Re: Request For Business Transaction
He sure trusts a lot of people, asking a mailing list...

--
You will attract cultured and artistic people to your home.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Upcoming FreeRadius 0.9 release
On Thursday, Jun 12, 2003, at 00:27 Australia/Melbourne, Peter Nixon wrote:

Hello List

For the MacOS X users on the list, this is built on 10.2.6, with postgresql-7.3.3, and openssl-0.9.6i. Seems to work nicely. I'll fire up postgres a bit later, and actually try to log to it, but the build process works fine.

Had a few problems where EAP couldn't load any EAP modules, so I've stopped that from loading for the time being.

Matt.

radiusd: FreeRADIUS Version 0.9-pre, for host powerpc-apple-darwin6.6, built on 06/13/03 at 15:56:23
dhcp68 /usr/local/sbin sudo ./radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
Re: Newbie question ( i think ) on freeradius, LDAP and VPN3000 Cisco
Here the question: is there a way to receive some parameter from the LDAP server to pass back to radius ( not to Cisco 3015 ) to activate the rlm_ippool module ?

radiusCheckItem: Pool-Name := pool1

While waiting on this info I've also found that you can modify the ldap.attrmap adding ( for example ) a line that says:

checkItem Pool-Name radiusPool

and adding to your ldap schema the radiusPool ( or whatever you want ) attribute. In this way you can configure the pool from the LDAP server, and leave your radius server to choose from the various pools you may have configured on it. When the radius server asks the LDAP server for authorization, and if the LDAP is configured for this value, it will receive this attribute and use it for the requested purpose.

Hope this will help someone else.

Thanks.

Pigi
session variables
Hello,

Tell me please... Is there an individual instance of radius authentication - accounting object created for each session? I mean if I change in my module (authorization) a global radius variable such as auth-type or smth..., will it be visible in other user sessions? Because I want to define auth-type in the authorization part and use it in the accounting part too, but this value can't be changed by other sessions, so each user session would have its own value of auth-type through his session (from authorization request to stop-accounting request). Is it possible? Or is each variable just defined for each request from the NAS? Or maybe if I change the variable once, it will be changed for all sessions until I change it again?

Thanks in advance,
Arunas
RE: session variables
Or maybe there is in FreeRadius any type of variable which is stored for a user from when he connects until he disconnects? Or smth... It seems I just can't tell what I want, but I hope you'll understand...

Thanks one more time,
Best regards,
Arunas

-----Original Message-----
From: Arnas Milaauskas
Sent: Friday, June 13, 2003 11:15 AM
To: [EMAIL PROTECTED]
Subject: session variables

> Hello,
>
> Tell me please... Is there an individual instance of radius authentication - accounting object created for each session? I mean if I change in my module (authorization) a global radius variable such as auth-type or smth..., will it be visible in other user sessions? Because I want to define auth-type in the authorization part and use it in the accounting part too, but this value can't be changed by other sessions, so each user session would have its own value of auth-type through his session (from authorization request to stop-accounting request). Is it possible? Or is each variable just defined for each request from the NAS? Or maybe if I change the variable once, it will be changed for all sessions until I change it again?
>
> Thanks in advance,
> Arunas
freeradius 0.8.1 + mysql + password md5
I try to use freeradius with users in mysql and all works fine if I use clear passwords. If I use the web interface to write an md5 password in the mysql db, when I try to authenticate I'm rejected. If I use the web interface with the clear password option I have no problem. How can I use encrypted passwords with mysql?

Thanks
Robert Pioli
Re: accounting time
Roberto,

It's possible for sure, I'm using start/stop date/time, in Dialup-Admin something is implemented for call duration per month if I remember correctly. I changed the sql query in the Authorization Queries:

authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' AND onhold'Y' AND NOW() BETWEEN StartDate AND StopDate ORDER BY id

authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id

For the call-duration you'll have to calculate the 'Ascend-Maximum-Time' or something like that. Hope this gives you an idea on how to implement it.

Regards,
Chris

On Thu, 2003-06-12 at 11:49, Roberto Pioli wrote:
> I want that a user can be authenticated the 14/6/2003 for 2 hours, and no other day. I want to write this in the DB or ldap at the beginning of the month. Or from 14/6 to 20/06 2003 for 4 hours a day. Is it possible with freeradius? (I can use freeradius with ldap and mysql)
>
> Thanks
> Roberto
Require Urgent Help
Hi,

I have started a new job in Linux. I have been involved quite a lot in daily system admin functions in Linux as well as Solaris. Now the requirements for this job are to set up a RADIUS server with LDAP and mysql database. This is for a small ISP which will be used for Wireless access for dial up users. I am completely unaware of RADIUS, LDAP and mysql. They want to use FREERADIUS, OPENLDAP from netscape and mysql. What should be the starting point? Which flavour of Linux will be most suitable for wireless applications?

Any help will be much appreciated.

Thanks,
Sagar
RE: freeradius ldap and chap authentication problems
I stored the passwords clear-text in the ldap server and it's working fine now.

Thanks for the help,
greetings,
Tjeerd Bos
PinkRoccade InfraStructure Services Apeldoorn

> The passwords used in CHAP are actually a one-way hash generated by the client machine, using the password entered by the user and the challenge sent by the NAS. At the Radius server the same is done with the same challenge from the NAS and the clear-text password stored in the db. The RADIUS server compares the two hashes, giving an accept or deny. The challenge is different every time a connection is made, resulting in a new hash every time. If an attacker intercepted the packets he/she would see the hash, which cannot be reversed to give the password. As you can see, with CHAP, the clear text password is a requirement at both ends of the connection.
>
> Regards
> Mike D.
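The CHAP exchange Mike D. describes, carried through as an added example in Python (not code from the list or from FreeRADIUS). The attribute layout follows RFC 2865: CHAP-Password is one byte of CHAP ident followed by the 16-byte MD5 response, and the challenge is the CHAP-Challenge attribute or, when the NAS omits it, the 16-byte Request Authenticator. The password, challenges and ident are constructed sample values; the `demo()` wrapper and the dict it returns are this example's own.

```python
import hashlib
import hmac

# Constructed sample values, not captured traffic.
SAMPLE_CLEARTEXT = b"correct-horse"
SAMPLE_CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
FRESH_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_IDENT = 0x2A


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client/NAS side: the CHAP-Password attribute value the NAS forwards."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def select_challenge(attrs: dict, request_authenticator: bytes) -> bytes:
    """Server side: CHAP-Challenge if the NAS sent it, else the Request Authenticator."""
    return attrs.get("CHAP-Challenge", request_authenticator)


def verify_chap(chap_password: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """Server side: recompute the hash from the cleartext password on file.

    This step is why CHAP forces cleartext storage: with only MD5(password)
    on file there is no way to form MD5(ident || password || challenge).
    """
    if len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def demo() -> dict:
    """One exchange, a wrong password, and the same response against a new challenge."""
    attr = build_chap_password(SAMPLE_IDENT, SAMPLE_CLEARTEXT, SAMPLE_CHALLENGE)
    packet = {
        "User-Name": "roberto",
        "CHAP-Password": attr,
        "CHAP-Challenge": SAMPLE_CHALLENGE,
    }
    challenge = select_challenge(packet, b"\x00" * 16)
    return {
        "accept": verify_chap(packet["CHAP-Password"], challenge, SAMPLE_CLEARTEXT),
        "wrong_password": verify_chap(packet["CHAP-Password"], challenge, b"wrong"),
        # a response captured once is worthless against the next challenge
        "replayed": verify_chap(packet["CHAP-Password"], FRESH_CHALLENGE, SAMPLE_CLEARTEXT),
        "falls_back_to_authenticator": select_challenge({}, b"A" * 16) == b"A" * 16,
    }


if __name__ == "__main__":
    print(demo())
```

The comparison uses `hmac.compare_digest` so the server's check does not leak how many bytes of the response matched; the rest of the code is a straight transcription of the two MD5 computations the post describes, one on each end of the connection.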
Re: Require Urgent Help
This is often a good starting point.

http://www.google.com

On Friday, Jun 13, 2003, at 10:21 Europe/London, Sagar Bikebits wrote:
> Hi,
>
> I have started a new job in Linux. I have been involved quite a lot in daily system admin functions in Linux as well as Solaris. Now the requirements for this job are to set up a RADIUS server with LDAP and mysql database. This is for a small ISP which will be used for Wireless access for dial up users. I am completely unaware of RADIUS, LDAP and mysql. They want to use FREERADIUS, OPENLDAP from netscape and mysql. What should be the starting point? Which flavour of Linux will be most suitable for wireless applications?
>
> Any help will be much appreciated.
>
> Thanks,
> Sagar
Re: accounting time
> It's possible for sure, I'm using start/stop date/time, in Dialup-Admin something is implemented for call duration per month if I remember correctly. I changed the sql query in the Authorization Queries:
>
> authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' AND onhold'Y' AND NOW() BETWEEN StartDate AND StopDate ORDER BY id

Thanks, but how is the table? I don't know sql very well. Do you have an example of the table?

Rob

> authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id
>
> For the call-duration you'll have to calculate the 'Ascend-Maximum-Time' or something like that. Hope this gives you an idea on how to implement it.
>
> Regards,
> Chris
>
> On Thu, 2003-06-12 at 11:49, Roberto Pioli wrote:
> > I want that a user can be authenticated the 14/6/2003 for 2 hours, and no other day. I want to write this in the DB or ldap at the beginning of the month. Or from 14/6 to 20/06 2003 for 4 hours a day. Is it possible with freeradius? (I can use freeradius with ldap and mysql)
> >
> > Thanks
> > Roberto
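An added example of the date-window authorize_check_query Chris posted and the table Rob asks for, run against an in-memory SQLite copy of a radcheck-style table; this is illustration code, not from the list or from FreeRADIUS. Assumptions: the comparison operator lost from the archived query is `onhold <> 'Y'`; MySQL's `NOW()` is replaced by a bound parameter so the result is reproducible; dates are ISO strings so `BETWEEN` compares them correctly in SQLite; the check attribute is spelled `Password` as elsewhere on this page; the rows, the user names and the `seconds_until_stop` helper (which turns the remaining window into a value for the standard Session-Timeout reply attribute, RFC 2865, rather than the vendor attribute Chris mentions) are this example's own.

```python
import sqlite3
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S"

# radcheck as rlm_sql expects it (id, UserName, Attribute, op, Value),
# extended with the onhold/StartDate/StopDate columns the query refers to.
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY,
    UserName  TEXT NOT NULL,
    Attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    Value     TEXT NOT NULL,
    onhold    TEXT NOT NULL DEFAULT 'N',
    StartDate TEXT NOT NULL,
    StopDate  TEXT NOT NULL
);
"""

# Constructed rows: roberto may authenticate on 14/6/2003 only; paolo is on hold.
SAMPLE_ROWS = [
    (1, "roberto", "Password", "==", "s3cret", "N", "2003-06-14 00:00:00", "2003-06-14 23:59:59"),
    (2, "paolo",   "Password", "==", "other",  "Y", "2003-06-01 00:00:00", "2003-06-30 23:59:59"),
]

# rlm_sql escapes %{SQL-User-Name} before substituting it into the query text;
# here the driver's bound parameter (?) does that job, so the user name and the
# clock value are never spliced into the SQL string.
AUTHORIZE_CHECK_QUERY = """
SELECT id, UserName, Attribute, Value, op
  FROM radcheck
 WHERE UserName = ?
   AND onhold <> 'Y'
   AND ? BETWEEN StartDate AND StopDate
 ORDER BY id
"""

ACTIVE_WINDOW_QUERY = """
SELECT MIN(StopDate)
  FROM radcheck
 WHERE UserName = ?
   AND onhold <> 'Y'
   AND ? BETWEEN StartDate AND StopDate
"""


def open_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radcheck VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def authorize_check(conn: sqlite3.Connection, username: str, now: str) -> list:
    """The (Attribute, op, Value) check items rlm_sql would hand to the server.

    An empty list means no check items: outside the window the user is
    simply unknown to the SQL module, so the request falls through to reject.
    """
    rows = conn.execute(AUTHORIZE_CHECK_QUERY, (username, now)).fetchall()
    return [(attr, op, value) for (_id, _user, attr, value, op) in rows]


def seconds_until_stop(conn: sqlite3.Connection, username: str, now: str):
    """Seconds left in the active window, or None when there is no active window.

    Suitable as a Session-Timeout reply value so the NAS ends the call when
    the authorised period ends rather than at the next login attempt.
    """
    row = conn.execute(ACTIVE_WINDOW_QUERY, (username, now)).fetchone()
    if row is None or row[0] is None:
        return None
    stop = datetime.strptime(row[0], DATE_FMT)
    return int((stop - datetime.strptime(now, DATE_FMT)).total_seconds())


if __name__ == "__main__":
    db = open_db()
    print(authorize_check(db, "roberto", "2003-06-14 10:00:00"))
    print(seconds_until_stop(db, "roberto", "2003-06-14 22:00:00"))
```

On a real MySQL deployment the second `?` is `NOW()` and the first is `'%{SQL-User-Name}'`, exactly as in Chris's query; the only structural difference here is the parameter binding, which is what keeps the user name from being interpreted as SQL.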
RE: freeradius 0.8.1 + mysql + password md5
Hi Robert,

It is the authentication method that the client-nas have decided on that determines what format the password needs to be in. The CHAP method requires clear text passwords. The MS-CHAP method requires a NT-PASSWORD or LM-PASSWORD format. The PAP method requires... and so on.

Regards
Mike D.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roberto Pioli
Sent: 13 June 2003 10:52
To: [EMAIL PROTECTED]
Subject: freeradius 0.8.1 + mysql + password md5

> I try to use freeradius with users in mysql and all works fine if I use clear passwords. If I use the web interface to write an md5 password in the mysql db, when I try to authenticate I'm rejected. If I use the web interface with the clear password option I have no problem. How can I use encrypted passwords with mysql?
>
> Thanks
> Robert Pioli
Re: Require Urgent Help
First off get the radius book from o'reilly. Next read all the documentation for installing and using freeradius. As for which linux, I use FreeBSD and it runs really well. If you are to use linux I would use Slackware. Key step, READ, READ, and read some more.

6/13/2003 5:21:08 AM, Sagar Bikebits [EMAIL PROTECTED] wrote:
> Hi,
>
> I have started a new job in Linux. I have been involved quite a lot in daily system admin functions in Linux as well as Solaris. Now the requirements for this job are to set up a RADIUS server with LDAP and mysql database. This is for a small ISP which will be used for Wireless access for dial up users. I am completely unaware of RADIUS, LDAP and mysql. They want to use FREERADIUS, OPENLDAP from netscape and mysql. What should be the starting point? Which flavour of Linux will be most suitable for wireless applications?
>
> Any help will be much appreciated.
>
> Thanks,
> Sagar
Re: freeradius 0.8.1 + mysql + password md5
> Hi Robert,
>
> It is the authentication method that the client-nas have decided on that determines what format the password needs to be in. The CHAP method requires clear text passwords. The MS-CHAP method requires a NT-PASSWORD or LM-PASSWORD format. The PAP method requires... and so on.

thanks and so if I want to use an MD5 password it is not possible!?!

Rob

> Regards
> Mike D.
Re: freeradius 0.8.1 + mysql + password md5
On Fri, Jun 13, 2003 at 11:55:26AM +0200, Roberto Pioli wrote:
> > Hi Robert,
> >
> > It is the authentication method that the client-nas have decided on that determines what format the password needs to be in. The CHAP method requires clear text passwords. The MS-CHAP method requires a NT-PASSWORD or LM-PASSWORD format. The PAP method requires... and so on.

The PAP method requires nothing. PAP states that a clear text password is sent over the line. How it is compared against a stored password is in your hands. It's the standard problem: will the hacker hijack your phone lines and sniff clear text PAP passwords, or will he hack your servers and see those clear text passwords required for CHAP in your database?

> thanks and so if I want to use an MD5 password it is not possible!?!

If you use CHAP, you need clear text passwords. With PAP you can use any encryption supported by freeradius. The standard crypt of glibc2 will also support md5 crypts, if the crypted password (use the Crypt-Password attribute in your mysql db) has a certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system). If you don't have glibc2 you have to use the pap module of freeradius. This is a bit tricky, cause freeradius will do a string compare of passwords if it finds a Password attribute, and so rlm_pap does not get called. I sent a patch for this to the list two days ago.

Oliver.
Re: freeradius 0.8.1 + mysql + password md5
On Fri, Jun 13, 2003 at 12:38:29PM +0200, Oliver Graf wrote:
> > thanks and so if I want to use an MD5 password it is not possible!?!
>
> If you use CHAP, you need clear text passwords. With PAP you can use any encryption supported by freeradius. The standard crypt of glibc2 will also support md5 crypts, if the crypted password (use the Crypt-Password attribute in your mysql db) has a certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).

Just another note: if you don't use the pap module, please note that using the internal crypt of freeradius is not thread-safe. It will start failing all crypted auths after some hours (if crypt is used by multiple threads at the same time). mod PAP has a mutex against it, but you will have a hard time getting freeradius to use it (as I said: search the list for my patches).

Oliver.
RE: freeradius 0.8.1 + mysql + password md5
From: Oliver Graf
Sent: Friday, 13 June 2003 8:43 PM

> On Fri, Jun 13, 2003 at 12:38:29PM +0200, Oliver Graf wrote:
> > > thanks and so if I want to use an MD5 password it is not possible!?!
> >
> > With PAP you can use any encryption supported by freeradius. The standard crypt of glibc2 will also support md5 crypts, if the crypted password (use the Crypt-Password attribute in your mysql db) has a certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).
>
> mod PAP has a mutex against it, but you will have a hard time getting freeradius to use it (as I said: search the list for my patches).

Huh? I've got mysql+freeradius (CVS, mind you) + PAP/md5 working fine here I think... Passwords in the database are stored with MD5(password), and it auths OK...

Is the patch you're referring to freeradius-cvs-cryptmutex.diff?? Maybe you're solving a problem I don't have, but I'm wondering why I've not _got_ that problem.

Quick glance at the patch, it matters only if you use Crypt-Password instead of Password? Bleh, over my head. I can post my config sans comments if you're willing to explain why I'm not having problems.

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]
mac address file
Hello,

I apologize for this newbie question! In what file must I write the mac address for authentication of my wireless network? I read so many things that I am lost!

Jean Frontin
System team
I R I T
Université Paul-Sabatier
118, rte de Narbonne
31062 Toulouse cedex 04
France
tel (33)(0)5 61 55 63 03
mail [EMAIL PROTECTED]
Re: freeradius 0.8.1 + mysql + password md5
On Fri, Jun 13, 2003 at 09:15:45PM +1000, Paul Hampson wrote:
> From: Oliver Graf
> Sent: Friday, 13 June 2003 8:43 PM
>
> > On Fri, Jun 13, 2003 at 12:38:29PM +0200, Oliver Graf wrote:
> > > > thanks and so if I want to use an MD5 password it is not possible!?!
> > >
> > > With PAP you can use any encryption supported by freeradius. The standard crypt of glibc2 will also support md5 crypts, if the crypted password (use the Crypt-Password attribute in your mysql db) has a certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).
> >
> > mod PAP has a mutex against it, but you will have a hard time getting freeradius to use it (as I said: search the list for my patches).
>
> Huh? I've got mysql+freeradius (CVS, mind you) + PAP/md5 working fine here I think... Passwords in the database are stored with MD5(password), and it auths OK...
>
> Is the patch you're referring to freeradius-cvs-cryptmutex.diff?? Maybe you're solving a problem I don't have, but I'm wondering why I've not _got_ that problem.

Yup, if you use rlm_pap, scheme md5, you are fine. You are not fine if you use crypt, and crypt is made by main/auth.c. rlm_pap is thread-safe.

> Quick glance at the patch, it matters only if you use Crypt-Password instead of Password? Bleh, over my head. I can post my config sans comments if you're willing to explain why I'm not having problems.

Yep. Only if you use Crypt-Password. rlm_pap uses the Password attribute. Perhaps it is only a documentation bug, but the fallback crypt in auth.c is vulnerable in any way.

I'm all open for your config. The problem is that you have many ways to get freeradius to work. Even ways that should not work (I used Auth-Type := 'Login' which is nonexistent, gave me no error, but worked!) work sometimes... So what freeradius needs is lots of clarifications, I think.

Oliver.
Re: freeradius 0.8.1 + mysql + password md5
> The PAP method requires nothing. PAP states that a clear text password is sent over the line. How it is compared against a stored password is in your hands. It's the standard problem: will the hacker hijack your phone lines and sniff clear text PAP passwords, or will he hack your servers and see those clear text passwords required for CHAP in your database?

thanks but the problem is that I'm using the nokia p022 access controller that doesn't use Pap but normal radius. So in authorize I use sql but in authentication I use local. What can I use for md5?

Thanks
Rob
RE: Upcoming FreeRadius 0.9 release
Currently the script that builds the rpm package of FreeRADIUS does not include the dictionary files as they are no longer in the /etc/raddb directory. It's simply the case of adding the following to the %files section in suse/freeradius.spec

# dictionary
%config /%{_prefix}/share/freeradius/*

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Davis
Sent: 11 June 2003 17:31
To: [EMAIL PROTECTED]
Subject: Re: Upcoming FreeRadius 0.9 release

> I just downloaded the CVS snapshot freeradius-snapshot-20030611. Here is my experience.
>
> I compiled it with no errors. I installed it with no errors. When I went to start radiusd it didn't start and the radius.log had a message telling me I was using an incorrect dictionary file. I looked at the dictionary file in ~/snapshot-dir/raddb and found out that the dictionary files are now installed in a different location. I put my configs in /etc/raddb. So in my currently running version all of the dictionary files were in that folder. The new radius version puts the dictionary files here: /usr/local/share/freeradius/dictionary
>
> The end of the make install messages did not tell me the dictionary files were in a new location, nor inform me to update the INCLUDES in /etc/raddb/dictionary to point to the new location. So it might be good to put a message at the end of the make install in the WARNING section informing people of this.
>
> This brings a question to mind. If radiusd has a set location for the main dictionary file, and that file just contains an include to the actual dictionary files, why not just put the INCLUDE line in the radius.conf and get rid of this extra step?
>
> Once I fixed the dictionary file issue, radiusd started properly. I then went and used radtest on a valid user and it worked correctly. I am using mysql for my users and accounting. I know it can read the db, because it accepted my radtest user. I'll just have to keep an eye on the logs and watch for other random errors.
>
> The dictionary file is a simple problem. Overall I think freeradius is an excellent product!
>
> Thanks!
> Nick D.
Re: mac address file
> In what file must I write the mac address for authentication of my wireless network? I read so many things that I am lost!

in the users file

I'm using freeradius with hostap... So one example from the users file is

001122aabbcc Auth-Type := Local, Password == 001122aabbcc

// Joachim
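An added example around Joachim's users file entry, in Python; it is illustration code, not from the list or from FreeRADIUS. The entry format copies the post; the allow list and the NAS spellings of the address are constructed. The assumption is that the access point sends the station MAC as User-Name (and, as in the post, as Password), and that the server runs with `lower_user = no` and `nospace_user = no` as in the debug output earlier on this page, so a users file entry matches only if it is spelled exactly as the NAS sends it unless the value is normalised first.

```python
import re

HEX12 = re.compile(r"[0-9a-f]{12}")

# Constructed allow list of station MACs, in the 12-hex-digit form the post uses.
ALLOWED_MACS = {"001122aabbcc", "00aabbccddee"}


def normalize_mac(raw: str):
    """Collapse common NAS spellings (00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc,
    0011.22aa.bbcc, 001122AABBCC) to 12 lowercase hex digits.
    Returns None when the string is not a MAC address at all."""
    compact = re.sub(r"[:\-.\s]", "", raw).lower()
    return compact if HEX12.fullmatch(compact) else None


def users_file_entries(macs) -> str:
    """Render users file lines in the same shape as the post's example,
    one per allowed MAC, sorted so the file is stable across regenerations."""
    lines = [f"{m} Auth-Type := Local, Password == {m}" for m in sorted(macs)]
    return "\n".join(lines) + "\n"


def is_allowed(user_name: str, password: str, allowed=ALLOWED_MACS) -> bool:
    """The check the entry expresses: User-Name must be a listed MAC and
    Password must carry the same MAC, after both are normalised."""
    mac = normalize_mac(user_name)
    return mac is not None and mac in allowed and normalize_mac(password) == mac


if __name__ == "__main__":
    print(users_file_entries(ALLOWED_MACS), end="")
    print(is_allowed("00-11-22-AA-BB-CC", "001122aabbcc"))
```

Two points a practitioner would want here: the normalisation step is what keeps an entry from silently failing when one access point model writes colons and another writes dashes, and a MAC address is carried in the clear on the air and is trivially set on a client, so a list like this identifies a station rather than authenticating it.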
Re: Require Urgent Help
> Hi,
>
> I have started a new job in Linux. I have been involved quite a lot in daily system admin functions in Linux as well as Solaris. Now the requirements for this job are to set up a RADIUS server with LDAP and mysql database. This is for a small ISP which will be used for Wireless access for dial up users. I am completely unaware of RADIUS, LDAP and mysql. They want to use FREERADIUS, OPENLDAP from netscape and mysql. What should be the starting point? Which flavour of Linux will be most suitable for wireless applications?
>
> Any help will be much appreciated.
>
> Thanks,
> Sagar

Go here: http://www.freeradius.org/related/

Order the book. It will help greatly.
Re: Require Urgent Help
see www.freeradius.org

read the faq, and subscribe to the list.

att.
Mauricio

----- Original Message -----
From: Sagar Bikebits [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 13, 2003 3:21 AM
Subject: Require Urgent Help

> Hi,
>
> I have started a new job in Linux. I have been involved quite a lot in daily system admin functions in Linux as well as Solaris. Now the requirements for this job are to set up a RADIUS server with LDAP and mysql database. This is for a small ISP which will be used for Wireless access for dial up users. I am completely unaware of RADIUS, LDAP and mysql. They want to use FREERADIUS, OPENLDAP from netscape and mysql. What should be the starting point? Which flavour of Linux will be most suitable for wireless applications?
>
> Any help will be much appreciated.
>
> Thanks,
> Sagar
RE: freeradius 0.8.1 + mysql + password md5
Hi,

I think we are all going in different directions with this one.

> that doesn't use Pap but normal radius.

What do you mean by normal radius? What are you expecting? What function does the Nokia box perform for you? What type of authentication will it be doing?

Regards
Mike D.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roberto Pioli
Sent: 13 June 2003 01:48
To: [EMAIL PROTECTED]
Subject: Re: freeradius 0.8.1 + mysql + password md5

> > The PAP method requires nothing. PAP states that a clear text password is sent over the line. How it is compared against a stored password is in your hands. It's the standard problem: will the hacker hijack your phone lines and sniff clear text PAP passwords, or will he hack your servers and see those clear text passwords required for CHAP in your database?
>
> thanks but the problem is that I'm using the nokia p022 access controller that doesn't use Pap but normal radius. So in authorize I use sql but in authentication I use local. What can I use for md5?
>
> Thanks
> Rob
RE: Require Urgent Help
It sounds like they have a dialup system running - if they are using Ascend MAXs the manuals that come with them have lots of good information on radius in general - especially attributes. And of course the RFCs. And The RADIUS book. And the FAQs. And the docs that come with the distribution.

And review their design requirements closely. If they are a small ISP the use of LDAP and mysql sounds redundant to me unless they are using LDAP for authorization and authentication and mysql for accounting. IMHO if you don't have some other reason to use LDAP, I would stick with just mysql. There is no reason to add complexity to something you are just learning about, and from my experience, the sql solution is a little simpler. However there are lots of good reasons for using LDAP if you are integrating this with another auth server of some kind and want to use a common user database.

As far as the best OS - I would recommend the one that runs all the software you need and that you (or whoever is going to maintain the system) knows the best. :) The wireless system could care less what the OS is.

Tim

> Hi,
>
> I have started a new job in Linux. I have been involved quite a lot in daily system admin functions in Linux as well as Solaris. Now the requirements for this job are to set up a RADIUS server with LDAP and mysql database. This is for a small ISP which will be used for Wireless access for dial up users. I am completely unaware of RADIUS, LDAP and mysql. They want to use FREERADIUS, OPENLDAP from netscape and mysql. What should be the starting point? Which flavour of Linux will be most suitable for wireless applications?
>
> Any help will be much appreciated.
>
> Thanks,
> Sagar
Re: Upcoming FreeRadius 0.9 release
Sir,

As I said in my message I downloaded the CVS snapshot, i.e. the tarball. I run debian and always do a source install, so the rpm fix is irrelevant for me. However, I'm sure your fix could help a Suse user though.

Thanks!
Nick

On Friday 13 June 2003 06:50, Alan Litster wrote:
> Currently the script that builds the rpm package of FreeRADIUS does not include the dictionary files as they are no longer in the /etc/raddb directory. It's simply the case of adding the following to the %files section in suse/freeradius.spec
>
> # dictionary
> %config /%{_prefix}/share/freeradius/*
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Davis
> Sent: 11 June 2003 17:31
> To: [EMAIL PROTECTED]
> Subject: Re: Upcoming FreeRadius 0.9 release
>
> > I just downloaded the CVS snapshot freeradius-snapshot-20030611. Here is my experience.
> >
> > I compiled it with no errors. I installed it with no errors. When I went to start radiusd it didn't start and the radius.log had a message telling me I was using an incorrect dictionary file. I looked at the dictionary file in ~/snapshot-dir/raddb and found out that the dictionary files are now installed in a different location. I put my configs in /etc/raddb. So in my currently running version all of the dictionary files were in that folder. The new radius version puts the dictionary files here: /usr/local/share/freeradius/dictionary
> >
> > The end of the make install messages did not tell me the dictionary files were in a new location, nor inform me to update the INCLUDES in /etc/raddb/dictionary to point to the new location. So it might be good to put a message at the end of the make install in the WARNING section informing people of this.
> >
> > This brings a question to mind. If radiusd has a set location for the main dictionary file, and that file just contains an include to the actual dictionary files, why not just put the INCLUDE line in the radius.conf and get rid of this extra step?
> >
> > Once I fixed the dictionary file issue, radiusd started properly. I then went and used radtest on a valid user and it worked correctly. I am using mysql for my users and accounting. I know it can read the db, because it accepted my radtest user. I'll just have to keep an eye on the logs and watch for other random errors.
> >
> > The dictionary file is a simple problem. Overall I think freeradius is an excellent product!
> >
> > Thanks!
> > Nick D.

--
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services
Re: freeradius 0.8.1 + mysql + password md5
On Fri, Jun 13, 2003 at 04:27:05PM +0200, Michael Davidson wrote:

thanks but the problem is that I'm using the nokia p022 access controller that don't use Pap but normal radius. So in authorize I use sql but in authentication I use local. What can I use for md5?

Hi, I think we are all going in different directions with this one.

that don't use Pap but normal radius.

What do you mean by normal radius? What are you expecting?

Yep, you are right... Mr. Pioli seems not to know where to put which protocol. PAP and CHAP are authentication schemes of PPP, which is done between CPE (the 'modem') and NAS (the nokia in this case). PAP transfers a username and a password clear text over the PPP connection, CHAP transfers a station name and an encrypted string over the PPP connection. RADIUS is a protocol in which the NAS (nokia) talks to the AAA server (freeradius). The AAA server has to have some data about the user (username and password). Normally the password is encrypted (except with CHAP, cause chap needs a clear text password) in local storage. This can be done with many different methods. So the question is: where would he like to use MD5? To encrypt the password on the AAA server, or does the nokia nas talk some strange protocol which uses MD5 encryption (I bet it's the first one)?

Oliver.
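To make the point above concrete (why the server can keep a hashed password for PAP but needs the clear-text one for CHAP), here is an added example; it is not FreeRADIUS code, and the user records, passwords and challenge in it are constructed for illustration.

```python
"""Why an AAA server can check PAP against a hashed password but CHAP only
against the clear-text one. Added example, not FreeRADIUS code; the user
records, passwords and challenge below are constructed for illustration."""
import hashlib
import hmac
import os

# Constructed user store: alice is kept clear-text (what CHAP needs),
# bob is kept only as an MD5 digest (enough for PAP).
USERS = {
    "alice": {"cleartext": b"s3cret-alice"},
    "bob": {"md5": hashlib.md5(b"s3cret-bob").hexdigest()},
}

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """What the PPP peer (the CPE) sends back (RFC 1994):
    MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def split_chap_password(attr: bytes):
    """RADIUS CHAP-Password attribute value (RFC 2865):
    1-byte CHAP ident followed by the 16-byte response."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 17 bytes")
    return attr[0], attr[1:]

def verify_pap(user: str, password: bytes) -> bool:
    """PAP: the clear-text password arrives, so either stored form can be checked."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if "cleartext" in rec:
        return hmac.compare_digest(rec["cleartext"], password)
    return hmac.compare_digest(rec["md5"], hashlib.md5(password).hexdigest())

def verify_chap(user: str, chap_password: bytes, challenge: bytes):
    """CHAP: True/False when the record can be checked, None when it cannot.
    The secret sits in the middle of the MD5 input, so a stored digest of
    the secret is useless here; only the clear-text record can be used."""
    rec = USERS.get(user)
    if rec is None or "cleartext" not in rec:
        return None
    ident, response = split_chap_password(chap_password)
    expected = chap_response(ident, rec["cleartext"], challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    challenge = os.urandom(16)  # CHAP-Challenge attribute, or the Request Authenticator
    attr = bytes([7]) + chap_response(7, b"s3cret-alice", challenge)
    print("PAP bob ->", verify_pap("bob", b"s3cret-bob"))          # True
    print("CHAP alice ->", verify_chap("alice", attr, challenge))  # True
    print("CHAP bob ->", verify_chap("bob", attr, challenge))      # None: hash only
```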
RE: Upcoming FreeRadius 0.9 release
Oh, reading about this reminded me of something left in the spec file for 0.8.1. users.conf should be chown'd radiusd:radiusd. Otherwise, issuing a 'service radiusd reload' doesn't work (actually, it stops radiusd!), cause the radiusd-suid daemon cannot re-read that file. I have something like: --- freeradius-snapshot-20030613.org/redhat/freeradius.spec 2003-05-26 17:40:00.0 +0200 +++ freeradius-snapshot-20030613/redhat/freeradius.spec 2003-06-13 17:01:34.0 +0200 @@ -85,6 +85,13 @@ chmod 600 /var/log/$i done +mkdir -p /etc/raddb/pooles +for i in radiusd.conf clients.conf pooles +do + chown radiusd:radiusd /etc/raddb/$i +done + + %postun if [ $1 -ge 1 ]; then /sbin/service radiusd condrestart /dev/null 21 Jonathan. -- Jonathan Ruano kobalt at pobox dot com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
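Review bot: the chown loop in this hunk covers radiusd.conf, clients.conf and the new pooles directory but not the `users` file, which is the file the message says the reload fails on; adding `users` to the `for i in radiusd.conf clients.conf pooles` list would close that gap. The two empty `+` lines before `%postun` add nothing and can be dropped.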
Problem when implementing TTLS
Hello, I have some problems when implementing the TTLS module. According to the draft, the client does not need to have a certificate to authenticate itself, which leads to phase 2 of the protocol. If the client has a proper certificate, then mutual authentication is achieved and there is no need for phase 2. So I think I have to modify the eaptls_ack_handler() to handle the Finished message. But how can I know if the client has already authenticated itself (i.e. it has a certificate)? Maybe I should also modify some of the callback functions? Thanks for any help. regards, Zhou Ping
Security issue?
Some time ago, I submitted the below security issue, and I wanted to know when the next release was due that (hopefully) fixed the issue(!?!?) -Ben

If I know a valid password for any account, I can get in with a username of *, and the valid password. Passwords appear to be properly handled, usernames are apparently not being escaped by the rlm_ldap module (as of 0.8.1). Anytime more than one user has the same password, this hole does not work (so it's properly checking for multiple query returns). -Ben
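As an added example (not rlm_ldap's own code) of the escaping the report asks for: the filter built from User-Name with and without RFC 2254 escaping, plus a constructed lookup that models the accept/reject behaviour described above (accept only when exactly one returned entry has the password, which is an assumption about the flow, not rlm_ldap's logic).

```python
"""Escaping a RADIUS User-Name before it goes into an LDAP search filter.
Added example, not rlm_ldap's code; the directory contents are constructed
and the lookup flow is a model of the behaviour described in the report."""
import re

# RFC 4515 (formerly RFC 2254) escapes for characters that are special
# inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(user_name: str, escape: bool = True) -> str:
    """The filter an rlm_ldap-style '(uid=%{User-Name})' template produces."""
    value = escape_filter_value(user_name) if escape else user_name
    return "(uid=%s)" % value

# Constructed directory: uid -> password. alice and carol share a password.
DIRECTORY = {"alice": "pw-alice", "bob": "pw-bob", "carol": "pw-alice"}

def search(ldap_filter: str) -> list:
    """Minimal server-side matcher for the (uid=VALUE) filters built above:
    '*' is a wildcard and '\\XX' is a literal byte, as a real LDAP server
    would interpret them."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter, re.S)
    if m is None:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    pattern, regex, i = m.group(1), "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            regex, i = regex + ".*", i + 1
        elif ch == "\\" and i + 2 < len(pattern):
            regex, i = regex + re.escape(chr(int(pattern[i + 1:i + 3], 16))), i + 3
        else:
            regex, i = regex + re.escape(ch), i + 1
    return [uid for uid in DIRECTORY if re.fullmatch(regex, uid)]

def authenticate(user_name: str, password: str, escape: bool = True) -> bool:
    """Model (an assumption, not rlm_ldap's logic): fetch the entries the
    filter matches, then accept only if exactly one of them has that password.
    Unescaped, a User-Name of '*' matches every entry; escaped, it matches
    only a literal asterisk and is rejected."""
    matched = search(build_filter(user_name, escape))
    hits = [uid for uid in matched if DIRECTORY[uid] == password]
    return len(hits) == 1
```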
Re: Problem when implementing TTLS
On Fri, 2003-06-13 at 10:25, Zhou Ping wrote:

Hello, I have some problems when implementing the TTLS module. According to the draft, the client does not need to have a certificate to authenticate itself, which leads to phase 2 of the protocol. If the client has a proper certificate, then mutual authentication is achieved and there is no need for phase 2. So I think I have to modify the eaptls_ack_handler() to handle the Finished message. But how can I know if the client has already authenticated itself (i.e. it has a certificate)? Maybe I should also modify some of the callback functions? Thanks for any help.

I don't think that's exactly true. If you're using the TTLS EAP-Type, then you have to stick with that and not short-circuit if the client sends a certificate during the first phase. Once phase 1 has completed in TTLS, and the server has authenticated itself, it goes into Phase 2. Phase 2 is handled as a totally new EAP conversation embedded in the TLS-secured context of the first phase. It is in this phase where the client can then choose to either send a certificate or to use one of the other available EAP methods. IOW, if the EAP-Type is TTLS, then there has to be two phases regardless of whether the client authentication is also performed with certificates.

--
--Mike
Michael Griego
Wireless Network Administrator
University of Texas at Dallas
Re: logging anomalies
On Thu, 12 Jun 2003, Omachonu Ogali wrote:

The reason you only see one login in radius.log is due to the cleanup_delay setting.

After some more discussion and review, we think this is the problem. We've increased cleanup_delay from 5 seconds to 10 and we'll revisit the question in the next few days and see if that was it. thanks, Jim
Re: Problem when implementing TTLS
I wanted to add a little bit to what I said in this email. Part of the reason for not short-circuiting (at least in my understanding) and going through with the full two-phase authentication in TTLS even when certificates are used is so that the identity of the client is not sent in the clear. Since a new EAP conversation is started inside the context of the first one, with the new conversation being encrypted, the true identity of the user is sent in the EAP-Identity response in Phase two. This allows for fully encrypted identification and authorization/authentication of the user.

--Mike

On Fri, 2003-06-13 at 12:10, Michael Griego wrote:

On Fri, 2003-06-13 at 10:25, Zhou Ping wrote:

Hello, I have some problems when implementing the TTLS module. According to the draft, the client does not need to have a certificate to authenticate itself, which leads to phase 2 of the protocol. If the client has a proper certificate, then mutual authentication is achieved and there is no need for phase 2. So I think I have to modify the eaptls_ack_handler() to handle the Finished message. But how can I know if the client has already authenticated itself (i.e. it has a certificate)? Maybe I should also modify some of the callback functions? Thanks for any help.

I don't think that's exactly true. If you're using the TTLS EAP-Type, then you have to stick with that and not short-circuit if the client sends a certificate during the first phase. Once phase 1 has completed in TTLS, and the server has authenticated itself, it goes into Phase 2. Phase 2 is handled as a totally new EAP conversation embedded in the TLS-secured context of the first phase. It is in this phase where the client can then choose to either send a certificate or to use one of the other available EAP methods. IOW, if the EAP-Type is TTLS, then there has to be two phases regardless of whether the client authentication is also performed with certificates.

--
--Mike
Michael Griego
Wireless Network Administrator
University of Texas at Dallas
how to deny access based on realm
Hi, I checked the FAQ and comments in the users file, and thought I had this, but I gave it a shot and it didn't work. I need to reject any user who tries to authenticate from a particular realm, then if it's OK use EAP. I added this to the users file:

---
DEFAULT Realm == badrealm.com, Auth-Type := Reject
        Reply-Message = This realm is not supported.

DEFAULT Auth-Type := EAP

However when I send an Access-Request for [EMAIL PROTECTED] it gets past this line and starts the auth process. Am I missing something? I turn on eap in the authorize section. Maybe I don't really need the DEFAULT Auth-Type := EAP line but it makes life simple. I'll add the trace below.

Also, it may be preferable to define a group of bad realms somewhere, rather than list them all separately here. I saw the example that looks like this:

DEFAULT Group == disabled, Auth-Type := Reject

Where do you define the group?

Here's the trace:

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=53, length=85
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
User-Name = [EMAIL PROTECTED]
Message-Authenticator = 0x09d10d402d5ad1c98c60e4081f729884
EAP-Message = 0x020100180165617075736572407472616e7361742e636f6d
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module eap returns updated
rlm_realm: Looking up realm badrealm.com for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm badrealm.com
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 194 --- this is the DEFAULT Auth-Type := EAP
modcall[authorize]: module files returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: processing type sim
rlm_eap_sim: Issuing EAP-Request/SIM/Start for [EMAIL PROTECTED]
modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 53 to 127.0.0.1:32768
EAP-Message = 0x01020014120a0f02000200010a01
Message-Authenticator = 0x
State = state1
Finished request 0

Regards, Dave
Re: how to deny access based on realm
At 01:51 PM 6/13/2003 -0500, Dave Mason wrote:

Hi, I checked the FAQ and comments in the users file, and thought I had this, but I gave it a shot and it didn't work. I need to reject any user who tries to authenticate from a particular realm, then if it's OK use EAP. I added this to the users file:

---
DEFAULT Realm == badrealm.com, Auth-Type := Reject
        Reply-Message = This realm is not supported.

DEFAULT Auth-Type := EAP

I'm going to take a stab in the dark and guess that you don't have a DEFAULT realm configured. I would suggest you add a DEFAULT realm entry to process it locally. The Realm attribute is not added unless it matches a realm (and *everything* not otherwise defined will match DEFAULT). Alternatively, you could define 'badrealm' in your config in lieu of a DEFAULT entry if you didn't want to create the DEFAULT for other reasons.

-Chris

--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Problems running radiusd as non-root user.
My problem is I cannot authenticate using the PAM or System methods without running freeradius as root. When I comment out user and group in radiusd.conf to force it to run as root, it works great. I can understand System, since it appears to check /etc/passwd/shadow and probably needs the perms, but I thought PAM helped to get around that limitation. I've tried running as radiusd and nobody, neither will work. Is this just a limitation of PAM, or freeradius? I'd really rather not run as root! Any insight is appreciated, thanks.

--
David Ritchey
[EMAIL PROTECTED]
Accounting VSA problem
Cisco, in their infinite wisdom, have decided to implement their VSAs in some strange and wonderful ways. My problem at the moment is as follows: Accounting requests from the Cisco SSG come with several VSAs included of the form:

Cisco-Service-Info = Usomeusername
Cisco-Service-Info = NserviceName
etc.

The VSA is sub-classified by the first character of the value (N and U in the example). I need to log the value of the N attribute in my sql database in this case. My brain is hurting at this stage, but I cannot seem to find any way of logging a particular attribute to SQL when there are several of the same name in the request. I have looked at rlm_attr_rewrite and acct_users but have not come up with anything. Has anyone come across this issue before? Any ideas how to do this? Thanks, Ed (Hoping I am overlooking something quite obvious)
Re: Problems running radiusd as non-root user.
David Ritchey wrote:

I can understand System, since it appears to check /etc/passwd/shadow and probably needs the perms, but I thought PAM helped to get around that limitation.

How can it? PAM is a library that is linked in to your process, and therefore runs with the same privileges as the process does.

--
Regards,
Daryl Tester, Software Wrangler and Bit Herder, IOCANE Pty. Ltd.
SCO Rep: Linux must die! We shall prevail!
Offsider: Bill, they can see your shirt sleeve.
-- http://ars.userfriendly.org/cartoons/?id=20030609
Freeradius NT4 not recording data used
Hello, Hi Have an NT4 Radius client (yea, I know) and am using sql. All is well except I never get data used in the logfile. This is some output:

AcctSessionTime = '122', AcctInputOctets = '', AcctOutputOctets = ''

Any ideas? Thanks Rhys