rlm_ldap check items

2002-05-31 Thread Allister Maguire

Hello,

I am testing FreeRADIUS v0.5, and have attributes set up in the LDAP
directory. Reply attributes are working fine, but check attributes don't
seem to work properly, e.g. access should be denied if the check attribute
in the Access-Request does not match.

Am I correct in thinking this?

Below is an Access-Request and an Access-Accept; if you look where I have
added the *** First Check Attribute *** markers etc., you will see
they do not match but the request is accepted anyway.

Any help would be great, thanks.

Regards
Allister



rad_recv: Access-Request packet from host 203.96.128.242:1025, id=133,
length=110
Thread 3 assigned request 3
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do.  Sleeping until we see a request.
Thread 3 handling request 3, (1 handled so far)
User-Name = "[EMAIL PROTECTED]"
User-Password = "X"
NAS-IP-Address = 203.96.128.242
NAS-Port = 20118
*** First Check Attribute ***
NAS-Port-Type = Async
*****************************
State = 0x
*** Second Check Attribute ***
Calling-Station-Id = "49157700"
*****************************
Called-Station-Id = "049173901"
Acct-Session-Id = "281178942"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 1
  modcall[authorize]: module "files" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bbuilder
radius_xlat:  '(uid=bbuilder)'
radius_xlat:  'ou=People,ou=Internet Service Provider,ou=Globe.Net Communications Ltd,dc=gnc,dc=net,dc=nz'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=Internet Service Provider,ou=Globe.Net Communications Ltd,dc=gnc,dc=net,dc=nz, with filter (uid=bbuilder)
rlm_ldap: checking if remote access for bbuilder is allowed by radiusNPAllowDialin
rlm_ldap: looking for check items in directory...
*** First Check Attribute ***
rlm_ldap: Adding radiusNASPortType as NAS-Port-Type, value Cable & op=11
*****************************
*** Second Check Attribute ***
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 49157711 & op=11
*****************************
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusIdleTimeout as Idle-Timeout, value 600 & op=11
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 192.168.2.180 & op=11
rlm_ldap: user bbuilder authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Pam
auth: type "Pam"
modcall: entering group authenticate
pam_pass: using pamauth string  for pam.conf lookup
pam_pass: authentication succeeded for 
  modcall[authenticate]: module "pam" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 133 to 203.96.128.242:1025
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Netmask = 255.255.255.255
Framed-Routing = None
Framed-Compression = Van-Jacobson-TCP-IP
Ascend-Assign-IP-Pool = 6
Ascend-Maximum-Channels = 1
Idle-Timeout = 600
Framed-IP-Address = 192.168.2.180
Finished request 3
Going to the next request
Thread 3 waiting to be assigned a request

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
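What Allister expects from a check item can be stated as a small matching rule: each check item the directory returns is compared with the same-named attribute in the Access-Request, and any mismatch turns the result into an Access-Reject. The Python below is an added example written for this digest, not FreeRADIUS or rlm_ldap code. It applies that rule to the two attributes from the debug output above; the request values and the directory values are copied from the log, the log's "op=11" is assumed here to mean the equality test "==", and the User-Name (redacted in the post) is assumed to be the "bbuilder" that rlm_ldap searched for.

```python
# Added example (not FreeRADIUS code): the matching rule a RADIUS "check item"
# is expected to enforce, applied to the request from the debug output above.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CheckItem:
    attribute: str
    op: str      # "==" / "!=" test the request; ":=" would set, not test (assumed semantics)
    value: str


# Attributes copied from the Access-Request in the log (User-Name is redacted
# there; "bbuilder" is the uid rlm_ldap searched for, assumed to be the same user).
REQUEST: Dict[str, str] = {
    "User-Name": "bbuilder",
    "NAS-IP-Address": "203.96.128.242",
    "NAS-Port": "20118",
    "NAS-Port-Type": "Async",
    "Calling-Station-Id": "49157700",
    "Called-Station-Id": "049173901",
}

# Check items as rlm_ldap reported them; the log's "op=11" is assumed to mean "==".
LDAP_CHECK_ITEMS: List[CheckItem] = [
    CheckItem("NAS-Port-Type", "==", "Cable"),
    CheckItem("Calling-Station-Id", "==", "49157711"),
]


def evaluate_check_items(request: Dict[str, str],
                         check_items: List[CheckItem]) -> Tuple[bool, List[str]]:
    """Return (authorized, reasons). A '==' item requires the attribute to be
    present with an identical value; '!=' requires it absent or different.
    One failed item is enough to refuse the request."""
    reasons: List[str] = []
    for item in check_items:
        actual = request.get(item.attribute)
        if item.op == "==":
            if actual is None:
                reasons.append(f"{item.attribute}: required {item.value!r}, attribute absent")
            elif actual != item.value:
                reasons.append(f"{item.attribute}: required {item.value!r}, got {actual!r}")
        elif item.op == "!=":
            if actual == item.value:
                reasons.append(f"{item.attribute}: must not be {item.value!r}")
        # assignment operators such as ':=' modify the request instead of testing it
    return (not reasons), reasons


def decide(request: Dict[str, str], check_items: List[CheckItem]) -> str:
    """The packet type a check-item evaluation should produce."""
    ok, _ = evaluate_check_items(request, check_items)
    return "Access-Accept" if ok else "Access-Reject"


if __name__ == "__main__":
    ok, why = evaluate_check_items(REQUEST, LDAP_CHECK_ITEMS)
    print(decide(REQUEST, LDAP_CHECK_ITEMS))
    for reason in why:
        print("  mismatch:", reason)
```

Run against the logged request this yields Access-Reject with two mismatches (Async vs Cable, 49157700 vs 49157711), which is the outcome the post says it expected and did not get; a request carrying the directory's values, or a directory with no "==" items, yields Access-Accept.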



Re: unsubscribing

2002-05-31 Thread Иван Груздев

- Original message -
From:  Иван Груздев <[EMAIL PROTECTED]>
Subject:  unsubscribing




unsubscribing

2002-05-31 Thread Иван Груздев

- Original message -
From:  Ronan Lucio <[EMAIL PROTECTED]>
Subject:  Re: Accounting




missing -d in radwho

2002-05-31 Thread Matthew Schumacher

Developers,

I have a request that the -d option get added to radwho.  I have 2 
radius servers and I split them off with the -d raddb switch, but that 
breaks radwho.

I hacked at it myself a little, but I am not a c programmer and my code 
caused the binary to seg fault.

Thanks,

schu
-- 
___
Matthew Schumacher  [EMAIL PROTECTED]





Re: pam_radius-1.3.15 not failing over correctly

2002-05-31 Thread Alan DeKok

"Richard L. Goerwitz III" <[EMAIL PROTECTED]> wrote:
> All is well unless that RADIUS server is unavailable, times out, or has
> some other issue that renders it incapable of responding.  In that case,
> another request is issued to a secondary server.  This request goes out
> from the same source IP port, across the Sidewinder (which does its NAT
> thing), and eventually ends up at port 1645 on the secondary RADIUS
> server, where it apparently fails to verify at least in some cases.

That's why RADIUS proxies (and UDP proxies in general) are
a bad idea.

  Alan DeKok.




Re: Accounting

2002-05-31 Thread Alan DeKok

Ronan Lucio <[EMAIL PROTECTED]> wrote:
> I've put the following line in the raddb/acct_users file
> 
> DEFAULT Exec-Program-Wait = "/usr/local/etc/raddb/vrflogin.py %u %f"

  Does this look anything like the example in the file
'scripts/exec-program-wait'?

  NO!  That's why it does not work.

  Alan DeKok.




Re: Accounting

2002-05-31 Thread Ronan Lucio

Hello Alan,

I've put the following line in the raddb/acct_users file

DEFAULT Exec-Program-Wait = "/usr/local/etc/raddb/vrflogin.py %u %f"

It's a simple test that I'm doing. It just logs a username and the
Framed-IP-Address to a file.

In the users file I've changed nothing.

Now, when I make a connection, it connects but doesn't execute the
script.
I have already read all the files in the freeradius-0.5/doc dir but I'm
still a little lost... :-/

Do you know what I am doing wrong?

Thanks
Ronan

On Fri, 31 May 2002 15:50:47 -0400
"Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Ronan Lucio <[EMAIL PROTECTED]> wrote:
> > I have already done it, but as far as I've understood it, when the
> > user disconnects, this script isn't executed, is it?
> 
>   If you configure 'acct_users' like it says to do at the start of the
> script, yes, it is.
> 
>   READ the comments at the start of the file, and edit
> 'raddb/acct_users' as given in the example.
> 
>   Alan DeKok.
> 



Re: pam_radius-1.3.15 not failing over correctly

2002-05-31 Thread Richard L. Goerwitz III

Alan DeKok wrote:

>>I believe all the proxy does, in effect, is forward packets.  I don't
>>think it has a notion of stateful conversations for UDP.  I'll have to
>>check on this.
>
>   Exactly.  It forwards a RADIUS request, and when it receives the
> reply, where the heck does the reply go?

It's a Sidewinder unit; the RADIUS request goes out via UDP through the
Sidewinder, which does some port mapping but keeps the source IP address
intact, and forwards the packet on to the RADIUS server, on port 1645,
which duly replies, sending its information back across the firewall.

All is well unless that RADIUS server is unavailable, times out, or has
some other issue that renders it incapable of responding.  In that case,
another request is issued to a secondary server.  This request goes out
from the same source IP port, across the Sidewinder (which does its NAT
thing), and eventually ends up at port 1645 on the secondary RADIUS
server, where it apparently fails to verify at least in some cases.  In
any event, the secondary sends a response back across the Sidewinder,
which appears not to verify correctly back on the server that posed the
initial query.  That server issues an ICMP udp port unreachable message
which the firewall doesn't forward.

-- 

Richard L. Goerwitz III    Email: [EMAIL PROTECTED]
Phone: +1 507 646 5526 Fax: +1 507 646 4537
PGP key fingerprint: 4471 B6D3 57CC B2DC A0CF  82D3 0B7D EA19 F425 B0E0





Re: mysql re-connect code?

2002-05-31 Thread Alan DeKok

"Todd T. Fries" <[EMAIL PROTECTED]> wrote:
> Has anyone looked into the mysql (if it disconnects, re-connect)
> code?  I've been asked to look into it and would not like to
> duplicate any existing effort.

  No one else is working on it.
 
> I'm told the postgresql module has this functionality but the mysql module
> does not.

  I *think* it does, but I could be wrong, I haven't checked lately.

  Alan DeKok.




Re: Accounting

2002-05-31 Thread Ronan Lucio

On Fri, 31 May 2002 15:50:47 -0400
"Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Ronan Lucio <[EMAIL PROTECTED]> wrote:
> > I have already done it, but as far as I've understood it, when the
> > user disconnects, this script isn't executed, is it?
> 
>   If you configure 'acct_users' like it says to do at the start of the
> script, yes, it is.
> 
>   READ the comments at the start of the file, and edit
> 'raddb/acct_users' as given in the example.

Thank you very much Alan,

I'll try to do this.

Ronan




Re: NAS-Port-Id vs NAS-Port ?

2002-05-31 Thread Alan DeKok

"Todd T. Fries" <[EMAIL PROTECTED]> wrote:
> In our system, we've done a '%s/NAS-Port-Id/NAS-Port/' on sql.conf (diff
> attached) and instead of having '0' show up all the time, suddenly the
> dialup accounting data has the port number in the NASPortId column.
> 
> Is there a reason this is not 'NAS-Port' and NASPort .. ?

  Historical.  The RFC's originally said 'NAS-Port-Id' for the integer
NAS port.  Then it got changed to 'NAS-Port', and 'NAS-Port-Id' was
re-used for something else.

  The default SQL queries should probably be updated, as well as the
schemas.

  Alan DeKok.




Re: Accounting

2002-05-31 Thread Alan DeKok

Ronan Lucio <[EMAIL PROTECTED]> wrote:
> I have already did it, but as far as I've understood it, when the
> user disconnects, this script isn't executed, is it?

  If you configure 'acct_users' like it says to do at the start of the
script, yes, it is.

  READ the comments at the start of the file, and edit
'raddb/acct_users' as given in the example.

  Alan DeKok.




Re: ldap remoteuser auth problem

2002-05-31 Thread Alan DeKok

Dave Vondracek <[EMAIL PROTECTED]> wrote:
> The documentation for dsradiusd is incredibly poor, so if it
> can do what I now need it to, I have no real way of knowing.
> (If someone knows and can put me out of my misery quick,
> that would be ok too)  Freeradius however does support
> everything I need.  And while you say your documentation
> needs work, it's far beyond the other projects I've looked
> at recently.

That's always nice to hear.

> What do I need to change to get Freeradius to work with
> remoteUsers instead of posixAccounts?  Am I on the right
> path?  And thinking a little further ahead - is Freeradius
> going to pull the proper attributes from the LDAP server to
> forward to the NAS?

  If you configure the queries correctly, then I *think* so, but I'm
not an ldap expert.

  You can also set it up to NOT bind to the ldap server for user
authentication.  In that case, just store the password in the ldap
database, and use another RADIUS module to do the verification.

  Alan DeKok.




Re: suggestion re: rad_lowerpair/rmspace_pair

2002-05-31 Thread Alan DeKok

Nick Davis <[EMAIL PROTECTED]> wrote:
> In practice, I do not see the above statement as true. What I see is that it 
> will always modify the password even if it was true in the first place. 

  Hmm... that code isn't well used, or well tested, sorry.


> So, it was correct in the first place, and login was accepted, then it does 
> the lowerpair and rmspace_pair after being accepted. Isn't that a waste?

  Yes, but not much of one.  It doesn't run the request through the
modules again, so it's not much of a problem.

  Alan DeKok.




Re: Accounting

2002-05-31 Thread Ronan Lucio

Alan,

> > Is there a way to execute a external script in accounting step?
> 
>   See 'scripts/exec-program-wait'
> 
>   Alan DeKok.

I have already done it, but as far as I've understood it, when the
user disconnects, this script isn't executed, is it?

Thanks
Ronan




Re: Accounting

2002-05-31 Thread Alan DeKok

Ronan Lucio <[EMAIL PROTECTED]> wrote:
> I have a radius server (not freeradius) that executes an external
> script which makes some checks to validate the user.
> When such a user is allowed, the script inserts a record in a
> Postgres database with (User-Name, Framed-IP-Address, Connect-Info,
> Calling-Station-ID, Acct-Status-Type, connect time) and when the
> user disconnects (Acct-Status-Type, disconnect time).

  FreeRADIUS has postgres support built-in, so you don't need to run
an external script.

> My problem is the script is executed at the authentication step and at
> that time it doesn't have some of the data yet.
> 
> Is there a way to execute an external script in the accounting step?

  See 'scripts/exec-program-wait'

  Alan DeKok.




unsubscribe

2002-05-31 Thread a-wall

unsubscribe 







Re: Removal of Proxy-State

2002-05-31 Thread Chris Parker

At 02:45 PM 5/31/2002 -0400, Alan DeKok wrote:
>Chris Parker <[EMAIL PROTECTED]> wrote:
> > This assumes we are sending to a NAS, which we can't.  Consider a two
> > stage proxy:
>
>   The proxy state returned to the client MUST be exactly the same as
>what client sent to the server.  You CANNOT trust the Proxy-State
>attributes in the reply from the home server, as they may be running a
>brain-dead server like Merit, which mangles Proxy-State.
>
>   Look at rad_respond().  When it's responding to a request, it copies
>the PW_PROXY_STATE from the request to the reply.  Since FreeRADIUS
>isn't completely brain-damaged, these attributes are unmodified.
>
>   Any crap Proxy-State attributes it receives in
>request->proxy_reply->vps are discarded as nonsense.

Yep.

>   It does that already.

Yep, and I jumped the gun.  :)

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Accounting

2002-05-31 Thread Ronan Lucio

Hi All,

I have a radius server (not freeradius) that executes an external
script which makes some checks to validate the user.
When such a user is allowed, the script inserts a record in a
Postgres database with (User-Name, Framed-IP-Address, Connect-Info,
Calling-Station-ID, Acct-Status-Type, connect time) and when the
user disconnects (Acct-Status-Type, disconnect time).

Now I have installed freeradius and I have already got it to authenticate
and execute an external script.

My problem is the script is executed at the authentication step and at
that time it doesn't have some of the data yet.

Is there a way to execute an external script in the accounting step?

I know that freeradius works with postgres, but I need to
make it work this way for now, and after that, more calmly, I'll work on
centralized authentication.

Thanks
Ronan




Re: Removal of Proxy-State

2002-05-31 Thread Frank Cusack

On Fri, May 31, 2002 at 02:50:02PM -0400, Alan DeKok wrote:
>   And for some reason, the people at Merit got their name on the
> RFC's, despite having probably the worst RADIUS server implementation
> I've seen *anywhere*.

Writing a protocol specification is not even close to the same thing
as implementing it.

/fc





Re: Removal of Proxy-State

2002-05-31 Thread Alan DeKok

"eric " <[EMAIL PROTECTED]> wrote:
> However, apparently some implementations may actually forward proxy
> states along the path...

  If the request is being forwarded, any Proxy-State in the original
request must be in the forwarded copy, too.

> why? I don't know...other than broken radius servers:
>
>  If a Proxy-State Attribute is added to a packet when forwarding
>   the packet, the Proxy-State Attribute MUST be added after any
>   existing Proxy-State attributes.

  Which FreeRADIUS does.  I don't think Merit does it, though.

  And for some reason, the people at Merit got their name on the
RFC's, despite having probably the worst RADIUS server implementation
I've seen *anywhere*.

  Alan DeKok.




Re: Removal of Proxy-State

2002-05-31 Thread Alan DeKok

Chris Parker <[EMAIL PROTECTED]> wrote:
> This assumes we are sending to a NAS, which we can't.  Consider a two
> stage proxy:

  The proxy state returned to the client MUST be exactly the same as
what client sent to the server.  You CANNOT trust the Proxy-State
attributes in the reply from the home server, as they may be running a
brain-dead server like Merit, which mangles Proxy-State.

  Look at rad_respond().  When it's responding to a request, it copies
the PW_PROXY_STATE from the request to the reply.  Since FreeRADIUS
isn't completely brain-damaged, these attributes are unmodified.

  Any crap Proxy-State attributes it receives in
request->proxy_reply->vps are discarded as nonsense.

> The reply going back to ISP1 should be:
> 
>  Blah = "blah",
>  Proxy-State = "foo"
>  Blah = "blah"
> 
> I'm working on a patch to do this, unless you want to take a stab
> at it.  :)

  It does that already.

  Alan DeKok.





Re: pam_radius-1.3.15 not failing over correctly

2002-05-31 Thread Alan DeKok

"Richard L. Goerwitz III" <[EMAIL PROTECTED]> wrote:
> I believe all the proxy does, in effect, is forward packets.  I don't
> think it has a notion of stateful conversations for UDP.  I'll have to
> check on this.

  Exactly.  It forwards a RADIUS request, and when it receives the
reply, where the heck does the reply go?

  Alan DeKok.




Re: Removal of Proxy-State

2002-05-31 Thread Chris Parker

At 01:50 PM 5/31/2002 -0400, eric wrote:
>Apparently, freeradius maintains the proxy-state elsewhere because I ran a 
>test and it worked.

H.  Interesting, I don't see where it's getting it from, but your
test shows it there...

My bad if I jumped the gun.  :)

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Removal of Proxy-State

2002-05-31 Thread eric

Apparently, freeradius maintains the proxy-state elsewhere because I ran a test and it 
worked.

However, apparently some implementations may actually forward proxy states along the 
path...why? I don't know...other than broken radius servers:

 If a Proxy-State Attribute is added to a packet when forwarding
  the packet, the Proxy-State Attribute MUST be added after any
  existing Proxy-State attributes.


http://www.freeradius.org/rfc/rfc2865.html#Proxy-State

Anyway it worked, thanks Alan:

[eric@thread ~]$ echo "User-Name = "[EMAIL PROTECTED]", CHAP-Password = "test", 
NAS-Port=10, NAS-Port-Type=0, NAS-Identifier=RadTest, Proxy-State = "1234" " | 
radclient -r 1 -t 5 -d /usr/local/radius/etc/ 192.168.1.1:1645 01 test
Received response ID 18, code 2, length = 392
Port-Limit = 2
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Service-Type = Framed-User
Framed-Protocol = PPP
Session-Timeout = 28800
Idle-Timeout = 900
Ascend-Idle-Limit = 900
Ascend-Maximum-Time = 28800
Proxy-State = "1234"




Re: Removal of Proxy-State

2002-05-31 Thread Chris Parker

At 01:06 PM 5/31/2002 -0400, Alan DeKok wrote:
>"eric " <[EMAIL PROTECTED]> wrote:
> > I searched through the CVS and probably overlooked the mod.  Could
> > you send me the oneliner?
>
>
> if (request->proxy_reply->vps) {
> request->reply->vps = request->proxy_reply->vps;
>+   pairdelete(&request->reply->vps, PW_PROXY_STATE);
> request->reply->code = request->proxy_reply->code;
> request->proxy_reply->vps = NULL;
> }

This assumes we are sending to a NAS, which we can't.  Consider a two
stage proxy:

NAS -> ISP1 -> ISP2  [ -> ISP3 ]( we are ISP2 )

ISP1 *must* receive back the Proxy-State that it added, if it added one.

pairdelete() removes all instances it finds ( including ISP1's ).

IE, ISP1 adds proxy-state = "foo"
 ISP2 adds Proxy-State = "bar"

Reply from ISP3 looks like:

 Blah = "blah",
 Proxy-State = "foo",
 Proxy-State = "bar",
 Blah = "blah"

The reply going back to ISP1 should be:

 Blah = "blah",
 Proxy-State = "foo"
 Blah = "blah"

I'm working on a patch to do this, unless you want to take a stab
at it.  :)

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



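The rule Alan and Chris arrive at in this thread (when forwarding, append your own Proxy-State after any already present; when replying, throw away whatever Proxy-State the home server returned, because it cannot be trusted, and hand the client back exactly the Proxy-State it sent you) can be walked through end to end on Chris's two-stage case. The Python below is an added example for this digest, not FreeRADIUS code: pairdelete() here is only a model of the C function's remove-every-instance behaviour, and the attribute lists, the values "foo" and "bar" and the "mangled" home-server reply are constructed for the illustration.

```python
# Added example (not FreeRADIUS code): Proxy-State handling for a server in
# the middle of a proxy chain, NAS -> ISP1 -> ISP2 (us) -> ISP3.
from typing import List, Tuple

Pair = Tuple[str, str]        # (attribute, value); list order is wire order
PROXY_STATE = "Proxy-State"


def forward_request(request: List[Pair], our_state: str) -> List[Pair]:
    """The copy we send upstream: every Proxy-State already present is kept,
    and ours is appended after them (the RFC 2865 ordering rule quoted in
    the thread)."""
    return list(request) + [(PROXY_STATE, our_state)]


def pairdelete(vps: List[Pair], attribute: str) -> List[Pair]:
    """Model of pairdelete(): removes *every* instance of the attribute."""
    return [pair for pair in vps if pair[0] != attribute]


def proxy_states(vps: List[Pair]) -> List[str]:
    """Just the Proxy-State values, in order, for inspection."""
    return [value for attr, value in vps if attr == PROXY_STATE]


def reply_with_pairdelete_only(proxy_reply: List[Pair]) -> List[Pair]:
    """The behaviour Chris objected to when reading the hunk on its own:
    all Proxy-State deleted and nothing put back, so ISP1 never sees "foo"."""
    return pairdelete(proxy_reply, PROXY_STATE)


def build_reply_for_client(original_request: List[Pair],
                           proxy_reply: List[Pair]) -> List[Pair]:
    """What the thread says the server does overall: discard whatever
    Proxy-State the home server returned, then copy the Proxy-State
    attributes from the request the client actually sent us, in order."""
    reply = pairdelete(proxy_reply, PROXY_STATE)
    return reply + [pair for pair in original_request if pair[0] == PROXY_STATE]


# Constructed scenario using the values from the thread.
REQUEST_FROM_ISP1: List[Pair] = [("User-Name", "bob@example.net"),
                                 (PROXY_STATE, "foo")]
UPSTREAM_REQUEST = forward_request(REQUEST_FROM_ISP1, "bar")
REPLY_FROM_ISP3: List[Pair] = [("Blah", "blah"), (PROXY_STATE, "foo"),
                               (PROXY_STATE, "bar"), ("Blah", "blah")]
# A home server that mangles Proxy-State, the behaviour the thread complains about.
MANGLED_REPLY_FROM_ISP3: List[Pair] = [("Blah", "blah"), (PROXY_STATE, "garbage")]

if __name__ == "__main__":
    print("sent upstream:     ", proxy_states(UPSTREAM_REQUEST))
    print("pairdelete only:   ", proxy_states(reply_with_pairdelete_only(REPLY_FROM_ISP3)))
    print("returned to ISP1:  ", proxy_states(build_reply_for_client(REQUEST_FROM_ISP1, REPLY_FROM_ISP3)))
    print("mangled home reply:", proxy_states(build_reply_for_client(REQUEST_FROM_ISP1, MANGLED_REPLY_FROM_ISP3)))
```

The restored Proxy-State is appended at the end of the reply rather than in the position Chris drew; RADIUS attribute order only matters among attributes of the same type, and here the client's own states are copied in the order they arrived. The same function also covers the plain NAS case: a request with no Proxy-State gets none back, whatever the home server returned.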



Re: pam_radius-1.3.15 not failing over correctly

2002-05-31 Thread Richard L. Goerwitz III

Alan DeKok wrote:

>>Note that this conversation (the one between the Linux box running
>>pam_radius) and the Radius servers is being mediated with a firewall
>>that has an application-level proxy. 
> 
>   That's the problem.  UDP is stateless, so there's little or nothing
> an appliction-level proxy can do.

I believe all the proxy does, in effect, is forward packets.  I don't
think it has a notion of stateful conversations for UDP.  I'll have to
check on this.

-- 

Richard L. Goerwitz III    Email: [EMAIL PROTECTED]
Phone: +1 507 646 5526 Fax: +1 507 646 4537
PGP key fingerprint: 4471 B6D3 57CC B2DC A0CF  82D3 0B7D EA19 F425 B0E0





Re: Removal of Proxy-State

2002-05-31 Thread Alan DeKok

"eric " <[EMAIL PROTECTED]> wrote:
> I searched through the CVS and probably overlooked the mod.  Could
> you send me the oneliner?

Index: auth.c
===
RCS file: /source/radiusd/src/main/auth.c,v
retrieving revision 1.102
diff -u -r1.102 auth.c
--- auth.c  2002/03/20 16:48:42 1.102
+++ auth.c  2002/05/31 17:05:36
@@ -458,9 +458,14 @@
/*
 *  Initialize our reply to the user, by taking
 *  the reply attributes from the proxy.
+*
+*  Note that we DELETE the Proxy-State attributes
+*  from the proxy reply, as they include the one
+*  we added, which MUST NOT go back to the NAS.
 */
if (request->proxy_reply->vps) {
request->reply->vps = request->proxy_reply->vps;
+   pairdelete(&request->reply->vps, PW_PROXY_STATE);
request->reply->code = request->proxy_reply->code;
request->proxy_reply->vps = NULL;
}
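Review bot: pairdelete(&request->reply->vps, PW_PROXY_STATE) removes every Proxy-State in the home server's reply, not only the one this server added, so the new comment ("they include the one we added, which MUST NOT go back to the NAS") describes only the NAS-facing case. When this server is itself one hop in a proxy chain, the Proxy-State a downstream proxy added is deleted here as well, and the reply is only correct because, as stated elsewhere in the thread, rad_respond() copies the Proxy-State attributes from the original request into the reply. Suggest the comment say so, e.g. "All Proxy-State from the home server is discarded; rad_respond() restores the client's own Proxy-State from the request.", so a reader of this hunk on its own does not conclude, as happened in this thread, that it breaks two-stage proxying.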




Re: pam_radius-1.3.15 not failing over correctly

2002-05-31 Thread Alan DeKok

"Richard L. Goerwitz III" <[EMAIL PROTECTED]> wrote:
> Note that this conversation (the one between the Linux box running
> pam_radius) and the Radius servers is being mediated with a firewall
> that has an application-level proxy. 

  That's the problem.  UDP is stateless, so there's little or nothing
an application-level proxy can do.

  Remove the proxy, and it will work.

  Alan DeKok.




Re: Removal of Proxy-State

2002-05-31 Thread eric

I searched through the CVS and probably overlooked the mod.  Could you send me the 
oneliner?

>  If you don't want to use the latest snapshot, you can add that patch
>in by hand to auth.c, in the 0.5 release.
 








pam_radius-1.3.15 not failing over correctly

2002-05-31 Thread Richard L. Goerwitz III

We have a pair of Radius servers at Carleton, both part of Novell's old
BorderManager product.  When pam_radius-1.3.15 finds one too busy (and
it times out), it naturally fails over to the other server listed in our
/etc/raddb/servers file.

Interestingly, when the second server is contacted, it's finding that
our packets are malformed.  When the remote server responds, the machine
running pam_radius itself sees a bad packet.  The machine running
pam_radius also sends out an ICMP udp port unreachable message.

The machine running pam_radius is a RedHat Linux box (7.3; kernel
version 2.4.18).

We're kind of wondering whether the fact that pam_radius uses the same
local UDP port for both connections (i.e., connections to both the first
and the second Radius server) might be causing the Linux kernel to
behave oddly.

Note that this conversation (the one between the Linux box running
pam_radius) and the Radius servers is being mediated with a firewall
that has an application-level proxy.  The ICMP message, though, is
clearly being issued by the Linux machine after getting a denial from
the Radius server.

Anyone have any thoughts about what is going on?

-- 

Richard L. Goerwitz III    Email: [EMAIL PROTECTED]
Phone: +1 507 646 5526 Fax: +1 507 646 4537
PGP key fingerprint: 4471 B6D3 57CC B2DC A0CF  82D3 0B7D EA19 F425 B0E0


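Whether a reply "verifies" on the client side is a concrete computation, RFC 2865's Response Authenticator, which is MD5 over the reply header, the Request Authenticator of the request being answered, the reply attributes and the shared secret. The Python below is an added example for this digest, not pam_radius or FreeRADIUS code, and makes no claim about what pam_radius actually does internally: it models a client that has two Access-Requests in flight with the same identifier on one UDP port, one per server, and sorts an incoming reply by which outstanding request authenticator it verifies against. The secret, identifiers, authenticators and attribute values are constructed; a reply that checks out against none of the outstanding requests is exactly the "bad packet" a client has to discard.

```python
# Added example (not pam_radius or FreeRADIUS code): RFC 2865 reply
# verification on the client side, and why a reply can "fail to verify"
# when two requests with the same identifier are outstanding on one port.
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER = struct.Struct("!BBH")      # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    out = b""
    for attr_type, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value too long for one AVP")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_request(ident: int, request_auth: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    body = encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code: int, ident: int, body: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body))
                       + request_auth + body + secret).digest()


def build_reply(code: int, ident: int, request_auth: bytes,
                attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """What a server sends back; it is bound to the *request's* authenticator."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return HEADER.pack(code, ident, 20 + len(body)) + auth + body


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: recompute the Response Authenticator and compare."""
    if len(reply) < 20:
        return False
    code, ident, length = HEADER.unpack(reply[:4])
    if length != len(reply) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def match_reply(reply: bytes, outstanding: Dict[str, Tuple[int, bytes]],
                secret: bytes) -> Optional[str]:
    """Given requests still in flight, keyed by server name and holding
    (identifier, request_auth), return which server's request this reply
    answers, or None when it verifies against none of them."""
    if len(reply) < 20:
        return None
    ident = reply[1]
    for server, (sent_ident, request_auth) in outstanding.items():
        if sent_ident == ident and verify_reply(reply, request_auth, secret):
            return server
    return None


# Constructed values; real Request Authenticators must be unpredictable.
SECRET = b"constructed-shared-secret"
ATTRS = [(1, b"rgoerwitz"), (5, struct.pack("!I", 20118))]   # User-Name, NAS-Port
AUTH_PRIMARY = bytes(range(16))
AUTH_SECONDARY = bytes(range(16, 32))

# Same identifier (7) from the same source port to both servers, fresh
# authenticator for each transmission.
REQ_PRIMARY = build_request(7, AUTH_PRIMARY, ATTRS)
REQ_SECONDARY = build_request(7, AUTH_SECONDARY, ATTRS)
OUTSTANDING = {"primary": (7, AUTH_PRIMARY), "secondary": (7, AUTH_SECONDARY)}
REPLY_FROM_SECONDARY = build_reply(ACCESS_ACCEPT, 7, AUTH_SECONDARY,
                                   [(6, struct.pack("!I", 2))], SECRET)   # Service-Type

if __name__ == "__main__":
    print("verifies against secondary's request:", verify_reply(REPLY_FROM_SECONDARY, AUTH_SECONDARY, SECRET))
    print("verifies against primary's request:  ", verify_reply(REPLY_FROM_SECONDARY, AUTH_PRIMARY, SECRET))
    print("reply answers:", match_reply(REPLY_FROM_SECONDARY, OUTSTANDING, SECRET))
```

The point for a client that fails over is that the identifier alone cannot tell the two requests apart once both share an ID on one port; the client has to keep the Request Authenticator of every request still outstanding and try the reply against each, and it has to drop, rather than act on, any reply that matches none of them (wrong secret on the second server, a reply to an already-discarded request, or a packet altered in transit all look the same at this layer).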



mysql re-connect code?

2002-05-31 Thread Todd T. Fries

Has anyone looked into the mysql (if it disconnects, re-connect) code?  I've
been asked to look into it and would not like to duplicate any existing effort.

I'm told the postgresql module has this functionality but the mysql module
does not.

Thanks,
-- 
Todd Fries .. [EMAIL PROTECTED]

(last updated $ToddFries: signature.p,v 1.2 2002/03/19 15:10:18 todd Exp $)





NAS-Port-Id vs NAS-Port ?

2002-05-31 Thread Todd T. Fries

I've noticed that in the sql database (using mysql as a backend, shouldn't
matter) module the sql.conf suggests a field in the database should be
'NASPortId' and the dictionary name that should be stored there is
'NAS-Port-Id' .. 

However in an all-cisco-dialup-router setup, the NAS-Port-Id never shows
up in accounting packets, while NAS-Port does.

In our system, we've done a '%s/NAS-Port-Id/NAS-Port/' on sql.conf (diff
attached) and instead of having '0' show up all the time, suddenly the
dialup accounting data has the port number in the NASPortId column.

Is there a reason this is not 'NAS-Port' and NASPort .. ?
-- 
Todd Fries .. [EMAIL PROTECTED]

(last updated $ToddFries: signature.p,v 1.2 2002/03/19 15:10:18 todd Exp $)



Index: sql.conf
===
RCS file: /source/radiusd/raddb/sql.conf,v
retrieving revision 1.15
diff -u -r1.15 sql.conf
--- sql.conf2002/04/25 14:52:07 1.15
+++ sql.conf2002/05/31 16:16:48
@@ -117,12 +117,12 @@
 
accounting_update_query = "UPDATE ${acct_table1} SET FramedIPAddress = 
'%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = 
'%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'"
 
-   accounting_start_query = "INSERT into radacct (RadAcctId, AcctSessionId, 
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, 
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, 
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, 
AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}', 
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', 
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', 
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
+   accounting_start_query = "INSERT into radacct (RadAcctId, AcctSessionId, 
+AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, 
+AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, 
+AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
+AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, 
+AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
+'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
+'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', 
+'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', 
+'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
 
accounting_start_query_alt  = "UPDATE ${acct_table1} SET AcctStartTime = '%S', 
AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE 
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND 
NASIPAddress = '%{NAS-IP-Address}'"
 
accounting_stop_query = "UPDATE ${acct_table1} SET AcctStopTime = '%S', 
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', 
AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = 
'%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = 
'%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = 
'%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
 
-   accounting_stop_query_alt = "INSERT into radacct (RadAcctId, AcctSessionId, 
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, 
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, 
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, 
AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}', 
'%{NAS-Port-Type}', '0', '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', 
'%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', 
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', 
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', 
'%{Acct-Delay-Time}')"
+   accounting_stop_query_alt = "INSERT into radacct (RadAcctId, AcctSessionId, 
+AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, 
+AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, 
+AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
+AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, 
+AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
+'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Addres
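Review bot: both INSERT statements in this hunk now take their value from %{NAS-Port} but still write it into the NASPortId column, so the column name no longer describes what it holds; either rename the column to NASPort in both the schema and these queries, or add a comment in sql.conf stating that NASPortId is populated from NAS-Port because the Cisco dialup routers mentioned above never send NAS-Port-Id in accounting packets. The hunk is also truncated after `'%{NAS-IP-Addres` in the accounting_stop_query_alt line, so the patch cannot be applied as posted and the second INSERT's replacement cannot be checked; please re-send the diff as an attachment.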

ldap remoteuser auth problem

2002-05-31 Thread Dave Vondracek

Greetings,

I'm new to the FreeRadius world, and frankly pretty new to
radius in general.  

My situation is this:  I have inherited a Netscape Directory
Server 4.11 using Solaris Extensions and dsradiusd for my
radius authentication.  We have added another dialup
provider to our existing services and this one requires CHAP
authentication and an Ascend-Data-Filter for SMTP blocking.

The documentation for dsradiusd is incredibly poor, so if it
can do what I now need it to, I have no real way of knowing.
(If someone knows and can put me out of my misery quick,
that would be ok too)  Freeradius however does support
everything I need.  And while you say your documentation
needs work, it's far beyond the other projects I've looked
at recently.

I've managed to build and get running the freeradius server,
basic authentication works fine (bob account)  but it fails
when I try LDAP authentication against my Netscape Directory
Server.  I believe the problem is that my LDAP server is set
up with remoteUser, accounts not posixAccounts for the
classObject.  Between looking at the code (rlm_ldap.c) and
the debug output, it appears to be attempting to rebind as
the login user.  

What do I need to change to get Freeradius to work with
remoteUsers instead of posixAccounts?  Am I on the right
path?  And thinking a little further ahead - is Freeradius
going to pull the proper attributes from the LDAP server to
forward to the NAS?

Thank you for your help!

Dave Vondracek
CTO, IntNet
[EMAIL PROTECTED]
ps - here are some of the config changes I've made, and
program outputs.

First DEFAULT in users (replaces system auth):

DEFAULT Auth-Type := LDAP
Fall-Through = 1

Changes to radius.conf:
 ldap {
[ldap server info]
filter = "(&(Objectclass=remoteUser)(uid=%u))"
[...etc...]
}
authenticate {
#   pam
#   unix
#chap
pap
ldap
#   mschap
#   eap
}


Radtest:
# radtest bob "bob" localhost:1245 1 testing123
Sending Access-Request of id 106 to 127.0.0.1:1245
User-Name = "bob"
User-Password = "-\016\001\353.\032\332f\336\n\373M\353\322\241\231"
NAS-IP-Address = archimedes
NAS-Port-Id = "1"
rad_recv: Access-Accept packet from host 127.0.0.1:1245,
id=106, length=32
Reply-Message = "Hello, bob"
# radtest test "test" localhost:1245 1 testing123
Sending Access-Request of id 111 to 127.0.0.1:1245
User-Name = "test"
User-Password = "\277\356\001\347T\226\354s\t\243\227\263\257L\343*"
NAS-IP-Address = archimedes
NAS-Port-Id = "1"
rad_recv: Access-Reject packet from host 127.0.0.1:1245,
id=111, length=20


 /usr/local/sbin/radiusd -X -A

rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "test"
radius_xlat:  '(&(Objectclass=remoteUser)(uid=test))'
radius_xlat:  'o=intnet.net'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ds1.intnet.net:389, authentication
0
rlm_ldap: bind as uid=ADMIN,ou=People,o=intnet.net/ADMINPASSWORD
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in o=intnet.net, with filter
(&(Objectclass=remoteUser)(uid=test))
request 2 done
ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=test,ou=INO Dial Subscribers,
o=intnet.net
rlm_ldap: (re)connect to ds1.intnet.net:389, authentication
1
rlm_ldap: bind as uid=test,ou=INO Dial Subscribers,
o=intnet.net/test
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: uid=davetest,ou=INO Dial Subscribers, o=intnet.net
bind failed Inappropriate authentication
  modcall[authenticate]: module "ldap" returns fail





suggestion re: rad_lowerpair/rmspace_pair

2002-05-31 Thread Nick Davis

I have the following in my radiusd.conf:

lower_user = after
lower_pass = after
nospace_user = after
nospace_pass = after

According to the notes in that file 
# [...] "If "after", the server
# will first auth using the values provided by the
# user.  If that fails it will reprocess the request
# after modifying it as you specify below."

In practice, I do not see the above statement as true. What I see is that it 
will always modify the password even if it was true in the first place. 

Here is what I see:

modcall: group authtype returns ok
modcall: entering group session
  modcall[session]: module "radutmp" returns ok
modcall: group session returns ok
Login OK: [radman2] (from client localhost port 0)
rad_lowerpair:  User-Name now 'radman2'
rad_lowerpair:  User-Password now 'testing'
rad_rmspace_pair:  User-Name now 'radman2'
rad_rmspace_pair:  User-Password now 'testing'
Sending Access-Accept of id 246 to 127.0.0.1:1087

So, it was correct in the first place, and login was accepted, then it does 
the lowerpair and rmspace_pair after being accepted. Isn't that a waste?
Am I interpreting this correctly? Not that this is of huge importance, but 
if it doesn't work as advertised, I think it should be fixed.

Nick

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Re: Problems with MySQL authentication

2002-05-31 Thread Nick Davis

> > root@localhost# radtest radman2 testing localhost 10 2 <hostname>
> > Sending Access-Request of id 128 to 127.0.0.1:1812
> > User-Name = "radman2"
> > User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
> > NAS-IP-Address = 
> > NAS-Port-Id = "10"
> > Framed-Protocol = PPP
> > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128,
> > length=20 rad_decode: Received Access-Reject packet from 127.0.0.1 with
> > invalid signature!   
> > ^^^
>
>   ^
>
> > output from radiusd -X
>
> [...]
>
> >   WARNING: Unprintable characters in the password. ?  Double-check the
> > shared secret on the server and the NAS!
> >
> > 
> > This WARNING says check my secret, but I know that is correct for sure.
> > From
>
> Are you _really really_ sure you have your shared secret correct? Both
> the "invalid signature" error radtest gives and the warning from radiusd
> indicate that the shared secrets don't match.
> Could you paste the relevant section from raddb/clients.conf?

You were correct in saying that I used an incorrect secret. I looked at my 
clients.conf and I saw that there are different secrets for localhost, and my 
NAS's. I guess I didn't understand that I needed to use the secret for 
localhost, I was using the secret for my NAS. Once, I used the secret for 
localhost, everything works great!!

Thanks for the excellent support everyone!

Nick

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Re: Removal of Proxy-State

2002-05-31 Thread Alan DeKok

"Eric Dean" <[EMAIL PROTECTED]> wrote:
> Qwest and UUNET are throwing a fit because we are returning two sets of
> Proxy-State attributes when we proxy to our customers.  They expect only
> one.

  They're right.

cvs update src/main/auth.c

  or grab the CVS snapshot from tonight.  There's a one-line patch to
that file.

  If you don't want to use the latest snapshot, you can add that patch
in by hand to auth.c, in the 0.5 release.

  Alan DeKok.




Re: SQL Module

2002-05-31 Thread Simon

On Fri, May 31, 2002 at 10:48:27AM -0400, Alan DeKok wrote:
> Simon <[EMAIL PROTECTED]> wrote:
> > >   That's because of recent changes I made to the module.  It now
> > > escapes magic characters, and I'll add '.' to the list of characters
> > > it doesn't escape.
> > 
> > Could we please also add '@' to the list of non-escaped characters?
> > Considering that '@' is used for realms it tends to show up alot in
> > radacct, and the '=40' equivalent isn't very good looking :)
> 
>   OK, so long as no SQL back-end gets excited about '@'.
> 
>   The method I want to use is one of minimal inclusion, rather than
> specific exclusion.  e.g. rlm_sql/sql.c has it's own escape function,
> which operates on the exclusion principle.  That means it MAY be
> possible to fool it.
> 
>   This is also known as 'better safe than sorry'

I checked with some of my more sql-knowledgeable co-workers, and they
couldn't think of anything bad happening with '@' in queries etc, so it's
most likely safe. Only speaking for mysql here though, none of the
others.

-- 
Simon





unix-06 not found in newest snapshot

2002-05-31 Thread Stefan Immel

When I try to start the newest CVS snapshot (05/31/02) I get the following error:

radiusd.conf[329] Failed to link to module 'rlm_unix-0.6': file not found

The 0.5 release works fine.

The difference seems to be in rlm_unix.la:

The 0.5 has:
library_names='rlm_unix.so.0.0.0 rlm_unix.so.0 rlm_unix.so'

The snapshot has:
library_names='rlm_unix-0.6.so rlm_unix-0.6.so rlm_unix.so'

Both rlm_unix.so.0.0.0 and rlm_unix-0.6.so are on my system, in the same
directory.

Can anybody help ???



--
Stefan Immel
 |N|O|C   Network Operation Center
-+-+-+---
 | Grove
Auf der Stuecke 6Tel. +49 2773-8167-0
35708 Haiger / Germany   Fax  +49 2773-8167-20
--
mailto:[EMAIL PROTECTED] http://www.grove.de
"There is always hope, only because it is the one
  thing nobody's figured out how to kill yet."
  ~ Galen, Crusade "Racing The Night"
--
  http://www.nocr2.de -> NOC R2
   the solution for the IT workflow
--




Re: SQL Module

2002-05-31 Thread Alan DeKok

Simon <[EMAIL PROTECTED]> wrote:
> >   That's because of recent changes I made to the module.  It now
> > escapes magic characters, and I'll add '.' to the list of characters
> > it doesn't escape.
> 
> Could we please also add '@' to the list of non-escaped characters?
> Considering that '@' is used for realms it tends to show up alot in
> radacct, and the '=40' equivalent isn't very good looking :)

  OK, so long as no SQL back-end gets excited about '@'.

  The method I want to use is one of minimal inclusion, rather than
specific exclusion.  e.g. rlm_sql/sql.c has it's own escape function,
which operates on the exclusion principle.  That means it MAY be
possible to fool it.

  This is also known as 'better safe than sorry'

  Alan DeKok.

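The "minimal inclusion" escaping Alan describes here and in Simon's earlier reply, as an added example that is not FreeRADIUS code and not rlm_sql/sql.c: a blocklist escaper beside an allowlist escaper, both using the '=XX' encoding the thread mentions ('=40' for '@'), with '.' and '@' kept on the allowlist. The function names, the allowlist itself and the sample values are assumptions; the trailing-backslash sample shows one way a blocklist can be fooled.

```python
"""Allowlist vs blocklist escaping of RADIUS attribute values bound for SQL.

Added example, not FreeRADIUS code.  The '=XX' encoding follows the '=40'
form for '@' mentioned in the thread; everything else here is assumed.
"""
import re
import string

# Characters an allowlist ("minimal inclusion") escaper passes through.
# '.' keeps IP-formatted user names intact, '@' keeps user@realm readable.
SQL_SAFE = frozenset(string.ascii_letters + string.digits + "@._-: ")

# What a blocklist ("specific exclusion") escaper knows about: only the
# characters its author thought of.  Note that '\\' and '=' are missing.
SQL_DANGEROUS = frozenset("'\";")


def _hexify(c: str) -> str:
    """Encode one character as '=XX' (upper-case hex of its code point)."""
    return f"={ord(c):02X}"


def escape_by_exclusion(value: str) -> str:
    """Blocklist: escape listed characters, pass everything else unchanged."""
    return "".join(_hexify(c) if c in SQL_DANGEROUS else c for c in value)


def escape_by_inclusion(value: str) -> str:
    """Allowlist: pass listed characters, escape everything else."""
    return "".join(c if c in SQL_SAFE else _hexify(c) for c in value)


def unescape(value: str) -> str:
    """Reverse the '=XX' encoding.  Only unambiguous if '=' itself was escaped,
    which the allowlist version guarantees and the blocklist version does not."""
    return re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_check_query(user_name: str, escape) -> str:
    """Mimic authorize_check_query with the escaped User-Name interpolated."""
    return (
        "SELECT id, UserName, Attribute, Value, op FROM radcheck "
        f"WHERE UserName = '{escape(user_name)}' ORDER BY id"
    )


def query_is_well_formed(query: str) -> bool:
    """Cheap sanity check: the string literal must contain no stray quote or
    backslash that could alter the statement.  A real driver would use bind
    parameters; this only illustrates why the blocklist is the weaker choice."""
    literal = query.split("UserName = '", 1)[1].split("' ORDER BY id", 1)[0]
    return "'" not in literal and "\\" not in literal


def compare(user_name: str) -> dict:
    """Run both escapers over one value and report which produced a safe query."""
    return {
        name: query_is_well_formed(build_check_query(user_name, fn))
        for name, fn in (("exclusion", escape_by_exclusion),
                         ("inclusion", escape_by_inclusion))
    }


if __name__ == "__main__":
    # Constructed sample values: a realm user, an IP-style user name as in the
    # original report, a quote, and a name ending in a backslash, which a
    # MySQL-style string literal would treat as escaping the closing quote.
    for sample in ("bob@example.com", "10.1.2.3", "o'brien", "bob\\"):
        print(repr(sample), escape_by_inclusion(sample), compare(sample))
```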



Re: Re[2]: Problem with ld

2002-05-31 Thread Alan DeKok

Динар <[EMAIL PROTECTED]> wrote:
> AD>   It's a problem with shared libraries.  Maybe you don't have a shared
> AD> library for postgresql.
>
> The thing is that I have shared library for postgresql.
> What extensions do rlm modules have??? It must be .so extension or
> something else???

  They're just normal shared libraries.

  Read the FAQ.  That's what it's there for:

http://www.freeradius.org/faq/#4.14

  Alan DeKok.




Re: Radius Client Implementation

2002-05-31 Thread Alan DeKok

Tay Shwu Ying <[EMAIL PROTECTED]> wrote:
> I am a new user in FreeRadius and I would like to enquire if there is any 
> sample FreeRadius client implementation that I can adopt?
> I know that radtest is just a script file.

  Which calls a program called 'radclient', which has source included
in the server.

  Alan DeKok.




(no subject)

2002-05-31 Thread Mazen R. Kassem

Hi Guys,

Are there any simple tools to access LDAP data and add or delete users, something like that (web tools, for example)?

Mazen



Re: Problems with MySQL authentication was Re: Problems with MySQL Auth-Type

2002-05-31 Thread Chris Parker

At 08:52 AM 5/31/2002 +0200, Simon wrote:
>On Thu, May 30, 2002 at 07:14:14PM -0500, Nick Davis wrote:
>
>[...]
>
> > root@localhost# radtest radman2 testing localhost 10 2 <hostname>
> > Sending Access-Request of id 128 to 127.0.0.1:1812
> > User-Name = "radman2"
> > User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
> > NAS-IP-Address = 
> > NAS-Port-Id = "10"
> > Framed-Protocol = PPP
> > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
> > rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid
> > signature!^^^
>   ^
>
>Are you _really really_ sure you have your shared secret correct? Both
>the "invalid signature" error radtest gives and the warning from radiusd
>indicate that the shared secrets don't match.
>Could you paste the relevant section from raddb/clients.conf?

It is most likely just really old code on the NAS.  Quite a few NAS
in older code revs didn't sign Accounting-Request packets properly.
Livingston Portmasters were one.  I'd highly recommend looking at
upgrading the NAS code as the suspect here.

Also, if this is an older Ascend box, Ascend didn't quite follow the RFC
method of encrypting PAP passwords when sending to the NAS ( they added
additional NULL pads ).  Newer Ascend/Lucent allow you to switch to an
RFC compliant mode.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



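The "invalid signature" check behind Nick's thread and the unsigned Accounting-Request packets Chris mentions, as an added example that is not FreeRADIUS or radclient code: the Response Authenticator and the Accounting-Request Authenticator are both MD5 over the header, an authenticator field and the shared secret, so a reply built with one secret fails verification under another. Packets, request authenticators and secrets are constructed; function names are assumptions.

```python
"""Recomputing RADIUS authenticators (RFC 2865 section 3, RFC 2866 section 3).

Added example, not FreeRADIUS or radclient code.  Packets, request
authenticators and secrets below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes = b"") -> bytes:
    """Assemble a raw packet: header, 16-byte authenticator, attribute bytes."""
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret).  This is
    what a server puts in a reply and what radclient recomputes on receipt."""
    length = HEADER_LEN + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()


def accounting_request_authenticator(ident, attrs, secret: bytes) -> bytes:
    """Same construction with 16 zero octets where the authenticator sits.
    A NAS that skips this is what the thread calls not signing accounting."""
    return response_authenticator(ACCOUNTING_REQUEST, ident, bytes(16), attrs, secret)


def _header(packet: bytes):
    """Split a packet into code, id, authenticator and attributes; check Length."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    return code, ident, packet[4:HEADER_LEN], packet[HEADER_LEN:]


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True iff the reply was built with this secret for a request carrying
    request_auth; False is the 'invalid signature' case seen in the thread."""
    code, ident, auth, attrs = _header(packet)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(expected, auth)


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """True iff an Accounting-Request carries a correct Request Authenticator."""
    code, ident, auth, attrs = _header(packet)
    if code != ACCOUNTING_REQUEST:
        return False
    return hmac.compare_digest(accounting_request_authenticator(ident, attrs, secret), auth)


def reject_for(request_auth: bytes, ident: int, server_secret: bytes) -> bytes:
    """Build the 20-byte Access-Reject (no attributes) a server would send."""
    auth = response_authenticator(ACCESS_REJECT, ident, request_auth, b"", server_secret)
    return build_packet(ACCESS_REJECT, ident, auth)


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed; real request authenticators are random
    reply = reject_for(req_auth, 128, b"testing123")
    print("localhost secret:", verify_response(reply, req_auth, b"testing123"))  # True
    print("NAS secret:      ", verify_response(reply, req_auth, b"nas-secret"))  # False
```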



Re: Removal of Proxy-State

2002-05-31 Thread Chris A. Kalin

Damn, I was minutes away from posting about the exact same problem.  :)

I await the fix eagerly.

Chris Kalin

- Original Message -
From: "Chris Parker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 31, 2002 09:06 AM
Subject: Re: Removal of Proxy-State


> At 12:36 AM 5/31/2002 -0400, Eric Dean wrote:
>
> >Qwest and UUNET are throwing a fit because we are returning two sets of
> >Proxy-State attributes when we proxy to our customers.  They expect only
> >one.
> >
> >Apparently, according to the RFC:
> >http://www.freeradius.org/rfc/rfc2865.html#Proxy-State
> >
> >   When the proxy server receives the response to
> >   its request, it MUST remove its own Proxy-State (the last Proxy-
> >   State in the packet) before forwarding the response to the NAS.
> >
> >I'm assuming that the NAS can also mean another upstream proxy.  Is there
a
> >way to make freeradius only return the specific Proxy-State attribute
from
> >the request and not include those which it creates.
>
> Yes, it should do this.  It's a bug.  This will get fixed shortly.
>
> -Chris
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
>
>
>
>





Re: Removal of Proxy-State

2002-05-31 Thread Chris Parker

At 12:36 AM 5/31/2002 -0400, Eric Dean wrote:

>Qwest and UUNET are throwing a fit because we are returning two sets of
>Proxy-State attributes when we proxy to our customers.  They expect only
>one.
>
>Apparently, according to the RFC:
>http://www.freeradius.org/rfc/rfc2865.html#Proxy-State
>
>   When the proxy server receives the response to
>   its request, it MUST remove its own Proxy-State (the last Proxy-
>   State in the packet) before forwarding the response to the NAS.
>
>I'm assuming that the NAS can also mean another upstream proxy.  Is there a
>way to make freeradius only return the specific Proxy-State attribute from
>the request and not include those which it creates.

Yes, it should do this.  It's a bug.  This will get fixed shortly.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



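The Proxy-State rule quoted in this thread (and in Alan's and Chris Kalin's replies above), as an added example that is not FreeRADIUS code: a proxy appends its own Proxy-State when forwarding and must strip exactly that one, the last, from the reply, so that an upstream such as the ones Eric describes sees only the Proxy-State attributes it sent. The attribute bytes, state values and function names are constructed.

```python
"""Proxy-State bookkeeping for a RADIUS proxy (RFC 2865, Proxy-State).

Added example, not FreeRADIUS code.  Attribute values are constructed.
"""
import struct

PROXY_STATE = 33   # RFC 2865 attribute number
USER_NAME = 1


def parse_attrs(data: bytes) -> list:
    """Split raw attribute bytes into (type, value) pairs; reject bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, bytes(data[pos + 2:pos + alen])))
        pos += alen
    return attrs


def encode_attrs(attrs) -> bytes:
    """Inverse of parse_attrs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def proxy_states(attrs) -> list:
    """Proxy-State values in packet order."""
    return [v for t, v in attrs if t == PROXY_STATE]


def forward_request(attrs, own_state: bytes) -> list:
    """Outbound: keep every Proxy-State received, append ours at the end."""
    return list(attrs) + [(PROXY_STATE, own_state)]


def strip_own_proxy_state(reply_attrs, own_state: bytes) -> list:
    """Inbound: remove the LAST Proxy-State, which must be the one we added.
    Any other layout means the reply does not belong to our request."""
    last = max((i for i, (t, _) in enumerate(reply_attrs) if t == PROXY_STATE), default=-1)
    if last < 0 or reply_attrs[last][1] != own_state:
        raise ValueError("last Proxy-State in reply is not ours")
    return reply_attrs[:last] + reply_attrs[last + 1:]


def home_server_reply(request_attrs, reply_attrs) -> list:
    """A compliant home server echoes every Proxy-State from the request, unchanged."""
    return list(reply_attrs) + [(PROXY_STATE, v) for v in proxy_states(request_attrs)]


def upstream_accepts(request_attrs, reply_attrs) -> bool:
    """What the upstream proxies in the thread check: the reply carries exactly
    the Proxy-State attributes they put in their request, no extras."""
    return proxy_states(request_attrs) == proxy_states(reply_attrs)


def relay(request_bytes: bytes, own_state: bytes, buggy: bool = False) -> bytes:
    """Full round trip: upstream request -> us -> home server -> us -> upstream.
    With buggy=True the proxy forgets to strip its own Proxy-State, which is
    the behaviour reported in this thread."""
    upstream_req = parse_attrs(request_bytes)
    forwarded = forward_request(upstream_req, own_state)
    reply = home_server_reply(forwarded, [])  # empty Access-Accept body
    if not buggy:
        reply = strip_own_proxy_state(reply, own_state)
    return encode_attrs(reply)


if __name__ == "__main__":
    # Constructed upstream request: a user name plus the upstream's own Proxy-State.
    req = encode_attrs([(USER_NAME, b"bob@example.com"), (PROXY_STATE, b"upstream-7")])
    for buggy in (False, True):
        reply = parse_attrs(relay(req, b"ours-42", buggy))
        print("buggy" if buggy else "fixed", proxy_states(reply),
              upstream_accepts(parse_attrs(req), reply))
```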



Re: Realm's not being removed.

2002-05-31 Thread Chris Parker

At 11:56 AM 5/31/2002 +1200, Allister Maguire wrote:
>Hello,
>
>We are using realms, but when a user is authorized and authenticated the
>realm is not removed.
>
>Regards
>Allister Maguire
>
>
>DEBUG:
>
>rad_recv: Access-Request packet from host 127.0.0.1:32853, id=22,
>length=68
>Thread 3 assigned request 2
>--- Walking the entire request list ---
>Cleaning up request 1 ID 18 with timestamp 3cf6b8b2
>Nothing to do.  Sleeping until we see a request.
>Thread 3 handling request 2, (1 handled so far)
> User-Name = "[EMAIL PROTECTED]"
> User-Password = "@\022kJ\363\rY\267\346\313\214"(\245\306\200"
> NAS-IP-Address = 255.255.255.255
> NAS-Port-Id = "1"
>modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "suffix" returns ok
> users: Matched DEFAULT at 1
>   modcall[authorize]: module "files" returns ok
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for ssaint
>radius_xlat:  '([EMAIL PROTECTED])'
>radius_xlat:  'ou=People,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XX'
>ldap_get_conn: Got Id: 0
>rlm_ldap: performing search in
>ou=People,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XX, with filter
>([EMAIL PROTECTED])
>rlm_ldap: object not found or got ambiguous search result
>rlm_ldap: search failed
>ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns notfound

If this is the problem you are talking about, you can configure LDAP
to use a different attribute ( Stripped-User-Name I believe ) rather
than the full User-Name.

If that's not what you want, please provide more detail on what you are
expecting to happen.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: SQL Module

2002-05-31 Thread Simon

On Tue, May 28, 2002 at 11:59:51AM -0400, Alan DeKok wrote:
> "Rodrigo Gonzalez" <[EMAIL PROTECTED]> wrote:
> > Whenever it receives a user with an IP format, example: 10.1.2.3 it
> > returns failed and it is wrong.
> > 
> > I search the code and found that the problem is with this line:
> > radius_xlat(querystr, MAX_QUERY_LEN,
> > inst->config->authorize_check_query, request, sql_escape_string);

[...]

>   That's because of recent changes I made to the module.  It now
> escapes magic characters, and I'll add '.' to the list of characters
> it doesn't escape.

Could we please also add '@' to the list of non-escaped characters?
Considering that '@' is used for realms it tends to show up a lot in
radacct, and the '=40' equivalent isn't very good looking :)

-- 
Simon








Account Expire Date...

2002-05-31 Thread Oordopjes zijn Cool!

Hi,

Is there a way to set an expire date / time for an account? So users can't use the account after the expire date / time?

Thanks!

PS. Since this is my first post: hello all mailing list people!



Users Limit

2002-05-31 Thread m . raman


I am using Redhat Linux 7.2 + FreeRadius 0.5 + Openldap  combination. May i
know how many users it can support.

Is there any user limit in freeradius with ldap?

Regards

Raman


[This e-mail is confidential and may also be privileged. If you are not the
intended recipient, please delete it and notify us immediately; you should
not copy or use it for any purpose, nor disclose its contents to any other
person. Thank you.]

