Re: CHAP-Password Authentication

2002-10-04 Thread steve

Re: CHAP Authentication

I recently posted a request for help re: CHAP Authentication - thanks to
everyone for your replies.  Here is my new dilemma:

We need to authenticate using the unix shadow/system. Per everyone's
suggestion, we're attempting to authenticate using PAP. We've removed all
other authentication schemes from the radiusd.conf file... this is what we
have left:

# Authentication.
authenticate {
        authtype PAP {
                pap
        }
}

When we receive an incoming request from the terminal server, this is what
we get in the debug log:


Thread 1 handling request 0, (1 handled so far)
User-Name = "magnus"
CHAP-Password = 0x01a030df1ec26de22aa48fb6095472d67d
NAS-Port-Type = Async
Calling-Station-Id = "755270XXX"
Called-Station-Id = "0198308066"
X-Ascend-Data-Rate = 31200
X-Ascend-Xmit-Rate = 50667
NAS-IP-Address = 144.130.4.5
Acct-Session-Id = "589[]388708091"
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds


The user's workstation is a Windows 98 system.

What am I doing wrong here?  If there is anyone out there who wants to make
a few dollars helping me sort this out, I'm prepared to set aside my ego for
my sanity!!! :)

Thanks in advance.

Steve



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



rlm_sql: All sockets are being used! Assertion failed in radiusd.c,line 2463 ...

2002-10-04 Thread Do-Risika RAFIEFERANTSIARONJY


Hi everybody,

I have had freeradius crash many times after a libc6 upgrade on the
server (debian).

Should I actually increase the num_sql_sockets value? Or is it another
problem?

Or should I upgrade freeradius because I have a somewhat old version (0.5
snapshot 20020514)?

I had these in radius.log :

Fri Oct 4 08:11:57 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:11:57 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:11:58 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:11:59 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:12:00 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:12:00 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:12:00 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:12:00 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:12:00 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:12:00 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:12:01 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:12:01 2002 : Error: Assertion failed in radiusd.c, line 2463
Fri Oct 4 08:12:01 2002 : Error: MASTER: exit on signal (6)
Fri Oct 4 08:12:01 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:13:56 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:13:57 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:13:59 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:13:59 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:13:59 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:14:00 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:14:00 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:14:01 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:14:02 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:14:02 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:14:03 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:14:04 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
Fri Oct 4 08:14:05 2002 : Error: Assertion failed in radiusd.c, line 2463
Fri Oct 4 08:14:05 2002 : Error: MASTER: exit on signal (6)

Thanks in advance,

@+
-- 
DouRiX  \\\|///
  ___   \\ - - //     ___  __
|  _ oOOo_@ @_oOOo|  _ \(_) \/ /
| | | |/ _(_) | | | |_| ) |\  /
| |_| | (_) | |_| |  _ <| |/  \
|/ \___/ \_O| \_\_/_/\_\
f u cn rd ths u r usng unx
   O ) /
   (   )(_/
\ (
 \_)
  ["As empty vessels make the loudest sound, so they that have the least
wit are the greatest blabbers." -- Plato]





Re[2]: CHAP-Password Authentication

2002-10-04 Thread 3APA3A

Dear steve,

You have to set up the NAS and client to request PAP authentication.

--Friday, October 4, 2002, 12:51:57 PM, you wrote to [EMAIL PROTECTED]:

s> Re: CHAP Authentication

s> I recently posted a request for help re: CHAP Authentication - thanks to
s> everyone for your replies.  Here is my new dilemma:

s> We need to authenticate using the unix shadow/system. Per everyone's
s> suggestion, we're attempting to authenticate using PAP. We've removed all
s> other authentication schemes from the radiusd.conf file... this is what we
s> have left:

s> # Authentication.
s> authenticate {
s>         authtype PAP {
s>                 pap
s>         }
s> }

s> When we receive an incoming request from the terminal server, this is what
s> we get in the debug log:

s> 
s> Thread 1 handling request 0, (1 handled so far)
s> User-Name = "magnus"
s> CHAP-Password = 0x01a030df1ec26de22aa48fb6095472d67d
s> NAS-Port-Type = Async
s> Calling-Station-Id = "755270XXX"
s> Called-Station-Id = "0198308066"
s> X-Ascend-Data-Rate = 31200
s> X-Ascend-Xmit-Rate = 50667
s> NAS-IP-Address = 144.130.4.5
s> Acct-Session-Id = "589[]388708091"
s> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
s> auth: Failed to validate the user.
s> Delaying request 0 for 1 seconds
s> 

s> The user's workstation is a Windows 98 system.

s> What am I doing wrong here?  If there is anyone out there who wants to make
s> a few dollars helping me sort this out, I'm prepared to set aside my ego for
s> my sanity!!! :)

s> Thanks in advance.

s> Steve





-- 
~/ZARAZA
There was an error in the calculations. (Lem)





Re: rlm_sql: All sockets are being used! Assertion failed in radiusd.c, line 2463 ...

2002-10-04 Thread Kostas Kalevras

On Fri, 4 Oct 2002, Do-Risika RAFIEFERANTSIARONJY wrote:

>
> Hi everybody,
>
> I have had freeradius crash many times after a libc6 upgrade on the
> server (debian).
>
> Should I actually increase the num_sql_sockets value? Or is it another
> problem?
>
> Or should I upgrade freeradius because I have a somewhat old version (0.5
> snapshot 20020514)?

You should really upgrade to the latest snapshot.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: CHAP-Password Authentication

2002-10-04 Thread Kostas Kalevras

On Fri, 4 Oct 2002, steve wrote:

> Re: CHAP Authentication
>
> I recently posted a request for help re: CHAP Authentication - thanks to
> everyone for your replies.  Here is my new dilemma:
>
> We need to authenticate using the unix shadow/system. Per everyone's
> suggestion, we're attempting to authenticate using PAP. We've removed all
> other authentication schemes from the radiusd.conf file... this is what we
> have left:
>
>   # Authentication.
>   authenticate {
>           authtype PAP {
>                   pap
>           }
>   }
>
> When we receive an incoming request from the terminal server, this is what
> we get in the debug log:
>
>   
> Thread 1 handling request 0, (1 handled so far)
> User-Name = "magnus"
> CHAP-Password = 0x01a030df1ec26de22aa48fb6095472d67d
> NAS-Port-Type = Async
> Calling-Station-Id = "755270XXX"
> Called-Station-Id = "0198308066"
> X-Ascend-Data-Rate = 31200
> X-Ascend-Xmit-Rate = 50667
> NAS-IP-Address = 144.130.4.5
> Acct-Session-Id = "589[]388708091"
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

You should set the Auth-Type to PAP somewhere (like in the users file).
For example:

authorize {
        files
        [...]
}

users:

DEFAULT Auth-Type := "PAP"

> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
>   
>
> The user's workstation is a Windows 98 system.
>
> What am I doing wrong here?  If there is anyone out there who wants to make
> a few dollars helping me sort this out, I'm prepared to set aside my ego for
> my sanity!!! :)
>
> Thanks in advance.
>
> Steve
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





RE: question about EAP dynamic keys generation

2002-10-04 Thread Lars Viklund


> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 

> On 2 Oct 2002, Lars Viklund wrote:
> > send the supplicant an EAPOL-Key message with an empty Key field, 
> > which means use the specified number of bits from the 
> MS-MPPE-Send-Key 
> > as the key-mapping key.
> >
> 
> cool, i didn't know the second possibility existed. where can 
> i see that? in the 1X standard?

Yes, it is specified in the 802.1X standard (section 7.6.7) as well as in the Congdon
Internet-Draft (section 4).




Re[2]: CHAP-Password Authentication

2002-10-04 Thread 3APA3A

Dear Kostas Kalevras,


--Friday, October 4, 2002, 1:20:06 PM, you wrote to [EMAIL PROTECTED]:


KK> You should set the Auth-Type to PAP somewhere (like in the users file).
KK> For example:

KK> authorize{
KK> files
KK> [...]
KK> }

This will have no effect, because it's the NAS that requests CHAP. Either the NAS
or the client computer should be configured to always use PAP. For Windows
98 it can be achieved by unchecking the "Use encrypted password" checkbox on
the Server tab in the Dial-up Connection's properties.

-- 
~/ZARAZA
Trouble will start at eight. (Twain)

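Neither reply spells out why everyone steers Steve toward PAP, so here is the arithmetic. The following is an added illustration in Python, not code from the thread or from FreeRADIUS. It builds and checks a CHAP-Password the way RFC 2865 defines it (one ident octet followed by MD5(ident || password || challenge), the challenge being CHAP-Challenge or, when absent, the Request Authenticator), parses the 17-octet value from Steve's debug output to show its shape, and contrasts a credential store that holds the cleartext password with one that holds only a one-way hash, as a Unix shadow file does. The user "magnus" is taken from the log; the password, challenge, and the salted PBKDF2 stand-in for crypt(3) are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- CHAP (RFC 1994, carried in RADIUS per RFC 2865 section 5.3) -----------

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client-side CHAP response: MD5(ident || cleartext password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def parse_chap_password(attr: bytes) -> Tuple[int, bytes]:
    """Split a CHAP-Password attribute value into (ident, 16-octet response)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 1 ident octet + 16 response octets")
    return attr[0], attr[1:]


def verify_chap(attr: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server-side check. It needs the user's cleartext password: there is no
    way to recompute MD5(ident || password || challenge) from a hash of it."""
    ident, response = parse_chap_password(attr)
    return hmac.compare_digest(chap_response(ident, cleartext, challenge), response)

# --- PAP against a one-way stored hash --------------------------------------
# Stand-in for a shadow entry: salted PBKDF2 instead of crypt(3), so the
# example runs without the `crypt` module that newer Pythons no longer ship.

def make_shadow_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(8)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def verify_pap(cleartext: bytes, shadow_hash: str) -> bool:
    salt_hex, dk_hex = shadow_hash.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", cleartext, bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

# --- What a server can decide, given what it stores ------------------------

def decide(request: dict, store: dict) -> str:
    """Return "Accept" or a "Reject: ..." reason for one Access-Request.
    `store` maps User-Name -> {"cleartext": bytes} or {"hash": str}."""
    user = store.get(request.get("User-Name"))
    if user is None:
        return "Reject: unknown user"
    if "CHAP-Password" in request:
        if "cleartext" not in user:
            return "Reject: CHAP needs the cleartext password, only a hash is stored"
        challenge = request.get("CHAP-Challenge", request["Request-Authenticator"])
        ok = verify_chap(request["CHAP-Password"], challenge, user["cleartext"])
    elif "User-Password" in request:
        pw = request["User-Password"]
        ok = verify_pap(pw, user["hash"]) if "hash" in user \
            else hmac.compare_digest(pw, user["cleartext"])
    else:
        return "Reject: no CHAP-Password or User-Password attribute"
    return "Accept" if ok else "Reject: bad password"

# Constructed sample data (not from the thread): one user, two kinds of store.
PASSWORD = b"correct horse"
CHALLENGE = os.urandom(16)                        # Request Authenticator stand-in
STORE_CLEARTEXT = {"magnus": {"cleartext": PASSWORD}}
STORE_SHADOW = {"magnus": {"hash": make_shadow_hash(PASSWORD)}}


def chap_request(password: bytes = PASSWORD, ident: int = 1) -> dict:
    """What the NAS sends when the dial-up client negotiated CHAP."""
    return {"User-Name": "magnus",
            "CHAP-Password": bytes([ident]) + chap_response(ident, password, CHALLENGE),
            "Request-Authenticator": CHALLENGE}


def pap_request(password: bytes = PASSWORD) -> dict:
    """What the NAS sends after PAP (User-Password shown already unobfuscated)."""
    return {"User-Name": "magnus", "User-Password": password}


if __name__ == "__main__":
    # The CHAP-Password value from Steve's debug output: ident 1 + 16 octets.
    print(parse_chap_password(bytes.fromhex("01a030df1ec26de22aa48fb6095472d67d")))
    print(decide(chap_request(), STORE_CLEARTEXT))       # Accept
    print(decide(chap_request(), STORE_SHADOW))          # Reject: CHAP needs ...
    print(decide(pap_request(), STORE_SHADOW))           # Accept
    print(decide(pap_request(b"wrong"), STORE_SHADOW))   # Reject: bad password
```

The second `decide` call is Steve's situation: the packet carries CHAP-Password, the server has only shadow hashes, and no module configuration can bridge that gap. The only fixes are the ones the thread gives, either making the NAS or the Windows 98 client negotiate PAP, or keeping cleartext (or NT-hash) credentials somewhere the server can read them.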




Re: [nycwireless] configure Cisco AP340 for Radius

2002-10-04 Thread Jacques Caron

Hi,

If you have DHCP enabled on the LAN, then the AP340 will get its address 
that way. If the Linksys box has such an option, you can probably look at 
the IP addresses it handed out, or at its ARP table. Otherwise you can just 
try pinging all IPs in the DHCP range until you find the AP :-)

If you have a Windows machine with a cisco card it will give you the AP's 
address too.

And the last option is to connect to the serial port to find the IP address 
(you can also do everything you can do with the web interface using the 
serial port interface. It's a bit weird, but it works).

Also, don't forget to upgrade your AP340 to the latest code, and follow the 
procedures on CCO precisely for that to avoid losing the installation key!

And of course, I suppose your Linux box is connected to the wired side of 
the AP, not the wireless one!

Hope that helps,

Jacques.

At 03:53 04/10/2002, augustine tsai wrote:
>Hi,
>
>Does anyone know how to configure the Cisco Aironet 340 (AP340) through
>the web browser? There is a serial port at the back of the AP340.  I would
>like to modify the Authenticator Configuration.  I am setting up a
>supplicant on XP and FreeRadius on the Linux box.
>
>Here is my setup.
>
>| dsl modem | <---> | linksys dsl router | <---> | AP340 | <---> | linux radius |
>
>I hooked up the AP340 to a Linksys 4 port DSL router. The Linksys hooks up to
>the DSL Modem.  The Linksys DSL router has a DHCP server.  I can access the
>Linksys DSL router at 192.168.1.1.  Is there any default IP address for the
>AP340?
>
>Thanks for the help.
>
>Augustine
>
>--
>NYCwireless - http://www.nycwireless.net/
>Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
>Archives: http://lists.nycwireless.net/pipermail/nycwireless/


-- Jacques Caron, IP Sector Technologies
Join the discussion on public WLAN open global roaming:
http://lists.ipsector.com/listinfo/openroaming





xlat.c issue...

2002-10-04 Thread Franklin Trumpy

I have been running the CVS snapshot dated 20020814 on FreeBSD
4.6-STABLE. I built and installed the CVS snapshot dated 20021002 tonight
and noticed an unusual behavior in xlat.c that I had not observed before.

I have my detail { } module configured:

detailfile = ${radacctdir}/%{Realm:-accounting}/detail

... the intended behavior being as described in doc/variables.txt, "If
there is a Realm AV pair in the accounting packet, log the accounting
information to /var/log/radius/radacct/realmvalue/detail. Otherwise, log
the accounting information to /var/log/radius/radacct/accounting/detail."

The snapshot dated 20021002 handles accounting requests with a Realm AV
pair just fine and the detailfile is expanded correctly. However, when no
Realm AV pair is present, radius_xlat tacks on a '}' to the end of the
literal string 'accounting':

modcall: entering group accounting
radius_xlat:  '/var/log/radius/radacct/accounting}/detail'
rlm_detail: /var/log/radius/radacct/%{Realm:-accounting}/detail expands 
to /var/log/radius/radacct/accounting}/detail

I can confirm this behavior at least as far back as snapshots dated
20020901. I also went looking through CVS logs and found that
revision 1.47 of xlat.c dated 20020814 19:02:37 specifically deals with
the handling of braces. I'm not qualified to evaluate code, but it seems
that that commit, or one of the other several commits to xlat.c in
the following couple of weeks dealing with handling of braces might have
something to do with the altered functionality.

Any ideas? Thanks.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc | Say not, "I have found the truth,"
Sr. UNIX Systems Administrator  | but rather, "I have found a truth."
Lighthouse Communications   | 
[EMAIL PROTECTED] | Say not, "I have found the path of the soul."
(515)244-1115   | Say rather, "I have met the soul walking
(888)953-3278   |   upon my path."
http://www.lh.net   |
| -Kahlil Gibran, _The Prophet_, 1923
|
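The symptom Franklin reports, a stray '}' after the default value, is what a scanner produces when it consumes the closing brace on the attribute-present path but not on the default path. As an added illustration in Python (not FreeRADIUS's xlat.c, and not an attempt to reproduce the actual bug), here is the %{Attr:-default} expansion written so the brace is consumed on both branches, applied to the detailfile template from the post. The sample accounting packets are constructed, ${radacctdir} is taken to be /var/log/radius/radacct as in doc/variables.txt, and the confinement check at the end is a caveat added here: whatever fills Realm derives from the User-Name the NAS forwarded, so it is worth refusing an expansion that leaves radacctdir before using it as a path.

```python
import os
from typing import Dict, Optional


def radius_xlat(template: str, request: Dict[str, str]) -> str:
    """Expand %{Attr} and %{Attr:-default} in a template.

    An explicit scanner rather than a regex so the brace handling is visible:
    the closing '}' is skipped whether the attribute was present in the
    request or the default had to be used."""
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            close = template.find("}", i)
            if close == -1:
                raise ValueError("unterminated %{ in template: " + template)
            attr, sep, default = template[i + 2:close].partition(":-")
            value = request.get(attr)
            if value is None:
                value = default if sep else ""     # no attribute, no default -> ""
            out.append(value)
            i = close + 1                          # consume the '}' on every path
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


RADACCTDIR = "/var/log/radius/radacct"             # assumed value of ${radacctdir}


def detail_path(request: Dict[str, str], radacctdir: str = RADACCTDIR) -> str:
    """The detailfile template from the post, expanded for one accounting packet."""
    return radius_xlat(radacctdir + "/%{Realm:-accounting}/detail", request)


def safe_detail_path(request: Dict[str, str], radacctdir: str = RADACCTDIR) -> Optional[str]:
    """Expand, then refuse any result that resolves outside radacctdir."""
    root = os.path.normpath(radacctdir)
    path = os.path.normpath(detail_path(request, radacctdir))
    if os.path.commonpath([root, path]) != root:
        return None
    return path


# Constructed sample packets (only the attributes that matter here).
WITH_REALM = {"User-Name": "magnus@example.org", "Realm": "example.org",
              "Acct-Status-Type": "Start"}
WITHOUT_REALM = {"User-Name": "magnus", "Acct-Status-Type": "Start"}
HOSTILE_REALM = {"User-Name": "x", "Realm": "../../../etc"}

if __name__ == "__main__":
    print(detail_path(WITH_REALM))           # /var/log/radius/radacct/example.org/detail
    print(detail_path(WITHOUT_REALM))        # /var/log/radius/radacct/accounting/detail
    print(safe_detail_path(HOSTILE_REALM))   # None
```

Run against the two packets, the expansion with a Realm and the one falling back to "accounting" both come out without the trailing brace, which is the behaviour doc/variables.txt describes; the third packet shows why the expanded string should be checked before it is opened as a file.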





chap and NT domain authentication

2002-10-04 Thread Doove, Rene

Hello,


I have successfully configured freeradius to use NT-domain authentication through the use of the smb pam module. However this only seems to work if I use PAP on the client. This means the password is sent in cleartext. I would like to see this password encrypted with (MS)-CHAP. Does anyone have experience with this; is it possible?

If not; we are planning to go to Active Directory soon. Is it possible to use AD with LDAP and then authenticate with ldap and then use chap? 

Greeting,
Rene Doove


TOREX-HISCOM
Rene Doove
System Engineer
Schipholweg 97
2316 XA LEIDEN
Postbus 901
2300 AX LEIDEN
t: 071-5256682
f: 071-5219856
E-mail: [EMAIL PROTECTED]   


 


Disclaimer:


* * * * * * * * * * * * * * * * * * * * * * * * * * * * *


This message is confidential. It may also be privileged or protected by other legal rules. It does not constitute an offer or acceptance of an offer, nor shall it form any part of a legally binding contract. If you have received this communication in error, please let us know by reply then destroy it. You should not use, print, copy the message or disclose its contents to anyone. E-mail is subject to possible data corruption, is not secure, and its content does not necessarily represent the opinion of this Company. No representation or warranty is made as to the accuracy or completeness of the information and no liability can be accepted for any loss arising from its use. This e-mail and any attachments are not guaranteed to be free from so-called computer viruses and it is recommended that you check for such viruses before down-loading it to your computer equipment. This Company has no control over other websites to which there may be hypertext links and no liability can be accepted in relation to those sites.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * 





Re: EAP + proxying

2002-10-04 Thread BUTTI Laurent FTRD/DTL/ISS

Very late ;), but I confirm that with freeradius-snapshot-20021003 the following works:

* EAP-TLS proxying between an Orinoco AP2000 and a Microsoft IAS server.


Laurent.


Raghu wrote:

> > Laurent Butti wrote:
> >
> > Hello,
> >
> > Does FreeRadius support (or will support) proxying for EAP
> > authentication methods (MD5/TLS), with a kind of user@realm in EAP
> > Response Identity which should be used in order to delegate
> > authentication to a 3rd party AAA ?
> >
> EAP Proxying is supported if the
> 1. User-Name attribute is present in the Access-Request.
> 2. User-Name attribute is not present then
>    if eap is present as in the authorize block
>    as one of the first modules.
>    ie
>    authorize {
>            eap
>            ... all other modules.
>    }
>    What this does is User-Name attribute is created
>    from EAP-Identity response, if it is not present.
>    The other modules should take care of proxying.
>
> -Raghu


--
Laurent BUTTI
& france telecom / FTR&D / DTL / SSR
Research Engineer - Internet/Intranet Security
38-40 Rue du Général LECLERC
92794 Issy les Moulineaux Cedex 9 - FRANCE
Tel : ( + 33 ) 1 45 29 68 99
Fax : ( + 33 ) 1 45 29 65 19
Email : [EMAIL PROTECTED]





Re: chap and NT domain authentication

2002-10-04 Thread 3APA3A

Dear Doove, Rene,

For a while it's impossible to use encrypted authentication (CHAP,
MS-CHAP) against a domain. It's also impossible (to my knowledge) to
authenticate via Active Directory's LDAP, because it doesn't allow
requesting the user's password hash directly via LDAP.

Solutions are to migrate (or synchronize) users' accounts to another
source (file, database, etc.) with something like pwdump2 or to use
FreeRADIUS as a proxy to Microsoft IAS.

It's possible to create some daemon process to be launched on the domain
controller (based on pwdump2 technology) and to authorize via the network
against this process. In this case it will be possible to use MS-CHAP
v1/2. I did some work in this direction but I have no time to complete
it. If someone wants to try to complete it I can pass on all I have.

--Friday, October 4, 2002, 5:39:00 PM, you wrote to [EMAIL PROTECTED]:

DR> Hello,

DR> I have successfully configured freeradius to use NT-domain authentication
DR> through the use of the smb pam module. However this only seems to work if I use
DR> PAP on the client. This means the password is sent in cleartext. I would like to
DR> see this password encrypted with (MS)-CHAP. Does anyone have experience with
DR> this; is it possible?

DR> If not; we are planning to go to Active Directory soon. Is it possible to
DR> use AD with LDAP and then authenticate with ldap and then use chap? 

DR> Greeting,
DR> Rene Doove



-- 
~/ZARAZA
You know my name - look up my number (Beatles)





PAM Or Ldap Authentication

2002-10-04 Thread Brendon Colby

Greetings,

We have a LDAP server with which we want to do authentication. I also
want to use PAM to authenticate (if LDAP user doesn't exist check PAM).
Here is what I have in radius.conf:

authorize {
  files
  ldap {
    notfound = return
  }
}

authenticate {
  pam
  ldap
}

in the users file:

DEFAULT Auth-Type := Pam
  Fall-Through = Yes

DEFAULT Auth-Type := ldap
  Fall-Through = Yes


I try logging in as a user that does not exist in LDAP (PAM auth).
The authorize section returns not found, of course, and the authenticate
section doesn't even try pam. The debug shows that it tries LDAP and
then fails on the login, sending back an Access-Reject.

I want it to try ldap first, then try PAM if the LDAP returns a user not
found. Is this possible?

Thanks.

-- 
Brendon Colby
Systems Administrator
Midcontinent Communications




Re: chap and NT domain authentication

2002-10-04 Thread Steve Langasek

On Fri, Oct 04, 2002 at 05:52:04PM +0400, 3APA3A wrote:
> For a while it's impossible to use encrypted authentication (CHAP,
> MS-CHAP) against a domain. It's also impossible (to my knowledge) to
> authenticate via Active Directory's LDAP, because it doesn't allow
> requesting the user's password hash directly via LDAP.

> Solutions are to migrate (or synchronize) users' accounts to another
> source (file, database, etc.) with something like pwdump2 or to use
> FreeRADIUS as a proxy to Microsoft IAS.

> It's possible to create some daemon process to be launched on the domain
> controller (based on pwdump2 technology) and to authorize via the network
> against this process. In this case it will be possible to use MS-CHAP
> v1/2. I did some work in this direction but I have no time to complete
> it. If someone wants to try to complete it I can pass on all I have.

The domain controller HAS a daemon process that's suitable for
authenticating against: the domain controller itself.

The correct way to implement domain-based MS-CHAP authentication is to
teach a freeradius module to speak RPC-over-SMB.  There is a project
underway, ntlm_auth, to provide an authentication helper for Unix
services that need to authenticate against a domain.  Anyone interested
in helping make this happen should probably coordinate with the squid
folks, and with Andrew Bartlett <[EMAIL PROTECTED]>.

Steve Langasek
postmodern programmer





Clean fuel supply -- technology transfer -- project cooperation

2002-10-04 Thread 机会！

  Lower your costs
 
  Small investment, but it can be scaled up

   Our organization is an enterprise specializing in clean fuel research and development. Our series of technologies includes "Methanol Fuel",
"Methanol Gasoline", "Methanol Diesel", "Methanol Heavy Oil" and burners.
Lowest cost, most reasonable price, simplest operation, most convenient use, fastest updates, best service.

=
1. "Methanol Fuel"

   A production line with a designed annual capacity of 30,000 tons has been built in Zhengzhou. Production cost is 1700 yuan
per ton. Using clean fuel is more economical (70% of the cost of diesel; 58% of kerosene;
50% of LPG; 55% of natural gas).

2. "Methanol Gasoline"

Emissions of the three wastes reduced by 20~30%, power increased by 10%.
The raw materials are oilfield by-products and low-grade gasoline.

3. "Methanol Diesel"

Fuel savings up to 30%, thorough combustion, no pollution.

4. "Methanol Heavy Oil"

Savings up to 30%, complete combustion, no coking, no corrosion, high calorific value.

5. The "Cleaner Production Promotion Law of the People's Republic of China" takes effect on January 1, 2003.

Cooperation welcome

Zhengzhou Huanfa Applied Technology Research Institute

Guo Tai

Email  [EMAIL PROTECTED]
   [EMAIL PROTECTED]





Re: mySQL with Groups

2002-10-04 Thread Nick Davis

To disable a group do this:

#select * from radgroupcheck;
+----+-----------+-----------+--------+----+
| id | GroupName | Attribute | Value  | op |
+----+-----------+-----------+--------+----+
| 21 | reject    | Auth-Type | Reject | := |
+----+-----------+-----------+--------+----+

then all users within the group "reject" will not be able to connect. You do 
not need an entry in radgroupreply for this group, but you can.. it doesn't 
matter.

At least this works for me.

You can change the GroupName from "reject" to whatever you want.. I just use 
this for simplicity's sake.

Nick


On Thursday 03 October 2002 10:36, William Ragsdale wrote:
> Greetings,
>   I have set up freeradius 0.7.1 using mySQL authentication.  Everything
> works, except that users who have a group aren't being rejected based on
> group.
>
>   I have a group called nonprof that is restricted to 8am to 5pm
> (Any0800-1700).  Those in the group that are allowed to login (using the
> authorize_check_query/authorize_reply_query) should then be checked against
> the Radius_Grp table to see if they are in a group and if so, the values
> from Radius_Grp_Reply should work, but they seem to be ignored.  I set up a
> disabled group, with Auth-Type := reject and it ignores that group when I
> try to get them to log in (ie it lets them in!).
>
>   Below are excerpts from my trace on the test server.  If you need more
> information, let me know, I will be happy to provide it.
>
>
>
> From trace:
>
>  sql: sql_user_name = "%{Stripped-User-Name:-%{User-Name}}"
>  sql: authorize_check_query = "SELECT RID, username, attribute, password,
> op FROM Radius LEFT JOIN Billing ON Radius.RID = Billing.BID LEFT JOIN
> Invoices_Include ON Radius.IID = Invoices_Include.ID LEFT JOIN Services ON
> Services.ID = Invoices_Include.service_ID LEFT JOIN Status on Status.ID =
> Invoices_Include.status_ID WHERE username = '%{SQL-User-Name}' AND
> Status.active = 1 AND Services.dialup= 1 ORDER BY RID" sql:
> authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM
> Radius_Reply WHERE UserName = '%{SQL-User-Name}' ORDER BY id" sql:
> authorize_group_check_query = "SELECT
> Radius_Grp_Check.ID,Radius_Grp_Check.groupname,Radius_Grp_Check.attribute,R
>adius_Grp_Check.value,Radius_Grp_Check.op  FROM Radius_Grp_Check,Radius_Grp
> WHERE Radius_Grp.username = '%{SQL-User-Name}' AND Radius_Grp.groupname =
> Radius_Grp_Check.groupName ORDER BY Radius_Grp_Check.ID" sql:
> authorize_group_reply_query = "SELECT
> Radius_Grp_Reply.ID,Radius_Grp_Reply.groupname,Radius_Grp_Reply.attribute,R
>adius_Grp_Reply.value,Radius_Grp_Reply.op  FROM Radius_Grp_Reply,Radius_Grp
> WHERE Radius_Grp.username = '%{SQL-User-Name}' AND Radius_Grp.groupname =
> Radius_Grp_Reply.GroupName ORDER BY Radius_Grp_Reply.ID" sql:
> authenticate_query = "SELECT password,attribute FROM Radius LEFT JOIN
> Billing on Radius.RID = Billing.BID LEFT JOIN Status on Billing.status_ID =
> Status.ID LEFT JOIN Invoices_Include ON Radius.IID = Invoices_Include.ID
> LEFT JOIN Services ON Services.ID = Invoices_Include.service_ID WHERE
> (username = '%{User-Name}' AND Status.active = 1 AND Services.dialup = 1)
> AND ( attribute = 'User-Password' OR attribute = 'Password' OR attribute =
> 'Crypt-Password' ) ORDER BY attribute DESC"
>
> ...
>
> sql_set_user:  escaped user --> 'eaglevillage'
> radius_xlat:  'SELECT RID, username, attribute, password, op FROM Radius
> LEFT JOIN Billing ON Radius.RID = Billing.BID LEFT JOIN Invoices_Include ON
> Radius.IID = Invoices_Include.ID LEFT JOIN Services ON Services.ID =
> Invoices_Include.service_ID LEFT JOIN Status on Status.ID =
> Invoices_Include.status_ID WHERE username = 'eaglevillage' AND
> Status.active = 1 AND Services.dialup= 1 ORDER BY RID' rlm_sql: Reserving
> sql socket id: 4
> radius_xlat:  'SELECT
> Radius_Grp_Check.ID,Radius_Grp_Check.groupname,Radius_Grp_Check.attribute,R
>adius_Grp_Check.value,Radius_Grp_Check.op  FROM Radius_Grp_Check,Radius_Grp
> WHERE Radius_Grp.username = 'eaglevillage' AND Radius_Grp.groupname =
> Radius_Grp_Check.groupName ORDER BY Radius_Grp_Check.ID' radius_xlat: 
> 'SELECT id,UserName,Attribute,Value,op FROM Radius_Reply WHERE UserName =
> 'eaglevillage' ORDER BY id' radius_xlat:  'SELECT
> Radius_Grp_Reply.ID,Radius_Grp_Reply.groupname,Radius_Grp_Reply.attribute,R
>adius_Grp_Reply.value,Radius_Grp_Reply.op  FROM Radius_Grp_Reply,Radius_Grp
> WHERE Radius_Grp.username = 'eaglevillage' AND Radius_Grp.groupname =
> Radius_Grp_Reply.GroupName ORDER BY Radius_Grp_Reply.ID' radius_xlat: 
> 'SELECT password,attribute FROM Radius LEFT JOIN Billing on Radius.RID =
> Billing.BID LEFT JOIN Status on Billing.status_ID = Status.ID LEFT JOIN
> Invoices_Include ON Radius.IID = Invoices_Include.ID LEFT JOIN Services ON
> Services.ID = Invoices_Include.service_ID WHERE (username = 'eaglevillage'
> AND Status.active = 1 AND Services.dialup = 1) AND ( attribute =
> 'User-Password' OR attribute = 'Password' OR attribute = 'Crypt-Password' )
> ORDER BY attribute DESC' rlm

Re[2]: mySQL with Groups

2002-10-04 Thread William Ragsdale

On Fri, 4 Oct 2002 13:32:00 -0500 Nick Davis <[EMAIL PROTECTED]> wrote:

> To disable a group do this:
> 
> #select * from radgroupcheck;
> +----+-----------+-----------+--------+----+
> | id | GroupName | Attribute | Value  | op |
> +----+-----------+-----------+--------+----+
> | 21 | reject    | Auth-Type | Reject | := |
> +----+-----------+-----------+--------+----+
> 
> then all users within the group "reject" will not be able to connect.
> You do not need an entry in radgroupreply for this group, but you can.. it
> doesn't matter.
> 
> At least this works for me.
> 
> You can change the GroupName from "reject" to whatever you want.. I just
> use this for simplicity's sake.
> 
> Nick
> 
> 

Greetings,
  I have this, and it still ignores the group.  I'm not sure why, and have
no idea why it isn't working.  

  The only thing I forgot in my original posting is that I have Auth-Type =
System in my users file. Could that be causing the problem?



--

·William Ragsdale   ·http://www.netonecom.net
·Server Administrator ·Office Hours ·NetOne Communications, Inc.
·Work: 231-734-2917 10AM - 7PM  ·2186 US 10
·FAX:  231-734-6395 ·Sears, MI  49679





Re: Re[2]: mySQL with Groups

2002-10-04 Thread Nick Davis

If your radius.conf has "files" listed before "sql" in the "authorize" 
section, then your entries in mysql are irrelevant. So yes it's possible. 

However, if you have both sql and files in the authorize section.. the one 
that overrides will depend on which ":=", "=" equals symbol you are using.. 
read "man 5 users" for more info on that!

Nick

On Friday 04 October 2002 13:40, William Ragsdale wrote:
> On Fri, 4 Oct 2002 13:32:00 -0500 Nick Davis <[EMAIL PROTECTED]> wrote:
> > To disable a group do this:
> >
> > #select * from radgroupcheck;
> > +----+-----------+-----------+--------+----+
> > | id | GroupName | Attribute | Value  | op |
> > +----+-----------+-----------+--------+----+
> > | 21 | reject    | Auth-Type | Reject | := |
> > +----+-----------+-----------+--------+----+
> >
> > then all users within the group "reject" will not be able to connect.
> > You do not need an entry in radgroupreply for this group, but you can.. it
> > doesn't matter.
> >
> > At least this works for me.
> >
> > You can change the GroupName from "reject" to whatever you want.. I just
> > use this for simplicity's sake.
> >
> > Nick
>
> Greetings,
>   I have this, and it still ignores the group.  I'm not sure why, and have
> no idea why it isn't working.
>
>   The only thing I forgot in my original posting is that I have Auth-Type =
> System in my users file. Could that be causing the problem?

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Re: PAM Or Ldap Authentication

2002-10-04 Thread Kostas Kalevras

On Fri, 4 Oct 2002, Brendon Colby wrote:

> Greetings,
>
> We have a LDAP server with which we want to do authentication. I also
> want to use PAM to authenticate (if LDAP user doesn't exist check PAM).
> Here is what I have in radius.conf:
>
> authorize {
>   files
>   ldap {
>     notfound = return
>   }
> }
>
> authenticate {
>   pam
>   ldap
> }
>
> in the users file:
>
> DEFAULT Auth-Type := Pam
>   Fall-Through = Yes
>
> DEFAULT Auth-Type := ldap
>   Fall-Through = Yes
>
>
> I try logging in as a user that does not exist in LDAP (PAM auth).
> The authorize section returns not found, of course, and the authenticate
> section doesn't even try pam. The debug shows that it tries LDAP and
> then fails on the login, sending back an Access-Reject.

You always set Auth-Type to ldap in your users file. I would suggest something
like this (I haven't tested it though):

authenticate {
        pam
        ldap
}

authorize {
        ldap
        files
}

users file:

DEFAULT Auth-Type = Pam

That way if ldap finds the user it will set the Auth-Type to ldap by default
(the module handles that). If it returns notfound then the users file will set
Auth-Type to Pam.

doc/configurable_failover is very helpful on this.

>
> I want it to try ldap first, then try PAM if the LDAP returns a user not
> found. Is this possible?
>
> Thanks.
>
> --
> Brendon Colby
> Systems Administrator
> Midcontinent Communications
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
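Kostas's fix, and Nick's remark in the mySQL thread that which entry wins depends on whether it uses ":=" or "=", both come down to the users(5) operator rule: ":=" sets an attribute and replaces whatever is there, "=" adds it only when nothing has set it yet, and Fall-Through = Yes lets a later users-file entry apply on top of an earlier one. The following is an added simulation in Python, not FreeRADIUS code: it walks an authorize { } section module by module, applying check items with those two operators, and reports the Auth-Type that the authenticate section would dispatch on for each configuration in the thread. It assumes (as Kostas's explanation implies) that rlm_ldap sets Auth-Type only when nothing set it earlier, and the directory contents, user names and the radgroupcheck row are constructed for the example; the "notfound = return" stop in Brendon's config is not modelled because ldap is already last in that order.

```python
from typing import Dict, List, Optional, Sequence, Tuple

Item = Tuple[str, str, str]                 # (attribute, operator, value)
GroupRow = Tuple[str, str, str, str]        # (GroupName, Attribute, op, Value)


def apply_item(pairs: Dict[str, str], attr: str, op: str, value: str) -> None:
    """users(5) semantics for the two assignment operators."""
    if op == ":=":
        pairs[attr] = value                 # always set, replacing any value
    elif op == "=":
        pairs.setdefault(attr, value)       # add only if not present yet
    else:
        raise ValueError("unsupported operator %r" % op)


def parse_items(text: str) -> List[Item]:
    """'Attr op value, Attr op value' -> [(attr, op, value), ...]."""
    items = []
    for part in text.split(","):
        part = part.strip()
        if part:
            attr, op, value = part.split(None, 2)
            items.append((attr, op, value.strip('"')))
    return items


def parse_users(text: str) -> List[dict]:
    """Minimal users-file reader: an unindented line opens an entry and holds
    its check items; indented lines that follow hold its reply items."""
    entries: List[dict] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            entries[-1]["reply"].extend(parse_items(raw))
        else:
            name, _, rest = raw.strip().partition(" ")
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries


def files_module(user: str, pairs: Dict[str, str], entries: List[dict]) -> None:
    """rlm_files: apply each matching entry, continuing only on Fall-Through = Yes."""
    for entry in entries:
        if entry["name"] not in ("DEFAULT", user):
            continue
        for attr, op, value in entry["check"]:
            apply_item(pairs, attr, op, value)
        if not any(a == "Fall-Through" and v.lower() == "yes"
                   for a, _, v in entry["reply"]):
            break


def ldap_module(user: str, pairs: Dict[str, str], directory: Dict[str, str]) -> str:
    """rlm_ldap in authorize: 'notfound' when the user is absent; otherwise
    set Auth-Type to ldap (assumed: only if nothing set it earlier)."""
    if user not in directory:
        return "notfound"
    apply_item(pairs, "Auth-Type", "=", "ldap")
    return "ok"


def sql_group_module(user: str, pairs: Dict[str, str],
                     rows: Sequence[GroupRow], members: Dict[str, List[str]]) -> None:
    """rlm_sql group check items: apply radgroupcheck rows of the user's groups."""
    for group in members.get(user, []):
        for group_name, attr, op, value in rows:
            if group_name == group:
                apply_item(pairs, attr, op, value)


def authorize(user: str, order: List[str], users_text: str, directory: Dict[str, str],
              rows: Sequence[GroupRow] = (), members: Optional[Dict[str, List[str]]] = None
              ) -> Optional[str]:
    """Run the modules of an authorize { } section in order; return the Auth-Type
    the authenticate section would dispatch on (None if nothing set it)."""
    pairs: Dict[str, str] = {}
    entries = parse_users(users_text)
    for module in order:
        if module == "files":
            files_module(user, pairs, entries)
        elif module == "ldap":
            ldap_module(user, pairs, directory)
        elif module == "sql":
            sql_group_module(user, pairs, rows, members or {})
    return pairs.get("Auth-Type")


# Constructed data: one directory user, the users files from the thread,
# and a radgroupcheck row like the one in Nick's table.
DIRECTORY = {"bob": "present in LDAP"}
USERS_BRENDON = "DEFAULT Auth-Type := Pam\n\tFall-Through = Yes\n\n" \
                "DEFAULT Auth-Type := ldap\n\tFall-Through = Yes\n"
USERS_KOSTAS = "DEFAULT Auth-Type = Pam\n"
USERS_WILLIAM = "DEFAULT Auth-Type = System\n"
REJECT_ROW = [("reject", "Auth-Type", ":=", "Reject")]
MEMBERS = {"carol": ["reject"]}

if __name__ == "__main__":
    print(authorize("alice", ["files", "ldap"], USERS_BRENDON, DIRECTORY))  # ldap
    print(authorize("alice", ["ldap", "files"], USERS_KOSTAS, DIRECTORY))   # Pam
    print(authorize("bob", ["ldap", "files"], USERS_KOSTAS, DIRECTORY))     # ldap
    print(authorize("carol", ["files", "sql"], USERS_WILLIAM, DIRECTORY,
                    REJECT_ROW, MEMBERS))                                   # Reject
```

In Brendon's file the second DEFAULT entry is reached through Fall-Through and its ":=" overwrites the Pam value for every user, found in LDAP or not, which is exactly what the debug output showed. With Kostas's order and a "=" default, ldap claims the users it knows and the users file only fills in Auth-Type for the rest; the last call shows a group row with ":=" replacing a "=" default from the users file, the precedence Nick is pointing at.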





Re: Radius Dies

2002-10-04 Thread Kostas Kalevras

On Mon, 30 Sep 2002, Costas Christonis wrote:

> Hi to all,
>
> We have freeradius 0.6 installed on a Solaris machine.
> The problem that we have is that sometimes radius dies with the
> following messages :
>
> "Assertion failed in radiusd.c, line 1233"
> "exit on signal (6)"
>
> Please give any advice
>
> Thanks
>
> Costas A. Christonis
> Networking & Communications Centre
> Gallos Campus - University of Crete
> tel: +30-8310-77044
> email: [EMAIL PROTECTED]
> http://www.ucnet.uoc.gr/

I would suggest using the latest cvs snapshot.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

