Re: Request For Business Transaction

2003-06-13 Thread Pieter Droogendijk
He sure trusts a lot of people, asking a mailing list...

-- 
You will attract cultured and artistic people to your home.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Upcomming FreeRadius 0.9 release

2003-06-13 Thread Matthew Wallis
On Thursday, Jun 12, 2003, at 00:27 Australia/Melbourne, Peter Nixon 
wrote:

Hello List
For the MacOS X users on the list, this is built on 10.2.6, with
postgresql-7.3.3, and openssl-0.9.6i.
Seems to work nicely. I'll fire up postgres a bit later, and actually
try to log to it, but the build process works fine. Had a few problems
where EAP couldn't load any EAP modules, so I've stopped that from
loading for the time being.
Matt.



radiusd: FreeRADIUS Version 0.9-pre, for host powerpc-apple-darwin6.6, built on 06/13/03 at 15:56:23

dhcp68 /usr/local/sbin  sudo ./radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.



Re: Newbie question ( i think ) on freeradius, LDAP and VPN3000 Cisco

2003-06-13 Thread Pierluigi Frullani
 Here the question: is there a way to receive some parameter from the
 LDAP server to pass back to radius ( not to Cisco 3015 ) to activate
 the rlm_ippool module ?

 radiusCheckItem: Pool-Name := pool1

While waiting on this info I've also found that you can modify the
ldap.attrmap adding ( for example ) a line that says:

checkItem   Pool-Name   radiusPool

and adding to your ldap schema the radiusPool ( or whatever you want )
attribute.
In this way you can configure the pool from the LDAP server, and leave
your radius server to choose from the various pools you may have configured on
it.
When the radius server asks the LDAP server for authorization, and if the
LDAP is configured with this value, it will receive this attribute and use
it for the requested purpose.
Hope this will help someone else.
Thanks.
Pigi







session variables

2003-06-13 Thread Arnas Milaauskas
Hello,
Tell me please... Is there an individual instance of radius
authentication - accounting object created for each session? I mean if I
change in my module (authorization) a global radius variable such as
auth-type or smth..., will it be visible in other user sessions? Because
I want to define auth-type in the authorization part and use it in the
accounting part too, but this value can't be changed by other sessions,
so each user session would have its own value of auth-type through its
session (from authorization request to stop-accounting request).

Is it possible? Or just each variable is defined for each
request from NAS? Or maybe if I change variable once, it will be changed
to all sessions until I'll change it again?


Thanks in advance,
Arunas



RE: session variables

2003-06-13 Thread Arnas Milaauskas
Or maybe there is in FreeRadius any type of variables, which are
stored for user from he connects until disconnects? Or smth...
It seems, I just can't tell what I want, but I hope, you'll
understand...

Thanks one more time,
Best regards, Arunas



freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Roberto Pioli
I try to use freeradius with users in mysql and all works fine if I use clear
passwords.
If I use the web interface to write an md5 password in the mysql db, when I try
to authenticate I'm rejected.
If I use the web interface with the clear password option I have no problem.
How can I use encrypted passwords with mysql?

Thanks

Robert Pioli




Re: accounting time

2003-06-13 Thread Chris van Meerendonk
Roberto,

It's possible for sure, I'm using start/stop date/time; in Dialup-Admin
something for call duration per month is implemented, if I remember
correctly. I changed the sql query in the Authorization Queries:

authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM
${authcheck_table} WHERE Username = '%{SQL-User-Name}' AND onhold<>'Y'
AND NOW() BETWEEN StartDate AND StopDate ORDER BY id

authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM
${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id

For the call duration you'll have to calculate the 'Ascend-Maximum-Time'
or something like that.
Hope this gives you an idea on how to implement it.

Regards,

Chris

On Thu, 2003-06-12 at 11:49, Roberto Pioli wrote:
 I want that a user can be authenticated on 14/6/2003 for 2 hours, and not
 on other days. I want to write this in the DB or ldap at the beginning of the month.
 Or from 14/6 to 20/06 2003 for 4 hours a day.
 
 Is it possible with freeradius ?( I can use freeradius with ldap and mysql)
 
 Thanks
 
 Roberto
 
 
 





Require Urgent Help

2003-06-13 Thread Sagar Bikebits
Hi,

I have started a new job in Linux.
I have been involved quite a lot in daily system admin functions in Linux
as well as Solaris.
Now the requirements for this job are to set up a RADIUS server with LDAP and
a mysql database.
This is for a small ISP which will be used for wireless access for dial up
users.

I am completely unaware of RADIUS, LDAP and mysql.
They want to use FREERADIUS, OPENLDAP from netscape and mysql.

What should be the starting point? Which flavour of Linux will be most suitable
for wireless applications?
Any help will be much appreciated.

Thanks,
Sagar







RE: freeradius ldap and chap authentication problems

2003-06-13 Thread Bos Tjeerd
I stored the passwords clear-text in the ldap server and its working fine now.
Thanks for the help,
greetings,
Tjeerd Bos
PinkRoccade InfraStructure Services
Apeldoorn

The passwords used in CHAP are actually a one-way hash generated by the client 
machine, using the password entered by the user, and the challenge sent by the 
NAS. At the Radius server the same is done with the same challenge from the NAS and 
the clear-text password stored in the db. The RADIUS server compares the two hashes, 
giving an accept or deny.

The challenge is different every time a connection is made, resulting in a new hash 
every time. If an attacker intercepted the packets he or she would see the hash, which 
cannot be reversed to give the password. 

As you can see, with CHAP,  the clear text password is a requirement at both ends of 
the connection. 

Regards Mike D. 
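The exchange Mike describes, as an added example that is not from the post or from FreeRADIUS: the client computes MD5(Ident || password || challenge) as in RFC 1994, the NAS forwards it in a CHAP-Password attribute (RFC 2865 type 3, with the challenge in CHAP-Challenge, type 60, or implied by the Request Authenticator), and the server redoes the hash from the stored clear-text password. The attribute encoding helpers and the sample values are constructed for this example.

```python
import hashlib
import hmac

# RADIUS attribute type codes from RFC 2865.
CHAP_PASSWORD = 3     # 1 octet CHAP Ident followed by the 16-octet MD5 response
CHAP_CHALLENGE = 60   # optional; when absent, the Request Authenticator is the challenge


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """The one-way hash the client machine computes: MD5(Ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def client_avps(ident: int, password: bytes, challenge: bytes, send_challenge: bool = True) -> bytes:
    """Encode what the NAS forwards to the RADIUS server as type/length/value attributes."""
    value = bytes([ident]) + chap_response(ident, password, challenge)
    avps = bytes([CHAP_PASSWORD, 2 + len(value)]) + value
    if send_challenge:
        avps += bytes([CHAP_CHALLENGE, 2 + len(challenge)]) + challenge
    return avps


def parse_avps(data: bytes) -> dict:
    """Minimal attribute walk; rejects truncated or undersized attributes."""
    avps, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        avps[typ] = data[i + 2:i + length]
        i += length
    return avps


def verify_chap(avps: dict, stored_cleartext: bytes, request_authenticator: bytes) -> bool:
    """Server side. The stored password has to be clear text: the response binds
    the per-connection challenge, so a stored MD5(password) is of no use here."""
    cp = avps.get(CHAP_PASSWORD)
    if cp is None or len(cp) != 17:
        return False
    ident, response = cp[0], cp[1:]
    challenge = avps.get(CHAP_CHALLENGE, request_authenticator)
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample exchange with a fixed challenge so the run is reproducible.
    challenge = bytes(range(16))
    avps = parse_avps(client_avps(7, b"s3cret", challenge))
    print(verify_chap(avps, b"s3cret", b"\x00" * 16))  # True
    print(verify_chap(avps, b"wrong", b"\x00" * 16))   # False
```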




Re: Require Urgent Help

2003-06-13 Thread Mark Lowe
This is often a good starting point.

http://www.google.com



Re: accounting time

2003-06-13 Thread Roberto Pioli
 It's possible for sure, I'm using start/stop date/time; in Dialup-Admin
 something for call duration per month is implemented, if I remember
 correctly. I changed the sql query in the Authorization Queries:

 authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM
 ${authcheck_table} WHERE Username = '%{SQL-User-Name}' AND onhold<>'Y'
 AND NOW() BETWEEN StartDate AND StopDate ORDER BY id

Thanks, but how is the table? I don't know sql very well. Do you have an
example of the table?

Rob



RE: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Michael Davidson
Hi Robert,
 It is the authentication method that the client-nas have decided on that
determines what format the password needs to be in. The CHAP method requires
clear text passwords. The MS-CHAP method requires a NT-PASSWORD or
LM-PASSWORD format. The PAP method requires... and so on.

Regards Mike D.



Re: Require Urgent Help

2003-06-13 Thread Roy Wills
First off, get the radius book from O'Reilly. Next read all the documentation for 
installing and using freeradius. As for which linux, I use FreeBSD 
and it runs really well. If you are to use linux I would use Slackware. Key step: 
READ, READ, and read some more. 


Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Roberto Pioli
 Hi Robert,
  It is the authentication method that the client-nas have decided on that
 determines what format the password needs to be in. The CHAP method
requires
 clear text passwords. The MS-CHAP method requires a NT-PASSWORD or
 LM-PASSWORD format. The PAP method requires... and so on.

thanks
and so if I want to use an MD5 password it is not possible!?!

Rob



 Regards Mike D.





Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Oliver Graf
On Fri, Jun 13, 2003 at 11:55:26AM +0200, Roberto Pioli wrote:
  Hi Robert,
   It is the authentication method that the client-nas have decided on that
  determines what format the password needs to be in. The CHAP method
 requires
  clear text passwords. The MS-CHAP method requires a NT-PASSWORD or
  LM-PASSWORD format. The PAP method requires... and so on.

The PAP method requires nothing. PAP states that a clear text password
is sent over the line. How it is compared against a stored password is
in your hands.

It's the standard problem: will the hacker hijack your phone lines and
sniff clear text PAP passwords, or will he hack your servers and see
those clear text passwords required for CHAP in your database?

 thanks
 and so if I want to use an MD5 password it is not possible!?!

If you use CHAP, you need clear text passwords.

With PAP you can use any encryption supported by freeradius. The
standard crypt of glibc2 will also support md5 crypts, if the crypted
password (use the Crypt-Password attribute in your mysql db) has a
certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).

If you don't have glibc2 you have to use the pap module of freeradius.
This is a bit tricky, because freeradius will do a string compare of
passwords if it finds a Password attribute, and so rlm_pap does not get
called. I sent a patch for this to the list two days ago.

Oliver.
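As an added example (not Oliver's code and not FreeRADIUS's): what a PAP check against a Crypt-Password in the $1$SEED$CRYPT format does. The md5crypt scheme is ported here in plain Python so it runs without the platform crypt(3); the server takes the salt from the stored string, re-runs crypt on the password the user sent in clear text, and compares. The known-answer value in the usage comes from glibc's own md5 test vector; the stored-hash value is otherwise constructed.

```python
import hashlib
import hmac

# crypt(3)'s base-64 alphabet (not the RFC 4648 one).
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Emit 'count' characters, low six bits first, as crypt(3) does."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> bytes:
    """Port of the $1$ (md5crypt) scheme used by glibc and the BSDs.
    'salt' is the raw salt without the '$1$' prefix; at most 8 bytes are used."""
    magic = b"$1$"
    salt = salt.split(b"$", 1)[0][:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                      # mix in 'alt' once per 16 bytes of password
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(password)
    while n:                          # one byte per bit of len(password)
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # the deliberately slow stretching loop
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return magic + salt + b"$" + out


def check_crypt_password(stored: bytes, candidate: bytes) -> bool:
    """The PAP-side check: recover the salt from the stored Crypt-Password,
    re-run crypt on the clear-text password from the request, compare in
    constant time. Only the $1$ scheme is handled here."""
    if not stored.startswith(b"$1$"):
        raise ValueError("only $1$ hashes are handled here")
    salt = stored[3:].split(b"$", 1)[0]
    return hmac.compare_digest(md5_crypt(candidate, salt), stored)


if __name__ == "__main__":
    # glibc's md5crypt test vector: salt 'saltstring' is truncated to 8 bytes.
    stored = md5_crypt(b"Hello world!", b"saltstring")
    print(stored.decode())                                   # $1$saltstri$YMyguxXMBpd2TEZ.vS/3q1
    print(check_crypt_password(stored, b"Hello world!"))     # True
    print(check_crypt_password(stored, b"hello world!"))     # False
```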




Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Oliver Graf
On Fri, Jun 13, 2003 at 12:38:29PM +0200, Oliver Graf wrote:
  thanks
  and so If I wantto use an MD5 password it is not possible!?!
 
 If you use CHAP, you need clear text passwords.
 
 With PAP you can use any encryption supported by freeradius. The
 standard crypt of glibc2 will also support md5 crypts, if the crypted
 password (use the Crypt-Password attribute in your mysql db) has a
 certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).

Just another note: if you don't use the pap module, please note that
using the internal crypt of freeradius is not thread-safe. It will
start failing all crypted auths after some hours (if crypt is used by
multiple threads at the same time).

mod PAP has a mutex against it, but you will have a hard time getting
freeradius to use it (as I said: search the list for my patches).

Oliver.



RE: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Paul Hampson
 From: Oliver Graf
 Sent: Friday, 13 June 2003 8:43 PM

 On Fri, Jun 13, 2003 at 12:38:29PM +0200, Oliver Graf wrote:
   thanks
   and so If I wantto use an MD5 password it is not possible!?!

  With PAP you can use any encryption supported by freeradius. The
  standard crypt of glibc2 will also support md5 crypts, if the crypted
  password (use the Crypt-Password attribute in your mysql db) has a
  certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).

 mod PAP has a mutex against it, but you will have a hard time getting
 freeradius to use it (as I said: search the list for my patches).

Huh? I've got mysql+freeradius (CVS, mind you) + PAP/md5 working fine
here I think... Passwords in the database are stored with MD5(password),
and it auths OK...

Is the patch you're referring to freeradius-cvs-cryptmutex.diff??

Maybe you're solving a problem I don't have, but I'm wondering why I've
not _got_ that problem.

Quick glance at the patch: it matters only if you use Crypt-Password
instead of Password? Bleh, over my head. I can post my config sans
comments if you're willing to explain why I'm not having problems.

--
=
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

The Creation of the Universe was made
possible by a grant from Texas Instruments.
-- PBS
-
Random signature generator 3.0 by Paul TBBle Hampson
=




mac address file

2003-06-13 Thread Jean Frontin
Hello,

I apologize for this newbie question !
In what file must I write mac address for authentication of my wireless 
network ?
I read so many things that I am lost !

Jean Frontin
System team
I R I T
Université Paul-Sabatier
118, rte de Narbonne
31062 Toulouse cedex 04
France
tel  (33)(0)5 61 55 63 03
mail [EMAIL PROTECTED]


Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Oliver Graf
On Fri, Jun 13, 2003 at 09:15:45PM +1000, Paul Hampson wrote:
  From: Oliver Graf
  Sent: Friday, 13 June 2003 8:43 PM
 
  On Fri, Jun 13, 2003 at 12:38:29PM +0200, Oliver Graf wrote:
thanks
and so If I wantto use an MD5 password it is not possible!?!
 
   With PAP you can use any encryption supported by freeradius. The
   standard crypt of glibc2 will also support md5 crypts, if the crypted
   password (use the Crypt-Password attribute in your mysql db) has a
   certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).
 
  mod PAP has a mutex against it, but you will have a hard time getting
  freeradius to use it (as I said: search the list for my patches).
 
 Huh? I've got mysql+freeradius (CVS, mind you) + PAP/md5 working fine
 here I think... Passwords in the database are store with MD5(password),
 and it auths OK...
 
 Is the patch you're referring to freeradius-cvs-cryptmutex.diff??
 
 Maybe you're solving a problem I don't have, but I'm wondering why I've
 not _got_ that problem.

Yup, if you use rlm_pap, scheme md5, you are fine.

You are not fine if you use crypt, and crypt is made by main/auth.c

rlm_pap is thread-safe.

 Quick glance at the patch, it matters only if your use Crypt-Password
 instead of Password? Bleh, over my head. I can post my config sans
 comments if it you're willing to explain why I'm not having problems.

Yep. Only if you use Crypt-Password. rlm_pap uses the Password attribute.

Perhaps it is only a documentation bug, but the fallback crypt in
auth.c is vulnerable in any way.

I'm all open for your config. The problem is that you have many ways
to get freeradius to work. Even ways that should not work (I used
Auth-Type := 'Login' which is nonexistent, gave me no error, but
worked!) work sometimes...

So what freeradius needs is lots of clarifications, I think.

Oliver.




Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Roberto Pioli
 The PAP method requires nothing. PAP states that a clear text password
 is sent over the line. How it is compared against a stored password is
 in your hands.

 It's the standart problem: will the hacker hijack your phone lines an
 sniff clear text PAP passwords, or will he hack your servers and see
 those clear text passwords required for CHAP in your database?

thanks but the problem is that I'm using the nokia p022 access controller
that doesn't use PAP but normal radius.
So in authorize I use sql but in authentication I use local.
What can I use for md5?

Thanks

Rob




RE: Upcomming FreeRadius 0.9 release

2003-06-13 Thread Alan Litster
Currently the script that builds the rpm package of FreeRADIUS does not
include the dictionary files as they are no longer in the /etc/raddb
directory. It's simply the case of adding the following to the %files
section in suse/freeradius.spec

# dictionary
%config /%{_prefix}/share/freeradius/*

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Nick Davis
 Sent: 11 June 2003 17:31
 To: [EMAIL PROTECTED]
 Subject: Re: Upcomming FreeRadius 0.9 release


 I just downloaded the CVS snapshot freeradius-snapshot-20030611. Here is my
 experience.

 I compiled it with no errors. I installed it with no errors.

 When I went to start radiusd it didn't start and the radius.log had a message
 telling me I was using an incorrect dictionary file. I looked at the
 dictionary file in ~/snapshot-dir/raddb and found out that the dictionary
 files are now installed in a different location.

 I put my configs in /etc/raddb. So in my currently running version all of the
 dictionary files were in that folder. The new radius version puts the
 dictionary files here: /usr/local/share/freeradius/dictionary

 The end of the make install messages did not tell me the dictionary files
 were in a new location, nor inform me to update the INCLUDES in
 /etc/raddb/dictionary to point to the new location.

 So it might be good to put a message at the end of the make install in the
 WARNING section informing people of this.

 This brings a question to mind. If radiusd has a set location for the main
 dictionary file, and that file just contains an include to the actual
 dictionary files, why not just put the INCLUDE line in the radius.conf and get
 rid of this extra step?

 Once I fixed the dictionary file issue, radiusd started properly.

 I then went and used radtest on a valid user and it worked correctly.

 I am using mysql for my users and accounting. I know it can read the db,
 because it accepted my radtest user. I'll just have to keep an eye on the
 logs and watch for other random errors.

 The dictionary file is a simple problem. Overall I think freeradius is an
 excellent product!

 Thanks!

 Nick D.


---
This email, and any files transmitted with it, is copyright and may contain 
confidential information.
The contents are intended for the use of the addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco Electronics 
Limited.
Nothing in this mail shall bind Telco Electronics Limited in any contract or 
obligation.

Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY

Tel 07000 701999
Fax 07000 701777



Re: mac address file

2003-06-13 Thread Joachim Wickman
 In what file must I write mac address for authentication of my wireless 
 network ?
 I read so many things that I am lost !

in the users file
I'm using freeradius with hostap... 
So one example from users file is

001122aabbcc   Auth-Type := Local, Password == 001122aabbcc



// Joachim





Re: Require Urgent Help

2003-06-13 Thread Dustin Doris



Go here:
http://www.freeradius.org/related/

Order the book.

It will help greatly.





Re: Require Urgent Help

2003-06-13 Thread Mauricio Rocael García Ocaña
see www.freeradius.org read the faq, and subscribe to the list.

att.
Mauricio


RE: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Michael Davidson
Hi, I think we are all going in different directions with this one.

that don't use Pap but normal radius.

 What do you mean by normal radius ? what are you expecting?

What function does the Nokia box perform for you. What type of
authentication will it be doing?

Regards Mike D.





RE: Require Urgent Help

2003-06-13 Thread Tim McCracken

It sounds like they have a dialup system running - if they are using Ascend
MAXs the manuals that come with them have lots of good information on radius
in general -especially attributes. And of course the RFCs. And The RADIUS
book. And the FAQs. And the docs that come with the distribution.

And review their design requirements closely. If they are a small ISP the
use of LDAP and mysql sounds redundant to me unless they are using LDAP for
authorization and authentication and mysql for accounting.

IMHO if you don't have some other reason to use LDAP, I would stick with
just mysql. There is no reason to add complexity to something you are just
learning about, and from my experience, the sql solution is a little
simpler. However there are lots of good reasons for using LDAP if you are
integrating this with another auth server of some kind and want to use a
common user database.

As far as the best OS - I would recommend the one that runs all the software
you need and that you (or whoever is going to maintain the system) knows the
best. :) The wireless system could care less what the OS is.

Tim

  Hi,
 
  I have started a new job in Linux.
  I have been involved quite a lot in daily system admin functions in
  Linux as well as Solaris.
  Now the requirements for this job are to set up a RADIUS server with LDAP
  and a mysql database.
  This is for a small ISP which will be used for wireless access for dial up
  users.
 
  I am completely unaware of RADIUS, LDAP and mysql.
  They want to use FREERADIUS, OPENLDAP from netscape and mysql.
 
  What should be the starting point? Which flavour of Linux will be most
  suitable for wireless applications?
  Any help will be much appreciated.
 
  Thanks,
  Sagar
 


Re: Upcomming FreeRadius 0.9 release

2003-06-13 Thread Nick Davis
Sir,
 As I said in my message I downloaded the CVS snapshot  i.e. the tarball. I 
run debian and always do a source install, so the rpm fix is irrelevant for 
me.
 However, I'm sure your fix could help a Suse user though.

Thanks!

Nick

On Friday 13 June 2003 06:50, Alan Litster wrote:
 Currently the script that builds the rpm package of FreeRADIUS does not
 include the dictionary files as they are no longer in the /etc/raddb
 directory. It's simply the case of adding the following to the %files
 section in suse/freeradius.spec

 # dictionary
 %config /%{_prefix}/share/freeradius/*

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Nick Davis
  Sent: 11 June 2003 17:31
  To: [EMAIL PROTECTED]
  Subject: Re: Upcomming FreeRadius 0.9 release
 
 
   I just downloaded the CVS snapshot freeradius-snapshot-20030611.
  Here is my experience.
 
   I compiled it with no errors. I installed it with no errors.
 
   When I went to start radiusd it didn't start and the radius.log
  had a message telling me I was using an incorrect dictionary file. I
  looked at the dictionary file in ~/snapshot-dir/raddb and found out that
  the dictionary files are now installed in a different location.
 
   I put my configs in /etc/raddb. So in my currently running
  version all of the dictionary files were in that folder. The new radius
  version puts the dictionary files here: /usr/local/share/freeradius/dictionary
 
  The end of the make install messages did not tell me the
  dictionary files were in a new location, nor inform me to update the
  INCLUDES in /etc/raddb/dictionary to point to the new location.
 
  So it might be good to put a message at the end of the make
  install in the WARNING section informing people of this.
 
   This brings a question to mind. If radiusd has a set location
  for the main dictionary file, and that file just contains an include to
  the actual dictionary files, why not just put the INCLUDE line in the
  radius.conf and get rid of this extra step?
 
  Once I fixed the dictionary file issue, radiusd started properly.
 
  I then went and used radtest on a valid user and it worked correctly.
 
  I am using mysql for my users and accounting. I know it can read the db,
  because it accepted my radtest user. I'll just have to keep an eye on the
  logs and watch for other random errors.
 
  The dictionary file is a simple problem. Overall I think freeradius is an
  excellent product!
 
  Thanks!
 
  Nick D.


-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services


Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Oliver Graf
On Fri, Jun 13, 2003 at 04:27:05PM +0200, Michael Davidson wrote:
  thanks but the problem is that I'm using the nokia p022 access controller
  that doesn't use PAP but normal RADIUS.
  So in authorize I use sql but in authentication I use local.
  What can I use for MD5?
 Hi, I think we are all going in different directions with this one.
 
   that doesn't use PAP but normal RADIUS.
 
  What do you mean by normal RADIUS? What are you expecting?

Yep, you are right... 

Mr. Pioli seems not to know where to put which protocol.

PAP and CHAP are authentication schemes of PPP, which is done between
CPE (the 'modem') and NAS (the nokia in this case).

PAP transfers a username and a password clear text over the PPP
connection, CHAP transfers a station name and an encrypted string over
the PPP connection.

RADIUS is a protocol in which the NAS (nokia) talks to the AAA server
(freeradius). The AAA server has to have some data about the user
(username and password). Normally the password is encrypted (except
with CHAP, cause chap needs a clear text password) in local storage.
This can be done with many different methods.

So the question is: where would he like to use MD5? to encrypt the
password on the AAA server or does the nokia nas talk some strange
protocol which uses MD5 encryption (I bet it's the first one)?

Oliver.
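As an added illustration of the point Oliver makes (example code written for this archive, not from the thread or from FreeRADIUS): the server side of a CHAP check has to recompute MD5 over the user's clear-text password, so a CHAP user record cannot be stored as a one-way hash, whereas a PAP check compares the password the NAS forwarded against a salted hash. The CHAP computation follows RFC 1994 and the CHAP-Password layout of RFC 2865; the choice of PBKDF2 for the stored PAP hash, and the user record, salt and challenge values, are this example's own assumptions.

```python
"""Added example, not code from the thread or from FreeRADIUS: why a CHAP check
needs the clear-text password on the AAA server while a PAP check can work
against a one-way hash.  CHAP follows RFC 1994 (MD5 over identifier, secret and
challenge); the RADIUS CHAP-Password attribute (RFC 2865) carries the CHAP
identifier byte followed by the 16-byte response.  The user record, challenge
and salt below are constructed values."""
import hashlib
import hmac


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(stored_cleartext: bytes, chap_password: bytes, challenge: bytes) -> bool:
    """Check a CHAP-Password value (1 id byte + 16 response bytes).

    The server has to redo the MD5 over the user's clear-text password, so a
    CHAP user can only be stored in clear text (or reversibly encrypted), never
    as a one-way hash.  `challenge` is the CHAP-Challenge attribute or, when it
    is absent, the Request Authenticator of the Access-Request."""
    if len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


def pap_hash(password: bytes, salt: bytes) -> bytes:
    """One-way, salted hash for stored PAP passwords (PBKDF2 is this example's
    choice; any slow salted hash works, since the NAS sends the password itself)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def verify_pap(stored_salt: bytes, stored_hash: bytes, presented: bytes) -> bool:
    return hmac.compare_digest(pap_hash(presented, stored_salt), stored_hash)


# --- constructed test data -------------------------------------------------
PASSWORD = b"correct horse"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PAP_RECORD = (SALT, pap_hash(PASSWORD, SALT))
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def demo() -> dict:
    """NAS side builds CHAP-Password from the PPP secret; server side verifies
    each scheme against the kind of record it is able to store."""
    chap_password = bytes([7]) + chap_response(7, PASSWORD, CHALLENGE)
    return {
        "chap_ok": verify_chap(PASSWORD, chap_password, CHALLENGE),
        "chap_wrong_secret": verify_chap(b"wrong", chap_password, CHALLENGE),
        "chap_other_challenge": verify_chap(PASSWORD, chap_password, CHALLENGE[::-1]),
        "pap_ok": verify_pap(*PAP_RECORD, PASSWORD),
        "pap_wrong_password": verify_pap(*PAP_RECORD, b"wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `chap_other_challenge` case is why CHAP is replay-resistant on the PPP link even though the server-side record is clear text: a captured response is only valid for the challenge it was computed over. The trade-off Oliver describes is exactly this: CHAP moves the clear-text exposure from the line to the AAA database.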


RE: Upcomming FreeRadius 0.9 release

2003-06-13 Thread Jonathan Ruano
Oh, reading about this reminded me of something left in the
spec file for 0.8.1.

users.conf should be chown'd radiusd:radiusd. Otherwise,
issuing a 'service radiusd reload' doesn't work (actually, it
stops radiusd!), cause the radiusd-suid daemon cannot re-read
that file.

I have something like:

--- freeradius-snapshot-20030613.org/redhat/freeradius.spec 2003-05-26
17:40:00.0 +0200
+++ freeradius-snapshot-20030613/redhat/freeradius.spec 2003-06-13
17:01:34.0 +0200
@@ -85,6 +85,13 @@
chmod 600 /var/log/$i
 done

+mkdir -p /etc/raddb/pooles
+for i in radiusd.conf clients.conf pooles
+do
+   chown radiusd:radiusd /etc/raddb/$i
+done
+
+
 %postun
 if [ $1 -ge 1 ]; then
/sbin/service radiusd condrestart /dev/null 21
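Review bot: users.conf is not in the `for i in radiusd.conf clients.conf pooles` list, although the message above names it as the file that must be owned by radiusd:radiusd for `service radiusd reload` to work; add it to the loop. Two smaller points: `chown radiusd:radiusd /etc/raddb/$i` on the pooles directory is not recursive, so anything already inside it keeps its previous owner (use `chown -R` or list the files if that is the intent), and the daemon does not need to own its configuration to re-read it: `chown root:radiusd` with group read permission lets the unprivileged radiusd reload the files while keeping a compromised process from rewriting them. The two trailing empty `+` lines before %postun can go down to one.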

Jonathan.

--
Jonathan Ruano kobalt at pobox dot com


Problem when implementing TTLS

2003-06-13 Thread Zhou Ping
Hello,

I have some problems when implementing the TTLS module. According to the draft, the 
client does not need to have a certificate to authenticate itself, which leads to 
phase 2 of the protocol. If the client has a proper certificate, then mutual 
authentication is achieved and there is no need for phase 2. So I think I have to 
modify the eaptls_ack_handler() to handle the Finished message. But how can I know if 
the client has already authenticated itself (i.e. it has a certificate)? Maybe I 
should also modify some of the callback function? Thanks for any help.

regards,
Zhou Ping

Security issue?

2003-06-13 Thread bens
Some time ago, I submitted the below security issue, and I wanted to know when 
the next release was due that (hopefully) fixed the issue(!?!?) 

-Ben 

 If I know a valid password for any 
 account, I can get in with a username of *, and the valid password.

 Passwords appear to be properly handled, usernames are apparently not being 
 escaped by the rlm_ldap module. (as of 0.8.1) Anytime more than one user has 
 the same password, this hole does not work. (so it's properly checking for 
 multiple query returns) 

 -Ben 
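The report describes a user name reaching the LDAP search filter unescaped. The value escaping that closes that class of problem, as an added example written for this archive rather than code from rlm_ldap or the thread: the filter template `(uid=%u)` is assumed for illustration, the user names are constructed, and the escaping rules are those of RFC 2254 (today RFC 4515). The `keeps_template_structure` check is a defensive audit helper of this example's own design.

```python
"""Added example, not code from the thread or from rlm_ldap: escaping a
user-supplied value before it is substituted into an LDAP search filter,
as RFC 2254 (today RFC 4515) requires.  The "(uid=%u)" template is assumed
for illustration; the user names are constructed."""

# Characters that have meaning inside a filter assertion value.  Each is
# replaced by a backslash and the two-hex-digit code of the byte.
_SPECIAL = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def build_user_filter(user_name: str, template: str = "(uid=%u)", escape: bool = True) -> str:
    """Expand %u.  escape=False reproduces the unescaped substitution the
    report above describes; escape=True is the fix."""
    value = escape_filter_value(user_name) if escape else user_name
    return template.replace("%u", value)


def unescaped_specials(filter_text: str) -> int:
    """Count '*', '(' and ')' that are not part of a \\xx escape sequence."""
    count, i = 0, 0
    while i < len(filter_text):
        if filter_text[i] == "\\":
            i += 3            # skip the backslash and its two hex digits
            continue
        if filter_text[i] in "*()":
            count += 1
        i += 1
    return count


def keeps_template_structure(filter_text: str, template: str = "(uid=%u)") -> bool:
    """True when the expanded filter has exactly the wildcards and parentheses
    of its template, i.e. the user name changed no filter semantics.  Usable as
    a last-line check where filters are built, or for auditing logged filters."""
    return unescaped_specials(filter_text) == unescaped_specials(template)


if __name__ == "__main__":
    for name in ("bob", "*", "a)(b"):
        print(repr(name), "->", build_user_filter(name))
```

Ben's observation that the hole only works when exactly one account has that password matches what the escaping fixes: the multi-result check limits the damage, but it is the unescaped wildcard that turns a per-user lookup into a search over every user, and only escaping removes it.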


Re: Problem when implementing TTLS

2003-06-13 Thread Michael Griego
On Fri, 2003-06-13 at 10:25, Zhou Ping wrote:
 Hello,
 
 I have some problems when implementing the TTLS module. According to the draft, the 
 client does not need to have a certificate to authenticate itself, which leads to 
 phase 2 of the protocol. If the client has a proper certificate, then mutual 
 authentication is achieved and there is no need for phase 2. So I think I have to 
 modify the eaptls_ack_handler() to handle the Finished message. But how can I know 
 if the client has already authenticated itself (i.e. it has a certificate)? Maybe I 
 should also modify some of the callback function? Thanks for any help.

I don't think that's exactly true.  If you're using the TTLS EAP-Type,
then you have to stick with that and not short-circuit if the client
sends a certificate during the first phase.  Once phase 1 has completed
in TTLS, and the server has authenticated itself, it goes into Phase 2. 
Phase 2 is handled as a totally new EAP conversation embedded in the
TLS-secured context of the first phase.  It is in this phase where the
client can then choose to either send a certificate or to use one of the
other available EAP methods.  IOW, if the EAP-Type is TTLS, then there
has to be two phases regardless of whether the client authentication is
also performed with certificates.

-- 

--Mike


Michael Griego
Wireless Network Administrator
University of Texas at Dallas



Re: logging anomalies

2003-06-13 Thread Jim
On Thu, 12 Jun 2003, Omachonu Ogali wrote:

 The reason you only see one login in radius.log is due to the cleanup_delay
 setting.

After some more discussion and review, we think this is the problem. We've
increased cleanup_delay from 5 seconds to 10 and we'll revisit the
question in the next few days and see if that was it.

thanks,
Jim


Re: Problem when implementing TTLS

2003-06-13 Thread Michael Griego
I wanted to add a little bit to what I said in this email  Part of the
reason for not short-circuiting (at least in my understanding) and going
through with the full two-phase authentication in TTLS even when
certificates are used is so that the identity of the client is not sent
in the clear.  Since a new EAP conversation is started inside the
context of the first one, with the new conversation being encrypted, the
true identity of the user is sent in the EAP-Identity response in Phase
two.  This allows for fully encrypted identification and
authorization/authentication of the user.

--Mike



On Fri, 2003-06-13 at 12:10, Michael Griego wrote:
 On Fri, 2003-06-13 at 10:25, Zhou Ping wrote:
  Hello,
  
  I have some problems when implementing the TTLS module. According to the draft, 
  the client does not need to have a certificate to authenticate itself, which leads 
  to phase 2 of the protocol. If the client has a proper certificate, then mutual 
  authentication is achieved and there is no need for phase 2. So I think I have to 
  modify the eaptls_ack_handler() to handle the Finished message. But how can I know 
  if the client has already authenticated itself (i.e. it has a certificate)? Maybe 
  I should also modify some of the callback function? Thanks for any help.
 
 I don't think that's exactly true.  If you're using the TTLS EAP-Type,
 then you have to stick with that and not short-circuit if the client
 sends a certificate during the first phase.  Once phase 1 has completed
 in TTLS, and the server has authenticated itself, it goes into Phase 2. 
 Phase 2 is handled as a totally new EAP conversation embedded in the
 TLS-secured context of the first phase.  It is in this phase where the
 client can then choose to either send a certificate or to use one of the
 other available EAP methods.  IOW, if the EAP-Type is TTLS, then there
 has to be two phases regardless of whether the client authentication is
 also performed with certificates.
-- 

--Mike


Michael Griego
Wireless Network Administrator
University of Texas at Dallas



how to deny access based on realm

2003-06-13 Thread Dave Mason
Hi,
I checked the FAQ and comments in the users file, and thought I had 
this, but I gave it a shot and it didn't work.  I need to reject any user 
who tries to authenticate from a particular realm, then if it's OK use 
EAP.  I added this to the users file:

---
DEFAULT Realm == badrealm.com, Auth-Type := Reject
   Reply-Message = "This realm is not supported."
DEFAULT Auth-Type := EAP

However when I send Access-Request for [EMAIL PROTECTED] it gets past 
this line and starts the auth process.  Am I missing something?  I turn 
on eap in the authorize section.  Maybe I don't really need the DEFAULT 
Auth-Type := EAP line but it makes life simple.  I'll add the trace below.

Also, it may be preferable to define a group of bad realms somewhere, 
rather than list them all separately here.  I saw the example that looks 
like this:
DEFAULT Group == disabled, Auth-Type := Reject
Where do you define the group?

Here's the trace:
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=53, length=85
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
   User-Name = [EMAIL PROTECTED]
   Message-Authenticator = 0x09d10d402d5ad1c98c60e4081f729884
   EAP-Message = 0x020100180165617075736572407472616e7361742e636f6d
modcall: entering group authorize
 modcall[authorize]: module preprocess returns ok
 modcall[authorize]: module eap returns updated
   rlm_realm: Looking up realm badrealm.com for User-Name = 
[EMAIL PROTECTED]
   rlm_realm: No such realm badrealm.com
 modcall[authorize]: module suffix returns noop
   users: Matched DEFAULT at 194   --- this is the DEFAULT Auth-Type := EAP
 modcall[authorize]: module files returns ok
modcall: group authorize returns updated
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: processing type sim
rlm_eap_sim: Issuing EAP-Request/SIM/Start for [EMAIL PROTECTED]
 modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 53 to 127.0.0.1:32768
   EAP-Message = 0x01020014120a0f02000200010a01
   Message-Authenticator = 0x
   State = state1
Finished request 0

Regards,
Dave


Re: how to deny access based on realm

2003-06-13 Thread Chris Parker
At 01:51 PM 6/13/2003 -0500, Dave Mason wrote:
Hi,
I checked the FAQ and comments in the users file, and thought I had this, 
but I gave it a shot and it didn't work.  I need to reject any user who 
tries to authenticate from a particular realm, then if it's OK use EAP.  I 
added this to the users file:

---
DEFAULT Realm == badrealm.com, Auth-Type := Reject
   Reply-Message = "This realm is not supported."
DEFAULT Auth-Type := EAP

I'm going to take a stab in the dark and guess that you don't have
a DEFAULT realm configured.
I would suggest you add a DEFAULT realm entry to process it locally.  The
Realm attribute is not added unless it matches a realm ( and *everything*
not otherwise defined will match DEFAULT ).
Alternatively, you could define 'badrealm' in your config in lieu of a
DEFAULT entry if you didn't want to create the DEFAULT for other reasons.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net


Problems running radiusd as non-root user.

2003-06-13 Thread David Ritchey
My problem is I cannot authenticate using the PAM or System methods
without running freeradius as root. When I comment out user and group in
radiusd.conf to force it to run as root, it works great. I can
understand System, since it appears to check /etc/passwd/shadow and
probably needs the perms, but I thought PAM helped to get around that
limitation.

I've tried running as radiusd and nobody, neither will work. Is this
just a limitation of PAM, or freeradius? I'd really rather not run as
root!

Any insight is appreciated, thanks.

-- 
David Ritchey [EMAIL PROTECTED]


Accounting VSA problem

2003-06-13 Thread Eddie Stassen
Cisco, in their infinite wisdom have decided to implement their VSA's in 
some strange and wonderful ways.  My problem at the moment is as 
follows:  Accounting requests from the Cisco SSG come with several 
VSA's included of the form:

Cisco-Service-Info = Usomeusername
Cisco-Service-Info = NserviceName

etc.
The VSA is sub-classified by the first character of the value (N and U 
in the example).  I need to log the value of the N attribute in my sql 
database in this case.  My brain is hurting at this stage, but I cannot 
seem to find any way of logging a particular attribute to SQL when there 
are several of the same name in the request.  I have looked at 
rlm_attr_rewrite and acct_users but have not come up with anything.

Has anyone come across this issue before?  Any ideas how to do this?

Thanks,
Ed
(Hoping I am overlooking something quite obvious)
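One way to pull the 'N' value out of several same-named Cisco-Service-Info attributes before it is handed to SQL, as an added example written for this archive and not part of the thread or of FreeRADIUS: the request attributes, the table and column names, and the treatment of type letters other than the U and N shown in the post are all this example's assumptions.

```python
"""Added example, not code from the thread or from FreeRADIUS: selecting one
Cisco-Service-Info value out of several in an accounting request by its leading
type letter, so only the service name ('N' value) reaches the accounting SQL
query.  The request below is a constructed attribute list; letters other than
the 'U' and 'N' shown in the post are reported but not interpreted."""
from collections import defaultdict

# Constructed Accounting-Request, as (attribute, value) pairs in arrival order.
SAMPLE_REQUEST = [
    ("User-Name", "someusername"),
    ("Acct-Status-Type", "Start"),
    ("Acct-Session-Id", "0000abcd"),
    ("Cisco-Service-Info", "Usomeusername"),
    ("Cisco-Service-Info", "NserviceName"),
]


def split_service_info(attrs):
    """Group every Cisco-Service-Info value by its first character.

    Returns {type_letter: [remainder, ...]} in arrival order.  An empty value
    is filed under '' rather than dropped, so malformed input stays visible."""
    by_type = defaultdict(list)
    for name, value in attrs:
        if name != "Cisco-Service-Info":
            continue
        letter, rest = (value[0], value[1:]) if value else ("", "")
        by_type[letter].append(rest)
    return dict(by_type)


def service_name(attrs):
    """The single 'N' value to log, or None if it is absent or ambiguous."""
    names = split_service_info(attrs).get("N", [])
    return names[0] if len(names) == 1 else None


def accounting_insert(attrs):
    """Return (sql, params) with the service name bound as a parameter; the
    value comes from the NAS, so it is never concatenated into the statement.
    Table and column names are assumed."""
    session = next((v for n, v in attrs if n == "Acct-Session-Id"), None)
    return (
        "INSERT INTO radacct_service (acctsessionid, servicename) VALUES (%s, %s)",
        (session, service_name(attrs)),
    )


if __name__ == "__main__":
    print(split_service_info(SAMPLE_REQUEST))
    print(accounting_insert(SAMPLE_REQUEST))
```

Returning None for a missing or duplicated 'N' value, rather than the first one found, keeps a malformed or unexpected request from being logged as if it were clean; whatever consumes the result can then decide to alert or drop it.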


Re: Problems running radiusd as non-root user.

2003-06-13 Thread Daryl Tester
David Ritchey wrote:

 I can understand System, since it appears to check /etc/passwd/shadow
 and probably needs the perms, but I thought PAM helped to get around
 that limitation.

How can it?  PAM is a library that is linked in to your process,
and therefore runs with the same privileges as the process does.


-- 
Regards,
  Daryl Tester,  Software Wrangler and Bit Herder, IOCANE Pty. Ltd.

SCO Rep:  Linux must die!  We shall prevail!
Offsider: Bill, they can see your shirt sleeve.
  -- http://ars.userfriendly.org/cartoons/?id=20030609

Freeradius NT4 not recording data used

2003-06-13 Thread Rhys \(Gallamda\)



Hello,

I have an NT4 Radius client (yea, I know) and am using sql.
All is well except I never get data used in the logfile.
This is some output:

AcctSessionTime = '122', AcctInputOctets = '', 
AcctOutputOctets = ''

Any ideas?

Thanks

Rhys


Freeradius NT4

2003-06-13 Thread Rhys \(Dezigner.com\)




Hello,

I have an NT4 Radius client (yea, I know) and am using sql.
All is well except I never get data used in the logfile.
This is some output:

AcctSessionTime = '122', AcctInputOctets = '', 
AcctOutputOctets = ''

Any ideas?

Thanks

Rhys