Re: [PATCH] gethostbyaddr_r and gethostbyname_r corrections
On Sat, Jun 21, 2003 at 07:47:37PM -0400, Alan DeKok wrote: Oliver Graf [EMAIL PROTECTED] wrote: This patchs enables the detection of the correct gethostby(name|addr)_r command, which is needed by a threaded radiusd. Unless I'm greatly mistaken, that functionality was added many months ago. See 'src/main/misc.c' I don't see anything for gethostbyname_r. Or I have a different cvs than you. I haven't looked at the diffs though, so it may not be relevant. For me its relevant. Without freeradius is not thread-safe. But the server ALREADY uses the '..._r' functions. What's the problem? Or am I missing something? The BSD style check is done last. BSD style gethostby is not thread safe on glibc2 systems. Cause the BSD check is done last, the configure script overwrites the previous detected GNU style gethostbyaddr_r. Just look at the diff, you will see that the sequence is changed (and a warning is added). Oliver. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Radius does not try to register with SMUX
From: Yousef Jamous Sent: Saturday, 21 June 2003 4:09 PM Here's my config.log I have gcc 3.0.1 configure:7918: gcc -o conftest -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs conftest.c -lnsl -lresolv -lsocket -lposix4 -lpthread -L/usr/local/lib -lsnmp 15 configure:7912: warning: function declaration isn't a prototype configure:7913: warning: function declaration isn't a prototype /usr/local/lib/libsnmp.so: undefined reference to `kstat_read' /usr/local/lib/libsnmp.so: undefined reference to `kstat_data_lookup' /usr/local/lib/libsnmp.so: undefined reference to `kstat_close' /usr/local/lib/libsnmp.so: undefined reference to `kstat_lookup' /usr/local/lib/libsnmp.so: undefined reference to `kstat_open' Interesting... according to Google, kstat_read etc are in -lkstat CFLAGS=-lkstat ./configure ... Maybe? If this proves to fix it, maybe -lkstat should be added as a thing for the configure script to attempt... (Note to self: aclocal.m4:3903) collect2: ld returned 1 exit status configure: failed program was: #line 7911 configure #include confdefs.h extern char snmp_build_var_op(); int main() { snmp_build_var_op() ; return 0; } -- = Paul TBBle Hampson Bubblesworth Pty Ltd (ABN: 51 095 284 361) [EMAIL PROTECTED] The Creation of the Universe was made possible by a grant from Texas Instruments. -- PBS - Random signature generator 3.0 by Paul TBBle Hampson = - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [PATCH] gethostbyaddr_r and gethostbyname_r corrections
On Sun, Jun 22, 2003 at 08:47:25AM +0200, Oliver Graf wrote: On Sat, Jun 21, 2003 at 07:47:37PM -0400, Alan DeKok wrote: Oliver Graf [EMAIL PROTECTED] wrote: This patch enables the detection of the correct gethostby(name|addr)_r command, which is needed by a threaded radiusd. Unless I'm greatly mistaken, that functionality was added many months ago. See 'src/main/misc.c' I don't see anything for gethostbyname_r. Or I have a different cvs than you.

I double checked this. There is no support in src/lib/misc.c for glibc2 style gethostbyname_r (hostent as param, not as return value) in cvs (I can't find src/main/misc.c, but this is perhaps a typo of yours).

I haven't looked at the diffs though, so it may not be relevant. For me it's relevant. Without it freeradius is not thread-safe. But the server ALREADY uses the '..._r' functions. What's the problem? Or am I missing something? The BSD style check is done last. BSD style gethostby is not thread safe on glibc2 systems. Cause the BSD check is done last, the configure script overwrites the previous detected GNU style gethostbyaddr_r. Just look at the diff, you will see that the sequence is changed (and a warning is added).

Again, a cvs upd shows that the order is wrong and was wrong, at least for me. Perhaps an autoconf oddity? I use autoconf 2.57. But I can't remember that autoconf 1.x did it in another way. The last definition goes, and as glibc2 systems both have gethostby_r and gethostby, and the gethostby check is done last, the configure script will always prefer the bsd variant which uses static storage and so is bad for threading.

Oliver.
RE: Radius does not try to register with SMUX
Thanks Paul for your help Can you please tell me where to put this option? -lkstat!!! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Hampson Sent: June 22, 2003 11:01 AM To: [EMAIL PROTECTED] Subject: RE: Radius does not try to register with SMUX From: Yousef Jamous Sent: Saturday, 21 June 2003 4:09 PM Here's my config.log I have gcc 3.0.1 configure:7918: gcc -o conftest -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs conftest.c -lnsl -lresolv -lsocket -lposix4 -lpthread -L/usr/local/lib -lsnmp 15 configure:7912: warning: function declaration isn't a prototype configure:7913: warning: function declaration isn't a prototype /usr/local/lib/libsnmp.so: undefined reference to `kstat_read' /usr/local/lib/libsnmp.so: undefined reference to `kstat_data_lookup' /usr/local/lib/libsnmp.so: undefined reference to `kstat_close' /usr/local/lib/libsnmp.so: undefined reference to `kstat_lookup' /usr/local/lib/libsnmp.so: undefined reference to `kstat_open' Interesting... according to Google, kstat_read etc are in -lkstat CFLAGS=-lkstat ./configure ... Maybe? If this proves to fix it, maybe -lkstat should be added as a thing for the configure script to attempt... (Note to self: aclocal.m4:3903) collect2: ld returned 1 exit status configure: failed program was: #line 7911 configure #include confdefs.h extern char snmp_build_var_op(); int main() { snmp_build_var_op() ; return 0; } -- = Paul TBBle Hampson Bubblesworth Pty Ltd (ABN: 51 095 284 361) [EMAIL PROTECTED] The Creation of the Universe was made possible by a grant from Texas Instruments. -- PBS - Random signature generator 3.0 by Paul TBBle Hampson = - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: [PATCH] gethostbyaddr_r and gethostbyname_r corrections
From: Alan DeKok Sent: Sunday, 22 June 2003 9:48 AM Oliver Graf [EMAIL PROTECTED] wrote: This patchs enables the detection of the correct gethostby(name|addr)_r command, which is needed by a threaded radiusd. Unless I'm greatly mistaken, that functionality was added many months ago. See 'src/main/misc.c' (That's src/lib/misc.c) Currently this file uses gethostbyaddr{,_r} either BSD, GNU or SYSV However, gethostbyname{,_r} is only using BSD or SYSV I haven't looked at the diffs though, so it may not be relevant. For me its relevant. Without freeradius is not thread-safe. But the server ALREADY uses the '..._r' functions. What's the problem? Or am I missing something? The problems are: gethostbyaddr_r determination will pick BSD (The non-_r version) over GNU or SYSV. This is because the BSD version was added to configure after the other two, and added _after_. gethostbyname_r detection was backed out of configure (meaning only the BSD (non-_r) version is used) because it was using a simple Does gethostbyname_r exist test, at the link I posted earlier... and hence not able to tell the difference between the SYSV and GNU versions. However, problems with the patch: the patch to src/lib/misc.c shows a cut and paste oversight by testing GETHOSTBYADDRRSTYLE when choosing the gethostbyname_r function to call. Oh, and when submitting patches to configure.in, I'd suggest submitting the equivalent patch to configure. Otherwise if someone overlooks the regeneration, it appears to not work for no apparent reason. The rest looks OK. I'm going to apply it to my copy, try it out, and commit it this evening barring problems. -- = Paul TBBle Hampson Bubblesworth Pty Ltd (ABN: 51 095 284 361) [EMAIL PROTECTED] The Creation of the Universe was made possible by a grant from Texas Instruments. -- PBS - Random signature generator 3.0 by Paul TBBle Hampson = - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
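The distinction argued over in this thread, as an added example (not FreeRADIUS code and not part of any poster's message): a name lookup that uses only caller-owned storage and refuses to build against the BSD-style call. `NAME_R_STYLE`, the `STYLE_*` constants and `lookup_ipv4_r` are hypothetical names, and the sample addresses are constructed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes gethostbyname_r() in glibc's <netdb.h> */
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Hypothetical names; a configure script would define NAME_R_STYLE. */
#define STYLE_GNU  1   /* int gethostbyname_r(name, &he, buf, len, &res, &herr) */
#define STYLE_SYSV 2   /* struct hostent *gethostbyname_r(name, &he, buf, len, &herr) */
#define STYLE_BSD  3   /* gethostbyname(): result lives in static storage */

#ifndef NAME_R_STYLE
#define NAME_R_STYLE STYLE_GNU /* assumption: building against glibc2 */
#endif

/*
 * Resolve `name` to its first IPv4 address using only caller-owned storage.
 * Returns 0 and fills *out on success, -1 on failure.
 * The switch is on the style detected for gethostbyNAME_r; reusing the macro
 * detected for gethostbyaddr_r here is the cut-and-paste slip mentioned in
 * the thread.
 */
int lookup_ipv4_r(const char *name, struct in_addr *out)
{
    struct hostent he, *res = NULL;
    size_t len = 256;
    char *buf = malloc(len);
    int herr = 0, ok = -1;

    if (buf == NULL)
        return -1;
#if NAME_R_STYLE == STYLE_GNU
    /* GNU style returns ERANGE while the scratch buffer is too small. */
    int rc;
    while ((rc = gethostbyname_r(name, &he, buf, len, &res, &herr)) == ERANGE) {
        char *bigger = realloc(buf, len *= 2);
        if (bigger == NULL) { free(buf); return -1; }
        buf = bigger;
    }
    if (rc != 0)
        res = NULL;
#elif NAME_R_STYLE == STYLE_SYSV
    /* SYSV style hands back the hostent pointer, NULL on failure (not built here). */
    res = gethostbyname_r(name, &he, buf, (int)len, &herr);
#else
#error "only BSD-style gethostbyname() found: static storage, unsafe with threads"
#endif
    if (res != NULL && res->h_addrtype == AF_INET && res->h_addr_list[0] != NULL) {
        memcpy(out, res->h_addr_list[0], sizeof(*out));  /* copy before freeing buf */
        ok = 0;
    }
    free(buf);
    return ok;
}

int main(void)
{
    /* Constructed inputs: dotted quads resolve without any DNS traffic. */
    struct in_addr a, b;
    char sa[INET_ADDRSTRLEN], sb[INET_ADDRSTRLEN];

    if (lookup_ipv4_r("127.0.0.1", &a) != 0 || lookup_ipv4_r("192.0.2.7", &b) != 0)
        return 1;
    /* Both answers are still intact: neither lives in libc's static buffer. */
    printf("%s %s\n", inet_ntop(AF_INET, &a, sa, sizeof sa),
                      inet_ntop(AF_INET, &b, sb, sizeof sb));
    return 0;
}
```

Turning the BSD fallback into a build error, rather than a silent default, is what keeps a later configure check from quietly replacing the re-entrant choice.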
RE: Radius does not try to register with SMUX
From: Yousef Jamous Sent: Sunday, 22 June 2003 5:48 PM

> Thanks Paul for your help Can you please tell me where to put this option? -lkstat!!!

When you call configure, use CFLAGS=-lkstat before the ./configure ... command. This assumes you're using bash:

CFLAGS=-lkstat ./configure ...

For {,t}csh, I _think_ it's

set CFLAGS=-lkstat ./configure ...

In both these cases, ... is the parameters you'd normally pass to configure.

-- = Paul TBBle Hampson Bubblesworth Pty Ltd (ABN: 51 095 284 361) [EMAIL PROTECTED] The Creation of the Universe was made possible by a grant from Texas Instruments. -- PBS - Random signature generator 3.0 by Paul TBBle Hampson =
RE: Accumulated time limit
Thanks Tom, worked perfectly first time! pity it doesn't keep the accumulated time between restarts, I guess I'll have to wait a little more. Thanks again A -Original Message- From: Tom Emerson [mailto:[EMAIL PROTECTED] Sent: Sat 21/06/2003 18:09 To: [EMAIL PROTECTED] Cc: Subject: Re: Accumulated time limit Andrea Coppini
creating users
Can anyone help me in creating users through the dialupadmin in freeradius? I loaded freeradius and placed the dialupadmin in /usr/local/ but am not able to create any users using this... radius is up and running fine without any problem... I checked this through the debugging mode.. and moreover I made the authorization and accounting through sql but I am not able to create sql users through the free radius. Can anyone help me in making things done with this dialupadmin? P.Suresh Vijayawada, A.P, India. Suresh.P, Vijayawada - 520 010. India. Ph : +91-866-485230 +91-866-483111
Re: [PATCH] gethostbyaddr_r and gethostbyname_r corrections
Oliver Graf [EMAIL PROTECTED] wrote: The BSD style check is done last. BSD style gethostby is not thread safe on glibc2 systems. Cause the BSD check is done last, the configure script overwrites the previous detected GNU style gethostbyaddr_r. Just look at the diff, you will see that the sequence is changed (and a warning is added). The solution is NOT to re-order the checks so that they *accidentally* work. The solution is to check for one re-entrant version, if that fails, check for another, etc. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [PATCH] gethostbyaddr_r and gethostbyname_r corrections
Oliver Graf [EMAIL PROTECTED] wrote:

> > Oh, and when submitting patches to configure.in, I'd suggest submitting the equivalent patch to configure. Otherwise if someone overlooks the regeneration, it appears to not work for no apparent reason.
>
> Hmmm. I did not do this, cause other projects I'm participating in do not keep configure in cvs cause it's an autogenerated thing. But I will try to keep this in mind, if I have to do another configure.in patch sometimes.

Personally, I'd prefer to *not* see patches to 'configure'. They tend to be huge and pointless, as they can be re-generated from 'configure.in'.

The reason that 'configure' is in CVS is that it's easier that way. I've seen projects where the instructions for the snapshots are "run autoconf, then ./configure". But if you have a different version of autoconf than they do, it doesn't work. And even if you have the same version of autoconf, they didn't bother to explain which extra magic parameters you need to pass to it, etc.

Having 'configure' in CVS means that the developers need to take an extra step, involving ~15 seconds when they make (rare) changes to the configure scripts. NOT having it in CVS means that endless other developers and users will curse your name.

Alan DeKok.
Re: Stop packet confirmation when in proxy mode - Feature Request
Drew Flickema [EMAIL PROTECTED] wrote: For the most part, I run my FR install in proxy mode. It has been seen that session stop packets are received by my FR, but on occasion, these stop packets are not received by the FR authentication endpoint due to network issues or possibly the FR endpoint experienced a hiccup. The server is configured by default to re-transmit proxied packets, until the middle server sees a reply. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Ascend Binary attribute error
Robert Haskins [EMAIL PROTECTED] wrote: The situation is this. The server starts up, will authenticate about the first 12 users or so, and then give the following error, at which time the proxy feeding this server will put it in dead status, causing major headache as you can probably imagine. I cannot figure out why this error isn't there at the start. The code which parses Ascend attributes is horrible, and probably the cause of that error. It should be re-written from scratch to follow the rest of the servers style and requirements. Until then, try running the server with '-s'. It may work better. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: help configuring FR with cisco aironet 350, eap/leap and W2000
At 10.13 20/06/03 -0500, you wrote: I don't use rlm_eap but suggest you read src/radiusd/doc/rlm_eap. It explains exactly what your problem is, (e.g. At least one EAP-Type sub-stanza should be defined as above, otherwise the server will not know what type of eap authentication mechanism to be usedAll the various options and their associated default values for each EAP-Type are documented in the sample radiusd.conf that is provided with the distribution.). Looks to me like you have said requirements commented out in your eap block. Thank you Cris, now it's all ok. I've changed the bind_address to *one* of my two IP on the machine, instead of using = *. Now I'm battleing with ldap ;) Bye, Luca - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: [PATCH] gethostbyaddr_r and gethostbyname_r corrections
From: Alan DeKok Sent: Sunday, 22 June 2003 10:50 PM Oliver Graf [EMAIL PROTECTED] wrote: The BSD style check is done last. BSD style gethostby is not thread safe on glibc2 systems. Cause the BSD check is done last, the configure script overwrites the previous detected GNU style gethostbyaddr_r. Just look at the diff, you will see that the sequence is changed (and a warning is added). The solution is NOT to re-order the checks so that they *accidentally* work. The solution is to check for one re-entrant version, if that fails, check for another, etc. OK, that's done now. I hope what's there now is more acceptable. Consider me somewhat chastised. :-) -- = Paul TBBle Hampson Bubblesworth Pty Ltd (ABN: 51 095 284 361) [EMAIL PROTECTED] When the DM smiles, it's too late -- Ancient Geek Proverb - Random signature generator 3.0 by Paul TBBle Hampson = - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Help making Radius and Dialup ready
I am really new to Linux... but somehow managed to get the info about installing and making the free-radius up. I am using mysql for database. I loaded php and am running everything on Linux 7.2. Now I am not able to create users using dialup-admin in database and even if I try just opening the newuser page it is keeping quiet. Can anyone help me in making things ok? mysql is running and radius is also running fine, which I was able to find out by running the radius in debugging mode using ./radiusd -x. I am really very new to Linux and just started to do the things... if anyone can help me in making things tune and run them well.. I will be very thankful to them... Thanks in Advance... = Suresh.P, Vijayawada - 520 010. India. Ph : +91-866-485230 +91-866-483111
understanding checkval
hi all I posted a question regarding checkval module, but I got no response from anyone. I am posting the question again on the list. Hope I get a reply this time. This is my question:

1) First of all, is it correct to say that checkval only checks for the attributes it can extract from the NAS (access point).

2) Then can I modify checkval to say, call a function in it, this function will process on the various data elements in the LDAP entry for the user and then accept or reject or simply send a message.

3) And last and equally important as the two above, what's the call-flow of checkval, how does it work.

thanks Reddy ([EMAIL PROTECTED]) - This mail sent through IMP: http://horde.org/imp/
log message patch for kerberos module
Hello, I have created a simple patch that standardises the log output for the kerberos module with other modules. If it could be included that would be great. Regards Allister --- rlm_krb5.orig Fri Apr 11 16:26:04 2003 +++ rlm_krb5.c Sun Apr 13 19:48:31 2003 @@ -156,6 +156,9 @@ krb5_context context = *(krb5_context *) instance; /* copy data */ const char *user, *pass; + VALUE_PAIR *module_fmsg_vp; + char module_fmsg[MAX_STRING_LEN]; + /* * We can only authenticate user requests which HAVE * a User-Name attribute. @@ -233,8 +236,11 @@ if ( (r = krb5_get_in_tkt_with_password(context, 0, NULL, NULL, NULL, pass, ccache, kcreds, 0)) ) { - radlog(L_AUTH, rlm_krb5: [%s] krb5_g_i_t_w_p failed: %s, + DEBUG(rlm_krb5: [%s] krb5_g_i_t_w_p failed: %s, user, error_message(r)); + snprintf(module_fmsg,sizeof(module_fmsg),rlm_krb5: %s, error_message(r)); + module_fmsg_vp = pairmake(Module-Failure-Message, module_fmsg, T_OP_EQ); + pairadd(request-packet-vps, module_fmsg_vp); krb5_free_cred_contents(context, kcreds); krb5_cc_destroy(context, ccache); return RLM_MODULE_REJECT; - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
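Review bot: In the second hunk (the krb5_get_in_tkt_with_password failure branch), the value returned by pairmake() goes straight into pairadd() with no NULL check; guard it, for example `if (module_fmsg_vp) pairadd(...)`, so a failed pairmake() cannot reach pairadd() with a null pointer. The same hunk replaces the radlog(L_AUTH, ...) call with DEBUG(), and the new Module-Failure-Message text no longer carries the [%s] user name, so please confirm that a failed Kerberos authentication is still recorded with the user outside debug mode; if that depends on how the server logs Module-Failure-Message, say so in the patch description.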
Re: understanding checkval
On Sun, 22 Jun 2003, Narasimha Reddy Gujja wrote:

> hi all I posted a question regarding checkval module, but I got no response from anyone. I am posting the question again on the list. Hope I get a reply this time. This is my question:
> 1) First of all, is it correct to say that checkval only checks for the attributes it can extract from the NAS (access point).

It checks attributes it finds in the access-request with attributes it gets from the check items (config items) list.

> 2) Then can I modify checkval to say, call a function in it, this function will process on the various data elements in the LDAP entry for the user and then accept or reject or simply send a message.

Without code patches no. In any case why? You can just extract the data elements in the ldap module and make them available as check items to the checkval module.

> 3) And last and equally important as the two above, what's the call-flow of checkval, how does it work.

Read the code. In any case you haven't told us anything about what exactly you are trying to do. That would make both our lives and yours much easier.

> thanks Reddy ([EMAIL PROTECTED])

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Re: Re: Re: EAP/TLS Setup problem
Hi Jean-Guillaume, Sorry for delay. I look through your script. Only difference between us is I only use OpenSSL-0.9.7b. Please create Root certificate first, and then server and client certificate. Let's test it again. Jeson [EMAIL PROTECTED] 2003-06-23 Hi Jason, I forgot to say that I am on a freeBSD box. I put in attachment the install programs, I used. In addition I give you the logs (when doing ./CA.clt client, the ./CA.root and ./CA.svr server were OK) : X509v3 extensions: X509v3 Extended Key Usage: TLS Web Client Authentication Certificate is to be certified until Jun 19 07:46:03 2004 GMT (365 days) Sign the certificate? [y/n]:y failed to update database TXT_DB error number 2 No certificate matches private key 1228:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:138:unable to load certificate 1229:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE Thanks a lot for your help. Best Regards Jean-Guillaume - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 20, 2003 3:22 AM Subject: Re: Re: EAP/TLS Setup problem Hi Jean-Guillaume, I also follow this guide. I succeed. Please post your log information. Jeson [EMAIL PROTECTED] 2003-06-20 Hi Umesh, I am trying to install a freeradius/EAP-TLS athentification for my wireless network (DWL 1000 AP +) by following the instructions at http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but I don't manage to create correctly the certificate ... (I use openssl-0.9.7b) How do you manage to do it ? Thanks a lot for your help, Best regards, Jean-Guillaume - Original Message - From: Umesh [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, June 10, 2003 8:54 AM Subject: EAP/TLS Setup problem Hi All, I am new to FreeRadius. I am trying to setup EAP/TLS authentication. I have installed OpenSSL-0.9.7b and FreeRadius 0.8.1. 
I followed the instructions at http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but when I run radiusd -x -A, an error occurs - Unknown value EAP. (I have set Auth-Type=EAP in /etc/raddb/users) Any help would be appreciated. Regards, Umesh
radius.log logging NAS address
Hi there, We have a situation where our radius server (in radius.log) is logging packets from the NAS as well as the proxy server. If I add the IP's to the clients.conf file, then the packets get listed as duplicates, if I leave them out, then I get unknown client messages. We dont have entries in radacct for these IP's, just the two proxies. cheers craig - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Squid - Freeradius authentication
Hi Ben, [EMAIL PROTECTED] 06/20/03 08:41PM Wei Ming Long said: Hi everyone, I have been tasked with a project to grant web access to some laptop clients. I have some wireless clients some of them have permission to surf the internet others don't. All web requests on port 80 are redirected by iptables to the Squid proxy server, can I use Freeradius to authenticate the users before sending the requests out into the internet. And if the users are not allowed to surf the internet, a web page will be sent to them telling them they are denied access. Can this be done? has anybody done this care to share their experience knowledge with me? Please help me. Thanks. Best regards Matthew Squid when running in transparent mode (as you currently have) can't do authentication, not to my humble knowledge anyway. So you would have to configure each client with the appropriate proxy settings and disable interception/transparent proxying. You can use PAM to get squid to authenticate via a radius server, or use the Squid RADIUS Authenticator module from http://selm.www.cistron.nl/authtools/ . I don't understand why Squid can't do authentication when running in transparent mode, can you explain it to me? Thank you very much As for the deny page - squid will throw one up by default, you can customise it if you like. -- Regards, Ben Johns http://www.naturalnetworks.net http://www.marinanet.com.au http://www.accessplus.com.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP and User files
I have a small problem. Currently I have a VOIP system here which uses freeradius 0.8.1 to authenticate. I have a users file which contains entry's like: 5551234Auth-Type := Accept, Huntgroup-Name == VOICE at the end of the file I have Unfortantly I have close over 150,000 of these entry's and as you can imagine the userfile is quite big. Ie 10meg now. Freeradius takes a wee while to start. I currently have an LDAP database used to auth my dialup customers. I need a way to put the phone customers in also. I need to be able to do something like this DEFAULT Huntgroup-Name == VOICE, User-Profile == cn=${User-Name}, dn=isp,dn=co,dn=nz If the userfile is not found in LDAP then falls back to this default profile which is in the users file. DEFAULT Auth-Type := Reject, Huntgroup-Name == VOICE Is that possible, if not what are my options? Bear in mind that I have to use LDAP, I can't convert to mysql or oracle. The aim of the game is to reduce the 10meg userfile down to virtually nothing. Thanks in Advance Simon Allard Simon Allard (Senior Tool Monkey) IHUG Ph (09) 358-5067 Email: [EMAIL PROTECTED] I'm out of my mind right now, but feel free to leave a message. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html