RE: New EAP/TLS + MPPE WinXP HOWTO

2002-10-30 Thread Antonios Lazaridis
> somebody on the list said to me that eap/md5 has been removed only for
> wireless interfaces... i've never verified that - wasn't it you???

No, not me...

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: New EAP/TLS + MPPE WinXP HOWTO

2002-10-30 Thread Artur Hecker


Antonios Lazaridis wrote:
> 
> Hello.
> 
> > XP without SP1 works perfectly. In SP1 there is no EAP/MD5 for wireless
> > anymore... I should update my EAP/MD5 document.
> 
> You mean that Microsoft removed EAP support for wireless completely?
> You now need extra software to have 802.1x with windows XP and SP1?
> 
> If so, any idea why this happened?

no, they only removed eap/md5 as an auth possibility for wireless
interfaces. at least in my xp since sp1 there is some other thing at the
place of eap/md5. this other thing is probably better since it features
mutual auth and key negotiation etc., but still it is some MS-CHAPv2
version over EAP so in fact proprietary.

somebody on the list said to me that eap/md5 has been removed only for
wireless interfaces... i've never verified that - wasn't it you???


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info




RE: New EAP/TLS + MPPE WinXP HOWTO

2002-10-30 Thread McKay, Raymond
No, they only removed EAP/MD5 support, or at least hid it really well.
Support for EAP/TLS and support for PEAP are included now in SP1.

Raymond McKay
IT Manager / Network Administrator
Funnybone Interactive
Vivendi Universal Games


-Original Message-
From: Antonios Lazaridis [mailto:alaz@;ywt.tdk.co.jp] 
Sent: Wednesday, October 30, 2002 7:56 PM
To: [EMAIL PROTECTED]
Subject: RE: New EAP/TLS + MPPE WinXP HOWTO

Hello.

> XP without SP1 works perfectly. In SP1 there is no EAP/MD5 for wireless 
> anymore... I should update my EAP/MD5 document.

You mean that Microsoft removed EAP support for wireless completely?
You now need extra software to have 802.1x with windows XP and SP1?

If so, any idea why this happened?

antonis.





RE: New EAP/TLS + MPPE WinXP HOWTO

2002-10-30 Thread Antonios Lazaridis
Hello.

> XP without SP1 works perfectly. In SP1 there is no EAP/MD5 for wireless 
> anymore... I should update my EAP/MD5 document.

You mean that Microsoft removed EAP support for wireless completely?
You now need extra software to have 802.1x with windows XP and SP1?

If so, any idea why this happened?

antonis.




Re: New EAP/TLS + MPPE WinXP HOWTO

2002-10-30 Thread Artur Hecker

Hi Raymond


> I have updated the MPPE info so that it clarifies the MPPE keying extension
> within rlm_eap.  For now I am going to leave the info on the CVS snapshot as
> the keying ability is not within the release version.  If someone could give
> me a heads up when it exists in the release version, I will update my doc.

great, thank you (i should perhaps clarify that it's your final
decision, i only give my private opinion :-) in particular, since the
thing with the snapshot is true, it should be probably mentioned, i just
don't want you to get sick with all the updates :-))


> >XP without SP1 works perfectly. In SP1 there is no EAP/MD5 for wireless
> >anymore... I should update my EAP/MD5 document.
> 
> I have this working also. I came across an article a short while ago about a
> memory leak in the original implementation.  It was partially the reason why
> it was updated in the service pack.  When I find a reference to that
> article, I will include it.

i didn't know that, yes it would be nice to have the reference.

 
> If anyone wants to write up some config info on other access points, I will
> be happy to include it in the doc.

the AP340/350 setup and debug are covered by the EAP/TLS pdf by Ken
Rosner. its url is http://www.freeradius.org/doc/EAPTLS.pdf


> Artur, I have added the info about the certificates in basic terms.  More
> info on the random files included.  I have been under the impression that
> the DH file is just another file of random characters.  Is this not the case
> and, if not, please share a method for generating one.

i actually thought that those files contain the DH groups needed for
reasonable calculations for the DH exchanges. those files are in the
openssl package directory, i think in the apps subdirectory... but i'm
not sure about this.


ciao
artur

-- 
Artur Hecker
artur[at]hecker.info




AIX and PAM authentication

2002-10-30 Thread Ricardo Gadea
Hi all, 

Does anyone know if AIX supports PAM authentication? And the PAM to RADIUS
authentication module?

Thanks!

Ricardo





Unsubscribe

2002-10-30 Thread Torry Crass
Unsubscribe






Re: compiling with Kerberos fails

2002-10-30 Thread Steve Langasek
On Wed, Oct 30, 2002 at 08:27:09AM -0500, Brian Johnson wrote:
> So I decided to see if I had more love with the nightly snapshot
> (thanks for fixing that in time for the snapshot, Steve!).  Did a
> configure on it and it looked good, so I tried a make.  The bad news
> is, I didn't get through the make.  The good news is, it didn't break
> with the rlm_krb5 stuff.

> PS Steve, if you're interested in seeing the error I ran into building the
> nightly snapshot, I'll be happy to share it with the list.

If it's not specific to the rlm_krb5 module, I don't know that I'd
necessarily be the one to address it, but I believe that bug reports are
welcomed in general.

Steve Langasek
postmodern programmer





Re: New EAP/TLS + MPPE WinXP HOWTO

2002-10-30 Thread McKay, Raymond
Thank you for your update Artur.  I have made a few updates based on your
recommendations

> it's not an MPPE module, it's the ability to add correctly formatted 
> MPPE-* attributes to the Access Accept within the rlm_eap_tls module. 
> Otherwise the people will begin to look for rlm_mppe and that's not a 
> good advice... Perhaps you shouldn't talk about the CVS snapshot since 
> otherwise you will have to revise your document soon. Try to filter out 
> any requirements and versions in your chapter 4, in that way you (we) 
> could maintain the document actuality.

I have updated the MPPE info so that it clarifies the MPPE keying extension
within rlm_eap.  For now I am going to leave the info on the CVS snapshot as
the keying ability is not within the release version.  If someone could give
me a heads up when it exists in the release version, I will update my doc.

>actually, for EAP/TLS AND FreeRadius (and XP) to work you only need ONE 
>(the currently beta) version of OpenSSL, you don't need both. you 
>*should* have both if you don't want to trust the beta versions when 
>using security, but it's a bit out of the scope. You could say that the 
>two versions could be installed in parallel... the issues of the current 
>snapshot are not necessary to mention, it will change in a week, it 
>makes too much work.

Updated

>XP without SP1 works perfectly. In SP1 there is no EAP/MD5 for wireless 
>anymore... I should update my EAP/MD5 document.

I have this working also. I came across an article a short while ago about a
memory leak in the original implementation.  It was partially the reason why
it was updated in the service pack.  When I find a reference to that
article, I will include it.

>make a reference to Chapter 7 when talking about freeradius.

Done


>didn't read in details (no orinoco here, and since your radius runs it 
>should be correct).
>
>you could mention that any number of CA certificates can be just 
>concatenated in the root.pem file and how the random file can be 
>produced and where to find the dh* files, that usually provides troubles.

If anyone wants to write up some config info on other access points, I will
be happy to include it in the doc.  
Artur, I have added the info about the certificates in basic terms.  More
info on the random files included.  I have been under the impression that
the DH file is just another file of random characters.  Is this not the case
and, if not, please share a method for generating one.

Thanks again for your recommendations

Raymond McKay
IT Manager / Network Administrator
Funnybone Interactive
Vivendi Universal Games






Re: New EAP/TLS + MPPE WinXP HOWTO

2002-10-30 Thread Artur Hecker
hi Raymond

that's surely a good thing.

some comments here:

in Chapter 3:

Dynamic encryption keying and re-keying requires the MPPE module within 
FreeRADIUS. This is a part of the CVS version ONLY!!! The release 
version does not include it.

-> it's not an MPPE module, it's the ability to add correctly formatted 
MPPE-* attributes to the Access Accept within the rlm_eap_tls module. 
Otherwise the people will begin to look for rlm_mppe and that's not a 
good advice... Perhaps you shouldn't talk about the CVS snapshot since 
otherwise you will have to revise your document soon. Try to filter out 
any requirements and versions in your chapter 4, in that way you (we) 
could maintain the document actuality.


in Chapter 4:

actually, for EAP/TLS AND FreeRadius (and XP) to work you only need ONE 
(the currently beta) version of OpenSSL, you don't need both. you 
*should* have both if you don't want to trust the beta versions when 
using security, but it's a bit out of the scope. You could say that the 
two versions could be installed in parallel... the issues of the current 
snapshot are not necessary to mention, it will change in a week, it 
makes too much work.

XP without SP1 works perfectly. In SP1 there is no EAP/MD5 for wireless 
anymore... I should update my EAP/MD5 document.


Chapter 5:

make a reference to Chapter 7 when talking about freeradius.

Chapters after 6:

didn't read in details (no orinoco here, and since your radius runs it 
should be correct).

you could mention that any number of CA certificates can be just 
concatenated in the root.pem file and how the random file can be 
produced and where to find the dh* files, that usually provides troubles.

ok, have to go now!!!


ciao
artur



--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris




New EAP/TLS + MPPE WinXP HOWTO

2002-10-30 Thread McKay, Raymond
Greetings all,

For the good of all mankind, I have written an updated EAP/TLS HOWTO that
answers a lot of the questions and fills in the holes in the existing
HOWTOS.  It is available at
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm. I don't claim to be
an overall expert on that matter so if you find any errors or have any
additions, please let me know and I will put them in.

Thanks

Raymond McKay
IT Manager / Network Administrator
Funnybone Interactive
Vivendi Universal Games






RE: VSAs in mysql database

2002-10-30 Thread Brian Johnson
Never mind... Screwball me didn't know about "man -a". :P

Thanks. It works like a charm now that I got my head pulled out. :)

Brian J.


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:freeradius-users-admin@;lists.cistron.nl] On Behalf Of 
> Alan DeKok
> Sent: Wednesday, October 30, 2002 11:32 AM
> To: [EMAIL PROTECTED]
> Subject: Re: VSAs in mysql database 
> 
> 
> "Brian Johnson" <[EMAIL PROTECTED]> wrote:
> > I'm a little shaky on the whole operator thing, but 
> otherwise yes using
> > the "==" operator.
> 
>   You probably don't want to do that.  Read the sample 'users' file
> to see examples of reply attributes, and the operators they use.  Read
> the 'users' man page, to get more description of the operators.
> 
> > I tried the following entries:
> > 
> > Client_DNS_Pri = 1.2.3.4
> > Redback:Client_DNS_Primary = 1.2.3.4
> 
>   Where?  How did you configure them?  What did the server say when
> you used them?
> 
>   Alan DeKok.
> 
> 





Re: Re: mysql radcheck table

2002-10-30 Thread Chris Parker
At 06:45 PM 10/30/2002 +, Mark Terry wrote:

On Wednesday 30 Oct 2002 5:54 pm, you wrote:
> At 05:48 PM 10/30/2002 +, Mark Terry wrote:
> >all,
> > can anyone give me an example radcheck table entry for using
> > freeradius with
> >mysql, please?
> >
> >currently i'm using this but i am unsure whether it is correct:
> >
> >+-+--+---++--+
> >
> >| id  | UserName | Attribute | Value  | op   |
> >
> >+-+--+---++--+
> >
> >| 311 | 102523   | User-Password | password | ==   |
> >
> >+-+--+---++--+
> >
> >should the op field be null?
>
> Would you put the following entry in the users file?
>
> 102523   User-Password password
>
> or would you put?
>
> 102523   User-Password == password
>
> Regardless of where they are stored you need attribute, operator, and value
> to compare a check-item.
>
> If you are unsure of something, try it, and run the server in debugging
> mode.  It is very good about telling you very specifically what you have
> done wrong if something is incorrect.
>
> -Chris

thanks for your help. ok, so if i wanted to check against three items then
these table records would work (as i see no AND, OR fields)?


By design, each check-item is ANDed with the others.  You must match
all check items to match the entry.


+-+--+++--+
| id  | UserName | Attribute  | Value  | op   |
+-+--+++--+
| 836 | 101302   | User-Password  | password| ==   |
| 837 | 101302   | Calling-Station-Id | 123456 | ==   |
| 838 | 101302   | Calling-Station-Id | 123457 | ==   |
+-+--+++--+

if possible i would like the user to dial up from any one of the CLIs in the
database. But if their password was incorrect and they used the correct CLI
would they get authenticated?


No, as above it must pass ALL check items.

You may need to use a regular expression match on the Calling-Station-Id
to do what you have above (try this first, regex may need tweaking):

User-Password == password
Calling-Station-Id ~= (123456|123457)

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net



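Added example, not code from FreeRADIUS or from the posts: a small model of the rule Chris states above (every check item of an entry is ANDed), run over rows constructed from the table in this thread. Only the `==` and `~=` operators are modelled, and the model anchors the regex itself so that `123456` does not also accept `1234567`; whether the real server's `~=` needs explicit anchors is one of the details to check when "tweaking" the regex.

```python
"""Model of FreeRADIUS check-item evaluation as described in the thread.

Added example (not FreeRADIUS code): every check item of a user's entry
must pass, so two '==' rows for Calling-Station-Id can never both match,
while one '~=' regex row accepts either CLI.
"""
import re

# Constructed radcheck rows modelled on the thread: (id, UserName, Attribute, Value, op).
RADCHECK_TWO_EQUALS = [
    (836, "101302", "User-Password", "password", "=="),
    (837, "101302", "Calling-Station-Id", "123456", "=="),
    (838, "101302", "Calling-Station-Id", "123457", "=="),
]

# The regex alternative Chris suggests, as radcheck rows (constructed ids).
RADCHECK_REGEX = [
    (839, "101302", "User-Password", "password", "=="),
    (840, "101302", "Calling-Station-Id", "(123456|123457)", "~="),
]


def item_matches(request, attribute, value, op):
    """Return True if one check item is satisfied by the request attributes."""
    present = request.get(attribute)
    if present is None:
        return False
    if op == "==":
        return present == value
    if op == "~=":
        # Anchored in this model (assumption); '123456' must not accept '1234567'.
        return re.fullmatch(value, present) is not None
    raise ValueError(f"operator {op!r} not modelled here")


def check_items_for(rows, username):
    """Collect the (attribute, value, op) check items of one user's entry."""
    return [(attr, val, op) for _, user, attr, val, op in rows if user == username]


def evaluate(rows, request):
    """Return (accepted, failed_items): all items are ANDed, failures explain a reject."""
    items = check_items_for(rows, request["User-Name"])
    failed = [(a, v, o) for a, v, o in items if not item_matches(request, a, v, o)]
    return (bool(items) and not failed, failed)


if __name__ == "__main__":
    # Constructed Access-Request: right password, first of the two CLIs.
    req = {"User-Name": "101302", "User-Password": "password",
           "Calling-Station-Id": "123456"}
    print("two '==' rows:", evaluate(RADCHECK_TWO_EQUALS, req))
    print("regex row:    ", evaluate(RADCHECK_REGEX, req))
```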


Problem with primary-dns

2002-10-30 Thread Juergen Weiss
Hi List,

we are using freeradius 0.7 on a RedHat 7.3 system in conjunction
with openldap 2.0.34. Things work quite well ( CHAP/PAP/EAP-MD5 ).

One router requires additional attributes like
"Ascend-Client-Primary-DNS"
for example. Authentication seems to be ok. How do I provide these
additional attributes? I tried to provide them via /etc/raddb/users.
But this seems not to be the right way. How do I test the response
( radclient with PAP )?

==== Log from the router ====
Oct 22 14:39:26: RADIUS: Initial Transmit Virtual-Access7 id 177
134.106.40.56:1812, Access-Request, len 90
Oct 22 14:39:26: Attribute 4 6 866A6402
Oct 22 14:39:26: Attribute 5 6 0007
Oct 22 14:39:26: Attribute 61 6 0002
Oct 22 14:39:26: Attribute 1 10 74616C6B
Oct 22 14:39:26: Attribute 31 12 35323436
Oct 22 14:39:26: Attribute 2 18 B5144691
Oct 22 14:39:26: Attribute 6 6 0002
Oct 22 14:39:26: Attribute 7 6 0001


...

Oct 22 14:39:26: RADIUS: Received from id 177 134.106.40.56:1812,
Access-Accept, len 20

...

Oct 22 14:39:26: RADIUS: saved authorization data for user 81F3AD98 at
81F2F0F8
Oct 22 14:39:26: AAA/AUTHEN (4137162207): status = PASS
Oct 22 14:39:26: RADIUS: no appropriate authorization type for user.
Oct 22 14:39:26: Vi7 PAP: O AUTH-NAK id 1 len 25 msg is "Authorization
failed"

====
==== /etc/raddb/users (whole file) ====
DEFAULT Service-Type == Framed-User, Framed-Protocol == PPP
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Assign-IP-Pool = 1,
        Ascend-Client-Primary-DNS = 134.106.40.3,
        Ascend-Client-Secondary-DNS = 134.106.49.2,
        Ascend-Idle-Limit = 600,
        Fall-Through = Yes
====

Thanks for your help


-- 
**
   _   __   Juergen Weiss  
 /_/  /_/   /   Systemadministration Universität Oldenburg
/ /  /\/_   Carl von Ossietzky Str. 9-11 / 26129 Oldenburg
  Hochschul-Tel.: 49 441/7984407  Fax: 49 441/798R4413
rechenzentrum   Mail:mailto:juergen.weiss@;uni-oldenburg.de
**



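Added example, not code from the post or from FreeRADIUS: a decoder for the router's "Attribute <type> <len> <hex>" debug lines above, which names the attributes by their RFC 2865 numbers, evaluates the posted DEFAULT entry's check items against them, and flags that an Access-Accept of length 20 is header-only and therefore carried no reply attributes. It assumes the log prints only the first four bytes of each value and that the short hex values (0007, 0002, 0001) are integers whose leading zeros were dropped by the archive.

```python
"""Decode Cisco-style 'Attribute <type> <len> <hex>' RADIUS debug lines.

Added example (not FreeRADIUS code). Assumptions: the log shows only the
first four bytes of each value, and hex shorter than eight digits is an
integer with leading zeros dropped.
"""
import re

# RFC 2865 attribute numbers for the types seen in the posted log.
ATTRIBUTES = {
    1: ("User-Name", "string"),
    2: ("User-Password", "octets"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    6: ("Service-Type", "integer"),
    7: ("Framed-Protocol", "integer"),
    31: ("Calling-Station-Id", "string"),
    61: ("NAS-Port-Type", "integer"),
}
# Named values used by the posted users file (RFC 2865 numbering).
NAMED_VALUES = {"Service-Type": {2: "Framed-User"}, "Framed-Protocol": {1: "PPP"}}
RADIUS_HEADER_LEN = 20  # code, id, length, authenticator: no attributes

ATTR_LINE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")
ACCEPT_LINE = re.compile(r"Access-Accept, len (\d+)")

# Constructed from the log lines in the post (timestamps dropped).
SAMPLE_LOG = """\
Attribute 4 6 866A6402
Attribute 5 6 0007
Attribute 61 6 0002
Attribute 1 10 74616C6B
Attribute 31 12 35323436
Attribute 2 18 B5144691
Attribute 6 6 0002
Attribute 7 6 0001
RADIUS: Received from id 177 134.106.40.56:1812, Access-Accept, len 20
"""


def decode_value(kind, hexstr):
    """Turn the logged hex prefix into an int, dotted IP, text or hex (octets)."""
    if kind in ("integer", "ipaddr"):
        hexstr = hexstr.rjust(8, "0")  # assumption: dropped leading zeros
    raw = bytes.fromhex(hexstr)
    if kind == "integer":
        return int.from_bytes(raw, "big")
    if kind == "ipaddr":
        return ".".join(str(b) for b in raw)
    if kind == "string":
        return raw.decode("ascii", errors="replace")  # only a prefix is logged
    return hexstr  # User-Password is encrypted on the wire; keep as hex


def parse_request(log):
    """Map attribute names to (decoded value, declared length) for the request."""
    attrs = {}
    for m in ATTR_LINE.finditer(log):
        num, length, hexstr = int(m.group(1)), int(m.group(2)), m.group(3)
        name, kind = ATTRIBUTES.get(num, (f"Attr-{num}", "octets"))
        value = decode_value(kind, hexstr)
        value = NAMED_VALUES.get(name, {}).get(value, value)
        attrs[name] = (value, length)
    return attrs


def check_items_match(attrs, check_items):
    """Evaluate '==' check items such as 'Service-Type == Framed-User' (ANDed)."""
    return all(name in attrs and attrs[name][0] == wanted for name, wanted in check_items)


def accept_has_attributes(log):
    """False when the Access-Accept is header-only, i.e. no reply items were sent."""
    m = ACCEPT_LINE.search(log)
    return m is not None and int(m.group(1)) > RADIUS_HEADER_LEN


# Check items of the posted DEFAULT entry.
DEFAULT_CHECK = [("Service-Type", "Framed-User"), ("Framed-Protocol", "PPP")]

if __name__ == "__main__":
    request = parse_request(SAMPLE_LOG)
    for name, (value, length) in request.items():
        print(f"{name:20} len={length:<3} {value}")
    print("DEFAULT check items match:", check_items_match(request, DEFAULT_CHECK))
    print("Accept carries reply attributes:", accept_has_attributes(SAMPLE_LOG))
```

When the check items match but the Accept is header-only, the reply items never reached the NAS, which is what the router's "no appropriate authorization type" line is complaining about.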


how to use external program in both authorize and accounting section

2002-10-30 Thread Raymond Chen
Thanks

Raymond






Re: Re: mysql radcheck table

2002-10-30 Thread Mark Terry
On Wednesday 30 Oct 2002 5:54 pm, you wrote:
> At 05:48 PM 10/30/2002 +, Mark Terry wrote:
> >all,
> > can anyone give me an example radcheck table entry for using
> > freeradius with
> >mysql, please?
> >
> >currently i'm using this but i am unsure whether it is correct:
> >
> >+-+--+---++--+
> >
> >| id  | UserName | Attribute | Value  | op   |
> >
> >+-+--+---++--+
> >
> >| 311 | 102523   | User-Password | password | ==   |
> >
> >+-+--+---++--+
> >
> >should the op field be null?
>
> Would you put the following entry in the users file?
>
> 102523   User-Password password
>
> or would you put?
>
> 102523   User-Password == password
>
> Regardless of where they are stored you need attribute, operator, and value
> to compare a check-item.
>
> If you are unsure of something, try it, and run the server in debugging
> mode.  It is very good about telling you very specifically what you have
> done wrong if something is incorrect.
>
> -Chris

thanks for your help. ok, so if i wanted to check against three items then 
these table records would work (as i see no AND, OR fields)?

+-+--+++--+
| id  | UserName | Attribute  | Value  | op   |
+-+--+++--+
| 836 | 101302   | User-Password  | password| ==   |
| 837 | 101302   | Calling-Station-Id | 123456 | ==   |
| 838 | 101302   | Calling-Station-Id | 123457 | ==   |
+-+--+++--+

if possible i would like the user to dial up from any one of the CLIs in the 
database. But if their password was incorrect and they used the correct CLI 
would they get authenticated?

so about the basic questions, i'm just trying to get the database ready for 
when the radius gets restarted in the morning.

Mark

-- 

http://www.thedumbterminal.co.uk




pap authentication problem

2002-10-30 Thread Ulrich Walcher
I have freeradius-0.7.1 working with ldap for autz/auth and mysql for
acct.
The passwords are stored SHA encrypted on the ldap. I can get the
password but rlm_pap fails with SHA1 encryption.
The password can be reproduced with the OpenLDAP tool slappasswd:
root@jul# slappasswd -h {SHA} -s test
{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=

Has anyone an idea what is wrong?

TIA!
Uli


from stdout:
---snip---
rad_recv: Access-Request packet from host 192.168.255.253:1645, id=81,
length=56
NAS-IP-Address = 192.168.255.253
NAS-Port-Type = Async
User-Name = "test"
User-Password =
"\323\253\353u\202f\232A*\355\327\264\036\376\326,"
rad_lowerpair:  User-Name now 'test'
rad_rmspace_pair:  User-Name now 'test'
rad_rmspace_pair:  User-Password now 'test'
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'ou=sesm,o=estellos'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=sesm,o=estellos, with filter
(uid=test)
rlm_ldap: Added password qUqP5cyxm6YcTAhz05Hph5gvu9M= in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authtype
rlm_pap: login attempt by "test" with password test
rlm_pap: Using password qUqP5cyxm6YcTAhz05Hph5gvu9M= for user test
authentication.
rlm_pap: Using SHA1 encryption.
rlm_pap: Passwords don't match
  modcall[authenticate]: module "pap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
---snip---


from radiusd.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

libdir = ${exec_prefix}/lib

pidfile = ${run_dir}/radiusd.pid




max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

bind_address = *

port = 0

hostname_lookups = no

allow_core_dumps = no

regular_expressions = yes
extended_expressions= yes

log_stripped_names = no

log_auth = no

log_auth_badpass = no
log_auth_goodpass = no

usercollide = yes

lower_user = before
lower_pass = no

nospace_user = before
nospace_pass = before

checkrad = ${sbindir}/checkrad

security {
max_attributes = 200

reject_delay = 1
}

proxy_requests  = no


$INCLUDE  ${confdir}/clients.conf


$INCLUDE  ${confdir}/snmp.conf


thread pool {
start_servers = 5

max_servers = 32

min_spare_servers = 3
max_spare_servers = 10

max_requests_per_server = 0
}

modules {

pam {
pam_auth = radiusd
}

unix {
cache = yes

cache_reload = 600

passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group


radwtmp = ${logdir}/radwtmp
}

eap {


md5 {
}




}

mschap {

authtype = MS-CHAP




}

pap {
encryption_scheme = sha1
}

ldap {
server = "10.10.11.30"
basedn = "ou=sesm,o=estellos"
filter = "(uid=%u)"

start_tls = no


ldap_cache_timeout = 0
ldap_connections_number = 5
password_header = "{SHA}"
password_attribute = clearpassword
groupmembership_filter = ""
timeout = 4
timelimit = 3
net_timeout = 1
access_attr_used_for_allow = no
}




realm suffix {
format = suffix
delimiter = "@"
}

realm realmslash {
format = prefix
delimiter = "/"
}

realm realmpercent {
format = suffix
delimiter = "%"
}


preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints

with_ascend_hack = no
ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = yes
}

files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}

fastusers {
usersfile = ${confdir}/users_fast
hashsize = 1000
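Added example, not code from rlm_pap, OpenLDAP or the post: it parses the `{SHA}base64` value that slappasswd printed above, recomputes SHA1 over the cleartext and compares it in constant time, and also gives the same digest as hex, since a module that expects a hex-encoded SHA1 cannot match a base64-encoded one. The salted `{SSHA}` variant is included as a generalisation beyond the post; the post itself does not say which encoding rlm_pap 0.7.1 expects, so this only confirms that the stored hash is a correct SHA1 of "test".

```python
"""Verify an OpenLDAP userPassword value ({SHA} or {SSHA}) against cleartext.

Added example (not rlm_pap or OpenLDAP code). {SHA} = base64(sha1(pw)),
{SSHA} = base64(sha1(pw + salt) + salt) with the salt after the 20-byte digest.
"""
import base64
import hashlib
import hmac

# Value taken from the post: slappasswd -h {SHA} -s test
STORED_SHA = "{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M="
SHA1_LEN = 20


def parse_scheme(stored):
    """Split '{SCHEME}payload' into (SCHEME, decoded bytes); reject malformed input."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {SCHEME} header")
    scheme, payload = stored[1:].split("}", 1)
    return scheme.upper(), base64.b64decode(payload, validate=True)


def verify(stored, password):
    """Return True if password matches a {SHA} or {SSHA} userPassword value."""
    scheme, raw = parse_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError(f"unsupported scheme {scheme}")


def encodings(stored):
    """Stored digest in base64 and hex, to compare against what the server logs."""
    _, raw = parse_scheme(stored)
    return {"base64": base64.b64encode(raw).decode("ascii"), "hex": raw.hex()}


def make_ssha(password, salt):
    """Build a {SSHA} value the way slappasswd -h {SSHA} does (caller supplies salt)."""
    pw = password.encode("utf-8")
    return "{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode("ascii")


if __name__ == "__main__":
    print("matches 'test':", verify(STORED_SHA, "test"))
    print(encodings(STORED_SHA))
```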
  

Re: mysql radcheck table

2002-10-30 Thread Chris Parker
At 05:48 PM 10/30/2002 +, Mark Terry wrote:

all,
can anyone give me an example radcheck table entry for using 
freeradius with
mysql, please?

currently i'm using this but i am unsure whether it is correct:

+-+--+---++--+
| id  | UserName | Attribute | Value  | op   |
+-+--+---++--+
| 311 | 102523   | User-Password | password | ==   |
+-+--+---++--+

should the op field be null?

Would you put the following entry in the users file?

102523   User-Password password

or would you put?

102523   User-Password == password

Regardless of where they are stored you need attribute, operator, and value
to compare a check-item.

If you are unsure of something, try it, and run the server in debugging
mode.  It is very good about telling you very specifically what you have
done wrong if something is incorrect.

-Chris

--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: mysql radcheck table

2002-10-30 Thread Alan DeKok
Mark Terry <[EMAIL PROTECTED]> wrote:
> currently i'm using this but i am unsure whether it is correct:
> 
> +-+--+---++--+
> | id  | UserName | Attribute | Value  | op   |
> +-+--+---++--+
> | 311 | 102523   | User-Password | password | ==   |
> +-+--+---++--+

  The SQL schema is meant to mimic what goes on in the 'users' file.
So look at the 'users' file for examples...

> should the op field be null?

  Absolutely not.

  Alan DeKok.





mysql radcheck table

2002-10-30 Thread Mark Terry
all,
can anyone give me an example radcheck table entry for using freeradius with 
mysql, please?

currently i'm using this but i am unsure whether it is correct:

+-+--+---++--+
| id  | UserName | Attribute | Value  | op   |
+-+--+---++--+
| 311 | 102523   | User-Password | password | ==   |
+-+--+---++--+

should the op field be null?

thanks in advance.

Mark

-- 

http://www.thedumbterminal.co.uk




Re: Little LAN and Freeradius. It's possible?

2002-10-30 Thread Alan DeKok
<[EMAIL PROTECTED]> wrote:
> I want send B pc from A with all services availables (telnet, http, ftp
> ecc...). My necessity is authenticate all connection from A to B with
> radius and CHAP type of authentication (login and password)

  Why?  YP (or NIS) does exactly the same thing, and is probably
easier to set up.

  Also, RADIUS won't supply all of the information to the second PC
that it needs.  NIS will.

  Don't use RADIUS.

  Alan DeKok.




Re: VSAs in mysql database

2002-10-30 Thread Alan DeKok
"Brian Johnson" <[EMAIL PROTECTED]> wrote:
> I'm a little shaky on the whole operator thing, but otherwise yes using
> the "==" operator.

  You probably don't want to do that.  Read the sample 'users' file
to see examples of reply attributes, and the operators they use.  Read
the 'users' man page, to get more description of the operators.

> I tried the following entries:
> 
> Client_DNS_Pri = 1.2.3.4
> Redback:Client_DNS_Primary = 1.2.3.4

  Where?  How did you configure them?  What did the server say when
you used them?

  Alan DeKok.




RE: VSAs in mysql database

2002-10-30 Thread Brian Johnson
I'm a little shaky on the whole operator thing, but otherwise yes using
the "==" operator.

I tried the following entries:

Client_DNS_Pri = 1.2.3.4
Redback:Client_DNS_Primary = 1.2.3.4

Any other ideas?

Brian J.


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:freeradius-users-admin@;lists.cistron.nl] On Behalf Of 
> Alan DeKok
> Sent: Wednesday, October 30, 2002 10:05 AM
> To: [EMAIL PROTECTED]
> Subject: Re: VSAs in mysql database 
> 
> 
> "Brian Johnson" <[EMAIL PROTECTED]> wrote:
> > I am trying to setup a reply attribute in the 
> "radgroupreply" table in
> > mysql. It is a Redback VSA specified in the 
> dictionary.redback file. I
> > have checked that it is included in the dictionary file and it is. I
> > have STFWd and RTFMd for two days with no luck. I just want 
> to send the
> > Redback VSA for "Client_DNS_Pri" and "Client_DNS_Sec" in 
> the response.
> 
>   Have you tried adding the attribute name, value, and operator, just
> like for any other attribute?  There's nothing magic about VSA's.
> 
>   Alan DeKok.
> 
> 





also, how to call an external program from Accounting section in radiusd.conf

2002-10-30 Thread Raymond Chen








Raymond

 








Little LAN and Freeradius. It's possible?

2002-10-30 Thread kubimax



Hello everybody.

I created a mini LAN with 2 PCs, A) 192.168.0.1 and
B) 192.168.0.2.
The OS is Linux RH7.2.
Every PC is equipped with a Realtek ethernet card,
and ping tests from A to B and vice versa don't have any problem. All is
ok.
On PC B I have installed FREERADIUS
0.7.1 and local radtest works correctly with my user name settings.

I want to send to PC B from A with all services
available (telnet, http, ftp etc.). My necessity is to authenticate all
connections from A to B with radius and CHAP type of authentication (login and
password).
Only after auth can PC A access a B
resource.

Is that possible? I have say a big
.?

Please help me! I'm a newbie and have read all
e-mails of the freeradius user archive without solution.

Thanks for your help!

Kind regards!

P.S. My english is poor! sorry!

MAX
 
 


Re: VSAs in mysql database

2002-10-30 Thread delphi
Simply add it to the table.

insert into radgroupreply (groupname,attribute,value,op)
values ('mygroup','Client_DNS_Pri','1.1.1.1','=');

insert into radgroupreply (groupname,attribute,value,op)
values ('mygroup','Client_DNS_Sec','1.1.1.2','=');


> I am trying to setup a reply attribute in the "radgroupreply" table in
> mysql. It is a Redback VSA specified in the dictionary.redback file. I
> have checked that it is included in the dictionary file and it is. I
> have STFWd and RTFMd for two days with no luck. I just want to send the
> Redback VSA for "Client_DNS_Pri" and "Client_DNS_Sec" in the response.

> Any help would be appreciated.

> TIA
> Brian J.







Re: Re[2]: Debug mode and CTRL-C

2002-10-30 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
>  Maybe I've missed something...but I don't find reason while
> 'dirty' exit was done intentionally for debugging

  Because you can still send it SIGTERM.

  CTRL-C means "die now".

  SIGTERM means "please die".


  In debugging mode, and without child threads, the server can be in
the middle of processing a request (say to a back-end DB), when the
admin hits CTRL-C.  If the back-end database is slow (20-30 seconds to
respond), that's WHY the admin has hit CTRL-C.

  Do you REALLY want the server to ignore the CTRL-C, and spend the
next 20-30 seconds finishing what it's doing?  If so, I can make it do
what you want, and then bounce all of the nasty email to you, which
says "the fscking server won't stop when I try to kill it!"


  When I'm running a process, *I* am the one in charge, not the
process.  When I hit CTRL-C, I mean "die NOW, you stupid program!".

  Any other behaviour is wrong.

  Alan DeKok.




Re: VSAs in mysql database

2002-10-30 Thread Alan DeKok
"Brian Johnson" <[EMAIL PROTECTED]> wrote:
> I am trying to setup a reply attribute in the "radgroupreply" table in
> mysql. It is a Redback VSA specified in the dictionary.redback file. I
> have checked that it is included in the dictionary file and it is. I
> have STFWd and RTFMd for two days with no luck. I just want to send the
> Redback VSA for "Client_DNS_Pri" and "Client_DNS_Sec" in the response.

  Have you tried adding the attribute name, value, and operator, just
like for any other attribute?  There's nothing magic about VSA's.

  Alan DeKok.




VSAs in mysql database

2002-10-30 Thread Brian Johnson

I am trying to set up a reply attribute in the "radgroupreply" table in
mysql. It is a Redback VSA specified in the dictionary.redback file. I
have checked that it is included in the dictionary file and it is. I
have STFWd and RTFMd for two days with no luck. I just want to send the
Redback VSA for "Client_DNS_Pri" and "Client_DNS_Sec" in the response.

Any help would be appreciated.

TIA
Brian J.





Re[2]: Debug mode and CTRL-C

2002-10-30 Thread delphi
>Yes... if you had seen one of my previous messages on this topic,
> you would know that this is intentional, and WHY it's intentional.

 Maybe I've missed something... but I don't see the reason why a
'dirty' exit was done intentionally for debugging





Re: Unresponsive child

2002-10-30 Thread Igor Chen
Of course I understand that :)
I didn't even try to accuse the radius developers, but IMHO the SQL
back-end should give some clue (debugging info) to let the administrator
solve the problem.

 On Wed, 30 Oct 2002, Alan DeKok wrote:

> Igor Chen <[EMAIL PROTECTED]> wrote:
> > The main reason for the core dumping was a delay after sending a request
> > to the database. A trigger on UPDATE became too slow (an UPDATE request
> > was handled in ~40 - 60 sec.)
>
>   This problem should be addressed in the documentation in flaming
> letters 10 feet high.  If the back-end database takes more than 5
> seconds to respond to a request, then the RADIUS server will not be
> able to authenticate people.
>
>   Once the database is broken, the RADIUS server (which depends on the
> database) can't be any better.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-- 
cron-ripe





Re: Unresponsive child

2002-10-30 Thread Alan DeKok
Igor Chen <[EMAIL PROTECTED]> wrote:
> The main reason for the core dumping was a delay after sending a request
> to the database. A trigger on UPDATE became too slow (an UPDATE request
> was handled in ~40 - 60 sec.)

  This problem should be addressed in the documentation in flaming
letters 10 feet high.  If the back-end database takes more than 5
seconds to respond to a request, then the RADIUS server will not be
able to authenticate people.

  Once the database is broken, the RADIUS server (which depends on the
database) can't be any better.

  Alan DeKok.




Re: Undefined reference

2002-10-30 Thread Alan DeKok
"Gene Parks" <[EMAIL PROTECTED]> wrote:
> I am installing this on Solaris 8.  Already have 2 copies running on 2
> other Solaris 8 machines but for some reason this one wants to give me
> trouble.
> 
> modules.o: In function `setup_modules':
> /export/home/users/freeradius-0.7.1/src/main/modules.c:611: undefined
> reference to `lt_preloaded_symbols'

  You don't have libltdl on that system.  It comes with the server, so
I don't see why it isn't there.

  Alan DeKok.




ScanMail Message: To Recipient Match eManager setting and take action.

2002-10-30 Thread System Attendant
 eManager Notification *

The following mail was blocked since it contains sensitive content.

Source mailbox: [EMAIL PROTECTED]
Destination mailbox(es): [EMAIL PROTECTED]
Rule/Policy: Profanity
Action: Quarantine to C:\Program
Files\Trend\SMCF\Quarantine\2002-10-30\10-10-13.64243

Content filter has detected an e-mail that contains profanity

*** End of message *




freeRADIUS dialup admin

2002-10-30 Thread ajoncas
Hello,
I was wondering if there was an oracle driver for the dialup admin.  Thanks.
Adam Joncas






Re: Oracle and radius authentication

2002-10-30 Thread Alan DeKok
"Ricardo Gadea" <[EMAIL PROTECTED]> wrote:
> Is it possible to give Radius authentication to oracle users through the
> radius module for PAM?

  I don't see why not.

  Alan DeKok.




Re: Debug mode and CTRL-C

2002-10-30 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> While in debug mode, after Ctrl-C the server does not
> exit cleanly.

   Yes... if you had seen one of my previous messages on this topic,
you would know that this is intentional, and WHY it's intentional.

  Alan DeKok.




rlm_counter: Could not find Check item value pair

2002-10-30 Thread Svetlana Vyslanko
Hi,
Please help me with my problem. I am new to this discussion. I've installed 
freeradius-0.7.1 now. I used freeradius-0.1.0 before and it worked.

In the users file I define Daily-Session-Time for user ppkons:

ppkons  Daily-Session-Time > 7200, Auth-Type := Reject
        Reply-Message = "Your time limit is used"

When I run radiusd in test mode I see:

rad_recv: Access-Request packet from host 194.44.25.67:2740, id=255, length=46
User-Name = "ppkons"
User-Password = "fi\025\224\010\207y!3\373\245m\031C!\201"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok

#
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
  modcall[authorize]: module "counter" returns noop
#

radius_xlat:  'ppkons'
sql_set_user:  escaped user --> 'ppkons'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'ppkons' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ppkons' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'ppkons' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'ppkons' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
radius_xlat:  'SELECT Value,Attribute FROM radcheck WHERE UserName = 'ppkons' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok
users: Matched ppkons at 6
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok

#
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [ppkons/KONsul89] (from client tonic port 0)
Sending Access-Reject of id 255 to 194.44.25.67:2740
Reply-Message = "Your time limit is used"
##

Finished request 0


Regards,
Svetlana




Oracle and radius authentication

2002-10-30 Thread Ricardo Gadea
Hi all, 

Is it possible to give Radius authentication to oracle users through the radius module 
for PAM? I mean, the authentication based on the Operating System that supports the 
database, and redirected to a Radius server. The main idea is to give strong 
authentication to oracle applications using token cards.

Thanks in advance.

Regards.
Ricardo





Re: Debug mode and CTRL-C

2002-10-30 Thread delphi


Also, I think it would not be bad to add

 /*
  *  Delete PID file to indicate
  *  normal shutdown
  */
 unlink(pid_file);

or

 if (dont_fork == FALSE)
 unlink(pid_file);

in the if (do_exit) {...} block.





Debug mode and CTRL-C

2002-10-30 Thread delphi
Hi!

While in debug mode, after Ctrl-C the server does not
exit cleanly.

Problem in:

radiusd.c line 940
/*
 *  If we're debugging, then a CTRL-C will cause the
 *  server to die immediately.  Use SIGTERM to shut down
 *  the server cleanly in that case.
 */
if (debug_flag == 0) {
signal(SIGINT, sig_fatal);
signal(SIGQUIT, sig_fatal);
}

Must be

if (debug_flag != 0) {

I think.

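Added example, not code from the list or from the FreeRADIUS sources: a minimal C model of the policy Alan describes earlier in this thread (SIGTERM means "please die", CTRL-C in debug mode means "die now") together with the PID-file cleanup delphi proposes. The helper names install_signal_handlers, shutdown_cleanup and exit_requested and the PID-file path are assumptions of this example; only debug_flag, dont_fork, do_exit, pid_file and sig_fatal follow the snippets quoted on the list.

```c
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

/* Shutdown flag set by handlers; the main loop polls it between requests. */
static volatile sig_atomic_t do_exit = 0;

/* SIGTERM: "please die". Only a flag is set, so the request in progress
 * (for example a slow back-end DB query) finishes before the shutdown. */
static void sig_term(int sig) { (void)sig; do_exit = 1; }

/* Daemon mode routes SIGINT/SIGQUIT to the same clean-shutdown path. */
static void sig_fatal(int sig) { (void)sig; do_exit = 1; }

/* Models the policy quoted from radiusd.c: when debugging, CTRL-C is left
 * at SIG_DFL so the process dies immediately instead of waiting on a stalled
 * back-end; when not debugging, SIGINT/SIGQUIT trigger a clean shutdown.
 * Returns 1 if SIGINT/SIGQUIT were redirected, 0 if left at the default. */
int install_signal_handlers(int debug_flag)
{
    signal(SIGTERM, sig_term);
    if (debug_flag == 0) {
        signal(SIGINT, sig_fatal);
        signal(SIGQUIT, sig_fatal);
        return 1;
    }
    signal(SIGINT, SIG_DFL);    /* "die now" */
    signal(SIGQUIT, SIG_DFL);
    return 0;
}

/* Clean-shutdown step suggested in the thread: remove the PID file, but only
 * when the server forked (dont_fork == 0) and therefore wrote one. A stale
 * PID file can make the next start look like a duplicate instance.
 * Returns 1 if the file was unlinked, 0 otherwise. */
int shutdown_cleanup(const char *pid_file, int dont_fork)
{
    if (dont_fork) return 0;
    return unlink(pid_file) == 0;
}

int exit_requested(void) { return do_exit != 0; }
void reset_exit_flag(void) { do_exit = 0; }

int main(void)
{
    const char *pid_file = "radiusd-example.pid";   /* constructed path */
    FILE *f = fopen(pid_file, "w");
    if (f) { fprintf(f, "%ld\n", (long)getpid()); fclose(f); }

    install_signal_handlers(0);     /* daemon mode */
    raise(SIGTERM);                 /* "please die": sets the flag only */
    printf("exit requested: %d\n", exit_requested());
    printf("pid file removed: %d\n", shutdown_cleanup(pid_file, 0));
    return 0;
}
```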




Re: compiling with Kerberos fails

2002-10-30 Thread Brian Johnson
> Ah, hmm. You also need
> 
>   RLM_CFLAGS = -I/usr/kerberos/include
> 
> and that should be it...

Ah hah!  I thought something should've gone there, but unfortunately I
couldn't find anything that told me what I should put.  Thanks for
clearing that up!

I added it to my original Makefile and gave it another shot, but
unfortunately ran into the same error on make.  So I decided to see if I
had more love with the nightly snapshot (thanks for fixing that in time
for the snapshot, Steve!).  Did a configure on it and it looked good, so I
tried a make.  The bad news is, I didn't get through the make.  The good
news is, it didn't break with the rlm_krb5 stuff.  So I took a look at the
autogenerated rlm_krb5/Makefile, noticed it was a little different than
the one I had hand-made, so I just copied it into my 0.7.1 tree.  Ran make
and it compiled without a hitch!

Thank you both Alan and Steve for your prompt attention and helping me get
it done as quickly as possible.  I thoroughly appreciate it!

Brian

PS Steve, if you're interested in seeing the error I ran into building the
nightly snapshot, I'll be happy to share it with the list.

> 
> I've fixed up the configure script in CVS, btw, so that this should not
> be needed come next release.
> 
> Cheers,
> Steve Langasek
> postmodern programmer
> 

-
Brian Johnson
ECI Data
[EMAIL PROTECTED]
919-668-6492





Re: Unresponsive child

2002-10-30 Thread Igor Chen

I did two things:
1) re-compiled radius without -O2
2) removed wrong attributes from the rlm_acct_unique config (in radiusd.conf)

It seems like it stopped dumping core.
I cannot do such experiments on a production server at an ISP :) When it
screwed up I nearly went grey-haired with all that...

The main reason for the core dumping was a delay after sending a request
to the database. A trigger on UPDATE became too slow (an UPDATE request
was handled in ~40 - 60 sec.) - I tried to optimize it. And of course the
radius pg_query froze until it got a result for the operation. That's all
I know. I can test that situation later on a test server if you want.


On 29 Oct 2002, Todd T. Fries wrote:

> If you are getting a core, that is the debugging I'm looking for!
>
> I experience this same thing on a mysql setup, btw.
>
> Could you compile the daemon with debugging, run the program itself
> without installing it (preserves debugging symbols, slightly larger, but
> helps in debugging) .. and when it produces a core file please do:
>
> gdb /path/to/your/sources/src/main/.libs/radiusd /path/to/radiusd.core
>
> Then type 'bt all' ?
>
> Thanks!
>
> On Tue, 2002-10-29 at 03:23, Igor Chen wrote:
> > Done. Nothing has changed. It just freezes when run with -X or coredumps
> > otherwise. Are there any known problems with postgresql connectivity?
> > What logs should i post to get detailed explanation about that?
> >
> >  On 28 Oct 2002, Todd T. Fries wrote:
> >
> > > The running suggestion on the mailing list is to try current cvs.  There
> > > have been, in fact, several bugfixes that have gone in since the 0.7.1
> > > release.  However, I've still seen problems.  I'd very much like to know
> > > if you have (or see no more) problems after trying the version of
> > > freeradius from cvs.
> > >
> > > Thanks,
> > >
> > > On Mon, 2002-10-28 at 11:44, Igor Chen wrote:
> > > > Heya!
> > > >
> > > > I used freeradius 0.7.1 and postgresql 7.1.3, freebsd 4.4-STABLE
> > > > Radius began to hang up (if started with -X) or just core dump.
> > > >
> > > > Mon Oct 28 19:40:01 2002 : Error: WARNING: Unresponsive child (id
> > > > 135801856) for request 29
> > > > Mon Oct 28 19:40:06 2002 : Error: WARNING: Unresponsive child (id
> > > > 135798784) for request 30
> > > > Mon Oct 28 19:40:12 2002 : Error: MASTER: exit on signal (11)
> > > >
> > > > Tried to downgrade to 0.7. Same shit :(
> > > > Forced to run it using radwatch. It restarts approx. every 25 min.
> > > >
> > > > Any suggestions?
> > > >
> > > > --
> > > > cron-ripe
> > > >
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >
> >
> > --
> > cron-ripe
>

-- 
cron-ripe





Problem with Exec-Program-Wait

2002-10-30 Thread Alexandr Skarbo
Hello!

I use FreeRADIUS version 0.7.1 with MySQL authorization and accounting on
ALT Linux (kernel 2.4.7).
All was OK until I tried to use the Exec-Program-Wait A/V pair in the users file.
"radiusd -X" displays something like this:

-- skipped --
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat:  '/usr/radius/bin/test'
Exec-Program: /usr/radius/bin/test
Exec-Program-Wait: value-pairs: Session-Timeout = 200,Reply-Message="test"
Exec-Program: Abnormal child exit
  ^^^

Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--skipped--

--- Walking the entire request list ---
Sending Access-Reject of id 12 to 195.184.214.19:1645
  Reply-Message = "\r\nAccess denied (external check failed)."




What have I done incorrectly?

How to eliminate this?



With best regards,

   Vladimir A. Khrestin.





unsubscribe

2002-10-30 Thread Jose F Pagan






Do you remember Halloween is coming?

2002-10-30 Thread Halloween





Do you remember Halloween is coming?

Take your chance to send a Free greeting from:
http://cards.web-space-station.com/halloween-greeting-card.html






Re: ScanMail Message: To Recipient Match eManager setting and take action.

2002-10-30 Thread Daryl Tester
[EMAIL PROTECTED] wrote:

> We could always send a bunch of actual swears to [EMAIL PROTECTED] and
> see what happens.  :)

I think you already are - it's probably your signature that's tripping
it off.  :-)

> "So for the IT Manager Role, you want someone who's absolute crap, looks
> reasonable on paper, and won't cause too much trouble. ...  Well I don't
> have any MCSEs on my books at the moment, but I could call around."--
> Simon Travaglia


-- 
Regards,
  Daryl Tester,  Software Wrangler and Bit Herder, IOCANE Pty. Ltd.

"Security Alert: Your Computer Is Currently Broadcasting An Internet IP
 Address.  With This Address, Someone Can Immediately Begin Attacking
 Your Computer!"  --  One Of Those Profound Dialog Box Adverts.




Re: ldap newbiew help

2002-10-30 Thread Kostas Kalevras
On Wed, 30 Oct 2002, Alexey Chetroi wrote:

>  What LDAP schema are you using? Because I have no hits on
> [lex.lexa]$ grep -i radiusreplyitem RADIUS-LDAPv3.schema
> [lex.lexa]$
>
> --

You were right. Schema updated. Do a cvs update.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: ldap newbiew help

2002-10-30 Thread Alexey Chetroi
On Tue, Oct 29, 2002 at 05:29:24PM +0200, Kostas Kalevras wrote:
> > Currently I'm running freeradius with mysql for storing
> > user data. I want to migrate all this to LDAP. I need a couple of
> > hints: in current setup I'm using a lot of cisco-AV-pairs attribute
> > for defining access-list per user/group basis, idle-timeout, ip-pool etc.
> >
> >  How would I make it with LDAP? I've added to slapd.conf
> > include /etc/ldap/schema/RADIUS-LDAPv3.schema
> > and now can use radius attributes with ldap, but I just don't get
> > how to use cisco-avpairs.
> >
> > I think probably with radiusVSAattribute from ldapv3.schema
> > or should I write my own schema extension?
> >
> > PS: I've read ldap-howto on the net but it just mentions that if
> > your ldap server is setup for posix account that's enough. I think
> > my question is more ldap specific. ?
> 
> dn: uid=default-user-dialup,ou=people,dc=sch,dc=gr
> radiusreplyitem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
 
 What LDAP schema are you using? Because I have no hits on
[lex.lexa]$ grep -i radiusreplyitem RADIUS-LDAPv3.schema 
[lex.lexa]$ 

-- 

  Best regards,
  Alexey Chetroi

---
Smile... Tomorrow will be worse.   (c) Murphy's law




Re: How can i stop the name-service lookup on freeradius0.7.1 start?

2002-10-30 Thread Helmut Tröbs



  You've supplied a hostname, not an IP address.  If the server wants
to discover what address is associated with that hostname, it MUST do
an IP ADDRESS LOOKUP, not a hostname lookup.

  So you're confused about what it's doing.

  Not only that, you've misconfigured your local DNS, so that the
hostname you've given it doesn't have a DNS entry, and therefore can't
be resolved into an IP address.  So how do you expect the server to
know what that hostname is?  You don't know yourself!

  Stop blaming the server, and fix your DNS.  Even better, put IP
addresses in the 'clients' file, instead of hostnames which don't
exist.



Our customers gave me the names; I have nothing to do with their
name service. I was faced with this problem because we upgraded from
an older RADIUS version (cistron-1.6.4). In that version the RADIUS
server started, no matter what the address lookup returned.
OK, I will rewrite my large clients file with only IP addresses in
it.

regards

Helmut Troebs


--



 Helmut Troebs
 Leibniz-Rechenzentrum Muenchen
 Abteilung Kommunikationsnetze

 E-Mail:	[EMAIL PROTECTED]



