Re: Auth-type=Accept
21-Jan-03 at 16:57, leaobicalho ([EMAIL PROTECTED]) wrote:

> When I use Auth-type=Accept, I don't need to say a password; it authenticates only by login. But the RADIUS client always sends `login` as a STRING and not encrypted. I think that Password is encrypted. Then how do I authenticate only by Password?

Read up about possible authentication methods that your NAS supports, and work out which one will encrypt passwords. If you authenticate only by password, how do you track users?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Check Users File
In the process of migrating from cistron to freeradius I noticed that one nice feature of cistron is missing in freeradius: with the option -C, cistron checked the syntax of a users file. This was very useful for us. In freeradius I did not find an option for such a check. Is it missing, or did I not read enough documentation?

Norbert Wegener

-- 
Norbert Wegener
Phone: (49)2012661379
Fax: (49)2012661377
SBS Essen, Germany
Mail: [EMAIL PROTECTED]
Mailfax: (49)2018165521379
Radiusd Problems
Hello,

I am using freeRadius-0.8.1 on MinGW on Windows NT. I installed the tar file and made the necessary configurations. When I am trying to run radiusd it gives the error 'Command not found'. How do I fix my problem? If any one of you has worked on the same platform and faced the same problems, please give me some detailed tips.

Thanks
S R Mannava
Re: Auth-type=Accept
I will use USERS will be PASSWORD USERS=PASSWORD..

> 21-Jan-03 at 16:57, leaobicalho ([EMAIL PROTECTED]) wrote:
>
> > When I use Auth-type=Accept, I don't need to say a password; it authenticates only by login. But the RADIUS client always sends `login` as a STRING and not encrypted. I think that Password is encrypted. Then how do I authenticate only by Password?
>
> Read up about possible authentication methods that your NAS supports, and work out which one will encrypt passwords. If you authenticate only by password, how do you track users?
>
> -- 
> |-Simon White, Internet Services Manager, Certified Check Point CCSA.
> |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
> |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
> |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: RSA security server token authentication
Yes, it works...

> Hi All,
>
> Does freeradius support token authentication from rsa security server? Your help will be greatly appreciated.
>
> Thank you.
> Choudary.
Re: Regexp in huntgroups file
On Tue, Jan 21, 2003 at 05:03:30AM -0500, Alan DeKok wrote:
> Nils Rønhovde [EMAIL PROTECTED] wrote:
> > If I have a group of NASes in the address range 10.1.1.0-32, how should I express this in a single statement in the huntgroups file? My best idea is like this:
> >
> >     test    NAS-Ip-Address =~ ^10\.1\.1\.[0-32]
>
> Regular expressions are over *characters*, not *numbers*. Try:
>
>     test    NAS-IP-Address =~ ^10\.1\.1\.(0|1[0-9]?|2[0-9]?|3[0-2]?|[4-9])

Looks slightly unreadable, doesn't it? :)

Alan, how about implementing a few operators on IPs? E.g., '' for 'is contained within', so, in this case:

    NAS-IP-Address 10.1.1.0/27

-- 
Fduch M. Pravking
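As an added example (not code from the thread), the Python below checks what the two patterns above actually select when applied as a search over every address in 10.1.1.0/24, and sets that beside the CIDR containment test Fduch asks for. The patterns and the 10.1.1.0/27 block are the thread's own; `re.search` is used because a leading `^` pins only the start of the string, so a pattern with no trailing `$` accepts any address whose text merely begins with a match, which matters when a huntgroup entry is meant to admit a fixed set of NAS addresses.

```python
import ipaddress
import re

# The two patterns from the thread: Nils's character class and Alan's alternation.
NILS_PATTERN = r"^10\.1\.1\.[0-32]"
ALAN_PATTERN = r"^10\.1\.1\.(0|1[0-9]?|2[0-9]?|3[0-2]?|[4-9])"


def last_octet(ip):
    """Return the last octet of an IPv4 address object as an int."""
    return int(str(ip).rsplit(".", 1)[1])


def regex_hosts(pattern, network="10.1.1.0/24"):
    """Last octets inside `network` whose dotted-quad text the pattern matches.

    re.search mirrors POSIX regexec semantics: '^' pins the start, and only an
    explicit '$' pins the end, so a missing '$' turns the pattern into a prefix test.
    """
    rx = re.compile(pattern)
    return {last_octet(ip) for ip in ipaddress.ip_network(network) if rx.search(str(ip))}


def cidr_hosts(cidr):
    """Last octets covered by a CIDR block: the 'is contained within' check done
    with the standard library instead of a regular expression."""
    return {last_octet(ip) for ip in ipaddress.ip_network(cidr)}


def in_cidr(address, cidr):
    """Single-address containment, the operation a huntgroup entry would need."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    for name, pat in (("Nils", NILS_PATTERN), ("Alan", ALAN_PATTERN)):
        print(f"{name:>4} as written : {len(regex_hosts(pat))} of 256 hosts match")
        print(f"{name:>4} with '$'    : {sorted(regex_hosts(pat + '$'))}")
    print("10.1.1.0/27 covers last octets", sorted(cidr_hosts("10.1.1.0/27")))
```

Running it shows that Alan's alternation, exactly as written, matches all 256 hosts in the /24 because every last octet starts with a digit that one alternative accepts as a prefix; with a trailing `$` it matches precisely .0 through .32. The /27 block, by contrast, spans .0 through .31, so the two do not describe the same 33 hosts either.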
??????
We have installed freeradius 0-8-1 and we have downloaded a client from the internet. We have also created 10 users on the server with create-users.pl, and we configured radiusd.conf to read from the passwd and shadow files which create-users.pl created. We also added to clients.conf the client which sends requests to the server. The server takes the requests and sends the reply to the client; the detail files are updated properly and the server and client seem to work with no problems.

The only problem is that the radutmp and radwtmp files are not created. The client sends accounting packets and the server takes them and sends the proper reply, but radutmp returns noop. What to do??? Should I add anything to the users file or change radiusd.conf (in radiusd.conf the radutmp module is uncommented and the server says at the beginning that it has instantiated it)? Is that a solution to my problem??
bind to ldap server only (no search)
Hi all,

I am quite new to Radius. I installed FreeRadius 0.8.1 and it runs fine. We have some local users in the users file; other users are authenticated via our LDAP server. As far as I can see we only need to bind to the LDAP server to authenticate them, but it seems the rlm_ldap module first searches for the users. In our case we have some users which are not searchable. That means the authentication fails: rlm_ldap first searches for the user but can't find it.

Is it therefore possible to only bind to the LDAP server without searching for the users? Is it something to do with the identity flag in rlm_ldap?

Regards,
David

___
David De Maeyer
Roskilde University Center
Computer Science Department
Box 260, Hus 42.1
4000 Roskilde
Denmark
voice (+45) 46 74 38 29
fax (+45) 46 74 30 72
Re: bind to ldap server only (no search)
On Wed, 22 Jan 2003, David De Maeyer wrote:

> Hi all,
>
> I am quite new to Radius. I installed FreeRadius 0.8.1 and it runs fine. We have some local users in the users file; other users are authenticated via our LDAP server. As far as I can see we only need to bind to the LDAP server to authenticate them, but it seems the rlm_ldap module first searches for the users. In our case we have some users which are not searchable. That means the authentication fails: rlm_ldap first searches for the user but can't find it.
>
> Is it therefore possible to only bind to the LDAP server without searching for the users?

You have to first find the user dn. Anyway, you could create a Ldap-UserDn attribute by use of the attr_rewrite module, add it in the config attribute list and it should work. Something like:

    attribute = Ldap-UserDn
    replacewith = "uid=%{User-Name},ou=people,dc=company,dc=com"
    new_attribute = yes

    authorize {
        [...]
        attr_rewrite
    }

> Is it something to do with the identity flag in rlm_ldap?
>
> Regards,
> David
>
> ___
> David De Maeyer
> Roskilde University Center
> Computer Science Department
> Box 260, Hus 42.1
> 4000 Roskilde
> Denmark
> voice (+45) 46 74 38 29
> fax (+45) 46 74 30 72

-- 
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
control (or garbage) characters in username
Hi all,

It occasionally (sometimes frequently) happens that the NAS sends some control characters as username and password. Could it be line noise or DOS? I'm not quite sure. Here is a debug output (from the Home Server FR v0.8.1):

    rad_recv: Access-Request packet from host x.x.x.100:1814, id=134, length=368
            User-Name = \225\247+\037\230O:?}\263\334\374\310I\223\005\3174\226g\377%p8/\301\300\271\260MYT\021\t\340f\252\347\026\376\220,d\326\332#1e\247\246\346(\025\360\263\022\256\025\245\001\253]\005\310\240.$vo\357\326k\3756\316\007d^.\216\313\304\373\354A%\214\365-\367\027o
            User-Password = \315f\365+\266|z\210\3241\364'@\256\241\205\2468\271U\0060E\004\021\200\243\271\224\016\036\230\224\333!'4\330\272O\366Oo)F\031\264\256\017\006T\240\343\025\024\205\252\021%G\247\362\346\273=\375H\007\201\372\250\361\2527\202\016\312\305)\277\305\204_\350\241\367\301\256\002\365?\365f?\242N\362\013\325
            NAS-IP-Address = x.x.x.196
            NAS-Identifier = x.x.x.196
            NAS-Port = 1794
            Acct-Session-Id = 117512730
            USR-Interface-Index = 3050
            USR-Supports-Tags = 0
            Service-Type = Login-User
            USR-Chassis-Call-Slot = 8
            USR-Chassis-Call-Span = 16
            USR-Chassis-Call-Channel = 2
            USR-Connect-Speed = NONE
            NAS-Port-Type = Async
            Proxy-State = 0x3936
    rad_lowerpair: User-Name now '?§+??o:?}³ÜüÈi??Ï4?gÿ%p8/ÁÀ¹°myt??àfªç?þ?,dÖÚ#1e§¦æ(?ð³?®?¥?«]?È?.$voïÖký6Î?d^.?ËÄûìa%?õ-÷?o'
    rad_rmspace_pair: User-Name now '?§+??o:?}³ÜüÈi??Ï4?gÿ%p8/ÁÀ¹°myt?àfªç?þ?,dÖÚ#1e§¦æ(?ð³?®?¥?«]?È?.$voïÖký6Î?d^.?ËÄûìa%?õ-÷?o'
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
        users: Matched DEFAULT at 176
    modcall[authorize]: module files returns ok
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for ?§+??o:?}³ÜüÈi??Ï4?gÿ%p8/ÁÀ¹°myt?àfªç?þ?,dÖÚ#1e§¦æ(?ð³?®?¥?«]?È?.$voïÖký6Î?d^.?ËÄûìa%?õ-÷?o
    radius_xlat: '(uid=\225\247+\037\230o:?}\263\334\374\310i\223\005\3174\226g\377%p8/\301\300\271\260myt\021\340f\252\347\026\376\220,d\326\332#1e\247\246\346(\025\360\263\022\256\025\245\001\253]\005\310\240.$vo\357\326k\3756\316\007d^.\216\313\304\373\354a%\214\365-\367'
    radius_xlat: 'ou=radius,dc=company,dc=com,dc=ph'
    ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to ldap.compass.com.ph:389, authentication 0
    rlm_ldap: bind as / to ldap.compass.com.ph:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: performing search in ou=radius,dc=company,dc=com,dc=ph, with filter (uid=\225\247+\037\230o:?}\263\334\374\310i\223\005\3174\226g\377%p8/\301\300\271\260myt\021\340f\252\347\026\376\220,d\326\332#1e\247\246\346(\025\360\263\022\256\025\245\001\253]\005\310\240.$vo\357\326k\3756\316\007d^.\216\313\304\373\354a%\214\365-\367
    rlm_ldap: ldap_search() failed: Bad search filter
    rlm_ldap: search failed
    ldap_release_conn: Release Id: 0

...and then it dies. Segmentation fault.

It's the same username and password values on the proxy server (FR v0.8.1). It didn't crash the proxy server though. For sure, this is not a secret problem. Any suggestions on how to filter these kinds of username values?

Thanks!

regards,
Alexis
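Two threads above meet here: Kostas's attr_rewrite template splices `%{User-Name}` straight into a DN, and Alexis's debug output shows a raw User-Name splice into a `(uid=...)` filter being rejected as a "Bad search filter". The Python below is an added example, not code from the thread or from rlm_ldap: it escapes a User-Name for a search filter (RFC 4515) and for a DN (RFC 4514), and applies a plain printable-ASCII policy of the kind Alexis asks about before any backend sees the name. The base DN is the one from Kostas's reply; `GARBAGE_NAME` is the first ten bytes of the User-Name in the debug output, written as Python octal escapes.

```python
# RFC 4515 (search filter) and RFC 4514 (DN) value escaping, plus a username policy check.
FILTER_SPECIAL = b"\\*()"          # NUL is caught by the printable-range test below
DN_SPECIAL = b'"+,;<>\\'


def escape_filter_value(value: bytes) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    The mandatory set is \\ * ( ) and NUL; every other byte outside printable
    ASCII is hex-escaped as well, which the RFC permits for any byte.
    """
    out = []
    for b in value:
        if b in FILTER_SPECIAL or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def escape_dn_value(value: bytes) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514).

    Specials get a backslash prefix; a leading '#' or space and a trailing space
    are escaped too; bytes outside printable ASCII are hex-escaped.
    """
    out = []
    last = len(value) - 1
    for i, b in enumerate(value):
        if b in DN_SPECIAL or (i == 0 and b in b"# ") or (i == last and b == 0x20):
            out.append("\\" + chr(b))
        elif b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def user_filter(user_name: bytes) -> str:
    """The '(uid=...)' filter seen in the debug output, with the value escaped."""
    return "(uid=%s)" % escape_filter_value(user_name)


def user_dn(user_name: bytes, base: str = "ou=people,dc=company,dc=com") -> str:
    """The 'uid=%{User-Name},<base>' DN from the attr_rewrite suggestion, escaped."""
    return "uid=%s,%s" % (escape_dn_value(user_name), base)


def username_is_sane(user_name: bytes, max_len: int = 64) -> bool:
    """Policy a proxy can enforce before a backend sees the name: non-empty,
    bounded length, printable non-space ASCII only. (The 64-byte cap is an
    assumption for this example, not a protocol limit.)"""
    return 0 < len(user_name) <= max_len and all(0x21 <= b <= 0x7E for b in user_name)


# First ten bytes of the User-Name from the debug output above, as Python octal escapes.
GARBAGE_NAME = b"\225\247+\037\230O:?}\263"

if __name__ == "__main__":
    for name in (b"jdoe", b"doe,ou=admins", b"*)(uid=*", GARBAGE_NAME):
        print(username_is_sane(name), user_filter(name), user_dn(name))
```

The policy check and the escaping are separate controls: rejecting unprintable names stops the line-noise case in the thread, while escaping makes sure that a printable name containing `,`, `(` or `*` cannot alter the DN or the filter it is substituted into.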
(no subject)
Hi

In our case the authentication works fine with both modules: unix and ldap (local users and LDAP users). Using LDAP works fine for most of the users, but for some users (the ones not searchable) it doesn't work.

When rlm_ldap authorizes a user, does it make a bind to LDAP? In that case the default is to bind anonymously so it shouldn't be a problem... Or does it make an ldapsearch? When rlm_ldap authenticates the user it makes a new bind, if I understood correctly (watching a radtest session).

Regards,
David

> Date: Wed, 22 Jan 2003 15:47:33 +0200 (EET)
> From: Kostas Kalevras [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: bind to ldap server only (no search)
> Reply-To: [EMAIL PROTECTED]
>
> On Wed, 22 Jan 2003, David De Maeyer wrote:
>
> > Hi all,
> >
> > I am quite new to Radius. I installed FreeRadius 0.8.1 and it runs fine. We have some local users in the users file; other users are authenticated via our LDAP server. As far as I can see we only need to bind to the LDAP server to authenticate them, but it seems the rlm_ldap module first searches for the users. In our case we have some users which are not searchable. That means the authentication fails: rlm_ldap first searches for the user but can't find it.
> >
> > Is it therefore possible to only bind to the LDAP server without searching for the users?
>
> You have to first find the user dn. Anyway, you could create a Ldap-UserDn attribute by use of the attr_rewrite module, add it in the config attribute list and it should work. Something like:
>
>     attribute = Ldap-UserDn
>     replacewith = "uid=%{User-Name},ou=people,dc=company,dc=com"
>     new_attribute = yes
>
>     authorize {
>         [...]
>         attr_rewrite
>     }
>
> > Is it something to do with the identity flag in rlm_ldap?
> >
> > Regards,
> > David
> >
> > ___
> > David De Maeyer
> > Roskilde University Center
> > Computer Science Department
> > Box 260, Hus 42.1
> > 4000 Roskilde
> > Denmark
> > voice (+45) 46 74 38 29
> > fax (+45) 46 74 30 72
>
> -- 
> Kostas Kalevras		Network Operations Center
> [EMAIL PROTECTED]	National Technical University of Athens, Greece
> Work Phone:		+30 210 7721861
> 'Go back to the shadow'	Gandalf

___
David De Maeyer
Roskilde University Center
Computer Science Department
Box 260, Hus 42.1
4000 Roskilde
Denmark
voice (+45) 46 74 38 29
fax (+45) 46 74 30 72
Re: Mysql Authentication
Alan DeKok wrote:
> Ossama Suleiman [EMAIL PROTECTED] wrote:
> > I am using freeradius 0.8.1 with Redhat 8.0. I wanted to use mysql authentication; the problem is that I want to authenticate users depending on Calling-Station-Id, so I added an entry (blank username)
>
> Why? What's wrong with the DEFAULT configuration?

When using the DEFAULT entry with the users file there is no problem at all, but when using it with mysql I got the error message mentioned before, below.

> > I got the following error message that the user-name can't be blank:
> > --
> > rlm_sql (sql): zero length username not permitted
>
> Exactly. Use DEFAULT.

I tried the DEFAULT value; my table looks like this:

    +----+----------+----------------+--------+----+
    | id | UserName | Attribute      | Value  | op |
    +----+----------+----------------+--------+----+
    |  1 | DEFAULT  | Auth-Type      | Accept | := |
    |  2 | DEFAULT  | Huntgroup-Name | test   | == |
    +----+----------+----------------+--------+----+

but as I said before, this configuration is not working and it still complains about zero length username. When I commented out that section in rlm_sql.c and replaced the default entry with a blank entry it worked correctly. My table looked like this in that case:

    +----+----------+----------------+--------+----+
    | id | UserName | Attribute      | Value  | op |
    +----+----------+----------------+--------+----+
    |  1 |          | Auth-Type      | Accept | := |
    |  2 |          | Huntgroup-Name | test   | == |
    +----+----------+----------------+--------+----+

This is working fine, and checking the calling-station-id listed in the huntgroup file. Could somebody correct me if this contains mistakes??

> You're doing too much work, and ignoring the examples which tell you about the DEFAULT user.
>
> Alan DeKok.

Sorry for all the trouble, and resending it.
Ossama
Re: HELP: EAP/TLS - XP
hi

David Baer wrote:
> hi,
>
> thanks for looking at the matter, Artur.
>
> > in fact, unless you shortened your post, there seem to be two requests one after another, or am I wrong? because radius actually doesn't do anything about the wrong request. it denies the next one... well, it's perhaps normal.
>
> well, strange is (or is it a normal retry?) that it has two rad_recv of id=95: one at (*A*) and then the other one at (*B*). then he is sending the reject message on the line (*E*) to id=95, but it is not clear to which. However, I think the problem really is between line (*C*) and (*D*), which prevents me from getting an Access-Accept.
>
> This error seems to happen from time to time; I've found another post in the mailing list (http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg11598.html). But there isn't a solution (or even a guess as to where it comes from) around.
>
> Advice is appreciated.
>
> david

it's probably a bug in your AP implementation. try the newest firmware, e.g.

effectively, it's a re-request since the id-number is the same. the TLS error probably comes from the shortened message or something similar; the data seems to be corrupted in some way. radius seems to just reject from that moment on; it doesn't seem to check the second message for its correctness (IMHO it should, however, since it's udp).

compare the two messages by snooping on the interface. if the error is always the same, try to change some parameters (framed-mtu value, perhaps even another user-name, etc.)

ciao
artur

-- 
Artur Hecker
De'partement Informatique et Re'seaux, ENST Paris
http://www.infres.enst.fr/~hecker
Re: cvs login error
pavelsh [EMAIL PROTECTED] wrote:
> It's problem?
>
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
> (Logging in to [EMAIL PROTECTED])
> CVS password:
> cvs login: authorization failed: server cvs.freeradius.org rejected access to /source for user anoncvs

Yes. I didn't make an announcement yesterday because I was pressed for time.

There has been a security announcement with regards to CVS. Therefore, CVS access to FreeRADIUS has been removed until such time as we upgrade CVS to a non-vulnerable version.

The last thing we want in an authentication server is that someone breaks into the CVS repository, and installs a back-door into FreeRADIUS.

Alan DeKok.
Re: RSA security server token authentication
Choudary Asad Mumtaz [EMAIL PROTECTED] wrote:
> I was under the impression that by turning on the proxy requests feature, it could send requests to the rsa security server.

Yes... but that's not the same as FreeRADIUS supporting it itself.

> As freeradius doesn't have this feature, does someone have another free solution to the problem :).

No. SecurID is a proprietary system. There is NO free solution to the problem.

Alan DeKok.
Re: Check Users File
Norbert Wegener [EMAIL PROTECTED] wrote:
> In the process of migrating from cistron to freeradius I noticed that one nice feature of cistron is missing in freeradius: with the option -C, cistron checked the syntax of a users file. This was very useful for us. In freeradius I did not find an option for such a check. Is it missing, or did I not read enough documentation?

FreeRADIUS doesn't have that feature. As always, patches are welcome...

Alan DeKok.
Re: ??????
giorgio [EMAIL PROTECTED] wrote:
> The only problem is that the radutmp and radwtmp files are not created. The client sends accounting packets and the server takes them and sends the proper reply, but radutmp returns noop. What to do???

Send accounting packets with information that can go into radutmp or radwtmp.

If the server receives accounting packets without (say) a port or a User-Name, it doesn't know what to put in radutmp or radwtmp. So it doesn't do anything with the packet.

Alan DeKok.
Re: cvs login error
At 05:20 AM 1/22/2003 -0500, Alan DeKok wrote:
> pavelsh [EMAIL PROTECTED] wrote:
> > It's problem?
> >
> > $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
> > (Logging in to [EMAIL PROTECTED])
> > CVS password:
> > cvs login: authorization failed: server cvs.freeradius.org rejected access to /source for user anoncvs
>
> Yes. I didn't make an announcement yesterday because I was pressed for time.
>
> There has been a security announcement with regards to CVS. Therefore, CVS access to FreeRADIUS has been removed until such time as we upgrade CVS to a non-vulnerable version.
>
> The last thing we want in an authentication server is that someone breaks into the CVS repository, and installs a back-door into FreeRADIUS.

Definitely. As the host of the server for the website and the CVS repository, we are in the process of upgrading CVS to an unaffected release. Once this is done, we will restore CVS access, which should occur later today (1/22). Alan or myself will make an announcement to the lists when CVS has been upgraded and access is restored.

You can still download the latest tarballs of the CVS snapshots as well as all release versions from the FTP site.

Thanks for your patience,

-Chris

-- 
   \\\|||///  \    StarNet Inc.            \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!        \ Director, Engineering
   | @   @ |    \  http://www.starnetwx.net  \ (847) 963-0116
-oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net
Re: ??????
----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 22, 2003 12:28 PM
Subject: Re: ??

> giorgio [EMAIL PROTECTED] wrote:
> > The only problem is that the radutmp and radwtmp files are not created. The client sends accounting packets and the server takes them and sends the proper reply, but radutmp returns noop. What to do???
>
> Send accounting packets with information that can go into radutmp or radwtmp.
>
> If the server receives accounting packets without (say) a port or a User-Name, it doesn't know what to put in radutmp or radwtmp. So it doesn't do anything with the packet.
>
> Alan DeKok.

When I send a packet and receive a reply, the server writes to the detail file:

    Wed Jan 8 12:42:33 2003
        User-Name = gelu
        NAS-Identifier = telendos
        Acct-Status-Type = Start
        Acct-Session-Id = fbsnx
        Service-Type = Login-User
        NAS-IP-Address = 195.251.249.184
        Client-IP-Address = 195.251.249.184
        Acct-Unique-Session-Id = a5092a353199d945
        Timestamp = 1042022553

Is this not enough information?? What do you mean by saying "If the server receives accounting packets without (say) a port"??? How can you change that, and say a port???
Re: ??????
jim [EMAIL PROTECTED] wrote:
> When I send a packet and receive a reply, the server writes to the detail file

The message was about radutmp and radwtmp, not the detail file.

The detail module doesn't look at the contents of the accounting packet. It just writes them to a file.

The radutmp module needs to write *specific* pieces of information to a file. It needs that information, and it ignores any other attributes in the accounting packet. e.g. LOOK at the fields of 'radutmp'. Certain information is necessary.

> What do you mean by saying "If the server receives accounting packets without (say) a port"???

The radutmp file has a 'port' entry, which is taken from the NAS-Port attribute. If there is no NAS-Port attribute in the accounting packet, then 'radutmp' CANNOT create a radutmp entry for that packet, so the packet is ignored, and the module returns NOOP.

Alan DeKok.
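To make Alan's point concrete, here is an added Python example (not code from the thread or from the radutmp module) that parses detail-file text into records and then reports which attributes a radutmp entry would be missing. The first record is the one jim posted, with string values quoted as a real detail file writes them; the second record is constructed for contrast and adds a NAS-Port. The required-attribute list is a model of Alan's explanation (User-Name and NAS-Port) extended with the status type and session id that identify the session; it is an assumption of this example, not the module's actual field list.

```python
# Constructed detail-file text modelled on the record in the thread (string values
# are quoted in a real detail file; the second record is made up and adds NAS-Port).
DETAIL = """\
Wed Jan  8 12:42:33 2003
\tUser-Name = "gelu"
\tNAS-Identifier = "telendos"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "fbsnx"
\tService-Type = Login-User
\tNAS-IP-Address = 195.251.249.184
\tClient-IP-Address = 195.251.249.184
\tAcct-Unique-Session-Id = "a5092a353199d945"
\tTimestamp = 1042022553

Wed Jan  8 12:45:10 2003
\tUser-Name = "gelu"
\tNAS-Identifier = "telendos"
\tNAS-IP-Address = 195.251.249.184
\tNAS-Port = 1
\tAcct-Status-Type = Start
\tAcct-Session-Id = "fbsny"
\tTimestamp = 1042022710

"""

# Attributes a radutmp login record needs, modelled on Alan's explanation (User-Name
# and NAS-Port) plus the status and session id; an assumption for this example.
RADUTMP_REQUIRED = ("User-Name", "NAS-Port", "Acct-Status-Type", "Acct-Session-Id")


def parse_detail(text):
    """Parse detail-file text into a list of dicts.

    A record starts with an unindented timestamp line, continues with indented
    'Attribute = value' lines, and ends at a blank line. Quotes around string
    values are removed; the timestamp is kept under the '_timestamp' key.
    """
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        if line[0] not in " \t":
            current = {"_timestamp": line.strip()}
            continue
        attr, _, value = line.strip().partition(" = ")
        current[attr] = value.strip('"')
    if current is not None:
        records.append(current)
    return records


def radutmp_decision(record):
    """Return ('ok', []) when every required attribute is present, otherwise
    ('noop', [missing...]), mirroring the module outcome described in the thread."""
    missing = [attr for attr in RADUTMP_REQUIRED if attr not in record]
    return ("noop", missing) if missing else ("ok", [])


if __name__ == "__main__":
    for rec in parse_detail(DETAIL):
        verdict, missing = radutmp_decision(rec)
        print(rec["_timestamp"], rec["User-Name"], verdict, missing)
```

Run against the posted record this returns `noop` with `NAS-Port` as the only missing attribute, which is the gap Alan identifies; the constructed second record passes. The same parser can be pointed at a real detail file to audit which NAS is omitting the attribute.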
Cannot visit the cvs web for radiusd
Error: $cvstreedefault points to a repository (local) not defined in %CVSROOT (edit your configuration file /web/pages/us.freeradius.org/cvsweb.conf)
RE: Cannot visit the cvs web for radiusd
Um, did you miss the latest response on a **very** similar thread, oh let's see... only _three_ messages prior to yours?

-- 
Mike Ockenga, CCNP
[EMAIL PROTECTED]
Network Engineer II
Onvoy Inc.
300 North Highway 169
Minneapolis, MN 55441

-----Original Message-----
From: Abel Alejandro [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 11:39 AM
To: [EMAIL PROTECTED]
Subject: Cannot visit the cvs web for radiusd

Error: $cvstreedefault points to a repository (local) not defined in %CVSROOT (edit your configuration file /web/pages/us.freeradius.org/cvsweb.conf)
partial realm match?
I am trying to configure freeradius-0.8.1 to accept authentication requests of the form:

    user@something.isp.net

where I don't know in advance what the something is going to be. So essentially what I am asking is: is it possible to set up proxy.conf to match on a substring? Is there a regular-expression type of realm matching logic available, or must this be coded?

Thanks for your help!

-- 
Robert D. Haskins
Using Freeradius with sybase database
We are trying to validate RAS users using Freeradius 0.8.1 against our Sybase 12 database, but we receive the error message "Segmentation fault". Our box is a LINUX SuSE 8.0 and we use the rlm_sql_sybase driver compiled using Sybase Openclient OCS 12.5. If we try to connect directly to the sybase database using sql -Sservername -Uusername we have success. Validating local users is working fine, so we assume that Freeradius is working. I'm attaching a copy of the debugging message at the end of the mail; if you can look at it, maybe it could help.

Thanks for any help that you can send us.

Yurguen

    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /etc/raddb/proxy.conf
    Config: including file: /etc/raddb/clients.conf
    Config: including file: /etc/raddb/snmp.conf
    Config: including file: /etc/raddb/sql.conf
    main: prefix = /usr/local
    main: localstatedir = /var
    main: logdir = /var/log/radius
    main: libdir = /usr/local/lib
    main: radacctdir = /var/log/radius/radacct
    main: hostname_lookups = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = yes
    main: log_file = /var/log/radius/radius.log
    main: log_auth = yes
    main: log_auth_badpass = yes
    main: log_auth_goodpass = yes
    main: pidfile = /var/run/radiusd/radiusd.pid
    main: user = (null)
    main: group = (null)
    main: usercollide = no
    main: lower_user = no
    main: lower_pass = no
    main: nospace_user = no
    main: nospace_pass = no
    main: checkrad = /usr/local/sbin/checkrad
    main: proxy_requests = no
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: servers_per_realm = 15
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    pap: encryption_scheme = crypt
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    mschap: ignore_password = no
    mschap: use_mppe = yes
    mschap: require_encryption = no
    mschap: require_strong = no
    mschap: passwd = (null)
    mschap: authtype = MS-CHAP
    Module: Instantiated mschap (mschap)
    Module: Loaded SQL
    sql: driver = rlm_sql_sybase
    sql: server = atila
    sql: port =
    sql: login = egalvgn
    sql: password = egalvgn
    sql: radius_db = hegalicia
    sql: acct_table = radacct
    sql: acct_table2 = radacct
    sql: authcheck_table = radcheck
    sql: authreply_table = radreply
    sql: groupcheck_table = radgroupcheck
    sql: groupreply_table = radgroupreply
    sql: usergroup_table = usergroup
    sql: nas_table = nas
    sql: dict_table = dictionary
    sql: sqltrace = no
    sql: sqltracefile = /var/log/radius/sqltrace.sql
    sql: deletestalesessions = yes
    sql: num_sql_socks = 5
    sql: sql_user_name = %{User-Name}
    sql: default_user_profile =
    sql: query_on_not_found = no
    sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
    sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
    sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
    sql: authorize_group_reply_query = SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
    sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = %{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'
    sql: accounting_update_query = UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime = 0
    sql: accounting_start_query = INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
Re: RSA security server token authentication
Probably I didn't phrase my question right earlier. As we now know that the Freeradius server can act as a middle man to the authentication from the rsa security server, has someone implemented this scenario before? If you have done so, how would I set it up in the clients file after enabling the proxy server setup?

Thank you all for all your helpful input.

Choudary.

[EMAIL PROTECTED] wrote:

> Today's Topics:
>
>    1. Re: RSA security server token authentication ([EMAIL PROTECTED])
>    2. Oracle database failover (Sally Fetouh)
>    3. Re: Auth-type=Accept (Simon White)
>    4. Check Users File (Norbert Wegener)
>    5. Radiusd Problems (Srinivasa Rao Mannava)
>    6. Re: Auth-type=Accept (leaobicalho)
>    7. Re:RSA security server token authentication (leaobicalho)
>    8. Re: Regexp in huntgroups file (Alexander M. Pravking)
>    9. ?? (giorgio)
>   10. bind to ldap server only (no search) (David De Maeyer)
>   11. Re: bind to ldap server only (no search) (Kostas Kalevras)
>   12. control (or garbage) characters in username (Alexis C. Villalon)
>
> --__--__--
>
> Message: 1
> To: [EMAIL PROTECTED]
> Subject: Re: RSA security server token authentication
> From: [EMAIL PROTECTED]
> Date: Wed, 22 Jan 2003 00:16:13 -0600
> Reply-To: [EMAIL PROTECTED]
>
> Actually, that you _can_ do. I personally detest the radius server that is built into ACE and refuse to use it in any manner, either as the target of a proxy or as the direct client target. But there's no reason why you _couldn't_ do exactly what you describe with FR and an ACE server.
> Vincent Giovannone
> Network Infrastructure Group
> Information Services Division
> Rush - Presbyterian St. Luke's Medical Center
>
> "So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around." -- Simon Travaglia
>
> Choudary Asad Mumtaz [EMAIL PROTECTED]
> Sent by: [EMAIL PROTECTED]
> 01/21/03 09:35 PM
> Please respond to freeradius-users
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: RSA security server token authentication
>
> > Hi Vincent and Alan,
> >
> > Thank you very much for your quick response. I was under the impression that by turning on the proxy requests feature, it could send requests to the rsa security server. As freeradius doesn't have this feature, does someone have another free solution to the problem :).
> >
> > Thank you.
> > Choudary.
>
> --__--__--
>
> Message: 2
> Date: Wed, 22 Jan 2003 11:21:42 +0400
> From: Sally Fetouh [EMAIL PROTECTED]
> Subject: Oracle database failover
> To: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
>
> Hi,
>
> We're currently using an Oracle database with freeradius. We had a concern with database failover and redundancy issues. One issue was: if the database was down, freeradius should be directed to another one - bearing in mind that freeradius and the database are on different machines. This was done successfully through the sql.conf file and is working fine.
>
> The other issue we had was: if the network connection between the freeradius server machine and the database machine is down, freeradius should still be redirected to an alternative database. Has anyone found a way of doing this, again through freeradius configuration files?
Thanks in advance,

Sally Fetouh
Re: RSA security server token authentication
Choudary Asad Mumtaz [EMAIL PROTECTED] wrote:

> Probably I didn't phrase my question right earlier. As we now know that the Freeradius server can act as a middle man for the authentication from the RSA security server, has someone implied this scenario before? If you have done so, how would I set it up in the clients file after enabling the proxy server setup?

You would set FreeRADIUS up to proxy to the RSA server no differently than proxying to any other RADIUS server.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Allowing POP3 (email only) access
Lisa Casey [EMAIL PROTECTED] wrote:

> However this isn't how it has been working. Take the case of username sbmills who has an email-only account of stan. Both sbmills and stan can dial in and get authenticated via radius. So in the users file I created as my first default entry:
>
> #
> DEFAULT Group == mailusers, Auth-Type := Reject
>         Reply-Message = "You are using a mailonly account."
> #
>
> In /etc/group, I have a group mailonly, with GID of 105. Next I edited the password file (using vipw) and changed stan's group to 105. From the testing I have done though, it still appears that this user can dial in using the username stan and stan's password. Is there something I have neglected to do?

Run the server in debugging mode, and see IF it matches that line in the 'users' file. Odds are that there is another configuration above it, which says to authenticate the user, and that DEFAULT isn't reached.

Alan DeKok.
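Alan's advice comes down to the first-match rule of the users file: the server walks the entries top to bottom and stops at the first one whose check items all pass, so a DEFAULT reject placed below an entry that already matches the user is never consulted. The toy walker below, added here for illustration and not FreeRADIUS code, shows that behaviour; the group table (a stand-in for the /etc/group lookup that rlm_unix does for a Group check), the users file and the user names are constructed. It also shows Fall-Through, the one way an entry lets matching continue past itself.

```python
"""Toy first-match walker for a FreeRADIUS-style 'users' file.

Added example for this thread; it is not FreeRADIUS code.  Everything below
(group table, users file, names) is constructed for illustration.
"""
import re

# Constructed stand-in for /etc/group: group name -> members.
GROUPS = {
    "mailonly": {"stan"},
    "dialup": {"sbmills", "stan"},
}

# Constructed 'users' file.  The per-user 'stan' entry at the top is the kind
# of earlier entry that stops a later DEFAULT ... Auth-Type := Reject from
# ever being reached.
USERS_FILE = '''
stan    Auth-Type := System
        Service-Type = Framed-User

DEFAULT Group == mailonly, Auth-Type := Reject
        Reply-Message = "You are using a mailonly account."

DEFAULT Auth-Type := System
        Fall-Through = Yes
'''

# One 'Attribute op value' item; values may be quoted or run up to a comma.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,]+)')


def parse_items(text):
    """Parse 'Attr op value, Attr op value' into [(attr, op, value), ...]."""
    return [(a, op, v.strip().strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users_file(text):
    """Split the file into entries (name, check_items, reply_items), in file order."""
    entries = []
    for block in re.split(r'\n(?=\S)', text.strip()):
        lines = block.splitlines()
        name, _, check_text = lines[0].partition(' ')
        replies = [item for line in lines[1:] for item in parse_items(line)]
        entries.append((name, parse_items(check_text), replies))
    return entries


def checks_pass(username, checks):
    """Only '==' items are compared; ':=' items are control settings, not checks."""
    for attr, op, value in checks:
        if op != '==':
            continue
        if attr == 'Group' and username in GROUPS.get(value, set()):
            continue
        if attr == 'User-Name' and username == value:
            continue
        return False      # failed comparison, or an attribute this toy does not know
    return True


def authorize(username, entries):
    """Walk entries in order; stop at the first match unless it sets Fall-Through = Yes.

    Returns (names of matched entries, resulting Auth-Type or None, reply items).
    """
    matched, control, reply = [], {}, {}
    for name, checks, replies in entries:
        if name != 'DEFAULT' and name != username:
            continue
        if not checks_pass(username, checks):
            continue
        matched.append(name)
        control.update((a, v) for a, op, v in checks if op == ':=')
        fall_through = False
        for attr, _, value in replies:
            if attr == 'Fall-Through':
                fall_through = value.lower() == 'yes'
            else:
                reply[attr] = value
        if not fall_through:
            break
    return matched, control.get('Auth-Type'), reply


if __name__ == '__main__':
    entries = parse_users_file(USERS_FILE)
    # With the specific 'stan' entry first, the DEFAULT reject is never consulted.
    print(authorize('stan', entries))
    # Remove that earlier entry and the same user hits the reject.
    print(authorize('stan', entries[1:]))
    # A user outside the mailonly group falls to the last DEFAULT.
    print(authorize('sbmills', entries))
```

Running it shows stan authorized by the first entry with Auth-Type System; only when that entry is gone does the DEFAULT reject fire. The same first-match rule is why a Group check naming a group the user is not in (or a group that does not exist) makes the entry silently skip rather than reject.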
Re: Allowing POP3 (email only) access
You could change the shell to the no-logon shell. That'll solve the problem the easiest way I know of.

-- Original Message ---
From: Lisa Casey [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wed, 22 Jan 2003 16:28:46 -0500
Subject: Allowing POP3 (email only) access

> Hi,
>
> We acquired an ISP who is using Freeradius. There are several accounts on this system which are meant to be email-only accounts (i.e. customers dial in and are authenticated using their dial-up username/password, then once they get connected they can check e-mail on that account or on an e-mail only account). An e-mail only account should not, of course, be able to log in via radius.
>
> However this isn't how it has been working. Take the case of username sbmills who has an email-only account of stan. Both sbmills and stan can dial in and get authenticated via radius. So in the users file I created as my first default entry:
>
> #
> DEFAULT Group == mailusers, Auth-Type := Reject
>         Reply-Message = "You are using a mailonly account."
> #
>
> In /etc/group, I have a group mailonly, with GID of 105. Next I edited the password file (using vipw) and changed stan's group to 105. From the testing I have done though, it still appears that this user can dial in using the username stan and stan's password. Is there something I have neglected to do?
>
> Thanks,
>
> Lisa Casey
> Webmaster SysAdmin
> Netlink 2000, Inc.
> [EMAIL PROTECTED]
RE: Allowing POP3 (email only) access
That's what we've done and it works.

Mike Ockenga, CCNP [EMAIL PROTECTED]
Network Engineer II, Onvoy Inc.
300 North Highway 169, Minneapolis, MN 55441

-----Original Message-----
From: craig witter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 4:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Allowing POP3 (email only) access

> You could change the shell to the no-logon shell. That'll solve the problem the easiest way I know of.
realms on 0.8.1
We are a small ISP that has some problems with a few users where they are using their email address rather than their username (username bob, email [EMAIL PROTECTED]), and as per an earlier email I added

DEFAULT LOCAL

to the realms file to cause it to trim email addresses off, and noticed that realms has:

#
# THIS FILE IS DEPRECATED.
#
# You should NOT be using this file to configure the server.
# It is here ONLY for backwards compatibility.
#
# See 'proxy.conf' for the new configuration.

I made what I thought was the same edit to the proxy.conf file:

realm DEFAULT {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

and made sure

realm suffix {
        format = suffix
        delimiter = @
}

was in the radiusd.conf, but it's still not trimming the names, and I changed it to proxy_requests = yes just in case that was the problem. What is the next thing(s) I should look at to try to get this working?
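The two pieces of configuration quoted above divide the work: the suffix realm module splits the login at the delimiter and looks the realm up, and the realm table (proxy.conf) says what to do with it, where an authhost of LOCAL means "handle it here with the stripped name" and anything else is a RADIUS server to proxy to, which is also all that proxying to the RSA server in the earlier thread amounts to at this level. The toy below, added for this thread and not rlm_realm itself, mirrors those rules; the realm table and the host names in it are constructed. It leaves out one detail of the real module: a name with no delimiter at all is checked against a realm literally named NULL, which this toy does not model.

```python
"""Toy realm resolution in the style of rlm_realm with 'format = suffix'.

Added example for this thread; not FreeRADIUS code.  The realm table and the
host names in it are constructed.
"""

# Constructed equivalent of proxy.conf realm blocks: name -> (authhost, accthost).
# 'LOCAL' means "handle the request on this server"; anything else is proxied.
REALMS = {
    "partner.example": ("radius.partner.example:1812", "radius.partner.example:1813"),
    "DEFAULT": ("LOCAL", "LOCAL"),
}


def split_suffix(user_name, delimiter="@"):
    """format = suffix: split at the LAST delimiter.  Returns (stripped, realm or None)."""
    head, sep, tail = user_name.rpartition(delimiter)
    if not sep:
        return user_name, None
    return head, tail


def resolve(user_name, realms=REALMS, delimiter="@"):
    """Return (name to authenticate, realm entry used or None, authhost).

    Rules mirrored from rlm_realm: a name without the delimiter is untouched;
    a realm present in the table is used; an unknown realm uses DEFAULT if one
    exists; with no DEFAULT the name is left alone and handled locally.
    """
    stripped, realm = split_suffix(user_name, delimiter)
    if realm is None:
        return user_name, None, "LOCAL"
    if realm in realms:
        entry = realm
    elif "DEFAULT" in realms:
        entry = "DEFAULT"
    else:
        return user_name, None, "LOCAL"     # no realm matched: nothing is stripped
    authhost, _accthost = realms[entry]
    return stripped, entry, authhost


if __name__ == "__main__":
    for name in ("bob", "bob@example.com", "alice@partner.example"):
        print(name, "->", resolve(name))
    # Without a DEFAULT realm nothing is stripped for an unknown domain.
    print(resolve("bob@example.com", {"partner.example": REALMS["partner.example"]}))
```

The last call is the case worth checking when names are not being trimmed: if the realm lookup finds neither the domain nor a DEFAULT entry, the module does nothing and the full address goes on to authentication unchanged.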
TLS question
I'm just becoming familiar with TLS and I'm trying to understand it by reading the 8.1 freeradius code. I don't quite have the ability to run it yet.

One thing I don't understand: in tls.c, in the routine tls_handshake_recv, are the following lines:

    if (ssn->info.content_type != application_data) {
        err = BIO_read(ssn->from_ssl, ssn->dirty_out.data, MAX_RECORD_SIZE);

MAX_RECORD_SIZE is defined as 16k. But TLS messages can span records; a certificate can be 16 Meg. I don't see any path to get back in here and do another BIO_read to get the rest of the message (once dirty_out has been emptied by transmitting it as EAP packets), without being triggered to do so by receiving another handshake message. So if we were sending, say, a 16 Meg cert, how would the subsequent records be read from the BIO and transmitted? We will receive EAP fragment acks, but those don't appear to come back in to tls_handshake_recv. Apologies if I've missed something obvious here.
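The question is really about where the sender keeps TLS output that does not fit in one EAP packet and what makes it send the next piece. In EAP-TLS (RFC 2716) the answer is the fragment ACK: each non-final fragment carries the M flag, the peer answers with an empty EAP-Response/TLS, and that ACK, not a new handshake message, is what drives the next fragment out, so the sender must hold its whole pending output (however many TLS records) and resume from an offset each time. The following is an added example written for this thread, not the tls.c code under discussion; the MTU and the TLS payload are constructed.

```python
"""EAP-TLS fragmentation and fragment ACKs (RFC 2716 framing).

Added example for the question above; it is not the tls.c code being discussed.
The MTU and the TLS payload are constructed.
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
FLAG_L = 0x80   # TLS Message Length field present (first fragment)
FLAG_M = 0x40   # More fragments follow
FLAG_S = 0x20   # EAP-TLS Start (not used here)


class TlsSender:
    """Holds ALL pending TLS output and hands out one fragment per call.

    The sender keeps the whole pending TLS output and resumes from its offset
    each time a fragment ACK arrives; the ACK drives the next fragment out.
    """
    def __init__(self, tls_data, mtu):
        if not 10 < mtu <= 65535:            # EAP Length is a 16-bit field
            raise ValueError("mtu must fit an EAP packet")
        self.buf, self.offset, self.mtu = tls_data, 0, mtu

    def next_fragment(self, eap_id):
        """Return the next EAP-Request/TLS fragment, or None once everything was sent."""
        if self.offset >= len(self.buf):
            return None
        first = self.offset == 0
        header_len = 6 + (4 if first else 0)   # Code, Id, Length(2), Type, Flags [, TLS length]
        chunk = self.buf[self.offset:self.offset + self.mtu - header_len]
        self.offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if self.offset < len(self.buf) else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        if first:
            body += struct.pack("!I", len(self.buf))   # total TLS message length
        body += chunk
        return struct.pack("!BBH", EAP_REQUEST, eap_id, 4 + len(body)) + body


class TlsReceiver:
    """Reassembles fragments; answers each non-final one with an empty EAP-Response/TLS (the ACK)."""
    def __init__(self):
        self.parts, self.expected_len = [], None

    def feed(self, pkt):
        """Consume one fragment.  Returns (ack bytes or None, reassembled message or None)."""
        code, eap_id, length = struct.unpack("!BBH", pkt[:4])
        if code != EAP_REQUEST or length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("not an EAP-Request/TLS packet")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            self.expected_len = struct.unpack("!I", pkt[6:10])[0]
            pos = 10
        self.parts.append(pkt[pos:])
        if flags & FLAG_M:
            ack = struct.pack("!BBH", EAP_RESPONSE, eap_id, 6) + bytes([EAP_TYPE_TLS, 0])
            return ack, None
        data = b"".join(self.parts)
        if self.expected_len is not None and len(data) != self.expected_len:
            raise ValueError("reassembled %d bytes, header promised %d" % (len(data), self.expected_len))
        self.parts, self.expected_len = [], None
        return None, data


def exchange(tls_data, mtu):
    """Run sender and receiver against each other.  Returns (fragments sent, reassembled bytes)."""
    sender, receiver = TlsSender(tls_data, mtu), TlsReceiver()
    eap_id, count, assembled = 1, 0, None
    while True:
        frag = sender.next_fragment(eap_id)
        if frag is None:
            break
        count += 1
        ack, assembled = receiver.feed(frag)
        eap_id = (eap_id + 1) % 256
        if ack is None:                # final fragment: no ACK, message complete
            break
    return count, assembled


if __name__ == "__main__":
    # Constructed stand-in for a long run of TLS handshake records.
    payload = bytes(range(256)) * 20            # 5120 bytes, well over one 1000-byte MTU
    count, back = exchange(payload, mtu=1000)
    print(count, "fragments,", "intact" if back == payload else "CORRUPT")
```

The receiver checks the total length announced in the first fragment against what it actually reassembled, which is the defensive check to keep when implementing this: a peer that announces a huge TLS Message Length is asking the receiver to reserve that much, so a real implementation also caps it before allocating.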
Re: realms on 0.8.1
In the realms file I remember having to add "realmname ip address" and my realms work fine. Does this help?

Craig

-- Original Message ---
From: Ray [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wed, 22 Jan 2003 17:17:12 -0600
Subject: realms on 0.8.1

> [Ray's "realms on 0.8.1" message quoted in full; see above.]
Re: realms on 0.8.1
Nevermind, the radius/mysql blew up this afternoon (not sure which, but either way the system stopped authenticating) and after it came back up it was working fine, so I guess I did it right; just something didn't pick up the settings when it should have. When I was restarting it, it did complain about port already in use, so I'm guessing something was a bit buggy with the stop/restart script I'm using.

On Wednesday 22 January 2003 17:17, you wrote:

> [Ray's "realms on 0.8.1" message quoted in full; see above.]
pap question
I have set up Freeradius 0.8.1 on a basic RedHat 8.0 install to replace several Windows radius servers we run right now. Freeradius auths off of a mysql database using cleartext passwords so that CHAP may be used. We resell DSL lines through a larger ISP who proxies the auths to our radius servers using pap. After I got all the username/passwords and group attributes put into the sql database, I had the ISP start proxying the requests to the new box running freeradius, and this is what showed up in the logs:

    ... Auth: Login incorrect: [username/\007\323\002m2\227\035b%\346\211\234\036\342\233a] (from client theclient port 0)

The server proxying these requests is using PAP, the encryption_scheme = clear in radiusd.conf, and I know the PAP module is loading just before the CHAP module does. I know that I could run the server in debug mode to see exactly what is going on, but it's a live box that is handling all auths for my company now (except DSL :) and my superiors will not let me take it down, restart, etc. at all. The larger ISP who proxies these requests to us is notoriously hard to get hold of for issues like testing a new radius server (sometimes it takes over a week just to hear back from them). To test the new system, I had to actually take the old Windows RADIUS server down (after making sure the clients/secrets and username/password information was on the new box also) and steal its IP address. So I'm hoping somebody may have an idea on what is going on.

Thanks all.

-Chris
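The value in that log line is sixteen characters long once the octal escapes are counted, and that length is the tell. A PAP User-Password is not encrypted in the usual sense: RFC 2865 section 5.2 hides it by XORing each 16-byte block with MD5(shared secret + Request-Authenticator), chained block by block, and the receiving server reverses that with its own copy of the secret for the sending client. If that secret differs from the one the proxy used, the recovered value is one block of binary noise per 16 bytes of password, which is exactly the shape of the value shown. Whether the password stored in SQL is clear or hashed plays no part in this step; it happens at packet decode, before any lookup. The following is an added example written for this thread, not FreeRADIUS code; the secret, authenticator and password are constructed, and LOGGED is the value copied from the log line above.

```python
"""RFC 2865 section 5.2 User-Password hiding, and what a wrong secret looks like.

Added example for the 'Login incorrect' log line above; not FreeRADIUS code.
Secret, Request-Authenticator and password values are constructed.
"""
import hashlib
import re


def hide_password(password, secret, authenticator):
    """NAS/proxy side: pad to a multiple of 16, XOR each block with MD5(secret + previous
    block), where the 'previous block' for the first block is the Request-Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: same keystream, XOR back, drop NUL padding.  With the wrong secret the
    keystream is wrong and every block comes out as 16 bytes of binary noise."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def is_printable(data):
    """True when every byte is printable ASCII, i.e. looks like a typed password."""
    return all(0x20 <= b < 0x7F for b in data)


def log_escape(data):
    """Render bytes the way the log line above does: printable ASCII as-is, the rest as \\ooo octal."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x5C else "\\%03o" % b for b in data)


def log_unescape(text):
    """Inverse of log_escape: turn a logged value back into the bytes the server saw."""
    return bytes(int(o, 8) if o else ord(c) for o, c in re.findall(r"\\([0-7]{3})|(.)", text))


# The value quoted from the log line in the message above.
LOGGED = r"\007\323\002m2\227\035b%\346\211\234\036\342\233a"

if __name__ == "__main__":
    auth = bytes(range(16))                       # constructed Request-Authenticator
    hidden = hide_password(b"hunter2", b"right-secret", auth)
    print("right secret :", reveal_password(hidden, b"right-secret", auth))
    wrong = reveal_password(hidden, b"wrong-secret", auth)
    print("wrong secret :", log_escape(wrong), "printable:", is_printable(wrong))
    raw = log_unescape(LOGGED)
    print("logged value : %d bytes, printable: %s" % (len(raw), is_printable(raw)))
```

The practical check this gives you without restarting a live server is on the log text itself: decode the escapes, and a value that is exactly 16 (or 32, 48, ...) bytes and not printable points at the decoding step, which depends only on the secret configured for that client in clients.conf, rather than at the password store or the module order.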
FW: pap question
Sorry people, when I first started writing this letter, I wasn't going to bother you all with details of having to steal the IP address of the old server to test it. Today, when I finished the letter, I told that little story at the end.

-----Original Message-----
From: Lists @ Apted Tech. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 5:36 PM
To: [EMAIL PROTECTED]
Subject: pap question

> [The "pap question" message forwarded in full; see above.]
radiusd dies on user disconnect
We are running freeradius-0.7.1 and the daemon dies when a dial-up user disconnects. We ran radius with the -X flag and saw the following error message:

    gbdm failed: read error

Any ideas?

-Mike

Michael Gleissner [EMAIL PROTECTED]
Re: Allowing POP3 (email only) access
How about setting Session-Timeout of the email-only account to 1? This was what I did (but not with FR).

/sm

On Thu, 2003-01-23 at 00:28, Lisa Casey wrote:

> [Lisa Casey's "Allowing POP3 (email only) access" message quoted in full; see above.]