Re: Can RADIUS attributes pass through to Apache?

2003-03-24 Thread Josh Howlett
On Mon, 2003-03-24 at 17:06, Alan DeKok wrote:
> "Mark Lavi" <[EMAIL PROTECTED]> wrote:
> > However, it is common to have different "groups" in an authenticated 
> > population. Say, for instance, a department of an organization. Once you 
> > know that attribute (if it exists) for a person, you can say restrict 
> > access to different resources on the web server.
> 
>   I agree.  At the time the module was written, there were no RADIUS
> standards for defining groups.  The other module you pointed to
> implements groups by re-defining existing RADIUS attributes, which is
> *very* bad.

I am quite interested in this concept of passing WWW-flavoured
attributes to a WWW application via RADIUS.

Alan has already pointed out the need to prevent (i) re-defining
existing attributes and (ii) implementing site-specific attributes.

Might I suggest a general mechanism for implementing this, whereby
arbitrary and application-specific variable/value pairs are passed to
the WWW application within a 'generic' wrapper A/V?  The auth server
concatenates the variables within single wrapper A/V in the
Access-Accept, which mod_auth_radius unwraps and passes the contained
variables to Apache.

This approach only requires defining a single new A/V.  The contents of
the A/V would be site-specific (user-group, favourite colour, etc).

regards, josh.

-- 
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

---


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Simultaneous-Use

2003-03-24 Thread Simon Son
Hello

Here's what I have done:

I inserted ("dialup", "Simultaneous-Use", ":=", "1") into radgroupcheck.
And I uncommented simul_count_query and simul_verify_query in sql.conf.

After I had done that, when I looked at radius.log it seemed that it was
catching multiple logins.
But it turns out that radius is denying dialup users, even though the login is
not a multiple login.

When I looked at simul_count_query, it looked like this query just counts
the number of records that have AcctStopTime 0 for a certain user.

So I searched our radacct table and found almost 12 records that have 0
as AcctStopTime (most of them are dial-up customers). And it looked like
most dial-up customers have at least one record with 0 as AcctStopTime.

So what I want to know is this:

Is the reason why dial-up customers couldn't login when I uncommented
simul_count_query and simul_verify_query that dial-up users have
records with 0 as AcctStopTime, given the way simul_count_query works?

Am I correct? If not can someone help me out?

Thanks in advance
Simon
_
Simon Son
New Zealand Online Tech Ltd.
Level2 , 10 Northcroft St
Takapuna Auckland
Ph:09-488-9001
Fax:09-489-8324
Mobile:021-267-2697
_




New FreeRadius Installation...

2003-03-24 Thread Sanjay Shah



Hi,

We are looking into installing FreeRadius 0.8 on a FreeBSD 4.6 platform. I would
like to find out what specific package(s) are needed above and beyond base
FreeBSD 4.6 prior to compiling FreeRadius.

Additionally, are there any scripts available to parse radius records and
produce a comma/space delimited file?

Thanks,

Sanjay Shah

* Email: [EMAIL PROTECTED]


Re: questions about sql

2003-03-24 Thread Kostas Kalevras
On Thu, 20 Mar 2003, Simon Son wrote:

> Hello
>
> I was checking sql.conf and wondering
> what simul_count_query and simul_verify_query  do

simul_count_query counts the active sessions of a user

simul_verify_query verifies each of them if simul_count_query returns more
active sessions than allowed.

>
> If a return value of simul_count_query of a user is more than one(say 3),
> does this means this user has 3 simultaneous sessions?

yes

>
> Regards
> SImon
>
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

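The count/verify behaviour described in Simon's question (the Simultaneous-Use thread above) and in this reply, as an added example that is not FreeRADIUS code: an in-memory SQLite stand-in for radacct with constructed rows, a count query of the simul_count_query kind, and the two-step count-then-verify decision. The table layout, the rows, and the `session_is_alive` callable standing in for the NAS-side verification are assumptions of the example.

```python
import sqlite3

# Constructed sample radacct rows (UserName, AcctSessionId, AcctStartTime, AcctStopTime),
# using the column names from the FreeRADIUS SQL schema. AcctStopTime 0 means
# "no Accounting-Stop has been recorded for this session".
SAMPLE_RADACCT = [
    ("simon", "s1", 1048460000, 0),           # genuinely live session
    ("bob",   "b0", 1048300000, 0),           # stale: Stop never arrived, user is offline
    ("alice", "a1", 1048450000, 1048455000),  # closed cleanly
    ("alice", "a2", 1048461000, 0),           # genuinely live session
]


def build_radacct(rows=SAMPLE_RADACCT):
    """In-memory stand-in for the radacct table (assumption of this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctSessionId TEXT, "
        "AcctStartTime INTEGER, AcctStopTime INTEGER)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return conn


def simul_count(conn, username):
    """What a simul_count_query does: count rows still lacking a stop time."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
        (username,),
    ).fetchone()
    return n


def count_only_decision(conn, username, simultaneous_use):
    """Decision if only the count were consulted. The new login is not yet in
    radacct, so a user with one stale row already looks 'logged in' when
    Simultaneous-Use := 1. This is the symptom described in the thread."""
    return simul_count(conn, username) < simultaneous_use


def open_sessions(conn, username):
    """Session ids of the rows the count query sees as open."""
    return [sid for (sid,) in conn.execute(
        "SELECT AcctSessionId FROM radacct WHERE UserName = ? AND AcctStopTime = 0 "
        "ORDER BY AcctStartTime", (username,))]


def count_then_verify(conn, username, simultaneous_use, session_is_alive):
    """Two-step check as described in the reply: only when the count reaches
    the limit is each open session verified. session_is_alive stands in for
    the NAS-side check the verify step performs; here it is a plain callable."""
    sessions = open_sessions(conn, username)
    if len(sessions) < simultaneous_use:
        return True
    really_open = [sid for sid in sessions if session_is_alive(sid)]
    return len(really_open) < simultaneous_use


def stale_open_sessions(conn, now, max_age):
    """Open rows older than max_age seconds: the rows worth inspecting when
    users are rejected although they are not online (added check, not from
    the thread)."""
    return [sid for (sid,) in conn.execute(
        "SELECT AcctSessionId FROM radacct WHERE AcctStopTime = 0 AND AcctStartTime < ? "
        "ORDER BY AcctStartTime", (now - max_age,))]


if __name__ == "__main__":
    db = build_radacct()
    alive = lambda sid: sid in {"s1", "a2"}   # constructed NAS answer
    for user in ("simon", "bob", "alice"):
        print(user, "count:", simul_count(db, user),
              "count-only:", count_only_decision(db, user, 1),
              "count+verify:", count_then_verify(db, user, 1, alive))
    print("stale:", stale_open_sessions(db, now=1048470000, max_age=86400))
```

With Simultaneous-Use := 1, "bob" is rejected by the count alone because of his stale row, and admitted once the verify step finds that session dead; "simon" stays rejected because his open session really is live.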


Re: adding realm to username without it

2003-03-24 Thread Kostas Kalevras
On Wed, 19 Mar 2003, Alain Cocconi wrote:

> Hi everybody,
>
> I'm currently checking if it is possible for me to switch from icradius + my
> patches to freeradius.
> One of the features I need but could not find in the docs/mailing list is:
>
>   I need to add a realm to all users without one.
>
>   The remote username sent will become
> ex:   johndue --> [EMAIL PROTECTED]
>   [EMAIL PROTECTED]   --> [EMAIL PROTECTED]
>   [EMAIL PROTECTED]   --> [EMAIL PROTECTED]

attr_rewrite module.

>
>
> I've searched a lot in the archives and docs but not found an answer for this.
>
> tia guys
> Alain Cocconi
>
> SATNET SARL
> BP 2694
> NOUMEA CEDEX
> Nouvelle Caledonie
> Phone : +687 24 38 70
> Fax : +687 27 12 50
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

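An added illustration of the rewrite suggested in this reply (example code, not rlm_attr_rewrite itself or its configuration syntax): a regex search-and-replace that appends a default realm to a User-Name lacking one, followed by the realm split that yields Stripped-User-Name and Realm. The realm `example.com`, the split on the last `@`, and the attribute dictionary are assumptions of the example.

```python
import re

DEFAULT_REALM = "example.com"   # constructed placeholder; the thread hides the real realm

# A User-Name with no '@' at all. The anchors make the whole name match, so
# 'user@' or '@realm' (which do contain '@') are left alone for a human to look at.
NO_REALM = re.compile(r"^([^@]+)$")


def add_default_realm(user_name, realm=DEFAULT_REALM):
    """Regex search-and-replace on User-Name, the kind of rewrite the reply
    points at: johndue -> johndue@example.com, while names that already
    carry a realm come back unchanged."""
    m = NO_REALM.match(user_name)
    if m is None:
        return user_name
    return f"{m.group(1)}@{realm}"


def split_realm(user_name):
    """Split 'user@realm' on the last '@' (an assumption of this example; the
    delimiter and direction are configurable in real realm handling).
    Returns (user, realm), or (user_name, None) when no usable realm is present."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    if not realm:
        return user_name, None
    return user, realm


def process_request(attrs, realm=DEFAULT_REALM):
    """Rewrite first, then split the realm, as a request flows through the
    authorize section: the rewrite has to run before the realm split, otherwise
    users without a realm never get one. Returns a new attribute dict."""
    out = dict(attrs)
    name = add_default_realm(out.get("User-Name", ""), realm)
    out["User-Name"] = name
    user, found_realm = split_realm(name)
    if found_realm is not None:
        out["Stripped-User-Name"] = user
        out["Realm"] = found_realm
    return out


if __name__ == "__main__":
    for name in ("johndue", "johndue@example.com", "jane@other.net", "odd@"):
        print(name, "->", process_request({"User-Name": name}))
```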


Re: dialup_admin and changing user groups

2003-03-24 Thread Kostas Kalevras
On Tue, 18 Mar 2003, Nick Lomonte wrote:

> When editing a users attributes, the "Member of" dropdown list only
> shows the group they are in, it doesn't show the other available groups
> in order to change their membership.

That's what the edit group page is for.

>
> --
> Nick Lomonte
> Network Engineer
> Eonet
> [EMAIL PROTECTED]
> 409.833.1700
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: LDAP groups

2003-03-24 Thread Kostas Kalevras
On Thu, 20 Mar 2003, Ron Wahler wrote:

> I need some help please...
>
> Anyone ever use a LDAP query to extract the users group from the LDAP
> database?
>
> Not sure how to set up the radiusd.conf file to use the %GroupName.   I
> want to query
>
> The user and find what group they are in...
>
> groupname_attribute = "(cn=%GroupName)"

Please go back and read doc/rlm_ldap carefully. The groupname_attribute
corresponds to the ldap attribute which contains the group name _not_ to an ldap
search filter. So it should be:
groupname_attribute = "cn"

>
>
> #groupmembership_filter =
> "(objectCategory=organizationalUnit)(SamAccountName=%U)"

If you keep groupmembership_filter commented out it will use the default
value of
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

I am not sure this is what you want.

>
> DEFAULT Ldap-Group == "group"

That line seems to be ok.

>
> Thanks, Ron.

The answers are in doc/rlm_ldap. Read it again.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

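To make the distinction in this reply concrete (groupname_attribute names an attribute of the group entry, groupmembership_filter selects the entries), here is an added example that is not rlm_ldap code: a constructed in-memory directory, the expansion of the default filter quoted above with RFC 4515 escaping of the substituted DN, and a lookup that applies the meaning of that filter and returns the values of groupname_attribute, which is what `Ldap-Group == "group"` is compared against. Passing the filter string `(cn=%GroupName)` as the attribute name returns nothing, which is the misconfiguration in the question. The DNs, the entries and the exact-string DN comparison are assumptions of the example.

```python
# Constructed directory: DN -> attributes, values as lists the way an LDAP
# server returns them. Not a real site's data.
USER_DN = "uid=ron,ou=people,dc=example,dc=org"
OTHER_DN = "uid=kim,ou=people,dc=example,dc=org"
DIRECTORY = {
    USER_DN: {"objectClass": ["inetOrgPerson"], "uid": ["ron"]},
    "cn=dialup,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"], "cn": ["dialup"], "member": [USER_DN]},
    "cn=staff,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["staff"],
        "uniqueMember": [USER_DN, OTHER_DN]},
    "cn=admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"], "cn": ["admins"], "member": [OTHER_DN]},
}

# The default groupmembership_filter quoted in the reply.
DEFAULT_MEMBERSHIP_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
)


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so that
    a DN containing '(' ')' '*' or a backslash cannot change the filter's structure."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def expand_membership_filter(user_dn, template=DEFAULT_MEMBERSHIP_FILTER):
    """The filter the server would send after substituting %{Ldap-UserDn}."""
    return template.replace("%{Ldap-UserDn}", escape_filter_value(user_dn))


def attr_values(entry, name):
    """LDAP attribute names are case-insensitive ('uniquemember' in the filter
    matches 'uniqueMember' in the schema). A name that is really a filter
    string, like "(cn=%GroupName)", matches no attribute at all."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def groups_for_user(user_dn, groupname_attribute="cn", directory=DIRECTORY):
    """Apply the meaning of the default filter: an entry is one of the user's
    groups if it is a GroupOfNames listing the DN in 'member', or a
    GroupOfUniqueNames listing it in 'uniqueMember'. From each match return
    the values of groupname_attribute. DN comparison is exact string
    equality here, a simplification of real DN matching."""
    names = []
    for entry in directory.values():
        classes = {c.lower() for c in attr_values(entry, "objectClass")}
        in_group = (("groupofnames" in classes and user_dn in attr_values(entry, "member"))
                    or ("groupofuniquenames" in classes
                        and user_dn in attr_values(entry, "uniqueMember")))
        if in_group:
            names.extend(attr_values(entry, groupname_attribute))
    return names


def ldap_group_check(user_dn, wanted, groupname_attribute="cn"):
    """The users-file check 'DEFAULT Ldap-Group == "wanted"'."""
    return wanted in groups_for_user(user_dn, groupname_attribute)


if __name__ == "__main__":
    print(expand_membership_filter(USER_DN))
    print("groupname_attribute = cn:", groups_for_user(USER_DN))
    print("filter string as attribute:", groups_for_user(USER_DN, "(cn=%GroupName)"))
    print("Ldap-Group == dialup:", ldap_group_check(USER_DN, "dialup"))
```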


Converting from AscendRadius to FreeRadius

2003-03-24 Thread Squirrel User
I'm converting from an old Ascend Radius and need help on "user" file 
conversion from the below to new format:

jackcha Password = "2old2"
        User-Service = Framed-User,
        Framed-Protocol = MP,
        Ascend-Route-IP = Route-IP-Yes,
        Framed-Address = 208.27.64.65,
        Framed-Netmask = 255.255.255.224,
        Framed-Routing = Broadcast-Listen-v2,
        Framed-Route = "208.27.64.64/27 208.27.64.65 1",
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Ascend-Maximum-Channels = 2




Re: Can RADIUS attributes pass through to Apache?

2003-03-24 Thread Alan DeKok
"Mark Lavi" <[EMAIL PROTECTED]> wrote:
> However, it is common to have different "groups" in an authenticated 
> population. Say, for instance, a department of an organization. Once you 
> know that attribute (if it exists) for a person, you can say restrict 
> access to different resources on the web server.

  I agree.  At the time the module was written, there were no RADIUS
standards for defining groups.  The other module you pointed to
implements groups by re-defining existing RADIUS attributes, which is
*very* bad.

  Now that FreeRADIUS has a private enterprise code, we can implement
groups in the FreeRADIUS dictionary.

> Finally, if the group (or any other RADIUS attribute) is exposed at a 
> server environment variable, this would be a mechanism for any server 
> side web application to leverage that information for conditional 
> security based upon those attributes within a page of an application. 

  I agree completely, I'm not arguing that point.  What I was saying
was that we have to be careful about *how* the groups are implemented.

> 1. Groups are an important attribute utilized in many situations and 
> environments.
>They are enabled in even the most basic Apache authentication modules.
>We can witness a fork which, amongst other things, attempts an 
> implementation of groups.

  If someone is willing to supply patches to the module to implement
groups as a FreeRADIUS VSA, I'm willing to add those to the module.

> 2. The ability to leverage RADIUS attributes in a web server environment
> extends the utility of RADIUS, whatever those attributes may be.

  Sure.

> Discarding those attributes reduces RADIUS' utility.

  I couldn't figure out how to use the RADIUS attributes in the rest
of Apache.  The simplest thing to do was to ignore them.

  If you've got a method whereby the RADIUS attributes can easily be
used in the rest of Apache, then I'm all for it.  But all of the
methods I've seen so far are very site-specific.

> Not having the "escape mechanism" or back channel to expose the RADIUS 
> attributes to the web server reduces the full utility of this module and 
> the RADIUS server.

  How are these RADIUS attributes exposed to the web server?

> I will understand and respect your decisions, I'm thankful to you and 
> the freeradius community for this work. I hope this discussion is 
> constructive to promote the further utility of RADIUS with web applications.

  I'm not arguing against what you want to do, I just want to be sure
that it's done right, and that it's useful to situations other than
yours.

  Alan DeKok.



Re: EAP-Message dictionary entry [Re: 802.1X tunnel attributes and VLAN settings]

2003-03-24 Thread Alan DeKok
Dave Mason <[EMAIL PROTECTED]> wrote:
> On a related note, should the entry for EAP-Message in the dictionary 
> file have type octets?  It is currently string, so it assumes everything 
> is ASCII.  I had to change this to octets so the server would interpret 
> my EAP attributes correctly.  Let me know if this is wrong.

  No, I've already made that change in the CVS head.

  Alan DeKok.



RE: Realm Specific Accounting

2003-03-24 Thread Gene Parks
Cool thanks

-Original Message-
From: Franklin Trumpy [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2003 2:03 PM
To: [EMAIL PROTECTED]
Subject: Re: Realm Specific Accounting


On Sat, 22 Mar 2003, Gene Parks wrote:

> Can I do the same with the details file?
>
> i.e Realm1 = details1
> Realm2 = details2
> Realm3=details3

Try something like:

detailfile = ${radacctdir}/%{Realm:-NOREALM}/detail

in radiusd.conf.

That will put each realm in its own directory, named for the realm,
based on the value of 'Realm' in the accounting packet. If no realm is
defined, the directory NOREALM is used.

See doc/variables.txt for more information.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc |  The wound of peace is surety,
Sr. UNIX Systems Administrator  |  Surety secure; but modest doubt is called
Lighthouse Communications   |  The beacon of the wise, the tent that searches
[EMAIL PROTECTED] |  To th' bottom of the worst.
(515)244-1115   |
(888)953-3278   |William Shakespeare
http://www.lh.net   |Troilus and Cressida (II, ii)

On Sat, 22 Mar 2003, Gene Parks wrote:

> Date: Sat, 22 Mar 2003 19:32:22 -0500
> From: Gene Parks <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Realm Specific Accounting
>
> Alan,
>
> Can I do the same with the details file?
>
> i.e Realm1 = details1
> Realm2 = details2
> Realm3=details3
>
>
>
> Thanks
> Gene
>




EAP-Message dictionary entry [Re: 802.1X tunnel attributes and VLANsettings]

2003-03-24 Thread Dave Mason
Hi,
On a related note, should the entry for EAP-Message in the dictionary 
file have type octets?  It is currently string, so it assumes everything 
is ASCII.  I had to change this to octets so the server would interpret 
my EAP attributes correctly.  Let me know if this is wrong.

Dave

Alan DeKok wrote:

> "Terry Green" <[EMAIL PROTECTED]> wrote:
> > I think there may be a small bug in the dictionary.tunnel file...
> > ..
> > #ATTRIBUTE  Tunnel-Private-Group-Id 81  integer has_tag
> > ATTRIBUTE   Tunnel-Private-Group-Id 81  string  has_tag
>
>   You're right.  See http://www.freeradius.org/rfc/attributes.html
>
>   I'll fix this on Monday.
>
>   Alan DeKok.









Re: Can RADIUS attributes pass through to Apache?

2003-03-24 Thread Mark Lavi
Alan DeKok wrote:

> "Mark Lavi" <[EMAIL PROTECTED]> wrote:
> > ...For instance: user-name, class, connect-info, and vendor-specific attributes
> > all might be information from the RADIUS server that could be further
> > utilized by an application without relying on another data source.
>
>   How?

Right now, a RADIUS authenticated user for a web server is a binary
solution. This is fine for many situations: you are either authorized or
not authorized.

However, it is common to have different "groups" in an authenticated
population. Say, for instance, a department of an organization. Once you
know that attribute (if it exists) for a person, you can say restrict
access to different resources on the web server. This is usually used
for controlling directories of content. An example would be:
group=Engineering can read and publish to the /engineering directory,
but group=Engineering cannot read the /sales directory.

Being able to determine the group is crucial for permissions and most
Apache server authentication modules that I have encountered support
group attributes. See URL:
http://httpd.apache.org/docs/howto/auth.html#basicconfig

Groups are usually defined as a list of usernames in a file (an external
source), but it is much more useful/secure/manageable to have the group
attribute provided by the authenticating resource.

> > The web application I am helping to design and RADIUS is the only
> > authentication allowed in the environment I must work in. I hope it is
> > now noted that the additional access-accept attributes could be useful
> > in a web server environment.
>
>   Sure, but what do you do with them?  Would anyone else do the same
> things?

I would enable permissions for a group of an authenticated population to
access certain areas of content, typically.

I believe that others would do the same since most Apache authentication
modules provide the provision (although I will grant you, it is entirely
optional to use it for authentication) for groups.

Finally, if the group (or any other RADIUS attribute) is exposed as a
server environment variable, this would be a mechanism for any server
side web application to leverage that information for conditional
security based upon those attributes within a page of an application.
(i.e.: show the executive group a link to some important report but do
not show that link to engineering).

Hypothetical example, not any particular language, consider it
pseudocode that could exist inside of a web server parsed page or
application:

    $attributes = $APACHE_SERVER_ENVIRONMENT["RADIUS_ATTRIBUTES"];
    if ( index($attributes, "Engineering") > -1 )
    { print "Hello to everyone in Engineering\n"; }
    # or use your favorite regular expression search

So it is quite useful to leverage that information, whatever it might
be, from the authenticating resource.

I will agree that this is site/application specific and optional.  I
will not fault you on saying that pragmatically this is not an intended
use of RADIUS or that this cannot be a priority over producing more
documentation or getting 0.81 out of beta.

But I am trying to convey two notions to justify the expansion of
mod_auth_radius.c:

1. Groups are an important attribute utilized in many situations and
   environments.
   They are enabled in even the most basic Apache authentication modules.
   We can witness a fork which, amongst other things, attempts an
   implementation of groups.
2. The ability to leverage RADIUS attributes in a web server environment
   extends the utility of RADIUS, whatever those attributes may be.
   Discarding those attributes reduces RADIUS' utility.
   It also forces the use of a third party resource when such
   attributes are required, adding data and security overhead,
   management, and exposure when RADIUS could be utilized.

One can see that groups are just a special case/instance of the RADIUS
attributes, reducing this to only one argument.

Re: the other deviation/fork and adding it to the Other Resources section:

>   Yeah.  He spent a year making changes, and finally mailed me about
> it last November.  I responded, and asked to merge our efforts, so
>
>   Sure.  But it would validate the approach of forking the
> code base, making incompatible changes, and never feeding patches or
> fixes back upstream to the original author.

I understand why you would take that policy stance: I would prefer a
unified mod_auth_radius.c, too! One must understand what the motivation
is for each fork.

> That is SO location-specific that I doubt it should go into the
> default source for the module.

I feel that groups are a more generic requirement in authentication (and
less site specific, although the above implementation is fairly
specific) which we can witness in every modern operating system and all
(up until now :~) Apache authentication modules I've encountered.

Not having the "escape mechanism" or back channel to expose the RADIUS
attributes to the web server reduces the full utility of this module
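The wrapper A/V that Josh Howlett proposes in the first message of this thread, together with the environment-variable lookup in the pseudocode above, as an added example (not mod_auth_radius code, and not a format either author specified): `key=value;key=value` with backslash escapes is an assumed encoding, and `Wrapper-AV` a hypothetical attribute name. It encodes and unwraps the pairs, splits the payload into 253-octet pieces because a single RADIUS string attribute cannot carry more (RFC 2865), and contrasts the substring test of the pseudocode with an exact match on the parsed group list.

```python
WRAPPER_ATTR = "Wrapper-AV"  # hypothetical name for the single new A/V; not in any dictionary
MAX_VALUE_OCTETS = 253       # RFC 2865: attribute Length <= 255 including its 2-byte header


def encode_wrapper(pairs):
    """Pack (key, value) pairs as 'key=value;key=value'. Backslash-escape the
    delimiters and the backslash itself so values may contain them."""
    def esc(s):
        return s.replace("\\", "\\\\").replace(";", "\\;").replace("=", "\\=")
    return ";".join(f"{esc(k)}={esc(v)}" for k, v in pairs)


def parse_wrapper(payload):
    """Unwrap into {key: [values]}. A key may repeat (several groups), so
    values are lists; escapes are honoured; empty segments are ignored."""
    result, key, val, in_value, i = {}, [], [], False, 0
    while i <= len(payload):
        c = payload[i] if i < len(payload) else ";"     # sentinel closes the last pair
        if c == "\\" and i + 1 < len(payload):           # escaped char: take it literally
            (val if in_value else key).append(payload[i + 1])
            i += 2
            continue
        if c == ";":
            name = "".join(key)
            if name:
                result.setdefault(name, []).append("".join(val))
            key, val, in_value = [], [], False
        elif c == "=" and not in_value:
            in_value = True
        else:
            (val if in_value else key).append(c)
        i += 1
    return result


def split_for_radius(payload):
    """One RADIUS string attribute carries at most 253 octets, so a longer
    wrapper has to travel as several instances of the attribute. Split the
    UTF-8 bytes, not the characters, and reassemble before decoding so a
    multi-byte character cut at a boundary is not corrupted."""
    data = payload.encode("utf-8")
    return [data[i:i + MAX_VALUE_OCTETS] for i in range(0, len(data), MAX_VALUE_OCTETS)]


def join_from_radius(chunks):
    """Reassemble the instances in order and decode once."""
    return b"".join(chunks).decode("utf-8")


def in_group_exact(unwrapped, group):
    """Membership test on the parsed values: only a whole group name matches."""
    return group in unwrapped.get("group", [])


def in_group_substring(env_value, group):
    """The pseudocode from the thread, index($attributes, "Engineering") > -1,
    applied to the raw environment string: any group name containing the
    wanted name also matches."""
    return env_value.find(group) > -1


if __name__ == "__main__":
    pairs = [("group", "Engineering"), ("group", "Pre-Engineering"),
             ("colour", "blue; or =green")]
    wire = encode_wrapper(pairs)
    print(wire)
    print(parse_wrapper(join_from_radius(split_for_radius(wire))))
    only_pre = encode_wrapper([("group", "Pre-Engineering")])   # constructed group name
    print("substring:", in_group_substring(only_pre, "Engineering"),
          "exact:", in_group_exact(parse_wrapper(only_pre), "Engineering"))
```

A user whose only group is the constructed "Pre-Engineering" passes the substring test for "Engineering" but fails the exact match; the web application should test the parsed list, not the raw string.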

Re: Cisco LEAP

2003-03-24 Thread FreeRadius
On Monday 24 March 2003 08:11 am, Alan DeKok wrote:
> David Tran II <[EMAIL PROTECTED]> wrote:
> > I am wondering if anyone has got FreeRadius to work with Cisco LEAP.
> > I understand that LEAP is Cisco proprietary; however, I think I
> > saw a post in recent weeks that someone got it to work with Cisco
> > LEAP.  If you don't mind, can you share the configuration file and
> > what needed to be done?  I am currently using Freeradius 0.8.1
> > (stable version) running on RedHat linux version 7.3.
>
>   Read the main web page.  Cisco LEAP is only implemented in the
> current CVS head.
>
>   Once you download the CVS snapshot, read 'radiusd.conf', and look
> for 'leap'.  It will tell you what to do to configure it.
>
>   Alan DeKok.
>

And yes it does seem to work great.







RE: access to db.counter

2003-03-24 Thread Bill Anderson
Option b) is definitely an option for me.  Basically what I need is to be
able to do the following with the db.counter file based on monthly time
limits.

1)  Get a current listing of users and total monthly hours used to date.
2)  Query a specific user account for total hours.

For those interested, please contact me at [EMAIL PROTECTED] or
(503)885-8908 x225.  Thank you.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
> Sent: Sunday, March 23, 2003 7:16 AM
> To: [EMAIL PROTECTED]
> Subject: Re: access to db.counter
>
>
> "Bill Anderson" <[EMAIL PROTECTED]> wrote:
> > My mistake in phrasing the question.  What I meant was where do
> I request
> > the patch?
>
>   On this list.  But remember, it's free software, and no one gets
> paid for doing this.  Your choices are:
>
>   a) do it yourself
>   b) offer on the list to pay someone else to do it
>   c) give up, and live without it
>
>   99% of the people 'requesting' patches end up doing (c).
>
>   Alan DeKok.
>




Re: Cisco LEAP

2003-03-24 Thread Alan DeKok
David Tran II <[EMAIL PROTECTED]> wrote:
> I am wondering if anyone has got FreeRadius to work with Cisco LEAP.
> I understand that LEAP is Cisco proprietary; however, I think I
> saw a post in recent weeks that someone got it to work with Cisco
> LEAP.  If you don't mind, can you share the configuration file and
> what needed to be done?  I am currently using Freeradius 0.8.1
> (stable version) running on RedHat linux version 7.3.

  Read the main web page.  Cisco LEAP is only implemented in the
current CVS head.

  Once you download the CVS snapshot, read 'radiusd.conf', and look
for 'leap'.  It will tell you what to do to configure it.

  Alan DeKok.



Cisco LEAP

2003-03-24 Thread David Tran II
Hi Everyone,

I am wondering if anyone has got FreeRadius to work with Cisco LEAP.
I understand that LEAP is Cisco proprietary; however, I think I
saw a post in recent weeks that someone got it to work with Cisco
LEAP.  If you don't mind, can you share the configuration file and
what needed to be done?  I am currently using Freeradius 0.8.1
(stable version) running on RedHat linux version 7.3.

Regards,
David



Re: Can RADIUS attributes pass through to Apache?

2003-03-24 Thread Alan DeKok
"Mark Lavi" <[EMAIL PROTECTED]> wrote:
> Agreed, few attributes are specifically for web servers. However, a 
> number of attributes are user or group specific and they would be of use 
> for further authorization or personalization of a web page. For 
> instance: user-name, class, connect-info, and vendor-specific attributes 
> all might be information from the RADIUS server that could be further 
> utilized by an application without relying on another data source.

  How?

> The web application I am helping to design and RADIUS is the only 
> authentication allowed in the environment I must work in. I hope it is 
> now noted that the additional access-accept attributes could be useful 
> in a web server environment.

  Sure, but what do you do with them?  Would anyone else do the same
things?

> First Question: could the web page at URL: 
> http://www.freeradius.org/mod_auth_radius/ be updated to reflect the 
> current released version of 1.5.6 - that is what I downloaded with the 
> link for http://www.freeradius.org/mod_auth_radius/! The "Updates" 
> section currently lists 1.5.5 and the page hasn't been updated since 
> September.

  I'll take a look.

> For the general benefit of the freeradius community, I stumbled upon 
> another deviation on mod_auth_radius.c for Apache at URL: 
> https://www.gnarst.net/authradius/ which is listed in the Apache Modules 
> directory, it is in release for Apache 1.3.x and pre-release mode. for 
> Apache 2.x.

  Yeah.  He spent a year making changes, and finally mailed me about
it last November.  I responded, and asked to merge our efforts, so
that we wouldn't duplicate work, and I haven't heard back since.

  Alan DeKok.
> Second Question: could the web page add a link to this deviation in the 
> "Related Pages" section?

  Sure.  But it would validate the approach of forking the
code base, making incompatible changes, and never feeding patches or
fixes back upstream to the original author.

> This deviation module seems to allow group-id attributes to be passed 
> back, probably requiring an extension to the RADIUS dictionary, I think. 
> I'm about to experiment with this today.

  That is SO location-specific that I doubt it should go into the
default source for the module.

> So my final note is that it looks like there is a demonstrated need for 
> additional attributes in the web server environment.

  Have I ever said otherwise?

> It would be ideal to unify the deviations, but in the meantime I
> will look into finding my own resource to work or update
> mod_auth_radius.c

  For site-specific changes, of course.

  Alan DeKok.



Re: Realm Specific Accounting

2003-03-24 Thread Franklin Trumpy
On Sat, 22 Mar 2003, Gene Parks wrote:

> Can I do the same with the details file?
>
> i.e Realm1 = details1
> Realm2 = details2
> Realm3=details3

Try something like:

detailfile = ${radacctdir}/%{Realm:-NOREALM}/detail

in radiusd.conf.

That will put each realm in its own directory, named for the realm, based
on the value of 'Realm' in the accounting packet. If no realm is defined,
the directory NOREALM is used.

See doc/variables.txt for more information.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc |  The wound of peace is surety,
Sr. UNIX Systems Administrator  |  Surety secure; but modest doubt is called
Lighthouse Communications   |  The beacon of the wise, the tent that searches
[EMAIL PROTECTED] |  To th' bottom of the worst.
(515)244-1115   |
(888)953-3278   |William Shakespeare
http://www.lh.net   |Troilus and Cressida (II, ii)

On Sat, 22 Mar 2003, Gene Parks wrote:

> Date: Sat, 22 Mar 2003 19:32:22 -0500
> From: Gene Parks <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Realm Specific Accounting
>
> Alan,
>
> Can I do the same with the details file?
>
> i.e Realm1 = details1
> Realm2 = details2
> Realm3=details3
>
>
>
> Thanks
> Gene
>


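The `%{Realm:-NOREALM}` expansion from this reply, as an added example (not FreeRADIUS's own expansion code): it expands `${radacctdir}` and `%{Attr:-default}` in the detailfile line, routes constructed accounting packets to their per-realm detail files, and adds a containment check that the expanded path stays under radacctdir. The radacctdir value, the packets and the check are assumptions of the example.

```python
import os
import re

RADACCTDIR = "/var/log/radius/radacct"                 # constructed value for ${radacctdir}
DETAILFILE = "${radacctdir}/%{Realm:-NOREALM}/detail"  # the line from the reply

# %{Attr} or %{Attr:-default}
_ATTR_REF = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^}]*))?\}")


def expand(template, packet, config):
    """Expand ${var} from the server config and %{Attr:-default} from the
    packet: the default applies when the attribute is absent from the packet;
    an absent attribute with no default expands to the empty string."""
    text = template
    for name, value in config.items():
        text = text.replace("${" + name + "}", value)

    def substitute(match):
        attr, default = match.group(1), match.group(2)
        value = packet.get(attr)
        if value is None:
            return default if default is not None else ""
        return str(value)

    return _ATTR_REF.sub(substitute, text)


def detail_path(packet, config=None):
    """Detail file an accounting packet would be written to. The containment
    check is added here (it is not part of the thread): whenever a packet
    attribute ends up in a file name, make sure the result cannot leave the
    accounting directory."""
    config = config or {"radacctdir": RADACCTDIR}
    path = expand(DETAILFILE, packet, config)
    root = os.path.normpath(config["radacctdir"])
    if os.path.commonpath([root, os.path.normpath(path)]) != root:
        raise ValueError(f"detail path escapes {root}: {path!r}")
    return path


def route_packets(packets, config=None):
    """Group accounting packets by the detail file they would land in."""
    routed = {}
    for pkt in packets:
        routed.setdefault(detail_path(pkt, config), []).append(pkt["Acct-Session-Id"])
    return routed


# Constructed accounting packets, already through realm handling.
SAMPLE_PACKETS = [
    {"User-Name": "gene@realm1", "Realm": "realm1", "Acct-Session-Id": "0001"},
    {"User-Name": "ann@realm2", "Realm": "realm2", "Acct-Session-Id": "0002"},
    {"User-Name": "bob", "Acct-Session-Id": "0003"},                        # no realm
    {"User-Name": "gene@realm1", "Realm": "realm1", "Acct-Session-Id": "0004"},
]

if __name__ == "__main__":
    for path, sessions in route_packets(SAMPLE_PACKETS).items():
        print(path, sessions)
```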


wireless IP (TCP/IP) communication based alarm system

2003-03-24 Thread Kallo Zoli tech.net list mailbox
Dear all!

Sorry if my message is off-topic.

Do you know of wireless IP (TCP/IP) communication based alarm systems?
For example the German Sectra?

In the house, communication between sensors, the central keypad
and accessories is wireless. Between the house central system and
the security company it is also wireless, but TCP/IP based.
Servers receive alarm signals and send broadcast control
packets.

I'm interested in prices, technical information, etc.

-- 
K
Z




Authenication

2003-03-24 Thread Travis Best
I am using radius to authenticate users when they dial up and also to
allow them to log in to our news group server. I want to be able to only
allow one login to the dial-up and still be able to allow them access to
the news group. Right now I am using a sql database and have it set to
allow one login. How can I set radius to only allow one login for dial-up
and one for news and not have someone log in twice to the dial-up?

--

Travis M. Best  "Systems Administrator"
SunQwest Internet Services
1040 Walnut St
Sunbury, PA 17801
Phone: 866-344-9509
Direct: 570-279-1746






RE: MySQL Authentication

2003-03-24 Thread Mace . Scott
OK, it's working now.   Here is what I changed:

in sql.conf I changed from sql_user_name = "%{Stripped-User-Name}" to 
sql_user_name = "%{User-Name}"  Not sure there's a difference, but that's 
what I did...

in radius.conf in the authorize section commented out all but preprocess, 
chap, mschap, and sql.

in radius.conf in the authenticate section, commented out all but pap, 
chap, mschap, and unix.

In my radcheck table:

mysql> select * from radcheck;
+----+----------+----------------+----+------------------------------------+
| id | UserName | Attribute      | op | Value                              |
+----+----------+----------------+----+------------------------------------+
|  4 | foo      | Crypt-Password | := | $1$HuWuTTVg$GqVJ5SOZfZqBn3F0gcAp// |
|  3 | scotty   | Password       | == | testing                            |
+----+----------+----------------+----+------------------------------------+

Both of which work just fine.

Now off to figure out how to get this to work with our Cisco VPN 3000, and 
certificates...





Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318




RE: MySQL Authentication

2003-03-24 Thread Scott Bartlett
Scott,

Hmmm Does your sqltrace file give any clues? That'll show the actual
SQL which is executing against the database... 

Scott.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] 
> Posted At: Monday, March 24, 2003 1:42 PM
> Posted To: FreeRadius
> Conversation: MySQL Authentication
> Subject: RE: MySQL Authentication
> 
> 
> Well, I used the Dialup Admin tool with the default setting
> of using crypt 
> passwords. 
> 
> Here's my DB info, thanks for your help!
> 

 


Re: Can RADIUS attributes pass through to Apache?

2003-03-24 Thread Mark Lavi
Alan:

Thanks for the rapid response. I will now investigate extending the 
mod_auth_radius.c using my own resources. I have some follow up 
commentary and three questions.

Alan DeKok wrote:

> "Mark Lavi" <[EMAIL PROTECTED]> wrote:
> > I would like to utilize the attributes on an access-accept packet. Does
> > mod_auth_radius pass through attributes back to the Apache server, and
> > if so, is it available via a server environment variable?
>
>   No.  The Apache module looks for Accept/Reject only, and ignores any
> attributes sent back to it.
>
> > I've looked but can't find the attributes that are passed back to
> > mod_auth_radius from the RADIUS server. ... Can attributes be retrieved?
>
>   You can modify the source to the module to look for the RADIUS
> attributes, and do something with them.  But since few RADIUS
> attributes are meant for web servers, there's little you can do with
> them, which is why the module ignored RADIUS attributes in the first place.

-- Commentary on this issue:
Agreed, few attributes are specifically for web servers. However, a 
number of attributes are user or group specific and they would be of use 
for further authorization or personalization of a web page. For 
instance: user-name, class, connect-info, and vendor-specific attributes 
all might be information from the RADIUS server that could be further 
utilized by an application without relying on another data source.

I am helping to design a web application, and RADIUS is the only 
authentication allowed in the environment I must work in. I hope it is 
now noted that the additional access-accept attributes could be useful 
in a web server environment.

-- Related commentary:
First Question: could the web page at URL: 
http://www.freeradius.org/mod_auth_radius/ be updated to reflect the 
current released version of 1.5.6 - that is what I downloaded with the 
link for http://www.freeradius.org/mod_auth_radius/! The "Updates" 
section currently lists 1.5.5 and the page hasn't been updated since 
September.

Note: the link on this page for the mod_auth_radius.c C source file in 
the "Files included with the module" section is broken. It needs to be 
corrected to omit the trailing .html or to rename the existing 
./mod_auth_radius.c file to something else to make it palatable for a 
browser like ./mod_auth_radius.c.txt.

For the general benefit of the freeradius community, I stumbled upon 
another deviation on mod_auth_radius.c for Apache at URL: 
https://www.gnarst.net/authradius/ which is listed in the Apache Modules 
directory; it is in release for Apache 1.3.x and in pre-release mode for 
Apache 2.x.

Second Question: could the web page add a link to this deviation in the 
"Related Pages" section?

-- Final commentary:
This deviation module seems to allow group-id attributes to be passed 
back, probably requiring an extension to the RADIUS dictionary, I think. 
I'm about to experiment with this today.

So my final note is that it looks like there is a demonstrated need for 
additional attributes in the web server environment. It would be ideal 
to unify the deviations, but in the meantime I will look into finding my 
own resource to work on or update mod_auth_radius.c.

Final Question: if anyone on this mailing list is interested in making a 
bid to perform this work (extend mod_auth_radius.c to export additional 
attributes to the web server environment as a server environment 
variable in Apache 1.3.x), I would be happy to review the offer while I 
am considering internal resources.

Thank you for your time. I hope I have contributed positively to the 
good work at freeradius.org!

--Mark

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
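As an added illustration of the attribute pass-through Mark is asking for (example code, not mod_auth_radius or anything from freeradius.org), the following Python walks the Type/Length/Value attribute list of a constructed Access-Accept with length checks and maps User-Name, Connect-Info, Reply-Message and Class to environment-style variables; the RADIUS_* names and the sample packet are this example's own assumptions.

```python
import struct

# Added example; not code from mod_auth_radius or FreeRADIUS. It walks the
# attributes of an Access-Accept (RFC 2865: Code, Identifier, Length, 16-byte
# Authenticator, then Type/Length/Value triples) and exports the ones a web
# server could use. Attribute numbers are standard; RADIUS_* names are assumed.

ACCESS_ACCEPT = 2
ATTR_NAMES = {1: "User-Name", 18: "Reply-Message", 25: "Class",
              26: "Vendor-Specific", 77: "Connect-Info"}  # 77: RFC 2869

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute-name: [raw value, ...]}. Each Length byte is checked
    before use, so a corrupt or truncated reply raises ValueError rather than
    being read past its end."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        attrs.setdefault(name, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def env_for_apache(attrs: dict) -> dict:
    """Text attributes become RADIUS_<NAME>; Class is opaque and exported as
    hex; Vendor-Specific and unknown types are skipped (they need a dictionary)."""
    env = {}
    for name, values in attrs.items():
        if name == "Vendor-Specific" or name.startswith("Attr-"):
            continue
        key = "RADIUS_" + name.upper().replace("-", "_")
        render = (lambda v: v.hex()) if name == "Class" else (lambda v: v.decode("utf-8", "replace"))
        env[key] = "; ".join(render(v) for v in values)  # repeated attributes joined
    return env

def build_sample_accept(ident: int = 1) -> bytes:
    """Constructed Access-Accept for the demo (Authenticator zeroed)."""
    fields = [(1, b"scotty"), (77, b"ISDN 64000"), (25, b"\x00\x01opaque")]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in fields)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body
```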


Re: EAP-MD5 auth failure

2003-03-24 Thread [EMAIL PROTECTED]
Hello,
finally I made EAP-MD5 authentication work. 
I thank Artur and Joao for the helpful cooperation.
Only one question: what does "Auth-Type = System" mean? I.e. what does "System" mean?

Thanks a lot again,
emi



hi


 > challenge. EAP-MD5 specifies that supplicant, replying to the server
 > at the challenge, carries out a hash on the password and sends it to
 > the server. The server performs a hash on the password for that
 > supplicant in its database and compares the two hashed values. If
 > there's a matching the user is authenticated.  My doubt is: is there

that's not very precise.


 > a common key used to hash the password that have to be configured on
 > the server or this step is not necessary??

your explanation is not precise and so you have difficulties 
understanding it.

"the common key" which you are talking about *is* the password. the hash 
is actually performed on the received (unique) challenge, of course 
including the shared secret, i.e. the password, in order to make it 
impossible for somebody who doesn't know the password to produce the 
same response to the challenge.

server                                          user

                        username
                    <--

                        challenge
gen. random chal.   -->                         md5(challenge+secret)
                                                =:res

                        res
md5(challenge+secret)   <--
==res?

                        success
yes?                -->
                        failure
no?                 -->



ciao
artur


-- 
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
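The exchange in Artur's sketch, as an added example (not code from the post or from FreeRADIUS): the response is computed as in RFC 1994, MD5(Identifier || password || challenge), the server keeps the challenge it issued so that a reply is only checked against that one, and the sample user and password are constructed.

```python
import hashlib
import hmac
import os

# Added example; not code from the list post or from FreeRADIUS. EAP-MD5
# reuses the CHAP computation of RFC 1994:
#     response = MD5(Identifier || password || challenge)
# which Artur's sketch abbreviates as md5(challenge+secret). The password
# itself never crosses the wire; only the challenge and the hash do.

def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: hash the shared secret together with the server's challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

class Md5ChallengeServer:
    """Server side: remembers which challenge went out under which Identifier,
    so a response is only ever checked against that one challenge."""

    def __init__(self, password_db: dict, rng=os.urandom):
        self._db = password_db         # username -> clear-text password (constructed)
        self._rng = rng
        self._pending = {}             # identifier -> (username, challenge)

    def issue_challenge(self, identifier: int, username: str, length: int = 16) -> bytes:
        challenge = self._rng(length)  # fresh random value for every round
        self._pending[identifier] = (username, challenge)
        return challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        username, challenge = self._pending.pop(identifier, (None, None))
        password = self._db.get(username)
        if challenge is None or password is None:
            return False               # no outstanding round, or unknown user
        expected = md5_challenge_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

def run_exchange(server: Md5ChallengeServer, username: str, password: bytes, identifier: int = 1) -> bool:
    """Drive one round end to end: challenge -> response -> success/failure."""
    challenge = server.issue_challenge(identifier, username)
    response = md5_challenge_response(identifier, password, challenge)
    return server.verify(identifier, response)

if __name__ == "__main__":
    srv = Md5ChallengeServer({"emi": b"s3cret"})   # constructed sample user
    print(run_exchange(srv, "emi", b"s3cret"))     # True
    print(run_exchange(srv, "emi", b"wrong"))      # False
```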





Re: Nas-Port-Type parameter?

2003-03-24 Thread Alan DeKok
Eric <[EMAIL PROTECTED]> wrote:
> I have 2 kinds of nas-port-types: ISDN & Async.
> And I want to limit users by this parameter, but I have not found any variables
> in variables.txt for Nas-Port-Type for Exec-Program-Wait.
> How can I define this parameter in Exec-Program-Wait?

  Read variables.txt again?

  You can use attribute names from the dictionary, too...

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


TLS handshake

2003-03-24 Thread Manuel Sánchez Cuenca
Hello, can somebody tell me where in the code of freeradius-0.8.1 the TLS 
handshake starts?

Thanks.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re[2]: Auth MS-CHAP against LDAP

2003-03-24 Thread 3APA3A
Dear Alan DeKok,

I did the password encoding code in both authorization and authentication
for maximum compatibility, but right now I have no chance to test it. I hope
it will work OK though.

--Sunday, March 23, 2003, 6:04:27 PM, you wrote to [EMAIL PROTECTED]:

AD> 3APA3A <[EMAIL PROTECTED]> wrote:
>> Set Auth-Type to MS-CHAP.

AD>   Could you also please move the 'create NT/LM' password code from the
AD> 'authorize' section to the 'authenticate' section of rlm_mschap?
AD> There are a LOT of people trying to use MS-CHAP, and failing, because
AD> they've listed it *before* setting User-Password.

AD>   Having an MS-CHAP-* attribute in the packet means that 99% of the
AD> time, rlm_mschap does the authentication.

AD>   Alan DeKok.



-- 
~/ZARAZA
Well, on the whole, William, the local climate, if one can call it
a climate at all, is quite tolerable. (Twain)


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: MySQL Authentication

2003-03-24 Thread Mace . Scott
Well, I used the Dialup Admin tool with the default setting of using crypt 
passwords. 

Here's my DB info, thanks for your help!

mysql> select *from radcheck;
+----+----------+----------------+----+------------------------------------+
| id | UserName | Attribute      | op | Value                              |
+----+----------+----------------+----+------------------------------------+
|  3 | scotty   | Crypt-Password | := | $1$k.732Mhx$oNSh46n4YSq7NvAsGQnIu. |
+----+----------+----------------+----+------------------------------------+
1 row in set (0.00 sec)

mysql> select *from radreply;
+----+----------+-----------------+----+-------+
| id | UserName | Attribute       | op | Value |
+----+----------+-----------------+----+-------+
|  1 | scotty   | Framed-Protocol | =  | PPP   |
+----+----------+-----------------+----+-------+
1 row in set (0.01 sec)

mysql> select *from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | test      | Auth-Type | := | Local |
+----+-----------+-----------+----+-------+
1 row in set (0.01 sec)

mysql> select *from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  2 | scotty   | test      |
+----+----------+-----------+
1 row in set (0.00 sec)

mysql> select *from radgroupreply;
+----+-----------+--------------------+----+---------------------+------+
| id | GroupName | Attribute          | op | Value               | prio |
+----+-----------+--------------------+----+---------------------+------+
|  1 | test      | Framed-Compression | := | Van-Jacobsen-TCP-IP |    1 |
|  2 | test      | Framed-Protocol    | := | PPP                 |    1 |
|  3 | test      | Service-Type       | := | Framed-User         |    1 |
+----+-----------+--------------------+----+---------------------+------+
3 rows in set (0.00 sec)


Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318

"Scott Bartlett" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/22/2003 05:54 AM
Please respond to freeradius-users

 
To: <[EMAIL PROTECTED]>
cc: 
Subject:RE: MySQL Authentication


Scott,

Your debug notes you've got PAP encryption set - is this the issue?  I'd
try with it set to 'clear' first if I were you, then go from there once
that works...

Can you post examples of what you've got in the database? 

SB

Scott Bartlett
BTA Limited, 100 High Street Wandsworth, London SW18 4LA, United Kingdom
e: [EMAIL PROTECTED]v: +44 (0)20 8871 4240  f: +44 (0)20 8871 4584

Network Consultancy and Support for Windows, MacOS and Linux.
Internet connectivity, solutions, web/database development and business
services..

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL Authentication

2003-03-24 Thread Mace . Scott
Would it be possible to let me look at your config?  Maybe a sample user 
from your database?  (No user id's/passwords/ip addresses of course)

Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318

Pablo Veliz <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/21/2003 07:29 PM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Re: MySQL Authentication


On Fri, 21 Mar 2003 17:31:16 -0500
[EMAIL PROTECTED] wrote:

> I've seen quite a few messages in the archives regarding different issues 
> with MySQL authentication.  I can get nothing to work.  I tried this 
> patch, 
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg12306.html 
> and this patch, 
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg14684.html 
> (which wouldn't apply properly, I'm no programmer) and I still can't get 
> MySQL authentication to work.  I used the instructions here: 
> http://www.frontios.com/freeradius.html and got authentication working 
> just fine with using the users file.  I can get accounting info into my 
> database, but the rlm_mysql doesn't seem to be connecting to the db at 
> all, which indicates the port issue described in the second patch thread I 
> listed. 
> 
 
I don't know how to help you, but I can tell you that I installed 
freeRadius 0.8.1 on Mandrake 9.0
and I have it working without problems right now. I use only mysql for auth 
and acct; maybe my radius.conf can give you a clue.
I must say that my "users" file is empty.



I'm planning to move this to a RH7.0 server or maybe a RH8.0

-- 
Pablo Veliz

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






Re: MySQL Authentication

2003-03-24 Thread Mace . Scott
Ok, tried that, no change.  Thanks anyway.  BTW, am I incorrect in 
assuming that these are tried in order until a) they all fail, or b) one 
is successful?

Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318

"Ed H" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/21/2003 07:05 PM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Re: MySQL Authentication


Hello Scott:

It looks like you might be trying to use unix passwd/shadow authentication 
and sql both.  Make sure your radiusd.conf file comments out all references 
to unix, and file. It should look something similar to this (this is just an 
example):

authenticate {
        authtype PAP {
                pap
        }
        authtype CHAP {
                chap
        }
#       pam
#       unix
#       authtype LDAP {
#               ldap
#       }
#       eap
}
preacct {
        preprocess
        suffix
#       files
}
accounting {
#       acct_unique
#       detail
#       counter
#       unix            # wtmp file
        sql
#       radutmp
#       sradutmp
}
session {
#       radutmp
        sql
}



Ed



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


individual wep keys

2003-03-24 Thread Manuel Sánchez Cuenca
Hello, what is the method that hostap uses to generate the individual wep keys with 
eaptls? Is it a random method?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_perl %RAD_REQUEST re-write (snapshot-20030310)

2003-03-24 Thread Boian Jordanov
On 2003-03-23 at 16:41, Latte wrote:
> Hi folks,
> 
> I'm using freeradius-snapshot-20030310
> with rlm_perl feature.
> 
> I want to re-write (modify) values in RAD_REQUEST 
> in 'authorize' phase by some reason.
> In my case here, that is 'User-Name'
> and I want to let other modules (like rlm_realm, rlm_pap/chap)
> process 're-writed' User-Name.
> 
Perl hashes are not ordered, so if you don't know what you are doing it
is not the correct way to do this.
But you can always use rlm_rewrite. 

> In src/modules/rlm_perl/rlm_perl.c function "rlmperl_call"
> I added 
> > PERL_SET_CONTEXT(my_perl);
> > if ((get_hv_content(inst->rad_check_hv, &vp)) == 1 ) {
> > pairmove(&request->packet->vps, &vp);
> > pairfree(&vp);
> > }
> at the bottom of it (though before return of course),
> but it seems not suffice at all. (Erk, sorry for such dummy guess).
> 
> 3 questions:-
>  1. How I modify rlm_perl.c to have it allow me to 
> modify RAD_REQUEST?
> 
>  2. 'experimental.conf' perl module config part says
> > #  Only the %RAD_REPLY hash can be modified.
> > #  All of the other are read only.
> But, I can modify att/value pair for %RAD_CHECK 
> on this version, (and that works for me ;-)).
> Could I understand the status 
> that '%RAD_CHECK' can be also modified (not %RAD_REPLY only) 
> is 'correct'?

Probably I missed this.

> 
>  3. Could it be considerable to modify the rlm_perl module
> in the freeradius distribution
> to allow users to modify RAD_REQUEST, RAD_CHECK and RAD_REPLY
> all in next (or whenever appropriate) version?
> It might be helpful when pre-proxy, post-proxy are implemented 
> in this module as well, no?
> 

From my point of view this can be fixed if %RAD_XXX is replaced
with an array of hashes, where every element of the array is a single
hash that contains one AV pair.

> 
> Any comments are welcome.
> Thanks a lot in advance.
> 
> Best regards, 
> Latte
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
Best Regards,

Boian Jordanov
SNE
Orbitel - the Internet Company
tel. +359 2 937 07 23


