Auth-Type woes...
Hi all,

I'm having trouble with freeradius. I'm not actually sure if it's able to do what I want, but it seems to lean that way. Basically I have a cyclades TS-2000 console access server with 32 ports. From the radius side, 'admins' should be allowed access to the entire 32 ports, with different groups around the organisation being able to access different groups of ports. This is where I thought huntgroups should come into it, however I keep getting "no Auth-Type found" messages. Configuration and error is as per below, running freeradius 0.9.1.

In the users file:

    DEFAULT Auth-Type = System, Huntgroup-Name == "test"

In the huntgroups file:

    test    NAS-IP-Address == x.x.x.x, NAS-Port-Id == 0-5
            Group = test

User 'radtest' is in the system group 'test'... output from radiusd -X follows...

    /usr/local/sbin/radiusd -X
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
     main: prefix = "/usr/local"
     main: localstatedir = "/usr/local/var"
     main: logdir = "/usr/local/var/log/radius"
     main: libdir = "/usr/local/lib"
     main: radacctdir = "/usr/local/var/log/radius/radacct"
     main: hostname_lookups = no
     main: snmp = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = "/usr/local/var/log/radius/radius.log"
     main: log_auth = no
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
     main: user = "(null)"
     main: group = "(null)"
     main: usercollide = no
     main: lower_user = "no"
     main: lower_pass = "no"
     main: nospace_user = "no"
     main: nospace_pass = "no"
     main: checkrad = "/usr/local/sbin/checkrad"
     main: proxy_requests = yes
     proxy: retry_delay = 5
     proxy: retry_count = 3
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     proxy: post_proxy_authorize = yes
     proxy: wake_all_if_all_dead = no
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = no
     main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    Using deprecated clients file. Support for this will go away soon.
    read_config_files: reading realms
    Using deprecated realms file. Support for this will go away soon.
    radiusd: entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
     pap: encryption_scheme = "crypt"
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
     mschap: use_mppe = yes
     mschap: require_encryption = no
     mschap: require_strong = no
     mschap: passwd = "(null)"
     mschap: authtype = "MS-CHAP"
    Module: Instantiated mschap (mschap)
    Module: Loaded System
     unix: cache = no
     unix: passwd = "(null)"
     unix: shadow = "(null)"
     unix: group = "(null)"
     unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
     unix: usegroup = no
     unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
     eap: default_eap_type = "md5"
     eap: timer_expire = 60
    rlm_eap: Loaded and initialized the type md5
    rlm_eap: Loaded and initialized the type leap
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
     preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
     preprocess: hints = "/usr/local/etc/raddb/hints"
     preprocess: with_ascend_hack = no
     preprocess: ascend_channels_per_line = 23
     preprocess: with_ntdomain_hack = no
     preprocess: with_specialix_jetstream_hack = no
     preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
     realm: format = "suffix"
     realm: delimiter = "@"
    Module: Instantiated realm (suffix)
    Module: Loaded files
     files: usersfile = "/usr/local/etc/raddb/users"
     files: acctusersfile = "/usr/local/etc/raddb/acct_users"
     files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
     files: compat = "no"
    Module: Instantiated files (files)
    Module: Loaded Acct-Unique-Session-Id
     acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
     detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
     detail: detailperm = 384
     detail: dirperm = 493
     detail: locking = no
    Module: Instantiated detail (detail)
    Module: Loaded radutmp
     radutmp: filename = "/usr/local/var/log/radius/radutmp"
     radutmp: username = "%{User-Name}"
     radutmp: case_sensitive = yes
     radutmp: check_with_nas = yes
     radutmp: perm = 384
     radutmp: callerid = yes
accounting_start_query_alt with rlm_sql
Hello everyone,

I browsed the rlm_sql source code and found out that if the main accounting_start_query fails and no alternate query is set up, or it is set to "", then no RLM_MODULE_FAIL error code is returned from rlm_sql_accounting (actually RLM_MODULE_OK is returned). The result is that if no alternate start query is present, accounting start always succeeds, even on SQL error.

I think the source code should look like this (inside the rlm_sql_accounting function):

    case PW_STATUS_START:
        /*...*/
        if (*querystr) { /* non-empty query */
            /*...*/
            if (*querystr) { /* non-empty query */
                if (rlm_sql_query(sqlsocket, inst, querystr)) {
                    radlog(L_ERR, "rlm_sql (%s): Couldn't update SQL"
                           "accounting START record - %s",
                           inst->config->xlat_name,
                           (char *)(inst->module->sql_error)(sqlsocket, inst->config));
                    ret = RLM_MODULE_FAIL;
                }
                (inst->module->sql_finish_query)(sqlsocket, inst->config);
    +++     }else
    +++         ret = RLM_MODULE_FAIL;
        }

--- Zygmuntowicz Michal

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius realm logging
I am currently using cistron radius version 1.6.6 on Debian. It's been OK for what I have used it for. I am now starting to add realms to my users and I need to be able to see the realm in the actual radius.log file. Right now it strips the realm, and if I try a nostrip it won't authenticate the user at all. I was wondering if freeradius had resolved this issue. If so, then I would take out cistron and use it.

Thanks for your help,
Jason Love
compatibility / feature comparisons?
Lo everyone,

Just a bit of an informational question... Feature wise, compatibility wise, management wise... You know.. The full monty.. How does FreeRadius compare against Radiator??

-- me
Re: Realm and authicatio
"Moktar KONE" <[EMAIL PROTECTED]> wrote:
> I am using freeradius and some of my users' logins look like this:
> (the string "" is common to all these users' logins)
>
> zddsd/[EMAIL PROTECTED]

OK...

> I want to treat this kind of user differently; the same thing that they
> had in common is / in the login.
...
> In realm definition we had prefix and suffix; in my radiusd.conf file I
> add this entry:
> realm {
>     format = suffix
>     delimiter = "/"
> }
> but when the users try to connect they are refused and the field realm
> in the log is not set to

The string "/" is not a suffix of the User-Name attribute, is it? It's in the middle.

> how can I manage these users in order that they can be authenticated in
> another way?

Regular expressions.

Alan DeKok.
Realm and authicatio
Hi all,

I am using freeradius and some of my users' logins look like this: (the string "" is common to all these users' logins)

    zddsd/[EMAIL PROTECTED]

I want to treat this kind of user differently; the same thing that they had in common is / in the login. So the realm is for me, and in my proxy.conf file I had specific entries for these users. In realm definition we had prefix and suffix; in my radiusd.conf file I add this entry:

    realm {
        format = suffix
        delimiter = "/"
    }

but when the users try to connect they are refused and the field realm in the log is not set to

how can I manage these users in order that they can be authenticated in another way?

--
Moktar KONE
MTDS S.A.
tel +212.3.767.4861
fax +212.3.767.4863
gsm +212.6.113.0545
14, rue 16 novembre
Rabat, Kingdom of Morocco
Re: mapping EAP payloads to attributes
Michael Richardson <[EMAIL PROTECTED]> wrote:
> A problem with the method that I did is that the concatenation of
> the EAP-Messages may be bigger than MAX_STRING_LEN. Aside from just
> making MAX_STRING_LEN bigger, is there any other thoughts?

I had thought of dynamically allocating the memory for strvalue(), but I hadn't done anything about it. It's one reason I hadn't yet done something like add an attribute 'EAP-TLS-Packet', as they can be ~16K.

Maybe a new type PW_TYPE_DYNAMIC_STRING, which is identical to 'string', but which is dynamically allocated. But it would still have 'strvalue[MAX_STRING_LEN]' in the struct, which sucks.

> I'd hate to go to external storage for an attribute due to the complexity
> of making sure all the allocation/deallocations are done right.

Nah.

    src/lib/valuepair.c

All VALUE_PAIR's are freed ONLY in pairfree(). Hack that, and it should be OK.

Alan DeKok.
PIX and FreeRadius on RedHat
My setup is RedHat 9 with FreeRadius 0.9.1. It's a server destined to replace a BSD server that has FreeRadius as well. I have a Cisco PIX firewall with IOS 6.2 and PDM 2.0.

I've set the new server with the same IP and the same DNS name as the old server (after I took it offline, of course). I've configured Radius on the new server with the same settings and the same shared secret. I've checked, and the shared password is the same on the firewall. The firewall is supposed to use the Radius server to authenticate incoming VPN connections.

My problem is that clients attempting to connect get "authentication failed", but when I look in my Radius log, this is what I get:

    Mon Sep 8 15:28:56 2003: Auth: Login OK: [testuser] (from nas firewall/S43)
    Mon Sep 8 15:28:46 2003: Auth: Login OK: [testuser] (from nas firewall/S42)
    Mon Sep 8 15:28:13 2003: Auth: Login OK: [testuser] (from nas firewall/S41)
    Mon Sep 8 15:28:03 2003: Auth: Login OK: [testuser] (from nas firewall/S40)
    Mon Sep 8 15:27:53 2003: Auth: Login OK: [testuser] (from nas firewall/S39)
    Mon Sep 8 15:27:43 2003: Auth: Login OK: [testuser] (from nas firewall/S38)

So it seems to me like the server is getting the request and authenticating the user, but the PIX isn't either getting or understanding the reply. I'm pretty new with Radius, so I'd really like a little help.

Thanks
mapping EAP payloads to attributes
Alan,

A problem with the method that I did is that the concatenation of the EAP-Messages may be bigger than MAX_STRING_LEN. Aside from just making MAX_STRING_LEN bigger, is there any other thoughts?

I'd hate to go to external storage for an attribute due to the complexity of making sure all the allocation/deallocations are done right.

] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | net architect [
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ | device driver [
] panic("Just another Debian/notebook using, kernel hacking, security guy"); [
Access Point Errors
Could someone please tell me what these errors mean:

    Tue Sep 2 06:02:24 2003 : Error: rlm_radutmp: Logout entry for NAS NorthGate-D2 port 37 has wrong ID
    Tue Sep 2 06:43:48 2003 : Error: rlm_radutmp: Login entry for NAS NorthGate-D2 port 38 wrong order

I get them constantly from our Cisco AP1200 access points and would like to know if this is a problem.

Thanks!
Mike Hall
Re: 0.9.1, gethostbyname_r again
hi,

--without-threads works. Is it possible to use threads under FreeBSD?

regards.
-- S.N.O.O.P.: Synthetic Networked Organism Optimized for Peacekeeping
freeradius 0.9.1 - AUTH
Hello everyone,

I am a beginner on the freeradius list, and I thank everyone for their collaboration. I use freeradius with Solaris 9. Does anybody know how I should receive an authentication, for instance for [EMAIL PROTECTED], and send this authentication on to other equipment with another IP, etc.? I configured the IP, port, secret, etc. in proxy.conf. But when I run radtest with the username, secret and IP, it keeps looping until it gives the message

    radclient: in the response from server

What am I doing wrong?

Thank you, and I await your reply.
Re: 0.9.1, gethostbyname_r again
Hi,

Try: --without-threads

Regards

Alex Kasatkin wrote:
> Hi!
>
> There is a problem with gethostbyname detection in 0.9.1:
>
> dev:~/freeradius-0.9.1# uname -prs
> FreeBSD 4.8-RELEASE-p4 i386
>
> configure says:
>
> checking gethostbyaddr_r() syntax... GNU-style
> checking gethostbyname_r() syntax... configure: warning: ** BSD Style gethostbyname might NOT be thread-safe! **
> BSD-style
>
> config.log:
>
> configure:7978: checking gethostbyaddr_r() syntax
> configure:7990: gcc -o conftest -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG conftest.c 1>&5
> configure: In function `main':
> configure:7986: warning: implicit declaration of function `gethostbyaddr_r'
> configure:8068: checking gethostbyname_r() syntax
> configure:8080: gcc -o conftest -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG conftest.c 1>&5
> configure: In function `main':
> configure:8076: warning: implicit declaration of function `gethostbyname_r'
> /tmp/ccuKg0wk.o: In function `main':
> /home/snoop/freeradius-0.9.1/configure(.text+0x16): undefined reference to `gethostbyname_r'
> configure: failed program was:
> #line 8070 "configure"
> #include "confdefs.h"
> #include
> #include
> int main() { gethostbyname_r(NULL, NULL, NULL, 0, NULL, NULL) ; return 0; }
> configure:8106: gcc -o conftest -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG conftest.c 1>&5
> configure: In function `main':
> configure:8102: warning: implicit declaration of function `gethostbyname_r'
> /tmp/ccoZBWNY.o: In function `main':
> /home/snoop/freeradius-0.9.1/configure(.text+0x14): undefined reference to `gethostbyname_r'
> configure: failed program was:
> #line 8096 "configure"
> #include "confdefs.h"
> #include
> #include
> int main() { gethostbyname_r(NULL, NULL, NULL, 0, NULL) ; return 0; }
> configure:8133: gcc -o conftest -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG conftest.c 1>&5
>
> Building fails at this point:
>
> gcc -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -DHAVE_NDBM_H -c rlm_dbm_parser.c -o rlm_dbm_parser.o
> rlm_dbm_parser.c: In function `storecontent':
> rlm_dbm_parser.c:160: warning: assignment discards qualifiers from pointer target type
> /vol1/home/snoop/freeradius-0.9.1/libtool --mode=link gcc rlm_dbm_parser.o ../../lib/libradius.a -o rlm_dbm_parser
> gcc rlm_dbm_parser.o -o rlm_dbm_parser ../../lib/libradius.a
> ../../lib/libradius.a(misc.o): In function `ip_hostname':
> /vol1/home/snoop/freeradius-0.9.1/src/lib/misc.c:63: undefined reference to `gethostbyaddr_r'
>
> When I add -lc_r, rlm_dbm_parser links normally, but with some warnings.
> Is this a bug or a feature?
>
> regards.
>
> P.S. radwho hangs with the same error too.
patch for EAP-MD5 client
I have created a new client program, "radeapclient". This is a work-in-progress.

I have refactored bits of rlm_eap/eap.c into src/lib/eapcommon.c and call it from radeapclient. radeapclient is mostly radclient, which changes - it will answer the MD5 challenge, do the calculation and reply.

The patch is at: http://www.sandelman.ca/tmp/radeapclient.patch

There are two minor patches to the TLS code to clear up when/if a macro is defined.

There are some patches to radiusd.h since otherwise you can't include radiusd.h and libradius.h at the same time. This may be intentional, in which case, I am uncertain what to do.

I also add "TAGS" target to top-level Makefile to run etags.

In pursuing this I realized that I needed a newer OpenSSL than debian woody (stable) had, so I installed from source. The X9.9 module does not get the right openssl things. A second patch is at: http://www.sandelman.ca/tmp/x99.patch

Finally, I still have problems building statically, particularly with a non-default -lcrypto/-lssl, thus the patches to Makefile.in. I still have to uncomment things, and force OPENSSL_LIB to include the right -L. I'm open to suggestions on what to do here.

radeapclient could be made a superset of radclient, and right now it looks like it would make sense, but I intend for the program to evolve in a different direction than I think that radclient should go.

] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | net architect [
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ | device driver [
] panic("Just another Debian/notebook using, kernel hacking, security guy"); [
0.9.1, gethostbyname_r again
Hi!

There is a problem with gethostbyname detection in 0.9.1:

    dev:~/freeradius-0.9.1# uname -prs
    FreeBSD 4.8-RELEASE-p4 i386

configure says:

    checking gethostbyaddr_r() syntax... GNU-style
    checking gethostbyname_r() syntax... configure: warning: ** BSD Style gethostbyname might NOT be thread-safe! **
    BSD-style

config.log:

    configure:7978: checking gethostbyaddr_r() syntax
    configure:7990: gcc -o conftest -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG conftest.c 1>&5
    configure: In function `main':
    configure:7986: warning: implicit declaration of function `gethostbyaddr_r'
    configure:8068: checking gethostbyname_r() syntax
    configure:8080: gcc -o conftest -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG conftest.c 1>&5
    configure: In function `main':
    configure:8076: warning: implicit declaration of function `gethostbyname_r'
    /tmp/ccuKg0wk.o: In function `main':
    /home/snoop/freeradius-0.9.1/configure(.text+0x16): undefined reference to `gethostbyname_r'
    configure: failed program was:
    #line 8070 "configure"
    #include "confdefs.h"
    #include
    #include
    int main() { gethostbyname_r(NULL, NULL, NULL, 0, NULL, NULL) ; return 0; }
    configure:8106: gcc -o conftest -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG conftest.c 1>&5
    configure: In function `main':
    configure:8102: warning: implicit declaration of function `gethostbyname_r'
    /tmp/ccoZBWNY.o: In function `main':
    /home/snoop/freeradius-0.9.1/configure(.text+0x14): undefined reference to `gethostbyname_r'
    configure: failed program was:
    #line 8096 "configure"
    #include "confdefs.h"
    #include
    #include
    int main() { gethostbyname_r(NULL, NULL, NULL, 0, NULL) ; return 0; }
    configure:8133: gcc -o conftest -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG conftest.c 1>&5

Building fails at this point:

    gcc -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -DHAVE_NDBM_H -c rlm_dbm_parser.c -o rlm_dbm_parser.o
    rlm_dbm_parser.c: In function `storecontent':
    rlm_dbm_parser.c:160: warning: assignment discards qualifiers from pointer target type
    /vol1/home/snoop/freeradius-0.9.1/libtool --mode=link gcc rlm_dbm_parser.o ../../lib/libradius.a -o rlm_dbm_parser
    gcc rlm_dbm_parser.o -o rlm_dbm_parser ../../lib/libradius.a
    ../../lib/libradius.a(misc.o): In function `ip_hostname':
    /vol1/home/snoop/freeradius-0.9.1/src/lib/misc.c:63: undefined reference to `gethostbyaddr_r'

When I add -lc_r, rlm_dbm_parser links normally, but with some warnings. Is this a bug or a feature?

regards.

P.S. radwho hangs with the same error too.

-- S.N.O.O.P.: Synthetic Networked Organism Optimized for Peacekeeping
Freeradius + Mysql
How do I deny access to a specific group of users in Mysql, using Nas-Ip-Address or Called-Station-Id? I have NAS1 for dial-up access and NAS2 for cable, but users from NAS1 can connect on cable. It's wrong, ok?? Help me.

Lucas

PS: In radgroupcheck I put ('1',dial-up,'Nas-Ip-Address','==','my-NAS-ip') and it doesn't work.
Re: GPL headers
Alan DeKok wrote:
> > As FreeRADIUS is developed under the GNU General Public License, all
> > the contributions fall under the GPL too. Therefore I was thinking it
> > would be better to make it explicit in all files in the source tree.
> > Or is it ok to leave it like that ? I don't really know.
>
> Submit patches, if it's important to you.

It was really a boring job but I spent some time on that.

The following files already had a GPL header but it was incomplete or contained a typo:

    src/modules/rlm_acct_unique/rlm_acct_unique.c
    src/modules/rlm_always/rlm_always.c
    src/modules/rlm_attr_filter/rlm_attr_filter.c
    src/modules/rlm_dbm/rlm_dbm.c
    src/modules/rlm_dbm/rlm_dbm_cat.c
    src/modules/rlm_dbm/rlm_dbm_parser.c
    src/modules/rlm_detail/rlm_detail.c
    src/modules/rlm_unix/cache.c
    src/modules/rlm_unix/compat.c

The following files had no licence, so I inserted a GPL header:

    src/lib/crypt.c
    src/lib/dict.c
    src/lib/hmac.c
    src/lib/log.c
    src/lib/misc.c
    src/lib/missing.c
    src/lib/print.c
    src/lib/radius.c
    src/lib/snprintf.c
    src/lib/token.c
    src/lib/valuepair.c
    src/modules/rlm_ldap/rlm_ldap.c
    src/modules/rlm_mschap/smbencrypt.c
    src/modules/rlm_passwd/rlm_passwd.c
    src/modules/rlm_smb/valid.c
    src/modules/rlm_sql/drivers/rlm_sql_iodbc/sql_iodbc.c
    src/modules/rlm_sql/drivers/rlm_sql_oracle/sql_oracle.c
    src/modules/rlm_sql/drivers/rlm_sql_sybase/sql_sybase.c
    src/modules/rlm_sql/drivers/rlm_sql_unixodbc/sql_unixodbc.c

The following files already have a licence, but it's not GPL. In doubt, I didn't touch them. It would be wise to ask someone who knows well about free software licence stuff if it's all right to have these in Freeradius:

    src/lib/filters.c
    src/lib/isaac.c
    src/lib/md4.c
    src/lib/md5.c
    src/lib/sha1.csrc

You'll find above a patch against current CVS...

$ cvs diff -u Index: src/lib/crypt.c === RCS file: /source/radiusd/src/lib/crypt.c,v retrieving revision 1.4 diff -u -r1.4 crypt.c --- src/lib/crypt.c 3 Sep 2003 15:19:28 - 1.4 +++ src/lib/crypt.c 8 Sep 2003 15:06:49 - 
@@ -1,5 +1,21 @@ /* - * a thread-safe crypt wrapper + * crypt.c A thread-safe crypt wrapper + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Copyright 2000 The FreeRADIUS server project */ #include "libradius.h" Index: src/lib/dict.c === RCS file: /source/radiusd/src/lib/dict.c,v retrieving revision 1.41 diff -u -r1.41 dict.c --- src/lib/dict.c 3 Sep 2003 15:19:28 - 1.41 +++ src/lib/dict.c 8 Sep 2003 15:06:49 - 
@@ -3,6 +3,21 @@ * * Version:$Id: dict.c,v 1.41 2003/09/03 15:19:28 cparker Exp $ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Copyright 2000 The FreeRADIUS server project */ static const char rcsid[] = "$Id: dict.c,v 1.41 2003/09/03 15:19:28 cparker Exp $"; Index: src/lib/hmac.c === RCS file: /source/radiusd/src/lib/hmac.c,v retrieving revision 1.4 diff -u -r1.4 hmac.c --- src/lib/hmac.c 6 Sep 2001 20:10:59 - 1.4 +++ src/lib/hmac.c 8 Sep 2003 15:06:49 - @@ -1,8 +1,25 @@ /* - For the sake of illustration we provide the following sample code for - the implementation of HMAC-MD5 as well as some corresponding test - vectors (the code is based on MD5 code as described in [MD5]). -*/ + * hmac.c For the sake of illustration we provide the following + * sample code for the implementation of HMAC-MD5 as well + *
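Review bot: In the crypt.c and dict.c hunks the same line "Copyright 2000 The FreeRADIUS server project" is added to both files, while the revisions shown in the diff headers (crypt.c 1.4, dict.c 1.41) are dated September 2003. Please check the year and the copyright holder for each file against its CVS history instead of stamping one fixed line everywhere, and say in the commit message how the year was chosen.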
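Review bot: The hmac.c hunk rewrites an opening comment that describes the file as sample code for HMAC-MD5 "based on MD5 code as described in [MD5]", which reads as text carried over from a published specification rather than code written for this project. Before a GPL notice and a project copyright line go on top of it, confirm where the code came from and keep that attribution in the header; until then hmac.c fits better in the "already have a licence, ask first" list next to md4.c and md5.c than in the "no licence" list.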
Re: SQL user generation script
On Sunday 07 September 2003 2:40 am, jc fulknier wrote:
> is there a script to auto generate users and passwds
> into a mySQL DB?

Here is one I use:

=
#!/bin/sh
#
# usage: radadd
#
# creates a range of users from start to end with randomized passwords
# "format" should be a format string for the "seq" command, and is
# generally in the form "%0g"
# where "digit" refers to how many digits are in the "sequence"
#
rm /tmp/hgusers /tmp/hgpass
for uid in `seq -f"$1" $2 $3`;do
echo insert into usergroup values \(0,\"$uid\",\"$4\"\)\; >>/tmp/hgusers
echo insert into radcheck values [line continues] \(0,\"$uid\",\"Password\",\"==\",\"`randpass`\"\)\; >>/tmp/hgpass;
done
cat /tmp/hgusers /tmp/hgpass | mysql -h [continues] -u -p
=

[when cutting/pasting, fix the "line continues" parts, and insert appropriate for your MySQL database...]

The temp files, hgusers & hgpass, can be deleted afterwards or reviewed to see what was added this time around.

The routine "randpass" generates the actual password -- this is my version, but you can create one that makes passwords in whatever format you require [upper vs. lower case, alpha vs. numeric, special symbols, length, etc.]

=
#!/usr/bin/perl
my $c="bcdfghjklmnpqrstvwxyz";
my $v="aeiou";
for ($i=0;$i<4;$i++) {print substr($c,rand(21),1),substr($v,rand(5),1)};
=

This deceptively simple routine generates passwords that are, for the most part, pronounceable and rememberable without having to write them down [the words look to be asian or hawaiian, though occasionally a recognizable english word will be generated, such as "rope" or "vase"]; however, since it produces an 8-character password, you'll end up with "ropevase" as a password.

-- Yet another Blog: http://osnut.homelinux.net
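A hardened variant of the script above, as an added example that is not part of the original post: it keeps the poster's `usergroup` and `radcheck` insert statements, but the posted `randpass` uses Perl's `rand()`, which is not a cryptographic generator, and its consonant-vowel pattern allows only 105^4 (about 1.2 x 10^8) passwords, so this version draws passwords from the kernel CSPRNG, writes to a private `mktemp` file instead of fixed names in /tmp, and rejects names that could break out of the quoted SQL. The function names, the 16-character default length and the allowed character set are assumptions of this example.

```shell
#!/bin/sh
# Added example: safer batch generation of RADIUS users for the table
# layout used in the post (usergroup, radcheck). Not the poster's script.

# randpass_secure [LEN]: print LEN (default 16) characters taken from
# /dev/urandom. tr discards every byte outside the set, so each output
# character is uniform over the 62 symbols (no modulo bias).
randpass_secure() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom 2>/dev/null | head -c "${1:-16}"
}

# valid_name STRING: succeed only if STRING is non-empty and contains
# nothing but characters that are harmless inside a double-quoted SQL literal.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# radadd_batch FORMAT START END GROUP
# Writes the insert statements to a freshly created private temp file
# (mktemp creates it with mode 0600 and an unpredictable name) and prints
# the file's path. Nothing is sent to the database here.
radadd_batch() {
    fmt=$1; first=$2; last=$3; group=$4

    case $first$last in
        ''|*[!0-9]*) echo "radadd_batch: START and END must be numbers" >&2
                     return 1 ;;
    esac
    valid_name "$group" || { echo "radadd_batch: bad group name" >&2; return 1; }

    out=$(mktemp "${TMPDIR:-/tmp}/radadd.XXXXXX") || return 1

    for uid in $(seq -f "$fmt" "$first" "$last"); do
        if ! valid_name "$uid"; then
            echo "radadd_batch: bad user name: $uid" >&2
            rm -f "$out"
            return 1
        fi
        printf 'insert into usergroup values (0,"%s","%s");\n' "$uid" "$group"
        printf 'insert into radcheck values (0,"%s","Password","==","%s");\n' \
            "$uid" "$(randpass_secure)"
    done >"$out"

    printf '%s\n' "$out"
}

# Usage (HOST, USER and DBNAME are placeholders for your own values):
#   f=$(radadd_batch 'user%03g' 1 50 dialup) &&
#       mysql -h HOST -u USER -p DBNAME <"$f"
#   rm -f "$f"    # the file holds cleartext passwords; remove it when done
```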
Re: Freeradius-Users digest, Vol 1 #2274 - 12 msgs
"arniel" <[EMAIL PROTECTED]> wrote:
> I am implementing Wireless EAP-TLS for my Windows XP and Windows 2000 PRO.
>
> Just want to ask if I can instruct my freeradius to look into my LINUX local
> users (/home/users) or /etc/passwd for authentication?

FreeRADIUS comes configured to do that by default. Did you try it?

As for combining EAP-TLS with /etc/passwd, it won't work. Ever.

> Has anyone tried Freeradius and Microsoft Active Directory integration?

Have you tried searching the list archives? This question has been asked & answered many times.

Alan DeKok.
Re: Attribute "User-Name" is required for authentication.
Vishal Jose <[EMAIL PROTECTED]> wrote:
> Hi,
> " Attribute "User-Name" is required for authentication. " In the server side and it
> is saying "Access-Reject" to the client.
> This is the problem I'm facing..hope u people can give me a solution to the above
> the probs

Hi,

Let me add some more details to the former mail:

    $ echo "User-Name = \"test\", User-Password = \"test123test\"" | ./radclient -x 10.0.1.55 auth testing123
    Sending Access-Request of id 43 to 10.0.1.55:1812
        :110 = UNKNOWN-TYPE
        :110 = UNKNOWN-TYPE
    Re-sending Access-Request of id 43 to 10.0.1.55:1812
        :110 = UNKNOWN-TYPE
        :110 = UNKNOWN-TYPE
    rad_recv: Access-Reject packet from host 10.0.1.55:1812, id=43, length=20

How to solve this? Thanks in advance.

Rgds,
Vishal

--
Vishal Jose M, Software Engineer
[EMAIL PROTECTED]
iCOPE Technologies Pvt. Ltd.
Tel: 91-80-5716909
www.icope.com
...the Linux philosophy is "laugh in the face of danger". Oops. Wrong one. "Do it yourself". That's it.
Attribute "User-Name" is required for authentication.
Hi,

" Attribute "User-Name" is required for authentication. " In the server side and it is saying "Access-Reject" to the client.

This is the problem I'm facing..hope u people can give me a solution to the above the probs

//Vishal

--
Vishal Jose M, Software Engineer
[EMAIL PROTECTED]
iCOPE Technologies Pvt. Ltd.
Tel: 91-80-5716909
www.icope.com
...the Linux philosophy is "laugh in the face of danger". Oops. Wrong one. "Do it yourself". That's it.
Re: Freeradius and C++
Is there more info about building freeradius on the win32 platform? I want to make a radius run on win32; could someone give me some advice?

thanks

Yorgo Sun
Deputy Director
Information Technology Department
Beijing Super Channel Network Limited
A TOM Group Company
Email:[EMAIL PROTECTED]
Mobile:13701243390
Phone:65283399-6121
ICQ:2221711
http://www.ruisoft.com
radacct
Dear all,

I am curious to find out, is there any sample script that can be used for radacct. I found inside /etc/raddb/acct_users like this:

DEFAULT Acct-Status-Type == Start
#       Exec-Program = "/path/to/exec/acct/start"
#
#DEFAULT Acct-Status-Type == Stop
#       Exec-Program = "/path/to/exec/acct/stop"

Thanks.

Regards,
Rio Martin.
Re: centralised radutmp
> > Is it possible to centralised radutmp file for a few radius servers??
> > Let say I've 5 radius servers used by a few NAS boxes... Then I would like
> > to control multiple login for all 5 radius servers using one radutmp
> > centralised in log server... So user authenticate using one radius server
> > cannot do 2nd authenticate is another server...
>
> You can use radrelay to maintain a full radutmp file on each radius server.

So to maintain full radutmp file.. each radius server will need to relay data to other radius servers .. So in the case if we have 5 server ... each radius server will have to relay to other 4 servers

So by the end.. All 5 radius server will have full radutmp file.. But is the accounting data in detail file will be replicated also... I just need radutmp data...

--haizam
Re: SQL user generation script | scripts/create-users.pl rewrite
I just did a little rewrite on the script I use...

http://www.bcore.de/data/create-users.tar.gz

It should now fit to the most common needs...

Cheers,
OoLee

On Sun, 2003-09-07 at 11.40, jc fulknier wrote:
> is there a script to auto generate users and passwds
> into a mySQL DB?
> Thanks
> JC
avaya nas
Hello everybody,

The Avaya AP3 I use can send the mac-address of the end-user. They also use 802-1X. I don't understand, and I have not found anything about, the way these NAS work. May I only use Auth-Type := system or may I combine both mac address and unix authentication?

Any help will be appreciated

Thanks in advance

Jean Frontin
System team
I R I T
Université Paul-Sabatier
118, rte de Narbonne
31062 Toulouse cedex 04
France
tel (33)(0)5 61 55 63 03
mail [EMAIL PROTECTED]
Re: centralised radutmp
On Mon, 8 Sep 2003, Rohaizam Abu Bakar wrote:

> Is it possible to centralised radutmp file for a few radius servers??
> Let say I've 5 radius servers used by a few NAS boxes... Then I would like
> to control multiple login for all 5 radius servers using one radutmp
> centralised in log server... So user authenticate using one radius server
> cannot do 2nd authenticate is another server...

You can use radrelay to maintain a full radutmp file on each radius server.

> Freeradius version: 0.9.0
> Authentication method: LDAP - openldap-2.0.27.tgz
>
> --haizam

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: help:radius+ldap
On Mon, 8 Sep 2003, 黄建波 wrote:

> Hi all!
> My userdata is in ldap and I want to use EAP-MD5 authentication.I configure
> radiusd.conf:
> modules {
>     ldap {
>         #password_header = "{CLEAR}"
>         password_header = "{crypt}"
>         #password_a=ttribute
>         password_attribute = userPassword
>     }
>
> The passwd_header in my ldap is crypt.But when I login,the Error message is :
> ldap_release_conn: Release Id: 0
> rlm_eap_md5: Challenge failed
> Login OK: [jbhuang] (from client gznet18 port 1024 cli )
> rad_recv: Access-Request packet from host 202.112.18.253:1024, id=182, length=166
> Sending Access-Reject of id 182 to 202.112.18.253:1024
>     EAP-Message = 0x04020004
>     Message-Authenticator = 0x
> Why?

See http://www.freeradius.org/faq/#4.4

In short you are using crypted passwords not clear text. These will not work with EAP-MD5 (or CHAP for that matter).

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
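Why the reply above holds, as an added example that is not part of the original thread: EAP-MD5 and CHAP compute MD5(identifier || password || challenge), so the server must hold the cleartext password to recompute the response, whereas PAP hands the server the password and lets it hash and compare. The salted SHA-256 here is a constructed stand-in for a {crypt} userPassword value, and all function names and sample values are assumptions.

```python
import hashlib
import hmac
import os

def md5_challenge_response(identifier, secret, challenge):
    """RFC 1994 CHAP / EAP-MD5 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def one_way_store(password, salt):
    """Constructed stand-in for a {crypt} value: a salted one-way hash."""
    return hashlib.sha256(salt + password).digest()

def challenge_verify(identifier, challenge, response, secret_on_file):
    """Server side: recompute the response from whatever is stored."""
    expected = md5_challenge_response(identifier, secret_on_file, challenge)
    return hmac.compare_digest(expected, response)

def pap_verify(submitted_password, salt, stored_hash):
    """PAP delivers the password itself, so hashing and comparing works."""
    return hmac.compare_digest(one_way_store(submitted_password, salt),
                               stored_hash)

def demo():
    password = b"sample-password"          # constructed sample value
    salt = b"ab"                           # constructed sample salt
    stored_hash = one_way_store(password, salt)
    identifier, challenge = 2, os.urandom(16)
    # Supplicant side: only the MD5 response crosses the wire.
    response = md5_challenge_response(identifier, password, challenge)
    return {
        "eap_md5_cleartext_on_file":
            challenge_verify(identifier, challenge, response, password),
        "eap_md5_hash_on_file":
            challenge_verify(identifier, challenge, response, stored_hash),
        "pap_hash_on_file": pap_verify(password, salt, stored_hash),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "accept" if ok else "reject")
```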
EAP TLS multiple auth
Hi to all,

does anybody know if there is a method to detect multiple auth. of an EAP-TLS client? If I produce a valid couple of certificates (root + client), anybody with this certificate can be auth. on radius. I have seen that after auth, with the accounting phase, I can see if someone with the same certificate is logged or not. Is there any way to avoid this? (if someone is just logged, no auth)

thanks