Re: Max-Daily-Session and counter module

2002-12-09 Thread oz

Oliver Zimmermann wrote:


I have a problem understanding how the counter module works. Let's say I want to provide a Maximum Daily Session limit of 3600 seconds for a user on freeradius-0.7. Is the following scenario right? (sorry I can't test it for the moment):

users file:
--
DEFAULT Max-Daily-Session = 3600
        Fall-Through = 1

John_D  Password = FZ768wRll, NAS-IP-Address = 214.32.39.2, Simultaneous-Use = 1
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Idle-Timeout = 3600,
        Port-Limit = 1
...


Hi, I tested this setup now with a Max-Daily-Session = 3, to provoke a
reject - but I still get Login OK.

In the logs I saw "rlm_counter: Could not find Check item value pair"
and "modcall[accounting]: module counter returns noop", which I cannot
interpret. Irritating for me is the line "rlm_counter: Counter
attribute Daily-Session-Time is number 1063" because it has this value
in every session. Please take a look at the session log, thanks in advance:

starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = root
 main: group = root
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded Counter
 counter: filename = /usr/local/etc/raddb/db.counter
 counter: key = User-Name
 counter: reset = daily
 counter: count-attribute = Acct-Session-Time
 counter: counter-name = Daily-Session-Time
 counter: check-name = Max-Daily-Session
 counter: allowed-servicetype = Framed-User
 counter: cache-size = 5000
rlm_counter: Counter attribute Daily-Session-Time is number 1063
rlm_counter: Current Time: 1039422801, Next reset 1039474800
Module: Instantiated counter (counter)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: compat = cistron
  auth_type_fixup: Auth-Type [1000]
  auth_type_fixup: Password [2]
  auth_type_fixup: NAS-IP-Address [4]
  auth_type_fixup: Simultaneous-Use [1034]
  auth_type_fixup: Auth-Type [1000]
  auth_type_fixup: Password [2]
  auth_type_fixup: Simultaneous-Use [1034]
  auth_type_fixup: Auth-Type [1000]
  auth_type_fixup: Password [2]
  auth_type_fixup: NAS-IP-Address [4]
  auth_type_fixup: Simultaneous-Use [1034]
[/usr/local/etc/raddb/users]:4 Cistron compatibility checks for entry 
DEFAULT ...
?Changing 'Max-Daily-Session =' to 'Max-Daily-Session +='
[/usr/local/etc/raddb/users]:7 Cistron compatibility checks for entry 
U.Abdinghoff ...
?Changing 'Password =' to 'Password =='
?Changing 'NAS-IP-Address =' to 'NAS-IP-Address =='
?Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
[/usr/local/etc/raddb/users]:15 Cistron compatibility checks for entry 
helinet010 ...
?Changing 'Password =' to 'Password =='
?Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
[/usr/local/etc/raddb/users]:23 Cistron compatibility checks for entry 
schmidt.online ...
?Changing 'Password =' to 'Password =='
?Changing 'NAS-IP-Address =' to 'NAS-IP-Address =='
?Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
Module: Instantiated files (files)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 

Re: Just plain problems

2002-12-09 Thread Andrei Koulik
Hello,

You can list the contents of the db file with the command:

rlm_dbm_cat -f /usr/local/etc/raddb/users

or just some records with:

rlm_dbm_cat -f /usr/local/etc/raddb/users  elitest

Note: /usr/local/etc/raddb/users.db is your users database.

Please send me that output
and I will try to help you.

Friday, December 6, 2002, 4:26:50 PM, [EMAIL PROTECTED] wrote:

nmn Here's the facts:

nmn FreeRadius ver 0.8

nmn OS FreeBSD

nmn User name and password has been verified to be accurate.

nmn Trying to do test authentication from a Livingston PM4 (hey, it's what I 
nmn had laying around)

nmn Only one entry in the users file:

nmn DEFAULT Auth-Type := System, Simultaneous-Use := 1
nmn  Framed-IP-Address = 255.255.255.254,
nmn  Framed-MTU = 1500,
nmn  Service-Type = Framed-User,
nmn  Framed-Protocol = PPP,
nmn  Framed-Compression = Van-Jacobson-TCP-IP,
nmn  Framed-Routing = None

nmn Objective: If user is not defined in user file, have FreeRadius fall 
nmn through and use the system's authentication process.

nmn Here's the output from the debugging:

nmn Ready to process requests.
nmn rad_recv: Access-Request packet from host 208.187.24.17:1332, id=9, length=59
nmn  User-Name = elitest
nmn  User-Password = test
nmn  NAS-IP-Address = 208.187.24.17
nmn  NAS-Port = 99
nmn modcall: entering group authorize
nmn modcall[authorize]: module preprocess returns ok
nmn  rlm_realm: No '@' in User-Name = elitest, looking up realm NULL
nmn  rlm_realm: No such realm NULL
nmn modcall[authorize]: module suffix returns noop
nmn rlm_dbm: try open database file: /usr/local/etc/raddb/users
nmn rlm_dbm: Call parse_user:
nmn sm_parse_user.c: check for loops
nmn Add elitest to user list
nmn rlm_dbm: User elitest not foud in database
nmn Remove elitest from user list
nmn sm_parse_user.c: check for loops
nmn Add DEFAULT to user list
nmn rlm_dbm: User DEFAULT not foud in database
nmn Remove DEFAULT from user list
nmn modcall[authorize]: module dbm returns notfound
nmn modcall: group authorize returns ok
nmn auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
nmn auth: Failed to validate the user.
nmn Delaying request 0 for 1 seconds
nmn Finished request 0

nmn Can someone PLEASE help me?  I am probably doing something stupid, but 
nmn desperately need help.  I WILL EVEN PAY FOR SOMEONE WELL VERSED IN 
nmn FREERADIUS TO CONSULT ON THE PHONE.


nmn Thanks,
nmn Gary


nmn - 
nmn List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-- 
Andrei Koulik.
System administrator, Sandy Info Ltd. (ISP), Nizhny Novgorod, Russia





Re[2]: Just plain problems

2002-12-09 Thread Andrei Koulik
Hello,

Friday, December 6, 2002, 5:09:46 PM, Jason Lixfeld wrote:

JL Good morning Gary,

JL rlm_dbm: User DEFAULT not foud in database

JL looks to be the culprit.  I don't know offhand if the  characters are
JL put into the output and is only there as a delimiter or if that is
JL infact what is being passed to the dbm module.  If it's the former, I'm
JL at a loss, but if it's the latter then there may be something adding
JL those characters to the entry which the module can't match because of
JL course it doesn't actually exist.
 added on output to do visible whites at word ends.
actually records are stored and tested without  characters. They are
used in debug output only.  not used because hello
is more nice-looking than \hello\ in source code.


JL One thing I might be able to suggest is to remove the dbm module from
JL the equation and see if you can auth against a plain text users file.

JL If that works, then it's something with the dbm module, I'd suspect.

JL On Fri, 2002-12-06 at 08:26, [EMAIL PROTECTED] wrote:
 Here's the facts:
 
 FreeRadius ver 0.8
 
 OS FreeBSD
 
 User name and password has been verified to be accurate.
 
 Trying to do test authentication from a Livingston PM4 (hey, it's what I 
 had laying around)
 
 Only one entry in the users file:
 
 DEFAULT Auth-Type := System, Simultaneous-Use := 1
  Framed-IP-Address = 255.255.255.254,
  Framed-MTU = 1500,
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-Compression = Van-Jacobson-TCP-IP,
  Framed-Routing = None
 
 Objective: If user is not defined in user file, have FreeRadius fall 
 through and use the system's authentication process.
 
 Here's the output from the debugging:
 
 Ready to process requests.
 rad_recv: Access-Request packet from host 208.187.24.17:1332, id=9, length=59
  User-Name = elitest
  User-Password = test
  NAS-IP-Address = 208.187.24.17
  NAS-Port = 99
 modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
  rlm_realm: No '@' in User-Name = elitest, looking up realm NULL
  rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
 rlm_dbm: try open database file: /usr/local/etc/raddb/users
 rlm_dbm: Call parse_user:
 sm_parse_user.c: check for loops
 Add elitest to user list
 rlm_dbm: User elitest not foud in database
 Remove elitest from user list
 sm_parse_user.c: check for loops
 Add DEFAULT to user list
 rlm_dbm: User DEFAULT not foud in database
 Remove DEFAULT from user list
modcall[authorize]: module dbm returns notfound
 modcall: group authorize returns ok
 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
 auth: Failed to validate the user.
 Delaying request 0 for 1 seconds
 Finished request 0
 
 Can someone PLEASE help me?  I am probably doing something stupid, but 
 desperately need help.  I WILL EVEN PAY FOR SOMEONE WELL VERSED IN 
 FREERADIUS TO CONSULT ON THE PHONE.
 
 Thanks,
 Gary
 
 



Multiple cisco-avpair entries

2002-12-09 Thread JREDONDO
Hi, 

I am trying to create a new user with a few cisco-avpair attributes but
radius only replies with one of the values defined in the original users file.

ciscouser Password == cisco
        Service-Type = Outbound-User,
        Cisco-AVPair = ipsec:key-exchange=ike,
        Cisco-AVPair = ipsec:addr-pool=ippool,
        Tunnel-Password = :1:ciscopass,
        Tunnel-Medium-Type = :1:IP,
        Tunnel-Type = :1:ESP


but radius only serves the first Cisco-AVPair attribute...

[root@proxy raddb]# radtest 3000client cisco 127.0.0.1:1645 1 testing123
Sending Access-Request of id 43 to 127.0.0.1:1645
User-Name = ciscouser
User-Password = \375ZQ\366}\375w\320\251;\360\345\223\266\r
NAS-IP-Address = proxy.intra.csc.es
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=43, length=98
Service-Type = Outbound-User
Filter-Id = std.ppp
Cisco-AVPair = ipsec:key-exchange=ike
Tunnel-Password:1 = ciscopass
Tunnel-Medium-Type:1 = IP
Tunnel-Type:1 = ESP
[root@proxy raddb]#


Any ideas?

Regards,

Jordi




Re: MYSQL check_error: 1065 received

2002-12-09 Thread Genoud Richard
well... I upgraded to freeradius 0.8, and it's ok now...

Genoud Richard wrote:

hello everyone !

I got freeradius0.7.1, with mysql module and I got this error on a
radclient request :
echo User-Name = user, Password=guess | radclient 127.0.0.1 auth guess

I previously had a postgreSQL database, and I managed to have it running.
I compiled the mysql module, changed the radius.conf file, setting up my
database... but there's still a problem.

The DB seems to be ok.

freeradius manages to connect to it, but there's this error.
anyone got an idea ?

here's the log:
[...]
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = 10.0.1.18
 sql: port = 
 sql: login = dbuser
 sql: password = guess
 sql: radius_db = radiusdb
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = yes
 sql: sqltracefile = /usr/local/var/log/radius/sqltrace.sql
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_group_check_query = SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id
 sql: authenticate_query = 
 sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', 
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), 
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = 
%{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND 
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'
 sql: accounting_update_query = UPDATE radacct SET FramedIPAddress = 
'%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND 
UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}' AND 
AcctStopTime = 0
 sql: accounting_start_query = INSERT into radacct (RadAcctId, 
AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, 
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, 
AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, 
AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, 
ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, 
AcctStopDelay) values('', '%{Acct-Session-Id}', 
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', 
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', 
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', 
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', 
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')
 sql: accounting_start_query_alt = UPDATE radacct SET AcctStartTime = 
'%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = 
'%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND 
UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' AND 
AcctStopTime = 0
 sql: accounting_stop_query = UPDATE radacct SET AcctStopTime = '%S', 
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = 
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', 
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = 
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE 
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' 
AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0
 sql: accounting_stop_query_alt = INSERT into radacct (RadAcctId, 
AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, 
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, 
AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, 
AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, 
ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, 
AcctStopDelay) values('', '%{Acct-Session-Id}', 
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', 
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '0', '%S', 
'%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', 
'%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', 
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', 

Authenticating with MS-CHAP

2002-12-09 Thread Jonn-Erik Farmen

I'm having trouble with MS-CHAP. I'm trying to authenticate with MS-CHAP, but I'm not
very successful. I'm obviously missing a point here when it comes to
authentication with MS-CHAP. I'm using freeradius 0.8 and radclient:


echo User-Name = jonn, CHAP-Password = MEMEME | radclient -x xxx.xxx.xx.xxx:1812 auth testing123
Sending Access-Request of id 112 to xxx.xxx.xx.xxx:1812
User-Name = jonn
CHAP-Password = 0x704552484cb6fb830e6584c947df285671
rad_recv: Access-Reject packet from host xxx.xxx.xx.xxx:1812, id=112, length=20

The output of the radius server is:

rad_recv: Access-Request packet from host xxx.xxx.xx.xxx:32778, id=112, length=45
User-Name = jonn
CHAP-Password = 0x704552484cb6fb830e6584c947df285671
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = jonn, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 79
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns notfound
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
modcall: entering group authenticate
rlm_mschap: No LM/NT password configured. Check authorization.
  modcall[authenticate]: module mschap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.

in the users file, I have the following:

#
#   Please read the documentation file ../doc/processing_users_file,
#   or 'man 5 users' (after installing the server) for more information.
#
#   This file contains authentication security and configuration
#   information for each user.  Accounting requests are NOT processed
#   through this file.  Instead, see 'acct_users', in this directory.
#
#   The first field is the user's name and can be up to
#   253 characters in length.  This is followed (on the same line) with
#   the list of authentication requirements for that user.  This can
#   include password, comm server name, comm server port number, protocol
#   type (perhaps set by the hints file), and huntgroup name (set by
#   the huntgroups file).
#
#   If you are not sure why a particular reply is being sent by the
#   server, then run the server in debugging mode (radiusd -X), and
#   you will see which entries in this file are matched.
#
#   When an authentication request is received from the comm server,
#   these values are tested. Only the first match is used unless the
#   Fall-Through variable is set to Yes.

Re: Authenticating with MS-CHAP

2002-12-09 Thread 3APA3A
Dear Jonn-Erik Farmen,

First, MS-CHAP uses the MS-CHAP-Password attribute, not CHAP-Password.
Second, in order to configure Password for a user for MS-CHAP you need the :=
operator instead of ==.

--Monday, December 9, 2002, 1:46:32 PM, you wrote to [EMAIL PROTECTED]:


JEF I'm having trouble with MS-CHAP. I'm trying to authenticate with MS-CHAP, but I'm not
JEF very successful. I'm obviously missing a point here when it comes to
JEF authentication with MS-CHAP. I'm using freeradius 0.8 and radclient:


JEF echo User-Name = jonn, CHAP-Password = MEMEME | radclient -x xxx.xxx.xx.xxx:1812 auth testing123
JEF Sending Access-Request of id 112 to xxx.xxx.xx.xxx:1812
JEF User-Name = jonn
JEF CHAP-Password = 0x704552484cb6fb830e6584c947df285671
JEF rad_recv: Access-Reject packet from host xxx.xxx.xx.xxx:1812, id=112, 
JEF length=20

JEF The output of the radius server is:

JEF rad_recv: Access-Request packet from host xxx.xxx.xx.xxx:32778, id=112, 
JEF length=45
JEF User-Name = jonn
JEF CHAP-Password = 0x704552484cb6fb830e6584c947df285671
JEF modcall: entering group authorize
JEF   modcall[authorize]: module preprocess returns ok
JEF rlm_realm: No '@' in User-Name = jonn, looking up realm NULL
JEF rlm_realm: No such realm NULL
JEF   modcall[authorize]: module suffix returns noop
JEF users: Matched DEFAULT at 79
JEF   modcall[authorize]: module files returns ok
JEF   modcall[authorize]: module mschap returns notfound
JEF modcall: group authorize returns ok
JEF   rad_check_password:  Found Auth-Type MS-CHAP
JEF auth: type MS-CHAP
JEF modcall: entering group authenticate
JEF rlm_mschap: No LM/NT password configured. Check authorization.
JEF   modcall[authenticate]: module mschap returns invalid
JEF modcall: group authenticate returns invalid
JEF auth: Failed to validate the user.

JEF in the users file, I have the following:

JEF #
JEF #   Please read the documentation file ../doc/processing_users_file,
JEF #   or 'man 5 users' (after installing the server) for more 
JEF information.
JEF #
JEF #   This file contains authentication security and configuration
JEF #   information for each user.  Accounting requests are NOT processed
JEF #   through this file.  Instead, see 'acct_users', in this directory.
JEF #
JEF #   The first field is the user's name and can be up to
JEF #   253 characters in length.  This is followed (on the same line) 
JEF with
JEF #   the list of authentication requirements for that user.  This can
JEF #   include password, comm server name, comm server port number, 
JEF protocol
JEF #   type (perhaps set by the hints file), and huntgroup name (set by
JEF #   the huntgroups file).
JEF #
JEF #   If you are not sure why a particular reply is being sent by the
JEF #   server, then run the server in debugging mode (radiusd -X), and
JEF #   you will see which entries in this file are matched.
JEF #
JEF #   When an authentication request is received from the comm server,
JEF #   these values are tested. Only the first match is used unless the
JEF #   Fall-Through variable is set to Yes.
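What the logged request carried, as an added example (not code from this thread or from FreeRADIUS): the CHAP-Password value decodes as a standard RFC 2865 CHAP response, one ident octet followed by an MD5 digest, and the request has no MS-CHAP response attribute, consistent with the first point of the reply above. The function names and the challenge bytes are constructed for the demonstration; the logged digest itself cannot be checked because the page does not show the challenge.

```python
import hashlib
import hmac

# CHAP-Password value copied from the radclient output in the question.
LOGGED_CHAP_PASSWORD = "0x704552484cb6fb830e6584c947df285671"


def parse_chap_password(hex_value):
    """Split a CHAP-Password (RFC 2865, section 5.3) into (ident, MD5 digest)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) != 17:
        raise ValueError(f"CHAP-Password must be 17 octets, got {len(raw)}")
    return raw[0], raw[1:]


def chap_response(ident, cleartext, challenge):
    """Build the 17-octet value a CHAP client sends: ident + MD5(ident|pw|challenge)."""
    digest = hashlib.md5(bytes([ident]) + cleartext + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(chap_password, cleartext, challenge):
    """Server-side check. It needs the cleartext password: a crypt()ed or
    otherwise hashed copy cannot be fed into the MD5 computation."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)


def classify_request(attrs):
    """Name the authentication method implied by the request attributes."""
    if "MS-CHAP-Response" in attrs or "MS-CHAP2-Response" in attrs:
        return "MS-CHAP"
    if "CHAP-Password" in attrs:
        return "CHAP"
    if "User-Password" in attrs:
        return "PAP"
    return "unknown"


if __name__ == "__main__":
    ident, digest = parse_chap_password(LOGGED_CHAP_PASSWORD)
    # The ident octet equals the packet id (112) shown in the log.
    print(f"ident={ident} digest={digest.hex()} ({len(digest)} octets)")

    request = {"User-Name": "jonn", "CHAP-Password": LOGGED_CHAP_PASSWORD}
    print("request type:", classify_request(request))

    # Constructed challenge, only to show the verification round trip.
    challenge = bytes(range(16))
    sent = chap_response(ident, b"MEMEME", challenge)
    print("correct password verifies:", verify_chap(sent, b"MEMEME", challenge))
    print("wrong password verifies:  ", verify_chap(sent, b"wrong", challenge))
```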

Re[2]: Just plain problems

2002-12-09 Thread Andrei Koulik

Sunday, December 8, 2002, 4:51:04 AM, [EMAIL PROTECTED] wrote:
Hey, man.
Alan didn't write rlm_dbm or the documentation for it.
So all bugs and discordancy belong to the authors of the module
and documentation,
see
6. ACKNOWLEDGMENTS

 Author- Andrei Koulik [EMAIL PROTECTED]
 Documentation - Bjørn Nordbø  [EMAIL PROTECTED]

Try to contact [EMAIL PROTECTED]
I am sure it will be more useful than public blame of the whole
project and Alan especially.

nmn At 07:58 PM 12/7/2002 -0500, you wrote:
  First I cannot use rlm_dbm_parser to create a dbm file.

   I don't use rlm_dbm, and the default configuration doesn't use it,
either.

  My second problem may be related to the first.  After testing my
  configuration and plain text users file (which work without a hitch) I
  create a users.db file using builddbm, a program from an earlier 
 version of
  radius (not FreeRadius).

   Then it won't work.  Do you run python programs through Perl, and
complain when they don't work?

  So that's the problem.  Whenever I try to switch to dbm things fall
  apart.  The strange thing is that I am using a radiusd.conf and users 
 files
  from a working version of FreeRadius as my model.

   So when you said you were using the default configuration that ships
with the server, you lied.

   Thanks.  I don't think I'm interested in helping you much any more.

   Alan DeKok.





Re: Multiple cisco-avpair entries

2002-12-09 Thread Alexey Chetroi
On Mon, Dec 09, 2002 at 11:32:22AM +0100, [EMAIL PROTECTED] wrote:
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Multiple cisco-avpair entries
 
 I am trying to create a new user with few cisco-avpair attributes but
 radius only reply one of the values defined on the original users file.
 
 ciscouser Password == cisco
 Service-Type = Outbound-User,
 Cisco-AVPair = ipsec:key-exchange=ike,
 Cisco-AVPair = ipsec:addr-pool=ippool,
 Tunnel-Password = :1:ciscopass,
 Tunnel-Medium-Type = :1:IP,
 Tunnel-Type = :1:ESP
 
 
 but radius only serves the first Cisco-AVPair attribute...

  Take a look at man 5 users, operators section, after that try +=
instead of =


-- 

  Best regards,
  Alexey Chetroi

---
Smile... Tomorrow will be worse.   (c) Murphy's law

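The operator behaviour the reply points to, as an added example (not code from this thread or from FreeRADIUS): a small model of how reply-item operators are applied in order, following their descriptions in users(5), which reproduces the single Cisco-AVPair in the Access-Accept above and shows the effect of `+=`. The function names are hypothetical and the model covers reply items only.

```python
import re

# Reply items of the entry as posted (constructed from the message above).
REPLY_AS_POSTED = """\
    Service-Type = Outbound-User,
    Cisco-AVPair = ipsec:key-exchange=ike,
    Cisco-AVPair = ipsec:addr-pool=ippool,
    Tunnel-Password = :1:ciscopass,
    Tunnel-Medium-Type = :1:IP,
    Tunnel-Type = :1:ESP
"""

# Same entry with the operator the reply suggests for the repeated attribute.
REPLY_WITH_APPEND = REPLY_AS_POSTED.replace(
    "Cisco-AVPair = ipsec:addr-pool", "Cisco-AVPair += ipsec:addr-pool")

# attribute, operator, value; the value may itself contain '=' (AV pairs do).
ITEM_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*(\+=|:=|=)\s*(.+?)\s*,?\s*$")


def parse_reply_items(text):
    """Return [(attribute, operator, value), ...] for each reply-item line."""
    items = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ITEM_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        items.append(m.groups())
    return items


def build_reply(items, reply=None):
    """Apply reply-item operators in order.

    '='  adds the item only if the reply has no item of that attribute yet,
    ':=' replaces any item of that attribute,
    '+=' always appends.
    Returns (reply, dropped): the reply list and the items '=' discarded.
    """
    reply = list(reply or [])
    dropped = []
    for attr, op, value in items:
        present = any(a == attr for a, _ in reply)
        if op == "=" and present:
            dropped.append((attr, value))  # silently lost: worth linting for
            continue
        if op == ":=":
            reply = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))
    return reply, dropped


def values_of(reply, attr):
    """All values the reply carries for one attribute, in order."""
    return [v for a, v in reply if a == attr]


if __name__ == "__main__":
    for label, text in (("as posted", REPLY_AS_POSTED),
                        ("with +=", REPLY_WITH_APPEND)):
        reply, dropped = build_reply(parse_reply_items(text))
        print(f"{label}: Cisco-AVPair -> {values_of(reply, 'Cisco-AVPair')}")
        for attr, value in dropped:
            print(f"  dropped by '=': {attr} = {value}")
```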



EAP-TLS Problem

2002-12-09 Thread [EMAIL PROTECTED]
Hi,

I have a wireless network with a cisco aironet 350 AP and a cisco card
and I use win xp as supplicant.
If I don't use (in win XP) "the key is provided for me
automatically" it's all ok.
When I enable that option I have same problems, the authentication is
ok, the cisco ap writes
status=EAP Authenticated, BOOTP/DHCP but it's not possible to take the
ip address with the DHCP
and the connection is not enabled, the cisco aironet client utilities
indicate that the radio connection is good.
I have read that in the authentication exchange freeradius sends the
session key (with MPPE) to the AP.
It's possible that I have not configured the cisco AP or Freeradius in
the right manner.

Thanks

Daniele Brevi





Account Help

2002-12-09 Thread LoKoRadius
Hi,

 I'm a new Radius user and I'm having some problems.
 I have XtRadius Version xtradius-1.0beta3-3 and when I'm doing an account my script doesn't work.

If I use
Users File
42: DEFAULT Acct-Status-Type = "Stop"
43: Exec-Program-Account = "/usr/lib/cgi-bin/account.pl %u"
44:
45: DEFAULT NAS-Port-Type = 16, Auth-Type = External
46: Exec-Program-Wait = "/usr/lib/cgi-bin/autentica.pl %u %w",
47: Service-Type = Framed-User,
48: Framed-Protocol = PPP,
49: Class = ALF,
50: Fall-Through = 0

I get this
/usr/sbin/radiusd -sfxxyz -l STDOUT
[/etc/raddb/hints:42] WARNING: Check item "Exec-Program-Account"
 found in reply item list for user "DEFAULT".
 This attribute MUST go on the first line with the other check items.


or if I use
Users File
42: DEFAULT Acct-Status-Type = "Stop", Exec-Program-Account = "/usr/lib/cgi-bin/account.pl %u"
43: 
44:
45: DEFAULT NAS-Port-Type = 16, Auth-Type = External
46: Exec-Program-Wait = "/usr/lib/cgi-bin/autentica.pl %u %w",
47: Service-Type = Framed-User,
48: Framed-Protocol = PPP,
49: Class = ALF,
50: Fall-Through = 0

I get but no accounts were saved.
/usr/sbin/radiusd -sfxxyz -l STDOUT
Starting - reading configuration files ...
Ready to process requests.
radrecv: Request from host 10.5.108.73 code=4, id=6, length=58
 User-Name = "[EMAIL PROTECTED]"
 Acct-Status-Type = Stop
 Acct-Session-Id = "2368"
 NAS-Port-Type = 16
 users: Matched DEFAULT at 42
Sending Accounting Ack of id 6 to 10.5.108.73 (nas alefalcao)


The Script is working fine, if I run "/usr/lib/cgi-bin/autentica.pl alfspsp" the account is saved.

Is it possible for anybody to help me?

Alex


Re: EAP-TLS Problem

2002-12-09 Thread Artur Hecker

hi


the thread name is actually wrong since this is not a problem in
EAP-TLS.


 I have a wireless network with cisco aironet 350 AP and a cisco card
 and I use win xp as
 supplicant.
 If I don't use (in win XP) the the key is provided for me
 automatically it's all ok.

nice, so EAP-TLS is working just fine. what you want is dynamic wep
keys.


 When I enable that option I have same problems, the authentication is
 ok the cisco ap write
 status=EAP Authenticated, BOOTP/DHCP but it's not possible take the
 ip address with the DHCP
 and the connection is not enable, the cisco aironet client utilities
 indicate that the radio
 connection is good.

exactly, because the WEP keys are not the same at the supplicant and the
client (ap).


 I have read that in the authentication exchange freeradius send the
 session key (with MPPE) at
 the AP.
 It's possible that I have not configured the cisco AP or Freeradius in
 the right manner.

very probably even. in the future requests, please provide the version
of freeradius and the complete debug output (radiusd -s -X).

however, you have a good basis for succeeding, so further requests might
not be necessary :-) your EAP-TLS authentication works fine, you say.
congratulations, since that's the difficult part of the whole story.
now just grab the newest version of FR available, compile the
rlm_eap_tls, verify that you have some *mppe*.c files in the concerned
directory and that there are no compilation/linking errors.

then, start the new server and look at the radiusd -s -X output. if the
Access-Accept sent to the AP350 contains two MPPE-*-Key attributes with
values, everything should be ok for freeradius so far (when updating,
update the dictionaries too). then, you only need to alter the config of
the AP350 appropriately (activate encryption and either provide a
wep-key in the Slot1 or set the broadcast key rotation interval to 0).


greetings
artur



-- 
Artur Hecker
artur[at]hecker.info




Re: Authenticating with MS-CHAP (fwd)

2002-12-09 Thread Jonn-Erik Farmen
 Dear Jonn-Erik Farmen,
 
 First,  MS-CHAP  uses  MS-CHAP-Password,  not  CHAP-Password  attribute.
 Second,  in order to configure Password for user for MS-CHAP you need :=
 operator instead of ==.
 
 --Monday, December 9, 2002, 1:46:32 PM, you wrote to 
[EMAIL PROTECTED]:
 

Thank you for your response,

I wasn't able to see that MS-CHAP-Password was among the standard RADIUS 
attributes, and replacing == with := in the users file didn't help much:

# echo User-Name = jonn, MS-CHAP-Password = MEMEME | radclient -x 
xxx.xxx.xxx.xxx:1812 auth testing123
radclient:Unknown attribute MS-CHAP-Password

 
 JEF I'm having trouble with MS-CHAP. I' trying 2 authenticate with MS-CHAP, 
 JEF but I'm not
 JEF very successful. I'm obviously missing a point a point here when it comes 
 JEF to
 JEF authentication with MS-CHAP. I'm using freeradius 0.8 and radclient:
 
 
 JEF echo User-Name = jonn, CHAP-Password = MEMEME | radclient -x 
 JEF xxx.xxx.xx.xxx:1812 auth testing123
 JEF Sending Access-Request of id 112 to xxx.xxx.xx.xxx:1812
 JEF User-Name = jonn
 JEF CHAP-Password = 0x704552484cb6fb830e6584c947df285671
 JEF rad_recv: Access-Reject packet from host xxx.xxx.xx.xxx:1812, id=112, 
 JEF length=20
 
 JEF The output of the radius server is:
 
 JEF rad_recv: Access-Request packet from host xxx.xxx.xx.xxx:32778, id=112, 
 JEF length=45
 JEF User-Name = jonn
 JEF CHAP-Password = 0x704552484cb6fb830e6584c947df285671
 JEF modcall: entering group authorize
 JEF   modcall[authorize]: module preprocess returns ok
 JEF rlm_realm: No '@' in User-Name = jonn, looking up realm NULL
 JEF rlm_realm: No such realm NULL
 JEF   modcall[authorize]: module suffix returns noop
 JEF users: Matched DEFAULT at 79
 JEF   modcall[authorize]: module files returns ok
 JEF   modcall[authorize]: module mschap returns notfound
 JEF modcall: group authorize returns ok
 JEF   rad_check_password:  Found Auth-Type MS-CHAP
 JEF auth: type MS-CHAP
 JEF modcall: entering group authenticate
 JEF rlm_mschap: No LM/NT password configured. Check authorization.
 JEF   modcall[authenticate]: module mschap returns invalid
 JEF modcall: group authenticate returns invalid
 JEF auth: Failed to validate the user.
 
 JEF in the users file, I have the following:
 
 JEF #
 JEF #   Please read the documentation file ../doc/processing_users_file,
 JEF #   or 'man 5 users' (after installing the server) for more 
 JEF information.
 JEF #
 JEF #   This file contains authentication security and configuration
 JEF #   information for each user.  Accounting requests are NOT processed
 JEF #   through this file.  Instead, see 'acct_users', in this directory.
 JEF #
 JEF #   The first field is the user's name and can be up to
 JEF #   253 characters in length.  This is followed (on the same line) 
 JEF with
 JEF #   the list of authentication requirements for that user.  This can
 JEF #   include password, comm server name, comm server port number, 
 JEF protocol
 JEF #   type (perhaps set by the hints file), and huntgroup name (set by
 JEF #   the huntgroups file).
 JEF #
 JEF #   If you are not sure why a particular reply is being sent by the
 JEF #   server, then run the server in debugging mode (radiusd -X), and
 JEF #   you will see which entries in this file are matched.
 JEF #
 JEF #   When an authentication request is received from the comm server,
 JEF #   these values are tested. Only the first match is used unless the
 JEF #   Fall-Through variable is set to Yes.
 JEF [root@pc13-62 raddb]# cat /tmp/tmp2

Re[2]: Authenticating with MS-CHAP

2002-12-09 Thread 3APA3A
Dear Jonn-Erik Farmen,

It was my fault, I meant MS-CHAP-Response attribute.

Anyway it will not be easy to test MS-CHAP with radtest. Because
MS-CHAP-Response is not some kind of password, it's composed as DES hash
of MS-CHAP-Challenge and NT and LM hashes of password (NT is MD4 hash of
Unicode password, LM is DES hash of OEM password). So, you have some
reading tonight (RFC 2433 and RFC 2548) if you wanna calculate
MS-CHAP-Response manually.

--Monday, December 9, 2002, 5:19:44 PM, you wrote to [EMAIL PROTECTED]:

JEF On Mon, 9 Dec 2002, 3APA3A wrote:

 Dear Jonn-Erik Farmen,
 
 First,  MS-CHAP  uses  MS-CHAP-Password,  not  CHAP-Password  attribute.
 Second,  in order to configure Password for user for MS-CHAP you need :=
 operator instead of ==.
 
 --Monday, December 9, 2002, 1:46:32 PM, you wrote to 
[EMAIL PROTECTED]:
 

JEF Thank you for your reponse,

JEF I wasn't able to see that MS-CHAP-Password was among the standard RADIUS 
JEF attributes, and replacing == with := in the users file didn't help much:

JEF # echo User-Name = jonn, MS-CHAP-Password = MEMEME | radclient -x 
JEF xxx.xxx.xxx.xxx:1812 auth testing123
JEF radclient:Unknown attribute MS-CHAP-Password

 

Re[2]: Just plain problems

2002-12-09 Thread netboss
Let's take what I said step by step and see where I blamed the whole 
project and/or  Alan.

First I cannot use rlm_dbm_parser to create a dbm file.

That is a simple statement of fact.  I didn't elaborate in that email 
because I had given more detail in earlier emails.  And if you will read 
the entire thread, you will see that I never blamed anyone or anything for 
this situation.  I presented facts and asked questions.  I thought that is 
how you debugged things.

My second problem may be related to the first.  After testing my
configuration and plain text users file (which work without a hitch) I
create a users.db file using builddbm, a program from an earlier
version of radius (not FreeRadius).


Again a simple statement of fact to help Alan understand what I had 
tried.  I didn't say it was supposed to work, I just stated that I had tried 
it.  I guess a cynical eye could take the statement which worked without a 
hitch as a criticism, but it was again just a statement of fact to let 
Alan know that the entire installation wasn't broken, but that some things 
worked.

So that's the problem.  Whenever I try to switch to dbm things fall
apart.  The strange thing is that I am using a radiusd.conf and users files
from a working version of FreeRadius as my model.


Again a simple statement of fact.  I freely admitted that things go awry 
when I tried to make the change to using dbm.  Again if you will read the 
entire thread you will see that I several times admitted that it was 
probably something I was doing that was causing the problem.

My problem is that Alan, after offering his services for hire took 
statements that have to be twisted dramatically to even begin to be 
considered critical or confrontational, was condescending and even called 
me a liar.  I NEVER did anything except state facts and ask questions.  If 
Alan felt that this was a problem he didn't want to tackle, all he had to 
do was politely state I don't think I can help you with this 
issue.  Remember, I was responding to Alan's OFFER of his services for 
hire.  I didn't demand his services, I had merely stated in several emails 
that I was even willing to pay someone for help and he responded.

I might not have been clear in outlining EVERY step that I took, but I was 
trying to present enough facts while still being brief.  And new facts were 
developing as time passed.  I wasn't setting on my hands between emails 
waiting for someone to solve my problem, I was trying different things.  I 
have no doubt that this may have confused the matter somewhat.  But I was 
doing the best I could with what information I had available.

Gary

At 01:55 PM 12/9/2002 +0300, you wrote:

Sunday, December 8, 2002, 4:51:04 AM, [EMAIL PROTECTED] wrote:
Hey, Man.
Alan doesn't wrote rlm_dbm and documentation for it.
So all bugs and discordancy belongs to authors of module
and documentation
see
6. ACKNOWLEDGMENTS

 Author- Andrei Koulik [EMAIL PROTECTED]
 Documentation - Bjørn Nordbø  [EMAIL PROTECTED]

try to contact with [EMAIL PROTECTED]
I am sure it will be more useful then public blame of whole
project and Alan especially.


nmn At 07:58 PM 12/7/2002 -0500, you wrote:
  First I cannot use rlm_dbm_parser to create a dbm file.

   I don't use rlm_dbm, and the default configuration doesn't use it,
either.

  My second problem may be related to the first.  After testing my
  configuration and plain text users file (which work without a hitch) I
  create a users.db file using builddbm, a program from an earlier
 version of
  radius (not FreeRadius).

   Then it won't work.  Do you run python programs through Perl, and
complain when they don't work?

  So that's the problem.  Whenever I try to switch to dbm things fall
  apart.  The strange thing is that I am using a radiusd.conf and users
 files
  from a working version of FreeRadius as my model.

   So when you said you were using the default configuration that ships
with the server, you lied.

   Thanks.  I don't think I'm interested in helping you much any more.

   Alan DeKok.





Re: Re[2]: Just plain problems

2002-12-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Let's take what I said step by step and see where I blamed the whole
 project and/or  Alan.

  You said you couldn't get something to work.  I'm not disagreeing
with that.

  My point, that I've said repeatedly, is that I can't help you with
rlm_dbm questions.

 Again a simple statement of fact.  I freely admitted that things go awry
 when I tried to make the change to using dbm.  Again if you will read the
 entire thread you will see that I several times admitted that it was
 probably something I was doing that was causing the problem.

  And I said repeatedly if you're having problems with it, to NOT use
rlm_dbm.  I don't think many people here can help you with questions
about that module.

 My problem is that Alan, after offering his services for hire took
 statements that have to be twisted dramatically to even begin to be
 considered critical or confrontational, was condescending and even called
 me a liar.

  shrug You said at one point what you wanted to do (without
referencing dbm, or other FreeRADIUS internals).  You said you
hadn't changed the default configuration that the server ships with.
You then said you had tried using the DBM module.

  At the minimum, you're disagreeing with yourself.

  My response then, as now, is that the default configuration shipped
with the server does what you claimed you wanted.

  I have no clue why you're stuck on using the DBM module.

 Alan felt that this was a problem he didn't want to tackle, all he had to 
 do was politely state I don't think I can help you with this 
 issue.  Remember, I was responding to Alan's OFFER of his services for 
 hire.  I didn't demand his services, I had merely stated in several emails
 that I even willing to pay someone for help and he responded.

  I responded, saying I was willing to help.  You responded, with
contradictory stories about what you were doing.  I declined to
participate further.

 I wasn't setting on my hands between emails waiting for someone to
 solve my problem, I was trying different things.  I have no doubt
 that this may have confused the matter somewhat.

  Exactly.  If you can't tell a consistent story about what you're
doing, then how the hell do you expect anyone else to understand it,
and to help you?

  But I was doing the best I could with what information I had
 available.

  I don't deny that.  But with the information you've given me, I'm
confused as to what you're doing, and why.


  And I'm doubly confused as to why you're spending time arguing with
me, instead of using a solution I proposed to get your system working.

  Get off the DBM bandwagon.  I don't know why you're so horny about
using it, and I don't care.  Understand how the server works FIRST,
and THEN try something more complicated.

  Alan DeKok.




Re: Just plain problems

2002-12-09 Thread Steve Coleman
Simon wrote:
 Look, there are plenty of people using FreeRadius successfully. I got it
 set up with MySQL and I have never configured a radius server before. It
 wasn't too hard.

Alan wrote:
 Yeah, but you had probably installed and configured software
 before.  There's a certain sub-set of people who expect that
 installing complicated servers should be blindingly obvious, even if
 they've never seen a computer before.

I had never installed nor configured software on a Linux box in my life.  In fact, I 
hadn't used Unix for nearly 10 years (and even then I was far from expert) and had 
never used Linux.  I bought a second hand PC, bought the Red Hat Linux 7.2 Bible, and 
got Linux running.  I downloaded FreeRADIUS and MySQL and configured and installed 
both with help from the FreeRADIUS FAQ, the included docs, this mailing list archive 
and other sources easily found on the web.

I got FreeRADIUS up and running with very few problems.  All it takes is some reading, 
some experimenting and some patience if this is new to you.  If I can do this, anybody 
can.

Many thanks to Alan, Chris and so many of the rest of you that contribute to this 
project.

Steve Coleman




users file replacement with sql_check and sql_reply

2002-12-09 Thread Bobi



Is it possible to replace "users" file functionality like:

Prefix == "pref_"
Auth_Typbe := PAP
Compression := Van-Jacobson-TCP-IP

with values returned by sql_check and sql_reply?

Thanks in advance,
B.


HInts, Huntgroups and Users Files

2002-12-09 Thread Miller, Kenneth L NWP





Good morning,

 I am very new to Radius Server and especially new to freeradius. I have inherited a very old Ascend Radius Server that is running on a SUN box. I want to move this to Linux and run it under freeradius. The USERS file on the Sun box is just a flat text file, which contains the usernames, passwords, and attributes such as Framed-Protocol, Filter-ID, etc., but it appears that freeradius handles things differently. If the username and passwords are not placed in the users file, then where are they put?

 The "How the USERS file is processed" states "After the items of a request have been mangled by the "hints" and "huntgroups" files, the users file is processed."

 What does this mean? Do I put the username and passwords in the "hints" file or what?

Can anyone help me out here? 

Thanks

Ken




Re: HInts, Huntgroups and Users Files

2002-12-09 Thread Chris Parker
At 08:46 AM 12/9/2002 -0800, Miller, Kenneth L NWP wrote:


Good morning,

I am very new to Radus Server and especially new to 
freeradius.  I have inherited a very old Ascend Radius Server that is 
running on a SUN box. I want to move this to Linux and run it under 
freeradius.  The USERS file on the Sun box is just a flat text file, 
which contains the usernames, passwords, and attributes such as 
Framed-Protocol, Filter-ID, etc., but it appears that freeradius handles 
thing differently. If the username and passwords are not placed in the 
users file, then where are they put.

The How the USERS file is processed  states After the items of 
a request have been mangled by the hints and huntgroups files, the 
users file is processed.

What does this mean?  Do I put the username and passwords in the 
hints file or what?

No, it uses a users file in the same way as your old Ascend Radius server.
It has the additional files hints and huntgroups which *may* be used,
but are definitely not required in a basic config.  In fact, if you aren't
using them, comment their contents out entirely.

You should be able to modify the Ascend users file to be used under
FreeRADIUS.  Note that the syntax is slightly different under FreeRADIUS
and that some of the attribute names may be changed slightly.

IE: Framed-Address becomes Framed-IP-Address under FreeRADIUS.

If your Ascend file looks like:

someuser    Password = letmein
    Framed-Address = 255.255.255.254
    Framed-Netmask = 255.255.255.255
    ...

You could convert it to FreeRADIUS syntax:

someuser    Auth-Type := LOCAL, User-Password == letmein
    Framed-IP-Address = 255.255.255.254
    Framed-IP-Netmask = 255.255.255.255


( note the 'operators'; :=, ==, =; have different meanings )!

Hope this helps,
-Chris

--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
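The conversion described in the reply above, as an added Python example that is not part of the original post or of FreeRADIUS: it rewrites the Password check item and applies the two attribute renames the post names. The function name, the rename table and the sample entries are assumptions of this example; check items other than Password are passed through unchanged and reported, since the right operator for them is a per-attribute decision.

```python
import re

# Attribute renames named in the post above. Other Ascend attributes may need
# entries here too; this table is limited to what the post states.
RENAMES = {
    "Framed-Address": "Framed-IP-Address",
    "Framed-Netmask": "Framed-IP-Netmask",
}

# One "Attribute = value" pair; the value is a quoted string or a bare token.
PAIR = re.compile(r'([A-Za-z][\w-]*)\s*=\s*("[^"]*"|[^,\s]+)')

# Constructed sample in the old flat-file layout (not real accounts).
ASCEND_SAMPLE = """\
someuser\tPassword = letmein
\tFramed-Address = 255.255.255.254
\tFramed-Netmask = 255.255.255.255

dialin2\tPassword = s3cret, NAS-IP-Address = 192.0.2.10
\tFramed-Protocol = PPP
"""


def convert_users(text):
    """Return (converted_text, warnings) for an old-style users file.

    A line starting in column 0 opens an entry: user name, then check items.
    Indented lines that follow are reply items. Comments are dropped.
    """
    entries, warnings = [], []
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            checks = []
            for attr, value in PAIR.findall(parts[1] if len(parts) > 1 else ""):
                if attr == "Password":
                    # The rewrite shown in the post: set the auth type, then
                    # compare the password with '=='.
                    checks.append("Auth-Type := LOCAL")
                    checks.append(f"User-Password == {value}")
                else:
                    checks.append(f"{RENAMES.get(attr, attr)} = {value}")
                    warnings.append(
                        f"line {lineno}: check item {attr} kept with '=', "
                        "review its operator")
            current = {"name": parts[0], "checks": checks, "replies": []}
            entries.append(current)
        else:
            if current is None:
                raise ValueError(f"line {lineno}: reply item before any user entry")
            for attr, value in PAIR.findall(line):
                current["replies"].append(f"{RENAMES.get(attr, attr)} = {value}")

    out = []
    for entry in entries:
        out.append(f"{entry['name']}\t{', '.join(entry['checks'])}")
        replies = entry["replies"]
        # Reply items are comma separated; the last one carries no comma.
        out.extend(f"\t{item}," for item in replies[:-1])
        if replies:
            out.append(f"\t{replies[-1]}")
        out.append("")
    return "\n".join(out), warnings


if __name__ == "__main__":
    converted, notes = convert_users(ASCEND_SAMPLE)
    print(converted)
    for note in notes:
        print("WARNING:", note)
```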


Re: HInts, Huntgroups and Users Files

2002-12-09 Thread Evren Yurtesen
if you installed freeradius into linux then look at
man 5 users
if you still have questions then you are welcome to send email =)

PS. also see the sample users file which came with freeradius
Evren

On Mon, 9 Dec 2002, Miller, Kenneth L NWP wrote:

 Good morning,
 
   I am very new to Radus Server and especially new to freeradius.  I
 have inherited a very old Ascend Radius Server that is running on a SUN box.
 I want to move this to Linux and run it under freeradius.  The USERS file on
 the Sun box is just a flat text file, which contains the usernames,
 passwords, and attributes such as Framed-Protocol, Filter-ID, etc., but it
 appears that freeradius handles thing differently. If the username and
 passwords are not placed in the users file, then where are they put.
 
   The How the USERS file is processed  states After the items of a
 request have been mangled by the hints and huntgroups files, the users
 file is processed.
 
   What does this mean?  Do I put the username and passwords in the
 hints file or what?
 
 Can anyone help me out here? 
 
 Thanks
 
 Ken
 
 





usage.cgi problems

2002-12-09 Thread Scott Miller
Has anyone worked up a new variation of the usage.cgi script that will allow
users to check their usage online?  I can't seem to get mine working
properly.

Thanks,
Scott





Re: usage.cgi problems

2002-12-09 Thread Chris Parker
At 11:27 AM 12/9/2002 -0700, Scott Miller wrote:

Has anyone worked up a new variation of the usage.cgi script that will allow
users to check their usage online?  I can't seem to get mine working
properly.


See the 'dialup_admin' project which is packaged with the server.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: config/link help

2002-12-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 When i start freeradius i get this message below.
 I can authenticate through mysql using -X or -xx and can still
 authenticate after calling radiusd.
...

  Grab the CVS snapshot tomorrow.  It should have the bug fixed.

  Alan DeKok.




Re: Max-Daily-Session and counter module

2002-12-09 Thread Kostas Kalevras
On Sun, 8 Dec 2002, Oliver Zimmermann wrote:

 I have the problem understanding how the counter module works. Lets say I want to 
provide a Maximum Daily Session linit of 3600 seconds for a user on freeradius-0.7. 
Is the following scenario right? (sorry I can't test it for the moment):

 users file:
 --
 DEFAULT Max-Daily-Session = 3600
 Fall-Through = 1

 John_DPassword = FZ768wRll, NAS-IP-Address = 214.32.39.2, Simultaneous-Use = 
1
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-IP-Address = 255.255.255.254,
 Framed-MTU = 1500,
 Idle-Timeout = 3600,
 Port-Limit = 1
 ...
 _

 radiusd.conf:
 
 ...
 counter {
 filename = ${raddbdir}/db.counter
 key = User-Name
 count-attribute = Acct-Session-Time
 reset = daily
 counter-name = Daily-Session-Time
 check-name = Max-Daily-Session
 allowed-servicetype = Framed-User
 cache-size = 5000
 }
 authorize {
 counter
 suffix
 files

The counter module should come *after* the files module so that
Max-Daily-Session has been set when it runs.
Also add the counter module in the instantiate section.

 }
 accounting {
 detail
 counter
 unix
 radutmp
 }
 session {
 radutmp
 }
 ---

 If someone knows how to realize the same with Daily-Session-Time is appreciated too

 Thank you
 Oliver





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf






Re: Max-Daily-Session and counter module

2002-12-09 Thread Kostas Kalevras
On Mon, 9 Dec 2002, oz wrote:


 Oliver Zimmermann wrote:

  I have the problem understanding how the counter module works. Lets say I want to 
provide a Maximum Daily Session linit of 3600 seconds for a user on freeradius-0.7. 
Is the following scenario right? (sorry I can't test it for the moment):
 
  users file:
  --
  DEFAULT Max-Daily-Session = 3600
  Fall-Through = 1
 
  John_DPassword = FZ768wRll, NAS-IP-Address = 214.32.39.2, Simultaneous-Use 
= 1
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-IP-Address = 255.255.255.254,
  Framed-MTU = 1500,
  Idle-Timeout = 3600,
  Port-Limit = 1
  ...

 Hi, I tested this setup now with a Max-Daily-Session = 3, to provocate a
 reject - but I still get Login OK.

 In the logs I saw rlm_counter: Could not find Check item value pair
 and modcall[accounting]: module counter returns noop which I cannot

The counter module will do some work on an accounting-stop not an
accounting-start.

 interprete. Irritating for me is the line rlm_counter: Counter
 attribute Daily-Session-Time is number 1063 because it has this value
 in every session. Please take a look on the session log, thanks in advance:

That's the number assigned to the Daily-Session-Time attribute, you shouldn't
worry about it.


 starting - reading configuration files ...
 reread_config:  reading radiusd.conf
 Config:   including file: /usr/local/etc/raddb/proxy.conf
 Config:   including file: /usr/local/etc/raddb/clients.conf
 Config:   including file: /usr/local/etc/raddb/snmp.conf
 Config:   including file: /usr/local/etc/raddb/sql.conf
   main: prefix = /usr/local
   main: localstatedir = /usr/local/var
   main: logdir = /usr/local/var/log/radius
   main: libdir = /usr/local/lib
   main: radacctdir = /usr/local/var/log/radius/radacct
   main: hostname_lookups = no
 read_config_files:  reading dictionary
 read_config_files:  reading clients
 read_config_files:  reading realms
 read_config_files:  reading naslist
   main: max_request_time = 30
   main: cleanup_delay = 5
   main: max_requests = 1024
   main: delete_blocked_requests = 0
   main: port = 0
   main: allow_core_dumps = no
   main: log_stripped_names = no
   main: log_auth = yes
   main: log_auth_badpass = yes
   main: log_auth_goodpass = no
   main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
   main: user = root
   main: group = root
   main: usercollide = no
   main: lower_user = no
   main: lower_pass = no
   main: nospace_user = no
   main: nospace_pass = no
   main: proxy_requests = no
   proxy: retry_delay = 5
   proxy: retry_count = 3
   proxy: synchronous = no
   proxy: default_fallback = yes
   proxy: dead_time = 120
   security: max_attributes = 200
   security: reject_delay = 1
   main: debug_level = 0
 read_config_files:  entering modules setup
 Module: Library search path is /usr/local/lib
 Module: Loaded System
   unix: cache = no
   unix: passwd = /etc/passwd
   unix: shadow = /etc/shadow
   unix: group = /etc/group
   unix: radwtmp = /usr/local/var/log/radius/radwtmp
   unix: usegroup = no
   unix: cache_reload = 600
 Module: Instantiated unix (unix)
 Module: Loaded Counter
   counter: filename = /usr/local/etc/raddb/db.counter
   counter: key = User-Name
   counter: reset = daily
   counter: count-attribute = Acct-Session-Time
   counter: counter-name = Daily-Session-Time
   counter: check-name = Max-Daily-Session
   counter: allowed-servicetype = Framed-User
   counter: cache-size = 5000
 rlm_counter: Counter attribute Daily-Session-Time is number 1063
 rlm_counter: Current Time: 1039422801, Next reset 1039474800
 Module: Instantiated counter (counter)
 Module: Loaded realm
   realm: format = suffix
   realm: delimiter = @
 Module: Instantiated realm (suffix)
 Module: Loaded files
   files: usersfile = /usr/local/etc/raddb/users
   files: acctusersfile = /usr/local/etc/raddb/acct_users
   files: compat = cistron
auth_type_fixup: Auth-Type [1000]
auth_type_fixup: Password [2]
auth_type_fixup: NAS-IP-Address [4]
auth_type_fixup: Simultaneous-Use [1034]
auth_type_fixup: Auth-Type [1000]
auth_type_fixup: Password [2]
auth_type_fixup: Simultaneous-Use [1034]
auth_type_fixup: Auth-Type [1000]
auth_type_fixup: Password [2]
auth_type_fixup: NAS-IP-Address [4]
auth_type_fixup: Simultaneous-Use [1034]
 [/usr/local/etc/raddb/users]:4 Cistron compatibility checks for entry
 DEFAULT ...
 ?Changing 'Max-Daily-Session =' to 'Max-Daily-Session +='
 [/usr/local/etc/raddb/users]:7 Cistron compatibility checks for entry
 U.Abdinghoff ...
 ?Changing 'Password =' to 'Password =='
 ?Changing 'NAS-IP-Address =' to 'NAS-IP-Address =='
 ?Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
 [/usr/local/etc/raddb/users]:15 Cistron compatibility checks for entry
 helinet010 ...
 ?Changing 'Password =' to 'Password =='
 ?Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
 [/usr/local/etc/raddb/users]:23 Cistron 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: usage.cgi problems

2002-12-09 Thread Scott Miller
I'm not finding it.  I've looked in /usr/local/src and in my
/var/www/cgi-bin, but found nothing about dialup_admin.

I am running:

ICRadius 0.17b
RedHat 7.2 (all updates)
MySQL 3.23.28

Thanks,
Scott Miller

- Original Message -
From: Chris Parker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 09, 2002 11:35 AM
Subject: Re: usage.cgi problems


 At 11:27 AM 12/9/2002 -0700, Scott Miller wrote:
 Has anyone worked up a new variation of the usage.cgi script that will
allow
 users to check their usage online?  I can't seem to get mine working
 properly.

 See the 'dialup_admin' project which is packaged with the server.

 -Chris
 --
 \\\|||///  \  StarNet Inc.  \ Chris Parker
 \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
 | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
 oOo---(_)---oOo--\--
\ Wholesale Internet Services - http://www.megapop.net






Re: usage.cgi problems

2002-12-09 Thread Alan DeKok
Scott Miller [EMAIL PROTECTED] wrote:
 I'm not finding it.  I've looked in /usr/local/src and in my
 /var/www/cgi-bin, but found nothing about dialup_admin.
 
 I am running:
 
 ICRadius 0.17b

  Then why are you asking questions on the FreeRADIUS list?

  Alan DeKok.




RE: usage.cgi problems

2002-12-09 Thread John Gruber
Hello,

From what I read in the proxy file, after the huntgroups file is processed..
it's off to the realm for proxy.

Here is my issue.  Today I have freeradius .8 allowing certain NPANXX from
the Calling-Station-ID Attribute when you come from a tollfree number.

ie:


DEFAULT Called-Station-ID =~ 800|888|866, Calling-Station-ID =~ NPANXX
        Fall-Through = No

This works great. We are being merged into another Radius implementation
that does not have the ability to filter on Calling-Station-ID.

I would like to frontend the lesser implementation with freeradius such
that I can filter the Calling-Station-ID as before (to reject any NPANXX not
on the list) and then after processing the user file proceed to proxy (based
on realm) to the lesser implementation.

Currently I :

authorize {
    preprocess
    files
    sql
}

How do I replace sql with the proxy process? Can I do that?

Thanks,

John





Proxy Config Using Auth Attributes

2002-12-09 Thread QCI Internet
Is it possible to set up proxy radius not based so much on realms but based
on Key/Value pairs in the authentication packets? For example, I have many
resellers and I need to be able to proxy requests based on DNIS
(CalledStationID) or even just the last 4 digits of the DNIS.





FreeRADIUS not authing via SQL

2002-12-09 Thread JP Hindin

Greetings;
I've been trying to make FR auth using its SQL module (through MySQL to be
specific) and am having no luck whatsoever.
I've thoroughly consulted the frontios.com/freeradius.html
documentation and just can't seem to make this work.
I swear, if someone helps me work this out, I'll write the freakin'
FreeRADIUS SQL auth documentation myself, 'cos this is bugging me.

The relevant parts of the radiusd.conf:
authorize {
    preprocess
    suffix
    sql
    files
}

authentication {
}

preacct {
    preprocess
    suffix
    files
}

accounting {
    acct_unique
    detail
    unix    # wtmp file
    sql
    radutmp
}

My SQL data:
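mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  2 | testuser | dynamic   |
+----+----------+-----------+
mysql> select * from radcheck;
+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value    |
+----+----------+-----------+----+----------+
|  2 | testuser | Password  | == | testpass |
+----+----------+-----------+----+----------+
mysql> select * from radgroupreply;
+----+-----------+--------------------+----+---------------------+------+
| id | GroupName | Attribute          | op | Value               | prio |
+----+-----------+--------------------+----+---------------------+------+
|  1 | dynamic   | Auth-Type          | := | Local               |    0 |
|  2 | dynamic   | Service-Type       | =  | Framed-User         |    0 |
|  3 | dynamic   | Framed-Protocol    | =  | PPP                 |    0 |
|  4 | dynamic   | Framed-Compression | =  | Van-Jacobsen-TCP-IP |    0 |
|  5 | dynamic   | Framed-MTU         | =  | 1500                |    0 |
+----+-----------+--------------------+----+---------------------+------+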

The command I'm using to test:
[jphindin@server bin]$ ./radtest testuser testpass localhost 66 *password*
Sending Access-Request of id 251 to 127.0.0.1:1812
User-Name = testuser
User-Password = \017j\264\354\345\300\311\311\014\317j\215a\310cM
NAS-IP-Address = server
NAS-Port = 66
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=251, length=20

The relevant 'radiusd -X' output:
rad_recv: Access-Request packet from host 127.0.0.1:33643, id=102, length=60
User-Name = testuser
User-Password = testpass
NAS-IP-Address = 255.255.255.255
NAS-Port = 66
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
radius_xlat:  'testuser'
rlm_sql (sql): sql_set_user escaped user -- 'testuser'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'testuser' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'testuser' ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'testuser' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'testuser' ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND 
usergroup.GroupName = radgroupreply. GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns ok
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
auth: Failed to validate the user.
Login incorrect: [testuser/testpass] (from client localhost port 66)

JP





radiusd.conf

2002-12-09 Thread Bill
Hello!
Can someone send me a radiusd.conf example that would show a connection for 
an AS5200 or similar? I have FreeRadius running on Suse 8.0. I'm currently 
a wireless provider going to dial-up also. When I try to connect, the Cisco 
box says that it can't find the Radius server. I have port 1645 loaded on 
both units as well as the key secret. I'm thinking I'm still missing 
something in the radiusd.conf file.
Thanks,
Bill




Re: usage.cgi problems

2002-12-09 Thread Scott Miller
yep, you're right, wrong list.  Sorry about my oversight.

Scott

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 09, 2002 2:21 PM
Subject: Re: usage.cgi problems


 Scott Miller [EMAIL PROTECTED] wrote:
  I'm not finding it.  I've looked in /usr/local/src and in my
  /var/www/cgi-bin, but found nothing about dialup_admin.
 
  I am running:
 
  ICRadius 0.17b

   Then why are you asking questions on the FreeRADIUS list?

   Alan DeKok.




RE: radiusd.conf

2002-12-09 Thread Tim D. McCracken

This doesn't exactly answer your question, but I found it helpful.

Go to www.dialways.com and download radping.  It is a win client
to test radius servers.  Once you get that working, then worry
about your cisco box.

Tim

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Bill
 Sent: Monday, December 09, 2002 5:01 PM
 To: [EMAIL PROTECTED]
 Subject: radiusd.conf


 Hello!
 Can someone send me a radiusd.conf example that would show a
 connection for
 an AS5200 or similar? I have FreeRadius running on Suse 8.0. I'm
 currently
 a wireless provider going to dial-up also. When I try to connect,
 the Cisco
 box says that it can't find the Radius server. I have port 1645 loaded on
 both units as well as the key secret. I'm thinking I'm still missing
 something in the radiusd.conf file.
 Thanks,
 Bill





Re: radiusd.conf

2002-12-09 Thread William Ragsdale
On Mon, 09 Dec 2002 17:01:05 -0600 Bill [EMAIL PROTECTED] wrote:

 Hello!
 Can someone send me a radiusd.conf example that would show a connection
 for 
 an AS5200 or similar? I have FreeRadius running on Suse 8.0. I'm
 currently 
 a wireless provider going to dial-up also. When I try to connect, the
 Cisco 
 box says that it can't find the Radius server. I have port 1645 loaded
 on 
 both units as well as the key secret. I'm thinking I'm still missing 
 something in the radiusd.conf file.
 Thanks,

Greetings,
  Did you specify port 1645 on your FreeRadius daemon?  By default it uses
port 1812 for authentication.


-- 

·William Ragsdale   ·http://www.netonecom.net
·Server Administrator ·Office Hours ·NetOne Communications, Inc.
·Work: 231-734-2917 10AM - 7PM  ·2186 US 10
·FAX:  231-734-6395 ·Sears, MI  49679





Re: radiusd.conf

2002-12-09 Thread Evren Yurtesen
Good point, Cisco uses 1645 by default if you don't specify it in the
configuration. =)

Evren

On Mon, 9 Dec 2002, William Ragsdale wrote:

 On Mon, 09 Dec 2002 17:01:05 -0600 Bill [EMAIL PROTECTED] wrote:
 
  Hello!
  Can someone send me a radiusd.conf example that would show a connection
  for 
  an AS5200 or similar? I have FreeRadius running on Suse 8.0. I'm
  currently 
  a wireless provider going to dial-up also. When I try to connect, the
  Cisco 
  box says that it can't find the Radius server. I have port 1645 loaded
  on 
  both units as well as the key secret. I'm thinking I'm still missing 
  something in the radiusd.conf file.
  Thanks,
 
 Greetings,
   Did you specify port 1645 on your FreeRadius daemon?  By default it uses
 port 1812 for authentication.
 
 
 -- 
 
 ·William Ragsdale   ·http://www.netonecom.net
 ·Server Administrator ·Office Hours ·NetOne Communications, Inc.
 ·Work: 231-734-2917 10AM - 7PM  ·2186 US 10
 ·FAX:  231-734-6395 ·Sears, MI  49679
 
 



Can't authenticate with MySQL

2002-12-09 Thread Mike Paneth

I have got FR 0.8  MySQL up and running on
LINUX 8, but I cannot authenticate.  Where am
I going wrong?

Mike Paneth

I issue the following test message
[root@Psyche root]# radtest root emptar1
localhost 0 testing123

and get the following response

Sending Access-Request of id 197 to
127.0.0.1:1812
User-Name = root
User-Password =
\303\343W\035W\376\372\016\277\315\311x\220\341\255-
NAS-IP-Address = Psyche
NAS-Port = 0
rad_recv: Access-Accept packet from host
127.0.0.1:1812, id=197, length=20
[root@Psyche root]# radtest bob bobbob
localhost 0 testing123
Sending Access-Request of id 201 to
127.0.0.1:1812
User-Name = bob
User-Password =
\272-\207W\306\206\372\316\200\214\202q\002WeQ
NAS-IP-Address = Psyche
NAS-Port = 0
rad_recv: Access-Reject packet from host
127.0.0.1:1812, id=201, length=20

The user bob has been set up on MySQL
mysql> select * from radcheck;
+----+----------+-----------+--------+------+
| id | UserName | Attribute | Value  | op   |
+----+----------+-----------+--------+------+
|  1 | bob      | password  | bobbob | NULL |
+----+----------+-----------+--------+------+
1 row in set (0.00 sec)

mysql> select * from radacct;
Empty set (0.00 sec)

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | bob      | dynamic   |
+----+----------+-----------+
1 row in set (0.00 sec)
 
Looking at the FR dialog I get the following.

rad_recv: Access-Request packet from host
127.0.0.1:32769, id=201, length=55
User-Name = bob
User-Password = bobbob
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module preprocess
returns ok
rlm_realm: No '@' in User-Name = bob,
looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns
noop
radius_xlat:  'bob'
rlm_sql (sql): sql_set_user escaped user --
'bob'
radius_xlat:  'SELECT
id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'bob' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql: The 'op' field for attribute
'password = bobbob' is NULL, or non-existent.
rlm_sql: You MUST FIX THIS if you want the
configuration to behave as you expect.
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'bob' AND
usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT
id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'bob' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE
usergroup.Username = 'bob' AND
usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns ok
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
  modcall[authenticate]: module unix
returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
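
The rlm_sql warning in the debug output above (a NULL 'op' field in radcheck) can be caught before running radtest by auditing the tables. This is an added example, not part of the original posts or of FreeRADIUS: it uses Python's sqlite3 as an offline stand-in for MySQL, the rows are constructed to mirror the listings on this page, and it also flags Auth-Type stored in a reply table, which this example treats as misplaced on the assumption that Auth-Type is a server-side check item.

```python
import sqlite3

CHECK_TABLES = ("radcheck", "radgroupcheck")
REPLY_TABLES = ("radreply", "radgroupreply")

# Operators that appear on this page (the rlm_attr_filter excerpt, the
# posted tables and the Cistron compatibility log lines).
VALID_OPS = {"=", ":=", "==", "+=", "=*", "!*", "!=",
             ">=", "<=", ">", "<", "=~", "!~"}

# Assumption of this example: these attributes steer the server itself and
# only take effect as check items, never as reply items.
SERVER_SIDE = {"auth-type"}


def build_sample_db():
    """In-memory tables with the column names shown in the posts (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    for table in CHECK_TABLES + REPLY_TABLES:
        owner = "GroupName" if "group" in table else "UserName"
        conn.execute(
            f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, {owner} TEXT, "
            "Attribute TEXT, Value TEXT, op TEXT)"
        )
    conn.executemany(
        "INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)",
        [
            (1, "bob", "password", "bobbob", None),          # op left NULL
            (2, "testuser", "Password", "testpass", "=="),
        ],
    )
    conn.executemany(
        "INSERT INTO radgroupreply VALUES (?, ?, ?, ?, ?)",
        [
            (1, "dynamic", "Auth-Type", "Local", ":="),      # check item in reply table
            (2, "dynamic", "Service-Type", "Framed-User", "="),
            (3, "dynamic", "Framed-MTU", "1500", "="),
        ],
    )
    return conn


def audit(conn):
    """Return (table, id, attribute, problem) for every suspicious row."""
    findings = []
    for table in CHECK_TABLES + REPLY_TABLES:
        rows = conn.execute(f"SELECT id, Attribute, op FROM {table} ORDER BY id")
        for row_id, attribute, op in rows:
            if op is None or not op.strip():
                findings.append((table, row_id, attribute, "op is NULL or empty"))
            elif op not in VALID_OPS:
                findings.append((table, row_id, attribute, f"unknown op {op!r}"))
            if table in REPLY_TABLES and attribute.lower() in SERVER_SIDE:
                findings.append(
                    (table, row_id, attribute, "check item stored in a reply table")
                )
    return findings


if __name__ == "__main__":
    for finding in audit(build_sample_db()):
        print("%s id=%s %s: %s" % finding)
```
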



Re: Can't authenticate with MySQL

2002-12-09 Thread Evren Yurtesen
Do you think it's even checking the MySQL database? Did you try to run
freeradius with the -xx option?
By the way, the op field should be :=, shouldn't it?

Evren

On Tue, 10 Dec 2002, Mike Paneth wrote:

 
 I have got FR 0.8  MySQL up and running on
 LINUX 8, but I cannot authenticate.  Where am
 I going wrong?
 
 Mike Paneth
 
 I issue the following test message
 [root@Psyche root]# radtest root emptar1
 localhost 0 testing123
 
 and get the following response
 
 Sending Access-Request of id 197 to
 127.0.0.1:1812
 User-Name = root
 User-Password =
 \303\343W\035W\376\372\016\277\315\311x\220\341\255-
 NAS-IP-Address = Psyche
 NAS-Port = 0
 rad_recv: Access-Accept packet from host
 127.0.0.1:1812, id=197, length=20
 [root@Psyche root]# radtest bob bobbob
 localhost 0 testing123
 Sending Access-Request of id 201 to
 127.0.0.1:1812
 User-Name = bob
 User-Password =
 \272-\207W\306\206\372\316\200\214\202q\002WeQ
 NAS-IP-Address = Psyche
 NAS-Port = 0
 rad_recv: Access-Reject packet from host
 127.0.0.1:1812, id=201, length=20
 
 The user bob has been set up on MySQL
 mysql select * from radcheck;
 ++--+---++--+
 | id | UserName | Attribute | Value  | op   |
 ++--+---++--+
 |  1 | bob  | password  | bobbob | NULL |
 ++--+---++--+
 1 row in set (0.00 sec)
 
 mysql select * from radacct;
 Empty set (0.00 sec)
 
 mysql select * from usergroup;
 ++--+---+
 | id | UserName | GroupName |
 ++--+---+
 |  1 | bob  | dynamic   |
 ++--+---+
 1 row in set (0.00 sec)
  
 Looking at the FR dialog I get the following.
 
 rad_recv: Access-Request packet from host
 127.0.0.1:32769, id=201, length=55
 User-Name = bob
 User-Password = bobbob
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 0
 modcall: entering group authorize
   modcall[authorize]: module preprocess
 returns ok
 rlm_realm: No '@' in User-Name = bob,
 looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns
 noop
 radius_xlat:  'bob'
 rlm_sql (sql): sql_set_user escaped user --
 'bob'
 radius_xlat:  'SELECT
 id,UserName,Attribute,Value,op FROM radcheck
 WHERE Username = 'bob' ORDER BY id'
 rlm_sql (sql): Reserving sql socket id: 0
 rlm_sql: The 'op' field for attribute
 'password = bobbob' is NULL, or non-existent.
 rlm_sql: You MUST FIX THIS if you want the
 configuration to behave as you expect.
 radius_xlat:  'SELECT
 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE
 usergroup.Username = 'bob' AND
 usergroup.GroupName = radgroupcheck.GroupName
 ORDER BY radgroupcheck.id'
 radius_xlat:  'SELECT
 id,UserName,Attribute,Value,op FROM radreply
 WHERE Username = 'bob' ORDER BY id'
 radius_xlat:  'SELECT
 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE
 usergroup.Username = 'bob' AND
 usergroup.GroupName = radgroupreply.GroupName
 ORDER BY radgroupreply.id'
 rlm_sql (sql): Released sql socket id: 0
   modcall[authorize]: module sql returns ok
 users: Matched DEFAULT at 152
   modcall[authorize]: module files returns ok
 modcall: group authorize returns ok
   rad_check_password:  Found Auth-Type System
 auth: type System
 modcall: entering group authenticate
   modcall[authenticate]: module unix
 returns notfound
 modcall: group authenticate returns notfound
 auth: Failed to validate the user.
 Delaying request 4 for 1 seconds
 Finished request 4
 



dictionary...

2002-12-09 Thread Sergio de Almeida Lenzi
Hello list
I have just built the Freeradius on a FreeBSD with support for postgres.
The system builds ok but I cannot find any information about how to load 
the dictionary into the sql table (dictionary).
Would someone send me an example of how the table would be?? 
an 'select * from dictionary'  would help...
Thanks for any help.




:= or ==

2002-12-09 Thread Evren Yurtesen
So what would it matter if it is := ?
I use that one in my conf files? I checked man 5 users but it is not very
clear to me what it means by 'replaces' etc.

Evren

On Mon, 9 Dec 2002, Ray wrote:

 On Monday 09 December 2002 6:51, you wrote:
 
  [root@Psyche root]# radtest root emptar1
  Sending Access-Request of id 197 to
  127.0.0.1:1812
  User-Name = root
  rad_recv: Access-Accept packet from host
 
  [root@Psyche root]# radtest bob bobbob
  Sending Access-Request of id 201 to
  127.0.0.1:1812
  User-Name = bob
  rad_recv: Access-Reject packet from host
 
 
  The user bob has been set up on MySQL
  mysql select * from radcheck;
  ++--+---++--+
  | id | UserName | Attribute | Value  | op   |
  |  1 | bob  | password  | bobbob | NULL |
  1 row in set (0.00 sec)
 
 the op in radcheck should be == (though :=   and the others are valid)
 
  mysql select * from radacct;
 
 radacct is just an accounting table, radtest normally doesn't cause anything 
 to show up here, nor do you normally manually add anything to it.
 
 
  mysql select * from usergroup;
  ++--+---+
  | id | UserName | GroupName |
  |  1 | bob  | dynamic   |
 
 is there anything setup in radgroupcheck or radgroupreply? if not, then there 
 isn't much point in assigning groups.
 
 though you could just do something like
 MySQL insert into radgroupreply values (null, 'dynamic', 'Framed-MTU', 
 '576', ':=');
 
  modcall: entering group authenticate
modcall[authenticate]: module unix
  returns notfound
 
 it says bob/bobbob is not a user on your machine, but since you're trying to 
 auth via MySQL you probably aren't looking to auth via real users.
 if so then in radius.conf you should comment out the unix from the auth 
 section. 
 
 i've only been playing with FR for the past few months a few hours here and 
 there. so don't assume i know what i'm talking about, but if it works for 
 you, then great.
 



Re: := or ==

2002-12-09 Thread Ray a PowerWeb Tech
the only thing that seems to give any clue for := vs == is doc/rlm_attr_filter
[snip]
 o  The operators used for specifying the attributes are as follows:

   =    -  NOT ALLOWED.  If used, it becomes ==

   :=   -  Set ( used to ensure a specific a/v is present )
   ==   -  Equal  ( exact )
   =*   -  Always Equal ( will allow all values for attribute )
   !*   -  Always Not Equal ( will block all values for attribute )
   !=   -  Not equal
   >=   -  Greater than or equal to
   <=   -  Less than or equal to
   >    -  Greater than
   <    -  Less than

   If you have regular expressions enabled you also have:

   =~   -  Regular expression equal
   !~   -  Regular expression not equal
[/snip]

so in theory, if these operators are the same everywhere (just an assumption, 
but i don't feel like digging into the source to find out for sure) then a 
radcheck with password := 123456 would set the password to 123456 and 
password == 123456 would see if the password is 123456


On Monday 09 December 2002 8:03, you wrote:
 so what would it matter if it is := ?
 I use that one in my conf files? I checked man 5 users but it is not very
 clear to me what it means by 'replaces' etc.

 Evren

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
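
A small model of the operator meanings listed in the excerpt above, added here as an example (it is not FreeRADIUS code and not from the original posts). It assumes the check-item semantics described in users(5): ':=' always matches and stores the value in the configuration list, while '==' compares against the request. The local_auth helper is a hypothetical stand-in for the later password comparison, and all sample values are constructed.

```python
import hmac
import re


def _coerce(a, b):
    """Compare as integers when both values parse as integers, else as strings."""
    try:
        return int(a), int(b)
    except (TypeError, ValueError):
        return str(a), str(b)


def item_matches(op, have, want):
    """Evaluate one check item; `have` is the request value, or None if absent."""
    if op == "=":        # per the excerpt: not allowed, treated as ==
        op = "=="
    if op == ":=":       # Set: never filters the request
        return True
    if op == "!*":       # users(5) reading: matches only when the attribute is absent
        return have is None
    if have is None:     # every remaining operator needs the attribute to be present
        return False
    if op == "=*":       # present, whatever the value
        return True
    if op in ("=~", "!~"):
        found = re.search(want, have) is not None
        return found if op == "=~" else not found
    x, y = _coerce(have, want)
    results = {"==": x == y, "!=": x != y, ">=": x >= y,
               "<=": x <= y, ">": x > y, "<": x < y}
    if op not in results:
        raise ValueError(f"unknown operator {op!r}")
    return results[op]


def match_check_items(request, check_items):
    """Return (matched, config): config holds the values placed by ':=' items."""
    config = {}
    for attribute, op, value in check_items:
        if not item_matches(op, request.get(attribute), value):
            return False, {}
        if op == ":=":
            config[attribute] = value   # goes to the config list, not the request
    return True, config


def local_auth(request, config):
    """Hypothetical authenticate step: request password vs. the configured one."""
    known = config.get("Password")
    supplied = request.get("User-Password")
    if known is None or supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), known.encode())


# Constructed sample data (addresses are from the documentation range).
CHECK_SET = [("NAS-IP-Address", "==", "192.0.2.10"), ("Password", ":=", "bobbob")]
CHECK_EQ = [("NAS-IP-Address", "==", "192.0.2.10"), ("User-Password", "==", "bobbob")]
GOOD = {"User-Name": "bob", "User-Password": "bobbob", "NAS-IP-Address": "192.0.2.10"}
BAD = dict(GOOD, **{"User-Password": "wrong"})

if __name__ == "__main__":
    for name, request in (("good", GOOD), ("bad", BAD)):
        matched, config = match_check_items(request, CHECK_SET)
        print(name, ":=", matched, local_auth(request, config))
        print(name, "==", match_check_items(request, CHECK_EQ)[0])
```

In this model a wrong password still passes the ':=' check item and is rejected only at the password comparison, whereas with '==' the entry never matches.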



freeradius using PAM to authenticate thru NT domain

2002-12-09 Thread Rodolfo Siviero Stein
	Hello guys,

	I am trying to configure a freeradius server to authenticate users in an 
NT Domain.   I am using RedHat 7.3,  but I am a newbie with smb related things.

	I don't understand PAM very well,  so I don't know if my PAM_SMB 
configuration is working  (I did it using authconfig)

	Can anybody send me a working  radiusd  PAM file (my files are above)?

	Is this way ( freeradius - PAM - pam_smb - NT Domain) the best way to 
authenticate these users ?  I see in the experimental.conf about a SMB 
authentication type ,  but I don't know how to use it.

	Please,  any comments,  links, howto, anything are welcome.  :)

	Rodolfo

My radiusd PAM file is:

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

and the system-auth  PAM file is:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_smb_auth.so use_first_pass nolocal
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

	




Re: := or ==

2002-12-09 Thread Evren Yurtesen
I don't understand actually, if == checks if the a/v is 'equal' then it
must also ensure that it is present.

About := replacing passwords =) I feel like from another planet. It might
only work in a reply item I think. Wouldn't the person authenticate all the
time if it was replacing the a/v pairs in the request?

Anyhow I will change to == just to obey the standards although I think :=
is working also for me...

Evren

On Mon, 9 Dec 2002, Ray a PowerWeb Tech wrote:

> the only thing that seems to give any clue for := vs == is doc/rlm_attr_filter
> [snip]
>   o  The operators used for specifying the attributes are as follows:
>
>    =    -  NOT ALLOWED.  If used, it becomes ==
>
>    :=   -  Set ( used to ensure a specific a/v is present )
>    ==   -  Equal  ( exact )
>    =*   -  Always Equal ( will allow all values for attribute )
>    !*   -  Always Not Equal ( will block all values for attribute )
>    !=   -  Not equal
>    >=   -  Greater than or equal to
>    <=   -  Less than or equal to
>    >    -  Greater than
>    <    -  Less than
>
>    If you have regular expressions enabled you also have:
>
>    =~   -  Regular expression equal
>    !~   -  Regular expression not equal
> [/snip]
>
> so in theory, if these operators are the same everywhere (just an assumption,
> but i don't feel like digging into the source to find out for sure) then a
> radcheck with password := 123456 would set the password to 123456 and
> password == 123456 would see if the password is 123456
>
>
> On Monday 09 December 2002 8:03, you wrote:
> > so what would it matter if it is := ?
> > I use that one in my conf files? I checked man 5 users but it is not very
> > clear to me what it means by 'replaces' etc.
> >
> > Evren
 





Re: := or ==

2002-12-09 Thread Ray
both are right, but they have their place (assuming i'm reading the docs
right, and assuming my other assumptions about it are correct)

:= in the replies and == in the checks unless you're doing something that the
check needs to be something else.

i agree, i can't see using anything other than := in the replies.

On Monday 09 December 2002 8:19, you wrote:
> I don't understand actually, if == checks if the a/v is 'equal' then it
> must also ensure that it is present.
>
> About := replacing passwords =) I feel like from another planet. It might
> only work in a reply item I think. Wouldn't the person authenticate all the
> time if it was replacing the a/v pairs in the request?
>
> Anyhow I will change to == just to obey the standards although I think :=
> is working also for me...
>
> Evren
>
> On Mon, 9 Dec 2002, Ray a PowerWeb Tech wrote:
> > the only thing that seems to give any clue for := vs == is
> > doc/rlm_attr_filter [snip]
> >   o  The operators used for specifying the attributes are as follows:
> >
> >    =    -  NOT ALLOWED.  If used, it becomes ==
> >
> >    :=   -  Set ( used to ensure a specific a/v is present )
> >    ==   -  Equal  ( exact )
> >    =*   -  Always Equal ( will allow all values for attribute )
> >    !*   -  Always Not Equal ( will block all values for attribute )
> >    !=   -  Not equal
> >    >=   -  Greater than or equal to
> >    <=   -  Less than or equal to
> >    >    -  Greater than
> >    <    -  Less than
> >
> >    If you have regular expressions enabled you also have:
> >
> >    =~   -  Regular expression equal
> >    !~   -  Regular expression not equal
> > [/snip]
> >
> > so in theory, if these operators are the same everywhere (just an
> > assumption, but i don't feel like digging into the source to find out for
> > sure) then a radcheck with password := 123456 would set the password to
> > 123456 and password == 123456 would see if the password is 123456
> >
> > On Monday 09 December 2002 8:03, you wrote:
> > > so what would it matter if it is := ?
> > > I use that one in my conf files? I checked man 5 users but it is not
> > > very clear to me what it means by 'replaces' etc.
> > >
> > > Evren

---

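The check-item behaviour debated in this thread, as an added example (not from any poster and not FreeRADIUS source code): a simplified Python model of how `:=` and `==` act as check items according to the users(5) man page. The function names, the sample entry and the sample requests are constructed for illustration.

```python
# Simplified model of users-file check-item matching; NOT FreeRADIUS source code.
# Operator meanings follow the users(5) man page; all names here are hypothetical.
import hmac
import re

COMPARE = {
    "==": lambda have, want: have == want,
    "!=": lambda have, want: have != want,
    ">=": lambda have, want: int(have) >= int(want),
    "<=": lambda have, want: int(have) <= int(want),
    ">":  lambda have, want: int(have) > int(want),
    "<":  lambda have, want: int(have) < int(want),
    "=~": lambda have, want: re.search(want, have) is not None,
    "!~": lambda have, want: re.search(want, have) is None,
}

def match_entry(check_items, request):
    """Return (matched, config) for one entry's check items.

    ':=' never inspects the request: it always matches and sets a
    configuration item. Every other operator compares against an
    attribute that must be present in the request.
    """
    config = {}
    for attr, op, value in check_items:
        if op == ":=":
            config[attr] = value
        elif attr not in request or not COMPARE[op](request[attr], value):
            return False, {}
    return True, config

def pap_accept(request, config):
    """Compare the password the user sent with the known-good config item."""
    known_good = config.get("User-Password")
    if known_good is None:
        return False  # the entry supplied nothing to compare against
    sent = request.get("User-Password", "")
    return hmac.compare_digest(sent.encode(), known_good.encode())

# Constructed sample entry and requests (all values are made up).
ENTRY = [("User-Password", ":=", "123456"), ("NAS-IP-Address", "==", "192.0.2.10")]
GOOD = {"User-Name": "evren", "User-Password": "123456", "NAS-IP-Address": "192.0.2.10"}
BAD_PW = dict(GOOD, **{"User-Password": "guess"})
OTHER_NAS = dict(GOOD, **{"NAS-IP-Address": "192.0.2.99"})

def decide(request):
    """Entry must match, then the sent password must equal the config item."""
    matched, config = match_entry(ENTRY, request)
    return matched and pap_accept(request, config)
```

In this model a wrong password still matches the entry, because `:=` writes to the configuration items rather than the request, and the login is rejected at the password comparison.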



set up question

2002-12-09 Thread Bill Flood
Hello!

I have a question.  I have a Cisco AS5200.  It was suggested that I 
place the public IPs into the AS5200, however there are provisions in 
freeradius to do this also.  Which is the correct way, put the Public IPs 
into the RAS or the radius?

Thanks,

Bill

