RE: FreeRadius with Mysql under Solaris can't work
If I remember correctly the development package for MySQL that comes from sunfreeware puts the files in the wrong location for freeradius to look for them. You can specify the location of the files or you can download the source and install from that. Solaris 8 and 9 fixed the location problem without having to specify.

Gene Parks
VIP Direct

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 8:49 AM
To: [EMAIL PROTECTED]
Subject: Re: FreeRadius with Mysql under Solaris can't work

Thanks to Jeson.

The MySQL package is downloaded from sunfreeware and installed directly by the pkgadd command. I am sure the development header and lib are included. Files in the lib directory are as follows:

libdbug.a libmygcc.a libmysqlclient.a libmysqlclient_r.a libmystrings.a libmysys.a

By the way, I have previously compiled and installed mysql 3.23.52 from the source package.

When I install freeradius with configure, make and make install, there is no error reported. So I don't think that's the reason.

Am I right?

Best,
Zasp

> Hi,
>
> Please make sure you have the MySQL development package; to compile the
> rlm_sql_mysql module FreeRADIUS needs the include file from the MySQL
> development package.
>
> Enjoy it!
>
> Jeson
>
>> Hi, all
>> I want to use freeradius with mysql support under Solaris sparc 2.7.
>> I meet the same problem as many newbies when I start radiusd:
>>
>>   rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
>>   rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the
>>   search path of your system's ld.
>>   radiusd.conf[14]: sql: Module instantiation failed.
>>
>> All methods have been tried but failed. MySQL is working well. I
>> try to compile freeradius under gcc 3.2.3 as the FAQ says ("configure
>> --disable-shared"), or set a proper LD_LIBRARY_PATH variable, or copy
>> the dynamic lib files to /usr/lib. But the problem is still here.
>>
>> When I use rlm_unix instead of rlm_sql_mysql for authentication, it works
>> well.
>> I have been confused for several days. Maybe anyone can help me? Thanks :)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP/MD5 and ldap
Hello,

I want to use EAP/MD5 and LDAP. The EAP/MD5 config is OK, but the LDAP config is not OK. Have you got an example of radiusd.conf and users for EAP/MD5 and LDAP?

Thanks,
Re: FreeRadius with Mysql under Solaris can't work
Thanks to Jeson.

The MySQL package is downloaded from sunfreeware and installed directly by the pkgadd command. I am sure the development header and lib are included. Files in the lib directory are as follows:

libdbug.a libmygcc.a libmysqlclient.a libmysqlclient_r.a libmystrings.a libmysys.a

By the way, I have previously compiled and installed mysql 3.23.52 from the source package.

When I install freeradius with configure, make and make install, there is no error reported. So I don't think that's the reason.

Am I right?

Best,
Zasp

> Hi,
>
> Please make sure you have the MySQL development package; to compile the
> rlm_sql_mysql module FreeRADIUS needs the include file from the MySQL
> development package.
>
> Enjoy it!
>
> Jeson
>
>> Hi, all
>> I want to use freeradius with mysql support under Solaris sparc 2.7. I meet
>> the same problem as many newbies when I start radiusd:
>>
>>   rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
>>   rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the
>>   search path of your system's ld.
>>   radiusd.conf[14]: sql: Module instantiation failed.
>>
>> All methods have been tried but failed. MySQL is working well.
>> I try to compile freeradius under gcc 3.2.3 as the FAQ says ("configure
>> --disable-shared"), or set a proper LD_LIBRARY_PATH variable, or copy the
>> dynamic lib files to /usr/lib. But the problem is still here.
>>
>> When I use rlm_unix instead of rlm_sql_mysql for authentication, it works well.
>> I have been confused for several days. Maybe anyone can help me? Thanks :)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SMUX
Nathan Kufner wrote:
> I was under the impression that SMUX/SNMP was integral to the radius server.

It can be :)

> I am still unsure as to what functionality I just turned off. What does having
> SNMP (dis|en)abled on freeRadius mean for the radius server? What kind of
> functionality do I gain or lose?

Long answer: SNMP/SMUX being enabled inside the radiusd server allows it to be polled using a separate SNMP agent (for example http://net-snmp.sourceforge.net/) that connects to the radius server. This agent can then be polled by any SNMP management software (for example http://people.ee.ethz.ch/~oetiker/webtools/mrtg/) to get statistics from the radius server and possibly put them in a database or graph (depending on the functionality of the SNMP management software you use). This can enable you to easily graph or log the utilization of your RADIUS server in terms of authentications per second or minute and other variables relating to the functioning of your RADIUS server.

Short answer: You can get RADIUS utilization statistics with a piece of SNMP management software like MRTG (http://people.ee.ethz.ch/~oetiker/webtools/mrtg/) when SNMP/SMUX is turned on.

> Sorry if these are newb questions, but I haven't found any docs or mail
> archive posts that explain that one to me yet. Does anyone know the answer
> or where I can find the answer?

Most of what you are asking is basically "What is SNMP/SMUX anyway?" To have that question answered look over the FAQ and other docs at the net-snmp site I mentioned above.

Good luck.

> Thanks in advance,
> Nathan Kufner

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
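The "authentications per second" graph mentioned above is just two polls of the RADIUS-AUTH-SERVER-MIB counters divided by the interval, which is also the cheapest detection signal a RADIUS server offers: a sudden rise in rejects relative to requests. The script below is an added example, not code from the list or from FreeRADIUS; it parses two constructed snapshots shaped like `snmpwalk` output with the RFC 2619 MIB loaded (object names are assumed from that MIB, check them against the MIB your net-snmp ships), handles the 32-bit counter wrap that MRTG also has to deal with, and flags an interval whose reject ratio looks like password guessing.

```python
"""Added example (not from the list post): turning RADIUS-AUTH-SERVER-MIB
counters into rates, the way MRTG would, plus a simple abuse check.

Assumptions: the input lines look like the output of `snmpwalk` with the
RADIUS-AUTH-SERVER-MIB (RFC 2619) loaded; the two snapshots below are
constructed, not captured from a real server.
"""
import re
from typing import Dict

# Constructed sample: two polls of the same agent, 60 seconds apart.  The
# request counter sits just below 2^32 in the first poll so the wrap is exercised.
SNAPSHOT_T0 = """\
RADIUS-AUTH-SERVER-MIB::radiusAuthServIdent.0 = STRING: FreeRADIUS
RADIUS-AUTH-SERVER-MIB::radiusAuthServTotalAccessRequests.0 = Counter32: 4294967000
RADIUS-AUTH-SERVER-MIB::radiusAuthServTotalAccessAccepts.0 = Counter32: 4294966000
RADIUS-AUTH-SERVER-MIB::radiusAuthServTotalAccessRejects.0 = Counter32: 1000
"""
SNAPSHOT_T1 = """\
RADIUS-AUTH-SERVER-MIB::radiusAuthServIdent.0 = STRING: FreeRADIUS
RADIUS-AUTH-SERVER-MIB::radiusAuthServTotalAccessRequests.0 = Counter32: 2704
RADIUS-AUTH-SERVER-MIB::radiusAuthServTotalAccessAccepts.0 = Counter32: 4294966400
RADIUS-AUTH-SERVER-MIB::radiusAuthServTotalAccessRejects.0 = Counter32: 3600
"""

LINE_RE = re.compile(r"^\S+::(\w+)\.\d+ = Counter32: (\d+)$")
COUNTER32_MOD = 2 ** 32


def parse_counters(text: str) -> Dict[str, int]:
    """Keep only Counter32 objects; other types (STRING, TimeTicks) are ignored."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def counter_delta(old: int, new: int) -> int:
    """Counter32 wraps at 2^32: a smaller new value means one wrap, not a reset."""
    return (new - old) % COUNTER32_MOD


def rates(prev: Dict[str, int], cur: Dict[str, int], seconds: float) -> Dict[str, float]:
    """Per-second rate for every counter present in both snapshots."""
    return {k: counter_delta(prev[k], cur[k]) / seconds for k in cur if k in prev}


def reject_ratio(prev: Dict[str, int], cur: Dict[str, int]) -> float:
    """Rejects as a fraction of requests over the interval (0.0 if no requests)."""
    req = counter_delta(prev["radiusAuthServTotalAccessRequests"],
                        cur["radiusAuthServTotalAccessRequests"])
    rej = counter_delta(prev["radiusAuthServTotalAccessRejects"],
                        cur["radiusAuthServTotalAccessRejects"])
    return rej / req if req else 0.0


def brute_force_suspected(prev: Dict[str, int], cur: Dict[str, int], threshold: float = 0.5) -> bool:
    """A reject ratio this high over a whole polling interval is worth an alert."""
    return reject_ratio(prev, cur) > threshold


if __name__ == "__main__":
    p, c = parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1)
    for name, r in rates(p, c, 60).items():
        print(f"{name}: {r:.2f}/s")
    print("reject ratio:", round(reject_ratio(p, c), 2),
          "alert" if brute_force_suspected(p, c) else "ok")
```

The threshold is deliberately a parameter: a dial-up pool with many mistyped passwords and a wireless 802.1X deployment have very different baselines, so pick it from a week of your own graphs rather than from this constant.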
Re: cisco_vsa_hack (rlm_preprocess)
Hi. code from rlm_preprocess.c: if ((vp->attribute & 0x) == 1) { char *p; DICT_ATTR *dattr; p = vp->strvalue; getword(&p, newattr, sizeof(newattr)); if (((dattr = dict_attrbyname(newattr)) != NULL) && code from token.c /* * Read a "word" - this means we don't honor ~~ * tokens as delimiters. */ int getword(char **ptr, char *buf, int buflen) { return getthing(ptr, buf, buflen, 0, tokens) == T_EOL ? 0 : 1; } Original Pair: Cisco-AVPair = "h323-call-id=4a78b822 95b611d7 adceea25 76190b93" vp->strvalue: 'h323-call-id=4a78b822 95b611d7 adceea25 76190b93' after getword: 'h323-call-id=4a78b822' gettoken() instead of a getword() ? P.S. --- src/modules/rlm_preprocess/rlm_preprocess.c.origWed Jun 4 14:00:58 2003 +++ src/modules/rlm_preprocess/rlm_preprocess.c Wed Jun 4 15:41:37 2003 @@ -145,7 +145,7 @@ DICT_ATTR *dattr; p = vp->strvalue; - getword(&p, newattr, sizeof(newattr)); + if (gettoken(&p, newattr, sizeof(newattr)) == T_EOL) continue; if (((dattr = dict_attrbyname(newattr)) != NULL) && (dattr->type == PW_TYPE_STRING)) { -- Vladimir Kravchenko / PK Mostcom JSC / system engineer Tel: +7 095 2312255 / UIN: 132038843 / Email: [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
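Review bot: the `continue` on T_EOL in the replacement line changes control flow where the old `getword()` call did not: an empty Cisco-AVPair now skips the rest of the loop body instead of falling through to `dict_attrbyname()`, which would simply have failed the lookup, so a one-line comment saying why an empty value is skipped would help the next reader. The substance of the fix matches the quoted `token.c` comment: `getword()` does not honour tokens as delimiters, which is why `h323-call-id=4a78b822 95b611d7 adceea25 76190b93` came back as `h323-call-id=4a78b822` and the dictionary lookup could never match, while `gettoken()` stops at the `=` token. Before merging, please run the loop against a few real AVPair samples (a quoted value, a value with spaces, an empty value), since `gettoken()` also interprets quoting and the other operator tokens, and confirm that `newattr` still comes back as `h323-call-id` and that the value after `=` is handled by the lines below the hunk.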
rlm_krb5 module options?
Hi there!

I am trying to set up radiusd to authenticate against Kerberos (Windows 2003 AD). The rlm_krb5 module didn't compile from 0.8.1, but I got it now as I upgraded my radiusd to a cvs snapshot.

What configuration options should be passed to rlm_krb5 in the modules section? Now it is there without any options and I get a segfault every time an authentication request reaches the module... So far in the debug output there is nothing useful. Kerberos module initialization went OK and it is the last message from it. Before the crash it says:

  rad_check_password: Found Auth-Type Kerberos
  auth: type "Kerberos"
  modcall: entering group authtype
  Segmentation fault (core dumped)

Hope someone can help, the rlm_krb5 documentation is quite minimalistic :)

--
http://students.oamk.fi/~sijuma00
E-mail: [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAPOL-Key(WPA format) with WinXP - unsuccessful
Hi:

I'm trying to test the EAPOL-Key (4-way and group key handshake) exchange between the AP and the STA (Win XP-SP1-WPA). I'm able to do 802.1X authentication, but when I send the 1st EAPOL-Key message (as defined in the WPA/11i drafts) from the AP to the STA, the STA doesn't respond with anything.

My queries:

Have you been able to perform this handshake successfully using Win XP as STA and using EAPOL-Key (WPA/802.11i format)?

I tried sending one EAPOL-Key (802.1X format) message with a broadcast key from the AP to the STA. What's the expected flow after this? I believe the STA doesn't need to respond with anything...

After sending one EAPOL-Key (802.1X format) message with a broadcast key from the AP to the STA, how can I make sure that we have encrypted packets flowing between AP & STA? I mean what kind of data do I send to ensure that encryption works?

Best regards,
Nikhil Chauhan.

Adam Haberlach <[EMAIL PROTECTED]> wrote:
> On Mon, Jun 02, 2003 at 07:51:56AM -0700, Sepp Rudel wrote:
> > Hi,
> >
> > I've configured FreeRADIUS 0.8.1+OpenSSL 0.9.7b, Cisco
> > AP 350 and a laptop with Linux+xsupplicant and
> > WinXP+SP1.. With Linux+xsupplicant everything works
> > like a charm but with WinXPSP1 after radiusd sends
> > Access-Accept WinXP thinks for a second and then just
> > shows "No wireless connection available." Any ideas
> > what needs to be done to get WinXP to work?
>
> Apply all the service packs you possibly can.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;328658
>
> (also, type '802.1x' into http://support.microsoft.com )
>
> --
> Adam Haberlach | Gravity: so consistent and predictable, yet
> [EMAIL PROTECTED] | frequently surprising.
> http://mediariffic.com |

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
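A STA only answers message 1 of the 4-way handshake if it can derive a PTK and sign message 2 with it, which means it must already hold the PMK from the 802.1X/EAP exchange and message 1 must carry a well-formed WPA Key Descriptor with the ANonce. The block below is an added example, not code from the post or from any AP or supplicant implementation; it implements the pieces of the WPA/802.11i handshake that decide whether a reply ever comes back: the PRF-512 PTK derivation, the EAPOL-Key frame layout, and the HMAC-MD5 MIC over message 2. The PMK, MAC addresses and nonces are constructed test data, and the descriptor type 254 / key descriptor version 1 values are the WPA (TKIP) ones from the drafts the post refers to.

```python
"""Added example (not from the list post): the key derivation and MIC that a
WPA/802.11i 4-way handshake depends on.  Message 1 carries only ANonce; the
STA's reply (message 2) carries SNonce and a MIC keyed with the KCK, which is
why a STA with no PMK from the 802.1X exchange, or one that receives a
malformed message 1, never answers.

Assumptions: WPA/TKIP (descriptor type 254, key descriptor version 1, HMAC-MD5
MIC, 512-bit PTK); the PMK, MACs and nonces used are constructed test data.
"""
import hashlib
import hmac
import os
import struct

PRF_LABEL = b"Pairwise key expansion"
NONCE_OFFSET = 4 + 1 + 2 + 2 + 8                      # after 802.1X hdr, desc type, key info, key len, replay ctr
MIC_OFFSET = NONCE_OFFSET + 32 + 16 + 8 + 8           # after Key Nonce, Key IV, Key RSC, Key ID


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: iterated HMAC-SHA1 over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, ptk_len: int = 64) -> dict:
    """PTK = PRF-512(PMK, label, Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    The min/max ordering is what lets AP and STA derive the same key from the same inputs."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PRF_LABEL, data, ptk_len)
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48], "tkip_mic": ptk[48:64]}


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes, key_data: bytes = b"") -> bytearray:
    """Minimal EAPOL-Key frame: 802.1X header (version 1, type 3) + WPA Key Descriptor (type 254), MIC zeroed."""
    body = struct.pack("!BHHQ", 254, key_info, 32, replay_counter)   # desc type, Key Info, Key Length, Replay Counter
    body += nonce + bytes(16) + bytes(8) + bytes(8)                   # Key Nonce, Key IV, Key RSC, Key ID
    body += bytes(16)                                                 # Key MIC (zero while computing)
    body += struct.pack("!H", len(key_data)) + key_data
    return bytearray(struct.pack("!BBH", 1, 3, len(body)) + body)


def compute_mic(kck: bytes, frame: bytes, descriptor_version: int = 1) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed: HMAC-MD5 (v1/TKIP) or HMAC-SHA1-128 (v2/CCMP)."""
    zeroed = bytearray(frame)
    zeroed[MIC_OFFSET:MIC_OFFSET + 16] = bytes(16)
    if descriptor_version == 1:
        return hmac.new(kck, bytes(zeroed), hashlib.md5).digest()
    return hmac.new(kck, bytes(zeroed), hashlib.sha1).digest()[:16]


def sign_frame(kck: bytes, frame: bytearray, descriptor_version: int = 1) -> bytearray:
    frame[MIC_OFFSET:MIC_OFFSET + 16] = compute_mic(kck, frame, descriptor_version)
    return frame


def verify_mic(kck: bytes, frame: bytes, descriptor_version: int = 1) -> bool:
    """Constant-time comparison; a wrong KCK (wrong PMK) or any tampering fails here."""
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], compute_mic(kck, frame, descriptor_version))


# Key Information bits used below (WPA): descriptor version 1, pairwise key, ACK (msg 1), MIC present (msg 2).
KI_VERSION_1, KI_PAIRWISE, KI_ACK, KI_MIC = 0x0001, 0x0008, 0x0080, 0x0100


def handshake_messages_1_and_2(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """AP sends msg 1 (ANonce, no MIC); STA derives the PTK and answers msg 2 (SNonce, MIC); AP checks it."""
    msg1 = build_eapol_key(KI_VERSION_1 | KI_PAIRWISE | KI_ACK, 1, anonce)
    # STA side: PTK from the PMK it obtained in the 802.1X/EAP exchange and the ANonce read out of msg 1
    sta_ptk = derive_ptk(pmk, aa, spa, bytes(msg1[NONCE_OFFSET:NONCE_OFFSET + 32]), snonce)
    msg2 = sign_frame(sta_ptk["kck"], build_eapol_key(KI_VERSION_1 | KI_PAIRWISE | KI_MIC, 1, snonce))
    # AP side: read SNonce out of msg 2, derive the same PTK, check the MIC before trusting anything else
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, bytes(msg2[NONCE_OFFSET:NONCE_OFFSET + 32]))
    return msg1, msg2, verify_mic(ap_ptk["kck"], msg2)


if __name__ == "__main__":
    pmk = hashlib.sha256(b"constructed-pmk").digest()   # constructed, not a real PMK
    aa, spa = bytes.fromhex("00112233aabb"), bytes.fromhex("00aabbccddee")
    _, _, ok = handshake_messages_1_and_2(pmk, aa, spa, os.urandom(32), os.urandom(32))
    print("message 2 MIC verified by AP:", ok)
```

If a real STA stays silent after message 1, the usual suspects are exactly the inputs above: no PMK installed on the STA (the EAP method did not export keying material), a descriptor type or Key Information field the STA's driver does not recognise, or a replay counter that is not greater than the last one it saw.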
Re: FreeRadius with Mysql under Solaris can't work
Hi,

Please make sure you have the MySQL development package; to compile the rlm_sql_mysql module FreeRADIUS needs the include file from the MySQL development package.

Enjoy it!

Jeson
Welcome to: http://www.zyxel.com
[EMAIL PROTECTED]
2003-06-04

=== On 2003-06-04 15:57:00 you wrote: ===
> Hi, all
> I want to use freeradius with mysql support under Solaris sparc 2.7. I meet
> the same problem as many newbies when I start radiusd:
>
>   rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
>   rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the
>   search path of your system's ld.
>   radiusd.conf[14]: sql: Module instantiation failed.
>
> All methods have been tried but failed. MySQL is working well. I try to
> compile freeradius under gcc 3.2.3 as the FAQ says ("configure --disable-shared"), or set
> a proper LD_LIBRARY_PATH variable, or copy the dynamic lib files to /usr/lib. But the
> problem is still here.
>
> When I use rlm_unix instead of rlm_sql_mysql for authentication, it works well. I
> have been confused for several days. Maybe anyone can help me? Thanks :)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius with Mysql under Solaris can't work
Hi, all

I want to use freeradius with mysql support under Solaris sparc 2.7. I meet the same problem as many newbies when I start radiusd:

  rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
  rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the
  search path of your system's ld.
  radiusd.conf[14]: sql: Module instantiation failed.

All methods have been tried but failed. MySQL is working well. I try to compile freeradius under gcc 3.2.3 as the FAQ says ("configure --disable-shared"), or set a proper LD_LIBRARY_PATH variable, or copy the dynamic lib files to /usr/lib. But the problem is still here.

When I use rlm_unix instead of rlm_sql_mysql for authentication, it works well. I have been confused for several days. Maybe anyone can help me? Thanks :)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Multiple attributes
I am using freeradius snapshot 20030603 and the server comes up fine and will authenticate. The problem I have is now the server will not return multiple values for one attribute. I have 3 other servers running 0.8.1 and they will return the attributes correctly. The log says this:

@40003edd845e18c408d4 ldap_get_conn: Got Id: 0
@40003edd845e18c41874 rlm_ldap: performing search in ou=premiernet.2dial.com, o=dcconnex.net, with filter (uid=dctichenor)
@40003edd845e19cdd7b4 rlm_ldap: Added password in check items
@40003edd845e19ce0a7c rlm_ldap: looking for check items in directory...
@40003edd845e19ce21ec rlm_ldap: Adding chappassword as Chap-Password, value & op=21
@40003edd845e19ce412c rlm_ldap: looking for reply items in directory...
@40003edd845e19ce589c rlm_ldap: Adding X-Ascend-Idle-Limit as X-Ascend-Idle-Limit, value 600 & op=11
@40003edd845e19ce7bc4 rlm_ldap: Adding X-Ascend-maximum-Time as X-Ascend-Maximum-Time, value 3600 & op=11
@40003edd845e19cfbc14 rlm_ldap: Adding X-ascend-data-filter as X-Ascend-Data-Filter, value ip in forward tcp est & op=11
@40003edd845e19cfe324 rlm_ldap: Adding X-ascend-data-filter as X-Ascend-Data-Filter, value ip in forward dstip 66.159.32.0/24 & op=11
@40003edd845e19d01204 rlm_ldap: Adding X-ascend-data-filter as X-Ascend-Data-Filter, value ip in drop tcp dstport = 25 & op=11
@40003edd845e19d03cfc rlm_ldap: Adding X-ascend-data-filter as X-Ascend-Data-Filter, value ip in forward & op=11
@40003edd845e19d2968c rlm_ldap: user dctichenor authorized to use remote access
@40003edd845e19d2b1e4 ldap_release_conn: Release Id: 0
@40003edd845e19d2c56c modcall[authorize]: module "ldap" returns ok
@40003edd845e19d2dcdc rlm_counter: Entering module authorize code
@40003edd845e19d2f064 rlm_counter: Could not find Check item value pair
@40003edd845e19d307d4 modcall[authorize]: module "daily" returns noop
@40003edd845e19d503a4 modcall: group authorize returns ok
@40003edd845e19d5172c rad_check_password: Found Auth-Type CHAP
@40003edd845e19d52ab4 auth: type "CHAP"
@40003edd845e19d53a54 modcall: entering group Auth-Type
@40003edd845e19d549f4 rlm_chap: login attempt by "dctichenor" with CHAP password ÎW![?5XÍ4???ÕõZ?É
@40003edd845e19d56934 rlm_chap: Using clear text password for user dctichenor authentication.
@40003edd845e19d6e034 rlm_chap: chap user dctichenor authenticated succesfully
@40003edd845e19d6ff74 modcall[authenticate]: module "chap" returns ok
@40003edd845e19d712fc modcall: group Auth-Type returns ok
@40003edd845e19d72684 Login OK: [dctichenor] (from client 66.159.47.23 port 0)
@40003edd845e19d741dc Sending Access-Accept of id 26 to 66.159.47.23:4517
@40003edd845e19d7594c     Framed-Protocol = PPP
@40003edd845e19d7da34     Framed-Compression = Van-Jacobson-TCP-IP
@40003edd845e19d7f1a4     X-Ascend-Idle-Limit = 600
@40003edd845e19d80144     X-Ascend-Maximum-Time = 3600
@40003edd845e19d810e4     X-Ascend-Data-Filter = "ip input forward tcp est"
@40003edd845e19d82854 Finished request 1

Anyone have any ideas why it is not returning the values?

Gene Parks
VIP Direct
Re: Squid with Freeradius
Hi Dan,

Excellent! It is great to know that you are using Squid with Freeradius, that's exactly what I want to do too. I want Squid to authenticate the http requests using Freeradius and I also want Squid to perform transparent proxying so that users from another network do not have to change their network settings like proxy-server etc.

>>> [EMAIL PROTECTED] 06/04/03 11:48AM >>>
> We're using squid with freeradius as the authentication "engine". As far as
> I know, you can't have a transparent + authenticating proxy. If it's
> authenticating, then it has to be non-transparent.
>
> It's actually very easy. You just need to set up the Squid ACL's right (so
> that it requires auth). Then you set Squid's external authentication helper.
> We're using a simple (40 lines) PERL script which does the authentication.
> It uses a PERL radius module. I'm not even sure where I got the script. I
> think I got it off of Squid's site. If you can't find it, let me know, and I
> can e-mail it to you.
>
> The system works great for us.
>
> - Dan
>
> On Wed, 2003-06-04 at 11:32, Wei Ming Long wrote:
> > Hi everyone,
> > I would like to use the proxy server Squid to perform transparent proxying
> > and to authenticate http requests with Freeradius and was wondering if anyone
> > has done it and would appreciate it if you could provide details (configuration
> > files) of how to setup Squid and Freeradius to do just that.
> > Thanks.
> >
> > Best regards
> > Matthew
>
> --
> - Dan Perik
> Computer Services Department
> Lapilo Center
> New Tribes Mission - PNG

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Squid with Freeradius
That is, if Squid receives a http request from a client, it first verifies this client with a Radius Server to make sure that this client is a valid user before servicing the http request and fetching the requested web page for the client.

>>> [EMAIL PROTECTED] 06/04/03 10:55AM >>>
> What do you mean by "authenticate http requests"?
>
> Navid
>
> On 2003.06.03 21:32, Wei Ming Long wrote:
> > Hi everyone,
> > I would like to use the proxy server Squid to perform transparent
> > proxying and to authenticate http requests with Freeradius and was
> > wondering if anyone has done it and would appreciate it if you could
> > provide details (configuration files) of how to setup Squid and
> > Freeradius to do just that.
> > Thanks.
> >
> > Best regards
> > Matthew
>
> "Believe you can, believe you can't; either way, you're right" - Henry Ford
> "Security is a process, not a product..." - Bruce Schneier
> Navid Sheik <[EMAIL PROTECTED]>
> Key fingerprint = D6FA 566F C9D0 7A17 F25A 1C7C 21F6 3E22 01A7 F604
> GPG Key: http://www.navid.cyberbeat.it/shnavid.gpg

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho not show anything
I'm using the latest version of freeradius with Solaris 9. It seems to work fine but radwho doesn't show anything, and the radutmp size is zero. I enabled snmp at the Cisco NAS already. I don't know how to solve this problem, can somebody help?

Thanks in advance,

Chaidan Mingmuang
http://www.friends.co.th

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Squid with Freeradius
We're using squid with freeradius as the authentication "engine". As far as I know, you can't have a transparent + authenticating proxy. If it's authenticating, then it has to be non-transparent.

It's actually very easy. You just need to set up the Squid ACL's right (so that it requires auth). Then you set Squid's external authentication helper. We're using a simple (40 lines) PERL script which does the authentication. It uses a PERL radius module. I'm not even sure where I got the script. I think I got it off of Squid's site. If you can't find it, let me know, and I can e-mail it to you.

The system works great for us.

- Dan

On Wed, 2003-06-04 at 11:32, Wei Ming Long wrote:
> Hi everyone,
> I would like to use the proxy server Squid to perform transparent proxying
> and to authenticate http requests with Freeradius and was wondering if anyone
> has done it and would appreciate it if you could provide details (configuration
> files) of how to setup Squid and Freeradius to do just that.
> Thanks.
>
> Best regards
> Matthew

--
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
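The helper Dan describes has a very small contract with Squid: one `user password` line per request on stdin, `OK` or `ERR` on stdout. What it has to get right on the RADIUS side is the part a Perl module hides: the PAP password is not sent in clear but XOR-hidden with MD5(secret || Request Authenticator) chains, and an Access-Accept must be validated against its Response Authenticator or anyone who can spoof a UDP reply to the proxy gets logged in. The block below is an added example, not Dan's script or FreeRADIUS code; it builds the RFC 2865 Access-Request by hand and uses an in-memory stand-in for radiusd so it runs offline. The shared secret, the user table and the helper lines are all constructed; only the packet layout and the authenticator checks are the real protocol.

```python
"""Added example (not Dan's script): the shape of a Squid basic-auth helper
that validates users against RADIUS with PAP, written against RFC 2865
directly.  Constructed: the shared secret, the user table in the in-memory
"server" and the helper input lines.  Real protocol: the packet layout, the
PAP password hiding and the Response Authenticator check.
"""
import hashlib
import hmac
import os
import struct
import sys
from urllib.parse import unquote

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret || previous ciphertext block)."""
    padded = password + bytes((-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: str, password: str, secret: bytes, authenticator: bytes) -> bytes:
    attrs = (_attr(USER_NAME, user.encode()) +
             _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator)) +
             _attr(NAS_IDENTIFIER, b"squid"))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            break
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def fake_radius_server(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Stand-in for radiusd: unhides the PAP password and answers with a signed, attribute-less reply."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    reply = ACCESS_ACCEPT if code == ACCESS_REQUEST and users.get(user) == pw else ACCESS_REJECT
    return struct.pack("!BBH", reply, ident, 20) + response_authenticator(reply, ident, b"", req_auth, secret)


def check_credentials(user: str, password: str, secret: bytes, send) -> bool:
    """Build, send, validate: a reply with the wrong ID or a bad Response Authenticator counts as a reject."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    reply = send(build_access_request(ident, user, password, secret, authenticator))
    code, rid, rlen = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, rid, reply[20:rlen], authenticator, secret)
    if rid != ident or not hmac.compare_digest(reply[4:20], expected):
        return False
    return code == ACCESS_ACCEPT


def helper_line(line: str, secret: bytes, send) -> str:
    """Squid basic helper protocol: one URL-encoded "user password" line in, "OK" or "ERR" out."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    return "OK" if check_credentials(unquote(parts[0]), unquote(parts[1]), secret, send) else "ERR"


if __name__ == "__main__":
    SECRET = b"constructed-secret"
    USERS = {"alice": b"s3cret"}
    send = lambda pkt: fake_radius_server(pkt, SECRET, USERS)   # swap for a UDP exchange with radiusd on 1812
    for line in sys.stdin:
        print(helper_line(line, SECRET, send), flush=True)
```

Two things to carry over to a production helper: use a socket with a timeout in place of `send` and return `ERR` on timeout rather than hanging Squid's helper pool, and keep the shared secret out of the process command line (Squid logs helper invocations).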
RE: Always Password Attribute and Multiple Password
Sn is not stored correctly in LDAP for a userpassword. Why would you want it to be sn anyway? If you are looking for a clear text password then store it as chappassword. LDAP will store it correctly. Userpassword needs to be userpassword.

Gene Parks
VIP Direct

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 30, 2003 11:36 AM
To: [EMAIL PROTECTED]
Subject: Always Password Attribute and Multiple Password
Importance: High

Always an Access-Reject when I use sn as userPassword.

Another idea? or a correction?

Philippe

Radiusd.conf:

ldap ldap1 {
        server = "192.168.1.53"
        identity = "cn=Root,dc=e-qual,dc=fr"
        password = "poiuyt"
        basedn = "ou=Users,dc=e-qual,dc=fr"
        #filter = "(&(description=*CiscoAccess*)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        start_tls = no
        # set this to 'yes' to use TLS encrypted connections to the
        # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
        # the ldap library.
        tls_mode = no
        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "sn"
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        # ldap_cache_timeout = 120
        # ldap_cache_size = 0
        ldap_connections_number = 5
        #password_header = "{MD5}"
        password_attribute = sn
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = yes
        access_attr_used_for_allow = yes
}

Here is the log:

Config: including file: /opt/freeradius-0.8.1/etc/raddb/proxy.conf
Config: including file: /opt/freeradius-0.8.1/etc/raddb/clients.conf
Config: including file: /opt/freeradius-0.8.1/etc/raddb/snmp.conf
Config: including file: /opt/freeradius-0.8.1/etc/raddb/sql.conf
 main: prefix = "/opt/freeradius-0.8.1"
 main: localstatedir = "/opt/freeradius-0.8.1/var"
 main: logdir = "/opt/freeradius-0.8.1/var/log/radius"
 main: libdir = "/opt/freeradius-0.8.1/lib"
 main: radacctdir = "/opt/freeradius-0.8.1/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/opt/freeradius-0.8.1/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/opt/freeradius-0.8.1/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/opt/freeradius-0.8.1/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: servers_per_realm = 15
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = yes
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /opt/freeradius-0.8.1/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: ignore_password = no
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "(null)"
 unix: group = "/etc/group"
 unix: radwtmp = "/opt/freeradius-0.8.1/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "192.168.1.53"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: ldap_cache
Re: Squid with Freeradius
What do you mean by "authenticate http requests"?

Navid

On 2003.06.03 21:32, Wei Ming Long wrote:
> Hi everyone,
> I would like to use the proxy server Squid to perform transparent proxying
> and to authenticate http requests with Freeradius and was wondering if anyone
> has done it and would appreciate it if you could provide details (configuration
> files) of how to setup Squid and Freeradius to do just that.
> Thanks.
>
> Best regards
> Matthew

"Believe you can, believe you can't; either way, you're right" - Henry Ford
"Security is a process, not a product..." - Bruce Schneier
Navid Sheik <[EMAIL PROTECTED]>
Key fingerprint = D6FA 566F C9D0 7A17 F25A 1C7C 21F6 3E22 01A7 F604
GPG Key: http://www.navid.cyberbeat.it/shnavid.gpg

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Squid with Freeradius
Hi everyone,

I would like to use the proxy server Squid to perform transparent proxying and to authenticate http requests with Freeradius and was wondering if anyone has done it and would appreciate it if you could provide details (configuration files) of how to setup Squid and Freeradius to do just that.

Thanks.

Best regards
Matthew

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS ok w/ xsupplicant, WinXP not
On Mon, Jun 02, 2003 at 07:51:56AM -0700, Sepp Rudel wrote:
> Hi,
>
> I've configured FreeRADIUS 0.8.1+OpenSSL 0.9.7b, Cisco
> AP 350 and a laptop with Linux+xsupplicant and
> WinXP+SP1.. With Linux+xsupplicant everything works
> like a charm but with WinXPSP1 after radiusd sends
> Access-Accept WinXP thinks for a second and then just
> shows "No wireless connection available." Any ideas
> what needs to be done to get WinXP to work?

Apply all the service packs you possibly can.

http://support.microsoft.com/default.aspx?scid=kb;en-us;328658

(also, type '802.1x' into http://support.microsoft.com )

--
Adam Haberlach | Gravity: so consistent and predictable, yet
[EMAIL PROTECTED] | frequently surprising.
http://mediariffic.com |

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius - DLINK DWL-900+ - 802.1.X
hi Pascal

as Alan already advised you, try to read the EAP/MD5 FAQ. What you keep on posting is NOT an error. There CAN'T be any User-Password attribute with the EAP/MD5 or CHAP methods.

thanks,
artur

Pascal PELONI wrote:
>
> My mistake: this is the right extract of the log file:
>
>   Auth: Login incorrect: [tst1/]
>
> At 17:24 03/06/2003 +0200, you wrote:
> > I forgot to say that:
> >
> > 1. the authentication works well with radtest!
> >
> >   $ radtest tst1 pp 127.0.0.1 1 test
> >   Sending Access-Request of id 68 to 127.0.0.1:1812
> >       User-Name = "tst1"
> >       User-Password = "\323\366\273\363\371Z\250]\231(w\265?\346G\253"
> >       NAS-IP-Address = localhost
> >       NAS-Port = 1
> >   rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=68, length=20
> >
> > 2. with my AP I have the following output in radius.log:
> >
> >   Auth: Login incorrect: [pelo/]
> >
> > Thanks.
> >
> > At 16:58 03/06/2003 +0200, you wrote:
> > > I've already read the FAQ and the READMEs, but it still doesn't work.
> > >
> > > Here is part of my config:
> > >
> > > radiusd.conf
> > > ------------
> > > modules {
> > >     eap {
> > >         default_eap_type = md5
> > >         md5 {
> > >         }
> > >     }
> > > }
> > >
> > > authorize {
> > >     eap
> > > }
> > >
> > > authenticate {
> > >     eap
> > > }
> > >
> > > client.conf
> > > -----------
> > > client localhost {
> > >     secret = test
> > >     nastype = other
> > >     shortname = test
> > > }
> > >
> > > huntgroups
> > > ----------
> > > TEST    NAS-IP-Address == 127.0.0.1, NAS-Port-Id == 0-3
> > >
> > > users
> > > -----
> > > DEFAULT Huntgroup-Name == "TEST"
> > >         Framed-IP-Address = 192.168.1.11+
> > >
> > > tst1    User-Password == "pp"
> > >
> > > tst2    Auth-Type := Local, User-Password == "pp"
> > >
> > > Could someone help?
> > >
> > > Thanks, PP.
> > >
> > > At 09:31 30/05/2003 -0400, you wrote:
> > > > Pascal PELONI <[EMAIL PROTECTED]> wrote:
> > > > > The problem is that when I try to authenticate with my AP & W2K, it
> > > > > doesn't work:
> > > > >
> > > > > # less /var/log/radius.log
> > > > > Thu May 29 18:17:07 2003 : Auth: Login incorrect: [aa/<no User-Password attribute>] (from client ap-wlan port 0 cli 00-40-05-CB-AD-7C)
> > > >
> > > > Read the FAQ and the README's.
> > > >
> > > > Read the FAQ and the README's.
> > > >
> > > > Read the FAQ and the README's.
> > > >
> > > > Read the FAQ and the README's.
> > > >
> > > > Did I mention I *really* meant that you should read the FAQ and the
> > > > README's?
> > > >
> > > > Alan DeKok.
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html

--
Artur Hecker
artur[at]hecker.info

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How do I dynamically insert and delete users with mysql?
Then you don't have it set up correctly to use MySQL. My users file is empty. All my users are in MySQL, as I suspect is the case with most people who use it. There are lots of questions about MySQL in the archives and lots of info in the docs to get it going.

Tim

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Davis
> Sent: Tuesday, June 03, 2003 4:42 PM
> To: [EMAIL PROTECTED]
> Subject: How do I dynamically insert and delete users with mysql?
>
> I am using mysql to populate my users list but I still have to insert each
> user name into the users file in order for radius to recognize it. Is there
> a way to set up a table in mysql and change a config setting so that I can
> insert users dynamically without having to use the users file at all?
>
> Thanks
> Michael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How do I dynamically insert and delete users with mysql?
Yes. If you put "sql" in your "authorize" section of radius.conf there should be no need to have users in the users file, provided your sql.conf is set up correctly. Just make sure you comment out the "files" entry in your authorize section or put "sql" before "files". Once you are correctly using the user entries from the database, you can add and remove them on the fly.

Nick

On Tuesday 03 June 2003 16:41, Michael Davis wrote:
> I am using mysql to populate my users list but I still have to insert each
> user name into the users file in order for radius to recognize it. Is there
> a way to set up a table in mysql and change a config setting so that I can
> insert users dynamically without having to use the users file at all?
>
> Thanks
> Michael

--
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How do I dynamically insert and delete users with mysql?
I am using mysql to populate my users list but I still have to insert each user name into the users file in order for radius to recognize it. Is there a way to set up a table in mysql and change a config setting so that I can insert users dynamically without having to use the users file at all?

Thanks
Michael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How do I dynamically insert and delete users?
And pick up a copy of the Radius book.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Fulton
> Sent: Tuesday, June 03, 2003 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How do I dynamically insert and delete users?
>
> > How do I dynamically insert and delete users that the radius server will
> > use? Modifying raddb/users each time is too cumbersome, isn't it?
>
> SQL or LDAP with a front-end of some sort. Check the archives, there has
> been plenty of discussion about it.
>
> -- Steve.
Re: How do I dynamically insert and delete users?
> How do I dynamically insert and delete users that the radius server will
> use? Modifying raddb/users each time is too cumbersome, isn't it?

SQL or LDAP with a front-end of some sort. Check the archives, there has been plenty of discussion about it.

-- Steve.
How do I dynamically insert and delete users?
Hi,

How do I dynamically insert and delete users that the radius server will use? Modifying raddb/users each time is too cumbersome, isn't it? For my purpose the user list is large and it changes very frequently. Please suggest a solution.

Thanks.

Regards,
Brian
Having trouble getting LDAPs to Work w/FreeRadius
I'm running an LDAPs server using a self-signed certificate. For my purposes, that's OK. FreeRadius is telling me that it can't connect to the LDAP server because there's a self-signed certificate in the chain. I haven't been able to find the option to tell it that it's OK to accept a self-signed certificate. Can anyone tell me how to achieve this?

Thanks,
Owen
Netscreen Dictionary
Hi,

I'm pretty new to FreeRadius, but I've at least got my implementation partially working (radtest could authenticate and fail to authenticate under the correct circumstances against my LDAP server). My next step is to set it up to authenticate XAUTH users on my Netscreen for VPN purposes. I have taken a stab at converting the FUNK RADIUS file from Netscreen to a freeradius format file called dictionary.netscreen. I'd appreciate it if there is someone out there who could review what I've done and tell me if I've gotten it right. Once I can verify it, I'll happily pass it back to the FreeRadius people for inclusion as a standard dictionary if they wish.

Thanks,
Owen
RE: SMUX
Chris,

Thank you very much. I configured --with-snmp=no, make, make install and I got the server up and running right away. I was under the impression that SMUX/SNMP was integral to the radius server. I am still unsure as to what functionality I just turned off. What does having SNMP (dis|en)abled on freeRadius mean for the radius server? What kind of functionality do I gain or lose? Sorry if these are newb questions, but I haven't found any docs or mail archive posts that explain that one to me yet. Does anyone know the answer or where I can find the answer?

Thanks in advance,
Nathan Kufner

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris van Meerendonk
> Sent: Tuesday, June 03, 2003 2:15 PM
> To: [EMAIL PROTECTED]
> Subject: Re: SMUX
>
> If you don't need snmp support you can disable it in radius.cfg:
> snmp = no
>
> Otherwise you need to configure your snmpd for smux. Smux is
> used to pass information to your snmp daemon. In
> /etc/raddb/snmp.conf:
> smux_password = your_secret
>
> In /etc/snmp/snmpd.conf:
> smuxpeer .1.3.6.1.4.1.3317.1.3.1 your_secret
>
> After that is configured you can read the radius values. F.e.:
> Authentication requests:
> snmpget localhost your_secret .1.3.6.1.2.1.67.1.1.1.1.5.0
> Accounting requests:
> snmpget localhost your_secret .1.3.6.1.2.1.67.2.1.1.1.5.0
>
> Use mrtg for some nice pictures...
>
> Chris
Re: SMUX
If you don't need snmp support you can disable it in radius.cfg:
snmp = no

Otherwise you need to configure your snmpd for smux. Smux is used to pass information to your snmp daemon. In /etc/raddb/snmp.conf:
smux_password = your_secret

In /etc/snmp/snmpd.conf:
smuxpeer .1.3.6.1.4.1.3317.1.3.1 your_secret

After that is configured you can read the radius values. F.e.:
Authentication requests:
snmpget localhost your_secret .1.3.6.1.2.1.67.1.1.1.1.5.0
Accounting requests:
snmpget localhost your_secret .1.3.6.1.2.1.67.2.1.1.1.5.0

Use mrtg for some nice pictures...

Chris

On Tue, 2003-06-03 at 15:57, Nathan Kufner wrote:
> Hello all,
>
> I have tried to search for this problem in the lists and with google,
> but to no avail :( Anyway I am setting up freeRadius for the first time
> and when I start it I get:
>
> [snip]
>
> SMUX connect try 1
> SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
> SMUX open progname: radiusd
> SMUX open password:
> SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> Broken pipe
>
> [/snip]
>
> I guess my first question is what is the SMUX and what is it trying to
> do? Anybody have any insight for this newb?
>
> Thanks,
> Nathan
>
> The full radiusd -X output is below:
>
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/proxy.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/usr/local/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: servers_per_realm = 15
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: ignore_password = no
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded preprocess
> preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
> preprocess: hints = "/usr/local/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/usr/local/etc/raddb/users"
> files: acctusersfile = "/usr/local/etc/raddb/acct_users"
> files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 12:14:58PM -0500, Chris Parker wrote:
> At 09:05 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >> There is no 'wrong' or 'right'. They simply do it different ways.
> >
> >So is it possible to make freeradius determine both?
>
> For what purpose? What do you want Freeradius to do?

When freeradius receives a request, it checks if there was already a request with the same id/nas/udp-port a little time ago (cleanup_delay in radiusd.conf) or one is being processed now. If there was, it re-sends the reply to the NAS if the request was already processed, or otherwise simply drops the retransmitted request "due to live request id NNN". Right?

It would be nice if freeradius did the same when ids are different, but Acct-Session-Id's are the same. Don't know if it's a good idea...

Well, I can make it within the sql module by doing something like

acct_stop_query = "\
  INSERT INTO ${acct_table} \
    (username, ...) \
  VALUES ( (SELECT '%u' WHERE NOT EXISTS ( \
      SELECT 1 FROM ${acct_table} \
      WHERE userName = '%u' \
        AND sessionId = '%{Acct-Session-Id}' \
        AND nasIpAddress = '%n' \
        AND nasPort = '%{NAS-Port}' \
        AND ... \
    )), \
    ... )"

assuming userName is declared as NOT NULL, so the INSERT will fail in case of a re-sent packet whose original was already successfully processed.

Thanks all for the input, let's consider the problem solved... unless someone offers another solution :)

-- 
Fduch M. Pravking
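The guarded insert above, run against a real table (SQLite, in memory) so the behaviour on a retransmit can be checked. This is an added example, not the poster's rlm_sql configuration: the column names follow the post (userName, sessionId, nasIpAddress, nasPort), while the table name radacct, the placeholder NAS address 192.0.2.10 and the packet values are constructed from the PortMaster dump quoted later in this thread. It uses the INSERT ... SELECT ... WHERE NOT EXISTS form of the guard, so a retransmit inserts zero rows (rowcount 0) instead of tripping a NOT NULL constraint, and adds a UNIQUE index as the backstop for two retransmits being processed at the same time:

```python
"""Idempotent accounting Stop insert keyed on the session, not on the RADIUS
packet Identifier.  Added example; not rlm_sql's own query."""
import sqlite3

# Constructed stand-in for ${acct_table}.  The UNIQUE constraint backs up the
# NOT EXISTS guard if two retransmits are processed concurrently.
SCHEMA = """
CREATE TABLE radacct (
    radAcctId       INTEGER PRIMARY KEY AUTOINCREMENT,
    userName        TEXT    NOT NULL,
    sessionId       TEXT    NOT NULL,
    nasIpAddress    TEXT    NOT NULL,
    nasPort         INTEGER NOT NULL,
    acctSessionTime INTEGER,
    acctDelayTime   INTEGER,
    UNIQUE (userName, sessionId, nasIpAddress, nasPort)
)
"""

# The guard: the SELECT yields one row only when no row for this session
# exists yet, so a retransmitted Stop (new Identifier, bumped Acct-Delay-Time,
# same session) inserts nothing.  Named parameters stand in for rlm_sql's
# %u, %n and %{...} expansions.
ACCT_STOP_QUERY = """
INSERT INTO radacct
    (userName, sessionId, nasIpAddress, nasPort, acctSessionTime, acctDelayTime)
SELECT :user, :session, :nas, :port, :session_time, :delay
WHERE NOT EXISTS (
    SELECT 1 FROM radacct
    WHERE userName = :user AND sessionId = :session
      AND nasIpAddress = :nas AND nasPort = :port
)
"""


def open_acct_db():
    """In-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def store_stop(conn, pkt):
    """Run the guarded insert.  Returns True if a row was stored, False if the
    packet duplicated a session already in the table."""
    cur = conn.execute(ACCT_STOP_QUERY, {
        "user": pkt["User-Name"],
        "session": pkt["Acct-Session-Id"],
        "nas": pkt["NAS-IP-Address"],
        "port": pkt["NAS-Port"],
        "session_time": pkt["Acct-Session-Time"],
        "delay": pkt["Acct-Delay-Time"],
    })
    conn.commit()
    return cur.rowcount == 1


# Constructed from the PortMaster Stop packets quoted in this thread: the
# retransmit carries a new Identifier and Acct-Delay-Time = 45 but the same
# session.  NAS-IP-Address was elided in the post; 192.0.2.10 is a placeholder.
ORIGINAL = {"id": 168, "User-Name": "user-name", "Acct-Session-Id": "5B012519",
            "NAS-IP-Address": "192.0.2.10", "NAS-Port": 10,
            "Acct-Session-Time": 1527, "Acct-Delay-Time": 0}
RETRANSMIT = dict(ORIGINAL, id=169, **{"Acct-Delay-Time": 45})
NEXT_SESSION = dict(ORIGINAL, **{"Acct-Session-Id": "5B01251A"})


def run_demo():
    """Returns (stored original, stored retransmit, stored next session, rows)."""
    conn = open_acct_db()
    results = (store_stop(conn, ORIGINAL), store_stop(conn, RETRANSMIT),
               store_stop(conn, NEXT_SESSION))
    rows = conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    return results + (rows,)   # (True, False, True, 2)


if __name__ == "__main__":
    print(run_demo())
```

The rowcount is the signal worth logging: a Stop that stores zero rows is either a retransmit (harmless) or a NAS replaying old accounting, and counting those per NAS is a cheap way to spot the timeout problem discussed earlier in the thread.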
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 02:04:26PM -0400, Puneet B wrote:
> Accounting Requests are slightly different if your NAS includes the attribute
> Acct-Delay-Time. This needs to be updated in each retransmit, and since now the
> contents of the packet change, a new Identifier is needed.
> Here is the relevant section from RFC 2866:
> " Note that if Acct-Delay-Time is included in the attributes of an
> Accounting-Request then the Acct-Delay-Time value will be updated when the
> packet is retransmitted, changing the content of the Attributes field and
> requiring a new Identifier and Request Authenticator."
> Without this attribute the NAS can use the same identifier and you might still
> see 'duplicate' requests on the server.

Thanks, I got it. It's really useful to read docs accurately :)

-- 
Fduch M. Pravking
Re: Cisco re-sends packets with different ids
> > It's not a dupe because it is different, that's the point. It is not
> > the same set of a/v pairs that was originally sent. I don't see anything
> > violating the RFC here.
>
> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> packet with the same id. But then what are the "duplicate" requests for?
> And in which case should we expect 'em?

RFC 2865 says:

"The Identifier field MUST be changed whenever the content of the Attributes field changes, and whenever a valid reply has been received for a previous request. For retransmissions, the Identifier MUST remain unchanged."

In Access Requests usually all attributes remain the same when retransmitting. In that case the NAS would use the same identifier and you might see a 'duplicate' request on the Radius server.

Accounting Requests are slightly different if your NAS includes the attribute Acct-Delay-Time. This needs to be updated in each retransmit, and since now the contents of the packet change, a new Identifier is needed. Here is the relevant section from RFC 2866:

"Note that if Acct-Delay-Time is included in the attributes of an Accounting-Request then the Acct-Delay-Time value will be updated when the packet is retransmitted, changing the content of the Attributes field and requiring a new Identifier and Request Authenticator."

Without this attribute the NAS can use the same identifier and you might still see 'duplicate' requests on the server.

So the Cisco NAS seems to be RFC-compliant (at least in this respect)!

Puneet
Re: Can RADIUS attributes pass through to Apache?
Alan DeKok wrote:
> Mark Lavi <[EMAIL PROTECTED]> wrote:
>
> So long as the list of RADIUS attributes don't get sent out in the HTTP response. That's my biggest worry with the use of HTTP headers, and with Apache.

I'm not sure what response you mean, the web browser/client's response to the HTTP headers upon the next HTTP request back to the web server?

> The response from the web server to the browser CANNOT contain any RADIUS attributes.

Ah, if we are talking about the standard RADIUS attributes, then yes - those should not go down to the browser via HTTP headers. However, I am talking about the extended (potentially vendor specific) attributes included in the access-accept packet that are currently discarded in mod_auth_radius.

You bring up a good point: there could be information communicated down to the browser that could be utilized to undermine security, abuse a system, etc. So that suggests that sending down all extended attributes, by default, would be a bad design. So if mod_auth_radius could be configured to specify which attributes may be "public" and passed down, that would solve the problem. Attributes that are promoted as public information could be utilized. My example would be to enable a "group=Engineering" attribute to be utilized in the server side environment. By passing the attributes, they can be used in the server side environment (CGI/PHP/etc.) and that's the value I am after.

> Where are the attributes passed to, inside of the server?
>
> a) environment variables: no, they stick around from request to request
> b) HTTP headers: no, they get sent back to the browser
> c) ?

Own suggested ENVIRONMENT variables, too, and we had already discussed this. Unless ENVIRONMENT variables can be made live for only the connection's lifecycle, this would not be a good solution. Option C would be inter-module passing or another internal data structure used in the server (sounds painful). I feel that option B, with specific attributes enabled, would be a workable solution.

--
--Mark
o   Atarex Communications: Web, Software, and Network Development
/\/ Public key attachment for secure e-mail enclosed.
//  mailto:[EMAIL PROTECTED] || http://www.atarex.com
Re: Cisco re-sends packets with different ids
At 09:05 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
>On Tue, Jun 03, 2003 at 11:53:48AM -0500, Chris Parker wrote:
>> At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
>> >On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
>> >> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
>> >> packet with the same id.
>> >
>> >I think I'm not. Here's the PortMaster 2 example:
>>
>> There is no 'wrong' or 'right'. They simply do it different ways.
>
>So is it possible to make freeradius determine both?

For what purpose? What do you want Freeradius to do?

-Chris
--
   \\\|||///  \    StarNet Inc.  \   Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |    \   http://www.starnetwx.net \  (847) 963-0116
-oOo---(_)---oOo--\----------------------------------------------
               \ Wholesale Internet Services - http://www.megapop.net
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 11:53:48AM -0500, Chris Parker wrote:
> At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
> >> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> >> packet with the same id.
> >
> >I think I'm not. Here's the PortMaster 2 example:
>
> There is no 'wrong' or 'right'. They simply do it different ways.

So is it possible to make freeradius determine both?

-- 
Fduch M. Pravking
Re: Cisco re-sends packets with different ids
You can't apply your criteria without considering the device. If you want a NAS that delivers accounting reliably, your reading of the RFC is correct, but the RFC does not specify what a NAS does once it reaches the end of its attempt to deliver the Accounting. It does not even give guidance as to the extent and duration of retry attempts. In many devices, it is simply discarded. That stinks too. Hats off to Cisco that the NAS saves "failed" accounting delivery advice and reattempts it in the future as, yes, a NEW REQUEST.

If you want independence from the vagaries of individual devices and versions, you just have to post-filter duplicate accounting advice. At iPass we filter with a 30-day window to deal with some devices that do binary backoff retries.

Alexander M. Pravking wrote:
> On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
> > Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> > packet with the same id.
>
> I think I'm not. Here's the PortMaster 2 example:
>
> rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129
> Sun Jun  1 13:22:57 2003 : Debug: Thread 5 assigned request 7679
> Sun Jun  1 13:22:57 2003 : Debug: Waking up in 2 seconds...
> Sun Jun  1 13:22:57 2003 : Debug: Thread 5 handling request 7679, (1331 handled so far)
>         Acct-Session-Id = "5B012519"
>         User-Name = "user-name"
>         NAS-IP-Address = ...
>         NAS-Port = 10
>         NAS-Port-Type = Async
>         Acct-Status-Type = Stop
>         Acct-Session-Time = 1527
>         Acct-Authentic = RADIUS
>         Acct-Input-Octets = 620905
>         Acct-Output-Octets = 3171185
>         Acct-Terminate-Cause = User-Request
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-IP-Address = ...
>         Acct-Delay-Time = 0
> ...
> rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129
> Sun Jun  1 13:23:43 2003 : Debug: Thread 6 assigned request 7688
> Sun Jun  1 13:23:43 2003 : Debug: --- Walking the entire request list ---
> Sun Jun  1 13:23:43 2003 : Debug: Threads: total/active/spare threads = 7/1/6
> Sun Jun  1 13:23:43 2003 : Debug: Waking up in 5 seconds...
> Sun Jun  1 13:23:43 2003 : Debug: Thread 6 handling request 7688, (501 handled so far)
>         Acct-Session-Id = "5B012519"
>         User-Name = "user-name"
>         NAS-IP-Address = ...
>         NAS-Port = 10
>         NAS-Port-Type = Async
>         Acct-Status-Type = Stop
>         Acct-Session-Time = 1527
>         Acct-Authentic = RADIUS
>         Acct-Input-Octets = 620905
>         Acct-Output-Octets = 3171185
>         Acct-Terminate-Cause = User-Request
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-IP-Address = ...
>         Acct-Delay-Time = 45
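The two detection layers this thread keeps circling (the RFC 2865 Identifier rule explained in Puneet's reply above, and the session-keyed post-filter recommended in this post), written out so their coverage can be compared on sample traffic. This is an added example, not FreeRADIUS's request-list code. The Identifier cache uses the 5-second cleanup_delay visible in the radiusd -X output on this page; the session filter's key mirrors the acct_unique key from that same output. Class names, the 192.0.2.x addresses, user names, ports and timings are all constructed; the PortMaster pair keeps id=168 as in the dump above, the Cisco pair gets a new id on retransmit as the thread reports:

```python
"""Two layers of duplicate detection for accounting requests.  Added example,
not FreeRADIUS's own request list.  Layer 1 is the RFC 2865 rule: same client
IP, source UDP port and Identifier within a short window (cleanup_delay).
Layer 2 keys on the session itself, like acct_unique, with a long window."""
from dataclasses import dataclass


@dataclass
class AcctRequest:
    label: str
    src_ip: str         # client (NAS) source address
    src_port: int       # client source UDP port
    identifier: int     # RADIUS Identifier octet
    recv_time: float    # seconds from an arbitrary origin (constructed)
    attrs: dict


class IdentifierCache:
    """RFC 2865: duplicate if (client IP, UDP port, Identifier) was seen within
    cleanup_delay seconds.  Only same-Identifier retransmits can ever match."""

    def __init__(self, cleanup_delay=5.0):
        self.cleanup_delay = cleanup_delay
        self.seen = {}  # key -> time last seen

    def is_duplicate(self, req):
        # Expire entries older than the window before looking up.
        self.seen = {k: t for k, t in self.seen.items()
                     if req.recv_time - t <= self.cleanup_delay}
        key = (req.src_ip, req.src_port, req.identifier)
        dup = key in self.seen
        self.seen[key] = req.recv_time
        return dup


class SessionFilter:
    """Post-filter keyed on what identifies the accounting event, independent
    of Identifier and Acct-Delay-Time.  Acct-Status-Type is in the key so a
    session's Start and Stop do not collide; interim updates would also need
    Acct-Session-Time in the key."""

    def __init__(self, window=30 * 86400):   # 30 days, as in the iPass filter
        self.window = window
        self.seen = {}

    def is_duplicate(self, req):
        a = req.attrs
        key = (a["User-Name"], a["Acct-Session-Id"], a["NAS-IP-Address"],
               a["NAS-Port"], a["Acct-Status-Type"])
        self.seen = {k: t for k, t in self.seen.items()
                     if req.recv_time - t <= self.window}
        dup = key in self.seen
        self.seen[key] = req.recv_time
        return dup


def stop_attrs(user, session, nas, port, delay):
    """Minimal Accounting-Request Stop attribute set (constructed)."""
    return {"User-Name": user, "Acct-Session-Id": session,
            "NAS-IP-Address": nas, "NAS-Port": port,
            "Acct-Status-Type": "Stop", "Acct-Delay-Time": delay}


# Constructed traffic: one PortMaster Stop retransmitted twice with the same
# Identifier (3 s and 46 s later), one Cisco Stop retransmitted with a new
# Identifier 5 s later.
SAMPLE = [
    AcctRequest("pm-stop", "192.0.2.20", 1026, 168, 0.0,
                stop_attrs("user-name", "5B012519", "192.0.2.20", 10, 0)),
    AcctRequest("pm-retry-3s", "192.0.2.20", 1026, 168, 3.0,
                stop_attrs("user-name", "5B012519", "192.0.2.20", 10, 3)),
    AcctRequest("pm-retry-46s", "192.0.2.20", 1026, 168, 46.0,
                stop_attrs("user-name", "5B012519", "192.0.2.20", 10, 45)),
    AcctRequest("cisco-stop", "192.0.2.30", 1645, 200, 100.0,
                stop_attrs("alice", "00000042", "192.0.2.30", 7, 0)),
    AcctRequest("cisco-retry-5s", "192.0.2.30", 1645, 201, 105.0,
                stop_attrs("alice", "00000042", "192.0.2.30", 7, 5)),
]


def classify(requests, cleanup_delay=5.0):
    """Returns {label: (caught by Identifier cache, caught by session filter)}."""
    ids, sessions = IdentifierCache(cleanup_delay), SessionFilter()
    return {r.label: (ids.is_duplicate(r), sessions.is_duplicate(r))
            for r in requests}


if __name__ == "__main__":
    for label, (by_id, by_session) in classify(SAMPLE).items():
        print(f"{label:15} identifier-dup={by_id!s:5} session-dup={by_session}")
```

Of the three retransmits only the 3-second PortMaster one is caught by the Identifier cache: the 46-second one has aged out of cleanup_delay, and the Cisco one never matches because its Identifier changed. The session filter catches all three, which is why the post-filter, not a bigger cleanup_delay, is the device-independent answer.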
Re: Cisco re-sends packets with different ids
At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
>On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
>> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
>> packet with the same id.
>
>I think I'm not. Here's the PortMaster 2 example:

There is no 'wrong' or 'right'. They simply do it different ways.

-Chris
--
   \\\|||///  \    StarNet Inc.  \   Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |    \   http://www.starnetwx.net \  (847) 963-0116
-oOo---(_)---oOo--\----------------------------------------------
               \ Wholesale Internet Services - http://www.megapop.net
Re: FreeRadius, MS-CHAP, mppe, and 128-bit encryption
Dear Steven Fries,

128-bit encryption is possible, because it's implemented in a way that works, not in the way the RFC says to do it. The RFC's authors acknowledged the problem in the RFC.

--Tuesday, June 3, 2003, 9:54:47 PM, you wrote to [EMAIL PROTECTED]:

SF> After reading one of the files that is in the docs/ directory, it says 128-bit encryption with mppe is not possible because of some confusion with the Cisco RFC. Is this true? And if so,
SF> are there any current versions beyond 0.8.1?

SF> I'm trying to use Radius to validate VPN PPTP users and am having a lot of difficulties. I need to use the strongest encryption possible as this is for patient data. Anyone have similar experience?

-- 
~/ZARAZA
Sir Isaac Newton discovered that apples fall to the ground. (Twain)
FreeRadius, MS-CHAP, mppe, and 128-bit encryption
After reading one of the files that is in the docs/ directory, it says 128-bit encryption with mppe is not possible because of some confusion with the Cisco RFC. Is this true? And if so, are there any current versions beyond 0.8.1?

I'm trying to use Radius to validate VPN PPTP users and am having a lot of difficulties. I need to use the strongest encryption possible as this is for patient data. Anyone have similar experience?
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> packet with the same id.

I think I'm not. Here's the PortMaster 2 example:

rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129
Sun Jun  1 13:22:57 2003 : Debug: Thread 5 assigned request 7679
Sun Jun  1 13:22:57 2003 : Debug: Waking up in 2 seconds...
Sun Jun  1 13:22:57 2003 : Debug: Thread 5 handling request 7679, (1331 handled so far)
        Acct-Session-Id = "5B012519"
        User-Name = "user-name"
        NAS-IP-Address = ...
        NAS-Port = 10
        NAS-Port-Type = Async
        Acct-Status-Type = Stop
        Acct-Session-Time = 1527
        Acct-Authentic = RADIUS
        Acct-Input-Octets = 620905
        Acct-Output-Octets = 3171185
        Acct-Terminate-Cause = User-Request
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = ...
        Acct-Delay-Time = 0
...
rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129
Sun Jun  1 13:23:43 2003 : Debug: Thread 6 assigned request 7688
Sun Jun  1 13:23:43 2003 : Debug: --- Walking the entire request list ---
Sun Jun  1 13:23:43 2003 : Debug: Threads: total/active/spare threads = 7/1/6
Sun Jun  1 13:23:43 2003 : Debug: Waking up in 5 seconds...
Sun Jun  1 13:23:43 2003 : Debug: Thread 6 handling request 7688, (501 handled so far)
        Acct-Session-Id = "5B012519"
        User-Name = "user-name"
        NAS-IP-Address = ...
        NAS-Port = 10
        NAS-Port-Type = Async
        Acct-Status-Type = Stop
        Acct-Session-Time = 1527
        Acct-Authentic = RADIUS
        Acct-Input-Octets = 620905
        Acct-Output-Octets = 3171185
        Acct-Terminate-Cause = User-Request
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = ...
        Acct-Delay-Time = 45

-- 
Fduch M. Pravking
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 10:52:45AM -0500, Chris Parker wrote:
> At 07:45 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> It's not a dupe because it is different, that's the point. It is not
> the same set of a/v pairs that was originally sent. I don't see anything
> violating the RFC here.

Hmm... Maybe I'm wrong here, assuming that NAS should re-send packet with the same id. But then what are the "duplicate" requests for? And in which case should we expect 'em?

> >As I said, the server processed the first request too long - more than
> >5 seconds. It happens sometimes, and I don't think it's too bad.
>
> Then increase the retry timeout on the cisco so it waits longer for a
> response.

Yes, but what if the request takes even longer to process?

> Alternatively, fix your radius server so it doesn't take 5
> *seconds* to process a request. :)

I can do nothing here - it's proxied to a remote server.

-- 
Fduch M. Pravking
RE: User attributes
Using Ascend gear here is what works at our site:

        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Bridge = Bridge-Yes,
        Ascend-DHCP-Reply = DHCP-Reply-Yes,
        Ascend-DHCP-Pool-Number = 3,
        Ascend-Assign-IP-Pool = 3,
        Framed-Netmask = 255.255.255.255,
        Ascend-Link-Compression = Link-Comp-Stac,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Ascend-Client-Primary-DNS = gate.way.ip.addr,
        Ascend-Client-Assign-DNS = DNS-Assign-Yes,
        Framed-Routing = None,
        Ascend-Route-IP = Route-IP-Yes,
        Ascend-MTU = 576,
        Ascend-Idle-Limit = 240,
        Ascend-Preempt-Limit = 35,
        Ascend-Metric = 2

HiH
Burkhard Weeber

viastore systems GmbH
P/O Box 300668
D-70446 Stuttgart
Tel: +49-711-9818-0
Email: [EMAIL PROTECTED]

Disclaimer: The opinions expressed herein are my personal points of view and do not represent those of my employer.

Windows95: n. 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor, written by a 2 bit company, that can't stand 1 bit of competition.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mauro
> Sent: Tuesday, June 03, 2003 5:15 PM
> To: [EMAIL PROTECTED]
> Subject: User attributes
>
> Having this basic user configuration
>
> linus   Auth-Type = Local, Password = 'password'
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 192.168.28.152,
>         Framed-IP-Netmask = 255.255.255.255,
>         Framed-Routing = Broadcast-Listen,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> I'd like to know how it is possible to pass it the dns value as
> well as the gateway to let the remote user into the local lan.
>
> Cheers
Re: FreeRadius - DLINK DWL-900+ - 802.1.X
My mistake: this is the right extract of the log file:

Auth: Login incorrect: [tst1/]

At 17:24 03/06/2003 +0200, you wrote:
> I forgot to say that:
>
> 1. the authentication works well with radtest!
>
> $ radtest tst1 pp 127.0.0.1 1 test
> Sending Access-Request of id 68 to 127.0.0.1:1812
>         User-Name = "tst1"
>         User-Password = "\323\366\273\363\371Z\250]\231(w\265?\346G\253"
>         NAS-IP-Address = localhost
>         NAS-Port = 1
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=68, length=20
>
> 2. with my AP I have the following output in radius.log:
>
> Auth: Login incorrect: [pelo/]
>
> Thanks.
>
> At 16:58 03/06/2003 +0200, you wrote:
> > I've already read the FAQ and the README's, but it still doesn't work.
> > Here is part of my config:
> >
> > radiusd.conf
> > ------------
> > modules {
> >     eap {
> >         default_eap_type = md5
> >         md5 {
> >         }
> >     }
> > }
> > authorize {
> >     eap
> > }
> > authenticate {
> >     eap
> > }
> >
> > client.conf
> > -----------
> > client localhost {
> >     secret = test
> >     nastype = other
> >     shortname = test
> > }
> >
> > huntgroups
> > ----------
> > TEST    NAS-IP-Address == 127.0.0.1, NAS-Port-Id == 0-3
> >
> > users
> > -----
> > DEFAULT Huntgroup-Name == "TEST"
> >         Framed-IP-Address = 192.168.1.11+
> > tst1    User-Password == "pp"
> > tst2    Auth-Type := Local, User-Password == "pp"
> >
> > Could someone help?
> > Thanks,
> > PP.
> >
> > At 09:31 30/05/2003 -0400, you wrote:
> > > Pascal PELONI <[EMAIL PROTECTED]> wrote:
> > > > The problem is that when I try to authenticate with my AP & W2K, it doesn't
> > > > work :
> > > >
> > > > # less /var/log/radius.log
> > > > Thu May 29 18:17:07 2003 : Auth: Login incorrect: [aa/<no User-Password
> > > > attribute>] (from client ap-wlan port 0 cli 00-40-05-CB-AD-7C)
> > >
> > > Read the FAQ and the README's.
> > > Read the FAQ and the README's.
> > > Read the FAQ and the README's.
> > > Read the FAQ and the README's.
> > >
> > > Did I mention I *really* meant that you should read the FAQ and the README's?
> > >
> > > Alan DeKok.
Re: Cisco re-sends packets with different ids
At 07:45 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
>On Tue, Jun 03, 2003 at 09:14:01AM -0500, Chris Parker wrote:
>> At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
>> >I discovered that our Cisco 5200 resends acct-requests (not sure about
>> >auth-requests) with different request identifiers, which violates
>> >RFC 2866. Here is sample debug output (note the id's!):
>>
>> Acct-Delay-Time has changed. It is not the same packet.
>
>Of course, it's changed - it retransmits it because it timed out waiting
>for the response. But RFC 2866 says:
>
>   Identifier
>      The Identifier field is one octet, and aids in matching requests
>      and replies. The RADIUS server can detect a duplicate request if
>      it has the same client source IP address and source UDP port and
>      Identifier within a short span of time.
>
>Once ids are different, radiusd can't detect duplicate requests and
>processes them as if they were independent.

It's not a dupe because it is different, that's the point. It is not the same set of a/v pairs that was originally sent. I don't see anything violating the RFC here.

>As I said, the server processed the first request too long - more than
>5 seconds. It happens sometimes, and I don't think it's too bad.

Then increase the retry timeout on the cisco so it waits longer for a response. Alternatively, fix your radius server so it doesn't take 5 *seconds* to process a request. :)

-Chris
--
   \\\|||///  \    StarNet Inc.  \   Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |    \   http://www.starnetwx.net \  (847) 963-0116
-oOo---(_)---oOo--\----------------------------------------------
               \ Wholesale Internet Services - http://www.megapop.net
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 07:06:38AM -0700, Jim Underwood wrote:
> That's what those acct-session-ids are for...

Don't think developers will hack radius for this very Cisco's bug :)

-- 
Fduch M. Pravking
RE: User attributes
Hola:

It depends on which hardware you use. We have Ascend MAX 6x/TNTs and these attributes seem to work (not using them currently, but did in the past):

[EMAIL PROTECTED] radius]# grep DNS /etc/raddb/dictionary.ascend
ATTRIBUTE       X-Ascend-Client-Primary-DNS     135     ipaddr
ATTRIBUTE       X-Ascend-Client-Secondary-DNS   136     ipaddr
ATTRIBUTE       X-Ascend-Client-Assign-DNS      137     integer
ATTRIBUTE       Ascend-Client-Primary-DNS       135     ipaddr  Ascend
ATTRIBUTE       Ascend-Client-Secondary-DNS     136     ipaddr  Ascend
ATTRIBUTE       Ascend-Client-Assign-DNS        137     integer Ascend
VALUE           Ascend-Client-Assign-DNS        DNS-Assign-No   0
VALUE           Ascend-Client-Assign-DNS        DNS-Assign-Yes  1
VALUE           Ascend-Client-Assign-DNS        DNS-Assign-No   0
VALUE           Ascend-Client-Assign-DNS        DNS-Assign-Yes  1

Hope it helps.

Jonathan.
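Both this post and the dictionary.netscreen review request earlier on this page involve hand-edited dictionary files, so here is a small checker for the classic dictionary syntax (VENDOR name number; ATTRIBUTE name number type [vendor]; VALUE attribute value-name number). It is an added example, not FreeRADIUS's own dictionary loader. The sample text is constructed from the grep output above plus three deliberately bad lines at the end (Ascend-Bogus, the VALUE on an ipaddr attribute and Netscreen-Thing are made up); the Ascend vendor number 529 is the IANA-assigned one. It flags what a reviewer of a new dictionary would look for first: attribute numbers that collide within one vendor space, VALUEs on non-integer attributes, a vendor used without a VENDOR line, and repeated VALUE lines like the ones in the grep output:

```python
"""Checker for the classic FreeRADIUS dictionary syntax.  Added example, not
the server's own loader.  Handles VENDOR, ATTRIBUTE and VALUE lines; anything
else is reported rather than silently skipped."""
from collections import namedtuple

Attr = namedtuple("Attr", "name number type vendor")

# Data types a dictionary of this vintage may declare.
KNOWN_TYPES = {"string", "octets", "integer", "ipaddr", "date", "abinary",
               "ifid", "ipv6addr"}


def parse_dictionary(text):
    """Parse dictionary text.  Returns (attrs, values, problems): attrs maps
    name -> Attr, values maps (attr name, value name) -> number, problems is a
    list of human-readable findings in file order."""
    vendors, attrs, values, problems = {}, {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "VENDOR" and len(f) == 3 and f[2].isdigit():
            vendors[f[1]] = int(f[2])
        elif f[0] == "ATTRIBUTE" and len(f) in (4, 5):
            name, num, typ = f[1], f[2], f[3].lower()
            vendor = f[4] if len(f) == 5 else None
            if not (num.isdigit() and 1 <= int(num) <= 255):
                problems.append(f"line {lineno}: attribute number {num!r} not in 1..255")
            elif typ not in KNOWN_TYPES:
                problems.append(f"line {lineno}: unknown type {typ!r}")
            elif vendor is not None and vendor not in vendors:
                problems.append(f"line {lineno}: vendor {vendor!r} not declared with VENDOR")
            elif name in attrs:
                problems.append(f"line {lineno}: attribute {name!r} defined twice")
            else:
                # Numbers are unique per vendor space: a non-vendor 135 and an
                # Ascend 135 may coexist, two Ascend 135s may not.
                clash = [a.name for a in attrs.values()
                         if a.vendor == vendor and a.number == int(num)]
                if clash:
                    problems.append(f"line {lineno}: number {num} already used by "
                                    f"{clash[0]!r} in the {vendor or 'standard'} space")
                else:
                    attrs[name] = Attr(name, int(num), typ, vendor)
        elif f[0] == "VALUE" and len(f) == 4:
            attr_name, val_name, num = f[1], f[2], f[3]
            a = attrs.get(attr_name)
            if a is None:
                problems.append(f"line {lineno}: VALUE for undefined attribute {attr_name!r}")
            elif a.type != "integer":
                problems.append(f"line {lineno}: VALUE on non-integer attribute {attr_name!r}")
            elif not num.isdigit():
                problems.append(f"line {lineno}: VALUE number {num!r} is not numeric")
            elif (attr_name, val_name) in values:
                kind = "duplicate" if values[(attr_name, val_name)] == int(num) else "conflicting"
                problems.append(f"line {lineno}: {kind} VALUE {val_name!r} for {attr_name!r}")
            else:
                values[(attr_name, val_name)] = int(num)
        else:
            problems.append(f"line {lineno}: unrecognised line {line!r}")
    return attrs, values, problems


# Constructed sample: dictionary.ascend lines from the grep output above, then
# three deliberately bad lines (names made up for the example).
SAMPLE = """\
VENDOR     Ascend                        529
ATTRIBUTE  X-Ascend-Client-Primary-DNS   135  ipaddr
ATTRIBUTE  X-Ascend-Client-Assign-DNS    137  integer
ATTRIBUTE  Ascend-Client-Primary-DNS     135  ipaddr   Ascend
ATTRIBUTE  Ascend-Client-Assign-DNS      137  integer  Ascend
VALUE      Ascend-Client-Assign-DNS      DNS-Assign-No   0
VALUE      Ascend-Client-Assign-DNS      DNS-Assign-Yes  1
VALUE      Ascend-Client-Assign-DNS      DNS-Assign-No   0
ATTRIBUTE  Ascend-Bogus                  135  string   Ascend
VALUE      Ascend-Client-Primary-DNS     Whatever        1
ATTRIBUTE  Netscreen-Thing               1    integer  Netscreen
"""


if __name__ == "__main__":
    found, vals, issues = parse_dictionary(SAMPLE)
    print(f"{len(found)} attributes, {len(vals)} values")
    for issue in issues:
        print(issue)
```

To check a real file, read it and pass the text to parse_dictionary; an empty problems list is the pass condition. The per-vendor number check is the one that matters most when converting another vendor's dictionary, since a silently shadowed attribute number means the server decodes the wrong VSA.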
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 09:14:01AM -0500, Chris Parker wrote:
> At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >I discovered that our Cisco 5200 resends acct-requests (not sure about
> >auth-requests) with different request identifiers, which violates
> >RFC 2866. Here is sample debug output (note the id's!):
>
> Acct-Delay-Time has changed. It is not the same packet.

Of course, it's changed - it retransmits it because it timed out waiting for the response. But RFC 2866 says:

   Identifier
      The Identifier field is one octet, and aids in matching requests
      and replies. The RADIUS server can detect a duplicate request if
      it has the same client source IP address and source UDP port and
      Identifier within a short span of time.

Once ids are different, radiusd can't detect duplicate requests and processes them as if they were independent.

> The solution
> is to figure out why your cisco nas isn't seeing an acct-accept from
> the radius server and is retransmitting acct requests.

As I said, the server processed the first request too long - more than 5 seconds. It happens sometimes, and I don't think it's too bad.

In any way, thanks for the input.

-- 
Fduch M. Pravking
Re: FreeRadius - DLINK DWL-900+ - 802.1.X
I forget to say that:

1. the authentication works well with radtest!

$ radtest tst1 pp 127.0.0.1 1 test
Sending Access-Request of id 68 to 127.0.0.1:1812
        User-Name = "tst1"
        User-Password = "\323\366\273\363\371Z\250]\231(w\265?\346G\253"
        NAS-IP-Address = localhost
        NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=68, length=20

2. with my AP I have the following output in radius.log:

Auth: Login incorrect: [pelo/]

Thanks.

At 16:58 03/06/2003 +0200, you wrote:
I've already read the FAQ and the README's, but it still doesn't work.
Here is part of my config:

radiusd.conf

modules {
        eap {
                default_eap_type = md5
                md5 {
                }
        }
}
authorize {
        eap
}
authenticate {
        eap
}

client.conf
---
client localhost {
        secret = test
        nastype = other
        shortname = test
}

huntgroups
--
TEST    NAS-IP-Address == 127.0.0.1, NAS-Port-Id == 0-3

users
-
DEFAULT Huntgroup-Name == "TEST"
        Framed-IP-Address = 192.168.1.11+

tst1    User-Password == "pp"

tst2    Auth-Type := Local, User-Password == "pp"

Could someone help?

Thanks,
PP.

At 09:31 30/05/2003 -0400, you wrote:
Pascal PELONI <[EMAIL PROTECTED]> wrote:
> The problem is that when I try to authenticate with my AP & W2K, it doesn't
> work :
>
> # less /var/log/radius.log
> Thu May 29 18:17:07 2003 : Auth: Login incorrect: [aa/
> attribute>] (from client ap-wlan port 0 cli 00-40-05-CB-AD-7C)

Read the FAQ and the README's.
Read the FAQ and the README's.
Read the FAQ and the README's.
Read the FAQ and the README's.

Did I mention I *really* meant that you should read the FAQ and the README's?

Alan DeKok.
User attributes
Having this basic user configuration

linus   Auth-Type = Local, Password = 'password'
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.28.152,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

I'd like to know how it is possible to pass it the DNS value as well as the gateway, to let the remote user into the local LAN.

Cheers
Re: Simultaneous-Use
If configured correctly the "Simultaneous-Use = 1" parameter will limit simultaneous logins into THAT RADIUS server to 1. If you have 1 or fifty NAS devices pointed at the same RADIUS server with Simultaneous-Use = 1 set for a user, that user will only be allowed to login once no matter which NAS they dial into.

Jeff Sullivan wrote:

Q: I have 4 usrhipers setup for dial in. If customer A dials into arc 1 and then dials in again and gets a modem on arc 2, will they be denied access if the Simultaneous-Use is set to 1? Or will it only check if they are attempting to connect to the same arc as the original connection?

Jeff
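The following is an added illustration of the behaviour the reply describes; it is not code from FreeRADIUS or from anyone in the thread. The session table stands in for radutmp, the "arc1"/"arc2" NAS names, user and session ids are constructed sample data, and the optional checkrad callback is a stand-in for the checkrad helper that radiusd.conf points at (it asks the NAS whether a recorded session is really still up before a login is refused on the strength of a stale entry).

```python
# Added example: a toy model of FreeRADIUS's Simultaneous-Use check.
# The session table stands in for radutmp; NAS names, users and session
# ids below are constructed sample data, not values from the thread.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    user: str
    nas: str          # NAS the session was started on (e.g. "arc1")
    nas_port: int
    session_id: str   # Acct-Session-Id reported by that NAS


class SessionTable:
    """Active sessions known to ONE RADIUS server, fed by the accounting
    Start/Stop records of every NAS that points at this server."""

    def __init__(self) -> None:
        self._active: Dict[Tuple[str, str], Session] = {}

    def start(self, s: Session) -> None:
        self._active[(s.nas, s.session_id)] = s

    def stop(self, nas: str, session_id: str) -> None:
        self._active.pop((nas, session_id), None)

    def active_for(self, user: str) -> List[Session]:
        return [s for s in self._active.values() if s.user == user]


def simultaneous_use_check(
    table: SessionTable,
    user: str,
    limit: int,
    checkrad: Optional[Callable[[Session], bool]] = None,
) -> Tuple[bool, List[Session]]:
    """Return (allowed, sessions_counted).

    The count runs over every NAS in the table, so a second dial-in on a
    different NAS is refused just the same as one on the original NAS.
    If a checkrad callback is supplied (hypothetical stand-in for the
    checkrad script), sessions it reports as dead are dropped from the
    table instead of being counted: a NAS that lost power never sent its
    Stop records, and without such a check the user stays locked out.
    """
    counted: List[Session] = []
    for s in table.active_for(user):
        if checkrad is not None and not checkrad(s):
            table.stop(s.nas, s.session_id)   # stale entry, forget it
            continue
        counted.append(s)
    return len(counted) < limit, counted


def demo() -> List[bool]:
    """Customer A dials arc1, then arc2, with Simultaneous-Use = 1."""
    table = SessionTable()
    results: List[bool] = []

    allowed, _ = simultaneous_use_check(table, "customerA", 1)
    results.append(allowed)          # nothing active yet: allowed
    table.start(Session("customerA", "arc1", 3, "0001"))

    allowed, _ = simultaneous_use_check(table, "customerA", 1)
    results.append(allowed)          # second login, even via arc2: refused

    # arc1 reports the session is gone (Stop record was lost)
    allowed, _ = simultaneous_use_check(
        table, "customerA", 1, checkrad=lambda s: False)
    results.append(allowed)          # stale entry cleared: allowed again
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, True]
```

The point the reply makes is visible in `active_for`: the lookup is by user, not by (user, NAS), so the server's view of "already logged in" spans every NAS that sends it accounting. The checkrad branch is the standard mitigation for the failure mode that follows from that design, a lost Stop record locking a legitimate user out.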
RE: Cisco re-sends packets with different ids
Hey Alex,

Try using "aaa accounting delay-start"... This may help. I use it on our 5800 to get accounting IP addresses correctly from the NAS.

Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander M. Pravking
Sent: Tuesday, June 03, 2003 8:53 AM
To: [EMAIL PROTECTED]
Subject: Cisco re-sends packets with different ids

I discovered that our Cisco 5200 resends acct-requests (not sure about auth-requests) with different request identifiers, which violates RFC 2866. Here is sample debug output (note the id's!):

rad_recv: Accounting-Request packet from host cisco-5200:1646, id=205, length=119
Sun Jun 1 13:57:15 2003 : Debug: Thread 4 assigned request 7988
Sun Jun 1 13:57:15 2003 : Debug: --- Walking the entire request list ---
Sun Jun 1 13:57:15 2003 : Debug: Waking up in 1 seconds...
Sun Jun 1 13:57:15 2003 : Debug: Thread 4 handling request 7988, (1373 handled so far)
        NAS-IP-Address = ...
        NAS-Port = 52
        NAS-Port-Type = Async
        User-Name = "some-user"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = "00010CC2"
        Framed-Protocol = PPP
        Framed-IP-Address = ...
        Acct-Delay-Time = 0

... (this request was being processed more than 5 seconds) ...

rad_recv: Accounting-Request packet from host cisco-5200:1646, id=206, length=119
Sun Jun 1 13:57:20 2003 : Debug: Thread 7 assigned request 7992
Sun Jun 1 13:57:20 2003 : Debug: --- Walking the entire request list ---
Sun Jun 1 13:57:20 2003 : Debug: Threads: total/active/spare threads = 7/1/6
Sun Jun 1 13:57:20 2003 : Debug: Waking up in 1 seconds...
Sun Jun 1 13:57:20 2003 : Debug: Thread 7 handling request 7992, (543 handled so far)
        NAS-IP-Address = ...
        NAS-Port = 52
        NAS-Port-Type = Async
        User-Name = "user-name"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = "00010CC2"
        Framed-Protocol = PPP
        Framed-IP-Address = ...
        Acct-Delay-Time = 5

Finally, both requests are logged successfully, so we got two active sessions for the same request.

Alan would say "So, fix the NAS!", but it doesn't seem possible. (I'll feel happy if I'm wrong.)

Please, let me know if you saw similar things and if you have found a workaround. Thanks in advance.

--
Fduch M. Pravking
Re: FreeRadius - DLINK DWL-900+ - 802.1.X
I've already read the FAQ and the README's, but it still doesn't work.
Here is part of my config:

radiusd.conf

modules {
        eap {
                default_eap_type = md5
                md5 {
                }
        }
}
authorize {
        eap
}
authenticate {
        eap
}

client.conf
---
client localhost {
        secret = test
        nastype = other
        shortname = test
}

huntgroups
--
TEST    NAS-IP-Address == 127.0.0.1, NAS-Port-Id == 0-3

users
-
DEFAULT Huntgroup-Name == "TEST"
        Framed-IP-Address = 192.168.1.11+

tst1    User-Password == "pp"

tst2    Auth-Type := Local, User-Password == "pp"

Could someone help?

Thanks,
PP.

At 09:31 30/05/2003 -0400, you wrote:
Pascal PELONI <[EMAIL PROTECTED]> wrote:
> The problem is that when I try to authenticate with my AP & W2K, it doesn't
> work :
>
> # less /var/log/radius.log
> Thu May 29 18:17:07 2003 : Auth: Login incorrect: [aa/
> attribute>] (from client ap-wlan port 0 cli 00-40-05-CB-AD-7C)

Read the FAQ and the README's.
Read the FAQ and the README's.
Read the FAQ and the README's.
Read the FAQ and the README's.

Did I mention I *really* meant that you should read the FAQ and the README's?

Alan DeKok.
Re: Proxy-To-Realm and Replicate-To-Realm
On Thu, 8 May 2003, Alan DeKok wrote:

> [EMAIL PROTECTED] wrote:
> > support multiple Replicate-To-Realm attributes in the acct_users file? Can
> > I do something like this in acct_users and is it supported?:
>
> The server no longer supports Replicate-To-Realm. Similar
> functionality can be achieved using features outside of the server.
>
> e.g. Selectively logging packets to a 'detail' file, and then using
> 'radrelay' to replicate those records:
>
> DEFAULT Called-Station-Id =~ "123456[0-3]789", Acct-Type = 'foo'
>
> where "foo" is an instance of the 'detail' module.

Well I finally got around to using this method and it seems to be working fine. I do have a couple of questions though. I'm using snapshot 20030602.

In the accounting{} section, it isn't obvious to me what instances are called at what time for different Acct-Types. If I call number 123456789 the accounting{} section only seems to 'execute' the instances within Acct_IDA and not the other ones (e.g. radutmp) and I therefore have to duplicate everything inside each instance. Is this correct?

Current configuration is something like this:

(acct_users):

DEFAULT Called-Station-Id == "123456789", Acct-Type := "Acct_IDA"
        Fall-Through = No

DEFAULT Called-Station-Id == "876543210", Acct-Type := "Acct_TEST"
        Fall-Through = No

DEFAULT Acct-Type := "Acct_STANDARD"
        Fall-Through = No

(radiusd.conf):

modules {
[--SNIP--]
        detail detail_IDA {
                detailfile = ${radacctdir}/detail_IDA
                detailperm = 0600
                locking = yes
        }
        detail detail_TEST {
                detailfile = ${radacctdir}/detail_TEST
                detailperm = 0600
                locking = yes
        }
        detail detail_STANDARD {
                detailfile = ${radacctdir}/detail_STANDARD
                detailperm = 0600
                locking = yes
        }
}

accounting {
        detail
        sql
        radutmp
        Acct-Type Acct_IDA {
                detail
                sql
                detail_STANDARD
                detail_IDA
        }
        Acct-Type Acct_TEST {
                detail
                sql
                detail_STANDARD
                detail_TEST
        }
}

The second point is a bug I found in radrelay. We use CVXs and there are some pretty large attributes included in the accounting packet. FreeRadius is happy with these attributes but radrelay hangs when reading it and causes FreeRadius to start dropping the packets with these errors:

Tue Jun 3 11:28:30 2003 : Error: rlm_detail: Failed to aquire filelock for /var/log/radius_proxy/radacct/detail_STANDARD, giving up

A partial stop packet that causes this has "Attribute-172818433" with a large hexadecimal value as below (obfuscated - not original):

        Acct-Status-Type = Stop
        NAS-Identifier = "cvx5"
        Attr-172818433 = 0x86345834658346583465237987aedcf789e7dc97987987897ec987de9f789ce897d987de987cde98798cde978979c8797cde97d97cf9e7df98c7d9e87c97de97fc987edf97ed97fc97def97c97e987c89d79f7e97fcabababdec97ed9f7c9ef9c7def9c79de7f9c7e9f7c9de7f89c79e7f97897089089785e7645c56d463fce65476ef89cef0980e8cf986de6f5ce6d6e3df65e76cef87ed9c09e8f90c8e90f9ce6f76ced56f4e6d3fce6f4de86f9de78f0ef80def89ef78e5f574e56fe56f4e76fde78f9dcd
        Attr-172818435 = 0x3030303030303030303030303030303030303030
        Service-Type = Framed-User
        NAS-Port = 1063
        NAS-Port-Type = Async
        Called-Station-Id = "1234567890"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 15
        Framed-IP-Address = 1.2.3.14
        User-Name = "JoeBloggs"
        Framed-Protocol = PPP
        Acct-Input-Octets = 1076
        Acct-Output-Octets = 1344
[--SNIP--]

It would appear that there is some sort of buffer overflow possibility here in read_one() in radrelay.c. A patch is included below. I realise that this doesn't fix the problem, but merely hides it, but it is good enough to get me going again with RadRelay.

diff against: "$Id: radrelay.c,v 1.9 2002/12/04 17:24:29 aland Exp $";

[EMAIL PROTECTED] main]# diff -u radrelay.c.orig radrelay.c
--- radrelay.c.orig 2003-06-03 12:39:13.0 +0100
+++ radrelay.c 2003-06-03 12:40:59.0 +0100
@@ -179,7 +179,7 @@
 {
 VALUE_PAIR *vp;
 char *s;
- char buf[256];
+ char buf[1024];
 char key[32], val[32];
 int skip;
 long fpos;

Cheers,
Dave.
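Review bot: raising the fixed size of buf from 256 to 1024 in read_one() only moves the limit; the quoted Attr-172818433 line is already around 400 hex characters, so the next CVX attribute longer than 1024 bytes reproduces the same hang, and key[32] and val[32] in the same hunk remain fixed-size with no visible bound on what is copied into them. The read into buf and the split into key/val should be length-checked against sizeof(buf), sizeof(key) and sizeof(val), with an over-long line skipped (the hunk already has fpos for repositioning in the detail file) rather than the buffer simply enlarged. The submitter states that the patch hides the problem rather than fixing it, so it should be carried as a workaround, and a bounded-read fix is still needed before radrelay is safe on detail files with large attributes.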
RE: radtest help
Thanks for the information. I am not sure what version I am using. It was the latest and greatest compile from the web site. I can modify the radtest to manually enter more attributes. That might work. Does anyone know how to configure the radtest script (or create a new one) to do LEAP authentication?

Thanks

Regards,
Paul Carugati

-Original Message-
From: Oliver Graf [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 10:17 AM
To: [EMAIL PROTECTED]
Subject: Re: radtest help

On Mon, Jun 02, 2003 at 07:53:07AM -0500, Carugati Paul-APC050 wrote:
> Thank you for this however I am already using this as a Windows RADIUS test
> tool. I need a command line version. Any additional information?

Is it possible that you use an old version? cvs radtest does not strip / from usernames.

You should also note that radtest is only a shell script for radclient. Perhaps radclient will do what you want...

Oliver.
RE: dynamic ip addresses
excellent!

cheers very much!

Rob.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael
> Hardrick
> Sent: 03 June 2003 14:44
> To: [EMAIL PROTECTED]
> Subject: RE: dynamic ip addresses
>
>
> Change these two.
>
> Framed-IP-Address = 255.255.255.254,
> Framed-IP-Netmask = 255.255.255.255,
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Robin Garbutt
> Sent: Tuesday, June 03, 2003 4:09 AM
> To: [EMAIL PROTECTED]
> Subject: dynamic ip addresses
>
>
> Hi all,
>
> I can set up freeradius with a static ip address per user but
> how do you do it so that it picks an ip address from a pool i.e
> dynamically?
>
> The kind of user details I've got for static are like the
> following. What would I change for it to be dynamic?
>
> test    Auth-Type = Local, Password = "testing"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 192.168.31.152,
>         Framed-IP-Netmask = 255.255.255.255,
>         Framed-Routing = Broadcast-Listen,
>         Framed-Filter-Id = "std.ppp",
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> cheers in advance
>
> Rob.
>
>
> ===
> Netnorth Limited
> 7-8 Queensbrook
> Bolton Technology Exchange
> Bolton
> BL1 4AY
>
> d/l: 01204 900714
> tel: 01204 900700
> Fax: 01204 900777
>
> email: [EMAIL PROTECTED]
> ===
>
> ~~
> Why not try our dial-up ?
> Modem Tel: 0845 055 0006
> Username: netnorthdial
> Password: netnorthdial
>
> All formats supported, including V90, ISDN, ISDN dual
> channel, Mobile Phones
> ~~
Simultaneous-Use
Q: I have 4 usrhipers setup for dial in. If customer A dials into arc 1 and then dials in again and gets a modem on arc 2, will they be denied access if the Simultaneous-Use is set to 1? Or will it only check if they are attempting to connect to the same arc as the original connection?

Jeff
Re: Cisco re-sends packets with different ids
At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
>I discovered that our Cisco 5200 resends acct-requests (not sure about
>auth-requests) with different request identifiers, which violates
>RFC 2866. Here is sample debug output (note the id's!):

Acct-Delay-Time has changed. It is not the same packet. The solution is to figure out why your cisco nas isn't seeing an acct-accept from the radius server and is retransmitting acct requests.

-Chris

--
StarNet Inc. - Chris Parker
WX *is* Wireless! - Director, Engineering
http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: Cisco re-sends packets with different ids
That's what those acct-session-ids are for...

Alexander M. Pravking wrote:

I discovered that our Cisco 5200 resends acct-requests (not sure about auth-requests) with different request identifiers, which violates RFC 2866. Here is sample debug output (note the id's!):

rad_recv: Accounting-Request packet from host cisco-5200:1646, id=205, length=119
Sun Jun 1 13:57:15 2003 : Debug: Thread 4 assigned request 7988
Sun Jun 1 13:57:15 2003 : Debug: --- Walking the entire request list ---
Sun Jun 1 13:57:15 2003 : Debug: Waking up in 1 seconds...
Sun Jun 1 13:57:15 2003 : Debug: Thread 4 handling request 7988, (1373 handled so far)
        NAS-IP-Address = ...
        NAS-Port = 52
        NAS-Port-Type = Async
        User-Name = "some-user"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = "00010CC2"
        Framed-Protocol = PPP
        Framed-IP-Address = ...
        Acct-Delay-Time = 0

... (this request was being processed more than 5 seconds) ...

rad_recv: Accounting-Request packet from host cisco-5200:1646, id=206, length=119
Sun Jun 1 13:57:20 2003 : Debug: Thread 7 assigned request 7992
Sun Jun 1 13:57:20 2003 : Debug: --- Walking the entire request list ---
Sun Jun 1 13:57:20 2003 : Debug: Threads: total/active/spare threads = 7/1/6
Sun Jun 1 13:57:20 2003 : Debug: Waking up in 1 seconds...
Sun Jun 1 13:57:20 2003 : Debug: Thread 7 handling request 7992, (543 handled so far)
        NAS-IP-Address = ...
        NAS-Port = 52
        NAS-Port-Type = Async
        User-Name = "user-name"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = "00010CC2"
        Framed-Protocol = PPP
        Framed-IP-Address = ...
        Acct-Delay-Time = 5

Finally, both requests are logged successfully, so we got two active sessions for the same request.

Alan would say "So, fix the NAS!", but it doesn't seem possible. (I'll feel happy if I'm wrong.)

Please, let me know if you saw similar things and if you have found a workaround. Thanks in advance.
SMUX
Hello all,

I have tried to search for this problem in the lists and with google, but to no avail :( Anyway I am setting up freeRadius for the first time and when I start it I get:

[snip]
SMUX connect try 1
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password:
SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1
Broken pipe
[/snip]

I guess my first question is what is the SMUX and what is it trying to do? Anybody have any insight for this newb?

Thanks,
Nathan

The full radiusd -X output is below:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
main: smux_password = ""
main: snmp_write_access = no
SMUX connect try 1
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password:
SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1
Broken pipe
Cisco re-sends packets with different ids
I discovered that our Cisco 5200 resends acct-requests (not sure about auth-requests) with different request identifiers, which violates RFC 2866. Here is sample debug output (note the id's!):

rad_recv: Accounting-Request packet from host cisco-5200:1646, id=205, length=119
Sun Jun 1 13:57:15 2003 : Debug: Thread 4 assigned request 7988
Sun Jun 1 13:57:15 2003 : Debug: --- Walking the entire request list ---
Sun Jun 1 13:57:15 2003 : Debug: Waking up in 1 seconds...
Sun Jun 1 13:57:15 2003 : Debug: Thread 4 handling request 7988, (1373 handled so far)
        NAS-IP-Address = ...
        NAS-Port = 52
        NAS-Port-Type = Async
        User-Name = "some-user"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = "00010CC2"
        Framed-Protocol = PPP
        Framed-IP-Address = ...
        Acct-Delay-Time = 0

... (this request was being processed more than 5 seconds) ...

rad_recv: Accounting-Request packet from host cisco-5200:1646, id=206, length=119
Sun Jun 1 13:57:20 2003 : Debug: Thread 7 assigned request 7992
Sun Jun 1 13:57:20 2003 : Debug: --- Walking the entire request list ---
Sun Jun 1 13:57:20 2003 : Debug: Threads: total/active/spare threads = 7/1/6
Sun Jun 1 13:57:20 2003 : Debug: Waking up in 1 seconds...
Sun Jun 1 13:57:20 2003 : Debug: Thread 7 handling request 7992, (543 handled so far)
        NAS-IP-Address = ...
        NAS-Port = 52
        NAS-Port-Type = Async
        User-Name = "user-name"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = "00010CC2"
        Framed-Protocol = PPP
        Framed-IP-Address = ...
        Acct-Delay-Time = 5

Finally, both requests are logged successfully, so we got two active sessions for the same request.

Alan would say "So, fix the NAS!", but it doesn't seem possible. (I'll feel happy if I'm wrong.)

Please, let me know if you saw similar things and if you have found a workaround. Thanks in advance.

--
Fduch M. Pravking
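As an added illustration of this thread (not code from FreeRADIUS or from any poster), the block below replays the two Accounting-Requests through two duplicate caches: one keyed the way RFC 2866 describes (source address, source port, Identifier), which the renumbered retransmission slips past, and one keyed on the accounting attributes, modelled on the acct_unique key quoted in the radiusd -X output in the SMUX message above (User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port, with Acct-Status-Type added so that a Start and its Stop stay distinct). The packets are constructed from the values in the thread (ids 205 and 206, Acct-Session-Id 00010CC2, Acct-Delay-Time 0 and 5); the NAS-IP-Address, the single User-Name and the receive timestamps are sample values, since the thread elides or varies them. It also shows what Acct-Delay-Time buys you: subtracting it from the receive time gives the same event time for both copies.

```python
# Added example: duplicate detection for a retransmitted Accounting-Request
# whose RADIUS Identifier changed between sends. Packets are constructed from
# the thread's values; NAS-IP-Address, User-Name and timestamps are samples.
from datetime import datetime, timedelta
from typing import Any, Callable, Dict, Hashable, List

Packet = Dict[str, Any]

PACKETS: List[Packet] = [
    {"src": ("cisco-5200", 1646), "id": 205,
     "recv": datetime(2003, 6, 1, 13, 57, 15),
     "attrs": {"NAS-IP-Address": "192.0.2.1", "NAS-Port": 52,
               "User-Name": "some-user", "Acct-Status-Type": "Start",
               "Acct-Session-Id": "00010CC2", "Acct-Delay-Time": 0}},
    {"src": ("cisco-5200", 1646), "id": 206,           # same record, new id
     "recv": datetime(2003, 6, 1, 13, 57, 20),
     "attrs": {"NAS-IP-Address": "192.0.2.1", "NAS-Port": 52,
               "User-Name": "some-user", "Acct-Status-Type": "Start",
               "Acct-Session-Id": "00010CC2", "Acct-Delay-Time": 5}},
]


def rfc2866_key(pkt: Packet) -> Hashable:
    """RFC 2866 duplicate detection: source IP, source port and Identifier.
    A NAS that renumbers its retransmission defeats this key."""
    return (pkt["src"], pkt["id"])


def acct_unique_key(pkt: Packet) -> Hashable:
    """Key on what the NAS says about the session, not on the UDP envelope.
    Modelled on the acct_unique key fields; Acct-Status-Type is included so a
    Start and the later Stop of one session are never treated as duplicates."""
    a = pkt["attrs"]
    return (a["User-Name"], a["Acct-Session-Id"], a["NAS-IP-Address"],
            a["NAS-Port"], a["Acct-Status-Type"])


def event_time(pkt: Packet) -> datetime:
    """When the event happened on the NAS: Acct-Delay-Time is the number of
    seconds the NAS had been holding this record when it sent this copy."""
    return pkt["recv"] - timedelta(seconds=pkt["attrs"]["Acct-Delay-Time"])


def sessions_recorded(packets: List[Packet],
                      keyfunc: Callable[[Packet], Hashable],
                      window: timedelta = timedelta(seconds=30)) -> List[str]:
    """Replay packets through a duplicate cache keyed by keyfunc and return
    the session ids that would be logged as new sessions. Cache entries older
    than `window` are forgotten, matching the RFC's 'short span of time'."""
    seen: Dict[Hashable, datetime] = {}
    recorded: List[str] = []
    for p in packets:
        now = p["recv"]
        for stale in [k for k, t in seen.items() if now - t > window]:
            del seen[stale]
        k = keyfunc(p)
        if k in seen:
            continue          # retransmission: acknowledge it, log nothing new
        seen[k] = now
        recorded.append(p["attrs"]["Acct-Session-Id"])
    return recorded


if __name__ == "__main__":
    print(sessions_recorded(PACKETS, rfc2866_key))      # ['00010CC2', '00010CC2']
    print(sessions_recorded(PACKETS, acct_unique_key))  # ['00010CC2']
    print(event_time(PACKETS[0]) == event_time(PACKETS[1]))  # True
```

The window matters in both directions: too short and the five-second-late retransmission is logged twice even under the attribute key; too long and a NAS that legitimately reuses a session id after a reboot has its new Start swallowed. In FreeRADIUS the attribute-based key is what rlm_acct_unique hashes into Acct-Unique-Session-Id, and the SQL and detail back ends can then treat a second Start carrying the same value as an update rather than a new row.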