Regexp matching in checkval module (Calling-Station-Id)

2003-09-16 Thread Roman M. Bibikov
Hi All!

I have trouble with pattern matching in the checkval module.

For example, I need to allow access for all clients whose Calling-Station-Id
is 11 digits long, beginning with "6" or "7", with "123" at the second
position and "8" or "19" after "123" (i.e. at the fifth position). I also
need to check that the other positions are occupied by digits, not by other
characters.

I.e. 

61238xx
71238xx
612319x
712319x

I use checkval module for this.

In the user database (LDAP) I store the following value, defining the needed
regular expression. (Mysteriously "([0-9]{5})" does not work... So I use "."
instead of the [0-9] class with an interval {}.)

"=~ ^[6|7]123[8.|19].$"

I've read the POSIX regular expression routines manuals and didn't find any
mistakes in my pattern.

But the checkval module rejects the numbers in all cases :-(
It would be wonderful if somebody could explain my mistakes to me.

See logs please:

Wed Sep 17 17:37:50 2003 : Debug: rlm_checkval: Item Name:
Calling-Station-Id, Value: 61238123456
Wed Sep 17 17:37:50 2003 : Debug: rlm_checkval: Value Name:
Calling-Station-Id, Value: ^[6|7]123[8.|19].$
Wed Sep 17 17:37:50 2003 : Debug: rlm_checkval: Doing regex
Wed Sep 17 17:37:50 2003 : Debug:   modcall[authorize]: module
"checkval" returns reject

Wed Sep 17 17:37:50 2003 : Debug: rlm_checkval: Item Name:
Calling-Station-Id, Value: 61231912345
Wed Sep 17 17:37:50 2003 : Debug: rlm_checkval: Value Name:
Calling-Station-Id, Value: ^[6|7]123[8.|19].$
Wed Sep 17 17:37:50 2003 : Debug: rlm_checkval: Doing regex
Wed Sep 17 17:37:50 2003 : Debug:   modcall[authorize]: module
"checkval" returns reject

Thanks
Roman

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
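An added example (not from the post and not FreeRADIUS code) that runs the posted pattern and a corrected one through the same POSIX regcomp/regexec calls a module would use, assuming the pattern is compiled with REG_EXTENDED. In POSIX syntax `[8.|19]` is a bracket expression matching one character from the set 8 . | 1 9, not an alternation, so the posted pattern only ever matches 6-character strings and rejects every 11-digit Calling-Station-Id; the corrected pattern is my reading of the stated requirement (11 digits, leading 6 or 7, then 123, then 8 + six digits or 19 + five digits).

```c
#include <regex.h>
#include <stdio.h>

/* The pattern from the post and a corrected pattern for the same requirement. */
static const char *POSTED_PATTERN = "^[6|7]123[8.|19].$";
static const char *FIXED_PATTERN  = "^[67]123(8[0-9]{6}|19[0-9]{5})$";

/* Compile PATTERN as a POSIX extended regex and test VALUE against it.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int ere_matches(const char *pattern, const char *value)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample values: the two Calling-Station-Ids from the log
     * plus inputs that an access-control pattern must reject. */
    const char *samples[] = {
        "61238123456",  /* from the log: should be accepted */
        "61231912345",  /* from the log: should be accepted */
        "6123812345a",  /* non-digit in the last position */
        "81238123456",  /* wrong leading digit */
        "|123.x",       /* 6 chars; slips through the posted pattern */
    };
    size_t i, n = sizeof samples / sizeof samples[0];

    for (i = 0; i < n; i++)
        printf("%-12s posted=%d fixed=%d\n", samples[i],
               ere_matches(POSTED_PATTERN, samples[i]),
               ere_matches(FIXED_PATTERN, samples[i]));
    return 0;
}
```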


Re: Wi-fi hotspot

2003-09-16 Thread Tom Emerson
[reordered to make a bit more sense...]

[originally, I wrote an answer describing how my system works]

> -Original Message-
> From:  Brynjar Hauksson
>
> Hi Tom
> What prepaid system did you get?

On Tuesday 16 September 2003 7:38 am, Jeremy Davis wrote:
> ...  It is relatively easy
> to build a prepaid card engine due to the modular approach of FreeRadius. 

To which I'll say "ditto" to Jeremy's comment -- I built my "prepaid" card 
system from scratch, and with only some minor niggles it works just fine [I 
think a couple of people "ended up" with a free hour, but that isn't going to 
break the bank around here...]

The only real caveat to a "prepaid" card system is that you have to actually 
print some cards!  If you don't print enough, well, people can't use your 
system.  Print too many and you'll get desperate to get them "sold".  If I 
had a computer system "on site" with the AP [and a printer, naturally], I'd 
have set up a terminal at the register so the employees could print a "card" 
[login info] on demand [and I'd have probably also used the computer system 
and something like nocat to do the work that the hotspot-in-a-box AP is 
doing]

I'll be discussing my "hotspot" business at our next Linux user group meeting 
[this is in Pasadena, California -- if you're close enough to attend and are 
interested, contact me off-list and I'll point you to the group's info]  The 
presentation is a bit of a "showcase" of using nothing but open-source tools 
and Linux.




Re: Limiting time to connect

2003-09-16 Thread Tom Emerson
On Tuesday 16 September 2003 3:24 pm, Michael Griego wrote:
> I haven't had a chance to thoroughly test it yet, but Proxim support
> tells me that they support the Session-Timeout attribute.  So, if you
> add a Session-Timeout attribute to the access accept packet, it should
> give a per-client timeout on the AP.

I can verify this -- I have the AP2500, which is basically a 2000 with added 
features specifically for support of "hotspots", and I do indeed set various 
session limits [15 minute "promo" accounts, 1- and 2-hour single-use 
accounts, etc.]

In addition, there is a "side effect" to using acct-session-time as a 
"counter" variable -- if you set a maximum value in a check phrase, FR will 
automatically calculate the difference between that maximum and the time 
accumulated so far and return that as the "session limit"





Re: FreeRadius and md5 hashed passwords

2003-09-16 Thread Martin Jessa
Hi Marius, guys

I am stuck. I made some changes in the config file and added Auth-Type to the 
radgroupcheck table (which was previously empty) and now I cannot authenticate at all.
It seems the problem is somewhere else.

My radiusd.conf:

modules {
    mschap {
        authtype = MD5
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        encryption_scheme = md5
    }
}

authorize {
    preprocess
    suffix
    sql
}

authenticate {
    authtype MD5 {
        mschap
    }
}




mysql> select * from radgroupreply;
+----+-----------+-------------------+----+-----------------+------+
| id | GroupName | Attribute         | op | Value           | prio |
+----+-----------+-------------------+----+-----------------+------+
|  1 | user      | Framed-IP-Netmask | := | 255.255.255.0   |    0 |
|  2 | user      | Framed-IP-Address | := | 255.255.255.254 |    0 |
|  3 | user      | Service-Type      | := | Framed-User     |    0 |
|  4 | user      | Auth-Type         | := | Local           |    0 |
+----+-----------+-------------------+----+-----------------+------+

mysql> select * from usergroup;
+----+-------------------+-----------+
| id | UserName          | GroupName |
+----+-------------------+-----------+
|  1 | [EMAIL PROTECTED] | user      |
+----+-------------------+-----------+

mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | user      | Auth-Type | := | MD5   |
+----+-----------+-----------+----+-------+

mysql> select * from radcheck;
+----+-------------------+---------------+----+-------------------------------------+
| id | UserName          | Attribute     | op | Value                               |
+----+-------------------+---------------+----+-------------------------------------+
|  1 | [EMAIL PROTECTED] | User-Password | := | $1$bc8bf6f2fd343cab9d387d5dcc777be3 |
+----+-------------------+---------------+----+-------------------------------------+

Then running:
radtest [EMAIL PROTECTED] my_pass 127.0.0.1 1812 radius_pass 127.0.0.1

I get the following error:



rad_recv: Access-Request packet from host 127.0.0.1:57048, id=44, length=73
User-Name = "[EMAIL PROTECTED]"
User-Password = "my_pass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "mschap" returns notfound
rlm_realm: Looking up realm yazzy.org for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm DEFAULT
rlm_realm: Adding Stripped-User-Name = "yazzy"
  rlm_realm: Proxying request from user yazzy to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm:  Authentication realm is LOCAL.

***SNIP***

rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MD5
auth: type "MD5"
modcall: entering group authtype
rlm_mschap: No LM/NT password configured. Check authorization.
  modcall[authenticate]: module "mschap" returns invalid
modcall: group authtype returns invalid
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4

Any idea what can be wrong and how to fix it?




On Tue, 16 Sep 2003 20:27:03 -0500
Marius Strom <[EMAIL PROTECTED]> wrote:

> Martin,
> Try adding $1$ to the beginning of an MD5 password.
> 
> On Wed, 17 Sep 2003, Martin Jessa wrote:
> > Hi guys.
> > 
> > I have set up freeradius with authentication agains MySQL.
> > I have poptop talking to the radius server and in that way authenticating my users.
> > The problem is I cannot make the radius server read md5 encrypted passwords, only 
> > plain text.
> > Any idea what to do to make it read md5 passwords?
> > Example of the password table:
> > 
> > table 'radcheck' :
> > 
> > Cleartext (works):
> > INSERT INTO radcheck VALUES (2,'[EMAIL 
> > PROTECTED]','User-Password',':=','12233445');
> > 
> > MD5 (no love):
> > INSERT INTO radcheck VALUES (3,'[EMAIL 
> > PROTECTED]','User-Password',':=','bc8bf6f2fd343cab9d387d5dcc777be3');
> > 
> > 
> > Regards, 
> > Martin Jessa
> > ___
> > [EMAIL PROTECTED] mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> > To unsubscribe, send any mail to "[EMAIL PROTECTED]"
> > 
> 
> -- 
>/->
> Marius Strom   | Always carry a short length of fibre-optic cable.
> Professional Geek  | If you get lost, then you can drop it on the
> System/Network Admin   | ground, wait 10 minutes, and ask the backhoe
> http://www.marius.org/ | operator how to get back to civilization.
>\-| Alan Frame |-->




Re: POSTGRESQL + FREERADIUS 0.9.1 configuration help

2003-09-16 Thread boggss
Guy, my reason for using fr 0.9.1 with pgsql 7.3.2 is that pgsql has
triggers and functions that I am using. I am implementing a lot of
stored procedures on it. Can you send me the config files of fr + pgsql?
I'll be delighted to study them.
Thanks

> Hi
>
> I did have 0.8.1 working as a test, but late last week I decided to
> upgrade to 0.9.1 before modifying dial-admin to work with PostgreSQL.
> Having run into a problem porting 0.9.1 to FreeBSD I no longer have a
> functional example to show you.
>
> Unless you have a specific reason to use PostgreSQL, you are probably
> better off using MySQL. It appears as though PostgreSQL is barely
> supported. The setup in 0.9.1 is much better, but there is no setup for
> dialup-admin, and I am not sure if there is setup information for
> sql_counter because I have not looked at it yet.
>
> I am still using cistron 1.6.6 that I patched to account to PostgreSQL,
> and until I am satisfied with PostgreSQL functions in FreeRadius I will
> be testing and hopefully providing patches and suggesting fixes for the
> implementation of PostgreSQL.
>
> [EMAIL PROTECTED] wrote:
>
>> I did that already. It still won't... do you have working configs? al about FR and PGSQL
>>
>> > Make sure the user you have setup to access the database has insert
>> > and update permissions for the radacct table.
>>


  



FreeRadius and md5 hash passwords

2003-09-16 Thread Martin Jessa
Hi guys.

I have set up freeradius with authentication against MySQL.
I have poptop talking to the radius server and in that way authenticating my users.
The problem is I cannot make the radius server read md5 encrypted passwords, only 
plain text.
Any idea what to do to make it read md5 passwords?
Example of the password table:

table 'radcheck' :

Cleartext (works):
INSERT INTO radcheck VALUES (2,'[EMAIL PROTECTED]','User-Password',':=','12233445');

MD5 (no love):
INSERT INTO radcheck VALUES (3,'[EMAIL PROTECTED]','User-Password',':=','bc8bf6f2fd343cab9d387d5dcc777be3');


Regards, 
Martin Jessa



defaulting a user's Realm

2003-09-16 Thread Ron Wahler








 

We have had this working with an earlier version of FreeRadius. When
a User-Name does not have a Realm we want to default its realm.

In the users file we have the following lines:

DEFAULT Realm == "Site", Autz-Type := Site,
        Auth-Type := Site, PostAuth-Type := Site-postauth

DEFAULT Proxy-To-Realm:="Site"

The expected behavior would be to default the user's Realm to Site and
send the request through the proxy module again. This seems to have
stopped working with the latest release. At the end of the users file
the Server just stops processing the request.

Here's some of the debug. Anyone else having this problem?

Thanks,

Ron.

rad_recv: Access-Request packet from host 10.0.0.53:2370, id=35, length=57
        User-Name = "ron"
        User-Password = "ronpassword"
        Calling-Station-Id = ""
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns noop
    rlm_realm: No '@' in User-Name = "ron", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
    rlm_realm: No '/' in User-Name = "ron", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "realmslash" returns noop
    rlm_realm: No '\' in User-Name = "ron", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "backslash" returns noop
    rlm_realm: No '%' in User-Name = "ron", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "realmpercent" returns noop
    users: Matched DEFAULT at 21
  modcall[authorize]: module "files" returns ok
rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop
modcall: group authorize returns ok
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...








Re: Limiting time to connect

2003-09-16 Thread Michael Griego
I haven't had a chance to thoroughly test it yet, but Proxim support
tells me that they support the Session-Timeout attribute.  So, if you
add a Session-Timeout attribute to the access accept packet, it should
give a per-client timeout on the AP.

--Mike


On Tue, 2003-09-16 at 16:41, Narasimha Reddy Gujja wrote:
> Hi all
> 
> I have a wireless set up, where I authenticate the clients (wireless card) with
> RADIUS, request coming via NAS(Orinoco AP2000).
> 
> Is there a way to limit the time, client connected to the network.
> 
> I think we can limit the time to connect by changing some configuration within
> NAS(Orinoco AP2000), but that will be same for all users.
> 
> I want the time to connect to be varied based on each user.
> 
> I can gather information about user from LDAP (I use LDAP for authorize and
> authentication).
> 
> Do i need to append something to access_accept packet? or send some other packet
> to NAS before access_accept?
> 
> I appreciate for patient hearing.
> 
> Thanks
> Narasimha R Gujja
> 
-- 

--Mike


Michael Griego
Wireless Network Administrator
University of Texas at Dallas





libpam not found

2003-09-16 Thread Mark Moody
I'm trying to install Freeradius 0.9.1 on a Debian system (2.4.30),
everything is fine except for the following:

configuring in src/modules/rlm_pam
running /bin/sh ./configure  --prefix=/usr --sysconfdir=/etc
--localstatedir=/var --with-experimental-modules --with-snmp
--with-rlm-pam-lib-dir=/usr/lib --enable-ltdl-install
--cache-file=../../.././config.cache --srcdir=.
loading cache ../../.././config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG ) works... yes
checking whether the C compiler (gcc -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG ) is a
cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking for dlopen in -ldl... (cached) yes
checking for pam_start in -lpam... (cached) no
checking for security/pam_appl.h... (cached) no
checking for pam/pam_appl.h... (cached) no
configure: warning: silently not building rlm_pam.
configure: warning: FAILURE: rlm_pam requires:  libpam.
creating ./config.status
creating Makefile
creating config.h
config.h is unchanged

When I look in /usr/lib I find:

-rw-r--r--1 root root   224608 Jan 21  2002 libpam.a
lrwxrwxrwx1 root root   19 Sep 16 19:19 libpam.so ->
/lib/libpam.so.0.72
-rw-r--r--1 root root 6436 Jan 21  2002 libpam_misc.a
lrwxrwxrwx1 root root   24 Sep 16 19:19 libpam_misc.so
-> /lib/libpam_misc.so.0.72
-rw-r--r--1 root root10050 Jan 21  2002 libpamc.a
lrwxrwxrwx1 root root   20 Sep 16 19:19 libpamc.so ->
/lib/libpamc.so.0.72

I'm using the following configure statement:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
--with-experimental-modules --with-snmp

I've also tried it with --with-rlm-pam-lib-dir=/usr/lib and I get the
same result.  I've searched the archives, and not found any clues, what
gives?



-- 
Mark Moody 
Serious ISP   888-243-7011 x5108 
[EMAIL PROTECTED] 
GPG Key fingerprint = ED26 261A E08F BCBC 4AB0  7C0D A483 F309 A856 ABEF




Limiting time to connect

2003-09-16 Thread Narasimha Reddy Gujja


Hi all

I have a wireless set up, where I authenticate the clients (wireless card) with
RADIUS, the request coming via the NAS (Orinoco AP2000).

Is there a way to limit the time a client is connected to the network?

I think we can limit the time to connect by changing some configuration within
the NAS (Orinoco AP2000), but that would be the same for all users.

I want the time to connect to vary based on each user.

I can gather information about the user from LDAP (I use LDAP for authorization and
authentication).

Do I need to append something to the access_accept packet, or send some other packet
to the NAS before access_accept?

I appreciate your patient hearing.

Thanks
Narasimha R Gujja





Re: Logging Failed Attempts to MySql database

2003-09-16 Thread Alan DeKok
"Paul Hampson" <[EMAIL PROTECTED]> wrote:
> > In fact I posted on freeradius-devel a set of patches: one adds
> > support for "Post-Auth-Type REJECT"
> 
> I'll get on to adding this to CVS over the weekend. Sorry, I've
> been a little busy with the 0.9.1 release, and then the stuff I
> was ignoring while worrying about the 0.9.1 release. :-)

  Thanks.  I've been out of the loop a lot, with bizarre panic
situations.

> There's only one issue for me to resolve, which is the same thing
> holding up the documentation... What happens when there's no section
> found or the Post-Auth-Type is not set? This is an issue for backwards
> compatibility. :-)

  I believe it's ignored.

  Any new installation SHOULD have Post-Auth-Type.

> > and an other provides an "authlog_query" in sql.conf
> 
> I'd have to go dig this patch up again, but wouldn't a postauth-query
> work better? That way it's more general than just logging. The only
> proviso is that the return value gets chucked, so INSERT, DELETE or
> UPDATE are the only sensible options.

  Sounds reasonable to me.

  The server really needs more configurable logging.  What GNU radius
does is useful.  Though I can't figure out how the heck they have more
"C" code than FreeRADIUS, with 1/10 the functionality.

  Alan DeKok.



Re: FreeRadius 0.9.1 on Redhat 8

2003-09-16 Thread Alan DeKok
Patrick Forsythe <[EMAIL PROTECTED]> wrote:
> I am building out a new server. The old server had the Livingston version 
> of radius I believe 1.16. with about  100 users. The new server is a RedHat 
> 8 box. After many failed attempts to install the livingston radius I 
> downloaded and installed FreeRadius 0.9.1 . When I run it, it responds to 
> requests but will not authenticate anyone. Below is the output from the 
> radiusd -x
...
>rad_check_password:  Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
>modcall[authenticate]: module "unix" returns notfound

  The test user isn't listed in /etc/passwd

> I am very new to this type of stuff and it has been dealing me fits for the 
> better part of a week so any help would be greatly appreciated.

  Read the FAQ, and try the test authentication there.

  If you're upgrading from Livingston, most of the 'users' file can be
copied over, with only minor changes.

  Alan DeKok.



RE: Logging Failed Attempts to MySql database

2003-09-16 Thread Paul Hampson
> From: Nicolas Baradakis
> Sent: Saturday, 13 September 2003 2:12 AM

> Thor Spruyt wrote:
> 
> > > The second point is you'll only get the login / password in the
> > > database. For example the hotline staff may need the Calling-Station-Id
> > > too. Therefore you need the rlm_sql module to execute the SQL query of
> > > your choice after authentication.

> > After authentication might mean: after a successful authentication

> You're right.

> In fact I posted on freeradius-devel a set of patches: one adds
> support for "Post-Auth-Type REJECT"

I'll get on to adding this to CVS over the weekend. Sorry, I've
been a little busy with the 0.9.1 release, and then the stuff I
was ignoring while worrying about the 0.9.1 release. :-)

There's only one issue for me to resolve, which is the same thing
holding up the documentation... What happens when there's no section
found or the Post-Auth-Type is not set? This is an issue for backwards
compatibility. :-)

> and an other provides an "authlog_query" in sql.conf

I'd have to go dig this patch up again, but wouldn't a postauth-query
work better? That way it's more general than just logging. The only
proviso is that the return value gets chucked, so INSERT, DELETE or
UPDATE are the only sensible options.

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




RE: (no subject)

2003-09-16 Thread Paul Hampson
From: [EMAIL PROTECTED]
Sent: Wednesday, 17 September 2003 12:42 AM

> I can't compile freeradius.0.9.1 on FreeBSD 4.8.
> But when I compile this version on FreeBSD 5.0 these problems are fixed.
> What can I do about these bugs???

Stick with FreeBSD 5?

Actually, if you read the mailing list archives,
you're having the same gethostbyname_r problem
as everyone else. There are workarounds, which
have been described. A solution within FreeRADIUS is
not yet decided upon, but is under discussion.



FreeRadius 0.9.1 on Redhat 8

2003-09-16 Thread Patrick Forsythe
I am building out a new server. The old server had the Livingston version 
of radius, I believe 1.16, with about 100 users. The new server is a RedHat 
8 box. After many failed attempts to install the Livingston radius I 
downloaded and installed FreeRadius 0.9.1. When I run it, it responds to 
requests but will not authenticate anyone. Below is the output from 
radiusd -x:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=110, length=57
        User-Name = "steve"
        User-Password = "testing"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
rlm_realm: No '@' in User-Name = "steve", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
  modcall[authenticate]: module "unix" returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 110 to 127.0.0.1:32769
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 110 with timestamp 3f673ce5
Nothing to do.  Sleeping until we see a request.

This is what is displayed on the console using radtest:

Sending Access-Request of id 110 to 127.0.0.1:1812
        User-Name = "steve"
        User-Password = "testing"
        NAS-IP-Address = kckcc2.toto.net
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=110, length=20

I am very new to this type of stuff and it has been dealing me fits for the 
better part of a week so any help would be greatly appreciated.







RE: FreeRADIUS 0.9.1. under FreeBSD^ making errors

2003-09-16 Thread Paul Hampson
> From: andrew bogorodsky
> Sent: Sunday, 14 September 2003 8:28 PM

> Making static dynamic in rlm_dbm...
> gmake[5]: Entering directory 
> `/usr/local/soft/freeradius-0.9.1/src/modules/rlm_dbm'
> gcc  -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG 
> -I../../include -DHAVE_NDBM_H -c rlm_dbm.c -o rlm_dbm.o
> rlm_dbm.c: In function `sm_parse_user':
> rlm_dbm.c:172: warning: assignment discards qualifiers from pointer 
> target type
> rlm_dbm.c:206: warning: passing arg 2 of `paircmp' discards qualifiers 
> from pointer target type
> /usr/local/soft/freeradius-0.9.1/libtool --mode=link ld \
> -module -static  -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE 
> -DNDEBUG  -I../../include -DHAVE_NDBM_H rlm_dbm.o -o rlm_dbm.a
> mkdir .libs
> ar cru rlm_dbm.a rlm_dbm.o
> ranlib rlm_dbm.a
> gcc  -g -O2 -pthread -D_THREAD_SAFE -Wall -D_GNU_SOURCE -DNDEBUG 
> -I../../include -DHAVE_NDBM_H -c rlm_dbm_parser.c -o rlm_dbm_parser.o
> rlm_dbm_parser.c: In function `storecontent':
> rlm_dbm_parser.c:160: warning: assignment discards qualifiers from 
> pointer target type
> /usr/local/soft/freeradius-0.9.1/libtool --mode=link gcc 
> rlm_dbm_parser.o ../../lib/libradius.a   -o rlm_dbm_parser
> gcc rlm_dbm_parser.o -o rlm_dbm_parser  ../../lib/libradius.a
> ../../lib/libradius.a(misc.o): In function `ip_hostname':
> /usr/local/soft/freeradius-0.9.1/src/lib/misc.c:63: undefined reference 
> to `gethostbyaddr_r'
> gmake[5]: *** [rlm_dbm_parser] Error 1
> 
> (libtool-1.5)

I don't think we support libtool-1.5... No idea if it actually
breaks things.

This problem is triggered by FreeBSD's lying about the functions
provided by libc regarding name resolution. Specifically, it claims
to have gethostbyaddr_r but won't link with it. Try
CFLAGS=-lc_r ./configure {Rest of configure options}
from a clean copy of the tarball, and see if that helps.



Set a realm to authenticate all requests

2003-09-16 Thread Brian Fennimore
With Isabella looming I've gotten a few requests to set a realm to
authenticate all should a downstream have stability issues.  I need to set a
specific realm to authenticate all incoming requests while having the others
proxy as normal.  Any ideas or experiences would be appreciated.

Brian

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 10:39 AM
To: [EMAIL PROTECTED]
Subject: Freeradius-Users digest, Vol 1 #2312 - 7 msgs




Today's Topics:

   1. Re: dialup-admin patch2 (Ulrich Walcher)
   2. Newsletter - Activation link ([EMAIL PROTECTED])
   3. Re: Https + RADIUS (Alan DeKok)
   4. RE: [eap] non-wire related comments on eap-sim-11.txt
([EMAIL PROTECTED])
   5. RE: Wi-fi hotspot (Brynjar Hauksson)
   6. Re: Radiusd service script + daemontools supervise (Alan DeKok)
   7. RE: Wi-fi hotspot (Jeremy Davis)

--__--__--

Message: 1
Subject: Re: dialup-admin patch2
From: Ulrich Walcher <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Organization:
Date: 16 Sep 2003 15:22:40 +0200
Reply-To: [EMAIL PROTECTED]

and here also...

--- /usr/local/cvs/radiusd/dialup_admin/lib/sql/defaults.php3
2003-01-28 15:14:53.0 +0100
+++ /usr/local/dialup_admin/lib/sql/defaults.php3   2003-09-16
15:18:27.0 +0200
@@ -121,10 +121,10 @@
$link = @da_sql_pconnect($config);
if ($link){
$res = @da_sql_query($link,$config,
-   "SELECT DISTINCT GroupName FROM
$config[sql_usergroup_table];");
+   "SELECT DISTINCT s.groupname FROM
$config[sql_groupcheck_table] CROSS JOIN (SELECT DISTINCT u.groupname
FROM $config[sql_groupreply_table] CROSS JOIN
$config[sql_usergroup_table] u) as s;");
if ($res){
while(($row =
@da_sql_fetch_array($res,$config)))
-   $member_groups[] = $row[GroupName];
+   $member_groups[] = $row[groupname];
}
else
echo "Database query failed: " .
da_sql_error($link,$config) . "\n";
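Review bot: the replacement query makes the group list depend on tables it does not list from. Both `$config[sql_groupcheck_table] CROSS JOIN (...)` and `$config[sql_groupreply_table] CROSS JOIN $config[sql_usergroup_table] u` are Cartesian products, so if either the groupcheck or the groupreply table has no rows the result is empty and $member_groups is never filled, whereas the removed `SELECT DISTINCT GroupName FROM $config[sql_usergroup_table]` returned every group a user is assigned to; on a populated database the product also grows as rows(groupcheck) x rows(groupreply) x rows(usergroup) only to deduplicate one column. If the intent is just the lower-case result column so that `$row[groupname]` works on PostgreSQL (which folds unquoted identifiers to lower case), `SELECT DISTINCT groupname FROM $config[sql_usergroup_table]` keeps the old semantics; if the intent is to list groups that appear in any of the three tables, a UNION of three single-table selects says so without the empty-table failure mode. Quoting the key as `$row['groupname']` would also avoid the PHP notice for an undefined constant.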


On Fri, 2003-09-12 at 16:08, Ulrich Walcher wrote:
> Oops,
> forgot to add this one...
>
> OoLee
>
> --- /usr/local/cvs/radiusd/dialup_admin/lib/sql/defaults.php3
> 2003-01-28 15:14:53.0 +0100
> +++ /usr/local/dialup_admin/lib/sql/defaults.php3   2003-09-12
> 16:04:15.0 +0200
> @@ -121,10 +121,10 @@
> $link = @da_sql_pconnect($config);
> if ($link){
> $res = @da_sql_query($link,$config,
> -   "SELECT DISTINCT GroupName FROM
> $config[sql_usergroup_table];");
> +   "SELECT DISTINCT c.groupname FROM
> $config[sql_groupcheck_table] c CROSS JOIN $config[sql_groupreply_table]
> r;");
> if ($res){
> while(($row =
> @da_sql_fetch_array($res,$config)))
> -   $member_groups[] = $row[GroupName];
> +   $member_groups[] = $row[groupname];
> }
> else
> echo "Database query failed: " .
> da_sql_error($link,$config) . "\n";
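Review bot: this version of the query drops $config[sql_usergroup_table] entirely, so `$member_groups` becomes "groups that have a check entry" rather than the groups users are assigned to, and `CROSS JOIN $config[sql_groupreply_table] r` selects nothing from r while emptying the result whenever the reply table has no rows. If the aim is only a lower-case column name for `$row[groupname]`, `SELECT DISTINCT groupname FROM $config[sql_usergroup_table]` keeps the original behaviour; if groups from the check and reply tables should be included as well, a UNION of single-table selects expresses that without the Cartesian product.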
>
>
>
>



--__--__--

Message: 2
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: Newsletter - Activation link
Date: Tue, 16 Sep 2003 15:59:03 +0200 (CEST)
Reply-To: [EMAIL PROTECTED]

Hello,

If you want to receive this newsletter, please click on the Internet
address.
If you do not want this newsletter, simply delete this e-mail.

Activation link:
http://www.1a-network.de/cgi-bin/newsletter/newsletter.cgi?id=mcsmail&email=
[EMAIL PROTECTED]&key=WXIYX3q7yHnwU&action=aktiv

Kind regards, Newsletter Team


--__--__--

Message: 3
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Https + RADIUS
Date: Tue, 16 Sep 2003 10:16:52 -0400
Reply-To: [EMAIL PROTECTED]

"JM Fernandez" <[EMAIL PROTECTED]> wrote:
> Alan can you tell me the details on how the NAS gets the end user
> username and password?

  It depends on the local implementation.

>  I'm planning to make a web based login with an access point that
> acts as a radius client.

  So have the NAS take the username & password from the web login
form, and put them into a RADIUS packet.

  Am I missing something?

  Alan DeKok.


--__--__--

Message: 4
Subject: RE: [eap] non-wire related comments on eap-sim-11.txt
Date: Tue, 16 Sep 2003 17:20

Re: module failure with multiple accounting methods

2003-09-16 Thread Alan DeKok
Dave Mason <[EMAIL PROTECTED]> wrote:
> I have a Freeradius server (v0.8.1) where I may configure multiple 
> accounting methods in radiusd.conf.  These could be any of the ones 
> supplied with Freeradius, like detail, radutmp, etc, or a new one that I 
> wrote.  My new one may succeed or fail in writing the accounting 
> record.  Currently, I return RLM_MODULE_FAIL if it fails and 
> RLM_MODULE_OK if it succeeds.  The problem is, if I run another method 
> like detail first and it succeeds, then I run mine and it fails, the 
> accounting group returns failure and no Accounting-Response is sent.  Is 
> that the correct behavior?

  That depends on what you mean by "correct".  It's the way it
currently works...

>  If not, should my accounting method return RLM_MODULE_NOOP or some
> other code in the failure case?  I looked at rlm_detail.c and it
> returns RLM_MODULE_FAIL in its failure cases.  I thought we should
> send Accounting-Response if any succeed, so the remaining
> Accounting-Requests will be sent.

  I think that's a good idea.  The accounting modules can generally
return "NOOP", which is better in some cases.

  However, the SQL modules should return *something* useful when the
database is down.  This will allow configurable fail-over for SQL
back-ends.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
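Added example (not FreeRADIUS code and not Dave's module): a small Python model of the return-code folding Alan and Dave are discussing. The folding rule is an assumption that reproduces the behaviour Dave observed (any FAIL fails the group and no Accounting-Response goes out); the `detail` stand-in, the `custom` module and the request dict are constructed for the demonstration. It shows the practical consequence of the two choices: a non-critical writer returning NOOP on failure lets the group still answer the NAS, while a critical backend such as the SQL store returning FAIL keeps the failure visible so it can be acted on.

```python
"""Model of how an accounting module group folds module return codes.

Added example, not FreeRADIUS code. The folding rule below is an
assumption modelling the behaviour described in the thread: a FAIL from
any module in the group fails the whole group and suppresses the
Accounting-Response; NOOP leaves the result to the other modules.
"""
from enum import Enum
from typing import Callable


class Rcode(Enum):
    OK = "ok"        # module did its work
    NOOP = "noop"    # module chose not to affect the group result
    FAIL = "fail"    # module tried and failed


Module = Callable[[dict], Rcode]


def run_accounting_group(modules: list[tuple[str, Module]],
                         request: dict) -> tuple[Rcode, list[str]]:
    """Run every module in order and fold the codes into one group result.

    Assumed rule: any FAIL -> FAIL; otherwise any OK -> OK; otherwise NOOP.
    All modules run, so a later module such as detail is never skipped.
    """
    codes, trace = [], []
    for name, mod in modules:
        rc = mod(request)
        codes.append(rc)
        trace.append(f"{name} -> {rc.value}")
    if Rcode.FAIL in codes:
        result = Rcode.FAIL
    elif Rcode.OK in codes:
        result = Rcode.OK
    else:
        result = Rcode.NOOP
    return result, trace


def accounting_response_sent(group_result: Rcode) -> bool:
    """The server answers the Accounting-Request only when the group did not fail."""
    return group_result is not Rcode.FAIL


# --- constructed stand-ins for the modules in the question ----------------
detail_log: list[dict] = []


def detail(request: dict) -> Rcode:
    """Stand-in for rlm_detail: append the record to an in-memory log."""
    detail_log.append(dict(request))
    return Rcode.OK


def make_custom_module(backend_up: bool, non_critical: bool) -> Module:
    """Hypothetical backend writer like the one Dave wrote (constructed)."""
    def custom(request: dict) -> Rcode:
        if backend_up:
            return Rcode.OK
        # Non-critical store: step aside (NOOP) so detail's OK carries the group.
        # Critical store (e.g. an SQL billing backend): report FAIL so the
        # failure stays visible and the caller can fail over or retry.
        return Rcode.NOOP if non_critical else Rcode.FAIL
    return custom


def scenario(backend_up: bool, non_critical: bool) -> tuple[str, bool]:
    """Run detail then the custom module; return (group result, response sent?)."""
    req = {"Acct-Status-Type": "Stop", "Acct-Session-Id": "constructed-0001"}
    mods = [("detail", detail), ("custom", make_custom_module(backend_up, non_critical))]
    result, _trace = run_accounting_group(mods, req)
    return result.value, accounting_response_sent(result)


if __name__ == "__main__":
    print(scenario(backend_up=False, non_critical=False))  # ('fail', False)
    print(scenario(backend_up=False, non_critical=True))   # ('ok', True)
    print(scenario(backend_up=True, non_critical=False))   # ('ok', True)
```

The first scenario is Dave's situation: detail succeeded, the custom module failed, the group fails and the NAS gets no Accounting-Response, so it will keep retransmitting the same Stop record. The second shows the NOOP choice Alan endorses for modules that can safely be skipped; the comment in `custom` carries his caveat that a store the billing depends on should keep returning FAIL.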


Re: EAP/SIM ... when?

2003-09-16 Thread Michael Richardson
-BEGIN PGP SIGNED MESSAGE-


I expect to complete an alpha patch by the end of the month, and then
it will have to be tested against other implementations. There is a day
or two of work left, but there are other priorities for a while.

]  Out and about in Ottawa.hmmm... beer.|  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys - custom hacks make this fully PGP2 compat

iQCVAwUBP2c3n4qHRg3pndX9AQE+8gP+JyD0VOoucIG/oEUiOOaHGuUfqdEY6CBy
SrDTPj3YueL1PeGJfVQG7wu7CxR7cbRFGVUKu+dGO5TMBIuj6hqZ1wKz5nzUfsam
1C/E+EaA+GLVTz5zCExMJXm8HVgCBx81qsvInB7MW2mnhH89JixZEVWiih6hN/2O
+TclZTnCWng=
=Uysr
-END PGP SIGNATURE-

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Wi-fi hotspot

2003-09-16 Thread Alan DeKok
Rio Martin <[EMAIL PROTECTED]> wrote:
> Perhaps if i succeed, would you allow me to share my documentation
> about it to this list Alan ?

  Sure.  If it's useful to a wider audience, we can include it with
the server.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP/SIM ... when?

2003-09-16 Thread Alan DeKok
Marcos Vázquez <[EMAIL PROTECTED]> wrote:
> I've heard some rumors claiming that EAP/SIM will be available with
> FreeRadius in the near future.
> Can anyone tell me what is the current status of this project and an
> estimated release date?

  It's being worked on.  No estimated release date.

> - Original Message - 
...
> Subject: Freeradius-Users digest, Vol 1 #2312 - 7 msgs

  *PLEASE* edit your messages, so you don't quote tons of useless
information.  It's annoying.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Hotspot billing

2003-09-16 Thread Alan DeKok
"Jeremy Davis" <[EMAIL PROTECTED]> wrote:
> Like a radius client capable of PAP or CHAP authentication would be a good
> start.  It only has an 802.1x client, so the only password-enabled
> authentication revolves around EAP-MD5, which has been yanked from XP SP1.

  The latest CVS snapshot supports TTLS.  As a protocol, it's very
nice.  There are TTLS clients for Windows & many Unixes.

  While Windows does support PEAP, it's a *horrible* protocol, and
entirely typical of Microsoft's method of trying to be "smart", and
breaking everything.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Newsletter: Thank you for your registration!

2003-09-16 Thread info
Hello,

Your e-mail address "[EMAIL PROTECTED]" has been added to the newsletter distribution list.

URL: http://www.1a-network.de/cgi-bin/newsletter/newsletter.cgi?id=mcsmail

Kind regards, Your Newsletter Team

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP/SIM ... when?

2003-09-16 Thread Marcos Vázquez
Hi there!

I've heard some rumors claiming that EAP/SIM will be available with
FreeRadius in the near future.
Can anyone tell me what is the current status of this project and an
estimated release date?

Thanks a lot,
Marcos
- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 4:39 PM
Subject: Freeradius-Users digest, Vol 1 #2312 - 7 msgs


> Send Freeradius-Users mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.cistron.nl/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>1. Re: dialup-admin patch2 (Ulrich Walcher)
>2. Newsletter - Aktivierungslink ([EMAIL PROTECTED])
>3. Re: Https + RADIUS (Alan DeKok)
>4. RE: [eap] non-wire related comments on eap-sim-11.txt
([EMAIL PROTECTED])
>5. RE: Wi-fi hotspot (Brynjar Hauksson)
>6. Re: Radiusd service script + daemontools supervise (Alan DeKok)
>7. RE: Wi-fi hotspot (Jeremy Davis)
>
> --__--__--
>
> Message: 1
> Subject: Re: dialup-admin patch2
> From: Ulrich Walcher <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Organization:
> Date: 16 Sep 2003 15:22:40 +0200
> Reply-To: [EMAIL PROTECTED]
>
> and here also...
>
> --- /usr/local/cvs/radiusd/dialup_admin/lib/sql/defaults.php3
> 2003-01-28 15:14:53.0 +0100
> +++ /usr/local/dialup_admin/lib/sql/defaults.php3   2003-09-16
> 15:18:27.0 +0200
> @@ -121,10 +121,10 @@
> $link = @da_sql_pconnect($config);
> if ($link){
> $res = @da_sql_query($link,$config,
> -   "SELECT DISTINCT GroupName FROM
> $config[sql_usergroup_table];");
> +   "SELECT DISTINCT s.groupname FROM
> $config[sql_groupcheck_table] CROSS JOIN (SELECT DISTINCT u.groupname
> FROM $config[sql_groupreply_table] CROSS JOIN
> $config[sql_usergroup_table] u) as s;");
> if ($res){
> while(($row =
> @da_sql_fetch_array($res,$config)))
> -   $member_groups[] = $row[GroupName];
> +   $member_groups[] = $row[groupname];
> }
> else
> echo "Database query failed: " .
> da_sql_error($link,$config) . "\n";
>
>
> On Fri, 2003-09-12 at 16.08, Ulrich Walcher wrote:
> > Oops,
> > forgot to add this one...
> >
> > OoLee
> >
> > --- /usr/local/cvs/radiusd/dialup_admin/lib/sql/defaults.php3
> > 2003-01-28 15:14:53.0 +0100
> > +++ /usr/local/dialup_admin/lib/sql/defaults.php3   2003-09-12
> > 16:04:15.0 +0200
> > @@ -121,10 +121,10 @@
> > $link = @da_sql_pconnect($config);
> > if ($link){
> > $res = @da_sql_query($link,$config,
> > -   "SELECT DISTINCT GroupName FROM
> > $config[sql_usergroup_table];");
> > +   "SELECT DISTINCT c.groupname FROM
> > $config[sql_groupcheck_table] c CROSS JOIN $config[sql_groupreply_table]
> > r;");
> > if ($res){
> > while(($row =
> > @da_sql_fetch_array($res,$config)))
> > -   $member_groups[] = $row[GroupName];
> > +   $member_groups[] = $row[groupname];
> > }
> > else
> > echo "Database query failed: " .
> > da_sql_error($link,$config) . "\n";
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
>
>
> --__--__--
>
> Message: 2
> To: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
> Subject: Newsletter - Activation link
> Date: Tue, 16 Sep 2003 15:59:03 +0200 (CEST)
> Reply-To: [EMAIL PROTECTED]
>
> Hello,
>
> If you want to receive this newsletter, please click on the web address.
> If you do not want this newsletter, simply delete this e-mail.
>
> Activation link:
> http://www.1a-network.de/cgi-bin/newsletter/newsletter.cgi?id=mcsmail&[EMAIL PROTECTED]&key=WXIYX3q7yHnwU&action=aktiv
>
> Kind regards, Newsletter Team
>
>
> --__--__--
>
> Message: 3
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Https + RADIUS
> Date: Tue, 16 Sep 2003 10:16:52 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "JM Fernandez" <[EMAIL PROTECTED]> wrote:
> > Alan can you tell me the details on how the NAS gets the end user
> > username and password?
>
>   It depends on the local implementation.
>
> >  I'm planning to make a web based login with an access point that
> > acts as a radius client.
>
>   So have the NAS take the username & password from the web login
> form, and put them into a RADIUS packet.
>
>   Am I missing something?
>
>   Alan DeKok.
>
>
> --__--__--

RE: [eap] wire related comments on eap-sim-11.txt

2003-09-16 Thread henry.haverinen

Hi Michael,

Although EAP/SIM is an Internet-Draft, there are implementations
and other documents that depend on it. So in general, we would like 
to maintain compatibility and interoperability with implementations 
of old draft versions, unless there is a very good reason to break 
compatibility. We have version numbers in order to help us make new 
incompatible versions of the protocol, but we'd like to
avoid doing that unless we really have to.

I believe that these three issues are not critical but rather 
they are matters of opinion, nicer ways of doing the same thing.
I agree that your proposals would be as good as or better than
what we currently have. But there isn't anything fundamentally 
wrong in the current ways that would justify an incompatible 
change. So I think we should not change the document with regard 
to these issues.

By the way, do you have a separate comment B3?

Best regards,
Henry

> -Original Message-
> From: ext Michael Richardson [mailto:[EMAIL PROTECTED]
> Sent: 15 September, 2003 22:40
> To: eap; freeradius-users
> Cc: [EMAIL PROTECTED]
> Subject: [eap] wire related comments on eap-sim-11.txt
> 
> 
> 
> *** PGP Signature Status: unknown
> *** Signer: Unknown, Key ID = 0xE99DD5FD
> *** Signed: 15.09.2003 10:39:47 PM
> *** Verified: 16.09.2003 11:12:23 AM
> *** BEGIN PGP VERIFIED MESSAGE ***
> 
> 
>   
> B1)   why is the TLV format different from the RADIUS one?
>   The length is the only difference. (being /4)
>   How often do we need attributes longer than 253 bytes?
>   What happens if the length is 0?  (Yeah, it is illegal,
>   but why have such a situation)
> 
>   The 4* the length is there so that one can have 1022 byte
>   attributes. These don't fit into single EAP-Message payloads in
>   radius, is the situation better in LCP? 
> 
>   The 4* length seems to simply result in there needing 
> to be another
>   length in many packets. That probably cancels any advantage in 
>   encoding the length as a byte. 
> 
>   The rounding up to 32-bit size also seems to waste a 
> lot of bytes
>   needlessly - the EAP messages won't be aligned when they arrive
>   in at a radius server, which is likely the end that 
> will biggest load
>   due to EAP messages, so why bother here? 
> 
>   I suggest that the TLV format be junked in favour of one that is
>   either identical to PPP or identical to radius. 
> 
>   This is gratuitously different.
> 
> B2)   why are there both IV and ENCR attributes?
>   Just put the IV at the front of cipher text. This makes 
> much more
>   sense. 
> 
> B4)   It appears that AT_FULLAUTH_ID_REQ, PERMANENT_ID_REQ and
>   ANY_ID_REQ are always mutually exclusive. I strongly suggest
>   that there be an "ID_REQ" attribute, with three values:
>FULLAUTH/PERMANENT/ANY
> 
>   In fact, these three cases seem like they are really three
>   different "Start" situations, and I suggest that they be
>   turned into three "Start" messages. This would be much easier
>   to document and analyze.
> 
> ]  Out and about in Ottawa.hmmm... beer.  
>   |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON  
>   |net architect[
> ] [EMAIL PROTECTED] 
> http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another Debian/notebook using, kernel hacking, 
> security guy");  [
> 
> 
> *** END PGP VERIFIED MESSAGE ***
> ___
> eap mailing list
> [EMAIL PROTECTED]
> http://mail.frascone.com/mailman/listinfo/eap
> 
> 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
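To make B1 concrete, here is an added example (not from the draft, from FreeRADIUS or from either poster) that walks both attribute layouts in Python: the EAP-SIM form with the length byte counted in 4-byte units, and the RADIUS form with the length in bytes. Attribute type numbers follow RFC 4186, the published version of this draft, and are assumed unchanged from draft-11; the sample bytes are constructed and the AT_MAC value is filler, not a real MAC. The parser treats Michael's "what happens if the length is 0" case the way a defender wants: a zero length never advances the cursor, so it is rejected instead of looped on, and lengths that run past the buffer are rejected too.

```python
"""Walkers for the two TLV layouts compared in the thread (added example).

EAP-SIM attribute: Type (1 byte), Length (1 byte, in 4-byte units, counting
the 2 header bytes), value padded to a 4-byte boundary.
RADIUS attribute:  Type (1 byte), Length (1 byte, total bytes incl. header).
Type numbers below are from RFC 4186 (assumed equal to draft-11's); the
sample payloads are constructed for this demonstration.
"""

AT_PERMANENT_ID_REQ = 10
AT_MAC = 11
AT_VERSION_LIST = 15
RADIUS_USER_NAME = 1


def parse_eap_sim_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Return (type, value) pairs; value keeps the layout's padding bytes.

    Length 0 would leave the offset where it is and spin forever, so it is
    rejected; so is a length that runs past the end of the buffer.
    """
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError(f"truncated attribute header at offset {off}")
        atype, alen = data[off], data[off + 1]
        if alen == 0:
            raise ValueError(f"attribute {atype} has zero length at offset {off}")
        total = alen * 4                      # length byte is in 4-byte units
        if off + total > len(data):
            raise ValueError(f"attribute {atype} length {total} exceeds buffer")
        out.append((atype, bytes(data[off + 2:off + total])))
        off += total
    return out


def parse_radius_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """RADIUS AVP walk: Length is in bytes and must be at least 2 (RFC 2865)."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError(f"truncated attribute header at offset {off}")
        atype, alen = data[off], data[off + 1]
        if alen < 2:
            raise ValueError(f"attribute {atype} has illegal length {alen}")
        if off + alen > len(data):
            raise ValueError(f"attribute {atype} length {alen} exceeds buffer")
        out.append((atype, bytes(data[off + 2:off + alen])))
        off += alen
    return out


def max_value_bytes() -> dict[str, int]:
    """Largest value one attribute can carry when the length byte is 255."""
    return {"eap_sim": 255 * 4 - 2, "radius": 255 - 2}


# --- constructed sample payloads ------------------------------------------
# AT_VERSION_LIST, len=2 (8 bytes): 2-byte actual list length, version 1, 2 pad
# AT_PERMANENT_ID_REQ, len=1 (4 bytes): 2 reserved bytes
# AT_MAC, len=5 (20 bytes): 2 reserved bytes + 16 filler bytes standing in for the MAC
SAMPLE_EAP_SIM = (
    bytes([AT_VERSION_LIST, 2, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00])
    + bytes([AT_PERMANENT_ID_REQ, 1, 0x00, 0x00])
    + bytes([AT_MAC, 5, 0x00, 0x00]) + bytes(range(16))
)
# One RADIUS User-Name AVP for comparison: Type, Length-in-bytes, value, no padding
SAMPLE_RADIUS = bytes([RADIUS_USER_NAME, 2 + 5]) + b"alice"
# The illegal case from comment B1: a length byte of 0
ZERO_LENGTH = bytes([AT_MAC, 0, 0x00, 0x00])


def demo() -> dict:
    """Parse the samples and report what a caller would see."""
    sim = parse_eap_sim_attributes(SAMPLE_EAP_SIM)
    rad = parse_radius_attributes(SAMPLE_RADIUS)
    try:
        parse_eap_sim_attributes(ZERO_LENGTH)
        zero_rejected = False
    except ValueError:
        zero_rejected = True
    return {
        "eap_sim_types": [t for t, _ in sim],
        "mac_value_len": len(sim[2][1]),          # 18 = 20 total - 2 header
        "radius_user_name": rad[0][1],
        "zero_length_rejected": zero_rejected,
        "max_value_bytes": max_value_bytes(),
    }
```

`max_value_bytes()` makes the trade-off in B1 visible as numbers: the unit-of-4 length buys room for values far beyond what a single RADIUS AVP holds, at the price of the padding and the extra inner length field the AT_VERSION_LIST sample carries.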


(no subject)

2003-09-16 Thread hernan.gonzalez-pablo



Hi...

I can't compile freeradius.0.9.1 on FreeBSD 4.8.

But when I compile this version on FreeBSD 5.0 these problems are fixed.

What can I do about these bugs???

Regards.

Hernan.


RE: Hotspot billing

2003-09-16 Thread Jeremy Davis
Like a radius client capable of PAP or CHAP authentication would be a good
start.  It only has an 802.1x client, so the only password-enabled
authentication revolves around EAP-MD5, which has been yanked from XP SP1.

Jeremy


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Thor Spruyt
Sent: Tuesday, September 16, 2003 5:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Hotspot billing


Well... the Gemtek P-360 lacks a lot of other important functionality!

Thor.


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Wi-fi hotspot

2003-09-16 Thread Jeremy Davis
I recommend the Colubris CN3000 and the Zyzel 4000 for multi-AP deployments and the 
AP2500 or StarOS for single AP deployments.  It is relatively easy to build a prepaid 
card engine due to the modular approach of FreeRadius.  I have built one, and have 
another customer in the queue for this type of application.  If you need help contact 
me off-list.

Jeremy


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Brynjar
Hauksson
Sent: Tuesday, September 16, 2003 10:28 AM
To: [EMAIL PROTECTED]; 'Tom Emerson'
Cc: [EMAIL PROTECTED]
Subject: RE: Wi-fi hotspot


Hi Tom

What prepaid system did you get?

I've been searching for these systems with little success?

Thanks in advance

Kveðja / Best regards / ด้วยความคิดถึง
Brynjar Hauksson
ICQ#  15512204

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Emerson
Sent: Tuesday, September 16, 2003 2:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Wi-fi hotspot

On Monday 15 September 2003 1:34 pm, Juliano Moises da Luz wrote:
> Can someone point me some documentation about how to setup hotspot
> authentication?

As Alan mentioned, there  is no one simple answer -- mainly because there are 
several ways of doing "a hotspot", some of which do not even NEED a "radius" 
server!

> I need to setup a wi-fi hotspot and I am a little confused. I've already
> configured radius to authenticate users based on mac addresses, but i'm not
> sure this is the best way.

A better place to begin is with the "Access point" you'll be using [hereafter 
referred to as a "NAS"]  Some will do "all the work" for you [like the 
Proxim/Orinoco AP-2500 that I have] while others will require a 
behind-the-scenes approach [such as grabbing the least expensive AP at 
Circuit City or Best Buy, then hanging it off of a used/refurbished system 
running linux to act as a "gateway"]

Generally the NAS will be responsible for managing connections, IP addresses, 
and so on.  The proxim that I have will intercept a web-request, put up a 
banner and a login screen, authenticate against an external RADIUS, and 
enforce time limits if specified in the "reply" packet.  Using a program such 
as NOCAT will let you do the same in a roll-your-own environment.

The next question to consider is "are users going to pay for access?"  For 
instance, in a coffee-shop environment, it might make sense to "give away" 
access time (i.e., don't charge at all) and use it as a "draw" to get 
customers into the building.  [otoh, coffee-house clientele are often 
"leeches" in that they will gladly sit around all day using your internet 
connection without a hint of a purchase...]  On the third hand, however, 
folks who hang out at a coffee house are "regular" customers, so a "monthly 
rate" is often a good compromise.

Other locations, such as an airport or hotel, have a much more "fluid" 
clientele -- you'll never see the same guy twice in a month [unless he's the 
pilot...] so these people you want to hit with a per-hour rate, or even 
per-quarter-hour [heck, T-mobile charges BY THE MINUTE]

The next question is HOW are they going to pay?  cash is always the easiest, 
but may lead to difficulties depending on the location [that airport 
again...]  Credit cards billed-as-used are great, but may require a merchant 
account [which is OK if you are the owner of the location -- you're probably 
already set up for such...]  Again, the NAS may play a role in this -- the 
Proxim can be configured to talk to an "industry standard" [hah!] website and 
thus manage the billing for you.  With a roll-your-own, well, you'll be 
rolling it anyway, might as well build a custom merchant/CC gateway while 
you're at it...

In my case I opted for a pre-paid/pre-printed "card" system.  I generate a 
number of user ID's and passwords, each with an hour's worth of "time" 
associated with it, then print regular business-cards with the logo, user ID, 
and password.  Since these are stored in a locked drawer behind the counter, 
I don't need fancy "scratch-off" style cards.  One "hotspot-in-a-box" vendor 
actually has a thermal printer included with the setup -- pressing a button 
generates a user ID/password "on the fly" and allocates some amount of time 
to it.

I've ALSO set up an interesting compromise to the aforementioned "leech" 
problem: I've set up a "counter" that tallies time on a per-MAC basis, with a 
limit of 15 minutes per day.  This actually uses a set user ID/password 
combo, which is actually included in the login banner.  This lets people use 
it seemingly like a promo ("with the purchase of a drink, you get...") yet 
doesn't require extensive configuration on my part [i.e., building 
potentially hundreds of "15 minute user ID's"]  [search the archive for 
details -- I have posted the configuration items necessary to do this]

There are probably lots of other things that can be brought up for discussion, 
but notice VERY LITTLE of the above discussion really 

Re: Radiusd service script + daemontools supervise

2003-09-16 Thread Alan DeKok
"simon mackey" <[EMAIL PROTECTED]> wrote:
> When I boot up I can see the message "Starting radiusd [OK]" amongst all
> the other services like httpd, etc., so I presume it's running, but when I
> log in and type "lsof -i" at the command line I don't see any radiusd
> processes running :(

  'ps' is the usual command to use.  'lsof' does something else.

> I would really appreciate it if someone would take me through how to get
> radiusd to start at boot time (with daemontools also monitoring it without
> me having to type supervise /var/svc/radiusd every time I reboot)?

  The 'doc' directory has documentation on setting up daemontools.

  As for getting it to run on boot, that's a function of your local
OS.  Read its documentation, and look at the scripts for the other
programs which *do* run on boot.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Wi-fi hotspot

2003-09-16 Thread Brynjar Hauksson
Hi Tom

What prepaid system did you get?

I've been searching for these systems with little success?

Thanks in advance

Kveðja / Best regards / ด้วยความคิดถึง
Brynjar Hauksson
ICQ#  15512204

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Emerson
Sent: Tuesday, September 16, 2003 2:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Wi-fi hotspot

On Monday 15 September 2003 1:34 pm, Juliano Moises da Luz wrote:
> Can someone point me some documentation about how to setup hotspot
> authentication?

As Alan mentioned, there  is no one simple answer -- mainly because there are 
several ways of doing "a hotspot", some of which do not even NEED a "radius" 
server!

> I need to setup a wi-fi hotspot and I am a little confused. I've already
> configured radius to authenticate users based on mac addresses, but i'm not
> sure this is the best way.

A better place to begin is with the "Access point" you'll be using [hereafter 
referred to as a "NAS"]  Some will do "all the work" for you [like the 
Proxim/Orinoco AP-2500 that I have] while others will require a 
behind-the-scenes approach [such as grabbing the least expensive AP at 
Circuit City or Best Buy, then hanging it off of a used/refurbished system 
running linux to act as a "gateway"]

Generally the NAS will be responsible for managing connections, IP addresses, 
and so on.  The proxim that I have will intercept a web-request, put up a 
banner and a login screen, authenticate against an external RADIUS, and 
enforce time limits if specified in the "reply" packet.  Using a program such 
as NOCAT will let you do the same in a roll-your-own environment.

The next question to consider is "are users going to pay for access?"  For 
instance, in a coffee-shop environment, it might make sense to "give away" 
access time (i.e., don't charge at all) and use it as a "draw" to get 
customers into the building.  [otoh, coffee-house clientele are often 
"leeches" in that they will gladly sit around all day using your internet 
connection without a hint of a purchase...]  On the third hand, however, 
folks who hang out at a coffee house are "regular" customers, so a "monthly 
rate" is often a good compromise.

Other locations, such as an airport or hotel, have a much more "fluid" 
clientele -- you'll never see the same guy twice in a month [unless he's the 
pilot...] so these people you want to hit with a per-hour rate, or even 
per-quarter-hour [heck, T-mobile charges BY THE MINUTE]

The next question is HOW are they going to pay?  cash is always the easiest, 
but may lead to difficulties depending on the location [that airport 
again...]  Credit cards billed-as-used are great, but may require a merchant 
account [which is OK if you are the owner of the location -- you're probably 
already set up for such...]  Again, the NAS may play a role in this -- the 
Proxim can be configured to talk to an "industry standard" [hah!] website and 
thus manage the billing for you.  With a roll-your-own, well, you'll be 
rolling it anyway, might as well build a custom merchant/CC gateway while 
you're at it...

In my case I opted for a pre-paid/pre-printed "card" system.  I generate a 
number of user ID's and passwords, each with an hour's worth of "time" 
associated with it, then print regular business-cards with the logo, user ID, 
and password.  Since these are stored in a locked drawer behind the counter, 
I don't need fancy "scratch-off" style cards.  One "hotspot-in-a-box" vendor 
actually has a thermal printer included with the setup -- pressing a button 
generates a user ID/password "on the fly" and allocates some amount of time 
to it.

I've ALSO set up an interesting compromise to the aforementioned "leech" 
problem: I've set up a "counter" that tallies time on a per-MAC basis, with a 
limit of 15 minutes per day.  This actually uses a set user ID/password 
combo, which is actually included in the login banner.  This lets people use 
it seemingly like a promo ("with the purchase of a drink, you get...") yet 
doesn't require extensive configuration on my part [i.e., building 
potentially hundreds of "15 minute user ID's"]  [search the archive for 
details -- I have posted the configuration items necessary to do this]

There are probably lots of other things that can be brought up for discussion, 
but notice VERY LITTLE of the above discussion really "needs" (or involves) 
Radius -- the NAS/AP can be configured with a list of known acceptable MAC 
addresses and/or set for "billing" people via a credit card, or you may be in 
a "don't care" situation in which case you really only need a "typical" 
consumer/home "wireless access point" set with a known SSID (and with a DHCP 
server enabled internally...)  About the only thing you'll need a radius 
server for is managing "pre-printed" access cards (in which case you'll 
really be managing a mysql or postgresql database...) or "monthly 
subscribers"

-- 
Yet another Blog: http://osnut.homelinux
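The per-MAC daily counter Tom describes, as an added example in Python that is not Tom's configuration (his is in the archive) and not FreeRADIUS code: constructed accounting Stop records are summed per Calling-Station-Id per day, and a login is granted the remaining quota as a Session-Timeout for the NAS to enforce, or refused once the quota is spent. Record layout, MAC values and the 15-minute figure are taken from the post or constructed here.

```python
"""Per-MAC daily time quota for a free tier (added example, not Tom's config).

Accounting Stop records are reduced to the three fields the check needs:
Calling-Station-Id, Acct-Session-Time (seconds) and the stop time. All
records below are constructed.
"""
from datetime import date, datetime

DAILY_QUOTA_SECONDS = 15 * 60   # the 15 minutes per day from the post

# Constructed Stop records: (Calling-Station-Id, Acct-Session-Time, stopped at)
ACCT_RECORDS = [
    ("00-11-22-33-44-55", 600, datetime(2003, 9, 16, 9, 5)),
    ("00-11-22-33-44-55", 240, datetime(2003, 9, 16, 12, 30)),
    ("AA-BB-CC-DD-EE-FF", 900, datetime(2003, 9, 16, 8, 0)),
    ("00-11-22-33-44-55", 900, datetime(2003, 9, 15, 18, 0)),   # yesterday
]


def normalise_mac(mac: str) -> str:
    """NASes send 00-11-22-..., 00:11:22:... or 001122...; key on one form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def used_today(records, mac: str, today: date) -> int:
    """Seconds of sessions for this MAC that stopped on the given day.

    Only finished sessions are counted: a session still running has no Stop
    record yet, so concurrent logins need a separate simultaneous-use check.
    """
    key = normalise_mac(mac)
    return sum(secs for m, secs, stopped in records
               if normalise_mac(m) == key and stopped.date() == today)


def check_quota(records, mac: str, today: date,
                quota: int = DAILY_QUOTA_SECONDS) -> tuple[bool, int]:
    """Return (allow, Session-Timeout seconds).

    The remainder goes back in the Access-Accept as Session-Timeout so the
    NAS cuts the session off; 0 with allow=False means reject the login.
    The MAC is whatever the client presents, so this is a fair-use limit for
    the free tier, not an identity check for paying users.
    """
    remaining = quota - used_today(records, mac, today)
    if remaining <= 0:
        return False, 0
    return True, remaining


def demo() -> dict:
    """Three logins on 2003-09-16 plus yesterday's usage for the first MAC."""
    today = date(2003, 9, 16)
    return {
        "regular": check_quota(ACCT_RECORDS, "00:11:22:33:44:55", today),   # (True, 60)
        "spent": check_quota(ACCT_RECORDS, "AA-BB-CC-DD-EE-FF", today),     # (False, 0)
        "new": check_quota(ACCT_RECORDS, "deadbeef0001", today),            # (True, 900)
        "yesterday_used": used_today(ACCT_RECORDS, "00-11-22-33-44-55",
                                     date(2003, 9, 15)),                    # 900
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The quota resets by calendar day because the day of the Stop record is what is compared; a session that straddles midnight is charged to the day it ends, which is the simple choice the post implies rather than a billing-grade split.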

RE: [eap] non-wire related comments on eap-sim-11.txt

2003-09-16 Thread henry.haverinen

Michael,

Many thanks for your comments. I agree the document could use some 
restructuring and clarification. It's a result of cumulative revisioning, 
and we haven't really thought about the structure since the beginning.

It's very hard to structure the document so that you can understand
everything by reading it once. I think we need to have a good overview
section. It's not a good idea to duplicate the same information
in several places of the document, so it may be hard to
avoid referencing sections that follow the current section.

> A1)   please include real packet dumps, including encrypted data
>   with keys, to help people.

We're planning to do that in appendix A. 
 
> A2)   There is no per-attribute description/reference.
>-> AT_VERSION_LIST   for instance has no reference.

...
> A4)   The definitions of the attributes seems to be partially defined
>   only in the scenarios of sections 9-15. I would rather the 
>   attributes were defined separately from the messages in which
>   they are used. Otherwise, it appears that one has to 
> code per-message
>   marshalling/etc. It is hard to tell if this is true or not.
> 

Most of the attributes can be used in a certain message only,
but there are attributes like AT_MAC that are general. Maybe
we should have a separate section for the attribute definitions,
like for example RFC2865. That would make the message definitions 
simpler.

> A3)   paragraph 1 of 5.2. This conversation seems totally out of
>   place, and very confusing.

OK.
 
> A5)   It was not at all obvious that the AT_MAC is a keyed operation.
>   The last sentence of 8.1 says so, but I missed it at 
> least twice,
>   thinking, but, it must be keyed, I remembered reading about it.
> 
>   Maybe this is just the way that I read the document.

Yes, it is a keyed operation, as described in section 8.1.


> A5b)  Annex A/B might be a little more detailed.
>   In particular, I think that you have chosen G to be SHA1, but
>   I'm not particularly certain.
>   Nor do I understand what "m" is, or what the "optional 
> user input"
>   is in this context.

Please see other postings on the EAP mailing list about the PRF.

> A6)   split normative and informative references.

OK.

> A7)   section 3, overview, para 3.
>   It seemed that this was the only place that the value 
> of the Start
>   subtype was clearly stated.

In addition, all protocol numbers are stated in 
section 18 (IANA considerations).

> A8)   section 5.1, page 9, 
> 
>   > In this case, the permanent username MUST be of the 
> format "1imsi". 
>   
>   It took me awhile to understand that the thing in quotes is a
>   pattern, not a string. Please remove "", or use another 
> notation.

OK

> A9)   section 5.1, page 9, para 4.
>   This seems really nebulous.
> 

Do you mean it's hard to understand if you don't know
about re-authentication and IMSI privacy, which are
discussed in later sections? 

> A10)  section 5.2, first paragraph.
>   It seems that you are putting the most complicated "gotcha"
>   at the beginning. At this point, I don't even know what you are
>   talking about yet!

The "gotcha" is rationale for the feature. Maybe the first
paragraph can be removed altogether.

> A11)  time-sequence diagrams. They are simply not useful to 
> me. They just
>   seem to take lots of space.
>   They are useful when there are more than two parties.


> A12)  section 5.1, 5.2 and 5.3 should have *NO* mention of
>   re-authentication. Please describe the base protocol first, 
>   (including state machines), and then give the version that 
>   supports re-authentication.

I agree it should be easy to understand the protocol
in a general level by reading the first sections. But I'm
not sure if we really need to first specify the base protocol
only and cut corners in the specification of the Start messages
for example.

> A13)  section 5.3, page 15, para 7.
>   " A received AT_PERMANENT_ID_REQ does not necessarily 
> originate from "
> 
>   The advice given seems very complicated and very dubious to me.
>   I believe that this must come out from the client state machine.

The "advice" could be removed from the base description (and even
omitted from state machine if we have such a thing), and we could
discuss protection against active attacks on anonymity separately.

> A14)  section 6.
>   Caveat: I read this much less carefully. 
>   page 22, para 4:
> 
> "
>Re-authentication identities are one-time identities. If 
> the client 
>does not receive a new re-authentication identity, it MUST use 
>either the permanent identity or a pseudonym identity on the next 
>authentication to initiate full authentication. 
> "
> 
>   Given that the identity is involved in the AT_MACs, are there
>   any cryptographic restrictions on the one-time identities?

The identities are i

Re: Https + RADIUS

2003-09-16 Thread Alan DeKok
"JM Fernandez" <[EMAIL PROTECTED]> wrote:
> Alan can you tell me the details on how the NAS gets the end user
> username and password?

  It depends on the local implementation.

>  I'm planning to make a web based login with an access point that
> acts as a radius client.

  So have the NAS take the username & password from the web login
form, and put them into a RADIUS packet.

  Am I missing something?

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Newsletter - Activation link

2003-09-16 Thread info
Hello,

If you want to receive this newsletter, please click on the web address.
If you do not want this newsletter, simply delete this e-mail.

Activation link: 
http://www.1a-network.de/cgi-bin/newsletter/newsletter.cgi?id=mcsmail&[EMAIL PROTECTED]&key=WXIYX3q7yHnwU&action=aktiv

Kind regards, Newsletter Team

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: dialup-admin patch2

2003-09-16 Thread Ulrich Walcher
and here also...

--- /usr/local/cvs/radiusd/dialup_admin/lib/sql/defaults.php3  
2003-01-28 15:14:53.0 +0100
+++ /usr/local/dialup_admin/lib/sql/defaults.php3   2003-09-16
15:18:27.0 +0200
@@ -121,10 +121,10 @@
$link = @da_sql_pconnect($config);
if ($link){
$res = @da_sql_query($link,$config,
-   "SELECT DISTINCT GroupName FROM
$config[sql_usergroup_table];");
+   "SELECT DISTINCT s.groupname FROM
$config[sql_groupcheck_table] CROSS JOIN (SELECT DISTINCT u.groupname
FROM $config[sql_groupreply_table] CROSS JOIN
$config[sql_usergroup_table] u) as s;");
if ($res){
while(($row =
@da_sql_fetch_array($res,$config)))
-   $member_groups[] = $row[GroupName];
+   $member_groups[] = $row[groupname];
}
else
echo "Database query failed: " .
da_sql_error($link,$config) . "\n";
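Review bot: the CROSS JOIN in the new query does not produce the union of group names this change is after. The outer SELECT returns s.groupname, and s is built from u.groupname, so only names present in $config[sql_usergroup_table] can ever come back; a group that exists only in the groupcheck or groupreply table (the empty-group case the earlier patch set out to fix) is still missing, and an empty groupcheck or groupreply table makes the whole product, and hence the list, empty. The cartesian product also grows with the sizes of all three tables. A UNION states the intent directly and is portable: `SELECT groupname FROM $config[sql_groupcheck_table] UNION SELECT groupname FROM $config[sql_groupreply_table] UNION SELECT groupname FROM $config[sql_usergroup_table]`. Minor: `$row[groupname]` uses an unquoted key; `$row['groupname']` avoids the constant lookup and the PHP notice.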


Am Fre, 2003-09-12 um 16.08 schrieb Ulrich Walcher:
> Oops,
> forgot to add this one...
> 
> OoLee
> 
> --- /usr/local/cvs/radiusd/dialup_admin/lib/sql/defaults.php3  
> 2003-01-28 15:14:53.0 +0100
> +++ /usr/local/dialup_admin/lib/sql/defaults.php3   2003-09-12
> 16:04:15.0 +0200
> @@ -121,10 +121,10 @@
> $link = @da_sql_pconnect($config);
> if ($link){
> $res = @da_sql_query($link,$config,
> -   "SELECT DISTINCT GroupName FROM
> $config[sql_usergroup_table];");
> +   "SELECT DISTINCT c.groupname FROM
> $config[sql_groupcheck_table] c CROSS JOIN $config[sql_groupreply_table]
> r;");
> if ($res){
> while(($row =
> @da_sql_fetch_array($res,$config)))
> -   $member_groups[] = $row[GroupName];
> +   $member_groups[] = $row[groupname];
> }
> else
> echo "Database query failed: " .
> da_sql_error($link,$config) . "\n";
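Review bot: c.groupname from a CROSS JOIN of the groupcheck and groupreply tables returns only names present in the groupcheck table, and returns nothing at all while the groupreply table is empty, since the product with an empty table is empty; a group defined by reply attributes alone never shows up. There is no join condition between c and r, so the product contributes nothing but that filtering; a UNION of the two groupname columns yields every group exactly once.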
> 
> 
> 
> 




Re: dialup-admin patch

2003-09-16 Thread Ulrich Walcher
Forgot one case...


--- /usr/local/cvs/radiusd/dialup_admin/htdocs/show_groups.php3
2003-05-11 16:03
:37.0 +0200
+++ /usr/local/dialup_admin/htdocs/show_groups.php3 2003-09-16
15:17:24.
0 +0200
@@ -58,13 +58,23 @@
 $link = @da_sql_pconnect($config);
 if ($link){
$search = @da_sql_query($link,$config,
-   "SELECT COUNT(*),GroupName FROM $config[sql_usergroup_table]
GROUP BY Gr
oupName;");
+   "SELECT DISTINCT s.groupname FROM $config[sql_groupcheck_table]
CROSS JO
IN (SELECT DISTINCT u.groupname FROM $config[sql_groupreply_table] CROSS
JOIN $c
onfig[sql_usergroup_table] u) as s;");
if ($search){
if (@da_sql_num_rows($search,$config)){
while( $row =
@da_sql_fetch_array($search,$config) ){
$num++;
-   $group = $row[GroupName];
-   $num_members = $row['COUNT(*)'];
+   $group = $row[groupname];
+   $search2 = @da_sql_query($link,$config,
+   "SELECT COUNT(*) FROM
$config[sql_usergroup_tabl
e] WHERE groupname = '$group';");
+   if ($search2) {
+   if
(@da_sql_num_rows($search,$config)){
+   while( $row2 =
@da_sql_fetch_arr
ay($search2,$config) ){
+   $num_members =
$row2['co
unt'];
+   }
+   }
+   }
+   else
+   echo "Database query failed:
" . da_s
ql_error($link,$config) . "\n";
echo <<
$num
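Review bot: the inner check tests the wrong result handle: `if (@da_sql_num_rows($search,$config))` should test `$search2`, otherwise the member-count loop is gated on the outer query's row count rather than on the count query's. Second, `$row2['count']` relies on PostgreSQL naming an unaliased COUNT(*) column `count`; the removed line shows the code used to read `$row['COUNT(*)']`, which is what MySQL returns. `SELECT COUNT(*) AS count FROM ...` gives the same key on both. Also, `$num_members` is not reset when `$search2` fails, so the previous group's count would be displayed; set it to 0 before the query. Finally, `$group` is interpolated into the WHERE clause verbatim; a group name containing a quote breaks the statement, so pass it through the database's string-escaping function first.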


Am Fre, 2003-09-12 um 15.52 schrieb Ulrich Walcher:
> Hi,
> a little patch that solves the problem of groups with no members
> assigned not being displayed. (At least it works for Postgres).
> 
> OoLee
> 
> --- /usr/local/cvs/radiusd/dialup_admin/htdocs/show_groups.php3
> 2003-05-11 16:03:37.0 +0200
> +++ /usr/local/dialup_admin/htdocs/show_groups.php3 2003-09-12
> 15:45:18.0 +0200
> @@ -58,13 +58,23 @@
>  $link = @da_sql_pconnect($config);
>  if ($link){
> $search = @da_sql_query($link,$config,
> -   "SELECT COUNT(*),GroupName FROM $config[sql_usergroup_table]
> GROUP BY GroupName;");
> +   "SELECT DISTINCT c.groupname FROM $config[sql_groupcheck_table]
> c CROSS JOIN $config[sql_groupreply_table] r;");
> if ($search){
> if (@da_sql_num_rows($search,$config)){
> while( $row =
> @da_sql_fetch_array($search,$config) ){
> $num++;
> -   $group = $row[GroupName];
> -   $num_members = $row['COUNT(*)'];
> +   $group = $row[groupname];
> +   $search2 = @da_sql_query($link,$config,
> +   "SELECT COUNT(*) FROM
> $config[sql_usergroup_table] WHERE groupname = '$group';");
> +   if ($search2) {
> +   if
> (@da_sql_num_rows($search,$config)){
> +   while( $row2 =
> @da_sql_fetch_array($search2,$config) ){
> +   $num_members =
> $row2['count'];
> +   }
> +   }
> +   }
> +   else
> +   echo "Database query failed:
> " . da_sql_error($link,$config) . "\n";
> echo << 
> $num
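Review bot: `$row2['count']` is why this works only on PostgreSQL: an unaliased COUNT(*) is named `count` there, while MySQL names the column `COUNT(*)`, as the removed `$row['COUNT(*)']` line shows. Aliasing the column (`SELECT COUNT(*) AS count ...`) works on both. The `if (@da_sql_num_rows($search,$config))` check also looks at the outer query's handle instead of `$search2`.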
> 
> 
> 
> 




Re: Wi-fi hotspot

2003-09-16 Thread Thor Spruyt
- Original Message - 
From: "Rio Martin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 6:13 AM
Subject: Re: Wi-fi hotspot


> On Tuesday 16 September 2003 04:29, Alan DeKok wrote:
> > Juliano Moises da Luz <[EMAIL PROTECTED]> wrote:
> > > Can someone point me some documentation about how to setup hotspot
> > > authenticantion?
> >   There's no documentation specifically for "hotspot" configuration.
> > > I need to setup a wi-fi hotspot and I am a little confused. I've
already
> > > configured radius to authenticate users based on mac addresses, but
i'm
> > > not sure this is the best way.
> > > Can anyone help me?
> >   What, exactly, do you want to do?

Mario,

There's more to a hotspot than just authenticating!
Maybe first start with defining what you want to do exactly, then look for
solutions that can do want you need.

Thor.




Re: Hotspot billing

2003-09-16 Thread Thor Spruyt
Well... the Gemtek P-360 lacks a lot of other important functionality!

Thor.




dialup_admin on different server

2003-09-16 Thread Bernie Liwanag
Can I run the dialup_admin tool on a different server? I want to separate it from my radius and mysql server.

TIA!

Bernie


Radiusd service script + daemontools supervise

2003-09-16 Thread simon mackey
Hello all,

I'm trying to setup radiusd to start when the computer boots up, and to get
started again if it fails. I'm running Mandrake Linux 8.2.

I've read a good few of the mailing list posts about this and have installed
daemontools, which works fine :)

I tried to run radiusd as a service (please excuse my terminology if that's
not a unix term!) by putting the provided radiusd script (from the scripts
directory in the extracted source files) into the /etc/rc.d/init.d directory
and created all the appropriate symlinks in rc0.d, rc1.d, rc3.d, and rc5.d.
When I boot up I can see the message "Starting radiusd [OK]" amongst all
the other services like httpd, etc., so I presume it's running, but when I
log in and type "lsof -i" at the command line I don't see any radiusd
processes running :(
Does this mean that the radius server isn't running (that's where I've seen
it when I run it just from the command line) or is it in fact running but
services are shown somewhere else?

I would really appreciate it if someone would take me through how to get
radiusd to start at boot time (with daemontools also monitoring it without
me having to type supervise /var/svc/radiusd every time I reboot)?

Many thanks in advance,

simon



Re: Freeradius stops responding but still running

2003-09-16 Thread Oliver Graf
On Mon, Sep 15, 2003 at 05:47:39PM -0500, Josh Burks wrote:
> Please help! Our radius server has been acting funny the past 2 days.
> The radius server will quit sending accepts and responses
>  back to the user trying to log in. The daemon still has an entry in the
> ps listing, so it hasn't crashed, just stopped responding.
> We've done a tcpdump to help locate the problem, but we can't trace it
> to anyone or anything in particular. Are there any bugs related
> to this in our freeradius version?  Here's a tcpdump of one of the times
> that freeradius stopped responding. Note: the usernames have 

0.8.1 has a bug with threading and crypt passwords, but this will
result in rejects and not in no response. But you did not tell
anything about your configuration...

Try 0.9.X, lots of bugs got fixed...

Oliver.




dialup_admin web tool browsing problem.

2003-09-16 Thread Bernie Liwanag
I have been trying to look for the solution to my problem for almost a week regarding installation of dialup_admin. Even for just a test without any change in configuration, I should view the dialup admin web tool, especially the diff function button on the left side. But when I browsed it I just see only a blank page on it (ex "New user", "Accounting", "Bad Users", etc.). I'm using Red Hat 9, http 2.0, php-4.2., mysql 4. But my other test works on Red Hat 7.2 using http-1.3.20, php-4.0. I want to install freeradius, mysql, dialup_admin in one Red Hat linux 9 machine.

Your help will be appreciated very much!

TIA! More Power to ALL!

Bernie


Re: Wi-fi hotspot

2003-09-16 Thread Artur Hecker
hi


> But we want some sort of standardized secure login for windows users ?
> ->I only see PEAP here.
or ttls, it depends on available clients. but peap is more microsoft... 
you are probably right.


> Another solution would be the "Portal" approach: users will have to
> authenticate on a https webpage which starts a script and changes
> firewall rules (like NoCat).
yes, but it's not really wifi authentication.


> My preference would be to have a central authentication system, with
> only the access points out in the field (not the radius/portal servers),
> and NOT having to use VPNs to connect the access points to a central
> gateway (portal). This would allow the use of "simple" dynamically (IP
> Addr) connected Aps.
well, radius is a centralized auth system. and only the aps are out in 
the field. and it has nothing to do with a portal. you only need fixed 
IPs for the APs because of some simple restrictions, i'm sure you could 
patch a radius server to accept whatever incoming request, as long as 
the shared secret is ok. you should be clear about the identity of your 
APs though...

the problem with what you propose is that you NEED a trust relationship 
between your auth system (whichever it would be) and your APs, because 
otherwise everybody would be served.

ciao
artur
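An added example (not code from any message in these threads) of what Alan's reply to the Https + RADIUS question describes, the NAS putting the web-form username and password into a RADIUS packet, and of Artur's point above that the shared secret is the trust relationship between AP and server: the password hiding and the Response Authenticator check follow RFC 2865, while the secret, user name and password are constructed sample values.

```python
# Added example, not code from the list thread: the NAS puts the username and
# password from a web login form into a RADIUS Access-Request (RFC 2865), the
# server answers, and the NAS checks the reply. The shared secret, user name and
# password are constructed sample values.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def password_xor(data: bytes, secret: bytes, req_auth: bytes, hide: bool) -> bytes:
    # RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous ciphertext
    # block), first block keyed with the Request Authenticator. One loop does both
    # directions; 'hide' says whether the ciphertext is the output or the input.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        blk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + blk, (blk if hide else data[i:i + 16])
    return out

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident: int, user: str, password: str, secret: bytes):
    # NAS side. Returns the packet and the random Request Authenticator, which the
    # NAS must keep to verify the reply.
    req_auth = os.urandom(16)
    pw = password.encode()
    padded = pw + b"\x00" * (-len(pw) % 16)  # pad to a multiple of 16 octets
    attrs = attr(USER_NAME, user.encode()) + attr(
        USER_PASSWORD, password_xor(padded, secret, req_auth, hide=True))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + req_auth + attrs, req_auth

def parse_attrs(blob: bytes) -> dict:
    attrs = {}
    while len(blob) >= 2 and blob[1] >= 2:  # a length below 2 would never advance
        attrs[blob[0]] = blob[2:blob[1]]
        blob = blob[blob[1]:]
    return attrs

def server_reply(packet: bytes, secret: bytes, users: dict) -> bytes:
    # Server side: recover the PAP password, check it, and authenticate the reply
    # with MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    pw = password_xor(attrs[USER_PASSWORD], secret, req_auth, hide=False).rstrip(b"\x00")
    ok = users.get(attrs[USER_NAME].decode()) == pw.decode(errors="replace")
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()

def nas_verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    # NAS side: a reply whose authenticator does not match was not made by a party
    # holding the secret; it is dropped whatever its code says.
    return reply[4:20] == hashlib.md5(reply[:4] + req_auth + secret).digest()
```

A reply from a host that does not hold the secret, or an Accept forged by flipping the code byte of a Reject, fails `nas_verify_reply`; the AP's address plays no part in that check, only the secret does.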


Re: Wi-fi hotspot

2003-09-16 Thread Tom Emerson
On Monday 15 September 2003 1:34 pm, Juliano Moises da Luz wrote:
> Can someone point me some documentation about how to setup hotspot
> authenticantion?

As Alan mentioned, there is no one simple answer -- mainly because there are 
several ways of doing "a hotspot", some of which do not even NEED a "radius" 
server!

> I need to setup a wi-fi hotspot and I am a little confused. I've already
> configured radius to authenticate users based on mac addresses, but i'm not
> sure this is the best way.

A better place to begin is with the "Access point" you'll be using [hereafter 
referred to as a "NAS"]  Some will do "all the work" for you [like the 
Proxim/Orinoco AP-2500 that I have] while others will require a 
behind-the-scenes approach [such as grabbing the least expensive AP at 
Circuit City or Best Buy, then hanging it off of a used/refurbished system 
running linux to act as a "gateway"]

Generally the NAS will be responsible for managing connections, IP addresses, 
and so on.  The proxim that I have will intercept a web-request, put up a 
banner and a login screen, authenticate against an external RADIUS, and 
enforce time limits if specified in the "reply" packet.  Using a program such 
as NOCAT will let you do the same in a roll-your-own environment.

The next question to consider is "are users going to pay for access?"  For 
instance, in a coffee-shop environment, it might make sense to "give away" 
access time (i.e., don't charge at all) and use it as a "draw" to get 
customers into the building.  [otoh, coffee-house clientele are often 
"leeches" in that they will gladly sit around all day using your internet 
connection without a hint of a purchase...]  On the third hand, however, 
folks who hang out at a coffee house are "regular" customers, so a "monthly 
rate" is often a good compromise.

Other locations, such as an airport or hotel, have a much more "fluid" 
clientele -- you'll never see the same guy twice in a month [unless he's the 
pilot...] so these people you want to hit with a per-hour rate, or even 
per-quarter-hour [heck, T-mobile charges BY THE MINUTE]

The next question is HOW are they going to pay?  cash is always the easiest, 
but may lead to difficulties depending on the location [that airport 
again...]  Credit cards billed-as-used are great, but may require a merchant 
account [which is OK if you are the owner of the location -- you're probably 
already set up for such...]  Again, the NAS may play a role in this -- the 
Proxim can be configured to talk to an "industry standard" [hah!] website and 
thus manage the billing for you.  With a roll-your-own, well, you'll be 
rolling it anyway, might as well build a custom merchant/CC gateway while 
you're at it...

In my case I opted for a pre-paid/pre-printed "card" system.  I generate a 
number of user ID's and passwords, each with an hour's worth of "time" 
associated with it, then print regular business-cards with the logo, user ID, 
and password.  Since these are stored in a locked drawer behind the counter, 
I don't need fancy "scratch-off" style cards.  One "hotspot-in-a-box" vendor 
actually has a thermal printer included with the setup -- pressing a button 
generates a user ID/password "on the fly" and allocates some amount of time 
to it.

I've ALSO set up an interesting compromise to the aforementioned "leech" 
problem: I've set up a "counter" that tallies time on a per-MAC basis, with a 
limit of 15 minutes per day.  This actually uses a set user ID/password 
combo, which is actually included in the login banner.  This lets people use 
it seemingly like a promo ("with the purchase of a drink, you get...") yet 
doesn't require extensive configuration on my part [i.e., building 
potentially hundreds of "15 minute user ID's"]  [search the archive for 
details -- I have posted the configuration items necessary to do this]

There are probably lots of other things that can be brought up for discussion, 
but notice VERY LITTLE of the above discussion really "needs" (or involves) 
Radius -- the NAS/AP can be configured with a list of known acceptable MAC 
addresses and/or set for "billing" people via a credit card, or you may be in 
a "don't care" situation in which case you really only need a "typical" 
consumer/home "wireless access point" set with a known SSID (and with a DHCP 
server enabled internally...)  About the only thing you'll need a radius 
server for is managing "pre-printed" access cards (in which case you'll 
really be managing a mysql or postgresql database...) or "monthly 
subscribers"

-- 
Yet another Blog: http://osnut.homelinux.net




Re: Wi-fi hotspot

2003-09-16 Thread De Schrijver Peter
I too seem to be missing the obvious.

A WiFi Hotspot should be easy to use, right ? 
->Authentication that requires user-certificates is too complicated. 

But we want some sort of standardized secure login for windows users ?
->I only see PEAP here.

Another solution would be the "Portal" approach: users will have to
authenticate on a https webpage which starts a script and changes
firewall rules (like NoCat).

My preference would be to have a central authentication system, with
only the access points out in the field (not the radius/portal servers),
and NOT having to use VPNs to connect the access points to a central
gateway (portal). This would allow the use of "simple" dynamically (IP
Addr) connected Aps.


CU
Peter De Schrijver

>On Tuesday 16 September 2003 04:29, Alan DeKok wrote:
>> Juliano Moises da Luz <[EMAIL PROTECTED]> wrote:
>> > Can someone point me some documentation about how to setup hotspot
>> > authenticantion?
>>   There's no documentation specifically for "hotspot" configuration.
>> > I need to setup a wi-fi hotspot and I am a little 
>confused. I've already
>> > configured radius to authenticate users based on mac 
>addresses, but i'm
>> > not sure this is the best way.
>> > Can anyone help me?
>>   What, exactly, do you want to do?
>
>
>This is exactly the same just as i wanted to build.
>Perhaps if i succeed, would you allow me to share my 
>documentation about it to 
>this list Alan ?
