Re: EAP/TLS and Windows 98
Alan,

Thank-you for the response, I've taken your advice and searched for Auth-Type := System (in file "users"). I have changed the default Auth-Type := System to Auth-Type =: EAP. I am surprised, however; I thought if FreeRADIUS loads EAP (both md5 and tls modules) correctly, and in the "users" file a user specifies something like:

    adam-ctl Auth-Type := EAP

it would override the default "system" and tell FreeRADIUS to use "eap", for this one user/instance. (A learning experience...)

Again, thank-you for your help Alan,

Len Jacob

Alan DeKok wrote:
> "L. Jacob" <[EMAIL PROTECTED]> wrote:
> > The FreeRADIUS server itself IS loading TLS module, yet is using
> > "Auth-Type System" (further down in the output) is this right? Shouldn't
> > it be using "Auth-Type EAP"?
>
> Not if you told it to use Auth-Type := System, which is the way it comes by default.
>
> > modcall[authorize]: module "suffix" returns noop
> > users: Matched DEFAULT at 152
>
> Check out that line. That's what you missed.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/TLS and Windows 98
"L. Jacob" <[EMAIL PROTECTED]> wrote: > The FreeRADIUS server itself IS loading TLS module, yet is using > "Auth-Type System" (further down in the output) is this right? Shouldn't > it be using "Auth-Type EAP"? Not if you told it to use Auth-Type := System, which is the way it comes by default. >modcall[authorize]: module "suffix" returns noop > users: Matched DEFAULT at 152 Check out that line. That's what you missed. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP/TLS and Windows 98
Hello all,

I am trying to implement FreeRADIUS with EAP/TLS support (on FreeBSD 4.7). I have followed the directions available at http://www.missl.cs.umd.edu/wireless/eaptls/ when compiling FreeRADIUS. I have tried both Funk Odyssey and Meetinghouse AEGIS software on different machines at different times, making sure to install the client certificate and enable EAP/TLS support in the client software. Yet when I try to authenticate the process gets stuck in a loop.

The FreeRADIUS server itself IS loading TLS module, yet is using "Auth-Type System" (further down in the output). Is this right? Shouldn't it be using "Auth-Type EAP"?

The *complete* output is below, but for some reason during the authentication process the user fails to authenticate. What am I doing wrong? Please Help

---output begins---

sidewinder# ./run-radiusd -X -A
+ LD_LIBRARY_PATH=/usr/local/openssl/lib
+ LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/radius/sbin/radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "/etc/shadow"
unix: group = "/etc/group"
unix: radwtmp = "/usr/local/radius/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/cert/cert-srv.pem"
tls: certificate_file = "/etc/1x/cert/cert-srv.pem"
tls: CA_file = "/etc/1x/cert/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/1x/cert/dh"
tls: random_file = "/etc/1x/cert/random"
tls: fragment_size = 1750
tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
files: compat = "n
Re: EAP-TLS authentication and Certificate Revocation List
On Wed, Mar 19, 2003 at 06:53:28PM +0100, Artur Hecker wrote:
> in fact, the latter is the only real alternative because the certificate
> *has* to point to its proper CRL. also the CRL has to be dated and
> signed by the CA. except, the certificate of the CA itself has to be
> valid too (not expired, not revoked).

Well it actually doesn't have to. Go get yourself a cert from Verisign - note how there's no mention of a CRL in it [basically there's no money in CRLs; they don't scale well; and confuse users. However, they are *fundamental* to the successful operation of a PKI.]

> does your implementation check the revocation of the user certificate
> only or does it also check the revocation of the CA certificate?

The client cert - I don't think you can check the revocation of the CA cert. It's a chicken-and-egg problem: how can you know that the CA cert is compromised when you trust the CA? If a CA is compromised, I think you're talking out-of-band revocation [i.e. shouting "WE'RE DOOMED I TELL YA!"]

> i have some other questions on this topic too: e.g. what happens if the
> fresh CRL is not available and the old one has expired? (because of
> connectivity problems or whatever). much more interesting: suppose you

Apache disables https. Cisco VPN concentrators allow you to choose between rejecting all future requests or to ignore CRL issues until the next successful update occurs. I think the latter is preferable - let the site decide instead of the software.

> put a certificate into the CRL. so it's not valid anymore. what happens
> when it expires? do you let it in the CRL or do you delete it? if you
> delete it, what when a signature made in the period of time from the

When a CRL is generated, it is basically just a signed list of the serial numbers of non-expired certs that have been revoked. i.e. once a cert expires, the next CRL generation removes the cert from the CRL.

> too much problems for me personally. i think that CRLs are not an
> alternative since almost everything gets too complicated with the CRLs
> and finally the CA (parts of it) has to be online at any time.

The CA never needs to be online - just the CRLs.

> on the other hand, the online check protocols for CRLs (e.g. OCSP and
> SCVP) are actually still in development...

Absolutely.

> if i already have an AAA server i prefer to let it do the authorization
> because i will have to install some server/directory which is checked by
> some protocol. so why don't i use RADIUS/DIAMETER directly whenever i
> can - at least within the network like it is the case for 802.1X?

What you're talking about is not PKI. If you're doing EAP/TLS, then it really should support CRLs because that's part of TLS.

Personally, I think we'd be much better off without CAs. I envisage a system whereby client and server auto-generate their own public/private keys (unsigned by any CA) - like SSH does, use them to connect to each other securely (i.e. encryption), then pass off the authentication request to an auth server (such as RADIUS). None of the overhead of a CA and relies on WELL KNOWN, STANDARD, TRIED AND TESTED MECHANISMS OF ACCOUNT MANAGEMENT.

Unfortunately, that doesn't cover the main usage of https today - to let the client know that they have really connected to their bank - and not some hacker's faked site... Only a CA can do that. Gotta pass that buck ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
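The CRL rules Jason lays out (a CRL is a signed list of serials of revoked, not-yet-expired certificates; an expired cert drops off at the next generation; a stale CRL is handled either by rejecting everything or by ignoring the staleness until the next update), as an added worked example that is not code from the thread, FreeRADIUS or OpenSSL. It is a simplified model: the CA signature is an HMAC with a constructed demo key, and times are plain integers.

```python
"""Simplified model of CRL semantics from the thread (constructed example).
Assumptions: CA_KEY stands in for the CA's private signing key, times are seconds
as integers, and a CRL is just a signed list of serial numbers."""
import hashlib
import hmac
from dataclasses import dataclass

CA_KEY = b"constructed-demo-ca-key"  # demo stand-in for the CA private key


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    not_after: int  # expiry time


@dataclass(frozen=True)
class CRL:
    this_update: int
    next_update: int
    serials: frozenset  # serials of revoked certificates that have not yet expired
    signature: bytes


def _payload(this_update: int, next_update: int, serials: frozenset) -> bytes:
    return f"{this_update}|{next_update}|{sorted(serials)}".encode()


def issue_crl(revoked: dict, now: int, lifetime: int) -> CRL:
    """Generate a CRL as the post describes: list only revoked certs that have not
    yet expired, so an expired cert drops off at the next generation."""
    live = frozenset(c.serial for c in revoked.values() if c.not_after > now)
    sig = hmac.new(CA_KEY, _payload(now, now + lifetime, live), hashlib.sha256).digest()
    return CRL(now, now + lifetime, live, sig)


def crl_signature_ok(crl: CRL) -> bool:
    expected = hmac.new(CA_KEY, _payload(crl.this_update, crl.next_update, crl.serials),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, crl.signature)


def check_cert(cert: Cert, crl: CRL, now: int, stale_policy: str = "reject"):
    """Return (accepted, reason). stale_policy models the two choices Jason attributes
    to Cisco VPN concentrators once the CRL is past next_update and no fresh one could
    be fetched: "reject" all requests, or "ignore" the staleness and keep using the
    old list until the next successful update."""
    if now > cert.not_after:
        return False, "certificate expired"
    if not crl_signature_ok(crl):
        return False, "CRL signature invalid"
    if now > crl.next_update and stale_policy == "reject":
        return False, "CRL stale: rejecting until a fresh CRL is available"
    if cert.serial in crl.serials:
        return False, "certificate revoked"
    return True, "ok"


def demo():
    """Constructed scenario; returns the decision at each step."""
    alice = Cert(1, "alice", not_after=2000)
    bob = Cert(2, "bob", not_after=500)
    carol = Cert(3, "carol", not_after=2000)
    revoked = {alice.serial: alice, bob.serial: bob}

    crl1 = issue_crl(revoked, now=100, lifetime=100)  # valid until t=200
    crl2 = issue_crl(revoked, now=600, lifetime=100)  # bob has expired by now
    return {
        "alice@150": check_cert(alice, crl1, 150),
        "bob_listed_in_crl1": bob.serial in crl1.serials,
        "bob_listed_in_crl2": bob.serial in crl2.serials,  # dropped: expired
        "bob@650": check_cert(bob, crl2, 650),
        "carol@250_reject": check_cert(carol, crl1, 250, "reject"),  # CRL is stale
        "carol@250_ignore": check_cert(carol, crl1, 250, "ignore"),
        "alice@250_ignore": check_cert(alice, crl1, 250, "ignore"),  # still revoked
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```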
Re: multiple attributes in reply message
"Sunny Wang" <[EMAIL PROTECTED]> wrote: > I'm using FreeRADIUS Version 0.8.1, I would like to be able to get multiple > attributes of the same type in accept reply message. Can someone let me > know how do I do that? Read the 'man' page for the 'users' file. > Filter-Id = "in: abc", > Filter-Id = "out: xyz" You want: ... Filter-Id += "in: abc", Filter-Id += "out: xyz" ... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
multiple attributes in reply message
Hi,

I'm using FreeRADIUS Version 0.8.1, I would like to be able to get multiple attributes of the same type in accept reply message. Can someone let me know how do I do that? Here is my record:

    [EMAIL PROTECTED]  User-Password == "blah"
            Service-Type = Framed-User,
            Framed-IP-Address = 10.1.1.12,
            Filter-Id = "in: abc",
            Filter-Id = "out: xyz"

FreeRADIUS server currently is only sending me Filter-Id = "in: abc" but not Filter-Id = "out: xyz".

Thanks for the help.

--Sunny
rlm_sqlcounter: unknown xlat function [WAS: rlm_sqlcounter Help-me]
I have the same problem as the previous message posted below. Did this ever get solved? I need help with:

    WARNING: Attempt to use unknown xlat function or attribute in string %{sqlcca3:

as in the original message below.

Ed

----- original message from Mon, 23 Dec 2002 03:33:47 -0800 -----

i need help

table radgroupcheck:

    mysql> select * from radgroupcheck where GroupName='35Horas';
    +----+-----------+---------------------+----+--------+
    | id | GroupName | Attribute           | op | Value  |
    +----+-----------+---------------------+----+--------+
    | 15 | 35horas   | Max-Monthly-Session | := | 126000 |
    +----+-----------+---------------------+----+--------+
    1 row in set (0.00 sec)

    mysql> SELECT SUM(AcctSessionTime - GREATEST((1038708000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='santos' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1038708000';
    +----------------------------------------------------------------------------------+
    | SUM(AcctSessionTime - GREATEST((1038708000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) |
    +----------------------------------------------------------------------------------+
    |                                                                           232305 |
    +----------------------------------------------------------------------------------+
    1 row in set (0.00 sec)

radius -X

    rlm_sqlcounter: Entering module authorize code
    rlm_sqlcounter: Could not find Check item value pair
    modcall[authorize]: module "noresetcounter" returns noop
    rlm_sqlcounter: Entering module authorize code
    rlm_sqlcounter: Could not find Check item value pair
    modcall[authorize]: module "dailycounter" returns noop
    rlm_sqlcounter: Entering module authorize code
    sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((1038708000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1038708000''
    radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1038708000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='santos' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1038708000''
    sqlcounter_expand: '%{sqlcca3:SELECT SUM(AcctSessionTime - GREATEST((1038708000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='santos' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1038708000'}'
    WARNING: Attempt to use unknown xlat function or attribute in string %{sqlcca3:SELECT SUM(AcctSessionTime - GREATEST((1038708000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='santos' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1038708000'}
    radius_xlat: ''
    rlm_sqlcounter: (Check item - counter) is greater than zero
    rlm_sqlcounter: Authorized user santos, check_item=126000, counter=0
    rlm_sqlcounter: Sent Reply-Item for user santos, Type=Session-Timeout, value=126000
    modcall[authorize]: module "monthlycounter" returns ok
    modcall: group authorize returns ok

Why not work ?

----- end of original message from Mon, 23 Dec 2002 03:33:47 -0800 -----
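The counter query from the post, as an added example that is not rlm_sqlcounter code: it runs the query against constructed radacct rows in SQLite, reproduces the same arithmetic in Python, and models the authorize decision the debug log shows, including the case where the expansion came back empty and the counter was treated as 0. Assumptions: SQLite stands in for MySQL, so UNIX_TIMESTAMP() and GREATEST() are replaced by strftime('%s') and the scalar MAX(); AcctStartTime is stored as UTC 'YYYY-MM-DD HH:MM:SS'.

```python
"""Constructed example: the rlm_sqlcounter monthly query from the post, run in SQLite
and re-implemented in Python, plus a model of the authorize decision in the log."""
import sqlite3
from datetime import datetime, timezone

PERIOD_START = 1038708000  # the %b value (start of the reset period) in the post's expanded query


def _fmt(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def _unix(s: str) -> int:
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())


# Constructed accounting rows: (UserName, AcctStartTime, AcctSessionTime in seconds)
RADACCT_ROWS = [
    ("santos", _fmt(PERIOD_START - 3600), 7200),   # straddles the period start: only 3600 s count
    ("santos", _fmt(PERIOD_START + 1000), 5000),   # entirely inside the period: 5000 s count
    ("santos", _fmt(PERIOD_START - 10000), 5000),  # ended before the period: ignored
    ("other", _fmt(PERIOD_START + 100), 999),      # another user: ignored
]

# The post's query with MySQL's UNIX_TIMESTAMP/GREATEST translated to SQLite
USAGE_QUERY = """
SELECT SUM(AcctSessionTime - MAX(? - CAST(strftime('%s', AcctStartTime) AS INTEGER), 0))
FROM radacct
WHERE UserName = ?
  AND CAST(strftime('%s', AcctStartTime) AS INTEGER) + AcctSessionTime > ?
"""


def usage_via_sql(rows, user, period_start):
    """Run the counter query in an in-memory SQLite database; None when no rows match."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime TEXT, AcctSessionTime INTEGER)")
    con.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    (total,) = con.execute(USAGE_QUERY, (period_start, user, period_start)).fetchone()
    con.close()
    return total


def usage_in_python(rows, user, period_start):
    """Same arithmetic without SQL: clip each session to the part after period_start."""
    total = 0
    for name, start, length in rows:
        start_ts = _unix(start)
        if name == user and start_ts + length > period_start:
            total += length - max(period_start - start_ts, 0)
    return total


def sqlcounter_decision(check_item, counter):
    """Model of the log lines: authorized when (check item - counter) > 0, and the
    remainder is sent as Session-Timeout. A failed expansion (radius_xlat: '') shows up
    in the log as counter=0, so the limit is not enforced: the check fails open."""
    remaining = check_item - (counter or 0)
    return (True, remaining) if remaining > 0 else (False, 0)


if __name__ == "__main__":
    print("usage via SQL:   ", usage_via_sql(RADACCT_ROWS, "santos", PERIOD_START))
    print("usage in Python: ", usage_in_python(RADACCT_ROWS, "santos", PERIOD_START))
    print("post's numbers:  ", sqlcounter_decision(126000, 232305))  # over the limit
    print("empty expansion: ", sqlcounter_decision(126000, None))    # what the log shows
```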
Re: Newbie: Authenticating dialin user
"Adrian Cunliffe" <[EMAIL PROTECTED]> wrote: > I have FreeRADIUS-0.8.1, portslave-2002.10.21 and MySQL installed. The > Radius server is authenticating users from my MySQL database using the > RADping test, and now I'm trying to authenticate users dialling in, and > it's not working. I have had users dialling in, authenticating and > accessing the web, by using just the Linux users list, but not from the > MySQL db. Can anyone help?? Read the FAQ? It has directions for tracking down these sort of problems. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sqlcounter.conf Error
Fixed it. When I had copied it verbatim to the sqlcounter.conf file, I forgot to take out the carriage returns from the doc/rlm_sqlcounter file. So one line was wrapping to the next with a /r/n and the processor did not recognize it as part of the first line's A/V pair. Du <:-l

Ed

From: "Ed H" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: sqlcounter.conf Error
Date: Wed, 19 Mar 2003 23:08:40 +

I am using the rlm_sqlcounter module. I have configured per the documentation from doc/rlm_sqlcounter. When I run radiusd in debug mode I get the following error:

    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /etc/raddb/proxy.conf
    Config: including file: /etc/raddb/clients.conf
    Config: including file: /etc/raddb/snmp.conf
    Config: including file: /etc/raddb/sqlcounter.conf
    /etc/raddb/sqlcounter.conf[22]: Line is not in 'attribute = value' format
    Errors reading radiusd.conf

Below is my sqlcounter.conf file, which was copied directly from the doc/rlm_sqlcounter documentation, verbatim:

    # sqlcounter.conf file
    #
    sqlcounter noresetcounter {
            counter-name = Max-All-Session-Time
            check-name = Max-All-Session
            sqlmod-inst = sql
            key = User-Name
            reset = never
            query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
    }

    sqlcounter dailycounter {
            driver = "rlm_sqlcounter"
            counter-name = Daily-Session-Time
            check-name = Max-Daily-Session
            sqlmod-inst = sqlcca3
            key = User-Name
            reset = daily
            query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }

    sqlcounter monthlycounter {
            counter-name = Monthly-Session-Time
            check-name = Max-Monthly-Session
            sqlmod-inst = sqlcca3
            key = User-Name
            reset = monthly
            query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }

Anyone run into this issue before?

Ed
sqlcounter.conf Error
I am using the rlm_sqlcounter module. I have configured per the documentation from doc/rlm_sqlcounter. When I run radiusd in debug mode I get the following error:

    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /etc/raddb/proxy.conf
    Config: including file: /etc/raddb/clients.conf
    Config: including file: /etc/raddb/snmp.conf
    Config: including file: /etc/raddb/sqlcounter.conf
    /etc/raddb/sqlcounter.conf[22]: Line is not in 'attribute = value' format
    Errors reading radiusd.conf

Below is my sqlcounter.conf file, which was copied directly from the doc/rlm_sqlcounter documentation, verbatim:

    # sqlcounter.conf file
    #
    sqlcounter noresetcounter {
            counter-name = Max-All-Session-Time
            check-name = Max-All-Session
            sqlmod-inst = sql
            key = User-Name
            reset = never
            query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
    }

    sqlcounter dailycounter {
            driver = "rlm_sqlcounter"
            counter-name = Daily-Session-Time
            check-name = Max-Daily-Session
            sqlmod-inst = sqlcca3
            key = User-Name
            reset = daily
            query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }

    sqlcounter monthlycounter {
            counter-name = Monthly-Session-Time
            check-name = Max-Monthly-Session
            sqlmod-inst = sqlcca3
            key = User-Name
            reset = monthly
            query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }

Anyone run into this issue before?

Ed
[slightly offtopic] Cisco IVR with rlm_sqlcounter
Hi,

I am interested in a billing solution for telephony through the Cisco AS5350's IVR system. I have RTFM, both Cisco's docs, the FreeRADIUS docs (especially exec-program and sqlcounter), as well as the mailing list archives. There are several threads along the lines of, "Is this possible?", "Yes, it's easy, RTFM."

It doesn't look too challenging on paper -- certainly not as hard as first grokking the whole RADIUS concept -- but has anyone actually managed to build something with an SQL database (e.g. MySQL or PostgreSQL), FreeRADIUS and software that they wrote themselves (i.e. in exec-program or rlm_python) that can support prepaid calling cards fairly completely? Did you encounter any little problems along the way? Did you successfully overcome them? (I realize that the logic on the other side to calculate toll charges for different countries etc is a completely different thing.)

The problem is that I don't have a Cisco AS5350 or anything resembling its IVR system here. I am considering whether to purchase a commercial billing solution or to roll my own.

Guan
questions about sql
Hello,

I was checking sql.conf and wondering what simul_count_query and simul_verify_query do. If the return value of simul_count_query for a user is more than one (say 3), does this mean this user has 3 simultaneous sessions?

Regards,
Simon
Newbie: Authenticating dialin user
Hello,

I'm doing a final year university project and I'm setting up a dial-up service. I'm using everything on one Linux Redhat machine as an all-in-one-box solution. I have FreeRADIUS-0.8.1, portslave-2002.10.21 and MySQL installed. The Radius server is authenticating users from my MySQL database using the RADping test, and now I'm trying to authenticate users dialling in, and it's not working. I have had users dialling in, authenticating and accessing the web, by using just the Linux users list, but not from the MySQL db. Can anyone help??

Many thanks,
Adi
Re: adding realm to username without it
Christophe Boyanique <[EMAIL PROTECTED]> wrote:
> I want to have a detail file matching something like:
> -.log and the only way I found was to force the User-Name
> variable on the proxy just before sending requests to the Home with
> something like @. Or is there a way to have a
> different log file depending on parameters (like Realm,
> Called-Station-Id, etc.) on the same accounting server ?

Yes. You can use any variable in the 'detailfile' directive:

    detailfile = %{Realm}-%Y%m%d-%{Called-Station-Id}.radlog

Alan DeKok.
Re: adding realm to username without it
On Wed, Mar 19, 2003 at 08:24:06AM -0500, Alan DeKok wrote:
> > I need to add a realm to all user without it.
> Why?

I have the same need here: I receive call access-requests and accounting requests without User-Name nor User-Password that I proxify to a 'home' server. I want to have a detail file matching something like: -.log and the only way I found was to force the User-Name variable on the proxy just before sending requests to the Home with something like @. Or is there a way to have a different log file depending on parameters (like Realm, Called-Station-Id, etc.) on the same accounting server ?

I explained the setup on a previous message on Mon, 17 Mar 2003 13:07:17 +0100 with subject "Re: attr_rewrite conditional?" (http://lists.cistron.nl/archives/freeradius-users/2003/03/frm00498.html). And I'm afraid that setup is unreliable about new freeradius versions...

This is an example of why modifying the request before proxying may be helpful (all that because the working platform we want to replace with freeradius today runs with cisco and tacacs, and doesn't ask for either username or password on cell phones, and there is no way to ask all the clients to add a username on their phone configuration).
Re: EAP/TLS certificates and server questions
Thanks Artur,

Artur Hecker wrote:
> hi
>
> > Thanks to the EAP/TLS Howto, I was able to setup the radius server and
> > get all the authentication I needed going. Now the script, which creates
> > the root certificate, generates root.pem with a lifetime of 30 days.
> > After that authentication doesn't work, OK. Last month I recreated
> > everything. That's a pain...
> >
> > - How can I extend them? Reuse them? What's the deal?
>
> no reuse. you have to set another expiration date. take a look at the
> scripts.

Well, I didn't find any expiration date in my CA.root script. In openssl.cnf
I have:

    default_days     = 365    # how long to certify for
    default_crl_days = 365

These only seem to affect the 'user' certs - gives them one year lifetime.
Using the script in http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

This is the script CA.root I am using.

---snipsnip---
#!/bin/sh
SSL=/usr/local/openssl-certgen
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib

# needed if you need to start from scratch otherwise the CA.pl -newca command
# doesn't copy the new private key into the CA directories
rm -rf demoCA

echo "*"
echo "Creating self-signed private key and certificate"
echo "When prompted override the default value for the Common Name field"
echo "*"
echo

# Generate a new self-signed certificate.
# After invocation, newreq.pem will contain a private key and certificate
# newreq.pem will be used in the next step
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever

echo "*"
echo "Creating a new CA hierarchy (used later by the "ca" command) with the certificate"
echo "and private key created in the last step"
echo "*"
echo

echo "newreq.pem" | CA.pl -newca >/dev/null

echo "*"
echo "Creating ROOT CA"
echo "*"
echo

# Create a PKCS#12 file, using the previously created CA certificate/key
# The certificate in demoCA/cacert.pem is the same as in newreq.pem. Instead of
# using "-in demoCA/cacert.pem" we could have used "-in newreq.pem" and then omitted
# the "-inkey newreq.pem" because newreq.pem contains both the private key and certificate
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever

# parse the PKCS#12 file just created and produce a PEM format certificate and key in root.pem
openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever

# Convert root certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in root.pem -out root.der

#Clean Up
rm -rf newreq.pem
---snipsnip---

This script creates my 'root.der' file, which I store on the wifi clients.

> > I have the second box, with software up and running. But again, the
> > certificates:
> > - My first attempt - just copying them - didn't work. OK, just a try.
>
> why? what exactly did you copy and what exactly did you certify?
>
> > - Second, since the certs are tied to hostname, I recreated them - guess
> > what...
>
> well, you have to look at what you are doing. are you sure that your
> certificates are tied to the host address? because mine are not. and i
> doubt that this is verified anyway. the server simply has a pair of keys
> and both are signed and one of them (the private) is encrypted. the
> possession of the decryption key enables the usage.

AFAIK I have three types of certs, which I need:

    filename     location                 script-file
    root.pem     radius-server:/etc/1x    CA.root
    root.der     user-host                #created above - derived
    server.pem   radius-server:/etc/1x    CA.svr
    user.p12     user-host                CA.clt

So, server.pem has the hostname "in it"...

Rather than fixing the way I did it... what about showing me the right way to
do it: copying / modifying / creating the appropriate certs for a backup
radius server.

> ciao
> artur

As you can see, I am a bit lost there...

Thanks a lot for your help!
Tom
--
Thomas Maenner
E-Mail: mailto:[EMAIL PROTECTED]
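The 30-day root lifetime in the CA.root script comes from the default of 'openssl req -x509', not from openssl.cnf's default_days (which only governs certificates issued later by 'openssl ca'). This added example, not part of the thread or the HOWTO script, shows the flag that sets the root lifetime and a check that catches a short one; all names and paths are made up.

```sh
#!/bin/sh
# Added example, not part of the CA.root script or the thread. The lifetime of
# a self-signed root is set by '-days' on 'openssl req -x509'; without it the
# command defaults to 30 days, and openssl.cnf's default_days only applies to
# certificates later issued by 'openssl ca'. Names and paths are made up.
set -e

# make_root DAYS OUTFILE CONFIG: self-signed root as in CA.root, but with an
# explicit lifetime. -nodes and -subj avoid the interactive prompts; the
# private key is written next to the certificate as OUTFILE.key.
make_root() {
  openssl req -new -x509 -days "$1" -nodes -newkey rsa:2048 \
    -keyout "$2.key" -out "$2" -subj "/CN=Example Root CA" \
    -config "$3" >/dev/null 2>&1
}

# still_valid_in CERT SECONDS: exit 0 if the certificate is still valid
# SECONDS from now, 1 if it will have expired by then ('x509 -checkend').
still_valid_in() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# expiry_of CERT: prints "notAfter=<date>", the value to put under monitoring
# so the 30-day surprise from the thread is caught before the clients fail.
expiry_of() {
  openssl x509 -noout -enddate -in "$1"
}

# Compare a root made the CA.root way (no -days, so 30 days) with one given
# an explicit ten-year lifetime.
demo() {
  work=$(mktemp -d)
  # Minimal req config so the run does not depend on a system openssl.cnf.
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$work/req.cnf"
  make_root 30 "$work/short.pem" "$work/req.cnf"     # what CA.root produces
  make_root 3650 "$work/long.pem" "$work/req.cnf"    # explicit -days 3650
  one_year=$((365 * 24 * 3600))
  still_valid_in "$work/short.pem" "$one_year" && short=ok || short=expiring
  still_valid_in "$work/long.pem" "$one_year" && long=ok || long=expiring
  expiry_of "$work/short.pem" >&2
  expiry_of "$work/long.pem" >&2
  rm -rf "$work"
  echo "$short $long"   # expected: expiring ok
}

demo
```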
Re: db.counter: Permission denied
"Ed H" <[EMAIL PROTECTED]> wrote:
> I just configured the counter module in radiusd.conf and I restarted radiusd
> and got this error:
>
> rlm_counter: Failed to open file /etc/raddb/db.counter: Permission denied
>
> Any suggestions on how to fix?

chmod?

Alan DeKok.
db.counter: Permission denied
I just configured the counter module in radiusd.conf and I restarted radiusd and got this error:

    rlm_counter: Failed to open file /etc/raddb/db.counter: Permission denied

Any suggestions on how to fix?

Ed
Re: questions about checkrad
Got it to work! I changed nastype=other in clients.conf. I had nastype=portslave. Now NTRadPing is giving Access-Reject when trying to log in multiple times. Hallelujah!

Thanks for your help.

Ed

From: "Ed H" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: questions about checkrad
Date: Wed, 19 Mar 2003 18:37:39 +

Hello Alan,

Where is nastype=other, defined? In the clients.conf or in checkrad.pl?

Ed

From: "Alan DeKok" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: questions about checkrad
Date: Tue, 18 Mar 2003 13:06:58 -0500

"Simon Son" <[EMAIL PROTECTED]> wrote:
> I think what you said in this reply is the situation I am in.
> So if I can't use checkrad, Can you suggest what I should do to make
> Simultaneous-Use work

If checkrad can't be run (nastype is "other"), then the information in radutmp is believed, and enforces Simultaneous-Use.

> I set radiusd.conf like this ...

That's nice, but what happens when you send packets to the server?

Grab the current CVS snapshot. It should give more information as to what's happening during Simultaneous-Use checking.

Alan DeKok.
Re: questions about checkrad
On Wed, 19 Mar 2003, Ed H wrote:
> Hello Alan,
>
> Where is nastype=other, defined? In the clients.conf or in checkrad.pl?

clients.conf :-)

K.
Re: questions about checkrad
"Ed H" <[EMAIL PROTECTED]> wrote:
> Where is nastype=other, defined? In the clients.conf or in checkrad.pl?

clients.conf. The documentation in the comments in the file describes it.

Alan DeKok.
Re: Multi-choice authentication.
"Michael Davidson" <[EMAIL PROTECTED]> wrote:
> After some considerable reading as well as testing and feeling I'm missing
> something basic, I need to know if the following setup possible.
>
> LDAP backend supporting a Radius server providing authentication by
> auth-type as determined by the incoming request on the day.(lets say any one
> of PAP CHAP & MS_CHAP v1 or 2)

That's possible.

> I have most of it working providing I pre-determine the Auth-Type, but
> request determined Auth-Type defeats me. Some pointers at the basic config
> level would be appreciated

No, you don't want to pre-determine the Auth-Type. You want to list the relevant modules in the 'authorize' section. They will look at the request, and set Auth-Type to themselves, if they see something they recognize.

Alan DeKok.
Re: linking to a c++ lib in a module
Mike Varley <[EMAIL PROTECTED]> wrote:
> I have a module which is linking (and using) a library which is using
> the standard C++ library; when I kill -HUP radiusd, I get a segfault in
> dl_close() (dumps core). This is primarily witnessed under Linux.

I believe that this was a result of link ordering. The module code was fixed to do link(a,b,c), and then unlink(c,b,a). It was previously unlinking them in the opposite order, which was wrong.

> I tried building the module alone with '-lstdc++', but this did not
> solve the problem; should I rebuild the radius core with the '-lstdc++'
> flag? is there a configure option to do this?

That may help, but there's no configure option to do that.

Alan DeKok.
Re: questions about checkrad
Hello Alan,

Where is nastype=other, defined? In the clients.conf or in checkrad.pl?

Ed

From: "Alan DeKok" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: questions about checkrad
Date: Tue, 18 Mar 2003 13:06:58 -0500

"Simon Son" <[EMAIL PROTECTED]> wrote:
> I think what you said in this reply is the situation I am in.
> So if I can't use checkrad, Can you suggest what I should do to make
> Simultaneous-Use work

If checkrad can't be run (nastype is "other"), then the information in radutmp is believed, and enforces Simultaneous-Use.

> I set radiusd.conf like this ...

That's nice, but what happens when you send packets to the server?

Grab the current CVS snapshot. It should give more information as to what's happening during Simultaneous-Use checking.

Alan DeKok.
Re: adding realm to username without it
Alain Cocconi <[EMAIL PROTECTED]> wrote:
> One of the features i need but not find in doc/mailing list is :
>
> I need to add a realm to all user without it.

Why?

Alan DeKok.
Re: questions about checkrad
"Simon Son" <[EMAIL PROTECTED]> wrote:
> > If checkrad can't be run (nastype is "other"), then the information
> > in radutmp is believed, and enforces Simultaneous-Use.
>
> I use sql for session, So I was wondering if above statment is applied to
> sql as well.

Yes.

Alan DeKok.
Re: EAP-TLS authentication and Certificate Revocation List
hi

> Look at mod_ssl for Apache, and the smime component of openssl - both do
> CRL checking.

i actually meant 802.1X clients but thanks for this info.

> To get you started: CRL are dealt with by manually downloading the .crl and
> referring to it by filename under Apache (works really well), and
> crlDistributionPoints are used within signed certs to point to HTTP and
> LDAP-based URLs of the CRL for most other PKI apps (e.g S/MIME, X509 in
> IPSec), i.e. the cert itself refers to the URL.

in fact, the latter is the only real alternative because the certificate *has* to point to its proper CRL. also the CRL has to be dated and signed by the CA. except, the certificate of the CA itself has to be valid too (not expired, not revoked). does your implementation check the revocation of the user certificate only or does it also check the revocation of the CA certificate?

i have some other questions on this topic too: e.g. what happens if the fresh CRL is not available and the old one has expired? (because of connectivity problems or whatever).

much more interesting: suppose you put a certificate into the CRL. so it's not valid anymore. what happens when it expires? do you let it in the CRL or do you delete it? if you delete it, what when a signature made in the period of time from the revocation to the expiration (i.e. an invalid sig) is checked later i.e. after the expiration? it will suddenly appear perfectly valid, right? if you do not delete it, your CRL keeps on growing forever, right?

too many problems for me personally. i think that CRLs are not an alternative since almost everything gets too complicated with the CRLs and finally the CA (parts of it) has to be online at any time. on the other hand, the online check protocols for CRLs (e.g. OCSP and SCVP) are actually still in development... if i already have an AAA server i prefer to let it do the authorization because i will have to install some server/directory which is checked by some protocol. so why don't i use RADIUS/DIAMETER directly whenever i can - at least within the network like it is the case for 802.1X?

> Basically the first is easiest, and the latter scales best. The so-called
> "standards" are pretty bad for the latter - I've had tonnes of problems with
> such things - whereas the "here is the path to the CRL file" is pretty
> brain-dead and works 100% of the time :-). For our secure Apache servers, I
> just push via rsync the new CRL as it is generated, and a cronjob on the
> apache servers HUP it when the file changes. Frankly, given the amount of
> times a client cert is referenced, there's probably no downside
> (performance-wise) in simply re-reading the CRL every time it needs to be
> checked.

thanks for your explanations however. it's interesting :)

ciao
artur

--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
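Two of the points argued above (a verifier must reject a certificate once the CRL lists it, and revocation is only as good as the verifier's willingness to consult the CRL at all) can be tried end to end with openssl. This is an added example, not anything from the thread: a throwaway CA signs a client certificate, revokes it, publishes a CRL, and 'openssl verify -crl_check' rejects the certificate afterwards; all names, paths and the config file are made up.

```sh
#!/bin/sh
# Added example, not from the thread: a throwaway CA issues a client
# certificate, revokes it, publishes a CRL, and 'openssl verify -crl_check'
# rejects the certificate afterwards. All names, paths and the config are
# made up for this demonstration.
set -e

crl_demo() {
  work=$(mktemp -d)
  cd "$work"
  mkdir -p demoCA/newcerts
  : > demoCA/index.txt
  echo 01 > demoCA/serial

  # Minimal 'openssl ca' configuration. default_crl_days is the CRL's own
  # validity: a verifier doing CRL checks must reject a CRL older than that,
  # which is the "stale CRL" case raised above (it fails closed).
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = ./demoCA
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
certificate        = ./root.pem
private_key        = ./root.key
default_md         = sha256
default_days       = 365
default_crl_days   = 7
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

  # Root CA with an explicit lifetime (the thread's CA.root omits -days and
  # so gets the 30-day default of 'req -x509').
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -keyout root.key -out root.pem -subj "/CN=Example Root CA" \
    -config ca.cnf >/dev/null 2>&1

  # Client certificate: request, then sign it with the CA.
  openssl req -new -nodes -newkey rsa:2048 -keyout user.key -out user.csr \
    -subj "/CN=example-user" -config ca.cnf >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -in user.csr -out user.pem \
    >/dev/null 2>&1

  # Fresh, empty CRL: the certificate verifies.
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  openssl verify -crl_check -CAfile root.pem -CRLfile crl.pem user.pem \
    >/dev/null 2>&1 && before=ok || before=fail

  # Revoke and republish the CRL: the same certificate is now rejected.
  openssl ca -config ca.cnf -revoke user.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  openssl verify -crl_check -CAfile root.pem -CRLfile crl.pem user.pem \
    >/dev/null 2>&1 && after=ok || after=fail

  # Without -crl_check the CRL is never consulted and the revoked
  # certificate still verifies: revocation only works if the verifier
  # (here, the RADIUS server) is configured to check it.
  openssl verify -CAfile root.pem user.pem >/dev/null 2>&1 \
    && unchecked=ok || unchecked=fail

  cd - >/dev/null
  rm -rf "$work"
  echo "$before $after $unchecked"   # expected: ok fail ok
}

crl_demo
```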
Multi-choice authentication.
After some considerable reading as well as testing and feeling I'm missing something basic, I need to know if the following setup is possible.

LDAP backend supporting a Radius server providing authentication by auth-type as determined by the incoming request on the day (let's say any one of PAP, CHAP & MS_CHAP v1 or 2).

I have most of it working providing I pre-determine the Auth-Type, but request-determined Auth-Type defeats me. Some pointers at the basic config level would be appreciated.

Regards
Mike D.

Michael Davidson
082 650 5707 Cell
011 532 8380 Direct
011 484 4740 Reception
linking to a c++ lib in a module
This problem was noticed back in Sept 2000, but I never saw the resulting solution;

I have a module which is linking (and using) a library which is using the standard C++ library; when I kill -HUP radiusd, I get a segfault in dl_close() (dumps core). This is primarily witnessed under Linux.

I tried building the module alone with '-lstdc++', but this did not solve the problem; should I rebuild the radius core with the '-lstdc++' flag? is there a configure option to do this?

Sorry for the redundant post. Any help would be appreciated.

MV
--
~~~
Mike Varley
-= SOMA Networks =-
Tel: 416.977.1414 x1578
email: [EMAIL PROTECTED]
Re: Freeradius/Xsupplicant EAP-MD
i don't know exactly what happens but it's clearly not a correct response to the issued challenge:

> Sending Access-Challenge of id 57 to 192.168.2.205:1091
>         EAP-Message = "\001%\000\026\004\020\361\003\026,\tt\t\273{\035\247\314,\200\361<"
>         Message-Authenticator = 0x
>         State = 0x9b7b487b9b29a9bd2949c0104895a2b63e89783e32c85da841d50ca2346d6116c074cd80
> rad_recv: Access-Request packet from host 192.168.2.205:1092, id=58, length=187
>         User-Name = "toto"
>         Cisco-AVPair = "ssid=access_point"
>         NAS-IP-Address = 192.168.2.205
>         Called-Station-Id = "0040965b1dc6"
>         Calling-Station-Id = "000b46bd5909"
>         NAS-Identifier = "AP350-5b1dc6"
>         NAS-Port = 38
>         Framed-MTU = 1400
>         State = 0x9b7b487b9b29a9bd2949c0104895a2b63e89783e32c85da841d50ca2346d6116c074cd80
>         NAS-Port-Type = Wireless-802.11
>         Service-Type = Login-User
>         EAP-Message = "\002%\000\006\003\r"
>         Message-Authenticator = 0x4e478a7a91d21542bb065660cbaade88

take a look at the EAP message, it's NEVER a challenge response - way too short. i'm not familiar with xsupplicant though...

ciao
artur

--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
Re: Simultanous use not working using sql
Hello Wisam,

I am no expert here, but it sounds like you need the Perl modules SNMP_Session and BER installed. You can find them at http://www.switch.ch/misc/leinen/snmp/perl/

This is documented in doc/Simultaneous-Use

Ed

From: Wisam Najim <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Simultanous use not working using sql
Date: Wed, 19 Mar 2003 12:30:41 +0400

I am using database to check for simultaneous use. I define the Simultaneous-Use value in "radgroupcheck" table. Even if Simultaneous-Use limit is reached the user can still login and get Access-Accept. "AcctStopTime" is updated and "Acct-Input-Octets", "AcctOutputOctets", "Acct-Session-Time" are initialized to zero in the already existing record for that user in database and the new session is accepted. I want to know what are the conditions that enable this to happen. I believe the check of the fields returned by "simul_verify_query" leads to this. My query looks like this:

    SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId,
           FramedIPAddress, CallingStationId, FramedProtocol
    FROM ${acct_table1}
    WHERE CalledStationId='%{Called-Station-Id}' AND AcctStopTime IS NULL

The weird part of the debug I get once running radius with -xxx option is:

    Wed Mar 19 10:46:22 2003 : Debug: radius_xlat: 'SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE CalledStationId='3362830' AND AcctStopTime IS NULL'
    checkrad: Neither SNMP_Session module or found!
    checkrad: Neither SNMP_Session module or found!
    Wed Mar 19 10:46:22 2003 : Debug: modcall: entering group accounting

Regards,

<< WisamSuleimanNajim.vcf >>
Re: adding realm to username without it
check out attr_rewrite.

    attr_rewrite nodomain {
        attribute = Realm
        searchin = packet
        searchfor = "NULL"
        replacewith = "mydomain.com"
        ignore_case = yes
        new_attribute = no
        max_matches = 10
        append = no
    }

On Wed, 19 Mar 2003, Alain Cocconi wrote:
> Hi everybody,
>
> I'm currently checking if it is possible for me to switch from icradius+my
> patches to freeradius.
> One of the features i need but not find in doc/mailing list is :
>
> I need to add a realm to all user without it.
>
> remote username sended will become
> ex: johndue --> [EMAIL PROTECTED]
> [EMAIL PROTECTED] --> [EMAIL PROTECTED]
> [EMAIL PROTECTED] --> [EMAIL PROTECTED]
>
>
> I've search a lot in archives and docs but not find answer for this.
>
> tia guys
> Alain Cocconi
>
> SATNET SARL
> BP 2694
> NOUMEA CEDEX
> Nouvelle Caledonie
> Phone : +687 24 38 70
> Fax : +687 27 12 50
Freeradius/Xsupplicant EAP-MD
Hello,

I have got a problem to use EAP-MD5 on freeradius and xsupplicant client.

=>
    rlm_eap: Unsupported EAP_TYPE 3
    modcall[authenticate]: module "eap" returns invalid
    modcall: group authenticate returns invalid
    auth: Failed to validate the user.

see radius.conf, client.conf, users next

thanks,

    xsupplicant -i eth1 -u toto -p iup2002 -m MD

    >radiusd -X -A
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config:   including file: /usr/local/etc/raddb/proxy.conf
    Config:   including file: /usr/local/etc/raddb/clients.conf
    Config:   including file: /usr/local/etc/raddb/snmp.conf
    Config:   including file: /usr/local/etc/raddb/sql.conf
     main: prefix = "/usr/local"
     main: localstatedir = "/usr/local/var"
     main: logdir = "/usr/local/var/log/radius"
     main: libdir = "/usr/local/lib"
     main: radacctdir = "/usr/local/var/log/radius/radacct"
     main: hostname_lookups = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = "/usr/local/var/log/radius/radius.log"
     main: log_auth = no
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
     main: user = "(null)"
     main: group = "(null)"
     main: usercollide = no
     main: lower_user = "no"
     main: lower_pass = "no"
     main: nospace_user = "no"
     main: nospace_pass = "no"
     main: checkrad = "/usr/local/sbin/checkrad"
     main: proxy_requests = yes
     proxy: retry_delay = 5
     proxy: retry_count = 3
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     proxy: servers_per_realm = 15
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = no
     main: debug_level = 0
    read_config_files:  reading dictionary
    read_config_files:  reading naslist
    read_config_files:  reading clients
    read_config_files:  reading realms
    radiusd:  entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded eap
     eap: default_eap_type = "md5"
     eap: timer_expire = 60
    rlm_eap: Loaded and initialized the type md5
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
     preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
     preprocess: hints = "/usr/local/etc/raddb/hints"
     preprocess: with_ascend_hack = no
     preprocess: ascend_channels_per_line = 23
     preprocess: with_ntdomain_hack = no
     preprocess: with_specialix_jetstream_hack = no
     preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded files
     files: usersfile = "/usr/local/etc/raddb/users"
     files: acctusersfile = "/usr/local/etc/raddb/acct_users"
     files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
     files: compat = "no"
    Module: Instantiated files (files)
    Module: Loaded realm
     realm: format = "suffix"
     realm: delimiter = "@"
    Module: Instantiated realm (suffix)
    Module: Loaded Acct-Unique-Session-Id
     acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
     detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
     detail: detailperm = 384
     detail: dirperm = 493
     detail: locking = no
    Module: Instantiated detail (detail)
    Module: Loaded System
     unix: cache = no
     unix: passwd = "(null)"
     unix: shadow = "(null)"
     unix: group = "(null)"
     unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
     unix: usegroup = no
     unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded radutmp
     radutmp: filename = "/usr/local/var/log/radius/radutmp"
     radutmp: username = "%{User-Name}"
     radutmp: perm = 384
     radutmp: callerid = yes
    Module: Instantiated radutmp (radutmp)
    Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.2.205:1091, id=57, length=152
            User-Name = "toto"
            Cisco-AVPair = "ssid=access_point"
            NAS-IP-Address = 192.168.2.205
            Called-Station-Id = "0040965b1dc6"
            Calling-Station-Id = "000b46bd5909"
            NAS-Identifier = "AP350-5b1dc6"
            NAS-Port = 38
            Framed-MTU = 1400
            NAS-Port-Type = Wireless-802.11
            Service-Type = Login-User
            EAP-Message = "\002$\000\t\001toto"
            Message-Authenticator = 0x67aab7cb1cac007edb92015f0f1690f1
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
        users: Matched DEFAULT at 152
    modcall[authorize]: module "files" returns ok
    modcall[authorize]: module "eap" returns updated
    modcall: group authorize returns updated
    rad_check_password:  Found Auth-Type EAP
    auth: type "EAP"
    modcall: entering group authenticate
    rlm_eap: processing type md5
    rlm_eap_md5: Issu
Re: EAP/TLS certificates and server questions
hi

> Thanks to the EAP/TLS Howto, I was able to setup the radius server and get
> all the authentication I needed going. Now the script, which creates the
> root certificate, generates root.pem with a lifetime of 30 days. After that
> authentication doesn't work, OK. Last month I recreated everything. That's
> a pain...
>
> - How can I extend them? Reuse them? What's the deal?

no reuse. you have to set another expiration date. take a look at the scripts.

> I have the second box, with software up and running. But again, the
> certificates:
> - My first attempt - just copying them - didn't work. OK, just a try.

why? what exactly did you copy and what exactly did you certify?

> - Second, since the certs are tied to hostname, I recreated them - guess
> what...

well, you have to look at what you are doing. are you sure that your certificates are tied to the host address? because mine are not. and i doubt that this is verified anyway. the server simply has a pair of keys and both are signed and one of them (the private) is encrypted. the possession of the decryption key enables the usage.

ciao
artur

--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
EAP/TLS for WinCE/PocketPC
hi

i'm sorry, it's a bit out of topic, but somebody recently told me on this list that there is an evaluation version of an EAP/TLS client for WinCE. i was too dumb to save the email and now i can't find it in the archives (tried wince, tls, pocketpc etc.)

could this person kindly repost the URL?

ciao
artur

--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
Simultanous use not working using sql
I am using database to check for simultaneous use. I define the Simultaneous-Use value in "radgroupcheck" table. Even if Simultaneous-Use limit is reached the user can still login and get Access-Accept. "AcctStopTime" is updated and "Acct-Input-Octets", "AcctOutputOctets", "Acct-Session-Time" are initialized to zero in the already existing record for that user in database and the new session is accepted. I want to know what are the conditions that enable this to happen. I believe the check of the fields returned by "simul_verify_query" leads to this. My query looks like this:

    SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId,
           FramedIPAddress, CallingStationId, FramedProtocol
    FROM ${acct_table1}
    WHERE CalledStationId='%{Called-Station-Id}' AND AcctStopTime IS NULL

The weird part of the debug I get once running radius with -xxx option is:

    Wed Mar 19 10:46:22 2003 : Debug: radius_xlat: 'SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE CalledStationId='3362830' AND AcctStopTime IS NULL'
    checkrad: Neither SNMP_Session module or found!
    checkrad: Neither SNMP_Session module or found!
    Wed Mar 19 10:46:22 2003 : Debug: modcall: entering group accounting

Regards,
Wisam Suleiman Najim