SQL reading as user DEFAULT

2002-05-28 Thread Erich Zigler

modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "attr_filter" returns noop
  modcall[authorize]: module "suffix" returns ok
radius_xlat:  '[EMAIL PROTECTED]'
sql_escape in:  '[EMAIL PROTECTED]'
sql_escape out:  '[EMAIL PROTECTED]'
sql_set_user:  escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username 
= '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
query: SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = 
'[EMAIL PROTECTED]' ORDER BY id
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
sql_escape in:  'DEFAULT'
sql_escape out:  'DEFAULT'
sql_set_user:  escaped user --> 'DEFAULT'

I'm running Freeradius v0.5 on a FreeBSD machine. 

Where is it getting DEFAULT from? 

-- 
Well aren't we just a ray of fucking sunshine?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Problem with ld

2002-05-28 Thread Динар

Hello all,
I know that this problem was discussed many times. But again I want to
ask a question.
I'm trying to compile freeradius on an OpenBSD machine,
but the postgresql module doesn't work.
It says make sure that rlm_postgresql is in your ld path.
I manually set the ld path to the location of that file, but it still
doesn't work.

Has anybody compiled freeradius on an OpenBSD machine with postgresql?

On a Linux machine I don't have any problem with the system ld path.
What can be wrong?


-- 
Best regards,
Dinar  mailto:[EMAIL PROTECTED]






Ascend-Data-Filter issue

2002-05-28 Thread Eric Reischer

Hi all.  I'm using the 0.5 release on a Linux machine, and I can't seem to 
get the Ascend-Data-Filter attribute to function properly.  If I put two 
lines such as:
DEFAULT Auth-Type := ldap
Framed-Protocol = PPP,

Ascend-Data-Filter = "generic in drop 0 0 0",
Ascend-Data-Filter = "generic out drop 0 0 0"
freeradius loads properly, but obviously I can't transfer any data once I 
connect because the filters are blocking all incoming and outgoing 
traffic.  But my original intent was to only allow users to connect to our 
web server, specified here as 192.168.0.5 (the second two lines are for the 
DNS service):
[226]   Ascend-Data-Filter = "ip in forward dstip 192.168.0.5/24 tcp dstpost 
= 80",
[227]   Ascend-Data-Filter = "ip out forward dstip 192.168.0.5/24 tcp srcpost 
= 80 1",
[228]   Ascend-Data-Filter = "ip in forward dstip 192.168.0.15/24 tcp dstpost 
= 53",
[229]   Ascend-Data-Filter = "ip out forward dstip 192.168.0.15/24 tcp 
srcpost = 53 1",
(I put in the line numbers here to follow the error more easily).  And I'd put 
these attributes where the  entry is above.  However 
with these entries in /raddb/users I get the error:
Tue May 28 23:35:35 2002 : Error: //etc/raddb/users[227]: Syntax error: 
Previous line is missing a trailing comma for entry DEFAULT

So I did some troubleshooting and commented out all but one of the ip 
filters, and still got the error.  The only way I got the error message to 
go away was by deleting all of the string except for the "ip in 
forward" part.  As soon as I put in "dstip" it gave me that syntax error 
again.  So I went into the dictionary.ascend file and looked at the 
Ascend-Data-Filter data type, which was set to abinary, so I tried changing 
that to type string, and radiusd loaded fine with no syntax errors, but 
obviously the Ascend Max I'm using didn't like the data it got as part of 
the radius reply.  Is there some flaw in the abinary data type that's 
misinterpreting the data filter as syntax errors?

Any help would be greatly appreciated.

Eric

*
Eric Reischer [EMAIL PROTECTED]
"The universe is full of magical things patiently
waiting for our wits to grow sharper."  -- Eden Phillpots
*
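Eric's filter strings above, and the "dstport = 25" entries in the Ascend-Data-Filter thread later on this page, are the text form of the attribute. As an added check, not code from any post here or from FreeRADIUS, a validator for a simplified version of that grammar; the grammar it accepts is an assumption, the sample lines are constructed from the thread, and it flags both unknown keywords and a /24 mask applied to a single host address:

```python
import ipaddress

# Simplified Ascend-Data-Filter "ip" grammar (assumption, not the real
# FreeRADIUS abinary parser):
#   ip <in|out> <forward|drop> [srcip A.B.C.D/nn] [dstip A.B.C.D/nn]
#      [tcp|udp|icmp|ospf|<proto-number>] [srcport OP N] [dstport OP N] [est]
DIRECTIONS = {"in", "out"}
ACTIONS = {"forward", "drop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ospf"}
PORT_OPS = {"<", "=", ">", "!="}


class FilterError(ValueError):
    """Raised with the offending token so the user sees *which* word is wrong."""


def parse_ip_filter(text):
    """Parse one filter string into a dict, or raise FilterError."""
    toks = text.split()
    if len(toks) < 3 or toks[0] != "ip":
        raise FilterError("expected 'ip <in|out> <forward|drop> ...'")
    if toks[1] not in DIRECTIONS:
        raise FilterError("bad direction %r" % toks[1])
    if toks[2] not in ACTIONS:
        raise FilterError("bad action %r" % toks[2])
    rule = {"dir": toks[1], "action": toks[2], "proto": None, "srcip": None,
            "dstip": None, "srcport": None, "dstport": None, "est": False,
            "warnings": []}
    i = 3
    while i < len(toks):
        t = toks[i]
        if t in ("srcip", "dstip"):
            if i + 1 >= len(toks):
                raise FilterError("%s needs an address" % t)
            try:
                net = ipaddress.ip_network(toks[i + 1], strict=False)
            except ValueError:
                raise FilterError("bad address after %s: %r" % (t, toks[i + 1]))
            # "192.168.0.5/24" really means the whole 192.168.0.0/24, which is
            # far broader than one web server; flag it instead of silently accepting.
            if str(net) != toks[i + 1]:
                rule["warnings"].append("%s %s covers %s" % (t, toks[i + 1], net))
            rule[t] = net
            i += 2
        elif t in ("srcport", "dstport"):
            if (i + 2 >= len(toks) or toks[i + 1] not in PORT_OPS
                    or not toks[i + 2].isdigit()):
                raise FilterError("%s needs '<op> <number>'" % t)
            rule[t] = (toks[i + 1], int(toks[i + 2]))
            i += 3
        elif t in PROTOCOLS or t.isdigit():
            rule["proto"] = t
            i += 1
        elif t == "est":
            rule["est"] = True
            i += 1
        else:
            raise FilterError("unknown keyword %r at token %d" % (t, i))
    return rule


def check_filters(lines):
    """Return [(line, message)] for every line that does not parse.  Run it over
    the filter strings before radiusd does, so the complaint names the bad token
    instead of a generic syntax error reported on the following line."""
    problems = []
    for line in lines:
        try:
            parse_ip_filter(line)
        except FilterError as e:
            problems.append((line, str(e)))
    return problems


# Constructed from the thread: the first line spells the port keyword the way the
# later posts do, the second uses "dstpost" as in Eric's users file.
SAMPLE = [
    "ip in forward dstip 192.168.0.5/24 tcp dstport = 80",
    "ip in forward dstip 192.168.0.5/24 tcp dstpost = 80",
    "ip in drop tcp dstport = 25",
]

if __name__ == "__main__":
    for line, msg in check_filters(SAMPLE):
        print("REJECT %-55s %s" % (line, msg))
    print(parse_ip_filter(SAMPLE[0])["warnings"])
```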





Re: Authorization via LDAP & Authentication via PAM

2002-05-28 Thread Michael Fuller

Hi all,

I am trying to get both authentication and authorisation through LDAP. While
authentication works, authorisation still evades me. Ideas, anybody?

Regards,
Michael Fuller

- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 28, 2002 5:14 PM
Subject: Re: Authorization via LDAP & Authentication via PAM


> On Tue, 28 May 2002, Allister Maguire wrote:
>
> > Hello,
> >
> > I have got this working by setting:
> >
> > DEFAULT Auth-Type := pam
> > Fall-Through = 1
> >
> > In the users file.
> >
> > I also want to restrict dialin access to certain ldap users, so I
> > changed the ldap filter:
> >
> > filter = "(&(uid=%u)(msNPAllowDialin=TRUE))"
> >
> > In the ldap {} module.
> >
> > Only problem is if I set msNPAllowDialin=FALSE, they still get a
> > Access-Accept because the files, pam module return ok (I think).
>
> You could also use the access_attr configuration directive. Then the
> module will return reject (well actually userlock) instead of notfound.
>
> >
> >
> >
> >   modcall[authorize]: module "ldap" returns notfound
> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type pam
> > auth: type "Pam"
> > modcall: entering group authenticate
> > pam_pass: using pamauth string  for pam.conf lookup
> > pam_pass: authentication succeeded for 
> >   modcall[authenticate]: module "pam" returns ok
> > modcall: group authenticate returns ok
> > Sending Access-Accept of id 1 to 127.0.0.1:32826
> > Finished request 1
> > Going to the next request
> > Thread 2 waiting to be assigned a request
> >
> >
> > How many need to fail, for the Access-Request to fail?
>
> Check out the doc/configurable_failover. You could do something like this
> in your authorize section:
>
> authorize{
> ldap{
> notfound = return
> }
> [...]
> }
>
> Hope it helps
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>



Release Schedule

2002-05-28 Thread Giovanni P. Tirloni

Hi,

 Does FreeRADIUS have a release schedule?

- Giovanni




Re: cannot login for the third times (a new bug?) (fwd)

2002-05-28 Thread Kenneth Lee



Alan,

I find that the new CVS is not able to recognize the Group == "" in the
users file. Below is my users file content:

DEFAULT Simultaneous-Use := 1
Fall-Through = 1

DEFAULT Group == "plan60", RAD-Max-Session-Time := 60
Fall-Through = 1

#DEFAULT Group == "plan60", RAD-Session-Time == 60, Auth-Type := Reject
#   Reply-Message = "You've used up more than 1 minute!"

#DEFAULT Group == "plan60", Auth-Type := Reject
#   Reply-Message = "You've used up more than 1 minute!"

DEFAULT Auth-Type := System
Fall-Through = 1

If I use the version 0.5, I can see MATCH with line 1,4,13 from the debug
message:

users: Matched DEFAULT at 1
users: Matched DEFAULT at 4
users: Matched DEFAULT at 13

Can you help to check whether it is a bug? Thanks a lot!

Kenneth

On Fri, 24 May 2002, Alan DeKok wrote:

> Kenneth Lee <[EMAIL PROTECTED]> wrote:
> > rlm_counter: Entering module authorize code
> >
> > the output stops at the above statement and the client is disconnected
> > after some time.
> >
> > I don't know whether this can give you all some insight into the problem: I
> > find that the thread seems to get halted when you log in after the second
> > time (because I see that the total number of threads is increased by one
> > when I keep trying to log in).
>
>   OK, it looks like the counter module has issues.  Try grabbing the
> CVS snapshot from tonight, I've made some changes which may fix the
> problem.
>
>   Alan DeKok.
>






RE: Need Help: Struggling to add Ascend-Data-Filter in Freeradius 0.4

2002-05-28 Thread Chris Parker

At 04:46 PM 5/28/2002 -0700, Lists wrote:

>DEFAULT
> Service-Type == Framed-User,
> Service-Type == Login-User,
> Login-Service == Telnet,
> Login-Service == Rlogin,
> Login-Service == TCP-Clear,
> Login-TCP-Port <= 65536,
> Framed-IP-Address == 255.255.255.254,
> Framed-IP-Netmask == 255.255.255.255,
> Framed-Protocol == PPP,
> Framed-Protocol == SLIP,
> Framed-Compression == Van-Jacobson-TCP-IP,
> Framed-MTU >= 576,
> Framed-Filter-ID =~ ".*",
> Reply-Message =~ ".*",
> Session-Timeout <= 28800,
> Idle-Timeout <= 600,
> Port-Limit <= 2,
> Ascend-Data-Filter += "ip in forward tcp est",

No.  Use :=.

> Ascend-Data-Filter := "ip in forward dstip ip.of.mailbox/32",
> Ascend-Data-Filter := "ip in drop tcp dstport = 25",
> Ascend-Data-Filter := "ip in forward",
> Fall-Through = yes
>
>what gives?

Run a recent version.  Earlier versions have known problems that cannot
be fixed except by upgrading.

-Chris

--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






RE: Need Help: Struggling to add Ascend-Data-Filter in Freeradius 0.4

2002-05-28 Thread Lists

Well, to answer my own question, I should but I am not. I have the
following entry in radiusd.conf

authorize {
preprocess
attr_filter
sql
}


attr_filter in turn has this:

attr_filter {
attrsfile = ${confdir}/attrs
}

and attrs

DEFAULT
Service-Type == Framed-User,
Service-Type == Login-User,
Login-Service == Telnet,
Login-Service == Rlogin,
Login-Service == TCP-Clear,
Login-TCP-Port <= 65536,
Framed-IP-Address == 255.255.255.254,
Framed-IP-Netmask == 255.255.255.255,
Framed-Protocol == PPP,
Framed-Protocol == SLIP,
Framed-Compression == Van-Jacobson-TCP-IP,
Framed-MTU >= 576,
Framed-Filter-ID =~ ".*",
Reply-Message =~ ".*",
Session-Timeout <= 28800,
Idle-Timeout <= 600,
Port-Limit <= 2,
Ascend-Data-Filter += "ip in forward tcp est",
Ascend-Data-Filter := "ip in forward dstip ip.of.mailbox/32",
Ascend-Data-Filter := "ip in drop tcp dstport = 25",
Ascend-Data-Filter := "ip in forward",
Fall-Through = yes

what gives?

>OK it's getting clearer. Now, when I use radtest, should I see those
>filters in the output? Cause I am not seeing any.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Chris
Parker
Sent: Tuesday, May 28, 2002 11:37 AM
To: [EMAIL PROTECTED]
Subject: Re: Need Help: Struggling to add Ascend-Data-Filter in
Freeradius 0.4 

At 02:30 PM 5/28/2002 -0400, Alan DeKok wrote:
>"Lists" <[EMAIL PROTECTED]> wrote:
> > I am running FreeRADIUS 0.4 with PostgreSQL backend, it's been
running
> > great. I am now required to add Ascend-Data-Filter (s). After
reading
> > the documentation I came up with the following:
> >
> > The following in /usr/local/freeradius/etc/raddb/attrs
> >
> > DEFAULT
> > Service-Type == Framed-User,
> > Service-Type == Login-User,
>
>   This is wrong.  Please read 'man 5 users' for a description of what
>'==' does.

This is not 'users'.  This is 'attrs'.  The operators specified were
correct for that usage, apart from the Data-Filter ones, which should
have been := ( Set Operator ).  :)

-Chris



Problem with PAM/Winbind

2002-05-28 Thread Richard Lyszczek

Greetings, 

I have just finished configuring Redhat 7.3 with winbind to authenticate off of
our NT 4.0 PDC via winbind and ran into a problem with the username/password
handoff. It seems that the first letter is getting cut off when attempting to
authenticate through PAM to the PDC. When you double the first letter for example
MMYDOMAIN\username, it works perfectly. This authentication method has worked
for all the other services on the machine which is why I think it may be
freeradius. Any ideas?

The NT security log shows:

Reason:
Unknown user name or bad password
User Name:  YDOMAIN\username
Domain:
MYDOMAIN
Logon Type: 3
Logon Process:  KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:   \\LINUXSERVER 

The linux error log while running winbind in debug mode shows

May 28 14:57:43 linuxserver pam_winbind[29736]: Verify user `YDOMAIN\username'
with password `XXX'
May 28 14:57:44 linuxserver pam_winbind[29736]: user `YDOMAIN\username' not found

The accompanying PAM configuration file for radiusd is

#%PAM-1.0
auth     required  /lib/security/pam_winbind.so debug
auth     required  /lib/security/pam_nologin.so
account  required  /lib/security/pam_permit.so
session  required  /lib/security/pam_unix.so none

Thanks, 



Richard Lyszczek
AIO Network Solutions, Inc.
www.aiosolutions.com





RE: Need Help: Struggling to add Ascend-Data-Filter in Freeradius 0.4

2002-05-28 Thread Lists

OK it's getting clearer. Now, when I use radtest, should I see those
filters in the output? Cause I am not seeing any.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Chris
Parker
Sent: Tuesday, May 28, 2002 11:37 AM
To: [EMAIL PROTECTED]
Subject: Re: Need Help: Struggling to add Ascend-Data-Filter in
Freeradius 0.4 

At 02:30 PM 5/28/2002 -0400, Alan DeKok wrote:
>"Lists" <[EMAIL PROTECTED]> wrote:
> > I am running FreeRADIUS 0.4 with PostgreSQL backend, it's been
running
> > great. I am now required to add Ascend-Data-Filter (s). After
reading
> > the documentation I came up with the following:
> >
> > The following in /usr/local/freeradius/etc/raddb/attrs
> >
> > DEFAULT
> > Service-Type == Framed-User,
> > Service-Type == Login-User,
>
>   This is wrong.  Please read 'man 5 users' for a description of what
>'==' does.

This is not 'users'.  This is 'attrs'.  The operators specified were
correct for that usage, apart from the Data-Filter ones, which should
have been := ( Set Operator ).  :)

-Chris



Re: Need Help: Struggling to add Ascend-Data-Filter in Freeradius 0.4

2002-05-28 Thread Alan DeKok

Chris Parker <[EMAIL PROTECTED]> wrote:
> This is not 'users'.  This is 'attrs'.  The operators specified were
> correct for that usage, apart from the Data-Filter ones, which should
> have been := ( Set Operator ).  :)

  Whoops, sorry.  I skimmed the message too quickly, I think.

  Alan DeKok.




Re: Need Help: Struggling to add Ascend-Data-Filter in Freeradius 0.4

2002-05-28 Thread Chris Parker

At 02:30 PM 5/28/2002 -0400, Alan DeKok wrote:
>"Lists" <[EMAIL PROTECTED]> wrote:
> > I am running FreeRADIUS 0.4 with PostgreSQL backend, it's been running
> > great. I am now required to add Ascend-Data-Filter (s). After reading
> > the documentation I came up with the following:
> >
> > The following in /usr/local/freeradius/etc/raddb/attrs
> >
> > DEFAULT
> > Service-Type == Framed-User,
> > Service-Type == Login-User,
>
>   This is wrong.  Please read 'man 5 users' for a description of what
>'==' does.

This is not 'users'.  This is 'attrs'.  The operators specified were
correct for that usage, apart from the Data-Filter ones, which should
have been := ( Set Operator ).  :)

-Chris



Re: Need Help: Struggling to add Ascend-Data-Filter in Freeradius 0.4

2002-05-28 Thread Chris Parker

At 02:16 PM 5/28/2002 -0700, Lists wrote:
>I am running FreeRADIUS 0.4 with PostgreSQL backend, it's been running
>great. I am now required to add Ascend-Data-Filter (s). After reading
>the documentation I came up with the following:
>
>The following in /usr/local/freeradius/etc/raddb/attrs

8< snip


>Ascend-Data-Filter = "ip in forward tcp est",
> Ascend-Data-Filter = "ip in forward dstip ip.of.mail.box/32",
> Ascend-Data-Filter = "ip in drop tcp dstport = 25",
> Ascend-Data-Filter = "ip in forward"
>
>
>but alas, the filters do not get sent. What am I missing?

:= is the operator you want.

And you really want to upgrade to the latest release, as there have been 
changes to the way attrs is parsed and the operators you can use ( two new 
ones are now available =* and !* ).

-Chris




Re: Need Help: Struggling to add Ascend-Data-Filter in Freeradius 0.4

2002-05-28 Thread Alan DeKok

"Lists" <[EMAIL PROTECTED]> wrote:
> I am running FreeRADIUS 0.4 with PostgreSQL backend, it's been running
> great. I am now required to add Ascend-Data-Filter (s). After reading
> the documentation I came up with the following:
> 
> The following in /usr/local/freeradius/etc/raddb/attrs
> 
> DEFAULT
> Service-Type == Framed-User,
> Service-Type == Login-User,

  This is wrong.  Please read 'man 5 users' for a description of what
'==' does.

> Framed-MTU >= 576,

  This will NEVER do what you think.  The Framed-MTU is an attribute
which tells the NAS *exactly* what size MTU to use, and NOT a range.

> Ascend-Data-Filter = "ip in forward tcp est",
> Ascend-Data-Filter = "ip in forward dstip ip.of.mail.box/32",

  Use '+=' here, instead of '='.

  Alan DeKok.




unsubscribe

2002-05-28 Thread amos



 


Need Help: Struggling to add Ascend-Data-Filter in Freeradius 0.4

2002-05-28 Thread Lists

I am running FreeRADIUS 0.4 with PostgreSQL backend, it's been running
great. I am now required to add Ascend-Data-Filter (s). After reading
the documentation I came up with the following:

The following in /usr/local/freeradius/etc/raddb/attrs

DEFAULT
Service-Type == Framed-User,
Service-Type == Login-User,
Login-Service == Telnet,
Login-Service == Rlogin,
Login-Service == TCP-Clear,
Login-TCP-Port <= 65536,
Framed-IP-Address == 255.255.255.254,
Framed-IP-Netmask == 255.255.255.255,
Framed-Protocol == PPP,
Framed-Protocol == SLIP,
Framed-Compression == Van-Jacobson-TCP-IP,
Framed-MTU >= 576,
Framed-Filter-ID =~ ".*",
Reply-Message =~ ".*",
Session-Timeout <= 28800,
Idle-Timeout <= 600,
Port-Limit <= 2,
Ascend-Data-Filter = "ip in forward tcp est",
Ascend-Data-Filter = "ip in forward dstip ip.of.mail.box/32",
Ascend-Data-Filter = "ip in drop tcp dstport = 25",
Ascend-Data-Filter = "ip in forward"

And the following in /usr/local/freeradus/etc/raddb/radius.conf

authorize {
preprocess
attr_filter
sql
#   files
#   counter
#   attr_filter
#   eap
#   suffix
#   files
#   mschap
}

but alas, the filters do not get sent. What am I missing?





Re: Check that Calling-Station-Id is present

2002-05-28 Thread Chris Parker

At 05:01 PM 5/28/2002 +0100, [EMAIL PROTECTED] wrote:

> I am trying to create a single user entry that will only allow users
>on if they present their Calling-Station-Id. I don't care what number they
>call from as that will be stored in the accounting records. The user must
>present the correct username and password and their Calling Station Id. The
>information is required in case of abuse of the service. I use local
>authentication as below.

Add to your check-items:

Calling-Station-ID =* ANY

-Chris



Re: Accounting errors from an Ascend unit

2002-05-28 Thread William Ragsdale

Greetings,
  We recently inherited an old Ascend dialup unit at one of our new sites. 
When we add it to our freeradius server we generate a bunch of:

Error: Received Accounting-Request packet from  with invalid
signature!

Any suggestions on what to look at/fix?

I have tried to track down the problem, and it seems the Ascend is sending
the Accounting-On packet without a private key?!  Any ideas?  We currently
can't afford to replace this unit (soon! but not yet) and until then we
have to run an old radius program to handle just that one unit.

Hardware/software details:
OS: FreeBSD 4.5
Radius: Freeradius 0.5
Ascend NAS: Ascend Max-4000 with 7.0.22 OS


--

·William Ragsdale   ·http://www.netonecom.net
·Server Administrator ·Office Hours ·NetOne Communications, Inc.
·Work: 231-734-2917 10AM - 7PM  ·2186 US 10
·FAX:  231-734-6395 ·Sears, MI  49679





Check that Calling-Station-Id is present

2002-05-28 Thread richard . warne


I am trying to create a single user entry that will only allow users
on if they present their Calling-Station-Id. I don't care what number they
call from as that will be stored in the accounting records. The user must
present the correct username and password and their Calling Station Id. The
information is required in case of abuse of the service. I use local
authentication as below. 

[EMAIL PROTECTED]    Auth-Type = Local, Password = "password"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254


[EMAIL PROTECTED]






Re: SQL Module

2002-05-28 Thread Alan DeKok

"Rodrigo Gonzalez" <[EMAIL PROTECTED]> wrote:
> Whenever it receives a user with an IP format, example: 10.1.2.3 it
> returns failed and it is wrong.
> 
> I search the code and found that the problem is with this line:
> radius_xlat(querystr, MAX_QUERY_LEN,
> inst->config->authorize_check_query, request, sql_escape_string);
> 
> After changing this line to:
> radius_xlat(querystr, MAX_QUERY_LEN,
> inst->config->authorize_check_query, request, NULL);
> everything goes fine...

  That's because of recent changes I made to the module.  It now
escapes magic characters, and I'll add '.' to the list of characters
it doesn't escape.

  The problem is that if someone sends a RADIUS packet with something
like:

 User-Name = "' SQL-command blah '"

  They can execute SQL commands.  This is a fairly serious security
problem, and users of SQL should be aware that it's an issue.

  The CVS snapshot from tonight will contain the fix for IP
addresses.

  Alan DeKok.
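The quote-in-User-Name problem Alan describes, as an added illustration (not rlm_sql code; the query template follows the debug output at the top of this page, while the =XX escape scheme and the set of pass-through characters are assumptions). It shows why passing NULL as the escape function, the workaround quoted above, reopens the hole, and why the fix is to add '.' to the pass-through set rather than drop escaping:

```python
# Query template in the style of the authorize_check_query seen in the
# debug output at the top of this page.
AUTHORIZE_CHECK_QUERY = (
    "SELECT id,UserName,Attribute,Value FROM radcheck "
    "WHERE Username = '%s' ORDER BY id"
)

# Characters copied through unchanged; everything else becomes =XX (hex).
# Assumption: the pre-fix table lacked '.', which is why IP-shaped names such
# as 10.1.2.3 stopped matching; the fixed table adds it.
SAFE_BEFORE_FIX = set("abcdefghijklmnopqrstuvwxyz"
                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_-")
SAFE_AFTER_FIX = SAFE_BEFORE_FIX | {"."}


def sql_escape(value, safe=SAFE_AFTER_FIX):
    """Escape a RADIUS attribute value before it is interpolated into SQL.

    A character outside `safe` is replaced by '=' plus two hex digits, so a
    single quote (=27) can never close the string literal around it."""
    return "".join(ch if ch in safe else "=%02X" % ord(ch) for ch in value)


def build_query(user_name, escape=sql_escape):
    """Model radius_xlat(): expand the template with the (escaped) User-Name.
    escape=None reproduces the NULL-escape workaround from the thread."""
    if escape is None:
        return AUTHORIZE_CHECK_QUERY % user_name
    return AUTHORIZE_CHECK_QUERY % escape(user_name)


def quote_count(query):
    """The template has exactly two quotes; more means the User-Name
    broke out of the string literal."""
    return query.count("'")


# Constructed inputs: a normal name, an IP-shaped name, and the kind of
# User-Name Alan warns about.
NORMAL = "alice"
IP_NAME = "10.1.2.3"
HOSTILE = "' SQL-command blah '"

if __name__ == "__main__":
    for name in (NORMAL, IP_NAME, HOSTILE):
        print("fixed escape :", build_query(name))
        print("pre-fix escape:", build_query(
            name, escape=lambda v: sql_escape(v, SAFE_BEFORE_FIX)))
        print("no escape     :", build_query(name, escape=None),
              "(quotes: %d)" % quote_count(build_query(name, escape=None)))
```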




Re: Compiling errors on Solaris 8 Please help

2002-05-28 Thread Chris Parker

At 10:52 AM 5/28/2002 -0400, Russell Premont wrote:
>I have just downloaded FreeRadius 0.5. and am trying to compile it on
>Solaris 8 for Sparc with the following option
>changes --localstatedir=/var --sysconfdir=/etc. I can run the configure
>command and everything is ok but when I run make I
>get the following errors

Try to use the CVS snapshots.  We are nearing the 0.6 release, so there
have been many fixes since 0.5 came out.

-Chris




Compiling errors on Solaris 8 Please help

2002-05-28 Thread Russell Premont

I have just downloaded FreeRadius 0.5 and am trying to compile it on
Solaris 8 for Sparc with the following option
changes: --localstatedir=/var --sysconfdir=/etc. I can run the configure
command and everything is ok, but when I run make I
get the following errors:

gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DND
EBUG -I../../include  -c rlm_eap.c -o rlm_eap.o
In file included from rlm_eap.c:25:
eap.h:9: ltdl.h: No such file or directory
In file included from eap.h:17,
 from rlm_eap.c:25:
/usr/include/netinet/in.h:271: warning: `INADDR_ANY' redefined
../../include/missing.h:73: warning: this is the location of the previous
definition
/usr/include/netinet/in.h:272: warning: `INADDR_LOOPBACK' redefined
../../include/missing.h:77: warning: this is the location of the previous
definition
make[6]: *** [rlm_eap.o] Error 1
make[6]: Leaving directory
`/export/home/russell/freeradius-0.5/src/modules/rlm_eap'
make[5]: *** [common] Error 1
make[5]: Leaving directory `/export/home/russell/freeradius-0.5/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/export/home/russell/freeradius-0.5/src/modules'
make[3]: *** [common] Error 1
make[3]: Leaving directory `/export/home/russell/freeradius-0.5/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/export/home/russell/freeradius-0.5/src'
make[1]: *** [common] Error 1
make[1]: Leaving directory `/export/home/russell/freeradius-0.5'
make: *** [all] Error 2

Could someone please tell me what the problem might be.

Thanks





RE: Can't get EAP/TLS module to load

2002-05-28 Thread Michael Murphy

I figured that one out.  I was using the wrong version of OpenSSL
(0.9.6d).  After installing the latest beta, I can start FreeRadius.

Mike

>>> Lars Viklund <[EMAIL PROTECTED]> 05/28/02 03:18AM >>>

> From: Raghu [mailto:[EMAIL PROTECTED]] 

> Michael Murphy wrote:
> > 
> > Hello.
> > 
> > I am trying to get EAP/TLS running with FreeRadius using 
> Ken Roser's great Howto.  My problem is that, when I start 
> radiusd -X, the following is at the end of the output:

> Try,
> ldd /path/rlm_eap_tls.so

I had to add -lcrypto to RLM_LIBS in the rlm_eap_tls Makefile.




Re: Two problems with FreeRadius 0.5 (Chris Parker)

2002-05-28 Thread Chris Parker

At 01:37 PM 5/27/2002 +, Miquel van Smoorenburg wrote:

>I've been thinking about that, and I'm not sure about that. For
>example, Livingston PM3 boxes have l2tp tunneling support, but I
>don't think the PM3 supports tagged attributes. Yet you need to
>send it the Tunnel attributes.
>
>If you are serving a PM3 (LAC) and a Cisco box (LNS) of which one
>doesn't want tags and the other does, you can't just edit the
>dictionary file - you want both types of behaviour simultaneously.
>
>So probably not adding a tag when none is specified is the correct
>behaviour.
>
>But I have read the RFC and I'm still not sure what, if anything,
>is being said about this. It's ambiguous.

Lucent finalized the PM3 ComOS before completing RFC compliant Tunnel
attribute support.  They also don't encrypt the Tunnel-Password, if
I recall.

That's what happens when you have a box that is EOL, no longer supported,
and no longer being developed for by Lucent.  The RFC is June, 2000.  The
PM3 was publicly EOL'ed November, 2000, but they didn't do a whole lot
of development prior to that.

I don't think we should break the RFC because Lucent killed the PM3 without
completing ComOS.

( Yes it does suck, as I was a big fan of the PM3, but have moved on to
   cisco and Ascend gear because I need something that is supported. )

-Chris



SQL Module

2002-05-28 Thread Rodrigo Gonzalez



I found a little problem with this module.

Whenever it receives a user with an IP format, example: 10.1.2.3, it returns failed and it is wrong.

I searched the code and found that the problem is with this line:
radius_xlat(querystr, MAX_QUERY_LEN, inst->config->authorize_check_query, request, sql_escape_string);
After changing this line to:
radius_xlat(querystr, MAX_QUERY_LEN, inst->config->authorize_check_query, request, NULL);
everything goes fine...
 
Regards.



Problem with Login-Time attribute.

2002-05-28 Thread Aqeel Anwar

Hi all
I am using freeradius 0.5 on Solaris 7 and Cisco IOS
11.1. I want to restrict one of my users in such a way
that he can log in only from 1500 to 1700. My users
file is:

foo Auth-Type := System, Login-Time == "Any1500-1700",
Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

The problem is that the Login-Time check is not working
properly. He can still log in without any time
restriction. Any solution?

Thanks in Advance
Aqeel
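An added example, not from the post above or from FreeRADIUS, of what a Login-Time check such as "Any1500-1700" has to evaluate: it parses day codes plus HHMM-HHMM spans and tests a timestamp against them. The day codes (Su..Sa, Wk, Any/Al), the half-open window [start, end) and the refusal of spans that cross midnight are assumptions about the format; the timestamps are constructed on the date of this thread.

```python
import re
from datetime import datetime

# Day codes as written in the users file (assumption about the format):
# Su..Sa single days, Wk = Monday to Friday, Any / Al = every day.
# Python weekday(): Monday=0 ... Sunday=6.
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Any": set(range(7)), "Al": set(range(7)),
}
DAY_RE = re.compile(r"Any|Al|Wk|Su|Mo|Tu|We|Th|Fr|Sa")
SPAN_RE = re.compile(r"^((?:Any|Al|Wk|Su|Mo|Tu|We|Th|Fr|Sa)+)(\d{4})-(\d{4})$")


def _minutes(hhmm):
    return int(hhmm[:2]) * 60 + int(hhmm[2:])


def parse_login_time(spec):
    """Turn "Wk0800-1700,Sa0800-1200" into [(days, start_min, end_min), ...].
    Minutes count from midnight; each window is [start, end)."""
    spans = []
    for part in spec.split(","):
        m = SPAN_RE.match(part.strip())
        if not m:
            raise ValueError("bad Login-Time span: %r" % part)
        days = set()
        for code in DAY_RE.findall(m.group(1)):
            days |= DAY_CODES[code]
        start, end = _minutes(m.group(2)), _minutes(m.group(3))
        # Simplification: spans that wrap past midnight are rejected here.
        if not (0 <= start < end <= 24 * 60):
            raise ValueError("bad time range in %r" % part)
        spans.append((days, start, end))
    return spans


def _as_datetime(when):
    # Accept either a datetime or a constructed "YYYY-MM-DD HH:MM" string.
    if isinstance(when, str):
        return datetime.strptime(when, "%Y-%m-%d %H:%M")
    return when


def login_time_allows(spec, when):
    """True if `when` falls inside any span of `spec`."""
    when = _as_datetime(when)
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in parse_login_time(spec))


def minutes_left(spec, when):
    """Minutes until the current window closes, 0 if login is not allowed now.
    This is the figure a server can hand back as a session limit so the user
    is cut off when the window ends instead of staying on indefinitely."""
    when = _as_datetime(when)
    minute = when.hour * 60 + when.minute
    for days, start, end in parse_login_time(spec):
        if when.weekday() in days and start <= minute < end:
            return end - minute
    return 0


if __name__ == "__main__":
    # Tuesday 28 May 2002, the day of this thread (constructed timestamps).
    for t in ("2002-05-28 14:30", "2002-05-28 16:00", "2002-05-28 17:00"):
        print(t, login_time_allows("Any1500-1700", t),
              minutes_left("Any1500-1700", t))
```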





fastusers grouping

2002-05-28 Thread Thomas Jalsovsky


Hello,

I would like to use 10.000 prepaid accounts and use the
Exec-Program-Wait feature for this. How can I define a group and how can I
add those user accounts to the given group? I would also like to use other
accounts (without Exec-Program-Wait and with other parameters).

Thanks in advance,

Thomas





Re: No Idea

2002-05-28 Thread Michael Fuller

Hi All,

Same problem here too. Any help will be appreciated, please.

Another issue: how can I give different permissions to ldap users, so that,
let's say, when they telnet to a device and are authenticated by ldap, they get
different permissions like administrator or normal user? Can I control this?
What do you think?

If it comes to radius only, you can define under /raddb/user the user name to
be authenticated and something called service-type=administrative-user.

But how to do that with ldap users now, please?


Regards,
Michael Fuller


- Original Message -
From: Mazen R. Kassem
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, May 28, 2002 4:36 PM
Subject: No Idea


Hi guys,
After integrating LDAP and Radius I checked the radius functionality; it went
ok, "radtest" returns Accept, which is perfect, so my
Radius clients are being authenticated by ldap, but ldapsearch is not working:
it always returns object not found. Any idea how come?
Another issue: how can I give different permissions to ldap users, so that,
let's say, when they telnet to a device and are authenticated by ldap, they get
different permissions like administrator or normal user? Can I control this?
What do you think?
If it comes to radius only, you can define under /raddb/user the user name to
be authenticated and something called service-type=administrative-user.
But how to do that with ldap users now, please?





Integrated Networks Co.
Tel:  2734474 x 148
Fax: 2734117 x 148
Mob: 054170626
Email: [EMAIL PROTECTED]




Re: Authorization via LDAP & Authentication via PAM

2002-05-28 Thread Kostas Kalevras

On Tue, 28 May 2002, Allister Maguire wrote:

> Hello,
>
> I have got this working by setting:
>
> DEFAULT Auth-Type := pam
> Fall-Through = 1
>
> In the users file.
>
> I also want to restrict dialin access to certain ldap users, so I
> changed the ldap filter:
>
> filter = "(&(uid=%u)(msNPAllowDialin=TRUE))"
>
> In the ldap {} module.
>
> Only problem is if I set msNPAllowDialin=FALSE, they still get a
> Access-Accept because the files, pam module return ok (I think).

You could also use the access_attr configuration directive. Then the module will
return reject (well, actually userlock) instead of notfound.

>
>
>
>   modcall[authorize]: module "ldap" returns notfound
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type pam
> auth: type "Pam"
> modcall: entering group authenticate
> pam_pass: using pamauth string  for pam.conf lookup
> pam_pass: authentication succeeded for 
>   modcall[authenticate]: module "pam" returns ok
> modcall: group authenticate returns ok
> Sending Access-Accept of id 1 to 127.0.0.1:32826
> Finished request 1
> Going to the next request
> Thread 2 waiting to be assigned a request
>
>
> How many need to fail, for the Access-Request to fail?

Check out doc/configurable_failover. You could do something like this in
your authorize section:

authorize {
        ldap {
                notfound = return
        }
        [...]
}

Hope it helps

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





No Idea

2002-05-28 Thread Mazen R. Kassem

Hi guys,

After integrating LDAP and RADIUS I checked the RADIUS functionality and it went OK: "radtest" returns Accept, which is perfect, so my
RADIUS clients are being authenticated by LDAP, but ldapsearch is not working; it always returns "object not found". Any idea how that comes?

Another issue: how can I give different permissions to LDAP users so that, let's say, when they telnet to a device and are authenticated by LDAP they get different permission levels like administrator or normal user? Can I control this? What do you think?

If it comes to RADIUS only, you can define under /raddb/user the user name to be authenticated and something called service-type=administrative-user.

But how to do that with LDAP users now, please?


Integrated Networks Co.
Tel:  2734474 x 148
Fax: 2734117 x 148
Mob: 054170626
Email: [EMAIL PROTECTED]





Changes to MS-CHAPv2 MPPE support

2002-05-28 Thread 3APA3A

Dear [EMAIL PROTECTED],

I've committed changes to FreeRADIUS MS-CHAPv2 MPPE support. Now all
encryption/decryption of MPPE keys will be performed automatically on
sending/receiving the RADIUS packet rather than in the rlm_mschap module, so
proxying of these attributes is now OK (not for MS-CHAPv1 yet).

If you use MPPE for MS-CHAPv2 in a newer FreeRADIUS snapshot (since
today), _MAKE SURE TO UPDATE_ dictionary.microsoft in the raddb directory.

Please report back if there are any troubles with MS-CHAP or tunneling
support in the latest snapshot.

-- 
http://www.security.nnov.ru
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   }
+-o66o--+ /
|/
You know my name - look up my number (The Beatles)





Re[3]: Fwd: Re: Encrypted attribute problems

2002-05-28 Thread Josh Howlett

Dear 3APA3A,

(Cc'd to the mailing list for the archives)

I confirm that these patches work correctly: freeradius now
authenticates MSCHAP-v2 against the rlm_mschap module and as a proxy
server against a remote RADIUS server (IAS in my case).

Many thanks for your assistance and rapid support in this matter,

josh.

On Mon, 27 May 2002, 3APA3A wrote:

> Dear Josh Howlett,
>
> Replace dictionary.microsoft in _both_ the RADIUS source and installation
> (normally /usr/local/etc/raddb) dir; it should help (make sure you have the
> latest CVS snapshot, older FreeRADIUS incorrectly handles tunnel
> encryption). It should already be enough to solve your problem (no
> recompilation/reinstallation required) but it will break FreeRADIUS's own
> MS-CHAPv2 functionality.
>
> So, I will be very grateful if you can also replace rlm_mschap
> with the one attached, rebuild RADIUS and test MS-CHAPv2 functionality
> via FreeRADIUS itself, because I have no MS-CHAPv2 compliant NAS to
> test with.
>
> --Monday, May 27, 2002, 9:01:26 PM, you wrote to [EMAIL PROTECTED]:
>
> JH> Dear 3APA3A,
>
> JH> I would be very pleased to test it!
>
> JH> Many thanks, josh.
>
> JH> On Mon, 27 May 2002, 3APA3A wrote:
>
> >> Dear Josh Howlett,
> >>
> >> As you can see it was forwarded to [EMAIL PROTECTED]; this
> >> message was not addressed to you, but to the core RADIUS developers.
> >>
> >> If I send you the fixed source files, can you test them?
> >>
> >> --Monday, May 27, 2002, 8:53:29 PM, you wrote to [EMAIL PROTECTED]:
> >>
> >> JH> On Mon, 27 May 2002, 3APA3A wrote:
> >> >>
> >> >> Probably the problem is that MS uses for
> >> >> MS-MPPE-Send-Key/MS-MPPE-Recv-Key absolutely the same encoding scheme as for
> >> >> Tunnel-Password attributes. Currently I do all encoding inside
> >> >> rlm_mschap itself.
> >> >>
> >> >> I'm not sure how the proxy operates: if the proxy rebuilds the packet and these
> >> >> values are changed, I need to rewrite rlm_mschap to not perform encoding
> >> >> and to mark MS-MPPE-Send-Key/MS-MPPE-Recv-Key as encrypt=2 in the
> >> >> dictionary instead.
> >> >>
> >> >> Will it work?
> >> >>
> >> >> BTW: for MS-CHAPv1 Microsoft uses the standard rad_pwencode() to encrypt the
> >> >> MS-CHAP-MPPE-Keys attribute. Currently I call rad_pwencode() from
> >> >> rlm_mschap. Maybe we should process all rad_pwencode'd attributes in
> >> >> the way we process Tunnel-Password encryption? That is, instead of
> >> >> calling rad_pwencode/rad_pwdecode for Password we should mark Password
> >> >> and MS-CHAP-MPPE-Keys as encrypt=1 in the dictionary and handle all
> >> >> encrypted attributes?
> >>
> >> JH> Hi 3APA3A,
> >>
> >> JH> I am not using rlm_mschap at all because I am only proxying.  I assumed
> >> JH> that the encoding/decoding would be performed automatically as part of
> >> JH> the proxying process.
> >>
> >> JH> What you suggest sounds sensible to me, but I do not know much at all
> >> JH> about RADIUS :-(.
> >>
> >> JH> regards, josh.
> >>
> >> >> --This is a forwarded message
> >> >> From: Josh Howlett <[EMAIL PROTECTED]>
> >> >> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> >> >> Date: Monday, May 27, 2002, 7:28:36 PM
> >> >> Subject: Encrypted attribute problems
> >> >>
> >> >> ===8<==Original message text===
> >> >> > Josh Howlett <[EMAIL PROTECTED]> wrote:
> >> >> > > What is the status of encrypted attribute support in Freeradius at the
> >> >> > > moment?  It appears to be broken - has anyone had similar problems?
> >> >> >
> >> >> >   WHICH encrypted attribute?  There's more than one, and there are a
> >> >> > number of different encryption schemes.
> >> >>
> >> >> Sorry for the lack of specificity; I am rather new to RADIUS!
> >> >>
> >> >> My precise problem is this.  I have a Microsoft IAS W2K server and a NAS
> >> >> with a Freeradius proxy in the middle:
> >> >>
> >> >> IAS <--> Freeradius <--> NAS
> >> >>
> >> >> The NAS authenticates clients using MSCHAP-v2 and also provides
> >> >> encryption using MPPE.  The NAS can authenticate and retrieve the MPPE
> >> >> keys via RADIUS from the W2K box without any problems.  However, if the
> >> >> RADIUS transaction is performed via the Freeradius proxy, the NAS
> >> >> reports problems with de-crypting the MPPE attributes:
> >> >>
> >> >> decrypt_attr_style_1: bogus decrypted length 89
> >> >> decrypt_attr_style_1: bogus decrypted length -37
> >> >>
> >> >> Hence, I can authenticate correctly but not retrieve the MPPE keys when
> >> >> Freeradius is acting as proxy.
> >> >>
> >> >> I hope this is clear?
> >> >>
> >> >> thanks, josh.
> >> >>
> >> >>
> >> >> 
> >> >> Josh Howlett, Networking & Digital Communications,
> >> >> Information Systems & Computing, University of Bristol, U.K.
> >> >> 'phone: 0117 928 7850 email: [EMAIL PROTECTED]
> >> >> 
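The MPPE key encoding this thread and the "Changes to MS-CHAPv2 MPPE support" announcement revolve around (the RFC 2548 scheme, the same one used for Tunnel-Password) as an added Python example; it is not FreeRADIUS code. It shows why a proxy that forwards MS-MPPE-Send-Key/MS-MPPE-Recv-Key untouched leaves the NAS with a "bogus decrypted length": the value is bound to the shared secret and Request Authenticator of the proxy's own request to the home server, not to those of the NAS. All secrets, authenticators, salts and keys below are constructed sample values.

```python
import hashlib

def mppe_encrypt(secret: bytes, req_auth: bytes, key: bytes, salt: bytes) -> bytes:
    """Encode an MS-MPPE-Send/Recv-Key value (RFC 2548 2.4.2): salt + XOR stream.
    Block 1 is MD5(secret + Request-Authenticator + salt); later blocks chain on
    the previous ciphertext block. Real salts come from a CSPRNG with the high
    bit of the first byte set; the caller supplies one here."""
    plain = bytes([len(key)]) + key            # length byte, then the key
    plain += b"\x00" * (-len(plain) % 16)      # zero-pad to a 16-byte boundary
    out, prev = bytearray(salt), req_auth + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)

def mppe_decrypt(secret: bytes, req_auth: bytes, value: bytes) -> bytes:
    """Inverse of mppe_encrypt; raises ValueError on a bogus decrypted length."""
    salt, body = value[:2], value[2:]
    if len(salt) != 2 or len(body) % 16 or not salt[0] & 0x80:
        raise ValueError("malformed MPPE key attribute")
    plain, prev = bytearray(), req_auth + salt
    for i in range(0, len(body), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(body[i:i + 16], b))
        prev = body[i:i + 16]
    n = plain[0]
    if n == 0 or n > len(plain) - 1:           # the NAS-side symptom in the thread
        raise ValueError(f"bogus decrypted length {n}")
    return bytes(plain[1:1 + n])

def proxy_forward(value, home_secret, home_req_auth, nas_secret, nas_req_auth, salt):
    """What a proxy must do with the home server's reply: decrypt under the secret
    and Request Authenticator of its own upstream request, then re-encrypt under
    the NAS's secret and the NAS's Request Authenticator. Forwarding 'value'
    unchanged is the failure the thread describes."""
    key = mppe_decrypt(home_secret, home_req_auth, value)
    return mppe_encrypt(nas_secret, nas_req_auth, key, salt)

def nas_result(secret: bytes, req_auth: bytes, value: bytes):
    """Demonstration helper: the NAS's view, either key bytes or the error text."""
    try:
        return mppe_decrypt(secret, req_auth, value)
    except ValueError as e:
        return str(e)
```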

RE: Can't get EAP/TLS module to load

2002-05-28 Thread Lars Viklund


> From: Raghu [mailto:[EMAIL PROTECTED]] 

> Michael Murphy wrote:
> > 
> > Hello.
> > 
> > I am trying to get EAP/TLS running with FreeRadius using 
> Ken Roser's great Howto.  My problem is that, when I start 
> radiusd -X, the following is at the end of the output:

> Try,
> ldd /path/rlm_eap_tls.so

I had to add -lcrypto to RLM_LIBS in the rlm_eap_tls Makefile.
