openLDAP & freeRADIUS
Hi All,

As I mentioned before, I have installed LDAP successfully on Linux 7.1 and am able to add users and search the database. On top of that I installed freeradius 5 and followed the instructions "radius authentication using LDAP", but the test command "radtest" always replies with the message "radius_client: no response from the server". Plus I tried to telnet to that server, but also hopeless: "login incorrect".

I'm attaching my configured files. Please, if I missed something or there is an additional step to follow, guide me.

Thanks,
Mazen

Integrated Networks Co.
Tel: 2734474 x 148
Fax: 2734117 x 148
Mob: 054170626
Email: [EMAIL PROTECTED]

Attachments: clients, dictionary, radiusd.conf, slapd.conf, users, logmessages
downloadable ACLs
I see in the Cisco PIX documentation that the PIX firewall supports downloadable ACLs: instead of storing them on the PIX and passing the ACL ID from RADIUS, you can download them by request. Is this something doable with FreeRadius?

-- 
Florin Andrei

Democracy is three wolves and a sheep voting on what to have for dinner.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: proxy and replicate
On Wed, 2002-05-22 at 07:40, Chris Parker wrote:
> proxy server acts as the middle-man. The remote server sees the request
> coming from the proxy server. The only indication the remote server has
> regarding the origin of the request is via the NAS-IP-Address or
> NAS-Identifier. The source IP address of the packet as seen by the remote
> server will be the
>
> The source-ip of the packets they receive will be the ip of proxying
> server. That source-ip is what is used to determine the shared-secret
> to use. If what you are trying to avoid is having to configure all of
> your NAS into the auth servers, then that is how proxy is meant to work.

Yes, this is what I'm trying to do: keep the configuration on the authentication servers simple (no NAS addresses), and do all the gory authorisation stuff with FreeRadius, in MySQL.

Good point about the shared secret too.

There's only one more thing: my authentication Radius servers sit on top of a proprietary one-time-password application that has its own mechanisms to control the authorisation. For each user, it has the so-called "pass-actions" fields, containing the NAS IP addresses that are acceptable for that user. It looks like I have to dig into the documentation and figure out whether the pass-actions are determined based on the source IP of the packets, or based on the NAS-IP-Address field.

If the authentication is done based on the NAS-IP-Address, then I guess I'll configure the proxy to authenticate via PAM, and I'll install and configure the PAM authentication module. This way, I'm sure I'll be able to totally hide the NAS address, no matter what the RFC says. :-)

-- 
Florin Andrei

Democracy is three wolves and a sheep voting on what to have for dinner.
Re: possible to add realm in huntgroup
At 04:49 PM 5/22/2002 -0600, [EMAIL PROTECTED] wrote:
> I'm playing with an idea to try to hide realm information from users,
> basically so I can do things without having to change too much on their
> end. The setup is this:
>
>   NAS -> radius1 (freeradius) -> radius2 (safeword)
>
> At the moment I have it so if you login as [EMAIL PROTECTED] into the NAS,
> radius1 will proxy the authentication request to radius2. This works like
> a champ.
>
> I'd like to be able to drop the @sybase.com for people dialing into the
> NAS, but still be able to proxy them to radius2.

Setup the realm 'sybase.com' as you have now. Add entries to the users file that contain the 'Proxy-To-Realm' attribute. Usage is the same as the 'Replicate-To-Realm' attribute discussed on this list a short time ago.

-Chris
-- 
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
possible to add realm in huntgroup
I'm playing with an idea to try to hide realm information from users, basically so I can do things without having to change too much on their end. The setup is this:

  NAS -> radius1 (freeradius) -> radius2 (safeword)

At the moment I have it so if you login as [EMAIL PROTECTED] into the NAS, radius1 will proxy the authentication request to radius2. This works like a champ.

I'd like to be able to drop the @sybase.com for people dialing into the NAS, but still be able to proxy them to radius2. Something like this on radius1:

  if (from NAS and NAS-Port-Type == Async)
      proxy to radius2
  else
      system authentication locally

I was trying to think of a way of doing this in huntgroups. I know that I can do something like this in huntgroups:

  NAS     NAS-IP-Address == xx.xx.xx.xx, NAS-Port-Type == Async
          User-Name = user

But I don't know if I can use the variable substitution to add something to user, that being @sybase.com, so that after the preprocess step the username is really [EMAIL PROTECTED]

If this can't currently be handled, any suggestions where to start trying to add this?

-jason
Re: Fix for Exec-Program-Wait
I am testing it right now; the only thing I changed is:

  radlog(L_DBG, "Exec-Program: returned: %d", status);

to

  radlog(L_INFO, "Exec-Program: returned: %d", status);

to allow me to quickly watch any problem with the external auth program...

Regards,
Rodrigo Gonzalez.

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 22, 2002 4:05 PM
Subject: Fix for Exec-Program-Wait

> I've just committed a fix to the tree which should *hopefully* fix
> the problem with the server locking up, when using Exec-Program-Wait.
>
> If you're using Exec-Program-Wait, and are willing to test the CVS
> snapshot from tonight, please try it out, and report success/failure
> to the list.
>
> If this change doesn't solve the problem, then there's more work to
> do. If it DOES solve the problem, then it would help enormously to
> know that.
>
> Alan DeKok.
C++ radius client library ...
Hello,

Does anyone know about some C++ based radius client library or C++ wrapper on libradius?

Thank you
EMir Mulabegovic();
Re: Fix for Exec-Program-Wait
Is this the problem that I have been seeing? You mentioned Exec-Program-Wait in prior emails. If so, I'll try this out tonight.

cheers,
john

Quoting Alan DeKok <[EMAIL PROTECTED]>:
> I've just committed a fix to the tree which should *hopefully* fix
> the problem with the server locking up, when using Exec-Program-Wait.
>
> If you're using Exec-Program-Wait, and are willing to test the CVS
> snapshot from tonight, please try it out, and report success/failure
> to the list.
>
> If this change doesn't solve the problem, then there's more work to
> do. If it DOES solve the problem, then it would help enormously to
> know that.
>
> Alan DeKok.

John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
877.716.2002 x 529
---
Anyone could say, "What fantastic and expensive items you have! Oh, how I wish they were mine!" But I have proven my sincerity by going that extra mile and actually robbing you blind.
Fix for Exec-Program-Wait
I've just committed a fix to the tree which should *hopefully* fix the problem with the server locking up, when using Exec-Program-Wait.

If you're using Exec-Program-Wait, and are willing to test the CVS snapshot from tonight, please try it out, and report success/failure to the list.

If this change doesn't solve the problem, then there's more work to do. If it DOES solve the problem, then it would help enormously to know that.

Alan DeKok.
Re: mysql problem?
eh.. I just vacuum radacct.. thx anyway

On Wed, 22 May 2002, Alexandre Strube wrote:
> On Wed, 22 May 2002 16:50:06 +0300 (EEST), Petre L. Daniel wrote:
>
> Was the radiusd stopped? Are you running it with supervise or something
> like that?
> This happens here when radius is not responding on the very same moment
> that the dialup user disconnects, because of the obvious fact that the
> STOP packet is not logged on mysql. Some days ago, I don't know why, both
> supervise and radiusd stopped working at 3am. As the stop packets weren't
> logged, my dialup-admin was a mess. I had to delete all invalid entries...
>
> The quickest way to do this is to remove all lines from sql which have the
> AcctStopTime filled with -00-00 00:00:00
>
> Something like DELETE FROM radacct WHERE AcctStopTime = '-00-00 00:00:00'
>
> As the dialup users will eventually disconnect, the correct stop times
> will be logged and everything will come back to normal.
>
> > heyah.
> > it seems that since some days ago my dialup admin interface shows users
> > that logged off long time ago and doesn't show the new users when the max
> > line is reached.
> > like I think something is not updated and I can't see in real time who's
> > logged in..
> > what could be the problem?
> > thx in advance.
>
> The opinions expressed in this e-mail are strictly personal. My opinion
> does not necessarily represent the opinion of my Moto Group nor of the
> company where I work.
>
> Mene Sakkhet ur-seveh
> Alexandre Ganso - Director, Steel Goose Moto Group
> 6, 7 and 8 September - Steel Goose 10th Anniversary - Ouro Branco - MG
> Red 500 Four
> [EMAIL PROTECTED]
> ICQ# 3778773

-- 
Petre L. Daniel, System Administrator, Canad Systems Pitesti SRL Romania
tel: +4048206200, +4048206201
email: [EMAIL PROTECTED]
http://www.cyber.ro
Re: Sqlcounter.
On Wed, 22 May 2002 07:55:06 -0400, Randy Moore wrote:

> > Hi, I just upgraded Freeradius 0.5 to freeradius-snapshot-20020521.
> > I altered the old radiusd.conf file to reflect some changes, and have
> > included SQLcounter module. I wish to limit access to users on a
> > three-month basis, but only some users, and this 3-month time is
> > individual.
> >
> > What I did:
> > Radiusd.conf
> >   sqlcounter monthlycounter {
> >       counter-name = Monthly-Session-Time
> >       check-name = Max-Monthly-Session
> >       sqlmod-inst = sql
> >       key = User-Name
> >       reset = 3m
> >   }
> >   authorize {
> >       preprocess
> >       suffix
> >       monthlycounter
> >       sql
> >       monthlycounter
> >   }
>
> Since you are defining your Check Item in your SQL database, you should not
> need to include 'monthlycounter' twice. The copy *after* sql is the only
> one you should need.

Ok, I've removed it.

> >   accounting {
> >       acct_unique
> >       sql
> >       radutmp
> >   }
> > The user can log ok if there's nothing on table radcheck about Monthly
> > Sessions. But if I insert a row like
> >   username=surak
> >   attribute=Max-Monthly-Session
> >   value= 200 (Any)
> >   op= ":=" without quotes, obviously
>
> This looks fine.

Anyway, looks like there is something missing somewhere.

> > The radius rejects the user with the following message on debug:
> >   modcall: entering group authorize ()
> >   rlm_sqlcounter: Entering module authorize code
> >   rlm_sqlcounter: Could not find Check item value pair
> >   modcall[authorize]: module "monthlycounter" returns noop
>
> Since you called 'monthlycounter' twice, it should appear twice in the
> debug output. The first time should appear just as it does above because
> the check item has not yet been read from your SQL database. But you don't
> include the logs for the second call. Did they appear? If so what do they
> indicate?

No, this is the only information that appears. Now, with only the second monthlycounter defined on authorize section, the result is the same.

Just to remember: if I drop this row ( surak Max-Monthly-Session 20 := ) from radcheck table, it authorizes the user normally.

Follows the output from radiusd -X. The first is the one which has the row with Max-Monthly-Session. The second output is executed right after it, just dropping the Max-Monthly-Session from radcheck table.

-- First output --

modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "surak"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
radius_xlat: 'surak'
sql_escape in: 'surak'
sql_escape out: 'surak'
sql_set_user: escaped user --> 'surak'
radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = 'surak' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value FROM radgroupcheck,usergroup WHERE usergroup.Username = 'surak' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = 'surak' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = 'surak' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Pairs do not match [surak]
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "monthlycounter" returns noop
modcall: group authorize returns ok
auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.
Delaying request 9 for 1 seconds

-- Second output --

modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "surak"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
radius_xlat: 'surak'
sql_escape in: 'surak'
sql_escape out: 'surak'
sql_set_user: escaped user --> 'surak'
radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = 'surak' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value FROM radgroupcheck,usergroup WHERE usergroup.Username = 'surak' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = 'surak' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,rad
Re: mysql problem?
On Wed, 22 May 2002 16:50:06 +0300 (EEST), Petre L. Daniel wrote:

Was the radiusd stopped? Are you running it with supervise or something like that?

This happens here when radius is not responding on the very same moment that the dialup user disconnects, because of the obvious fact that the STOP packet is not logged on mysql. Some days ago, I don't know why, both supervise and radiusd stopped working at 3am. As the stop packets weren't logged, my dialup-admin was a mess. I had to delete all invalid entries...

The quickest way to do this is to remove all lines from sql which have the AcctStopTime filled with -00-00 00:00:00

Something like DELETE FROM radacct WHERE AcctStopTime = '-00-00 00:00:00'

As the dialup users will eventually disconnect, the correct stop times will be logged and everything will come back to normal.

> heyah.
> it seems that since some days ago my dialup admin interface shows users
> that logged off long time ago and doesn't show the new users when the max
> line is reached.
> like I think something is not updated and I can't see in real time who's
> logged in..
> what could be the problem?
> thx in advance.

The opinions expressed in this e-mail are strictly personal. My opinion does not necessarily represent the opinion of my Moto Group nor of the company where I work.

Mene Sakkhet ur-seveh
Alexandre Ganso - Director, Steel Goose Moto Group
6, 7 and 8 September - Steel Goose 10th Anniversary - Ouro Branco - MG
Red 500 Four
[EMAIL PROTECTED]
ICQ# 3778773
Re: General question
Artur Hecker wrote:
> hi
>
> > > Please change it as below
> > >
> > > artur Auth-Type := System, User-Password == "hello"
> > >       Reply-Message = "Hello, %u"
> > >
> > > Please note the := before System.
> >
> > I asked to change the operator('='), as it was causing the problem,
> > ie User-Password was never being picked up into the config_items.
>
> You mean that the "System" itself just doesn't matter at all in this
> context, don't you? So I can put in what I want? Is it ignored?

Yes. As long as your authorize block contains eap, ie

  authorize { files, eap }

The EAP module overwrites any other Auth-Type with EAP, if present in the authorize block.

> I'm currently trying to analyze what's happening with Ethereal, as you
> advised me. On which link would it be better to use Ethereal? On the
> wireless (between user and client) or on the wired? (between client and
> server?)
>
> I'm currently trying between server and client and I see the following
> in the Ethereal:

Server & Client. Which version of Ethereal are you using? Try the latest one; it can tell you the EAP type and content in the Radius packets.

> ap -> server: Access Request(1) (id=11)
> server -> ap: Accounting challenge(11) (id=11)
> ap -> server: Access Request(1) (id=12)
> server -> ap: Access Reject(3) (id=12)
>
> then a sequence of ignored requests follows:
> ap -> server: Access Request(1) (id=13)
>
> As you know, the second Request is interpreted as a Notification message
> causing the reject...
>
> Which data would be interesting?

RADIUS/EAP data
1. with your old configuration
2. with Auth-Type := EAP

-Raghu
Re: General question
hi

> > Please change it as below
> >
> > artur Auth-Type := System, User-Password == "hello"
> >       Reply-Message = "Hello, %u"
> >
> > Please note the := before System.
>
> I asked to change the operator('='), as it was causing the problem,
> ie User-Password was never being picked up into the config_items.

You mean that the "System" itself just doesn't matter at all in this context, don't you? So I can put in what I want? Is it ignored?

I'm currently trying to analyze what's happening with Ethereal, as you advised me. On which link would it be better to use Ethereal? On the wireless (between user and client) or on the wired? (between client and server?)

I'm currently trying between server and client and I see the following in the Ethereal:

  ap -> server: Access Request(1) (id=11)
  server -> ap: Accounting challenge(11) (id=11)
  ap -> server: Access Request(1) (id=12)
  server -> ap: Access Reject(3) (id=12)

then a sequence of ignored requests follows:

  ap -> server: Access Request(1) (id=13)

As you know, the second Request is interpreted as a Notification message causing the reject...

Which data would be interesting?

Thank you
artur

-- 
Artur Hecker                              Groupe Accès et Mobilité
hecker[at]enst[dot]fr                     Département Informatique et Réseaux
+33 1 45 81 7507                          46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr                 ENST Paris
Re: General question
Artur Hecker wrote:
> hi
>
> > > deciding where to take the password from in the authorize {} section in
> > > radiusd.conf file and to authenticate with the ... appropriate module in
> > > authenticate {} ?
> >
> > The 'unix' module. It's called 'system' for historical reasons.
>
> Why would I do Auth-Type := System for EAP/MD5 then??? That's what Raghu
> said I should do.
> What does Local mean then? "files"?

No. What I meant is, your users file configuration was

> > users:
> >
> > artur Auth-Type = System, User-Password == "hello"
> >       Reply-Message = "Hello, %u"
>
> Please change it as below
>
> artur Auth-Type := System, User-Password == "hello"
>       Reply-Message = "Hello, %u"
>
> Please note the := before System.

I asked to change the operator('='), as it was causing the problem, ie User-Password was never being picked up into the config_items.

-Raghu
Re: Cisco AP 350 to EAP/LDAP...
Please respect the rules of this list and do not include VCF attachments in your posts. Thank you.

At 10:56 AM 5/22/2002, Ricardo Stella <[EMAIL PROTECTED]> wrote:
> So the problem is Radius is sending the wrong attribute back to the AP
> ? That would make sense as to why the AP keeps on retrying to get the
> EAP message from the server. Would just the dictionary be needed to be
> modified ? Where and what to ? Anyone ?
>
> TIA...
>
> Alan DeKok wrote:
> >
> > And in the middle:
> >
> > The Session Key (SK) is sent from RS to AP in the final packet. It
> > is carried in a cisco-avpair vendor specific radius attribute. The
> > value of the attribute is: "leap:session-key=" where is
> > 34 octets of binary data as described in SK below.
> >
> > Yuck. I have vendor-specific extensions to standard protocols.

* Eric Reischer [EMAIL PROTECTED]
"The universe is full of magical things patiently waiting for our wits to grow sharper." -- Eden Phillpots *
Re: General question
> Ok, 'man 5 files' really DOES explain the difference, thank you and
> sorry for bothering.

I meant "man 5 users", sorry.

Artur
Re: General question
hi

> > deciding where to take the password from in the authorize {} section in
> > radiusd.conf file and to authenticate with the ... appropriate module in
> > authenticate {} ?
>
> The 'unix' module. It's called 'system' for historical reasons.

Why would I do Auth-Type := System for EAP/MD5 then??? That's what Raghu said I should do.
What does Local mean then? "files"?

> > Why do we have to use different tokens anyway? Why is "User-Password ==
> > something" during "Auth-Type := something"? Can it be "Auth-Type ==
> > something"? Are those not both just Radius-attributes?
>
> No. The password is a string given by the user, and sent via RADIUS
> to the server.. The Auth-Type is a *control* attribute, which is
> internal to the server, which tells the server how to authenticate the user.

Ok, 'man 5 files' really DOES explain the difference, thank you and sorry for bothering.

> They are. See 'raddb/dictionary', and the comments in it.

ok, got this.

Greetings,
artur

-- 
Artur Hecker                              Groupe Accès et Mobilité
hecker[at]enst[dot]fr                     Département Informatique et Réseaux
+33 1 45 81 7507                          46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr                 ENST Paris
mysql tables in freeradius
Hello,

I am using freeradius-snapshot-20020506 on debian. I want to use mysql for authorize and accounting. I have been using the users file for user/pass and mysql for accounting and now want to move all the users/passes to mysql.

My question is this: if I do not use groups, do I need the tables called radgroupreply, radgroupcheck, and usergroup? Or are they required?

Here is how I have my users file setup, showing the various types of definitions I use:

top of file...

  DEFAULT Auth-Type := Local, Simultaneous-Use := 1
          Fall-Through = Yes

  #Joe Blow
  joe     Password == "blow"
          User-Service-Type = Framed-User,
          Framed-Protocol = PPP

  #John Doe
  john    Password == "doe", Simultaneous-Use := 2
          User-Service-Type = Framed-User,
          Framed-Address = 208.42.21.201,
          Framed-Protocol = PPP

  #Bill Bob
  billy   Password == "bob", Simultaneous-Use := 3
          User-Service-Type = Framed-User,
          Framed-Protocol = PPP

more users with similar info...

I would like to use just the radcheck, radreply, and radacct to make things simple. I have noticed a few posts where people use the radgroupcheck table for the Simultaneous-Use Attribute. I guess I could just make everyone the same group, but I just wondered if anyone had some advice/input into this idea?? It's not that I cannot add those tables, I would just like to make it as simple as possible.

Thanks,
Nick

-- 
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services
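To see concretely what moving the entries above from the users file into radcheck/radreply involves, here is an added example (not part of the post, and not FreeRADIUS code): a small parser for users-file entries, following the layout 'man 5 users' describes (username line with comma-separated check items, indented reply lines), that maps each entry onto (UserName, Attribute, op, Value) rows. It assumes radcheck and radreply tables with an op column, and it keeps the DEFAULT entry apart, since that is the one entry with no per-user row, the part that either the group tables or a copy in every user's rows would have to carry. The sample input is constructed from the entries quoted in the post.

```python
import re

# Constructed sample input: the DEFAULT entry and two of the user entries
# quoted in the post above, laid out the way the users file expects them.
SAMPLE_USERS_FILE = """\
DEFAULT Auth-Type := Local, Simultaneous-Use := 1
        Fall-Through = Yes

#Joe Blow
joe     Password == "blow"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP

#John Doe
john    Password == "doe", Simultaneous-Use := 2
        User-Service-Type = Framed-User,
        Framed-Address = 208.42.21.201,
        Framed-Protocol = PPP
"""

# One 'Attribute op Value' item.  Two-character operators are listed before
# the one-character ones so that '==' and ':=' are not read as '='.
ITEM_RE = re.compile(
    r'^\s*([\w-]+)\s*(==|!=|:=|\+=|>=|<=|=~|!~|=\*|!\*|=|>|<)\s*(.*?)\s*$')


def split_items(text):
    """Split 'a = 1, b == "x,y"' on the commas that are outside double quotes."""
    items, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [item.strip() for item in items if item.strip()]


def parse_item(item):
    """'Password == "blow"' -> ('Password', '==', 'blow'); quotes are removed."""
    match = ITEM_RE.match(item)
    if not match:
        raise ValueError("cannot parse users-file item: %r" % item)
    attr, op, value = match.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_users_file(text):
    """Return one {'name', 'check', 'reply'} dict per entry.

    An entry starts in column 0 with the username and its check items; the
    indented lines that follow carry the reply items (a trailing comma only
    says that more reply items follow).  Blank lines and '#' comments skip.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            name, rest = re.match(r"(\S+)\s*(.*)", line).groups()
            entries.append({"name": name, "reply": [],
                            "check": [parse_item(i) for i in split_items(rest)]})
        elif not entries:
            raise ValueError("reply line before any username line: %r" % line)
        else:
            entries[-1]["reply"].extend(parse_item(i) for i in split_items(line))
    return entries


def to_sql_rows(entries):
    """Map entries to (UserName, Attribute, op, Value) rows for radcheck and
    radreply.  A DEFAULT entry has no per-user row and is returned separately:
    it is the part a group (radgroupcheck/usergroup) or a per-user copy must carry."""
    radcheck, radreply, defaults = [], [], []
    for entry in entries:
        if entry["name"] == "DEFAULT":
            defaults.append(entry)
            continue
        radcheck.extend((entry["name"], a, op, v) for a, op, v in entry["check"])
        radreply.extend((entry["name"], a, op, v) for a, op, v in entry["reply"])
    return radcheck, radreply, defaults


def insert_statements(table, rows):
    """Render rows as INSERT statements; single quotes in values are doubled
    so that a password such as o'neil does not break the statement."""
    def quote(text):
        return text.replace("'", "''")
    return ["INSERT INTO %s (UserName,Attribute,op,Value) VALUES ('%s','%s','%s','%s');"
            % (table, quote(user), quote(attr), quote(op), quote(value))
            for user, attr, op, value in rows]
```

Running `to_sql_rows(parse_users_file(SAMPLE_USERS_FILE))` yields the per-user rows plus the DEFAULT entry on its own, which is the decision point the question above is about.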
Re: Force Gateway profile
You may want to visit http://portmasters.com/tech/docs/manuals.html and take a look at choicenet. I have not used it in a while, but it was designed to provide filtered content on the PM's.

At 09:45 -0500 05/22/2002, Chris Parker wrote:
> At 11:56 AM 5/22/2002 +0200, De Schrijver Peter wrote:
> > Hi !
> >
> > I'd like to set up a profile to force some users to take a
> > certain route (gateway?) to the internet. Other users using the
> > same box (lucent NAS) should be able to take a direct route (other
> > gateway).
> >
> > Purpose is to have an optionally "content filtered" way
> > for the users to surf the net.
> >
> > Is this possible with radius?
>
> Yes, if the appropriate attributes are created and defined by the NAS
> under Vendor-Specific attributes.
>
> You mention Lucent, which means that you should be able to support the
> 'Ascend-IP-Direct' attribute. This sets the 'next-hop' address for traffic
> from the user's session.
>
> IE, if you have your normal gateway at 10.0.0.1, and web proxy server at
> 10.0.0.2, and you want to force certain traffic through the proxy, you would
> return the attribute pair:
>
> Ascend-IP-Direct = 10.0.0.2
>
> for the sessions you want to redirect. You'll need to make sure that you
> have the NAS and the radius server configured the same in terms of VSA vs.
> Vendor-Proprietary.
>
> Further questions should be directed to a support list for the NAS you are
> using, as FreeRADIUS is certainly capable of returning any attribute to
> the NAS. What attributes are required are up to the NAS vendor.
>
> -Chris
> --
> Chris Parker, Director, Engineering
> StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
> Wholesale Internet Services - http://www.megapop.net

-- 
Scott A Silzer
LEAP
Is LEAP supported on FreeRadius? It is my understanding that LEAP is just a type of EAP. I have free-radius compiled and have successfully authenticated using EAP-TLS on LINUX. Unfortunately EAP-TLS is not supported on Windows platforms except XP. Any ideas or suggestions would be greatly appreciated.

Bryan Tolka
West Virginia University
Re: Cisco AP 350 to EAP/LDAP...
Ricardo Stella <[EMAIL PROTECTED]> wrote:
> So the problem is Radius is sending the wrong attribute back to the
> AP?

Sort of. The RADIUS server is trying to talk EAP, and the AP is trying to talk LEAP. Never the twain shall meet.

> That would make sense as to why the AP keeps on retrying to get the
> EAP message from the server. Would just the dictionary be needed to be
> modified ? Where and what to ? Anyone ?

No. You've got to create code in the server:

  src/modules/rlm_eap/types/rlm_eap_leap

which will handle the LEAP protocol. See:

  http://www.missl.cs.umd.edu/wireless/ethereal/leap.txt

for a clearer description.

Alan DeKok.
Re: Cisco AP 350 to EAP/LDAP...
So the problem is Radius is sending the wrong attribute back to the AP ? That would make sense as to why the AP keeps on retrying to get the EAP message from the server. Would just the dictionary be needed to be modified ? Where and what to ? Anyone ?

TIA...

Alan DeKok wrote:
>
> And in the middle:
>
> The Session Key (SK) is sent from RS to AP in the final packet. It
> is carried in a cisco-avpair vendor specific radius attribute. The
> value of the attribute is: "leap:session-key=" where is
> 34 octets of binary data as described in SK below.
>
> Yuck. I have vendor-specific extensions to standard protocols.
RE: IPPOOL is not giving all the ip addresses.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kostas Kalevras
Sent: Wednesday, May 22, 2002 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:
> > Forgot to mention, I am running radiusd -X > radius.log
>
> Stupid question. Is the ippool module listed in the accounting section in
> radiusd.conf?
> The accounting packet should be an accounting stop for a nas/port
> combination that has an allocated ip assigned to it.

Yes it is. The ippool module is called 'arecibo' and it's in both authorize and accounting. For example, when I started radiusd this morning the first IP to be assigned was 196.12.182.73. Then radiusd got the Acct-Status-Type = Stop for 196.12.182.73 and it said

  modcall[accounting]: module "arecibo" returns ok

But no deallocating was done.
Re: Force Gateway profile
At 11:56 AM 5/22/2002 +0200, De Schrijver Peter wrote:
> Hi !
>
> I'd like to set up a profile to force some users to take a
> certain route (gateway?) to the internet. Other users using the same box
> (lucent NAS) should be able to take a direct route (other gateway).
>
> Purpose is to have an optionally "content filtered" way for the
> users to surf the net.
>
> Is this possible with radius?

Yes, if the appropriate attributes are created and defined by the NAS under Vendor-Specific attributes.

You mention Lucent, which means that you should be able to support the 'Ascend-IP-Direct' attribute. This sets the 'next-hop' address for traffic from the user's session.

IE, if you have your normal gateway at 10.0.0.1, and web proxy server at 10.0.0.2, and you want to force certain traffic through the proxy, you would return the attribute pair:

  Ascend-IP-Direct = 10.0.0.2

for the sessions you want to redirect. You'll need to make sure that you have the NAS and the radius server configured the same in terms of VSA vs. Vendor-Proprietary.

Further questions should be directed to a support list for the NAS you are using, as FreeRADIUS is certainly capable of returning any attribute to the NAS. What attributes are required are up to the NAS vendor.

-Chris
-- 
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: PPPoE: auth+acct via PAM
Ilja A Marchew <[EMAIL PROTECTED]> wrote:
> I use rp-pppoe to serve PPPoE users. Well, I think using FR with it is a good
> idea, but cannot imagine which lines in /etc/pam.d/ppp I need. Is it
> right that libpam-freeradius-auth

There is no such thing. There *is* the pam_radius_auth module, but that's
probably different.

> cannot help my efforts to log time/traffic for users in FR's base?
> It only authorizes?

No, it does accounting too. List it in the 'session' section of the
configuration file, and it will send accounting packets to the RADIUS server.

Alan DeKok.
Re: proxy and replicate
At 05:14 PM 5/21/2002 -0700, Florin Andrei wrote:
>What's the difference between proxy and replicate?
>
>I mean, i think i know what it is, but i'm not sure:
>- replicate means, rebuild the request and send it to the authentication
>Radius server; the authentication server sees the request as coming from
>the original NAS (and therefore might apply its own authorisation rules
>based on IPs)
>- proxy means, strip the request from every reference to the initial IP
>of the NAS, and send it to the authentication Radius server; the
>authentication server sees all proxied requests as coming from the
>FreeRadius machine (thinks FreeRadius is the NAS)
>
>Is that correct?

Not quite. :)

Proxy - The request cannot be completed locally and must be sent to another
server ( and a response received from the other server ) for handling. The
proxy server acts as the middle-man. The remote server sees the request
coming from the proxy server. The only indication the remote server has
regarding the origin of the request is via the NAS-IP-Address or
NAS-Identifier. The source IP address of the packet as seen by the remote
server will be the

   An Access-Request SHOULD contain a User-Name attribute. It MUST
   contain either a NAS-IP-Address attribute or a NAS-Identifier
   attribute (or both).

In proxy-mode the proxying server waits for a reply from the remote server
before sending a reply to the NAS.

Replication - done the same as proxying, but the remote server's response is
not used. Replication allows you to send the same data ( say an accounting
packet ) to multiple remote servers. This can be done to keep accounting data
in synch ( or attempt to ).

>If there is such a difference, how do i trigger one or the other
>behaviour?

The normal behaviour when using a realm is to proxy. You can also cause the
server to replicate a packet using the 'Replicate-To-Realm := foobar'
attribute.

>I ask this because i need to trick my authentication Radius servers into
>thinking that the original source of all requests are the Radius
>proxies.

The source-ip of the packets they receive will be the ip of the proxying
server. That source-ip is what is used to determine the shared-secret to use.
If what you are trying to avoid is having to configure all of your NAS into
the auth servers, then that is how proxy is meant to work.

>My authentication servers need to know nothing about the IP addresses of
>the NASes (i need to "hide" the NAS from the authentication server,
>using a proxy, and do all IP-based authorisation in the proxies). Is
>that doable with FreeRadius?

The authentication will know the NAS identifiers/ips as stated above. It is a
requirement of the RFC that these attributes are present. I suppose the
proxying server could re-write those to contain its own IP; I'm not certain
that would be a violation of the RFC in letter. That is not something the
server does currently, so you'd have to patch it to do that if that's really
what you want.

-Chris

--
Chris Parker, Director, Engineering, StarNet Inc.
WX *is* Wireless! http://www.starnetwx.net  (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
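The two points Chris makes above, that the home server picks its shared secret by the *source IP* it sees (the proxy's) while the mandatory NAS-IP-Address attribute still travels inside the packet, can be shown end to end with a small RFC 2865 encoder. This is an added example written for this thread, not FreeRADIUS code: the NAS/proxy addresses, user, shared secrets and clients tables are constructed values, and the proxy step is simplified (no Proxy-State attribute, no request-id tracking). The User-Password hiding and the packet layout follow RFC 2865 as written.

```python
"""Added example (not from the thread or FreeRADIUS): what a RADIUS proxy
changes, and what it leaves alone, in an Access-Request.  Addresses,
secrets and the user are constructed sample values."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
# Attribute types from RFC 2865
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed: each server keys shared secrets by the source IP it sees.
# The proxy's clients table knows the NAS; the home server's knows only
# the proxy, which is exactly the "hide the NAS" setup under discussion.
NAS_IP, PROXY_IP = "10.50.2.1", "10.0.0.10"
PROXY_CLIENTS = {NAS_IP: b"nas-secret"}      # proxy's clients file
HOME_CLIENTS = {PROXY_IP: b"proxy-secret"}   # home server's clients file


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), the first 'previous block' being the
    Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password.  A wrong secret yields garbage, not an error,
    so a proxy must know which secret applies before forwarding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(user: str, password: str, nas_ip: str, secret: bytes) -> bytes:
    """The packet a NAS sends.  NAS-IP-Address is mandatory (RFC 2865 4.1),
    which is why the home server learns the NAS address from it even when
    the UDP source is the proxy."""
    authenticator = os.urandom(16)
    attrs = (encode_attr(USER_NAME, user.encode())
             + encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + encode_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attrs(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def proxy_forward(packet: bytes, src_ip: str) -> bytes:
    """Proxy step: recover the password with the secret for the NAS source IP,
    then rebuild the request under the secret shared with the home server.
    NAS-IP-Address is copied through unchanged (the server does not rewrite
    it, as the thread says)."""
    attrs = parse_attrs(packet)
    clear = unhide_password(attrs[USER_PASSWORD], PROXY_CLIENTS[src_ip], packet[4:20])
    return build_access_request(attrs[USER_NAME].decode(), clear.decode(),
                                socket.inet_ntoa(attrs[NAS_IP_ADDRESS]),
                                HOME_CLIENTS[PROXY_IP])


def home_server_view(packet: bytes, src_ip: str) -> dict:
    """What the home server sees: source IP selects the secret and is the
    proxy's, but the NAS-IP-Address attribute still names the real NAS."""
    attrs = parse_attrs(packet)
    clear = unhide_password(attrs[USER_PASSWORD], HOME_CLIENTS[src_ip], packet[4:20])
    return {"source_ip": src_ip,
            "nas_ip_attr": socket.inet_ntoa(attrs[NAS_IP_ADDRESS]),
            "password": clear.decode(errors="replace")}
```

Running `home_server_view(proxy_forward(pkt, NAS_IP), PROXY_IP)` on a packet built for the NAS shows `source_ip` as the proxy and `nas_ip_attr` still as 10.50.2.1, and the NAS's own secret no longer decodes the forwarded User-Password, which is the shared-secret point made above.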
mysql problem?
heyah. it seems that since some days ago my dialup admin interface shows users
that logged off a long time ago and doesn't show the new users when the max
line is reached. like i think something is not updated and i can't see in real
time who's logged in.. what could be the problem? thx in advance.

--
Petre L. Daniel, System Administrator, Canad Systems Pitesti SRL Romania
tel: +4048206200, +4048206201
email: [EMAIL PROTECTED]
http://www.cyber.ro
RE: IPPOOL is not giving all the ip addresses.
On Wed, 22 May 2002, Abel Alejandro wrote:
> Forgot to mention, I am running radiusd -X > radius.log

Stupid question. Is the ippool module listed in the accounting section in
radiusd.conf? The accounting packet should be an accounting stop for a
nas/port combination that has an allocated ip assigned to it.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow'  Gandalf
RE: IPPOOL is not giving all the ip addresses.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kostas Kalevras
Sent: Wednesday, May 22, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:
>> Okay one more thing I got now from the logs. Right now I have rm -rf the
>> db*
>> And restarted radiusd, a (cmd: cat radius.log | grep "= Stop" | wc -l)
>> reports 66 stop's, but I don't see a "rlm_ippool: Deallocated entry for
>> ip/port:" not even one in the radius.log
>>
>> It seems radiusd can not deallocate ip's?
> That is a debugging message and it will not normally show up in the radius.log

Forgot to mention, I am running radiusd -X > radius.log
RE: IPPOOL is not giving all the ip addresses.
On Wed, 22 May 2002, Abel Alejandro wrote:
> Okay one more thing I got now from the logs. Right now I have rm -rf the
> db*
> And restarted radiusd, a (cmd: cat radius.log | grep "= Stop" | wc -l)
> reports 66 stop's, but I don't see a "rlm_ippool: Deallocated entry for
> ip/port:" not even one in the radius.log
>
> It seems radiusd can not deallocate ip's?

That is a debugging message and it will not normally show up in the radius.log

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow'  Gandalf
RE: IPPOOL is not giving all the ip addresses.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kostas Kalevras
Sent: Wednesday, May 22, 2002 9:06 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:
>> IPPOOL seems that it cannot give all the ip addresses on the range,
>> it starts giving addresses but if there are 50 ip's it only gives 10.
> Hmm, from what i tested right now it will give out all the ips.

Okay one more thing I got now from the logs. Right now I have rm -rf the db*
And restarted radiusd, a (cmd: cat radius.log | grep "= Stop" | wc -l)
reports 66 stop's, but I don't see a "rlm_ippool: Deallocated entry for
ip/port:" not even one in the radius.log

It seems radiusd can not deallocate ip's?
Re: IPPOOL is not giving all the ip addresses.
On Wed, 22 May 2002, Abel Alejandro wrote:
> IPPOOL seems that it cannot give all the ip addresses on the range,
> it starts giving addresses but if there are 50 ip's it only gives 10.

Hmm, from what i tested right now it will give out all the ips.

> FreeBSD 4.5-STABLE running Freeradius from of 19/05/02 (cvs).
>
> ippool arecibo {
>         session-db = ${dbdir}/arecibo.db
>         ip-index = ${dbdir}/arecibo-ip.db
>         range-start = 196.12.182.65
>         range-stop = 196.12.182.121
>         netmask = 255.255.255.192
>         cache-size = 1024
> }
>
> That is the configuration for the ippool, it runs fine, it assigns addresses
> and everything looks okay.
> However, looking at it in debug mode, I see a not very normal behaviour. It
> starts giving the addresses in random sequence; for example, instead of first
> assigning 196.12.182.65 it gives 196.12.182.73 (first time, with virgin db).

That has to do with the gdbm library. The db is not a linked list but a hash
and there isn't any way to tell how they will be ordered inside the file.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow'  Gandalf

> I modified rlm_ippool.c to be a little more verbose, and on the creation of
> the database it does create the ip address list in order. Like this:
>
> Adding IP 196.12.182.65 state 0
> Adding IP 196.12.182.66 state 0
> Adding IP 196.12.182.67 state 0
> Adding IP 196.12.182.68 state 0
>
> Until it reaches 196.12.182.121 (which is correct.)
>
> On the other hand, when looking for an ip address (virgin db, all ips are
> supposed to be state 0) it searches them in random order. Like this:
>
> rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/3328
> Found IP 196.12.182.114 state 1
> Found IP 196.12.182.82 state 0
>
> It started with 114 then jumped back to 82.
Re: Sqlcounter.
At 07:32 PM 5/21/2002 -0300, you wrote:
>Hi, I just upgraded Freeradius 0.5 to freeradius-snapshot-20020521.
>I altered the old radiusd.conf file to reflect some changes, and have
>included SQLcounter module. I wish to limit access to users on a
>three-month basis, but only some users, and this 3-month time is
>individual.
>
>What I did:
>Radiusd.conf
> sqlcounter monthlycounter {
>         counter-name = Monthly-Session-Time
>         check-name = Max-Monthly-Session
>         sqlmod-inst = sql
>         key = User-Name
>         reset = 3m
> }
> authorize {
>         preprocess
>         suffix
>         monthlycounter
>         sql
>         monthlycounter
> }

Since you are defining your Check Item in your SQL database, you should not
need to include 'monthlycounter' twice. The copy *after* sql is the only one
you should need.

>accounting {
>         acct_unique
>         sql
>         radutmp
>}
>
>The user can log in ok if there's nothing in table radcheck about Monthly
>Sessions. But if I insert a row like
>username=surak
>attribute=Max-Monthly-Session
>value= 200 (Any)
>op= ":=" without quotes, obviously

This looks fine.

>The radius rejects the user with the following message on debug:
>modcall: entering group authorize
>  modcall[authorize]: module "preprocess" returns ok
>  rlm_realm: Looking up realm NULL for User-Name = "surak"
>  rlm_realm: No such realm NULL
>  modcall[authorize]: module "suffix" returns noop
>rlm_sqlcounter: Entering module authorize code
>rlm_sqlcounter: Could not find Check item value pair
>  modcall[authorize]: module "monthlycounter" returns noop

Since you called 'monthlycounter' twice, it should appear twice in the debug
output. The first time should appear just as it does above because the check
item has not yet been read from your SQL database. But you don't include the
logs for the second call. Did they appear? If so what do they indicate?

Randy Moore
Axion Information Technologies, Inc.
email [EMAIL PROTECTED]
phone 301-408-1200
fax   301-445-3947
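Randy's point about module order (a sqlcounter placed before `sql` cannot see a check item that `sql` has not loaded yet, so it is a noop) and the counter check itself can be made concrete with a small simulation. This is an added example for the thread, not rlm_sqlcounter's code: the accounting rows, the `radcheck` value and the user name are constructed, and the alignment of `reset = 3m` periods to calendar quarters counted from January is this example's assumption, not a statement about how FreeRADIUS computes it.

```python
"""Added example, not rlm_sqlcounter's own code: the check a sqlcounter
instance performs in authorize, and why its position relative to 'sql'
matters.  Accounting rows and the check item are constructed values; the
'Nm' period alignment is an assumption of this example."""
from datetime import datetime

# Constructed radacct rows: (username, session start as ISO date, acctsessiontime in seconds)
RADACCT = [
    ("surak", "2002-02-10", 3600),
    ("surak", "2002-04-01", 7200),
    ("surak", "2002-05-20", 100),
    ("other", "2002-05-20", 999999),
]

# Constructed radcheck row, modelled on the thread: Max-Monthly-Session := 200
RADCHECK = {"surak": 200}


def period_start(now_iso: str, reset: str) -> str:
    """Start of the current counting period for 'reset = Nm'.
    Assumption: periods are N calendar months long and aligned to January,
    so '3m' gives Jan/Apr/Jul/Oct boundaries.  Returns an ISO date string."""
    if not reset.endswith("m"):
        raise ValueError("only the Nm (months) form is modelled here")
    now = datetime.fromisoformat(now_iso)
    n = int(reset[:-1])
    first_month = ((now.month - 1) // n) * n + 1
    return datetime(now.year, first_month, 1).date().isoformat()


def counter_authorize(user: str, check_items: dict, now_iso: str, reset: str = "3m"):
    """One sqlcounter call.  check_items holds the check items already loaded
    for this request.  Returns ('noop', used) when the check-name is absent
    (the 'Could not find Check item value pair' debug line), ('ok', used)
    when usage in the current period is under the limit, else ('reject', used)."""
    limit = check_items.get(user)
    since = period_start(now_iso, reset)
    # ISO dates compare correctly as strings, so no parsing is needed here
    used = sum(t for u, start, t in RADACCT if u == user and start >= since)
    if limit is None:
        return ("noop", used)
    return ("ok", used) if used < limit else ("reject", used)


def authorize_order(modules: list, user: str, now_iso: str) -> list:
    """Simplified authorize section.  'sql' loads the user's check items from
    RADCHECK; a 'monthlycounter' listed before 'sql' sees none and is a noop,
    so only the copy after sql does any checking."""
    loaded, results = {}, []
    for m in modules:
        if m == "sql":
            if user in RADCHECK:
                loaded[user] = RADCHECK[user]
            results.append(("sql", "ok"))
        elif m == "monthlycounter":
            results.append(("monthlycounter", counter_authorize(user, loaded, now_iso)[0]))
    return results
```

With the constructed rows, `authorize_order(["monthlycounter", "sql", "monthlycounter"], "surak", "2002-05-22")` gives noop for the first counter call, ok for sql, and then the real verdict from the second call, which is the sequence Randy asks the poster to look for in the debug output.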
IPPOOL is not giving all the ip addresses.
IPPOOL seems that it cannot give all the ip addresses on the range, it starts
giving addresses but if there are 50 ip's it only gives 10.

FreeBSD 4.5-STABLE running Freeradius from of 19/05/02 (cvs).

ippool arecibo {
        session-db = ${dbdir}/arecibo.db
        ip-index = ${dbdir}/arecibo-ip.db
        range-start = 196.12.182.65
        range-stop = 196.12.182.121
        netmask = 255.255.255.192
        cache-size = 1024
}

That is the configuration for the ippool, it runs fine, it assigns addresses
and everything looks okay. However, looking at it in debug mode, I see a not
very normal behaviour. It starts giving the addresses in random sequence; for
example, instead of first assigning 196.12.182.65 it gives 196.12.182.73
(first time, with virgin db).

I modified rlm_ippool.c to be a little more verbose, and on the creation of
the database it does create the ip address list in order. Like this:

Adding IP 196.12.182.65 state 0
Adding IP 196.12.182.66 state 0
Adding IP 196.12.182.67 state 0
Adding IP 196.12.182.68 state 0

Until it reaches 196.12.182.121 (which is correct.)

On the other hand, when looking for an ip address (virgin db, all ips are
supposed to be state 0) it searches them in random order. Like this:

rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/3328
Found IP 196.12.182.114 state 1
Found IP 196.12.182.82 state 0

It started with 114 then jumped back to 82.
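Two things from this thread are worth seeing in code: Kostas's explanation that a gdbm-backed pool has no usable order (so "first free" means "first in hash order" unless the allocator sorts), and his reminder that an Acct-Stop only releases an address when its nas/port pair matches the one recorded at allocation, which is the silent "module returns ok but nothing deallocated" case. The block below is an added example written for this thread, not rlm_ippool's code; the address range and the nas/port values are the poster's, the seeded shuffle standing in for gdbm's hash order is constructed.

```python
"""Added example, not rlm_ippool's own code: a small address pool showing
hash-order allocation and the nas/port matching rule for accounting stops.
The range and nas/port values are taken from the thread; the shuffle that
stands in for gdbm's hash order is constructed."""
import ipaddress
import random


def build_pool(range_start: str, range_stop: str) -> dict:
    """Per-address state, like the 'Adding IP ... state 0' lines: every address
    starts free (state 0) with no nas/port owner."""
    start = int(ipaddress.IPv4Address(range_start))
    stop = int(ipaddress.IPv4Address(range_stop))
    return {str(ipaddress.IPv4Address(i)): {"state": 0, "nas": None, "port": None}
            for i in range(start, stop + 1)}


def hash_order(pool: dict) -> list:
    """Stand-in for gdbm's iteration order: a hash table walks its buckets,
    not the insertion sequence.  Constructed here as a seeded shuffle; real
    gdbm order depends on its hash function, which is Kostas's point."""
    keys = list(pool)
    random.Random(2002).shuffle(keys)
    return keys


def allocate(pool: dict, nas: str, port: int, ordered: bool = False):
    """Hand out the first free address and record its nas/port owner.
    ordered=False walks in hash order (the '.73 handed out first' observation);
    ordered=True sorts numerically, which a deterministic allocator must do
    explicitly.  Returns None when the pool is exhausted."""
    if ordered:
        keys = sorted(pool, key=lambda k: int(ipaddress.IPv4Address(k)))
    else:
        keys = hash_order(pool)
    for ip in keys:
        if pool[ip]["state"] == 0:
            pool[ip] = {"state": 1, "nas": nas, "port": port}
            return ip
    return None


def account_stop(pool: dict, nas: str, port: int):
    """Release the address owned by exactly this nas/port pair.  A Stop whose
    NAS-IP-Address or NAS-Port differs from the allocation frees nothing and
    returns None, so the address stays allocated even though the module can
    still report 'ok' for the packet."""
    for ip, entry in pool.items():
        if entry["state"] == 1 and entry["nas"] == nas and entry["port"] == port:
            pool[ip] = {"state": 0, "nas": None, "port": None}
            return ip
    return None


def free_count(pool: dict) -> int:
    return sum(1 for e in pool.values() if e["state"] == 0)
```

Allocating 57 times in hash order still hands out every address in the .65 to .121 range, which matches Kostas's "it will give out all the ips"; the order is simply not numeric. A Stop sent with the right NAS but a different port leaves `free_count` unchanged, which is the behaviour to look for in the debug output when stops appear to be ignored.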
two radius servers with rlm_counter modules
Dear Kenneth

1. The rlm_counter is written using the gdbm interface to access the data
file "db.counter". You may write code to synchronize. You may also try
"rsync" (http://rsync.samba.org) or scp to update the data file.

3. The reset action is done at the beginning of each login session. When a
user logs in, freeradius resets the user's counter record if needed. When the
user logs off, freeradius updates the session usage to the counter database.

Daniel Yeung
Force Gateway profile
Hi !

I'd like to set up a profile to force some users to take a certain route
(gateway?) to the internet. Other users using the same box (lucent NAS)
should be able to take a direct route (other gateway).

Purpose is to have an optionally "content filtered" way for the users to
surf the net.

Is this possible with radius?

Cu
Pete
Re: PPPoE: auth+acct via PAM
Ilja:

I am sorry. I can't answer your question, because I'm a beginner at RADIUS.
I don't know your problem. 8) Good luck!

boyknight
mailto:[EMAIL PROTECTED]

- Original Message -
From: "Ilja A Marchew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 22, 2002 4:33 PM
Subject: PPPoE: auth+acct via PAM

> Hello freeradius-users.
>
> I use rp-pppoe to serve PPPoE users. Well, I think using FR with it is a good
> idea, but cannot imagine which lines in /etc/pam.d/ppp I need. Is it
> right that libpam-freeradius-auth cannot help my efforts to log
> time/traffic for users in FR's base? It only authorizes? Any
> ideas/solutions to my problem? Thank you and sorry for my english.
>
> ---
> With respect,
> Ilja mailto:[EMAIL PROTECTED]
PPPoE: auth+acct via PAM
Hello freeradius-users.

I use rp-pppoe to serve PPPoE users. Well, I think using FR with it is a good
idea, but cannot imagine which lines in /etc/pam.d/ppp I need. Is it right
that libpam-freeradius-auth cannot help my efforts to log time/traffic for
users in FR's base? It only authorizes? Any ideas/solutions to my problem?
Thank you and sorry for my english.

---
With respect,
Ilja mailto:[EMAIL PROTECTED]