Re: RV: freeradius-ldap is not running

2003-02-25 Thread Kostas Kalevras
On Mon, 24 Feb 2003, Federico Edelman wrote:

 I can't get a response.
 Somebody know about this trouble?


So if you comment out the ldap module (from the authorize and authenticate
sections) your radius starts fine?

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Patch for LDAP URI support (at least with OpenLDAP libraries)

2003-02-25 Thread Kostas Kalevras
On Mon, 24 Feb 2003, Derrik Pates wrote:

 On Sat, Feb 22, 2003 at 11:40:24AM +0200, Kostas Kalevras wrote:
  Where's the patch?

 Heh. Sure enough, I forgot to attach the patch. It's attached this time,
 I swear! :)

I've already made the changes based on your idea. What you could provide is a
patch for configure/Makefile to check for ldap_initialize and set
HAVE_LDAP_INITIALIZE.


 --
 Derrik Pates
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pb with eap-md5 !

2003-02-25 Thread Artur Hecker
It should work, I don't know why it doesn't... play with the settings,
activating and deactivating it all the time... EAP/MD5 has been taken
out of XP for wireless after SP1 but it is still available for wired...
 sorry, can't really help you there.

Benoît Bécel wrote:
I would like to use eap-md5 on a wired network !

I have a laptop on Win XP with a pcmcia 3com Etherlink III card!
I use a Business Policy Switch 2000 as NAS and FreeRadius on Linux !
And it seems that EAP-MD5 can't work, but my laptop answers the NAS
request/identity when I activate PEAP instead of EAP-MD5!
But PEAP is a non-standard protocol and doesn't work with FreeRadius !

I know it's more a windows problem than a FreeRadius one but I can't 
solve it!
Thanks for your help !

Beno

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


auth-proxy

2003-02-25 Thread Didi Rieder
Hi,

I would like to use cisco auth-proxy with freeradius-0.8.1. How can I configure
this? (We used to use tacacs+)

Didi

-- 
-
Didi Rieder
[EMAIL PROTECTED]
PGPKey ID: 3431D0B0
-





RE: RV: freeradius-ldap is not running

2003-02-25 Thread Federico Edelman
Ok! But I think freeradius should warn me if the basedn is wrong.
I don't like guessing at errors.
My basedn is that.

Why do you say the basedn is wrong?

Thanks very much.
Fede

 -Original Message-
 From: Robert Canary [mailto:[EMAIL PROTECTED]
 Sent: Monday, 24 February 2003 20:40
 To: [EMAIL PROTECTED]
 Subject: Re: RV: freeradius-ldap is not running
 
 You have ldap configured in the radius.  You have ldap configured to be
 a default fall-through.  I understand your ldap server is working fine.
 I'm saying the radius server isn't talking to the ldap server, _maybe_
 because the basedn is set wrong.
 
 Federico Edelman wrote:
 
  My LDAP server works fine. I'm using the LDAP server for other services.
 
   -Original Message-
   From: Robert Canary [mailto:[EMAIL PROTECTED]
   Sent: Monday, 24 February 2003 15:35
   To: [EMAIL PROTECTED]
   Subject: Re: RV: freeradius-ldap is not running
  
   I think you should look at your ldap server logs.  Your basedn doesn't
   look right to me.  I think it should be something like,
   cn=user-that-can-read-passwords,dc=example,dc=com
  
   Federico Edelman wrote:
   
I can't get a response.
Somebody know about this trouble?
   
 -Original Message-
 From: Federico Edelman
 Sent: Thursday, 20 February 2003 10:29
 To: [EMAIL PROTECTED]
 Subject: RE: freeradius-ldap is not running
   
Robert:
This is the complete log file.
   
  -Original Message-
  From: Robert Canary [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, 19 February 2003 17:54
  To: [EMAIL PROTECTED]
  Subject: Re: freeradius-ldap is not running
 
  Why did you snip it?  We need the rest of the log file.
 
  Do this: radiusd -X > /var/log/radiusd_dbg_con.log
 
  It is easier to capture the error messages that way.

 Also what shows up in your freeradius logs during this time?

 Federico Edelman wrote:
 
   Hi guys,
   I'm a newbie with freeradius. I'm running freeradius-0.8.1 on
   Linux Debian 3.1. The LDAP server/client is openldap-2.1.12.
 
  I've compiled the freeradius with:
 
   # LD_LIBRARY_PATH=/usr/local/openldap/lib:/usr/local/lib
   # LDFLAGS=-L/usr/local/openldap/lib -L/usr/local/lib
   # CFLAGS=-O -g -I/usr/local/openldap/include -I/usr/local/include
   # CC=gcc
   # export LD_LIBRARY_PATH LDFLAGS CFLAGS CC
   # ./configure --prefix=/usr/local/freeradius --with-openldap=/usr/local/openldap
   # make
   # make install
 
  All's ok.
 
  I've run:
  # /usr/local/freeradius/sbin/radiusd -X
  And...
  # /usr/local/freeradius/bin/radtest
 
   All's ok. radtest connects to radiusd successfully.
  
   But when I set up the radius with LDAP support, radiusd exits
   and does not run.
 
  The radius ldap configuration:
 
  My /usr/local/freeradius/etc/raddb/radiusd.conf:
   snip snip 
  ldap {
  server = myldapserver
  basedn = ou=people,dc=rootldap
  filter = ((posixAccount)(uid=%u))
  start_tls = no
  tls_mode = no
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 5
  timeout = 4
  timelimit = 3
  net_timeout = 1
  }
  authenticate {
  authtype LDAP {
  ldap
  }
  }
   snip snip 
  my /usr/local/freeradius/etc/raddb/dictionary:
   snip snip 
  #
  #   Non-Protocol Integer Translations
  #
 
   VALUE   Auth-Type   Local           0
   VALUE   Auth-Type   System          1
   VALUE   Auth-Type   SecurID         2
   VALUE   Auth-Type   Crypt-Local     3
   VALUE   Auth-Type   Reject          4
   VALUE   Auth-Type   ActivCard       4
   VALUE   Auth-Type   LDAP            5
   snip snip 
  my /usr/local/freeradius/etc/raddb/users:
   snip snip 
  DEFAULT Auth-Type := LDAP
  Fall-Through = 1
   snip snip 
 
  My ldif user:
 
   snip snip 
  dn: uid=test,ou=people,dc=claxson
  objectClass: top
  objectClass: account
  objectClass: posixAccount
  ou: people
  uid: test
  cn: TestUser
  loginShell: /bin/bash
  homeDirectory: /home/test
  gecos: Test User
  uidNumber: 1001
  gidNumber: 1001
  userPassword: {crypt}XXX
   snip snip 
 
  When I run radiusd -X I get this:
   snip snip 
  .
  .
  .
  Module: Loaded radutmp

Re: RV: freeradius-ldap is not running

2003-02-25 Thread markcapelle
Have you tried using ldapsearch using these parameters?  This is the
easiest and fastest way to find out if your LDAP parameters are correct and
your server is replying.  Typically once you find the correct syntax in
ldapsearch, the modification of the radiusd.conf LDAP parameters becomes
trivial.

Mark Capelle

- - - - - - - - - - - - - - -

Robert Canary wrote:

You have ldap configured in the radius.  You have ldap configured to be
a default fall-through.  I understand your ldap server is working fine.
I'm saying the radius server isn't talking to the ldap server, _maybe_
because the basedn is set wrong.

Federico Edelman wrote:

 My LDAP server works fine. I'm using the LDAP server for other services.

  -Original Message-
  From: Robert Canary [mailto:[EMAIL PROTECTED]
  Sent: Monday, 24 February 2003 15:35
  To: [EMAIL PROTECTED]
  Subject: Re: RV: freeradius-ldap is not running
 
  I think you should look at your ldap server logs.  Your basedn doesn't
  look right to me.  I think it should be something like,
  cn=user-that-can-read-passwords,dc=example,dc=com
 
  Federico Edelman wrote:
  
   I can't get a response.
   Somebody know about this trouble?
  
   -Original Message-
   From: Federico Edelman
   Sent: Thursday, 20 February 2003 10:29
   To: [EMAIL PROTECTED]
   Subject: RE: freeradius-ldap is not running
  
   Robert:
   This is the complete log file.
  
    -Original Message-
    From: Robert Canary [mailto:[EMAIL PROTECTED]
    Sent: Wednesday, 19 February 2003 17:54
    To: [EMAIL PROTECTED]
    Subject: Re: freeradius-ldap is not running
   
    Why did you snip it?  We need the rest of the log file.
   
    Do this: radiusd -X > /var/log/radiusd_dbg_con.log
   
    It is easier to capture the error messages that way.
   
    Also what shows up in your freeradius logs during this time?
   
    Federico Edelman wrote:
    
     Hi guys,
     I'm a newbie with freeradius. I'm running freeradius-0.8.1 on
     Linux Debian 3.1. The LDAP server/client is openldap-2.1.12.
    
     I've compiled the freeradius with:
    
     # LD_LIBRARY_PATH=/usr/local/openldap/lib:/usr/local/lib
     # LDFLAGS=-L/usr/local/openldap/lib -L/usr/local/lib
     # CFLAGS=-O -g -I/usr/local/openldap/include -I/usr/local/include
     # CC=gcc
     # export LD_LIBRARY_PATH LDFLAGS CFLAGS CC
     # ./configure --prefix=/usr/local/freeradius --with-openldap=/usr/local/openldap
     # make
     # make install
    
     All's ok.
    
     I've run:
     # /usr/local/freeradius/sbin/radiusd -X
     And...
     # /usr/local/freeradius/bin/radtest
    
     All's ok. radtest connects to radiusd successfully.
    
     But when I set up the radius with LDAP support, radiusd exits
     and does not run.
    
     The radius ldap configuration:
    
     My /usr/local/freeradius/etc/raddb/radiusd.conf:
      snip snip 
     ldap {
     server = myldapserver
     basedn = ou=people,dc=rootldap
     filter = ((posixAccount)(uid=%u))
     start_tls = no
     tls_mode = no
     dictionary_mapping = ${raddbdir}/ldap.attrmap
     ldap_connections_number = 5
     timeout = 4
     timelimit = 3
     net_timeout = 1
     }
     authenticate {
     authtype LDAP {
     ldap
     }
     }
      snip snip 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
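Mark's advice above is the right first step. As an added check for this thread (example code, not part of FreeRADIUS), the script below parses the ldap { } stanza and the LDIF entry posted earlier, embedded here as constructed input, and reports what ldapsearch would run into before radiusd is even started. Two things are visible in the posted configuration itself: the basedn ends in dc=rootldap while the user's dn ends in dc=claxson, so no search under that base can ever return the entry; and with start_tls = no and tls_mode = no, Auth-Type LDAP binds as the user with the cleartext password over an unencrypted connection, so anyone on the path between the RADIUS and LDAP hosts sees it. The filter grammar check and the mapping of the stanza onto ldapsearch options (-x, -H, -b, -ZZ, -D and -w are standard OpenLDAP flags) are my assumptions; the filter string is checked exactly as it appears on this page.

```python
"""Check an rlm_ldap stanza the way ldapsearch would exercise it.  Added
example for this thread, not FreeRADIUS code; the inputs are constructed
from the radiusd.conf block and the LDIF entry posted above."""
import re

RADIUSD_CONF = """\
ldap {
        server = myldapserver
        basedn = ou=people,dc=rootldap
        filter = ((posixAccount)(uid=%u))
        start_tls = no
        tls_mode = no
}
"""
USER_LDIF = """\
dn: uid=test,ou=people,dc=claxson
objectClass: posixAccount
uid: test
userPassword: {crypt}XXX
"""

def parse_ldap_stanza(text):
    """key = value pairs inside the first ldap { ... } block."""
    m = re.search(r"\bldap\s*\{(.*?)\n\}", text, re.S)
    if not m:
        raise ValueError("no ldap { } stanza found")
    conf = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf

def parse_ldif(text):
    """First value of each attribute of one LDIF entry, 'dn' included."""
    entry = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip(), value.strip())
    return entry

def _rdns(dn):
    # No escaped commas assumed; true for the posted entry.
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in dn.split(",")]

def dn_under_base(dn, base):
    """True if a subtree search from `base` can return `dn`."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) > len(b) and d[-len(b):] == b

def filter_ok(flt):
    """RFC 4515 subset seen in rlm_ldap configs: (&..) (|..) (!..) and
    attr=value, >=, <=, ~= items; no escape sequences."""
    item = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(>=|<=|~=|=)[^()]*")
    pos = 0
    def node():
        nonlocal pos
        if flt[pos:pos + 1] != "(":
            return False
        pos += 1
        c = flt[pos:pos + 1]
        if c in ("&", "|"):        # and/or: one or more children
            pos, n = pos + 1, 0
            while flt[pos:pos + 1] == "(":
                if not node():
                    return False
                n += 1
            if n == 0:
                return False
        elif c == "!":             # not: exactly one child
            pos += 1
            if not node():
                return False
        else:                      # simple item
            m = item.match(flt, pos)
            if not m:
                return False
            pos = m.end()
        if flt[pos:pos + 1] != ")":
            return False
        pos += 1
        return True
    return node() and pos == len(flt)

def ldapsearch_argv(conf, username):
    """OpenLDAP ldapsearch equivalent of the lookup (-x simple bind, -H URI,
    -b base, -ZZ StartTLS, -D/-w bind DN and password); %u is the user name."""
    argv = ["ldapsearch", "-x", "-H", "ldap://" + conf["server"], "-b", conf["basedn"]]
    if conf.get("start_tls") == "yes":
        argv.append("-ZZ")
    if "identity" in conf:
        argv += ["-D", conf["identity"], "-w", conf.get("password", "")]
    return argv + [conf["filter"].replace("%u", username)]

def check(conf_text, ldif_text):
    """Findings a practitioner wants before starting radiusd, code first."""
    conf, entry = parse_ldap_stanza(conf_text), parse_ldif(ldif_text)
    out = []
    if not dn_under_base(entry["dn"], conf["basedn"]):
        out.append(f"BASEDN_MISMATCH: {entry['dn']} is not under {conf['basedn']}")
    if not filter_ok(conf["filter"]):
        out.append(f"FILTER_INVALID: {conf['filter']!r} is not well formed")
    if (conf.get("start_tls") != "yes" and conf.get("tls_mode") != "yes"
            and not conf["server"].startswith("ldaps://")):
        out.append("CLEARTEXT_BIND: no TLS; Auth-Type LDAP binds as the user, so "
                   "the password crosses the wire in clear")
    if "identity" not in conf:
        out.append("ANON_SEARCH: no identity/password; slapd ACLs must allow an "
                   "anonymous search under the basedn")
    return out
```

check(RADIUSD_CONF, USER_LDIF) returns the four findings for the posted configuration, and " ".join(ldapsearch_argv(parse_ldap_stanza(RADIUSD_CONF), "test")) is the command to run; run it on the RADIUS host rather than on the LDAP server, so the test crosses the same network path and ACLs that radiusd does.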


RE: RV: freeradius-ldap is not running

2003-02-25 Thread Federico Edelman
I ran the same line with the ldapsearch command and it works fine. :(


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 25 February 2003 10:25
 To: [EMAIL PROTECTED]
 Subject: Re: RV: freeradius-ldap is not running
 
 Have you tried using ldapsearch using these parameters?  This is the
 easiest and fastest way to find out if your LDAP parameters are correct
 and your server is replying.  Typically once you find the correct syntax
 in ldapsearch, the modification of the radiusd.conf LDAP parameters
 becomes trivial.
 
 Mark Capelle
 
 - - - - - - - - - - - - - - -
 
 Robert Canary wrote:
 
 You have ldap configured in the radius.  You have ldap configured to be
 a default fall-through.  I understand your ldap server is working fine.
 I'm saying the radius server isn't talking to the ldap server, _maybe_
 because the basedn is set wrong.
 
 Federico Edelman wrote:
 
  My LDAP server works fine. I'm using the LDAP server for other services.
 
   -Original Message-
   From: Robert Canary [mailto:[EMAIL PROTECTED]
   Sent: Monday, 24 February 2003 15:35
   To: [EMAIL PROTECTED]
   Subject: Re: RV: freeradius-ldap is not running
  
   I think you should look at your ldap server logs.  Your basedn doesn't
   look right to me.  I think it should be something like,
   cn=user-that-can-read-passwords,dc=example,dc=com
  
   Federico Edelman wrote:
   
    I can't get a response.
    Somebody know about this trouble?
   
    -Original Message-
    From: Federico Edelman
    Sent: Thursday, 20 February 2003 10:29
    To: [EMAIL PROTECTED]
    Subject: RE: freeradius-ldap is not running
   
    Robert:
    This is the complete log file.
   
     -Original Message-
     From: Robert Canary [mailto:[EMAIL PROTECTED]
     Sent: Wednesday, 19 February 2003 17:54
     To: [EMAIL PROTECTED]
     Subject: Re: freeradius-ldap is not running
    
     Why did you snip it?  We need the rest of the log file.
    
     Do this: radiusd -X > /var/log/radiusd_dbg_con.log
    
     It is easier to capture the error messages that way.
    
     Also what shows up in your freeradius logs during this time?
    
     Federico Edelman wrote:
     
      Hi guys,
      I'm a newbie with freeradius. I'm running freeradius-0.8.1 on
      Linux Debian 3.1. The LDAP server/client is openldap-2.1.12.
     
      I've compiled the freeradius with:
     
      # LD_LIBRARY_PATH=/usr/local/openldap/lib:/usr/local/lib
      # LDFLAGS=-L/usr/local/openldap/lib -L/usr/local/lib
      # CFLAGS=-O -g -I/usr/local/openldap/include -I/usr/local/include
      # CC=gcc
      # export LD_LIBRARY_PATH LDFLAGS CFLAGS CC
      # ./configure --prefix=/usr/local/freeradius --with-openldap=/usr/local/openldap
      # make
      # make install
     
      All's ok.
     
      I've run:
      # /usr/local/freeradius/sbin/radiusd -X
      And...
      # /usr/local/freeradius/bin/radtest
     
      All's ok. radtest connects to radiusd successfully.
     
      But when I set up the radius with LDAP support, radiusd exits
      and does not run.
     
      The radius ldap configuration:
     
      My /usr/local/freeradius/etc/raddb/radiusd.conf:
       snip snip 
      ldap {
      server = myldapserver
      basedn = ou=people,dc=rootldap
      filter = ((posixAccount)(uid=%u))
      start_tls = no
      tls_mode = no
      dictionary_mapping = ${raddbdir}/ldap.attrmap
      ldap_connections_number = 5
      timeout = 4
      timelimit = 3
      net_timeout = 1
      }
      authenticate {
      authtype LDAP {
      ldap
      }
      }
       snip snip 
 
 
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


CISTRON vs. FreeRADIUS :: Extra Bit and/or Case Sensitivity

2003-02-25 Thread Ryan Beisner
Hi All-

Well, this is slightly entertaining:

((this is not a FreeRADIUS mis-posting, please read on...))

I've been using FreeRADIUS for a few weeks on a USR Hiper Access 96 bank
dialup rack, authenticating with PAP.  Randomly, a forward slash plus
three digits were being added to the password portion of the
authentication request.  The FreeRADIUS forum folks said it was a glitch
in my W98 client(s) -- they were sometimes sending an extra bit of info
(?).  While I could definitely buy the possibility that MS had once
again screwed up a standard protocol, I decided to try CISTRON RADIUSD.

Guess what?

No more /### at the end of passwords.  Ok, so I don't have people saying
sometimes it accepts my password, and sometimes it doesn't ... what's
going on?   Good deal.  Yeah.

But...



In FreeRADIUS there is an option to alter the user name's case Before or
After authentication (failure).  I have many users who (even though you
say to use lower case), continue to use a capital letter or two in their
login name.  Since all users are entered into Linux as lower-case, the
authentication fails in CISTRON RADIUSD whereas it had passed in
FreeRADIUS.  (Authentication method is System.)  System is RH8.




---== My question is: ==---

---=== Can you force usernames to be rewritten in lowercase on the fly
using CISTRON like you can with FreeRADIUS?   (ie. force lower case
before authentication attempt)




All help and comments on the subject will be greatly appreciated.

TIA!
-Ryan Beisner






...


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: running freeradius on mips platform

2003-02-25 Thread Alan DeKok
Jeffery [EMAIL PROTECTED] wrote:
   All my other programs are work fine and no messages like this. all the
 other application in freeradius, like check-config, radtest, are work
 fine. Only radiusd cannot work.

  radiusd is also the only program built with libtool.

 Can you give any other suggestion? Or what you think the error probably
 occur reason. Thank you!

  Do:

$ file /usr/local/sbin/radiusd

  and see what it says.  Odds are that the binary is NOT built for
your platform.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: auth-proxy

2003-02-25 Thread Didi Rieder
Quoting Chris Parker [EMAIL PROTECTED]:

 At 02:09 PM 2/25/2003 +0100, Didi Rieder wrote:
 Hi,
 
 I would like to use cisco auth-proxy with freeradius-0.8.1. How can I
 configure
 this? (We used to use tacacs+)
 
 FreeRADIUS works very well with Cisco NAS ( 5x00 ) and other platforms.
 
 Is there something different about your situation that is not a typical
 NAS/AAA setup?
 
 There is a doc in 'doc/cisco' that should cover basic AAA config for
 a typical Cisco NAS.

Thanks for the answer, but could you give me a hint how to configure radius to
do this (I'm really a newbie)

in tacacs conf we had something like the following:

user = DEFAULT {
service = auth-proxy
{
 priv-lvl = 15
 proxyacl#1 = permit ip any xxx.xxx.0.0 0.0.255.255
}
}

Didi

-- 
-
Didi Rieder
[EMAIL PROTECTED]
PGPKey ID: 3431D0B0
-





Re: Free Radius and Inter Access Point Protocol (IAPP - 802.11f)

2003-02-25 Thread Alan DeKok
Mohit Bajpai [EMAIL PROTECTED] wrote:
 Could you please let me know whether FreeRadius supports IAPP.

  No, it doesn't.

  No one is working on it, so far as I know.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: CISTRON vs. FreeRADIUS :: Extra Bit and/or Case Sensitivity

2003-02-25 Thread Alan DeKok
  I *am* reading the freeradius-users list.  Was there any need to
send an extra copy of the message to me, in addition to the list?

Ryan Beisner [EMAIL PROTECTED] wrote:
 I've been using FreeRADIUS for a few weeks on a USR Hiper Access 96 bank
 dialup rack, authenticating with PAP.  Randomly, a forward slash plus

  No, a back-slash.  See your original post:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg13422.html

 three digits were being added to the password portion of the
 authentication request.  The FreeRADIUS forum folks said it was a glitch
 in my W98 client(s) -- they were sometimes sending an extra bit of info
 (?).

  Again, that's *not* what I said.  See my response:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg13424.html


  So it looks like it's a bug in FreeRADIUS.  I'm still wondering why
no one else with a similar setup sees the same problem.

  Try grabbing the latest CVS snapshot of FreeRADIUS and running
that.  Maybe there was a problem during compilation...

 ---=== Can you force usernames to be rewritten in lowercase on the fly
 using CISTRON like you can with FreeRADIUS?   (ie. force lower case
 before authentication attempt)

  Sure.  Edit the source code.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: auth-proxy

2003-02-25 Thread Alan DeKok
Didi Rieder [EMAIL PROTECTED] wrote:
 Thanks for the answer, but could you give me a hint how to configure radius
 to do this (I'm really a newbie)

  Buy the RADIUS book.  It describes common setups like this.

  Or, there's a file suspiciously named 'proxy' in the 'doc'
directory.  It might have something useful.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RV: freeradius-ldap is not running

2003-02-25 Thread Robert Canary
I don't _know_ it is wrong; I have only seen ldap DNs (ones with access
to passwords) include the cn of a user configured in the ACL to see
passwords.  Your basedn doesn't have that, curious.

Federico Edelman wrote:
 
 Ok! But I think freeradius should warn me if the basedn is wrong.
 I don't like guessing at errors.
 My basedn is that.
 
 Why do you say the basedn is wrong?
 
 Thanks very much.
 Fede
 
  -Original Message-
  From: Robert Canary [mailto:[EMAIL PROTECTED]
  Sent: Monday, 24 February 2003 20:40
  To: [EMAIL PROTECTED]
  Subject: Re: RV: freeradius-ldap is not running
 
  You have ldap configured in the radius.  You have ldap configured to be
  a default fall-through.  I understand your ldap server is working fine.
  I'm saying the radius server isn't talking to the ldap server, _maybe_
  because the basedn is set wrong.
 
  Federico Edelman wrote:
  
   My LDAP server works fine. I'm using the LDAP server for other services.
  
    -Original Message-
    From: Robert Canary [mailto:[EMAIL PROTECTED]
    Sent: Monday, 24 February 2003 15:35
    To: [EMAIL PROTECTED]
    Subject: Re: RV: freeradius-ldap is not running
   
    I think you should look at your ldap server logs.  Your basedn doesn't
    look right to me.  I think it should be something like,
    cn=user-that-can-read-passwords,dc=example,dc=com
   
Federico Edelman wrote:

 I can't get a response.
 Somebody know about this trouble?

  -Original Message-
  From: Federico Edelman
  Sent: Thursday, 20 February 2003 10:29
  To: [EMAIL PROTECTED]
  Subject: RE: freeradius-ldap is not running

 Robert:
 This is the complete log file.

   -Original Message-
   From: Robert Canary [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, 19 February 2003 17:54
   To: [EMAIL PROTECTED]
   Subject: Re: freeradius-ldap is not running
  
   Why did you snip it?  We need the rest of the log file.
  
   Do this: radiusd -X > /var/log/radiusd_dbg_con.log
  
   It is easier to capture the error messages that way.
 
  Also what shows up in your freeradius logs during this time?
 
  Federico Edelman wrote:
  
    Hi guys,
    I'm a newbie with freeradius. I'm running freeradius-0.8.1 on
    Linux Debian 3.1. The LDAP server/client is openldap-2.1.12.
  
   I've compiled the freeradius with:
  
    # LD_LIBRARY_PATH=/usr/local/openldap/lib:/usr/local/lib
    # LDFLAGS=-L/usr/local/openldap/lib -L/usr/local/lib
    # CFLAGS=-O -g -I/usr/local/openldap/include -I/usr/local/include
    # CC=gcc
    # export LD_LIBRARY_PATH LDFLAGS CFLAGS CC
    # ./configure --prefix=/usr/local/freeradius --with-openldap=/usr/local/openldap
    # make
    # make install
  
   All's ok.
  
   I've run:
   # /usr/local/freeradius/sbin/radiusd -X
   And...
   # /usr/local/freeradius/bin/radtest
  
    All's ok. radtest connects to radiusd successfully.
   
    But when I set up the radius with LDAP support, radiusd exits
    and does not run.
  
   The radius ldap configuration:
  
   My /usr/local/freeradius/etc/raddb/radiusd.conf:
    snip snip 
   ldap {
   server = myldapserver
   basedn = ou=people,dc=rootldap
   filter = ((posixAccount)(uid=%u))
   start_tls = no
   tls_mode = no
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   }
   authenticate {
   authtype LDAP {
   ldap
   }
   }
    snip snip 
   my /usr/local/freeradius/etc/raddb/dictionary:
    snip snip 
   #
   #   Non-Protocol Integer Translations
   #
  
    VALUE   Auth-Type   Local           0
    VALUE   Auth-Type   System          1
    VALUE   Auth-Type   SecurID         2
    VALUE   Auth-Type   Crypt-Local     3
    VALUE   Auth-Type   Reject          4
    VALUE   Auth-Type   ActivCard       4
    VALUE   Auth-Type   LDAP            5
    snip snip 
   my /usr/local/freeradius/etc/raddb/users:
    snip snip 
   DEFAULT Auth-Type := LDAP
   Fall-Through = 1
    snip snip 
  
   My ldif user:
  
    snip snip 
   dn: uid=test,ou=people,dc=claxson
   objectClass: top
   objectClass: account
   objectClass: 

Re: auth-proxy

2003-02-25 Thread Didi Rieder
Quoting Alan DeKok [EMAIL PROTECTED]:

 Didi Rieder [EMAIL PROTECTED] wrote:
  Thanks for the answer, but could you give me a hint how to configure radius
  to do this (I'm really a newbie)
 
   Buy the RADIUS book.  It describes common setups like this.

I will

   Or, there's a file suspiciously named 'proxy' in the 'doc'
 directory.  It might have something useful.

Thanks but, that's not what I'm looking for, see:
http://www.cisco.com/warp/public/793/ios_fw/auth_intro.html

Didi

-- 
-
Didi Rieder
[EMAIL PROTECTED]
PGPKey ID: 3431D0B0
-
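Added example for Didi's question, not from the thread or from the FreeRADIUS distribution: the RADIUS counterpart of the tacacs+ stanza quoted above, in users-file syntax. Cisco's authentication proxy documentation carries the auth-proxy settings for RADIUS in Cisco-AVPair values of the form auth-proxy:priv-lvl=15 and auth-proxy:proxyacl#N=..., which is what this entry returns. The router's clients.conf entry, the Auth-Type for whatever user store backs the logins, and the xxx.xxx.0.0 placeholder are left as in the original; confirm with radiusd -X what the router actually sends (Service-Type and NAS-IP-Address) before narrowing the DEFAULT line to match only auth-proxy requests.

```text
# Added example: RADIUS reply items equivalent to the posted tacacs+
# "service = auth-proxy" stanza.  Cisco-AVPair comes from dictionary.cisco;
# the auth-proxy:... values follow Cisco's auth-proxy documentation.
# Entries are matched in order, so put this before any earlier DEFAULT
# or give that entry Fall-Through = 1.  Replace xxx.xxx.0.0 with the
# real network.
DEFAULT
        Cisco-AVPair += "auth-proxy:priv-lvl=15",
        Cisco-AVPair += "auth-proxy:proxyacl#1=permit ip any xxx.xxx.0.0 0.0.255.255"
```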





checkrad script things

2003-02-25 Thread Derrik Pates
After looking at the checkrad script, I noticed a few minor things.
Namely:

  - For several RAS server types, the script doesn't actually look up
username/password (or SNMP community ID) info from anyplace.

  - The script only looks in the naspasswd file, which I thought was
deprecated. Shouldn't it look in (and of course, parse) clients.conf,
at least?

I'm thinking I'll probably fix these, because I'd like to be able to use
checkrad.

-- 
Derrik Pates
[EMAIL PROTECTED]
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: checkrad script things

2003-02-25 Thread Alan DeKok
[EMAIL PROTECTED] (Derrik Pates) wrote:
 After looking at the checkrad script, I noticed a few minor things.
 Namely:
 
   - For several RAS server types, the script doesn't actually look up
 username/password (or SNMP community ID) info from anyplace.

  Yeah, checkrad hasn't had much development for quite a while.

   - The script only looks in the naspasswd file, which I thought was
 deprecated. Shouldn't it look in (and of course, parse) clients.conf,
 at least?

  The server probably shouldn't fork checkrad at all.

  See 'gnu radius', it uses the SNMP libraries directly to avoid an
external program like checkrad.

  In addition, putting that code into the server means that the
configuration parameters are easily available, and external programs
don't have to root through configuration files.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: checkrad script things

2003-02-25 Thread Kostas Kalevras
On Tue, 25 Feb 2003, Alan DeKok wrote:

 [EMAIL PROTECTED] (Derrik Pates) wrote:
  After looking at the checkrad script, I noticed a few minor things.
  Namely:
 
- For several RAS server types, the script doesn't actually look up
  username/password (or SNMP community ID) info from anyplace.

   Yeah, checkrad hasn't had much development for quite a while.

- The script only looks in the naspasswd file, which I thought was
  deprecated. Shouldn't it look in (and of course, parse) clients.conf,
  at least?

   The server probably shouldn't fork checkrad at all.

   See 'gnu radius', it uses the SNMP libraries directly to avoid an
 external program like checkrad.

   In addition, putting that code into the server means that the
 configuration parameters are easily available, and external programs
 don't have to root through configuration files.

checkrad is one huge piece of software which I don't think will ever be moved
inside the server. It uses SNMP only for specific nas types (cisco for example)
and other methods (like telnet) for other nas types.
I would prefer just using perl xlat to call it directly from the server, thus
avoiding the perl interpreter overhead.
The overhead isn't that large in any case since checkrad is only called in
double login cases.


   Alan DeKok.

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: RV: freeradius-ldap is not running

2003-02-25 Thread Kostas Kalevras
On Tue, 25 Feb 2003, Federico Edelman wrote:

 Yes, if I compile and install freeradius with the defaults, it runs ok.

OK step one:

Go to src/modules/rlm_ldap

make clean;make;make install

Does the problem persist?

Step two:

Uncomment ldap from authorize/authenticate section. Does the problem go away?
I need to be sure that the problem is in rlm_ldap since i don't see anything
really strange in your configuration.



  -Original Message-
  From: Kostas Kalevras [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, 25 February 2003 6:07
  To: [EMAIL PROTECTED]
  Subject: Re: RV: freeradius-ldap is not running
 
  On Mon, 24 Feb 2003, Federico Edelman wrote:
 
   I can't get a response.
   Somebody know about this trouble?
  
 
  So if you comment out the ldap module (from the authorize and
 authenticate
  sections) your radius starts fine?
 
  --
  Kostas Kalevras Network Operations Center
  [EMAIL PROTECTED]  National Technical University of Athens,
 Greece
  Work Phone: +30 210 7721861
  'Go back to the shadow' Gandalf
 
 
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: checkrad script things

2003-02-25 Thread Alan DeKok
Kostas Kalevras [EMAIL PROTECTED] wrote:
 checkrad is one huge piece of software which i don't think will ever be moved
 inside the server. It uses SNMP only for specific nas types (cisco for example)
 and other methods (like telnet) for other nas types.

  Yeah, but moving the SNMP queries into the server core would at
least be a step forwards.

  Hmm... there's also the issue that the Simultaneous-Use code for the
various modules each calls rad_check_ts(), which probably isn't a good
idea.

 I would prefer just using perl xlat to call it directly from the server thus
 avoiding the perl interpreter overhead.

  That's preferred over forking checkrad.

 The overhead isn't that large in any case since checkrad is only called in
 double login cases.

  True.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: checkrad script things

2003-02-25 Thread Kristina Pfaff-Harris

  [EMAIL PROTECTED] (Derrik Pates) wrote:
   After looking at the checkrad script, I noticed a few minor things.
   Namely:

I've noticed a couple of minor things too. I'm thinking that the problems
I was having with SNMP and Simultaneous-Use killing the server earlier
were actually in part due to this:

 $sess_id = hex $ARGV[4];

On Ascend session IDs and, I think, others, this causes an "Integer
overflow in hexadecimal number" error, which seems to lead to the SNMP
errors. From what I can tell, if the snmpget call works on plain old
$ARGV[4], then we shouldn't need to even try to hex it. Isn't that right?

Adding a simple check to see if the previous snmpget worked and only if it
didn't, going to check the hexified session id, seems to have solved my
error problems in this case.

In other minor fixes, also, I made a config variable $cmmty_string
towards the top of the file, and changed public to $cmmty_string
throughout the script. I made $finger a config variable, just in case, and
put that at the top of the script as well. I also put $cmmty_string in ''
at one point where it's an argument to the external snmpwalk, in case your
community string has characters that lend themselves to being enclosed.

Patch attached covers the above for checkrad.pl.in from freeradius 0.8.1
dist version. (I'm using Pine. In case silly Pine wraps lines, try this
URL:

 http://tesol.net/linux/checkrad.patch

Let me know what you think. :-)

--
--- checkrad.pl.in-orig Tue Feb 25 10:17:47 2003
+++ checkrad.pl.in  Tue Feb 25 10:37:13 2003
@@ -55,6 +55,11 @@
 $rusers= @RUSERS@;
 $naspass   = $raddbdir/naspasswd;

+# Community string. Change this if yours isn't public.
+$cmmty_string  = public;
+# path to finger command
+$finger = /usr/bin/finger;
+
 #
 #  USR-Hiper: $hiper_density is the reported port density (default 256
 #  but 24 makes more sense)
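Review bot: $cmmty_string = public only moves the hard-coded community from the call sites into one global; the naspasswd() lookup the script already has (used in the $pass = ... hunk further down) should be the source of the community for every NAS type, with this value used only as the fallback for a host that has no entry. The $finger = /usr/bin/finger path is a guess about the build host; put it with the @RUSERS@-style substituted tool paths just above it so configure fills it in.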
@@ -141,8 +146,8 @@
my ($host, $community, $oid) = @_;
local $_;

-   print LOG snpwalk: $snmpwalk -r $snmp_retries -t $snmp_timeout $host 
$community $oid\n;
-   $_ = `$snmpwalk -r $snmp_retries -t $snmp_timeout $host $community $oid`;
+   print LOG snpwalk: $snmpwalk -r $snmp_retries -t $snmp_timeout $host 
'$community' $oid\n;
+   $_ = `$snmpwalk -r $snmp_retries -t $snmp_timeout $host '$community' $oid`;

return $_;
 }
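Review bot: single-quoting `'$community'` in the backtick command is an improvement, but the value is still interpolated into a shell command line, so a community string containing a single quote ends the quoting and the remainder is parsed by the shell. The robust fix is to avoid the shell entirely with the list form of open, e.g. `open(my $fh, '-|', $snmpwalk, '-r', $snmp_retries, '-t', $snmp_timeout, $host, $community, $oid) or return '';` and read the output from `$fh`. Separately, the unchanged `print LOG` line on both sides of this hunk writes the community string to the log file in clear; consider masking it there (the message also misspells the tool as `snpwalk`).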
@@ -298,7 +303,7 @@
} else {
$test_index = 32;
}
-   $_ = snmpget($ARGV[1], public, $lvm.3.2.1.1.1.2.$test_index);
+   $_ = snmpget($ARGV[1], $cmmty_string, $lvm.3.2.1.1.1.2.$test_index);
/S([0-9]+)/;
$xport = $1 + 0;
$ifIndex = $ARGV[2] + ($test_index - $xport);
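Review bot: replacing the literal with `$cmmty_string` here bypasses naspasswd entirely; only the branch changed at line 363 later in this patch consults `naspasswd()` for a per-NAS community, so a NAS that has an SNMP entry in naspasswd is still queried with the global default on this code path (and on the other `snmpget` call sites changed below). Consider resolving the community once near the top (naspasswd entry if present, else `$cmmty_string`) into one variable and using that everywhere instead of the global.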
@@ -309,7 +314,7 @@
#
#   Now get the session id from the terminal server.
#
-   $sessid = snmpget($ARGV[1], public, $lvm.3.2.1.1.1.5.$ifIndex);
+   $sessid = snmpget($ARGV[1], $cmmty_string, $lvm.3.2.1.1.1.5.$ifIndex);

print LOG   session id at port S$ARGV[2]: $sessid\n if ($debug);

@@ -340,8 +345,8 @@
#   However an active session doesn't have a Stop time,
#   so we can differentiate that way.
#
-   my $login = snmpget($ARGV[1], public, $apm1. . hex($sessid));
-   my $stopt = snmpget($ARGV[1], public, $apm2. . hex($sessid));
+   my $login = snmpget($ARGV[1], $cmmty_string, $apm1. . hex($sessid));
+   my $stopt = snmpget($ARGV[1], $cmmty_string, $apm2. . hex($sessid));
$login = -- if ($stopt  0);

print LOG   login with session-id $ARGV[4]: $login\n if ($debug);
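Review bot: both changed lines keep `hex($sessid)` unchanged, yet the cover note identifies `hex` on a NAS-supplied session id as the source of the "Integer overflow in hexadecimal number" warnings, and `$sessid` here comes straight from the SNMP reply, so the same failure applies. Either guard the conversion (convert only when the value matches `/^[0-9a-fA-F]+$/` and is short enough for a native integer) or, as the note proposes for `$ARGV[4]`, try the value unconverted first and fall back to `hex` only if that lookup returns nothing.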
@@ -358,7 +363,7 @@
# Look up community string in naspasswd file.
my ($login, $pass) = naspasswd($ARGV[1], 1);
if ($login eq '') {
-   $pass = 'public';
+   $pass = $cmmty_string;
} elsif ($login ne 'SNMP') {
if ($debug) {
print LOG
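Review bot: falling back to `$cmmty_string` when naspasswd has no entry is sensible, but the fallback is silent, so a typo in a naspasswd hostname now quietly degrades to the shared default instead of being noticed. A `print LOG` under `$debug` on the `$pass = $cmmty_string;` branch, stating that the default community is being used for `$ARGV[1]`, would make that visible.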
@@ -427,7 +432,7 @@
 sub multitech_snmp {
my $temp = $ARGV[2] + 1;

-$login = snmpget($ARGV[1], public, $msm.2.31.1.1.1.$temp);
+$login = snmpget($ARGV[1], $cmmty_string, $msm.2.31.1.1.1.$temp);
 print LOG  user at port S$ARGV[2]: $login\n if ($debug);

 ($login eq $ARGV[3]) ? 1 : 0;
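Review bot: `$login` in `multitech_snmp` is assigned without `my` (compare `my $temp` two lines above), so it is a package global shared with the other NAS-type subs; since this line is being touched anyway, declare it lexically (`my $login = snmpget(...)`).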
@@ -457,7 +462,7 @@
 sub computone_finger {
my $trunc, $ver;

-   open(FD, finger [EMAIL PROTECTED]|) or return 2;
+   open(FD, $finger [EMAIL PROTECTED]|) or return 2;
FD; # the [hostname] line is definitely uninteresting
$trunc = substr($ARGV[3], 0, 12);
$ver = ;
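Review bot: `open(FD, $finger [EMAIL PROTECTED]|)` (the `user@host` argument is redacted in the archive) still builds a shell pipeline from `$ARGV[3]`, the User-Name taken from the RADIUS request, and `$ARGV[1]`, the NAS address; neither is quoted or validated, so shell metacharacters in a user name reach /bin/sh under the radiusd uid. Use the list form, which involves no shell: `open(FD, '-|', $finger, "$ARGV[3]\@$ARGV[1]") or return 2;`, and reject user names that do not match the character set finger accepts.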
@@ -494,7 +499,7 @@
 #  Author: Shiloh Costa of MDI Internet Inc. [EMAIL PROTECTED]
 #
 sub max40xx_finger {
-   open(FD, finger [EMAIL PROTECTED]|);
+   open(FD, $finger [EMAIL PROTECTED]|);
while(FD) {
   $line = FD;
   if( $line =~ /Session/ ){
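Review bot: unlike `computone_finger`, the `open()` here has no `or return 2`, so a missing `$finger` binary or a failed fork leaves FD unopened and the loop below silently finds nothing, which reads as "user not logged in"; add the same error return. The shell-pipeline point raised on the previous hunk applies to this `open()` as well.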
@@ -529,10 +534,12 @@
#
$sess_id = $ARGV[4];
if ($sess_id !~ /^0/  $sess_id !~ /[a-f]/i) {
-   $l1 = snmpget($ARGV[1], public, 
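Review bot: this hunk is cut off in the archive after its first `-` line, so the change to the `$sess_id = hex $ARGV[4]` handling described in the cover note (try the plain value first, hex only on failure) cannot be reviewed from what is shown; please resend the complete patch, or rely on the URL given above, so the guard around `hex` can be checked.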

Re: checkrad script things

2003-02-25 Thread Alan DeKok
Kristina Pfaff-Harris [EMAIL PROTECTED] wrote:
 I've noticed a couple of minor things too. I'm thinking that the problems
 I was having with SNMP and Simultaneous-Use killing the server earlier
 were actually in part due to this:
 
  $sess_id = hex $ARGV[4];
 
 On Ascend session ID's and, I think, others, this causes an "Integer
 overflow in hexadecimal number" error, which seems to lead to the SNMP
 errors. From what I can tell, if the snmpget call works on plain old
 $ARGV[4], then we shouldn't need to even try to hex it. Isn't that right?

  Hmm... probably.  In fact, I'm not even sure why that is there in
the first place.

 In other minor fixes, also, I made a config variable $cmmty_string
 towards the top of the file, and changed public to $cmmty_string
 throughout the script. I made $finger a config variable, just in case, and
 put that at the top of the script as well. I also put $cmmty_string in ''
 at one point where it's an argument to the external snmpwalk, in case your
 community string has characters that lend themselves to being enclosed.

  That makes sense.

 Patch attached covers the above for checkrad.pl.in from freeradius 0.8.1
 dist version. (I'm using Pine. In case silly Pine wraps lines, try this
 URL:

  Applied, thanks.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: checkrad script things

2003-02-25 Thread Kristina Pfaff-Harris
On Tue, 25 Feb 2003, Alan DeKok wrote:

  On Ascend session ID's and, I think, others, this causes an "Integer
  overflow in hexadecimal number" error, which seems to lead to the SNMP
  errors. From what I can tell, if the snmpget call works on plain old
  $ARGV[4], then we shouldn't need to even try to hex it. Isn't that right?

   Hmm... probably.  In fact, I'm not even sure why that is there in
 the first place.

Erk. The simultaneous use problem isn't quite fixed, since it's still
doing that silly hex thing if the session isn't active.

I'll see if I can't figure out why we're trying to use hex at all for the
session ID. Maybe some NASes send radius a decimal session ID, but have a
hexified version of it that they give out to SNMP queries?

Bizarre. :-)

K.




LEAP and freeradius

2003-02-25 Thread Shane Hickey
Can someone out there who has gotten Cisco's LEAP to work with
Freeradius give me some pointers?  I'm not exactly sure what modules I
need to use.  Right now I have the following authorize modules

preprocess
chap
mschap 
eap 
suffic
files

I've configured my wireless NIC using Cisco's ACU utility for Linux. 
When I set a username/password I see the following on my freeradius
server.

rad_recv: Access-Request packet from host 10.252.238.3:1028, id=3,
length=144
User-Name = shickey
Cisco-AVPair = ssid=testing123
NAS-IP-Address = 10.252.238.3
Called-Station-Id = 000b46e2e6f0
Calling-Station-Id = 00078592c49f
NAS-Identifier = wkstn3
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = \002\002\000\014\001shickey
Message-Authenticator = 0xce7bf3402e987718de6daae59822ccda
rlm_chap: Could not find proper Chap-Password attribute in request
rlm_unix: Attribute User-Password is required for authentication.
Sending Access-Reject of id 3 to 10.252.238.3:1028

I tinkered around with the 802.1X Protocol Version (for EAP
Authentication): setting in the Cisco 1200 AP gui, but only Draft 10
seems to get me anywhere.

Anyway, I cringe to post this because I'm sure this is a stupid
question, but I've been unable to find a solution.

--
Shane Hickey : Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
Listening to: Echo & The Bunnymen - Friction [live]




Re: Freeradius-Users digest, Vol 1 #1574 - 10 msgs

2003-02-25 Thread Ryan Beisner
It's simply courteous to include previous respondents in further
correspondence of an issue or conversation; Just in case they happen to
overlook it in the many postings.  In other lists (samba, ardour,
netfilter, squid) people are nice enough to CC: me on something I was
helping with (or asking about) previously.  It's a habit I've picked up
from others who are not-so-righteous.

--== Politeness is not a bad habit!!! ==--

I appreciate your expertise and advice.  You won't receive further CC
messages from me.

-Ryan Beisner


On Tue, 2003-02-25 at 09:41, [EMAIL PROTECTED]
wrote:
 Message: 1
 Subject: Re: RV: freeradius-ldap is not running
 To: [EMAIL PROTECTED]
 From: [EMAIL PROTECTED]
 Date: Tue, 25 Feb 2003 07:24:59 -0600
 Reply-To: [EMAIL PROTECTED]
 
 Have you tried using ldapsearch using these parameters?  This is the
 easiest and fastest way to find out if your LDAP parameters are correct and
 your server is replying.  Typically once you find the correct syntax in
 ldapsearch, the modification of the radiusd.conf LDAP parameters becomes
 trivial.
 
 Mark Capelle
 
 - - - - - - - - - - - - - - -
 
 Robert Canary wrote:
 
 You have ldap configured in the radius.  You have ldap configured to be
 a default fall-through.  I understand your ldap server is working fine.
 I'm saying the radius server isn't talking to the ldap server, _maybe_
 because the basedn is set wrong.
 
 Federico Edelman wrote:
 
  My LDAP server works fine. I'm using the LDAP server for other services.
 
   -Original Message-
   From: Robert Canary [mailto:[EMAIL PROTECTED]
   Sent: Monday, 24 February 2003 15:35
   To: [EMAIL PROTECTED]
   Subject: Re: RV: freeradius-ldap is not running
  
   I think you should look at your ldap server logs.  Your basedn doesn't
   look right to me.  I think it should be something like,
   cn=user-that-can-read-passwords,dc=example,dc=com
  
   Federico Edelman wrote:
   
I can't get a response.
Does somebody know about this trouble?
   
-Original Message-
From: Federico Edelman
Sent: Thursday, 20 February 2003 10:29
To: [EMAIL PROTECTED]
Subject: RE: freeradius-ldap is not running
   
Robert:
This is the complete log file.
   
 -Original Message-
 From: Robert Canary [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 19 February 2003 17:54
 To: [EMAIL PROTECTED]
 Subject: Re: freeradius-ldap is not running

 Why did you snip it?  We need the rest of the log file.

 Do this: radiusd -X > /var/log/radiusd_dbg_con.log

 It is easier to capture the error messages that way.

 Also what shows up in your freeradius logs during this time?

 Federico Edelman wrote:
 
  Hi guys,
  I'm a newbie with freeradius. I'm running freeradius-0.8.1 on
  Linux Debian 3.1. The LDAP server/client is openldap-2.1.12.
 
  I've compiled the freeradius with:
 
  # LD_LIBRARY_PATH=/usr/local/openldap/lib:/usr/local/lib
  # LDFLAGS=-L/usr/local/openldap/lib -L/usr/local/lib
  # CFLAGS=-O -g -I/usr/local/openldap/include -I/usr/local/include
  # CC=gcc
  # export LD_LIBRARY_PATH LDFLAGS CFLAGS CC
  # ./configure --prefix=/usr/local/freeradius --with-openldap=/usr/local/openldap
  # make
  # make install
 
  All's ok.
 
  I've run:
  # /usr/local/freeradius/sbin/radiusd -X
  And...
  # /usr/local/freeradius/bin/radtest
 
  All's ok. The radtest connects with radiusd successfully.
 
  But when I set up the radius with LDAP support, radiusd exits and
  is not running.
 
  The radius ldap configuration:
 
  My /usr/local/freeradius/etc/raddb/radiusd.conf:
   snip snip 

Re: LEAP and freeradius

2003-02-25 Thread Alan DeKok
Shane Hickey [EMAIL PROTECTED] wrote:
 Can someone out there who has gotten Cisco's LEAP to work with
 Freeradius give me some pointers?

  FreeRADIUS doesn't support LEAP.

  Alan DeKok.



Re: checkrad script things

2003-02-25 Thread Alan DeKok
Kristina Pfaff-Harris [EMAIL PROTECTED] wrote:
Hmm... probably.  In fact, I'm not even sure why that is there in
  the first place.
 
 Erk. The simultaneous use problem isn't quite fixed, since it's still
 doing that silly hex thing if the session isn't active.
 
 I'll see if I can't figure out why we're trying to use hex at all for the
 session ID. Maybe some NASes send radius a decimal session ID, but have a
 hexified version of it that the give out to SNMP queries?

  That's possible.  Every time I'm amazed at some crazy code, I fall
over an even worse example.

  If we can remove the 'hex' stuff, that would be good.

  Alan DeKok.




Proxy Server sending from random ports

2003-02-25 Thread Nathan Miller


I am having a problem with a new client. Their radius server is
sending back the requests I proxy to them using random ports. It
always arrives on my port 1647, but is sent using a random port on their
side.
Initially I was getting these errors (stripped from -xxx debug log)
Tue Feb 25 11:04:15 2003 : Error: Ignoring request from unknown proxy
ipaddie:12386
I disabled this error checking code, and get this error now:
rad_recv: Access-Accept packet from host ipaddie:12414, id=2,
length=183
Tue Feb 25 11:41:26 2003 : Error: Trying to look up name of unknown
client ipaddie.
Tue Feb 25 11:41:26 2003 : Proxy: No matching request was found for proxy
reply from server UNKNOWN-CLIENT:12414 - ID 2
Tue Feb 25 11:41:26 2003 : Debug: Cleaning up request 2 ID 133 with
timestamp 3e5bc6e4
Tue Feb 25 11:41:26 2003 : Debug: Waking up in 1 seconds...
The rest of my proxy customers always send the request back using the
same port which the request was proxied to them on, which is usually 1645
or 1812. As you can see, this particular request arrived from port
12386 which seems to be random port #'s above 1. My first
assumption is this has something to do w/ load balancing software on
their side.
My first and most important question is, is there a work-around perhaps
so I can get this customer live w/o them fixing their radius?
Should freeradius be accepting these connections, or is it in fact their
radius which is violating the spec?

--
Nathan Miller - [EMAIL PROTECTED]
VISP Technologies
Building The Nation's Largest Network of
Successful ISPs.




Re: Proxy Server sending from random ports

2003-02-25 Thread Alan DeKok
Nathan Miller [EMAIL PROTECTED] wrote:
 I am having a problem with a new client.  Their radius server is sending 
 back the requests I proxy to them using random ports.  It always arrives on 
 my port 1647, but is sent using a random port on their side.

  That's a violation of the RFC.

 Initially I was getting these errors (stripped from -xxx debug log)
 Tue Feb 25 11:04:15 2003 : Error: Ignoring request from unknown proxy 
 ipaddie:12386

  That's a different error.  The reply from the home server came from
one which wasn't listed in proxy.conf.

  So not only are they sending from random ports, they're sending from
random IP's, too.

 The rest of my proxy customers always send the request back using the same 
 port which the request was proxied to them on, which is usually 1645 or 
 1812.  As you can see, this particular request arrived from port 12386 
 which seems to be random port #'s above 1.  My first assumption is this 
 has something to do w/ load balancing software on their side.

  Probably.

 My first and most important question is, is there a work-around perhaps so 
 I can get this customer live w/o them fixing their radius?

  No.  The proxy requests are keyed by port & IP.  So if the home
server responds from a *different* port & IP, there's no way of
figuring out which request matches that reply.

 Should freeradius be accepting these connections, or is it in fact their 
 radius which is violating the spec?

  Their system should be fixed.  It's a complete and total violation
of the RADIUS spec.  It's impossible to fix, and even if you could, it
would create severe security problems.

  Alan DeKok.



Re: Proxy Server sending from random ports

2003-02-25 Thread Nathan Miller


Alan, I truly appreciate the speedy reply. I confirmed the requests
are definitely always coming from the same IP address, it's just the port
# which is changing. I had disabled some error checking code
(section which confirms the port #) in freeradius to get the 2nd error I
listed. I will notify them that their radius server is definitely
violating the RFC. Thanks.

--
Nathan Miller - [EMAIL PROTECTED]
VISP Technologies
Building The Nation's Largest Network of
Successful ISPs.




RE: Proxy Server sending from random ports

2003-02-25 Thread Tim D. McCracken





RE: Proxy Server sending from random ports

2003-02-25 Thread Tim D. McCracken



Sorry for the previous post!

If they aren't using a load balancer, then their software is opening the port with
a port number of '0' rather than a specified port. This is correct for many client
protocols (mostly using TCP rather than UDP), but definitely not for RADIUS.

Tim



RE: Proxy Server sending from random ports

2003-02-25 Thread Nathan Miller


Yup.. I actually just got off the phone with them. They are using a
Cisco Content switch. They are sending from port 1645 which they
proved with a tcpdump log, then the cisco content switch gets ahold of it
and randomizes the outgoing port prior to sending it to my proxy
server.
We migrated over to an IP which was not behind their content switch and
everything is working great now. =)
Appreciate everyone's responses.

--

Nathan Miller - [EMAIL PROTECTED]

VISP Technologies

Building The Nation's Largest Network of
Successful ISPs.





RADIUS +

2003-02-25 Thread nrg004
Thanks Alan for your patient response.
Narasimha ([EMAIL PROTECTED])



-
This mail sent through IMP: http://horde.org/imp/



Tagged Attributes and rlm_sql

2003-02-25 Thread Jacob S. Barrett
I am having problems finding the correct format for configuring a reply 
with tagged attributes in rlm_sql in 1.8.1.  Is the attribute field 
format "ATTRIBUTE:TAG", for example "Tunnel-Type:1"?  When I do this I 
get this error in the debug log: "rlm_sql: unknown attribute 
Tunnel-Type:1".  I have tried another example that I saw on another 
product where you set the value to 'TAG1=VALUE', but that resulted in 
a segfault on the server.  What is the correct format, or what am I doing 
wrong?

Thanks,
Jake
--
Jacob S. Barrett
[EMAIL PROTECTED]
www.amduat.net
I don't suffer from insanity, I enjoy every minute of it.



Re: Tagged Attributes and rlm_sql

2003-02-25 Thread Jacob S. Barrett
Nevermind, I figured it out.  It was in the value field: ":TAG:VALUE".

Thanks,
Jake



rlm_sqlcounter installation

2003-02-25 Thread Jim
I've been wading through everything I can find regarding the installation
and configuration of the rlm_sqlcounter module using 0.8.1. It seems to me
that some changes were made to the distribution and the docs haven't
caught up. What I'd like to do is two-fold:

1. sketch out the approach I intend to try and solicit comments (see
below),

2. prepare an updated replacement doc and annotated .conf file for
distribution.

Here's what I think will work, based on existing docs/files/etc, and
assuming the sql module is installed and in use:

a. configure/compile freeradius using  --with-rlm_sqlcounter

b. create etc/raddb/sqlcounter.conf using info from doc/rlm_sqlcounter and
etc/raddb/experimental.conf, e.g.,

monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = blahblahblah
}

c. add to etc/radiusd.conf in the modules section: 
$INCLUDE ${confdir}/sqlcounter.conf

d. add to etc/radiusd.conf in the authorize section:

sqlcounter {
monthlycounter
}

e. add to the radcheck or radgroupcheck tables the appropriate check-name
a/v pairs


This seems to me that it *should* work, but I've been known to be a moron
at times, so I'd appreciate any feedback and any clue-by-4 whacking that
I need. 

Jim




Sqlcounter (Max-Daily-Time)

2003-02-25 Thread Eric
Hello,
I have such problem:
I use sqlcounter module for limiting users by session time.
As shown in the documentation, I inserted this into the radgroupcheck table: 
Max-Daily-Time := 100
It seems to work & rejects the user when 100 seconds have expired.
But when the user tries to connect one more time, RADIUS allows the user a new 
entry & says: session timeout = 150, even though I set reset=daily 
Same situation with Monthly & Weekly
I think this is an op field problem, because when I set it to any value except := 
the user is rejected, but when op is := it seems to work.
Please, anyone who knows how to find a solution, help me.


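Jim's sqlcounter sketch and Eric's Max-Daily-Time report both turn on what the counter actually computes for a given reset window. The following is an added model of that check, not FreeRADIUS or rlm_sqlcounter code: it assumes a constructed radacct table with UserName, AcctStartTime (Unix epoch) and AcctSessionTime columns, sums the session time that falls inside the current daily, weekly or monthly window with a window-clipped query (the query shape is an assumption, not copied from the module), and reports the remaining seconds that would go back as Session-Timeout.

```python
"""Model of an rlm_sqlcounter-style time-quota check (added illustration,
not FreeRADIUS code).

Constructed assumptions: accounting rows sit in a table 'radacct' with the
columns UserName, AcctStartTime (Unix epoch seconds) and AcctSessionTime
(seconds); the counter sums the session time inside the current reset window
(reset = daily | weekly | monthly) and compares the total with the check item
(e.g. Max-Monthly-Session := 10000 in radgroupcheck).
"""
import calendar
import sqlite3
from datetime import datetime, timedelta

# Fixed "current time" so the example is reproducible: Tue 25 Feb 2003 12:00.
NOW = datetime(2003, 2, 25, 12, 0, 0)

# Constructed sample accounting data: (UserName, start time, AcctSessionTime).
SAMPLE_RADACCT = [
    ("alice", datetime(2003, 2, 25, 8, 0, 0), 60),     # today, entirely inside the day
    ("alice", datetime(2003, 2, 24, 23, 59, 0), 120),  # straddles midnight: 60 s count today
    ("alice", datetime(2003, 2, 10, 10, 0, 0), 3000),  # earlier this month, earlier week
    ("alice", datetime(2003, 1, 31, 23, 0, 0), 7200),  # straddles the month boundary
]


def epoch(dt: datetime) -> int:
    """Naive datetime -> Unix epoch, treating the value as UTC (deterministic)."""
    return calendar.timegm(dt.timetuple())


def reset_window_start(now: datetime, reset: str) -> datetime:
    """Start of the counting window that the 'reset' setting selects."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if reset == "daily":
        return midnight
    if reset == "weekly":  # assumption: the week is counted from Monday 00:00
        return midnight - timedelta(days=midnight.weekday())
    if reset == "monthly":
        return midnight.replace(day=1)
    raise ValueError(f"unsupported reset value: {reset!r}")


# Only the part of each session lying after the window start (first parameter)
# is counted; sessions that ended before the window start are excluded.
COUNTER_QUERY = """
SELECT COALESCE(SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)), 0)
  FROM radacct
 WHERE UserName = ?
   AND AcctStartTime + AcctSessionTime > ?
"""


def build_sample_db() -> sqlite3.Connection:
    """In-memory radacct table loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, "
                 "AcctSessionTime INTEGER)")
    conn.executemany(
        "INSERT INTO radacct VALUES (?, ?, ?)",
        [(user, epoch(start), secs) for user, start, secs in SAMPLE_RADACCT],
    )
    return conn


def used_seconds(conn: sqlite3.Connection, username: str, window_start: int) -> int:
    """Seconds of session time the user has consumed since window_start."""
    row = conn.execute(COUNTER_QUERY, (window_start, username, window_start)).fetchone()
    return int(row[0])


def sqlcounter_check(conn, username: str, max_seconds: int, reset: str,
                     now: datetime = NOW):
    """('reject', used) when the quota is exhausted, else ('accept', remaining).

    The remaining value is what the module would hand back as Session-Timeout.
    """
    used = used_seconds(conn, username, epoch(reset_window_start(now, reset)))
    if used >= max_seconds:
        return ("reject", used)
    return ("accept", max_seconds - used)


if __name__ == "__main__":
    db = build_sample_db()
    for reset, limit in (("daily", 100), ("weekly", 1000), ("monthly", 10000)):
        print(reset, sqlcounter_check(db, "alice", limit, reset))
```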