File blocked - ScanMail for Lotus Notes --> Re: Wicked screensaver

2003-08-19 Thread EUROPE-GW99%EUROPE
SCANMAIL has removed the attached file, due to its file extension SCR
(screen saver).
These executable files may contain viruses and are therefore blocked in
general!
For questions please call Notes Helpdesk 77577


Date: 20.08.2003 05:16:30
Subject:  Re: Wicked screensaver
Virus:
File: wicked_scr.scr
From: [EMAIL PROTECTED]
To:   [EMAIL PROTECTED]
Action: Blocked by Filter Rules;

Scanned by ScanMail for Lotus Notes 2.6
with scanengine 6.510-1002
and patternfile lpt$vpn.618


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Segmentation fault on Freeradius

2003-08-19 Thread Yasser Ahmed Hosny
I am running Freeradius 0.9 and I am writing accounting records to an
Oracle DB ver 8i. If the Database goes down, the Freeradius gives a
segmentation fault error and dies. I've tried also to point to another
database as a fail-over option, but the same results were encountered.
Please find below the gdb output along with the debug output and the
configuration.

GDB output

gdb /app/experimental/free-0.9/local/sbin/radiusd /app/experimental/free-0.9/local/sbin/core
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions. Type "show copying" to see the conditions. There is
absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...(no debugging symbols found)...
Core was generated by `./radiusd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt_i.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt_i.so.1
Reading symbols from /lib/librt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/libpthread.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.1
Reading symbols from /app/experimental/free-0.9/local/lib/libradius-0.9.0.so...done.
Loaded symbols for
/app/experimental/free-0.9/local/lib/libradius-0.9.0.so
Reading symbols from /usr/local/lib/libsnmp-0.4.2.5.so...done.
Loaded symbols for /usr/local/lib/libsnmp-0.4.2.5.so
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libsocket.so.1...done.
Loaded symbols for /lib/libsocket.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libkstat.so.1...done.
Loaded symbols for /lib/libkstat.so.1
Reading symbols from /usr/local/lib/libltdl.so.3...done.
Loaded symbols for /usr/local/lib/libltdl.so.3
Reading symbols from /lib/libdl.so.1...done.
Loaded symbols for /lib/libdl.so.1
Reading symbols from /lib/libc.so.1...done.
Loaded symbols for /lib/libc.so.1
Reading symbols from /usr/local/lib/libgcc_s.so.1...done.
Loaded symbols for /usr/local/lib/libgcc_s.so.1
Reading symbols from /lib/libgen.so.1...done.
Loaded symbols for /lib/libgen.so.1
Reading symbols from /lib/libaio.so.1...done.
Loaded symbols for /lib/libaio.so.1
Reading symbols from /lib/libmp.so.2...done.
Loaded symbols for /lib/libmp.so.2
Reading symbols from
/usr/platform/SUNW,Ultra-4/lib/libc_psr.so.1...done.
Loaded symbols for /usr/platform/SUNW,Ultra-4/lib/libc_psr.so.1
Reading symbols from /lib/libthread.so.1...done.
Loaded symbols for /lib/libthread.so.1
Reading symbols from
/app/experimental/free-0.9/local/lib/rlm_expr-0.9.0.so...done.
Loaded symbols for
/app/experimental/free-0.9/local/lib/rlm_expr-0.9.0.so
Reading symbols from
/app/experimental/free-0.9/local/lib/rlm_pap-0.9.0.so...done.
Loaded symbols for /app/experimental/free-0.9/local/lib/rlm_pap-0.9.0.so
Reading symbols from
/app/experimental/free-0.9/local/lib/rlm_chap-0.9.0.so...done.
Loaded symbols for
/app/experimental/free-0.9/local/lib/rlm_chap-0.9.0.so
Reading symbols from
/app/experimental/free-0.9/local/lib/rlm_mschap-0.9.0.so...done.
Loaded symbols for
/app/experimental/free-0.9/local/lib/rlm_mschap-0.9.0.so
Reading symbols from
/app/experimental/free-0.9/local/lib/rlm_unix-0.9.0.so...done.
Loaded symbols for
/app/experimental/free-0.9/local/lib/rlm_unix-0.9.0.so
Reading symbols from
/app/experimental/free-0.9/local/lib/rlm_eap-0.9.0.so...done.
Loaded symbols for /app/experimental/free-0.9/local/lib/rlm_eap-0.9.0.so
Reading symbols from
/app/experimental/free-0.9/local/lib/rlm_eap_md5-0.9.0.so...done.
Loaded symbols for
/app/experimental/free-0.9/local/lib/rlm_eap_md5-0.9.0.so
Reading symbols from
/app/experimental/free-0.9/local/lib/rlm_eap_leap-0.9.0.so...done.
Loaded symbols for
/app/experimental/free-0.9/local/lib/rlm_eap_leap-0.9.0.so
Reading symbols from
/app/experimental/free-0.9/local/lib/rlm_preprocess-0.9.0.so...done.
Loaded symbols for
/app/experimental/free-0.9/local/lib/rlm_preprocess-0.9.0.so
Reading symbols from
/app/experimental/free-0.9/local/lib/rlm_sql-0.9.0.so...done.
Loaded symbols for /app/experimental/free-0.9/local/lib/rlm_sql-0.9.0.so
Reading symbols from
/app/experimental/free-0.9/local/lib/rlm_sql_oracle-0.9.0.so...done.
Loaded symbols for
/app/experimental/free-0.9/local/lib/rlm_sql_oracle-0.9.0.so
Reading symbols from /oracle/ora817/lib//libclntsh.so.8.0...done.
Loaded symbols for /oracle/ora817/lib//libclntsh.so.8.0
Reading symbols from /oracle/ora817/lib//libwtc8.so...done.
Loaded symbols for /oracle/ora817/lib//libwtc8.so
Reading symbols from /lib/libsched.so.1...done.
Loaded symbols for /lib/libsched.so.1
Reading symbols from 

Freeradius snmp and MIBS problem

2003-08-19 Thread Yasser Ahmed Hosny
I've configured Freeradius to work with snmp. I discovered that I
only get snmp responses on some of the MIBS but not the others. Does
Freeradius treat or manipulate all MIBS? If yes, why can I not get a reply
for a MIB such as radiusAccServTotalInvalidRequests? I am getting replies
only on radiusAccServTotalRequests, radiusAccServUpTime,
radiusAccServResetTime and radiusAccClientTable.

Appreciate your help.

Regards

Yasser Ahmed Hosny




Re: FreeRadius and Cygwin

2003-08-19 Thread Chris Parker
At 04:49 PM 8/19/2003 -0700, A. Clausen wrote:
> I'm sure you get this question quite a bit, but I was wondering if anyone
> had successfully compiled FreeRadius under Cygwin, and if so, what
> modifications were required.  I've tried a couple of quick compiles, but so
> far have been unable to.

Yes, as far back as 0.2.

The trick was to compile static modules ala:

./configure --disable-shared

And also disabling a few of the modules that try to use stuff that cygwin
doesn't have.  Try disabling shared modules, and then clean up the 'stable'
module list to only list the modules you need/want.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Again --User Expiration Date

2003-08-19 Thread alantu
Hi all,
As we know, in conf/sql.attrmap it is written that:
  checkItem   Expiration  Expiration
When I set User Expiration Date "16 Aug 2003", it doesn't work. And I find the
attr "16 Aug 2003" is in the mysql radreply table but not the radcheck table?





FreeRadius and Cygwin

2003-08-19 Thread A. Clausen
I'm sure you get this question quite a bit, but I was wondering if anyone
had successfully compiled FreeRadius under Cygwin, and if so, what
modifications were required.  I've tried a couple of quick compiles, but so
far have been unable to.

-- 
Aaron Clausen

[EMAIL PROTECTED]




Re: reply-message

2003-08-19 Thread Artur Hecker

hi alan


your answers always appear before the original questions, which is a
little bit surprising :-)

e.g. to my email originally written at 20:50 +02:00 you answered at
11:06 -04:00. evidently it's not possible, provided that we have the
same reference point. do you make reference to GMT or what?

then, to your email: i would like to test it with AP340/250. which is
the attribute to put into the user configuration in order to get
assigned an ip by the radius server? :-)


ciao
artur


Alan DeKok wrote:
> 
> Artur Hecker <[EMAIL PROTECTED]> wrote:
> > Alan: what do you think, if freeradius assigned an ip-address to the
> > user in a corresponding radius attribute and the client (AP) would use
> > it for the client's DHCP/BOOTP relay which then would emit an DHCPOFFER
> > message, could it work? I'm not an expert in BOOTP/DHCP, but do you
> > think something like this would be possible?
> 
>   It should be possible, but I don't know off-hand if any AP's work
> that way.
> 
>   Alan DeKok.

-- 
Artur Hecker
artur[at]hecker.info



errors when starting in debug mode

2003-08-19 Thread juan
i'm having problems when starting the server, with mysql.
here are some lines im getting,
-*---
HERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in 
the search path of your system's ld.
radiusd.conf[14]: sql: Module instantiation failed.
[EMAIL PROTECTED] freeradius-0.9.0]#

what should i do?

thanks!!





Re: errors when starting in debug mode

2003-08-19 Thread Artur Hecker
make sure the module's got built in the first place. see the output of
your ./configure script and add the mysql-dev libs if necessary.


ciao
artur


juan wrote:
> 
> i´m having problems when starting the server, with mysql.
> here are some lines im getting,
> 
> -*---
> HERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in
> the search path of your system's ld.
> radiusd.conf[14]: sql: Module instantiation failed.
> [EMAIL PROTECTED] freeradius-0.9.0]#
> 
> what should i do?
> 
> thanks!!

-- 
Artur Hecker
artur[at]hecker.info



I finally got PostgreSQL Authentication Working :)

2003-08-19 Thread Guy Fraser
Yah I know it's not a big deal for some people in this list but rather 
than make everyone guess how it is done, I am going to give up the details.

I have supplied a patch file to run against the raddb directory.

The file postgres-test.sql contains sample data that can be put into
the configured database {radiusd} for testing.
NOTE: make sure pg_hba.conf will allow the user {radiusd} to connect
to the database. Also make sure the user {radiusd} has permission to
select data from the authentication tables and has appropriate access
to the accounting and session tables.
Hope this will help someone.

--
Guy Fraser
Network Administrator
The Internet Centre
780-450-6787 , 1-888-450-6787
There is a fine line between genius and lunacy, fear not, walk the
line with pride. Not all things will end up as you wanted, but you
will certainly discover things the meek and timid will miss out on.

diff -ruN orig/clients raddb/clients
--- orig/clients2003-08-12 15:53:01.0 -0600
+++ raddb/clients   1969-12-31 17:00:00.0 -0700
@@ -1,25 +0,0 @@
-#
-#  THIS FILE IS DEPRECATED.
-#
-#  You should NOT be using this file to configure the server.
-#  It is here ONLY for backwards compatibility.
-#
-#  See 'clients.conf' for the new configuration.
-#
-#
-# clients  This file contains a list of clients which are allowed to
-#  make authentication requests and their encryption key.
-#
-#  Description of the fields:
-#
-#  * The first field is a valid hostname or IP address
-#for the client.
-#  * The second field (seperated by blanks or tabs) is the 
-#encryption key.
-
-# Client Name  Key
-#  --
-#portmaster1.isp.com   testing123
-#portmaster2.isp.com   testing123
-#proxyradius.isp2.com  TheirKey
-#localhost testing123
diff -ruN orig/clients.conf raddb/clients.conf
--- orig/clients.conf   2003-08-12 15:53:01.0 -0600
+++ raddb/clients.conf  2003-08-19 14:09:24.0 -0600
@@ -113,3 +113,8 @@
 #  password= someadminpas
 #}
 
+client 10.10.10.10 {
+   secret  = MySneakyPassWord
+   shortname   = saturn
+   nastype = other
+}
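Review bot: The added 'client 10.10.10.10' block carries a literal shared secret ('secret  = MySneakyPassWord') in a patch posted to a public list, so anyone who applies it unchanged runs with a published RADIUS secret. Suggest an obvious placeholder value plus a comment telling the reader to set a unique secret per client, and marking 10.10.10.10 as an example address.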
diff -ruN orig/naslist raddb/naslist
--- orig/naslist2003-08-12 15:53:02.0 -0600
+++ raddb/naslist   1969-12-31 17:00:00.0 -0700
@@ -1,31 +0,0 @@
-#
-#  THIS FILE IS DEPRECATED.
-#
-#  You should NOT be using this file to configure the server.
-#  It is here ONLY for backwards compatibility.
-#
-#  See 'clients.conf' for the new configuration.
-#
-#
-# naslist  This file contains a list of NASes (Network Access Servers,
-#  also known as terminal servers) which we know.
-#
-#  Description of the fields:
-#
-#  * The first field is a valid hostname or IP address
-#for the client.
-#  * The second field (seperated by blanks or tabs) is the 
-#short name we use in the logfiles for this NAS.
-#  * The third field defines what type of device it is. Valid
-#values are "cisco", "computone", "livingston", "max40xx", 
-# "multitech", "netserver", "pathras", "patton", "portslave", 
-# "tc", "usrhiper" or "other".
-#
-#  This is used to find out how to detect double logins.
-#
-
-# NAS Name Short Name  Type
-#  --  
-#portmaster1.isp.com   pm1.NY  livingston
-#portmaster2.isp.com   pm1.LA  livingston
-localhost  local   portslave
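Review bot: Deleting naslist drops its one active line, 'localhost  local   portslave', while the clients.conf hunk in this patch adds only 'client 10.10.10.10', so nothing visible here carries the localhost short name and NAS type over. Either add the equivalent entry to clients.conf in the same patch or state that one already exists there. Removing the two deprecated files would also be easier to review as a change separate from the PostgreSQL settings.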
diff -ruN orig/postgresql.conf raddb/postgresql.conf
--- orig/postgresql.conf2003-08-12 15:53:02.0 -0600
+++ raddb/postgresql.conf   2003-08-19 14:26:27.0 -0600
@@ -19,11 +19,11 @@
# The following credentials will most likely work on a default install of 
Postgresql
# If they do work however, it means that you have a HUGE GAPING SECURITY RISK 
on your
# server! Please change the "postgres" users password and setup a separate 
radius user.
-   login = "postgres"
+   login = "radiusd"
password = ""

# Database table configuration
-   radius_db = "radius"
+   radius_db = "radiusd"

# If you want both stop and start records logged to the
# same SQL table, leave this as is.  If you want them in
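Review bot: The login changes to "radiusd" but the context line 'password = ""' stays empty, directly under the comment warning that working default credentials are a security risk. Suggest giving the radiusd role a non-empty password (a placeholder in the patch) and checking that the pg_hba.conf entry for it requires password authentication rather than trust, so the dedicated account is not passwordless.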
diff -ruN orig/postgres-test.sql raddb/postgres-test.sql
--- orig/postgres-test.sql  1969-12-31 17:00:00.0 -0700
+++ raddb/postgres-test.sql 2003-08-19 14:03:38.0 -0600
@@ -0,0 +1,45 @@
+DELETE FROM  radcheck ;
+COPY radcheck (username, attribute, op, value) FROM stdin;
+fredf  Password==  wilma
+barney Password==  betty
+dialrouter Password==  dialup
+troll  Crypt-Password  ==  $1$nccboTC8$iTa7cikTy1Ito27dpdkT90
+\.
+
+D
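Review bot: 'DELETE FROM  radcheck ;' at the top of postgres-test.sql has no WHERE clause, so loading the sample data into the configured radiusd database empties every existing check item before the COPY runs. Suggest restricting the delete to the test usernames (fredf, barney, dialrouter, troll) or stating at the top of the file that it is meant for an empty test database only. Three of the sample rows store the password in clear text; a comment marking them as throwaway test values would help.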

Re: MySQL Authentication Logging

2003-08-19 Thread Alan DeKok
"Adam Carmichael" <[EMAIL PROTECTED]> wrote:
> I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4
> for logging accounting and retrieving authentication information. I am
> interested in knowing how to log authentication attempts and even
> possibly why an attempt failed.

  See the 'detail' module in the latest CVS snapshot.  It will create
"detail" style files for authentication requests, responses, proxied
packets, and replies from a home server.

  It won't log all of the information you see in debugging mode, but
it will log a fair amount of useful data.

  Alan DeKok.



Re: reply-message

2003-08-19 Thread Alan DeKok
Artur Hecker <[EMAIL PROTECTED]> wrote:
> Alan: what do you think, if freeradius assigned an ip-address to the
> user in a corresponding radius attribute and the client (AP) would use
> it for the client's DHCP/BOOTP relay which then would emit an DHCPOFFER
> message, could it work? I'm not an expert in BOOTP/DHCP, but do you
> think something like this would be possible?

  It should be possible, but I don't know off-hand if any AP's work
that way.

  Alan DeKok.



Re: reply-message

2003-08-19 Thread Artur Hecker
hi sylvain


i have to admit that i don't really understand the first part of your
question. but, in the case you are using EAP/MD5 try to read the FAQ
under http://www.freeradius.org/doc/EAP-MD5.html and look for
Reply-Message. Could it be this kind of problem?

for the second part, it's interesting - i didn't try it but, as alan, i
asked myself if it is possible some time ago and i promptly came up with
a solution which i'm not sure about.

Alan: what do you think, if freeradius assigned an ip-address to the
user in a corresponding radius attribute and the client (AP) would use
it for the client's DHCP/BOOTP relay which then would emit an DHCPOFFER
message, could it work? I'm not an expert in BOOTP/DHCP, but do you
think something like this would be possible?


ciao
artur



Alan DeKok wrote:
> 
> =?iso-8859-1?q?Sylvain=20Masnada?= <[EMAIL PROTECTED]> wrote:
> > I'd like to know why the "reply-message" attribute is sent by
> > freeradius in a access-reject packet.  I use this attribute to
> > welcome people who connected themselves on my wireless network. But
> > with xsupplicant, this access-reject disconnects my user, who
> > reconnects immediately and is disconnected and reconnected and ...
> 
>   I don't think that the Reply-Message has anything to do with it.
> 
>   If the user is rejected, they can try again immediately.  After some
> number of retries, the AP will deny them access.  See the AP
> configuration for details.
> 
> > I'd like to know if my AP which is a cisco AP350 can cause me
> > troubles when I try to assign an ip to the users.
> 
>   So far as I know, it can't be done.  The users are authenticating to
> the AP (and then FreeRADIUS) through the EAP protocol, which doesn't
> support setting the IP address.
> 
>   Alan DeKok.

-- 
Artur Hecker
artur[at]hecker.info



Re: reply-message

2003-08-19 Thread Alan DeKok
=?iso-8859-1?q?Sylvain=20Masnada?= <[EMAIL PROTECTED]> wrote:
> I'd like to know why the "reply-message" attribute is sent by
> freeradius in a access-reject packet.  I use this attribute to
> welcome people who connected themselves on my wireless network. But
> with xsupplicant, this access-reject disconnects my user, who
> reconnects immediately and is disconnected and reconnected and ...

  I don't think that the Reply-Message has anything to do with it.

  If the user is rejected, they can try again immediately.  After some
number of retries, the AP will deny them access.  See the AP
configuration for details.

> I'd like to know if my AP which is a cisco AP350 can cause me
> troubles when I try to assign an ip to the users.

  So far as I know, it can't be done.  The users are authenticating to
the AP (and then FreeRADIUS) through the EAP protocol, which doesn't
support setting the IP address.

  Alan DeKok.



reply-message

2003-08-19 Thread Sylvain Masnada
hi everybody,
I'd like to know why the "reply-message" attribute is sent by freeradius in a
access-reject packet.
I use this attribute to welcome people who connected themselves on my wireless
network. But with xsupplicant, this access-reject disconnects my user, who
reconnects immediately and is disconnected and reconnected and ...

I'd like to know if my AP which is a cisco AP350 can cause me troubles when I
try to assign an ip to the users.
My user is configured like steve example in users. Freeradius sends
framed-IP-Address, Netmask ... correctly (freeradius debug tell me it) but my
client has never an IP assigned as I would like.
What have I to do to assign an IP to my users?

Please help me.

Thx in advance
Sylvain



RE: users configuration using mysql

2003-08-19 Thread Jeremy Davis
If all your users are using chap, set default chap authentication in the
users file.

Jeremy


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of apellido
jr., wilfredo p
Sent: Tuesday, August 19, 2003 11:48 AM
To: [EMAIL PROTECTED]
Subject: users configuration using mysql


hello,


  good day, i just want to know what is the
users configuration if im using mysql as user
information (database).i want to use chap as
authentication.

=
[ apellido jr., wilfredo p. ]
+63 034 4880-449

If you can't hear me, it's because i'm in parentheses.



users configuration using mysql

2003-08-19 Thread apellido jr., wilfredo p
hello,


  good day, i just want to know what is the
users configuration if im using mysql as user
information (database).i want to use chap as
authentication. 

=
[ apellido jr., wilfredo p. ]
+63 034 4880-449

If you can't hear me, it's because i'm in parentheses.



Re: testing acl with radius

2003-08-19 Thread Eric Leblond
On Tue, 2003-08-19 at 17:10, Oliver Graf wrote:
> On Tue, Aug 19, 2003 at 05:04:54PM +0200, Eric Leblond wrote:
> > On Tue, 2003-08-19 at 16:58, Oliver Graf wrote:
> > > On Tue, Aug 19, 2003 at 04:56:17PM +0200, Eric Leblond wrote:
> > 
> > > 
> > > Can your firewall software speak to a radius server?
> > 
> > I'm coding it ;-) (http://www.gnufw.org)
> > I just wanna know it a test of the kind :
> > IP in good range
> > port in good range
> > ...
> >  is admissible on a radius server like freeradius.
> 
> I would try it the other way around... the radius returns some rules
> in the attributes and your software does the matching.
> 
> Other solution: just program a freeradius module which does the
> address checking magic. This is not really hard.

good idea

> On the other hand: should every ip packet result in a radius request=
> than your server is dead meat.

True, but not if you only test packet with state NEW (beginning of
connection in netfilter) that's only a few number you have to test.

> So the best solution is to just load the firewall config from the
> server, but does this make sense?

really no for me.

-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink




Volubill dictionary

2003-08-19 Thread Frederic . Mazzella
Hello,

I'm looking for a volubill dictionary for freeradius 0.8 or later. Would
anyone have that?

Thanks,

Fred.










RE: clients.conf

2003-08-19 Thread Jeremy Davis
I understand that much.  I the ips range from 141. 208. 65. to a few others.
I tried using the 0.0.0.0/1 but that only worked when the nas was behind a
firewall with a private address.

Thanks

Jeremy


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Oliver Graf
Sent: Tuesday, August 19, 2003 10:58 AM
To: [EMAIL PROTECTED]
Subject: Re: clients.conf


On Tue, Aug 19, 2003 at 10:48:09AM -0400, Jeremy Davis wrote:
>
>
> I want to have just one entry into clients.conf for all of my radius
usage.
> I tried the man page, it wasn't there, but its referenced to exist in man
> clients.  Anyway if someone could point to me the document, the man page,
or
> the answer.

something like this?

client / {
  secret = 
  shortname = 
}

Oliver.
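
Which source addresses a 0.0.0.0/1 client entry covers, and what per-NAS entries look like instead of a catch-all, as an added example (not from the thread and not FreeRADIUS code). The NAS addresses are constructed from the first octets mentioned above plus one private address, the helper names are hypothetical, and the block layout follows the 'client 10.10.10.10 { ... }' entry in the patch elsewhere on this page.

```python
import ipaddress

# Constructed NAS addresses: only the first octets 141, 208 and 65 come from
# the message; the other octets and the private 10.x address are made up.
NAS_IPS = ["141.0.0.1", "208.0.0.1", "65.0.0.1", "10.0.0.1"]


def covered_by(network, addresses):
    """Split addresses into (inside, outside) for one client network."""
    net = ipaddress.ip_network(network)
    inside = [a for a in addresses if ipaddress.ip_address(a) in net]
    outside = [a for a in addresses if a not in inside]
    return inside, outside


def accepted_sources(network):
    """Count the source addresses that would share this entry's secret."""
    return ipaddress.ip_network(network).num_addresses


def per_nas_blocks(addresses):
    """Render one client block per NAS, each with its own secret.

    The secrets are placeholders that must be replaced before use.
    """
    blocks = []
    ordered = sorted(addresses, key=ipaddress.ip_address)
    for number, address in enumerate(ordered, 1):
        blocks.append(
            "client %s {\n"
            "\tsecret      = REPLACE_WITH_UNIQUE_SECRET_%d\n"
            "\tshortname   = nas%d\n"
            "\tnastype     = other\n"
            "}" % (address, number, number))
    return "\n".join(blocks)


if __name__ == "__main__":
    for network in ("0.0.0.0/1", "0.0.0.0/0"):
        inside, outside = covered_by(network, NAS_IPS)
        print(network, "matches", inside, "misses", outside,
              "and accepts", accepted_sources(network), "source addresses")
    print(per_nas_blocks(NAS_IPS))
```

A /1 entry stops at 127.255.255.255, so sources whose first octet is 128 or higher fall outside it, while a /0 entry matches everything and puts every possible source address behind one shared secret.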




Re: testing acl with radius

2003-08-19 Thread Oliver Graf
On Tue, Aug 19, 2003 at 05:04:54PM +0200, Eric Leblond wrote:
> On Tue, 2003-08-19 at 16:58, Oliver Graf wrote:
> > On Tue, Aug 19, 2003 at 04:56:17PM +0200, Eric Leblond wrote:
> 
> > 
> > Can your firewall software speak to a radius server?
> 
> I'm coding it ;-) (http://www.gnufw.org)
> I just wanna know it a test of the kind :
>   IP in good range
>   port in good range
>   ...
>  is admissible on a radius server like freeradius.

I would try it the other way around... the radius returns some rules
in the attributes and your software does the matching.

Other solution: just program a freeradius module which does the
address checking magic. This is not really hard.

FreeRadius can do regular expression matching on attributes. but I
don't think this would be good.

On the other hand: should every ip packet result in a radius request=
than your server is dead meat.

So the best solution is to just load the firewall config from the
server, but does this make sense?

Oliver.



Re: testing acl with radius

2003-08-19 Thread Eric Leblond
On Tue, 2003-08-19 at 16:58, Oliver Graf wrote:
> On Tue, Aug 19, 2003 at 04:56:17PM +0200, Eric Leblond wrote:

> 
> Can your firewall software speak to a radius server?

I'm coding it ;-) (http://www.gnufw.org)
I just wanna know if a test of the kind :
IP in good range
port in good range
...
 is admissible on a radius server like freeradius.

BR,
-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink




Re: L2TP Accounting

2003-08-19 Thread Alan DeKok
"Roy" <[EMAIL PROTECTED]> wrote:
>How can I make rlm_mysql support L2TP accounting ?
>Did I miss some ? 

  No.  The sql module doesn't currently handle Tunnel-Link-Stop
messages.

  It shouldn't be hard to add, though.

  Alan DeKok.




Re: testing acl with radius

2003-08-19 Thread Oliver Graf
On Tue, Aug 19, 2003 at 04:56:17PM +0200, Eric Leblond wrote:
> On Tue, 2003-08-19 at 16:51, Oliver Graf wrote:
> > On Tue, Aug 19, 2003 at 04:01:18PM +0200, Eric Leblond wrote:
> > > I like to know if it is possible to test Acl with freeradius (classic IP
> > > filtering)
> > 
> > block the radius ports and see if your nas gets to your freeradius. is
> > this the test you have in mind? but perhaps a packet generator would
> > be more fitting for this task...
> 
> Oops, I was meaning : Is it possible to have a firewall check packet
> against premission given by a radius server ?

Can your firewall software speak to a radius server?

Oliver.




Re: clients.conf

2003-08-19 Thread Oliver Graf
On Tue, Aug 19, 2003 at 10:48:09AM -0400, Jeremy Davis wrote:
> 
> 
> I want to have just one entry into clients.conf for all of my radius usage.
> I tried the man page, it wasn't there, but its referenced to exist in man
> clients.  Anyway if someone could point to me the document, the man page, or
> the answer.

something like this?

client / {
  secret = 
  shortname = 
}

Oliver.




Re: testing acl with radius

2003-08-19 Thread Eric Leblond
On Tue, 2003-08-19 at 16:51, Oliver Graf wrote:
> On Tue, Aug 19, 2003 at 04:01:18PM +0200, Eric Leblond wrote:
> > I like to know if it is possible to test Acl with freeradius (classic IP
> > filtering)
> 
> block the radius ports and see if your nas gets to your freeradius. is
> this the test you have in mind? but perhaps a packet generator would
> be more fitting for this task...

Oops, I was meaning : Is it possible to have a firewall check packet
against permission given by a radius server ?

-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink




Re: testing acl with radius

2003-08-19 Thread Oliver Graf
On Tue, Aug 19, 2003 at 04:01:18PM +0200, Eric Leblond wrote:
> I like to know if it is possible to test Acl with freeradius (classic IP
> filtering)

block the radius ports and see if your nas gets to your freeradius. is
this the test you have in mind? but perhaps a packet generator would
be more fitting for this task...

or do you want to configure some client via radius to do ip filtering?
then you should consult the documentation of your nas equipment which
attributes are used for this purpose...

Oliver.




clients.conf

2003-08-19 Thread Jeremy Davis


I want to have just one entry into clients.conf for all of my radius usage.
I tried the man page, it wasn't there, but its referenced to exist in man
clients.  Anyway if someone could point to me the document, the man page, or
the answer.

TiA,

Jeremy




testing acl with radius

2003-08-19 Thread Eric Leblond
Hi,

I like to know if it is possible to test Acl with freeradius (classic IP
filtering)

Thanks in advance,
-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink




Re: (no subject)

2003-08-19 Thread Oliver Graf
On Tue, Aug 19, 2003 at 10:51:49AM -0300, German Viera wrote:
> I would like to know how could I configure freeradius to log in a db (mySQL) and ask 
> for users data also in a db, instead of flat file,

read the example config and doc/rlm_sql. The list archive has also
some examples.

> Can sombody tell me hoy to configure cisco VSA's in freeradius,

Example: Assign IP Pool via VSA

pools-bkhead-test  Auth-Type := Accept
Framed-Protocol = PPP,
Service-Type = Outbound-User,
Cisco-AVPair = "ip:pool-def#1=pool1 192.168.1.2 192.168.1.254"

You can see that you simply use the Attribute Cisco-AVPair which is
defined as a VSA in the dictionary.cisco. There is no need for a
special configuration.

Oliver.
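
How the Cisco-AVPair line from the entry above travels on the wire, as an added example that is not part of the original message and not FreeRADIUS code: attribute 26 (Vendor-Specific, RFC 2865) carrying vendor ID 9 and vendor type 1, the numbers dictionary.cisco assigns, followed by a decoder that rejects malformed lengths. The function names and the sample attribute bytes are constructed for this illustration.

```python
import struct

VENDOR_SPECIFIC = 26    # RFC 2865 section 5.26
CISCO_VENDOR_ID = 9     # "VENDOR Cisco 9" in dictionary.cisco
CISCO_AVPAIR = 1        # Cisco-AVPair is vendor type 1


def encode_cisco_avpair(text):
    """Return the wire bytes of one Vendor-Specific attribute holding text."""
    value = text.encode("ascii")
    vendor_len = 2 + len(value)       # vendor type + vendor length + string
    total_len = 2 + 4 + vendor_len    # type + length + vendor id + sub-attribute
    if total_len > 255:
        raise ValueError("AVPair does not fit in one RADIUS attribute")
    return (struct.pack("!BBI", VENDOR_SPECIFIC, total_len, CISCO_VENDOR_ID)
            + struct.pack("!BB", CISCO_AVPAIR, vendor_len) + value)


def iter_tlvs(buf):
    """Yield (type, value) for a run of type/length/value fields.

    The length octet counts the two header octets as well, so anything
    below 2 or running past the end of the buffer is malformed.
    """
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated header at offset %d" % pos)
        tlv_type, tlv_len = buf[pos], buf[pos + 1]
        if tlv_len < 2 or pos + tlv_len > len(buf):
            raise ValueError("bad length %d at offset %d" % (tlv_len, pos))
        yield tlv_type, buf[pos + 2:pos + tlv_len]
        pos += tlv_len


def cisco_avpairs(attributes):
    """Extract every Cisco-AVPair string from a packet's attribute section."""
    found = []
    for attr_type, value in iter_tlvs(attributes):
        if attr_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute without vendor id")
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue                  # other vendors may use another layout
        for vendor_type, data in iter_tlvs(value[4:]):
            if vendor_type == CISCO_AVPAIR:
                found.append(data.decode("ascii"))
    return found


# Constructed attribute section mirroring the reply items of the users entry:
# Framed-Protocol (7) = PPP (1), Service-Type (6) = Outbound-User (5), AVPair.
AVPAIR = "ip:pool-def#1=pool1 192.168.1.2 192.168.1.254"
SAMPLE_ATTRIBUTES = (struct.pack("!BBI", 7, 6, 1)
                     + struct.pack("!BBI", 6, 6, 5)
                     + encode_cisco_avpair(AVPAIR))

if __name__ == "__main__":
    print(encode_cisco_avpair(AVPAIR).hex())
    print(cisco_avpairs(SAMPLE_ATTRIBUTES))
```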




(no subject)

2003-08-19 Thread German Viera




I would like to know how could I configure freeradius to log in a db
(mySQL) and ask for users data also in a db, instead of flat file,

Can somebody tell me how to configure cisco VSA's in freeradius,

Regards,

German Viera
[EMAIL PROTECTED]
DISTRICORP S.A.
Montevideo
Uruguay
+598-2-9019344 ext(110)


L2TP Accounting

2003-08-19 Thread Roy
Dear all,
   How can I make rlm_mysql support L2TP accounting ?
   Did I miss some ? 
Regards
Roy.
  ---
Acct-Session-Id = "12CEF81A207C"
User-Name = "leotest"
Acct-Status-Type = Tunnel-Link-Stop
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
Tunnel-Type:0 = L2TP
Tunnel-Medium-Type:0 = IP
Tunnel-Client-Endpoint:0 = "x.x.x.x"
Tunnel-Server-Endpoint:0 = "x.x.x.x"
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 681
Acct-Output-Octets = 109
Acct-Input-Octets = 690
Acct-Output-Packets = 9
Acct-Input-Packets = 14
Calling-Station-Id = "00:E0:63:83:1F:B3"
NAS-Port-Type = Virtual
NAS-Identifier = "lac"
NAS-Port = 0
Acct-Delay-Time = 0
  modcall: entering group preacct
  modcall[preacct]: module "preprocess" returns noop

  rlm_sql (sql): Unsupported Acct-Status-Type = 13
  modcall[accounting]: module "sql" returns noop 




Re: FreeRadius vrs Cisco RADIUS

2003-08-19 Thread Vincent_Giovannone
[EMAIL PROTECTED] wrote on 08/19/2003 04:21:20 AM:

> > If you need paid support ("It's busted and I need it fixed RIGHT NOW!!"),
> > then you're obviously SOL running freeradius.  (Don't misinterpret this;
> > the FR team does a bang up job.  BUT they're NOT obligated to do
> > _anything_ if something in FR doesn't quite work right.)
> 
>   Can I put that paragraph in the FAQ?

Feel free.  :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden." 
-- Mil Millington



Re: FreeRadius vrs Cisco RADIUS

2003-08-19 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> If you need to securID authentication _directly_, don't even bother 
> thinking about freeradius; it simply doesn't do it.  (search the mailing 
> archives for a few diatribes by myself.)

  It's at least partially a licensing issue.  However, I *think* that
SecurID comes with a command-line token check utility, which could then
be run from FreeRADIUS.

> If you need paid support ("It's busted and I need it fixed RIGHT NOW!!"), 
> then you're obviously SOL running freeradius.  (Don't misinterpret this; 
> the FR team does a bang up job.  BUT they're NOT obligated to do 
> _anything_ if something in FR doesn't quite work right.)

  Can I put that paragraph in the FAQ?

> Now, don't get me wrong here.  I _love_ freeradius.  To that end, for my 
> wireless access points, I have ACS handle the radius PEAP requests, and 
> freeradius handle the direct AP management (console login, ssh login, 
> etc.) radius requests.

  Wait a few months.  With the discussions on -devel about TTLS &
PEAP, I'm sure they will be in FreeRADIUS before January.

  Alan DeKok.



RE: FreeRadius vrs Cisco RADIUS

2003-08-19 Thread Vincent_Giovannone
[EMAIL PROTECTED] wrote on 08/19/2003 03:02:17 AM:

> I would agree.  Cisco makes two products for Radius.  One that is
> expensive and the other that is even more expensive.  Neither one has
> all the same features as Freeradius AND neither one works as well.
> 
> Gene Parks
> VIP Direct

That's a rather blanket reply.  I use both freeradius and Cisco ACS. There 
are some HUGE differences between the two, which is why (*duh*) we use 
both.

If you need to securID authentication _directly_, don't even bother 
thinking about freeradius; it simply doesn't do it.  (search the mailing 
archives for a few diatribes by myself.)  Sure, FR can proxy against the 
absolute PILE OF S**T radius server built into ACE, but why put a _great_ 
proxy against a _crap_ source radius server?

PEAP support still seems pretty sketchy, at best.  It's experimental, it's 
new, and if you need it to work right now then FR isn't the best choice. 
(LEAP, otoh, seems to be pretty stable in FR.)

If you need paid support ("It's busted and I need it fixed RIGHT NOW!!"), 
then you're obviously SOL running freeradius.  (Don't misinterpret this; 
the FR team does a bang up job.  BUT they're NOT obligated to do 
_anything_ if something in FR doesn't quite work right.)

And lastly, ACS supports some other odd things (safetoken support, plus a 
few other securID wannabes) that just aren't in FR.

Now, don't get me wrong here.  I _love_ freeradius.  To that end, for my 
wireless access points, I have ACS handle the radius PEAP requests, and 
freeradius handle the direct AP management (console login, ssh login, 
etc.) radius requests.

I keep trying to push freeradius into MORE stuff on my network.  But as 
things stand _right_ _now_, they're two different products with different 
strengths.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden." 
-- Mil Millington




Again - rlm_ippool problem.

2003-08-19 Thread Kleyson Rios

Please, can someone help me!!!
I have installed freeradius and I need to use ippool, but when I enable the
option in post-auth {} I get the following error: "radiusd.conf[1258] Failed
to link to module 'rlm_ippool': file not found"

The files exist in my lib directory.

# ll /usr/local/freeradius/lib/rlm_ippool*
lrwxrwxrwx 1 root root    13 Aug  7 11:12 /usr/local/freeradius/lib/rlm_ippool-0.9.0.la -> rlm_ippool.la
-rwxr-xr-x 1 root root 50606 Aug  7 11:12 /usr/local/freeradius/lib/rlm_ippool-0.9.0.so
-rw-r--r-- 1 root root 91296 Aug  7 11:12 /usr/local/freeradius/lib/rlm_ippool.a
-rwxr-xr-x 1 root root   770 Aug  7 11:12 /usr/local/freeradius/lib/rlm_ippool.la
lrwxrwxrwx 1 root root    19 Aug  7 11:12 /usr/local/freeradius/lib/rlm_ippool.so -> rlm_ippool-0.9.0.so


my_server:/usr/local/freeradius/sbin # ./radiusd -X -p 1645
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/freeradius/etc/raddb/clients.conf
Config:   including file: /usr/local/freeradius/etc/raddb/snmp.conf
Config:   including file: /usr/local/freeradius/etc/raddb/postgresql.conf
 main: prefix = "/usr/local/freeradius"
 main: localstatedir = "/usr/local/freeradius/var"
 main: logdir = "/usr/local/freeradius/var/log/radius"
 main: libdir = "/usr/local/freeradius/lib"
 main: radacctdir = "/usr/local/freeradius/var/log/radius/radacct"
 ...
radiusd.conf[1258] Failed to link to module 'rlm_ippool': file not found


Where is the problem?

Thanks.
Kleyson Rios.




Antwort: Re: Antwort: Re: Problem with Framed-IP-Address

2003-08-19 Thread JDamisch



[EMAIL PROTECTED] wrote:
> i have this settings:
>
> My Network: 192.168.202.0/24
> RadiusServer: 192.168.202.58/24  Route: 192.168.202.0/24
> Gateway: 192.168.202.59
> Router: 192.168.202.59/24  Route: 192.168.202.0/24
> Gateway: 192.168.202.59
> User1Network: 10.20.30.0/24
>
> User1 get IP-Address "192.168.202.50"!
> Radiusd in Debug mode says "sending access-accept"
Radius and routing are different things.
> but no ping and no telnet works
Yes.

Why do you need to give the user an IP from 192.168.202.0/24?

> help.
For normal work you can give the user any IP except IPs used in your and
the user's networks.


Have solved the problem!

The problem was that the router doesn't know the network 10.20.30.0/24 with WAN
partner User1.
OK, I can set a static route, but it is not so easy, because I must bind
the network with a WAN partner.
My router has no entries yet; these are all in the Radius server. In this
situation the Radius must give the NAS the network route.

I implement the attribute "Framed-Route" in the User1 dial-in account:
 Framed-Route = "10.20.30.0/24 user1 Password"


Now everything works fine!




RE: FreeRadius vrs Cisco RADIUS

2003-08-19 Thread Gene Parks
I would agree.  Cisco makes two products for Radius.  One that is
expensive and the other that is even more expensive.  Neither one has
all the same features as Freeradius AND neither one works as well.

Gene Parks
VIP Direct

-----Original Message-----
From: Michael Brown [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 19, 2003 1:22 AM
To: [EMAIL PROTECTED]
Subject: Re: FreeRadius vrs Cisco RADIUS


it's free, and it WORKS.

Quoting Zuheir Mheir <[EMAIL PROTECTED]>:

> Team,
>
> How would FreeRADIUS compete with Cisco RADIUS (or other vendors for that
> matter).  I guess what I am looking for is some feedback from people who
> have experienced commercial RADIUS and migrated to freeRADIUS.  Your quick
> response is greatly appreciated.
>
> Regards,
>
> Zuheir


Michael Brown


 mikro network solutions  *  http://www.mikro-net.com




Re: Cisco VSA hack problem

2003-08-19 Thread Dmitry Melekhov
Peter Nixon wrote:
> On Tue August 19 2003 07:55, Dmitry Melekhov wrote:
>
> > Hello!
> >
> > I have the following in preprocess:
> >
> >   with_cisco_vsa_hack = yes
> >
> > But I have the following in detail:
> >
> >   h323-call-origin = "h323-call-origin=proxy"
> >   h323-call-type = "h323-call-type=VoIP"
> >
> > Do I have something wrong in configuration or this feature doesn't work?
>
> Which version are you using? If not 0.9.0 then upgrade...
> It should work, I have been using it for a long time, although versions prior
> to 0.7 (I think) were broken and needed a patch.

Thank you!

I used freeradius from SLES8 (something like 0.5).
Upgrade solved the problem.
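
The Cisco-AVPair reply item from Oliver Graf's users entry earlier on this page and the h323-* values from this thread, as they look inside a RADIUS Vendor-Specific attribute: an added Python example, not part of any post and not FreeRADIUS code. The sub-attribute numbers in CISCO_DICT are assumed from the stock dictionary.cisco, and the strip_redundant_name flag only approximates the effect this thread expects from with_cisco_vsa_hack.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries VSAs (RFC 2865)
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
# Assumption: sub-attribute numbers as listed in the stock dictionary.cisco.
CISCO_DICT = {1: "Cisco-AVPair", 26: "h323-call-origin", 27: "h323-call-type"}


def encode_cisco_vsa(vendor_type: int, value: str) -> bytes:
    """Pack one Cisco sub-attribute into a Vendor-Specific attribute."""
    data = value.encode("ascii")
    total = 2 + 4 + 2 + len(data)  # outer header + vendor id + sub-header
    if total > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, total, CISCO_VENDOR_ID,
                       vendor_type, 2 + len(data)) + data


def decode_cisco_vsas(attrs: bytes, strip_redundant_name: bool = False):
    """Return (name, value) for every Cisco VSA in a raw attribute list.

    Bad lengths raise ValueError instead of reading past the buffer.
    """
    out, pos = [], 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        atype, body = attrs[pos], attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue  # not a VSA, or too short to hold a sub-attribute
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue  # some other vendor
        sub = body[4:]
        while len(sub) >= 2:  # one VSA may carry several sub-attributes
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            name = CISCO_DICT.get(vtype, f"Cisco-Attr-{vtype}")
            value = sub[2:vlen].decode("ascii", "replace")
            if strip_redundant_name and value.startswith(name + "="):
                value = value[len(name) + 1:]  # drop the repeated name
            out.append((name, value))
            sub = sub[vlen:]
    return out


# Constructed sample: the values quoted in the two threads, encoded here.
SAMPLE = (encode_cisco_vsa(1, "ip:pool-def#1=pool1 192.168.1.2 192.168.1.254")
          + encode_cisco_vsa(26, "h323-call-origin=proxy")
          + encode_cisco_vsa(27, "h323-call-type=VoIP"))
```

Cisco-AVPair keeps its full "ip:pool-def#1=..." string either way, because its value does not begin with its own attribute name; only the h323-* values lose the repeated prefix.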

