Re: more Kerberos fun

2002-11-06 Thread Brian Johnson
On Thu, 7 Nov 2002, Allister Maguire wrote:

> Hello,
> 
> This is what you need in radius.conf:
> 
> You need to add an empty "krb5" to the module section. (It takes no
> parameters).
> 
> modules {
> 
> 
>   krb5 {
>   }
> 
> 

Wow, it looks like I was closer than I thought with my guess.  I look
forward to giving it a try tomorrow, er, this morning, a bit later
:).  Thanks Allister!

Brian



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



mod_auth_radiusd and apache 2.0.40 (RH8.0)

2002-11-06 Thread bart
Hi,

I'm having a problem I can't seem to work out.

I compile the mod_auth_radius 1.5.4 fine with: "apsx -i -a -c
mod_auth_radius-2.0.c" it installs fine however when I start apache I
get: 

"Cannot load /etc/httpd/modules/mod_auth_radius-2.0.so into server:
/etc/https/modules/mod_auth_radius-2.0.so: undefined symbol:
note_basic_auth_failure"

This is on apache 2.0.40 on redhat 8.0 with freeradius on the same.

Can anyone help?

Thanks

Daniel





Re: more Kerberos fun

2002-11-06 Thread Allister Maguire
Hello,

This is what you need in radius.conf:

You need to add an empty "krb5" to the module section. (It takes no
parameters).

modules {


krb5 {
}



}

And then add "krb5" to auth section:

authenticate {
krb5
}

This part is correct:

Auth-Type := Kerberos

Regards

Allister P Maguire




RE: (So close I can taste it...) freeradius & mssql2000

2002-11-06 Thread Glynn Taylor
Thank you.  My apologies for leaving that out:


my /usr/local/freetds.conf file has this as the only section database
section:

[192.168.0.126]
host = 192.168.0.126
port = 1433
tds version = 7.0

Does the name in [brackets] have to match anything else in the other conf
files??

The  test program tsql is working:


[glynn@localhost bin]$ tsql -S 192.168.0.126 -p 1433 -U hsvpnws
Password:
Msg 5703, Level 0, State 1, Server WFC-ACC1, Line 0
Changed language setting to us_english.
1> use wific
2> go
1> select * from customer;
2> go
Msg 208, Level 16, State 1, Server WFC-ACC1, Line 1
Invalid object name 'customer'.
1> select * from customers;
2> go
ID  CustomerID  NameAddr1   CityState   Zip
1   1   Microsoft   1 Microsoft Way
RedmondWA
98105
5   2   Oracle  1 Ellison Way
Dontknow
9
1>


Yet radiusd can not get a connection to the database.  Is there some logging
I can turn on or check to help me figure this out?

Thanks all
GT








-Original Message-
From: [EMAIL PROTECTED]
[mailto:freeradius-users-admin@;lists.cistron.nl]On Behalf Of Adorable
Dauz
Sent: Wednesday, November 06, 2002 5:53 PM
To: [EMAIL PROTECTED]
Subject: Re: (So close I can taste it...) freeradius & mssql2000


you need also to configure the freetds first.


- Original Message -
From: "Glynn Taylor" <[EMAIL PROTECTED]>
To: "Freeradius-Users" <[EMAIL PROTECTED]>
Sent: Thursday, November 07, 2002 6:36 AM
Subject: (So close I can taste it...) freeradius & mssql2000


>
> 1. Do we have to specify a port number to connect to a MS SQL database? (If
> so where, I can't find where to put one in MSSQL.conf)
>
> 2. Is it true that unixODBC does not work on its own and still requires
> freeTDS?
>
> First I got freeRadius working with text files.  So far so good.  The move
> to SQL has not yet worked.  The user is hsvpnws, the database is wific.  The
> database server is 192.168.0.126.
>
> My Modules load, but my connection never makes it.
> 
>  sql: simul_verify_query = ""
> rlm_sql ((null)): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded
> and linked
> rlm_sql ((null)): Attempting to connect to [EMAIL PROTECTED]:/wific
> rlm_sql ((null)): starting 0
> rlm_sql ((null)): Attempting to connect #0
> rlm_sql_unixodbc: Connection failed
> rlm_sql ((null)): Failed to connect DB handle #0
> rlm_sql ((null)): starting 1
> rlm_sql ((null)): starting 2
> rlm_sql ((null)): starting 3
> rlm_sql ((null)): starting 4
> Module: Instantiated sql (sql)
> Module: Loaded files
>  files: usersfile = "/etc/raddb/users"
>  files: acctusersfile = "/etc/raddb/acct_users"
>  files: preproxy_usersfile = "/etc/raddb/preproxy_users"
>  files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded detail
>  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
>  radutmp: filename = "/var/log/radius/radutmp"
>  radutmp: username = "%{User-Name}"
>  radutmp: perm = 384
>  radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
> 1814/udp.
> Ready to process requests.
> 
> At the top of the raddb trace (third line down here) there is a blank port
> directive, but I can't find where to enter it in mssql.conf:
> 
> Module: Loaded SQL
>  sql: driver = "rlm_sql_unixodbc"
>  sql: server = "192.168.0.126"
>  sql: port = ""
>  sql: login = "hsvpnws"
>  sql: password = "eagles99"
>  sql: radius_db = "wific"
>  sql: acct_table = "radacct"
>  sql: acct_table2 = "radacct"
>  sql: authcheck_table = "radcheck"
>  sql: authreply_table = "radreply"
>  sql: groupcheck_table = "radgroupcheck"
>  sql: groupreply_table = "radgroupreply"
>  sql: usergroup_table = "usergroup"
>  sql: nas_table = "nas"
>  sql: dict_table = "dictionary"
>  sql: sqltrace = no
>  sql: sqltracefile = "/var/log/radius/sqltrace.sql"
>  sql: deletestalesessions = yes
>  sql: num_sql_socks = 5
>  sql: sql_user_name = "%{hsvpnws}"
> 
> I'm running the latest snapshot of freeRadius and freeTDS.  (but the
> symptoms are the same with 0.7.1 and 0.60).  I compiled and installed
> unixODBC first, then the freeTDS, then recompiled freeRadius.  The database
> exists.
>
> This is in my /usr/local/etc/odbc.ini:
> [sqlserver]
> Driver  = TDS
> Descripttion = SQL Server
> Trace = Yes
> Servername = 192.168.0.4
> Database = wific
>
> This is in my /usr/local/etc/odbcinst.ini:
> [TDS]
> 

Re: Freeradius-Users digest, Vol 1 #1211 - 14 msgs

2002-11-06 Thread Randall Badilla
Hey guys:
The patch 112438-01 http://sunsolve.sun.com adds /dev/random and other
stuff related to it.

Another question:
Can I change the ldap library checking??
Now it is something like this:
try lber
if not lber
then fail and exit
else try ldap...

I need barely

try lber
if not lber
then continue
try ldap


I have dealt with the configure.in and other files, but any modification
makes configure unusable or just like the original one!

Thanks a lot!





radutmp file

2002-11-06 Thread Brian Kolaci

I'm running 3 pairs of radius servers.  One of them is
logging the framed-ip-address properly, however the other
two are not.  I see the entry in the detail file.
I run radwho and the "Location" is not populated on 2 of
the servers.  Each uses a different radius server for
proxy, however they all have the Framed-IP-Address entry
in their detail files.

Any clues?

Thanks,

Brian





Re: (So close I can taste it...) freeradius & mssql2000

2002-11-06 Thread Adorable Dauz
you need also to configure the freetds first.


- Original Message -
From: "Glynn Taylor" <[EMAIL PROTECTED]>
To: "Freeradius-Users" <[EMAIL PROTECTED]>
Sent: Thursday, November 07, 2002 6:36 AM
Subject: (So close I can taste it...) freeradius & mssql2000


>
> 1. Do we have to specify a port number to connect to a MS SQL database? (If
> so where, I can't find where to put one in MSSQL.conf)
>
> 2. Is it true that unixODBC does not work on its own and still requires
> freeTDS?
>
> First I got freeRadius working with text files.  So far so good.  The move
> to SQL has not yet worked.  The user is hsvpnws, the database is wific.  The
> database server is 192.168.0.126.
>
> My Modules load, but my connection never makes it.
> 
>  sql: simul_verify_query = ""
> rlm_sql ((null)): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded
> and linked
> rlm_sql ((null)): Attempting to connect to [EMAIL PROTECTED]:/wific
> rlm_sql ((null)): starting 0
> rlm_sql ((null)): Attempting to connect #0
> rlm_sql_unixodbc: Connection failed
> rlm_sql ((null)): Failed to connect DB handle #0
> rlm_sql ((null)): starting 1
> rlm_sql ((null)): starting 2
> rlm_sql ((null)): starting 3
> rlm_sql ((null)): starting 4
> Module: Instantiated sql (sql)
> Module: Loaded files
>  files: usersfile = "/etc/raddb/users"
>  files: acctusersfile = "/etc/raddb/acct_users"
>  files: preproxy_usersfile = "/etc/raddb/preproxy_users"
>  files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded detail
>  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
>  radutmp: filename = "/var/log/radius/radutmp"
>  radutmp: username = "%{User-Name}"
>  radutmp: perm = 384
>  radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
> 1814/udp.
> Ready to process requests.
> 
> At the top of the raddb trace (third line down here) there is a blank port
> directive, but I can't find where to enter it in mssql.conf:
> 
> Module: Loaded SQL
>  sql: driver = "rlm_sql_unixodbc"
>  sql: server = "192.168.0.126"
>  sql: port = ""
>  sql: login = "hsvpnws"
>  sql: password = "eagles99"
>  sql: radius_db = "wific"
>  sql: acct_table = "radacct"
>  sql: acct_table2 = "radacct"
>  sql: authcheck_table = "radcheck"
>  sql: authreply_table = "radreply"
>  sql: groupcheck_table = "radgroupcheck"
>  sql: groupreply_table = "radgroupreply"
>  sql: usergroup_table = "usergroup"
>  sql: nas_table = "nas"
>  sql: dict_table = "dictionary"
>  sql: sqltrace = no
>  sql: sqltracefile = "/var/log/radius/sqltrace.sql"
>  sql: deletestalesessions = yes
>  sql: num_sql_socks = 5
>  sql: sql_user_name = "%{hsvpnws}"
> 
> I'm running the latest snapshot of freeRadius and freeTDS.  (but the
> symptoms are the same with 0.7.1 and 0.60).  I compiled and installed
> unixODBC first, then the freeTDS, then recompiled freeRadius.  The database
> exists.
>
> This is in my /usr/local/etc/odbc.ini:
> [sqlserver]
> Driver  = TDS
> Descripttion = SQL Server
> Trace = Yes
> Servername = 192.168.0.4
> Database = wific
>
> This is in my /usr/local/etc/odbcinst.ini:
> [TDS]
> Description = SQL 2000 Database
> Driver  = /usr/local/lib/libtdsodbc.so
> FileUsage   = 1
>
> In mssql.conf the database type is declared as driver = "rlm_sql_unixodbc"
> In radiusd.conf the following line chooses mssql.
>
> # For MS-SQL, use ${confdir}/mssql.conf
> $INCLUDE  ${confdir}/mssql.conf
>
>
>
> 
>
> Any assistance or pointers greatly appreciated.  Thanks for your time.
> GT
>
>
>





(So close I can taste it...) freeradius & mssql2000

2002-11-06 Thread Glynn Taylor

1. Do we have to specify a port number to connect to a MS SQL database?  (If
so where, I can't find where to put one in MSSQL.conf)

2. Is it true that unixODBC does not work on its own and still requires
freeTDS?

First I got freeRadius working with text files.  So far so good.  The move
to SQL has not yet worked.  The user is hsvpnws, the database is wific.  The
database server is 192.168.0.126.

My Modules load, but my connection never makes it.

 sql: simul_verify_query = ""
rlm_sql ((null)): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded
and linked
rlm_sql ((null)): Attempting to connect to [EMAIL PROTECTED]:/wific
rlm_sql ((null)): starting 0
rlm_sql ((null)): Attempting to connect #0
rlm_sql_unixodbc: Connection failed
rlm_sql ((null)): Failed to connect DB handle #0
rlm_sql ((null)): starting 1
rlm_sql ((null)): starting 2
rlm_sql ((null)): starting 3
rlm_sql ((null)): starting 4
Module: Instantiated sql (sql)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.

At the top of the raddb trace (third line down here) there is a blank port
directive, but I can't find where to enter it in mssql.conf:

Module: Loaded SQL
 sql: driver = "rlm_sql_unixodbc"
 sql: server = "192.168.0.126"
 sql: port = ""
 sql: login = "hsvpnws"
 sql: password = "eagles99"
 sql: radius_db = "wific"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace = no
 sql: sqltracefile = "/var/log/radius/sqltrace.sql"
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{hsvpnws}"

I'm running the latest snapshot of freeRadius and freeTDS.  (but the
symptoms are the same with 0.7.1 and 0.60).  I compiled and installed
unixODBC first, then the freeTDS, then recompiled freeRadius.  The database
exists.

This is in my /usr/local/etc/odbc.ini:
[sqlserver]
Driver  = TDS
Descripttion = SQL Server
Trace = Yes
Servername = 192.168.0.4
Database = wific

This is in my /usr/local/etc/odbcinst.ini:
[TDS]
Description = SQL 2000 Database
Driver  = /usr/local/lib/libtdsodbc.so
FileUsage   = 1

In mssql.conf the database type is declared as driver = "rlm_sql_unixodbc"
In radiusd.conf the following line chooses mssql.

# For MS-SQL, use ${confdir}/mssql.conf
$INCLUDE  ${confdir}/mssql.conf





Any assistance or pointers greatly appreciated.  Thanks for your time.
GT






Re: more Kerberos fun

2002-11-06 Thread Brian Johnson
On Wed, 6 Nov 2002, Alan DeKok wrote:

> Brian Johnson <[EMAIL PROTECTED]> wrote:
> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type Kerberos
> > auth: type "Kerberos"
> > auth: Failed to validate the user.
> 
>   Yup.  The kerberos module returns helpful debugging messages,
> doesn't it?

Heh, yeah, it does seem to be a little vague 

> 
> > As always, I'm happy to provide any additional information.
> 
>   A patch to rlm_krb5, so that it takes any return error string/code
> from kerberos, and outputs debug information saying WHY it failed?

Hehe, sadly, at the moment I have no coding abilities and I know enough
about kerberos to be dangerous, so unfortunately I'm definitely the wrong
man for the job.  However, by the time this is said and done, I'll
probably be an expert in kerberos, and then, after I get my butt in gear
and start programming, I'll come back and it'll be the first thing I do
:).

Actually, there is a piece of information I can provide
(and probably should've said in my last post)... unfortunately I'm still
unable to find anything telling me what needs to be added to radiusd.conf
for krb5...I've tried a few guesses (nothing really more than adding krb5
and an open and closed curly bracket following under the 'modules'
section), but unfortunately my lame attempt didn't seem to do much
good.  Here's the information after I start the server:

radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: ignore_password = no
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 

No mention of krb in the module section at all.  If someone could point me
in the direction of something that tells what I need to put in
radiusd.conf, I think it'll definitely help, if not solve my problem.  

Thanks!

Brian





Re: more Kerberos fun

2002-11-06 Thread Alan DeKok
Brian Johnson <[EMAIL PROTECTED]> wrote:
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type Kerberos
> auth: type "Kerberos"
> auth: Failed to validate the user.

  Yup.  The kerberos module returns helpful debugging messages,
doesn't it?

> As always, I'm happy to provide any additional information.

  A patch to rlm_krb5, so that it takes any return error string/code
from kerberos, and outputs debug information saying WHY it failed?

  Alan DeKok.




Re: more Kerberos fun

2002-11-06 Thread Brian Johnson
On Wed, 6 Nov 2002, Alan DeKok wrote:

> Brian Johnson <[EMAIL PROTECTED]> wrote:
> > Here's the debugging info as requested.  In my users file, I added:
> > 
> > DEFAULT Auth-Type = Kerberos
> > Reply-Message = "Hello, Brian"
> 
>   Try 'Auth-Type := Kerberos', I think.

Ah, it does make a difference... I had tried it once with and once without
the ':' when troubleshooting before, and left it out when I was getting
debugging info.  Although I don't have the debugging info from my 0.7.1
server, I do remember it returning:

modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Kerberos
auth: type "Kerberos"
auth: Failed to validate the user.

after I made the change (the above is from the debugging info from the
latest snapshot, but should be similar, if not the same to what I saw from
0.7.1).

> 
> >   modcall[authorize]: module "files" returns notfound
> > modcall: group authorize returns ok
> > auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> 
>   Hmm...  can you try this using the latest CVS version?  I think
> there's a bugfix there which may help.

No problem.  With 

DEFAULT Auth-Type := Kerberos
Reply-Message = "Hello, Brian"

at the top of my users file and using the command "radtest mbjohn
[password] 152.3.2.153 0 testing123" on the remote client, here's the
debugging information from the latest snapshot:

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 152.16.0.183:1031, id=168, length=55
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
User-Name = "mbjohn"
User-Password = "[password]"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "0"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "mbjohn", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 4
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Kerberos
auth: type "Kerberos"
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 152.16.0.183:1031, id=168, length=55
Sending Access-Reject of id 168 to 152.16.0.183:1031
Reply-Message = "Hello, Brian"
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 168 with timestamp 3dc9706d
Nothing to do.  Sleeping until we see a request.

And on the remote client I got:

Sending Access-Request of id 168 to 152.3.2.153:1812
User-Name = "mbjohn"
User-Password = "\36286i\354\223~\202H\2663D\221\027X\344"
NAS-IP-Address = user-0-183.wireless.duke.edu
NAS-Port-Id = "0"
Re-sending Access-Request of id 168 to 152.3.2.153:1812
User-Name = "mbjohn"
User-Password = "\36286i\354\223~\202H\2663D\221\027X\344"
NAS-IP-Address = user-0-183.wireless.duke.edu
NAS-Port-Id = "0"
rad_recv: Access-Reject packet from host 152.3.2.153:1812, id=168, length=34
Reply-Message = "Hello, Brian"

These are also the results I got when I made the 'Auth-Type := ' change on
the 0.7.1 server and ran it from the remote client.

As always, I'm happy to provide any additional information.

Thanks!

Brian





Re: sql accounting and custom attributes

2002-11-06 Thread Hielke Christian Braun
Hi,

I am using that with a CVS version from September, but it worked with
all versions up to from 0.5

Regards,
 Christian.

On Wed, Nov 06, 2002 at 10:10:27PM +0200, Alexey Chetroi wrote:
>  Hello Christian,
>  I'd like to have that patches regarding converting of the
> cisco-avpair attributes, if it is possible. you may use
> this email.
> 
> -- 
> 
>   Best regards,
>   Alexey Chetroi
> 
> ---
> Smile... Tomorrow will be worse.   (c) Murphy's law

--- freeradius-0.7.1/src/modules/rlm_preprocess/rlm_preprocess.cWed Sep 11 
06:49:12 2002
+++ freeradius-snapshot-20020923/src/modules/rlm_preprocess/rlm_preprocess.cMon 
+Sep 23 21:57:06 2002
@@ -115,51 +115,52 @@
char*ptr;
charnewattr[MAX_STRING_LEN];
 
-for ( ; vp != NULL; vp = vp->next) {
-vendorcode = (vp->attribute >> 16); /* HACK! */
-if (vendorcode == 0) continue;  /* ignore non-VSA attributes */
-
-vendorpec  = dict_vendorpec(vendorcode);
-if (vendorpec == 0) continue; /* ignore unknown VSA's */
-
-if (vendorpec != 9) continue; /* not a Cisco VSA, continue */
-
-/* no = seperator in value */
-if ((ptr = strchr(vp->strvalue, '=')) == NULL) continue;
-
-/* ugly sip-hdr hack */
-if ((strncmp(vp->strvalue,"sip-hdr=",8) == 0) && 
(strchr(vp->strvalue, ':') != NULL)) {
-DEBUG2("cisco_vsa_hack: found sip_hdr %s", vp->strvalue);
-*ptr = '-';
-ptr = strchr(vp->strvalue, ':');
-*ptr = '=';
-DEBUG("cisco_vsa_hack: rewrote %s", vp->strvalue);
-}
-
-/* Cisco-AVPair
- * We take the lvalue look it up in the dictionary and
- * when found overwrite the attribute of Cisco-AVPair with it.
- */
-if ((vp->attribute & 0x) == 1) {
-strNcpy(newattr, vp->strvalue, vp->length - strlen(ptr) + 1 );
-DEBUG2("cisco_vsa_hack: attr : %s to %s",vp->strvalue, 
da->name);
-if (( da = dict_attrbyname((char *)newattr) ) == NULL )
-continue;
-vp->attribute = da->attr;
-DEBUG2("cisco_vsa_hack: attr : %s found in dictionary", 
da->name);
-}
-
-/*
- *  We strip out the duplicity from the value field,
- *  we use only the value on the right side of
- *  = character.
- */
-strNcpy(newattr, ptr + 1, sizeof(newattr));
-DEBUG2("cisco_vsa_hack: value: %s to %s",(char *)vp->strvalue,(char 
*) newattr);
-strNcpy((char *)vp->strvalue, newattr,
-sizeof(vp->strvalue));
-vp->length = strlen((char *)vp->strvalue);
-}
+
+   for ( ; vp != NULL; vp = vp->next) {
+   vendorcode = (vp->attribute >> 16); /* HACK! */
+   if (vendorcode == 0) continue;  /* ignore non-VSA attributes */
+
+   vendorpec  = dict_vendorpec(vendorcode);
+   if (vendorpec == 0) continue; /* ignore unknown VSA's */
+
+   if (vendorpec != 9) continue; /* not a Cisco VSA, continue */
+
+   /* no = seperator in value */
+   if ((ptr = strchr(vp->strvalue, '=')) == NULL) continue; 
+
+   /* ugly sip-hdr hack */
+   if ((strncmp(vp->strvalue,"sip-hdr=",8) == 0) && (strchr(vp->strvalue, 
+':') != NULL)) {
+   DEBUG2("cisco_vsa_hack: found sip_hdr %s", vp->strvalue);
+   *ptr = '-';
+   ptr = strchr(vp->strvalue, ':');
+   *ptr = '=';
+   DEBUG("cisco_vsa_hack: rewrote %s", vp->strvalue);
+   }
+
+   /* Cisco-AVPair 
+* We take the lvalue look it up in the dictionary and
+* when found overwrite the attribute of Cisco-AVPair with it.
+*/
+   if ((vp->attribute & 0x) == 1) { 
+   strNcpy(newattr, vp->strvalue, vp->length - strlen(ptr) + 1 );
+   DEBUG2("cisco_vsa_hack: attr : %s to %s",vp->strvalue, 
+newattr);
+   if (( da = dict_attrbyname((char *)newattr) ) == NULL )
+   continue;
+   vp->attribute = da->attr;
+   DEBUG2("cisco_vsa_hack: attr : %s found in dictionary", 
+da->name);
+   }
+   
+   /*
+*  We strip out the duplicity from the value field,
+*  we use only the value on the right side of 
+*  = character.
+*/
+   strNcpy(newattr, ptr + 1, siz
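
Review bot: In the Cisco-AVPair branch the first copy, "strNcpy(newattr, vp->strvalue, vp->length - strlen(ptr) + 1 )", takes its size from the attribute (vp->length mixed with strlen) rather than from the destination, while newattr is a fixed MAX_STRING_LEN buffer filled from a value that arrives in the request. Clamp that size to sizeof(newattr), as the removed lines do for the later copy ("strNcpy(newattr, ptr + 1, sizeof(newattr))"), so the bound does not depend on vp->length and the NUL position agreeing. Separately, the hunk re-indents the whole loop, which hides the one functional change (the first DEBUG2 now prints newattr instead of reading da->name before da is assigned); sending the whitespace change as its own patch would make that fix reviewable.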

Re: Install FreeRadius on Redhat 7.3

2002-11-06 Thread Daniel Monjar
check your firewall settings...

--On Wednesday, November 06, 2002 12:02 PM -0800 "Ynjiun P. Wang" 
<[EMAIL PROTECTED]> wrote:

Hi,

	I was able to install freeradius on Redhat 7.3 and run "radiusd -X"
successfully. The "Ready to process requests." string did show up. But
when I start running "radtest bob bob localhost 0 testing123" There is no
response from Radius. I did check /etc/services and the port was right
1812. I did add bob user account with password bob in the
/etc/raddb/users. I did check both clients and clients.conf have
localhost with shared secret testing123. Am I missing something? I do
notice for every service in Redhat 7.3, it has a file under
/etc/xinetd.d. Do I need to set up a radius file under /etc/xinetd.d and
enable the service? or just simply run "radius -X" in a window? Please
advise. Thanks.

-Ynjiun






--
Daniel Monjar
IS Manager, Technical Services
bioMérieux, Inc.
Durham, NC US





Install FreeRadius on Redhat 7.3

2002-11-06 Thread Ynjiun P. Wang
Hi,

I was able to install freeradius on Redhat 7.3 and run "radiusd -X"
successfully. The "Ready to process requests." string did show up. But
when I start running "radtest bob bob localhost 0 testing123" There is no
response from Radius. I did check /etc/services and the port was right
1812. I did add bob user account with password bob in the
/etc/raddb/users. I did check both clients and clients.conf have
localhost with shared secret testing123. Am I missing something? I do
notice for every service in Redhat 7.3, it has a file under
/etc/xinetd.d. Do I need to set up a radius file under /etc/xinetd.d and
enable the service? or just simply run "radius -X" in a window? Please
advise. Thanks.

-Ynjiun





Re: sql accounting and custom attributes

2002-11-06 Thread Hielke Christian Braun
Hello Thomas,

On Wed, Nov 06, 2002 at 09:15:30AM +0100, Thomas Jalsovsky wrote:
> 
> On Wed, 6 Nov 2002, Alexey Chetroi wrote:
> 
> >  Is it possible to rewrite attribute names eg in preprocess module,
> > like cisco_vsa_hack. eg to convert from:
> >
> > Cisco-AVPair = "nas-rx-speed=31200"
> > to
> > nas-rx-speed=31200
> 

This is exactly what I am doing. I can send you the patch for it, if you
like.

Regards,
 Christian.




Re: PAM-Radius

2002-11-06 Thread Alan DeKok
"Ricardo Gadea" <[EMAIL PROTECTED]> wrote:
> Do any of you know if the PAM-Radius module can be used with any compliant
> Radius server, or it only works with freeradius?

  It works with any RADIUS server.

> In the second case, can I configure Freeradius as a proxy and redirect the
> authentication to another generic Radius server?

  Yes.

  Alan DeKok.




MySQL-Proxy-Exec-Program-Wait

2002-11-06 Thread Mike Dain
I'm using my server for both local authentication and proxy to another
server.  I'm using MySQL for authentication/accounting.  I have all of the
realms/secrets/etc. setup in the proxy.conf file, and everything seems to
work ok.  Accounting shows up in the radacct table for all of it.

Now I'm trying to add in an Exec-Program-Wait script.  I don't care if it
only runs for proxy users or if it runs for everyone, I just need to add in
that attribute/value (Exec-Program-Wait/scriptname) to everyone that logs
in.  Can someone tell me how to add in attributes that affect all users?

The server doesn't use the "users" file or system at all (it only
authenticates using SQL).

Any help would be greatly appreciated.

Thanks,
Mike





freeradius & mssql2000

2002-11-06 Thread Christian Schmit

I installed freeradius along with freetds and unixodbc
on RH8 to be able to send accounting records to a
MSSQL database.

Radius starts fine and connects to mssql but I get
the following errors when radius is trying to
update/insert the mssql database for accounting records:

rlm_sql: Couldn't insert SQL accounting STOP record - 0
OR
rlm_sql: Couldn't update SQL accounting for START packet - 0


extract of debugging output:
--

 sql: connect_failure_retry_delay = 60
 sql: simul_count_query = ""
 sql: simul_verify_query = ""
 sql: simul_zap_query = ""
rlm_sql: Driver rlm_sql_unixodbc loaded and linked
rlm_sql: Attempting to connect to freeradius@MSSQL-6:/freeradius
rlm_sql: starting 0
rlm_sql:  Attempting to connect #0
rlm_sql:  Connected new DB handle, #0
rlm_sql: starting 1
rlm_sql:  Attempting to connect #1
rlm_sql:  Connected new DB handle, #1



modcall: entering group preacct
  modcall[preacct]: module "preprocess" returns noop
rlm_realm: Looking up realm NULL for User-Name = "dme"
rlm_realm: No such realm NULL
  modcall[preacct]: module "suffix" returns noop
  modcall[preacct]: module "files" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
radius_xlat:  'dme'
sql_set_user:  escaped user --> 'dme'
radius_xlat:  'UPDATE radacct SET AcctStopTime = '2002-11-06 18:44:40', 
AcctSessionTime = '127', AcctInputOctets = '2320', AcctOutputOctets = '157339', 
AcctTerminateCause = 'User-Request', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE 
AcctSessionId = '7400315D' AND UserName = 'dme' AND NASIPAddress = '212.24.192.4' AND 
AcctStopTime = 0'
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, 
NASIPAddress, NASPort, NASPortType, AcctStopTime, AcctSessionTime, AcctAuthentic, 
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, 
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, 
FramedIPAddress, AcctStartDelay, AcctStopDelay) values('7400315D', '', 'dme', '', 
'212.24.192.4', '34', 'ISDN', '2002-11-06 18:44:40', '127', 'RADIUS', '', '', '2320', 
'157339', '', '', 'User-Request', 'Framed-User', 'PPP', '212.24.192.101', '0', '0')'
rlm_sql_unixodbc: '0 ' 
rlm_sql: Couldn't insert SQL accounting STOP record - 0 
rlm_sql: Released sql socket id: 4
  modcall[accounting]: module "sql" returns ok
radius_xlat:  '/usr/local/var/log/radius/radacct/212.24.192.4/detail'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail expands to 
/usr/local/var/log/radius/radacct/212.24.192.4/detail
  modcall[accounting]: module "detail" returns ok
  modcall[accounting]: module "unix" returns ok
radius_xlat:  'dme'
Accounting: logout: entry for NAS 212.24.192.4 port 34 has wrong ID
  modcall[accounting]: module "radutmp" returns ok
modcall: group accounting returns ok
Sending Accounting-Response of id 175 to 212.24.192.4:1118
Finished request 0
Going to the next request
==


Does anybody know a solution to this problem?

thanks,
Christian





PAM-Radius

2002-11-06 Thread Ricardo Gadea
Hi, 

Do any of you know if the PAM-Radius module can be used with any compliant Radius 
server, or does it only work with freeradius?
In the second case, can I configure Freeradius as a proxy and redirect the 
authentication to another generic Radius server?

Thanks in advance,
Ricardo





Re: Simultaneous-User Questions

2002-11-06 Thread Alan DeKok
WA Support <[EMAIL PROTECTED]> wrote:
> Thank you for your suggestions.  However, no one has responded to why I
> don't see any debugging traffic coming from checkrad.  Is it not being
> called?

  Did you read my previous message, where I told you how to find out
the answer?

  I don't understand why you're refusing to do any work to find out
the answer for yourself.  I don't know what's going on in your
server.  YOU can find out by running it in debugging mode.


  I've said that until I'm sick of saying it, and still you refuse to
follow simple instructions.

  Go away.

  Alan DeKok.




Re: Simultaneous-User Questions

2002-11-06 Thread WA Support
Hello,

Thank you for your suggestions.  However, no one has responded to why I
don't see any debugging traffic coming from checkrad.  Is it not being
called?

Murrah Boswell

Alan DeKok wrote:
> 
> WA Support <[EMAIL PROTECTED]> wrote:
> > I will look at running freeradius in debug mode, but I would rather set
> > debug flags in checkrad.
> 
>   Most of your questions about what happens, and when it happens, can
> be answered by running the server in debugging mode, and reading the
> output.
> 
> > > Have you looked into using realms?
> >
> > I read this in the duplicate-users documentation:
> >
> > "Now, about now, many of you are thinking, "what about realms?"
> > Well, realms are great, but, in general, it will require the end
> > user to add "@domain.com", which is a pain. It means ISP A has to
> > call 375 people and tell them to add that to their login name."
> >
> > and decided against realms, since I would have to notify a few thousand
> > people.
> 
>   With the attr_rewrite module, it should be possible to have the
> server re-write the usernames for them.
> 
>   Alan DeKok.
> 



Re: Simultaneous-User Questions

2002-11-06 Thread Alan DeKok
WA Support <[EMAIL PROTECTED]> wrote:
> I will look at running freeradius in debug mode, but I would rather set
> debug flags in checkrad.  

  Most of your questions about what happens, and when it happens, can
be answered by running the server in debugging mode, and reading the
output.

> > Have you looked into using realms?
> 
> I read this in the duplicate-users documentation:
> 
> "Now, about now, many of you are thinking, "what about realms?"
> Well, realms are great, but, in general, it will require the end
> user to add "@domain.com", which is a pain. It means ISP A has to
> call 375 people and tell them to add that to their login name."
> 
> and decided against realms, since I would have to notify a few thousand
> people.

  With the attr_rewrite module, it should be possible to have the
server re-write the usernames for them.

  Alan DeKok.




Re: Simultaneous-User Questions

2002-11-06 Thread WA Support
Hello,



> Run the radius server in debugging mode (-x) and see what the NAS actually
> sends to the server when a person tries to authenticate.  That will show you
> the data you can use in the users file to help determine where packets get
> proxied.  I believe the Called-Station-Id is sent only in accounting packets,
> which is sent after successful authentication.
> 

My understanding is that freeradius first checks radutmp and if it sees
a user logged on with the same username as one attempting to log on, it
calls checkrad to query the NAS.  This from the documentation on
Simultaneous-Use:

"...Only when someone tries to login who _already_ has an active
session according to the radutmp file, the server executes the perl
script /usr/local/sbin/checkrad (or /usr/sbin/checkrad, it checks for
the presence of both and in that order). This script queries the
terminal server to see if the user indeed already has an active session."

Now, it makes sense to me that this checking would be done before the
authentication process, since it is the more efficient path.  However, I
am not familiar with the logic flow of freeradius, so I do not know this
for certain.

If it does check radutmp, and call checkrad when necessary, before
authentication, then it has access to the Called-Station-Id, since this
is available in the requesting packet from the new user.  It also has
access to the Called-Station-Id for all users currently logged on, since
the NAS keeps record of this in a table.  At least my NAS does, since
this is how they know which modem bank to assign my customers to.

So, I am fairly certain that both the username and Called-Station-Id are
available when/if checkrad is called.  Since this is written in perl, it
would be the most logical place to start working on a fix; i.e., would
require recompiles of radiusd.c.

However, I can not see any traffic coming out of the checkrad script, it
doesn't seem to be writing to checkrad.log.  Does freeradius-0.7.1, in
fact, call the perl script checkrad?  I did find where checkrad is
called from the session.c module, so I know that the thought is in the
code, but it doesn't seem to get triggered.  However, I also see in my
radius.log that certain sessions are being flagged as 'Multiple logins,'
so I know something is catching them, but I don't know what.  Do you?

I will look at running freeradius in debug mode, but I would rather set
debug flags in checkrad.  

> Have you looked into using realms?

I read this in the duplicate-users documentation:

"Now, about now, many of you are thinking, "what about realms?"
Well, realms are great, but, in general, it will require the end
user to add "@domain.com", which is a pain. It means ISP A has to
call 375 people and tell them to add that to their login name."

and decided against realms, since I would have to notify a few thousand
people.


Thanks,

Murrah Boswell

> 
> Kevin Bonner
> 



Re: more Kerberos fun

2002-11-06 Thread Alan DeKok
Brian Johnson <[EMAIL PROTECTED]> wrote:
> Here's the debugging info as requested.  In my users file, I added:
> 
> DEFAULT Auth-Type = Kerberos
> Reply-Message = "Hello, Brian"

  Try 'Auth-Type := Kerberos', I think.

>   modcall[authorize]: module "files" returns notfound
> modcall: group authorize returns ok
> auth: No authenticate method (Auth-Type) configuration found for the request: 
> Rejecting the user

  Hmm...  can you try this using the latest CVS version?  I think
there's a bugfix there which may help.

  Alan DeKok.




RE: How to get "dh_file" and "random_file"?

2002-11-06 Thread Gene Parks
Random is not available for Solaris 8 except as an add-on.  Just an FYI.

There is a way around it. 

Gene Parks
VIP Direct

-Original Message-
From: Artur Hecker [mailto:hecker@;enst.fr] 
Sent: Wednesday, November 06, 2002 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: How to get "dh_file" and "random_file"?


ok, thank you very much

you probably already know my opinion:
random: copy from the /dev/random
dh: from the openssl distribution directories...


ciao
artur



McKay, Raymond wrote:
>> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
>
>> raymond, did you add it?
>
>> ciao
>
>> artur
>
> I have put some blurbage in on the random and DH file but before I put 
> any full instruction set in, I would like to hear the general 
> consensus on generating those files.  There seems to be numerous 
> methods of generating the files so for the sake of ease of use, it 
> might be a good idea to come up with a universally accepted method.  
> Suggestions anyone?


-- 
Artur Hecker                Groupe Accès et Mobilité
hecker[at]enst[dot]fr       Département Informatique et Réseaux
+33 1 45 81 7507            46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris





Re: How to get "dh_file" and "random_file"?

2002-11-06 Thread Artur Hecker
ok, thank you very much

you probably already know my opinion:
random: copy from the /dev/random
dh: from the openssl distribution directories...


ciao
artur



McKay, Raymond wrote:
>> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
>
>> raymond, did you add it?
>
>> ciao
>
>> artur
>
> I have put some blurbage in on the random and DH file but before I put any
> full instruction set in, I would like to hear the general consensus on
> generating those files.  There seems to be numerous methods of generating
> the files so for the sake of ease of use, it might be a good idea to come up
> with a universally accepted method.  Suggestions anyone?



--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris




Re: more Kerberos fun

2002-11-06 Thread Brian Johnson
On Tue, 5 Nov 2002, Alan DeKok wrote:
 
>   So run the server in debugging mode, as it suggests in the README,
> the documentation, and in the FAQ.
> 

I'll start here with an apology to the list.  This was inexcusable on my
part.  Thanks for going easy.

Here's the debugging info as requested.  In my users file, I added:

DEFAULT Auth-Type = Kerberos
Reply-Message = "Hello, Brian"

to the top.  clients.conf has the proper information for localhost, so I
ran "radtest mbjohn [password] localhost 0 testing123".  Below is what I
got from debugging on the server.  I'm not sure what's needed, and it's
rather verbose using the -xx option, so for brevity, I'm just posting from
the "Listening on IP address..." part.  I'll be happy to provide anything
before, if needed.

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:1032, id=111, length=55
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
User-Name = "mbjohn"
User-Password = "(t\342uf\275H4\351_\350\321\023\224\230\367"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "0"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "mbjohn"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
  modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:1032, id=111, length=55
Sending Access-Reject of id 111 to 127.0.0.1:1032
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 111 with timestamp 3dc92509
Nothing to do.  Sleeping until we see a request.
MASTER: exit on signal (2)

I then added the appropriate info for a remote client in clients.conf, ran
"radtest mbjohn [password] 152.3.2.153 0 testing123" and got this
debugging information from the server:

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 152.16.0.183:1031, id=64, length=55
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
User-Name = "mbjohn"
User-Password = "'\322\220\221\356P\3505M\355\221\3104\305\316\355"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "0"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "mbjohn"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
  modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 152.16.0.183:1031, id=64, length=55
Sending Access-Reject of id 64 to 152.16.0.183:1031
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 64 with timestamp 3dc925b2
Nothing to do.  Sleeping until we see a request.
MASTER: exit on signal (2)

And this is what I got on the client side (which is nearly identical to
what I got on localhost, which is why it wasn't posted above.  Imagine
%s/152.3.2.153/127.0.0.1/g and %s/user-0-183.wireless.duke.edu/hythloth/g, 
if you will, everything else is identical):

Sending Access-Request of id 195 to 152.3.2.153:1812
User-Name = "mbjohn"
User-Password = "\212\215\033s\220\361]\237\267\2760pc\016\206"
NAS-IP-Address = user-0-183.wireless.duke.edu
NAS-Port-Id = "0"
Re-sending Access-Request of id 195 to 152.3.2.153:1812
User-Name = "mbjohn"
User-Password = "\212\215\033s\220\361]\237\267\2760pc\016\206"
 

RE: How to get "dh_file" and "random_file"?

2002-11-06 Thread McKay, Raymond

> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

> raymond, did you add it?


> ciao

> artur

I have put some blurbage in on the random and DH file but before I put any
full instruction set in, I would like to hear the general consensus on
generating those files.  There seems to be numerous methods of generating
the files so for the sake of ease of use, it might be a good idea to come up
with a universally accepted method.  Suggestions anyone?


Raymond McKay
IT Manager / Network Administrator
Funnybone Interactive
Vivendi Universal Games





Re: How to get "dh_file" and "random_file"?

2002-11-06 Thread Artur Hecker
it should be (added) in


http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

raymond, did you add it?


ciao

artur



James Xie wrote:
> Hi,
> In radius.conf file, two files (dh_file and random_file) are needed. Who can tell me
> the usage of these two files and how to get these two files?
> Thanks!


-- 
Artur Hecker                Groupe Accès et Mobilité
hecker[at]enst[dot]fr       Département Informatique et Réseaux
+33 1 45 81 7507            46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris





RE: solaris/sparc & Forte

2002-11-06 Thread Gene Parks
An RPM of what?  Freeradius?

Gene

-Original Message-
From: Peter Nixon [mailto:listuser@;peternixon.net] 
Sent: Tuesday, November 05, 2002 4:57 AM
To: [EMAIL PROTECTED]
Subject: Re: solaris/sparc & Forte


On Mon, 4 Nov 2002 20:07:46 -0500
"Gene Parks" <[EMAIL PROTECTED]> wrote:

> I had a similar problem when I ran make on my Solaris 8 box but I 
> decided to take another route.  I installed SUSE 7.3 for SPARC and 
> everything is working great now.
> 
> Gene Parks
> VIP Direct

Finally! Another SuSE user on the list! Any luck with getting an rpm
build to work yet?

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




RE: creating ldap module with Solaris 9.

2002-11-06 Thread Gene Parks
Install openldap-2x and run the ./configure, make, make install. You do
not have to use Openldap; you just need the libraries at compile time.  We
run it here with Iplanet 5.1 and everything works great.

Gene Parks
VIP Direct

-Original Message-
From: Randall Badilla [mailto:rbadilla@;cesa.co.cr] 
Sent: Tuesday, November 05, 2002 9:55 AM
To: [EMAIL PROTECTED]
Subject: creating ldap module with Solaris 9.


Hi all:
I have recently downloaded the 0.7.1 version of freeradius, to be used
with a LDAP server built on solaris 9 with SunOne (netscape) directory
server 5.X. My problem is with the call of libraries: although I have
ber_decode and other commands/headers in the ldap library -lldap, the
configure of that module insists on calling -llber; can anybody tell me if I
can work around this and how? Copying libraries and renaming?

Thanks







proxy.conf newbie question

2002-11-06 Thread Alexey Chetroi
 Hello All,

Is the Realm attribute set, if authhost/accthost = LOCAL 
in the proxy.conf file?


-- 

  Best regards,
  Alexey Chetroi

---
Smile... Tomorrow will be worse.   (c) Murphy's law




How to get "dh_file" and "random_file"?

2002-11-06 Thread James Xie
Hi,
In radius.conf file, two files (dh_file and random_file) are needed. Who can tell me 
the usage of these two files and how to get these two files?
Thanks!


Re: sql accounting and custom attributes

2002-11-06 Thread Alexey Chetroi
On Wed, Nov 06, 2002 at 09:15:30AM +0100, Thomas Jalsovsky wrote:
> > > >  doc/variables.txt mentions that you can use %{Attribute-Name},
> > > > but what if there are several attributes with the same name,
> > > > eg Cisco-AVpair?
> > >
> > >   The server doesn't handle that right now.
> > >
> > > >  I just want to log ras-tx-speed and ras-rx-speed attributes
> > > > from the cisco in sql table. Is there any trick?
> > >
> > >   That's an even more difficult problem.  You don't know the order of
> > > the attributes, so you want to log Cisco-AVpair attributes which
> > > contain certain values.
> > >
> > >   Your best bet right now is to use some kind of external program to
> > > do the work, or to write a module to pull the information you want out
> > > of the attributes.
> >
> >  Is it possible to rewrite attribute names eg in preprocess module,
> > like cisco_vsa_hack. eg to convert from:
> >
> > Cisco-AVPair = "nas-rx-speed=31200"
> > to
> > nas-rx-speed=31200
> 
> This is not possible while there are many Cisco-AVPair AV-Pairs e.g.
>  Cisco-AVPair = "nas-rx-speed=31200"
>  Cisco-AVPair = "nas-tx-speed=31200"
> preprocess doesn't know how to rewrite this to nas-rx-speed=31200
> The cisco_vsa_hack can rewrite only pairs with type:
> h323-connect-time = "h323-connect-time=."
> 
 I know, that requires patches to source code, or another preprocess module.
Perhaps I should move to developers list :)

-- 

  Best regards,
  Alexey Chetroi

---
Smile... Tomorrow will be worse.   (c) Murphy's law




Re: sql accounting and custom attributes

2002-11-06 Thread Thomas Jalsovsky

On Wed, 6 Nov 2002, Alexey Chetroi wrote:

> On Tue, Nov 05, 2002 at 10:49:12AM -0500, Alan DeKok wrote:
> > >  doc/variables.txt mentions that you can use %{Attribute-Name},
> > > but what if there are several attributes with the same name,
> > > eg Cisco-AVpair?
> >
> >   The server doesn't handle that right now.
> >
> > >  I just want to log ras-tx-speed and ras-rx-speed attributes
> > > from the cisco in sql table. Is there any trick?
> >
> >   That's an even more difficult problem.  You don't know the order of
> > the attributes, so you want to log Cisco-AVpair attributes which
> > contain certain values.
> >
> >   Your best bet right now is to use some kind of external program to
> > do the work, or to write a module to pull the information you want out
> > of the attributes.
>
>  Is it possible to rewrite attribute names eg in preprocess module,
> like cisco_vsa_hack. eg to convert from:
>
> Cisco-AVPair = "nas-rx-speed=31200"
> to
> nas-rx-speed=31200

This is not possible while there are many Cisco-AVPair AV-Pairs e.g.
 Cisco-AVPair = "nas-rx-speed=31200"
 Cisco-AVPair = "nas-tx-speed=31200"
preprocess doesn't know how to rewrite this to nas-rx-speed=31200
The cisco_vsa_hack can rewrite only pairs with type:
h323-connect-time = "h323-connect-time=."

Thomas





Re: sql accounting and custom attributes

2002-11-06 Thread Alexey Chetroi
On Tue, Nov 05, 2002 at 10:49:12AM -0500, Alan DeKok wrote:
> >  doc/variables.txt mentions that you can use %{Attribute-Name}, 
> > but what if there are several attributes with the same name,
> > eg Cisco-AVpair?
> 
>   The server doesn't handle that right now.
> 
> >  I just want to log ras-tx-speed and ras-rx-speed attributes
> > from the cisco in sql table. Is there any trick?
> 
>   That's an even more difficult problem.  You don't know the order of
> the attributes, so you want to log Cisco-AVpair attributes which
> contain certain values.
> 
>   Your best bet right now is to use some kind of external program to
> do the work, or to write a module to pull the information you want out
> of the attributes.

 Is it possible to rewrite attribute names eg in preprocess module,
like cisco_vsa_hack. eg to convert from: 

Cisco-AVPair = "nas-rx-speed=31200"
to
nas-rx-speed=31200

-- 

  Best regards,
  Alexey Chetroi

---
Smile... Tomorrow will be worse.   (c) Murphy's law

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
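
The "external program" route suggested in this thread, for pulling nas-rx-speed and nas-tx-speed out of several Cisco-AVPair attributes whose order is unknown, could look like the sketch below. It is an added example, not code from the thread or from FreeRADIUS; the record layout, the speed_log table, its column names and all function names are assumptions, and the sample record is constructed.

```python
import re
import sqlite3

# Constructed sample accounting record in "Attribute = value" form, with
# several Cisco-AVPair attributes in arbitrary order (not real NAS output).
SAMPLE_RECORD = '''\
Wed Nov  6 18:44:40 2002
    User-Name = "dme"
    Acct-Session-Id = "7400315D"
    NAS-IP-Address = 212.24.192.4
    Cisco-AVPair = "nas-tx-speed=33600"
    Cisco-AVPair = "connect-progress=LAN Ses Up"
    Cisco-AVPair = "nas-rx-speed=31200"
    Acct-Status-Type = Stop
'''

ATTR_LINE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')
WANTED = ("nas-rx-speed", "nas-tx-speed")


def parse_record(text):
    """Return (attrs, avpairs): the ordinary attributes, and the key=value
    pairs carried inside every Cisco-AVPair attribute, keyed by name."""
    attrs, avpairs = {}, {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue  # timestamp header or blank line
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name.lower() == "cisco-avpair":
            # Order does not matter: each pair is filed under its own key.
            key, sep, val = value.partition("=")
            if sep:
                avpairs[key.strip().lower()] = val.strip()
        else:
            attrs[name] = value
    return attrs, avpairs


def extract_speeds(avpairs):
    """Return {name: int} for the wanted pairs. Values that are not plain
    decimal numbers are dropped instead of being passed to the database."""
    speeds = {}
    for key in WANTED:
        val = avpairs.get(key)
        if val is not None and re.fullmatch(r"[0-9]+", val):
            speeds[key] = int(val)
    return speeds


def log_speeds(db, record_text):
    """Parse one record and store its speeds with a parameterized INSERT,
    so NAS-supplied strings never become part of the SQL text."""
    attrs, avpairs = parse_record(record_text)
    speeds = extract_speeds(avpairs)
    db.execute(
        "INSERT INTO speed_log (AcctSessionId, UserName, RxSpeed, TxSpeed) "
        "VALUES (?, ?, ?, ?)",
        (attrs.get("Acct-Session-Id"), attrs.get("User-Name"),
         speeds.get("nas-rx-speed"), speeds.get("nas-tx-speed")),
    )
    return speeds


def demo():
    """Run the sample record through an in-memory table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE speed_log (AcctSessionId TEXT, UserName TEXT, "
               "RxSpeed INTEGER, TxSpeed INTEGER)")
    log_speeds(db, SAMPLE_RECORD)
    return db.execute("SELECT * FROM speed_log").fetchall()


if __name__ == "__main__":
    print(demo())
```
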