test
Testing, sorry. -- Simon - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Exec-Program-Wait
Hi Daryl,

Thanks very much for your help! We found out that the environment was being reset somehow by freeradius and managed to call a wrapper unix shell script (like you suggested) that first sets the environment variables (in exactly the same way as .profile) before calling the program. It all works nicely now!

Thanks,
Sally Fetouh

Daryl's earlier reply, quoted:
> I'd call a wrapper script around your program, with a printenv command dumping the output to a file in /tmp. Is this the same _unix_ user ID, or Oracle user id? Are you manually (or automatically, through .profile) calling oraenv to set your environment (ORACLE_SID, etc)? Does your program (which I haven't seen a lot of detail on) require these variables, like sqlplus typically does? Does it use OCI? It will inherit the environment of its parent process - if it's started as a typical Unix daemon, then that isn't a lot (I don't know whether it scrubs the environment it passes on to sub-processes, either).
Re: Problem in group authentication
I think the Framed-Protocol operator in the check item should be ==. However I still can't get what the operator with the Group attribute should be. I have also tried the += operator with the Group attribute. Please help to solve this situation.

Aqeel

--- Chris Parker [EMAIL PROTECTED] wrote:

> At 06:09 AM 6/11/2002 -0700, Aqeel Anwar wrote:
> > Hi all
> > I am using freeradius 0.5 on solaris 7.0 with cisco servers. On the radius server I defined two groups with group-names disabled and single. Then I created two users: test1 belonging to disabled and test2 belonging to single. Then in the users file I have:
> >
> >     DEFAULT Group := disabled, Auth-Type := Reject
> >             Reply-Message = Not authorized
> >
> >     DEFAULT Group := single, Auth-Type := System, Framed-Protocol := PPP
> >             Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP
> >
> > With this configuration, both users are matched on the first group, so both are rejected authorization.
>
> Yes. You are using the wrong operators. Please see the 'users' man page.
>
> -Chris
> --
> StarNet Inc. / Chris Parker, Director, Engineering
> WX *is* Wireless! http://www.starnetwx.net (847) 963-0116
> Wholesale Internet Services - http://www.megapop.net
Re: vendor-specific attribute support in pam_radius_auth?
[EMAIL PROTECTED] wrote:
> Since some servers require vendor-specific attributes, I wonder if the pam_module supports these:
> - in Access-request, the radius client sends one or more vendor-specific attributes on top of the usual attributes

WHICH vendor-specific, and WHY? How would you configure these? The short answer is that you can't, unless you modify the code.

> - in the Access-challenge, the radius client reports the reply-message + one or more vendor-specific attributes to the application on top of the regular attributes
> - in the second Access request, the radius client sends in the response one or more vendor specific attributes + regular attributes.
> Has anybody tried these? Can a PAM module at all support usage of vendor-specific attributes?

No.

> if not, what do you think needs to be modified to allow this to happen? Would that be a big work? A suggestion would be that the application merely provides the vendor-ID, vendor type, vendor length and value field to the PAM module.

How? PAM doesn't do this.

> The radius client then transparently forwards the request to the server without altering it.

If the application can create a RADIUS request, why the heck are you trying to use PAM?

> In the other way round, the client detects the vendor specific fields and reports them to the application without processing it any further.

How? PAM doesn't do this.

Alan DeKok.
Authorisation based on LDAP Group membership
Hi all,

I have installed openldap and freeradius on a Red Hat v7.3 box. I want to use ldap for radius authentication and authorisation. I want to control authorisation on a per group basis, and added the radiusprofile object class to a group. The radiusServiceType was then set to Administrative-User. However, members of this group are not able to telnet to any of our cisco routers. The arrangement works fine if I follow the same procedure on a per user basis. Is there any change that I have to make to radiusd.conf? Where am I going wrong? Please help.

Regards,
Michael Fuller
port limitation
Yo list, is there an easy, or known way to implement port limits on a group basis? I mean on the radius side as my NASes don't accept the Port-Limit AVP.

Daniel
pam_radius_auth
All,

I'm trying to do the impossible it seems and would appreciate some help. I want to use your pam_radius_auth module to make pppd-2.4.1 auth off of freeradius using MSCHAPv2. I've gotten OpenSSH to work fine with the pam_radius_auth module, so at least the module and the radius server are working (although not complete for pppd, just haven't added some of the CHECK/REPLY items). I have also gotten pppd to use p_r_a when using PAP authentication. Works fine using pppd auth login -chap +pap. As soon as I add `+chap -pap', everything goes to hell, meaning at that point pppd won't even attempt to use PAM. I'll post this on the pppd list as well.

The question: Is it possible to use pam_radius_auth with pppd to do MSCHAPv2 auth against freeradius?

Thanks in advance.

Christopher S. Cosby [EMAIL PROTECTED]
SciCare Software Services
why struct REQUEST 's member var container is void **
Hi, I am studying freeradius 0.5's source. When I check the struct REQUEST's member vars, I find that container is a double pointer. But when I checked the other source code, it treats container as a single pointer, i.e.

    request->container = rad_malloc(sizeof(REQNODE));   (in the rl_add function)

Hawinr Li
Re: Proxy Value 33
*sigh* ok so I ran the latest CVS version, and I did see that there were numerous little fixes, and I liked it. Well I e-mailed the people with the POPs and they did some testing. They STILL claim that attribute 33 is NOT being sent to them. This is what they sent me to prove the problem:

    dballew@radtest02:/export/home/dballew echo [EMAIL PROTECTED], Password=abc, NAS-Port=10, NAS-Identifier=RadTest, Proxy-State=0xab00ef | /etc/radclient/bin/radclient -r 1 -t 5 -d /etc/radclient/etc/raddb 64.218.97.97:1645 01 cosi71sunfl
    radclient: no response from server

The request comes in and is authenticated or denied as it needs to be, but they never get their stuff. Is there something I need to change in a conf file to allow the new CVS to do this?

--E

- Original Message -
From: Chris Parker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 11, 2002 10:49 AM
Subject: Re: Proxy Value 33

> At 10:42 AM 6/11/2002 -0400, Enesha Fairluck wrote:
> > Hey guys:) I have another problem maybe some of you can help me with. I just got off the phone with the people at our reseller...They say that when we send the accept, reject or accounting packets, we are supposed to be sending proxy value 33 back to them. For some reason we aren't doing this, and I don't even know what this thing is. Can someone help us please? :) Heh Freeradius0.5 :) THANKS! :)
>
> Attribute 33 is Proxy-State. FreeRADIUS should return this correctly in the latest CVS versions. There was a problem in previous versions that incorrectly sent Proxy-State attributes back.
>
> -Chris
RE: Proxy Value 33
This is a timed-out authentication...not an issue with attribute 33. If you are seeing the requests but they aren't seeing the responses then you have a network problem...often attributed to a radius proxy having multiple IP addresses. Does your server have more than one IP address? If so, is it correctly configured?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Enesha Fairluck
Sent: Tuesday, June 11, 2002 4:02 PM
To: [EMAIL PROTECTED]
Subject: Re: Proxy Value 33

> *sigh* ok so I ran the latest CVS version, and I did see that there were numerous little fixes, and I liked it. Well I e-mailed the people with the POPs and they did some testing. They STILL claim that attribute 33 is NOT being sent to them. This is what they sent me to prove the problem:
>
>     dballew@radtest02:/export/home/dballew echo [EMAIL PROTECTED], Password=abc, NAS-Port=10, NAS-Identifier=RadTest, Proxy-State=0xab00ef | /etc/radclient/bin/radclient -r 1 -t 5 -d /etc/radclient/etc/raddb 64.218.97.97:1645 01 cosi71sunfl
>     radclient: no response from server
>
> The request comes in and is authenticated or denied as it needs to be, but they never get their stuff. Is there something I need to change in a conf file to allow the new CVS to do this?
>
> --E
> [...]
Re: Authorisation based on LDAP Group membership
On Wed, 12 Jun 2002, Michael Fuller wrote:
> Hi all, I have installed openldap and freeradius on a Red Hat v7.3 box. I want to use ldap for radius authentication and authorisation. I want to control authorisation on a per group basis, and added the radiusprofile object class to a group. The radiusServiceType was then set to Administrative-User. However, members of this group are not able to telnet to any of our cisco routers. The arrangement works fine if I follow the same procedure on a per user basis. Is there any change that I have to make to radiusd.conf? Where am I going wrong? Please help.
> Regards, Michael Fuller

The profiles don't work on a group basis. What you can do is add a profile attribute (the name can be configured through the profile_attribute configuration directive) in the ldap entries of all the users belonging to the administrator group. That attribute will point to the DN of an entry containing the radiusServiceType attribute. In other words:

    dn: uid=admin,ou=people,dc=your,dc=company,dc=com
    cn: Administrator
    radiusprofiledn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
    [...]

    dn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
    cn: Administrator Dialup Profile
    radiusServiceType: Administrative-User

That should work just fine.

--
Kostas Kalevras [EMAIL PROTECTED]
Network Operations Center, National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Compiling/installing freeradius with specific modules
Hi all,

Is it possible to configure freeradius to only compile and install certain specified modules? Or do you have to compile the lot, and then remove the modules you don't use?

cheers, josh.

Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850  email: [EMAIL PROTECTED]
Re: Proxy Value 33
At 04:01 PM 6/11/2002 -0400, Enesha Fairluck wrote:
> *sigh* ok so I ran the latest CVS version, and I did see that there were numerous little fixes, and I liked it. Well I e-mailed the people with the POPs and they did some testing. They STILL claim that attribute 33 is NOT being sent to them. This is what they sent me to prove the problem:
>
>     dballew@radtest02:/export/home/dballew echo [EMAIL PROTECTED], Password=abc, NAS-Port=10, NAS-Identifier=RadTest, Proxy-State=0xab00ef | /etc/radclient/bin/radclient -r 1 -t 5 -d /etc/radclient/etc/raddb 64.218.97.97:1645 01 cosi71sunfl
>     radclient: no response from server

They sent the request to port 1645, is your server listening on that port? What debug info do you see when they send the request?

-Chris
Auth against an NT Domain?
Anyone have freeradius that can authenticate against an NT Domain controller? I've attempted to use pam_radius and then pam_smb but it does not seem to be working. This would be for regular PAP, not ms-chap or anything.

thanks!
William
Re: Problem in group authentication
At 03:22 AM 6/12/2002 -0700, Aqeel Anwar wrote:
> I think the Framed-Protocol operator in the check item should be ==. However I still can't get what the operator with the Group attribute should be. I have also tried the += operator with the Group attribute. Please help to solve this situation.

All check items that you simply want to compare should use '==' as the operator.

-Chris
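The operator fix Chris points at, written out as a corrected users file. This is an added example, not configuration from the thread; it keeps the two group names (disabled, single) from the original question and assumes the NAS sends Framed-Protocol in the Access-Request.

```text
# users file: the first line of an entry holds check items, the indented
# continuation lines hold reply items.  A check item that should be
# compared against the request (or, for Group, against the user's group
# membership) uses ==; := on a check line overwrites a control item such
# as Auth-Type instead of testing anything, which is why both DEFAULT
# entries matched every user.  Processing stops at the first matching
# entry unless Fall-Through = Yes is set.

DEFAULT Group == "disabled", Auth-Type := Reject
        Reply-Message = "Not authorized"

DEFAULT Group == "single", Framed-Protocol == PPP, Auth-Type := System
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
```

With this layout test1 (member of disabled) hits the first entry and is rejected, test2 falls through to the second. If the NAS does not include Framed-Protocol in its request, drop the `Framed-Protocol == PPP` check, otherwise test2 will match neither entry and be rejected by default.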
Re: Odd Problem with invalid passwords
Greetings,

Is this getting to the list? I have not received any answers, nor anyone telling me to RTFM (which I have). Can someone respond letting me know if they received this email? Even if you don't have an answer.

On Fri, 7 Jun 2002 10:34:07 -0400 (Eastern Daylight Time) William Ragsdale [EMAIL PROTECTED] wrote:

> Problem details: I have recently installed freeradius, and while running in -X debug mode everything works great, but when in daemon mode I encounter some problems when a user enters an incorrect password. When in debug mode the radius responds with the proper reject code, but in daemon mode, it never responds so my users are seeing a PPP timeout (error 718 on Windows). When running in debug mode, it sends the reply correctly. If you want or need a copy of the radius.conf or any of the other conf files, please let me know. I will be happy to furnish them. This problem happens on both my test and production servers. Any suggestions or pointers would help. I am fairly new to radius, so please, if this has been asked before, point me there, and I will see what I can figure out.
>
> Production server: BSDi/OS 4.1 (fully patched and up to date)
> FreeRadius 0.5 snapshot 20020531
> Works in debug mode, but not in daemon mode.
> Config options: --prefix=/usr/local/radius --without-snmp --with-mysql-lib=/usr/local/mysql/lib --with-threads=no --enable-ltdl-install=no
> Changes to Make.inc: Added -DHAVE_INET_ATON since the ./configure script doesn't see my bind 8 properly (has to do with BSDi's embedding bind in the kernel)
>
> Test Server: FreeBSD 4.5 STABLE
> FreeRadius 0.5
> Works in debug mode, but not in daemon mode.
> Config Options: --prefix=/usr/local/radius --without-snmp --enable-ltdl-install --with-mysql-lib=/home/azander/wrk/mysql --enable-ltdl-install

--
William Ragsdale, Server Administrator
NetOne Communications, Inc., 2186 US 10, Sears, MI 49679
http://www.netonecom.net
Work: 231-734-2917 (Office Hours 10AM - 7PM)  FAX: 231-734-6395
Re: Compiling/installing freeradius with specific modules
At 03:06 PM 6/12/2002 +0100, Josh Howlett wrote:
> Hi all, Is it possible to configure freeradius to only compile and install certain specified modules? Or do you have to compile the lot, and then remove the modules you don't use?

You can disable them through arguments to 'configure' or you can edit the list of 'stable' modules located in 'src/modules/stable'. (The latter only in the current CVS build, it's not in 0.5.)

-Chris
Re: Auth against an NT Domain?
On Tue, Jun 11, 2002 at 04:18:35PM -0500, William Devine, II wrote:
> Anyone have freeradius that can authenticate against an NT Domain controller? I've attempted to use pam_radius and then pam_smb but it does not seem to be working. This would be for regular PAP, not ms-chap or anything.

Have you tried pam_winbind?

Steve Langasek
postmodern programmer
Re: PortSlave + EAP
Tay Shwu Ying [EMAIL PROTECTED] wrote:
> I would like to enquire if PortSlave supports EAP. Since FreeRadius claims to support EAP messages, I am trying to find a Radius client (eg. NAS) which will actually accept EAP packets from the client side (eg. mobile terminal) and insert the packet into the Radius EAP attribute. Is there any Radius Client out there which is able to do this task?

Not that I know of, sorry.

Alan DeKok.
Using ldap authentication/authorization
I am looking at using freeradius to authenticate and authorize dialup users. All the users are in an LDAP database. There are a few things I need to be able to do and I am wondering if freeradius will support it.

- Authenticate the user by doing a bind to the LDAP server using the user's username and password
- Get the daily time limit amount for the user from LDAP and apply that daily limit
- I have 2 pools of ip addresses with different access on the terminal server. I need to somehow assign users to one of the pools using an LDAP attribute

Is the above doable with freeradius?

Thanks,
Adi
Re: Using ldap authentication/authorization
On Wed, 12 Jun 2002, Adi Linden wrote:
> I am looking at using freeradius to authenticate and authorize dialup users. All the users are in an LDAP database. There are a few things I need to be able to do and I am wondering if freeradius will support it.
> - Authenticate the user by doing a bind to the LDAP server using the user's username and password

Yes

> - Get the daily time limit amount for the user from LDAP and apply that daily limit

Yes

> - I have 2 pools of ip addresses with different access on the terminal server. I need to somehow assign users to one of the pools using an LDAP attribute

Yes. Just create two user profiles and assign each user to one of them. Add a Framed-Pool or Cisco-AVPair := ip:addr-pool=mypoolname in each profile and you are ok.

> Is the above doable with freeradius?
> Thanks, Adi

--
Kostas Kalevras [EMAIL PROTECTED]
Network Operations Center, National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Re: Exec-Program-Wait
Sally Fetouh [EMAIL PROTECTED] wrote:
> Thanks very much for your help! We found out that the environment was being reset somehow by freeradius

That's called security. Are you *sure* that you want shell scripts executed with all of the login environment variables set? The answer is almost always NO. More information given to a shell script means more possibilities for that information to be abused to attack your system. e.g. Sending User-Name with magic shell characters in it, in the hope that dumb scripts will use them as-is.

> and managed to call a wrapper unix shell script (like you suggested) that first sets the environment variables (in exactly the same way as .profile) before calling the program. It all works nicely now!

I would strongly recommend setting only the MINIMUM environment variables in the script. That will make things much safer.

Alan DeKok.
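The two points Alan makes (a minimal environment, and never letting User-Name reach a shell unchecked) as a worked wrapper. This is an added example and not code from the thread or from FreeRADIUS; it assumes the backend takes the user name as its only argument, and the program path, ORACLE_HOME and ORACLE_SID values are hypothetical.

```python
"""Hygiene for a program launched from Exec-Program-Wait (added example).

Assumptions (not from the thread): the backend receives the User-Name as
argv[1]; /usr/local/bin/backend, /opt/oracle and ORCL are placeholders.
"""
import re
import subprocess

# Characters a login name legitimately contains.  Everything else
# (; | & $ ` quotes, newlines) is exactly what an attacker puts into
# User-Name hoping a wrapper will splice it into a shell command line.
SAFE_USER_NAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def user_name_is_safe(name: str) -> bool:
    """True only if the whole name matches the allow-list."""
    return SAFE_USER_NAME.fullmatch(name) is not None


def unsafe_command_line(name: str) -> str:
    """What a naive wrapper would hand to /bin/sh -c: the raw attribute
    glued onto a command string.  Returned, never executed, so the
    injection is visible in the test below."""
    return "/usr/local/bin/backend " + name


def minimal_environment(oracle_home: str, oracle_sid: str) -> dict:
    """Only the variables the backend needs, set explicitly.  Nothing is
    inherited from the daemon or copied from a login .profile."""
    return {
        "PATH": "/usr/bin:/bin",
        "ORACLE_HOME": oracle_home,
        "ORACLE_SID": oracle_sid,
        "LD_LIBRARY_PATH": oracle_home + "/lib",
    }


def run_backend(program: str, name: str, env: dict) -> subprocess.CompletedProcess:
    """Validate, then exec the backend directly with an argv list and the
    explicit environment.  No shell is involved, so even a name that
    slipped past the check is a single argument, not a command."""
    if not user_name_is_safe(name):
        raise ValueError("refusing to run backend: unsafe User-Name %r" % (name,))
    return subprocess.run([program, name], env=env, capture_output=True, text=True)


if __name__ == "__main__":
    env = minimal_environment("/opt/oracle", "ORCL")
    print(run_backend("/usr/bin/printenv", "ORACLE_SID", env).stdout.strip())
```

The `__main__` block runs printenv as the "backend" to show that only the four variables exist in the child. Keep the allow-list strict for your realm format; if names can contain characters outside it, extend the class rather than dropping the check.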
Re: port limitation
Daniel Marquez-Klaka [EMAIL PROTECTED] wrote:
> is there an easy, or known way to implement port limits on a group basis? I mean on the radius side as my NASes don't accept the Port-Limit AVP.

Then buy a real NAS. Only the NAS has ports, so only the NAS can enforce port limits.

Alan DeKok.
Re: pam_radius_auth
Cosby, Christopher [EMAIL PROTECTED] wrote:
> I'm trying to do the impossible it seems and would appreciate some help. I want to use your pam_radius_auth module to make pppd-2.4.1 auth off of freeradius using MSCHAPv2.

Uh... why? Why not just make pppd send radius requests itself?

> I've gotten OpenSSH to work fine with the pam_radius_auth module, so at least the module and the radius server are working (although not complete for pppd, just haven't added some of the CHECK/REPLY items). I have also gotten pppd to use p_r_a when using PAP authentication. Works fine using pppd auth login -chap +pap. As soon as I add `+chap -pap', everything goes to hell, meaning at that point pppd won't even attempt to use PAM. I'll post this on the pppd list as well.

Exactly. PAM is for authenticating usernames/passwords. Adding CHAP or MS-CHAP (which are NOT passwords) to PAM, makes PAM not work.

> The question: Is it possible to use pam_radius_auth with pppd to do MSCHAPv2 auth against freeradius?

Nope. How would pppd give the MSCHAP password to PAM? How would it tell PAM that the password is MSCHAP? How would PAM tell pam_radius_auth that the password is MSCHAP?

Alan DeKok.
Re: port limitation
hmmm, but isn't it possible that radius keeps track of how many sessions are connected for a group or dialed number, and sends back an access-reject if the limit is reached?

Daniel

On Wed, 12 Jun 2002, Alan DeKok wrote:
> Daniel Marquez-Klaka [EMAIL PROTECTED] wrote:
> > is there an easy, or known way to implement port limits on a group basis? I mean on the radius side as my NASes don't accept the Port-Limit AVP.
>
> Then buy a real NAS. Only the NAS has ports, so only the NAS can enforce port limits.
>
> Alan DeKok.
Re: port limitation
Daniel Marquez-Klaka [EMAIL PROTECTED] wrote:
> hmmm, but isn't it possible that radius keeps track of how many sessions are connected for a group or dialed number, and sends back an access-reject if the limit is reached?

That's what Simultaneous-Use does. But it's not perfect. e.g. It relies on getting accounting packets from the NAS. If there's a problem, then the information on the RADIUS server disagrees with what's happening on the NAS. If you have one NAS, setting 'Port-Limit=1' is preferable to Simultaneous-Use.

Alan DeKok.
Re: Proxy Value 33
This is what I see when I have it in debug: Shouldn't I see that Proxy-State in the Access-Request?

    Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 63.150.70.42:55330, id=250, length=151
            User-Name = tbullock
            CHAP-Password = 0x446a180b7671ea72479840aa08f2b9
            NAS-IP-Address = 63.152.0.236
            NAS-Port = 17458
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Cisco-NAS-Port = Async1/11/100*Serial1/1/0:2:18
            Called-Station-Id = 8165850005
            Calling-Station-Id = 8163730470
            Acct-Session-Id = 02036A0D
            NAS-Port-Type = Async
    Login OK: [tbullock] (from client Qwest5 port 17458 cli 8163730470)
    Sending Access-Accept of id 250 to 63.150.70.42:55330
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Session-Timeout = 21600
            Idle-Timeout = 1800
            Ascend-Data-Filter = ip input forward tcp est
            Ascend-Data-Filter = ip input forward 0 dstip 64.218.97.0/24
            Ascend-Data-Filter = ip input drop tcp dstport = 25
            Ascend-Data-Filter = ip input forward 0
    Finished request 3

- Original Message -
From: Chris Parker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 12, 2002 10:20 AM
Subject: Re: Proxy Value 33

> At 04:01 PM 6/11/2002 -0400, Enesha Fairluck wrote:
> > *sigh* ok so I ran the latest CVS version, and I did see that there were numerous little fixes, and I liked it. Well I e-mailed the people with the POPs and they did some testing. They STILL claim that attribute 33 is NOT being sent to them. This is what they sent me to prove the problem:
> >
> >     dballew@radtest02:/export/home/dballew echo [EMAIL PROTECTED], Password=abc, NAS-Port=10, NAS-Identifier=RadTest, Proxy-State=0xab00ef | /etc/radclient/bin/radclient -r 1 -t 5 -d /etc/radclient/etc/raddb 64.218.97.97:1645 01 cosi71sunfl
> >     radclient: no response from server
>
> They sent the request to port 1645, is your server listening on that port? What debug info do you see when they send the request?
>
> -Chris
Re: rlm_mschap troubles
On Tue, Jun 11, 2002 at 03:18:41PM +0400, rust wrote:
> Hello Frank,
> I have working pptpd + freeradius snapshot 2002-05-22. After installing the latest rlm_mschap from 10-06-2002 with your patches I got errors:

I don't have patches for rlm_mschap, so I'm not sure what you're referring to.

>     MS-MPPE-Recv-Key = 0x380881936de4cd3e76660b7d54d553a2
>     MS-MPPE-Send-Key = 0x37955cc86bf8feabd972bb153b37aefc
>     Jun 11 14:54:01 gate pppd[10708]: RADIUS: Incorrect attribute length (16) for MS-MPPE-Recv-Key
>     Jun 11 14:54:01 gate pppd[10708]: RADIUS: bad MS-MPPE-Recv-Key attribute
>     Jun 11 14:54:01 gate pppd[10708]: CHAP peer authentication failed for remote host wizard
>
> After changing back to the old version of rlm_mschap it works again:
>
>     MS-MPPE-Recv-Key = 0xa74b4c4adf4e3ac8eac8296c38bb1ad170b69e3a5b82b0a5305e66b1be25c48c0c1a
>     MS-MPPE-Send-Key = 0xd32e8ec4d0091e4314551367acff49dff81ea5f635f668874102dfe29d35eda37903
>     Jun 11 15:16:41 gate pppd[13114]: MPPE 128-bit stateless compression enabled

Yeah, so clear problem here. There was a change in the way the keys are encoded, I did suspect it might have a problem. Hopefully Kostas can look at this.

/fc
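What the two key lengths in the log mean: the working module emits 34-byte values, the broken one emits the raw 16-byte session key. RFC 2548 section 2.4.2 requires the MS-MPPE-Send-Key and MS-MPPE-Recv-Key values to be a 2-byte salt followed by (length byte || key || zero padding to a 16-byte multiple) encrypted with an MD5 keystream derived from the shared secret and the Request-Authenticator, so a 16-byte key becomes 2 + 32 = 34 bytes, which is exactly the shape of the old module's output and what pppd's length check expects. The code below is an added example implementing that encoding, not the rlm_mschap code from the thread; the shared secret, authenticator and salt in the test are constructed values.

```python
"""RFC 2548 section 2.4.2 encoding of MS-MPPE-*-Key values (added example).

Not FreeRADIUS code.  The secret, Request-Authenticator and salt used by
the caller are inputs; the 16-byte key from the thread is used as sample
plaintext.
"""
import hashlib


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_encrypt_key(secret: bytes, request_authenticator: bytes,
                     key: bytes, salt: bytes) -> bytes:
    """Return the attribute value: salt || C(1) || ... || C(n).

    P = len(key) || key || zero padding to a multiple of 16.
    b(1) = MD5(secret || RA || salt),  c(1) = p(1) XOR b(1)
    b(i) = MD5(secret || c(i-1)),      c(i) = p(i) XOR b(i)
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit of the first byte set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray(salt)
    prev = None
    for i in range(0, len(plain), 16):
        b = _md5(secret, request_authenticator, salt) if prev is None else _md5(secret, prev)
        c = _xor(plain[i:i + 16], b)
        out += c
        prev = c
    return bytes(out)


def mppe_decrypt_key(secret: bytes, request_authenticator: bytes, value: bytes) -> bytes:
    """Inverse of mppe_encrypt_key, as the NAS (pppd) performs it."""
    if not looks_like_encrypted_mppe_key(value):
        raise ValueError("not an RFC 2548 encrypted key value")
    salt, body = value[:2], value[2:]
    plain = bytearray()
    prev = None
    for i in range(0, len(body), 16):
        c = body[i:i + 16]
        b = _md5(secret, request_authenticator, salt) if prev is None else _md5(secret, prev)
        plain += _xor(c, b)
        prev = c
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("length byte exceeds decrypted data (wrong secret?)")
    return bytes(plain[1:1 + n])


def looks_like_encrypted_mppe_key(value: bytes) -> bool:
    """The cheap structural check a client can do before decrypting: a
    2-byte salt with its high bit set plus whole 16-byte blocks.  The raw
    16-byte key from the thread fails this; the 34-byte value passes."""
    return len(value) >= 18 and (len(value) - 2) % 16 == 0 and bool(value[0] & 0x80)
```

Note that the keystream is bound to the Request-Authenticator of the specific Access-Request, so a value captured from one exchange cannot be replayed into another, and a wrong shared secret decrypts to garbage rather than to an error you can distinguish from a corrupt attribute.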
Re: Proxy Value 33
Enesha Fairluck [EMAIL PROTECTED] wrote:
> This is what I see when I have it in debug: Shouldn't I see that Proxy-State in the Access-Request?

If the NAS sends one, yes. If the NAS doesn't send one, no. The issue from your earlier emails seemed to be that the *reply* didn't have a Proxy-State. That's a different issue.

Alan DeKok.
Re: Freeradius-Users digest, Vol 1 #795 - 17 msgs
On Tue, 11 Jun 2002 12:18:04 +0200, [EMAIL PROTECTED] wrote:
> > When set to clear text password in admin.conf the user_admin.php3 file can check the password correctly! But I could never get this to work when using crypt on the general_encryption_method line... It always says NO It is wrong, even when the password is correct...
>
> What OS are you using? The crypt function can get very tricky some times.

Plain redhat 6.2...

> > Another thing worth of mention: when the line above is set to clear, it still sets the password value on the Crypt-Password record in the radcheck table, which stops radius from authenticating the user... It tries to find a crypted password, but what it finds is a cleartext one... Of course when I changed this, I changed the password in the radcheck table so the user is always authenticating correctly...
>
> There is an sql_password_attribute configuration directive in conf/admin.conf. You could just change that.

Ok, it works ok, thanks!... But the trouble when you test a crypted password from user_admin.php3 keeps on...

The opinions expressed in this e-mail are strictly personal. My opinion does not necessarily represent the opinion of my Moto Group or of the company where I work.

Mene Sakkhet ur-seveh
Alexandre Ganso - Director, Steel Goose Moto Group
September 6, 7 and 8 - Steel Goose 10th anniversary - Ouro Branco - MG
Red 500 Four
[EMAIL PROTECTED] ICQ# 3778773
Re: Proxy Value 33
Yeah, they were telling me that they were sending and just not receiving... I'm gonna hit them back with my debugging information and see what happens. Thanks :)

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 12, 2002 11:34 AM
Subject: Re: Proxy Value 33

> Enesha Fairluck [EMAIL PROTECTED] wrote:
>> This is what I see when I have it in debug:
>> Shouldn't I see that Proxy-State in the Access-Request?
>
> If the NAS sends one, yes. If the NAS doesn't send one, no.
>
> The issue from your earlier emails seemed to be that the *reply* didn't have a Proxy-State. That's a different issue.
>
> Alan DeKok.
test radius without terminal server
How can I test the radius server without a terminal server? I would like to build, configure and test the radius server first. Once I can successfully authenticate I'd like to proceed to configure and test clients (Cisco terminal server and Linux terminal server) to work with the server.

Adi
Re: port limitation
Hi again,

but isn't Simultaneous-Use only taking care about same usernames? What I want is to limit the usable ports per customer.

To explain a bit better: I'm using mysql as backend for freeradius. There is, of course, the usergroup table:

    1 user-1 group-1
    2 user-2 group-1
    3 user-3 group-1
    4 user-4 group-2
    5 user-5 group-2
    ...

What I wanna achieve is to limit the usable ports per group, i.e. group-1 can use up to 10 ports, group-2 up to 1000. Or did I get something wrong?

Daniel

On Wed, 12 Jun 2002, Alan DeKok wrote:
> Daniel Marquez-Klaka [EMAIL PROTECTED] wrote:
>> hmmm, but isn't it possible that radius keeps track about how many sessions are connected for a group or dialed number, and send back an access-reject if the limit is reached?
>
> That's what Simultaneous-Use does. But it's not perfect. e.g. It relies on getting accounting packets from the NAS. If there's a problem, then the information on the RADIUS server disagrees with what's happening on the NAS.
>
> If you have one NAS, setting 'Port-Limit=1' is preferable to Simultaneous-Use.
>
> Alan DeKok.
Virus found
The message from [EMAIL PROTECTED] to [EMAIL PROTECTED] was infected. For this reason, the message was not delivered to the destination. If you are the sender of the message, please disinfect your computer then send it again. If you are the destination of the message, ask the sender to retransmit the message, without the virus.

Message headers:
Re: Exec-Program-Wait
Alan DeKok wrote:
>> It will inherit the environment of its parent process - if it's started as a typical Unix daemon, then that isn't a lot (I don't know whether it scrubs the environment it passes on to sub-processes, either).
>
> It scrubs the environment variables.

Thanks - I shouldn't have been lazy and actually looked at the code.

--
Regards,
Daryl Tester, Software Wrangler and Bit Herder, IOCANE Pty. Ltd.

So Lord I see you grinnin', must be grand always winning,
How proud are you being able, to gather faith from fable?
-- God Am, Alice In Chains (R.I.P. Layne Staley).
Re: Using ldap authentication/authorization
>> - Authenticate user by doing a bind to the LDAP server using the user's username and password
> Yes

Ok, got that going.

>> - Get the daily timelimit amount for the user from LDAP and apply that daily limit
> Yes

I am assuming this is done with rlm_count. How can I retrieve the timelimit from ldap and use it in radius?

>> - I have 2 pools of ip addresses with different access on the terminal server. I need to somehow assign users to one of the pools using an LDAP attribute
> Yes. Just create two user profiles and assign each user to one of them. Add a Framed-Pool or Cisco-AVPair := ip:addr-pool=mypoolname in each profile and you are ok.

How do I retrieve the pool information from ldap? Can I keep the poolname in an attribute such as knetRadiusPool? Where do I define the pool and associated ip addresses?

Thanks,
Adi
Re: Odd Problem with invalid passwords
It's in the radiusd.conf file:

    # On systems with shadow passwords, you might have to set 'group = shadow'
    # for the server to be able to read the shadow password file. If you can
    # authenticate users while in debug mode, but not in normal use, it may be
    # because the debugged server is running as a user that can read the shadow
    # info, and the user listed below can not.
    user = nobody
    group = shadow

On Wednesday 12 June 2002 7:24, William Ragsdale wrote:
> Greetings,
> Is this getting to the list? I have not received any answers, nor anyone telling me to RTFM (which I have). Can someone respond letting me know if they received this email? Even if you don't have an answer.
>
> On Fri, 7 Jun 2002 10:34:07 -0400 (Eastern Daylight Time) William Ragsdale [EMAIL PROTECTED] wrote:
>> Problem details: I have recently installed freeradius, and while running in -X debug mode everything works great, but when in daemon mode I encounter some problems when a user enters an incorrect password. When in debug mode the radius responds with the proper reject code, but in daemon mode, it never responds so my users are seeing a PPP timeout. (error 718 on Windows) When running in Debug mode, it sends the reply correctly. If you want or need a copy of the radius.conf or any of the other conf files, please let me know. I will be happy to furnish them.
>>
>> This problem happens on both my test, and production servers. Any suggestions, or pointers would help. I am fairly new to radius, so please, if this has been asked before, point me there, and I will see what I can figure out.
>>
>> Production server: BSDi/OS 4.1 (fully patched and up to date), FreeRadius 0.5 snapshot 20020531. Works in debug mode, but not in daemon mode.
>> Config options: --prefix=/usr/local/radius --without-snmp --with-mysql-lib=/usr/local/mysql/lib --with-threads=no --enable-ltdl-install=no
>> Changes to Make.inc: Added -DHAVE_INET_ATON since the ./configure script doesn't see my bind 8 properly (has to do with BSDi's embedding bind in the kernel)
>>
>> Test Server: FreeBSD 4.5 STABLE, FreeRadius 0.5. Works in debug mode, but not in daemon mode.
>> Config Options: --prefix=/usr/local/radius --without-snmp --enable-ltdl-install -with-mysql-lib=/home/azander/wrk/mysql --enable-ltdl-install

--
Lee Wolf
EMR Data Services
[EMAIL PROTECTED]
623-764-0870 cell
623-581-0842 voice
623-582-9499 fax
http://www.emr.net
Re[2]: Odd Problem with invalid passwords
On Wed, 12 Jun 2002 13:49:37 -0700 Lee W [EMAIL PROTECTED] wrote:

    # user/group: The name (or #number) of the user/group to run radiusd as.
    # user = root
    group = wheel

They seem to have access to the shadow files. (and should!)

> Its in the radiusd.conf file
>
>     # On systems with shadow passwords, you might have to set 'group = shadow'
>     # for the server to be able to read the shadow password file. If you can
>     # authenticate users while in debug mode, but not in normal use, it may be
>     # because the debugged server is running as a user that can read the shadow
>     # info, and the user listed below can not.
>     user = nobody
>     group = shadow
>
> On Fri, 7 Jun 2002 10:34:07 -0400 (Eastern Daylight Time) William Ragsdale [EMAIL PROTECTED] wrote:
>> Problem details: I have recently installed freeradius, and while running in -X debug mode everything works great, but when in daemon mode I encounter some problems when a user enters an incorrect password. When in debug mode the radius responds with the proper reject code, but in daemon mode, it never responds so my users are seeing a PPP timeout. (error 718 on Windows) When running in Debug mode, it sends the reply correctly. If you want or need a copy of the radius.conf or any of the other conf files, please let me know. I will be happy to furnish them.
>>
>> This problem happens on both my test, and production servers. Any suggestions, or pointers would help. I am fairly new to radius, so please, if this has been asked before, point me there, and I will see what I can figure out.

--
William Ragsdale                 http://www.netonecom.net
Server Administrator             Office Hours
NetOne Communications, Inc.      Work: 231-734-2917   10AM - 7PM
2186 US 10                       FAX: 231-734-6395
Sears, MI 49679
Re: Using ldap authentication/authorization
On Wed, 12 Jun 2002, Adi Linden wrote:
>>> - Authenticate user by doing a bind to the LDAP server using the user's username and password
>> Yes
>
> Ok, got that going.
>
>>> - Get the daily timelimit amount for the user from LDAP and apply that daily limit
>> Yes
>
> I am assuming this is done with rlm_count. How can I retrieve the timelimit from ldap and use it in radius?

    counter {
        filename = ${raddbdir}/db.counter
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }

Add an attribute like radiusMaxDailySession in your ldap schema (and in the radiusprofile objectclass). Also add it in ldap.attrmap like:

    checkItem Max-Daily-Session radiusMaxDailySession

Then you can just set it to whatever value you wish for each user.

>>> - I have 2 pools of ip addresses with different access on the terminal server. I need to somehow assign users to one of the pools using an LDAP attribute
>> Yes. Just create two user profiles and assign each user to one of them. Add a Framed-Pool or Cisco-AVPair := ip:addr-pool=mypoolname in each profile and you are ok.
>
> How do I retrieve the pool information from ldap? Can I keep the poolname in an attribute such as knetRadiusPool? Where do I define the pool and associated ip addresses?

You could either use the radiusReplyItem like this:

    radiusReplyitem: Cisco-AVPair := ip:addr-pool=mypoolname

or create your own attribute which you should add to the radiusprofile objectclass and ldap.attrmap. You define the pool inside your nas.

> Thanks,
> Adi

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Re: Using ldap authentication/authorization
> Add an attribute like radiusMaxDailySession in your ldap schema (and in the radiusprofile objectclass). Also add it in ldap.attrmap like:
>
>     checkItem Max-Daily-Session radiusMaxDailySession
>
> Then you can just set it to whatever value you wish for each user.

Great, this is exactly what I'd like to happen.

>> How do I retrieve the pool information from ldap? Can I keep the poolname in an attribute such as knetRadiusPool? Where do I define the pool and associated ip addresses?
>
> You could either use the radiusReplyItem like this:
>
>     radiusReplyitem: Cisco-AVPair := ip:addr-pool=mypoolname
>
> or create your own attribute which you should add to the radiusprofile objectclass and ldap.attrmap. You define the pool inside your nas.

Can I define an attribute to contain the profile a user belongs to and then refer to this attribute value in the users file? doc/rlm_ldap has a section:

    USER PROFILE ATTRIBUTE:
    The module can use the User-Profile attribute. If it is set, it will assume
    that it contains the DN of a profile entry containing radius attributes.
    This entry will _replace_ the default profile directive. That way we can
    use different profiles based on checks on the radius attributes contained
    in the Access-Request packets. For example (users file):
    DEFAULT Service-Type == Outbound-User, User-Profile := uid=outbound-dialup,dc=company,dc=com

I assume that the User-Profile refers to the following line in radiusd.conf:

    # profile_attribute = radiusProfileDn

Will this work if the DN doesn't exist on the ldap server, or can I use any string instead of a valid DN and have this in ldap:

    radiusProfileDn: knetonly

and in users:

    DEFAULT Service-Type == Framed-User, User-Profile == knetonly

Thank you for answering my questions. This has been tremendously helpful in getting things going!

Thanks,
Adi
Re: Using ldap authentication/authorization
On Wed, 12 Jun 2002, Adi Linden wrote:
>> Add an attribute like radiusMaxDailySession in your ldap schema (and in the radiusprofile objectclass). Also add it in ldap.attrmap like:
>>
>>     checkItem Max-Daily-Session radiusMaxDailySession
>>
>> Then you can just set it to whatever value you wish for each user.
>
> Great, this is exactly what I'd like to happen.
>
>>> How do I retrieve the pool information from ldap? Can I keep the poolname in an attribute such as knetRadiusPool? Where do I define the pool and associated ip addresses?
>>
>> You could either use the radiusReplyItem like this:
>>
>>     radiusReplyitem: Cisco-AVPair := ip:addr-pool=mypoolname
>>
>> or create your own attribute which you should add to the radiusprofile objectclass and ldap.attrmap. You define the pool inside your nas.
>
> Can I define an attribute to contain the profile a user belongs to and then refer to this attribute value in the users file? doc/rlm_ldap has a section:
>
>     USER PROFILE ATTRIBUTE:
>     The module can use the User-Profile attribute. If it is set, it will assume
>     that it contains the DN of a profile entry containing radius attributes.
>     This entry will _replace_ the default profile directive. That way we can
>     use different profiles based on checks on the radius attributes contained
>     in the Access-Request packets. For example (users file):
>     DEFAULT Service-Type == Outbound-User, User-Profile := uid=outbound-dialup,dc=company,dc=com
>
> I assume that the User-Profile refers to the following line in radiusd.conf:
>
>     # profile_attribute = radiusProfileDn
>
> Will this work if the DN doesn't exist on the ldap server, or can I use any string instead of a valid DN and have this in ldap:
>
>     radiusProfileDn: knetonly
>
> and in users:
>
>     DEFAULT Service-Type == Framed-User, User-Profile == knetonly

No you can't. Both have to point to valid DNs in your tree. The profile_attribute is an attribute contained in the user entry pointing to the profile to be applied for the user, while User-Profile contains the profile to be applied in special cases instead of the default profile (I use it to implement Large Scale Dialout where I don't need the default reply items contained in the default profile).

> Thank you for answering my questions. This has been tremendously helpful in getting things going!
>
> Thanks,
> Adi

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Re: Using ldap authentication/authorization
> No you can't. Both have to point to valid DNs in your tree. The profile_attribute is an attribute contained in the user entry pointing to the profile to be applied for the user, while User-Profile contains the profile to be applied in special cases instead of the default profile (I use it to implement Large Scale Dialout where I don't need the default reply items contained in the default profile).

So the profiles are entirely in LDAP then. I wanted to stay away from extending the LDAP schema on the LDAP server if possible and do as much as possible in the freeradius configuration.

From another message on the list I see that it is not possible to group users by having an attribute such as this either:

    knetRadiusGroup: knetonly

In radiusd.conf the LDAP attribute would have to associate with the group somehow and then in users:

    DEFAULT Group == knetonly

Are there any solutions I haven't thought of yet?

Thanks,
Adi
Re: Re[2]: Odd Problem with invalid passwords
I'm sorry, I thought you were having Auth probs out of debug mode :-)

On Wednesday 12 June 2002 1:55, William Ragsdale wrote:
> On Wed, 12 Jun 2002 13:49:37 -0700 Lee W [EMAIL PROTECTED] wrote:
>
>     # user/group: The name (or #number) of the user/group to run radiusd as.
>     # user = root
>     group = wheel
>
> They seem to have access to the shadow files. (and should!)
>
>> Its in the radiusd.conf file
>>
>>     # On systems with shadow passwords, you might have to set 'group = shadow'
>>     # for the server to be able to read the shadow password file. If you can
>>     # authenticate users while in debug mode, but not in normal use, it may be
>>     # because the debugged server is running as a user that can read the shadow
>>     # info, and the user listed below can not.
>>     user = nobody
>>     group = shadow
>>
>> On Fri, 7 Jun 2002 10:34:07 -0400 (Eastern Daylight Time) William Ragsdale [EMAIL PROTECTED] wrote:
>>> Problem details: I have recently installed freeradius, and while running in -X debug mode everything works great, but when in daemon mode I encounter some problems when a user enters an incorrect password. When in debug mode the radius responds with the proper reject code, but in daemon mode, it never responds so my users are seeing a PPP timeout. (error 718 on Windows) When running in Debug mode, it sends the reply correctly. If you want or need a copy of the radius.conf or any of the other conf files, please let me know. I will be happy to furnish them.
>>>
>>> This problem happens on both my test, and production servers. Any suggestions, or pointers would help. I am fairly new to radius, so please, if this has been asked before, point me there, and I will see what I can figure out.

--
Lee Wolf
EMR Data Services
[EMAIL PROTECTED]
623-764-0870 cell
623-581-0842 voice
623-582-9499 fax
http://www.emr.net
EAP/MD5 with Redhat Linux FreeRADIUS
Hello all,

Has someone ever tried EAP/MD5 working with Red Hat Linux 7.2 and FreeRADIUS? Please help ...

Many thanks ...
Shwu Ying
Re: test radius without terminal server
download ntradping http://www.mastersoft-group.com/download/

-Ali

----- Original Message -----
From: Adi Linden [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 12, 2002 9:11 PM
Subject: test radius without terminal server

> How can I test the radius server without a terminal server? I would like to build, configure and test the radius server first. Once I can successfully authenticate I'd like to proceed to configure and test clients (Cisco terminal server and Linux terminal server) to work with the server.
>
> Adi
Re: Authorisation based on LDAP Group membership
Hi all,

Thanks to Kostas Kalevras for the clarification. Will my requirement work on an OU basis? I can add the attributes to the administrators on a per user basis, as there will be only two or three of them.

My dial up users are a different story. I have around 500 users in my database.
- About 50 of them will not have any restrictions on connect - A profile without any session limit restrictions
- About 300 of them will be allowed to connect only for a limited time per day - A profile with restrictions on session limit.
- The rest of the users will not have any dial up - A profile that does not permit dial up access.

I do not think it is practically possible to assign these rights on a per user basis. How do I assign these three profiles to these three types of users? Please help

Thanks and regards,
Michael Fuller

----- Original Message -----
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 12, 2002 7:22 PM
Subject: Re: Authorisation based on LDAP Group membership

> On Wed, 12 Jun 2002, Michael Fuller wrote:
>> Hi all,
>> I have installed openldap and freeradius on a Red Hat v7.3 box. I want to use ldap for radius authentication and authorisation. I want to control authorisation on a per group basis, and added the radiusprofile object class to a group. The radiusServiceType was then set to Administrative-User. However, members of this group are not able to telnet to any of our cisco routers. The arrangement works fine if I follow the same procedure on a per user basis. Is there any change that I have to make to radiusd.conf? Where am I going wrong? Please help.
>>
>> Regards,
>> Michael Fuller
>
> The profiles don't work on a group basis. What you can do is to add a profile_attribute (the name can be configured through the profile_attribute configuration directive) in the ldap entries of all the users belonging in the administrator group. That attribute will point to the DN of an entry containing the radiusServiceType attribute. In other words:
>
>     dn: uid=admin,ou=people,dc=your,dc=company,dc=com
>     cn: Administrator
>     radiusprofiledn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
>     [...]
>
>     dn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
>     cn: Administrator Dialup Profile
>     radiusServiceType: Administrative-User
>
> That should work just fine.
>
> --
> Kostas Kalevras         Network Operations Center
> [EMAIL PROTECTED]       National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
Re: pam_radius_auth
Hello Christopher,

Tuesday, June 11, 2002, 11:37:17 PM, you wrote:

Use pppd 2.4.2 from ftp://pserver.samba.org/pub/unpacked/ppp/
Compile it, put in options:

    plugin radius.so

It works fine for me. Thanks Frank Cusack for radius patches.

--
Best regards,
rust mailto:[EMAIL PROTECTED]