Re: Interface with standard wireless access point

2003-08-05 Thread Aime
Omar,

What did you change in the client file exactly?


--- MuLa_oMaR <[EMAIL PROTECTED]> wrote:
> h,
> I have probed against Cisco 350 and Dlink 900AP+ and some problems
> occur with this last. After a lot of hours and one change in
> clients.conf all is ok.
> 
> Regards.
> Omar.
> 
> Mauricio García Ocaña wrote:
> > Yes, this is no problem, i.e. a.p cisco 1200 with radius in windows,
> > linux or solaris, this works.
> > 
> > Regards.
> > Mauricio
> > - Original Message -
> > From: "Wireless Orbit Inc"
> <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, August 04, 2003 6:00 PM
> > Subject: Interface with standard wireless access
> point
> > 
> > 
> > 
> >>Hello all,
> >>
> >>Will free radius work with any standard wireless
> access
> >>point that has a built in radius client such as
> >>Aironet, Orinoco, colubris etc? i.e can it be used
> as a
> >>server to authenticate users coming through any of
> the
> >>standard radius-supported access point? Any help
> will
> >>be appreciated!
> >>
> >>Much thanks!
> >>
> >>Wireless Orbit Inc.
> >>



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-MD5 and User-Password

2003-08-05 Thread Artur Hecker
hi


> An entry for an EAP user can look like this (say):
> 
> "joe"  Auth-Type := eap, User-Password == "hello"
> Session-Timeout = 300
> 
> (side note: is the Auth-Type := eap part really necessary? I would expect
> not since the eap module apparently adds the Auth-Type attribute to the
> config list regardless of what's included in the user entry)

it's not. set it to system or local before. it's more correct to let it
be set by the authorize section. the eap module in authorize will do so if
it finds a relevant eap-message included.

 
> The users file man page says this about the == operator (applied to the
> User-Password attribute above):
> 
> "Attribute == Value"
> As a check item, it matches if the named attribute is present in the
> request, AND has the given value. Not allowed as a reply item.
> 
> And RFC 2269 says :
> 
> [Note 1] An Access-Request that contains either a User-Password or
>   CHAP-Password or ARAP-Password or one or more EAP-Message attributes
>   MUST NOT contain more than one type of those four attributes.
> 
> I take this to mean that the EAP-Message attribute and User-Password
> attribute are mutually exclusive, i.e. you can never have a User-Password
> attribute in a request if it has an EAP-Message attribute.

yes, they are: in the access-request. that's logical: user-password as
an attribute is only necessary when you use PAP. if CHAP is used, the
CHAP-Password attribute is used instead; when EAP is used, EAP-Message
is used (since the method can contain more than just a "password"), etc.
that's so far very consistent.

the only problem you have is that you are generally confusing the
User-Password check item in the user configuration with the attributes
sent in the Access-Request (which is not further surprising, since the
names are the same). The fact is that the Radius server never sends
Access-Requests except for proxying, and the User-Password never appears
in the Access-Requests containing EAP-Message since it is only used
locally. thus, both cannot appear in the Access-Requests at the
same time, which is perfectly RFC conformant.

now, for the probable reason: in EAP/MD5 you as a server receive the
EAP/Identity and issue the EAP/MD5-Challenge (both contained in the
EAP-Message attribute). then you get the answer back and this has to be
verified against some shared secret. you CAN probably store this secret
in some special file, some new check item or something else. the guys
simply re-used User-Password. remark: CHAP-Password would have been
perhaps more logical since EAP/MD5 is almost identical to CHAP with MD5
*BUT* unfortunately CHAP-Passwords *are* sent in the Access-Replies and
are thus not local check items.

that's my understanding of the whole story. they just needed a place to
put the password in.

 
> The above user profile does indeed work on 0.8.1 for EAP-MD5. But it
> shouldn't work, as far as I can see, since we have a check item
> (User-Password) which does not technically match any attribute in the
> request (User-Password isn't even present, since the request contains an
> EAP-Message). The request should not make it past the authorization stage.
> Any comments?

it doesn't match any attributes in the request. BUT: the EAP-Message is
present and thus the message is treated by the EAP module (the Auth-Type is
explicitly set to := EAP if EAP-Message is found). the latter happens to
look for the password in the User-Password check item of the user
configuration.

now, try to find an RFC which prescribes where the EAP-Message verifier
gets the user's password from. you probably won't, since it's an
implementation issue and the IETF is all about protocols.


ciao
artur

-- 
Artur Hecker
artur[at]hecker.info

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
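The exchange Artur describes above (the server issues an EAP/MD5-Challenge inside EAP-Message, the peer answers, and the server recomputes the hash from the User-Password check item it holds locally), as an added example written for this page; it is not code from FreeRADIUS or from any poster. The packet layout follows the EAP MD5-Challenge type (type 4, RFC 2284, later RFC 3748) and the response value is MD5(Identifier | secret | Challenge) as in RFC 1994. The USERS dictionary, the user name "joe"/"hello" (taken from the users-file entry quoted in the thread), the fixed challenge and all function names are constructed for the example.

```python
import hashlib
import hmac
import struct

# EAP codes and the MD5-Challenge method type (RFC 2284 / RFC 3748)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# Constructed stand-in for the users file: the User-Password check item is the
# secret the EAP/MD5 verifier reads locally. It is never an attribute of the
# Access-Request, which carries only EAP-Message (plus User-Name from EAP/Identity).
USERS = {"joe": "hello"}


def md5_challenge_value(identifier: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier | secret | Challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def build_md5_challenge(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP packet: Code | Identifier | Length | Type=4 | Value-Size | Value | Name."""
    if not 0 < len(value) < 256:
        raise ValueError("Value-Size must fit in one octet")
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def parse_md5_challenge(packet: bytes):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(packet) < 6:
        raise ValueError("short EAP packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    value_size = packet[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:length]


def verify_md5_response(response: bytes, expected_id: int, challenge: bytes,
                        user_name: str, users: dict = USERS) -> bool:
    """Server side: take the identity from EAP/Identity (User-Name), read the
    User-Password check item for it, recompute the hash over the challenge the
    server itself sent, and compare in constant time."""
    try:
        code, identifier, value, _name = parse_md5_challenge(response)
    except ValueError:
        return False
    if code != EAP_RESPONSE or identifier != expected_id or len(value) != 16:
        return False
    password = users.get(user_name)
    if password is None:
        return False
    return hmac.compare_digest(md5_challenge_value(identifier, password, challenge), value)


def run_exchange(user_name: str, peer_password: str, challenge: bytes, identifier: int = 1) -> bool:
    """Both sides of the exchange: server challenge, peer response, server verdict."""
    request = build_md5_challenge(EAP_REQUEST, identifier, challenge, b"radius-server")
    code, req_id, req_challenge, _ = parse_md5_challenge(request)  # the peer parses the request
    assert code == EAP_REQUEST
    response = build_md5_challenge(EAP_RESPONSE, req_id,
                                   md5_challenge_value(req_id, peer_password, req_challenge),
                                   user_name.encode())
    return verify_md5_response(response, identifier, challenge, user_name)


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed; a real server draws a fresh random challenge per request
    print("joe / hello:", run_exchange("joe", "hello", challenge))
    print("joe / wrong:", run_exchange("joe", "wrong", challenge))
```

The verifier only ever compares against the challenge the server itself issued, so a captured response cannot be replayed against a later challenge, and the password leaves the server only as an MD5 input, which is why the check item has to be the clear-text password rather than a hashed one.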


Re: Advantages of Using SQL ?

2003-08-05 Thread Evren Yurtesen
maybe that's the problem, you are not designed to remember millions of 
girlfriends' names/numbers etc. that's why you are inefficient by design 
in this particular area of operation.

so you hire a secretary which will improve your efficiency :)

Evren

Robert LaGrasse wrote:

If I could remember the names and numbers of millions of girlfriends
simultaneously, I could still call any of them faster myself. Having a
secretary to keep track of my dates and remind me when special occasions
come up is also useful. Either way, I'm a pretty happy guy... 

;)

-Original Message-
From: SIMICRO ML [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 1:32 AM
To: [EMAIL PROTECTED]
Subject: Re: Advantages of Using SQL ?
Peter Nixon wrote:

On Tue August 5 2003 06:37, Evren Yurtesen wrote:


It's like saying that example B is faster than example A in the following
scenario:

A) You need to call your girlfriend. You know her number, so you dial it and
talk to her.

B) You need to call your girlfriend. You don't know her number, so you call
your secretary and ask her to look it up in the phone book. Your secretary
looks up the number, calls you back and gives it to you, then you call your
girlfriend.

Which do you think is faster?? Bzzzt. WRONG ANSWER. Just because the phone
book has a great, wonderfully efficient index, and your secretary is very
good at using it, doesn't mean that it's faster than having the number in
your own head


... and what if you had _millions_ of girlfriends :-D

@+


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RADIUS with LDAP authentication -- problems - rlm_ldap

2003-08-05 Thread Octavio Ramirez Rojas







Hi, I want to make radius authentication with ldap.
 
I am working under linux mandrake 9.0, freeradius and openldap-2.1.21
 
 I modified radiusd.conf file like this:
 
--
 ldap {
 server = "127.0.0.1"
 identity = "cn=Manager,dc=prism,dc=fr"
 password = nobodys
 basedn = "dc=prism,dc=fr"
 filter = "(&(objectclass=posixAccount)(uid=%u))"
 start_tls = no
 tls_mode = no
 ldap_connections_number = 5
 groupname_attribute = cn
 groupmembership_filter =
 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 timeout = 4
 timelimit = 3
 net_timeout = 1
 }
 
 
 
 authenticate {
 #   pam
 #   unix
 
 # Uncomment it if you want to use ldap for authentication
 authtype LDAP {
 ldap
 }
 }
 
 but i have this error:

read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
radiusd.conf[636] Failed to link to module 'rlm_ldap': rlm_ldap.so:
cannot open shared object
file: No such file or directory

---

 
 
I do not have this file "rlm_ldap.so"; how do I create it?
 
 Regards
 
 Octavio



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: R:PROBLEM IN START SERVICE

2003-08-05 Thread Earl C. Ruby III
ELF is an object file access library used by Solaris. Is it installed on your 
system?

See http://www.netsys.com/cgi-bin/man2html?elf(3ELF) for more info.

On Tuesday 05 August 2003 07:11 am, Simone Giovanardi wrote:
> I have installed freeradius 0_8_1 on a solaris 8 platform.
> When I try to start the 'radiusd' service, the following message appears
> at the prompt: "cannot find ELF"
> "Killed"
>
> What's happened??
>
> Thank you in advance.


-- 
Earl C. Ruby III <[EMAIL PROTECTED]>
Senior Systems Engineer / Developer
Switch Management

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Interface with standard wireless access point

2003-08-05 Thread MuLa_oMaR
h,
I have probed against Cisco 350 and Dlink 900AP+ and some problems occur
with this last. After a lot of hours and one change in clients.conf
all is ok.

Regards.
Omar.
Mauricio García Ocaña wrote:
Yes, this is no problem, i.e. a.p cisco 1200 with radius in windows, linux or
solaris, this works.
Regards.
Mauricio
- Original Message -
From: "Wireless Orbit Inc" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 04, 2003 6:00 PM
Subject: Interface with standard wireless access point


Hello all,

Will free radius work with any standard wireless access
point that has a built in radius client such as
Aironet, Orinoco, colubris etc? i.e can it be used as a
server to authenticate users coming through any of the
standard radius-supported access point? Any help will
be appreciated!
Much thanks!

Wireless Orbit Inc.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Advantages of Using SQL ?

2003-08-05 Thread Evren Yurtesen
I think if you had millions of girlfriends you would be broke :)
*lol* and your memory would wear off because of too many write attempts
from millions of girlfriends. :)))
Jeremy Davis wrote:

It is a good analogy, obviously if you had millions of girlfriends it would
take more memory :)
Memory in both cases would still be faster, anything loaded in memory will
always be faster, anything accessing a harddrive will almost always be the
bottleneck compared to loading from memory.
Jeremy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Peter Nixon
Sent: Tuesday, August 05, 2003 2:34 AM
To: [EMAIL PROTECTED]
Subject: Re: Advantages of Using SQL ?
On Tue August 5 2003 08:32, SIMICRO ML wrote:

Peter Nixon wrote:

On Tue August 5 2003 06:37, Evren Yurtesen wrote:

It's like saying that example B is faster than example A in the following
scenario:
A) You need to call your girlfriend. You know her number, so you dial it
and talk to her.
B) You need to call your girlfriend. You don't know her number, so you
call your secretary and ask her to look it up in the phone book. Your
secretary looks up the number, calls you back and gives it to you, then
you call your girlfriend.
Which do you think is faster?? Bzzzt. WRONG ANSWER. Just because the
phone book has a great, wonderfully efficient index, and your secretary
is very good at using it, doesn't mean that it's faster than having the
number in your own head
... and what if you had _millions_ of girlfriends :-D


Yes. Like all analogies it's not perfect, but it does illustrate the point we
were talking about.
--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: RADIUS with LDAP authentication -- problems - rlm_ldap

2003-08-05 Thread Willey Kurt D
Install ldap (such as www.openldap.org)

Use these if you install somewhere funky

--with-rlm-ldap-include-dir=/path/to/ldap/include
--with-rlm-ldap-lib-dir=/path/to/ldap/lib

-Original Message-
From: Octavio Ramirez Rojas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 9:24 AM
To: [EMAIL PROTECTED]
Subject: RADIUS with LDAP authentication -- problems - rlm_ldap









-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Querry Regarding Radius server running

2003-08-05 Thread Rudramuni PH

Can you tell me any command that will remove all the installed files?

regards
rudra


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


proxy.conf - Question

2003-08-05 Thread Hans Bornemann
Hello all,

I want to test and install freeradius on a new machine parallel to our
dialin-service, which works with an old ascend radius version. The
running dialin-service runs without realms. My idea for testing and
configuration was the following:

proxy.conf
-
# for testing [EMAIL PROTECTED] --> freeradius
realm test {
type= radius
authhost= LOCAL
accthost= LOCAL
}

# for production, dialin-service

realm NULL {
   type= radius
   authhost= old-ascend-maschine:1645
   accthost= old-ascend-maschine:1646
   secret  = blabla
}
-
but this does not work, because freeradius is looking for the user
[EMAIL PROTECTED] (without cutting the realm) in my mysql-db.

When I changed the proxy.conf to:
--
# for testing [EMAIL PROTECTED] --> freeradius
realm test {
type= radius
authhost= old-ascend-maschine:1645
accthost= old-ascend-maschine:1646
secret  = blabla
}

# for production, dialin-service

realm NULL {
   type= radius
   authhost= LOCAL
   accthost= LOCAL
}
---

Any ideas how to get the first config running?

Thanks

-- 
Hans Bornemann

Universitaet Dortmund
Hochschulrechenzentrum
August Schmidt Str. 12

44227 Dortmund

Tel. ++49 231 7552132
Fax. ++49 231 7552731


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Advantages of Using SQL ?

2003-08-05 Thread Graeme Hinchliffe
> > About the operating system stuff, the load of exchanging few messages in
> > memory can not be so overwhelming compared to an inefficient search of a
> > few hundred thousands of users from a text database even when its in
> > memory already.
> 
> What is so inefficient about the search algorithm used by FreeRadius. (I have 
> not looked currently) If is IS slow, then once again, we can simply use the 
> "efficient" algorithm from MySQL instead of the one currently in use.

Perhaps FreeRADIUS generates a random number and then checks the corresponding entry, 
if it's not right it does a do nothing loop for a bit and then generates another 
random number.. repeat until it finds the record. :)

-- 
-
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk)

ICQ 3842605 (link)

Direct: 01706 900 212
Sales : 0870 6000 971
Fax   : 0870 6000 972


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using sql_counter to limit session time within a 24 hour period

2003-08-05 Thread Tom Emerson
On Monday 04 August 2003 1:26 pm, Roger Sherwood wrote:
> I'm looking for some guidance on how to limit a user's session time (i.e.
> to 1 hour) within a 24 hour period and not reset the counter afterwards.

Let me rephrase this and see if I understand what you're looking for:

Are you trying to create a counter such that once a user logs in, he has up to 
24 hours to use just one actual hour of connect time

-OR-

once a user is entered into the database, he can use one hour anytime between 
now and 24 hours from now

in either case, once the 24 hours is up, the user cannot log in again [ever], 
and if the initial hour wasn't fully used, oh well, it's lost?

> My sqlcounter.conf looks like this (the "daily" counter provided in the
> example with the reset set to never instead of daily):

There is a "known bug" with 0.8.1 and reset=never -- if the radius server 
itself is reset, all the "reset=never" counters get reset anyway -- if you're 
testing (very likely) you are also probably restarting the server as you make 
changes to the config file and test.   [though I think this "bug" is related 
more for the "normal" DB counter, not the sql-counter, but it may apply here 
as well...]

> sqlcounter hourcounter {
> counter-name = Max-Hour-Session-Time
> check-name = Max-Hour-Session
> sqlmod-inst = sql
> key = User-Name
> reset = never
> query = "SELECT SUM(AcctSessionTime - GREATEST((%b -
> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND
> UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
> }

Actually, now that I think of it, "reset=" doesn't necessarily apply to 
sql-counter style counters, since the "select" statement itself can be 
constructed to imply a reset time [i.e., something like "...where 
day(acctstarttime) = day(now())" or similar for something that is reset 
"daily"]

> I set Max-Hour-Session to 3600 in radgroupcheck and the login does expire
> after an hour's usage but not within a 24 hour period, I can use it over
> several days until the limit is reached.

Hmmm... this kind of implies you want something different altogether [and I'm 
not sure my guesses above match]  let me take another shot: do you want to 
limit a user to one WALLTIME hour, i.e., even if the user logs out and back 
in, he only has one hour from the initial login?  And further, this "hour of 
access" should reset after a day?


> I've searched the archive and tried out a few variations but no joy.  Is
> this possible?
>
> Thanks for any enlightenment,
>
> Rog.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-- 
Yet another Blog: http://osnut.homelinux.net


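Tom's point above, that the sqlcounter SELECT itself can imply the reset window, carried through as an added example written for this page; it is not code from FreeRADIUS, rlm_sqlcounter or either poster. It runs Roger's query against a constructed in-memory radacct table in sqlite3, with the reset boundary (%b in the real module) passed as a parameter and the key (%k) as the user name. Differences from the MySQL original are assumptions of the example: AcctStartTime is stored as an integer epoch instead of DATETIME, so UNIX_TIMESTAMP() drops out, and sqlite's two-argument MAX() replaces GREATEST(). The session rows, the user names, the fixed "now" and all function names are constructed.

```python
import sqlite3

# Constructed "now": 2003-08-04 12:26:40 UTC, close to the thread's date
NOW = 1_060_000_000
DAY = 24 * 3600

# Constructed radacct rows: (UserName, AcctStartTime as unix epoch, AcctSessionTime in seconds).
# A real radacct stores AcctStartTime as DATETIME and the MySQL query applies UNIX_TIMESTAMP().
SESSIONS = [
    ("rog", NOW - 3 * DAY, 2000),      # three days ago: outside any 24 h window
    ("rog", NOW - 25 * 3600, 7200),    # started 25 h ago, ran 2 h: one hour falls inside the window
    ("rog", NOW - 20 * 3600, 1800),    # 20 h ago: inside the sliding window, but before today's midnight
    ("rog", NOW - 2 * 3600, 1500),     # 2 h ago
    ("alice", NOW - 3600, 600),
]


def make_radacct() -> sqlite3.Connection:
    """Build the constructed accounting table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", SESSIONS)
    return conn


def used_since(conn: sqlite3.Connection, user: str, reset_time: int) -> int:
    """Roger's sqlcounter query with the reset boundary (%b) as a parameter.
    A session that straddles the boundary contributes only the part after it;
    sessions that ended before the boundary are dropped by the WHERE clause.
    sqlite's two-argument MAX() stands in for MySQL's GREATEST()."""
    row = conn.execute(
        """SELECT COALESCE(SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)), 0)
           FROM radacct
           WHERE UserName = ? AND AcctStartTime + AcctSessionTime > ?""",
        (reset_time, user, reset_time),
    ).fetchone()
    return int(row[0])


def check_login(conn: sqlite3.Connection, user: str, limit: int,
                now: int = NOW, window: int = DAY):
    """Sliding 24 h window: the boundary is always now - window, so the query
    needs no reset= setting and a server restart cannot zero the counter.
    Returns (allowed, seconds remaining), the latter being what the counter
    would hand back as Session-Timeout."""
    used = used_since(conn, user, now - window)
    return used < limit, max(limit - used, 0)


def used_calendar_day(conn: sqlite3.Connection, user: str, now: int = NOW) -> int:
    """Tom's 'day(acctstarttime) = day(now())' variant: only sessions that
    started since (UTC) midnight count, and a session is counted in full."""
    midnight = now - now % DAY
    row = conn.execute(
        "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ? AND AcctStartTime >= ?",
        (user, midnight),
    ).fetchone()
    return int(row[0])


if __name__ == "__main__":
    db = make_radacct()
    for name in ("rog", "alice"):
        print(name, "total ever:", used_since(db, name, 0),
              "last 24 h:", used_since(db, name, NOW - DAY),
              "today:", used_calendar_day(db, name),
              "login with 3600 s limit:", check_login(db, name, 3600))
```

The three numbers differ for the same user: the lifetime total is what a reset=never counter reports, the sliding window is what the thread is after, and the calendar-day sum is what Tom's day() comparison yields, so the WHERE clause, not the reset= keyword, decides which policy is enforced.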