RE: Compiling FreeRadius for oracle support?

2003-02-10 Thread Tim McCracken

Just link with the oracle library.  The oracle module (last time I
checked) was either written in OCI calls directly, or was written
in Pro*c and had already been pre-compiled.

Just make sure you have included rlm_oracle in the build and
have the oralib in one of the lib directories.

Tim

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Ryan
> Castellucci
> Sent: Monday, February 10, 2003 6:59 PM
> To: [EMAIL PROTECTED]
> Subject: Compiling FreeRadius for oracle support?
> 
> 
> Hi, I need to compile FreeRadius 0.8.1 on Redhat 7.3 with oracle 
> support. I've installed the oracle 9i linux developers software, where 
> do I go from here?
> 
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 




Compiling FreeRadius for oracle support?

2003-02-10 Thread Ryan Castellucci
Hi, I need to compile FreeRadius 0.8.1 on Redhat 7.3 with oracle 
support. I've installed the oracle 9i linux developers software, where 
do I go from here?




freeradius + unixodbc + freetds

2003-02-10 Thread Ross Reed

Hello all:

I have the following setup:

BSDi 4.3
freeradius 0.8.1
freetds 0.61
unixodbc 2.2.4

I am able to connect to my MSSQL2000 server with the isql utility with no
problems.
All modules compile and link under freeradius. But rlm_sql_unixodbc will not
connect to the DB.

I get the following from radiusd -X

rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Ignoring unconnected handle
rlm_sql (sql): Ignoring unconnected handle
rlm_sql (sql): Ignoring unconnected handle
rlm_sql (sql): Ignoring unconnected handle
rlm_sql (sql): Ignoring unconnected handle
rlm_sql (sql): There are no DB handles to use!

and when starting radius I get:

rlm_sql (sql): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded and linked
rlm_sql (sql): Attempting to connect to sa@RADIUS:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #0
rlm_sql_unixodbc: Connection failed
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4

I am completely out of ideas. I get no connectivity via freeradius but all
the other levels work (unixodbc->freetds)
Any ideas

Ross Reed


Reloading configuration files -> radiusd hangs

2003-02-10 Thread Mike Denka

I’m using freeradius 0.8.  This morning I changed my authentication mechanism
from using the passwd, shadow and raddb/user files to using ldap.  Everything
works fine except that both of my radius servers have locked up trying to
reload the configuration files.  The cpu goes to 100% and the radiusd process
stays in memory but no one can authenticate.  The last message in the
radius.log file is “Info: Reloading configuration files.”  Radius remains in
this state until I kill -9 the process (just killing it won’t get rid of the
process) and restart radiusd.  This has happened once to one server and
twice to another in about the last 5 hours.

Any ideas what might be causing this problem?  All I have done is taken unix
authentication out of the radiusd.config file and replaced it with ldap
authentication.  I left unix accounting in for the radwtmp info and disabled
caching in the unix module. I wonder why radius is trying to reload its
configuration file in the first place.  And, secondly, what would cause it to
hang in the process of trying to reload the config file?

Thanks,

Mike


Re: Security issue; non case sensitivity in MySql

2003-02-10 Thread Robert Canary
Well I changed the sql query to be case sensitive.  That has stopped the
problem, however, I can't find anything in the portslave config to cause
it to drop the "R".

I am moving this thread to the portslave list.

Thanks for everyone's input.

Alan DeKok wrote:
> 
> Robert Canary <[EMAIL PROTECTED]> wrote:
> > Now here is the odd thing I noticed.  PPPD logs the user as
> > "Rcanary" as being logged on, However, utmps and privileges the user as
> > "canary".
> 
>   Then either PPPd or the RADIUS server is stripping off the leading
> 'R'.
> 
>   The server doesn't do it unless you edited the configs, so I would
> guess PPPd.
> 
>   Alan DeKok.
> 



Re: ScanMail Message: To Recipient Match eManager setting and takeaction.

2003-02-10 Thread Gustavo Lozano
Well Alan

In fact it is not a Spam filter in our site...

We do use RAV :) not Trend ...

Seems like somebody is bouncing to the list and masking the sender as
@domain.com where domain.com is the domain of the recipients in the
list...

Rgds


On Mon, 2003-02-10 at 10:08, Alan DeKok wrote:
> Gustavo Lozano <[EMAIL PROTECTED]> wrote:
> > Uh?
> > 
> > [EMAIL PROTECTED]?
> > 
> > Why the heck is an email coming from our Domain?
> 
>   You have a broken spam filter installed.  It sees the spam from the
> list, and then bounces an error message back to the list.
> 
>   It should NOT send any notification about the spam.  It should just
> throw the spam away.
> 
>   Alan DeKok.
> 
-- 
_ __
Gustavo A. Lozano Noldata Corporation
[EMAIL PROTECTED]   Calle 46 No. 40-19
CTO   Bogota D.C. Colombia
Noldata Corporation   http://noldata.com

I know not with what weapons World War III will be fought,
   but World War IV will be fought with sticks and stones.
   Albert Einstein




Re: Security issue; non case sensitivity in MySql

2003-02-10 Thread Jason Haar
On Mon, Feb 10, 2003 at 10:19:22AM -0600, Robert Canary wrote:
> When mysql is queried for that password against that username (regardless
> of case) it returns a match because MySql isn't case sensitive.  That's
> something which should be boldly noted in the docs.

Not necessarily. "MySql isn't case sensitive" because that's how you've
configured it by choosing particular field types that are
case-insensitive...

Search the mysql manual for "case insensitive by default"

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Portslave-users] Security issue; non case sensitivity in MySql

2003-02-10 Thread Russell Coker
On Sun, 9 Feb 2003 19:55, Robert Canary wrote:
> Let's say I have a username of "rcanary".  The account is created on the
> radius (MySql DB) as UserName=rcanary
>
> Now let's say I try to dialin (using portslave here in this case).  I
> mistype the username as *R*canary instead of *r*canary.
> The RAS is case sensitive.  However, radius is allowing the Rcanary and
> rcanary.  This results with the user being logged in as "canary" because
> portslave will drop the "R".

I can't reproduce this.  Portslave only drops the first character if it is one 
of 'P', 'C', 'S', 'L', or '!'.

> If I have two usernames which differ only by the first letter (rcanary
> and canary) if rcanary user logs in with a capital letter then they will
> be granted access to the other users files.

If the two users have the same password then this sort of thing can happen.  
How can it happen otherwise?

Anyway is anyone using this feature?  Maybe it would be generally less 
confusing if I just removed the feature of using prefixes and suffixes for 
indicating service type and just let this be handled by the RADIUS server.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





Re: cisco_vsa_hack (rlm_preprocess)

2003-02-10 Thread Alan DeKok
Thomas Jalsovsky <[EMAIL PROTECTED]> wrote:
>   I sent many times the SAME feature to the list, but project
> leaders (or leader, I can't remember) said, we should make a general
> architecture for this type of hacks and not do with rlm_preprocess.

  That's true, but it looks like the general architecture is a long
way away.

>   So it is not in the CVS (but It should from a long time...).

  I've added it to my list of "patches to add".

  Alan DeKok.




Re: Security issue; non case sensitivity in MySql

2003-02-10 Thread Alan DeKok
Robert Canary <[EMAIL PROTECTED]> wrote:
> Now here is the odd thing I noticed.  PPPD logs the user as
> "Rcanary" as being logged on, However, utmps and privileges the user as
> "canary".

  Then either PPPd or the RADIUS server is stripping off the leading
'R'.

  The server doesn't do it unless you edited the configs, so I would
guess PPPd.

  Alan DeKok.




Re: ScanMail Message: To Recipient Match eManager setting and take action.

2003-02-10 Thread Emre Bastuz
Hi,

Quoting Gustavo Lozano <[EMAIL PROTECTED]>:
> Uh?
> [EMAIL PROTECTED]?
> Why the heck is an email coming from our Domain?
I also had [EMAIL PROTECTED] as recipient. Seems this one's yet
another screwed up Windows/Exchange Trend Micro content filter.

Don't bother.

Regards,

Emre

-- 
Emre Bastuz
[EMAIL PROTECTED]  http://www.emre.de
UIN: 561260   PGP Key ID: 0xAFAC77FD




Re: ScanMail Message: To Recipient Match eManager setting and take action.

2003-02-10 Thread Alan DeKok
Gustavo Lozano <[EMAIL PROTECTED]> wrote:
> Uh?
> 
> [EMAIL PROTECTED]?
> 
> Why the heck is an email coming from our Domain?

  You have a broken spam filter installed.  It sees the spam from the
list, and then bounces an error message back to the list.

  It should NOT send any notification about the spam.  It should just
throw the spam away.

  Alan DeKok.




Strange rlm_sql error

2003-02-10 Thread Giovanni P. Tirloni
Hi,

 I've been using version 0.6 with MySQL successfully but I'm getting
 something strange with version 0.8.1, here is the log information:

 (sorry about line length)
 
rad_recv: Access-Request packet from host 200.203.183.35:2455, id=119, length=60
User-Name = "teste"
User-Password = "abcde"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Mon Feb 10 18:06:01 2003 : Debug: rad_lowerpair:  User-Name now 'teste'
Mon Feb 10 18:06:01 2003 : Debug: rad_rmspace_pair:  User-Name now 'teste'
Mon Feb 10 18:06:01 2003 : Debug: modcall: entering group authorize
Mon Feb 10 18:06:01 2003 : Debug: radius_xlat:  'teste'
Mon Feb 10 18:06:01 2003 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'teste'
Mon Feb 10 18:06:01 2003 : Debug: radius_xlat:  'SELECT gid,SUBSTRING(id,1,LOCATE('@',id,1)-1),'Crypt-Password' Attribute,crypt,op FROM users-bak WHERE SUBSTRING(id,1,LOCATE('@',id,1)-1) = 'teste' ORDER BY id'
Mon Feb 10 18:06:01 2003 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Mon Feb 10 18:06:01 2003 : Debug: rlm_sql_mysql: query:  SELECT gid,SUBSTRING(id,1,LOCATE('@',id,1)-1),'Crypt-Password' Attribute,crypt,op FROM users-bak WHERE SUBSTRING(id,1,LOCATE('@',id,1)-1) = 'teste' ORDER BY id
Mon Feb 10 18:06:01 2003 : Debug: rlm_sql_mysql: MYSQL check_error: 1064 received
Mon Feb 10 18:06:01 2003 : Error: rlm_sql_getvpdata: database query error
Mon Feb 10 18:06:01 2003 : Error: rlm_sql (sql): SQL query error; rejecting user
Mon Feb 10 18:06:01 2003 : Debug: rlm_sql (sql): Released sql socket id: 4
Mon Feb 10 18:06:01 2003 : Debug:   modcall[authorize]: module "sql" returns fail
Mon Feb 10 18:06:01 2003 : Debug: modcall: group authorize returns fail
Mon Feb 10 18:06:01 2003 : Debug: There was no response configured: rejecting request 0
Mon Feb 10 18:06:01 2003 : Debug: Server rejecting request 0.
Mon Feb 10 18:06:01 2003 : Debug: Finished request 0
Mon Feb 10 18:06:01 2003 : Debug: Going to the next request
Mon Feb 10 18:06:01 2003 : Debug: --- Walking the entire request list ---
Mon Feb 10 18:06:01 2003 : Debug: Waking up in 1 seconds...
Mon Feb 10 18:06:02 2003 : Debug: --- Walking the entire request list ---
Mon Feb 10 18:06:02 2003 : Debug: Waking up in 1 seconds...
Mon Feb 10 18:06:03 2003 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 119 to 200.203.183.35:2455

 The table structure,

 CREATE TABLE users-bak (
  cli_cod int(4) NOT NULL default '0',
  id varchar(128) NOT NULL default '',
  crypt varchar(128) NOT NULL default '',
  group varchar(64) NOT NULL default 'Mail',
  uid smallint(5) NOT NULL auto_increment,
  gid smallint(5) NOT NULL default '0',
  home varchar(128) NOT NULL default '/',
  domain varchar(255) NOT NULL default '',
  maildir varchar(255) NOT NULL default '',
  quota varchar(255) NOT NULL default '1000',
  imapok tinyint(3) NOT NULL default '1',
  op char(2) NOT NULL default '==',
  PRIMARY KEY  (id,cli_cod),
  UNIQUE KEY id (id),
  UNIQUE KEY uid (uid)
 ) TYPE=MyISAM;

 And a sample entry,

 [ 1, 'teste@DIAL', '$1$-MD5-PASSWORD', 'Dial', 1, 1, '/, 'mydomain', '0', 0, '==' ]

 Is there anything I can do to increase the level of verbosity so I can have a clue
 about what's going on?

 Thanks in advance,

 --
 Giovanni P. Tirloni
 http://www.tirloni.org




Re: ScanMail Message: To Recipient Match eManager setting and takeaction.

2003-02-10 Thread Gustavo Lozano
Uh?

[EMAIL PROTECTED]?

Why the heck is an email coming from our Domain?


On Mon, 2003-02-10 at 14:03, [EMAIL PROTECTED] wrote:
>  eManager Notification *
> 
> The following mail was blocked since it contains sensitive content.
> 
> Source mailbox: [EMAIL PROTECTED]
> Destination mailbox(es): [EMAIL PROTECTED]
> Rule/Policy: Sexually Explicit
> Action: Quarantine to D:\Program Files\Trend\SMCF\Quarantine\2003-02-10\14-03-06.409
> 
> Content filter has detected a sensitive e-mail.
> 
> *** End of message *
> 
> 
-- 
_ __
Gustavo A. Lozano Noldata Corporation
[EMAIL PROTECTED]   Calle 46 No. 40-19
CTO   Bogota D.C. Colombia
Noldata Corporation   http://noldata.com

I know not with what weapons World War III will be fought,
   but World War IV will be fought with sticks and stones.
   Albert Einstein




Suffix not stripped when processing users file...

2003-02-10 Thread dfriend
I have two different user groups (local & remote) and two different NAS
devices (local & remote). I’ve setup the huntgroups file so that each NAS
device will be assigned its Huntgroup-Name (either local or remote). I do not
want users from the local group to authenticate on the remote NAS device and
I do not want remote users to authenticate on the local NAS. I put two
entries near the top of my users file that read:

(line 95)   DEFAULT Group == "remote", Huntgroup-Name == "local", Auth-Type := Reject
(line 96)   Reply-Message = "Call your service provider to activate local dialup!"
(line 97)
(line 98)   DEFAULT Group == "local", Huntgroup-Name == "remote", Auth-Type := Reject
(line 99)   Reply-Message = "Call your service provider to activate remote dialup!"

I have setup a realm with the following:

# Realm        Remote server [:port]   Options
#     ---
mydomain.com   LOCAL

My huntgroups file looks like:

Local    NAS-IP-Address == 111.222.333.444
Remote   NAS-IP-Address == 444.333.222.111

The process is working perfectly if I login using ‘username’ without a
suffix. When I use ‘[EMAIL PROTECTED]’ the lines in the users file appear to
be ignored. I can login from both locations regardless of what group I am in.

The suffix is being stripped properly for authentication, Simultaneous-Use
and accounting purposes.

Debug results are the same from both NAS devices except for origination
addresses. Here is a sample:

rad_recv: Access-Request packet from host 444.333.222.111:3012, id=91, length=70
User-Name = "[EMAIL PROTECTED]"
User-Password = "mypasswd"
Framed-Protocol = PPP
Service-Type = Framed-User
modcall: entering group authorize
  hints: Matched DEFAULT at 63
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm mydomain.com for User-Name = "username@mydomain"
rlm_realm: Found realm mydomain.com
rlm_realm: Setting Stripped-User-Name = "username"
  rlm_realm: Proxying request from user username to realm mydomain.com
rlm_realm: Adding Realm = "mydomain.com"
rlm_realm:  Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
  modcall[authorize]: module "counter" returns noop
users: Matched DEFAULT at 226
users: Matched DEFAULT at 249
users: Matched DEFAULT at 261
users: Matched username at 1
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
modcall: entering group session
radius_xlat:  'username'
  modcall[session]: module "radutmp" returns ok
modcall: group session returns ok
Login OK: [username] (from client remote.mydomain.com port 0)
Sending Access-Accept of id 91 to 444.333.222.111:3012
Session-Timeout = 28800
Idle-Timeout = 900
Framed-IP-Address = 255.255.255.254
Framed-MTU = 1514
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 8
Going to the next request
--- Walking the entire request list ---

Any ideas would be welcomed.

D Friend


0.8.1 Radmon

2003-02-10 Thread Eric Dean



Attached is a little utility that we hacked to monitor and restart 0.8.1.
My server would die...and then I'd get that late night horror-movie phone
call. "we're all dead!!!"

Some people were running a kill -9 cron and that still leaves a potentially
dangerous period in between the cron interval whereby radius could crash.
This can be tuned to be a bit more vigilant.


radmon.py
Description: Binary data


ScanMail Message: To Recipient Match eManager setting and take action.

2003-02-10 Thread Administrator
 eManager Notification *

The following mail was blocked since it contains sensitive content.

Source mailbox: [EMAIL PROTECTED]
Destination mailbox(es): [EMAIL PROTECTED]
Rule/Policy: Sexually Explicit
Action: Quarantine to D:\Program Files\Trend\SMCF\Quarantine\2003-02-10\14-03-06.409

Content filter has detected a sensitive e-mail.

*** End of message *







Re: I did Bizarre stuff with my pussy

2003-02-10 Thread Matthew Simpson



Normally I hate spam, but this one put the entire office in tears.
 
PEDRO THE TACO EATER!



newbie questions...installed, authenticated, now what?

2003-02-10 Thread Matt Ashfield (UNB)



Hi All,

I've been asked to investigate the use of a Radius server as a means of
authenticating users on our network. Namely wireless, but really, just broad
user authentication. I've been reading up some of the documentation and have
been following this list, and it has been helpful, although I'm hoping my
Radius O'Reilly book will clear a lot of things up.

I've installed radius server on a linux box, and have done a basic apache
authentication. So I guess my question is where do I go from here as far as
user authentication? What I'd like to do is have a user authenticate, and
then an ip address based on a successful authentication. Or possibly
authenticate and being placed in a new vlan based on a successful
authentication. Is this possible? I'm sure if it is, it's been done. Any tips
would be helpful!

Thanks

Matt


RE: Authentication against MySQL

2003-02-10 Thread Scott Bartlett
>That is exactly what I had to do.  All the docs say put it in
>radgroupreply.  But it seems that it will not recognize it anywhere in
>the DB.  I never did get a good answer, I think it something in the
>recent code, older versions seem to be fine. The only way I could make
>it work was to change it at the users file.  So now I have no default
>System for local logins.

There was a thread on this a couple of days ago (which also finally
prompted today's updating of the FR/MySQL notes at
http://www.frontios.com/freeradius.html). 

Basically, auth-type should be a check item, not a reply item, and if
FreeRadius doesn't get one it defaults to 'Local'. 

Search the list under the subject: "freeradius not reading Auth-Type
from MySQL" for more...

Regards,

SB







Re: Authentication against MySQL

2003-02-10 Thread Robert Canary
Well Rick,

That is exactly what I had to do.  All the docs say put it in
radgroupreply.  But it seems that it will not recognize it anywhere in
the DB.  I never did get a good answer, I think it something in the
recent code, older versions seem to be fine. The only way I could make
it work was to change it at the users file.  So now I have no default
System for local logins.

> Rick Evans wrote:
> 
> Hello,
> 
> I am new to using Freeradius as well as to the list so I apologize for
> any ignorant statements.
> 
> I am using Freeradius + MySQL and up until a few minutes ago, I could
> get a user 'test' to authenticate against the Radius server as long as
> the user was entered into the system, however not if the user was in the
> Radius database (MySQL).
> 
> I was getting the same errors about "DEFAULT Auth-Type := System" and
> it would reject the username/password combination.  I have setup in the
> radgroupreply table, a field entry setting the Auth-Type to Local.  I
> also setup in the radgroupcheck table the same type of entry based on a
> previous read message.  I would still get the same errors when running
> the Radius server in its 'debugging' mode.
> 
> I just recently modified the 'users' file and changed the Default
> Auth-Type to 'Local' instead of 'System' and it started working.  Is
> this the correct location to specify this attribute or is there a
> cleaner way of setting it?
> 
> Thank you for all of your help and suggestions.
> 
> Rick Evans




Authentication against MySQL

2003-02-10 Thread Rick Evans



Hello,

I am new to using Freeradius as well as to the list so I apologize for
any ignorant statements.

I am using Freeradius + MySQL and up until a few minutes ago, I could
get a user 'test' to authenticate against the Radius server as long as the
user was entered into the system, however not if the user was in the Radius
database (MySQL).

I was getting the same errors about "DEFAULT Auth-Type := System" and it
would reject the username/password combination.  I have setup in the
radgroupreply table, a field entry setting the Auth-Type to Local.  I also
setup in the radgroupcheck table the same type of entry based on a previous
read message.  I would still get the same errors when running the Radius
server in its 'debugging' mode.

I just recently modified the 'users' file and changed the Default Auth-Type
to 'Local' instead of 'System' and it started working.  Is this the correct
location to specify this attribute or is there a cleaner way of setting it?

Thank you for all of your help and suggestions.

Rick Evans


Re: Security issue; non case sensitivity in MySql

2003-02-10 Thread Robert Canary
When mysql is queried for that password against that username (regardless
of case) it returns a match because MySql isn't case sensitive.  That's
something which should be boldly noted in the docs.

Now here is the odd thing I noticed.  PPPD logs the user as
"Rcanary" as being logged on, However, utmps and privileges the user as
"canary".  I can't get enough debug logging going on the portslave
machine to see what's happening.  If radius is told not to strip the "R"
we still have a tiny problem with the mysql circumventing case
sensitivity.  (well more like something one needs to be aware of).

However, MySql will do a STRCMP (String Compare).  So I went into the
sql.conf file to change the query strings.  However, I found that the
author had already included the case sensitive query, but it was
commented-out.

Alan DeKok wrote:
> 
> Robert Canary <[EMAIL PROTECTED]> wrote:
> > Now let's say I try to dialin (using portslave here in this case).  I
> > mistype the username as *R*canary instead of *r*canary.
> > The RAS is case sensitive.  However, radius is allowing the Rcanary and
> > rcanary.
> 
>   So run the server in debugging mode, to see which parts of which
> configuration files are being used... look at those configuration
> files to see what's going on.
> 
>   Incidentally, the user name comparison in the 'users' file and in
> rlm_sql is case sensitive.
> 
> >  This results with the user being logged in as "canary" because
> > portslave will drop the "R".
> 
>   So configure portslave to NOT drop the "R"...
> 
> > If I have two usernames which differ only by the first letter (rcanary
> > and canary) if rcanary user logs in with a capital letter then they will
> > be granted access to the other users files.
> 
>   So fix your configuration to not do that...
> 
> > Other than trying to control username similarity when usernames are
> > created, anyone have an idea how to control this?
> >
> > PS. Since this involves PortSlave and freeradius and a security
> > problem.  I double posted this on both mailing lists.
> 
>   You've either misconfigured portslave, or radiusd.
> 
>   Alan DeKok.
> 

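The case-insensitive username match described in the message above, as an added example that is not code from any list member or from FreeRADIUS. It assumes SQLite's NOCASE collation as a stand-in for MySQL's default case-insensitive comparison; the table and column names follow the radcheck query quoted on this page, the accounts and passwords are constructed, and the collision audit at the end goes slightly beyond the single case in the thread.

```python
import hmac
import sqlite3
from collections import defaultdict

# Constructed sample accounts (not real data).
SAMPLE_ROWS = [
    ("rcanary", "Password", "==", "constructed-pw-1"),
    ("canary", "Password", "==", "constructed-pw-2"),
    ("Jsmith", "Password", "==", "constructed-pw-3"),
    ("jsmith", "Password", "==", "constructed-pw-4"),
]

# Query shape as the server issues it: the comparison inherits the
# column's case-insensitive collation.
LOOSE_QUERY = (
    "SELECT id, UserName, Attribute, Value, op FROM radcheck "
    "WHERE UserName = ? ORDER BY id"
)

# Same query with the comparison forced to byte-for-byte matching.
STRICT_QUERY = (
    "SELECT id, UserName, Attribute, Value, op FROM radcheck "
    "WHERE UserName COLLATE BINARY = ? ORDER BY id"
)


def make_db():
    """In-memory radcheck table whose UserName column compares without
    regard to case (assumption: NOCASE stands in for MySQL's default)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck ("
        " id INTEGER PRIMARY KEY,"
        " UserName TEXT COLLATE NOCASE,"
        " Attribute TEXT, op TEXT, Value TEXT)"
    )
    conn.executemany(
        "INSERT INTO radcheck (UserName, Attribute, op, Value) "
        "VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def matched_accounts(conn, query, username):
    """Stored account names that `query` returns for the typed username."""
    return [row[1] for row in conn.execute(query, (username,))]


def check_login(conn, username, password, strict=True):
    """Return the stored account name that accepted the login, or None."""
    query = STRICT_QUERY if strict else LOOSE_QUERY
    for _id, stored, attribute, value, _op in conn.execute(query, (username,)):
        if attribute == "Password" and hmac.compare_digest(
            value.encode(), password.encode()
        ):
            return stored
    return None


def case_collisions(conn):
    """Audit: account names that become identical once case is ignored.
    Grouping is done in Python because SQL DISTINCT on the NOCASE column
    would already have merged them."""
    groups = defaultdict(set)
    for (name,) in conn.execute("SELECT UserName FROM radcheck"):
        groups[name.casefold()].add(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    db = make_db()
    print("loose  Rcanary ->", matched_accounts(db, LOOSE_QUERY, "Rcanary"))
    print("strict Rcanary ->", matched_accounts(db, STRICT_QUERY, "Rcanary"))
    print("collisions     ->", case_collisions(db))
```

Running the audit before switching to the strict query shows which existing accounts would stop being interchangeable.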



Re: Newbie, authenticate MAC address

2003-02-10 Thread Aron Silverton
CoyoteTM wrote:

> Hello list members !
>
> I am really newbie...
>
> 0. First of all, plz point me the best how-to available on the net, 
> about freeradius. I want to use it with mysql.

The doc directory and the comments in the various configuration files 
are your best bet.  Try google for information on using MySQL.  There 
are a couple of sites out there.

> 1. Can I use the same radius server to authenticate dial-up users (from 
> CISCO), authenticate wireless devices based on MAC address, gather VOIP 
> accounting information (from CISCO) ? And store all this in mysql.

Yes, one RADIUS server can be used with several different NAS devices.

> 2. How to authenticate on MAC address ? There are no passwords, and user 
> names. Basic concept ?

For a Cisco device, the user name and password are the same.  They are 
the MAC address in lowercase with no punctuation.  Try something like:

	Auth-Type := Local, User-Password == ""

Where  is the MAC address of the client/user.

> 3. How accurate is this kind of accounting ? What if a "session end" 
> message is lost. Or what is the situation if a user is always on-line ? 
> There is some kind of timeout when accounting data is written out to 
> database ?


--
Aron J. Silverton
Senior Staff Research Engineer
Motorola Laboratories, Networks and Infrastructure Research
Motorola, Inc.

Telephone: 847-576-8747
Fax: 847-576-3240
mailto: [EMAIL PROTECTED]




Annoying 'stop packet with zero session length' messages

2003-02-10 Thread Jacques Caruso
Hi,

a little problem (not real bad, but...) : my logs are cluttered with
messages like this ->

Mon Feb 10 16:43:57 2003 : Error: rlm_sql: Stop packet with zero session length.  
(user 'xxx', nas '194.79.150.5')

From a search in this mailing-list archives, I found that these are
spurious accounting-stop messages that are phased out by the rlm_sql
module. In my case, this /seems/ to be caused by ISDN routers who try to
use Multilink PPP, but are stopped by the RADIUS (Port-Limit = 1). Can I
just comment out the two lines that display them in rlm_sql.c ? Or is
there a use for these messages (other than finding all the people with
badly configured routers) ?

Regards,
-- 
[ Jacques Caruso <[EMAIL PROTECTED]>  PHP Developer ]
[ Monaco Internet   http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43    PGP key: 0x41F5C63D ]
[ -+- Support bacteria! They're the only culture some people have. -+- ]




Re: acct_users : unclear running order ...

2003-02-10 Thread DouRiX
Alan DeKok wrote:

> DouRiX <[EMAIL PROTECTED]> wrote:
>
> > I have a little strange (at least for me) behaviour on *when scripts in 
> > acct_users are run*.
> >
> > I am trying to use the Exec-Program on preacct inside acct_users with 
> > the simple config below :
>
> ...
>
>   The 'Exec-Program' scripts are executed as the LAST THING before an
> accounting response is returned.

Ok, It's good for me as I'd be able to directly work with the last saved 
accounting record,

>   If you want a program to be executed immediately, grab the latest
> CVS snapshot, and see 'rlm_exec'

I'll take a look,

Thanks much,

@+
--
DouRiX







RE: Not all attributes transmitted

2003-02-10 Thread Burkhard Weeber
RTFM, I need some holiday

Thanks Alan,

With += it works.

Burkhard 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of 
> Alan DeKok
> Sent: Monday, February 10, 2003 10:47 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Not all attributes transmitted 
> 
> 
> "Weeber, Burkhard" <[EMAIL PROTECTED]> wrote:
> > I am just trying to update my well running version 0.3 to 0.8.1 but I am
> > stuck with a problem.
> > A Bintec Brick X.4100 is only getting the first "Framed-Route" entry of
> > its default "dialout-X" user.
> > On 0.3 all of the "Framed-Route" attributes are sent to the NAS so it
> > can set up its routing table, but on 0.8.1 only the first is
> > transmitted.
> > 
> > A bug or a feature in 0.8.1 ?
> 
>   It's a feature.  Read the 'users' file 'man' page.
> 
>   Alan DeKok.
> 
> 





Called-Station-Id Revisted

2003-02-10 Thread J. S. Townsley

Greetings list-members.

I have a script that does some very simple if statements in the sh shell.
My script exits 0 or 1 for good auth/bad auth; but FR (current cvs)
authenticates my user regardless.

I have "files" in the authorize and preacct stanzas of radiusd.conf.

Here's a snippet of my radius in debug mode:

rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "LDAP2" returns ok
modcall: group redundant returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
users: Matched DEFAULT at 54
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat:  '/usr/local/bin/radchecksignup.sh'
Exec-Program: /usr/local/bin/radchecksignup.sh
Exec-Program output:
Exec-Program: returned: 1
Login OK: [[EMAIL PROTECTED]] (from client localhost port 0)
Sending Access-Accept of id 78 to 127.0.0.1:4644

Is there something I am missing?  Documentation suggests that users will
not authenticate if Exec-Program-Wait exits non-zero.

--JST





Re: unable to test !

2003-02-10 Thread Alan DeKok
Nadeem Akhtar <[EMAIL PROTECTED]> wrote:
>  I've installed radius on a Redhat Linux m/c. It installed without any 
> problems and I even tested using radtest on localhost with Auth-Type set 
> to Local. Now, when I try to test it using radtest with Auth-Type set to 
> System, I run into problems. Here's a portion of the log :
...
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
>   modcall[authenticate]: module "unix" returns notfound

  Is it really that hard to understand that message?

  Alan DeKok.




Re: RADIUS response from incorrect interface

2003-02-10 Thread Alan DeKok
"John Gruber" <[EMAIL PROTECTED]> wrote:
> Is that prophecy or cynicism?  Not that you're wrong... we'd ask for
> that.

  It's a strong opinion.

  Writing one RADIUS server is hard enough.  Writing a RADIUS server
with multiple personalities is even harder.

  If people want to return different attributes based on the NAS, then
they can do that now.  But allowing two *completely* different
configurations inside of the RADIUS server makes misconfiguration and
security leaks *much* more likely.

  For similar reasons, I'm opposed to adding a PHP module to the
server.  PHP is nice, but it has an *atrocious* security record.

  Alan DeKok.




Re: acct_users : unclear running order ...

2003-02-10 Thread Alan DeKok
DouRiX <[EMAIL PROTECTED]> wrote:
> I have a little strange (at least for me) behaviour on *when scripts in 
> acct_users are run*.
> 
> I am trying to use the Exec-Program on preacct inside acct_users with 
> the simple config below :
...

  The 'Exec-Program' scripts are executed as the LAST THING before an
accounting response is returned.

  If you want a program to be executed immediately, grab the latest
CVS snapshot, and see 'rlm_exec'

  Alan DeKok.




unable to test !

2003-02-10 Thread Nadeem Akhtar

Hi,
 I've installed radius on a Redhat Linux m/c. It installed without any 
problems and I even tested using radtest on localhost with Auth-Type set 
to Local. Now, when I try to test it using radtest with Auth-Type set to 
System, I run into problems. Here's a portion of the log :

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32810, id=209, 
length=58
User-Name = "ees1na"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
rlm_realm: No '@' in User-Name = "ees1na", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
  modcall[authenticate]: module "unix" returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Login incorrect: [ees1na/test] (from client localhost port 0)


Can anyone please tell me what's going on ? I've read the FAQs and searched 
the archives too but couldn't find much relevant info.

Regards,
Nadeem
-- 



Nadeem Akhtar
Centre for Comm. Systems Research
University of Surrey
Guildford, Surrey GU2 7XH
United Kingdom

Tel (CCSR) : 01483-683605





Re: Not all attributes transmitted

2003-02-10 Thread Alan DeKok
"Weeber, Burkhard" <[EMAIL PROTECTED]> wrote:
> I am just trying to update my well running version 0.3 to 0.8.1 but I am
> stuck with a problem.
> A Bintec Brick X.4100 is only getting the first "Framed-Route" entry of
> its default "dialout-X" user.
> On 0.3 all of the "Framed-Route" attributes are sent to the NAS so it
> can set up its routing table, but on 0.8.1 only the first is
> transmitted.
> 
> A bug or a feature in 0.8.1 ?

  It's a feature.  Read the 'users' file 'man' page.

  Alan DeKok.




Re: Counters question

2003-02-10 Thread Alan DeKok
"Keith Ballard" <[EMAIL PROTECTED]> wrote:
> I am using counters with the reset time set to 'never'.
> 
> Just wondered, if I did want to reset a particular counter for any reason,
> is it possible to do it (and how)?

  Write a small utility, and post it to the list.  We can add it to
the rlm_counter module...

  Alan DeKok.




Re: porting mipsel platform problem

2003-02-10 Thread Alan DeKok
Jeffery <[EMAIL PROTECTED]> wrote:
>   I use x86 host to cross compile mipsel-linux code. Will "configure" 
> know that I will use mipsel-linux-gcc to compile freeradius not gcc?

  If you use '--target', it's supposed to work.  But I've never used
it.

> As the result I run. It will guess my compiler is gcc, not
> mipsel-linux-gcc. So I think that maybe I should add --target
> parameter.  But it also cannot find out my crosscompiler. How do you
> do that will make a Makefile that can use mipsel-linux-gcc to
> compile freeradius?

  Edit it by hand.  See 'Make.inc'

  Alan DeKok.




RE: RADIUS response from incorrect interface

2003-02-10 Thread John Gruber
Is that prophecy or cynicism?  Not that you're wrong... we'd ask for
that.

John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Alan DeKok
Sent: Monday, February 10, 2003 3:35 AM
To: [EMAIL PROTECTED]
Subject: Re: RADIUS response from incorrect interface


Jason Haar <[EMAIL PROTECTED]> wrote:
> On Sat, Feb 08, 2003 at 01:47:28PM +, Miquel van Smoorenburg wrote:
> >[...stuff on how complex it is to bind to >1 interface deleted]
>
> Why not just run two instances of radiusd - one on each address? They can
> point to the same auth system - just the logfiles have to be different...

  I can understand people wanting the *same* radius server to listen
on 2 interfaces, and respond correctly from those interfaces.  Running
one server which listens on 2 interfaces is a reasonable solution.

  If that's implemented, then I'll bet the next request will be for
the ability to run one server, which does different things, based on
which interface received the request.  The response to that will be
NO.

  Alan DeKok.




Re: Security issue; non case sensitivity in MySql

2003-02-10 Thread Alan DeKok
Robert Canary <[EMAIL PROTECTED]> wrote:
> Now lets say I try to dialin (using portslave here in this case).  I
> mistype the username as *R*canary instead of *r*canary.
> The RAS is case sensitive.  However, radius is allowing the Rcanary and
> rcanary.

  So run the server in debugging mode, to see which parts of which
configuration files are being used... look at those configuration
files to see what's going on.

  Incidentally, the user name comparison in the 'users' file and in
rlm_sql is case sensitive.

>  This results with the user being logged in as "canary" because
> portslave will drop the "R".

  So configure portslave to NOT drop the "R"...

> If I have two usernames which differ only by the first letter (rcanary
> and canary) if rcanary user logs in with a capital letter then they will
> be granted access to the other users files.

  So fix your configuration to not do that...

> Other than trying to control username similarity when usernames are
> created, anyone have an idea how to control this?
>
> PS. Since this involves PortSlave and freeradius and a security
> problem.  I double posted this on both mailing lists.

  You've either misconfigured portslave, or radiusd.

  Alan DeKok.




Re: RADIUS response from incorrect interface

2003-02-10 Thread Alan DeKok
Jason Haar <[EMAIL PROTECTED]> wrote:
> On Sat, Feb 08, 2003 at 01:47:28PM +, Miquel van Smoorenburg wrote:
> >[...stuff on how complex it is to bind to >1 interface deleted]
> 
> Why not just run two instances of radiusd - one on each address? They can
> point to the same auth system - just the logfiles have to be different...

  I can understand people wanting the *same* radius server to listen
on 2 interfaces, and respond correctly from those interfaces.  Running
one server which listens on 2 interfaces is a reasonable solution.

  If that's implemented, then I'll bet the next request will be for
the ability to run one server, which does different things, based on
which interface received the request.  The response to that will be
NO.

  Alan DeKok.




Re: cisco_vsa_hack (rlm_preprocess)

2003-02-10 Thread Thomas Jalsovsky


Hello,

I sent many times the SAME feature to the list, but project
leaders (or leader, I can't remember) said, we should make a general
architecture for this type of hacks and not do with rlm_preprocess.
So it is not in the CVS (but It should from a long time...).

Perhaps you will have success :)

I would like to see this improvement in FR.

Regards,
Thomas

On Tue, 4 Feb 2003, Vladimir Kravchenko wrote:

>
> I offer to add functionality in the function "cisco_vsa_hack".
>
> Example value pair:
> Cisco-AVPair = "h323-incoming-conf-id=cc0576cf 379011d7 95c8ef6a 9f419c36"
> I can not will address to attribute h323-incoming-conf-id through macro
> %{h323-incoming-conf-id}
> Offer: if "h323-incoming-conf-id" exists in dictionary then replace
> attribute & value.
>
> Example patch:
>
> oracle[jimson]:.../radiusd $ cat ../cisco_vsa_hack.patch
> --- src/modules/rlm_preprocess/rlm_preprocess.c.origTue Feb  4 21:26:05 2003
> +++ src/modules/rlm_preprocess/rlm_preprocess.c Tue Feb  4 21:27:22 2003
> @@ -112,7 +112,9 @@
>  {
> int vendorpec, vendorcode;
> char*ptr;
> -   charnewattr[MAX_STRING_LEN];
> +   charnattr[MAX_STRING_LEN];
> +   charnvalue[MAX_STRING_LEN];
> +   DICT_ATTR   *dattr;
>
> for ( ; vp != NULL; vp = vp->next) {
> vendorcode = (vp->attribute >> 16); /* HACK! */
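Review bot: The two new MAX_STRING_LEN stack buffers, nattr and nvalue, are only ever used one after the other in the loop below (the name is looked up, then the value is copied back), so a single scratch buffer would do; if both are kept, give them names that say which holds the attribute name and which the value, since nattr and nvalue are easy to swap in a later edit.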
> @@ -123,16 +125,21 @@
>
> if (vendorpec != 9) continue; /* not a Cisco VSA, continue */
>
> -   if ((vp->attribute & 0x) == 1) continue; /* Cisco-AVPair */
> -
> /*
>  *  We strip out the duplicity from the value field,
>  *  we use only the value on the right side of = character.
>  */
> -   if ((ptr = strchr(vp->strvalue, '=')) != NULL) {
> -   strNcpy(newattr, ptr + 1, sizeof(newattr));
> -   strNcpy((char *)vp->strvalue, newattr,
> -   sizeof(vp->strvalue));
> +   if (vp->type == PW_TYPE_STRING && (ptr = strchr(vp->strvalue, '=')) 
>!= NULL) {
> +   if ((vp->attribute & 0x) == 1) {
> +   /* Cisco-AVPair */
> +   strNcpy(nattr, vp->strvalue, ptr - (char 
>*)vp->strvalue + 1);
> +   if ((dattr = dict_attrbyname(nattr)) != NULL && 
>dattr->type == PW_TYPE_STRING) {
> +   vp->attribute = dattr->attr;
> +   strNcpy(vp->name, dattr->name, 
>sizeof(vp->name));
> +   } else continue;
> +   }
> +   strNcpy(nvalue, ptr + 1, sizeof(nvalue));
> +   strNcpy((char *)vp->strvalue, nvalue, sizeof(vp->strvalue));
> vp->length = strlen((char *)vp->strvalue);
> }
> }
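Review bot: In the Cisco-AVPair branch, the copy into nattr takes its length from the position of '=' inside vp->strvalue (ptr - (char *)vp->strvalue + 1) and never compares it with sizeof(nattr); pass the smaller of the two so the bound does not depend on data sent by the NAS. The dict_attrbyname() result is also accepted for any string attribute in the dictionary, so the text before '=' in an AVPair can retarget vp->attribute to a non-Cisco attribute; restricting the match to vendor 9, which the P.S. below already asks about, should be part of this patch rather than a follow-up.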
> oracle[jimson]:.../radiusd $
>
> Your opinion?
>
> P.S. To add check dattr vendor whether or not? :)
> --
> Vladimir Kravchenko / PK Mostcom JSC / system engineer
> Tel: +7 095 2312255 / UIN: 132038843 / Email: [EMAIL PROTECTED]
>
>




Re: Freeradius + pppd

2003-02-10 Thread Norbert Wegener
The actual cvs version of pppd contains a ppp-radius plugin, which 
-maybe- does what you want.
Norbert Wegener


Luca Grossi wrote:
> Thanks very muchly ! :)
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Miquel van
> Smoorenburg
> Sent: Monday, February 10, 2003 11:03 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius + pppd
>
> In article <007a01c2d0f3$a09b2e30$020a@stuido>,
> Luca Grossi <[EMAIL PROTECTED]> wrote:
> >Hello everyone!,
> >Could someone please explain to me, how to go about patch for pppd to
> >support authentification through RADIUS.
> >I've been looking around , people just start suggesting to use portslave
> >Why would that been ? 
>
> I entered "pppd radius" in Google and one of the first hits was
> http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/
> which appears to be exactly what you want.
>
> >linux:/usr/src/linux # patch -p1 <
> >ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch
> >patching file Makefile
>
> Why are you trying to apply a patch for pppd to the Linux kernel?
> That doesn't make any sense.
>
> Mike.



--
Norbert Wegener Phone : (49) 201 2661 379
SBS Essen   Fax:(49) 201 2661 377
Germany Mail:   [EMAIL PROTECTED]
http://relax.sbs.de (intranet)




Re: [Portslave-users] Security issue; non case sensitivity in MySql

2003-02-10 Thread Nicholas Tretyachenko
Hello Robert,

Sunday, February 9, 2003, 9:55:20 PM, you wrote:

RC> Let say I have a username of "rcanary".  The account is created on the
RC> radius (MySql DB) as UserName=rcanary

RC> Now lets say I try to dialin (using portslave here in this case).  I
RC> mistype the username as *R*canary instead of *r*canary.
RC> The RAS is case sensitive.  However, radius is allowing the Rcanary and
RC> rcanary.  This results with the user being logged in as "canary" because
RC> portslave will drop the "R".  
Look at the config of your radius server. I think it uses capital R as
hint for service type and then drops R. That is not an issue at all. That
is a misconfiguration of your radius server.

-- 
Best regards,
 Nicholas    mailto:[EMAIL PROTECTED]






acct_users : unclear running order ...

2003-02-10 Thread DouRiX

Hello everybody,

I have a little strange (at least for me) behaviour on *when scripts in 
acct_users are run*.

I am trying to use the Exec-Program on preacct inside acct_users with 
the simple config below :

DEFAULT Acct-Status-Type == Start
Exec-Program = "/usr/local/bin/exec-program-printenv.sh start"

DEFAULT Acct-Status-Type == Stop
Exec-Program = "/usr/local/bin/exec-program-printenv.sh stop"

As test, I use a simple script which print the environment variables 
into a file, and I am surprised that I already have the 
Acct-Unique-Session-Id attribute at this stage (preacct), while the 
acct_unique module (which should calculate this unique attribute) is 
called only at the accounting phase.

Actually, when I look at the freeradius debug logs (cf. below), I notice 
that my script is run only after the accounting module, after the 
message 'group accounting returns ok'.

So I wonder if this behaviour is normal or not ? Could someone bring me 
a light on this ?


-- in radiusd.conf --
# Pre-accounting. Look for proxy realm in order of realms, then
# acct_users file, then preprocess (hints file).
preacct {
files
}

# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
acct_unique
	sql
	#...
	radutmp
}


-- debug acct log --
...
modcall: entering group preacct
acct_users: Matched DEFAULT at 21
  modcall[preacct]: module "files" returns ok	*here module files returns ok*
modcall: group preacct returns ok
modcall: entering group accounting
rlm_acct_unique: Hashing 'Framed-IP-Address = 
192.168.111.111,NAS-Port-Id = "52",NAS-IP-Address = 
192.168.10.98,Acct-Session-Id = "AA95F700E10C",User-Name = "fifi"'
rlm_acct_unique: Acct-Unique-Session-ID = "17f2ce1f0270476c".
  modcall[accounting]: module "acct_unique" returns ok
radius_xlat:  '/var/log/radiusd-freeradius/radacct//detail'
rlm_detail: 
/var/log/radiusd-freeradius/radacct/%{Client-IP-Address}/detail expands 
to /var/log/radiusd-freeradius/radacct//detail
  modcall[accounting]: module "detail" returns ok
  modcall[accounting]: module "endless_counter" returns ok
modcall: entering group redundant
radius_xlat:  'fifi'
rlm_sql (sql): sql_set_user escaped user --> 'fifi'
radius_xlat:  'UPDATE radacct SET AcctStopTime = '2003-02-10 15:24:16', 
AcctSessionTime = '2574', AcctInputOctets = '998604', AcctOutputOctets = 
'135044', AcctTerminateCause = 'User-Request', AcctStopDelay = '0', 
ConnectInfo_stop = '', AcctMultiSessionId = 'AA95F700E10C', 
AscendDataRate = '', AscendXmitRate = '' WHERE AcctSessionId = 
'AA95F700E10C' AND UserName = 'fifi' AND NASIPAddress = '192.168.10.98''
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
  modcall[accounting]: module "sql" returns ok
modcall: group redundant returns ok
radius_xlat:  '/var/log/radiusd-freeradius/radutmp'
radius_xlat:  'fifi'
  modcall[accounting]: module "radutmp" returns noop
modcall: group accounting returns ok
radius_xlat:  '/usr/local/bin/exec-program-printenv.sh stop'	*the script in 
acct_users (files module) is only run here*
Exec-Program: /usr/local/bin/exec-program-printenv.sh stop
Sending Accounting-Response of id 116 to 127.0.0.1:1536
Finished request 5
Going to the next request
Cleaning up request 5 ID 116 with timestamp 3e4799f0
rl_next:  returning NULL
Waking up in 5 seconds...
rl_next:  returning NULL
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 110 with timestamp 3e4799ef
Nothing to do.  Sleeping until we see a request.


I use freeradius-snapshot-20030203 on linux/debian,

Thanks in advance,

@+
--
DouRiX
 ["You're bound to be unhappy if you optimize everything." -- Donald E. 
Knuth]





Re: Freeradius + pppd

2003-02-10 Thread Puchkov S.N.
try portslave on sourceforge %)
it's really cool !!!
radius+cbcp

Luca Grossi wrote:

> Thanks very muchly ! :)
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Miquel van
> Smoorenburg
> Sent: Monday, February 10, 2003 11:03 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius + pppd
>
> In article <007a01c2d0f3$a09b2e30$020a@stuido>,
> Luca Grossi <[EMAIL PROTECTED]> wrote:
> >Hello everyone!,
> >Could someone please explain to me, how to go about patch for pppd to
> >support authentification through RADIUS.
> >I've been looking around , people just start suggesting to use portslave
> >Why would that been ? 
>
> I entered "pppd radius" in Google and one of the first hits was
> http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/
> which appears to be exactly what you want.
>
> >linux:/usr/src/linux # patch -p1 <
> >ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch
> >patching file Makefile
>
> Why are you trying to apply a patch for pppd to the Linux kernel?
> That doesn't make any sense.
>
> Mike.
 






Re: [q] Cisco-Disconnect-Cause

2003-02-10 Thread 3APA3A
Dear Andrey Kotrekhov,

This is Cisco, not FreeRADIUS question.

--Monday, February 10, 2003, 3:14:23 PM, you wrote to 
[EMAIL PROTECTED]:

AK> Hi, All!

AK> I see cisco NAS send to freeradius
AK> Cisco-AVPair with disconnect cause like this:
AK> Cisco-AVPair = "disc-cause-ext=1102"

AK> But not send Cisco-Disconnect-Cause pair.

AK> IOS version 12.2
AK> Is it possible to configure the NAS to send me the Cisco-Disconnect-Cause pair?
AK> And how?

AK> __
AK> Andrey.





-- 
~/ZARAZA
While you are in the hands of providence, you will not manage to die before your time. (Twain)





[q] Cisco-Disconnect-Cause

2003-02-10 Thread Andrey Kotrekhov
Hi, All!

I see cisco NAS send to freeradius
Cisco-AVPair with disconnect cause like this:
Cisco-AVPair = "disc-cause-ext=1102"

But not send Cisco-Disconnect-Cause pair.

IOS version 12.2
Is it possible to configure the NAS to send me the Cisco-Disconnect-Cause pair?
And how?

__
Andrey.





RE: Freeradius + pppd

2003-02-10 Thread Luca Grossi
Thanks very muchly ! :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Miquel van
Smoorenburg
Sent: Monday, February 10, 2003 11:03 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + pppd

In article <007a01c2d0f3$a09b2e30$020a@stuido>,
Luca Grossi <[EMAIL PROTECTED]> wrote:
>Hello everyone!,
>Could someone please explain to me, how to go about patch for pppd to
>support authentification through RADIUS.
>I've been looking around , people just start suggesting to use portslave
>Why would that been ? 

I entered "pppd radius" in Google and one of the first hits was
http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/
which appears to be exactly what you want.

>linux:/usr/src/linux # patch -p1 <
>ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch
>patching file Makefile

Why are you trying to apply a patch for pppd to the Linux kernel?
That doesn't make any sense.

Mike.
-- 
Anyone who is capable of getting themselves made President should
on no account be allowed to do the job -- Douglas Adams.





Re: Freeradius + pppd

2003-02-10 Thread Miquel van Smoorenburg
In article <007a01c2d0f3$a09b2e30$020a@stuido>,
Luca Grossi <[EMAIL PROTECTED]> wrote:
>Hello everyone!,
>Could someone please explain to me, how to go about patch for pppd to
>support authentification through RADIUS.
>I've been looking around , people just start suggesting to use portslave
>Why would that been ? 

I entered "pppd radius" in Google and one of the first hits was
http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/
which appears to be exactly what you want.

>linux:/usr/src/linux # patch -p1 <
>ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch
>patching file Makefile

Why are you trying to apply a patch for pppd to the Linux kernel?
That doesn't make any sense.

Mike.
-- 
Anyone who is capable of getting themselves made President should
on no account be allowed to do the job -- Douglas Adams.





FR and MySQL notes updated...

2003-02-10 Thread Scott Bartlett
Dear All,

Consider it a miracle, or just me getting off my posterior long enough
to do it, but my 'infamous' notes on how to do get FreeRadius and MySQL
working have been updated (well, at least put into a slightly better
semblance of order with the major out-of-date gaffs removed) at
http://www.frontios.com/freeradius.html

Enjoy...

SB








Not all attributes transmitted

2003-02-10 Thread Weeber, Burkhard
Hello list,

I am just trying to update my well running version 0.3 to 0.8.1 but I am
stuck with a problem.
A Bintec Brick X.4100 is only getting the first "Framed-Route" entry of
its default "dialout-X" user.
On 0.3 all of the "Framed-Route" attributes are sent to the NAS so it
can set up its routing table, but on 0.8.1 only the first is
transmitted.

A bug or a feature in 0.8.1 ?

Any help very welcome 

Kind regards

Burkhard Weeber
viastore systems GmbH
P/O Box 300668
D-70446 Stuttgart
Tel: +49-711-9818-0
Email: [EMAIL PROTECTED]

Disclaimer:
The opinions expressed herein are my personal points of view and do not
represent those of my employer.

Windows95:  n.
32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit
operating system originally coded for a 4 bit microprocessor, written by
a 2 bit company, that can't stand 1 bit of competition.





Re: Sendmail and freeradius

2003-02-10 Thread Jason Clifford
On Sun, 9 Feb 2003, Robert Canary wrote:

> Has anyone successfully used freeradius (or any radius) to authenticate user
> for sendmail while maintaining all the /.forward functions?

I am not sure I understand what you really want.

What particular aspect of your email system do you want to have 
authenticated via RADIUS?

Is it to determine which IP addresses are authorised to relay mail?

Is it to determine whether a POP/IMAP login is valid?

To determine a list of valid local users?

> Is there a pam module one could use on the mail server that would talk
> to the radius server on another server?

Yes for simple user authentication there is a PAM module on the freeradius 
site that works very well.

Jason Clifford
-- 
UKPOST.COM get your @ukpost.com address now...
http://www.ukpost.com/ professional hosting and colocation





Re: client-ip.??

2003-02-10 Thread Leelen Pillay
Hi! Amit,

I have been looking at a similar situation, how I have
seen this done previously with a Dial-up on the Access
Server the accounting information is passed, which
generally have the msisdn; Although for GPRS which I
am currently working on I am initially going to use a
username which then becomes my NAI and
authentication is done using this...

I have looked at solutions which we intend to deploy
later, but to get the msisdn from the SGSN CDR's and
correlate that real-time with a session ID possible
but too much work for our current infrastructure

ThanX

LEelen<[EMAIL PROTECTED]>


--- amit sehgal <[EMAIL PROTECTED]> wrote:
> Hii list,
>   I am new to freeradius. I am basically using it to
> get the msisdn (cli) of the message sender in  a 
> WAP environment, as my WAP gateway does not support
> cli. However for mapping the msisdn, i also need the
> dynamic ip assigned to client phone on a gprs
> network. 
> I am able to catch the msisdn, but i am getting only
> the ip of my NAS instead of the original client ip
> (mobile phone's ip). Can you please tell me how to
> get that? Any configuration to be done or the
> attribute/parameter i need to access in order to get
> the client-ip. appreciate your help.
> 
> Thanx in advance.
> 
> best regards
> amit sehgal
> 





Freeradius + pppd

2003-02-10 Thread Luca Grossi

Hello everyone!,
Could someone please explain to me how to go about patching pppd to
support authentication through RADIUS.
I've been looking around, people just start suggesting to use portslave

Why would that be?


---
linux:/usr/src/linux # patch -p1 < ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch
patching file Makefile
Reversed (or previously applied) patch detected!  Assume -R? [n] n
Apply anyway? [n] y
Hunk #1 FAILED at 1.
File Makefile is not empty after patch, as expected
1 out of 1 hunk FAILED -- saving rejects to file Makefile.rej
can't find file to patch at input line 63
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|diff -urN ppp-2.4.1b2-mschap2-mppe/etc.ppp/chap-secrets ppp-2.4.1b2-radius-v2.0c/etc.ppp/chap-secrets
|--- ppp-2.4.1b2-mschap2-mppe/etc.ppp/chap-secrets  Fri Jun 23 03:49:28 1995
|+++ ppp-2.4.1b2-radius-v2.0c/etc.ppp/chap-secrets  Wed Jun  5 10:53:16 2002
--
File to patch: 



I don't understand what it's saying if I run this command "patch -p1 <
ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch". Is this the right patch?
What's it mean when it asks me "File to patch"?

Thanks in advance :)
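
The transcript above shows `patch -p1` finding a `Makefile` in the current directory but not `etc.ppp/chap-secrets`, and patch itself asks whether the wrong `-p` was used. The shell functions below are an added example, not part of the original thread: they count how many of a patch's target files exist in a directory at a given strip level, without applying anything. The function names and the sample tree and patch are constructed for illustration; only the directory names in the diff headers come from the post.

```shell
# Added example: count how many of a patch's target files exist in a
# directory at a given -pN strip level, without applying the patch.

# Print the "+++" path of each "---"/"+++" header pair (no spaces in paths).
patch_targets() {
    awk 'substr($0, 1, 4) == "--- " { hdr = 1; next }
         hdr && substr($0, 1, 4) == "+++ " && $2 != "/dev/null" { print $2 }
         { hdr = 0 }' "$1"
}

# Remove N leading path components; fail if the path has fewer than N.
strip_components() {
    p=$1; n=$2
    while [ "$n" -gt 0 ]; do
        case $p in
            */*) p=${p#*/} ;;
            *)   return 1 ;;
        esac
        n=$((n - 1))
    done
    printf '%s\n' "$p"
}

# resolved_at PATCHFILE DIR N -> prints "found/total"
resolved_at() {
    found=0; total=0
    for t in $(patch_targets "$1"); do
        total=$((total + 1))
        if rel=$(strip_components "$t" "$3") && [ -f "$2/$rel" ]; then found=$((found + 1)); fi
    done
    echo "$found/$total"
}

# Constructed sample: a two-file patch using the directory names from the
# post, a ppp source tree, and an unrelated tree that also has a Makefile.
make_sample() {
    w=$(mktemp -d) || return 1
    mkdir -p "$w/ppp-2.4.1b2/etc.ppp" "$w/linux"
    : > "$w/ppp-2.4.1b2/Makefile"; : > "$w/ppp-2.4.1b2/etc.ppp/chap-secrets"
    : > "$w/linux/Makefile"
    for f in Makefile etc.ppp/chap-secrets; do
        printf '%s\n' "--- ppp-2.4.1b2-mschap2-mppe/$f  (old)" \
            "+++ ppp-2.4.1b2-radius-v2.0c/$f  (new)" "@@ -1 +1 @@" "-old" "+new"
    done > "$w/sample.patch"
    echo "$w"
}

d=$(make_sample)
echo "ppp source tree, -p1: $(resolved_at "$d/sample.patch" "$d/ppp-2.4.1b2" 1)"
echo "unrelated tree,  -p1: $(resolved_at "$d/sample.patch" "$d/linux" 1)"
rm -rf "$d"
```

In the constructed sample, the ppp tree resolves both targets at `-p1`, while the unrelated tree resolves only its own `Makefile`.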










Re: Sendmail and freeradius

2003-02-10 Thread Simon White
10-Feb-03 at 13:40, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
> Simon White wrote:
> >>>09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> >>>>Has any successfully used freeradius (or any radius) to authenticate user
> >>>>for sendmail while maintaining all the /.forward functions?
> >>>>
> >>>>Is there a pam module one could use on the mail server that would talk
> >>>>to the radius server on another server?
> >>>
> >>>You can get PAM to authenticate via Radius.
> >>>
> >>>Why do you want radius to authenticate for sendmail? Sounds a bit
> >>>convoluted to me.
> >>>
> >>>What problem are you actually trying to solve here?
> >
> we talk about using .forward in users deer %)

Well radius isn't going to help you there. Radius has nothing to do with
that. Try asking a mailing list for your MTA...

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Men never do evil so completely and cheerfully as when they do it from
religious conviction.  -- Blaise Pascal
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]




Counters question

2003-02-10 Thread Keith Ballard



Hi all,

I am using counters with the reset time set to 'never'.

Just wondered, if I did want to reset a particular counter for any reason, is it possible to do it (and how)?

regards,
Keith


Re: Sendmail and freeradius

2003-02-10 Thread Puchkov S.N.


Simon White wrote:

> > Simon White wrote:
> > > 09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> > > > Has any successfully used freeradius (or any radius) to authenticate user
> > > > for sendmail while maintaining all the /.forward functions?
> > > >
> > > > Is there a pam module one could use on the mail server that would talk
> > > > to the radius server on another server?
> > >
> > > You can get PAM to authenticate via Radius.
> > >
> > > Why do you want radius to authenticate for sendmail? Sounds a bit
> > > convoluted to me.
> > >
> > > What problem are you actually trying to solve here?
> >
> > 10-Feb-03 at 12:17, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
> > if i am not mistaken it's impossible to do this. :(
> > you can authorize users but
> > radius can't send user home dir :(
>
> That's what LDAP is for, radius is really for NASes to authenticate
> dialup users / wireless users. Radius can read from LDAP for
> username/password attributes if you want a central authentication
> database...

we talk about using .forward in users deer %)






Re: Sendmail and freeradius

2003-02-10 Thread Simon White
 
> Simon White wrote:
> >09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> >
> >>Has any successfully used freeradius (or any radius) to authenticate user
> >>for sendmail while maintaining all the /.forward functions?
> >>
> >>Is there a pam module one could use on the mail server that would talk
> >>to the radius server on another server?
> >
> >You can get PAM to authenticate via Radius.
> >
> >Why do you want radius to authenticate for sendmail? Sounds a bit
> >convoluted to me.
> >
> >What problem are you actually trying to solve here?

>10-Feb-03 at 12:17, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
> if i am not mistaken it's impossible to do this. :(
> you can authorize users but
> radius can't send user home dir :(

That's what LDAP is for, radius is really for NASes to authenticate
dialup users / wireless users. Radius can read from LDAP for
username/password attributes if you want a central authentication
database...

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
It's amazing how some people can put their foot in their mouth with their
head so far up their ass.
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]




Re: unsubscribed

2003-02-10 Thread Miquel van Smoorenburg
In article ,
leaobicalho <[EMAIL PROTECTED]> wrote:
>please remove me from the list, I unsubscribed this 
>morning but I am
>still receiving emails

You did not unsubscribe. Your account is still active:

# cd /var/lib/mailman/bin 
# ./find_member bol.com.br
[EMAIL PROTECTED] found in:
 freeradius-users

Please follow the directions at the end of this (and every) mail
to the list.

Mike.
-- 
Anyone who is capable of getting themselves made President should
on no account be allowed to do the job -- Douglas Adams.





Re: Sendmail and freeradius

2003-02-10 Thread Puchkov S.N.
if i am not mistaken it's impossible to do this. :(
you can authorize users but
radius can't send user home dir :(

Simon White wrote:

> 09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> > Has any successfully used freeradius (or any radius) to authenticate user
> > for sendmail while maintaining all the /.forward functions?
> >
> > Is there a pam module one could use on the mail server that would talk
> > to the radius server on another server?
>
> You can get PAM to authenticate via Radius.
>
> Why do you want radius to authenticate for sendmail? Sounds a bit
> convoluted to me.
>
> What problem are you actually trying to solve here?






Re: Sendmail and freeradius

2003-02-10 Thread Simon White
09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> Has any successfully used freeradius (or any radius) to authenticate user
> for sendmail while maintaining all the /.forward functions?
> 
> Is there a pam module one could use on the mail server that would talk
> to the radius server on another server?

You can get PAM to authenticate via Radius.

Why do you want radius to authenticate for sendmail? Sounds a bit
convoluted to me.

What problem are you actually trying to solve here?

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
It is impossible to sharpen a pencil with a blunt axe. It is equally vain
to try to do it with ten blunt axes instead.  -- E. W. Dijkstra
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
