Re: f-cking kissing sisters
On Fri, Feb 07, 2003 at 09:11:51PM +0100, kayla wrote: HELLO GUYS...MY SISTER AND I JUST GOT THROUGH FILMING SOME VERY DIRTY SISTER ACTION [...] The question of making this mailist closed was asked not once. Maybe we should permit posting to list only for subscribe users??? -- WBR, Vitaliy Karlov [KV1670-RIPE] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP not working
Dear Frank Keeney,
Plese get new version from CVS, I've changed importance of
SMB-Account-Control attribute a couple of days ago, but didn't checked
default value is valid, so it fails if this attribute doesn't present.
--Friday, February 7, 2003, 9:58:23 PM, you wrote to [EMAIL PROTECTED]:
FK I can't seem to get MS-CHAP to work. We've spent many hours with various
FK configuration but always seem to have an error. We've tried smbpasswd and
FK other options without success.
FK Is there an example MS-CHAP config that I can use for a model? I've been
FK through all the docs and the mailing list. The NAS is a SMC EliteConnect.
FK We keep seeing this message and others:
FK rlm_mschap: No LM/NT password configured. Check authorization.
FK modcall[authenticate]: module mschap returns invalid
FK Thank you, Configs and dump below:
FK
FK Applicable parts of the config:
FK mschap {
FK authtype = MS-CHAP
FK use_mppe = yes
FK require_encryption = yes
FK }
FK authorize {
FKmschap
FK }
FK authenticate {
FK authtype PAP {
FK pap
FK }
FK authtype CHAP {
FK chap
FK }
FK authtype MS-CHAP {
FK mschap
FK }
FK }
FK preacct {
FK preprocess
FK suffix
FK files
FK }
FK
FK Test user file:
FK test11Auth-Type := Local, User-Password := test
FK test12Auth-Type := MS-CHAP, User-Password := test
FK
FK Radius dump:
FK Ready to process requests.
FK rad_recv: Access-Request packet from host 192.168.16.3:1176, id=130, length=110
FK User-Name = test12
FK MS-CHAP-Challenge = 0x2c1096fe257fe7d558cd07dee6ea1638
FK MS-CHAP2-Response =
0x3d1602735c6db434c3145b04dc81a12325833ba5078dd3cd1fc0f070e6ae98ee629e73bb4d1742a2
FK rad_lowerpair: User-Name now 'test12'
FK rad_rmspace_pair: User-Name now 'test12'
FK modcall: entering group authorize
FK modcall[authorize]: module preprocess returns ok
FK users: Matched DEFAULT at 1
FK modcall[authorize]: module files returns ok
FK modcall[authorize]: module mschap returns notfound
FK modcall: group authorize returns ok
FK rad_check_password: Found Auth-Type MS-CHAP
FK auth: type MS-CHAP
FK modcall: entering group authtype
FK rlm_mschap: No LM/NT password configured. Check authorization.
FK modcall[authenticate]: module mschap returns invalid
FK modcall: group authtype returns invalid
FK auth: Failed to validate the user.
FK Login incorrect: [test12] (from client smc port 0)
FK Delaying request 0 for 1 seconds
FK Finished request 0
FK Going to the next request
FK --- Walking the entire request list ---
FK Waking up in 1 seconds...
FK --- Walking the entire request list ---
FK Waking up in 1 seconds...
FK --- Walking the entire request list ---
FK Sending Access-Reject of id 130 to 192.168.16.3:1176
FK MS-CHAP-Error = \000E=691 R=1
FK Waking up in 4 seconds...
FK --- Walking the entire request list ---
FK Cleaning up request 0 ID 130 with timestamp 3e43ffcc
FK Nothing to do. Sleeping until we see a request.
FK Radius dump number 2:
FK --- Walking the entire request list ---
FK Threads: total/active/spare threads = 5/1/4
FK Waking up in 5 seconds...
FK Thread 1 handling request 0, (1 handled so far)
FK User-Name = test12
FK MS-CHAP-Challenge = 0x6227301276f8a2625c5e1b17f5cf8c4b
FK MS-CHAP2-Response =
0x5e2f83723e193f82d54c210d15bab6744a1ee29726edf3a348188e0d4c5c4a59c6542ff9637ec90d
FK rad_lowerpair: User-Name now 'test12'
FK rad_rmspace_pair: User-Name now 'test12'
FK modcall: entering group authorize
FK modcall[authorize]: module preprocess returns ok
FK rlm_chap: Could not find proper Chap-Password attribute in request
FK modcall[authorize]: module chap returns noop
FK users: Matched test12 at 1075
FK modcall[authorize]: module files returns ok
FK modcall[authorize]: module mschap returns ok
FK modcall: group authorize returns ok
FK rad_check_password: Found Auth-Type MS-CHAP
FK auth: type MS-CHAP
FK modcall: entering group authtype
FK rlm_mschap: doing MS-CHAPv2 with NT-Password
FK rlm_mschap: Authentication failed
FK rlm_mschap: Nothing in the packet I recognise: Rejecting the user
FK modcall[authenticate]: module mschap returns reject
FK modcall: group authtype returns reject
FK auth: Failed to validate the user.
