RE: Compiling FreeRadius for oracle support?
Just link with the oracle library. The oracle module (last time I checked) was either written in OCI calls directly, or was written in Pro*c and had already been pre-compiled. Just make sure you have included rlm_oracle in the build and have the oralib in one of the lib directories.

Tim

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Ryan
> Castellucci
> Sent: Monday, February 10, 2003 6:59 PM
> To: [EMAIL PROTECTED]
> Subject: Compiling FreeRadius for oracle support?
>
> Hi, I need to compile FreeRadius 0.8.1 on Redhat 7.3 with oracle
> support. I've installed the oracle 9i linux developers software, where
> do I go from here?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Compiling FreeRadius for oracle support?
Hi, I need to compile FreeRadius 0.8.1 on Redhat 7.3 with oracle support. I've installed the oracle 9i linux developers software, where do I go from here? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius + unixodbc + freetds
Hello all:

I have the following setup:

BSDi 4.3
freeradius 0.8.1
freetds 0.61
unixodbc 2.2.4

I am able to connect to my MSSQL2000 server with the isql utility with no problems. All modules compile and link under freeradius. But rlm_sql_unixodbc will not connect to the DB. I get the following from radiusd -X

rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Ignoring unconnected handle
rlm_sql (sql): Ignoring unconnected handle
rlm_sql (sql): Ignoring unconnected handle
rlm_sql (sql): Ignoring unconnected handle
rlm_sql (sql): Ignoring unconnected handle
rlm_sql (sql): There are no DB handles to use!

and when starting radius I get:

rlm_sql (sql): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded and linked
rlm_sql (sql): Attempting to connect to sa@RADIUS:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #0
rlm_sql_unixodbc: Connection failed
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4

I am completely out of ideas. I get no connectivity via freeradius but all the other levels work (unixodbc->freetds)

Any ideas

Ross Reed
Reloading configuration files -> radiusd hangs
I’m using freeradius 0.8. This morning I changed my authentication mechanism from using the passwd, shadow and raddb/user files to using ldap. Everything works fine except that both of my radius servers have locked up trying to reload the configuration files. The cpu goes to 100% and the radiusd process stays in memory but no one can authenticate. The last message in the radius.log file is “Info: Reloading configuration files.” Radius remains in this state until I kill -9 the process (just killing it won’t get rid of the process) and restart radiusd. This has happened once to one server and twice to another in about the last 5 hours.

Any ideas what might be causing this problem? All I have done is taken unix authentication out of the radiusd.config file and replaced it with ldap authentication. I left unix accounting in for the radwtmp info and disabled caching in the unix module.

I wonder why radius is trying to reload its configuration file in the first place. And, secondly, what would cause it to hang in the process of trying to reload the config file?

Thanks,
Mike
Re: Security issue; non case sensitivity in MySql
Well I changed the sql query to be case sensitive. That has stopped the problem, however, I can't find anything in the portslave config to cause it to drop the "R". I am moving this thread to the portslave list.

Thanks for everyone's input.

Alan DeKok wrote:
>
> Robert Canary <[EMAIL PROTECTED]> wrote:
> > Now here is the odd thing I noticed. PPPD logs the user as
> > "Rcanary" as being logged on, However, utmps and privileges the user as
> > "canary".
>
> Then either PPPd or the RADIUS server is stripping off the leading
> 'R'.
>
> The server doesn't do it unless you edited the configs, so I would
> guess PPPd.
>
> Alan DeKok.
Re: ScanMail Message: To Recipient Match eManager setting and takeaction.
Well Alan

In fact it is not a Spam filter in our site... We do use RAV :) not Trend ...

Seems like somebody is bouncing to the list and masking the sender as @domain.com where domain.com is the domain of the recipients in the list...

Rgds

On Mon, 2003-02-10 at 10:08, Alan DeKok wrote:
> Gustavo Lozano <[EMAIL PROTECTED]> wrote:
> > Uh?
> >
> > [EMAIL PROTECTED]?
> >
> > Why the heck is an email coming from our Domain?
>
> You have a broken spam filter installed. It sees the spam from the
> list, and then bounces an error message back to the list.
>
> It should NOT send any notification about the spam. It should just
> throw the spam away.
>
> Alan DeKok.

--
Gustavo A. Lozano Noldata Corporation [EMAIL PROTECTED]
Calle 46 No. 40-19 CTO Bogota D.C. Colombia
Noldata Corporation http://noldata.com

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. Albert Einstein
Re: Security issue; non case sensitivity in MySql
On Mon, Feb 10, 2003 at 10:19:22AM -0600, Robert Canary wrote:
> When mysql is queried for that password against that username (regardless
> of case) it returns a match because MySql isn't case sensitive. That's
> something which should be boldly noted in the docs.

Not necessarily. "MySql isn't case sensitive" because that's how you've configured it by choosing particular field types that are case-insensitive...

Search the mysql manual for "case insensitive by default"

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Portslave-users] Security issue; non case sensitivity in MySql
On Sun, 9 Feb 2003 19:55, Robert Canary wrote:
> Let's say I have a username of "rcanary". The account is created on the
> radius (MySql DB) as UserName=rcanary
>
> Now let's say I try to dialin (using portslave here in this case). I
> mistype the username as *R*canary instead of *r*canary.
> The RAS is case sensitive. However, radius is allowing the Rcanary and
> rcanary. This results with the user being logged in as "canary" because
> portslave will drop the "R".

I can't reproduce this. Portslave only drops the first character if it is one of 'P', 'C', 'S', 'L', or '!'.

> If I have two usernames which differ only by the first letter (rcanary
> and canary) if rcanary user logs in with a capital letter then they will
> be granted access to the other users files.

If the two users have the same password then this sort of thing can happen. How can it happen otherwise?

Anyway is anyone using this feature? Maybe it would be generally less confusing if I just removed the feature of using prefixes and suffixes for indicating service type and just let this be handled by the RADIUS server.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Re: cisco_vsa_hack (rlm_preprocess)
Thomas Jalsovsky <[EMAIL PROTECTED]> wrote:
> I sent many times the SAME feature to the list, but project
> leaders (or leader, I can't remember) said, we should make a general
> architecture for this type of hacks and not do with rlm_preprocess.

That's true, but it looks like the general architecture is a long way away.

> So it is not in the CVS (but It should from a long time...).

I've added it to my list of "patches to add".

Alan DeKok.
Re: Security issue; non case sensitivity in MySql
Robert Canary <[EMAIL PROTECTED]> wrote:
> Now here is the odd thing I noticed. PPPD logs the user as
> "Rcanary" as being logged on, However, utmps and privileges the user as
> "canary".

Then either PPPd or the RADIUS server is stripping off the leading 'R'.

The server doesn't do it unless you edited the configs, so I would guess PPPd.

Alan DeKok.
Re: ScanMail Message: To Recipient Match eManager setting and take action.
Hi,

Quoting Gustavo Lozano <[EMAIL PROTECTED]>:
> Uh?
> [EMAIL PROTECTED]?
> Why the heck is an email coming from our Domain?

I also had [EMAIL PROTECTED] as recipient. Seems this one's yet another screwed up Windows/Exchange Trend Micro content filter.

Don't bother.

Regards,
Emre

--
Emre Bastuz [EMAIL PROTECTED] http://www.emre.de
UIN: 561260 PGP Key ID: 0xAFAC77FD
Re: ScanMail Message: To Recipient Match eManager setting and take action.
Gustavo Lozano <[EMAIL PROTECTED]> wrote:
> Uh?
>
> [EMAIL PROTECTED]?
>
> Why the heck is an email coming from our Domain?

You have a broken spam filter installed. It sees the spam from the list, and then bounces an error message back to the list.

It should NOT send any notification about the spam. It should just throw the spam away.

Alan DeKok.
Strange rlm_sql error
Hi,

I've been using version 0.6 with MySQL successfully but I'm getting something strange with version 0.8.1, here is the log information: (sorry about line length)

rad_recv: Access-Request packet from host 200.203.183.35:2455, id=119, length=60
    User-Name = "teste"
    User-Password = "abcde"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 0
Mon Feb 10 18:06:01 2003 : Debug: rad_lowerpair: User-Name now 'teste'
Mon Feb 10 18:06:01 2003 : Debug: rad_rmspace_pair: User-Name now 'teste'
Mon Feb 10 18:06:01 2003 : Debug: modcall: entering group authorize
Mon Feb 10 18:06:01 2003 : Debug: radius_xlat: 'teste'
Mon Feb 10 18:06:01 2003 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'teste'
Mon Feb 10 18:06:01 2003 : Debug: radius_xlat: 'SELECT gid,SUBSTRING(id,1,LOCATE('@',id,1)-1),'Crypt-Password' Attribute,crypt,op FROM users-bak WHERE SUBSTRING(id,1,LOCATE('@',id,1)-1) = 'teste' ORDER BY id'
Mon Feb 10 18:06:01 2003 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Mon Feb 10 18:06:01 2003 : Debug: rlm_sql_mysql: query: SELECT gid,SUBSTRING(id,1,LOCATE('@',id,1)-1),'Crypt-Password' Attribute,crypt,op FROM users-bak WHERE SUBSTRING(id,1,LOCATE('@',id,1)-1) = 'teste' ORDER BY id
Mon Feb 10 18:06:01 2003 : Debug: rlm_sql_mysql: MYSQL check_error: 1064 received
Mon Feb 10 18:06:01 2003 : Error: rlm_sql_getvpdata: database query error
Mon Feb 10 18:06:01 2003 : Error: rlm_sql (sql): SQL query error; rejecting user
Mon Feb 10 18:06:01 2003 : Debug: rlm_sql (sql): Released sql socket id: 4
Mon Feb 10 18:06:01 2003 : Debug: modcall[authorize]: module "sql" returns fail
Mon Feb 10 18:06:01 2003 : Debug: modcall: group authorize returns fail
Mon Feb 10 18:06:01 2003 : Debug: There was no response configured: rejecting request 0
Mon Feb 10 18:06:01 2003 : Debug: Server rejecting request 0.
Mon Feb 10 18:06:01 2003 : Debug: Finished request 0
Mon Feb 10 18:06:01 2003 : Debug: Going to the next request
Mon Feb 10 18:06:01 2003 : Debug: --- Walking the entire request list ---
Mon Feb 10 18:06:01 2003 : Debug: Waking up in 1 seconds...
Mon Feb 10 18:06:02 2003 : Debug: --- Walking the entire request list ---
Mon Feb 10 18:06:02 2003 : Debug: Waking up in 1 seconds...
Mon Feb 10 18:06:03 2003 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 119 to 200.203.183.35:2455

The table structure,

CREATE TABLE users-bak (
  cli_cod int(4) NOT NULL default '0',
  id varchar(128) NOT NULL default '',
  crypt varchar(128) NOT NULL default '',
  group varchar(64) NOT NULL default 'Mail',
  uid smallint(5) NOT NULL auto_increment,
  gid smallint(5) NOT NULL default '0',
  home varchar(128) NOT NULL default '/',
  domain varchar(255) NOT NULL default '',
  maildir varchar(255) NOT NULL default '',
  quota varchar(255) NOT NULL default '1000',
  imapok tinyint(3) NOT NULL default '1',
  op char(2) NOT NULL default '==',
  PRIMARY KEY (id,cli_cod),
  UNIQUE KEY id (id),
  UNIQUE KEY uid (uid)
) TYPE=MyISAM;

And a sample entry,

[ 1, 'teste@DIAL', '$1$-MD5-PASSWORD', 'Dial', 1, 1, '/, 'mydomain', '0', 0, '==' ]

Is there anything I can do to increase the level of verbosity so I can have a clue about what's going on?

Thanks in advance,

--
Giovanni P. Tirloni
http://www.tirloni.org
Re: ScanMail Message: To Recipient Match eManager setting and takeaction.
Uh?

[EMAIL PROTECTED]?

Why the heck is an email coming from our Domain?

On Mon, 2003-02-10 at 14:03, [EMAIL PROTECTED] wrote:
> eManager Notification *
>
> The following mail was blocked since it contains sensitive content.
>
> Source mailbox: [EMAIL PROTECTED]
> Destination mailbox(es): [EMAIL PROTECTED]
> Rule/Policy: Sexually Explicit
> Action: Quarantine to D:\Program Files\Trend\SMCF\Quarantine\2003-02-10\14-03-06.409
>
> Content filter has detected a sensitive e-mail.
>
> *** End of message *

--
Gustavo A. Lozano Noldata Corporation [EMAIL PROTECTED]
Calle 46 No. 40-19 CTO Bogota D.C. Colombia
Noldata Corporation http://noldata.com

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. Albert Einstein
0.8.1 Radmon
Attached is a little utility that we hacked to monitor and restart 0.8.1. My server would die...and then I'd get that late night horror-movie phone call. "we're all dead!!!" Some people were running a kill -9 cron and that still leaves a potentially dangerous period in between the cron interval whereby radius could crash. This can be tuned to be a bit more vigilant. radmon.py Description: Binary data
ScanMail Message: To Recipient Match eManager setting and take action.
eManager Notification * The following mail was blocked since it contains sensitive content. Source mailbox: [EMAIL PROTECTED] Destination mailbox(es): [EMAIL PROTECTED] Rule/Policy: Sexually Explicit Action: Quarantine to D:\Program Files\Trend\SMCF\Quarantine\2003-02-10\14-03-06.409 Content filter has detected a sensitive e-mail. *** End of message * - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Suffix not stripped when processing users file...
I have two different user groups (local & remote) and two different NAS devices (local & remote). I’ve setup the huntgroups file so that each NAS device will be assigned its Huntgroup-Name (either local or remote). I do not want users from the local group to authenticate on the remote NAS device and I do not want remote users to authenticate on the local NAS.

I put two entries near the top of my users file that read:

(line 95) DEFAULT Group == "remote", Huntgroup-Name == "local", Auth-Type := Reject
(line 96)     Reply-Message = "Call your service provider to activate local dialup!"
(line 97)
(line 98) DEFAULT Group == "local", Huntgroup-Name == "remote", Auth-Type := Reject
(line 99)     Reply-Message = "Call your service provider to activate remote dialup!"

I have setup a realm with the following:

# Realm          Remote server [:port]    Options
# ---
mydomain.com     LOCAL

My huntgroups file looks like:

Local     NAS-IP-Address == 111.222.333.444
Remote    NAS-IP-Address == 444.333.222.111

The process is working perfectly if I login using ‘username’ without a suffix. When I use ‘[EMAIL PROTECTED]’ the lines in the users file appear to be ignored. I can login from both locations regardless of what group I am in. The suffix is being stripped properly for authentication, Simultaneous-Use and accounting purposes. Debug results are the same from both NAS devices except for origination addresses.

Here is a sample:

rad_recv: Access-Request packet from host 444.333.222.111:3012, id=91, length=70
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "mypasswd"
    Framed-Protocol = PPP
    Service-Type = Framed-User
modcall: entering group authorize
hints: Matched DEFAULT at 63
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm mydomain.com for User-Name = "username@mydomain"
rlm_realm: Found realm mydomain.com
rlm_realm: Setting Stripped-User-Name = "username"
rlm_realm: Proxying request from user username to realm mydomain.com
rlm_realm: Adding Realm = "mydomain.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns notfound
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
modcall[authorize]: module "counter" returns noop
users: Matched DEFAULT at 226
users: Matched DEFAULT at 249
users: Matched DEFAULT at 261
users: Matched username at 1
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
modcall: entering group session
radius_xlat: 'username'
modcall[session]: module "radutmp" returns ok
modcall: group session returns ok
Login OK: [username] (from client remote.mydomain.com port 0)
Sending Access-Accept of id 91 to 444.333.222.111:3012
    Session-Timeout = 28800
    Idle-Timeout = 900
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 1514
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP
Finished request 8
Going to the next request
--- Walking the entire request list ---

Any ideas would be welcomed.

D Friend
newbie questions...installed, authenticated, now what?
Hi All,

I've been asked to investigate the use of a Radius server as a means of authenticating users on our network. Namely wireless, but really, just broad user authentication. I've been reading up some of the documentation and have been following this list, and it has been helpful, although I'm hoping my Radius O'Reilly book will clear a lot of things up.

I've installed radius server on a linux box, and have done a basic apache authentication. So I guess my question is where do I go from here as far as user authentication? What I'd like to do is have a user authenticate, and then an ip address based on a successful authentication. Or possibly authenticate and being placed in a new vlan based on a successful authentication. Is this possible? I'm sure if it is, it's been done.

Any tips would be helpful!

Thanks
Matt
RE: Authentication against MySQL
>That is exactly what I had to do. All the docs say put it in
>radgroupreply. But it seems that it will not recognize it anywhere in
>the DB. I never did get a good answer, I think it something in the
>recent code, older versions seem to be fine. The only way I could make
>it work was to change it at the users file. So now I have no default
>System for local logins.

There was a thread on this a couple of days ago (which also finally prompted today's updating of the FR/MySQL notes at http://www.frontios.com/freeradius.html). Basically, auth-type should be a check item, not a reply item, and if FreeRadius doesn't get one it defaults to 'Local'. Search the list under the subject: "freeradius not reading Auth-Type from MySQL" for more...

Regards,
SB
Re: Authentication against MySQL
Well Rick,

That is exactly what I had to do. All the docs say put it in radgroupreply. But it seems that it will not recognize it anywhere in the DB. I never did get a good answer, I think it something in the recent code, older versions seem to be fine. The only way I could make it work was to change it at the users file. So now I have no default System for local logins.

> Rick Evans wrote:
>
> Hello,
>
> I am new to using Freeradius as well as to the list so I apologize for
> any ignorant statements.
>
> I am using Freeradius + MySQL and up until a few minutes ago, I could
> get a user 'test' to authenticate against the Radius server as long as
> the user was entered into the system, however not if the user was in the
> Radius database (MySQL).
>
> I was getting the same errors about "DEFAULT Auth-Type := System" and
> it would reject the username/password combination. I have setup in the
> radgroupreply table, a field entry setting the Auth-Type to Local. I
> also setup in the radgroupcheck table the same type of entry based on a
> previous read message. I would still get the same errors when running
> the Radius server in its 'debugging' mode.
>
> I just recently modified the 'users' file and changed the Default
> Auth-Type to 'Local' instead of 'System' and it started working. Is this
> the correct location to specify this attribute or is there a cleaner way
> of setting it?
>
> Thank you for all of your help and suggestions.
>
> Rick Evans
Authentication against MySQL
Hello,

I am new to using Freeradius as well as to the list so I apologize for any ignorant statements.

I am using Freeradius + MySQL and up until a few minutes ago, I could get a user 'test' to authenticate against the Radius server as long as the user was entered into the system, however not if the user was in the Radius database (MySQL).

I was getting the same errors about "DEFAULT Auth-Type := System" and it would reject the username/password combination. I have setup in the radgroupreply table, a field entry setting the Auth-Type to Local. I also setup in the radgroupcheck table the same type of entry based on a previous read message. I would still get the same errors when running the Radius server in its 'debugging' mode.

I just recently modified the 'users' file and changed the Default Auth-Type to 'Local' instead of 'System' and it started working. Is this the correct location to specify this attribute or is there a cleaner way of setting it?

Thank you for all of your help and suggestions.

Rick Evans
Re: Security issue; non case sensitivity in MySql
When mysql is queried for that password against that username (regardless of case) it returns a match because MySql isn't case sensitive. That's something which should be boldly noted in the docs.

Now here is the odd thing I noticed. PPPD logs the user as "Rcanary" as being logged on, However, utmps and privileges the user as "canary". I can't get enough debug logging going on the portslave machine to see what's happening.

If radius is told not to strip the "R" we still have a tiny problem with the mysql circumventing case sensitivity. (well more like something one needs to be aware of). However, MySql will do a STRCMP (String Compare). So I went into the sql.conf file to change the query strings. However, I found that the author had already included the case sensitive query, but it was commented-out.

Alan DeKok wrote:
>
> Robert Canary <[EMAIL PROTECTED]> wrote:
> > Now let's say I try to dialin (using portslave here in this case). I
> > mistype the username as *R*canary instead of *r*canary.
> > The RAS is case sensitive. However, radius is allowing the Rcanary and
> > rcanary.
>
> So run the server in debugging mode, to see which parts of which
> configuration files are being used... look at those configuration
> files to see what's going on.
>
> Incidentally, the user name comparison in the 'users' file and in
> rlm_sql is case sensitive.
>
> > This results with the user being logged in as "canary" because
> > portslave will drop the "R".
>
> So configure portslave to NOT drop the "R"...
>
> > If I have two usernames which differ only by the first letter (rcanary
> > and canary) if rcanary user logs in with a capital letter then they will
> > be granted access to the other users files.
>
> So fix your configuration to not do that...
>
> > Other than trying to control username similarity when usernames are
> > created, anyone have an idea how to control this?
> >
> > PS. Since this involves PortSlave and freeradius and a security
> > problem. I double posted this on both mailing lists.
>
> You've either misconfigured portslave, or radiusd.
>
> Alan DeKok.
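The case-insensitive username match discussed in this thread (Jason Haar's point about field types, and the case-sensitive query Robert Canary switched to), shown as an added MySQL example that is not taken from the posters or from FreeRADIUS's own sql.conf. The table `radcheck_demo`, its rows and the utf8mb4 collation names are assumptions made for the illustration.

```sql
-- Added example: constructed table and rows, not FreeRADIUS's shipped schema.
-- Assumes a MySQL server and client session that support utf8mb4.
SET NAMES utf8mb4;

DROP TABLE IF EXISTS radcheck_demo;
CREATE TABLE radcheck_demo (
    id        INT UNSIGNED NOT NULL AUTO_INCREMENT,
    UserName  VARCHAR(64)  NOT NULL,
    Attribute VARCHAR(32)  NOT NULL,
    op        CHAR(2)      NOT NULL DEFAULT '==',
    Value     VARCHAR(253) NOT NULL,
    PRIMARY KEY (id),
    KEY UserName (UserName)
) DEFAULT CHARSET = utf8mb4
  COLLATE = utf8mb4_general_ci;   -- "_ci" collations compare without regard to case

-- Constructed accounts matching the thread's scenario (placeholder hashes).
INSERT INTO radcheck_demo (UserName, Attribute, op, Value) VALUES
    ('rcanary', 'Crypt-Password', ':=', '<constructed-hash-1>'),
    ('canary',  'Crypt-Password', ':=', '<constructed-hash-2>');

-- 1. The behaviour reported in the thread.
--    The column's collation decides how "=" compares strings. With a _ci
--    collation the mistyped login "Rcanary" selects the row stored as
--    "rcanary", so the password check runs against that account.
SELECT id, UserName, Attribute, Value, op
FROM   radcheck_demo
WHERE  UserName = 'Rcanary'
ORDER  BY id;

-- 2. Audit before changing anything: list stored names that differ only
--    by case. Once comparison becomes case-sensitive these turn into
--    separate identities, so they should be resolved first.
SELECT LOWER(UserName)                              AS folded_name,
       COUNT(DISTINCT UserName COLLATE utf8mb4_bin) AS case_variants
FROM   radcheck_demo
GROUP  BY LOWER(UserName)
HAVING case_variants > 1;

-- 3. Query-level fix: force a binary (byte-for-byte) comparison.
--    The first predicate still lets the optimizer use the UserName index;
--    the second one filters out rows that only matched case-insensitively.
SELECT id, UserName, Attribute, Value, op
FROM   radcheck_demo
WHERE  UserName = 'Rcanary'
  AND  UserName COLLATE utf8mb4_bin = 'Rcanary'
ORDER  BY id;

-- 4. Schema-level fix: make the column itself case-sensitive, so every
--    query against it (including ones nobody remembered to patch) compares
--    exactly. This is the "field type" choice Jason Haar refers to.
ALTER TABLE radcheck_demo
    MODIFY UserName VARCHAR(64)
           CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL;

-- The same plain query as in step 1 now compares case-sensitively.
SELECT id, UserName, Attribute, Value, op
FROM   radcheck_demo
WHERE  UserName = 'Rcanary'
ORDER  BY id;
```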
Re: Newbie, authenticate MAC address
CoyoteTM wrote:
> Hello list members !
> I am really newbie...
>
> 0. First of all, plz point me the best how-to available on the net,
> about freeradius. I want to use it with mysql.

The doc directory and the comments in the various configuration files are your best bet. Try google for information on using MySQL. There are a couple of sites out there.

> 1. Can I use the same radius server to authenticate dial-up users (from
> CISCO), authenticate wireless devices based on MAC address, gather VOIP
> accounting information (from CISCO) ? And store all this in mysql.

Yes, one RADIUS server can be used with several different NAS devices.

> 2. How to authenticate on MAC address ? There are no passwords, and user
> names. Basic concept ?

For a Cisco device, the user name and password are the same. They are the MAC address in lowercase with no punctuation. Try something like:

Auth-Type := Local, User-Password == ""

Where is the MAC address of the client/user.

> 3. How accurate is this kind of accounting ? What if a "session end"
> message is lost. Or what is the situation if a user is always on-line ?
> There is some kind of timeout when accounting data is written out to
> database ?

--
Aron J. Silverton
Senior Staff Research Engineer
Motorola Laboratories, Networks and Infrastructure Research
Motorola, Inc.
Telephone: 847-576-8747 Fax: 847-576-3240
mailto: [EMAIL PROTECTED]
Annoying 'stop packet with zero session length' messages
Hi,

a little problem (not real bad, but...): my logs are cluttered with messages like this ->

Mon Feb 10 16:43:57 2003 : Error: rlm_sql: Stop packet with zero session length. (user 'xxx', nas '194.79.150.5')

From a search in this mailing-list archives, I found that these are spurious accounting-stop messages that are phased out by the rlm_sql module. In my case, this /seems/ to be caused by ISDN routers who try to use Multilink PPP, but are stopped by the RADIUS (Port-Limit = 1).

Can I just comment out the two lines that display them in rlm_sql.c? Or is there a use for these messages (other than finding all the people with badly configured routers)?

Regards,
--
[ Jacques Caruso <[EMAIL PROTECTED]> PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43    PGP key: 0x41F5C63D ]
[ -+- Support bacteria! They're the only culture some people have. -+- ]
Re: acct_users : unclear running order ...
Alan DeKok wrote: DouRiX <[EMAIL PROTECTED]> wrote: I have a little strange (at least for me) behaviour on *when scripts in acct_users are run*. I am trying to use the Exec-Program on preacct inside acct_users with the simple config below : ... The 'Exec-Program' scripts are executed as the LAST THING before an accounting response is returned. Ok, It's good for me as I'd be able to directly work with the last saved accounting record, If you want a program to be executed immediately, grab the latest CVS snapshot, and see 'rlm_exec' I'll take a look, Thanks much, @+ -- DouRiX - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Not all attributes transmitted
RTFM, I need some holiday Thanks Alan, With += it works. Burkhard > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of > Alan DeKok > Sent: Monday, February 10, 2003 10:47 AM > To: [EMAIL PROTECTED] > Subject: Re: Not all attributes transmitted > > > "Weeber, Burkhard" <[EMAIL PROTECTED]> wrote: > > I am just trying to update my well running version 0.3 to > 0.8.1 but I am > > stuck with a problem. > > A Bintec Brick X.4100 is only getting the firtst > "Framed-Route" entry of > > it's default "dialout-X" user. > > On 0.3 all of the "Framed-Route" attributes are sent to the > NAS so it > > can set up ist routing table, but on 0.8.1 only the first is > > transmitted. > > > > A bug or a feature in 0.8.1 ? > > It's a feature. Read the 'users' file 'man' page. > > Alan DeKok. > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Called-Station-Id Revisted
Greetings list-members.

I have a script that does some very simple if statements in the sh shell. My script exits 0 or 1 for good auth/bad auth; but FR (current cvs) authenticates my user regardless. I have "files" in the authorize and preacct stanzas of radiusd.conf. Here's a snippet of my radius in debug mode:

rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "LDAP2" returns ok
modcall: group redundant returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
users: Matched DEFAULT at 54
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat: '/usr/local/bin/radchecksignup.sh'
Exec-Program: /usr/local/bin/radchecksignup.sh
Exec-Program output:
Exec-Program: returned: 1
Login OK: [[EMAIL PROTECTED]] (from client localhost port 0)
Sending Access-Accept of id 78 to 127.0.0.1:4644

Is there something I am missing? Documentation suggests that users will not authenticate if Exec-Program-Wait exits non-zero.

--JST
Re: unable to test !
Nadeem Akhtar <[EMAIL PROTECTED]> wrote: > I've installed radius on a Redhat Linux m/c. It installed without any > problems and I even tested using radtest on localhost with Auth-Type set > to Local. Now, when I try to test it using radtest with Auth-Type set to > System, I run into problems. Here's a portion of the log : ... > rad_check_password: Found Auth-Type System > auth: type "System" > modcall: entering group authenticate > modcall[authenticate]: module "unix" returns notfound Is it really that hard to understand that message? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS response from incorrect interface
"John Gruber" <[EMAIL PROTECTED]> wrote: > Is that prophesy or cynicism?Not that you're wrong... we'd ask for > that. It's a strong opinion. Writing one RADIUS server is hard enough. Writing a RADIUS server with multiple personalities is even harder. If people want to return different attributes based on the NAS, then they can do that now. But allowing two *completely* different configurations inside of the RADIUS server makes misconfiguration and security leaks *much* more likely. For similar reasons, I'm opposed to adding a PHP module to the server. PHP is nice, but it has an *atrocious* security record. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: acct_users : unclear running order ...
DouRiX <[EMAIL PROTECTED]> wrote: > I have a little strange (at least for me) behaviour on *when scripts in > acct_users are run*. > > I am trying to use the Exec-Program on preacct inside acct_users with > the simple config below : ... The 'Exec-Program' scripts are executed as the LAST THING before an accounting response is returned. If you want a program to be executed immediately, grab the latest CVS snapshot, and see 'rlm_exec' Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
unable to test !
Hi,

I've installed radius on a Redhat Linux m/c. It installed without any problems and I even tested using radtest on localhost with Auth-Type set to Local. Now, when I try to test it using radtest with Auth-Type set to System, I run into problems. Here's a portion of the log:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32810, id=209, length=58
        User-Name = "ees1na"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
rlm_realm: No '@' in User-Name = "ees1na", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
modcall[authenticate]: module "unix" returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Login incorrect: [ees1na/test] (from client localhost port 0)

Can anyone please tell me what's going ? I've read the FAQs and searched the archives too but couldn't find much relevant info.

Regards,
Nadeem

--
Nadeem Akhtar
Centre for Comm. Systems Research
University of Surrey
Guildford, Surrey GU2 7XH
United Kingdom
Tel (CCSR) : 01483-683605
Re: Not all attributes transmitted
"Weeber, Burkhard" <[EMAIL PROTECTED]> wrote: > I am just trying to update my well running version 0.3 to 0.8.1 but I am > stuck with a problem. > A Bintec Brick X.4100 is only getting the firtst "Framed-Route" entry of > it's default "dialout-X" user. > On 0.3 all of the "Framed-Route" attributes are sent to the NAS so it > can set up ist routing table, but on 0.8.1 only the first is > transmitted. > > A bug or a feature in 0.8.1 ? It's a feature. Read the 'users' file 'man' page. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Counters question
"Keith Ballard" <[EMAIL PROTECTED]> wrote: > I am using counters with the reset time set to 'never'. > > Just wondered, if I did want to reset a particular counter for any reason, > is it possible to do it (and how)? Write a small utility, and post it to the list. We can add it to the rlm_counter module... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: porting mipsel platform problem
Jeffery <[EMAIL PROTECTED]> wrote:
> I use x86 host to cross compile mipsel-linux code. Will "configure"
> know that I will use mipsel-linux-gcc to compile freeradius not gcc?

If you use '--target', it's supposed to work. But I've never used it.

> As the result I run. It will guess my compiler is gcc, not
> mipsel-linux-gcc. So I think that maybe I should add --target
> parameter. But it also cannot find out my crosscompiler. How do you
> do that will make a Makefile that can use mipsel-linux-gcc to
> compile freeradius?

Edit it by hand. See 'Make.inc'

Alan DeKok.
RE: RADIUS response from incorrect interface
Is that prophecy or cynicism? Not that you're wrong... we'd ask for that.

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Alan DeKok
Sent: Monday, February 10, 2003 3:35 AM
To: [EMAIL PROTECTED]
Subject: Re: RADIUS response from incorrect interface

Jason Haar <[EMAIL PROTECTED]> wrote:
> On Sat, Feb 08, 2003 at 01:47:28PM +, Miquel van Smoorenburg wrote:
> >[...stuff on how complex it is to bind to >1 interface deleted]
>
> Why not just run two instances of radiusd - one on each address? They can
> point to the same auth system - just the logfiles have to be different...

I can understand people wanting the *same* radius server to listen on 2 interfaces, and respond correctly from those interfaces. Running one server which listens on 2 interfaces is a reasonable solution.

If that's implemented, then I'll bet the next request will be for the ability to run one server, which does different things, based on which interface received the request.

The response to that will be NO.

Alan DeKok.
Re: Security issue; non case sensitivity in MySql
Robert Canary <[EMAIL PROTECTED]> wrote:
> Now let's say I try to dialin (using portslave here in this case). I
> mistype the username as *R*canary instead of *r*canary.
> The RAS is case sensitive. However, radius is allowing the Rcanary and
> rcanary.

So run the server in debugging mode, to see which parts of which configuration files are being used... look at those configuration files to see what's going on.

Incidentally, the user name comparison in the 'users' file and in rlm_sql is case sensitive.

> This results with the user being logged in as "canary" because
> portslave will drop the "R".

So configure portslave to NOT drop the "R"...

> If I have two usernames which differ only by the first letter (rcanary
> and canary) if rcanary user logs in with a capital letter then they will
> be granted access to the other users files.

So fix your configuration to not do that...

> Other than trying to control username similarity when usernames are
> created, anyone have an idea how to control this?
>
> PS. Since this involves PortSlave and freeradius and a security
> problem. I double posted this on both mail-list.

You've either misconfigured portslave, or radiusd.

Alan DeKok.
Re: RADIUS response from incorrect interface
Jason Haar <[EMAIL PROTECTED]> wrote: > On Sat, Feb 08, 2003 at 01:47:28PM +, Miquel van Smoorenburg wrote: > >[...stuff on how complex it is to bind to >1 interface deleted] > > Why not just run two instances of radiusd - one on each address? They can > point to the same auth system - just the logfiles have to be different... I can understand people wanting the *same* radius server to listen on 2 interfaces, and respond correctly from those interfaces. Running one server which listens on 2 interfaces is a reasonable solution. If that's implemented, then I'll bet the next request will be for the ability to run one server, which does different things, based on which interface received the request. The response to that will be NO. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: cisco_vsa_hack (rlm_preprocess)
Hello, I sent many times the SAME feature to the list, but project leaders (or leader, I can't remember) said, we should make a general architecture for this type of hacks and not do with rlm_preprocess. So it is not in the CVS (but It should from a long time...). Perhaps you will have success :) I would like to see this improvement in FR. Regards, Thomas On Tue, 4 Feb 2003, Vladimir Kravchenko wrote: > > I offer to add functionality in the function "cisco_vsa_hack". > > Example value pair: > Cisco-AVPair = "h323-incoming-conf-id=cc0576cf 379011d7 95c8ef6a 9f419c36" > I can not will address to attribute h323-incoming-conf-id through macro > %{h323-incoming-conf-id} > Offer: if "h323-incoming-conf-id" exists in dictonary then replace > attribute & value. > > Example patch: > > oracle[jimson]:.../radiusd $ cat ../cisco_vsa_hack.patch > --- src/modules/rlm_preprocess/rlm_preprocess.c.origTue Feb 4 21:26:05 2003 > +++ src/modules/rlm_preprocess/rlm_preprocess.c Tue Feb 4 21:27:22 2003 > @@ -112,7 +112,9 @@ > { > int vendorpec, vendorcode; > char*ptr; > - charnewattr[MAX_STRING_LEN]; > + charnattr[MAX_STRING_LEN]; > + charnvalue[MAX_STRING_LEN]; > + DICT_ATTR *dattr; > > for ( ; vp != NULL; vp = vp->next) { > vendorcode = (vp->attribute >> 16); /* HACK! */ 
> @@ -123,16 +125,21 @@ > > if (vendorpec != 9) continue; /* not a Cisco VSA, continue */ > > - if ((vp->attribute & 0x) == 1) continue; /* Cisco-AVPair */ > - > /* > * We strip out the duplicity from the value field, > * we use only the value on the right side of = character. > */ > - if ((ptr = strchr(vp->strvalue, '=')) != NULL) { > - strNcpy(newattr, ptr + 1, sizeof(newattr)); > - strNcpy((char *)vp->strvalue, newattr, > - sizeof(vp->strvalue)); > + if (vp->type == PW_TYPE_STRING && (ptr = strchr(vp->strvalue, '=')) >!= NULL) { > + if ((vp->attribute & 0x) == 1) { > + /* Cisco-AVPair */ > + strNcpy(nattr, vp->strvalue, ptr - (char >*)vp->strvalue + 1); > + if ((dattr = dict_attrbyname(nattr)) != NULL && >dattr->type == PW_TYPE_STRING) { > + vp->attribute = dattr->attr; > + strNcpy(vp->name, dattr->name, >sizeof(vp->name)); > + } else continue; > + } > + strNcpy(nvalue, ptr + 1, sizeof(nvalue)); > + strNcpy((char *)vp->strvalue, nvalue, sizeof(vp->strvalue)); > vp->length = strlen((char *)vp->strvalue); > } > } > oracle[jimson]:.../radiusd $ > > Your opinion? > > P.S. To add check dattr vendor whether or not? :) > -- > Vladimir Kravchenko / PK Mostcom JSC / system engineer > Tel: +7 095 2312255 / UIN: 132038843 / Email: [EMAIL PROTECTED] > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
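Review bot: In the second hunk, the new Cisco-AVPair branch looks up whatever name precedes '=' with dict_attrbyname() and then overwrites vp->attribute and vp->name, checking only dattr->type == PW_TYPE_STRING, so a pair received from the NAS whose name matches any string attribute in the dictionary is rewritten into that attribute. The P.S. question should be answered yes: check that dattr belongs to vendor 9 (the value already tested by "if (vendorpec != 9) continue;") and skip the rewrite otherwise. Separately, strNcpy(nattr, vp->strvalue, ptr - (char *)vp->strvalue + 1) takes its length from the position of '=' in the received value instead of from sizeof(nattr); clamp it to sizeof(nattr) so the copy stays bounded even if the two buffers ever differ in size.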
Re: Freeradius + pppd
The actual cvs version of pppd contains a ppp-radius plugin, which -maybe- does what you want. Norbert Wegener Luca Grossi schrieb: Thanks very muchly ! :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Miquel van Smoorenburg Sent: Monday, February 10, 2003 11:03 PM To: [EMAIL PROTECTED] Subject: Re: Freeradius + pppd In article <007a01c2d0f3$a09b2e30$020a@stuido>, Luca Grossi <[EMAIL PROTECTED]> wrote: Hello everyone!, Could someone please explain to me, how to go about patch for pppd to support authentification throught RADIUS. I've been looking around , people just start suggesting to use portslave Why would that been ? I enterered "pppd radius" in Google and one of the first hits was http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/ which appears to be exactly what you want. linux:/usr/src/linux # patch -p1 < ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch patching file Makefile Why are you trying to apply a patch for pppd to the Linux kernel? That doesn't make any sense. Mike. -- Norbert Wegener Phone : (49) 201 2661 379 SBS Essen Fax:(49) 201 2661 377 Germany Mail: [EMAIL PROTECTED] http://relax.sbs.de (intranet) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [Portslave-users] Security issue; non case sensitivity in MySql
Hello Robert,

Sunday, February 9, 2003, 9:55:20 PM, you wrote:

RC> Let's say I have a username of "rcanary". The account is created on the
RC> radius (MySql DB) as UserName=rcanary
RC> Now let's say I try to dialin (using portslave here in this case). I
RC> mistype the username as *R*canary instead of *r*canary.
RC> The RAS is case sensitive. However, radius is allowing the Rcanary and
RC> rcanary. This results with the user being logged in as "canary" because
RC> portslave will drop the "R".

Look at the config of your radius server. I think it uses capital R as a hint for service type and then drops R. That is not an issue at all. That is a misconfiguration of your radius server.

--
Best regards,
Nicholas mailto:[EMAIL PROTECTED]
acct_users : unclear running order ...
Hello everybody,

I have a little strange (at least for me) behaviour on *when scripts in acct_users are run*.

I am trying to use the Exec-Program on preacct inside acct_users with the simple config below:

DEFAULT Acct-Status-Type == Start
        Exec-Program = "/usr/local/bin/exec-program-printenv.sh start"

DEFAULT Acct-Status-Type == Stop
        Exec-Program = "/usr/local/bin/exec-program-printenv.sh stop"

As test, I use a simple script which prints the environment variables into a file, and I am surprised that I already have the Acct-Unique-Session-Id attribute at this stage (preacct), while the acct_unique module (which should calculate this unique attribute) is called only at the accounting phase.

Actually, when I look at the freeradius debug logs (cf. below), I notice that my script is run only after the accounting module, after the message 'group accounting returns ok'.

So I wonder if this behaviour is normal or not ? Could someone bring me a light on this ?

-- in radiusd.conf --

# Pre-accounting. Look for proxy realm in order of realms, then
# acct_users file, then preprocess (hints file).
preacct {
        files
}

# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
        acct_unique
        sql
        #...
        radutmp
}

-- debug acct log --

...
modcall: entering group preacct
acct_users: Matched DEFAULT at 21
modcall[preacct]: module "files" returns ok *here module files returns ok*
modcall: group preacct returns ok
modcall: entering group accounting
rlm_acct_unique: Hashing 'Framed-IP-Address = 192.168.111.111,NAS-Port-Id = "52",NAS-IP-Address = 192.168.10.98,Acct-Session-Id = "AA95F700E10C",User-Name = "fifi"'
rlm_acct_unique: Acct-Unique-Session-ID = "17f2ce1f0270476c".
modcall[accounting]: module "acct_unique" returns ok
radius_xlat: '/var/log/radiusd-freeradius/radacct//detail'
rlm_detail: /var/log/radiusd-freeradius/radacct/%{Client-IP-Address}/detail expands to /var/log/radiusd-freeradius/radacct//detail
modcall[accounting]: module "detail" returns ok
modcall[accounting]: module "endless_counter" returns ok
modcall: entering group redundant
radius_xlat: 'fifi'
rlm_sql (sql): sql_set_user escaped user --> 'fifi'
radius_xlat: 'UPDATE radacct SET AcctStopTime = '2003-02-10 15:24:16', AcctSessionTime = '2574', AcctInputOctets = '998604', AcctOutputOctets = '135044', AcctTerminateCause = 'User-Request', AcctStopDelay = '0', ConnectInfo_stop = '', AcctMultiSessionId = 'AA95F700E10C', AscendDataRate = '', AscendXmitRate = '' WHERE AcctSessionId = 'AA95F700E10C' AND UserName = 'fifi' AND NASIPAddress = '192.168.10.98''
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
modcall[accounting]: module "sql" returns ok
modcall: group redundant returns ok
radius_xlat: '/var/log/radiusd-freeradius/radutmp'
radius_xlat: 'fifi'
modcall[accounting]: module "radutmp" returns noop
modcall: group accounting returns ok
radius_xlat: '/usr/local/bin/exec-program-printenv.sh stop' *the script in acct_users (files module) is only run here*
Exec-Program: /usr/local/bin/exec-program-printenv.sh stop
Sending Accounting-Response of id 116 to 127.0.0.1:1536
Finished request 5
Going to the next request
Cleaning up request 5 ID 116 with timestamp 3e4799f0
rl_next: returning NULL
Waking up in 5 seconds...
rl_next: returning NULL
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 110 with timestamp 3e4799ef
Nothing to do. Sleeping until we see a request.

I use freeradius-snapshot-20030203 on linux/debian,

Thanks in advance,
@+
--
DouRiX
["You're bound to be unhappy if you optimize everything." -- Donald E. Knuth]
Re: Freeradius + pppd
try portslave on sourseforge %) it's realy cool !!! radius+cbcp Luca Grossi wrote: Thanks very muchly ! :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Miquel van Smoorenburg Sent: Monday, February 10, 2003 11:03 PM To: [EMAIL PROTECTED] Subject: Re: Freeradius + pppd In article <007a01c2d0f3$a09b2e30$020a@stuido>, Luca Grossi <[EMAIL PROTECTED]> wrote: Hello everyone!, Could someone please explain to me, how to go about patch for pppd to support authentification throught RADIUS. I've been looking around , people just start suggesting to use portslave Why would that been ? I enterered "pppd radius" in Google and one of the first hits was http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/ which appears to be exactly what you want. linux:/usr/src/linux # patch -p1 < ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch patching file Makefile Why are you trying to apply a patch for pppd to the Linux kernel? That doesn't make any sense. Mike. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [q] Cisco-Disconnect-Cause
Dear Andrey Kotrekhov,

This is a Cisco, not a FreeRADIUS, question.

--Monday, February 10, 2003, 3:14:23 PM, you wrote to [EMAIL PROTECTED]:

AK> Hi, All!
AK> I see cisco NAS send to freeradius
AK> Cisco-AVPair with disconnect cause like this:
AK> Cisco-AVPair = "disc-cause-ext=1102"
AK> But not send Cisco-Disconnect-Cause pair.
AK> IOS version 12.2
AK> Is there possible configure NAS to send me Cisco-Disconnect-Cause pair?
AK> And how.
AK> __
AK> Andrey.

--
~/ZARAZA
While you are in the power of providence, you will not manage to die before your time. (Twain)
[q] Cisco-Disconnect-Cause
Hi, All! I see cisco NAS send to freeradius Cisco-AVPair with disconnect cause like this: Cisco-AVPair = "disc-cause-ext=1102" But not send Cisco-Disconnect-Cause pair. IOS version 12.2 Is there possible configure NAS to send me Cisco-Disconnect-Cause pair? And how. __ Andrey. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius + pppd
Thanks very muchly ! :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Miquel van Smoorenburg Sent: Monday, February 10, 2003 11:03 PM To: [EMAIL PROTECTED] Subject: Re: Freeradius + pppd In article <007a01c2d0f3$a09b2e30$020a@stuido>, Luca Grossi <[EMAIL PROTECTED]> wrote: >Hello everyone!, >Could someone please explain to me, how to go about patch for pppd to >support authentification throught RADIUS. >I've been looking around , people just start suggesting to use portslave >Why would that been ? I enterered "pppd radius" in Google and one of the first hits was http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/ which appears to be exactly what you want. >linux:/usr/src/linux # patch -p1 < >ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch >patching file Makefile Why are you trying to apply a patch for pppd to the Linux kernel? That doesn't make any sense. Mike. -- Anyone who is capable of getting themselves made President should on no account be allowed to do the job -- Douglas Adams. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + pppd
In article <007a01c2d0f3$a09b2e30$020a@stuido>, Luca Grossi <[EMAIL PROTECTED]> wrote: >Hello everyone!, >Could someone please explain to me, how to go about patch for pppd to >support authentification throught RADIUS. >I've been looking around , people just start suggesting to use portslave >Why would that been ? I enterered "pppd radius" in Google and one of the first hits was http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/ which appears to be exactly what you want. >linux:/usr/src/linux # patch -p1 < >ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch >patching file Makefile Why are you trying to apply a patch for pppd to the Linux kernel? That doesn't make any sense. Mike. -- Anyone who is capable of getting themselves made President should on no account be allowed to do the job -- Douglas Adams. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FR and MySQL notes updated...
Dear All, Consider it a miracle, or just me getting off my posterior long enough to do it, but my 'infamous' notes on how to do get FreeRadius and MySQL working have been updated (well, at least put into a slightly better semblance of order with the major out-of-date gaffs removed) at http://www.frontios.com/freeradius.html Enjoy... SB - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Not all attributes transmitted
Hello list,

I am just trying to update my well running version 0.3 to 0.8.1 but I am stuck with a problem. A Bintec Brick X.4100 is only getting the first "Framed-Route" entry of its default "dialout-X" user. On 0.3 all of the "Framed-Route" attributes are sent to the NAS so it can set up its routing table, but on 0.8.1 only the first is transmitted.

A bug or a feature in 0.8.1 ?

Any help very welcome

Kind regards
Burkhard Weeber
viastore systems GmbH
P/O Box 300668
D-70446 Stuttgart
Tel: +49-711-9818-0
Email: [EMAIL PROTECTED]

Disclaimer: The opinions expressed herein are my personal points of view and do not represent those of my employer.

Windows95: n. 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor, written by a 2 bit company, that can't stand 1 bit of competition.
Re: Sendmail and freeradius
On Sun, 9 Feb 2003, Robert Canary wrote: > Has any succesfully used freeradius (or any radius) to authenticate user > for sendmail while maintaining all the /.forward functions? I am not sure I understand what you really want. What particular aspect of your email system do you want to have authenticated via RADIUS? Is it to determine which IP addresses are authorised to relay mail? Is it to determine whether a POP/IMAP login is valid? To determine a list of valid local users? > Is there a pam module one could use on the mail server that would talk > to the radius server on another server? Yes for simple user authentication there is a PAM module on the freeradius site that works very well. Jason Clifford -- UKPOST.COM get your @ukpost.com address now... http://www.ukpost.com/ professional hosting and colocation - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: client-ip.??
Hi! Amit, I have been looking at a similar situation, how I have seen this done previously with a Dial-up on the Acess Server the accounting information is passed, which generally have the msisdn; Although for GPRS which I am currently working on I initially going to use a username which then becomes my NAIand authentication is done using this... I have looked at solutions which we intend to deply later, but to get the msisdn from the SGSN CDR's and correlate that real-time with a session IDpossible but too much work for our current infrastructure ThanX LEelen<[EMAIL PROTECTED]> --- amit sehgal <[EMAIL PROTECTED]> wrote: > Hii list, > I am new to freeradius. I am basically using it to > get the msisdn (cli) of the message sender in a > WAP enviornment, as my WAP gateway does not support > cli. However for mapping the msisdn, i also need the > dynamic ip assigned to client phone on a gprs > network. > I am able to catch the msisdn, but i am getting only > the ip of my NAS instead of the original client ip > (mobile phone's ip). Can you please tell me how to > get that? Any configuration to be done or the > attribute/parameter i need to access in order to get > the client-ip. appreciate your help. > > Thanx in advance. > > best regards > amit sehgal > __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius + pppd
Hello everyone!,

Could someone please explain to me, how to go about patch for pppd to support authentication through RADIUS. I've been looking around, people just start suggesting to use portslave. Why would that be ?

---
linux:/usr/src/linux # patch -p1 < ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch
patching file Makefile
Reversed (or previously applied) patch detected! Assume -R? [n] n
Apply anyway? [n] y
Hunk #1 FAILED at 1.
File Makefile is not empty after patch, as expected
1 out of 1 hunk FAILED -- saving rejects to file Makefile.rej
can't find file to patch at input line 63
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|diff -urN ppp-2.4.1b2-mschap2-mppe/etc.ppp/chap-secrets ppp-2.4.1b2-radius-v2.0c/etc.ppp/chap-secrets
|--- ppp-2.4.1b2-mschap2-mppe/etc.ppp/chap-secrets Fri Jun 23 03:49:28 1995
|+++ ppp-2.4.1b2-radius-v2.0c/etc.ppp/chap-secrets Wed Jun 5 10:53:16 2002
--
File to patch:

I don't understand what it's saying if I run this command "patch -p1 < ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch". Is this the right patch ? What's it mean, when it asks me "File to patch" ?

Thanks in advance :)
Re: Sendmail and freeradius
10-Feb-03 at 13:40, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
> Simon White wrote:
> > 09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> > > Has anyone successfully used freeradius (or any radius) to authenticate user
> > > for sendmail while maintaining all the /.forward functions?
> > >
> > > Is there a pam module one could use on the mail server that would talk
> > > to the radius server on another server?
> >
> > You can get PAM to authenticate via Radius.
> >
> > Why do you want radius to authenticate for sendmail? Sounds a bit
> > convoluted to me.
> >
> > What problem are you actually trying to solve here?
>
> we talk about using .forward in users deer %)

Well radius isn't going to help you there. Radius has nothing to do with that. Try asking a mailing list for your MTA...

--
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Men never do evil so completely and cheerfully as when they do it from religious conviction. -- Blaise Pascal
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
Counters question
Hi all, I am using counters with the reset time set to 'never'. Just wondered, if I did want to reset a particular counter for any reason, is it possible to do it (and how)? regards, Keith
Re: Sendmail and freeradius
Simon White wrote:
> > Simon White wrote:
> > > 09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> > > > Has anyone successfully used freeradius (or any radius) to authenticate user
> > > > for sendmail while maintaining all the /.forward functions?
> > > >
> > > > Is there a pam module one could use on the mail server that would talk
> > > > to the radius server on another server?
> > >
> > > You can get PAM to authenticate via Radius.
> > >
> > > Why do you want radius to authenticate for sendmail? Sounds a bit
> > > convoluted to me.
> > >
> > > What problem are you actually trying to solve here?
>
> 10-Feb-03 at 12:17, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
> > if i am not mistaken it's impossible to do this. :(
> > you can authorize users but radius can't send user home dir :(
>
> That's what LDAP is for, radius is really for NASes to authenticate dialup
> users / wireless users. Radius can read from LDAP for username/password
> attributes if you want a central authentication database...

we talk about using .forward in users deer %)
Re: Sendmail and freeradius
> Simon White wrote:
> > 09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> > > Has anyone successfully used freeradius (or any radius) to authenticate user
> > > for sendmail while maintaining all the /.forward functions?
> > >
> > > Is there a pam module one could use on the mail server that would talk
> > > to the radius server on another server?
> >
> > You can get PAM to authenticate via Radius.
> >
> > Why do you want radius to authenticate for sendmail? Sounds a bit
> > convoluted to me.
> >
> > What problem are you actually trying to solve here?

10-Feb-03 at 12:17, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
> if i am not mistaken it's impossible to do this. :(
> you can authorize users but
> radius can't send user home dir :(

That's what LDAP is for, radius is really for NASes to authenticate dialup users / wireless users. Radius can read from LDAP for username/password attributes if you want a central authentication database...

--
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
It's amazing how some people can put their foot in their mouth with their head so far up their ass.
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
Re: unsubscribed
In article, leaobicalho <[EMAIL PROTECTED]> wrote:
>please remove me from the list, I unsubscribed this
>morning but I am
>still receiving emails

You did not unsubscribe. Your account is still active:

# cd /var/lib/mailman/bin
# ./find_member bol.com.br
[EMAIL PROTECTED] found in:
freeradius-users

Please follow the directions at the end of this (and every) mail to the list.

Mike.
--
Anyone who is capable of getting themselves made President should on no account be allowed to do the job -- Douglas Adams.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Sendmail and freeradius
if i am not mistaken it's impossible to do this. :(
you can authorize users but radius can't send user home dir :(

Simon White wrote:
> 09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> > Has anyone successfully used freeradius (or any radius) to authenticate user
> > for sendmail while maintaining all the /.forward functions?
> >
> > Is there a pam module one could use on the mail server that would talk
> > to the radius server on another server?
>
> You can get PAM to authenticate via Radius.
>
> Why do you want radius to authenticate for sendmail? Sounds a bit
> convoluted to me.
>
> What problem are you actually trying to solve here?
Re: Sendmail and freeradius
09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> Has anyone successfully used freeradius (or any radius) to authenticate user
> for sendmail while maintaining all the /.forward functions?
>
> Is there a pam module one could use on the mail server that would talk
> to the radius server on another server?

You can get PAM to authenticate via Radius.

Why do you want radius to authenticate for sendmail? Sounds a bit convoluted to me.

What problem are you actually trying to solve here?

--
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
It is impossible to sharpen a pencil with a blunt axe. It is equally vain to try to do it with ten blunt axes instead. -- E. W. Dijkstra
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]