sql and MSCHAP and disabling user.

2003-01-23 Thread Roman Bessyadovskii
Hi All.

I need to set up a VPN server with RADIUS login and store passwords in SQL.
I have installed everything correctly (poptop, ppp, freeradius, mysql) and
configured it; users can connect and go through the VPN.

And I want to temporarily disable a user, but I can't.

That's what I do.

mysql> select * from radcheck;
+----+----------+---------------+----+--------+
| id | UserName | Attribute     | op | Value  |
+----+----------+---------------+----+--------+
|  1 | test     | User-Password | == | test   |
|  2 | test     | Auth-Type     | == | Reject |
+----+----------+---------------+----+--------+

From radiusd.conf:
authorize {
    preprocess
    chap
    suffix
    sql
    #
    #  If the users are logging in with an MS-CHAP-Challenge
    #  attribute for authentication, the mschap module will find
    #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
    #  to the request, which will cause the server to then use
    #  the mschap module for authentication.
    mschap

}

As described in the comment, MS-CHAP adds (or rewrites) Auth-Type to MS-CHAP, and
the user can log in independent of the Reject in the sql table.

If in the authorize section I switch the sql and mschap modules and set the following order:
authorize {
    ...
    mschap
    sql
}

In that configuration I receive a reject if I disable the user in the sql table, but I also
receive a reject for normal (not disabled) users, with the following log (radiusd
-X).

rlm_sql (sql): Released sql socket id: 4 
  modcall[authorize]: module "sql" returns ok 
modcall: group authorize returns ok 
  rad_check_password:  Found Auth-Type MS-CHAP 
auth: type "MS-CHAP" 
modcall: entering group authtype 
rlm_mschap: No LM/NT password configured. Check authorization. 
  modcall[authenticate]: module "mschap" returns invalid 
modcall: group authtype returns invalid 
auth: Failed to validate the user. 
Login incorrect: [test/] (from client localhost port 0)
Delaying request 0 for 1 seconds 

How do I need to configure radius to work properly?
Or how can I disable a user in that configuration?

Thanks.

Rick.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: rlm_pap bug ?

2003-01-23 Thread Alan DeKok
"Joel Vandal" <[EMAIL PROTECTED]> wrote:
> I'm not sure if it's a normal behavior or a bug ... but if my password is
> test and I enter test123, the rlm_pap module say that my password is valid.

  Yeah, it's a bug.  The code should be using 'strcmp', not 'strncmp'.

  I'll fix it in CVS.

  Alan DeKok.




Re: Proxy.conf

2003-01-23 Thread Darren Nay

> Specify all realms that do not use IP 1.2.3.4 as normal, then use a DEFAULT
> realm for the rest. Read /path/to/src/radiusd/raddb/proxy.conf for more
> details.

Ahh.. Good idea. I hadn't thought of that.  Thanks !

Darren





Re: Proxy.conf

2003-01-23 Thread Chris Brotsos
At 01:40 PM 1/23/2003 -0700, you wrote:

> Hey all,
>
> I do a lot of proxy for realms to remote radius servers, and several of the
> realms have the same proxy information with just a different realm name.
>
> Currently I have proxy.conf setup as follows:
>
> realm realm1.com {
> type= radius
> authhost= 1.2.3.4:1645
> accthost= 1.2.3.4:1646
> secret  = SeCrEtZ
> nostrip
> }
>
> realm realm2.com {
> type= radius
> authhost= 1.2.3.4:1645
> accthost= 1.2.3.4:1646
> secret  = SeCrEtZ
> nostrip
> }
>
> Which is fine, except that I have to have a new entry in proxy.conf for
> every single realm.  Hence, proxy.conf gets to be quite a long file after
> you add so many realms.  :)
>
> What I am wondering is if it is possible to combine these realm entries that
> have the same information?

Specify all realms that do not use IP 1.2.3.4 as normal, then use a DEFAULT
realm for the rest. Read /path/to/src/radiusd/raddb/proxy.conf for more
details.


Chris





rlm_pap bug ?

2003-01-23 Thread Joel Vandal
Hi,

I'm not sure if it's a normal behavior or a bug ... but if my password is
test and I enter test123, the rlm_pap module says that my password is valid.

When I check the source code of rlm_pap.c, I see :

if (strncmp((char *) passwd_item->strvalue,
            (char *) request->password->strvalue, passwd_item->length)
    != 0){
        DEBUG("rlm_pap: Passwords don't match");

If I understand, they compare only the first "x" characters of the password
(where x = the length of the wanted password), so if the wanted password is
"test" then all passwords that begin w/ test will be accepted...

--
Joel Vandal
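
Added example (not part of the original post and not FreeRADIUS source code): a small C model of the comparison quoted above, next to the strcmp fix named in the reply, plus a length-checked constant-time variant that goes beyond what the thread discusses. The function names and the sample passwords are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Models the pre-fix check: strncmp() bounded by the length of the STORED
 * password. Only the first stored_len bytes are compared, so any supplied
 * password that merely starts with the stored one is accepted.
 * (Hypothetical helper name; it is not a FreeRADIUS function.)
 */
int pap_match_strncmp(const char *stored, size_t stored_len,
                      const char *supplied)
{
    return strncmp(stored, supplied, stored_len) == 0;
}

/* The fix named in the thread: compare the whole NUL-terminated strings. */
int pap_match_strcmp(const char *stored, const char *supplied)
{
    return strcmp(stored, supplied) == 0;
}

/*
 * Beyond the thread: both lengths must agree, and every byte is examined
 * regardless of where the first mismatch is, so the running time does not
 * depend on how many leading characters were guessed correctly.
 */
int pap_match_ct(const void *stored, size_t stored_len,
                 const void *supplied, size_t supplied_len)
{
    const unsigned char *a = stored;
    const unsigned char *b = supplied;
    unsigned char diff = 0;
    size_t i;

    if (stored_len != supplied_len)
        return 0;               /* reveals only that the lengths differ */
    for (i = 0; i < stored_len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed sample inputs: stored password vs. what the user typed. */
    static const struct {
        const char *stored;
        const char *supplied;
    } cases[] = {
        { "test", "test"     },  /* exact match                           */
        { "test", "test123"  },  /* the case reported in the post         */
        { "test", "tes"      },  /* too short: rejected by every variant  */
        { "",     "anything" },  /* zero-length bound: strncmp compares   */
                                 /* nothing and reports a match           */
    };
    size_t i;

    printf("%-8s %-10s %8s %7s %4s\n",
           "stored", "supplied", "strncmp", "strcmp", "ct");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        const char *s = cases[i].stored;
        const char *u = cases[i].supplied;

        printf("%-8s %-10s %8d %7d %4d\n", s, u,
               pap_match_strncmp(s, strlen(s), u),
               pap_match_strcmp(s, u),
               pap_match_ct(s, strlen(s), u, strlen(u)));
    }
    return 0;
}
```

The last constructed case shows a second consequence of bounding the comparison by the stored length: with a zero-length stored value, the bounded comparison accepts any input.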






Re: Proxy.conf

2003-01-23 Thread Alan DeKok
"Darren Nay" <[EMAIL PROTECTED]> wrote:
> I do a lot of proxy for realms to remote radius servers, and several of the
> realms have the same proxy information with just a different realm name.
...
> Which is fine, except that I have to have a new entry in proxy.conf for
> every single realm.  Hence, proxy.conf gets to be quite a long file after
> you add so many realms.  :)
> 
> What I am wondering is if it is possible to combine these realm entries that
> have the same information?

  Not really.  Source code mods might help...

  Alan DeKok.




Proxy.conf

2003-01-23 Thread Darren Nay
Hey all,

I do a lot of proxy for realms to remote radius servers, and several of the
realms have the same proxy information with just a different realm name.

Currently I have proxy.conf setup as follows:

realm realm1.com {
type= radius
authhost= 1.2.3.4:1645
accthost= 1.2.3.4:1646
secret  = SeCrEtZ
nostrip
}

realm realm2.com {
type= radius
authhost= 1.2.3.4:1645
accthost= 1.2.3.4:1646
secret  = SeCrEtZ
nostrip
}

Which is fine, except that I have to have a new entry in proxy.conf for
every single realm.  Hence, proxy.conf gets to be quite a long file after
you add so many realms.  :)

What I am wondering is if it is possible to combine these realm entries that
have the same information?

Any help would be appreciated.  Thanks!

Darren  Nay - [EMAIL PROTECTED]
LibertyISP - IT Administrator





Re: Different Services

2003-01-23 Thread Alexander M. Pravking
On Thu, Jan 23, 2003 at 03:06:50PM +, Didi Rieder wrote:
> Quoting Brian Johnson <[EMAIL PROTECTED]>:
> 
> > Ahh
> > 
> > I see what you are asking. :)
> > 
> > Since the users are authenticating, do you use a username for each
> > service they use? Do users have multiple services and use the same
> > username?
> 
> The same username for all services...

What is the NAS you're using?

If it could recognize Service-Type and send it in RADIUS packets,
then you can configure freeradius and database schema to do
auth/acct based on (User-Name, Service-Type) key, instead of
only User-Name.

Otherwise, you should use different User-Names, I think...


-- 
Fduch M. Pravking




FreeBSD Port

2003-01-23 Thread John A. Hengstler
Greetings All,

I saw last month on the list that the FreeBSD port was going to be
updated in a couple weeks to the current version.

Anybody heard when this will be updated?

Regards,

John


RE: Simultaneous-Use type question.

2003-01-23 Thread Mike Ockenga
> Am I missing anything?

IMHO, I wouldn't introduce the combined latency and fallibility of ICMP 
request/response packet processing and SNMP query/response handling into the 
authentication/authorization process.  It seems vulnerable to failure and lacking in 
scalability.  

ICMP packets dropped or delayed somewhere between the host running your script and the 
end-user would be problematic, as would dropped or delayed SNMP query responses.

Just my two cents...

-- 
__
Mike Ockenga, CCNP [EMAIL PROTECTED]
Network Engineer II  
Onvoy Inc. 
300 North Highway 169   Minneapolis, MN 55441
_







Re: MySQL timeout problem

2003-01-23 Thread Alan DeKok
Giuliano Zorzi <[EMAIL PROTECTED]> wrote:
>  I have a big problem with freeradius and mysql. After a 8 hours of
> inactivity of the freeradius server it looses the connection to the
> mysql server and I have to restart both to have the problem solved. Is
> there a way to turn off or set an higher value for this ?

  This problem has been fixed.  You're probably running an older
version of the server, and should upgrade.

  Alan DeKok.




Re: radiusd dies on user disconnect

2003-01-23 Thread Alan DeKok
mgleiss2 <[EMAIL PROTECTED]> wrote:
> We are running freeradius-0.7.1 and the daemon dies when a dial-up user 
> disconnects. We ran radius with the "-X" flag and saw the following error 
> message:
> "gbdm failed: read error"
> 
> Any ideas?

  Upgrade to 0.8.1, or try to track down why the DBM is getting a read
error...

  Alan DeKok.




Simultaneous-Use type question.

2003-01-23 Thread Justin Wheeler
Instead of spending all that time with the checklogin.pl script, I'm
wondering if there's any issue with finding duplicate logins via the
following:

A user attempts to login -- but there's already a record of login for that
user.

I grab that IP address that it says they're on, and see if anyone with a
newer session is on it.

If there is no one newer on that session, I ping the address to see if
it's alive.  If I get a response, I disallow access.  If I don't, I allow
access.

Customers who block pings are few and far between and would get caught
rather quickly by my dupe login script, and as such, would be dealt with a
one-by-one basis, and is not a concern.

Am I missing anything?

Regards,
Justin Wheeler

-- Computer programmer (n): Red-eyed mammal capable of communicating with
electronics and inanimate equipment.





Telnet Problem

2003-01-23 Thread p.beard
Hi,
I’m a newbie to FreeRadius so please forgive my lack of knowledge.
I am using FreeRadius (0.8.1) with Portslave (2002.01.19) both of which are running on 
the same host (Debian Woody 3r1).

I’m trying to set up a telnet connection. The ‘USERS’ entry is as follows:

Username   Auth-Type := Local, User-Password == “password”
 Service-Type = Login-User,
 Login-IP-Host = xxx.xxx.xxx.xxx,
 Login-Service = Telnet,
 Login-TCP-Port = 


When I Hyper-Terminal in I get the Login and Password prompt, and I can see FreeRadius has 
authenticated. However I then get the following:
telnet:  could not resolve 112.23.0.0/112.23.0.0: Servname not supported for ai-socktype

I’ve searched the archives of this list by subject but found nothing. Deja returned one 
result but that was in Russian.

Any help would be welcome.

--
Paddy








RE: Different Services

2003-01-23 Thread Didi Rieder
Quoting Brian Johnson <[EMAIL PROTECTED]>:

> Ahh
> 
> I see what you are asking. :)
> 
> Since the users are authenticating, do you use a username for each
> service they use? Do users have multiple services and use the same
> username?

The same username for all services...

Didi

-- 
-
Didi Rieder
[EMAIL PROTECTED]
PGPKey ID: 3431D0B0
-






RE: Different Services

2003-01-23 Thread Brian Johnson
Ahh

I see what you are asking. :)

Since the users are authenticating, do you use a username for each
service they use? Do users have multiple services and use the same
username?

- Brian J.


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of 
> Didi Rieder
> Sent: Thursday, January 23, 2003 8:51 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Different Services
> 
> 
> Quoting Brian Johnson <[EMAIL PROTECTED]>:
> 
> > I'm assuming that your oracle db has the information that would tell
> > radius what "special service" the user has...
> > 
> > Modify the SQL queries and/or add a table to your oracle db 
> to specify
> > what reply attributes should be assigned to each group.
> > 
> > You will prolly need to do both.
> 
> Thanks
> But how can I tell the Radius server for which service the 
> user asks. The
> requests come from the same NAS.
> 
> Didi
> 
> -- 
> -
> Didi Rieder
> [EMAIL PROTECTED]
> PGPKey ID: 3431D0B0
> -
> 
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 





RE: Different Services

2003-01-23 Thread Didi Rieder
Quoting Brian Johnson <[EMAIL PROTECTED]>:

> I'm assuming that your oracle db has the information that would tell
> radius what "special service" the user has...
> 
> Modify the SQL queries and/or add a table to your oracle db to specify
> what reply attributes should be assigned to each group.
> 
> You will prolly need to do both.

Thanks
But how can I tell the Radius server for which service the user asks. The
requests come from the same NAS.

Didi

-- 
-
Didi Rieder
[EMAIL PROTECTED]
PGPKey ID: 3431D0B0
-





RE: Different Services

2003-01-23 Thread Brian Johnson
I'm assuming that your oracle db has the information that would tell
radius what "special service" the user has...

Modify the SQL queries and/or add a table to your oracle db to specify
what reply attributes should be assigned to each group.

You will prolly need to do both.

- Brian J.

BTW... O'Reilly has a GREAT book on RADIUS that uses freeradius as its
implementation.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of 
> Didi Rieder
> Sent: Thursday, January 23, 2003 6:23 AM
> To: [EMAIL PROTECTED]
> Subject: Q: Different Services
> 
> 
> Hi,
> 
> first of all I must admitt, that I'm not very familiar with RADIUS
> 
> We would like to use freeradius to authenticate and authorize 
> our users for
> different services such as PPP, DSL, WLAN
> Therefore we set up freeradius-0.8.
> The users are stored in an Oracle DB and at this time we are 
> able to do both
> CHAP and PAP authentication. So far so good...
> 
> Now we would like to differentiate between the differnt 
> services, so that we can
> lock a user for one or more special service.
> I have no idea how to do and configure this, could somebody 
> give me a hint.
> 
> Didi
> 
> -- 
> -
> Didi Rieder
> [EMAIL PROTECTED]
> PGPKey ID: 3431D0B0
> -
> 
> 





RE: Using one server with multiple owners.

2003-01-23 Thread Brian Johnson
I did this by running multiple instances of freeradius with a database
and custom config file for each "owner".

Seems to work well here, but It doesn't scale as well as Realms. ;)

YMMV

- Brian J.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of 
> Simon White
> Sent: Thursday, January 23, 2003 6:30 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Using one server with multiple owners.
> 
> 
> 23-Jan-03 at 13:19, Joost Hietbrink ([EMAIL PROTECTED]) wrote :
> > Yeah, I've read up to realms :). But this would mean I have to let NASes or
> > their users put some kind of @thisissomedatabasetableidentifier at the end
> > of their username wouldn't it? Or can I add this automatically by putting
> > something in the clients.conf file? And put some check in the 'authorize'
> > and 'accounting' section so it would select sql1 or sql2 or sql3 (all
> > different databases) to use?
> 
> Maybe this?
> 
> #  rewrite arbitrary packets.  Useful in accounting and
> #  authorization.
> ## FIXME:  This is highly experimental at the moment.  Please give
> ## feedback.
> #attr_rewrite sanecallerid {
> #   attribute = Called-Station-Id
> # may be "packet", "reply", or "config"
> #   searchin = packet
> #   searchfor = "[+ ]"
> #   replacewith = ""
> #   ignore_case = no 
> #   max_matches = 10
> #}
> 
> I don't know how it works, but perhaps you could use it to add a realm
> to each NAS by comparing the attribute for NAS ID and then changing
> username (I'm clutching at straws, really).
> 
> Maybe the NAS can add the domain?
> 
> -- 
> |-Simon White, Internet Services Manager, Certified Check Point CCSA.
> |-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
> |-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
> |-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 





Re: freeradius-0.8.1 proxing

2003-01-23 Thread Alexis C. Villalon


On Thu, 23 Jan 2003, yacine rebahi wrote:

> I put in the proxy.conf,
> realm isp2.com { type = radius
>  authhost = 193.24.35.12:1812 (ip address of my machine)
>  accthost = 193.24.35.12:1813
>  secret = testing123
>}
> modules {
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> # here some other stuff
> }
>
> realm suffix {
> format = suffix
> delimiter = "@"
> }
> }
>
> authorize {
> preprocess
> suffix
> # here some other stuff
> }
> and the command line is :
> radtest [EMAIL PROTECTED] test localhost 0 testing123
>
> but it is not working, the errors are:
>- rlm_realm: no such realm isp2.com
>- [authorize]: module "suffix" returns noop
>

do you have proxying turned on in radiusd.conf?

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

if yes, and if it's still not working, post the entire debug output (but
edit the sensitive information, if there are any) somewhere where i can view
it, then i'll see if i can give another try.






Re: Using one server with multiple owners.

2003-01-23 Thread Simon White
23-Jan-03 at 13:19, Joost Hietbrink ([EMAIL PROTECTED]) wrote :
> Yeah, I've read up to realms :). But this would mean I have to let NASes or
> their users put some kind of @thisissomedatabasetableidentifier at the end
> of their username wouldn't it? Or can I add this automaticly by putting
> something in the clients.conf file? And put some check in the 'authorize'
> and 'accounting' section so it would select sql1 or sql2 or sql3 (all
> different databases) to use?

Maybe this?

#  rewrite arbitrary packets.  Useful in accounting and
#  authorization.
## FIXME:  This is highly experimental at the moment.  Please give
## feedback.
#attr_rewrite sanecallerid {
#   attribute = Called-Station-Id
# may be "packet", "reply", or "config"
#   searchin = packet
#   searchfor = "[+ ]"
#   replacewith = ""
#   ignore_case = no 
#   max_matches = 10
#}

I don't know how it works, but perhaps you could use it to add a realm
to each NAS by comparing the attribute for NAS ID and then changing
username (I'm clutching at straws, really).

Maybe the NAS can add the domain?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Q: Different Services

2003-01-23 Thread Didi Rieder
Hi,

first of all I must admit that I'm not very familiar with RADIUS.

We would like to use freeradius to authenticate and authorize our users for
different services such as PPP, DSL, WLAN.
Therefore we set up freeradius-0.8.
The users are stored in an Oracle DB and at this time we are able to do both
CHAP and PAP authentication. So far so good...

Now we would like to differentiate between the different services, so that we can
lock a user for one or more special services.
I have no idea how to do and configure this; could somebody give me a hint?

Didi

-- 
-
Didi Rieder
[EMAIL PROTECTED]
PGPKey ID: 3431D0B0
-






Re: Using one server with multiple owners.

2003-01-23 Thread Joost Hietbrink
Yeah, I've read up to realms :). But this would mean I have to let NASes or
their users put some kind of @thisissomedatabasetableidentifier at the end
of their username wouldn't it? Or can I add this automatically by putting
something in the clients.conf file? And put some check in the 'authorize'
and 'accounting' section so it would select sql1 or sql2 or sql3 (all
different databases) to use?

Joost

> 23-Jan-03 at 12:25, Joost ([EMAIL PROTECTED]) wrote :
> > Hi,
> >
> > I've set up a FreeRadius 0.8.1 server with MySQL on one of my machines. Now
> > I would like to use this server for 'multiple owners', so I could use it but
> > others can use the same machine.
> > The best way would be (I think) to use multiple mysql databases and select
> > one of these databases to use depending on the NAS the request is coming
> > from.
> >
> > Is this possible? Are there any other solutions for this problem. I could
> > of course run multiple freeradiuses on multiple ports.. but I would like
> > another solution..
>
> Perhaps read up on realms. [EMAIL PROTECTED] can be authenticated
> differently from [EMAIL PROTECTED]
>
> Regards,
>
> --
> |-Simon White, Internet Services Manager, Certified Check Point CCSA.
> |-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
> |-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
> |-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






Re: freeradius-0.8.1 proxing

2003-01-23 Thread yacine rebahi
Hello Alexis,
Thank you for your answer. I took into account your suggestions. I put 
in the proxy.conf,
realm isp2.com { type = radius
 authhost = 193.24.35.12:1812 (ip address of my machine)
 accthost = 193.24.35.12:1813
 secret = testing123
   }
modules {
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# here some other stuff
}

realm suffix {
format = suffix
delimiter = "@"
}
}

authorize {
preprocess
suffix
# here some other stuff
}
and the command line is :
radtest [EMAIL PROTECTED] test localhost 0 testing123

but it is not working, the errors are:
   - rlm_realm: no such realm isp2.com
   - [authorize]: module "suffix" returns noop

<<

"Alexis C. Villalon" wrote:
> 
> On Thu, 23 Jan 2003, yacine rebahi wrote:
> 
> > Dear All,
> > I will be very glad if someone can give me more details regarding the
> > use of realm in freeradius-0.8.1.
> > - In the realms and the proxy.conf files, some realms are given. They
> > correspond to some remote servers. When a request is received with
> > @realm, the server looks up in these files and based on the
> > corresponding results, it gives the answer
> > - I am trying to use the test command for example (radtest [EMAIL PROTECTED]
> > test localhost 0 testing123) but the proxy does not recognize this
> > realm.
> > --
> 
> I wish you could give more clues like related snippets of your config files
> and debug output.
> 
> Anyway, we're using FRv0.8.1 both as proxy and home server and it's doing
> well.  You can ignore the realms file and just modify the proxy.conf file to
> your setup.  Here's a shot.
> 
> in proxy.conf (as for your setup)...
> 
> realm isp2.com {
> type= radius
> authhost= home.server.com:1812
> accthost= home.server.com:1813
> secret  = secret
> }
> 
> and then in radiusd.conf...
> 
> modules {
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> }
> 
> realm suffix {
> format = suffix
> delimiter = "@"
> }
> }
> 
> authorize {
> preprocess
> suffix
> }
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Best Regards
Yacine


Yacine Rebahi
FOKUS - Institut fuer offene Kommunikationssysteme
Kaiserin-Augusta-Allee 31, D-10589 Berlin, Germany
Phone   +49 30 - 34 63 - 73 78
Fax +49 30 - 34 63 - 80 00
e-Mail  [EMAIL PROTECTED]





Re: Using one server with multiple owners.

2003-01-23 Thread Simon White
23-Jan-03 at 12:25, Joost ([EMAIL PROTECTED]) wrote :
> Hi,
> 
> I've set up a FreeRadius 0.8.1 server with MySQL on one of my machines. Now
> I would like to use this server for 'multiple owners', so I could use it but
> others can use the same machine.
> The best way would be (i think) to use multiple mysql databases and select
> one of these databases to use depending on the NAS the request is comming
> from.
> 
> Is this possible? Are there any other solutions for this problem. I could
> off course run multiple freeradiuses on multiple ports.. but I would like an
> other solution..

Perhaps read up on realms. [EMAIL PROTECTED] can be authenticated
differently from [EMAIL PROTECTED]

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Using one server with multiple owners.

2003-01-23 Thread Joost
Hi,

I've set up a FreeRadius 0.8.1 server with MySQL on one of my machines. Now
I would like to use this server for 'multiple owners', so I could use it but
others can use the same machine.
The best way would be (I think) to use multiple mysql databases and select
one of these databases to use depending on the NAS the request is coming
from.

Is this possible? Are there any other solutions for this problem. I could
of course run multiple freeradiuses on multiple ports.. but I would like
another solution..

Thanks,

Joost






unsubscribe

2003-01-23 Thread Joseph Ross Lee
 
 

=
Joseph Ross Lee
Director, IT Solutions
POPS Inc (People, Organization, Process and Solutions)
mobile: +639189363808 office:8077232




Re: using freeradius with celluarip networks

2003-01-23 Thread yacine rebahi

freeradius is an AAA (authentication, authorization and accounting)
server. It could be used to authenticate and authorize users requiring
access (for example) to network resources and services.


Simon White wrote:
> 
> 23-Jan-03 at 00:17, satnett satellite ([EMAIL PROTECTED]) wrote :
> >
> >
> >  "Dear tim,
> > Does Freeradius Support Voice Over Ip
> 
> VoIP has nothing to do with authentication.
> 
> --
> |-Simon White, Internet Services Manager, Certified Check Point CCSA.
> |-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
> |-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
> |-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Best Regards
Yacine


Yacine Rebahi
FOKUS - Institut fuer offene Kommunikationssysteme
Kaiserin-Augusta-Allee 31, D-10589 Berlin, Germany
Phone   +49 30 - 34 63 - 73 78
Fax +49 30 - 34 63 - 80 00
e-Mail  [EMAIL PROTECTED]





Re: Authorization

2003-01-23 Thread Aleksandar Zhelyazkov
You can use rlm_perl or rlm_python for authenticating.
Then you can do whatever you want.


Alex Zhang wrote:

> Thanks Tim.
> I'm using oracle database trigger to calculate the credit amount and
> add it to radreply:
> at the conclusion of each call, i use trigger to calculate the amount
> left according to calledstationid and username, the unit price is also
> in the table. the formular is "amount left = amount left - amount used" .
> your fomular : "time left=time left-call duration" can not be used at
> the conclusion of a call. To different destination country code or
> area code, unit price is different. thus time calculation should be
> used after user dial the destination phone number and i'll check the
> unit price table in database to calculate the time that use can use.
> the formular is: "time left = amount left / unit price", thus I think
> this calculation can only be used after authorization request and
> before authorization response.
> am i right? or you can explain to me in more detail if i misunderstood
> your solution.
> regards
> Alex Zhang
>
> - Original Message -
> *From:* Tim McCracken 
> *To:* [EMAIL PROTECTED]
> 
> *Sent:* Thursday, January 16, 2003 11:51 AM
> *Subject:* RE: Authorization
>
> Here is a best guess.
> FR is only going to issue queries as defined in the config file
> for oracle.
> The only queries that are going to work for auths are going to be
> selects, since you must retreive data for an auth.
> I think you need to calculate the credit time based on a DB
> trigger in the Accounting table at the conclusion of each call,
> and use that to update radreply and or radcheck as may be
> necessary. Each trigger execution should probably be something
> like "time left=time left-call duration" so that if you purge the
> accounting tables, the lost records won't matter.
> This will likely perform better for auths also, since you aren't
> executing a potentially long running trigger at auth time.
> I dont think ExecProgramWait is going to do what you want at all.
> Tim
>
> -Original Message-
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]*On Behalf Of
> *Alex Zhang
> *Sent:* Wednesday, January 15, 2003 9:28 PM
> *To:* [EMAIL PROTECTED]
> *Subject:* Authorization
>
> Hi,
> I'm trying to use freeradius0.8.1 and oracle with quintum box
> to build a prepaid voip system.
> currently, i have a problem:
> i can not modify or insert the h323-credit-time in radreply
> when authorizing. If I can insert the calledsessionid and
> username into oracle, i think i can write a database trigger
> to calcute the credit-time and insert it into radreply. but
> the problem is i don't know how to interact with oracle in
> authorizaion stage.
> I checked this list to find "Exec-Program-Wait" can be used.
> One of the method is to write a c programm. Is it possible to
> use sqlplus and sql script file? have anyone tried this way?
> Thanks in advanced.
> Alex Zhang
>







Re: using freeradius with celluarip networks

2003-01-23 Thread Simon White
23-Jan-03 at 00:17, satnett satellite ([EMAIL PROTECTED]) wrote :
> 
>  
>  "Dear tim,
> Does Freeradius Support Voice Over Ip

VoIP has nothing to do with authentication.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: freeradius-0.8.1 proxing

2003-01-23 Thread Alexis C. Villalon


On Thu, 23 Jan 2003, yacine rebahi wrote:

> Dear All,
> I will be very glad if someone can give me more details regarding the
> use of realm in freeradius-0.8.1.
> - In the realms and the proxy.conf files, some realms are given. They
> correspond to some remote servers. When a request is received with
> @realm, the server looks up in these files and based on the
> corresponding results, it gives the answer
> - I am trying to use the test command for example (radtest [EMAIL PROTECTED]
> test localhost 0 testing123) but the proxy does not recognize this
> realm.
> --

I wish you could give more clues like related snippets of your config files
and debug output.

Anyway, we're using FRv0.8.1 both as proxy and home server and it's doing
well.  You can ignore the realms file and just modify the proxy.conf file to
your setup.  Here's a shot.

in proxy.conf (as for your setup)...

realm isp2.com {
    type     = radius
    authhost = home.server.com:1812
    accthost = home.server.com:1813
    secret   = secret
}

and then in radiusd.conf...

modules {
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
    }

    realm suffix {
        format = suffix
        delimiter = "@"
    }
}

authorize {
    preprocess
    suffix
}







freeradius-0.8.1 proxing

2003-01-23 Thread yacine rebahi
Dear All,
I will be very glad if someone can give me more details regarding the
use of realm in freeradius-0.8.1.
- In the realms and the proxy.conf files, some realms are given. They
correspond to some remote servers. When a request is received with
@realm, the server looks up in these files and based on the
corresponding results, it gives the answer
- I am trying to use the test command for example (radtest [EMAIL PROTECTED]
test localhost 0 testing123) but the proxy does not recognize this
realm. 
-- 
Best Regards
Yacine


Yacine Rebahi
FOKUS - Institut fuer offene Kommunikationssysteme
Kaiserin-Augusta-Allee 31, D-10589 Berlin, Germany
Phone   +49 30 - 34 63 - 73 78
Fax +49 30 - 34 63 - 80 00
e-Mail  [EMAIL PROTECTED]





Re: how to send out an Access-Challenge packet

2003-01-23 Thread liug
Sorry, there is a little error in my last post about the last packet from freeradius. I
just put it right.

Hi, everyone!

I am doing a case about a radius client. I want to use freeradius to test my job.
I must use freeradius to send out an Access-Challenge Packet.

That is,
my client                        freeradius

 Access-Request  ------------->
   User-Name = "test"
   User-Password = "Challenge"

                 <-------------  Access-Challenge
                                   Challenge-State = "adasd"

 Access-Request  ------------->
   User-Name = "test"
   User-Password = "abcd"
   state = "adasd"

                 <-------------  Access-Accept


How can I implement this? I mean, I can send an Access-Accept or an
Access-Reject packet with freeradius, but I can't send an Access-Challenge.
If anybody knows, please tell me, thanks a lot.


 liug

- Original Message - 
From: "liug" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 23, 2003 5:00 PM
Subject: how to send out an Access-Challenge packet


> Hi, everyone!
>
> I am doing a case about a radius client. I want to use freeradius to test my job.
> I must use freeradius to send out an Access-Challenge Packet.
>
> That is,
> my client                        freeradius
>
>  Access-Request  ------------->
>    User-Name = "test"
>    User-Password = "Challenge"
>
>                  <-------------  Access-Challenge
>                                    Challenge-State = "adasd"
>
>  Access-Request  ------------->
>    User-Name = "test"
>    User-Password = "abcd"
>    state = "adasd"
>
>                  <-------------  Access-Challenge
>                                  Access-Accept
>
>
> How can I implement this? I mean, I can send an Access-Accept or an
> Access-Reject packet with freeradius, but I can't send an Access-Challenge.
> If anybody knows, please tell me, thanks a lot.
>
>
>   liug
> 
> 
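The two-round exchange asked about above, written out at the packet level following RFC 2865, as an added example (not part of the original post, and not FreeRADIUS code or configuration). What the post calls Challenge-State is the standard State attribute (type 24). The shared secret, the function names, the fixed answer "abcd" and the handling of passwords of at most 16 bytes are assumptions made for this example.

```python
import hashlib, hmac, os, struct

REQUEST, ACCEPT, REJECT, CHALLENGE = 1, 2, 3, 11  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24        # RFC 2865 attribute types
SECRET = b"testing123"                            # constructed shared secret

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def parse_attrs(pkt):
    out, i = {}, 20  # attributes follow the 20-byte header
    while i + 2 <= len(pkt) and pkt[i + 1] >= 2:
        out[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    if i != len(pkt):
        raise ValueError("malformed attribute")
    return out

def xor_password(data, req_auth):  # RFC 2865 5.2 hiding, one block; self-inverse
    key = hashlib.md5(SECRET + req_auth).digest()
    return bytes(a ^ b for a, b in zip(data.ljust(16, b"\0"), key))

def request(ident, user, password, state=b""):
    auth = os.urandom(16)  # Request Authenticator
    body = attr(USER_NAME, user) + attr(USER_PASSWORD, xor_password(password, auth))
    body += attr(STATE, state) if state else b""
    return struct.pack("!BBH", REQUEST, ident, 20 + len(body)) + auth + body

def reply(code, req, body=b""):
    head = struct.pack("!BBH", code, req[1], 20 + len(body))
    return head + hashlib.md5(head + req[4:20] + body + SECRET).digest() + body
def reply_is_authentic(rep, req):  # recompute the Response Authenticator
    return hmac.compare_digest(reply(rep[0], req, rep[20:]), rep)

def server(req, pending):
    a = parse_attrs(req)
    if STATE not in a:  # round 1: issue a fresh, unpredictable State
        state = os.urandom(8)
        pending[state] = a[USER_NAME]
        return reply(CHALLENGE, req, attr(STATE, state))
    answer = xor_password(a[USER_PASSWORD], req[4:20]).rstrip(b"\0")  # round 2: State is single-use
    ok = pending.pop(a[STATE], None) == a[USER_NAME] and hmac.compare_digest(answer, b"abcd")
    return reply(ACCEPT if ok else REJECT, req)

def demo():  # "test", "Challenge" and "abcd" are the values used in the post
    pending = {}
    req1 = request(1, b"test", b"Challenge")
    chal = server(req1, pending)
    req2 = request(2, b"test", b"abcd", parse_attrs(chal)[STATE])
    return reply_is_authentic(chal, req1), [chal[0], server(req2, pending)[0], server(req2, pending)[0]]
```

`demo()` sends the second request twice: the first copy is accepted and the replayed copy is rejected, because the State value is consumed on first use.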


Re: Using 2 ldap servers with FreeRadius

2003-01-23 Thread Kostas Kalevras
On Thu, 23 Jan 2003, David De Maeyer wrote:

> Hi,
>
> Is it possible with FreeRadius to define 2 LDAP servers to
> be used when authorizing/authenticating the users?
>
> In order to have the following:
>
> use LDAP1
> if LDAP1 is off then use LDAP2
> if LDAP2 is also off then Bad Luck!
>
> Can the 'server' attribute in the ldap{} module take 2 ldap
> servers as value?
>
> server = "ldap1.your.domain","ldap2.your.domain"

It's better to use the redundant section in radiusd.conf

ldap ldap1 {
    server = ldap1.domain.com
    [...]
}

ldap ldap2 {
    server = ldap2.domain.com
    [...]
}

authorize {
    redundant {
        ldap1
        ldap2
    }
}
authenticate {
    redundant {
        ldap1
        ldap2
    }
}

>
> Regards,
> David
>
> ___
> David De Maeyer
> Roskilde University Center
> Computer Science Department
> Box 260, Hus 42.1
> 4000 Roskilde
> Denmark
> voice (+45) 46 74 38 29 fax (+45) 46 74 30 72
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf




Using 2 ldap servers with FreeRadius

2003-01-23 Thread David De Maeyer



Hi,

Is it possible with FreeRadius to define 2 LDAP servers to
be used when authorizing/authenticating the users?

In order to have the following:

use LDAP1
if LDAP1 is off then use LDAP2
if LDAP2 is also off then Bad Luck!

Can the 'server' attribute in the ldap{} module take 2 ldap
servers as value?

server = "ldap1.your.domain","ldap2.your.domain"

Regards,
David

___
David De Maeyer
Roskilde University Center
Computer Science Department
Box 260, Hus 42.1
4000 Roskilde
Denmark
voice (+45) 46 74 38 29 fax (+45) 46 74 30 72


how to send out an Access-Challenge packet

2003-01-23 Thread liug
Hi, everyone!

I am doing a case about a radius client. I want to use freeradius to test my job.
I must use freeradius to send out an Access-Challenge Packet.

That is,
my client                        freeradius

 Access-Request  ------------->
   User-Name = "test"
   User-Password = "Challenge"

                 <-------------  Access-Challenge
                                   Challenge-State = "adasd"

 Access-Request  ------------->
   User-Name = "test"
   User-Password = "abcd"
   state = "adasd"

                 <-------------  Access-Challenge
                                 Access-Accept


How can I implement this? I mean, I can send an Access-Accept or an
Access-Reject packet with freeradius, but I can't send an Access-Challenge.
If anybody knows, please tell me, thanks a lot.


 liug



Re: Allowing POP3 (email only) access

2003-01-23 Thread Simon White
22-Jan-03 at 16:28, Lisa Casey ([EMAIL PROTECTED]) wrote :
> Hi,
> 
> We acquired an ISP who is using Freeradius. There are several accounts on
> this system which are meant to be email only accounts (i.e. customers dial
> in and are authenticated using their dial-up username/password, then once
> they get connected they can check e-mail on that account or on a e-mail only
> account). An e-mail only account should not, of course, be able to log in
> via radius.

Unless it's an email only account which allows dialin but only for the
purposes of checking mail. We have a setup like that (users can dial in,
but from there the only IP/Port they can hit is ourmailserver:25 and
ourmailserver:110).

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




MySQL timeout problem

2003-01-23 Thread Giuliano Zorzi
Hi,
 I have a big problem with freeradius and mysql. After 8 hours of
inactivity of the freeradius server it loses the connection to the
mysql server and I have to restart both to have the problem solved. Is
there a way to turn off or set a higher value for this?

TIA

Giuliano






RE: using freeradius with celluarip networks

2003-01-23 Thread satnett satellite
 
 "Dear tim,
Does Freeradius Support Voice Over Ip
Regards
Charles