Radius authentication using RSA/SecurID ACE-Server
Hello Folks! I'm planning to use a Radius-Server for the Authentication/Accounting of my VPN-Users. Is there a plugin for an ACE-Server, so the Radius-Server asks the ACE to authenticate the user?

-- 
Bye, Frank Sackewitz
Re: Logging Question
29-Jan-03 at 17:42, Brandon Lehmann ([EMAIL PROTECTED]) wrote:

> I'm sorry, I got my log files mixed up. Either way I want the information from the server (radius.log) to log to SQL. I may just have to fire a cronjob to parse it and toss it into the SQL database, but that's the complex way out. The detail.log has the accounting data that is going to the SQL server already.
>
> Why reply off list? - I am subscribed to too many mailing lists and it's hard to tell if someone responds to my posts. However I didn't know if someone else might one day have the same question as I and they could then go through the archive and find it.

Get a mail client not made by Microsoft: you run (X-Mailer: Internet Mail Service (5.5.2653.19)). Then you can sort mailing lists into separate folders with regexps, order by thread, and easily watch your thread to see when replies come in.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP + Linux Accounts
29-Jan-03 at 18:35, Ryan Beisner ([EMAIL PROTECTED]) wrote:

> My problem is: when a Win9x machine dials and auths, it uses CHAP. While I'm tailing the log file, it points out that it isn't gonna work, and to read the FAQ. OK.

Win9x can authenticate via PAP.

-- 
Simon White, MTDS
OR checks in check authorize_check_query
Hi list,

Is it possible to use logical OR in check items returned by authorize_check_query? For example I want to restrict a user by Calling-Station-Id, to be allowed to use one of 2 or more phone numbers. Maybe it should be something like += with many Calling-Station-Id check items?

Thanks in advance,
B.
Re: OR checks in check authorize_check_query
You could add them in a huntgroup, adding them to the file etc/raddb/huntgroups like this:

id	Calling-Station-Id==11
id	Calling-Station-Id==22
id	Calling-Station-Id==123456

where id is the huntgroup name. Add as many as you like. Hope that helps.

Ossama

B.I. wrote:
> Is it possible to use logical OR in check items, returned by authorize_check_query? For example I want to restrict a user by Calling-Station-Id, to be allowed to use one of 2 or more phone numbers.
Re: Radius authentication using RSA/SecurID ACE-Server
Unfortunately, no, there is no plug-in so that freeradius can directly authenticate against an ACE server. I have been in contact with RSA on this issue. RSA's response was basically, 'We've never heard of freeradius, so piss off.' I even offered to write the freeradius plug-in. RSA's reply was that if I wrote a plug-in, I'd be in violation of the RSA licensing agreement if I were to give the code back to the freeradius project for distribution.

So the long and the short of it is this: IF YOU WANT FREERADIUS TO SUPPORT SECURID --EVER--, CONTACT YOUR RSA REP (if you need an address to contact let me know) AND DEMAND THEY SUPPORT IT! (Then _maybe_ they'll let me write a plugin that doesn't violate the licensing agreement. Maybe.)

What you _can_ do in the interim is proxy against the piss poor radius server built into ACE, but that's a sub-sub-sub optimal solution.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around." -- Simon Travaglia

Frank Sackewitz wrote on 01/30/2003 02:23 AM:
> Is there a plugin for an ACE-Server, so the Radius-Server asks the ACE to authenticate the user?
changing source code for Crypt-Password
OK, I've successfully tested the Crypt-Password attribute w/ my MySQL database, encrypting people's passwords with the MySQL function encrypt(pass). Somehow, the freeradius source for Crypt-Password must match MySQL encrypt. The problem I have is that I have a list of md5 passwords I'd like to point freeradius to. Does anybody know where in the freeradius code to start looking for this Crypt-Password attribute? I'd like to specify the md5 algorithm instead of the one it is using. Maybe there is an easier way to do this; I would rather have it as a configurable option, but I can't find it. Thoughts?

Thx, doug
Re: Radius authentication using RSA/SecurID ACE-Server
Frank Sackewitz ([EMAIL PROTECTED]) wrote:
> Is there a plugin for an ACE-Server, so the Radius-Server asks the ACE to authenticate the user?

You can proxy requests from FreeRADIUS to the ACE server. Or, you can use the Exec-Program-Wait feature to run their command-line client, to do the authentication.

Alan DeKok.
Re: OR checks in check authorize_check_query
B.I. ([EMAIL PROTECTED]) wrote:
> Is it possible to use logical OR in check items, returned by authorize_check_query?

For now, regular expressions.

Alan DeKok.
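Added example (not part of the thread, and not FreeRADIUS code): what a regex check item gives you over several `==` items, and the pitfall to watch for when you use one. FreeRADIUS evaluates `=~` as a regex search, not a full match, so an unanchored alternation such as `11|22|123456` also accepts a Calling-Station-Id of `0115551212`; anchor it as `^(...)$`. The small check-item evaluator, the allowed numbers and the request below are constructed for illustration.

```python
"""Added example: OR-ing several allowed Calling-Station-Id values into one
'=~' check item, and why the pattern has to be anchored.  Not FreeRADIUS code;
the evaluator mimics only the two operators needed here."""
import re


def or_pattern(values, anchored=True):
    """Build one regex that accepts any of `values` (escaped, so '.' is literal).
    anchored=False reproduces the mistake of writing the bare alternation."""
    alt = "|".join(re.escape(v) for v in values)
    return f"^({alt})$" if anchored else alt


def check_items_pass(request, checks):
    """True when every (attribute, operator, value) check item holds for `request`;
    check items on one entry are ANDed.  '==' is exact, '=~' is a regex *search*,
    which is how regexec() behaves unless the pattern carries ^ and $."""
    for attr, op, value in checks:
        actual = request.get(attr)
        if actual is None:
            return False
        if op == "==":
            if actual != value:
                return False
        elif op == "=~":
            if re.search(value, actual) is None:
                return False
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return True


# Constructed sample: the three numbers from the huntgroups answer above.
ALLOWED_CLIDS = ["11", "22", "123456"]


def allowed(clid, anchored=True):
    """Would an Access-Request from calling station `clid` pass the OR check item?"""
    request = {"User-Name": "bob", "Calling-Station-Id": clid}   # constructed request
    check = ("Calling-Station-Id", "=~", or_pattern(ALLOWED_CLIDS, anchored))
    return check_items_pass(request, [check])


if __name__ == "__main__":
    for clid in ("22", "123456", "0115551212"):
        print(f"{clid:>10}: anchored={allowed(clid)} unanchored={allowed(clid, anchored=False)}")
```

The anchored pattern is what you would return from authorize_check_query as the value of a `Calling-Station-Id =~ ...` check item. The `==` entries in the huntgroups answer do not have this problem because they are exact comparisons.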
additional reply attributes in EAP/TLS auth.
I use EAP/TLS authentication and want to add the Session-Timeout attribute to the authentication reply message. I changed my users file to:

DEFAULT Auth-Type:=EAP
	Session-Timeout = 14400

That's all that's not commented out in my users file. I checked the whole debugging output, but there's no new attribute. What's wrong?
Re: Threads not being used
Alan,

Did you get a chance to review the info I posted? Any ideas/thoughts would be greatly appreciated.

Matt

On Wed, 2003-01-29 at 10:08, Matt Scifo wrote:
> On Wed, 2003-01-29 at 02:11, Alan DeKok wrote:
> > Matt Scifo ([EMAIL PROTECTED]) wrote:
> > > I didn't even think to look in /proc. I found the same thing. The threads were spawned according to /proc, yet the daemon is not reporting thread info in the debug output. Though that still doesn't explain the horrid numbers I'm seeing.
> >
> > The horrid numbers are due to something else blocking the server (back-end database, disk IO, DNS, etc.)
>
> I assumed that was what the issue had to be. Yet I have tuned and stripped the server down to the bare minimum and am still seeing disappointing numbers. Let me tell you in more detail exactly how my configuration is set up so you can get a better idea about my concerns. As you can see from my configuration below, I am still receiving low numbers even when I have no back-end database, added disk IO due to writing detail records, and hostname lookups are off. Even with no accounting/authentication processing, I can never get more than 60 requests per sec, which is disappointing on my hardware and stripped down configuration.
>
> Hardware: Quad Xeon 550mhz with 2g ram and 8g scsi disk
> Software: Redhat 8.0 running Freeradius 0.8.1
> Network: Full Duplex 100mb network
>
> Configuration: (I removed commented out sections)
>
> ## BEGIN CONFIGURATION ##
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = /etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = ${localstatedir}/log/radius
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = ${exec_prefix}/lib
> pidfile = ${run_dir}/radiusd.pid
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 10
> bind_address = *
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions = yes
> log_stripped_names = no
> log_auth = no
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
> security {
> 	max_attributes = 200
> 	reject_delay = 1
> 	status_server = no
> }
> proxy_requests = no
> $INCLUDE ${confdir}/proxy.conf
> $INCLUDE ${confdir}/clients.conf
> $INCLUDE ${confdir}/snmp.conf
> thread pool {
> 	start_servers = 100
> 	max_servers = 150
> 	min_spare_servers = 30
> 	max_spare_servers = 50
> 	max_requests_per_server = 0
> }
> modules {
> 	detail {
> 		detailfile = ${radacctdir}/detail-%Y%m%d
> 		detailperm = 0600
> 	}
> 	acct_unique {
> 		key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
> 	}
> 	$INCLUDE ${confdir}/sql.conf
> 	expr {
> 	}
> }
> instantiate {
> 	expr
> }
> ## I have run tests with all of these enabled, a combination of them
> ## enabled, and even with none of them enabled.
> accounting {
> 	#acct_unique
> 	#detail
> 	#sql
> }
> post-auth {
> }
> ## END CONFIGURATION ##
>
> Here is debug output from one accounting request packet (with no accounting options enabled, hence the "Nothing to do" line)...
>
> rad_recv: Accounting-Request packet from host 66.81.1.206:46298, id=215, length=113
> Thread 33 assigned request 2362
> --- Walking the entire request list ---
> Thread 33 handling request 2362, (47 handled so far)
> Cleaning up request 2361 ID 214 with timestamp 3e3811f9
> Nothing to do. Sleeping until we see a request.
> 	User-Name = mikem
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 203.63.154.1
> 	NAS-Port = 1234
> 	NAS-Port-Type = Async
> 	Acct-Session-Id = 2206
> 	Acct-Status-Type = Stop
> 	Called-Station-Id = 123456789
> 	Calling-Station-Id = 987654321
> 	Acct-Delay-Time = 0
> 	Acct-Session-Time = 1972
> 	Acct-Input-Octets = 20972
> 	Acct-Output-Octets = 30972
> Sending Accounting-Response of id 215 to 66.81.1.206:46298
> Finished request 2362
> Going to the next request
> Thread 33 waiting to be assigned a request
>
> Results from top during test shows that radiusd never uses more than 20% cpu...
>
> 10:01am up 22:18, 2 users, load average: 0.05, 0.06, 0.00
> 94 processes: 93 sleeping, 1 running, 0 zombie, 0 stopped
> CPU0 states: 0.1% user, 4.0% system, 0.0% nice, 94.0% idle
> CPU1 states: 5.0% user, 1.0% system, 0.0% nice, 92.0% idle
> CPU2 states: 2.0% user, 0.0% system, 0.0% nice, 97.0% idle
> CPU3 states: 3.0% user, 0.0% system, 0.0% nice, 96.0% idle
> Mem: 2064712K av, 175380K used, 1889332K free, 0K shrd, 40860K buff
> Swap: 1052248K av, 0K used, 1052248K free     91536K cached
> PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM
Re: Threads not being used
Matt Scifo ([EMAIL PROTECTED]) wrote:
> Did you get a chance to review the info I posted? Any ideas/thoughts would be greatly appreciated.

Yeah, it didn't look unreasonable to me. The only unusual thing was that there were a lot of threads in the pool. But that shouldn't cause problems...

Try using 4-5 threads in the pool. If the problem still persists, then you'll have to use more complicated tools to track down the problem, e.g. strace or ktrace. See what it's doing, and when. Maybe something in that output would help.

But I've run the server on some pretty slow systems, and still gotten 100's of authentications per second.

Alan DeKok.
Monthly usage limits
Right now I'm between a rock and a hard place. We are wanting to implement limits on user usage per month. Say, give user abc 10 hours a month. Reading up on this I think I need to do two things. First recompile radius w/ experimental modules, then move our users file over from a flat listing of files into a SQL database, and use the Max-Monthly-Session to limit times monthly. Recompiling freeradius is simple, but learning SQL and then moving the user information from a flat file into a database is a little bit harder. Is there any other way to limit users' time per month other than moving over to storing users in a SQL database? If not, does anyone have any guides, FAQs, or suggestions on moving from a file to storing user info in database format?

-- 
Rock River Internet
Roger Grunkemeyer
202 W. State St, 8th Floor
Rockford, IL 61101
Re: Monthly usage limits
Roger ([EMAIL PROTECTED]) wrote:
> Reading up on this I think I need to do two things. First recompile radius w/ experimental modules, then move our users file over from a flat listing of files into a SQL database, and use the Max-Monthly-Session to limit times monthly.

Huh? You don't need experimental modules, and you don't need SQL.

Use the 'counter' module, not 'sqlcounter'.

Alan DeKok.
The new guy trying to get acclimated
I am setting up dial-up accounts and email. I am looking at RADIUS to handle AAA. Is this a recommended setup?

{
Install Redhat Linux on an i386 box as a Mail Server (sendmail)
create user accounts for email only.
install FreeRADIUS Server on the email server.
in the clients.conf file, include the names of users that can use dial-up (Master accounts of users w/Multi Emails)
Setup a RAS (from a linux project or other that supports RADIUS)
point the RADIUS Authentication to the EMail Server running Radius Server (w/secrets etc...)
}

The only thing is I wanted to keep all AAA info in MySQL for easier record keeping. I don't see how you can have an account for mail but not Dialup as well if you use RADIUS (I have the O'Reilly book on RADIUS, but could not find it in there).

Secondly, does anyone know of a way to use MySQL or another product to do email, especially if you have multiple domain names that you want your email to reflect which web site it came from? In RedHat 7.1 I used linuxconf to set up virtual email domains; I haven't noticed any other good solutions but don't know if it is compatible with RADIUS. Sorry to get off RADIUS for a moment here, but I would want it to work w/RADIUS so I figured this group would be the ones in the know more than any other list.

Thanks for any help!
Re: Threads not being used
On Thu, 2003-01-30 at 04:15, Alan DeKok wrote:
> Try using 4-5 threads in the pool. If the problem still persists, then you'll have to use more complicated tools to track down the problem, e.g. strace or ktrace. See what it's doing, and when.

Ok, thanks for the ideas. I'll let you know if I find anything.

Matt
Re: Starting new thread with a reply (like this one)
In article [EMAIL PROTECTED], Peter Nixon ([EMAIL PROTECTED]) wrote:
> Is it possible for people to please start a new thread with a new message, not a reply to an existing thread? This can get very annoying for those of us who use threaded mail clients that thread based on In-Reply-To: headers.
> []
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Well apparently nobody actually reads http://www.freeradius.org/list/users.html ...

Mike.
-- 
Anyone who is capable of getting themselves made President should on no account be allowed to do the job -- Douglas Adams.
Re: The new guy trying to get acclimated
David Wise ([EMAIL PROTECTED]) wrote:
> I am setting up dial up accounts and email. I am looking at RADIUS to handle AAA. Is this a recommended setup?
> {
> Install Redhat Linux on a i386 box as a Mail Server (sendmail)
> create user accounts for email only.
> install FreeRADIUS Server on email server.
> in the clients.conf file, include the names of users that can use dial up (Master accounts of users w/Multi Emails)

No, that goes in another configuration file.

> The only thing is I wanted to keep all AAA info in MySQL for easier record keeping. I don't see how you can have an account for mail but not Dialup as well if you use RADIUS (I have the O'Reilly book on RADIUS, but could not find it in there).

The RADIUS request sent by the mail system SHOULD be different from the RADIUS request sent by the RAS box. You can key on those differences to generate different responses. Read the FAQ. Put the users into two different groups.

> Secondly does anyone know of a way to use MySQL or other product to do email especially if you have multiple domainnames that you want your email to reflect which web site it came from?

MySQL is a database. It doesn't do email.

> In RedHat 7.1 I used linuxconf to set up virtual email domains, I haven't noticed any other good solutions but don't know if it is compatible with RADIUS.

I doubt that any will be. You will have to edit configuration files.

Alan DeKok.
Re: Freeradius-Users digest, Vol 1 #1478 - 12 msgs
All help here is greatly appreciated. I posted yesterday -- THANK YOU to those who responded -- but I'm still stuck in a rut. I have a dialup RAS with Win 95/98/XP clients dialing in etc. When I dial and attempt to authenticate, it says it can't use CHAP and to read the FAQ. OK, I read the FAQ.

THE RESPONSE IS:

modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = ryan, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [ryan/CHAP-Password] (from client prattusa-dialup-rack port 276 cli )

In the users file, what should this value be set to: DEFAULT Auth-Type := ??? Pam or System?

In the radiusd.conf file, how do I force PAP instead of CHAP? I have gone over things 1000 times and can't seem to make it fly. Using radclient, I can authenticate with FreeRADIUS. = )

Here's my wishlist. My question is: can it be done? If so, some examples please?

[--- I DO want to authenticate against local Linux user files (passwd, shadow, etc.), because it's simple to manage.
[--- I don't want to make user entries in the users file, because it's a nightmare to add/remove/manage folks.
[--- I don't want to use LDAP.
[--- I don't want to use MySQL, because this is just a small deal. I don't have 1200 users or anything massive. We're talking about a couple dozen users.

Thanks again, in advance.

-Ryan Beisner
Re: changing source code for Crypt-Password
Doug Yeager ([EMAIL PROTECTED]) wrote:
> The problem I have is that I have a list of md5 passwords I'd like to point freeradius to. Does anybody know where in the freeradius code to start looking for this Crypt-Password attribute? I'd like to specify the md5 algorithm instead of the one it is using.

See the PAP module.

Alan DeKok.
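Added example, not rlm_pap's code and not from the thread: the three hash shapes this exchange runs together. A Crypt-Password value is a crypt(3) string, which is either the 13-character DES form that MySQL's ENCRYPT() produces or the salted, 1000-round MD5-crypt form `$1$salt$hash` that the md5crypt() function below implements (the FreeBSD/glibc algorithm). A bare 32-hex MD5() digest is unsalted and is not a crypt(3) string at all, so "point freeradius at md5 passwords" means a different comparison, not a different crypt flavour. The passwords and salts used are constructed for the example.

```python
"""Added example (not FreeRADIUS code): MD5-crypt as used in '$1$...' crypt(3)
strings, beside a plain MD5 hex digest, with one verifier that tells them apart."""
import hashlib
import hmac
import re

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    """crypt(3)'s base-64 variant: n characters, least significant 6 bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt, magic=b"$1$"):
    """MD5-crypt exactly as in FreeBSD's crypt-md5.c; the salt is capped at 8 octets."""
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for n in range(len(password), 0, -16):          # len(password) bytes of alt, 16 at a time
        ctx.update(alt[:min(16, n)])
    n = len(password)
    while n:                                         # one byte per bit of len(password)
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                            # the deliberately slow stretching loop
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                       for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return magic + salt + b"$" + encoded


def plain_md5(password):
    """What MySQL MD5(pass) stores: an unsalted hex digest, not a crypt(3) string."""
    return hashlib.md5(password).hexdigest()


def verify(password, stored):
    """Dispatch on the stored hash's shape and compare in constant time."""
    pw = password.encode()
    if stored.startswith("$1$"):
        salt = stored[3:].split("$", 1)[0].encode()
        return hmac.compare_digest(md5crypt(pw, salt).decode(), stored)
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return hmac.compare_digest(plain_md5(pw), stored)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        raise ValueError("13-char DES crypt string: needs the system crypt(3), not reimplemented here")
    raise ValueError("unrecognised hash format")


if __name__ == "__main__":
    h = md5crypt(b"password", b"saltsalt").decode()      # constructed sample
    print(h, verify("password", h), verify("Password", h))
    print(plain_md5(b"testing123"), verify("testing123", plain_md5(b"testing123")))
```

`openssl passwd -1 -salt saltsalt password` prints the same string as `md5crypt(b"password", b"saltsalt")`, which is a convenient cross-check. The three forms are not interchangeable behind one Crypt-Password attribute: ENCRYPT() output needs crypt(3), `$1$` output needs MD5-crypt, and MD5() output needs a plain digest comparison, and only the first two are salted.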
PAP versus CHAP issues
Ryan Beisner ([EMAIL PROTECTED]) wrote:
> In the radiusd.conf file, how do I force pap instead of chap?

You don't. That's up to the NAS box.

> [--- I DO want to authenticate against local Linux user files. (passwd shadow etc.) Because it's simple to manage.

PAP is your ONLY option.

> [--- I don't want to make user entries to the users file. Because it's a nightmare to add/remove/manage folks.
> [--- I don't want to use LDAP.
> [--- I don't want to use MySQL. Because this is just a small deal. I don't have 1200 users or anything massive. We're talking about a couple dozen users.

This doesn't matter. Fix your NAS.

Alan DeKok.
realm w/ mysql
Does anyone know how to set up realm auth when using MySQL authentication?
Re: Monthly usage limits
Alan DeKok wrote:
> Huh? You don't need experimental modules, and you don't need SQL.
> Use the 'counter' module, not 'sqlcounter'.

Ok. I've put this in the radiusd.conf file. As far as I can tell this sets up a counter rotating on a monthly basis using the unique key of username:

counter countermonthly {
	filename = ${raddbdir}/db.monthly
	key = User-Name
	count-attribute = Acct-Session-Time
	reset = monthly
	counter-name = RAD-Monthly-Session-Time
	check-name = RAD-Max-Monthly-Session-Time
	allowed-servicetype = Framed-User
	cache-size = 5000
}

I created the db.monthly file, and in the users file I have:

grunky	User-Password == randompassword
	User-Service = Framed-User,
	Framed-Protocol = PPP,
	Framed-Routing = None,
	Ascend-Assign-IP-Pool = 1,
	Ascend-Idle-Limit = 1800,
	Ascend-Maximum-Time = 43200,
	Framed-Compression = Van-Jacobson-TCP-IP,
	Acct-Session-Time = 60,
	Ascend-Maximum-Channels = 1

I tried to add the values

	RAD-Monthly-Session-Time = 60,
	RAD-Max-Monthly-Session-Time = 60,

but upon restart radius said that these were invalid counters. I was thinking that these would limit my connection time to just 60 seconds a month. However this proved unsuccessful.

Also, in radiusd.conf under accounting I thought I'd put 'countermonthly'. Upon restart radiusd died saying it couldn't find the rlm_counter module.

-- 
Rock River Internet
Roger Grunkemeyer
202 W. State St, 8th Floor
Rockford, IL 61101
815-968-3888
Re: Monthly usage limits
Roger ([EMAIL PROTECTED]) wrote:
> I tried to add the values
> 	RAD-Monthly-Session-Time = 60,
> 	RAD-Max-Monthly-Session-Time = 60,
> but upon restart radius said that these were invalid counters.

Try adding those attributes to the dictionary. Pick some number greater than 2000 for their value, and 'integer' for their type.

Alan DeKok.
RE: Monthly usage limits
Pp. 110-111 in the RADIUS book (www.theradiusbook.com)

-----Original Message-----
From: Roger
Sent: Thursday, January 30, 2003 4:28 PM
Subject: Re: Monthly usage limits

> Ok. I've put this in the radiusd.conf file. As far as I can tell this sets up a counter rotating on a monthly basis using the unique key of username [...]
RE: Monthly usage limits
Scratch that! Wrong message! My apologies.

-----Original Message-----
From: Jonathan Hassell
Sent: Thursday, January 30, 2003 4:39 PM
Subject: RE: Monthly usage limits

> Pp. 110-111 in the RADIUS book (www.theradiusbook.com)
RE: realm w/ mysql
Pp. 110-111 in the RADIUS book (www.theradiusbook.com)

-----Original Message-----
From: Duane Barnes
Sent: Thursday, January 30, 2003 4:15 PM
Subject: realm w/ mysql

> Does anyone know how to setup realm auth when using mysql authentication?
RE: realm w/ mysql
Let me be more specific. I'm using MySQL and all authentication is done via rlm_sql. In my realms file I have listed 2 domain names that I wish to allow authentication on. They used to work before I converted my flat file system over to MySQL. I was just wondering if anyone else out there has had this problem.

-----Original Message-----
From: Jonathan Hassell
Sent: Thursday, January 30, 2003 4:42 PM
Subject: RE: realm w/ mysql

> Pp. 110-111 in the RADIUS book (www.theradiusbook.com)
Re: CHAP PAP issues...
You can tell who doesn't know his NAS from his A$$ here, eh? LOL. That's me!

I want to thank Alan and everyone else who contributes here. You're wonderful!!

-Ryan Beisner

PS.
> > In the radiusd.conf file, how do I force pap instead of chap?
>
> You don't. That's up to the NAS box.
> This doesn't matter. Fix your NAS.
>
> Alan DeKok.
MAC Auth. for Orinoco AP-1000 not working (log attached)
Hi,

I'm trying to authenticate a Wireless Access Point of Orinoco/Lucent/Avaya/Agere/Proxim with the FreeRADIUS server. I've made the user as the AP's MAC address in the /etc/raddb/users file and conf file, but when I start the radius server in debug mode I get the following messages, which I have attached below. Please have a look at it and help me in figuring out what I should do?

Thanks a bunch.
-Shahid

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 128.111.20.96:192, id=1, length=59
	NAS-IP-Address = 128.111.20.96
	User-Name = 00022d-677c37
	User-Password = testing123
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module chap returns noop
modcall[authorize]: module mschap returns notfound
rlm_realm: No '@' in User-Name = 00022d-677c37, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 162
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate
modcall[authenticate]: module unix returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 128.111.20.96:192, id=1, length=59
Sending Access-Reject of id 1 to 128.111.20.96:192
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 3e39a2f4
Nothing to do. Sleeping until we see a request.
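Added example, not FreeRADIUS code and not from the thread: the Access-Request in the debug output above rebuilt at the byte level per RFC 2865, to show what the server is doing before it ever gets to the users file. The `User-Password = testing123` the server prints in clear was hidden on the wire with the shared secret and the Request Authenticator (RFC 2865 section 5.2), and the Access-Reject it sends back carries a Response Authenticator the NAS is supposed to check (section 3). The shared secret `testing123` and the fixed Request Authenticator are constructed for the example; the username and NAS address are the ones in the log.

```python
"""Added example (not FreeRADIUS code): RFC 2865 Access-Request / Access-Reject at
the byte level, with User-Password hiding and Response Authenticator checking."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-octet Authenticator follows


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: zero-pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Server side: undo hide_password and strip the zero padding.  A wrong secret
    yields garbage rather than an error: this construction has no integrity check."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs):
    """Attribute = Type (1) + Length (1, counts the 2-octet header) + Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    auth = authenticator or os.urandom(16)   # must be unpredictable in real use
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(pkt):
    """Returns (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = HEADER.unpack(pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """NAS side: accept a reply only if its authenticator binds it to our request and secret."""
    _, req_id, req_auth, _ = parse_packet(request)
    _, ident, length = HEADER.unpack(response[:4])
    if ident != req_id or length < 20 or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"testing123"                                   # constructed shared secret
    req = build_access_request(1, secret, b"00022d-677c37", b"testing123", "128.111.20.96")
    code, ident, auth, attrs = parse_packet(req)
    print(f"request: code={code} id={ident} length={len(req)}")
    print("server sees User-Password =", reveal_password(dict(attrs)[USER_PASSWORD], secret, auth))
    reject = build_response(ACCESS_REJECT, req, secret)
    print("Access-Reject authenticator ok:", verify_response(reject, req, secret))
```

The `length=59` in the debug line is exactly the 20-octet header plus the three attributes (13+2, 16+2 and 4+2 octets), and the cleartext password the server logs is what reveal_password() recovers. Anyone holding the shared secret and a capture of the exchange can recover it the same way, which is why a default secret like `testing123` and an unprotected NAS-to-server path are both problems.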
Re: MAC Auth. for Orinoco AP-1000 not working (log attached)
Well, it is sending the MAC address as username; you should perhaps set the usernames in the users file as MAC addresses. What do you have in the users file now?

Evren

On Thu, 30 Jan 2003, Shahid M. Bhatti wrote:
> I'm trying to authenticate a Wireless Access Point of Orinoco/Lucent/Avaya/Agere/Proxim with the FreeRADIUS server. I've made the user as the AP's MAC address in the /etc/raddb/users file and conf file, but when I start the radius server in debug mode I get the following messages, which I have attached below.
Re: Monthly usage limits -slowly but surely
Alan DeKok wrote:
> Try adding those attributes to the dictionary. Pick some number greater than 2000 for their value, and 'integer' for their type.

Ok, now I have the following as an entry in the users file:

grunky  User-Password == blahblah, RAD-Monthly-Session-Time := 60
        User-Service = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = None,
        Ascend-Assign-IP-Pool = 1,
        Ascend-Idle-Limit = 1800,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Ascend-Maximum-Time = 43200,
        Ascend-Maximum-Channels = 1

and the below in the dictionary.compat file (the value was set intentionally low for testing purposes):

#put in to limit monthly users usage
ATTRIBUTE RAD-Monthly-Session-Time 90 integer

and the following in the radiusd.conf file:

counter countermonthly {
        filename = ${raddbdir}/db.monthly
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = monthly
        counter-name = RAD-Monthly-Session-Time
        check-name = RAD-Max-Monthly-Session-Time
        allowed-servicetype = Framed-User
        cache-size = 5000
}

While radius does start and the user grunky is authenticated, the user grunky should be kicked off in rather short order. This does not happen, and the db.monthly file is not being written to. After I created it w/ the proper permissions it's still a zero byte file.

-- 
Rock River Internet
Roger Grunkemeyer
202 W. State St, 8th Floor
Rockford, IL 61101
[EMAIL PROTECTED]
815-968-3888
Re: MAC Auth. for Orinoco AP-1000 not working (log attached)
That's true, and that's why I have included the MAC address of the Access Point and the Wireless PC Card both in the users file like this:

#Access Point 3152C
00022d-191cb3   Auth-Type = Local, User-Password == testing123
                Service-Type = Framed-User,

#PC Card Orinoco Gold (Test Laptop)
00022d-677c37   Auth-Type = Local, User-Password == testing123
                Service-Type = Framed-User,

On Fri, 31 Jan 2003, Evren Yurtesen wrote:

> Well, it is sending the MAC address as the username; you should perhaps set the usernames in the users file as MAC addresses. What do you have in the users file now?
>
> Evren
>
> On Thu, 30 Jan 2003, Shahid M. Bhatti wrote:
>
> > Hi, I'm trying to authenticate a Wireless Access Point from Orinoco/Lucent/Avaya/Agere/Proxim with the Free Radius server. I've made the user the AP's MAC address in the /etc/raddb/users file and the conf file, but when I start the radius server in debug mode I get the messages I have attached below. Please have a look at it and help me figure out what I should do? Thanks a bunch.
> >
> > -Shahid
> >
> > Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 128.111.20.96:192, id=1, length=59
> >         NAS-IP-Address = 128.111.20.96
> >         User-Name = 00022d-677c37
> >         User-Password = testing123
> > modcall: entering group authorize
> >   modcall[authorize]: module preprocess returns ok
> > rlm_chap: Could not find proper Chap-Password attribute in request
> >   modcall[authorize]: module chap returns noop
> >   modcall[authorize]: module mschap returns notfound
> > rlm_realm: No '@' in User-Name = 00022d-677c37, looking up realm NULL
> > rlm_realm: No such realm NULL
> >   modcall[authorize]: module suffix returns noop
> >     users: Matched DEFAULT at 162
> >   modcall[authorize]: module files returns ok
> > modcall: group authorize returns ok
> > rad_check_password: Found Auth-Type System
> > auth: type System
> > modcall: entering group authenticate
> >   modcall[authenticate]: module unix returns notfound
> > modcall: group authenticate returns notfound
> > auth: Failed to validate the user.
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > rad_recv: Access-Request packet from host 128.111.20.96:192, id=1, length=59
> > Sending Access-Reject of id 1 to 128.111.20.96:192
> > --- Walking the entire request list ---
> > Waking up in 5 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 1 with timestamp 3e39a2f4
> > Nothing to do. Sleeping until we see a request.
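The debug line "users: Matched DEFAULT at 162" means the files module stopped at a DEFAULT entry rather than at the MAC entry. As an added illustration (Python written for this page, not FreeRADIUS code, and not Shahid's actual users file), the sketch below emulates the files module's first-match walk over a constructed users file: entries are tried in file order, the first whose name and "==" check items fit the request wins, and a later entry is only reached when the earlier one sets Fall-Through. The DEFAULT entries and the request dictionary are constructed; the two MAC entries are the ones from the post.

```python
"""Added example (not FreeRADIUS code): emulate the files module's first-match walk
over a users file to see which entry a given request ends up at."""
import re

# One check/reply item: Attribute <op> Value, comma separated; values may be quoted.
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')

def parse_items(text):
    return {attr: (op, val.strip('"')) for attr, op, val in ITEM_RE.findall(text)}

def parse_users(text):
    """Return (lineno, name, check_items, reply_items) per entry, in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()        # strip comments (values here contain no '#')
        if not line.strip():
            continue
        if line[0] in ' \t':                         # indented continuation: reply items
            if entries:
                entries[-1][3].update(parse_items(line))
            continue
        parts = line.split(None, 1)                  # first column is the user name or DEFAULT
        entries.append((lineno, parts[0], parse_items(parts[1] if len(parts) > 1 else ''), {}))
    return entries

def matching_entries(users_text, request):
    """Entries are tried in order; the first whose name and '==' check items fit the
    request wins, and later entries are reached only if it sets Fall-Through = Yes.
    Simplification: '=' and ':=' check items (e.g. Auth-Type) never cause a mismatch."""
    hits = []
    for lineno, name, checks, replies in parse_users(users_text):
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        if any(op == '==' and request.get(attr) != val for attr, (op, val) in checks.items()):
            continue
        hits.append((lineno, name))
        fall_through = replies.get('Fall-Through') or checks.get('Fall-Through')
        if not fall_through or fall_through[1].lower() not in ('yes', '1'):
            break
    return hits

# Constructed fragments: the two MAC entries from the post plus a DEFAULT entry placed
# ahead of or behind them (the stock DEFAULT at line 162 is not reproduced here).
MAC_ENTRIES = """\
#Access Point 3152C
00022d-191cb3\tAuth-Type = Local, User-Password == testing123
\tService-Type = Framed-User

#PC Card Orinoco Gold (Test Laptop)
00022d-677c37\tAuth-Type = Local, User-Password == testing123
\tService-Type = Framed-User
"""
DEFAULT_STOPS = "DEFAULT\tAuth-Type := System\n\tFall-Through = No\n\n"
DEFAULT_FALLS = "DEFAULT\tAuth-Type := System\n\tFall-Through = Yes\n\n"

REQUEST = {'NAS-IP-Address': '128.111.20.96', 'User-Name': '00022d-677c37',
           'User-Password': 'testing123'}             # the Access-Request from the debug log

def default_first():                # DEFAULT matches at line 1; the MAC entry is never reached
    return matching_entries(DEFAULT_STOPS + MAC_ENTRIES, REQUEST)
def default_first_fall_through():   # DEFAULT falls through, so the MAC entry at line 9 matches too
    return matching_entries(DEFAULT_FALLS + MAC_ENTRIES, REQUEST)
def mac_entries_first():            # the MAC entry at line 6 matches and ends the walk
    return matching_entries(MAC_ENTRIES + DEFAULT_STOPS, REQUEST)
```

Running the real server with -X and reading which entry "users: Matched ... at N" reports is the authoritative check; the sketch only shows why entry order and Fall-Through decide it.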
handling sub-realms with free-Radius
Hello folks,

If anyone can help with the concept of handling sub-realms in free radius: I have freeradius 0.8.1 installed on redhat 7.3. My server is doing auth locally for a few realms and is also acting as proxy for a bunch of realms. The configuration is pretty much as default in radius.conf and proxy.conf. All these realms are handled with the @domain.com suffix. I want to know, can we support sub-realms in the free radius server as well?

For instance, the standard case is that we proxy realm @test.com to a remote server, which is happening perfectly fine. Now we have a realm @abc.com. I need to configure realm @abc.com in such a way that my FR server receives any request coming from @xxx.abc.com or @xxx.xxx.abc.com and forwards it to a remote server. One way is to write all the @xxx.abc.com or @xxx.xxx.abc.com realms in proxy.conf, which is obviously not an efficient way to do it. I was wondering if there is a way to set something in radiusd.conf in the realm module, or in proxy.conf, to handle such requests.

Thanks in advance.
Shohab
Re: handling sub-realms with free-Radius
The mailing list archives are your friend. They will show you the answer you seek.

On Thursday 30 January 2003 18:59, Shohab Baig wrote:
> Hello folks,
>
> If anyone can help with the concept of handling sub-realms in free radius: I have freeradius 0.8.1 installed on redhat 7.3. My server is doing auth locally for a few realms and is also acting as proxy for a bunch of realms. The configuration is pretty much as default in radius.conf and proxy.conf. All these realms are handled with the @domain.com suffix. I want to know, can we support sub-realms in the free radius server as well?
>
> For instance, the standard case is that we proxy realm @test.com to a remote server, which is happening perfectly fine. Now we have a realm @abc.com. I need to configure realm @abc.com in such a way that my FR server receives any request coming from @xxx.abc.com or @xxx.xxx.abc.com and forwards it to a remote server. One way is to write all the @xxx.abc.com or @xxx.xxx.abc.com realms in proxy.conf, which is obviously not an efficient way to do it. I was wondering if there is a way to set something in radiusd.conf in the realm module, or in proxy.conf, to handle such requests.
>
> Thanks in advance.
> Shohab
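What Shohab is asking for is a suffix lookup: route on the most specific configured realm name. As an added Python illustration (not FreeRADIUS's realm module, whose behaviour the thread does not settle), the sketch below walks a realm up through its parent domains, so @xxx.abc.com and @xxx.xxx.abc.com reach the abc.com entry while an explicit sub-realm entry still takes precedence; a realm with no configured parent is reported as unknown rather than being sent anywhere. The realm table and home server names are constructed placeholders.

```python
"""Added example (not FreeRADIUS code): route a User-Name to the most specific
configured realm, walking from the full realm up through its parent domains."""

# Constructed table in the spirit of proxy.conf: realm name -> home server.
# 'LOCAL' means authenticate here; 'NULL' is the realm used when there is no '@'.
REALMS = {
    'test.com': 'radius.test.example:1812',            # placeholder home server
    'abc.com': 'radius.abc.example:1812',              # placeholder: covers every *.abc.com
    'special.abc.com': 'radius.special.example:1812',  # explicit sub-realm overrides abc.com
    'NULL': 'LOCAL',
}

def split_realm(user_name):
    """Split at the LAST '@' (so 'a@b@abc.com' has realm abc.com); realms compare case-insensitively."""
    if '@' not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition('@')
    return user, realm.lower()

def most_specific_realm(realm, table=REALMS):
    """Try the realm itself, then each parent: xxx.yyy.abc.com -> yyy.abc.com -> abc.com -> com.
    Only names present in the table match, so a bare TLD matches only if it was configured."""
    labels = realm.split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in table:
            return candidate
    return None

def route(user_name, table=REALMS):
    """Return (user, matched realm, home server). Unknown realms yield (user, None, None)
    so the caller can reject them instead of proxying to a default."""
    user, realm = split_realm(user_name)
    if realm is None:
        return user, 'NULL', table.get('NULL')
    matched = most_specific_realm(realm, table)
    if matched is None:
        return user, None, None
    return user, matched, table[matched]
```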
Re: Monthly usage limits -slowly but surely
Roger [EMAIL PROTECTED] wrote:
> Alan DeKok wrote:
> > Try adding those attributes to the dictionary. Pick some number greater than 2000 for their value, and 'integer' for their type.
> ...
> and the below in the dictionary.compat file (the value was set intentionally low for testing purposes):

  Um... why?  Who knows more about the server, me, or you?

> #put in to limit monthly users usage
> ATTRIBUTE RAD-Monthly-Session-Time 90 integer

  If you're not going to follow my advice, I don't see why you're asking me questions.

  Alan DeKok.

> and the following in the radiusd.conf file:
>
> counter countermonthly {
...
> While radius does start and the user grunky is authenticated, the user grunky should be kicked off in rather short order. This does not happen, and the db.monthly file is not being written to. After I created it w/ the proper permissions it's still a zero byte file.

  Did you run the server in debugging mode, as suggested in the FAQ and the README? Did you verify that the 'countermonthly' was active during the authentication of the request? (i.e. READING the output of debugging mode?)

  From your descriptions, I have a pretty good idea of what's going wrong. But I don't see the point in telling you.

  Alan DeKok.
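As an added illustration of what the countermonthly block asks the server to do (Python written for this page, not the rlm_counter module itself): accounting Stop records add Acct-Session-Time to a per-User-Name total that is reset monthly; at authorization the module takes the limit from the check-name attribute on the user's entry, fills the counter-name attribute with the running total, rejects once the total has reached the limit and otherwise caps the new session with Session-Timeout. A users entry that sets only the counter-name attribute gives the module no limit to enforce, which the second scenario shows. Usernames, durations and dates are constructed.

```python
"""Added example, not FreeRADIUS's rlm_counter: a minimal monthly session-time gate
shaped like the countermonthly block (key, count-attribute, reset, counter-name, check-name)."""
from datetime import datetime


class MonthlyCounter:
    key = 'User-Name'
    count_attribute = 'Acct-Session-Time'
    counter_name = 'RAD-Monthly-Session-Time'      # running total, filled in by the module
    check_name = 'RAD-Max-Monthly-Session-Time'    # the limit, must come from the users entry

    def __init__(self):
        self.db = {}            # stands in for db.monthly: user -> seconds used this month
        self.month = None       # (year, month) the stored totals belong to

    def _reset_if_new_month(self, now):
        if self.month != (now.year, now.month):    # reset = monthly
            self.db.clear()
            self.month = (now.year, now.month)

    def accounting(self, packet, now):
        """Only Accounting Stop records carry the final Acct-Session-Time; add it up."""
        self._reset_if_new_month(now)
        user = packet.get(self.key)
        if packet.get('Acct-Status-Type') != 'Stop' or user is None:
            return
        self.db[user] = self.db.get(user, 0) + int(packet.get(self.count_attribute, 0))

    def authorize(self, request, check_items, now):
        """Return ('noop' | 'ok' | 'reject', reply_items) for an Access-Request."""
        self._reset_if_new_month(now)
        if self.check_name not in check_items:
            return 'noop', {}   # no limit attribute on this user: nothing to enforce
        limit = int(check_items[self.check_name])
        used = self.db.get(request.get(self.key), 0)
        request[self.counter_name] = used          # expose the total to later modules
        if used >= limit:
            return 'reject', {}
        return 'ok', {'Session-Timeout': limit - used}   # let the session run only for what is left


def stop_record(user, seconds):
    return {'User-Name': user, 'Acct-Status-Type': 'Stop', 'Acct-Session-Time': seconds}


def grunky_scenario():
    """Constructed run: 60 s limit via the check-name attribute, then sessions of 45 s and 15 s."""
    c = MonthlyCounter()
    jan, feb = datetime(2003, 1, 30), datetime(2003, 2, 1)
    check = {'User-Password': 'blahblah', 'RAD-Max-Monthly-Session-Time': 60}
    results = [c.authorize({'User-Name': 'grunky'}, check, jan)]      # ('ok', {'Session-Timeout': 60})
    c.accounting(stop_record('grunky', 45), jan)
    results.append(c.authorize({'User-Name': 'grunky'}, check, jan))  # ('ok', {'Session-Timeout': 15})
    c.accounting(stop_record('grunky', 15), jan)
    results.append(c.authorize({'User-Name': 'grunky'}, check, jan))  # ('reject', {})
    results.append(c.authorize({'User-Name': 'grunky'}, check, feb))  # new month: ('ok', {'Session-Timeout': 60})
    return results


def counter_name_only():
    """Constructed: the entry sets only RAD-Monthly-Session-Time := 60 (the counter-name),
    so the module finds no check-name attribute and limits nothing, however much was used."""
    c = MonthlyCounter()
    c.accounting(stop_record('grunky', 3600), datetime(2003, 1, 30))
    return c.authorize({'User-Name': 'grunky'}, {'RAD-Monthly-Session-Time': 60}, datetime(2003, 1, 30))
```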
RE: init.d script on debian
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ray
> Sent: Thursday, 30 January 2003 3:00 AM
> To: [EMAIL PROTECTED]
> Subject: init.d script on debian
>
> i grabbed the initscript from the debian folder, figured it wouldn't be too far off since i am using a debian 3.0r1 system. i didn't make a deb file with it though, kept failing due to some of the database support wasn't available, and i was having problems finding where to disable the support since i wasn't going to be using it anyways.

The dpkg-buildpackage script should have stopped and told you that it couldn't go on without certain files... Can you give more detail on what about the build was failing?

The fastest (to my mind) way of disabling certain modules would be to remove them from src/modules/stable and (if necessary) remove them from line 43 of debian/rules. (for modname in krb5 ldap mysql postgresql; do \) I've not tried this though, but I _think_ it would be sufficient. And it involves turning off sql or eap as a group, rather than database by database or protocol by protocol.

I think you'd also want certain patches to the build process which I can email to you off-list if you like. Trivial stuff, like removing redundant directories, and fixing the permission-dropping entries in the config file.

> but anyways, '/etc/init.d/radiusd stop' doesn't stop the radius. anyone working on debian or know what should be fixed to get it to stop correctly?
>
> freeRadius 0.8.1
> file in question: freeradius-0.8.1/debian/initscript

Check that these values are correct, and point to where you've got freeradius installed. I suspect the pidfile argument you're using is wrong, which means that start-stop-daemon can't find the pid of the radius daemon to kill... The directory listed here (/var/run/radiusd-freeradius) probably doesn't exist or doesn't have the right permissions... If you're using the user-switch code, the directory must be writeable by the user you're switching _to_.

        prog=radiusd
        program=/usr/sbin/radiusd
        pidfile=/var/run/radiusd-freeradius/radiusd.pid
        descr=FreeRADIUS daemon

-- 
Paul "TBBle" Hampson
Network Architect, Videohost Pty Ltd
[EMAIL PROTECTED]

The philosophy exam was a piece of cake---which was a bit of a surprise, actually, because I was expecting some questions on a sheet of paper.
- Random signature generator 3.0 by Paul "TBBle" Hampson
RE: HELP: EAP/TLS - XP
David, Artur,

This problem appears to be caused by having both the Server Authentication and Client Authentication properties set in the certificate. If you disable all extended certificate properties except Client Authentication in the client certificate on the XP machine, the EAP authentication should work. It worked for me via both Symbol and Orinoco APs with certificates that I generated with the OpenCA certificate authority.

Cheers,
Philip Blow
Senior Technical Manager
Simply Wireless
[EMAIL PROTECTED]

> hi David
>
> ok, it's good news then... if you followed exactly the steps, it should work fine. To find the error, just put the same certificate which is available at the server side on your XP machine and open it using the crypto extensions (double-click). XP should tell you what is missing. The most probable error would be imho an expiration date. The second possible would be the forgotten extension (as already said, both errors should not be there if you followed exactly the script, but still, check it). Check the availability of the private key, check the certification path; XP should know the signing CA (meaning that the cert is signed by the CA whose certificate is installed under certification authorities).
>
> regards,
> artur
>
> David Baer wrote:
> > The problem has been partially solved (or let's say: narrowed). Somehow the server's certificate is not accepted by the XP supplicant. If the "Validate server certificate" check box is unchecked, the authentication succeeds. To leave the server's certificate unvalidated is not very desirable though. I used the script by Ken Roser (http://www.freeradius.org/doc/EAPTLS.pdf) to generate the certificates. Any idea what I could have done wrong with the server's certificate?
> >
> > david
Cisco AvPairs and MySQL (and VRF)
Greetings,

Thanks to those who responded to my questions about DSL billing; I'll get back to you on that. However, I have another issue.

We're trying to configure PPP sessions to authenticate within VRFs. We want to do something like this (this is the non-MySQL version):

DEFAULT Suffix = @test1.vpdn, Strip-User-Name = No
        Hint = PPP,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = lcp:interface-config=ip vrf forwarding vrf1\\n ip unnumbered loopback1\\n peer default ip address pool vpn1

I don't know what the \ns are supposed to do; perhaps these get interpreted by freeradius or the cisco as a new line or the enter key, like in C -- not sure at all.

So we've got this in the mysql:

+-----+------------------+-------------------+-----------------------------------------------------------------------------+----+
| id  | UserName         | Attribute         | Value                                                                       | op |
+-----+------------------+-------------------+-----------------------------------------------------------------------------+----+
|   4 | shdslTST@SMARTER | Framed-IP-Address | xxx.x.xxx.x                                                                 | == |
|   5 | shdslTST@SMARTER | Framed-IP-Netmask | 255.255.255.255                                                             | == |
|   6 | shdslTST@SMARTER | Framed-Route      | xxx..xxx.xx/29 xxx.x.xxx.x 1                                                | == |
| 209 | shdslTST@SMARTER | Cisco-AVPair      | lcp:interface-config=ip vrf forwarding hocking\n ip unnumbered Loopback 3\n | == |
+-----+------------------+-------------------+-----------------------------------------------------------------------------+----+

When the authentication happens we don't see any mention in the cisco debug of ppp. Should the lcp bit be there? I would have thought lcp was over before any interface commands.

thanks,
Dave Seddon
Compiling error - No rule to make target
We've decided to dump ICRadius and use FreeRadius, assuming it works. Unfortunately, we're having a heck of a time compiling it. Could somebody please point me in the right direction?

Using v.0.8.1 on FreeBSD 4.3-RELEASE, vanilla ./configure. The only output from ./configure that seems odd is this:

        checking gethostbyaddr_r() syntax... none!

It must not exist, here. Following error messages upon make -n:

snip
gcc -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG -I../include -I/usr/local/include -c mainconfig.c
make[4]: *** No rule to make target `../lib/libradius.a', needed by `radiusd'. Stop.
make[4]: Leaving directory `/usr/local/src/freeradius-0.8.1/src/main'
make[3]: *** [common] Error 1
make[3]: Leaving directory `/usr/local/src/freeradius-0.8.1/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/usr/local/src/freeradius-0.8.1/src'
make[1]: *** [common] Error 1
make[1]: Leaving directory `/usr/local/src/freeradius-0.8.1'
make: *** [all] Error 2
/snip

libradius-related files exist here:

# find / -name libradius* -print
/usr/lib/libradius.a
/usr/lib/libradius.so.1
/usr/lib/libradius.so
/usr/local/src/freeradius-0.8.1/src/include/libradius.h

Appropriate snippet from src/main/Makefile (note $(MODULE_OBJS)):

snip
SERVER_OBJS = radiusd.o files.o util.o acct.o nas.o log.o valuepair.o\
        version.o proxy.o exec.o auth.o timestr.o conffile.o \
        modules.o modcall.o session.o xlat.o threads.o smux.o \
        radius_snmp.o client.o request_list.o mainconfig.o
INCLUDES= ../include/radiusd.h ../include/radius.h ../include/libradius.h ../include/conf.h ../include/autoconf.h
CFLAGS += -I../include $(SNMP_INCLUDE)
LDFLAGS += -L../lib
LIBS+= -lradius $(SNMP_LIBS)
MODULE_LIBS = $(STATIC_MODULES)
MODULE_OBJS =
VFLAGS = -DRADIUSD_MAJOR_VERSION=$(RADIUSD_MAJOR_VERSION)
VFLAGS += -DRADIUSD_MINOR_VERSION=$(RADIUSD_MINOR_VERSION)
BINARIES= radiusd radwho radzap raduse radclient radrelay

#
# Not using shared libraries, add in ALL known static modules
# at build time.
#
ifneq ($(USE_SHARED_LIBS),yes)
MODULE_LIBS += $(shell for x in $(MODULES);do test -f ../modules/$$x/$$x.la && echo -dlpreopen ../modules/$$x/$$x.la;done)
MODULE_OBJS += $(shell for x in $(MODULES);do test -f ../modules/$$x/$$x.la && echo ../modules/$$x/$$x.la;done)
endif

all: $(BINARIES)

radiusd: $(SERVER_OBJS) ../lib/libradius.a $(MODULE_OBJS)
        $(LIBTOOL) --mode=link $(CC) -export-dynamic -dlopen self \
                $(CFLAGS) $(LDFLAGS) -o $@ \
                $(SERVER_OBJS) $(LCRYPT) $(LIBS) \
                $(PTHREADLIB) $(LIBLTDL) $(MODULE_LIBS)
/snip

I've searched all through the list archives, read all the config comments, gone blind reading everything, but can't find anything relating to this other than 'install the right lib', and we have all the libs in the world, probably. It looks like it should compile, but it's not.

And, if there's a guru who wouldn't mind making a few bucks to assist/direct/do this for us, please reply offlist.

thanks,
Jim