freeradius and postgresql

2003-06-20 Thread freeradius_user
list,

I have a working freeradius 0.8.1 with mysql 4.0 on freebsd 4.8 deployed.
freeradius 0.8.1 with rlm-sql for postgresql 7.3 compiled and installed on
freebsd 4.8 with no problems.
radiusd started without any complaints,
but when I tried to run radtest:

rlm_sql_postgresql: PostgreSQL Query failed Error: no connection to
the server
rlm_sql_getvpdata: database query error


I created user radiusd and database radius on postgresql with:

createdb pgsql
createuser -P -E radiusd
createdb --owner=radiusd radius


and in the /etc/raddb/postgresql.conf

# Connect info
server = "localhost"
login = "radiusd"
password = "radiusd"

# Database table configuration
radius_db = "radius"

any help and comment is deeply appreciated. thanks


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Radius does not try to register with SMUX

2003-06-20 Thread Yousef Jamous
Here's my config.log
I have gcc 3.0.1
Perl 5.005_03


configure:7934: warning: function declaration isn't a prototype
configure:7935: warning: function declaration isn't a prototype
/usr/local/bin/ld: cannot find -lcrypto
collect2: ld returned 1 exit status
configure: failed program was:
#line 7933 "configure"
#include "confdefs.h"
extern char snmp_build_var_op();
int main() {
 snmp_build_var_op()
; return 0; }
configure:7918: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow
-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
-Wnested-externs   conftest.c -lnsl -lresolv -lsocket -lposix4
-lpthread -L/usr/local/lib -lsnmp 1>&5
configure:7912: warning: function declaration isn't a prototype
configure:7913: warning: function declaration isn't a prototype
/usr/local/lib/libsnmp.so: undefined reference to `kstat_read'
/usr/local/lib/libsnmp.so: undefined reference to `kstat_data_lookup'
/usr/local/lib/libsnmp.so: undefined reference to `kstat_close'
/usr/local/lib/libsnmp.so: undefined reference to `kstat_lookup'
/usr/local/lib/libsnmp.so: undefined reference to `kstat_open'
collect2: ld returned 1 exit status
configure: failed program was:
#line 7911 "configure"
#include "confdefs.h"
extern char snmp_build_var_op();
int main() {
 snmp_build_var_op()
; return 0; }
configure:7940: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow
-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
-Wnested-externs   conftest.c -lnsl -lresolv -lsocket -lposix4
-lpthread -L/usr/local/lib -lsnmp -lcrypto 1>&5
configure:7934: warning: function declaration isn't a prototype
configure:7935: warning: function declaration isn't a prototype
/usr/local/bin/ld: cannot find -lcrypto
collect2: ld returned 1 exit status
configure: failed program was:
#line 7933 "configure"
#include "confdefs.h"
extern char snmp_build_var_op();
int main() {
 snmp_build_var_op()
; return 0; }
configure:7918: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow
-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
-Wnested-externs   conftest.c -lnsl -lresolv -lsocket -lposix4
-lpthread -L/usr/local/snmp/lib -lsnmp 1>&5
configure:7912: warning: function declaration isn't a prototype
configure:7913: warning: function declaration isn't a prototype
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.1/../../../libsnmp.so:
undefined reference to `kstat_read'
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.1/../../../libsnmp.so:
undefined reference to `kstat_data_lookup'
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.1/../../../libsnmp.so:
undefined reference to `kstat_close'
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.1/../../../libsnmp.so:
undefined reference to `kstat_lookup'
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.1/../../../libsnmp.so:
undefined reference to `kstat_open'
collect2: ld returned 1 exit status
configure: failed program was:
#line 7911 "configure"
#include "confdefs.h"
extern char snmp_build_var_op();
int main() {
 snmp_build_var_op()
; return 0; }
configure:7940: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow
-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
-Wnested-externs   conftest.c -lnsl -lresolv -lsocket -lposix4
-lpthread -L/usr/local/snmp/lib -lsnmp -lcrypto 1>&5
configure:7934: warning: function declaration isn't a prototype
configure:7935: warning: function declaration isn't a prototype
/usr/local/bin/ld: cannot find -lcrypto
collect2: ld returned 1 exit status
configure: failed program was:
#line 7933 "configure"
#include "confdefs.h"
extern char snmp_build_var_op();
int main() {
 snmp_build_var_op()
; return 0; }
configure:7978: checking gethostbyaddr_r() syntax
configure:7987: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
-Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs  conftest.c 1>&5
configure:7982: warning: function declaration isn't a prototype
configure:8009: gcc -c -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
-Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs  conftest.c 1>&5
configure:8004: warning: function declaration isn't a prototype
configure: In function `main':
configure:8005: too many arguments to function `gethostbyaddr_r'
configure: failed program was:
#line 8002 "configure"
#include "confdefs.h"
#include 
int main() {
 gethostbyaddr_r(NULL, 0, 0, NULL, NULL, 0, NULL, NULL) 
; return 0; }
configure:8032: gcc -c -g -O

Re: ReAuth Every 6 minutes

2003-06-20 Thread Jeff
Kind of silly, but a thought: have you checked your cron jobs?

Jeff

- Original Message - 
From: "Robert W. Kramer III" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 21, 2003 12:10 AM
Subject: ReAuth Every 6 minutes


>
> We are using FreeRadius to authenticate wireless clients. For some reason
> all clients are being reauthenticated every 6 minutes.
>
> I've searched every place for an option/setting that controls this, but
> with no luck finding it.
>
> I'm not positive that FreeRadius is the culprit causing the reauth, but
> the only other thing it could be is the hardware's settings. For sure, the
> hardware has a setting to Reauthenticate every nn minutes. Setting this to
> 0 is supposed to disable reauthentication. But, no matter what I set it for
> (0-65535) I get reauthentication every 6 minutes. The hardware
> manufacturer has done testing and say they have ruled out a problem on
> their end. ;)
>
> Does anyone know why this might be happening? Is there such a setting?
>
> Thank you
>
> Bob Kramer
>
>




ReAuth Every 6 minutes

2003-06-20 Thread Robert W. Kramer III

We are using FreeRadius to authenticate wireless clients. For some reason
all clients are being reauthenticated every 6 minutes.

I've searched every place for an option/setting that controls this, but with
no luck finding it.

I'm not positive that FreeRadius is the culprit causing the reauth, but the
only other thing it could be is the hardware's settings. For sure, the
hardware has a setting to Reauthenticate every nn minutes. Setting this to 0
is supposed to disable reauthentication. But, no matter what I set it for
(0-65535) I get reauthentication every 6 minutes. The hardware manufacturer
has done testing and say they have ruled out a problem on their end. ;)

Does anyone know why this might be happening? Is there such a setting?

Thank you

Bob Kramer




RE: How to allow access to any client (clients.conf)

2003-06-20 Thread Paul Hampson
> From: Mark Gaither
> Sent: Saturday, 21 June 2003 6:25 AM

> Here's how to allow any client to authenticate against a FreeRadius AAA
> server:

> The reason you have to do this is because this DOES NOT work:
> 
> client 0.0.0.0/0 {
>   secret = foo
>   shortname = goo
> }

(Assuming by 'not work' you mean 'spits and complains'...)

This was fixed in CVS on February 19th 2003. So it'll be fixed in
the 0.9 release.

http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/main/client.c

If it's still broken in a CVS checkout since then, then we
have a bug to fix. :-)

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]




Username dilemma-need clarification...

2003-06-20 Thread Jeff
Ok here is the situation

The current RADIUS server that is running our dialup users is VERY old,
running on bsd 2.x, and cistron radius I believe. What has been done since
its inception (in 1995!) has required a capital "P" in front of all
usernames in order to authenticate, hence all 3,000+ users login with
Pusername syntax.

Instead of keeping this system I would like to use the hints file to strip
the "P" in front of incoming queries to the radius server. This will save
the tech support guys A LOT of calls, and make the transition seamless for
the users. The problem I have is that everything I have read indicates the
hints file does the opposite of what I want it to: it adds the P for a PPP
connection, S for SLIP (S is RARELY used by our users, but the radius system
REQUIRES the "S" in front to authenticate properly).

Am I simply misunderstanding the situation, or do I need to do this a
different way? I'm assuming I can create a DEFAULT entry in my hints file,
but I'm not sure of the syntax to use to get the "P" or "S" removed BEFORE
it goes to the server.

Anyone?

Jeff




RE: Radius does not try to register with SMUX

2003-06-20 Thread Paul Hampson
> From: Yousef Jamous
> Sent: Saturday, 21 June 2003 5:41 AM

> Does this mean that I have missing packages?

Dunno yet. The bits where I said "*FAIL: Appears to be missing crypto*"
don't mean _you're_ missing crypto, they mean that the test-compile
was missing crypto.

> And should I send you more lines from the config.log file?
Yes. I'm particularly interested in the lines starting with
configure:7943: gcc -o
up 'til
configure:7981: checking gethostbyaddr_r() syntax

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]




RE: Using System Authentication

2003-06-20 Thread [EMAIL PROTECTED]
It's very easy to correct it.

In the file /etc/shells, you can add the shells such as
/usr/local/bin/bash, /bin/false, etc. to it.

Note: put each shell on its own line.

Now it will work well.

Best,
Zasp
>Hi,
>Further adding to my last email, System authentication is also not
>working when "/usr/local/bin/bash" is defined as User's shell. Only
>works when 'sh' is defined as the shell.
>Am I missing something here ?
>
>
>Regards \\ Naman





EAP-PEAP [Was RE: EAP-TTLS]

2003-06-20 Thread Mayank Upadhyay
On a related note, is anyone considering writing an EAP-PEAP module?
PEAP is essentially MS-CHAPv2 tunneled inside of EAP-TLS. Conceptually,
it's similar to HTTPS on the web where the server is authenticated using
its certificate, and the user with a password.

Windows XP and most RADIUS vendors support PEAP.

-Mayank

-Original Message-


Message: 7
From: "Nirmala Bulusu" <[EMAIL PROTECTED]>
Subject: Re: EAP-TTLS
To: [EMAIL PROTECTED]
Date: Fri, 20 Jun 2003 15:01:00 -0600
Reply-To: [EMAIL PROTECTED]

Hi,

I have been working with xsupplicant and free radius on redhat 8.2

I could successfully set-up the eap-tls config.

Now I want to test EAP-TTLS protocol on free radius using xsupplicant 
as the client software. The latest version of Xsupplicant has the 
EAP-TTLS protocol.
However the current freeradius cvs version I am working on doesn't 
seem to support the TTLS protocol. Want to know if any one is working 
on the free radius code right now
for implementing EAP-TTLS. And if it in the future will support it. 
Would greatly help if anyone could give suggestions regarding the 
server side code for EAP-TTLS.

Thanks and Regards
BN
  



understanding checkval

2003-06-20 Thread Narasimha Reddy Gujja
hi all

I have been using RADIUS to authenticate wireless users with userbase in LDAP.

I am using checkval part of recent snapshot to restrict users based on access 
point.

There are a few things which are dangling over my head. I hope someone could 
clarify.

First of all, is it correct to say that checkval only checks for the 
attributes it can extract from the NAS(access point).

Then can I modify checkval to, say, call a function in it; this function will 
process the various data elements in the LDAP entry for the user and then 
accept or reject or simply send a message.

And last and equally important as the two above, what's the call-flow of 
checkval, how does it work.

I hope I am clear.

Thanks in advance.
Reddy ([EMAIL PROTECTED])



Re: EAP-TTLS

2003-06-20 Thread Nirmala Bulusu
Hi,

I have been working with xsupplicant and free radius on redhat 8.2

I could successfully set-up the eap-tls config.

Now I want to test EAP-TTLS protocol on free radius using xsupplicant 
as the client software. The latest version of Xsupplicant has the 
EAP-TTLS protocol.
However the current freeradius cvs version I am working on doesn't 
seem to support the TTLS protocol. Want to know if any one is working 
on the free radius code right now
for implementing EAP-TTLS. And if it in the future will support it. 
Would greatly help if anyone could give suggestions regarding the 
server side code for EAP-TTLS.

Thanks and Regards
BN
 
  
  



FYI: How to allow access to any client (clients.conf)

2003-06-20 Thread Mark Gaither
FYI:

Here's how to allow any client to authenticate against a FreeRadius AAA
server:

Add this to your clients.conf file and restart the radiusd server:

 cut here 
client 1.0.0.0/1 {
  secret = foo
  shortname = goo
}

client 0.0.0.0/1 {
  secret = foo
  shortname = goo
}
 cut here 

The reason you have to do this is because this DOES NOT work:

client 0.0.0.0/0 {
  secret = foo
  shortname = goo
}

Enjoy.

Mark Gaither

-- 
--
Mark Gaither|   [EMAIL PROTECTED]
Senior Software Engineer|   ph: 512.275.0571 x 20
Rocksteady Networks, Inc.   |  fax: 512.275.0575 
3410 Far West Blvd. Ste. 210|  http://www.rocksteady.com/
Austin, TX 78731|  
--
Enabling Shared Networks.   *Rocksteady solutions securely 
share wired and wireless networks.*





RE: Radius does not try to register with SMUX- REPOSTED

2003-06-20 Thread Yousef Jamous
So Paul
Does this mean that I have missing packages?
And should I send you more lines from the config.log file?
Many thanks Paul.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
Hampson
Sent: June 20, 2003 8:48 PM
To: [EMAIL PROTECTED]
Subject: RE: Radius does not try to register with SMUX- REPOSTED

> From: Yousef Jamous
> Sent: Friday, 20 June 2003 9:36 PM

> As I checked my config.log file, I found the following messages, do they
> mean that my snmp support was not installed? And how can I fix it?

> configure:7887: checking for snmp_build_var_op in -lsnmp
> configure:7899: gcc -o conftest -g -O2 -D_REENTRANT
> -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG   c
> onftest.c -lnsl -lresolv -lsocket -lposix4  -lpthread -lsnmp 1>&5
*FAIL: Appears to be missing crypto*

> configure:7921: gcc -o conftest -g -O2 -D_REENTRANT
> -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG   c
> onftest.c -lnsl -lresolv -lsocket -lposix4  -lpthread -L/usr/lib -lsnmp
> 1>&5
*FAIL: Appears to be missing crypto*

> configure:7943: gcc -o

Aah, drat... That next set would have been helpful, since the next thing
configure tries is to link in crypto as well

Mind you, your configure's slightly different to mine...
I have offsets 7918 and 7940 for the last test and the truncated test.

Still, the next lines will help establish if SNMP was compiled in or
not.

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

The Creation of the Universe was made
possible by a grant from Texas Instruments.
-- PBS
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




Almost working after upgrade 0.3->0.8.1

2003-06-20 Thread John Straiton
Ok, so something went really bad wrong with my freeradius-0.3 today so I
used the FreeBSD port to update my server to 0.8.1 

My setup is virtually the same as described at
http://www.frontios.com/freeradius.html and used to be exactly as
described on http://my.lostinfo.com/files_other/radius/ . 

After installing the port, then editing the new configuration files (I
moved all the prior files before upgrading), then updating my database
schema to match the new 'op' column as well as the new lengths for the
existing columns, things are looking *almost* there.

I still can not authenticate users. Below I've attached my debug output
along with the configuration output from starting the server in
debugging mode. The SQL queries report as failing in the debug, but they
seem to return just fine for me. 

I guess the ultimate problem is:
"auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user"

I guess if I understood the auth {} section more I might be able to
figure it out, but I don't. 

I'd really appreciate any help provided. This one has me stumped!

John Straiton
[EMAIL PROTECTED]
Clickcom, Inc
704-365-9970x101 



The 3 queries described in the debug output return these results for
this "username" user.

===

1) SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'username' ORDER BY id;
+-----+----------+-----------+----------+----+
| id  | UserName | Attribute | Value    | op |
+-----+----------+-----------+----------+----+
| 417 | username | Password  | password | == |
+-----+----------+-----------+----------+----+

2) SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'username' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;
+----+------------+-----------+-------+----+
| id | GroupName  | Attribute | Value | op |
+----+------------+-----------+-------+----+
|  4 | isdnstatic | Auth-Type | Local | := |
+----+------------+-----------+-------+----+

3) SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'username' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id;
+----+------------+--------------------+---------------------+----+
| id | GroupName  | Attribute          | Value               | op |
+----+------------+--------------------+---------------------+----+
| 23 | isdnstatic | User-Service-Type  | Framed-User         | := |
| 24 | isdnstatic | Framed-Protocol    | PPP                 | := |
| 25 | isdnstatic | Framed-Compression | Van-Jacobsen-TCP-IP | := |
| 26 | isdnstatic | Framed-MTU         | 1500                | := |
| 27 | isdnstatic | Idle-Timeout       | 1800                | := |
| 28 | isdnstatic | Port-Limit         | 2                   | := |
+----+------------+--------------------+---------------------+----+


FULL OUTPUT FROM DEBUG

===
rad_recv: Access-Request packet from host my_access_concentrator:1026,
id=45, length=78
User-Name = "username"
User-Password = "password"
NAS-IP-Address = 216.189.16.7
NAS-Port = 26
NAS-Port-Type = ISDN
Service-Type = Framed-User
Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "username", looking up realm NULL
rlm_realm: Found realm DEFAULT
rlm_realm: Adding Stripped-User-Name = "username"
  rlm_realm: Proxying request from user appliedr to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module "suffix" returns noop
radius_xlat:  'username'
rlm_sql (sql): sql_set_user escaped user --> 'username'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'username' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'username' ORDER BY id
rlm_sql (sql): User username not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'username' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Userna

Re: Using System Authentication

2003-06-20 Thread Matthew Sayler
On Fri, Jun 20, 2003 at 11:50:17AM -0700, Naman Latif wrote:
> Thanks.
> Will the passwords in ${confdir}/radius.passwd  be encrypted ? (Is there
> a utility that I should use for defining\storing encrypting passwords).

Yes.  The file would look like an old-school, pre-shadow v7 password
file.  It's also possible, though I don't do it this way for historical
reasons, to define separate shadow and password files.  There's just not
a real reason that I can see to do them separately if they're not the
system password files.

You can generate the passwords using the crypt function in Perl or C,
for example.

Matt 

-- 
/* Matt Sayler-- Sr. Network Engineer, Speedsite Online
 * (773) 324-2954 -- [EMAIL PROTECTED] */



Re: module counter

2003-06-20 Thread Alexander M. Pravking
On Fri, Jun 20, 2003 at 09:30:51AM -0700, Tom Emerson wrote:
> On Friday 20 June 2003 3:53 am, Kostas Kalevras wrote:
> > On Wed, 18 Jun 2003, Roberto Pioli wrote:
> > > when he module counter return:
> > >
> > > rlm_counter: Entering module authorize code
> > > rlm_counter: Could not find Check item value pair
> > 
> > >   modcall[authorize]: module "counter" returns noop
> > > modcall: group authorize returns ok
> > >
> > > What's the matter?
> >
> > Isn't it obvious?
> 
> Actually, it isn't.  I ran into this problem when I first started to use this, 
> and it was rather annoying because as far as I could tell, I **had** defined 
> a check item, so I was totally bewildered by the comment "could not find it".
> 
> My line of thinking was that the "counter" module CREATED a variable (i.e., 
> the "counter-name") that later modules could compare against for a pass/fail 
> condition test.

Yes, it does this, but only "on demand". It registers a function which
performs comparison on the counter attribute (say, Daily-Session-Time), and
this function is called on every occurrence of this attribute in *check*
items. In this case you do not even need to list counter in the authorize {}
section (only in instantiate {}); it will be called automatically.

> It took several passes through the documentation to 
> understand this is backward: other modules set the "check-name" variable to a 
> particular cutoff value, and THEN the counter module performs the comparison.

This is the second way to use it. You supply *configuration* item (say,
Max-Daily-Session) for this counter somewhere, and list the instance in
authorize {} section. And being called from where, counter will search
config items for the attribute and do its magic if one was found.

Unfortunately, *config* and *check* items are synonyms in freeradius...


> In re-reading the documentation right now, I think I see why I thought that 
> AND a possible "impossible situation".  The comments read:
> 
> #  The counter-name can also be used like below:
> #
> #  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
> #  Reply-Message = "You've used up more than one hour today"
> 
> which would appear in the "users" file and/or in an SQL table.  The 
> implication with this comment is that the counter module has to occur FIRST 
> in order to define a value of "daily-session-time" so the comparison can take 
> place...

As I said, counter module defines its value in the very moment of
comparison, moreover, it does the comparison itself.

I hope I'm clear enough :)
To be quite honest about it, I had to dig the source in my time ;)

-- 
Fduch M. Pravking
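Alexander's description above, as an added illustrative model written for this page (not FreeRADIUS's rlm_counter code): a comparison callback is registered for Daily-Session-Time, it is invoked only when a check item names that attribute, and it computes today's total from a constructed accounting log and does the comparison itself. Entry layout, user names and session times are constructed; the `users`-file entry is the one from the thread.

```python
"""Model of on-demand check-item comparison as rlm_counter uses it.
Illustrative only; the registry, log and users are constructed."""
import operator
from datetime import date, datetime

TODAY = date(2003, 6, 20)

OPERATORS = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
             "<=": operator.le, "==": operator.eq, "!=": operator.ne}

# Constructed accounting log: (user, session start, Acct-Session-Time seconds).
ACCOUNTING = [
    ("alice", datetime(2003, 6, 20, 8, 0), 1800),
    ("alice", datetime(2003, 6, 20, 11, 30), 2400),
    ("alice", datetime(2003, 6, 19, 9, 0), 7200),   # previous day: must not count
    ("bob", datetime(2003, 6, 20, 10, 0), 600),
]

# attribute name -> callback(user, op, value, today) -> bool.
# Stands in for the server's comparison-function registry.
COMPARATORS = {}
COMPARATOR_CALLS = []   # records which users the counter was computed for


def register_comparator(attribute, func):
    COMPARATORS[attribute] = func


def daily_session_time(user, today=TODAY):
    """Sum today's Acct-Session-Time for the user from the accounting log."""
    return sum(secs for u, start, secs in ACCOUNTING
               if u == user and start.date() == today)


def compare_daily_session_time(user, op, value, today):
    """The counter's callback: the value is computed only now, and the
    comparison against the check item's value is done here as well."""
    COMPARATOR_CALLS.append(user)
    return OPERATORS[op](daily_session_time(user, today), int(value))


register_comparator("Daily-Session-Time", compare_daily_session_time)


def check_items_match(user, check_items, today=TODAY):
    """Evaluate one entry's check items, given as (attribute, op, value).
    Items with a registered comparator are comparisons; the remaining
    items (e.g. Auth-Type = Reject) are control items that take effect
    only when the whole entry matches. Returns (matched, control_items)."""
    control = {}
    for attr, op, value in check_items:
        if attr in COMPARATORS:
            if not COMPARATORS[attr](user, op, value, today):
                return False, {}
        elif op in ("=", ":="):
            control[attr] = value
        else:
            raise ValueError(f"no comparison registered for {attr} {op} {value}")
    return True, control


# Users-file entries in order; first match wins. The first entry is the one
# from the rlm_counter comment quoted in the thread.
USERS = [
    ([("Daily-Session-Time", ">", "3600"), ("Auth-Type", "=", "Reject")],
     {"Reply-Message": "You've used up more than one hour today"}),
    ([], {"Service-Type": "Framed-User"}),
]


def authorize(user, today=TODAY):
    """Return (Auth-Type, reply items) for the first matching entry."""
    for check_items, reply_items in USERS:
        matched, control = check_items_match(user, check_items, today)
        if matched:
            return control.get("Auth-Type", "Accept"), dict(reply_items)
    return "Reject", {}


if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, daily_session_time(name), authorize(name))
```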



RE: Using System Authentication

2003-06-20 Thread Naman Latif
Thanks.
Will the passwords in ${confdir}/radius.passwd  be encrypted ? (Is there
a utility that I should use for defining\storing encrypting passwords).

Regards \\ Naman

> -Original Message-
> From: Matthew Sayler [mailto:[EMAIL PROTECTED] 
> Sent: Friday, June 20, 2003 11:33 AM

> You can modify the allowed list of shells, but one solution 
> to consider is specifying an alternate password file:
> 
> passwd = ${confdir}/radius.passwd
> shadow = ${confdir}/radius.passwd
> usegroup = no
> # group = ${confdir}/radius.group
> 
> This way the users in no way are known about by the larger system.
> 
> Regards,
> 
> Matt Sayler



Re: Using System Authentication

2003-06-20 Thread Matthew Sayler
On Fri, Jun 20, 2003 at 11:21:09AM -0700, Naman Latif wrote:
> Hi,
> I want to use the System Authentication feature with FreeRADIUS while
> the user defined on the UNIX machine doesn't have any Shell (because I
> don't want that user to login to the Unix machine). Only objective is to
> have him authenticated for some other service.
> 
> However when the user have no\false shell, authentication doesn't work
> and comes up with the message

You can modify the allowed list of shells, but one solution to consider
is specifying an alternate password file:

passwd = ${confdir}/radius.passwd
shadow = ${confdir}/radius.passwd
usegroup = no
# group = ${confdir}/radius.group

This way the users in no way are known about by the larger system.

Regards,

Matt Sayler

-- 
/* Matt Sayler-- Sr. Network Engineer, Speedsite Online
 * (773) 324-2954 -- [EMAIL PROTECTED] */
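An added illustrative model, written for this page and not rlm_unix's own code, of the two points raised in this thread: Zasp's answer that the login shell must be listed in /etc/shells (one per line), which is what lies behind "rlm_unix: [it]: invalid shell [/bin/false]", and Matt's alternate v7-style radius.passwd file. The /etc/shells contents, user names and hash values are constructed; the hash field is left opaque.

```python
"""Shell check and v7-style password file parsing, modelled on the thread.
Illustrative only; all file contents below are constructed."""

# Constructed /etc/shells before and after adding the shells Zasp mentions.
ETC_SHELLS_BEFORE = """\
# /etc/shells: valid login shells
/bin/sh
/bin/csh
"""
ETC_SHELLS_AFTER = ETC_SHELLS_BEFORE + "/usr/local/bin/bash\n/bin/false\n"

# Constructed ${confdir}/radius.passwd in the old v7 layout
# name:crypt-hash:uid:gid:gecos:home:shell (hash values are placeholders).
RADIUS_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/sh
it:AbCdEfGhIjKlM:1001:1001:IT account:/home/it:/bin/false
naman:NoPqRsTuVwXyZ:1002:1002:Naman:/home/naman:/usr/local/bin/bash
"""


def parse_shells(text):
    """One absolute path per line; '#' comments, blank lines and
    surrounding whitespace are ignored."""
    shells = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("/"):
            shells.append(line)
    return shells


def parse_passwd(text):
    """Map user name -> (hash, shell) from a 7-field passwd file."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        users[fields[0]] = (fields[1], fields[6])
    return users


def check_shell(user, passwd_text, shells_text):
    """Return (accepted, log_line): the user's shell from the password file
    must match an entry of the shells file exactly."""
    users = parse_passwd(passwd_text)
    if user not in users:
        return False, f"rlm_unix: [{user}]: user not found"
    _, shell = users[user]
    if shell not in parse_shells(shells_text):
        return False, f"rlm_unix: [{user}]: invalid shell [{shell}]"
    return True, f"rlm_unix: [{user}]: shell [{shell}] accepted"


if __name__ == "__main__":
    for shells in (ETC_SHELLS_BEFORE, ETC_SHELLS_AFTER):
        for name in ("root", "it", "naman"):
            print(check_shell(name, RADIUS_PASSWD, shells)[1])
```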



RE: Using System Authentication

2003-06-20 Thread Naman Latif
Hi,
Further adding to my last email, System authentication is also not
working when "/usr/local/bin/bash" is defined as User's shell. Only
works when 'sh' is defined as the shell.
Am I missing something here ?


Regards \\ Naman



Using System Authentication

2003-06-20 Thread Naman Latif
Hi,
I want to use the System Authentication feature with FreeRADIUS while
the user defined on the UNIX machine doesn't have any Shell (because I
don't want that user to login to the Unix machine). Only objective is to
have him authenticated for some other service.

However when the user have no\false shell, authentication doesn't work
and comes up with the message

Fri Jun 20 11:07:16 2003 : Auth: rlm_unix: [it]: invalid shell
[/bin/false]
Fri Jun 20 11:07:16 2003 : Auth: Login incorrect: [it/hello] (from
client core-devices port 1 cli 172.16.250.19)

Can I fix this ?

Regards \\ Naman



Re: huntgroups in users file

2003-06-20 Thread Chris van Meerendonk
On Thu, 2003-06-19 at 10:05, gunce ciftci wrote:
> 
> Hi All,
> I am stuck at a point while configuring FreeRadius 0.8.1 for a pool of NAS's and 
> annex's.
> 
> I want to give a group of admin users such ip's that they are above
> 10.0.0.100 and won't be affected by simultaneous-use parameter. My users
> and huntgroups file are below (ip's are changed)
> 
> users:
> ---
> DEFAULT Huntgroup-Name=="admin", Auth-Type :=System
> User-Service-Type = NAS-Prompt-User,
> Framed-IP-Address = 10.0.0.100+,
 ^
That comma shouldn't be there, can't find any other errors...

Chris

> DEFAULT Auth-Type :=System, BSimultaneous-Use:=1
> User-Service-Type = NAS-Prompt-User, Framed-IP-Address = 10.0.0.1+
> 
> huntgroups:
> ---
> admin   NAS-IP-Address == A.B.C.D
> User-Name = gunce,
>   User-Name = gciftci
> 
> 
> However, when a user, other than gunce and gciftci logs in to A.B.C.D,
> (ahmet logs in) radiusd -X says and gives 10.0.0.100+
> 
> ..
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   huntgroups: Matched admin at 2
> users: Matched DEFAULT at 1
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
>   modcall[authenticate]: module "unix" returns ok
> modcall: group authenticate returns ok
> Login OK: [ahmet] (from client ras port 32 cli [03334445566)
> Sending Access-Accept of id 149 to A.B.C.D:4504
> User-Service-Type = NAS-Prompt-User
> Framed-IP-Address = 10.0.0.100+
> Finished request 2
> ..
> 
> I could not figure out what is the wrong thing, could anybody point me please?
> Is it related with my understanding of huntgroups or users file?
> 
> Regards,
> - Gunce
> 
> 
> 
> 
> 
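Chris's point about the trailing comma, as an added simplified parser written for this page (not FreeRADIUS's own users-file parser): a reply line ending in "," means the reply list continues on the next line, so the stray comma after `Framed-IP-Address = 10.0.0.100+,` makes the second DEFAULT line get read as more reply items. Both files below are constructed after the post (with `Simultaneous-Use` in place of the post's `BSimultaneous-Use`).

```python
"""Simplified users-file parser showing the effect of a trailing comma.
Illustrative only; not FreeRADIUS's parser."""
import re

# attribute, operator, value (quoted or bare); one item
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|=|!=|>|<)\s*("[^"]*"|\S+)\s*$')

USERS_WITH_STRAY_COMMA = '''\
DEFAULT Huntgroup-Name == "admin", Auth-Type := System
        User-Service-Type = NAS-Prompt-User,
        Framed-IP-Address = 10.0.0.100+,

DEFAULT Auth-Type := System, Simultaneous-Use := 1
        User-Service-Type = NAS-Prompt-User, Framed-IP-Address = 10.0.0.1+
'''

USERS_FIXED = USERS_WITH_STRAY_COMMA.replace("10.0.0.100+,", "10.0.0.100+")


def split_outside_quotes(text):
    """Split on commas that are not inside double quotes."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_item(text):
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError(f"malformed item {text!r}")
    attr, op, value = m.groups()
    return attr, op, value.strip('"')


def parse_users(text):
    """Return [(name, check_items, reply_items), ...].
    An entry starts on an unindented line; reply lines follow while the
    previous line ended with a comma (the first one must be indented)."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    entries, i = [], 0
    while i < len(lines):
        line = lines[i]
        if line[0].isspace():
            raise ValueError(f"reply item outside an entry: {line.strip()!r}")
        name, *rest = line.split(None, 1)
        check = [parse_item(p) for p in split_outside_quotes(rest[0] if rest else "")]
        reply, i = [], i + 1
        more = i < len(lines) and lines[i][0].isspace()
        while more and i < len(lines):
            rline = lines[i].strip()
            # a trailing comma forces the next line to be read as reply items
            more = rline.endswith(",")
            reply.extend(parse_item(p) for p in split_outside_quotes(rline))
            i += 1
        entries.append((name, check, reply))
    return entries


def parse_error(text):
    """Return the parse error message, or None when the file parses."""
    try:
        parse_users(text)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("stray comma:", parse_error(USERS_WITH_STRAY_COMMA))
    for entry in parse_users(USERS_FIXED):
        print(entry)
```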





Re: digest configuration

2003-06-20 Thread Alan DeKok
yacine rebahi <[EMAIL PROTECTED]> wrote:
> Can anyone give a hint about how to configure freeradius to support 
> digest authentication. it is not possible to link to the rlm_digest module.

  Nonsense.

  The latest CVS snapshot comes configured to automatically do digest
authentication.

  Alan DeKok.



Re: Implement PEAP part 2 into Freeradius?

2003-06-20 Thread Alan DeKok
"Zhou Ping" <[EMAIL PROTECTED]> wrote:
> I'm working on the TTLS support, which is mostly the same as PEAP. Maybe we 
> can have some discussion.

  I STRONGLY recommend that you two discuss it.  Please continue that
discussion on the freeradius-devel list.

> As far as I know, we have to extract the AVPs from the TLS packet,
> put them into the RADIUS packet, and the next module you configured
> will handle it.

  That would be my suggestion.  My recommendation for action is this:

1 - move TLS code from rlm_eap_tls to rlm_eap
2 - verify tls still works
3 - submit patches to freeradius-devel

  Only AFTER that should work be done on TTLS and PEAP.  Those two
protocols depend on common code, and that common code should exist
before any TTLS or PEAP specific work is done.

  Alan DeKok.



RE: can't turn off SNMP

2003-06-20 Thread Paul Hampson
> From: Dave Mason
> Sent: Saturday, 21 June 2003 1:59 AM

> Woops - As you might guess libltdl is a different problem.  My build 
> machine seems to have a different version installed, libltdl.so.3.  If 
> configure would use libltdl.so I'd be OK  - is that an option?

I don't think so. The ABI/API changes between soversions, I hope.

libltdl.so.0's pretty old now, isn't it?

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

The Creation of the Universe was made
possible by a grant from Texas Instruments.
-- PBS
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




RE: [PATCH] gethostbyaddr_r and gethostbyname_r corrections

2003-06-20 Thread Paul Hampson
> From: Oliver Graf
> Sent: Saturday, 21 June 2003 12:39 AM

> This patch enables the detection of the correct
> gethostby(name|addr)_r command, which is needed by a threaded radiusd.

Which patch?

Oh, did you have a look at the CVS history for configure.in and
configure.in? I noticed the other day that gethostbyname_r seems
to have been in and out (and shaken all about) about a year ago.

I haven't looked at the diffs though, so it may not be relevant.





Problems Install CVS Snapshot

2003-06-20 Thread E. Rivera
Hi,

I'm running Solaris 8, GNU make, GCC 3.1 and I'm having problems compiling
the latest snapshot (freeradius-snapshot-20030620).  I can install 8.1
with no problems, however the snapshot, which I believe supports LEAP,
fails when I run the command "make".


gmake[6]: Leaving directory `/usr/local/src/freeradius-snapshot-20030620/src/modules/rlm_attr_filter'
Making static dynamic in rlm_attr_rewrite...
gmake[6]: Entering directory `/usr/local/src/freeradius-snapshot-20030620/src/modules/rlm_attr_rewrite'
gmake[6]: *** No rule to make target `static'.  Stop.
gmake[6]: Leaving directory `/usr/local/src/freeradius-snapshot-20030620/src/modules/rlm_attr_rewrite'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory `/usr/local/src/freeradius-snapshot-20030620/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/usr/local/src/freeradius-snapshot-20030620/src/modules'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/usr/local/src/freeradius-snapshot-20030620/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/local/src/freeradius-snapshot-20030620/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/usr/local/src/freeradius-snapshot-20030620'
*** Error code 2
make: Fatal error: Command failed for target `all'

Any suggestions?

** 
E. Rivera

"The trouble with doing something right the first 
time is that nobody will be able to appreciate how
difficult it was"
** 




RE: Radius does not try to register with SMUX- REPOSTED

2003-06-20 Thread Paul Hampson
> From: Yousef Jamous
> Sent: Friday, 20 June 2003 9:36 PM

> As I checked my config.log file, I found the following messages, do they
> mean that my snmp support was not installed? And how can I fix it?

> configure:7887: checking for snmp_build_var_op in -lsnmp
> configure:7899: gcc -o conftest -g -O2 -D_REENTRANT
> -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG   c
> onftest.c -lnsl -lresolv -lsocket -lposix4  -lpthread -lsnmp 1>&5
*FAIL: Appears to be missing crypto*

> configure:7921: gcc -o conftest -g -O2 -D_REENTRANT
> -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG   c
> onftest.c -lnsl -lresolv -lsocket -lposix4  -lpthread -L/usr/lib -lsnmp
> 1>&5
*FAIL: Appears to be missing crypto*

> configure:7943: gcc -o

Aah, drat... That next set would have been helpful, since the next thing
configure tries is to link in crypto as well.

Mind you, your configure's slightly different to mine...
I have offsets 7918 and 7940 for the last test and the truncated test.

Still, the next lines will help establish if SNMP was compiled in or not.





Re: module counter

2003-06-20 Thread Tom Emerson
On Friday 20 June 2003 3:53 am, Kostas Kalevras wrote:
> On Wed, 18 Jun 2003, Roberto Pioli wrote:
> > when he module counter return:
> >
> > rlm_counter: Entering module authorize code
> > rlm_counter: Could not find Check item value pair
> 
> >   modcall[authorize]: module "counter" returns noop
> > modcall: group authorize returns ok
> >
> > What's the matter?
>
> Isn't it obvious?

Actually, it isn't.  I ran into this problem when I first started to use this, 
and it was rather annoying because as far as I could tell, I **had** defined 
a check item, so I was totally bewildered by the comment "could not find it".

My line of thinking was that the "counter" module CREATED a variable (i.e., 
the "counter-name") that later modules could compare against for a pass/fail 
condition test.  It took several passes through the documentation to 
understand this is backward: other modules set the "check-name" variable to a 
particular cutoff value, and THEN the counter module performs the comparison.

In re-reading the documentation right now, I think I see why I thought that 
AND a possible "impossible situation".  The comments read:

#  The counter-name can also be used like below:
#
#  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
#  Reply-Message = "You've used up more than one hour today"

which would appear in the "users" file and/or in an SQL table.  The 
implication with this comment is that the counter module has to occur FIRST 
in order to define a value of "daily-session-time" so the comparison can take 
place, however if the counter module occurs first, no "check-items" have been 
defined, so the counter module noop's out without setting daily-session-time.

So now I'm curious, can the "counter-name" actually be used as per the example 
in the comments, and if so, how?  [and if not, why is it documented that way 
in the released code?]
-- 
Yet another Blog: http://osnut.homelinux.net




Re: can't turn off SNMP

2003-06-20 Thread Dave Mason
Woops - As you might guess libltdl is a different problem.  My build 
machine seems to have a different version installed, libltdl.so.3.  If 
configure would use libltdl.so I'd be OK  - is that an option?

Dave

Dave Mason wrote:

Hi,
This is related to some similar SNMP questions that appeared recently. 
I'm building a radius server on a machine that has SNMP libraries 
installed, but I want to run it on one that does not have them.  I ran 
configure both with --with-snmp=no and --without-snmp.  In both cases, 
when I build the server and move it to the other machine, it can't run 
there because libltdl.so.0 is missing.  When I built the server on the 
machine without SNMP, I never saw that error.  Any ideas?

Regards,
Dave

--

Dave Mason  (817)481-4412 x139 voice, (817)481-4461 fax, [EMAIL PROTECTED]
Transat Technologies    180 State St, Suite 240, Southlake, TX 76092
Integrating 3GSM and WLAN    http://www.transat-tech.com





patch: Caller Id not stored in ippool files

2003-06-20 Thread Jonathan Ruano
Hello all (TGiF!):

I have not yet assimilated the rlm_ippool pseudo-code Paul posted (I haven't 
spent much time with it either), but I solved a little flaw in rlm_ippool.
While dumping the contents of the files (so as to trace "the strange case
of disappearing IPs"), I noticed that no caller ids were stored.

I did a little patch that fixes it. While it's not very useful
(except for MPP detection, but the latter is proved not to be
working smoothly), at least it gives more info about the session log.

Jonathan.

--
Jonathan Ruano

diff -urN org.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c new.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c
--- org.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c	2002-10-11 15:26:20.0 +0200
+++ new.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c	2003-06-20 17:37:49.0 +0200
@@ -67,6 +67,7 @@
 
 #define ALL_ONES 4294967295
 #define MAX_NAS_NAME_SIZE 64
+#define MAX_CLI_SIZE 32
 
 static const char rcsid[] = "$Id: rlm_ippool.c,v 1.12 2002/10/11 13:26:20 kkalev Exp 
$";
 
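Review bot: MAX_CLI_SIZE is also the width of the cli field inside ippool_info, and that struct is written to the pool file verbatim (data_datum.dsize = sizeof(ippool_info) in the third hunk), so changing this value later silently changes the record layout and makes existing pool files unreadable. A comment on the define stating that it must stay 32 unless the pool files are regenerated would prevent that.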
@@ -94,7 +95,7 @@
 typedef struct ippool_info {
uint32_tipaddr;
charactive;
-   charcli[32];
+   charcli[MAX_CLI_SIZE];
 } ippool_info;
 
 typedef struct ippool_key {
@@ -571,6 +572,11 @@
 */
if (key_datum.dptr){
entry.active = 1;
+
+   memset(entry.cli,0,MAX_CLI_SIZE);
+   if (cli != NULL)
+strncpy( entry.cli, cli, MAX_CLI_SIZE - 1);
+
data_datum.dptr = (ippool_info *) &entry;
data_datum.dsize = sizeof(ippool_info);
 
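Review bot: the memset() is what makes this copy safe, since strncpy() with MAX_CLI_SIZE - 1 writes no terminator when cli is that long or longer; keep the two lines together and say so in a comment, or replace both with a single snprintf(entry.cli, MAX_CLI_SIZE, "%s", cli). The hunk only guards cli against NULL and the code that sets cli is outside this context, so confirm it is initialised to NULL on every path that reaches this allocation, otherwise the check passes on an uninitialised pointer. The strncpy line is also indented differently from its neighbours.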


is ok

2003-06-20 Thread gabriel sanchez
 

can't turn off SNMP

2003-06-20 Thread Dave Mason
Hi,
This is related to some similar SNMP questions that appeared recently. 
I'm building a radius server on a machine that has SNMP libraries 
installed, but I want to run it on one that does not have them.  I ran 
configure both with --with-snmp=no and --without-snmp.  In both cases, 
when I build the server and move it to the other machine, it can't run 
there because libltdl.so.0 is missing.  When I built the server on the 
machine without SNMP, I never saw that error.  Any ideas?

Regards,
Dave




Re: help configuring FR with cisco aironet 350, eap/leap and W2000

2003-06-20 Thread Chris Brotsos
At 09:35 AM 6/20/2003, you wrote:
I'm trying to set up a configuration where the freeradius server
authenticates win 2000 clients in a wireless lan with cisco aironet 350.
(Sorry for this long mex)

My forbidden dream is ldap, but ... for the moment eap is enough.

Here are the main portion of conf files.
radiusd.conf
* * *
bind_address = 192.168.27.4
modules {
eap {
#   default_eap_type = md5
timer_expire = 60
#   md5 {
#   }
I don't use rlm_eap but suggest you read src/radiusd/doc/rlm_eap. It 
explains exactly what your problem is (e.g. "At least one EAP-Type 
sub-stanza should be defined as above, otherwise the server will not know 
what type of eap authentication mechanism to be used. All the various 
options and their associated default values for each EAP-Type are 
documented in the sample radiusd.conf that is provided with the 
distribution."). Looks to me like you have said requirements commented out 
in your eap block.

HTH,

Chris Brotsos





ldap + rlm_sqlcounter(2)

2003-06-20 Thread Najeh Ben Nasrallah



> Hi All,
> I'm using freeradius 0.8.1 with accounting stored in an SQL backend and
> user accounts stored in LDAP.

> is there any way to use user ldap attributes values in the definition
> of the rlm_sqlcounter SQL statement?


Hi all,

 let's add some explanations.
 In fact I need sqlcounter to compute the SUM(AcctSessiontime) between two
timestamps 'startTime' and 'endTime' stored in the LDAP user profile.


thanks  




[PATCH] gethostbyaddr_r and gethostbyname_r corrections

2003-06-20 Thread Oliver Graf
Hi!

This patch enables the detection of the correct
gethostby(name|addr)_r command, which is needed by a threaded radiusd.

Without this patch a heavily used server may create bogus entries for
various generated attributes (for example Client-Ip-Address for
accounting requests).

If the BSD-style gethostby(name|addr) is used (not thread-safe), a warning
is issued by configure.

Oliver.




help configuring FR with cisco aironet 350, eap/leap and W2000

2003-06-20 Thread Luca Benassi
I'm trying to set up a configuration where the freeradius server
authenticates win 2000 clients in a wireless lan with cisco aironet 350.

(Sorry for this long mex)

My forbidden dream is ldap, but ... for the moment eap is enough.

Here are the main portions of the conf files.
radiusd.conf
* * *
bind_address = 192.168.27.4
modules {
eap {
#   default_eap_type = md5
timer_expire = 60
#   md5 {
#   }
leap {
}
}
authorize {
eap
files
}
authenticate {
eap
}
* * *

users
* * *
abc Password = "123"
Reply-Message = "Hy !!! :)"
* * *

clients.conf
* * *
client 192.168.27.4 {
secret  = testing123
shortname   = lb
}
* * *

I've got my freeradius running on my server, and if I use radtest or
radclient I receive the correct Access-Accept:

* * *
radtest abc 123 192.168.27.4 1 testing123
Sending Access-Request of id 98 to 192.168.27.4:1812
User-Name = "abc"
User-Password = " [EMAIL PROTECTED]"
NAS-IP-Address = wha
NAS-Port = 1
rad_recv: Access-Accept packet from host 192.168.27.4:1812, id=98,
length=31
Reply-Message = "Hy !!! :)"
* * *


And on the server:

* * *
radiusd -sfxxyz -l stdout
[...]
Listening on IP address 192.168.27.4, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.27.4:35883, id=98,
length=55
User-Name = "abc"
User-Password = "123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
modcall: entering group authorize
rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
users: Matched abc at 159
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat:  'Hy !!! :)'
Sending Access-Accept of id 98 to 192.168.27.4:35883
Reply-Message = "Hy !!! :)"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 98 with timestamp 3ef3157c
Nothing to do.  Sleeping until we see a request.
* * *

I've run radtest on the same machine running radiusd.

Now the problem: trying to authenticate from a windows 2000 client
(SP3) to a cisco aironet 350.

Here is the output from radiusd:

* * *
rad_recv: Access-Request packet from host 195.250.227.169:1770, id=218,
length=142
User-Name = "abc"
Cisco-AVPair = "ssid=tsunami"
NAS-IP-Address = 195.250.227.169
Called-Station-Id = "0040965dfff9"
Calling-Station-Id = "000d28464a26"
NAS-Identifier = "CISCOWR01"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x0205000801616263
Message-Authenticator = 0xeaee53e33aa0f00ab1b17dba7f15a508
modcall: entering group authorize
  rlm_eap: EAP packet type notification id 5 length 8
  modcall[authorize]: module "eap" returns updated
users: Matched abc at 159
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: EAP packet type notification id 5 length 8
rlm_eap: Unsupported EAP_TYPE 1
  modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 218 to 195.250.227.169:1770
EAP-Message = 0x04050004
Message-Authenticator = 0x
Reply-Message = "Hy !!! :)"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 218 with timestamp 3ef31717
Nothing to do.  Sleeping until we see a request.
* * *

It seems that the problem is here:
rlm_eap: Unsupported EAP_TYPE 1
but I'm not able to understand it.

Any hint/help? :)))
Thanks in advance.

Bye,
Luca
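
The EAP-Message values in the two traces above can be read off the wire bytes themselves. The decoder below is an added example (not FreeRADIUS code, and not something Luca or Chris posted) that walks the EAP header (code, id, length) and the type octet that rlm_eap reports as "EAP_TYPE 1"; the eap_packet, eap_decode and eap_type_name names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EAP codes, and the EAP types this thread touches (md5 and leap are the rlm_eap sub-stanzas). */
enum { EAP_REQUEST = 1, EAP_RESPONSE = 2, EAP_SUCCESS = 3, EAP_FAILURE = 4 };
enum { EAP_TYPE_IDENTITY = 1, EAP_TYPE_NOTIFICATION = 2, EAP_TYPE_MD5 = 4, EAP_TYPE_LEAP = 17 };

typedef struct {
    uint8_t  code;
    uint8_t  id;
    uint16_t length;    /* length field from the header, checked against the bytes received */
    int      type;      /* -1 for Success/Failure, which carry no type octet */
    size_t   data_len;  /* number of type-data bytes */
    char     data[64];  /* NUL-terminated copy of the type-data (Identity is printable) */
} eap_packet;

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Turn radiusd's "0x..." attribute dump into bytes; -1 on odd length or non-hex input. */
static int hex_to_bytes(const char *hex, uint8_t *out, size_t cap, size_t *out_len)
{
    size_t len, i;
    if (hex[0] == '0' && (hex[1] == 'x' || hex[1] == 'X'))
        hex += 2;
    len = strlen(hex);
    if (len == 0 || len % 2 != 0 || len / 2 > cap)
        return -1;
    for (i = 0; i < len; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    *out_len = len / 2;
    return 0;
}

/* Parse one EAP-Message. Returns 0 on success, -1 if the packet is truncated, its length
 * field disagrees with the bytes received, or the type-data would not fit: a server that
 * skipped these checks would be trusting a length chosen by the supplicant. */
int eap_decode(const char *hex, eap_packet *pkt)
{
    uint8_t buf[256];
    size_t n;

    memset(pkt, 0, sizeof *pkt);
    pkt->type = -1;
    if (hex_to_bytes(hex, buf, sizeof buf, &n) != 0 || n < 4)
        return -1;
    pkt->code   = buf[0];
    pkt->id     = buf[1];
    pkt->length = (uint16_t)((buf[2] << 8) | buf[3]);
    if (pkt->length != n)
        return -1;                  /* header length must match what was received */
    if (pkt->code == EAP_SUCCESS || pkt->code == EAP_FAILURE)
        return n == 4 ? 0 : -1;     /* Success/Failure are header-only */
    if (n < 5)
        return -1;                  /* Request/Response without a type octet */
    pkt->type     = buf[4];
    pkt->data_len = n - 5;
    if (pkt->data_len >= sizeof pkt->data)
        return -1;
    memcpy(pkt->data, buf + 5, pkt->data_len);
    pkt->data[pkt->data_len] = '\0';
    return 0;
}

const char *eap_type_name(int type)
{
    switch (type) {
    case EAP_TYPE_IDENTITY:     return "Identity";
    case EAP_TYPE_NOTIFICATION: return "Notification";
    case EAP_TYPE_MD5:          return "MD5-Challenge";
    case EAP_TYPE_LEAP:         return "LEAP";
    default:                    return "unknown";
    }
}

int main(void)
{
    const char *msgs[] = { "0x0205000801616263", "0x04050004" };  /* from the radiusd trace above */
    for (size_t i = 0; i < 2; i++) {
        eap_packet p;
        if (eap_decode(msgs[i], &p) != 0) { printf("%s: malformed\n", msgs[i]); continue; }
        printf("%s: code=%u id=%u length=%u", msgs[i], p.code, p.id, p.length);
        if (p.type >= 0) printf(" type=%d (%s) data=\"%s\"", p.type, eap_type_name(p.type), p.data);
        printf("\n");
    }
    return 0;
}
```

The first message decodes as a Response (code 2), id 5, type 1 (Identity) carrying "abc", which is the EAP type rlm_eap reported as unsupported; the reject carries code 4 (Failure) with the same id and no type.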




Access-Reject problem.

2003-06-20 Thread Genoud Richard
hi !
I use freeradius 0.8.1.
I've configured freeradius with a reject_delay of one second.
I send an access-request for a bad user with ntradping (time-out 15 sec, 
only one attempt).

with ethereal, I get:
time 0 : source 10.0.9.192 access request id 7
and nothing else...
if I send another access-request:
time 20 : source 10.0.9.192 access request id 8
time 20 : source 10.0.9.192 access reject id 7
the access-reject corresponding to the 1st access request is sent...

weird, isn't it?
is there something I missed?
here's the log:
rad_recv: Access-Request packet from host 10.0.9.192:61007, id=7, length=44
Thread 5 assigned request 45
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do.  Sleeping until we see a request.
Thread 5 handling request 45, (8 handled so far)
User-Name = "toto"
User-Password = "titi"
modcall: entering group authorize
radius_xlat:  'toto'
rlm_sql (SQL1): sql_set_user escaped user --> 'toto'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'toto' ORDER BY id'
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Reserving sql socket id: 0
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radcheck WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'toto' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radreply WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (SQL1): Pairs do not match for user [toto]
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Released sql socket id: 0
  modcall[authorize]: module "SQL1" returns notfound
  modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns notfound
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 45 for 1 seconds
Finished request 45
Going to the next request
Thread 5 waiting to be assigned a request

rad_recv: Access-Request packet from host 10.0.9.192:61008, id=8, length=44
Thread 1 assigned request 46
--- Walking the entire request list ---
Sending Access-Reject of id 7 to 10.0.9.192:61007
Cleaning up request 45 ID 7 with timestamp 3ef30d3c
Nothing to do.  Sleeping until we see a request.
Thread 1 handling request 46, (9 handled so far)
User-Name = "toto"
User-Password = "titi"
modcall: entering group authorize
radius_xlat:  'toto'
rlm_sql (SQL1): sql_set_user escaped user --> 'toto'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'toto' ORDER BY id'
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Reserving sql socket id: 0
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radcheck WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'toto' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radreply WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.

ldap + rlm_sqlcounter

2003-06-20 Thread Najeh Ben Nasrallah


Hi All,
 I'm using freeradius 0.8.1 with accounting stored in an SQL backend and
user accounts stored in LDAP.

is there any way to use user ldap attributes values in the definition of
the rlm_sqlcounter SQL statement?

thanks
 




RE: RADIUS + LDAP + TLS

2003-06-20 Thread Kostas Kalevras
On Fri, 20 Jun 2003, Francisco Orozco/Upcnet wrote:

> Hiya,
>
> > StartTLS is an extended operation for starting TLS while connecting to
> the
> > normal ldap port (389). I would suggest
> > start_tls=yes,tls_mode=no and port=389
> >
> > I think that the tls_mode directive should go away completely and
> > start_tls only
> > be allowed if we don't use the ldaps port. But I am not sure that the
> above is
> > correct.
>
> Is it necessary to install OpenSSL or other software in order to use TLS with
> RADIUS?

Yes, you must install OpenSSL for TLS to even be available at compile time.

>
> This is my big doubt
>
> __
> Paco Orozco ([EMAIL PROTECTED])
> Divisió de Telecomunicacions
> UPCNet
> Edifici Vèrtex - Pl. Eusebi Güell, 6
> Telèfon centraleta: 93.40.11600
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



digest configuration

2003-06-20 Thread yacine rebahi
Hi all,
Can anyone give a hint about how to configure freeradius to support 
digest authentication? It is not possible to link to the rlm_digest module.
thanks
yacine



RE: RADIUS + LDAP + TLS

2003-06-20 Thread Francisco Orozco/Upcnet
Hiya,

> StartTLS is an extended operation for starting TLS while connecting to 
the
> normal ldap port (389). I would suggest
> start_tls=yes,tls_mode=no and port=389
> 
> I think that the tls_mode directive should go away completely and 
> start_tls only
> be allowed if we don't use the ldaps port. But I am not sure that the 
above is
> correct.

Is it necessary to install OpenSSL or other software in order to use TLS with 
RADIUS?

This is my big doubt

__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600



Re: Squid - Freeradius authentication

2003-06-20 Thread Ben Johns
Wei Ming Long said:
> Hi everyone,
> I have been tasked with a project to grant web access to some laptop
> clients.
> I have some wireless clients & some of them have permission to surf the
> internet & others don't. All web requests on port 80 are redirected by
> iptables to the Squid proxy server, can I use Freeradius to authenticate
> the
> users before sending the requests out into the internet. And if the users
> are
> not allowed to surf the internet, a web page will be sent to them telling
> them
> they are denied access. Can this be done? has anybody done this & care to
> share their experience & knowledge with me? Please help me. Thanks.
>
> Best regards
> Matthew

Squid when running in transparent mode (as you currently have) can't do
authentication, not to my humble knowledge anyway. So you would have to
configure each client with the appropriate proxy settings and disable
interception/transparent proxying. You can use PAM to get squid to
authenticate via a radius server, or use the Squid RADIUS Authenticator
module from http://selm.www.cistron.nl/authtools/ .

As for the deny page - squid will throw one up by default, you can
customise it if you like.

-- 
Regards,

Ben Johns

http://www.naturalnetworks.net
http://www.marinanet.com.au
http://www.accessplus.com.au



Re: Client-Ip-Address mysteriosity

2003-06-20 Thread Oliver Graf
On Fri, Jun 20, 2003 at 02:03:23PM +0200, Oliver Graf wrote:
> ok, diving into glibc2... the prototype of gethostbyaddr_r (which
> would be the right thing to use) is:
> 
> extern int gethostbyaddr_r (__const void *__restrict __addr, __socklen_t __len,
> int __type,
> struct hostent *__restrict __result_buf,
> char *__restrict __buf, size_t __buflen,
> struct hostent **__restrict __result,
> int *__restrict __h_errnop) __THROW;
> 
> i.e. it has an additional errno pointer parameter.
> 
> So I will make up a configure patch for this.

Mhhh... I think the maintainers can fix this easily on their own. The
problem is that the gethostbyaddr checks got this sequence: SYSV, GNU,
BSD. But my system has GNU (reentrant) and BSD (crash-and-burn).

So just check first for the unsafe BSD (perhaps issue a big DON'T USE
THREADS WITH THIS?) and then check for SYSV or GNU style
gethostbyaddr_r.

gethostbyname seems to have similar issues.

Oliver.




Re: Client-Ip-Address mysteriosity

2003-06-20 Thread Oliver Graf
On Fri, Jun 20, 2003 at 01:46:50PM +0200, Oliver Graf wrote:
> On Fri, Jun 20, 2003 at 01:40:08PM +0200, Oliver Graf wrote:
> > Hi!
> > 
> > Currently I'm testing freeradius also as accounting server (we have to
> > change our script stuff to make the full switch) and I'm encountering
> > mysterious accounting packets (about 10 in one hour -- from different
> > NASes, even different vendors [ascend, cisco, redback]).
> > 
> > They get added a Client-Ip-Address = vlan-aaa2 (only defined in
> > /etc/hosts as 192.168.24.2, no interface has this IP) and so the
> > packets get accounted in a detail file below this path.
> > 
> > I don't know where this comes from.
> 
> oh, oh, oh, let me guess!!!
> 
> gethostbyaddr is not thread safe.
> 
> I will produce a patch for this. Any chance that those threading
> issues get into to official source? crypt is still unfixed...

ok, diving into glibc2... the prototype of gethostbyaddr_r (which
would be the right thing to use) is:

extern int gethostbyaddr_r (__const void *__restrict __addr, __socklen_t __len,
int __type,
struct hostent *__restrict __result_buf,
char *__restrict __buf, size_t __buflen,
struct hostent **__restrict __result,
int *__restrict __h_errnop) __THROW;

i.e. it has an additional errno pointer parameter.

So I will make up a configure patch for this.

Oliver.
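
As an added example (not Oliver's patch, which is not on this page, and not FreeRADIUS code), the wrapper below calls gethostbyaddr_r() through exactly the 8-argument glibc prototype quoted above, handles ERANGE by growing the scratch buffer, and falls back to the dotted quad instead of ever returning another thread's name; the function name resolve_client_addr_r is an assumption.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Reverse-resolve an IPv4 address through the GNU-style gethostbyaddr_r()
 * (the 8-argument prototype quoted above, with the trailing h_errnop).
 * All state lives in the caller's frame or in a buffer this call owns, so
 * concurrent calls from several threads cannot hand back one another's
 * hostname, which is the failure mode behind the bogus Client-IP-Address
 * values in this thread: the non-reentrant gethostbyaddr() returns a
 * pointer to one static struct hostent shared by every thread.
 *
 * Returns 0 when a name was found, 1 when the dotted-quad fallback was
 * written instead, -1 when `out` cannot hold even the numeric form.
 */
int resolve_client_addr_r(struct in_addr addr, char *out, size_t outlen)
{
    struct hostent he, *result = NULL;
    int h_err = 0, rc;
    size_t buflen = 1024;
    char *buf = NULL, *nbuf;

    if (out == NULL || outlen < INET_ADDRSTRLEN)
        return -1;

    for (;;) {
        nbuf = realloc(buf, buflen);
        if (nbuf == NULL)
            break;                  /* out of memory: fall back to the numeric form */
        buf = nbuf;
        rc = gethostbyaddr_r(&addr, sizeof addr, AF_INET,
                             &he, buf, buflen, &result, &h_err);
        if (rc == ERANGE && buflen < (1u << 20)) {
            buflen *= 2;            /* scratch buffer too small: grow and retry */
            continue;
        }
        if (rc == 0 && result != NULL && result->h_name != NULL) {
            /* h_name points into buf, so copy it out before freeing. */
            snprintf(out, outlen, "%s", result->h_name);
            free(buf);
            return 0;
        }
        break;                      /* lookup failed: rc != 0 or no result (see h_err) */
    }
    free(buf);
    if (inet_ntop(AF_INET, &addr, out, (socklen_t)outlen) == NULL)
        return -1;
    return 1;
}

int main(void)
{
    struct in_addr a;
    char name[256];
    int rc;

    /* Constructed input: the loopback address, which /etc/hosts normally names. */
    inet_pton(AF_INET, "127.0.0.1", &a);
    rc = resolve_client_addr_r(a, name, sizeof name);
    printf("127.0.0.1 -> %s (%s)\n", name,
           rc == 0 ? "resolved" : "numeric fallback");
    return 0;
}
```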




Re: module counter

2003-06-20 Thread Alexander M. Pravking
On Fri, Jun 20, 2003 at 01:53:06PM +0300, Kostas Kalevras wrote:
> On Wed, 18 Jun 2003, Roberto Pioli wrote:
> 
> > when he module counter return:
> >
> > rlm_counter: Entering module authorize code
> > rlm_counter: Could not find Check item value pair
> 
> >   modcall[authorize]: module "counter" returns noop
> > modcall: group authorize returns ok
> >
> >
> >
> > What's the matter?
> 
> Isn't it obvious?

IMHO, it looks like a warning. Maybe it's better to silently return?
Or print something like
DEBUG2("rlm_counter: nothing to do - no %s for the user", inst->check_name);
?

Same for rlm_sqlcounter.

-- 
Fduch M. Pravking



Re: simultaneous-use reply-message

2003-06-20 Thread gunce ciftci

Alexander,
Users' native language is Turkish, which uses the Latin alphabet,
so, luckily, ASCII characters will do.

And yes it would be nice to have customizable messages :)

Thanks,
Gunce


On Fri, 20 Jun 2003, Alexander M. Pravking wrote:

> On Fri, Jun 20, 2003 at 11:57:46AM +0300, gunce ciftci wrote:
> > Dear list,
> > I am using (v0.8.1)
> > simultaneous-use attribute with Bay RAC 8000 without problems.
> > Users also get and see the "You are already logged in - access denied"
> > message through NAS-Prompt when they are trying to connect beyond the
> > limit. To make life easier for hot-line staff, we should have it in
> > native language.
>
> Are you sure your NAS won't go crazy because of non-ascii characters?
> Don't you expect charset problems?
>
> > I don't know if somebody ever needed it. I looked for
> > this reply message in radiusd.conf, radcheck, could not see..
>
> It's hard-coded currently, so you can edit the sources and then recompile
> radius.
>
>
> Dear developers, how about customizable messages? Something like this in
> radiusd.conf:
> messages {
> multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
> timespan_violation = "You are calling outside allowed timespan\r\n"
> ...
> }
>
> I probably could work on that, but I need some guidelines:
> 1. Should it be a set of static variables, or searchable list like
>dictionary?
> 2. Should it be per-module configuration, or global?
> 3. Where to put these parameters in config?
> 4. Recommended naming conventions?
>
>
> --
> Fduch M. Pravking
>




Re: Client-Ip-Address mysteriosity

2003-06-20 Thread Oliver Graf
On Fri, Jun 20, 2003 at 01:40:08PM +0200, Oliver Graf wrote:
> Hi!
> 
> Currently I'm testing freeradius also as accounting server (we have to
> change our script stuff to make the full switch) and I'm encountering
> mysterious accounting packets (about 10 in one hour -- from different
> NASes, even different vendors [ascend, cisco, redback]).
> 
> They get added a Client-Ip-Address = vlan-aaa2 (only defined in
> /etc/hosts as 192.168.24.2, no interface has this IP) and so the
> packets get accounted in a detail file below this path.
> 
> I don't know where this comes from.

oh, oh, oh, let me guess!!!

gethostbyaddr is not thread safe.

I will produce a patch for this. Any chance that those threading
issues get into the official source? crypt is still unfixed...

Oliver.




Client-Ip-Address mysteriosity

2003-06-20 Thread Oliver Graf
Hi!

Currently I'm testing freeradius also as accounting server (we have to
change our script stuff to make the full switch) and I'm encountering
mysterious accounting packets (about 10 in one hour -- from different
NASes, even different vendors [ascend, cisco, redback]).

They get added a Client-Ip-Address = vlan-aaa2 (only defined in
/etc/hosts as 192.168.24.2, no interface has this IP) and so the
packets get accounted in a detail file below this path.

I don't know where this comes from.

example packet (tcpdump -s 0 -X)
13:35:34.714060 max0.pop-koblenz.rz-online.NET.afs3-rmtsys > aaa1.rz-online.NET.
radius-acct:  rx abort (153)
0x   4500 00b5 0073  3f11 85b6 d407 acc2Es..?...
0x0010   d407 a03d 1b61 0715 00a1 416a 044f 0099...=.aAj.O..
0x0020   0a63 67e4 5e98 56e0 8f6a 805c 3544 b0f6.cg.^.V..j.\5D..
0x0030   0406 d407 acc2 0506  0489 3d06 =...
0x0040   0002 2806  0002 2906   2c0c..(.).,.
0x0050   3432 3231 3533 3639 3400 c306  002a422153694..*
0x0060   c406  0041 c506  fa00 c606 .A..
0x0070   0003 be06  00a1 bf06  007c c006.|..
0x0080    000b c106  000b ff06  fa00
0x0090   7806  002e 7906  0007 7a06 x.y.z...
0x00a0   0001 1f0b 3236 3131 3332 3730 321e 0839261132702..9
0x00b0   3834 3536 30   84560

and that gets into vlan-aaa2/detail:
Fri Jun 20 13:35:34 2003
NAS-IP-Address = 212.7.172.194
NAS-Port = 1161
NAS-Port-Type = ISDN
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Session-Id = "422153694"
X-Ascend-Disconnect-Cause = 42
X-Ascend-Connect-Progress = 65
X-Ascend-Data-Rate = 64000
X-Ascend-PreSession-Time = 3
X-Ascend-Pre-Input-Octets = 161
X-Ascend-Pre-Output-Octets = 124
X-Ascend-Pre-Input-Packets = 11
X-Ascend-Pre-Output-Packets = 11
X-Ascend-Xmit-Rate = 64000
X-Ascend-Modem-PortNo = 46
X-Ascend-Modem-SlotNo = 7
X-Ascend-Modem-ShelfNo = 1
Calling-Station-Id = "261132702"
Called-Station-Id = "984560"
Client-IP-Address = vlan-aaa2
Timestamp = 1056108934

Any idea where this gets mixed up?

Oliver.




RE: Radius does not try to register with SMUX- REPOSTED

2003-06-20 Thread Yousef Jamous
As I checked my config.log file, I found the following messages. Do they
mean that my snmp support was not installed? And how can I fix it?


configure: In function `main':
configure:7755: warning: unused variable `a'
configure:7887: checking for snmp_build_var_op in -lsnmp
configure:7899: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG   c
onftest.c -lnsl -lresolv -lsocket -lposix4  -lpthread -lsnmp 1>&5
Undefined   first referenced
 symbol in file
EVP_md5 /usr/local/lib/libsnmp.so
EVP_DigestFinal /usr/local/lib/libsnmp.so
EVP_DigestUpdate/usr/local/lib/libsnmp.so
kstat_close /usr/local/lib/libsnmp.so
des_cbc_encrypt /usr/local/lib/libsnmp.so
EVP_sha1/usr/local/lib/libsnmp.so
EVP_DigestInit  /usr/local/lib/libsnmp.so
kstat_lookup/usr/local/lib/libsnmp.so
kstat_read  /usr/local/lib/libsnmp.so
des_key_sched   /usr/local/lib/libsnmp.so
RAND_bytes  /usr/local/lib/libsnmp.so
des_ncbc_encrypt/usr/local/lib/libsnmp.so
HMAC/usr/local/lib/libsnmp.so
kstat_open  /usr/local/lib/libsnmp.so
kstat_data_lookup   /usr/local/lib/libsnmp.so
ld: fatal: Symbol referencing errors. No output written to conftest
collect2: ld returned 1 exit status
configure: failed program was:
#line 7892 "configure"
#include "confdefs.h"
extern char snmp_build_var_op();
int main() {
 snmp_build_var_op()
; return 0; }
configure:7921: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG   c
onftest.c -lnsl -lresolv -lsocket -lposix4  -lpthread -L/usr/lib -lsnmp
1>&5
Undefined   first referenced
 symbol in file
EVP_md5 /usr/local/lib/libsnmp.so
EVP_DigestFinal /usr/local/lib/libsnmp.so
EVP_DigestUpdate/usr/local/lib/libsnmp.so
kstat_close /usr/local/lib/libsnmp.so
des_cbc_encrypt /usr/local/lib/libsnmp.so
EVP_sha1/usr/local/lib/libsnmp.so
EVP_DigestInit  /usr/local/lib/libsnmp.so
kstat_lookup/usr/local/lib/libsnmp.so
kstat_read  /usr/local/lib/libsnmp.so
des_key_sched   /usr/local/lib/libsnmp.so
RAND_bytes  /usr/local/lib/libsnmp.so
des_ncbc_encrypt/usr/local/lib/libsnmp.so
HMAC/usr/local/lib/libsnmp.so
kstat_open  /usr/local/lib/libsnmp.so
kstat_data_lookup   /usr/local/lib/libsnmp.so
ld: fatal: Symbol referencing errors. No output written to conftest
collect2: ld returned 1 exit status
configure: failed program was:
#line 7914 "configure"
#include "confdefs.h"
extern char snmp_build_var_op();
int main() {
 snmp_build_var_op()
; return 0; }
configure:7943: gcc -o

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
Hampson
Sent: June 20, 2003 5:49 AM
To: [EMAIL PROTECTED]
Subject: RE: Radius does not try to register with SMUX- REPOSTED

> From: Yousef Jamous
> Sent: Friday, 20 June 2003 7:18 AM

> Can you please send me the lines before and after the "$INCLUDE
> ${confdir}/snmp.conf" to compare it with mine?


# SNMP CONFIGURATION
#
#  Snmp configuration is only valid if SNMP support was enabled
#  at compile time.
#
#  To enable SNMP querying of the server, set the value of the
#  'snmp' attribute to 'yes'
#
snmp= yes
$INCLUDE  ${confdir}/snmp.conf


# THREAD POOL CONFIGURATION
--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

The Creation of the Universe was made
possible by a grant from Texas Instruments.
-- PBS
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=






Re: dialup_admin w/ postgre..

2003-06-20 Thread Kostas Kalevras
On Wed, 18 Jun 2003, twomsman wrote:

>
> Hello Lister...
>
> Has anyone successfully deployed dialup_admin w/ postgre backend? I have
> problems when deploying it:
>
> 1. I tried many times and when I create a user using dialup_admin there is
> a message saying "Could not connect to SQL database". FYI I have set
> postgre to listen on a TCP socket (with the -i option). I set the
> user, password, host=localhost, table etc. The message always shows up.

Do you see anything in your db log file?
Post the sql_* directives of admin.conf.
Enable sql debug in dialupadmin.

In general I haven't tested postgresql support for dialupadmin so I am not sure
how well it works.

>
> 2. I cannot use the sql commands in the /sql dir with postgre. Always an error.
> Does anyone have the right sql commands for postgre?

What's the error? Can't help you much on that though.

>
>
>
> Regards
>
>
> Maurice
>
> Quasarmail.net
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: module counter

2003-06-20 Thread Kostas Kalevras
On Wed, 18 Jun 2003, Roberto Pioli wrote:

> when the module counter returns:
>
> rlm_counter: Entering module authorize code
> rlm_counter: Could not find Check item value pair

>   modcall[authorize]: module "counter" returns noop
> modcall: group authorize returns ok
>
>
>
> What's the matter?

Isn't it obvious?

>
> Rob
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Module counter reset option

2003-06-20 Thread Kostas Kalevras
On Wed, 18 Jun 2003, Roberto Pioli wrote:

> I read in the radiusd.conf that the reset option for the counter module can
> be user defined.
> How can I do this?

#  It can also be user defined. It should be of the form:
#  num[hdwm] where:
#  h: hours, d: days, w: weeks, m: months
#  If the letter is omitted, days will be assumed. For example:
#  reset = 10h (reset every 10 hours)
#  reset = 12  (reset every 12 days)
#


>
> Thanks
>
> Rob
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

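Added example (not rlm_counter's own code) that parses the user-defined reset spec quoted above, rejects malformed values, and shows how a month-based reset differs from the fixed-length units. Function and type names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <time.h>

/* Added example, not rlm_counter's own parser: the user-defined reset
 * spec "num[hdwm]" from the radiusd.conf comment quoted above. */
typedef struct {
    long num;   /* numeric part, must be > 0 */
    char unit;  /* 'h' hours, 'd' days, 'w' weeks, 'm' months */
} reset_spec_t;

/* Parse "10h", "12", "2w", "1m".  Returns 0 on success, -1 when the spec
 * is empty, has no leading digit, a zero count, an unknown unit letter
 * or trailing junk ("10hh").  An omitted letter means days. */
int parse_reset_spec(const char *spec, reset_spec_t *out)
{
    char *end;
    if (spec == NULL || !isdigit((unsigned char)spec[0])) return -1;
    long num = strtol(spec, &end, 10);
    if (num <= 0) return -1;
    if (*end != '\0' && (strchr("hdwm", *end) == NULL || end[1] != '\0'))
        return -1;
    out->num = num;
    out->unit = (*end == '\0') ? 'd' : *end;
    return 0;
}

/* Seconds in one period for the fixed-length units; -1 for months, which
 * are calendar based (see below), -2 when the spec does not parse. */
long reset_period_for(const char *spec)
{
    reset_spec_t s;
    if (parse_reset_spec(spec, &s) != 0) return -2;
    switch (s.unit) {
    case 'h': return s.num * 3600L;
    case 'd': return s.num * 86400L;
    case 'w': return s.num * 7L * 86400L;
    default:  return -1;
    }
}

/* Date of the next reset after noon on y-mo-d, packed as yyyymmdd, or -1.
 * Out-of-range fields are normalised by mktime(), so "1m" from Jan 31
 * lands on Mar 3 in a non-leap year: worth documenting for month resets. */
long next_reset_ymd(const char *spec, int y, int mo, int d)
{
    reset_spec_t s;
    struct tm t;
    if (parse_reset_spec(spec, &s) != 0) return -1;
    memset(&t, 0, sizeof t);
    t.tm_year = y - 1900; t.tm_mon = mo - 1; t.tm_mday = d;
    t.tm_hour = 12; t.tm_isdst = -1;        /* noon keeps clear of DST edges */
    switch (s.unit) {
    case 'h': t.tm_hour += (int)s.num; break;
    case 'd': t.tm_mday += (int)s.num; break;
    case 'w': t.tm_mday += (int)s.num * 7; break;
    case 'm': t.tm_mon  += (int)s.num; break;
    }
    if (mktime(&t) == (time_t)-1) return -1;
    return (t.tm_year + 1900) * 10000L + (t.tm_mon + 1) * 100L + t.tm_mday;
}
```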


Re: RADIUS + LDAP + TLS

2003-06-20 Thread Kostas Kalevras
On Fri, 20 Jun 2003, Kostas Kalevras wrote:

> On Wed, 18 Jun 2003, Owen DeLong wrote:
>
> > I don't know how to get TLS to work, but you should be able to do
> > SSL by specifying that the LDAP port to use is 669 (LDAPs) in
> > your radius.conf.  I'm, however, having a similar problem in that
> > I am unable to get it to work because of a complaint about a self-signed
> > certificate.  If you have any ideas on how to rectify that one, I'd
> > appreciate it.  I've posted my question to the list twice and have
> > received zero response.
> >
> > Owen
>
> Try the attached patch. I haven't tested it though.

You could also just try to change the configuration of the ldap client
library:
http://www.openldap.org/doc/admin21/tls.html

>
>
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: RADIUS + LDAP + TLS

2003-06-20 Thread Kostas Kalevras
On Fri, 20 Jun 2003, Francisco Orozco/Upcnet wrote:

> Hiya,
>
> I'm a bit confused. I'd like to use, as I mentioned, RADIUS + LDAP over
> encrypted communications (TLS).
>
> In order to use RADIUS + LDAP I've compiled FreeRadius, but I haven't
> installed any OpenLDAP SDK. Then I've configured radiusd.conf as mentioned
> in past messages.
>
> I try it and it works great. I can authenticate users via LDAP.
>
> When I try to use TLS I've configured radiusd.conf  parameters:
> "stat_tls=yes" "tls_mode=yes" "port=636"

StartTLS is an extended operation for starting TLS while connecting to the
normal ldap port (389). I would suggest
start_tls=yes, tls_mode=no and port=389.

I think that the tls_mode directive should go away completely and start_tls only
be allowed if we don't use the ldaps port. But I am not sure that the above is
correct.

>
> It's not working, see log: "Protocol Error". It means that I need to
> compile something.
>
> I don't want to authenticate the LDAP server from RADIUS, so I don't need to
> install OpenSSL and CA certificates. I only want to encrypt RADIUS - LDAP
> communication, without ensuring the identity of either.
>
> Please... can you shed some light on my work?
>
> > >> 
> > >>  rad_recv: Access-Request packet from host 127.0.0.1:32792,
> id=101,
> > >>  length=60
> > >>  User-Name = "test"
> > >>  User-Password = "1234567890"
> > >>  NAS-IP-Address = 255.255.255.255
> > >>  NAS-Port = 1
> > >>  rad_lowerpair:  User-Name now 'test'
> > >>  rad_lowerpair:  User-Password now '1234567890'
> > >>  modcall: entering group authorize
> > >>  rlm_ldap: - authorize
> > >>  rlm_ldap: performing user authorization for test
> > >>  radius_xlat:  '(uid=test)'
> > >>  radius_xlat:  'o=Prova'
> > >>  ldap_get_conn: Got Id: 0
> > >>  rlm_ldap: attempting LDAP reconnection
> > >>  rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
> > >>  rlm_ldap: setting TLS mode to 1
> > >>  rlm_ldap: starting TLS
> > >>  rlm_ldap: ldap_start_tls_s()
> > >>  rlm_ldap: could not start TLS Protocol error
> > >>  rlm_ldap: (re)connection attempt failed
> > >>  rlm_ldap: search failed
> > >>  ldap_release_conn: Release Id: 0
> > >>    modcall[authorize]: module "ldap" returns fail
> > >>  modcall: group authorize returns fail
> > >>  There was no response configured: rejecting request 0
> > >>  Server rejecting request 0.
> > >>  Finished request 0
> > >>  Going to the next request
> > >>  --- Walking the entire request list ---
> > >>  Waking up in 1 seconds...
> > >>  --- Walking the entire request list ---
> > >>  Waking up in 1 seconds...
> > >>  --- Walking the entire request list ---
> > >>  Sending Access-Reject of id 101 to 127.0.0.1:32792
> > >>  Waking up in 4 seconds...
> > >>  --- Walking the entire request list ---
> > >>  Cleaning up request 0 ID 101 with timestamp 3ef0694c
> > >>  Nothing to do.  Sleeping until we see a request.
>
> __
> Paco Orozco ([EMAIL PROTECTED])
> Telecommunications Division
> UPCNet
> Vèrtex Building - Pl. Eusebi Güell, 6
> Switchboard phone: 93.40.11600
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: RADIUS + LDAP + TLS

2003-06-20 Thread Kostas Kalevras
On Wed, 18 Jun 2003, Owen DeLong wrote:

> I don't know how to get TLS to work, but you should be able to do
> SSL by specifying that the LDAP port to use is 669 (LDAPs) in
> your radius.conf.  I'm, however, having a similar problem in that
> I am unable to get it to work because of a complaint about a self-signed
> certificate.  If you have any ideas on how to rectify that one, I'd
> appreciate it.  I've posted my question to the list twice and have
> received zero response.
>
> Owen

Try the attached patch. I haven't tested it though.


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Index: rlm_ldap.c
===
RCS file: /source/radiusd/src/modules/rlm_ldap/rlm_ldap.c,v
retrieving revision 1.106
diff -u -r1.106 rlm_ldap.c
--- rlm_ldap.c  19 May 2003 07:50:47 -  1.106
+++ rlm_ldap.c  20 Jun 2003 09:58:59 -
@@ -1450,6 +1450,8 @@
radlog(L_ERR, "rlm_ldap: could not set LDAP_OPT_X_TLS option 
%s", ldap_err2string(ldap_errno));
}
}
+   if (ldap_int_tls_config(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, "allow") != 
LDAP_OPT_SUCCESS)
+   radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_X_TLS_REQUIRE_CERT");
 
if (inst->start_tls) {
DEBUG("rlm_ldap: starting TLS");
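Review bot: passing "allow" for LDAP_OPT_X_TLS_REQUIRE_CERT in the two added lines turns off certificate verification for every connection the module makes, so the self-signed-certificate complaint goes away, but rlm_ldap will then also accept whatever certificate is presented on the ldaps or StartTLS connection, and TLS no longer guarantees it is talking to the real directory; this belongs behind a new configuration directive that defaults to requiring a valid certificate, with "allow" as an explicit opt-in. Also, ldap_int_tls_config() is a libldap-internal function (the ldap_int_ prefix), not a public API, and it is being called with a NULL handle to change global library state; the supported route is ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &req) with an int such as LDAP_OPT_X_TLS_DEMAND. Finally, the preceding context reports the LDAP_OPT_X_TLS failure with ldap_err2string(), so the new radlog() call should carry the error string as well rather than a bare message.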


Re: simultaneous-use reply-message

2003-06-20 Thread Alexander M. Pravking
On Fri, Jun 20, 2003 at 11:57:46AM +0300, gunce ciftci wrote:
> Dear list,
> I am using (v0.8.1)
> simultaneous-use attribute with Bay RAC 8000 without problems.
> Users also get and see the "You are already logged in - access denied"
> message through NAS-Prompt when they are trying to connect beyond the
> limit. To make life easier for hot-line staff, we should have it in
> native language.

Are you sure your NAS won't go crazy because of non-ascii characters?
Don't you expect charset problems?

> I don't know if somebody ever needed it. I looked for
> this reply message in radiusd.conf, radcheck, could not see it..

It's hard-coded currently, so you can edit the sources and then recompile
radius.


Dear developers, how about customizable messages? Something like this in
radiusd.conf:
messages {
multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
timespan_violation = "You are calling outside allowed timespan\r\n"
...
}

I probably could work on that, but I need some guidelines:
1. Should it be a set of static variables, or searchable list like
   dictionary?
2. Should it be per-module configuration, or global?
3. Where to put these parameters in config?
4. Recommended naming conventions?


-- 
Fduch M. Pravking



simultaneous-use reply-message

2003-06-20 Thread gunce ciftci

Dear list,
I am using (v0.8.1)
simultaneous-use attribute with Bay RAC 8000 without problems.
Users also get and see the "You are already logged in - access denied"
message through NAS-Prompt when they are trying to connect beyond the
limit. To make life easier for hot-line staff, we should have it in
native language. I don't know if somebody ever needed it. I looked for
this reply message in radiusd.conf, radcheck, could not see it..

Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"
Where is this reply message defined, so that admins can change/add it?

Regards,
Gunce

Gunce Ciftci
Middle East Technical University
Computer Center
[EMAIL PROTECTED]





Re: Re: EAP/TLS Setup problem

2003-06-20 Thread Jean-Guillaume LALANNE
Hi Jason,

I forgot to say that I am on a freeBSD box.
I put in attachment the install programs, I used.
In addition I give you the logs (when doing ./CA.clt; the ./CA.root and
./CA.svr were OK):




X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Jun 19 07:46:03 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
No certificate matches private key
1228:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
long:asn1_lib.c:138:unable to load certificate
1229:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE


Thanks a lot for your help.

Best Regards

Jean-Guillaume



- Original Message -
From: "王志欣" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 20, 2003 3:22 AM
Subject: Re: Re: EAP/TLS Setup problem


Hi Jean-Guillaume,

I also followed this guide. I succeeded. Please post your log information.


   Jeson
[EMAIL PROTECTED]
  2003-06-20

>Hi Umesh,
>
>I am trying to install a freeradius/EAP-TLS authentication for my wireless
>network (DWL 1000 AP +) by following the instructions at
>http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but
>I don't manage to create the certificate correctly ...
>(I use openssl-0.9.7b)
>How do you manage to do it?
>
>Thanks a lot for your help,
>
>Best regards,
>
>Jean-Guillaume
>
>
>- Original Message -
>From: "Umesh" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, June 10, 2003 8:54 AM
>Subject: EAP/TLS Setup problem
>
>
>> Hi All,
>>
>> I am new to FreeRadius. I am trying to setup EAP/TLS authentication. I have
>> installed OpenSSL-0.9.7b and FreeRadius 0.8.1. I followed the instructions at
>> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but when I run
>>
>> radiusd -x -A, an error occurs - Unknown value "EAP".
>> (I have set Auth-Type=EAP in /etc/raddb/users)
>> Any help would be appreciated.
>>
>> Regards,
>> Umesh
>>
>
>









Attachments (binary data): CA.clt, CA.root, CA.svr, installfreeradius, openssl, openssl.cnf, random, xpextensions