Re: TLS and TTLS

2003-09-26 Thread Michael Brown
Of course they do: whether they SUPPORT (act as a pass-through device for) these
auth schemes or not.
I KNOW they have nothing to do with the actual auth beside that fact, but you
can't use EAP-TLS or TTLS with just any old AP, now can you?

Such nitpicking.



Quoting Artur Hecker <[EMAIL PROTECTED]>:

> hardly ever.
> 
> the APs have NOTHING to do with neither TTLS nor TLS.
> 
> 
> ciao
> artur
> 
> 
> Michael Brown wrote:
> 
> > I know the Linksys WAP/WRT54G accepts TTLS auth, but I don't know a D-Link
> > product that does TTLS.  That is most likely your problem.
> > 
> > Michael Brown
> 
> 
> 


Michael Brown


 mikro network solutions  *  http://www.mikro-net.com


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radutmp missing user IP address

2003-09-26 Thread Matthew Schumacher
Anyone know why my radutmp file is missing the user's IP address for some
of the logins?  Is this because the user wasn't authenticated?  Or
perhaps the NAS didn't send it?  Any way to know for sure?

schu



Re: Freeside - Radius session Monitor

2003-09-26 Thread Alan DeKok
"Kevin D. Alford" <[EMAIL PROTECTED]> wrote:
> Configure your RADIUS server's login and logout callbacks to use the
> command-line freeside-login and freeside-logout utilities. 

  See 'raddb/acct_users'

  Alan DeKok.



Re: Multiple attributes (Kostas Kalevras)

2003-09-26 Thread J. S. Townsley

Kostas Kalevras wrote an email on this list a few months ago to help
someone with returning multiple attributes in an LDAP authenticated radius
installation.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg15855.html

I am in this same spot, but do not understand where I should be changing to
the += operator.  Can anyone help me understand where this change should
be made?

-JST





Timekeeping (Was: PAP and CHAP)

2003-09-26 Thread Paul Hampson
> From: Alan DeKok
> Sent: Thursday, 25 September 2003 9:13 PM

Alan, I think your clock's 4 hours behind again. That made this
little show slightly less fun to read (I kept getting the back-and-forth
out of sync). And anything that interferes with my entertainment
on this list must be bad! ;-)

> John Luker <[EMAIL PROTECTED]> wrote:
> > Be that as it may there are an abundance of RADIUS packages out
> > there that have wonderful technical support from the company you BUY
> > IT FROM.

>   Heck, for $500 U.S. a month retainer, I'll answer up to 10 problems
> by email or by phone, and will be oh-so-polite.  Or, for $100 U.S. per
> support call/email, I'll do the same.

>   So far, only a few people have taken me up on any offer of paid tech
> support ($200 so far).  I guess most people either find my free
> (i.e. blunt) style adequate, or they're unwilling to fork over the
> additional money to bribe me into being endlessly polite.

> Oh well.

If I gave you money to fix RADIUS problems for me, I'd probably expect
the blunt Alan. An endlessly polite Alan would leave me thinking I'd
been palmed off to your less idiot-abused brother or something.
"That's not Alan. He doesn't talk like that." :-)

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




RE: FreeRADIUS / ucd-snmp-4.2.3 snmp errors in config.log

2003-09-26 Thread Paul Hampson
> From: [EMAIL PROTECTED]
> Sent: Friday, 26 September 2003 8:03 AM

> > $ LIBS="-lssl -lcrypto"
> > $ export LIBS
> > $ ./configure 

> >   that may help.  

> Thanks, it's getting better!  I did as you suggested and now
> I am only getting:
> 
> /usr/lib/libsnmp.so: undefined reference to `des_cbc_encrypt'
> /usr/lib/libsnmp.so: undefined reference to `des_key_sched'

Your libsnmp.so is compiled against OpenSSL 0.9.6. In OpenSSL
0.9.7, these became DES_cbc_encrypt etc. So you'll have to build
FreeRADIUS against OpenSSL 0.9.6 instead. This means installing
the 0.9.6 devel package, the name of which I can't tell you. It
should have 0.9.6 and devel in it though, and force you to remove
openssl-devel-0.9.7a-5. :-)

And while you're at it, can you look in your config.log (without
the LIBS line above) and see why it didn't try -lcrypto for you
automatically? It's the test around configure:7940. It doesn't
link in -lssl but from your function list before I don't think
it should need to. (The test before it is 7918, the results of
that test are probably relevant to 7940)





Re: ldap authentication / simultenious-use

2003-09-26 Thread Dustin Doris


On Thu, 25 Sep 2003, Ossama Suleiman wrote:

> many many thanks, it is very useful
>
> but there is one thing left, i would be very grateful if you can help me
> with it
>
> i have two different isdn types: isdn 64k (Simultaneous-Use = 1) and isdn 128k
> (Simultaneous-Use = 2)
>
> if i define it by nas-port-type in the users file, i won't be able to
> differentiate between user: isdn64 and isdn128
>
> besides, in the rare case that a user wants to use the same username and
> password pair with say 30 connections (Simultaneous-Use = 30), how will i be
> able to define a SPECIAL case like that?? should i create him a new
> group too?? and how should i define that group in the users file??
>
> Thank you so much for your help
> best regards
>
> ossama

I've never used Simultaneous-Use, but I'll give it a shot.  In the schema
file you will find

attributetype
   ( 1.3.6.1.4.1.3317.4.3.1.53
  NAME 'radiusSimultaneousUse'
  DESC ''
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
   )

So, then you could add this to the ldap entry

dn: uid=test1,ou=users,ou=radius,dc=mydomain,dc=com
objectclass:  radiusprofile
uid:  test1
radiusgroupname:  isdn
radiussimultaneoususe: 2

Make sure you've got this in ldap.attrmap
checkItem   Simultaneous-Use   radiusSimultaneousUse



> - Original Message -
> From: "Dustin Doris" <[EMAIL PROTECTED]>
> To: "freeradius-users" <[EMAIL PROTECTED]>
> Sent: Thursday, September 25, 2003 7:02 PM
> Subject: Re: ldap authentication / simultenious-use
>
>
> >
> >
> > On Thu, 25 Sep 2003, Ossama Suleiman wrote:
> >
> > > dear all,
> > >
> > > while authenticationg against ldap i enabled the compare_check_items
> > > = yes, cause i wanted to use nas-port-type based authentication, because
> > > i have to kinds of users, analog and ISDN, in order to prevent analog
> > > users from using ISDN services
> > > which is working fine now
> > >
> > > but the problem i faced is in simultenous-use, as it is a check item
> > > too, if the radius don't receive it while authenticating the user, the
> > > user get's rejected
> > >
> > > beside i want to use simultenous-use to differentiate between
> > > isdn64K and isdn 128K
> > >
> > > any help??
> > >
> > > thanks and best regards
> > >
> > > ossama
> > >
> >
> > You could try using Groups instead.
> >
> > in your ldap directory, say you have a user named test that has async
> > access and test1 that has isdn access
> >
> > dn: uid=test,ou=users,ou=radius,dc=mydomain,dc=com
> > objectclass:  radiusprofile
> > uid:  test
> > radiusgroupname:  dial
> >
> > dn: uid=test1,ou=users,ou=radius,dc=mydomain,dc=com
> > objectclass:  radiusprofile
> > uid:  test1
> > radiusgroupname:  isdn
> >
> > Then in your users file you have
> >
> > DEFAULT NAS-Port-Type == ISDN, Ldap-Group == isdn
> > 	Fall-Through = no
> >
> > DEFAULT NAS-Port-Type == Async, Ldap-Group == dial
> > 	Fall-Through = no
> >
> > DEFAULT Auth-Type := Reject
> > 	Reply-Message = "Please call "
> >
> > Then in radiusd.conf in your ldap section, you define the attribute that
> > corresponds to ldap-group.
> >
> > groupmembership_attribute = radiusGroupName
> >
> > Here is what happens.
> >
> > User dials in and hits radius server with NAS-Port-Type = Async.  Radius
> > will lookup the user in the ldap directory and look for the attribute
> > radiusGroupName = dial.  If the user has that particular attribute set, it
> > will authorize the user.  If not, then it will fall through to Reject.
> > The same with the isdn users when they connect.
> >
> > If the users are able to have access to both, then include both
> > radiusGroupName entries.
> >
> > ie.
> >
> > dn: uid=test2,ou=users,ou=radius,dc=mydomain,dc=com
> > objectclass:  radiusprofile
> > uid:  test2
> > radiusgroupname: isdn
> > radiusgroupname: dial
> >
> >
> > Hope that is helpful.
> >
> > Dustin Doris
> >
> >
> >
> >
> >
> >
> >
>
>
>

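To see how the users-file entries and the LDAP check items quoted above interact, here is a small Python model of the authorize decision. It is an added example, not code from the thread or from FreeRADIUS: the group membership table, the radiusSimultaneousUse value, the live-session list and the Reply-Message text are constructed, and the matching rules are simplified (the real server counts sessions in its session check after authorization, using radutmp or checkrad, and rlm_ldap answers the Ldap-Group check). The point it shows is the one Ossama hit: a plain attribute comparison fails when the attribute is absent from the request, so Simultaneous-Use has to be treated as a limit on live sessions rather than compared against the packet.

```python
"""Model of how check items decide an Access-Request in FreeRADIUS: a 'users'
file with group checks, an LDAP profile carrying Simultaneous-Use, and a
radutmp-like session list. Added example, simplified on purpose: the real
server evaluates Simultaneous-Use in the session check after authorization,
and rlm_ldap (not the files module) answers the Ldap-Group lookup."""
import re

# Constructed stand-ins for the LDAP directory and the radutmp file.
LDAP_GROUPS = {"test": {"dial"}, "test1": {"isdn"}, "test2": {"isdn", "dial"}}
LDAP_CHECKS = {"test1": [("Simultaneous-Use", ":=", "2")]}  # radiusSimultaneousUse: 2
ACTIVE_SESSIONS = [("test1", "nas-a", 1), ("test1", "nas-a", 2)]  # (user, nas, port)

# The users file from the thread; the Reply-Message text is made up here.
USERS_FILE = """\
DEFAULT NAS-Port-Type == ISDN, Ldap-Group == isdn
\tFall-Through = no

DEFAULT NAS-Port-Type == Async, Ldap-Group == dial
\tFall-Through = no

DEFAULT Auth-Type := Reject
\tReply-Message = "Please call the helpdesk"
"""

PAIR = re.compile(r'([\w-]+)\s*(==|!=|:=|\+=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_pairs(text):
    """'Attr op value, Attr op value' -> [(attr, op, value)], quotes stripped."""
    return [(a, op, v[1:-1] if v.startswith('"') else v) for a, op, v in PAIR.findall(text)]


def parse_users(text):
    """users(5) syntax: an unindented 'name check, check' line, then indented reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            entries[-1]["reply"] += parse_pairs(line)
        else:
            name, _, checks = line.partition(" ")
            entries.append({"name": name, "check": parse_pairs(checks), "reply": []})
    return entries


def check_ok(attr, op, value, request, user, sessions):
    """Is one check item satisfied? Some check items are not request attributes at all."""
    if attr == "Auth-Type":
        return True                       # Auth-Type := X selects the method, nothing is compared
    if attr == "Ldap-Group":              # answered from the directory, not from the packet
        hit = value in LDAP_GROUPS.get(user, set())
    elif attr == "Simultaneous-Use":      # a limit on live sessions, not a value in the packet
        return sum(1 for u, _, _ in sessions if u == user) < int(value)
    elif attr not in request:
        return False                      # an absent attribute never satisfies ==; this is why
    else:                                 # compare_check_items rejects when the item is missing
        hit = request[attr] == value
    return hit if op == "==" else (not hit) if op == "!=" else True


def authorize(request, sessions=ACTIVE_SESSIONS, users_file=USERS_FILE):
    """Return ('accept' | 'reject', [(reply_attr, value), ...]) for a request dict."""
    user = request.get("User-Name", "")
    reply, matched = [], False
    for e in parse_users(users_file):
        if e["name"] not in ("DEFAULT", user):
            continue
        if not all(check_ok(a, op, v, request, user, sessions) for a, op, v in e["check"]):
            continue
        if ("Auth-Type", ":=", "Reject") in e["check"]:
            return "reject", [(a, v) for a, _, v in e["reply"]]
        # The user's own LDAP check items (here only Simultaneous-Use) apply once an entry matched.
        if not all(check_ok(a, op, v, request, user, sessions) for a, op, v in LDAP_CHECKS.get(user, [])):
            return "reject", [("Reply-Message", "Too many simultaneous sessions")]
        matched = True
        reply += [(a, v) for a, _, v in e["reply"] if a != "Fall-Through"]
        if ("Fall-Through", "=", "yes") not in e["reply"]:
            break
    return ("accept" if matched else "reject"), reply  # no match: no Auth-Type, so a reject


if __name__ == "__main__":
    for req in ({"User-Name": "test", "NAS-Port-Type": "Async"},
                {"User-Name": "test", "NAS-Port-Type": "ISDN"},
                {"User-Name": "test1", "NAS-Port-Type": "ISDN"}):
        print(req, "->", authorize(req))
```

Running the block prints three decisions; the third request is rejected only because two sessions for test1 are already live, not because of the users file, which is the distinction Ossama's per-user limits need. A request that carries no NAS-Port-Type at all falls straight through to the Reject entry, since neither == check can match an absent attribute.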


Freeradius not calling checkrad.pl but still denying login.

2003-09-26 Thread Matthew Schumacher
I ran into a problem last night where there was a user in radutmp while 
Simultaneous-Use was set to 1 and the server didn't call checkrad.  I 
put a line in checkrad that logged every time it was called with the 
username, and this user was never checked.

Anyone know of a circumstance where this might happen?

I seem to get a lot of these messages, perhaps that might be a clue:

Fri Sep 26 08:25:42 2003 : Info: rlm_radutmp: Login entry for NAS X port 
770 duplicate

Thanks,

schu



RE: The exec module

2003-09-26 Thread Paul Hampson
> From: Alex Chen
> Sent: Friday, 26 September 2003 8:34 AM

> > From: Paul Hampson
> > Sent: Thursday, September 25, 2003 3:03 PM

> > > 2. If the server is a proxy server, and I want the exec to
> > be called when
> > > the authentication
> > >is successful, i.e. the master server reply with
> > Access-Accept, do I
> > > still put the exec in
> > >'post-auth' section, i.e. the same place when the server
> > is a master
> > > server itself?
> > >What should the input_pairs and output_pairs be using?
> > 'proxy-request'
> > > and 'proxy-reply'?
> > >Will it be OK if I still use 'request' and 'reply' even
> > if the server is
> > > running as a proxy?
> >
> > Umm, you could (probably) put it in the post-proxy section.
> >
> > As for which pairs to use, do you want to operate on the
> > pairs you sent the
> > proxy, the pairs the proxy sent back, or the pairs you're
> > sending to the client,
> > or the pairs the client sent to you?
> >
> > That should determine which of request, reply, proxy-request
> > or proxy-reply you
> > want. (Not in that order, mind you.)

> If I understand correctly it would look like this:
> 
>   input_pairs = request
> NAS --->  Server
>     <---
>   output_pairs = reply
> 
> If the exec runs on Server, it only has 'request' and 'reply' to work on.
> 
>   input_pairs = request        input_pairs = proxy-request
> NAS --->  Proxy  ---> Server
>     <---          <-
>   output_pairs = reply         output_pairs = proxy-reply
> 
> If the exec runs on Proxy and it wants to operate on the attributes sent
> from
> NAS or attributes sent to NAS, it would use 'request' and 'reply',
> respectively.
> If it wants to operate on the attributes sent by the proxy to the server,
> and the
> attributes sent from the server back to the proxy, it would use
> 'proxy-request' and
> 'proxy-reply'.
> 
> Is this correct?

That's how I understand it too, yes. :-) Although the input_pairs
and output_pairs in the diagrams above could be either
input_pairs or output_pairs, although there are some combinations
with limited usefulness, of course.





RE: Installing Freeradius on Debian

2003-09-26 Thread Paul Hampson
> From: Nick Davis
> Sent: Friday, 26 September 2003 7:57 AM

> I have been using freeradius since 0.3 installed from source and I wanted to 
> give the debian package a try. I did not see a freeradius package in unstable 
> nor testing. Is freeradius still changing too fast for debian?

Not anymore, I feel. The prospective Debian packaging of 0.9.1 is with the
prospective sponsor, so hopefully in time for Sarge's release...

> I am building the debian package on a debian Woody stable system and am going 
> to copy it over to a debian Sarge testing system. 

Wild. Any reason you're not building it on a testing system? I'd offer to
do so, but my testing machine is also PowerPC, and so the packages probably
aren't a lot of use to you. :-)

> The freeradius I downloaded is: freeradius-snapshot-20030925
>
> I found the instructions Paul H. wrote below along with his other post that 
> has the patch to take iodbc out of the main freeradius package. I applied 
> that patch with little trouble, and am now to the instructions in the email 
> below.

I'm still fielding good reasons to include that patch in the main package. :-)
There're concerns about package-list-bloat, and I've yet to come up with a
convincing argument that overrides that.

> When I run the command:
> dpkg-buildpackage -us -uc -b -rfakeroot
> 
> I get a list of missing build dependencies like I am supposed to. 
> 
> Here is the list I get:
> dpkg-checkbuilddeps: Unmet build dependencies: libltdl3-dev, libpam0g-dev, 
> postgresql-dev, libgdbm-dev | libgdbmg1-dev, libldap2-dev, libsasl2-dev, 
> libiodbc2-dev, libkrb5-dev
> 
> I do not plan to use kerberos, ldap, nor postgres and I'm not so sure that I 
> need libgdbmg1 either. I use mysql for everything except the dictionaries. 
> 
> My question is: how can I remove some of the build dependencies for packages 
> that I do not intend to use?

libpam0g-dev is used by rlm_pam

libgdbmg1 is used by rlm_counter, rlm_gdbm and rlm_ippool

postgresql-dev is for rlm_sql_postgresql

libldap2-dev and libsasl2-dev are for rlm_ldap

libiodbc2-dev is for rlm_sql_iodbc

libkrb5-dev is for rlm_krb5

None of these build-dependencies are for the core daemon.

The way I'd do it is remove those modules from the 'stable' file in 
src/modules or src/modules/rlm_sql/ depending on which modules they are.
This step is basically optional, since it should skip that which it can't
build.

Then remove the entries for those things from debian/rules in the various
'for each' clauses. And remove the entries from the debian/control file.
(ie. the opposite of the freeradius-iodbc patch you've already got. :-)

Then remove the build-dependencies that trouble you so.

You'll need that libltdl3-dev, however. No way around it except building
statically, and I dunno what that does to the build-dependencies, or the
rlm_sql and rlm_eap modules.





Freeside - Radius session Monitor

2003-09-26 Thread Kevin D. Alford
Please,

Does anyone know how to set up this feature?  My company is using FreeRadius
0.8.1 on Slackware 9 with freeside 1.4.1rc6.  Freeside is going to
manage the radius accounting (session monitoring), and the following link
establishes how freeside does this.

http://www.sisd.com/freeside/docs/session.html

The part I need help with is:

Configure your RADIUS server's login and logout callbacks to use the
command-line freeside-login and freeside-logout utilities. 

Does anyone know how to set this up?  Your assistance in this matter is
greatly appreciated.



Kevin D. Alford
Sr. UNIX Engineer





freeradius-0.9.0-ora.i386.rpm build trouble

2003-09-26 Thread Yuri Novik
Hello,

I was trying to build my own RPM package of freeradius-0.9.0 with rlm_sql_oracle 
module support to deploy to Suse 8.2 servers. Oracle version is 8.1.7.4. 
A strange problem was discovered.

If I take the default suse freeradius.spec file, then I build a buggy binary. The 
error seems to be in libclntsh.so.8.0 because 'gdb radiusd core' shows me nothing:

# gdb radiusd core

Core was generated by `/usr/sbin/radiusd -X'.
Program terminated with signal 11, Segmentation fault.
#0  0x in ?? ()
(gdb) bt
#0  0x in ?? ()
(gdb)


Then I made an strace dump of the crash of /usr/sbin/radiusd:

write(1, "Ready to process requests.\n", 27) = 27
time(NULL)  = 1064587304
select(13, [10 11 12], NULL, NULL, NULL) = 1 (in [10])
recvfrom(10, "\1\0\0Z  1064587317\1\6serg\2\22\211\1\f\243"..., 4096, 0, 
{sa_family=AF_INET, sin_port=htons(3660), 
sin_addr=inet_addr("192.168.0.11")}, [16]) = 90
write(1, "rad_recv: Access-Request packet "..., 77) = 77
time(NULL)  = 1064587317
write(1, "\tUser-Name = \"serg\"\n", 20) = 20
write(1, "\tUser-Password = \"2007811\"\n", 27) = 27
write(1, "\tNAS-IP-Address = 192.168.0.11\n", 31) = 31
write(1, "\tNAS-Port-Id = \"100\"\n", 21) = 21
write(1, "\tCalled-Station-Id = \"2892992\"\n", 31) = 31
write(1, "\tCalling-Station-Id = \"017291760"..., 35) = 35
write(1, "\tNAS-Port-Type = Async\n", 23) = 23
write(1, "\tConnect-Info = \"wsghgh\"\n", 25) = 25
time(NULL)  = 1064587317
write(1, "modcall: entering group authoriz"..., 34) = 34
time(NULL)  = 1064587317
write(1, "  modcall[authorize]: module \"pr"..., 53) = 53
time(NULL)  = 1064587317
write(1, "  modcall[authorize]: module \"ch"..., 49) = 49
time(NULL)  = 1064587317
write(1, "  rlm_eap: No EAP-Message, not d"..., 41) = 41
time(NULL)  = 1064587317
write(1, "  modcall[authorize]: module \"ea"..., 48) = 48
time(NULL)  = 1064587317
write(1, "rlm_realm: No \'@\' in User-Na"..., 67) = 67
time(NULL)  = 1064587317
time(NULL)  = 1064587317
write(1, "rlm_realm: No such realm \"NU"..., 36) = 36
time(NULL)  = 1064587317
write(1, "  modcall[authorize]: module \"su"..., 51) = 51
time(NULL)  = 1064587317
write(1, "radius_xlat:  \'serg\'\n", 21) = 21
time(NULL)  = 1064587317
write(1, "rlm_sql (sql): sql_set_user esca"..., 52) = 52
time(NULL)  = 1064587317
write(1, "radius_xlat:  \'SELECT 1 id,\'serg"..., 186) = 186
time(NULL)  = 1064587317
write(1, "rlm_sql (sql): Reserving sql soc"..., 42) = 42
time(NULL)  = 1064587317
write(1, "SELECT 1 id,\'serg\' UserName,\'Use"..., 170) = 170
write(9, "\0015\0\0\6\0\0\0\0\0\21k\4\26\0\0\0U\0\0\0\1\0\0\0\3^"..., 309) = 
309
read(9, "\3R\0\0\6\0\0\0\0\0\20\31\v\234\342\25\210W\342P\0\0xg"..., 2064) = 
850
brk(0)  = 0x8174000
brk(0x8175000)  = 0x8175000
brk(0)  = 0x8175000
brk(0x8177000)  = 0x8177000
brk(0)  = 0x8177000
brk(0x8178000)  = 0x8178000
brk(0)  = 0x8178000
brk(0x8179000)  = 0x8179000
brk(0)  = 0x8179000
brk(0x817b000)  = 0x817b000
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

The current %build section of freeradius.spec look like

%build
CFLAGS="$RPM_OPT_FLAGS" ./configure \
--prefix=%{_prefix} \
--sysconfdir=%{_sysconfdir} \
--infodir=%{_infodir} \
--mandir=%{_mandir} \
--libdir=%{_libdir} \
--localstatedir=/var \
--enable-developer 
make


But the main problem is that I can make the right binary just by typing
./configure
make
make install

This is an strace log of the same place in /usr/local/sbin/radiusd. It works 
fine!

write(1, "Ready to process requests.\n", 27) = 27
time(NULL)  = 1064587919
select(10, [7 8 9], NULL, NULL, NULL)   = 1 (in [7])
recvfrom(7, "\1\10\0Z  1064587941\1\6serg\2\22\\\236w\203"..., 4096, 0, 
{sa_family=AF_INET, sin_port=htons(3711), s
in_addr=inet_addr("192.168.0.11")}, [16]) = 90
write(1, "rad_recv: Access-Request packet "..., 77) = 77
time(NULL)  = 1064587941
write(1, "\tUser-Name = \"serg\"\n", 20) = 20
write(1, "\tUser-Password = \"2007811\"\n", 27) = 27
write(1, "\tNA

Re: threads hanging around

2003-09-26 Thread Graeme Hinchliffe
On Fri, 26 Sep 2003 07:35:22 -0400
"Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
> > I haven't needed to check the log dump yet as the problem hasn't
> > duplicated with this new code.
> 
>   That's good, but I would like to know what was broken, and what got
> fixed.

don't ask me I just type make :)

> > One thing I did notice was that the eap module wouldn't compile from
> > the CVS version of the code (I am not using it so was able to simply
> > remove the module from the source), just thought I would let you
> > know. 
> 
>   Hmm... it appears to work for me.  What errors are you seeing?

code not found in directory errors..


-- 
-
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk)

ICQ 3842605 (link)

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005




Re: Proxy Issue

2003-09-26 Thread Alan DeKok
"Ivan Meic" <[EMAIL PROTECTED]> wrote:
> Also I'm using proxy features to be able to send the accounting data
> to one more server, just to have another copy.

  Ok..

> realm NULL {
>type= radius
>authhost= 80.253.170.52:1812
>accthost= 80.253.170.52:1813
>secret  = rad213bmf
> }
> realm NULL {
>type= radius
>authhost= LOCAL 
>accthost= LOCAL 
> }

  Huh?  You have *two* NULL realms, and two DEFAULT realms?  I don't
expect that to work at all.

  In fact, it's intended to NOT work.

> In this case it works fine, but if I want to proxy it 
> to one additional server it doesn't work.
> The proxy only sends the accounting data to the first server on the list
> and leaves one copy for itself.

  See 'radrelay'.  It's designed to copy requests to another server.

  Alan DeKok.



Re: Configure Vendor-Id by NAS-IP-Address??? (only one client, but 3 types of NASes)

2003-09-26 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> In the past we had configured the Vendor-Id in the clients.conf file
> per Client-IP, but this will no more work for us, because all
> Radius-Servers have now only one Client entry, the Proxy itself.

  The 'clients.conf' file has never had a 'Vendor-Id' entry.

  It has had a 'nastype' entry, but that's a little different.

> How is it possible to define the Vendor-Id by NAS-IP-Address instead
> for the whole client??? Is it possible to add Vendor-Id in the hints
> file by adding some DEFAULT entries??? Or should the Proxy add a
> Attribute, which contains the Vendor-Id, to each request before
> proxying it to the Radius-Server???

  I'm really not sure what you're trying to do.

  Alan DeKok.



Re: Freeradius and Cisco C2950G (http server problem)

2003-09-26 Thread Vincent_Giovannone
Just goes to show that paid support isn't all that it's cracked up to be.

I opened a Cisco TAC case on this kind of issue over a year ago, and had 
Cisco TAC swear up and DOWN it wasn't possible to authenticate to the http 
server w/o using TACACS. 

I didn't believe them at the time,but I didn't really give a flying flip 
(I was just messing around and don't use http configuration interfaces if 
I can avoid them), and had wasted enough time so I let the issue drop. 
Good to know I was right in suspecting the TAC guy was full of s**t.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center

"A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden." 
-- Mil Millington





From: "Ville Leinonen" <[EMAIL PROTECTED]> (sent by [EMAIL PROTECTED])
Date: 09/26/2003 12:18 AM
To: [EMAIL PROTECTED]
Subject: Freeradius and Cisco C2950G (http server problem)

Hi!

I have a little problem with my Cisco switch. I can log in with telnet and
freeradius says ok, you can log in.
But when I try to log in via http freeradius says ok, but cisco would not
let me in. I have configured "ip http authentication aaa".
Here is the freeradius log when I try to get in via http.

rad_recv: Access-Request packet from host xx.xx.xx.xx:1812, id=117,
length=81
NAS-IP-Address = xx.xx.xx.xx
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "zz"
Calling-Station-Id = "xx.xx.xx.xx"
User-Password = ""
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
rlm_realm: No '@' in User-Name = "", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
radius_xlat:  ''
rlm_sql (sql): sql_set_user escaped user --> ''
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [/] (from client radtest port 2 cli xx.xx.xx.xx)
Sending Access-Accept of id 117 to xx.xx.xx.xx:1812
Service-Type := NAS-Prompt-User
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 117 with timestamp 3f73cb8e
Nothing to do.  Sleeping until we see a request.


Any suggestion what i do wrong?

Best regards,

Ville Leinonen







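The debug output above shows the server returning an Access-Accept for a request whose User-Password was empty: the DEFAULT entry with Auth-Type Local matched, and the log records that the supplied (empty) User-Password matched the local one. Whether or not the switch then lets the user in, that is an event a log review should surface. The following Python is an added example, not part of the thread or of FreeRADIUS: it parses radiusd -X style output into per-packet records and lists every Access-Accept whose request carried an empty or absent credential. The first request in SAMPLE_LOG is taken from the post above (with lines that do not matter here dropped); the other two requests are constructed.

```python
"""Scan radiusd -X debug output for Access-Accepts issued to requests that carried
an empty or missing credential. Added example: the regexes follow the debug line
shapes shown in the post; requests 118 and 119 in SAMPLE_LOG are constructed."""
import re

RECV = re.compile(r'^rad_recv: Access-Request packet from host (\S+), id=(\d+)')
ATTR = re.compile(r'^\s+([\w-]+) = (.*)$')          # one request attribute line
SEND = re.compile(r'^Sending (Access-\w+) of id (\d+) to')

SAMPLE_LOG = """\
rad_recv: Access-Request packet from host xx.xx.xx.xx:1812, id=117, length=81
\tNAS-IP-Address = xx.xx.xx.xx
\tNAS-Port = 2
\tNAS-Port-Type = Virtual
\tUser-Name = "zz"
\tCalling-Station-Id = "xx.xx.xx.xx"
\tUser-Password = ""
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  rad_check_password:  Found Auth-Type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 117 to xx.xx.xx.xx:1812
\tService-Type := NAS-Prompt-User
rad_recv: Access-Request packet from host 10.0.0.5:1812, id=118, length=70
\tNAS-IP-Address = 10.0.0.5
\tUser-Name = "alice"
\tUser-Password = "correct-horse"
modcall: entering group authorize
Sending Access-Accept of id 118 to 10.0.0.5:1812
\tService-Type := NAS-Prompt-User
rad_recv: Access-Request packet from host 10.0.0.5:1812, id=119, length=60
\tNAS-IP-Address = 10.0.0.5
\tUser-Name = "bob"
\tUser-Password = ""
Sending Access-Reject of id 119 to 10.0.0.5:1812
"""


def parse_debug_log(text):
    """Map packet id -> {'from': host, 'attrs': {...}, 'result': reply code or None}."""
    requests, current, in_attrs = {}, None, False
    for line in text.splitlines():
        m = RECV.match(line)
        if m:
            current = {"from": m.group(1), "attrs": {}, "result": None}
            requests[int(m.group(2))] = current
            in_attrs = True                      # the indented block right after rad_recv
            continue
        m = ATTR.match(line)
        if in_attrs and m:
            current["attrs"][m.group(1)] = m.group(2).strip().strip('"')
            continue
        in_attrs = False                         # anything else ends the attribute block
        m = SEND.match(line)
        if m and int(m.group(2)) in requests:
            requests[int(m.group(2))]["result"] = m.group(1)
    return requests


def weak_credential_accepts(text):
    """[(id, user, reasons)] for every Access-Accept whose request had no usable credential."""
    found = []
    for rid, req in sorted(parse_debug_log(text).items()):
        if req["result"] != "Access-Accept":
            continue
        a, reasons = req["attrs"], []
        if "User-Password" in a and a["User-Password"] == "":
            reasons.append("empty User-Password")
        if a.get("User-Name") == "":
            reasons.append("empty User-Name")
        if not {"User-Password", "CHAP-Password", "EAP-Message"} & set(a):
            reasons.append("no credential attribute in the request")
        if reasons:
            found.append((rid, a.get("User-Name", ""), reasons))
    return found


if __name__ == "__main__":
    for rid, user, reasons in weak_credential_accepts(SAMPLE_LOG):
        print(f"id={rid} user={user!r}: " + "; ".join(reasons))
```

Only packet 117 is reported: 118 carried a password and 119 was rejected. Attribute lines are collected only in the block directly under a rad_recv line, so the reply items printed under "Sending ..." (which use := rather than =) are never mistaken for request attributes.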


Re: threads hanging around

2003-09-26 Thread Alan DeKok
Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
> I haven't needed to check the log dump yet as the problem hasn't
> duplicated with this new code.

  That's good, but I would like to know what was broken, and what got
fixed.

> One thing I did notice was that the eap module wouldn't compile from
> the CVS version of the code (I am not using it so was able to simply
> remove the module from the source), just thought I would let you
> know. 

  Hmm... it appears to work for me.  What errors are you seeing?

  Alan DeKok.



Re: Peabird's AP(Earthcom-network)

2003-09-26 Thread Alan DeKok
Félix Dewaleyne <[EMAIL PROTECTED]> wrote:
>  As i don't want to use MS software but linux I choosed to use
> freeradius, but I need to configure the radius server to be Win 2000
> IAS compatible.

  Huh?  What do you mean by that?

  Alan DeKok.



Re: sizelimit on user record?

2003-09-26 Thread Alan DeKok
Nils-Henner Krueger <[EMAIL PROTECTED]> wrote:
> We're observing segfaults of freeradius 0.9.1 on Solaris 8
> immediately after delivering large user records (that means
> many reply items per user) to the client.

  That's bad.

> Is there any kind of limit on the maximum number of reply
> items, expressed in bytes or no of items?

  Nope.

  Are you using Ascend "data filter" attributes?  There's a patch
pending to fix some issues with them.  That may help.

  Alan DeKok.



Re: eap-ttls pap can't work with aegis client

2003-09-26 Thread Alan DeKok
"george" <[EMAIL PROTECTED]> wrote:
> I have tested eap-ttls with freeradius and the client is aegis; the
> ms-chap, ms-chap-v2 and eap-md5 work, but it seems that pap and chap
> don't work. Here is the message from radiusd (using eap-ttls-pap),
> thanks!

  PAP & CHAP work fine with the Aegis client.  You've broken your
local configuration, to disable PAP & CHAP.

>  modcall[authorize]: module "suffix" returns noop
> users: Matched test at 114

  You've set 'Auth-Type := EAP' here, for this user.  Don't do that.

  Alan DeKok.



RE: defaulting a user's Realm

2003-09-26 Thread Ron Wahler

There were two places you must change to get NULL realms to work.

The first was in the users file. A default user realm must be added
with the Autz-Type set on the required line.

DEFAULT Realm == "NULL", Autz-Type := sql

And the proxy.conf must have a NULL realm defined.

realm NULL {
        type     = radius
        authhost = Local
        secret   = yoursec
}



Ron Wahler


> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24, 2003 7:51 AM
> To: [EMAIL PROTECTED]
> Subject: Re: defaulting a user's Realm
> 
> "Ron Wahler" <[EMAIL PROTECTED]> wrote:
> > With this syntax as the default user it seems to get further but
> > still fails.
> ...
> > Mon Sep 22 11:55:26 2003 : Debug: auth: No authenticate method
> > (Auth-Type) configuration found for the request: Rejecting the user
> 
>   ?  Fix that, and the problem should be resolved.
> 
>   Alan DeKok.
> 



Re: rlm_ldap --without-threads

2003-09-26 Thread Kostas Kalevras
On Thu, 25 Sep 2003, Rohaizam Abu Bakar wrote:

> still the same... error.. no other indication from debug log..
> for the time being... i'm using freeradius 0.9.0 with my FreeBSD 4.8...
>
> ldap: access_attr = "dialupAccess"
>  ldap: groupname_attribute = "cn"
>  ldap: groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO
> fUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>  ldap: groupmembership_attribute = "(null)"
>  ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
>  ldap: ldap_debug = 0
>  ldap: ldap_connections_number = 256
>  ldap: compare_check_items = no
>  ldap: access_attr_used_for_allow = yes
> conns: 0x0
> /usr/libexec/ld-elf.so.1: /usr/local/lib/rlm_ldap-0.9.1.so: Undefined symbol
> "pthread_mutex_init"

Do a cvs update on the ldap module. It should now compile even without pthread
functions.

>
>
>
>
> - Original Message -
> From: "Timm " <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, September 25, 2003 10:06 AM
> Subject: RE: rlm_ldap --without-threads
>
>
> > Did you try running in debug mode? It's the -X flag and it may provide you a
> > cooler error message.
> >
> > Tim
> >
> >
> >
> > -Original Message-
> > From: Rohaizam Abu Bakar [mailto:[EMAIL PROTECTED]
> > Sent: Wed 9/24/2003 9:35 PM
> > To: [EMAIL PROTECTED]
> > Cc:
> > Subject: rlm_ldap --without-threads
> >
> >
> > Installing 0.9.1 on FreeBSD 4.8 but cannot start radiusd.
> > Is it because I'm configuring using --without-threads???
> >
> > bash-2.05b# /usr/local/etc/rc.d/radiusd.sh start
> > Starting FreeRADIUS:Thu Sep 25 09:30:28 2003 : Info: Starting - reading
> configuration files ...
> > /usr/libexec/ld-elf.so.1: /usr/local/lib/rlm_ldap-0.9.1.so: Undefined
> symbol "pthread_mutex_init"
> >
> > --haizam
> >
> >
>
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: ldap authentication / simultenious-use

2003-09-26 Thread Kostas Kalevras
On Thu, 25 Sep 2003, Ossama Suleiman wrote:

> dear all,
>
> while authenticating against ldap i enabled compare_check_items
> = yes, because i wanted to use nas-port-type based authentication, because
> i have two kinds of users, analog and ISDN, in order to prevent analog
> users from using ISDN services,
> which is working fine now
>
> but the problem i faced is in simultaneous-use, as it is a check item
> too, if the radius doesn't receive it while authenticating the user, the
> user gets rejected
>
> besides, i want to use simultaneous-use to differentiate between
> isdn 64K and isdn 128K
>
> any help??

compare_check_items does not work great with check items like simultaneous-use.
You could disable it and use rlm_checkval for the nas-port-type based
authentication.

>
> thanks and best regards
>
> ossama
>
>
>
>
> --
> Ossama Suleiman
> Systems Engineer
> TE Data S.A.E
> Email: [EMAIL PROTECTED]
> Web:   www.tedata.net
> Phone: +(202)-416-6600, EXT: 1105
>
> "Learn from yesterday, live for today, hope for tomorrow."
>
>
>
>



mppe and cisco problem

2003-09-26 Thread Roberto Pioli
I want to use a cisco 7100 for vpn with mschap.
If the 7100 has mppe passive mode all goes well and mschap-mppe works fine. The
user is authenticated and the connection is encrypted 128 bit.
If the 7100 is in mppe auto the user login is ok but after one second the 7100
sends an accounting stop signal for mppe error.

What's the matter? (radius with ldap;)

Thanks

Roberto





Proxy Issue

2003-09-26 Thread Ivan Meic
Hi,

I'm using FreeRADIUS v0.8.1 on RedHat 7.1.
I'm using it strictly for accounting purposes with
MySQL running in the background.

Also I'm using proxy features to be able to send the accounting data
to one more server, just to have another copy.
--- proxy.conf ---
proxy server {
    synchronous = no
    retry_delay = 5
    retry_count = 10
    dead_time = 120
    servers_per_realm = 15
    default_fallback = yes
}
realm NULL {
    type     = radius
    authhost = 80.253.170.52:1812
    accthost = 80.253.170.52:1813
    secret   = rad213bmf
}
realm NULL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm DEFAULT {
    type     = radius
    authhost = 80.253.170.52:1812
    accthost = 80.253.170.52:1813
    secret   = rad213bmf
}
realm DEFAULT {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

In this case it works fine, but if I want to proxy it 
to one additional server it doesn't work.
The proxy only sends the accounting data to the first server on the list
and leaves one copy for itself.

Why is this happening ? What can I do regarding this issue ?

Thanks in advance.

Regards,
Ivan Meic
 




Re: Re: Mysql Optimize Table without losing accounting-data???

2003-09-26 Thread m . prenger
Alan wrote:

>Huh?  Logging to the 'detail' file takes nearly zero time.
>
>Let me guess: You're running MySQL on the same machine as
FreeRADIUS.
>
>The solution is simple: Don't do that.

Hi Alan,

thanks for replying. Yes, we're running mysqld on the same machine as
radiusd, but we're not able to change this :( I have now set up a
Radius-Proxy which sends requests to another Radius-Server when the
first is in maintenance.

But now I don't know how to tell radiusd that different Vendor-Ids
for each request are needed ... well, that's configurable in the
clients.conf file, but it contains only one client, our Proxy-Server.
Please see the thread named "Configure Vendor-Id by NAS-IP-Address???
(only one client, but 3 types of NASes)" ...

Thanks a lot!
Marc Prenger



RE: WPA w/ EAP-TLS against 0.8.1

2003-09-26 Thread Guy Davies

Artur is right.  This was a problem previously seen by one AP vendor
with whom I talk, which affected both Microsoft's IAS and Funk's
Steel Belted RADIUS servers.  The session-timeout returned by default
by those was very low and caused repeated authentication which
dramatically reduced the perceived throughput.  I found that
explicitly setting the session-timeout value for MAC authenticated
users dramatically improved things.  It is possible that such an
explicit session-timeout is required for users authenticating using
TLS?

As Artur said, nothing to do with the supplicant (those bring their
own problems ;-).  Apologies for the confusion.

Regards,

Guy

> -Original Message-
> From: Artur Hecker [mailto:[EMAIL PROTECTED]
> Sent: 26 September 2003 13:50
> To: [EMAIL PROTECTED]
> Subject: Re: WPA w/ EAP-TLS against 0.8.1
> 
> 
> that is the response i kind of feared. sorry, that's nonsense.
> 
> in that case the whole story has nothing to do with the respective 
> supplicant, since it simply NEVER gets in touch with Radius 
> attributes. 
> that would be the problem of the AP and NOT of the supplicant as
> you  pointed out.
> 
> 
> ciao
> artur
> 
> 
> Guy Davies wrote:
> 
> > 
> > 
> > Hi Artur,
> > 
> > You don't :-)  You set the session-timeout in the RADIUS reply.
> > 
> > Regards,
> > 
> > Guy
> > 
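Guy's suggestion above is that a too-short Session-Timeout in the Access-Accept makes the AP re-authenticate the station every few seconds, which from the server's side looks like the loop Ian describes. The following is an added example, not code from this thread or from FreeRADIUS: it scans radius.log style "Auth: Login OK" lines (constructed here, with made-up client names, users and station addresses; the format is modelled on the FreeRADIUS auth log) and flags stations that log in again and again within seconds, so the condition can be confirmed in the server's own log before the supplicant or the AP is blamed. The thresholds (30 seconds between logins, 3 logins in a row) are assumptions, not server defaults.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed radius.log-style lines (format modelled on the FreeRADIUS "Auth:
# Login OK" message; client names, users and station addresses are made up).
SAMPLE_LOG = """\
Fri Sep 26 11:42:00 2003 : Auth: Login OK: [alice] (from client wrt54g port 1 cli 00-11-22-33-44-55)
Fri Sep 26 11:42:06 2003 : Auth: Login OK: [alice] (from client wrt54g port 1 cli 00-11-22-33-44-55)
Fri Sep 26 11:40:00 2003 : Auth: Login OK: [bob] (from client ap340 port 3 cli 00-aa-bb-cc-dd-ee)
Fri Sep 26 11:42:12 2003 : Auth: Login OK: [alice] (from client wrt54g port 1 cli 00-11-22-33-44-55)
Fri Sep 26 11:42:13 2003 : Auth: Login incorrect: [mallory] (from client wrt54g port 2 cli 00-de-ad-be-ef-00)
Fri Sep 26 11:42:18 2003 : Auth: Login OK: [alice] (from client wrt54g port 1 cli 00-11-22-33-44-55)
Fri Sep 26 11:42:24 2003 : Auth: Login OK: [alice] (from client wrt54g port 1 cli 00-11-22-33-44-55)
Fri Sep 26 12:10:00 2003 : Auth: Login OK: [bob] (from client ap340 port 3 cli 00-aa-bb-cc-dd-ee)
""".splitlines()

# Only successful logins matter here; "Login incorrect" lines are skipped.
LOGIN_OK = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: Login OK: "
    r"\[(?P<user>[^\]]+)\] \(from client (?P<client>\S+) port \d+ cli (?P<cli>\S+)\)$"
)


def accept_gaps(lines: List[str]) -> Dict[str, List[float]]:
    """Seconds between consecutive successful logins, per station (cli).
    Timestamps are sorted per station first, so log order does not matter."""
    stamps: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LOGIN_OK.match(line)
        if m:
            stamps[m["cli"]].append(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"))
    gaps: Dict[str, List[float]] = {}
    for cli, ts in stamps.items():
        ts.sort()
        gaps[cli] = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return gaps


def reauth_loops(lines: List[str], max_gap: float = 30.0, min_logins: int = 3) -> Dict[str, float]:
    """Stations that logged in successfully at least min_logins times in a row
    with at most max_gap seconds between logins. The value is the average gap
    of the longest such streak. Thresholds are assumptions, not server defaults."""
    flagged: Dict[str, float] = {}
    for cli, gaps in accept_gaps(lines).items():
        streak: List[float] = []
        best: List[float] = []
        for g in gaps:
            streak = streak + [g] if g <= max_gap else []
            if len(streak) > len(best):
                best = streak
        if len(best) + 1 >= min_logins:
            flagged[cli] = sum(best) / len(best)
    return flagged


if __name__ == "__main__":
    for cli, gaps in accept_gaps(SAMPLE_LOG).items():
        print(cli, gaps)
    print("re-authentication loops:", reauth_loops(SAMPLE_LOG))
```

In the constructed sample the station behind wrt54g re-authenticates every 6 seconds (the default Guy quotes), the station behind the AP340 only every 1800 seconds, and only the first is flagged; run it against a real radius.log by replacing SAMPLE_LOG with the file's lines.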

Re: Is it allowed to describe several check items in single checkval module section?

2003-09-26 Thread Kostas Kalevras
On Thu, 25 Sep 2003, Roman M. Bibikov wrote:

> Hi all!
> Is it allowed to describe several check items in checkval module?
> I setted up Calling-Station-Id and Called-Station-Id checking by adding
> new checkval section in radiusd.conf, so each of them instantiates. See
> below...
>
>
> checkval CALLINGID {
>     item-name = Calling-Station-Id
>     check-name = Calling-Station-Id
>     data-type = string
>     notfound-reject = yes
> }
>
> checkval CALLEDID {
>     item-name = Called-Station-Id
>     check-name = Called-Station-Id
>     data-type = string
>     notfound-reject = yes
> }
>
> May be it is allowed to do the same like this (see below) for a smaller
> memory usage, not for several checkval modules?

No, it is not allowed.
Anyway, a smaller memory usage is not an issue with a module as small as
checkval.

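To make Kostas's two answers concrete (why compare_check_items = yes trips over Simultaneous-Use in the ldap thread above, and why each checkval instance handles exactly one attribute), here is an added example that simulates the two comparison styles in Python. It is not FreeRADIUS code: the rlm_checkval behaviour (noop when the user has no such check item, reject or noop when the request lacks the attribute depending on notfound-reject, success on any matching value) is modelled from the options shown in the thread rather than from the module's source, and the users and requests are constructed.

```python
from typing import List, Tuple

# A request or a user's stored policy is a list of (attribute, value) pairs,
# because a RADIUS attribute may occur more than once.
AVPairs = List[Tuple[str, str]]


def values(pairs: AVPairs, attr: str) -> List[str]:
    """All values of one attribute, in order."""
    return [v for a, v in pairs if a == attr]


def compare_all_check_items(request: AVPairs, check_items: AVPairs) -> Tuple[bool, str]:
    """Reject unless every stored check item matches an attribute of the request.

    This is the behaviour the ldap thread runs into: Simultaneous-Use is a
    server-side limit that no NAS ever puts into an Access-Request, so comparing
    it against the request can only fail and the user is rejected.
    """
    for attr, wanted in check_items:
        present = values(request, attr)
        if not present:
            return False, f"{attr} is a check item but absent from the request"
        if wanted not in present:
            return False, f"{attr}: request has {present}, policy wants {wanted!r}"
    return True, "all check items matched"


class CheckvalInstance:
    """One checkval-style instance: it looks at exactly one attribute.

    item_name is read from the request, check_name from the user's check items,
    and notfound_reject decides what happens when the request lacks item_name.
    A user with no check_name item is not affected by this instance (noop).
    """

    def __init__(self, name: str, item_name: str, check_name: str, notfound_reject: bool):
        self.name = name
        self.item_name = item_name
        self.check_name = check_name
        self.notfound_reject = notfound_reject

    def evaluate(self, request: AVPairs, check_items: AVPairs) -> str:
        wanted = values(check_items, self.check_name)
        if not wanted:
            return "noop"
        present = values(request, self.item_name)
        if not present:
            return "reject" if self.notfound_reject else "noop"
        # Several check items of the same name act as an allow-list: any match is enough.
        return "ok" if any(v in wanted for v in present) else "reject"


def authorize(request: AVPairs, check_items: AVPairs,
              instances: List[CheckvalInstance]) -> Tuple[str, List[Tuple[str, str]]]:
    """Run the instances in order, as if listed in the authorize section;
    the first reject ends processing, otherwise the result is ok if any matched."""
    results: List[Tuple[str, str]] = []
    outcome = "noop"
    for inst in instances:
        result = inst.evaluate(request, check_items)
        results.append((inst.name, result))
        if result == "reject":
            return "reject", results
        if result == "ok":
            outcome = "ok"
    return outcome, results


# Constructed sample data: an ISDN-only user and three requests (not real traffic).
ISDN_USER_CHECK_ITEMS: AVPairs = [
    ("NAS-Port-Type", "ISDN"),
    ("Simultaneous-Use", "1"),  # server-side policy, never present in a request
    ("Calling-Station-Id", "0123456789"),
]
ISDN_REQUEST: AVPairs = [("User-Name", "alice"), ("NAS-Port-Type", "ISDN"),
                         ("Calling-Station-Id", "0123456789")]
ANALOG_REQUEST: AVPairs = [("User-Name", "alice"), ("NAS-Port-Type", "Async"),
                           ("Calling-Station-Id", "0123456789")]
BARE_REQUEST: AVPairs = [("User-Name", "alice")]

# One instance per attribute, like the CALLINGID / CALLEDID blocks in the thread.
INSTANCES = [
    CheckvalInstance("PORTTYPE", "NAS-Port-Type", "NAS-Port-Type", notfound_reject=True),
    CheckvalInstance("CALLINGID", "Calling-Station-Id", "Calling-Station-Id", notfound_reject=True),
]

if __name__ == "__main__":
    print("compare everything:", compare_all_check_items(ISDN_REQUEST, ISDN_USER_CHECK_ITEMS))
    for req in (ISDN_REQUEST, ANALOG_REQUEST, BARE_REQUEST):
        print("checkval:", authorize(req, ISDN_USER_CHECK_ITEMS, INSTANCES))
```

The compare-everything style rejects even the legitimate ISDN request because Simultaneous-Use is missing from it, while the per-attribute instances accept the ISDN request, reject the analog one on NAS-Port-Type, and (with notfound-reject = yes) reject a request that carries no NAS-Port-Type at all.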


Configure Vendor-Id by NAS-IP-Address??? (only one client, but 3 types of NASes)

2003-09-26 Thread m . prenger
Dear ML,

we have to set up a Radius-Proxy which will proxy auth/acct packets to an
individual Radius-Server by NAS-IP-Address. The Proxy works quite properly; we
are using the hints file in combination with DEFAULT entries to set up the
Proxy-to-Realm attribute.

Now our Problem:
In the past we had configured the Vendor-Id in the clients.conf file per
Client-IP, but this will no longer work for us, because all Radius-Servers now
have only one Client entry, the Proxy itself.

How is it possible to define the Vendor-Id by NAS-IP-Address instead of for the
whole client??? Is it possible to add Vendor-Id in the hints file by adding some
DEFAULT entries??? Or should the Proxy add an Attribute, which contains the
Vendor-Id, to each request before proxying it to the Radius-Server???

I have added a quick and dirty layout of our actual configuration:

 ------  ------  ------
 |NAS1|  |NAS2|  |NAS3|   (3 different NASes, Vendor-Ids)
 ------  ------  ------
     \     |     /
      \    |    /
       \   |   /
        \  |  /
       ---------
       | Proxy |          (unique machine, the one and only Client of the Radius-Servers)
       ---------
        /  |  \
       /   |   \
      /    |    \
     /     |     \
 -------  -------  -------
 |Rad 1|  |Rad 2|  |Rad 3| (different machines)
 -------  -------  -------

Thanks for reading!! Best regards,
Marc Prenger (thankful for each reply to this thread)



Re: WPA w/ EAP-TLS against 0.8.1

2003-09-26 Thread Artur Hecker
that is the response i kind of feared. sorry, that's nonsense.

in that case the whole story has nothing to do with the respective 
supplicant, since it simply NEVER gets in touch with Radius attributes. 
that would be the problem of the AP and NOT of the supplicant as you 
pointed out.

ciao
artur
Guy Davies wrote:

 
Hi Artur,

You don't :-)  You set the session-timeout in the RADIUS reply.

Regards,

Guy



RE: WPA w/ EAP-TLS against 0.8.1

2003-09-26 Thread Guy Davies

Hi Artur,

You don't :-)  You set the session-timeout in the RADIUS reply.

Regards,

Guy

> -Original Message-
> From: Artur Hecker [mailto:[EMAIL PROTECTED]
> Sent: 26 September 2003 12:56
> To: [EMAIL PROTECTED]
> Subject: Re: WPA w/ EAP-TLS against 0.8.1
> 
> 
> hi Guy!
> 
> 
> how can you change the session time in windows?
> 
> thanks,
> artur
> 
> 
> 
> 
> Guy Davies wrote:
> 
> > 
> > 
> > Hi Ian,
> > 
> > I've seen something like this when doing MAC authentication.  It was
> > actually a "feature" of the WinXP/Win2k supplicant which 
> defaults the
> > session time to about 6 seconds!  If I explicitly set the 
> session time to be
> > something more useful (1800 seconds is good) then 
> everything was happy.
> > 
> > Sorry if this is totally unrelated but I thought it might help.
> > 
> > Regards,
> > 
> > Guy
> > 
> > 

Re: freeradius send only one Ascend-IP-Pool-Definition

2003-09-26 Thread Chris Brotsos
At 07:30 AM 9/26/2003, you wrote:
> Hi,
>
> please help. I want to send more than one IP-Pool-Definition to my
> ascend box. Freeradius sends only one of them.
>
> users-file:
>
> "pools-Moritz"  Auth-Type := Local, User-Password == "secret"
>     Service-Type = Dialout-Framed-User,
>     Ascend-IP-Pool-Definition = "1 111.111.100.129 70",
>     Ascend-IP-Pool-Definition = "2 111.111.101.0 32"

Use += for your operator.



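Chris's one-line answer comes down to how the users file merges reply items. The following is an added Python example, not FreeRADIUS code: it parses the reply items of an entry and applies the =, := and += operators the way the server does (= adds only when the attribute is not already in the reply, := replaces, += always appends), which is why the second Ascend-IP-Pool-Definition is dropped with = and kept with +=. The entry is Hans's, with the reply lines indented as the users file requires; the DEFAULT entry with Session-Timeout := 1800 is constructed to show := forcing a value that another module already set, as Guy's reply in the WPA thread suggests.

```python
import re
from typing import List, Sequence, Tuple

AVPairs = List[Tuple[str, str]]

# One reply-item line: Attribute, operator, quoted or bare value, optional trailing comma.
REPLY_ITEM = re.compile(r'^\s*([\w-]+)\s*(:=|\+=|=)\s*(?:"([^"]*)"|([^\s,]+))\s*,?\s*$')


def parse_reply_items(entry: str) -> List[Tuple[str, str, str]]:
    """Reply items of a users-file entry: every indented line after the first
    (the first line carries the entry name and the check items).
    Returns (attribute, operator, value) triples in file order."""
    items: List[Tuple[str, str, str]] = []
    for line in entry.splitlines()[1:]:
        if not line.strip():
            continue
        m = REPLY_ITEM.match(line)
        if not m:
            raise ValueError(f"cannot parse reply item: {line!r}")
        attr, op, quoted, bare = m.groups()
        items.append((attr, op, quoted if quoted is not None else bare))
    return items


def apply_reply_items(reply: Sequence[Tuple[str, str]],
                      items: List[Tuple[str, str, str]]) -> AVPairs:
    """Merge parsed reply items into the reply list using the users-file operators:
       =   add the pair only if the attribute is not in the reply yet
       :=  replace every existing value of the attribute with this one
       +=  always append, so a multi-valued attribute accumulates"""
    out: AVPairs = list(reply)
    for attr, op, value in items:
        if op == "=":
            if not any(a == attr for a, _ in out):
                out.append((attr, value))
        elif op == ":=":
            out = [(a, v) for a, v in out if a != attr] + [(attr, value)]
        else:  # "+="
            out.append((attr, value))
    return out


def build_reply(entry: str, existing: Sequence[Tuple[str, str]] = ()) -> AVPairs:
    """Reply list produced by one users-file entry on top of what is already there."""
    return apply_reply_items(existing, parse_reply_items(entry))


def pool_definitions(entry: str) -> List[str]:
    """Every Ascend-IP-Pool-Definition that would actually be sent."""
    return [v for a, v in build_reply(entry) if a == "Ascend-IP-Pool-Definition"]


# Hans's entry, check items on the first line and reply items indented;
# the second pool definition is silently dropped by "=".
ENTRY_WITH_EQUALS = '''"pools-Moritz"  Auth-Type := Local, User-Password == "secret"
\tService-Type = Dialout-Framed-User,
\tAscend-IP-Pool-Definition = "1 111.111.100.129 70",
\tAscend-IP-Pool-Definition = "2 111.111.101.0 32"
'''

# Chris's fix: "+=" on the repeated attribute keeps both values.
ENTRY_WITH_PLUS = ENTRY_WITH_EQUALS.replace("Ascend-IP-Pool-Definition =",
                                            "Ascend-IP-Pool-Definition +=")

# Constructed: force a Session-Timeout even when an earlier module already set one.
TIMEOUT_ENTRY = '''DEFAULT
\tSession-Timeout := 1800
'''

if __name__ == "__main__":
    print("=  ->", pool_definitions(ENTRY_WITH_EQUALS))
    print("+= ->", pool_definitions(ENTRY_WITH_PLUS))
    print(":= ->", build_reply(TIMEOUT_ENTRY, [("Session-Timeout", "6")]))
```

Note that with = the Session-Timeout of 6 already in the reply would survive; only := overrides it, which is the operator to use when the timeout must win regardless of what other modules returned.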


freeradius send only one Ascend-IP-Pool-Definition

2003-09-26 Thread Hans Bornemann
Hi,

please help. I want to send more than one IP-Pool-Definition to my
ascend box. Freeradius sends only one of them.

users-file:

"pools-Moritz"  Auth-Type := Local, User-Password == "secret"
    Service-Type = Dialout-Framed-User,
    Ascend-IP-Pool-Definition = "1 111.111.100.129 70",
    Ascend-IP-Pool-Definition = "2 111.111.101.0 32"

debug mode:

auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 34 to 111.111.111.60:1541
Service-Type = Outbound-User
Ascend-IP-Pool-Definition = "1 111.111.111.129 70"
Finished request 0

Thanks



-- 
Hans Bornemann

Universitaet Dortmund
Hochschulrechenzentrum
August Schmidt Str. 12

44227 Dortmund

Tel. ++49 231 7552132
Fax. ++49 231 7552731




Re: WPA w/ EAP-TLS against 0.8.1

2003-09-26 Thread Artur Hecker
hi Guy!

how can you change the session time in windows?

thanks,
artur


Guy Davies wrote:

 
Hi Ian,

I've seen something like this when doing MAC authentication.  It was
actually a "feature" of the WinXP/Win2k supplicant which defaults the
session time to about 6 seconds!  If I explicitly set the session time to be
something more useful (1800 seconds is good) then everything was happy.
Sorry if this is totally unrelated but I thought it might help.

Regards,

Guy




RE: WPA w/ EAP-TLS against 0.8.1

2003-09-26 Thread Guy Davies

Hi Ian,

I've seen something like this when doing MAC authentication.  It was
actually a "feature" of the WinXP/Win2k supplicant which defaults the
session time to about 6 seconds!  If I explicitly set the session time to be
something more useful (1800 seconds is good) then everything was happy.

Sorry if this is totally unrelated but I thought it might help.

Regards,

Guy



WPA w/ EAP-TLS against 0.8.1

2003-09-26 Thread Ian Pritchard
Hi,

We're running FreeRADIUS version 0.8.1, and have been trying out 
authentication using a couple of "WPA-capable" 802.11 APs and PCMCIA cards 
on laptops, with EAP-TLS and certs.

We've tried a matrix of the following:

Laptops
- Win2K SP4 w/ MS 802.1x patch and with Funk Odyssey client
- WinXP
- EAP-TLS certs installed
PCMCIA cards
- Linksys WPC54G
- SMC2635W
APs
- Linksys WRT54G
- SMC2804WBR
- Cisco AP340
All devices running latest possible drivers.

Before testing WPA we were running the Cisco AP340 and the Win2K 802.1x auth 
patch, plus XP.

Running either of the two PCMCIA cards, on either the Win2K or WinXP laptop, 
via the Linksys WRT54G AP, we see behaviour where the AP initiates access 
request to the FreeRADIUS server, the process runs through as normal, the 
access accept is sent to the AP, but it then immediately starts 
authentication again, and you run through the whole process repeatedly, 
starting again immediately after the accept is sent. Nothing seems abnormal 
if running FreeRADIUS in debug mode. With the Funk Odyssey client running on 
Win2K the behaviour is the same.

Using the SMC AP, things are more interesting. The SMC AP's web-based 
control interface has a "security" main menu, with 802.1x as a sub-menu. If 
you turn the main security to "WPA/TKIP w/ RADIUS", then the behaviour is as 
with the Linksys above. However, if you turn it to "No Encryption" (so not 
even WEP enabled according to its interface), but leave the "enable 802.1x" 
turned on in the sub-menu, authentication takes place as normal. The SMC 
client card has client manager software, and if you turn on WPA on the AP, 
then the client manager shows a "key" symbol (presumably denoting some kind 
of security) next to the AP, but if you turn off encryption and leave 802.1x 
turned on, the key goes away.

The Cisco AP doesn't have WPA but will do 802.1x as before.

We're having trouble reaching a conclusion here (partly because it's 
difficult to tell what's happening), and certainly don't think we've got any 
"WPA" AP/client combination working with WPA/Radius. We had thought that, 
from an authentication perspective, there was no difference between 802.1x 
and WPA.

Has anyone else managed to get WPA APs and clients running against 
FreeRADIUS using EAP-TLS?

Many thanks,

Ian



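Ian's last paragraph is the point worth checking. From the authentication step's point of view 802.1x and WPA are the same EAP-TLS exchange, but WPA additionally needs the AP to receive the pairwise master key: the RADIUS server derives the EAP MSK from the TLS master secret and hands the first 32 bytes to the AP as MS-MPPE-Recv-Key (with the second 32 as MS-MPPE-Send-Key) in the Access-Accept, and the AP uses that as the PMK for the WPA 4-way handshake. An Access-Accept without those two attributes is enough for plain 802.1x port control and not enough for WPA, so the attributes of the accept in the debug output are the first thing to look at. The script below is an added example, not code from the post or from FreeRADIUS: it derives the MSK with the TLS 1.0 PRF as RFC 5216 section 2.3 specifies (TLS 1.2 uses its own SHA-256 PRF and TLS 1.3 the exporter interface instead), splits it into the two MS-MPPE keys and encrypts one of them the way RFC 2548 section 2.4.2 requires before it can go into a RADIUS attribute. The master secret, randoms, shared secret and Request Authenticator are constructed values; a real server takes them from the TLS session and from the Access-Request.

```python
import hashlib
import hmac


def _p_hash(hash_name, secret, seed, length):
    """P_hash expansion from RFC 2246 section 5: HMAC chained over A(i)."""
    out = b""
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over
    the second half (the halves overlap by one byte when the length is odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = _p_hash("md5", s1, label + seed, length)
    sha_part = _p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def eap_tls_msk(master_secret, client_random, server_random):
    """RFC 5216 section 2.3: Key_Material = PRF(master_secret,
    "client EAP encryption", client.random + server.random). The MSK is the
    first 64 bytes; the next 64 are the EMSK, which RADIUS never carries."""
    key_material = tls10_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    return key_material[:64]


def mppe_keys_from_msk(msk):
    """Split the MSK the way a RADIUS server hands it to the NAS:
    MS-MPPE-Recv-Key = MSK[0:32] (the PMK for the WPA 4-way handshake),
    MS-MPPE-Send-Key = MSK[32:64]."""
    return msk[:32], msk[32:64]


def mppe_key_encrypt(key, secret, request_authenticator, salt):
    """RFC 2548 section 2.4.2: P = Key-Length || Key || zero padding to a
    16-byte multiple; b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1))."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be two bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    cipher = b""
    b = hashlib.md5(secret + request_authenticator + salt).digest()
    for i in range(0, len(plain), 16):
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        cipher += block
        b = hashlib.md5(secret + block).digest()   # next keystream block keys off the ciphertext
    return salt + cipher


def mppe_key_decrypt(field, secret, request_authenticator):
    """Inverse of mppe_key_encrypt, as the NAS applies it to the attribute."""
    salt, cipher = field[:2], field[2:]
    plain = b""
    b = hashlib.md5(secret + request_authenticator + salt).digest()
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, b))
        b = hashlib.md5(secret + block).digest()
    return plain[1:1 + plain[0]]                   # first byte is the key length


def demo():
    # Constructed inputs; a real server takes these from the TLS session
    # and the Access-Request that carried the last EAP-Message.
    master_secret = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    shared_secret = b"testing123"       # hypothetical client shared secret
    request_auth = bytes(range(16))     # hypothetical Request Authenticator
    msk = eap_tls_msk(master_secret, client_random, server_random)
    recv_key, send_key = mppe_keys_from_msk(msk)
    field = mppe_key_encrypt(recv_key, shared_secret, request_auth, b"\x80\x01")
    return recv_key, send_key, field


if __name__ == "__main__":
    recv_key, send_key, field = demo()
    print("PMK (MS-MPPE-Recv-Key):", recv_key.hex())
    print("MS-MPPE-Send-Key:      ", send_key.hex())
    print("encrypted String field:", field.hex())
```

The encrypted field is what ends up as the String part of the Microsoft vendor attribute; the AP decrypts it with the same shared secret and the Request Authenticator of the Access-Request it sent, which is why a shared-secret mismatch between AP and server breaks WPA key delivery even when EAP itself appears to succeed.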

Re: threads hanging around

2003-09-26 Thread Graeme Hinchliffe
> >  There are a few references to Thread 6 which it is assigned to, but
> > nothing in the log that lets me know what the request was or what
> > happened to it... There appear to be dumps of requests in the log
> > but I cannot see any relation to this info and a request number.
> 
>   That's a little difficult to track down.
> 
>   Grab the CVS snapshot tomorrow morning, and run it via:
> 
> ./radiusd -xx
> 
>   You should see much more debug output.  Look for 'modsingle', and
> 'request ###' (whatever the number is).  You should be able to track
> down exactly which module is taking forever to respond.

I haven't needed to check the log dump yet as the problem hasn't duplicated with this 
new code.

I guess whatever it was has been fixed at some point.

One thing I did notice was that the eap module wouldn't compile from the CVS version 
of the code (I am not using it so was able to simply remove the module from the 
source), just thought I would let you know.

I will keep my eye on this version of the code and see if the problem starts up again. 
So far it seems a lot happier.

-- 
-
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk)

ICQ 3842605

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005




Peabird's AP(Earthcom-network)

2003-09-26 Thread Félix Dewaleyne
Hi,

 I am trying to build a wireless network based on time-limited accounting 
which uses Peabird's Access Points (alias Earthcom-networks). These APs are 
built with a radius server that is *supposed* to be Windows 2000 Advanced Server 
compatible (I did not test them with it).
 As I don't want to use MS software but Linux, I chose to use FreeRADIUS, 
but I need to configure the radius server to be Win 2000 IAS compatible.

please help...



Re: TLS and TTLS

2003-09-26 Thread Artur Hecker
hardly ever.

the APs have NOTHING to do with either TTLS or TLS.

ciao
artur
Michael Brown wrote:

> I know the Linksys WAP/WRT54G accepts TTLS auth, but I don't know a D-Link
> product that does TTLS.  That is most likely your problem.
> Michael Brown




eap-ttls pap can't work with aegis client

2003-09-26 Thread george


I have tested EAP-TTLS with FreeRADIUS and the client is Aegis. MS-CHAP, MS-CHAPv2 
and EAP-MD5 work, but it seems PAP and CHAP don't work. Here is the message 
from radiusd (using EAP-TTLS-PAP), thanks!

rad_recv: Access-Request packet from host 192.168.102.1:1200, id=187, length=281
EAP-Message = 
0x027b006c1580006217030100183a14f67f8fde6b4b1d02e5224ceccd80d3ab2425d32b17030100400fffe387d3edb5fc712b6e29492e410bbd8fb4457bf19a7bde6f4d8ebe40439da8871e1abaabf15e3783cb4ba34a97faf7fe2a8e69734e09ac105340d4a8bea6
User-Name = "test"
NAS-Identifier = "IPONE_AG2000_KT"
NAS-IP-Address = 192.168.102.1
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Service-Type = Framed-User
Framed-MTU = 1400
Connect-Info = "CONNECT 11Mbps 802.11b"
Calling-Station-Id = "00-60-b3-6a-38-7f"
Called-Station-Id = "00-07-13-40-00-7c"
State = 0x8675b25f15e3b78950a070be27e214c8
Message-Authenticator = 0xfe666e934d24293a78b6577a5bde650d
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  rlm_eap: EAP packet type response id 123 length 108
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
users: Matched test at 114
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  eaptls_process returned 7 
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.

  TTLS: Got tunneled request
User-Name = "test"
User-Password = "test"
Freeradius-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
User-Name = "test"
User-Password = "test"
Freeradius-Proxied-To = 127.0.0.1
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
users: Matched test at 114
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
  modcall[authenticate]: module "eap" returns fail
modcall: group authenticate returns fail
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
Service-Type = Framed-User
Idle-Timeout = 2000
Session-Timeout = 2
  TTLS: Rejecting tunneled user
 rlm_eap: Handler failed in EAP type 21
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 35 for 1 seconds
Finished request 35
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 187 to 192.168.102.1:1200
EAP-Message = 0x047b0004
Message-Authenticator = 0x
--


Best Regard

george

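The tunneled half of george's log shows what fails, and it pays to read it the way the server does. The outer request carries an EAP-Message and is correctly given Auth-Type EAP. The inner request carries User-Name and User-Password and no EAP-Message (rlm_eap says so and returns noop), yet after the users entry at line 114 matches it is also given Auth-Type EAP, and rlm_eap then rejects it with "EAP-Message not found". The script below is an added example, not code from the post or from FreeRADIUS: it parses radiusd -X output into the outer and tunneled requests and flags exactly that combination, a plaintext password in an inner request that ends up dispatched to Auth-Type EAP. The embedded log is an abridged, constructed copy of the one posted above with the EAP-Message hex shortened; the regexes assume the 0.9-era debug line formats visible in that post.

```python
import re

# Constructed sample: abridged from the debug output posted above.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.102.1:1200, id=187, length=281
        EAP-Message = 0x027b006c15800062...
        User-Name = "test"
        NAS-IP-Address = 192.168.102.1
        State = 0x8675b25f15e3b78950a070be27e214c8
        Message-Authenticator = 0xfe666e934d24293a78b6577a5bde650d
modcall: entering group authorize
  modcall[authorize]: module "eap" returns updated
users: Matched test at 114
  modcall[authorize]: module "files" returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  rlm_eap: EAP_TYPE - ttls
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "test"
        User-Password = "test"
        Freeradius-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "test"
        User-Password = "test"
        Freeradius-Proxied-To = 127.0.0.1
modcall: entering group authorize
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop
users: Matched test at 114
  modcall[authorize]: module "files" returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
  modcall[authenticate]: module "eap" returns fail
auth: Failed to validate the user.
  TTLS: Rejecting tunneled user
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*) = (.*)$')
AUTH_TYPE_RE = re.compile(r'Found Auth-Type (\S+)')
USERS_RE = re.compile(r'users: Matched (\S+) at (\d+)')


def parse_debug(text):
    """Split radiusd -X output into one record per request: the outer
    Access-Request (rad_recv) and every TTLS tunneled request. Each record
    keeps the attributes printed directly under its header, the users-file
    entry that matched, the Auth-Type chosen and rlm_eap's error lines."""
    records = []
    current = None
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("rad_recv:") or stripped == "TTLS: Got tunneled request":
            current = {"kind": "inner" if stripped.startswith("TTLS") else "outer",
                       "attrs": {}, "users_entry": None, "auth_type": None,
                       "eap_errors": []}
            records.append(current)
            collecting = True          # attribute lines follow the header
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if collecting and m:
            current["attrs"][m.group(1)] = m.group(2).strip('"')
            continue
        collecting = False             # first non-attribute line ends the list
        m = USERS_RE.search(line)
        if m:
            current["users_entry"] = (m.group(1), int(m.group(2)))
            continue
        m = AUTH_TYPE_RE.search(line)
        if m:
            current["auth_type"] = m.group(1)
            continue
        if stripped.startswith("rlm_eap:") and ("not found" in stripped or "Malformed" in stripped):
            current["eap_errors"].append(stripped)
    return records


def diagnose(records):
    """Flag tunneled requests that carry a plaintext or CHAP password but were
    dispatched to Auth-Type EAP: rlm_eap needs an EAP-Message, so such a
    request can only fail."""
    findings = []
    for rec in records:
        if rec["kind"] != "inner":
            continue
        pw_attrs = [a for a in ("User-Password", "CHAP-Password") if a in rec["attrs"]]
        if pw_attrs and "EAP-Message" not in rec["attrs"] and rec["auth_type"] == "EAP":
            where = ("after users entry %r matched at line %d" % rec["users_entry"]
                     if rec["users_entry"] else "by an authorize module")
            findings.append(
                "inner request for %s carries %s and no EAP-Message but got Auth-Type EAP %s; "
                "rlm_eap cannot authenticate it (%s)"
                % (rec["attrs"].get("User-Name", "?"), "/".join(pw_attrs), where,
                   "; ".join(rec["eap_errors"]) or "no rlm_eap error seen"))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_debug(SAMPLE_LOG)):
        print(finding)
```

rlm_eap sets Auth-Type EAP on the outer request by itself when it sees an EAP-Message, so a users entry that forces Auth-Type := EAP is redundant for the EAP methods that worked and, as the inner log shows, fatal for PAP and CHAP: the tunneled request has to reach a module that can check User-Password or CHAP-Password against the stored credential, and the only way it does is by not being handed to rlm_eap.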
How to configure freeradius to authenticate with window 2000

2003-09-26 Thread Khoo, Damien
Hi,

My current Shiva box does not allow using Windows NT for authentication.
I am thinking of using FreeRADIUS to proxy the request to Windows NT for
authentication. May I know how I can configure the RADIUS proxy?

Damien



sizelimit on user record?

2003-09-26 Thread Nils-Henner Krueger

We're observing segfaults of freeradius 0.9.1 on Solaris 8
immediately after delivering large user records (that means
many reply items per user) to the client.

Is there any kind of limit on the maximum number of reply
items, expressed in bytes or number of items?


nhk



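Nils-Henner's question has a protocol-level answer that is independent of any particular crash: RFC 2865 caps a RADIUS packet at 4096 octets including the 20-byte header, and the one-octet Length field of an attribute caps its value at 253 bytes (247 inside a Vendor-Specific attribute, behind the 4-byte Vendor-Id and the vendor TLV header). A record of reply items can therefore be too large to ever leave the server in one Access-Accept, whatever the number of items. The script below is an added example, not code from the post or from FreeRADIUS; it encodes a reply as the TLVs that go on the wire and reports whether it fits. The attribute numbers are the standard ones (6 Service-Type, 18 Reply-Message, 26 Vendor-Specific, 27 Session-Timeout) and the sample reply is constructed. Whether the 0.9.1 segfault is what happens when that limit is exceeded is not something the post shows; the check only tells you which records could never have fit.

```python
import struct

MAX_PACKET = 4096       # RFC 2865 section 3: Length field is 20..4096
HEADER_LEN = 20         # Code, Identifier, Length, Authenticator
MAX_ATTR_VALUE = 253    # one-octet Length covers Type and Length too: 255 - 2
VENDOR_SPECIFIC = 26


def encode_attribute(attr_type, value, vendor_id=None):
    """Encode one attribute as Type/Length/Value. A vendor attribute is the
    vendor's own TLV nested inside attribute 26 behind a 4-byte Vendor-Id,
    so its value has 6 fewer bytes available. Raises ValueError when the
    value cannot be represented at all."""
    if vendor_id is None:
        if len(value) > MAX_ATTR_VALUE:
            raise ValueError("attribute %d: value of %d bytes exceeds %d"
                             % (attr_type, len(value), MAX_ATTR_VALUE))
        return struct.pack("!BB", attr_type, 2 + len(value)) + value
    inner = struct.pack("!BB", attr_type, 2 + len(value)) + value
    if 4 + len(inner) > MAX_ATTR_VALUE:
        raise ValueError("vendor %d attribute %d: value of %d bytes exceeds %d"
                         % (vendor_id, attr_type, len(value), MAX_ATTR_VALUE - 6))
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def value_fits(value, vendor_id=None):
    """True when a value of this size is encodable as a single attribute."""
    try:
        encode_attribute(1, value, vendor_id)
        return True
    except ValueError:
        return False


def reply_length(attributes):
    """On-the-wire length of a reply carrying these (type, value, vendor_id) triples."""
    body = b"".join(encode_attribute(t, v, vid) for t, v, vid in attributes)
    return HEADER_LEN + len(body)


def check_reply(attributes):
    """Return (length, fits): whether the reply fits in one RADIUS packet."""
    length = reply_length(attributes)
    return length, length <= MAX_PACKET


def string_value(text):
    return text.encode("utf-8")


def integer_value(n):
    return struct.pack("!I", n)


def sample_reply(n_reply_messages, text):
    """Constructed reply: Service-Type, Session-Timeout and n Reply-Message items."""
    attrs = [(6, integer_value(2), None),        # Service-Type = Framed-User
             (27, integer_value(3600), None)]    # Session-Timeout = 3600
    attrs += [(18, string_value(text), None)] * n_reply_messages
    return attrs


if __name__ == "__main__":
    for n in (10, 20, 21):
        length, fits = check_reply(sample_reply(n, "x" * 200))
        print("%2d Reply-Message items: %4d bytes -> %s"
              % (n, length, "fits" if fits else "exceeds 4096"))
```

The two limits interact: twenty 200-byte Reply-Message items fit with room to spare, the twenty-first pushes the packet past 4096, and a single 254-byte value cannot be encoded at all. A server that does not reject or split such a record before building the packet has no correct way to send it.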

Re: rlm_perl

2003-09-26 Thread Boian Jordanov
On Thu, Sep 25, 2003 at 06:14:56PM +0200, Laurens Pit wrote:
> Trying to compile rlm_perl module, but no luck. Missing perl.h file. Can
> anyone give me a hint what I should do to get this compiling okay?
>

Hello,
it seems that perl.h is missing.
I suggest you upgrade your perl to 5.6.1 or 5.8.x.

> 
> [freeradius-0.9.1]# ./configure
> --with-rlm-perl-include-dir=/usr/lib/perl5/5.00503/i386-linux/CORE
> --with-experimental-modules

-- 
Best Regards,

Boian Jordanov
SNE
Orbitel - the Internet Company
tel. +359 2 937 07 23

