Pro: Some minor peace of mind
> 
>   Con: It's only interoperable with itself.
> 
>   Con: There's no guarantee that anything we can come up with will be
> secure or even useful.
 
Let the RADIUS server be just that. IPSec is a network layer protocol
and should stay there. Why bloat the freeRADIUS server?

Actually, you did a great job and you can extend freeradius as you want,
but, IMHO, wouldn't it be better to make it more stable? Bug hunting
isn't as challenging as adding new features, I know.

BTW, it is easy to set-up IPSec tunnel between machine on which RADIUS
server running and NAS on most operating systems today.
If NAS supports IPSec ;-)

Milan




RE: Using ippool with two radius servers?

2002-05-15 Thread Gelson Dias Santos
> -Original Message-
> From: Chris Parker [mailto:[EMAIL PROTECTED]]
 
> > Is there a way to synchronize the ip databases 
> between two (or 
> > more) radius servers when using module ippool? If not, how 
> do we avoid 
> > giving the same ip to two users at the same time if the primary and 
> > secondary radius does not share info about the ips already in use?


> 
> Why would you not want the NAS to handle their own ip pools?
> 
> -Chris


    This is the way things work right now, but I need to add different classes of service, like dial backup and VPDN, using the same dial ports, and these services require different IP addresses than those in the NAS pools. So, I have to set different pools for different classes of users. 

    I was thinking about using hints to differentiate users, so a user xxx.vpdn could match an entry like this:


    DEFAULT Hint == "vpdn", Pool-Name := vpdnpool


    But then, how do I avoid conflict when allocating IP's from pool vpdnpool if I have two Radius servers?


    Gelson 





Re: Using ippool with two radius servers?

2002-05-15 Thread Alan DeKok

Gelson Dias Santos <[EMAIL PROTECTED]> wrote:
>   Back to the original question; can I have two Radius server managing
> the same IP address pool?

  It's difficult.  Both RADIUS servers have to be kept in PERFECT
synchronization, otherwise duplicate IP's are assigned.

  Your best bet may be to come up with some other solution...

  Alan DeKok.
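As an added illustration of the synchronization requirement Alan describes (this is not the ippool module's code, nor any poster's), the Python below contrasts two servers that each keep a private copy of the pool with two servers that claim addresses from one shared SQLite table under a write lock. The network, user names and database file are constructed sample values.

```python
"""Two RADIUS servers allocating from one IP pool: why they must share state.

Added example for this thread; it is not the ippool module or any poster's
code.  It contrasts each server keeping a private copy of the pool (which
hands one address to two users) with both servers claiming addresses from
one shared SQLite table under a write lock.  The network, user names and
database file are constructed sample values.
"""
import ipaddress
import os
import sqlite3
import tempfile
from typing import List, Optional


class PrivatePool:
    """Unsynchronized pool: what happens when each server keeps its own copy."""

    def __init__(self, network: str) -> None:
        self.free = [str(ip) for ip in ipaddress.ip_network(network).hosts()]
        self.leases = {}

    def allocate(self, user: str) -> Optional[str]:
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leases[ip] = user
        return ip


def create_shared_pool(path: str, network: str) -> None:
    """One table holds every address; owner IS NULL means the address is free."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE IF NOT EXISTS pool (ip TEXT PRIMARY KEY, owner TEXT)")
        con.executemany("INSERT OR IGNORE INTO pool (ip, owner) VALUES (?, NULL)",
                        [(str(ip),) for ip in ipaddress.ip_network(network).hosts()])
    con.close()


class SharedPool:
    """Each server opens its own connection; every claim runs under BEGIN IMMEDIATE,
    so two servers cannot both read the same free row and then both take it."""

    def __init__(self, path: str) -> None:
        self.con = sqlite3.connect(path, isolation_level=None)  # explicit transactions
        self.con.execute("PRAGMA busy_timeout = 5000")  # wait for the other server's lock

    def allocate(self, user: str) -> Optional[str]:
        self.con.execute("BEGIN IMMEDIATE")
        try:
            row = self.con.execute(
                "SELECT ip FROM pool WHERE owner IS NULL ORDER BY ip LIMIT 1").fetchone()
            if row is None:
                self.con.execute("COMMIT")
                return None  # pool exhausted
            cur = self.con.execute(
                "UPDATE pool SET owner = ? WHERE ip = ? AND owner IS NULL", (user, row[0]))
            self.con.execute("COMMIT")
            return row[0] if cur.rowcount == 1 else None
        except Exception:
            self.con.execute("ROLLBACK")
            raise

    def release(self, ip: str) -> None:
        """Called on Accounting-Stop so the address can be reused."""
        self.con.execute("UPDATE pool SET owner = NULL WHERE ip = ?", (ip,))

    def close(self) -> None:
        self.con.close()


def demo_private(network: str = "10.0.0.0/29") -> List[Optional[str]]:
    """Two servers with private pools hand the same first address to two users."""
    a, b = PrivatePool(network), PrivatePool(network)
    return [a.allocate("alice"), b.allocate("bob")]


def demo_shared(network: str = "10.0.0.0/29") -> List[Optional[str]]:
    """Two servers alternating on one shared pool: six distinct hosts, then None."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pool.db")
        create_shared_pool(path, network)
        servers = [SharedPool(path), SharedPool(path)]
        users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]
        leases = [servers[i % 2].allocate(u) for i, u in enumerate(users)]
        for s in servers:
            s.close()
        return leases


if __name__ == "__main__":
    print("private pools:", demo_private())
    print("shared pool:  ", demo_shared())
```

The private-pool variant is the failure mode the thread warns about: both servers independently believe the first address is free. The shared variant moves the decision into one store and makes the claim atomic; any backend with a comparable conditional update (or row lock) serves the same purpose, and the servers must also agree on releasing addresses when accounting stops.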




RE: Using ippool with two radius servers?

2002-05-15 Thread Chris Parker

At 05:28 PM 5/15/2002 -0300, Gelson Dias Santos wrote:


> > -Original Message-
> > From: Miquel van Smoorenburg 
> [mailto:[EMAIL PROTECTED]]
>
> > > Yes, I know I can have 'N' different ip pools
> > configured, one for
> > >each NAS, but I'm talking about 30.000 dial ports, so I
> > can't allocate
> > >30.000 * N ips available.
> >
> > In that case you are also talking about 30.000 routes in your
> > internal routing protocol - and with that many dialup ports,
> > hundreds of route-flaps per second.
> >
> > It won't work. Your network and routers will fall over
> > and die screaming.
>
> Why should I have 30.000 host routes? All I have is one /17 
> summarized route. All those IP's are on the same CIDR block.

Uhm.  Unless you have only one NAS, you'll have major issues.  Each
user will get a /32 ip.  If you have many NAS and the /32's are handed
out by the radius server, then you need to have all the NAS telling
each other about which /32's they have connected.

If that is not clear, you need to study routing, route summarization,
and ip subnetting some more.

>Back to the original question; can I have two Radius server 
> managing the same IP address pool?

No.  ( And you really really really don't want to for 30,000 ips ).

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






RE: cisco_vsa_hack doesn't run - success.. and a question..

2002-05-15 Thread Michael Shurtleff

OK, now it works. Now could someone on the development side tell me the
purpose of the following statement in the code inside cisco_vsa_hack() in
the rlm_preprocess.c file (which I commented out to make the vsa_hack
work). I don't want to solve one problem in order to create another.

if ((vp->attribute & 0x) != 1) continue;

Thanks,

mike

On Wed, 15 May 2002, Michael Shurtleff wrote:

> After some more checking I see that I was mistaken. Despite the noop from
> preprocess, the cisco_vsa_hack routine is entered. It is just not doing
> anything. Now I have to find out why. I am assuming that this routine
> should strip off the names and equal signs from the values sent by cisco
> before freeradius loads them into the database.
> 
> Has anyone had any experience with this?
> 
> mike
> 

-- 






RE: Using ippool with two radius servers?

2002-05-15 Thread Gelson Dias Santos
> -Original Message-
> From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]


> > Yes, I know I can have 'N' different ip pools 
> configured, one for
> >each NAS, but I'm talking about 30.000 dial ports, so I 
> can't allocate
> >30.000 * N ips available.
> 
> In that case you are also talking about 30.000 routes in your
> internal routing protocol - and with that many dialup ports,
> hundreds of route-flaps per second.
> 
> It won't work. Your network and routers will fall over
> and die screaming.


    Why should I have 30.000 host routes? All I have is one /17 summarized route. All those IP's are on the same CIDR block.

    Back to the original question: can I have two Radius servers managing the same IP address pool?


    Gelson





Re: Using ippool with two radius servers?

2002-05-15 Thread Miquel van Smoorenburg

In article <[EMAIL PROTECTED]>,
Gelson Dias Santos  <[EMAIL PROTECTED]> wrote:
>   Is there a way to synchronize the ip databases between two (or more)
>radius servers when using module ippool? If not, how do we avoid giving the
>same ip to two users at the same time if the primary and secondary radius
>does not share info about the ips already in use?
>   Yes, I know I can have 'N' different ip pools configured, one for
>each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
>30.000 * N ips available.

In that case you are also talking about 30.000 routes in your
internal routing protocol - and with that many dialup ports,
hundreds of route-flaps per second.

It won't work. Your network and routers will fall over
and die screaming.

Mike.
-- 
"Insanity -- a perfectly rational adjustment to an insane world."
  - R.D. Lang





Re: Using ippool with two radius servers?

2002-05-15 Thread Chris Parker

At 03:51 PM 5/15/2002 -0300, Gelson Dias Santos wrote:

> Is there a way to synchronize the ip databases between two (or 
> more) radius servers when using module ippool? If not, how do we avoid 
> giving the same ip to two users at the same time if the primary and 
> secondary radius does not share info about the ips already in use?
>
> Yes, I know I can have 'N' different ip pools configured, one for 
> each NAS, but I'm talking about 30.000 dial ports, so I can't allocate 
> 30.000 * N ips available.

Why would you not want the NAS to handle their own ip pools?

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Using ippool with two radius servers?

2002-05-15 Thread Gelson Dias Santos
    Is there a way to synchronize the ip databases between two (or more) radius servers when using module ippool? If not, how do we avoid giving the same ip to two users at the same time if the primary and secondary radius do not share info about the ips already in use?

    Yes, I know I can have 'N' different ip pools configured, one for each NAS, but I'm talking about 30.000 dial ports, so I can't allocate 30.000 * N ips available.

    Gelson





Re: Security

2002-05-15 Thread Chris Parker

At 11:28 AM 5/15/2002 -0700, Raghu wrote:
>Chris Parker wrote:
> >
> > Yes, but that has far less support ( at the moment ) than IPSec and is
> > still draft.  :\
> >
>
>I think, for now EAP-TTLS does not have any added advantage over IPSec.
>
>Just curious, how did you find that it has less support?

 From the dialup NAS side of the house, it's got far less support.

 From the 802.11a/b side of the house, it does have wider support.

I'm pretty dialup-centric in my viewpoints, so that shades my perception.  :)

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Security

2002-05-15 Thread Raghu

Chris Parker wrote:
> 
> Yes, but that has far less support ( at the moment ) than IPSec and is
> still draft.  :\
>

I think, for now EAP-TTLS does not have any added advantage over IPSec.

Just curious, how did you find that it has less support?

-Raghu




Re: Security

2002-05-15 Thread Chris Parker

At 01:24 PM 5/15/2002 -0400, Alan DeKok wrote:
>Josh Howlett <[EMAIL PROTECTED]> wrote:
> > I would certainly find this capability useful.  I don't see the harm in
> > _open_ extensions provided that they're documented and are inactive by
> > default.
>
>   There's also the problem of traffic analysis.
>
>   e.g. Packets to port 1812 are authentication requests.  Packets to
>port 1813 are accounting requests.  Small packets from port 1812 are
>authentication rejects.  Larger packets from port 1812 are
>authentication accepts.
>
>   You can get a LOT of information about what's going on in the
>network just by looking at ports and packet sizes.
>
>   So my question is: What purpose would be served by encrypting
>packets?  What information do you want to hide from prying eyes?

In a proxy environment, realms can indicate business relationships
which might otherwise not be publicly known.

In all environments, the attacks against breaking the shared secret
are sped up by having access to the cypher-text in User-Password as
well as by being able to correlate "like" packets.

In a wholesale environment radius packets may be traversing unknown
or untrusted third party networks.

Also, any information contained in the unencrypted other attributes
can yield a lot of information as well.  ( Phone numbers calling
from/to, destinations for login/telnet, etc. ).

Having a username and a phone number calling from, one could imagine
some social engineering attacks...

Yes it is pretty paranoid to think that someone would be interested
in that, but it also appears that it might not be overly hard to
add IPSec hooks, either.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Security

2002-05-15 Thread Chris Parker

At 10:22 AM 5/15/2002 -0700, Raghu wrote:
>Alan DeKok wrote:
> >   I'm curious if there would be any use/interest in hacking FreeRADIUS
> > to "encrypt" packets it's sending to a proxy.
> >
>
>http://www.ietf.org/internet-drafts/draft-ietf-pppext-eap-ttls-01.txt
>
>If my understanding is right, EAP-TTLS does just that.
>Only after the successful handshake is done,
>Radius attributes are passed,encrypted, to perform PAP, CHAP etc

Yes, but that has far less support ( at the moment ) than IPSec and is
still draft.  :\

You can set IPSec options and policy on a per-socket basis ( at least with
*BSD ) via 'setsockopt()' and 'ipsec_set_policy()' calls.  So the radius
server *could* setup IPSec for specific clients/proxies...

*BSD:
http://www.gsp.com/cgi-bin/man.cgi?section=3&topic=ipsec_set_policy

Solaris:
Supported in Solaris8

Linux:
http://www.freeswan.org/intro.html

Others:
?

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Security

2002-05-15 Thread Alan DeKok

Josh Howlett <[EMAIL PROTECTED]> wrote:
> I would certainly find this capability useful.  I don't see the harm in
> _open_ extensions provided that they're documented and are inactive by
> default.

  There's also the problem of traffic analysis.

  e.g. Packets to port 1812 are authentication requests.  Packets to
port 1813 are accounting requests.  Small packets from port 1812 are
authentication rejects.  Larger packets from port 1812 are
authentication accepts.


  You can get a LOT of information about what's going on in the
network just by looking at ports and packet sizes.

  So my question is: What purpose would be served by encrypting
packets?  What information do you want to hide from prying eyes?

  Alan DeKok.




Re: Security

2002-05-15 Thread Raghu

Alan DeKok wrote:
>   I'm curious if there would be any use/interest in hacking FreeRADIUS
> to "encrypt" packets it's sending to a proxy.
> 

http://www.ietf.org/internet-drafts/draft-ietf-pppext-eap-ttls-01.txt

If my understanding is right, EAP-TTLS does just that.
Only after the successful handshake is done,
Radius attributes are passed,encrypted, to perform PAP, CHAP etc


-Raghu




Re: Security

2002-05-15 Thread Josh Howlett

On Wed, 15 May 2002, Chris Parker wrote:

> At 11:54 AM 5/15/2002 -0400, Alan DeKok wrote:
> >Chris Parker <[EMAIL PROTECTED]> wrote:
> > > That could be solved by establishing an IPSec tunnel between our radius
> > > and your servers, setting up a direct network connection ( peering point )
> > > for exchange of radius/authentication traffic, or installing a server
> > > at our colo facility so auth traffic never crosses a third-party network.
> > >
> > > >   Anybody making NAS boxes that support IPSec tunnelling?
> > >
> > > Yes, but the number that support IPSec tunneling of radius packets is
> > > about equal to the number that support EAP authentication.  :\
> >
> >   I'm curious if there would be any use/interest in hacking FreeRADIUS
> >to "encrypt" packets it's sending to a proxy.
>
> I wouldn't invent a proprietary method.

I would certainly find this capability useful.  I don't see the harm in
_open_ extensions provided that they're documented and are inactive by
default.

josh.


Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]






Re: Security

2002-05-15 Thread Chris Parker

At 11:54 AM 5/15/2002 -0400, Alan DeKok wrote:
>Chris Parker <[EMAIL PROTECTED]> wrote:
> > That could be solved by establishing an IPSec tunnel between our radius
> > and your servers, setting up a direct network connection ( peering point )
> > for exchange of radius/authentication traffic, or installing a server
> > at our colo facility so auth traffic never crosses a third-party network.
> >
> > >   Anybody making NAS boxes that support IPSec tunnelling?
> >
> > Yes, but the number that support IPSec tunneling of radius packets is
> > about equal to the number that support EAP authentication.  :\
>
>   I'm curious if there would be any use/interest in hacking FreeRADIUS
>to "encrypt" packets it's sending to a proxy.

I wouldn't invent a proprietary method.

>   Pro: Some minor peace of mind
>
>   Con: It's only interoperable with itself.

Maybe.  I think support somehow for enabling IPSec to be used between
selected clients would accomplish this.  It would also serve to "hide"
the radius attributes that are all sent clear-text, making MitM and
sniffing attacks significantly more difficult.

Would that be done at the freeradius level, or at the kernel/ip stack
level though... Hmm, I'm intrigued now.  :)

>   Con: There's no guarantee that anything we can come up with will be
>secure or even useful.

If we could incorporate IPSec support somehow, it'd be interoperable
with anything else that speaks IPSec.  :)

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Security

2002-05-15 Thread Alan DeKok

Chris Parker <[EMAIL PROTECTED]> wrote:
> That could be solved by establishing an IPSec tunnel between our radius
> and your servers, setting up a direct network connection ( peering point )
> for exchange of radius/authentication traffic, or installing a server
> at our colo facility so auth traffic never crosses a third-party network.
> 
> >   Anybody making NAS boxes that support IPSec tunnelling?
> 
> Yes, but the number that support IPSec tunneling of radius packets is
> about equal to the number that support EAP authentication.  :\

  I'm curious if there would be any use/interest in hacking FreeRADIUS
to "encrypt" packets it's sending to a proxy.

  Pro: Some minor peace of mind

  Con: It's only interoperable with itself.

  Con: There's no guarantee that anything we can come up with will be
secure or even useful.


  Alan DeKok.




Re: Group authentication

2002-05-15 Thread Alan DeKok

"Lester Gock-Young" <[EMAIL PROTECTED]> wrote:
> I'm running FreeRadius 0.5 on FreeBSD 4.2, and I'm having some trouble with
> UNIX group authentication.

  Upgrade to the latest CVS version, or grab the rlm_unix directory
from the latest CVS version.  0.5 had a bug with Unix groups.

  Alan DeKok.




Re: Security

2002-05-15 Thread Chris Parker

At 08:39 AM 5/15/2002 -0700, Bill Campbell wrote:
>On Wed, May 15, 2002 at 08:58:17AM -0500, Chris Parker wrote:
> >At 03:18 PM 5/15/2002 +1000, Andrew Tait wrote:
> >>http://www.untruth.org/~josh/security/radius/radius-auth.html
> >>
> >>For those interested in finding out how easy.
> >
> >All predicated on the assumption that the attacker has access to the
> >network traffic between the client ( NAS ) and the radius server.  Like
> >I said before, if an attacker has access to your network in such a manner
> >there are *lot* of interesting things they can do, cracking radius is
> >just one of them.  :)
>
>The attacker doesn't necessarily have to have access to your net if say the
>radius traffic originates from a dialup wholesaler like megapop.

Didn't say they had to be on your LAN, they just need to be able to "snoop"
traffic anywhere between you and the radius client talking to your server.
Using a wholesaler ( btw, I work for StarNet/MegaPOP ) shouldn't expose you
to any more susceptibility ( unless you don't trust the path between us ).

That could be solved by establishing an IPSec tunnel between our radius
and your servers, setting up a direct network connection ( peering point )
for exchange of radius/authentication traffic, or installing a server
at our colo facility so auth traffic never crosses a third-party network.

>   Anybody making NAS boxes that support IPSec tunnelling?

Yes, but the number that support IPSec tunneling of radius packets is
about equal to the number that support EAP authentication.  :\

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Security

2002-05-15 Thread Alan DeKok

"Andrew Tait" <[EMAIL PROTECTED]> wrote:
> Lets say that someone has the ability to sniff traffic between our NAS and
> radius server.
> 
> What are the chances of them finding out the shared secrets, or actual
> usernames and passwords?

  Shared secrets: NONE.  They never go over the wire.

  Usernames: ALWAYS.  They go over the wire in the clear.

  Passwords: ALMOST NONE.  The passwords are encrypted using the
shared secret, and never go over the wire in the clear.

  Alan DeKok.
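As an added example of the mechanism behind Alan's answer (this is not FreeRADIUS code or any poster's code), the Python below implements the RFC 2865 User-Password hiding that Alan refers to and the Response Authenticator check a client uses on replies: the password is XORed with MD5(secret + Request Authenticator), so the shared secret never appears on the wire while the reply can still be verified as coming from a holder of the secret. The secret, password, Request Authenticator and attribute bytes are constructed sample values.

```python
"""RFC 2865 User-Password hiding and Response Authenticator verification.

Added example for this thread; it is not FreeRADIUS code or any poster's
code.  The shared secret, Request Authenticator, password and attribute
bytes below are constructed sample values.
"""
import hashlib
import hmac
import os
from typing import Tuple


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Hide a User-Password the way a NAS does (RFC 2865, section 5.2).

    The password is NUL-padded to a multiple of 16 bytes and each block is
    XORed with MD5(secret + previous block), the first block using the
    Request Authenticator.  The wire carries only the result and the
    Request Authenticator; the secret itself is never transmitted.
    """
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # chaining: each hidden block keys the next one
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: recover the password; inverse of hide_password.

    Trailing NUL padding is stripped, so a password ending in NUL is not
    representable (the same limitation RFC 2865 has).
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    length = 20 + len(attrs)  # 20-byte header plus attributes
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def verify_response(code: int, ident: int, attrs: bytes, req_auth: bytes,
                    secret: bytes, received_auth: bytes) -> bool:
    """Client-side check that an Accept/Reject came from a holder of the secret
    and was not modified in transit; constant-time compare avoids leaking
    which byte mismatched."""
    expected = response_authenticator(code, ident, attrs, req_auth, secret)
    return hmac.compare_digest(expected, received_auth)


def demo() -> Tuple[bytes, bytes, bool, bool]:
    """Round-trip a constructed password and check a constructed Access-Accept."""
    secret = b"example-shared-secret"  # constructed sample value
    req_auth = os.urandom(16)           # the NAS picks this fresh for every request
    hidden = hide_password(b"correct horse", secret, req_auth)
    recovered = unhide_password(hidden, secret, req_auth)
    # Constructed Access-Accept (code 2, id 7) carrying one Framed-IP-Address attribute.
    attrs = bytes([8, 6, 10, 0, 0, 42])
    resp_auth = response_authenticator(2, 7, attrs, req_auth, secret)
    ok = verify_response(2, 7, attrs, req_auth, secret, resp_auth)
    tampered = verify_response(2, 7, bytes([8, 6, 10, 0, 0, 43]), req_auth, secret, resp_auth)
    return hidden, recovered, ok, tampered


if __name__ == "__main__":
    h, r, ok, bad = demo()
    print(h.hex(), r, ok, bad)
```

The hiding is reversible by anyone who holds the secret and sees the packet, which is why the rest of the thread treats the secret's strength and the transport (IPSec) as the real protections; the Response Authenticator gives the NAS integrity on replies, but nothing in the base protocol signs the request attributes or the User-Name.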




Re: Security

2002-05-15 Thread Bill Campbell

On Wed, May 15, 2002 at 08:58:17AM -0500, Chris Parker wrote:
>At 03:18 PM 5/15/2002 +1000, Andrew Tait wrote:
>>http://www.untruth.org/~josh/security/radius/radius-auth.html
>>
>>For those interested in finding out how easy.
>
>All predicated on the assumption that the attacker has access to the
>network traffic between the client ( NAS ) and the radius server.  Like
>I said before, if an attacker has access to your network in such a manner
>there are *lot* of interesting things they can do, cracking radius is
>just one of them.  :)

The attacker doesn't necessarily have to have access to your net if say the
radius traffic originates from a dialup wholesaler like megapop.  Anybody
making NAS boxes that support IPSec tunnelling?

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``Anyone who thinks Microsoft never does anything truly innovative isn't
paying attention to the part of the company that pushes the state of
its art: Microsoft's legal department.'' 
   --Ed Foster, InfoWorld Gripe Line columnist




RE: cisco_vsa_hack doesn't run (fwd)

2002-05-15 Thread Michael Shurtleff

After some more checking I see that I was mistaken. Despite the noop from
preprocess, the cisco_vsa_hack routine is entered. It is just not doing
anything. Now I have to find out why. I am assuming that this routine
should strip off the names and equal signs from the values sent by cisco
before freeradius loads them into the database.

Has anyone had any experience with this?

mike
-- 


-- Forwarded message --
Date: Wed, 15 May 2002 09:53:20 -0400 (EDT)
From: Michael Shurtleff <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: cisco_vsa_hack doesn't run

Nico,

Thanks for the suggestion. However, I tried switching the order but in
any case I am getting noops on both files and preprocess. Suffix is
returning ok however, and group preacct returns ok as well.

I do need preprocess to work, in order to use cisco_vsa_hack.

mike

On Wed, 15 May 2002 [EMAIL PROTECTED] wrote:

> Hi,
> 
> I also had a problem in this part,
> 
> the cause was the preprocess entry being mentioned AFTER the files entry.
> (I wanted to proxy the accounting records to backup server
> which also didn't work.)
> 
> after putting the files entry after preprocessing this worked, maybe this
> has the same cause?
> 
> regards,
> Nico Baggus
> --
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] at INET-1
> > Sent: Tuesday, May 14, 2002 15:21
> > To: <[EMAIL PROTECTED]> at INET-1
> > Subject: cisco_vsa_hack doesn't run
> >
> >
> >
> > I am using Freeradius 0.5 with Cisco AS5300 VoIP gateways,
> > using only the
> > accounting part of radius. I configured the with_cisco_vsa_hack in
> > radiusd.conf, but on further investigation I found that the
> > pre-accounting
> > preprocessing was giving a noop, and that the vsa_hack was
> > not running.
> >
> > This is the only part of the system that isn't functioning
> > normally as far
> > as I can see; the server is generating accounting records in
> > MySQL with no
> > problem.
> >
> > My question is the following:
> > What is required for the preacct preprocessing to run
> > normally and what
> > part of the config could be causing this failure?
> >
> > Mike
> > --
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> 
> 
> -
> ATTENTION:
> The information in this electronic mail message is private and
> confidential, and only intended for the addressee. Should you
> receive this message by mistake, you are hereby notified that
> any disclosure, reproduction, distribution or use of this
> message is strictly prohibited. Please inform the sender by
> reply transmission and delete the message without copying or
> opening it.
> 
> Messages and attachments are scanned for all viruses known.
> If this message contains password-protected attachments, the
> files have NOT been scanned for viruses by the ING mail domain.
> Always scan attachments before opening them.
> -
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 

-- 






Re[2]: Security

2002-05-15 Thread 3APA3A

Dear Chris Parker,

There is more info on this issue on
http://www.security.nnov.ru/search/news.asp?binid=1563

It should also be pointed out that some attacks require the ability to modify
traffic. That is possible if one of the routers is compromised, directly or via
a spoofed ARP entry. No attack succeeds immediately, and all attacks require a
long time to succeed (if you change the shared secret on a regular basis it
will be hard to attack you). There are a few points where traffic modification
allows privilege escalation (for example, the NAS may send a request for shell
access; this request is changed by the M-i-t-M to a PPP access request; RADIUS
authenticates PPP access and the attacker gets shell access to the device
instead of PPP). There is also a weakness in the way MS-CHAP is implemented in
RADIUS.

In fact, most of these attacks are theoretical and almost impossible to use in
practice.

--Wednesday, May 15, 2002, 5:58:17 PM, you wrote to [EMAIL PROTECTED]:

CP> At 03:18 PM 5/15/2002 +1000, Andrew Tait wrote:
>>http://www.untruth.org/~josh/security/radius/radius-auth.html
>>
>>For those interested in finding out how easy.

CP> All predicated on the assumption that the attacker has access to the
CP> network traffic between the client ( NAS ) and the radius server.  Like
CP> I said before, if an attacker has access to your network in such a manner
CP> there are *lot* of interesting things they can do, cracking radius is
CP> just one of them.  :)

CP> -Chris
CP> --
CP> \\\|||///  \  StarNet Inc.  \ Chris Parker
CP> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
CP> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
CP> oOo---(_)---oOo--\--
CP>\ Wholesale Internet Services - http://www.megapop.net



CP> - 
CP> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
~/ZARAZA
There are versions of Othello in which Desdemona strangles the Moor. (Lem)





Re: Free Radius and Open Ldap

2002-05-15 Thread Kostas Kalevras

On Wed, 15 May 2002, Michael Fuller wrote:

> Hi all,
>
> This is from a Linux Newbie.
>
> I am using Free Radius with Open Ldap authentication. The config is straight
> forward, with no special add ons. How do I control user attributes ? I need
> one set of users to have administrative access, and the other only framed
> PPP access.
>
> Any help will be greatly appreciated.
>
> Thanks and regards,
> Michael S Fuller

Read doc/rlm_ldap. You should use the Default and Regular profiles.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





(no subject)

2002-05-15 Thread Mazen Kassem



Hi guys, I have installed OpenLDAP and it's running properly, and I installed
freeradius-0.2, but I don't know how to integrate them. Could somebody help me
here? I would appreciate it if there is any running case I can follow.


my email [EMAIL PROTECTED]


thanks

_
Chat with friends online, try MSN Messenger: http://messenger.msn.com





Re: ID hang in Hiper

2002-05-15 Thread Chris Parker

At 06:18 PM 5/15/2002 +0530, Uma wrote:
>Hello,
> We have 3com RAS box. What happens is that after the dial-up user 
> disconnects the Hiper is not sending the Stop accounting packet to RADIUS 
> . The user id got hanged and so when he tries to reconnect he is failed.
>
>Pls help in solving this..

Fix the 3com hiper so it sends accounting.  Not much the server can do
there.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: about the debug

2002-05-15 Thread Chris Parker

At 05:53 PM 5/15/2002 +0800, Kenneth Lee wrote:

>dear all,
>
>after reading the source code, I find that there are many DEBUG() and
>DEBUG2(), I would like to ask how can I force the program to print this
>debug statement our while running?
>
>e.g.:
>DEBUG2("rlm_counter: (Check item - counter) is greater than zero");

-x sets debug level to one, prints all DEBUG() statements.

-x -x sets debug level to two, prints all DEBUG() and DEBUG2() statements.

-x -x -x sets debug level to three, prints all DEBUG() and DEBUG2()
  statements with timestamp information.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: FreeRADIUS redundant sql

2002-05-15 Thread Chris Parker

At 10:33 AM 5/15/2002 +0100, [EMAIL PROTECTED] wrote:
>Hello!
>I have installed 2 freeradius servers (primary and secondary) with the counter module
>and 2 redundant sql servers.

I'd recommend the latest CVS versions, there have been some updates to
the SQL module since earlier versions.

>1- is it normal when sql1 is offline that radius1 goes down? I use radwatch to
>restart radius automatically.

That doesn't sound normal, but we'd need more information.

>2- I use rsync to synchronise the 2 radius servers (accounting, counter and
>file configuration).

That shouldn't be a problem for config files.  Not sure what you mean by
accounting, are you rsynching the 'detail' files?

>But when a user has a counter limit the second radius ignores this limit.
>why?

If you are using the 'counter' and not 'sqlcounter' module, then the
used values are known only locally to each server.  You could use the
'sqlcounter' which would allow you to centralize the counter data to an
sql server that both radius servers would query/update.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Security

2002-05-15 Thread Chris Parker

At 02:33 PM 5/15/2002 +1000, Gary Barnden wrote:
>Andrew,
>
>Pretty easy actually, easier than one would think

Really, do tell.  Depending on the type of authentication ( assuming CHAP
or PAP, leaving out EAP for now ), the password is never transmitted in the
clear from the NAS to the Radius.

With PAP, the password is sent encoded as a reversible MD5 hash.  Reversing
the hash will result in the cleartext password for that user.  Knowing the
'shared secret' will allow the reversal of the MD5 hash.

With CHAP, the password itself is not sent, but rather a computed value
by the end-user that uses the password and known vector as the inputs.  It
is not possible to extract the actual password from this method.

The downside ( IMHO ) to CHAP is that it requires you to store passwords
in either plaintext or a reversible hash ( as the radius server *must*
also have access to the plaintext password to verify the authentication ).

If someone has the ability to sniff traffic between your NAS and the
radius server, you probably have a lot more issues to worry about, in terms
of physical security on your network.  I'd be more worried about a single
compromise of the radius server exposing *all* of your users passwords
in the case of CHAP, than possibly extracting *some* of your users passwords
via the use of PAP, where a server compromise would expose your shared
secrets, but not your user passwords.

EAP also addresses many of these issues, but is not yet widely supported
on dialup NAS, though it does seem to be used on quite a few
Wireless/Ethernet access products.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



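The two claims made in this thread, Alan DeKok's "shared secrets never go over the wire" and Chris Parker's description of PAP passwords being hidden with an MD5 keystream derived from the shared secret, are both consequences of RFC 2865. The following is an added example, not code from the list or from FreeRADIUS, that implements the two mechanisms with the standard library: User-Password hiding (RFC 2865 section 5.2) and the Response Authenticator (RFC 2865 section 3). The shared secret, Request Authenticator and password are constructed sample values. It shows why a sniffer without the secret learns the User-Name but not the password, why the same secret recovers the password exactly, and how the server proves possession of the secret in every reply without transmitting it:

```python
import hashlib
import hmac
import struct

# Constructed sample values for this demonstration (not from the list thread).
SHARED_SECRET = b"example-shared-secret"      # configured on NAS and server, never sent
REQUEST_AUTHENTICATOR = bytes(range(16))      # 16 random octets in a real Access-Request
USER_PASSWORD = b"correct horse battery"      # 21 octets: needs two 16-octet blocks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-octet blocks and XOR each
    block with MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: the next keystream depends on this hidden block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: whoever holds the secret recovers the password.
    Trailing NUL padding is stripped, so a password ending in NUL octets is not
    representable (a limitation of the RFC 2865 encoding itself)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden string must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Build a RADIUS response; the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the reply was produced by a party holding the
    secret for the request it answers. The secret itself is never in the packet."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


ACCESS_ACCEPT = 2
# Constructed Reply-Message attribute (type 18): type, length, text.
REPLY_MESSAGE = b"\x12" + bytes([2 + len(b"welcome")]) + b"welcome"


def demo() -> dict:
    """Run the round trip with the right secret and with a wrong one."""
    hidden = hide_password(USER_PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    response = build_response(ACCESS_ACCEPT, 7, REPLY_MESSAGE,
                              REQUEST_AUTHENTICATOR, SHARED_SECRET)
    return {
        "hidden_len": len(hidden),
        "recovered_with_secret": unhide_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR),
        "recovered_with_wrong_secret": unhide_password(hidden, b"guess", REQUEST_AUTHENTICATOR),
        "response_valid": verify_response(response, REQUEST_AUTHENTICATOR, SHARED_SECRET),
        "response_valid_wrong_secret": verify_response(response, REQUEST_AUTHENTICATOR, b"guess"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The design point for defenders is in the keystream: it is MD5(secret + authenticator), so the strength of the hiding is exactly the strength of the shared secret and the unpredictability of the Request Authenticator. A short or reused secret, or a NAS with a weak random source, is what turns the "almost none" in Alan DeKok's answer into something weaker, which is the practical reason to use long random secrets and to carry RADIUS over an IPsec tunnel, as suggested elsewhere in the thread, rather than rely on the hiding alone.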



Re: Security

2002-05-15 Thread Chris Parker

At 03:18 PM 5/15/2002 +1000, Andrew Tait wrote:
>http://www.untruth.org/~josh/security/radius/radius-auth.html
>
>For those interested in finding out how easy.

All predicated on the assumption that the attacker has access to the
network traffic between the client ( NAS ) and the radius server.  Like
I said before, if an attacker has access to your network in such a manner
there are *lot* of interesting things they can do, cracking radius is
just one of them.  :)

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






RE: cisco_vsa_hack doesn't run

2002-05-15 Thread Michael Shurtleff

Nico,

Thanks for the suggestion. However, I tried switching the order but in
any case I am getting noops on both files and preprocess. Suffix is
returning ok however, and group preacct returns ok as well.

I do need preprocess to work, in order to use cisco_vsa_hack.

mike

On Wed, 15 May 2002 [EMAIL PROTECTED] wrote:

> Hi,
> 
> I also had a problem in this part,
> 
> the cause was the preprocess entry being mentioned AFTER the files entry.
> (I wanted to proxy the accounting records to backup server
> which also didn't work.)
> 
> after putting the files entry after preprocessing this worked, maybe this
> has the same cause?
> 
> regards,
> Nico Baggus
> --
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] at INET-1
> > Sent: Tuesday, May 14, 2002 15:21
> > To: <[EMAIL PROTECTED]> at INET-1
> > Subject: cisco_vsa_hack doesn't run
> >
> >
> >
> > I am using Freeradius 0.5 with Cisco AS5300 VoIP gateways,
> > using only the
> > accounting part of radius. I configured the with_cisco_vsa_hack in
> > radiusd.conf, but on further investigation I found that the
> > pre-accounting
> > preprocessing was giving a noop, and that the vsa_hack was
> > not running.
> >
> > This is the only part of the system that isn't functioning
> > normally as far
> > as I can see; the server is generating accounting records in
> > MySQL with no
> > problem.
> >
> > My question is the following:
> > What is required for the preacct preprocessing to run
> > normally and what
> > part of the config could be causing this failure?
> >
> > Mike
> > --
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> 
> 
> -
> ATTENTION:
> The information in this electronic mail message is private and
> confidential, and only intended for the addressee. Should you
> receive this message by mistake, you are hereby notified that
> any disclosure, reproduction, distribution or use of this
> message is strictly prohibited. Please inform the sender by
> reply transmission and delete the message without copying or
> opening it.
> 
> Messages and attachments are scanned for all viruses known.
> If this message contains password-protected attachments, the
> files have NOT been scanned for viruses by the ING mail domain.
> Always scan attachments before opening them.
> -
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 

-- 






Re: ID hang in Hiper

2002-05-15 Thread Dyachek Andrey



Ask 3com about this problem. Freeradius works
well, doesn't it?

  - Original Message - 
  From: Uma
  To: [EMAIL PROTECTED]
  Sent: Wednesday, May 15, 2002 6:48 PM
  Subject: ID hang in Hiper

  Hello,
  We have a 3com RAS box. What happens is that after the dial-up user disconnects the
  Hiper is not sending the Stop accounting packet to RADIUS. The user id
  got hung, and so when he tries to reconnect he fails.

  Pls help in solving this..

  Regards.
  Uma.


ID hang in Hiper

2002-05-15 Thread Uma



Hello,
We have a 3com RAS box. What happens is that after the dial-up user disconnects the
Hiper is not sending the Stop accounting packet to RADIUS. The user id got hung,
and so when he tries to reconnect he fails.

Pls help in solving this..

Regards.
Uma.


Free Radius and Open Ldap

2002-05-15 Thread Michael Fuller

Hi all,

This is from a Linux Newbie.

I am using Free Radius with Open Ldap authentication. The config is straight 
forward, with no special add ons. How do I control user attributes ? I need 
one set of users to have administrative access, and the other only framed 
PPP access.

Any help will be greatly appreciated.

Thanks and regards,
Michael S Fuller

_
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com





RE: cisco_vsa_hack doesn't run

2002-05-15 Thread Nico . Baggus

Hi,

I also had a problem in this part,

the cause was the preprocess entry being mentioned AFTER the files entry.
(I wanted to proxy the accounting records to a backup server,
which also didn't work.)

after putting the files entry after preprocessing this worked, maybe this
has the same cause?

regards,
Nico Baggus
--


> -Original Message-
> From: [EMAIL PROTECTED] at INET-1
> Sent: Tuesday, May 14, 2002 15:21
> To: <[EMAIL PROTECTED]> at INET-1
> Subject: cisco_vsa_hack doesn't run
>
>
>
> I am using Freeradius 0.5 with Cisco AS5300 VoIP gateways,
> using only the
> accounting part of radius. I configured the with_cisco_vsa_hack in
> radiusd.conf, but on further investigation I found that the
> pre-accounting
> preprocessing was giving a noop, and that the vsa_hack was
> not running.
>
> This is the only part of the system that isn't functioning
> normally as far
> as I can see; the server is generating accounting records in
> MySQL with no
> problem.
>
> My question is the following:
> What is required for the preacct preprocessing to run
> normally and what
> part of the config could be causing this failure?
>
> Mike
> --
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


-
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-




FreeRADIUS redundant sql

2002-05-15 Thread mberzig

Hello!
I have installed 2 freeradius servers (primary and secondary) with the counter module
and 2 redundant sql servers.
1- is it normal when sql1 is offline that radius1 goes down? I use radwatch to
restart radius automatically.
2- I use rsync to synchronise the 2 radius servers (accounting, counter and
file configuration).
But when a user has a counter limit the second radius ignores this limit.
why?
Sincerely.







Re: about the time quota

2002-05-15 Thread Kenneth Lee

one more thing, if I need to add a user, what is the profile looks like?
is that enough?

DEFAULT 

.(skipped)

a   Auth-Type := Local, User-Password == "a",
Service-Type = Framed-User,
Framed-Protocol = PPP

Thanks again!

Kenneth


On Wed, 15 May 2002, Kenneth Lee wrote:

>
> Dear all,
>
> I have tried different methods, but still cannot limit the time quota, can
> anyone post a sample configuration so that I can have a test? Really
> thanks very much to all!
>
> Kenneth
>
>
>
> >
> > Well, first of all it worked just great here. Try sending manually an
> > Accounting-Stop with Acct-Session-Time around 100 and see what happens.
> >
> > Now counter-name and check-item are two separate things. The first one is an
> > attribute 'produced' by the counter module when you do a comparison. What
> > happens is that the counter module registers a compare function for that
> > attribute. This function has nothing to do with the counter module authorize
> > function. You could remove it from the authorize section and it would work just
> > great. The check-item is another attribute created by the counter module. This
> > is a check item which should contain the allowed daily/weekly/monthly/whatever
> > session for a user. The idea is to be able to set this limit for each user. You
> > can use it like this:
> >
> > DEFAULT Max-Daily-Session := 14400
> > Fall-Through = Yes
> >
> > --
> > Kostas Kalevras Network Operations Center
> > [EMAIL PROTECTED]  National Technical University of Athens, Greece
> > Work Phone: +30 10 7721861
> > 'Go back to the shadow' Gandalf
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
>





Re: about the time quota

2002-05-15 Thread Kenneth Lee


Dear all,

I have tried different methods, but still cannot limit the time quota, can
anyone post a sample configuration so that I can have a test? Really
thanks very much to all!

Kenneth



>
> Well, first of all it worked just great here. Try sending manually an
> Accounting-Stop with Acct-Session-Time around 100 and see what happens.
>
> Now counter-name and check-item are two separate things. The first one is an
> attribute 'produced' by the counter module when you do a comparison. What
> happens is that the counter module registers a compare function for that
> attribute. This function has nothing to do with the counter module authorize
> function. You could remove it from the authorize section and it would work just
> great. The check-item is another attribute created by the counter module. This
> is a check item which should contain the allowed daily/weekly/monthly/whatever
> session for a user. The idea is to be able to set this limit for each user. You
> can use it like this:
>
> DEFAULT   Max-Daily-Session := 14400
>   Fall-Through = Yes
>
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED]National Technical University of Athens, Greece
> Work Phone:   +30 10 7721861
> 'Go back to the shadow'   Gandalf
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>





about the debug

2002-05-15 Thread Kenneth Lee


dear all,

after reading the source code, I find that there are many DEBUG() and
DEBUG2(), I would like to ask how can I force the program to print this
debug statement our while running?

e.g.:
DEBUG2("rlm_counter: (Check item - counter) is greater than zero");

Thanks a lot!

Kenneth





Group authentication

2002-05-15 Thread Lester Gock-Young

Hi all,

I'm running FreeRadius 0.5 on FreeBSD 4.2, and I'm having some trouble with
UNIX group authentication. This radius server accepts authentication
requests from various sources, and I want to be able to give particular
users access to different systems based on their UNIX group. For instance,
the cfguser group lets netadmins log into Cisco routers.

So I tried:

DEFAULT NAS-Port-Type == Virtual, Group == "cfguser", Auth-Type := System
Service-Type = NAS-Prompt-User

but this doesn't match any users. (I match Cisco telnet logins by checking
NAS-Port-Type.)

Here's the radiusd -X output fragment:

modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "admin"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
  modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.

and the radiusd.conf:

[dispair:/usr/local/etc/raddb]# diff radiusd.conf.sample radiusd.conf
100c100
< group = root
---
> group = wheel
468c468
<   cache = yes
---
>   cache = no
485c485
<   passwd = /etc/passwd
---
>   #passwd = /etc/passwd

the /etc/group file entry:

cfguser:*:100:admin,lester

Is this the right way to do group authentication? Any pointers appreciated.

Thanks,
Lester

