RE: FreeRadius with Mysql under Solaris can't work

2003-06-04 Thread Gene Parks
If I remember correctly the development package for MySQL that comes from sunfreeware 
puts the files in the wrong location for freeradius to look for them.  You can specify 
the location of the files or you can download the source and install from that. 
Solaris 8 and 9 fixed the location problem without having to specify.

Gene Parks
VIP Direct

-Original Message-
From: [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 04, 2003 8:49 AM
To: [EMAIL PROTECTED]
Subject: Re: FreeRadius with Mysql under Solaris can't work


Thanks to Jeson.

The MYSQL package is downloaded from sunfreeware and installed directly by pkgadd 
command. I am sure there are development header and lib included. Files in the lib 
directory are as follows:
libdbug.a  libmygcc.a  libmysqlclient.a  libmysqlclient_r.a
libmystrings.a libmysys.a

By the way, I have previously compiled and installed mysql 3.23.52 from the source package. 

When I do install freeradius with configure, make and make install, there is no error 
reported. So I don't think it's the reason. 

Am I right?

Best,
Zasp

>Hi,
>
>  Please make sure you have the MySQL development package; to compile the 
> rlm_sql_mysql module FreeRADIUS needs the include files from the MySQL 
> development package.
>
>  Enjoy it!
>
>        Jeson
>
>
>>Hi,all
>>  I want to use freeradius with mysql support under Solaris sparc 2.7. 
>>I run into the same
>>problem as many newbies when I start radiusd:
>>
>>  rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
>>  rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the 
>> search path of your system's ld.
>>  radiusd.conf[14]: sql: Module instantiation failed.
>>
>>  All methods have been tried but failed. MySQL is working well. I 
>>tried to compile freeradius under gcc 3.2.3 as the FAQ says ("configure 
>>--disable-shared"), or set a proper LD_LIBRARY_PATH variable, or copied 
>>the dynamic lib files to /usr/lib. But the problem is still there.
>>
>>  When I use rlm_unix instead of rlm_sql_mysql for authentication, it works 
>>well.
>>  I have been confused for several days. Can anyone help me?  Thanks :)




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

EAP/MD5 and ldap

2003-06-04 Thread pahartmann



Hello,
 
I want to use EAP/MD5 and LDAP. The EAP/MD5 config 
is OK, but the LDAP config is not OK.
Do you have an example radiusd.conf and users file for 
EAP/MD5 and LDAP?
 
Thanks, 


Re: FreeRadius with Mysql under Solaris can't work

2003-06-04 Thread
Thanks to Jeson.

The MYSQL package is downloaded from sunfreeware and installed directly by pkgadd 
command.
I am sure there are development header and lib included. Files in the lib directory 
are as follows:
libdbug.a  libmygcc.a  libmysqlclient.a  libmysqlclient_r.a
libmystrings.a libmysys.a

By the way, I have previously compiled and installed mysql 3.23.52 from the source package. 

When I do install freeradius with configure, make and make install,
there is no error reported. So I don't think it's the reason. 

Am I right?

Best,
Zasp

>Hi,
>
>  Please make sure you have the MySQL development package; to compile the 
> rlm_sql_mysql module FreeRADIUS needs the include files from the MySQL development package.
>
>  Enjoy it!
>
>        Jeson
>
>
>>Hi,all
>>  I want to use freeradius with mysql support under Solaris sparc 2.7. I run into 
>> the same 
>>problem as many newbies when I start radiusd:
>>
>>  rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
>>  rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the 
>> search path of your system's ld.
>>  radiusd.conf[14]: sql: Module instantiation failed. 
>>
>>  All methods have been tried but failed. MySQL is working well.
>> I tried to compile freeradius under gcc 3.2.3 as the FAQ says ("configure 
>> --disable-shared"), 
>> or set a proper LD_LIBRARY_PATH variable, or copied the dynamic lib files to /usr/lib. 
>> But the problem is still there. 
>>
>>  When I use rlm_unix instead of rlm_sql_mysql for authentication, it works well. 
>>  I have been confused for several days. Can anyone help me?  Thanks :)




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SMUX

2003-06-04 Thread Leo Edmiston-Cyr
Nathan Kufner wrote:

> I was under the impression that SMUX/SNMP was integral to the radius
> server.

It can be :)

> I am still unsure as to what functionality I just turned off.
> What does having SNMP (dis|en)abled on freeRadius mean for the radius
> server?  What kind of functionality do I gain or lose?

Long answer: SNMP/SMUX being enabled inside the radiusd server allows it 
to be polled using a separate SNMP agent (for example 
http://net-snmp.sourceforge.net/) that connects to the radius server.  
This agent can then be polled by any SNMP management software (for 
example http://people.ee.ethz.ch/~oetiker/webtools/mrtg/) to get 
statistics from the radius server and possibly put them in a database or 
graph (depending on the functionality of the SNMP mgmt software you 
use).  This can enable you to easily graph or log the utilization of 
your RADIUS server in terms of authentications per second or minute and 
other variables relating to the functioning of your RADIUS server.

Short answer: You can get RADIUS utilization statistics with a piece of 
SNMP management software like MRTG 
(http://people.ee.ethz.ch/~oetiker/webtools/mrtg/) when SNMP/SMUX is 
turned on.

> Sorry if these
> are newb questions, but I haven't found any docs or mail archive posts
> that explains that one to me yet.  Does anyone know the answer or where
> I can find the answer?

Most of what you are asking is basically "What is SNMP/SMUX anyway?"  To 
have that question answered look over the FAQ and other docs at the 
net-snmp site I mentioned above.

Good luck.

> Thanks in advance,
> Nathan Kufner
 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: cisco_vsa_hack (rlm_preprocess)

2003-06-04 Thread Vladimir Kravchenko

Hi.

code from rlm_preprocess.c:

        /* low 16 bits of the VSA number: attribute 1 is Cisco-AVPair */
        if ((vp->attribute & 0xffff) == 1) {
                char *p;
                DICT_ATTR   *dattr;

                p = vp->strvalue;
                /* whitespace-delimited read: stops at the first blank */
                getword(&p, newattr, sizeof(newattr));

                if (((dattr = dict_attrbyname(newattr)) != NULL) &&

code from token.c

/*
 *  Read a "word" - this means we don't honor
   ~~
 *  tokens as delimiters.
 */ 
int getword(char **ptr, char *buf, int buflen)
{
        /* getthing() with an empty token table: only whitespace ends the word */
        return getthing(ptr, buf, buflen, 0, tokens) == T_EOL ? 0 : 1;
}


Original Pair:
  Cisco-AVPair = "h323-call-id=4a78b822 95b611d7 adceea25 76190b93"
vp->strvalue:
  'h323-call-id=4a78b822 95b611d7 adceea25 76190b93'
after getword:
  'h323-call-id=4a78b822'


gettoken() instead of a getword() ?

P.S.
--- src/modules/rlm_preprocess/rlm_preprocess.c.origWed Jun  4 14:00:58 2003
+++ src/modules/rlm_preprocess/rlm_preprocess.c Wed Jun  4 15:41:37 2003
@@ -145,7 +145,7 @@
DICT_ATTR   *dattr;
 
p = vp->strvalue;
-   getword(&p, newattr, sizeof(newattr));
+   if (gettoken(&p, newattr, sizeof(newattr)) == T_EOL) continue;
 
if (((dattr = dict_attrbyname(newattr)) != NULL) &&
(dattr->type == PW_TYPE_STRING)) {
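Review bot: the new `if (gettoken(&p, newattr, sizeof(newattr)) == T_EOL) continue;` assumes this block sits directly inside the loop over value pairs; the seven lines of the hunk do not show that loop, so the change should confirm that `continue` does not skip any per-pair work that follows the `if` block. Two further points: a pair that yields T_EOL is dropped from the hack silently, so a DEBUG2 message before `continue` would let operators see which Cisco-AVPair value was malformed; and, since token.c documents getword() as the variant that does not honor tokens as delimiters, switching to gettoken() means `p` now stops at the `=` rather than after the first blank-separated word, so the value-parsing code below the hunk (not shown) must be checked against the new position of `p`.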

-- 
Vladimir Kravchenko / PK Mostcom JSC / system engineer
Tel: +7 095 2312255 / UIN: 132038843 / Email: [EMAIL PROTECTED] 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
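The parsing point in Vladimir's report, generalised a little beyond his single AVPair, as an added example that is not code from FreeRADIUS or from his patch: a whitespace-delimited read of `h323-call-id=4a78b822 95b611d7 ...` yields a token that is not a dictionary name, so the split must happen at the first `=` only and the value must keep its embedded spaces. The dictionary, the attribute names in it and the `cisco_vsa_hack` return format are constructed for illustration.

```python
# Added example: splitting Cisco-AVPair strings for a "cisco_vsa_hack"-style
# rewrite.  Not FreeRADIUS code; the dictionary below is a constructed
# stand-in for dict_attrbyname() and the attribute names are hypothetical.

from typing import List, Optional, Tuple

# Constructed mini-dictionary: attribute name -> RADIUS type.
DICTIONARY = {
    "h323-call-id": "string",
    "h323-call-origin": "string",
    "h323-connect-time": "string",
}

def getword_style(s: str) -> str:
    """Mimic a whitespace-delimited read (getword): the first 'word' only."""
    return s.split(None, 1)[0] if s.strip() else ""

def split_avpair(avpair: str) -> Optional[Tuple[str, str]]:
    """Split 'name=value' at the first '='; the value keeps embedded spaces.

    Returns None when there is no '=' or the name is empty, which mirrors the
    patch's 'continue' for a pair that yields no attribute name.
    """
    name, sep, value = avpair.partition("=")
    name = name.strip()
    if not sep or not name:
        return None
    return name, value.strip()

def cisco_vsa_hack(avpairs: List[str]) -> List[Tuple[str, str]]:
    """Rewrite AVPairs whose name is a known string attribute; leave the rest.

    Each result is (attribute, value); pairs that are malformed or unknown are
    returned unchanged under 'Cisco-AVPair' so the caller can see what happened.
    """
    out = []
    for raw in avpairs:
        parsed = split_avpair(raw)
        if parsed is None:
            out.append(("Cisco-AVPair", raw))      # no usable name: untouched
            continue
        name, value = parsed
        if DICTIONARY.get(name) == "string":
            out.append((name, value))              # rewritten to the named attribute
        else:
            out.append(("Cisco-AVPair", raw))      # not in the dictionary: untouched
    return out

if __name__ == "__main__":
    sample = "h323-call-id=4a78b822 95b611d7 adceea25 76190b93"   # from the report
    print("getword-style read:", getword_style(sample))
    print("first-'=' split:   ", split_avpair(sample))
    for attr, val in cisco_vsa_hack([sample, "no-equals-here", "unknown=1"]):
        print(f"{attr} = {val!r}")
```

Running the script shows the two reads side by side: the whitespace read returns `h323-call-id=4a78b822`, the `=` split returns the name `h323-call-id` with the full four-word value.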


rlm_krb5 module options?

2003-06-04 Thread Juha Sievi-Korte
 Hi there!

 I am trying to set up radiusd to authenticate against kerberos (Windows
2003 AD). The rlm_krb5 module didn't compile from 0.8.1, but i got it now
as i upgraded my radiusd to a cvs snapshot.

 What configuration options should be passed to rlm_krb5 in modules
-section? Now it is there without any options and i get segfault every
time when authentication request reaches the module...

 So far in debug output there is nothing useful. Kerberos module
initialization went ok and it is last message from it. Before the crash it
says:

rad_check_password:  Found Auth-Type Kerberos
auth: type "Kerberos"
modcall: entering group authtype
Segmentation fault (core dumped)

 Hope someone can help, the rlm_krb5 documentation is quite minimalistic
:)

--
_
   | | "... Think about all the positive sides in life, they
 _ | |_   _  _   _  ___   never last forever ... (c)Sentenced
| || | | | || |_| || O |+-+ AMD Duron 1300MHz & ATI Radeon +--+
|| |_| || | | || | ||  http://students.oamk.fi/~sijuma00  |
|  E-mail: [EMAIL PROTECTED]  |


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAPOL-Key(WPA format) with WinXP - unsuccessful

2003-06-04 Thread Nikhil Chauhan

Hi:
 
I'm trying to test the EAPOL-Key (4-way and group key handshake) exchange between the AP and the STA (Win XP-SP1-WPA).
 
I'm able to do 802.1X authentication, but when I send the 1st EAPOL-Key message (as defined in the WPA/11i drafts) from the AP to the STA, the STA doesn't respond with anything. My queries: 

1. Have you been able to perform this handshake successfully using Win XP as STA and using EAPOL-Key (WPA/802.11i format)?
2. I tried sending one EAPOL-Key (802.1X format) message with a broadcast key from the AP to the STA. What's the expected flow after this? I believe the STA doesn't need to respond with anything...
3. After sending one EAPOL-Key (802.1X format) message with a broadcast key from the AP to the STA, how can I make sure that we have encrypted packets flowing between AP & STA? I mean, what kind of data do I send to ensure that encryption works?

Best regards,
Nikhil Chauhan.

Re: FreeRadius with Mysql under Solaris can't work

2003-06-04 Thread 王志欣
Hi,

  Please make sure you have the MySQL development package; to compile the 
rlm_sql_mysql module FreeRADIUS needs the include files from the MySQL development package.

  Enjoy it! 

        Jeson
Welcome to: http://www.zyxel.com
[EMAIL PROTECTED]
  2003-06-04

=== 2003-06-04 15:57:00 You wrote in your message: ===

>Hi,all
>   I want to use freeradius with mysql support under Solaris sparc 2.7. I run into 
> the same
>problem as many newbies when I start radiusd:
>
>   rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
>   rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the 
> search path of your system's ld.
>   radiusd.conf[14]: sql: Module instantiation failed.
>
>   All methods have been tried but failed. MySQL is working well. I tried to 
> compile freeradius under gcc 3.2.3 as the FAQ says ("configure --disable-shared"), or set 
> a proper LD_LIBRARY_PATH variable, or copied the dynamic lib files to /usr/lib. But the 
> problem
> is still there.
>
>   When I use rlm_unix instead of rlm_sql_mysql for authentication, it works well. I 
> have been confused for several days. Can anyone help me?  Thanks :)


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius with Mysql under Solaris can't work

2003-06-04 Thread
Hi,all
I want to use freeradius with mysql support under Solaris sparc 2.7. I run into 
the same 
problem as many newbies when I start radiusd:

rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the 
search path of your system's ld.
radiusd.conf[14]: sql: Module instantiation failed. 

All methods have been tried but failed. MySQL is working well. I tried to 
compile freeradius under gcc 3.2.3 as the FAQ says ("configure --disable-shared"), or set 
a proper LD_LIBRARY_PATH variable, or copied the dynamic lib files to /usr/lib. But the 
problem
 is still there. 

When I use rlm_unix instead of rlm_sql_mysql for authentication, it works well. I 
have been confused for several days. Can anyone help me?  Thanks :)





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Multiple attributes

2003-06-04 Thread Gene Parks
I am using freeradius snapshot 20030603 and the server comes up fine and will authenticate.  The problem I have is now the server will not return multiple values for one attribute.  I have 3 other servers running 0.8.1 and they will return the attributes correctly.

The log says this:

@40003edd845e18c408d4 ldap_get_conn: Got Id: 0
@40003edd845e18c41874 rlm_ldap: performing search in ou=premiernet.2dial.com, o=dcconnex.net, with filter (uid=dctichenor)
@40003edd845e19cdd7b4 rlm_ldap: Added password  in check items
@40003edd845e19ce0a7c rlm_ldap: looking for check items in directory...
@40003edd845e19ce21ec rlm_ldap: Adding chappassword as Chap-Password, value  & op=21
@40003edd845e19ce412c rlm_ldap: looking for reply items in directory...
@40003edd845e19ce589c rlm_ldap: Adding X-Ascend-Idle-Limit as X-Ascend-Idle-Limit, value 600 & op=11
@40003edd845e19ce7bc4 rlm_ldap: Adding X-Ascend-maximum-Time as X-Ascend-Maximum-Time, value 3600 & op=11
@40003edd845e19cfbc14 rlm_ldap: Adding X-ascend-data-filter as X-Ascend-Data-Filter, value ip in forward tcp est & op=11
@40003edd845e19cfe324 rlm_ldap: Adding X-ascend-data-filter as X-Ascend-Data-Filter, value ip in forward dstip 66.159.32.0/24 & op=11
@40003edd845e19d01204 rlm_ldap: Adding X-ascend-data-filter as X-Ascend-Data-Filter, value ip in drop tcp dstport = 25 & op=11
@40003edd845e19d03cfc rlm_ldap: Adding X-ascend-data-filter as X-Ascend-Data-Filter, value ip in forward & op=11
@40003edd845e19d2968c rlm_ldap: user dctichenor authorized to use remote access
@40003edd845e19d2b1e4 ldap_release_conn: Release Id: 0
@40003edd845e19d2c56c   modcall[authorize]: module "ldap" returns ok
@40003edd845e19d2dcdc rlm_counter: Entering module authorize code
@40003edd845e19d2f064 rlm_counter: Could not find Check item value pair
@40003edd845e19d307d4   modcall[authorize]: module "daily" returns noop
@40003edd845e19d503a4 modcall: group authorize returns ok
@40003edd845e19d5172c   rad_check_password:  Found Auth-Type CHAP
@40003edd845e19d52ab4 auth: type "CHAP"
@40003edd845e19d53a54 modcall: entering group Auth-Type
@40003edd845e19d549f4   rlm_chap: login attempt by "dctichenor" with CHAP password ÎW![?5XÍ4???ÕõZ?É
@40003edd845e19d56934   rlm_chap: Using clear text password for user dctichenor authentication.
@40003edd845e19d6e034   rlm_chap: chap user dctichenor authenticated succesfully
@40003edd845e19d6ff74   modcall[authenticate]: module "chap" returns ok
@40003edd845e19d712fc modcall: group Auth-Type returns ok
@40003edd845e19d72684 Login OK: [dctichenor] (from client 66.159.47.23 port 0)
@40003edd845e19d741dc Sending Access-Accept of id 26 to 66.159.47.23:4517
@40003edd845e19d7594c   Framed-Protocol = PPP
@40003edd845e19d7da34   Framed-Compression = Van-Jacobson-TCP-IP
@40003edd845e19d7f1a4   X-Ascend-Idle-Limit = 600
@40003edd845e19d80144   X-Ascend-Maximum-Time = 3600
@40003edd845e19d810e4   X-Ascend-Data-Filter = "ip input forward tcp est"
@40003edd845e19d82854 Finished request 1


Anyone have any ideas why it is not returning the values?


Gene Parks

VIP Direct





Re: Squid with Freeradius

2003-06-04 Thread Wei Ming Long
Hi Dan,
Excellent! It is great to know that you are using Squid with Freeradius,
that's exactly what I want to do too. I want Squid to authenticate the http
requests using Freeradius and I also want Squid to perform transparent
proxying so that users from another network do not have to change their
network settings like proxy-server etc.


>>> [EMAIL PROTECTED] 06/04/03 11:48AM >>>

We're using squid with freeradius as the authentication "engine".  As
far as I know, you can't have a transparent + authenticating proxy.  If
it's authenticating, then it has to be non-transparent.  

It's actually very easy.  You just need to set up the Squid ACL's right
(so that it requires auth).  Then you set Squid's external
authentication helper.  We're using a simple (40 lines) PERL script
which does the authentication. It uses a PERL radius module.  I'm not
even sure where I got the script.  I think I got it off of Squid's
site.  If you can't find it, let me know, and I can e-mail it to you.

The system works great for us.

- Dan

On Wed, 2003-06-04 at 11:32, Wei Ming Long wrote:
Hi everyone,
I would like to use the proxy server Squid to perform transparent
proxying
and to authenticate http requests with Freeradius and was wondering if
anyone
has done it and would appreciate it if you could provide
details(configuration
files) of how to setup Squid and Freeradius to do just that.
Thanks.

Best regards
Matthew

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html 
-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Squid with Freeradius

2003-06-04 Thread Wei Ming Long
That is, if Squid receives a http request from a client, it first verifies
this client with a Radius Server to make sure that this client is a valid user
before servicing the http request and fetching the requested web page for the
client.

>>> [EMAIL PROTECTED] 06/04/03 10:55AM >>>
What do you mean by "authenticate http requests" ?

Navid

On 2003.06.03 21:32, Wei Ming Long wrote:
> Hi everyone,
> I would like to use the proxy server Squid to perform transparent
> proxying
> and to authenticate http requests with Freeradius and was wondering if
> anyone
> has done it and would appreciate it if you could provide
> details(configuration
> files) of how to setup Squid and Freeradius to do just that.
> Thanks.
> 
> Best regards
> Matthew
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html 
> 
> 

"Believe you can, believe you can't; either way, you're right" - Henry 
Ford
"Security is a process, not a product..." - Bruce Schneier

Navid Sheik <[EMAIL PROTECTED]>
Key fingerprint = D6FA 566F C9D0 7A17 F25A  1C7C 21F6 3E22 01A7 F604
GPG Key: http://www.navid.cyberbeat.it/shnavid.gpg 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radwho not show anything

2003-06-04 Thread Chaidan Mingmuang
I'm using the latest version of freeradius with Solaris 9. It seems to work
fine, but radwho doesn't show anything, and the radutmp size is zero. I have
enabled SNMP on the Cisco NAS already. I don't know how to solve this problem; can
somebody help?
Thanks in advance,
Chaidan Mingmuang



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Squid with Freeradius

2003-06-04 Thread Dan Perik

We're using squid with freeradius as the authentication "engine".  As
far as I know, you can't have a transparent + authenticating proxy.  If
it's authenticating, then it has to be non-transparent.  

It's actually very easy.  You just need to set up the Squid ACL's right
(so that it requires auth).  Then you set Squid's external
authentication helper.  We're using a simple (40 lines) PERL script
which does the authentication. It uses a PERL radius module.  I'm not
even sure where I got the script.  I think I got it off of Squid's
site.  If you can't find it, let me know, and I can e-mail it to you.

The system works great for us.

- Dan

On Wed, 2003-06-04 at 11:32, Wei Ming Long wrote:
Hi everyone,
I would like to use the proxy server Squid to perform transparent proxying
and to authenticate http requests with Freeradius and was wondering if anyone
has done it and would appreciate it if you could provide details(configuration
files) of how to setup Squid and Freeradius to do just that.
Thanks.

Best regards
Matthew

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
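Dan's setup, an external authentication helper that Squid calls and that talks RADIUS, written out as an added example. This is not the Perl script he mentions and not Squid's or FreeRADIUS's code: it shows the PAP Access-Request/Access-Accept exchange (RFC 2865 User-Password hiding and Response Authenticator check) in pure Python, entirely in-process so it runs offline, and then the helper's stdin/stdout loop. The shared secret `testing123`, the user table and the NAS address are constructed, and `server_handle` stands in for the network round trip to the RADIUS server.

```python
# Added example (not from the page): a Squid basic-auth helper that
# authenticates against RADIUS with PAP.  The server side is an in-process
# stand-in; shared secret, NAS address and user table are constructed.
import hashlib
import os
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _attr(atype, value):
    """One RADIUS attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding: MD5-keyed XOR chain over 16-byte blocks."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)              # pad to a multiple of 16
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += c
        prev = c                                 # next block keys off this ciphertext
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server applies it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00").decode()

def build_access_request(ident, username, password, secret, nas_ip="127.0.0.1"):
    """Return (packet bytes, request authenticator)."""
    authenticator = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def parse_attrs(payload):
    attrs = {}
    while payload:
        atype, alen = struct.unpack("!BB", payload[:2])
        attrs[atype] = payload[2:alen]
        payload = payload[alen:]
    return attrs

def server_handle(packet, secret, users):
    """Toy RADIUS server: PAP check against a table, reply with a valid Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    reply = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply, ident, 20)   # no reply attributes
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth

def verify_response(response, req_auth, secret):
    """Client side: check the Response Authenticator before trusting the reply code."""
    length = struct.unpack("!BBH", response[:4])[2]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return expected == response[4:20]

def radius_auth(username, password, secret, users, ident=1):
    """The exchange as the helper sees it; True only on a verified Access-Accept."""
    request, req_auth = build_access_request(ident, username, password, secret)
    response = server_handle(request, secret, users)   # in-process stand-in for the network
    if not verify_response(response, req_auth, secret):
        return False
    return response[0] == ACCESS_ACCEPT

def helper_line(line, secret, users):
    """Squid basic-auth helper contract: 'user password' in, 'OK' or 'ERR' out."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return "ERR"
    return "OK" if radius_auth(parts[0], parts[1].strip(), secret, users) else "ERR"

if __name__ == "__main__":
    SECRET = b"testing123"                          # constructed shared secret
    USERS = {"alice": "s3cret", "bob": "hunter2"}   # constructed user table
    for line in sys.stdin:                          # Squid drives this loop
        print(helper_line(line, SECRET, USERS), flush=True)
```

Two design points carry over to a real helper: the reply is only trusted after the Response Authenticator is checked against the request authenticator and the shared secret, and a malformed helper line yields `ERR` rather than an exception, so a bad line cannot stall Squid's helper pool.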


RE: Always Password Attribute and Multiple Password

2003-06-04 Thread Gene Parks
Sn is not stored correctly in LDAP for a userpassword.  Why would you
want it to be sn anyway?  If you are looking for a clear text password
then store it as chappassword.  LDAP will store it correctly.
Userpassword needs to be userpassword.

Gene Parks
VIP Direct

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

Sent: Friday, May 30, 2003 11:36 AM
To: [EMAIL PROTECTED]
Subject: Always Password Attribute and Multiple Password
Importance: High


Always an Access-Reject when I use sn as userPassword

Another Idea ? or a correction ?

Philippe


Radiusd.conf :

ldap ldap1 {
        server = "192.168.1.53"
        identity = "cn=Root,dc=e-qual,dc=fr"
        password = "poiuyt"
        basedn = "ou=Users,dc=e-qual,dc=fr"
        #filter = "(&(description=*CiscoAccess*)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        start_tls = no
        # set this to 'yes' to use TLS encrypted connections to the
        # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
        # the ldap library.
        tls_mode = no

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "sn"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        # ldap_cache_timeout = 120
        # ldap_cache_size = 0
        ldap_connections_number = 5
        #password_header = "{MD5}"

        password_attribute = sn
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = yes
        access_attr_used_for_allow = yes
}



Here is the log :


Config:   including file: /opt/freeradius-0.8.1/etc/raddb/proxy.conf
Config:   including file: /opt/freeradius-0.8.1/etc/raddb/clients.conf
Config:   including file: /opt/freeradius-0.8.1/etc/raddb/snmp.conf
Config:   including file: /opt/freeradius-0.8.1/etc/raddb/sql.conf
 main: prefix = "/opt/freeradius-0.8.1"
 main: localstatedir = "/opt/freeradius-0.8.1/var"
 main: logdir = "/opt/freeradius-0.8.1/var/log/radius"
 main: libdir = "/opt/freeradius-0.8.1/lib"
 main: radacctdir = "/opt/freeradius-0.8.1/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/opt/freeradius-0.8.1/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/opt/freeradius-0.8.1/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/opt/freeradius-0.8.1/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: servers_per_realm = 15
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = yes
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /opt/freeradius-0.8.1/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: ignore_password = no
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "(null)"
 unix: group = "/etc/group"
 unix: radwtmp = "/opt/freeradius-0.8.1/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "192.168.1.53"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: ldap_cache

Re: Squid with Freeradius

2003-06-04 Thread Navid Sheik
What do you mean by "authenticate http requests" ?

Navid

On 2003.06.03 21:32, Wei Ming Long wrote:
Hi everyone,
I would like to use the proxy server Squid to perform transparent
proxying
and to authenticate http requests with Freeradius and was wondering if
anyone
has done it and would appreciate it if you could provide
details(configuration
files) of how to setup Squid and Freeradius to do just that.
Thanks.
Best regards
Matthew
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

"Believe you can, believe you can't; either way, you're right" - Henry 
Ford
"Security is a process, not a product..." - Bruce Schneier

Navid Sheik <[EMAIL PROTECTED]>
Key fingerprint = D6FA 566F C9D0 7A17 F25A  1C7C 21F6 3E22 01A7 F604
GPG Key: http://www.navid.cyberbeat.it/shnavid.gpg
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Squid with Freeradius

2003-06-04 Thread Wei Ming Long
Hi everyone,
I would like to use the proxy server Squid to perform transparent proxying
and to authenticate http requests with Freeradius and was wondering if anyone
has done it and would appreciate it if you could provide details(configuration
files) of how to setup Squid and Freeradius to do just that.
Thanks.

Best regards
Matthew

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS ok w/ xsupplicant, WinXP not

2003-06-04 Thread Adam Haberlach
On Mon, Jun 02, 2003 at 07:51:56AM -0700, Sepp Rudel wrote:
> Hi,
> 
> I've configured FreeRADIUS 0.8.1+OpenSSL 0.9.7b, Cisco
> AP 350 and a laptop with Linux+xsupplicant and
> WinXP+SP1.. With Linux+xsupplicant everything works
> like a charm but with WinXPSP1 after radiusd sends
> Access-Accept WinXP thinks for a second and then just
> shows "No wireless connection available." Any ideas
> what needs to be done to get WinXP to work?

Apply all the service packs you possibly can.

http://support.microsoft.com/default.aspx?scid=kb;en-us;328658

(also, type '802.1x' into http://support.microsoft.com )


-- 
Adam Haberlach |  Gravity: so consistent and predictable, yet
[EMAIL PROTECTED]   |  frequently surprising.
http://mediariffic.com |

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius - DLINK DWL-900+ - 802.1.X

2003-06-04 Thread Artur Hecker
hi Pascal


as Alan already advised you, try to read the EAP/MD5 faq. what you keep
on posting is NOT an error. there CAN'T be any user-password attribute
with EAP/MD5 or CHAP methods.

thanks,
artur



Pascal PELONI wrote:
> 
> My mistake : this is the good extract of the log file :
> 
>  Auth: Login incorrect: [tst1/]
> 
> At 17:24 03/06/2003 +0200, you wrote:
> >I forget to say that :
> >
> >1. the authentication works well with radtest !
> >
> > $ radtest tst1 pp 127.0.0.1 1 test
> > Sending Access-Request of id 68 to 127.0.0.1:1812
> > User-Name = "tst1"
> > User-Password =
> > "\323\366\273\363\371Z\250]\231(w\265?\346G\253"
> > NAS-IP-Address = localhost
> > NAS-Port = 1
> >rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=68, length=20
> >
> >2. with my AP I have the following output in radius.log :
> >
> > Auth: Login incorrect: [pelo/]
> >
> >Thanks.
> >
> >At 16:58 03/06/2003 +0200, you wrote:
> >>I've already read the FAQ and the README's, but it still doesn't work.
> >>
> >>Here is part of my config :
> >>
> >>radiusd.conf
> >>
> >>modules {
> >> eap {
> >> default_eap_type = md5
> >> md5 {
> >> }
> >> }
> >>}
> >>
> >>authorize {
> >> eap
> >>}
> >>
> >>authenticate {
> >> eap
> >>}
> >>
> >>client.conf
> >>---
> >>client localhost {
> >> secret  = test
> >> nastype = other
> >> shortname   = test
> >>}
> >>
> >>huntgroups
> >>--
> >>TEST    NAS-IP-Address == 127.0.0.1, NAS-Port-Id == 0-3
> >>
> >>users
> >>-
> >>DEFAULT Huntgroup-Name == "TEST"
> >>        Framed-IP-Address = 192.168.1.11+
> >>
> >>tst1    User-Password == "pp"
> >>
> >>tst2    Auth-Type := Local, User-Password == "pp"
> >>
> >>Could someone help ?
> >>
> >>Thanks, PP.
> >>
> >>
> >>
> >>At 09:31 30/05/2003 -0400, you wrote:
> >>>Pascal PELONI <[EMAIL PROTECTED]> wrote:
> >>> > The problem is that when I try to authenticate with my AP & W2K, it
> >>> doesn't
> >>> > work :
> >>> >
> >>> > # less /var/log/radius.log
> >>> > Thu May 29 18:17:07 2003 : Auth: Login incorrect: [aa/<no User-Password
> >>> > attribute>] (from client ap-wlan port 0 cli 00-40-05-CB-AD-7C)
> >>>
> >>>   Read the FAQ and the README's.
> >>>
> >>>   Read the FAQ and the README's.
> >>>
> >>>   Read the FAQ and the README's.
> >>>
> >>>   Read the FAQ and the README's.
> >>>
> >>>
> >>>   Did I mention I *really* meant that you should read the FAQ and the
> >>>README's?
> >>>
> >>>   Alan DeKok.
> >>>
> >>>-
> >>>List info/subscribe/unsubscribe? See
> >>>http://www.freeradius.org/list/users.html
> >
> >
> >- List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Artur Hecker
artur[at]hecker.info

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: How do I dynamically insert and delete users with mysql?

2003-06-04 Thread Tim McCracken

Then you don't have it set up correctly to use MySql. My users
file is empty. All my users are in MySql, as I suspect is the
case with most people who use it.

There are lots of questions about MySql in the archives and
lots of info in the docs to get it going.


Tim

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael
> Davis
> Sent: Tuesday, June 03, 2003 4:42 PM
> To: [EMAIL PROTECTED]
> Subject: How do I dynamically insert and delete users with mysql?
>
>
> I am using mysql to populate my users list but I still have to insert each
> user name into the users file in order for radius to recognize
> it. Is there
> a way to set up a table in mysql and change a config setting so that I can
> insert users dynamically without having to use the users file at all?
>
> Thanks
> Michael
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How do I dynamically insert and delete users with mysql?

2003-06-04 Thread Nick Davis
Yes.

If you put "sql" in your "authorize" section of radius.conf there should be no 
need to have users in the users file, provided your sql.conf is set up 
correctly.

Just make sure you comment out the "files" entry in your authorize section or 
put "sql" before "files".

Once you are correctly using the user entries from the database, you can add 
and remove them on the fly.

Nick

On Tuesday 03 June 2003 16:41, Michael Davis wrote:
> I am using mysql to populate my users list but I still have to insert each
> user name into the users file in order for radius to recognize it. Is there
> a way to set up a table in mysql and change a config setting so that I can
> insert users dynamically without having to use the users file at all?
>
> Thanks
> Michael

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




How do I dynamically insert and delete users with mysql?

2003-06-04 Thread Michael Davis
I am using mysql to populate my users list but I still have to insert each
user name into the users file in order for radius to recognize it. Is there
a way to set up a table in mysql and change a config setting so that I can
insert users dynamically without having to use the users file at all?

Thanks
Michael




RE: How do I dynamically insert and delete users?

2003-06-04 Thread Tim McCracken

And pick up a copy of the Radius book.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Steve
> Fulton
> Sent: Tuesday, June 03, 2003 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How do I dynamically insert and delete users?
>
>
> > How do I dynamically insert and delete users that the radius server will
> > use? Modifying raddb/users each time is too cumbersome, isn't it?
>
> SQL or LDAP with a front-end of some sort.  Check the archives, there has
> been plenty of discussion about it.
>
> -- Steve.
>
>
>




Re: How do I dynamically insert and delete users?

2003-06-04 Thread Steve Fulton
> How do I dynamically insert and delete users that the radius server will
> use? Modifying raddb/users each time is too cumbersome, isn't it?

SQL or LDAP with a front-end of some sort.  Check the archives, there has
been plenty of discussion about it.

-- Steve.




How do I dynamically insert and delete users?

2003-06-04 Thread Brian Hu
Hi,

How do I dynamically insert and delete users that the radius server will use? 
Modifying raddb/users each time is too cumbersome, isn't it? For my purpose the user 
list is large and it changes very frequently.

Please suggest a solution. Thanks.

Regards,
Brian




Having trouble getting LDAPs to Work w/FreeRadius

2003-06-04 Thread Owen DeLong
I'm running an LDAPs server using a self-signed certificate.  For my
purposes, that's OK.  FreeRadius is telling me that it can't connect
to the LDAP server because there's a self-signed certificate in the chain.
I haven't been able to find the option to tell it that it's OK to accept
a self-signed certificate.  Can anyone tell me how to achieve this?
Thanks,

Owen



Netscreen Dictionary

2003-06-04 Thread Owen DeLong
Hi,
I'm pretty new to FreeRadius, but I've at least got my implementation
partially working (radtest could authenticate and fail to authenticate
under the correct circumstances against my LDAP server).
My next step is to set it up to authenticate XAUTH users on my
Netscreen for VPN purposes.  I have taken a stab at converting the FUNK
RADIUS file from Netscreen to a freeradius format file called
dictionary.netscreen.  I'd appreciate it if there is someone out there
who could review what I've done and tell me if I've gotten it right.
Once I can verify it, I'll happily pass it back to the FreeRadius people
for inclusion as a standard dictionary if they wish.
Thanks,

Owen



RE: SMUX

2003-06-04 Thread Nathan Kufner
Chris,

  Thank you very much.  I configured --with-snmp=no, make, make install
and I got the server up and running right away.  

  I was under the impression that SMUX/SNMP was integral to the radius
server. I am still unsure as to what functionality I just turned off.
What does having SNMP (dis|en)abled on freeRadius mean for the radius
server?  What kind of functionality do I gain or lose?  Sorry if these
are newb questions, but I haven't found any docs or mail archive posts
that explain that one to me yet.  Does anyone know the answer or where
I can find the answer?  


Thanks in advance,
Nathan Kufner



> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Chris van Meerendonk
> Sent: Tuesday, June 03, 2003 2:15 PM
> To: [EMAIL PROTECTED]
> Subject: Re: SMUX
> 
> 
> If you don't need snmp support you can disable it in radius.cfg: 
> snmp= no 
> 
> Otherwise you need to configure your snmpd for smux. Smux is 
> used to pass information to your snmp daemon. In 
> /etc/raddb/snmp.conf: 
> smux_password = your_secret 
> 
> In /etc/snmp/snmpd.conf: 
> smuxpeer .1.3.6.1.4.1.3317.1.3.1 your_secret 
> 
> After that is configured you can read the radius values. F.e.: 
> Authentication requests:
> snmpget localhost your_secret .1.3.6.1.2.1.67.1.1.1.1.5.0 
> Accounting requests: snmpget localhost your_secret 
> .1.3.6.1.2.1.67.2.1.1.1.5.0
> 
> Use mrtg for some nice pictures...
> 
> Chris




Re: SMUX

2003-06-04 Thread Chris van Meerendonk
If you don't need snmp support you can disable it in radius.cfg: 
snmp= no 

Otherwise you need to configure your snmpd for smux. Smux is used to
pass information to your snmp daemon.
In /etc/raddb/snmp.conf: 
smux_password = your_secret 

In /etc/snmp/snmpd.conf: 
smuxpeer .1.3.6.1.4.1.3317.1.3.1 your_secret 

After that is configured you can read the radius values. F.e.: 
Authentication requests:
snmpget localhost your_secret .1.3.6.1.2.1.67.1.1.1.1.5.0
Accounting requests:
snmpget localhost your_secret .1.3.6.1.2.1.67.2.1.1.1.5.0

Use mrtg for some nice pictures...

Chris


On Tue, 2003-06-03 at 15:57, Nathan Kufner wrote:
> Hello all,
> 
>   I have tried to search for this problem in the lists and with google,
> but to no avail :(  Anyway I am setting up freeRadius for the first time
> and when I start it I get:
> 
> [snip]
> 
> SMUX connect try 1
> SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
> SMUX open progname: radiusd
> SMUX open password: 
> SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> Broken pipe
> 
> [/snip]
> 
> 
> 
> I guess my first question is what is the SMUX and what is it trying to
> do?  Anybody have any insight for this newb?
> 
> 
> Thanks,
> Nathan
> 
> 
> 
> 
> The full radiusd -X output is below:
> 
> 
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/etc/raddb/proxy.conf
> Config:   including file: /usr/local/etc/raddb/clients.conf
> Config:   including file: /usr/local/etc/raddb/snmp.conf
> Config:   including file: /usr/local/etc/raddb/sql.conf
>  main: prefix = "/usr/local"
>  main: localstatedir = "/usr/local/var"
>  main: logdir = "/usr/local/var/log/radius"
>  main: libdir = "/usr/local/lib"
>  main: radacctdir = "/usr/local/var/log/radius/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/usr/local/var/log/radius/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
>  main: user = "(null)"
>  main: group = "(null)"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/local/sbin/checkrad"
>  main: proxy_requests = yes
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  proxy: servers_per_realm = 15
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = no
>  main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded expr 
> Module: Instantiated expr (expr) 
> Module: Loaded PAP 
>  pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap) 
> Module: Loaded CHAP 
> Module: Instantiated chap (chap) 
> Module: Loaded MS-CHAP 
>  mschap: ignore_password = no
>  mschap: use_mppe = yes
>  mschap: require_encryption = no
>  mschap: require_strong = no
>  mschap: passwd = "(null)"
>  mschap: authtype = "MS-CHAP"
> Module: Instantiated mschap (mschap) 
> Module: Loaded System 
>  unix: cache = no
>  unix: passwd = "(null)"
>  unix: shadow = "(null)"
>  unix: group = "(null)"
>  unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
>  unix: usegroup = no
>  unix: cache_reload = 600
> Module: Instantiated unix (unix) 
> Module: Loaded preprocess 
>  preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
>  preprocess: hints = "/usr/local/etc/raddb/hints"
>  preprocess: with_ascend_hack = no
>  preprocess: ascend_channels_per_line = 23
>  preprocess: with_ntdomain_hack = no
>  preprocess: with_specialix_jetstream_hack = no
>  preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess) 
> Module: Loaded realm 
>  realm: format = "suffix"
>  realm: delimiter = "@"
> Module: Instantiated realm (suffix) 
> Module: Loaded files 
>  files: usersfile = "/usr/local/etc/raddb/users"
>  files: acctusersfile = "/usr/local/etc/raddb/acct_users"
>  files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
>  files: compat = "no"
> Module: Instantiated files (files) 
> Module: Loaded Acct-Unique-Session-Id 
>  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port-Id"
> Module: Instantiated acct_unique (acct_unique) 
> Module: Loaded detail 
>  detail: detailfile =
> "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 12:14:58PM -0500, Chris Parker wrote:
> At 09:05 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >> There is no 'wrong' or 'right'.  They simply do it different ways.
> >
> >So is it possible to make freeradius determine both?
> 
> For what purpose?  What do you want Freeradius to do?

When freeradius receives a request, it checks whether there was already
a request with the same id/nas/udp-port a short time ago (cleanup_delay
in radiusd.conf) or whether one is being processed now. If there was, it
re-sends the reply to the NAS if the request was already processed, or
otherwise simply drops the retransmitted request "due to live request id NNN".
Right?

It would be nice if freeradius did the same when the ids are different but
the Acct-Session-Ids are the same. Don't know if it's a good idea...

Well, I can make it within sql module by doing something like
acct_stop_query = "\
INSERT INTO ${acct_table} \
(username, ...) \
VALUES (
SELECT '%u' WHERE NOT EXISTS ( \
SELECT 1 FROM ${acct_table} \
WHERE userName = '%u' \
AND sessionId = '%{Acct-Session-Id}' \
AND nasIpAddress = '%n' \
AND nasPort = '%{NAS-Port}' \
AND  \
), \
...
)"
assuming userName is declared NOT NULL, so the INSERT will fail for a re-sent
packet whose original packet was already processed successfully.

Thanks all for the input, let's consider the problem solved...
unless someone offers another solution :)

-- 
Fduch M. Pravking



Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 02:04:26PM -0400, Puneet B wrote:
> Accounting Requests are slightly different if your NAS includes the attribute 
> Acct-Delay-Time. This needs to be updated in each retransmit, and since now the 
> contents of the packet change, a new Identifier is needed.
> Here is the relevant section from RFC 2866:
> " Note that if Acct-Delay-Time is included in the attributes of an
> Accounting-Request then the Acct-Delay-Time value will be updated when the 
> packet is retransmitted, changing the content of the Attributes field and 
> requiring a new Identifier and Request Authenticator."
> Without this attribute the NAS can use the same identifier and you might still
> see 'duplicate' requests on the server.

Thanks, I got it. It's really useful to read docs accurately :)


-- 
Fduch M. Pravking



Re: Cisco re-sends packets with different ids

2003-06-04 Thread Puneet B

> > It's not a dupe because it is different, that's the point. It is not
> > the same set of a/v pairs that was originally sent. I don't see anything
> > violating the RFC here.
>
> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> packet with the same id. But then what the "duplicate" requests for?
> And in which case should we expect 'em?

RFC 2865 says: "The Identifier field MUST be changed whenever the content 
of the Attributes field changes, and whenever a valid reply has been
received for a previous request.  For retransmissions, the Identifier MUST 
remain unchanged."

In Access Requests usually all attributes remain the same when retransmitting.
In that case the NAS would use the same identifier and you might see 'duplicate'
requests on the Radius server.

Accounting Requests are slightly different if your NAS includes the attribute 
Acct-Delay-Time. This needs to be updated in each retransmit, and since now the 
contents of the packet change, a new Identifier is needed.
Here is the relevant section from RFC 2866:
" Note that if Acct-Delay-Time is included in the attributes of an
Accounting-Request then the Acct-Delay-Time value will be updated when the 
packet is retransmitted, changing the content of the Attributes field and 
requiring a new Identifier and Request Authenticator."
Without this attribute the NAS can use the same identifier and you might still
see 'duplicate' requests on the server.

So the Cisco NAS seems to be RFC-compliant (at least in this respect)!

Puneet




Re: Can RADIUS attributes pass through to Apache?

2003-06-04 Thread Mark Lavi
Alan DeKok wrote:

> Mark Lavi <[EMAIL PROTECTED]> wrote:
>
>>> So long as the list of RADIUS attributes don't get sent out in the
>>> HTTP response. That's my biggest worry with the use of HTTP headers,
>>> and with Apache.
>>
>> I'm not sure what response you mean, the web browser/client's response
>> to the HTTP headers upon the next HTTP request back to the web server?
>
> The response from the web server to the browser CANNOT contain any
> RADIUS attributes.

Ah, if we are talking about the standard RADIUS attributes, then yes - 
that should not go down to the browser via HTTP headers. However, I am 
talking about the extended (potentially vendor specific) attributes 
included into the access-accept packet that are currently discarded in 
mod_auth_radius.

You bring up a good point: there could be information communicated down 
to the browser that could be utilized to undermine security, abuse a 
system, etc. So that suggests that sending down all extended attributes, 
by default, would be a bad design.

So if mod_auth_radius could be configured to specify what attributes 
could be "public" and passed down, that would solve the problem. 
Attributes that are promoted as public information could be utilized. My 
example would be to enable a "group=Engineering" attribute to be utilized 
in the server side environment.

>> By passing the attributes, they can be used in the server side
>> environment (CGI/PHP/etc.) and that's the value I am after.
>
> Where are the attributes passed to, inside of the server?
> a) environment variables: no, they stick around from request to request
> b) HTTP headers: no, they get sent back to the browser
> c) ?

Own suggested ENVIRONMENT variables, too, and we had already discussed 
this. Unless ENVIRONMENT variables can be made live for only the 
connection's lifecycle, this would not be a good solution.

Option C would be inter-module passing or another internal data 
structure used in the server (sounds painful). I feel that option B, 
with specific attributes enabled, would be a workable solution.

--
--Mark
o  Atarex Communications: Web, Software, and Network Development
/\/ Public key attachment for secure e-mail enclosed.
//  mailto:[EMAIL PROTECTED] || http://www.atarex.com


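The design the two of them are circling, as an added Python example that is not code from the thread, from mod_auth_radius or from Apache: reply attributes are filtered through a configured allowlist, the survivors are placed in the per-request WSGI environ (a dictionary that exists only for that one request, which answers the objection to process-wide environment variables), and a guard on the response refuses any header that would carry a RADIUS attribute back to the browser. The attribute name "Group", the `X-RADIUS-` header prefix, the `lookup_attrs` hook that stands in for the Access-Accept contents, and all sample values are assumptions made for the example.

```python
from wsgiref.util import setup_testing_defaults

# Reply attributes that may be exposed to server-side code. Constructed for this
# example; "Group" stands in for whatever attribute carries the group name.
PUBLIC_ATTRIBUTES = frozenset({"Group"})


def select_public(attrs, allowlist=PUBLIC_ATTRIBUTES):
    """Keep only allowlisted Access-Accept attributes; the rest never leave the server."""
    return {name: value for name, value in attrs.items() if name in allowlist}


def as_environ_keys(public_attrs):
    """RADIUS_<NAME> keys for the per-request WSGI environ (CGI-style naming)."""
    return {"RADIUS_" + name.upper().replace("-", "_"): value
            for name, value in public_attrs.items()}


def radius_attribute_middleware(app, lookup_attrs, allowlist=PUBLIC_ATTRIBUTES):
    """lookup_attrs(environ) is a hypothetical hook returning the attributes the
    auth module received in the Access-Accept for this request."""
    def wrapped(environ, start_response):
        # environ is created per request and discarded afterwards, so nothing
        # here survives into the next request the way a process env var would.
        environ.update(as_environ_keys(select_public(lookup_attrs(environ), allowlist)))

        def guarded_start_response(status, headers, exc_info=None):
            # Nothing RADIUS-derived may travel in the response to the browser.
            leaked = [(k, v) for k, v in headers if k.lower().startswith("x-radius-")]
            if leaked:
                raise ValueError("RADIUS attributes must not reach the client: %r" % leaked)
            return start_response(status, headers, exc_info)

        return app(environ, guarded_start_response)
    return wrapped


def cgi_style_app(environ, start_response):
    """Server-side code that uses the group, the way a CGI or PHP script would."""
    body = ("group=%s\n" % environ.get("RADIUS_GROUP", "none")).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def leaky_app(environ, start_response):
    """Buggy app that echoes the attribute as a response header; the guard stops it."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-RADIUS-Group", environ.get("RADIUS_GROUP", ""))])
    return [b"oops"]


def call(app, attrs):
    """Drive one request through the middleware. Returns (status, headers, body, environ)."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    wrapped = radius_attribute_middleware(app, lambda env: attrs)
    body = b"".join(wrapped(environ, start_response))
    return captured["status"], captured["headers"], body, environ


def leaks(app, attrs):
    """True when the response guard refused to send the reply."""
    try:
        call(app, attrs)
    except ValueError:
        return True
    return False


# Constructed Access-Accept contents: one public attribute, two that must stay private.
SAMPLE_ATTRS = {"Group": "Engineering", "Framed-IP-Address": "192.0.2.10",
                "Class": "0xdeadbeef"}
```

Running `call(cgi_style_app, SAMPLE_ATTRS)` yields a body of `group=Engineering` while `Framed-IP-Address` and `Class` appear neither in the environ nor in any header; `leaks(leaky_app, SAMPLE_ATTRS)` is true because the guard raises before the header is sent.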


Re: Cisco re-sends packets with different ids

2003-06-04 Thread Chris Parker
At 09:05 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> On Tue, Jun 03, 2003 at 11:53:48AM -0500, Chris Parker wrote:
> > At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> > >On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
> > >> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> > >> packet with the same id.
> > >
> > >I think I'm not. Here's the PortMaster 2 example:
> >
> > There is no 'wrong' or 'right'.  They simply do it different ways.
>
> So is it possible to make freeradius determine both?

For what purpose?  What do you want Freeradius to do?

-Chris

--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 11:53:48AM -0500, Chris Parker wrote:
> At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
> >> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> >> packet with the same id.
> >
> >I think I'm not. Here's the PortMaster 2 example:
> 
> There is no 'wrong' or 'right'.  They simply do it different ways.

So is it possible to make freeradius determine both?

-- 
Fduch M. Pravking



Re: Cisco re-sends packets with different ids

2003-06-04 Thread Jim Underwood
You can't apply your criteria without considering the device, if you
want a NAS that delivers accounting reliably. Your reading of the RFC is
correct, but the RFC does not specify what a NAS does once it reaches the
end of its attempt to deliver the Accounting. It does not even give
guidance as to the extent and duration of retry attempts. In many
devices, it is simply discarded. That stinks too. Hats off to Cisco that
the NAS saves "failed" accounting delivery advice and reattempts it in
the future as, yes, a NEW REQUEST.

If you want independence from the vagaries of individual devices and
versions, you just have to post-filter duplicate accounting advice. At
iPass we filter with a 30-day window to deal with some devices that do
binary backoff retries.

Alexander M. Pravking wrote:

> On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
>
>> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
>> packet with the same id.
>
> I think I'm not. Here's the PortMaster 2 example:
>
> rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129
> Sun Jun  1 13:22:57 2003 : Debug: Thread 5 assigned request 7679
> Sun Jun  1 13:22:57 2003 : Debug: Waking up in 2 seconds...
> Sun Jun  1 13:22:57 2003 : Debug: Thread 5 handling request 7679, (1331 handled so far)
>    Acct-Session-Id = "5B012519"
>    User-Name = "user-name"
>    NAS-IP-Address = ...
>    NAS-Port = 10
>    NAS-Port-Type = Async
>    Acct-Status-Type = Stop
>    Acct-Session-Time = 1527
>    Acct-Authentic = RADIUS
>    Acct-Input-Octets = 620905
>    Acct-Output-Octets = 3171185
>    Acct-Terminate-Cause = User-Request
>    Service-Type = Framed-User
>    Framed-Protocol = PPP
>    Framed-IP-Address = ...
>    Acct-Delay-Time = 0
> ...
> rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129
> Sun Jun  1 13:23:43 2003 : Debug: Thread 6 assigned request 7688
> Sun Jun  1 13:23:43 2003 : Debug: --- Walking the entire request list ---
> Sun Jun  1 13:23:43 2003 : Debug: Threads: total/active/spare threads = 7/1/6
> Sun Jun  1 13:23:43 2003 : Debug: Waking up in 5 seconds...
> Sun Jun  1 13:23:43 2003 : Debug: Thread 6 handling request 7688, (501 handled so far)
>    Acct-Session-Id = "5B012519"
>    User-Name = "user-name"
>    NAS-IP-Address = ...
>    NAS-Port = 10
>    NAS-Port-Type = Async
>    Acct-Status-Type = Stop
>    Acct-Session-Time = 1527
>    Acct-Authentic = RADIUS
>    Acct-Input-Octets = 620905
>    Acct-Output-Octets = 3171185
>    Acct-Terminate-Cause = User-Request
>    Service-Type = Framed-User
>    Framed-Protocol = PPP
>    Framed-IP-Address = ...
>    Acct-Delay-Time = 45





Re: Cisco re-sends packets with different ids

2003-06-04 Thread Chris Parker
At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
> > Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> > packet with the same id.
>
> I think I'm not. Here's the PortMaster 2 example:

There is no 'wrong' or 'right'.  They simply do it different ways.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: FreeRadius, MS-CHAP, mppe, and 128-bit encryption

2003-06-04 Thread 3APA3A
Dear Steven Fries,

128-bit encryption is possible, because it's implemented in the way that
works, not in the way the RFC says to do it. The RFC authors acknowledged
the problem in the RFC.

--Tuesday, June 3, 2003, 9:54:47 PM, you wrote to [EMAIL PROTECTED]:

SF> After reading one of the files that is in the docs/ directory, it says 128-bit 
SF> encryption with mppe is not possible because of some confusion with the Cisco 
SF> RFC. Is this true? And if so,
SF> are there any current versions beyond 0.8.1?

SF> I'm trying to use Radius to validate VPN PPTP users and am having a lot of 
SF> difficulties. I need to use the strongest encryption possible as this is for patient 
SF> data. Anyone have similar experience?


-- 
~/ZARAZA
Sir Isaac Newton discovered that apples fall to the ground. (Twain)




FreeRadius, MS-CHAP, mppe, and 128-bit encryption

2003-06-04 Thread Steven Fries
After reading one of the files that is in the docs/ directory, it says 128-bit 
encryption with mppe is not possible because of some confusion with the Cisco 
RFC. Is this true? And if so, are there any current versions beyond 0.8.1?

I'm trying to use Radius to validate VPN PPTP users and am having a lot of 
difficulties. I need to use the strongest encryption possible as this is for patient 
data. Anyone have similar experience?

Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> packet with the same id.

I think I'm not. Here's the PortMaster 2 example:

rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129
Sun Jun  1 13:22:57 2003 : Debug: Thread 5 assigned request 7679
Sun Jun  1 13:22:57 2003 : Debug: Waking up in 2 seconds...
Sun Jun  1 13:22:57 2003 : Debug: Thread 5 handling request 7679, (1331 handled so far)
Acct-Session-Id = "5B012519"
User-Name = "user-name"
NAS-IP-Address = ...
NAS-Port = 10
NAS-Port-Type = Async
Acct-Status-Type = Stop
Acct-Session-Time = 1527
Acct-Authentic = RADIUS
Acct-Input-Octets = 620905
Acct-Output-Octets = 3171185
Acct-Terminate-Cause = User-Request
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = ...
Acct-Delay-Time = 0
...
rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129
Sun Jun  1 13:23:43 2003 : Debug: Thread 6 assigned request 7688
Sun Jun  1 13:23:43 2003 : Debug: --- Walking the entire request list ---
Sun Jun  1 13:23:43 2003 : Debug: Threads: total/active/spare threads = 7/1/6
Sun Jun  1 13:23:43 2003 : Debug: Waking up in 5 seconds...
Sun Jun  1 13:23:43 2003 : Debug: Thread 6 handling request 7688, (501 handled so far)
Acct-Session-Id = "5B012519"
User-Name = "user-name"
NAS-IP-Address = ...
NAS-Port = 10
NAS-Port-Type = Async
Acct-Status-Type = Stop
Acct-Session-Time = 1527
Acct-Authentic = RADIUS
Acct-Input-Octets = 620905
Acct-Output-Octets = 3171185
Acct-Terminate-Cause = User-Request
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = ...
Acct-Delay-Time = 45

-- 
Fduch M. Pravking



Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 10:52:45AM -0500, Chris Parker wrote:
> At 07:45 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> It's not a dupe because it is different, that's the point.  It is not
> the same set of a/v pairs that was originally sent.  I don't see anything
> violating the RFC here.

Hmm... Maybe I'm wrong here, assuming that NAS should re-send
packet with the same id. But then what are the "duplicate" requests for?
And in which case should we expect 'em?


> >As I said, the server processed the first request too long - more than
> >5 seconds. It happens sometimes, and I don't think it's too bad.
> 
> Then increase the retry timeout on the cisco so it waits longer for a
> response.

Yes, but what if the request takes even longer to process?

> Alternatively, fix your radius server so it doesn't take 5
> *seconds* to process a request.  :)

I can do nothing here - it's proxied to remote server.

-- 
Fduch M. Pravking



RE: User attributes

2003-06-04 Thread Burkhard Weeber
Using Ascend gear here is what works at our site:

Service-Type = Framed-User,
Framed-Protocol = PPP,
Ascend-Bridge = Bridge-Yes,
Ascend-DHCP-Reply = DHCP-Reply-Yes,
Ascend-DHCP-Pool-Number = 3,
Ascend-Assign-IP-Pool = 3,
Framed-Netmask = 255.255.255.255,
Ascend-Link-Compression = Link-Comp-Stac,
Framed-Compression = Van-Jacobsen-TCP-IP,
Ascend-Client-Primary-DNS = gate.way.ip.addr,
Ascend-Client-Assign-DNS = DNS-Assign-Yes,
Framed-Routing = None,
Ascend-Route-IP = Route-IP-Yes,
Ascend-MTU = 576,
Ascend-Idle-Limit = 240,
Ascend-Preempt-Limit = 35,
Ascend-Metric = 2

HTH

Burkhard Weeber
viastore systems GmbH
P/O Box 300668
D-70446 Stuttgart
Tel: +49-711-9818-0
Email: [EMAIL PROTECTED]

Disclaimer:
The opinions expressed herein are my personal points of view and do not
represent those of my employer.

Windows95:  n.
32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit
operating system originally coded for a 4 bit microprocessor, written by
a 2 bit company, that can't stand 1 bit of competition.



> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Mauro
> Sent: Tuesday, June 03, 2003 5:15 PM
> To: [EMAIL PROTECTED]
> Subject: User attributes
> 
> 
> Having this basic user configuration
> linus Auth-Type = Local, Password = 'password'
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-IP-Address = 192.168.28.152,
> Framed-IP-Netmask = 255.255.255.255,
> Framed-Routing = Broadcast-Listen,
> Framed-MTU = 1500,
> Framed-Compression = Van-Jacobson-TCP-IP
> I'd like to know how it is possible to pass it the dns value as 
> well as the
> gateway to let the remote user into the local LAN.
> Cheers
> 
> 
> 




Re: FreeRadius - DLINK DWL-900+ - 802.1.X

2003-06-04 Thread Pascal PELONI
My mistake: this is the correct extract of the log file:

Auth: Login incorrect: [tst1/]

At 17:24 03/06/2003 +0200, you wrote:
> I forget to say that :
>
> 1. the authentication works well with radtest !
>
> $ radtest tst1 pp 127.0.0.1 1 test
> Sending Access-Request of id 68 to 127.0.0.1:1812
> User-Name = "tst1"
> User-Password = "\323\366\273\363\371Z\250]\231(w\265?\346G\253"
> NAS-IP-Address = localhost
> NAS-Port = 1
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=68, length=20
>
> 2. with my AP I have the following output in radius.log :
>
> Auth: Login incorrect: [pelo/]
>
> Thanks.
>
> At 16:58 03/06/2003 +0200, you wrote:
>> I've already read the FAQ and the README's, but it still doesn't work.
>>
>> Here is part of my config :
>>
>> radiusd.conf
>>
>> modules {
>>     eap {
>>         default_eap_type = md5
>>         md5 {
>>         }
>>     }
>> }
>> authorize {
>>     eap
>> }
>> authenticate {
>>     eap
>> }
>>
>> client.conf
>> ---
>> client localhost {
>>     secret    = test
>>     nastype   = other
>>     shortname = test
>> }
>>
>> huntgroups
>> --
>> TEST    NAS-IP-Address == 127.0.0.1, NAS-Port-Id == 0-3
>>
>> users
>> -
>> DEFAULT Huntgroup-Name == "TEST"
>>         Framed-IP-Address = 192.168.1.11+
>> tst1    User-Password == "pp"
>>
>> tst2    Auth-Type := Local, User-Password == "pp"
>>
>> Could someone help ?
>>
>> Thanks, PP.
>>
>> At 09:31 30/05/2003 -0400, you wrote:
>>> Pascal PELONI <[EMAIL PROTECTED]> wrote:
>>>> The problem is that when I try to authenticate with my AP & W2K, it 
>>>> doesn't
>>>> work :
>>>>
>>>> # less /var/log/radius.log
>>>> Thu May 29 18:17:07 2003 : Auth: Login incorrect: [aa/
>>>> attribute>] (from client ap-wlan port 0 cli 00-40-05-CB-AD-7C)
>>>
>>>   Read the FAQ and the README's.
>>>
>>>   Read the FAQ and the README's.
>>>
>>>   Read the FAQ and the README's.
>>>
>>>   Read the FAQ and the README's.
>>>
>>>   Did I mention I *really* meant that you should read the FAQ and the
>>> README's?
>>>   Alan DeKok.




Re: Cisco re-sends packets with different ids

2003-06-04 Thread Chris Parker
At 07:45 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> On Tue, Jun 03, 2003 at 09:14:01AM -0500, Chris Parker wrote:
> > At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> > >I discovered that our Cisco 5200 resends acct-requests (not sure about
> > >auth-requests) with different request identifiers, which violates
> > >RFC 2866. Here is sample debug output (note the id's!):
> >
> > Acct-Delay-Time has changed.  It is not the same packet.
>
> Of course, it's changed - it retransmits it because it timed out
> waiting for the response. But RFC 2866 says:
>
>    Identifier
>
>       The Identifier field is one octet, and aids in matching requests
>       and replies.  The RADIUS server can detect a duplicate request if
>       it has the same client source IP address and source UDP port and
>       Identifier within a short span of time.
>
> Once ids are different, radiusd can't detect duplicate requests
> and processes them as if they were independent.

It's not a dupe because it is different, that's the point.  It is not
the same set of a/v pairs that was originally sent.  I don't see anything
violating the RFC here.

> As I said, the server processed the first request too long - more than
> 5 seconds. It happens sometimes, and I don't think it's too bad.

Then increase the retry timeout on the cisco so it waits longer for a
response.  Alternatively, fix your radius server so it doesn't take 5
*seconds* to process a request.  :)
-Chris
-Chris

--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 07:06:38AM -0700, Jim Underwood wrote:
> That's what those acct-session-ids are for...

I don't think the developers will hack radius for this particular Cisco bug :)

-- 
Fduch M. Pravking



RE: User attributes

2003-06-04 Thread Jonathan Ruano
Hello:

It depends on which hardware you use. We have Ascend MAX 6x/TNTs and
these attributes seem to work (not using them currently, but did
in the past):

[EMAIL PROTECTED] radius]# grep DNS /etc/raddb/dictionary.ascend
ATTRIBUTE   X-Ascend-Client-Primary-DNS     135 ipaddr
ATTRIBUTE   X-Ascend-Client-Secondary-DNS   136 ipaddr
ATTRIBUTE   X-Ascend-Client-Assign-DNS      137 integer
ATTRIBUTE   Ascend-Client-Primary-DNS       135 ipaddr      Ascend
ATTRIBUTE   Ascend-Client-Secondary-DNS     136 ipaddr      Ascend
ATTRIBUTE   Ascend-Client-Assign-DNS        137 integer     Ascend
VALUE   Ascend-Client-Assign-DNS    DNS-Assign-No   0
VALUE   Ascend-Client-Assign-DNS    DNS-Assign-Yes  1
VALUE   Ascend-Client-Assign-DNS    DNS-Assign-No   0
VALUE   Ascend-Client-Assign-DNS    DNS-Assign-Yes  1

Hope it helps.

Jonathan.




Re: Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
On Tue, Jun 03, 2003 at 09:14:01AM -0500, Chris Parker wrote:
> At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >I discovered that our Cisco 5200 resends acct-requests (not sure about
> >auth-requests) with different request identifiers, which violates
> >RFC 2866. Here is sample debug output (note the id's!):
> 
> Acct-Delay-Time has changed.  It is not the same packet.

Of course it's changed - it retransmits it because it timed out
waiting for the response. But RFC 2866 says:

   Identifier

  The Identifier field is one octet, and aids in matching requests
  and replies.  The RADIUS server can detect a duplicate request if
  it has the same client source IP address and source UDP port and
  Identifier within a short span of time.

Once the ids are different, radiusd can't detect duplicate requests
and processes them as if they were independent.

> The solution
> is to figure out why your cisco nas isn't seeing an acct-accept from
> the radius server and is retransmitting acct requests.

As I said, the server took too long to process the first request - more than
5 seconds. It happens sometimes, and I don't think it's too bad.

Anyway, thanks for the input.

-- 
Fduch M. Pravking




User attributes

2003-06-04 Thread Mauro
Having this basic user configuration
linus Auth-Type = Local, Password = 'password'
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 192.168.28.152,
Framed-IP-Netmask = 255.255.255.255,
Framed-Routing = Broadcast-Listen,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP
I'd like to know how it is possible to pass it the DNS value as well as the
gateway, to let the remote user into the local LAN.
Cheers




Re: Simultaneous-Use

2003-06-04 Thread Leo Edmiston-Cyr
If configured correctly the "Simultaneous-Use = 1" parameter will limit 
simultaneous logins into THAT RADIUS server to 1.  If you have 1 or 
fifty NAS devices pointed at the same RADIUS server with 
Simultaneous-Use = 1 set for a user, that user will only be allowed to 
log in once no matter which NAS they dial into.

Jeff Sullivan wrote:

Q: I have 4 usrhipers setup for dial in. If customer A dials into arc 1
and then dials in again and gets a modem on arc 2, will they be denied
access if the Simultaneous-Use is set to 1. Or will it only check if
they are attempting to connect to the same arc as the original
connection?
Jeff






RE: Cisco re-sends packets with different ids

2003-06-04 Thread Michael Hardrick
Hey Alex,
Try using "aaa accounting delay-start"... This may help.
I use it on our 5800 to get accounting IP addresses correctly from the NAS.
Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander M. Pravking
Sent: Tuesday, June 03, 2003 8:53 AM
To: [EMAIL PROTECTED]
Subject: Cisco re-sends packets with different ids


I discovered that our Cisco 5200 resends acct-requests (not sure about
auth-requests) with different request identifiers, which violates RFC 2866. Here is 
sample debug output (note the id's!):

rad_recv: Accounting-Request packet from host cisco-5200:1646, id=205, length=119
Sun Jun  1 13:57:15 2003 : Debug: Thread 4 assigned request 7988
Sun Jun  1 13:57:15 2003 : Debug: --- Walking the entire request list ---
Sun Jun  1 13:57:15 2003 : Debug: Waking up in 1 seconds...
Sun Jun  1 13:57:15 2003 : Debug: Thread 4 handling request 7988, (1373 handled so far)
NAS-IP-Address = ...
NAS-Port = 52
NAS-Port-Type = Async
User-Name = "some-user"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "00010CC2"
Framed-Protocol = PPP
Framed-IP-Address = ...
Acct-Delay-Time = 0
...
(this request was being processed more than 5 seconds)
...
rad_recv: Accounting-Request packet from host cisco-5200:1646, id=206, length=119
Sun Jun  1 13:57:20 2003 : Debug: Thread 7 assigned request 7992
Sun Jun  1 13:57:20 2003 : Debug: --- Walking the entire request list ---
Sun Jun  1 13:57:20 2003 : Debug: Threads: total/active/spare threads = 7/1/6
Sun Jun  1 13:57:20 2003 : Debug: Waking up in 1 seconds...
Sun Jun  1 13:57:20 2003 : Debug: Thread 7 handling request 7992, (543 handled so far)
NAS-IP-Address = ...
NAS-Port = 52
NAS-Port-Type = Async
User-Name = "user-name"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "00010CC2"
Framed-Protocol = PPP
Framed-IP-Address = ...
Acct-Delay-Time = 5

Finally, both requests are logged successfully, so we got two active sessions for the 
same request.

Alan would say "So, fix the NAS!", but it doesn't seem possible. (I'll be 
happy if I'm wrong)

Please, let me know if you saw similar things and if you have found a workaround. 
Thanks in advance.

-- 
Fduch M. Pravking



Re: FreeRadius - DLINK DWL-900+ - 802.1.X

2003-06-04 Thread Pascal PELONI
I've already read the FAQ and the README's, but it still doesn't work.

Here is part of my config :

radiusd.conf

modules {
eap {
default_eap_type = md5
md5 {
}
}
}
authorize {
eap
}
authenticate {
eap
}
client.conf
---
client localhost {
secret  = test
nastype = other
shortname   = test
}
huntgroups
--
TEST    NAS-IP-Address == 127.0.0.1, NAS-Port-Id == 0-3
users
-
DEFAULT Huntgroup-Name == "TEST"
Framed-IP-Address = 192.168.1.11+
tst1    User-Password == "pp"

tst2    Auth-Type := Local, User-Password == "pp"

Could someone help ?

Thanks, PP.



At 09:31 30/05/2003 -0400, you wrote:
Pascal PELONI <[EMAIL PROTECTED]> wrote:
> The problem is that when I try to authenticate with my AP & W2K, it 
doesn't
> work :
>
> # less /var/log/radius.log
> Thu May 29 18:17:07 2003 : Auth: Login incorrect: [aa/
> attribute>] (from client ap-wlan port 0 cli 00-40-05-CB-AD-7C)

  Read the FAQ and the README's.

  Read the FAQ and the README's.

  Read the FAQ and the README's.

  Read the FAQ and the README's.

  Did I mention I *really* meant that you should read the FAQ and the
README's?
  Alan DeKok.



Re: Proxy-To-Realm and Replicate-To-Realm

2003-06-04 Thread freeradius

On Thu, 8 May 2003, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > support multiple Replicate-To-Realm attributes in the acct_users file? Can
> > I do something like this in acct_users and is it supported?:
>
>   The server no longer supports Replicate-To-Realm.  Similar
> functionality can be achieved using features outside of the server.
>
>   e.g. Selectively logging packets to a 'detail' file, and then using
> 'radrelay' to replicate those records:
>
> DEFAULT  Called-Station-Id =~ "123456[0-3]789", Acct-Type = 'foo'
>
>   where "foo" is an instance of the 'detail' module.

Well I finally got around to using this method and it seems to be working
fine. I do have a couple of questions though. I'm using snapshot 20030602.

In the accounting{} section, it isn't obvious to me what instances are
called at what time for different Acct-Type's. If I call number
123456789 the accounting{} section only seems to 'execute' the instances
within Acct_IDA and not the other ones (e.g. radutmp) and I therefore
have to duplicate everything inside each instance. Is this correct?
Current configuration is something like this:

(acct_users):
DEFAULT Called-Station-Id == "123456789", Acct-Type := "Acct_IDA"
Fall-Through = No

DEFAULT Called-Station-Id == "876543210", Acct-Type := "Acct_TEST"
Fall-Through = No

DEFAULT Acct-Type := "Acct_STANDARD"
Fall-Through = No


(radiusd.conf):
modules {
[--SNIP--]
detail  detail_IDA {
detailfile = ${radacctdir}/detail_IDA
detailperm = 0600
locking = yes
}
detail  detail_TEST {
detailfile = ${radacctdir}/detail_TEST
detailperm = 0600
locking = yes
}
detail  detail_STANDARD {
detailfile = ${radacctdir}/detail_STANDARD
detailperm = 0600
locking = yes
}
}

accounting {
detail
sql
radutmp
Acct-Type Acct_IDA {
detail
sql
detail_STANDARD
detail_IDA
}
Acct-Type Acct_TEST {
detail
sql
detail_STANDARD
detail_TEST
}
}

The second point is a bug I found in radrelay. We use CVXs and there are
some pretty large attributes included in the accounting packet.
FreeRadius is happy with these attributes but radrelay hangs when reading
it and causes FreeRadius to start dropping the packets with these errors:

Tue Jun  3 11:28:30 2003 : Error: rlm_detail: Failed to aquire filelock
for /var/log/radius_proxy/radacct/detail_STANDARD, giving up

A partial Stop packet that causes this has "Attribute-172818433" with a
large hexadecimal value as below (obfuscated - not the original):

Acct-Status-Type = Stop
NAS-Identifier = "cvx5"
Attr-172818433 =
0x86345834658346583465237987aedcf789e7dc97987987897ec987de9f789ce897d987de987cde98798cde978979c8797cde97d97cf9e7df98c7d9e87c97de97fc987edf97ed97fc97def97c97e987c89d79f7e97fcabababdec97ed9f7c9ef9c7def9c79de7f9c7e9f7c9de7f89c79e7f97897089089785e7645c56d463fce65476ef89cef0980e8cf986de6f5ce6d6e3df65e76cef87ed9c09e8f90c8e90f9ce6f76ced56f4e6d3fce6f4de86f9de78f0ef80def89ef78e5f574e56fe56f4e76fde78f9dcd
Attr-172818435 = 0x3030303030303030303030303030303030303030
Service-Type = Framed-User
NAS-Port = 1063
NAS-Port-Type = Async
Called-Station-Id = "1234567890"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 15
Framed-IP-Address = 1.2.3.14
User-Name = "JoeBloggs"
Framed-Protocol = PPP
Acct-Input-Octets = 1076
Acct-Output-Octets = 1344
[--SNIP--]

It would appear that there is some sort of buffer overflow possibility
here in read_one() in radrelay.c.

A patch is included below. I realise that this doesn't fix the problem
but merely hides it; still, it is good enough to get me going again with
RadRelay.

diff against: "$Id: radrelay.c,v 1.9 2002/12/04 17:24:29 aland Exp $";
[EMAIL PROTECTED] main]# diff -u radrelay.c.orig radrelay.c
--- radrelay.c.orig 2003-06-03 12:39:13.0 +0100
+++ radrelay.c  2003-06-03 12:40:59.0 +0100
@@ -179,7 +179,7 @@
 {
VALUE_PAIR *vp;
char *s;
-   char buf[256];
+   char buf[1024];
char key[32], val[32];
int skip;
long fpos;
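Review bot: growing buf from 256 to 1024 bytes only moves the limit rather than removing it; the Attr-172818433 value quoted above is already several hundred hex characters, and the same hunk still declares key[32] and val[32], so if the attribute value is copied into val the overflow remains. The read into buf should be bounded (e.g. fgets(buf, sizeof(buf), fp), skipping any line that does not end in a newline) and the key/value copies should be length-checked against their arrays, so an over-long attribute is rejected or skipped instead of trusted to fit.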


Cheers,
Dave.





RE: radtest help

2003-06-04 Thread Carugati Paul-APC050
Thanks for the information. I am not sure what version I am using. It was
the latest and greatest compile from the web site.

I can modify the radtest to manually enter more attributes. That might work.
Does anyone know how to configure the radtest script (or create a new one)
to do LEAP authentication? Thanks

Regards,
Paul Carugati


-Original Message-
From: Oliver Graf [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 10:17 AM
To: [EMAIL PROTECTED]
Subject: Re: radtest help


On Mon, Jun 02, 2003 at 07:53:07AM -0500, Carugati Paul-APC050 wrote:
> Thank you for this however I am already using this as a Windows RADIUS
test
> tool. I need a command line version. Any additional information?

Is it possible that you use an old version? cvs radtest does not strip
/ from usernames.

You should also note that radtest is only a shell script for
radclient. Perhaps radclient will do what you want...

Oliver.



RE: dynamic ip addresses

2003-06-04 Thread Robin Garbutt
excellent! cheers very much!

Rob.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael
> Hardrick
> Sent: 03 June 2003 14:44
> To: [EMAIL PROTECTED]
> Subject: RE: dynamic ip addresses
> 
> 
> Change these two.
> 
> Framed-IP-Address = 255.255.255.254,
> Framed-IP-Netmask = 255.255.255.255,
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Robin Garbutt
> Sent: Tuesday, June 03, 2003 4:09 AM
> To: [EMAIL PROTECTED]
> Subject: dynamic ip addresses
> 
> 
> Hi all,
> 
> I can set up freeradius with a static ip address per user but 
> how do you do it so that it picks an ip address from a pool i.e
> dynamically?
> 
> The kind of user details I've got for static are like the 
> following.  What would I change for it to be dynamic?
> 
> test    Auth-Type = Local, Password = "testing"
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-IP-Address = 192.168.31.152,
> Framed-IP-Netmask = 255.255.255.255,
> Framed-Routing = Broadcast-Listen,
> Framed-Filter-Id = "std.ppp",
> Framed-MTU = 1500,
> Framed-Compression = Van-Jacobson-TCP-IP
> 
> cheers in advance
> 
> Rob.
> 
> 
> 
> ===
> Netnorth Limited
> 7-8 Queensbrook
> Bolton Technology Exchange
> Bolton
> BL1 4AY
> 
> d/l: 01204 900714
> tel: 01204 900700
> Fax: 01204 900777
> 
> email: [EMAIL PROTECTED]
> 
> ===
> 
> ~~
> 
> Why not try our dial-up ? 
> Modem Tel: 0845 055 0006
> Username: netnorthdial
> Password: netnorthdial
> 
> All formats supported, including V90, ISDN, ISDN dual 
> channel, Mobile Phones
> 
> ~~
> 


Simultaneous-Use

2003-06-04 Thread Jeff Sullivan
Q: I have 4 usrhipers setup for dial in. If customer A dials into arc 1
and then dials in again and gets a modem on arc 2, will they be denied
access if the Simultaneous-Use is set to 1. Or will it only check if
they are attempting to connect to the same arc as the original
connection?

Jeff




Virus Detected by Network Associates, Inc. Webshield SMTP V4.5 MR1a

2003-06-04 Thread postmaster
The City of Greater Sudbury has detected virus W32/[EMAIL PROTECTED] in an attachment
movie.pif from <[EMAIL PROTECTED]> to
<[EMAIL PROTECTED]> . Please be advised that the e-mail did not get forwarded to the 
recipient(s)
listed above. The City of Greater Sudbury does not accept infected mail onto or through
their e-mail server.  Please scan your computer for viruses before resending.



Re: Cisco re-sends packets with different ids

2003-06-04 Thread Chris Parker
At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> I discovered that our Cisco 5200 resends acct-requests (not sure about
> auth-requests) with different request identifiers, which violates
> RFC 2866. Here is sample debug output (note the id's!):

Acct-Delay-Time has changed.  It is not the same packet.  The solution
is to figure out why your cisco nas isn't seeing an acct-accept from
the radius server and is retransmitting acct requests.
-Chris

--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: Cisco re-sends packets with different ids

2003-06-04 Thread Jim Underwood
That's what those acct-session-ids are for...

Alexander M. Pravking wrote:

I discovered that our Cisco 5200 resends acct-requests (not sure about
auth-requests) with different request identifiers, which violates
RFC 2866. Here is sample debug output (note the id's!):
rad_recv: Accounting-Request packet from host cisco-5200:1646, id=205, length=119
Sun Jun  1 13:57:15 2003 : Debug: Thread 4 assigned request 7988
Sun Jun  1 13:57:15 2003 : Debug: --- Walking the entire request list ---
Sun Jun  1 13:57:15 2003 : Debug: Waking up in 1 seconds...
Sun Jun  1 13:57:15 2003 : Debug: Thread 4 handling request 7988, (1373 handled so far)
   NAS-IP-Address = ...
   NAS-Port = 52
   NAS-Port-Type = Async
   User-Name = "some-user"
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Service-Type = Framed-User
   Acct-Session-Id = "00010CC2"
   Framed-Protocol = PPP
   Framed-IP-Address = ...
   Acct-Delay-Time = 0
...
(this request was being processed more than 5 seconds)
...
rad_recv: Accounting-Request packet from host cisco-5200:1646, id=206, length=119
Sun Jun  1 13:57:20 2003 : Debug: Thread 7 assigned request 7992
Sun Jun  1 13:57:20 2003 : Debug: --- Walking the entire request list ---
Sun Jun  1 13:57:20 2003 : Debug: Threads: total/active/spare threads = 7/1/6
Sun Jun  1 13:57:20 2003 : Debug: Waking up in 1 seconds...
Sun Jun  1 13:57:20 2003 : Debug: Thread 7 handling request 7992, (543 handled so far)
   NAS-IP-Address = ...
   NAS-Port = 52
   NAS-Port-Type = Async
   User-Name = "user-name"
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Service-Type = Framed-User
   Acct-Session-Id = "00010CC2"
   Framed-Protocol = PPP
   Framed-IP-Address = ...
   Acct-Delay-Time = 5
Finally, both requests are logged successfully, so we got two active
sessions for the same request.
Alan would say "So, fix the NAS!", but it doesn't seem possible.
(I'll be happy if I'm wrong)
Please, let me know if you saw similar things and if you have found a
workaround. Thanks in advance.
 



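An added example, not code from the list or from FreeRADIUS, covering the two points made in this thread and in the Simultaneous-Use thread above: keying accounting duplicate detection on NAS-IP-Address and Acct-Session-Id (using Acct-Delay-Time to recover the original send time) so that a retransmit carrying a new Identifier does not become a second session, and counting a user's live sessions across every NAS for a Simultaneous-Use check. All packets, addresses and session ids are constructed for the example.

```python
"""Accounting session tracker: an added example, not FreeRADIUS or list code."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    nas_ip: str
    nas_port: int
    session_id: str


class AcctTracker:
    def __init__(self, dedup_window=30):
        # Seconds within which a second Start/Stop for the same
        # (NAS, session) is treated as a retransmit, not a new event.
        self.dedup_window = dedup_window
        self.active = {}   # (nas_ip, session_id) -> Session
        self.seen = {}     # (nas_ip, session_id, status) -> original send time

    def handle(self, pkt, now):
        """Process one Accounting-Request (dict of attributes as radiusd -X
        prints them). The RADIUS Identifier is deliberately not consulted."""
        nas = pkt["NAS-IP-Address"]
        sid = pkt["Acct-Session-Id"]
        status = pkt["Acct-Status-Type"]

        # Acct-Delay-Time is how long the NAS has been trying to deliver this
        # record, so now - delay recovers when it was first sent. Comparing
        # send times keeps a retransmit inside the window even when the first
        # copy took seconds to process, which is the Cisco 5200 case.
        sent_at = now - int(pkt.get("Acct-Delay-Time", 0))
        key = (nas, sid, status)
        first = self.seen.get(key)
        if first is not None and abs(sent_at - first) <= self.dedup_window:
            return "duplicate"
        self.seen[key] = sent_at

        if status == "Start":
            self.active[(nas, sid)] = Session(
                pkt["User-Name"], nas, int(pkt["NAS-Port"]), sid)
            return "start"
        if status == "Stop":
            self.active.pop((nas, sid), None)
            return "stop"
        return "ignored"

    def active_sessions(self, user):
        """Every live session for `user`, whichever NAS it came from."""
        return [s for s in self.active.values() if s.user == user]

    def simultaneous_use_ok(self, user, limit):
        """Emulate `Simultaneous-Use = limit` for a new login by `user`:
        the count is server-wide, not per NAS."""
        return len(self.active_sessions(user)) < limit


def make_start(nas_ip, nas_port, user, session_id, ident, delay=0):
    """Constructed Accounting-Request Start with only the attributes used."""
    return {"Identifier": ident, "NAS-IP-Address": nas_ip, "NAS-Port": nas_port,
            "NAS-Port-Type": "Async", "User-Name": user,
            "Acct-Status-Type": "Start", "Acct-Session-Id": session_id,
            "Acct-Delay-Time": delay}


def demo():
    """Replay the two threads' scenarios; returns the outcome of each step."""
    t = AcctTracker()
    out = {}
    # Cisco 5200 case from the debug output: same Acct-Session-Id, first
    # packet id=205 with Acct-Delay-Time = 0, retransmit id=206 with
    # Acct-Delay-Time = 5 arriving five seconds later (NAS address made up).
    first = make_start("192.0.2.10", 52, "some-user", "00010CC2", 205, delay=0)
    retry = make_start("192.0.2.10", 52, "some-user", "00010CC2", 206, delay=5)
    out["first"] = t.handle(first, now=1000)
    out["retry"] = t.handle(retry, now=1005)
    out["sessions_after_retry"] = len(t.active_sessions("some-user"))

    # Simultaneous-Use = 1: customer A is up on arc 1 and dials into arc 2.
    t.handle(make_start("192.0.2.1", 7, "customerA", "A0001", 1), now=2000)
    out["second_login_allowed"] = t.simultaneous_use_ok("customerA", 1)
    # Once arc 1 reports the Stop, the next login is allowed again.
    stop = dict(make_start("192.0.2.1", 7, "customerA", "A0001", 2),
                **{"Acct-Status-Type": "Stop"})
    out["stop"] = t.handle(stop, now=2600)
    out["login_after_stop"] = t.simultaneous_use_ok("customerA", 1)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```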


SMUX

2003-06-04 Thread Nathan Kufner
Hello all,

  I have tried to search for this problem in the lists and with google,
but to no avail :(  Anyway I am setting up freeRadius for the first time
and when I start it I get:

[snip]

SMUX connect try 1
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password: 
SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1
Broken pipe

[/snip]



I guess my first question is what is the SMUX and what is it trying to
do?  Anybody have any insight for this newb?


Thanks,
Nathan




The full radiusd -X output is below:


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: servers_per_realm = 15
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: ignore_password = no
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
 main: smux_password = ""
 main: snmp_write_access = no
SMUX connect try 1
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password: 
SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1
Broken pipe




Cisco re-sends packets with different ids

2003-06-04 Thread Alexander M. Pravking
I discovered that our Cisco 5200 resends acct-requests (not sure about
auth-requests) with different request identifiers, which violates
RFC 2866. Here is sample debug output (note the id's!):

rad_recv: Accounting-Request packet from host cisco-5200:1646, id=205, length=119
Sun Jun  1 13:57:15 2003 : Debug: Thread 4 assigned request 7988
Sun Jun  1 13:57:15 2003 : Debug: --- Walking the entire request list ---
Sun Jun  1 13:57:15 2003 : Debug: Waking up in 1 seconds...
Sun Jun  1 13:57:15 2003 : Debug: Thread 4 handling request 7988, (1373 handled so far)
NAS-IP-Address = ...
NAS-Port = 52
NAS-Port-Type = Async
User-Name = "some-user"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "00010CC2"
Framed-Protocol = PPP
Framed-IP-Address = ...
Acct-Delay-Time = 0
...
(this request was being processed more than 5 seconds)
...
rad_recv: Accounting-Request packet from host cisco-5200:1646, id=206, length=119
Sun Jun  1 13:57:20 2003 : Debug: Thread 7 assigned request 7992
Sun Jun  1 13:57:20 2003 : Debug: --- Walking the entire request list ---
Sun Jun  1 13:57:20 2003 : Debug: Threads: total/active/spare threads = 7/1/6
Sun Jun  1 13:57:20 2003 : Debug: Waking up in 1 seconds...
Sun Jun  1 13:57:20 2003 : Debug: Thread 7 handling request 7992, (543 handled so far)
NAS-IP-Address = ...
NAS-Port = 52
NAS-Port-Type = Async
User-Name = "user-name"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "00010CC2"
Framed-Protocol = PPP
Framed-IP-Address = ...
Acct-Delay-Time = 5

Finally, both requests are logged successfully, so we got two active
sessions for the same request.

Alan would say "So, fix the NAS!", but it doesn't seem possible.
(I'll be happy if I'm wrong)

Please, let me know if you saw similar things and if you have found a
workaround. Thanks in advance.

-- 
Fduch M. Pravking