FK Login incorrect: [test12] (from client smc port 0)
FK Delaying request 0 for 1 seconds
FK Finished request 0
FK Going to the next request
FK Thread 1 waiting to be assigned a request
FK --- Walking the entire request list ---
FK Threads: total/active/spare threads = 5/0/5
FK Sending Access-Reject of id 56 to 192.168.16.3:1102
FK MS-CHAP-Error = \000E=691 R=1
FK Waking up in 1 seconds...
FK Error receiving packet: Connection refused
FK rl_next: returning NULL
FK
Re: RADIUS response from incorrect interface
In article [EMAIL PROTECTED], Alan DeKok [EMAIL PROTECTED] wrote: John Gruber [EMAIL PROTECTED] wrote: But bind on * should work too.. and the reply should come from the address for the interface the request was sent to. It just doesn't, and I did not have the time at the time to see why in the code. It only works if you call bind() immediately upon receiving a packet. That's expensive, and causes the server to do a *lot* of work. You mean immediately before sending a reply. But that creates a race condition, since you can then not receive packets from other interfaces anymore. Unless you use a seperate send and receive socket. However then you need to lock around the bind() / sendto() calls, to prevent race conditions between threads. It's not worth it. It's also impossible for another reason: you cannot know on which interface a certain UDP packet was received. recvfrom() only records the clients IP address, not the address of the interface the packet was received on. With Linux, you can use recvmsg() / sendmsg() with IP_PKTINFO in the ancillary data to get / set the local address, but that is not portable (though *BSD appears to have something similar). A better solution is to explicitely list the addresses the server listens on, which is much less expensive, but requires a bit more code. And just open one socket for each address/port to listen on. Yes, that is the easiest solution by far. Mike. -- Anyone who is capable of getting themselves made President should on no account be allowed to do the job -- Douglas Adams. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to implement Class and Vendor-Specific attributes, accounting question
Dave Mason [EMAIL PROTECTED] wrote: Woops - I should have held my fire a bit, I see the answer now. Do you just add your module to the accounting block in radiusd.conf? My next question is can I use an EAP sub-module here? Not really. My next question is: Is there EAP information in the accounting packet? If not, then the accounting should *not* be in the EAP module. With that, maybe I need to use eap in the accounting block, and have an eap_accounting() function to handle my accounting behavior. Or, even though the client was authenticated with EAP, accounting really doesnt involve EAP, so maybe I should define a new RLM module for my new behavior? The EAP related code should go into rlm_eap. I also need to add a new function in preaccounting to grab some data and stick it in the accounting record before it's recorded. What do you think? That's possible. If you want to tie an EAP request/response to an accounting packet, see the 'Class' attribute. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
proxy.conf, realm definition and LDAP
I'm running freeradius-0.8.1 on RedHat 7.3. On another server,
I'm running OpenLDAP 2.0.1 on RedHat 7.3.
I'm having problems getting Radius to proxy LDAP authentications.
For starters, I have three classes of users:
1) local - use local Radius authentication
2) my_radius - use remote Radius authentication (also running freeradius-0.8.1 on
RedHat 7.3)
3) my_partner - authenticate against a remote OpenLDAP server
Therefore, I'm trying to use realms and let the local Radius server proxy the
two other remote authentications. In my radiusd.conf, I've enabled proxying,
added the ldap module and have defined it as:
ldap {
server = 123.123.123.123
port = 389
basedn = ou=People, o=%{Realm}
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
start_tls = no
tls_mode = no
ldap_connections_number = 30
timeout = 5
timelimit = 5
net_timeout = 5
identity = cn=Manager, o=%{Realm}
password = foo
}
I want to use realms such as [EMAIL PROTECTED] to authorize
against the remote LDAP server and my_radius/bob to authorize
against the remote RADIUS server.
Here's an excerpt from my proxy.conf:
realm local {
type = radius
authhost = LOCAL
accthost = LOCAL
}
realm my_radius {
type = radius
authhost = radius.us.com:1812
accthost = radius.us.com:1813
secret = foo
}
realm my_partner {
type = ldap
authhost = LOCAL
accthost = LOCAL
}
I think that the last realm, 'my_partner', is wrong. How would
I define the realm to authorize against a remote LDAP?
Do I have to have the remote LDAP user in my users conf file?
Thanks in advance,
Mark Gaither
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
