Re: Sql authentication

2003-01-10 Thread Andrew Pilley
On Fri, Jan 10, 2003 at 07:50:35PM +0300, CEBKA wrote:
> Hello
> 
> Sorry, if this question took place, but I want to know may rlm_mysql
> module make authentication. If I have a user in radcheck/radreply
> tables with correct AV values, when I use radtest with this username
> and password my server sends Access-Reject packet. This works well
> with local files. So can I do this without local authentication, using
> only MySQL database?

run your freeradius server using the command "radius -x", to get debug
output. you may also want to examine sql.conf, and set some extra
settings there, and make mysql log in fairly verbose terms.

That should show you where the problem is coming from. i had to play
with the exact name of the AV pairs for the password for a day or two to
realise i wanted Crypt-Password for an md5/crypt hash password. make
sure you set Auth-Type, and use the correct entry in the "op" field.

Andrew 'ashridah' Pilley





> 
> -- Best regards,
> CEBKA mailto:[EMAIL PROTECTED]
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Authentication time

2003-01-10 Thread Andrew Pilley
On Fri, Jan 10, 2003 at 10:07:34AM -0500, Roy Wills wrote:
> hmmm i don't think i am explaining this very well. I need some users to only have access for a week
> (ie: monday to following monday) and some users have a month of access (ie: Jan 1 to Jan 31). I do not
> think that actual session times are going to work in this case since they are not actually doing a
> traditional dial-in setup. Radius is just there to have centralized authorization for about 6 networks
> across the city. Is there an attribute to allow from first login to say disable after 7 days or 30 days?

i suspect you'll have to use perl/python and friends to write a script
to check through their logs, and when they reach their limit, modify
their password so they can no longer authenticate properly.

I'm in the middle of doing something similar to work with pre-paid
accounts, but i'm in no position to be giving out code at this time.
in my case, however, i'm adding a Framed-Address reply for that user,
(made easy by using mysql for auth/logging) which belongs to the rfc1918
address range. this allows me to filter any web requests to our own
webpage, which displays an appropriate message (since windows ignores any
ppp messages iirc) allowing us to let them on, but not to do anything
useful (stops people who have autodial from dialing up a fortune in
connect/disconnect charges)

Andrew 'ashridah' Pilley

> 
> 1/10/03 4:18:42 AM, Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> 
> >On Thu, 9 Jan 2003, Roy Wills wrote:
> >
> >> ok...i have read the radiusd.conf and scoured once again the docs and am not
> >> grasping where i need to put the attrib. i have users that only have access
> >> for a week and some for a month. It's
> >> all time-frame based and varies. i guess my question now is do i have a line
> >> like this for every user on top of the accept lines?
> >>DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
> >>Reply-Message = "You've used up more than one hour today"
> >> or do i need to create a db.counter file for these? If this is totally wrong
> >> can you point me to a faq better than the docs that are with it?
> >
> >The docs are really just fine.
> >
> >You can set the corresponding attribute for each user:
> >
> >userweekly   Max-Weekly-Session := 4500
> >
> >usermonthly  Max-Monthly-Session := 45000
> >
> >Just make sure you don't set DEFAULT entries with these attributes.
> >
> >>
> >>
> >> 1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> >>
> >> >Roy Wills <[EMAIL PROTECTED]> wrote:
> >> >> Is there a way to limit the time a user can spend online? What i
> >> >> want to do is say that user X has 1 week of use and after that they
> >> >> are no longer allowed to log in.
> >> >
> >> >  Yes.  Read 'raddb/radiusd.conf', and look for the 'counter' module.
> >> >
> >> >> If so when does the time start, when the first logins or when i put
> >> >> the user/pass in the users file?
> >> >
> >> >  When the user first logs in.
> >> >
> >> >  Alan DeKok.
> >
> >--
> >Kostas Kalevras  Network Operations Center
> >[EMAIL PROTECTED]   National Technical University of Athens, Greece
> >Work Phone:  +30 210 7721861
> >'Go back to the shadow'  Gandalf

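Added example (not part of the original thread): one way to write the log-checking script suggested in the reply above, expiring accounts 7 or 30 days after the first login. It uses sqlite3 in place of MySQL and the radcheck columns seen in the query log elsewhere on this page; the radacct columns, the userplan table and the function names are assumptions, and instead of changing the password it adds an Auth-Type := Reject check item.

```python
import sqlite3
from datetime import datetime, timedelta

# Days of access per plan, counted from the user's first login.
PLAN_DAYS = {"weekly": 7, "monthly": 30}


def build_sample_db():
    """Constructed sample data. sqlite3 stands in for the MySQL database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radacct  (UserName TEXT, AcctStartTime TEXT);  -- assumed columns
        CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT,
                               Attribute TEXT, Value TEXT, op TEXT);
        CREATE TABLE userplan (UserName TEXT PRIMARY KEY, plan TEXT);  -- hypothetical
    """)
    db.executemany("INSERT INTO userplan VALUES (?, ?)", [
        ("alice", "weekly"), ("bob", "monthly"),
        ("carol", "weekly"), ("dave", "weekly"),   # dave has never logged in
    ])
    db.executemany("INSERT INTO radacct VALUES (?, ?)", [
        ("alice", "2003-01-01 09:00:00"),
        ("alice", "2003-01-05 18:30:00"),
        ("bob",   "2003-01-02 08:15:00"),
        ("carol", "2003-01-06 12:00:00"),
    ])
    db.commit()
    return db


def expired_users(db, now):
    """Users whose access window, started by their first login, has run out."""
    rows = db.execute("""
        SELECT p.UserName, p.plan, MIN(a.AcctStartTime)
        FROM userplan p JOIN radacct a ON a.UserName = p.UserName
        GROUP BY p.UserName, p.plan
        ORDER BY p.UserName
    """).fetchall()
    expired = []
    for user, plan, first in rows:
        first_login = datetime.strptime(first, "%Y-%m-%d %H:%M:%S")
        if now >= first_login + timedelta(days=PLAN_DAYS[plan]):
            expired.append(user)
    return expired


def disable_users(db, users):
    """Add a Reject check item for each user once; returns rows added."""
    added = 0
    for user in users:
        present = db.execute(
            "SELECT 1 FROM radcheck WHERE UserName = ? "
            "AND Attribute = 'Auth-Type' AND Value = 'Reject'", (user,)
        ).fetchone()
        if present is None:
            db.execute(
                "INSERT INTO radcheck (UserName, Attribute, Value, op) "
                "VALUES (?, 'Auth-Type', 'Reject', ':=')", (user,))
            added += 1
    db.commit()
    return added


if __name__ == "__main__":
    db = build_sample_db()
    now = datetime(2003, 1, 10, 12, 0, 0)
    users = expired_users(db, now)
    print("expired:", users, "rows added:", disable_users(db, users))
```

Run from cron, the script is safe to repeat: a user who is already rejected gets no second row.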



Not quite working right

2003-01-10 Thread Don O'Neil
Everyone,
  I'm a newbie here, so please don't hack me to shreds. I've read the FAQ and
Docs closely, and tried everything I can, but I must be missing something

I successfully built v81 of FreeRadius on my server, and I can properly
authenticate using the USERS file, and demo user of 'steve'

However, for whatever reason, I cannot get the server to connect to the mySQL
database to look up users there, and the dialup_admin program can't seem to add
or edit users because of this.

I know the DB is working, as I can connect to it using mysql, or phpmyadmin. The
tables are there, as per the schema for both apps.

I'm thinking that I missed a configure option when I built it, but a
configure --help doesn't say anything about mysql. I've properly configured the
sql.conf file to make sure it's got all the correct info, and the radiusd.conf
file calls it correctly. In the pre-accounting, and session areas I put in 'sql'
rather than 'files', and when I do that, I get an error in the log:

Fri Jan 10 20:08:24 2003 : Error: rlm_sql (sql): Could not link driver
rlm_sql_mysql: file not found
Fri Jan 10 20:08:24 2003 : Error: rlm_sql (sql): Make sure it (and all its
dependent libraries!) are in the search path of your system's ld.
Fri Jan 10 20:08:24 2003 : Error: radiusd.conf[14]: sql: Module instantiation
failed.

Now, there is no module in my /usr/local/lib directory called rlm_sql_mysql...
there is one called rlm_sql though, nor is there source for such a module name.
So, in the sql.conf file I changed the driver from 'rlm_sql_mysql' to
'rlm_sql'... and then the server just hangs with this in the log:

Fri Jan 10 20:13:32 2003 : Info: rlm_sql (sql): Driver rlm_sql (module SQL)
loaded and linked
Fri Jan 10 20:13:32 2003 : Info: rlm_sql (sql): Attempting to connect to
root@localhost:/radius

running radiusd -X results in the following:

rlm_sql (sql): Driver rlm_sql (module SQL) loaded and linked
rlm_sql (sql): Attempting to connect to root@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect SQL #0
Segmentation fault

Any clues as to what I'm doing wrong here? Maybe the MySQL module just got left
out of the .81 distrib?

I'm running this on a FreeBSD 4.5 system.

Thanks!
Don






[help]i can't work with EAP-MD5

2003-01-10 Thread 이원일
hi.
I am Netflash. I develop dot1x_radius clients.
I have some trouble during setup of WinXP <---> my AP <---> RADIUS Server, and ask
for your help...
The AP is dot1x + radiusclient. The client uses FreeRadius Server code,
using EAP-MD5, and WinXP is set to md5-challenge mode.

My environment setup as follows
(1) supplicant : winxp
(2) authenticator:AP(i develop for dot1x radius client)
  
(3) authentication server: Linux Redhat 7.2 + FreeRADIUS (latest version)
(4) users file.
wilee Auth-Type := EAP, User-Password == "wilee123"
DEFAULT  Auth-Type := System
   Fall-Through = 1
DEFAULT  Service-Type == Framed-User
   Framed-IP-Address = 255.255.255.254,
   Framed-MTU = 576,
   Service-Type = Framed-User,
   Fall-Through = Yes
DEFAULT  Framed-Protocol == PPP
   Framed-Protocol = PPP,
   Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT  Hint == "CSLIP"
   Framed-Protocol = SLIP,
   Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT  Hint == "SLIP"
   Framed-Protocol = SLIP
(5) clients.conf file
client 172.27.4.2 { <= AP IP Address
   secret  = test123
   shortname   = localhost
   nastype = other  # localhost isn't usually a NAS...
}
(6) radiusd.conf file else same to original file..
modules {
   pam {
  pam_auth = radiusd
   }
   unix {
  cache = no
  cache_reload = 600
  radwtmp = ${logdir}/radwtmp
   }
   eap {
 default_eap_type = md5
 timer_expire = 60
  md5 {
  }
   }
}
authorize {
   eap
   preprocess
   suffix
   files
}
authenticate {
   eap
   unix
}

(Question)
1. First, XP sends an EAP request, but it doesn't have a user name, it only has the
User-Name header. Why?

2. My AP relays the message to the RADIUS server, and the radius -x output is below.
The dumped EAP packet is
4f 07 01 54 00 05 01, which means EAP-Identity. I expect an MD5-Challenge (type is 4, not 5)
and a State attribute,
but the server returns only EAP-Identity. I suspect the eap_start() function: if an EAP
message exists (the EAP request has EAP, so it exists!), eap_start returns EAP_FOUND and
an EAP-Identity message, then eap_authorize() returns RLM_MODULE_HANDLED and the program
returns EAP-Identity. I traced the radiusd code, but I can't understand why it works
that way..

A.radiusd -x

Starting - reading configuration files ...
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded eap 
 rlm_eap: eap_instantiate start <=my debug
 rlm_eap: eap_instantiate :auth_type md5 <=my debug
 rlm_eap: type_name md5 node->typeid 4 <=my debug
 rlm_eap: Loaded and initialized the type md5
 rlm_eap: eap_instantiate end <=my debug
Module: Instantiated eap (eap) 
Module: Loaded System 
Module: Instantiated unix (unix) 
Module: Loaded preprocess 
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
Module: Instantiated realm (suffix) 
Module: Loaded files 
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
Module: Instantiated radutmp (radutmp) 
Initializing the thread pool...
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.

rad_recv: Access-Request packet from host 172.27.4.2:32769, id=157, length=176
 Athentication-Request 
User-Name = "wilee" <==insert by my AP for test,in case null, result is same..
Called-Station-Id = "00-d0-b7-b8-9f-99" <==AP MAC
Calling-Station-Id = "00-80-ad-7f-17-80" <=XP MAC
NAS-Identifier = "172.27.4.2" <=AP IP
NAS-IP-Address = 172.27.4.2 <=AP_IP
NAS-Port = 1
NAS-Port-Type = Ethernet
Connect-Info = "1" <=speed
Service-Type = Authenticate-Only(8)
Framed-MTU = 1500
State = 0x536174657320636f706965642069662065786973742e69742069732074657374
EAP-Message = "\002O"
Message-Authenticator = 0xc474dd2b9a5000a0b7ec8b71e044a8fb
rlm_eap: Got EAP_START message <==it is very important!. eap_start() func call.. 
Sending Access-Challenge of id 157 to 172.27.4.2:32769
EAP-Message = "\001P\000\005\001"
Message-Authenticator = 0x

(3) I traced rlm_eap (printf works well) and rlm_eap_md5 (I inserted a printf at init, and it
doesn't work).

help me..
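Added example (not from the original post): a small decoder for the bytes quoted above, the dump 4f 07 01 54 00 05 01 and the reply EAP-Message "\001P\000\005\001", split into the RADIUS attribute header and the EAP header fields (code, identifier, length, type). The MD5-Challenge request built at the end is constructed for comparison, and the function names are this example's own.

```python
import struct

RADIUS_EAP_MESSAGE = 79  # 0x4f
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


def split_radius_attr(raw):
    """Return (type, value) of one RADIUS attribute.

    The length byte counts the 2-byte type/length header as well as the value.
    """
    if len(raw) < 2:
        raise ValueError("attribute shorter than its 2-byte header")
    attr_type, attr_len = raw[0], raw[1]
    if attr_len < 2 or attr_len > len(raw):
        raise ValueError("attribute length %d does not fit %d bytes"
                         % (attr_len, len(raw)))
    return attr_type, raw[2:attr_len]


def parse_eap(packet):
    """Decode the EAP header: Code (1), Identifier (1), Length (2), then Type."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length %d does not fit %d bytes"
                         % (length, len(packet)))
    fields = {"code": EAP_CODES.get(code, "unknown"), "id": ident,
              "length": length, "type": None, "type_data": b""}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        fields["type"] = EAP_TYPES.get(packet[4], "type %d" % packet[4])
        fields["type_data"] = packet[5:length]
    return fields


def parse_md5_challenge(type_data):
    """Type-data of MD5-Challenge: Value-Size, Value, optional Name."""
    if not type_data:
        raise ValueError("missing Value-Size byte")
    size = type_data[0]
    if size == 0 or len(type_data) < 1 + size:
        raise ValueError("Value-Size %d does not fit the type data" % size)
    return type_data[1:1 + size], type_data[1 + size:]


def build_md5_challenge(ident, challenge, name=b""):
    """Constructed for comparison: an EAP Request of type 4 (MD5-Challenge)."""
    body = bytes([4, len(challenge)]) + challenge + name
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


# Bytes as quoted in the post above.
POSTED_DUMP = bytes.fromhex("4f 07 01 54 00 05 01")
SERVER_REPLY = b"\x01P\x00\x05\x01"

if __name__ == "__main__":
    attr_type, value = split_radius_attr(POSTED_DUMP)
    # In this dump 0x05 sits in the Length field; the Type byte is 0x01.
    print(attr_type, parse_eap(value))
    print(parse_eap(SERVER_REPLY))
    print(parse_eap(build_md5_challenge(0x55, bytes(range(16)))))
```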


Re: Freeradius-Users digest, Vol 1 #1409 - 12 msgs

2003-01-10 Thread nrg004

Thanks Tim I solved the problem.

I have another issue though (sick!). Now the RADIUS server is sending the 
Access-Accept packet but the client (notebook) is unable to log on or connect 
to the net.

The wireless network connection task bar says "Windows was unable to find a 
certificate to log you on to the network RadiusAP_A <-(my AP)"

Do i need to get a certificate, if yes what kind of certificate and how to set 
up. Please clarify.

Thank You
Reddy 

> Let me be the first...  :)
> 
> RTFM
> 
> FR follows the same setup that Livingston used since the beginning of
> RADIUS. It is documented, check out config files. Especially the one labeled
> "CLIENTS".  You might also want to pick up a copy of The Radius Book and
> check out the RFCs.
> 
> Your NAS manual should cover the setup for that.
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Thursday, January 09, 2003 3:02 PM
> > To: [EMAIL PROTECTED]
> > Subject: SHARED SECRET ERROR...
> >
> >
> > Hi all
> >
> > I am trying to authenticate a wireless user (notebook) through Orinoco AP2000
> > sending the information to RADIUS against LDAP.
> >
> > I have added the MAC address of the wireless card as a user (oxoxox-oyoyoy)
> > with a userPassword in the LDAP, also i have the same password on the AP (the
> > one to use to log in as admin for the AP), the RADIUS gets the MAC address as
> > the uid, which is ok. Now when it tries to authenticate with the password it
> > cannot.
> >
> > I know I am doing some silly mistake...please help me set up the shared secret
> > for the AP and the RADIUS, i mean where shall i store the password for both
> > individually..
> >
> > Here's the debug...(radiusd -X -A)
> >
> > rlm_ldap: login attempt by "00022d-5e1a19" with password "?s?÷?»A?£F? T}c"
> > rlm_ldap: user DN: uid=00022d-5e1a19,dc=example,dc=coo
> > rlm_ldap: (re)connect to localhost:389, authentication 1
> > rlm_ldap: setting TLS mode to 4
> > rlm_ldap: bind as uid=00022d-5e1a19,dc=example,dc=coo/?s?÷?»A?£F? T}c to
> > localhost:389
> > rlm_ldap: waiting for bind result ...
> >   modcall[authenticate]: module "ldap" returns reject <<--ERROR
> > modcall: group authtype returns reject
> > auth: Failed to validate the user.
> >   WARNING: Unprintable characters in the password. ?
> > Double-check the shared
> > secret on the server and the NAS! <<--ERROR
> > Delaying request 1 for 1 seconds
> > Finished request 1
> >
> > Any suggestion or help is appreciated...
> >
> > Thanks in advance
> > Reddy


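Added example (not part of the original thread): the "Unprintable characters in the password" warning in the quoted debug output follows from how User-Password is hidden with the shared secret (RFC 2865, section 5.2). The code below hides a password with one secret and recovers it with the same and with a different one; the secrets, password and authenticator are constructed values and the function names are this example's own.

```python
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """NAS side: c1 = p1 XOR MD5(S + RA), c(i) = p(i) XOR MD5(S + c(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad with NULs
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: the same chain, keyed with the server's copy of the secret."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def looks_printable(data):
    """True when every byte is printable ASCII."""
    return bool(data) and all(32 <= b < 127 for b in data)


def demo():
    authenticator = bytes(range(16))      # constructed Request Authenticator
    password = b"notebook-pass"           # constructed
    hidden = hide_password(password, b"secret-on-the-nas", authenticator)
    matching = reveal_password(hidden, b"secret-on-the-nas", authenticator)
    mismatched = reveal_password(hidden, b"secret-on-server", authenticator)
    return password, matching, mismatched


if __name__ == "__main__":
    password, matching, mismatched = demo()
    print("same secret     :", matching, looks_printable(matching))
    print("different secret:", mismatched, looks_printable(mismatched))
```

With differing secrets the server still decodes something, but it is unrelated bytes, so the bind to LDAP is attempted with a password the user never typed.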



Re: cisco av-pairs rear their ugly heads

2003-01-10 Thread Evren Yurtesen
you can search only inside abc.com domain in google, if you give the right
parameters

On Fri, 10 Jan 2003, Frank Cusack wrote:

> On Fri, Jan 10, 2003 at 10:24:43AM -0600, Chris Parker wrote:
> > At 10:04 AM 1/10/2003 -0500, Alan DeKok wrote:
> > If I need to search for cisco info, I use the following:
> > 
> > http://cisco.google.com/cisco
> > 
> > It is a google index of *just* cisco's site.  :)  Far better than
> > trying to search from www.cisco.com.
> 
> Cisco uses Google for their search.  Perhaps they weight results differently
> on their own site.
> 
> /fc



Re: accounting problems

2003-01-10 Thread Alan DeKok
Ray <[EMAIL PROTECTED]> wrote:
> anyways, while looking over the accounting data we are noticing that
> a number of login/logout accounting packets are missing.  the old
> system had the same problem, so it's not that freeRadius is worse,
> but it seems weird to me that this is normal.  what are some things
> to check into to fix this?

  The short answer is that RADIUS uses UDP, so it's always possible to
lose packets.

  Other than making sure your network is physically OK, and that it's
not running at capacity, and the machines involved aren't at or over
capacity, there's not much more you can do.

  Alan DeKok.




Re: cisco av-pairs rear their ugly heads

2003-01-10 Thread Chris Parker
At 10:22 AM 1/10/2003 -0800, Frank Cusack wrote:

> On Fri, Jan 10, 2003 at 10:24:43AM -0600, Chris Parker wrote:
> > At 10:04 AM 1/10/2003 -0500, Alan DeKok wrote:
> > If I need to search for cisco info, I use the following:
> >
> > http://cisco.google.com/cisco
> >
> > It is a google index of *just* cisco's site.  :)  Far better than
> > trying to search from www.cisco.com.
>
> Cisco uses Google for their search.  Perhaps they weight results differently
> on their own site.


I've found that they do something weird, as the same search items yield
different results in each place.  I like to google direct link, as it's
far simpler and just plain works.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: cisco av-pairs rear their ugly heads

2003-01-10 Thread Frank Cusack
On Fri, Jan 10, 2003 at 10:24:43AM -0600, Chris Parker wrote:
> At 10:04 AM 1/10/2003 -0500, Alan DeKok wrote:
> If I need to search for cisco info, I use the following:
> 
> http://cisco.google.com/cisco
> 
> It is a google index of *just* cisco's site.  :)  Far better than
> trying to search from www.cisco.com.

Cisco uses Google for their search.  Perhaps they weight results differently
on their own site.

/fc




Mysql query errors

2003-01-10 Thread Mohammad Shohab Baig
Hi
First of all very sorry for such a long email. I have free-radius0.8.1 with
mysql 2.23.49 on solaris8. I am trying to get users authenticated from
database i.e.mysql using free-radius.
I am getting these two errors:
1) Pairs do not match for user [[EMAIL PROTECTED]].  what am I doing wrong at
there ( tried my best to get  any clue from mailing list but no success)
2) these queries
rlm_sql_mysql: MYSQL check_error: 1065 received
rlm_sql (sql) sql_checksimul: Database query failed
are getting failed.

Here is the log
--
Ready to process requests.
rad_recv: Access-Request packet from host 204.xxx.xxx.:44582, id=55,
length=102
User-Name = '[EMAIL PROTECTED]'
User-Password = "test"
NAS-IP-Address = 206.xxx.xxx.
NAS-Port = 3188
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "816xxx"
NAS-Port-Type = Async
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
rlm_realm: Looking up realm test.comfor User-Name = '[EMAIL PROTECTED]'
rlm_realm: Found realm seriousisp.us
rlm_realm: Adding Stripped-User-Name = "test"
  rlm_realm: Proxying request from user test to realm test.com
rlm_realm: Adding Realm = "test.com"
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module "suffix" returns noop
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]'AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '[EMAIL PROTECTED]'ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Pairs do not match for user [[EMAIL PROTECTED]]
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type SQL
auth: type "SQL"
modcall: entering group authenticate
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_password escaped password --> 'test'
radius_xlat:  ''
rlm_sql (sql): Reserving sql socket id: 3
Running SQL query:
rlm_sql_mysql: MYSQL check_error: 1065 received
rlm_sql (sql) sql_checksimul: Database query failed
rlm_sql (sql): Released sql socket id: 3
  modcall[authenticate]: module "sql" returns fail
modcall: group authenticate returns fail
module authenticate result is -1
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request

--

I will really appreciate any help on it.

Shohab






accounting problems

2003-01-10 Thread Ray
everything seems to be working well. but we are having some minor issues.

the accounting radius is doing about 10% cpu according to top, 
the gui looks like about 5% of it, and another fraction or 2 for the top 
command and remote shells into it to watch the radius.log file (to aid tech 
support with bad username/password issues)

OT humor: how do you make it clear that 'HP Authorized Customer' is not their 
username? 

anyways, while looking over the accounting data we are noticing that a number 
of login/logout accounting packets are missing.  the old system had the same 
problem, so it's not that freeRadius is worse, but it seems weird to me that 
this is normal.  what are some things to check into to fix this?






Sql authentication

2003-01-10 Thread CEBKA
Hello

Sorry, if this question took place, but I want to know may rlm_mysql
module make authentication. If I have a user in radcheck/radreply
tables with correct AV values, when I use radtest with this username
and password my server sends Access-Reject packet. This works well
with local files. So can I do this without local authentication, using
only MySQL database?

-- Best regards,
CEBKA mailto:[EMAIL PROTECTED]





Re: cisco av-pairs rear their ugly heads

2003-01-10 Thread Chris Parker
At 10:04 AM 1/10/2003 -0500, Alan DeKok wrote:

> Dan <[EMAIL PROTECTED]> wrote:
> > to see the av-pairs in the log you must turn on an extra feature in your
> > cisco config. it's: radius-server vsa accounting
> > you may need the word "send" in there somewhere,
> > depending on your version of IOS, etc etc etc
>
>   I've added some text to 'doc/cisco' about this.
>
>   So the best location for Cisco documentation is the minimal
> FreeRADIUS documentation?  Wow...


Nah, cisco has good docs, just using their own search engine sucks.

If I need to search for cisco info, I use the following:

http://cisco.google.com/cisco

It is a google index of *just* cisco's site.  :)  Far better than
trying to search from www.cisco.com.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Double logins....HELP...

2003-01-10 Thread Costas Christonis
Hi to all,
i read the doc about Simultaneous-Use and i did these:
i installed the module http://www.switch.ch/misc/leinen/snmp/perl/ and
i made changes in radius.conf
session {
radutmp
sql
}
i also made changes in naspassword file (username SNMP and password
"community")
i made changes on my NAS so the radius server have access
snmp-server community   RW 10
Access-list 10 permit myipaddr
and i check with the checkrad and i get response from the NAS
but after all i can't prevent double logins . Any idea?

Thank you

Costas A. Christonis
Networking & Communications Centre
Gallos Campus - University of Crete
tel: +30-8310-77044
email: [EMAIL PROTECTED]
http://www.ucnet.uoc.gr/






ldap + md5 passwords

2003-01-10 Thread Ryan Henry
is anyone using ldap with the password in ldap stored as an md5 hash, 
instead of crypt to authenticate?

If so what does your config look like?

thanks,
-ryan




Re: (no subject)

2003-01-10 Thread Alan DeKok
"giorgio" <[EMAIL PROTECTED]> wrote:
...
> modcall[accounting]: module "unix" returns noop
...
> modcall[accounting]: module "radutmp" returns noop

  Well, there you go.  The debugging information for those modules
shows that they're not doing anything.  (And was it *really* necessary
to double-space the debug output?)

  The packet which was sent was:

> User-Name = "gelu"
> NAS-Identifier = "telendos"
> Acct-Status-Type = Start
> Acct-Session-Id = "fbsnx"
> Service-Type = Login-User

  With no NAS-Port-Id, or other information which usually goes into
wtmp or utmp.

  What, exactly are you expecting it to write to the wtmp file for
that request?  Invented ports?

  Alan DeKok.




Re: Authentication time

2003-01-10 Thread Roy Wills
hmmm i don't think i am explaining this very well. I need some users to only have access for a week
(ie: monday to following monday) and some users have a month of access (ie: Jan 1 to Jan 31). I do not
think that actual session times are going to work in this case since they are not actually doing a
traditional dial-in setup. Radius is just there to have centralized authorization for about 6 networks
across the city. Is there an attribute to allow from first login to say disable after 7 days or 30 days?

1/10/03 4:18:42 AM, Kostas Kalevras <[EMAIL PROTECTED]> wrote:

>On Thu, 9 Jan 2003, Roy Wills wrote:
>
>> ok...i have read the radiusd.conf and scoured once again the docs and am not
>> grasping where i need to put the attrib. i have users that only have access
>> for a week and some for a month. It's
>> all time-frame based and varies. i guess my question now is do i have a line
>> like this for every user on top of the accept lines?
>>DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
>>Reply-Message = "You've used up more than one hour today"
>> or do i need to create a db.counter file for these? If this is totally wrong
>> can you point me to a faq better than the docs that are with it?
>
>The docs are really just fine.
>
>You can set the corresponding attribute for each user:
>
>userweekly   Max-Weekly-Session := 4500
>
>usermonthly  Max-Monthly-Session := 45000
>
>Just make sure you don't set DEFAULT entries with these attributes.
>
>>
>>
>> 1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
>>
>> >Roy Wills <[EMAIL PROTECTED]> wrote:
>> >> Is there a way to limit the time a user can spend online? What i
>> >> want to do is say that user X has 1 week of use and after that they
>> >> are no longer allowed to log in.
>> >
>> >  Yes.  Read 'raddb/radiusd.conf', and look for the 'counter' module.
>> >
>> >> If so when does the time start, when the first logins or when i put
>> >> the user/pass in the users file?
>> >
>> >  When the user first logs in.
>> >
>> >  Alan DeKok.
>
>--
>Kostas Kalevras  Network Operations Center
>[EMAIL PROTECTED]   National Technical University of Athens, Greece
>Work Phone:  +30 210 7721861
>'Go back to the shadow'  Gandalf



Re: cisco av-pairs rear their ugly heads

2003-01-10 Thread Alan DeKok
Dan <[EMAIL PROTECTED]> wrote:
> to see the av-pairs in the log you must turn on an extra feature in your
> cisco config. its: radius-server vsa accounting
> you may need the word "send" in there somewhere,
> depending on your version of IOS, etc etc etc

  I've added some text to 'doc/cisco' about this.

  So the best location for Cisco documentation is the minimal
FreeRADIUS documentation?  Wow...

  Alan DeKok.




Re: MD5 passwd ecryption (was Re: Error about:rlm_eap_md5)

2003-01-10 Thread Alan DeKok
Margrete Raaum <[EMAIL PROTECTED]> wrote:
> We are migrating to LDAP. I am trying to get EAP/MD5 to work with LDAP.
> Of course there are no clear text passwords in the LDAP base as that would
> result in clear text passwords across the network, they are MD5-encrypted.
> The passwords don't really have to be in clear text, do they?

  For EAP, yes, they do.

  The solution to passwords going across the network from your LDAP
server in clear-text is to encrypt the connection to the LDAP server.

  Alan DeKok.
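
Why EAP-MD5 needs the clear-text password, as an added example (not part of the original thread and not FreeRADIUS code): EAP-MD5 uses the CHAP computation from RFC 1994, MD5(identifier || password || challenge), so a server that holds only a hash of the password cannot recompute the response, while a PAP password can still be checked against a stored hash. The function names, the sample password and the unsalted-MD5 storage format are constructed assumptions.

```python
import hashlib
import hmac
import os


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value, also used by EAP-MD5: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_challenge_response(identifier: int, stored_secret: bytes,
                              challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the value from whatever the user store holds."""
    expected = chap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap(stored_md5: bytes, received_password: bytes) -> bool:
    """PAP delivers the password itself to the server, so it can be hashed and compared."""
    return hmac.compare_digest(hashlib.md5(received_password).digest(), stored_md5)


def demo() -> dict:
    password = b"constructed-sample-password"    # constructed sample value
    stored_md5 = hashlib.md5(password).digest()  # assumed hash-only directory entry
    identifier, challenge = 7, os.urandom(16)    # fresh challenge per attempt

    # The client hashes the clear-text password it knows with the server's challenge.
    response = chap_md5_response(identifier, password, challenge)

    return {
        # Store holds the clear-text password: the server recomputes the same value.
        "cleartext_store": verify_challenge_response(
            identifier, password, challenge, response),
        # Store holds only MD5(password): the inner hash cannot be undone, so the
        # recomputed value differs and the user is rejected.
        "hash_only_store": verify_challenge_response(
            identifier, stored_md5, challenge, response),
        # The same hash-only store is enough for PAP.
        "pap_hash_only_store": verify_pap(stored_md5, password),
        # A captured response does not verify against a new challenge.
        "replayed_response": verify_challenge_response(
            identifier, password, os.urandom(16), response),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20} accepted={accepted}")
```

Only the first and third cases are accepted, which is why the hashed LDAP passwords work for PAP but not for EAP-MD5 or CHAP.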




MD5 passwd encryption (was Re: Error about:rlm_eap_md5)

2003-01-10 Thread Margrete Raaum
On Tue, 7 Jan 2003, Shawn Adams wrote:

>I guess my big disappointment is the user password is in clear text in
>the /etc/raddb/users.conf file. Which is just another administrative
>task to maintain.

We are migrating to LDAP. I am trying to get EAP/MD5 to work with LDAP.
Of course there are no clear text passwords in the LDAP base as that would
result in clear text passwords across the network, they are MD5-encrypted.
The passwords don't really have to be in clear text, do they?

Margrete






RE: Allowed Session

2003-01-10 Thread Duane Barnes
Ok.  Here's my conf:

counter daily {
    filename = ${raddbdir}/db.daily
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = daily
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    allowed-servicetype = Framed-User
    cache-size = 5000
}

counter weekly {
    filename = ${raddbdir}/db.weekly
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = weekly
    counter-name = Weekly-Session-Time
    check-name = Max-Weekly-Session
    allowed-servicetype = Framed-User
    cache-size = 5000
}

authorize {
    preprocess
#   counter
#   attr_filter
#   eap
    suffix
    sql
    files
#   mschap
}

authenticate {
#   pam
    unix
#   ldap
#   mschap
#   eap
}

preacct {
    suffix
    files
    preprocess
}

accounting {
#   acct_unique
    detail
#   counter
    unix
    radutmp
    sql
#   sradutmp
}

session {
    radutmp
}

instantiate {
    daily
    weekly
}

---
Here is the error I get:
Error: rlm_sql: unknown attribute Max-Daily-Session
Fri Jan 10 09:18:21 2003 : Error: rlm_sql:  Error getting data from database
Fri Jan 10 09:18:21 2003 : Error: rlm_sql:  SQL query error; rejecting user








-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
Kalevras
Sent: Friday, January 10, 2003 4:10 AM
To: [EMAIL PROTECTED]
Subject: RE: Allowed Session


On Thu, 9 Jan 2003, Duane Barnes wrote:

> Maybe I'm not understanding.  Here is a snippet from my radiusd.conf file:
> counter {
> filename = ${raddbdir}/db.counter
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
> counter-name = Weekly-Session-Time
> check-name = Max-Weekly-Session
> allowed-servicetype = Framed-User
> cache-size = 5000
> }
>

No:

counter daily {
    filename = ${raddbdir}/db.daily
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = daily
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    allowed-servicetype = Framed-User
    cache-size = 5000
}

counter weekly {
    filename = ${raddbdir}/db.weekly
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = weekly
    counter-name = Weekly-Session-Time
    check-name = Max-Weekly-Session
    allowed-servicetype = Framed-User
    cache-size = 5000
}

[...]

instantiate {
    daily
    weekly
}

[...]

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf




Re: PAP & CHAP

2003-01-10 Thread Shawn O'Shea

I've been using this in my authenticate block for awhile and it seems to
work fine with UUNet for the dialup we resell from them:

authtype UUNET {
    chap
    pap
}

and just match it with Auth-Type := UUNET for an entry in the users file.

-Shawn


On Fri, 10 Jan 2003, Chris Knipe wrote:

> Hi,
>
> I tried this, and it still did not work :(  Maybe I am missing something...
> Below's the relevant snippets from my configuration...
>
> modules {
>   pap {
>     encryption_scheme = clear
>   }
>
>   chap {
>     authtype = CHAP
>   }
> }
>
> authorize {
>   preprocess
>   attr_filter
>   suffix
>   files
>   chap
>   sql
> }
>
> # Authentication.
> authenticate {
>   authtype PAP {
>     pap
>   }
>
>   authtype CHAP {
>     chap
>   }
> }
>
> --
> me
>
>
> - Original Message -
> From: "3APA3A" <[EMAIL PROTECTED]>
> To: "Chris Knipe" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Thursday, January 09, 2003 10:55 AM
> Subject: Re: PAP & CHAP
>
>
> > Dear Chris Knipe,
> >
> > Set Auth-Type to PAP, add chap module to authorize section and make sure
> > you have
> >
> > chap {
> > authtype = CHAP
> > }
> >
> > in  module  configuration.  In  this case default authentication will be
> > PAP,  but  if CHAP-Password attribute will be found in request Auth-Type
> > will be changed to CHAP during authorization. This behavior is explained
> > in  doc/rlm_mschap  for  MS-CHAP authentication which is very similar to
> > CHAP.
> >
> > --Thursday, January 9, 2003, 6:47:32 AM, you wrote to [EMAIL PROTECTED]:
> >
> > CK> Lo everyone,
> >
> > CK> I think I have a little bit of a problem (or maybe not)...
> >
> > CK> I want to use PAP and CHAP authentication... Basically, a user should be
> > CK> able to authenticate using PAP or CHAP... I've created a group attribute
> > CK> request (Auth-Type := PAP as well as Auth-Type := CHAP).  However,
> > CK> Freeradius only takes the first one it gets from the database (PAP), and
> > CK> disregards the CHAP.
> >
> > CK> I know this is stupid, but I am presuming that Auth-Type is sent from the
> > CK> NAS to the Radius server in any case?  How do I get freeradius to accept
> > CK> both password types?  My PAP is stored cleartext to make it compatible with
> > CK> CHAP, and when I manually remove PAP for CHAP I can authenticate using both
> > CK> types... Right now though, I don't really see a way how I can use both at
> > CK> the same time on the same accounts?
> >
> > CK> --
> > CK> me
> >
> > --
> > ~/ZARAZA
> > Shooting a second time, he crippled a bystander. The bystander was me. (Twain)
> >


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





RE: PEAP support

2003-01-10 Thread Lars Viklund

> From: Paul Wang [mailto:[EMAIL PROTECTED]] 
> Sent: den 20 december 2002 19:48
> To: Freeradius-Users@Lists. Cistron. Nl
> Subject: PEAP support
> 
> 
> Lars,
> 
>   I got stuck at part-II. After the server send the first 
> packet (Request for Identity, after confirm with Microsoft it 
> is one byte of value 1) in the TLS channel, there is no 
> response from XP client. Any chance you might look into this 
> in near future such that we might team up together to work 
> this out? or someone else might be interested in tackling 
> this? Thanks.

Hi,

I apologize for not answering earlier. I've been on vacation and busy with other stuff.

We are interested in working with you on this, although we cannot spend a lot of time 
on it. If you send us your code we will take a look at it next week and see if we can 
provide any help.

--
Lars Viklund
Expert Software Engineer
Embedded Platforms
Axis Communications AB




radutmp and SQL

2003-01-10 Thread ntuser
Hi,

How can I transfer the session handling service from radutmp to MySQL?

Thanks
Amjr





Re: (no subject)

2003-01-10 Thread giorgio
t_unique)

Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
radutmp: filename = "/usr/local/var/log/radius/sradutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 420
radutmp: callerid = no
Module: Instantiated radutmp (sradutmp)
Initializing the thread pool...
thread: start_servers = 5
thread: max_servers = 32
thread: min_spare_servers = 3
thread: max_spare_servers = 10
thread: max_requests_per_server = 0
thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 195.251.249.184:32776, id=0, length=54
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
User-Name = "gelu"
User-Password = "fbsnx"
NAS-Identifier = "telendos"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "gelu", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 151
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
Login OK: [gelu/fbsnx] (from client private-net port 0)
Sending Access-Accept of id 0 to 195.251.249.184:32776
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Accounting-Request packet from host 195.251.249.184:32776, id=1, length=55
Thread 2 assigned request 1
Waking up in 5 seconds...
Thread 2 handling request 1, (1 handled so far)
User-Name = "gelu"
NAS-Identifier = "telendos"
Acct-Status-Type = Start
Acct-Session-Id = "fbsnx"
Service-Type = Login-User
modcall: entering group preacct
modcall[preacct]: module "preprocess" returns noop
rlm_realm: No '@' in User-Name = "gelu", looking up realm NULL
rlm_realm: No such realm NULL
modcall[preacct]: module "suffix" returns noop
modcall[preacct]: module "files" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: WARNING: Attribute 87 was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 195.251.249.184,NAS-IP-Address = 195.251.249.184,Acct-Session-Id = "fbsnx",User-Name = "gelu"'
rlm_acct_unique: Acct-Unique-Session-ID = "a5092a353199d945".
modcall[accounting]: module "acct_unique" returns ok
radius_xlat: '/usr/local/var/log/radius/radacct/195.251.249.184/detail-20030110'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/195.251.249.184/detail-20030110
modcall[accounting]: module "detail" returns ok
modcall[accounting]: module "unix" returns noop
radius_xlat: 'gelu'
modcall[accounting]: module "radutmp" returns noop
radius_xlat: 'gelu'
modcall[accounting]: module "sradutmp" returns noop
modcall: group accounting returns ok
Sending Accounting-Response of id 1 to 195.251.249.184:32776
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Cleaning up request 1 ID 1 with timestamp 3e1e8fd3
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 3e1e8fd3
Nothing to do. Sleeping until we see a request.









Re: Authentication time

2003-01-10 Thread Kostas Kalevras
On Thu, 9 Jan 2003, Roy Wills wrote:

> ok...i have read the radiusd.conf and scoured once again the docs and am not
> grasping where i need to put the attrib. i have users that only have access
> for a week and some for a month. It's
> all time-frame based and varies. i guess my question now is do i have a line
> like this for every user on top of the accept lines?
>DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
>Reply-Message = "You've used up more than one hour today
> or do i need to create a db.counter file for these? If this is totally wrong
> can you point me to a faq better than the docs that are with it?

The docs are really just fine.

You can set the corresponding attribute for each user:

userweekly  Max-Weekly-Session := 4500

usermonthly Max-Monthly-Session := 45000

Just make sure you don't set DEFAULT entries with these attributes.

>
>
> 1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
>
> >Roy Wills <[EMAIL PROTECTED]> wrote:
> >> Is there a way to limit the time a user can spend online? What i
> >> want to do is say that user X has 1 week of use and after that they
> >> are no longer allowed to log in.
> >
> >  Yes.  Read 'raddb/radiusd.conf', and look for the 'counter' module.
> >
> >> If so when does the time start, when the first logins or when i put
> >> the user/pass in the users file?
> >
> >  When the user first logs in.
> >
> >  Alan DeKok.
> >

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf




RE: Allowed Session

2003-01-10 Thread Kostas Kalevras
On Thu, 9 Jan 2003, Duane Barnes wrote:

> Maybe I'm not understanding.  Here is a snippet from my radiusd.conf file:
> counter {
> filename = ${raddbdir}/db.counter
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
> counter-name = Weekly-Session-Time
> check-name = Max-Weekly-Session
> allowed-servicetype = Framed-User
> cache-size = 5000
> }
>

No:

counter daily {
    filename = ${raddbdir}/db.daily
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = daily
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    allowed-servicetype = Framed-User
    cache-size = 5000
}

counter weekly {
    filename = ${raddbdir}/db.weekly
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = weekly
    counter-name = Weekly-Session-Time
    check-name = Max-Weekly-Session
    allowed-servicetype = Framed-User
    cache-size = 5000
}

[...]

instantiate {
    daily
    weekly
}

[...]

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf




Re: (no subject)

2003-01-10 Thread Simon White
10-Jan-03 at 10:12, g ([EMAIL PROTECTED]) wrote :
> EVERYTHING SEEMS TO BE OK EXCEPT WRITING THE RADUTMP AND RADWTMP FILES

Reasons why files aren't written, general:

- Permissions are wrong on the directories in which the files should be
  created
- Configuration files aren't being told to write the file
- Files already exist which can't be appended because ownership is wrong
- The files are being written, but you're looking in the wrong place

Let us know that none of the above apply, and we will be willing to help
again.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: (no subject)

2003-01-10 Thread g

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 08, 2003 5:44 PM
Subject: Re: (no subject)


> g <[EMAIL PROTECTED]> wrote:
> > We have installed freeradius and we have tested it with radtest and with
> > a radiusclient which
> > we downloaded from the internet(sourceforge.net).
> > The server and the radclient are working  but the server doesn't create
> > the files radutmp and radwtmp.what to do???
>
>   Send it accounting packets?
>
>   Alan DeKok.
>

We send it accounting packets, and the server, which is running in debugging mode,
writes modcall[accounting]: module radutmp returns noop
modcall[accounting]: module unix returns noop
modcall[accounting]: module sradutmp returns noop
ALSO SERVER WRITES  "SENDING ACCOUNTING RESPONSE TO ID ..."
(OUR CLIENT TAKES THAT RESPONSE)
WHAT  TO DO???
EVERYTHING SEEMS TO BE OK EXCEPT WRITING THE RADUTMP AND RADWTMP FILES


