Redirect homepage with filter
Hi there. Glad to join the list. I'm facing a puzzle dealing with RADIUS; the whole problem doesn't make sense to me, but I'm still trying to find a way. (I work at an ISP in Brazil.) The classic situation: once my customer dials in and authenticates, he will have an assigned filter, i.e. if he hasn't paid his prepaid account. With this filter, I can say what (IP) addresses and/or services he can or cannot access. Regular customers have no filters. The question: is there some way, using RAS filters activated by the RADIUS server, to "force" my filtered customer to open some default homepage in his browser? In other words, no matter what website he tries to reach, he's redirected (at his first try) to www.rantac.com.br/payme.html? I'm not using a proxy. And I can't imagine how to combine iptables (or another packet filter) to redirect the customer's IP to some URL based on the RAS/RADIUS filter. Any tip? Is this really impossible? Fernando.
Re: Redirect homepage with filter
Yes, you're looking for a captive portal or walled garden. This really has nothing to do with FreeRADIUS. See http://www.personaltelco.net/index.cgi/PortalSoftware for a mix of commercial and open source solutions. --Matt - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How to use Calling-Station-Id to filter client's MAC
Hi all, I tried to use the attribute Calling-Station-Id to filter the client's MAC, but it doesn't work (it can't filter the client's MAC). Can anybody tell me how to configure FreeRADIUS? Thanks a lot!! The following is my config:
test Auth-Type := EAP, User-Password = test
     Calling-Station-Id = 00-10-11-11-11-11
Kevin
problems with logout
Hi, I have some problems when users log out. Sometimes the change_logout query (I'm using freeradius 0.6 (I'll upgrade to 0.8 soon) and MySQL to store users' data) is not executed, so the users keep the busy attribute in radcheck. This prevents the users from logging in again (only one session is permitted for each user). This happens rarely, but I'm very worried about it. Any hint will be greatly appreciated. Thanks in advance, Giuliano
Security flaw in EAP/TLS
I'm using EAP/TLS authentication with an Aironet 350 AP and a Win2k client. The Win2k client (like the NT client) allows you to specify a login name different from the name within the certificate. Now, the user name in the cert is used for auth, but the (different) login name is stored in the UserName attribute of my accounting table (MySQL). If I know a valid user other than me, I can log in with my cert but let the other one pay for it. Is there a way to make sure that the user name and the login name are the same?
Re: rlm_sqlcounter
./configure --with-rlm_sql_counter (see ./configure --help) Peter Santiago wrote: how do I include rlm_sqlcounter in the compilation? Thanks
RE: Security flaw in EAP/TLS
From: Klaus Heck [mailto:[EMAIL PROTECTED]] Sent: 11 December 2002 13:06 To: [EMAIL PROTECTED] Subject: Security flaw in EAP/TLS I'm using EAP/TLS authentication with an Aironet 350 AP and a Win2k client. The Win2k client (like the NT client) allows you to specify a login name different from the name within the certificate. Now, the user name in the cert is used for auth, but the (different) login name is stored in the UserName attribute of my accounting table (MySQL). If I know a valid user other than me, I can log in with my cert but let the other one pay for it. Yes, this was discussed on this list a couple of weeks ago: http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg11193.html Is there a way to make sure that the user name and the login name are the same? Sure, but you will have to add code to the rlm_eap_tls module.
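An added example, not code from this thread or from FreeRADIUS's rlm_eap_tls: the check the reply says has to be added to the module, sketched in Python so the decision logic can be run on its own. It assumes the certificate subject is available in OpenSSL's one-line form ("/C=BR/O=Example ISP/CN=alice"), that the login name is the RADIUS User-Name, and that a realm suffix on the User-Name is stripped before comparing only when the CN carries none; all names are constructed.

```python
# Added example (not from the thread or from FreeRADIUS's rlm_eap_tls).
# Binds the RADIUS User-Name (the "login name" that ends up in accounting)
# to the CN of the client certificate that actually authenticated, so a
# user cannot authenticate with their own cert while billing another account.
# Assumptions: subject in OpenSSL one-line form ("/C=BR/O=Example ISP/CN=alice");
# constructed sample names throughout.

from typing import Dict, Optional


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse an OpenSSL one-line subject ("/C=BR/O=Ex/CN=alice") into a dict.

    Components are separated by '/', each is KEY=VALUE; a repeated key keeps
    the last value. Empty or malformed components are ignored.
    """
    fields: Dict[str, str] = {}
    for component in subject.split("/"):
        key, sep, value = component.partition("=")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def login_name_from_user_name(user_name: str, cert_cn: str) -> str:
    """Strip a realm suffix ("alice@paris" -> "alice") only when the CN has none."""
    if "@" in user_name and "@" not in cert_cn:
        return user_name.split("@", 1)[0]
    return user_name


def identity_matches(user_name: str, cert_subject: str) -> bool:
    """Return True only if the certificate CN is exactly the login name.

    The comparison is case-sensitive and whole-string on purpose: the
    accounting records are keyed on User-Name, so anything looser lets a
    similar-looking name be billed for someone else's session.
    """
    cn: Optional[str] = parse_subject(cert_subject).get("CN")
    if not cn:
        return False  # no CN to bind to: refuse rather than guess
    return login_name_from_user_name(user_name, cn) == cn


def check_request(user_name: str, cert_subject: str) -> str:
    """Decision the module would return for an EAP-TLS request: accept/reject."""
    if identity_matches(user_name, cert_subject):
        return "accept"
    return "reject: User-Name %r does not match certificate CN" % user_name


if __name__ == "__main__":
    # Constructed sample: alice's cert presented once with alice's login name
    # and once with bob's login name (the case the thread describes).
    print(check_request("alice", "/C=BR/O=Example ISP/CN=alice"))
    print(check_request("bob", "/C=BR/O=Example ISP/CN=alice"))
```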
NAS Validation via MySQL
Good Morning! I've just migrated from IC-Radius to FreeRADIUS. Everything is working fine, and I *AM* authenticating users via MySQL. But I'd like to validate my NAS through MySQL too. Is that possible in FreeRADIUS? On IC-Radius it was. Thanks for now, Hélio Rubens Kamogawa - System Programalist, Central Server Informatica, www.centralserver.com.br [EMAIL PROTECTED] +55 41 324-1993
(no subject)
I have installed FreeRADIUS with ./configure, make and make install. I have added
lolo Password = lolo
     Reply-Message = Hola, lolo
to the file users, and started the server with radiusd -X. But when I use radtest the server doesn't accept the user:
radtest lolo lolo localhost 0 testing123
and the server shows:
rad_recv: Access-Request packet from host 127.0.0.1:1047, id=233, length=56
User-Name = lolo
User-Password = lolo
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module chap returns noop
modcall[authorize]: module mschap returns notfound
rlm_realm: No '@' in User-Name = lolo, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate
rlm_unix: [lolo]: invalid password
modcall[authenticate]: module unix returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 233 to 127.0.0.1:1047
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 233 with timestamp 3df74acc
Nothing to do. Sleeping until we see a request.
Can somebody help me to configure FreeRADIUS?
Re: (no subject)
Did you try setting User-Password instead of Password? On Wed, 11 Dec 2002 [EMAIL PROTECTED] wrote: I have installed FreeRADIUS with ./configure, make and make install. I have added lolo Password = lolo Reply-Message = Hola, lolo to the file users, and started the server with radiusd -X. But when I use radtest the server doesn't accept the user: [...]
understanding MIBs (simultaneous use with cisco's)
Well, I got our AS5200s' simultaneous use to work finally. Now the problem is the Cisco 7500 we have for DSL. checkrad (running full debug mode on radius) shows no response; it looks like the MIBs are wrong. So in this case I have two questions: 1. How do I find the correct MIBs? (Yes, I could run snmpwalk, but I have no idea what I'm doing with that.) 2. Once I do have them, how do I put them into checkrad without wrecking the other Cisco stuff (since they are both Cisco)? I may (or may not) actually have a MIB string for the 7500; I don't understand what this stuff means, so I don't know what to do with it. While on the topic of MIBs, can anyone tell me what this means or what it could be used for: 1.3.6.1.4.1.9.10.19.1.1.4.0:public@usernas2 I think this is the MIB for the IP pool on an AS500, which means it could be used to keep track of how many users are online. Dan.
Re: How to use Calling-Station-Id to filter client's MAC
Kevin [EMAIL PROTECTED] wrote: I tried to use the attribute Calling-Station-Id to filter the client's MAC, but it doesn't work. Wonderful. So I take it you didn't read the FAQ. Alan DeKok.
Re: (no subject)
[EMAIL PROTECTED] wrote: I have installed FreeRADIUS with ./configure, make and make install. I have added lolo Password = lolo Reply-Message = Hola, lolo to the file users, and started the server with radiusd -X. But when I use radtest the server doesn't accept the user: 1) You didn't read the FAQ as to how to test the server. 2) You didn't read the debugging output you posted to the list. Alan DeKok.
Re: MS-CHAPv1 does not encrypt MPPE keys
Dear Martin Gadbois, read doc/rlm_mschap carefully. All you need is to update dictionary.microsoft. --Tuesday, December 10, 2002, 11:46:51 PM, you wrote to [EMAIL PROTECTED]: MG Hello all, MG I found that freeradius-0.8 does not encrypt the MS-CHAPv1 MPPE keys as specified by RFC 2548 sec. MG 2.4.1. MG In fact, that code was commented out. MG Here is the patch: MG - --- freeradius-0.8/src/modules/rlm_mschap/rlm_mschap.cWed Oct 2 10:37:08 2002 MG +++ freeradius-0.8-modif/src/modules/rlm_mschap/rlm_mschap.cTue Dec 10 15:40:33 2002 MG @@ -860,6 +860,7 @@ MG ~ /* now create MPPE attributes */ MG ~ if (inst-use_mppe) { MG ~ if (chap == 1){ MG + int len; MG ~ DEBUG2(rlm_mschap: adding MS-CHAPv1 MPPE keys); MG ~ memset (mppe_sendkey, 0, 32); MG ~ if (smbPasswd.smb_passwd) MG @@ -875,10 +876,10 @@ MG ~ memcpy (mppe_sendkey+8,smbPasswd.smb_nt_passwd,16); MG ~ */ MG ~ md4_calc(mppe_sendkey+8, smbPasswd.smb_nt_passwd,16); MG - -/* MG + MG ~ rad_pwencode(mppe_sendkey, len, MG ~request-secret, request-packet-vector); MG - -*/ MG + MG ~ mppe_add_reply( request-reply-vps, MG ~ MS-CHAP-MPPE-Keys,mppe_sendkey,32); MG ~ } MG Sorry if this is a repeat. MG That code works well with Win2K Professional. MG - -- MG == MG Martin Gadbois MG S/W Developer MG Colubris Networks Inc. MG PS: I do not subscribe to this list... -- ~/ZARAZA
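Review bot: in the second hunk the uncommented call `rad_pwencode(mppe_sendkey, len, request-secret, request-packet-vector)` uses `len`, but the only change touching it is the declaration `+ int len;` in the first hunk, so the length is never assigned before use; set it to the 32-byte key length (the same value passed to `mppe_add_reply`) before the call. Also, as the follow-up in this thread shows, flagging MS-CHAP-MPPE-Keys with `encrypt=1` in dictionary.microsoft already makes the server encrypt the attribute on the way out; encrypting in the module as well would scramble the keys twice.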
Re: Redundant entry for MySQL accounting
On Tue, 10 Dec 2002, Franklin Trumpy wrote: Perhaps try specifying the explicit behavior of the group rather than using redundant { }? From doc/configurable_failover: I should have guessed to do that... It is working, but it is strange that it isn't with redundant{}... Christophe.
Re: MS-CHAPv1 does not encrypt MPPE keys
3APA3A wrote: | Dear Martin Gadbois, | | read doc/rlm_mschap carefully. All you need is to update | dictionary.microsoft. I see. Sorry if I jumped the gun. Ref: - --- dictionary.microsoft Wed Jul 3 14:25:18 2002 +++ mg.raddb/dictionary.microsoft Mon Dec 2 16:20:29 2002 @@ -21,7 +21,7 @@ ~ ATTRIBUTE MS-RAS-Vendor 9 integer # content is Vendor-ID ~ ATTRIBUTE MS-CHAP-Domain 10 string ~ ATTRIBUTE MS-CHAP-Challenge 11 octets - -ATTRIBUTE MS-CHAP-MPPE-Keys 12 octets +ATTRIBUTE MS-CHAP-MPPE-Keys 12 octets encrypt=1 ~ ATTRIBUTE MS-BAP-Usage 13 integer ~ ATTRIBUTE MS-Link-Utilization-Threshold 14 integer # values are 1-100 ~ ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Thanks! - -- == Martin Gadbois S/W Developer Colubris Networks Inc.
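Review bot: the one-line `encrypt=1` change is the whole fix, but the `+++` header shows it applied to a private copy, `mg.raddb/dictionary.microsoft`, while the `---` side is the stock file; make sure the dictionary the running server actually loads is the one carrying the flag, otherwise the keys still go out unencrypted exactly as the first message in this thread observed.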
Re: NAS Validation via MySQL
helio [EMAIL PROTECTED] wrote: I've just migrated from IC-Radius to FreeRADIUS. Everything is working fine, and I *AM* authenticating users via MySQL. But I'd like to validate my NAS through MySQL too. Is that possible in FreeRADIUS? Not right now. As always, patches are welcome. Alan DeKok.
Re: configure attribute
betux [EMAIL PROTECTED] wrote: I can find / set check attributes and reply attributes in the database record. But where can I set configure attributes, since there is no table for them? They're in with the check attributes. Also, where can I find a list of possible configure attributes? Right now, read the dictionaries and examples. Alan DeKok.
Webpage redirect
Hi Matt, and thanks for the tip. Walled Garden sounds fine. I followed the link you sent me; as far as I understood, a captive portal is a kind of gateway with a transparent proxy that redirects the client browser; so, when the customer tries any address, its source is verified by an auth system (if it has already authenticated, he can pass through and go anywhere). It should work for me, even with no auth - simply sending a default webpage to the client with a cookie. Yet, my problem remains: not all my customers should fall into this system - they will (or will not) fit this rule according to some criteria - and RADIUS is my first choice, since everybody must dial in and auth with RADIUS. If I let anyone auth with RADIUS and force everyone to authenticate in the browser to access the web, it will be a great pain for regular customers (90% of the total users); this is the pattern used by free ISPs in Brazil, and it makes these services so boring. Most important, you answered my main question: there's no way to redirect the clients' homepage with any of RADIUS's features, right? RADIUS talks only with the RAS, and not with the end user. So, any solution will require web-proxy redirecting. No other way? Thanks again, Fernando.
Re: mess for NAS-Port-Id and NAS-Port
Genoud Richard [EMAIL PROTECTED] wrote: actually, radutmp doesn't look for a NAS-Port-Id, but for NAS-Port... ... is there something that I don't understand, or is there a big confusion? The RFCs changed the name of the attribute, and then created a *new* attribute, with the same name as before. It's annoying, but not a serious problem. Alan DeKok.
Re: Webpage redirect
At 04:59 PM 12/11/2002 -0300, Fernando Teodoro wrote: [...] Most important, you answered my main question: there's no way to redirect the clients' homepage with any of RADIUS's features, right? RADIUS talks only with the RAS, and not with the end user. So, any solution will require web-proxy redirecting. No other way? There is no specific way via RADIUS directly to make this happen, as routing policy is outside the scope of RADIUS. *HOWEVER* RADIUS can be used to communicate policy routing decisions to the NAS if the NAS supports it. It's a feature of the NAS, not of RADIUS. You can set up Policy Based Routing on a Cisco NAS, for example, triggered by a Cisco VSA attribute you return. You could selectively return the VSA trigger with Group attributes on your RADIUS server. So, to answer your question, it does not require a web-proxy system. It depends on your NAS choice and the capabilities of that NAS. -Chris -- Chris Parker, Director, Engineering, StarNet Inc. - WX *is* Wireless! http://www.starnetwx.net (847) 963-0116 Wholesale Internet Services - http://www.megapop.net
Release of 0.8.1
We are happy to announce the release of version 0.8.1. All users of 0.8 should upgrade. There is no new functionality in this version, but a number of small bugs and concerns have been addressed. The code is available for download at: ftp://ftp.freeradius.org:/pub/radius/freeradius-0.8.1.tar.gz The full change log is below:
FreeRADIUS 0.8.1 ; Date: 2002/12/11 19:22:08 , urgency=low
* String length checking in the PAP module, to avoid false positives in authentications.
* Use proper variable for log/error messages, instead of an uninitialized buffer.
* Perform an SQL 'close' on connections, before doing reconnects. This should fix connection leaks.
* Make the server better look for the return code from checkrad.
* Fixes to better handle Oracle character types from Stocker Gernot.
* Link order fixes for problems with crypt()
* Added Alteon Web switch dictionary, from Thomas Linden.
* Better parsing of dictionary files.
This release is PGP signed: ftp://ftp.freeradius.org:/pub/radius/freeradius-0.8.1.tar.gz.sig with a key from: http:[EMAIL PROTECTED] Alan DeKok.
Re: Webpage redirect
On Wed, 11 Dec 2002, Chris Parker wrote: At 04:59 PM 12/11/2002 -0300, Fernando Teodoro wrote: [...] Most important, you answered my main question: there's no way to redirect the clients' homepage with any of RADIUS's features, right? RADIUS talks only with the RAS, and not with the end user. So, any solution will require web-proxy redirecting. No other way? [...] So, to answer your question, it does not require a web-proxy system. It depends on your NAS choice and the capabilities of that NAS. Of course, if prepaid people dial a different number, and your NAS supports passing that number (Called-Station-Id), you can use this as a criterion for filtering requests to assign a different IP subnet, for example, and other complex hacks, but I'm too much of a newbie to tell you if it will work; you'll have to look into it. -- Simon White, Internet Services Manager, Certified Check Point CCSA. MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. MTDS, 14 rue du 16 novembre, Agdal, Rabat, Morocco. tel +212.3.767.4861 - fax +212.3.767.4863
PEAP support
Lars, I am using the EAP-TLS code base and tweaked it to work up to the point of finishing PEAP Part I. Now XP can talk to my prototype up to Part I. Now I am getting into Part II to send EAP packets under the TLS tunnel. Could you suggest where to add the Part II code given the EAP-TLS code base, and how to bootstrap the EAP code assuming everything recursively happens again? (PEAP is actually EAP-TLS-EAP, am I right?) -Paul
Realms and SQL
Dear all, I was just wondering: when I set up realms through the proxy.conf file, how do I specify that when a request gets authenticated locally it will check the SQL database? At the moment the proxy.conf file has
realm paris {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}
I want it to authenticate against the MySQL database instead of the users file currently specified. Sorry, I have tried a few different combinations and have read the mailing list, but the threads I have read have either no responses or responses that are vague. Thanks in advance, Alan
How to use Calling-Station-Id to filter client's MAC
Could you give more detail about this subject? Thanks a lot. This is my configuration in users:
test Auth-Type := EAP, User-Password test,
     Calling-Station-Id = aa-bb-cc-dd-ee-ff
     Service-Type = Call-Check
This is the debug message:
auth: type EAP
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - md5
rlm_eap: processing type md5
rlm_eap_md5: No password configured for this user
modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
rl_next: returning NULL
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.0.1:1948, id=133, length=149
Sending duplicate authentication reply to client rtest:1948 - ID: 133
Sending Access-Reject of id 133 to 10.1.0.1:1948