Re: Free RADIUS tutorials or manuals?

2003-11-19 Thread ylei

maybe you can't get what you want.

i think the beginning is reading RFC 2865.

and then you can download the freeradius source code.

reading src/README, FAQ, etc.

doc/README, aaa.txt, configurable_failover, module_interface, 
processing_users_file.

and then you can practise with specific rlm_XXX modules (google it for some 
chinese articles), watching the output of radiusd -X, 
watching the code, asking on this list.

just my opinion. :) good luck.



Hello World!   
= = = = = = = = = = = = = = = = = = = =
ylei
[EMAIL PROTECTED]




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Free RADIUS tutorials or manuals?

2003-11-19 Thread root


RE: malformed EAPOL-Key with LEAP and AEGIS Client

2003-11-19 Thread Marios Karagiannopoulos
Hi Artur,

Thanks for the info about the EAPOL packets. I've installed the latest
drivers both for the AP and the pcmcia card.
It seems that the AP340 has a bug(?:( 
Is there any website of Cisco where I can post my question?

Thanks,
Marios

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Artur
Hecker
Sent: Wednesday, November 19, 2003 1:28 AM
To: [EMAIL PROTECTED]
Subject: Re: malformed EAPOL-Key with LEAP and AEGIS Client


hi


 I'm using WEP enabled mode where I get 2 EAPOL-Keys with the second 
 malformed from the AP-340 !!! I use also AEGIS client in Windows XP 
 Home.

before you continue: do you use the latest versions of the firmware on
both your AP _and_ your wifi card?


 I've attached the ethereal dumps to check what exactly I mean. I don't

 know if it is a bug in the AP or the freeradius, but I suspect that 
 the freeradius doesn't construct well the second EAPOL-Key message and

 the AP forwards a malformed packet.

freeradius does not construct any EAPOL frames at all. it only sends
keys to the access point and those are used by the AP to derive all the
rest. whatever freeradius might have done wrong with the key material
which it provides to the AP, it can't EVER be the reason for a malformed
EAPOL packet. only your AP and the card are speaking EAPOL. search
there.


ciao
artur

ps i didn't check your logs yet

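Artur's point above, that FreeRADIUS never speaks EAPOL and only hands key material to the AP, is worth seeing in code. The thread does not name the attributes that carry that material; for FreeRADIUS's EAP-TLS (which Artur says later in the thread he uses) they are the Microsoft vendor attributes MS-MPPE-Send-Key and MS-MPPE-Recv-Key of RFC 2548, whose value is the session key wrapped with an MD5 keystream derived from the RADIUS shared secret and the Request Authenticator. The following is an added example, not code from the thread or from FreeRADIUS: it implements that wrapping and unwrapping and builds the Vendor-Specific attribute. The shared secret, authenticator, salt and key are constructed values.

```python
# Added example: not code from the thread or from FreeRADIUS. It wraps
# and unwraps a session key the way RFC 2548 s.2.4.2 specifies for
# MS-MPPE-Send-Key / MS-MPPE-Recv-Key, and builds the Vendor-Specific
# attribute that carries it. Assumed here (not stated on the page):
# that the AP receives its key material in these attributes, as
# FreeRADIUS's EAP-TLS does. Secret, Request Authenticator, salt and
# key below are constructed values.
import hashlib
import os
import struct
from typing import Optional

VENDOR_SPECIFIC = 26
MS_VENDOR_ID = 311            # Microsoft, RFC 2548
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_wrap(secret: bytes, request_authenticator: bytes, salt: bytes, key: bytes) -> bytes:
    """Salt || C, where C encrypts P = KeyLen || Key || zero padding to a
    multiple of 16. b(1) = MD5(S || R || A), b(i) = MD5(S || c(i-1)),
    c(i) = p(i) XOR b(i). S = shared secret, R = Request Authenticator,
    A = Salt (2 octets, high bit of the first one set)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt is 2 octets with the MSB of the first set")
    if not 1 <= len(key) <= 0xFF:
        raise ValueError("key length must fit the one-octet Key-Length field")
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    cipher = b""
    prev = request_authenticator + salt
    for i in range(0, len(plaintext), 16):
        block_key = hashlib.md5(secret + prev).digest()
        c = _xor(plaintext[i:i + 16], block_key)
        cipher += c
        prev = c
    return salt + cipher


def mppe_unwrap(secret: bytes, request_authenticator: bytes, wrapped: bytes) -> bytes:
    """Inverse of mppe_wrap. Raises ValueError when the recovered
    Key-Length or padding is inconsistent, which is what a wrong shared
    secret looks like on the receiving side."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    salt, cipher = wrapped[:2], wrapped[2:]
    if len(salt) != 2 or not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    plaintext = b""
    prev = request_authenticator + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plaintext += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    key_len = plaintext[0]
    if key_len == 0 or key_len > len(plaintext) - 1:
        raise ValueError("Key-Length out of range (wrong shared secret?)")
    if any(plaintext[1 + key_len:]):
        raise ValueError("non-zero padding (wrong shared secret?)")
    return plaintext[1:1 + key_len]


def unwrap_or_none(secret: bytes, request_authenticator: bytes, wrapped: bytes) -> Optional[bytes]:
    try:
        return mppe_unwrap(secret, request_authenticator, wrapped)
    except ValueError:
        return None


def mppe_key_vsa(vendor_type: int, wrapped: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id (4) || Vendor-Type (1) ||
    Vendor-Length (1) || Salt || String."""
    inner = struct.pack("!BB", vendor_type, len(wrapped) + 2) + wrapped
    body = struct.pack("!I", MS_VENDOR_ID) + inner
    if len(body) > 253:
        raise ValueError("VSA too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


if __name__ == "__main__":
    secret = b"testing123"                 # constructed shared secret
    req_auth = os.urandom(16)              # the Access-Request's authenticator
    salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    key = os.urandom(32)                   # constructed EAP session key
    wrapped = mppe_wrap(secret, req_auth, salt, key)
    attr = mppe_key_vsa(MS_MPPE_RECV_KEY, wrapped)
    print("attribute length:", len(attr))
    print("round trip ok:", mppe_unwrap(secret, req_auth, wrapped) == key)
    print("wrong secret:", unwrap_or_none(b"guess", req_auth, wrapped))
```

Whatever the AP later puts into EAPOL-Key frames is derived on the AP from the unwrapped key, which is why a malformed EAPOL frame points at the AP or the supplicant. A key that will not unwrap (the ValueError path above) is the symptom of a shared-secret mismatch between AP and server, a different failure that shows up on the RADIUS side, not in EAPOL.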


Users in LDAP and mysql

2003-11-19 Thread Costas Christonis
Hi to all,
I want to ask this:
using freeradius, can you have users in LDAP and mysql, doing
authentication from both simultaneously?

Thanks a lot

Costas A. Christonis
Networking & Communications Centre
Gallos Campus - University of Crete
email: [EMAIL PROTECTED]
http://www.ucnet.uoc.gr/





Class Attribute

2003-11-19 Thread Michael Kopp
Hi all,

maybe a totally stupid question

when I read RFC 2865 (RADIUS), there is a section about the Class
attribute stating:
5.25.  Class

   Description

  This Attribute is available to be sent by the server to the client
  in an Access-Accept and SHOULD be sent unmodified by the client to
  the accounting server as part of the Accounting-Request packet if
  accounting is supported.  The client MUST NOT interpret the
  attribute locally.

   A summary of the Class Attribute format is shown below.  The fields
   are transmitted from left to right.

0   1   2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   | Type  |Length |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Type

  25 for Class.

   Length

  >= 3

   String

  The String field is one or more octets.  The actual format of the
  information is site or application specific, and a robust
  implementation SHOULD support the field as undistinguished octets.

  The codification of the range of allowed usage of this field is
  outside the scope of this specification.

If I look at the dictionary file of freeradius I see

ATTRIBUTE  Class   25  octets

So shouldn't this be like:
ATTRIBUTE   Class 25 string ?!?

Sorry if I misunderstood something 

Regards

Michael



Re: Free RADIUS tutorials or manuals?

2003-11-19 Thread Kostas Kalevras
On Wed, 19 Nov 2003, ylei wrote:


   maybe you can't get what you want.

   i think the beginning is reading RFC 2865.

   and then you can download the freeradius source code.

   reading src/README, FAQ, etc.

   doc/README, aaa.txt, configurable_failover, module_interface, 
 processing_users_file.

   and then you can practise with specific rlm_XXX modules (google it for some 
 chinese articles), watching the output of radiusd -X,
 watching the code, asking on this list.

   just my opinion. :) good luck.

There are actually a few HOWTOs for specific things:

http://www.frontios.com/freeradius.html (freeradius+mysql)
http://kstadler.ch/index.php?page=dialup
and
dialup_admin/doc/HOWTO (dialupadmin)
http://doris.cc/radius (freeradius+ldap)

along with the documentation floating around in the doc directory.
Maybe someone could volunteer to take all those small pieces and make a big
HOWTO out of it





   Hello World!
 = = = = = = = = = = = = = = = = = = = =
 ylei
 [EMAIL PROTECTED]






--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Users in LDAP and mysql

2003-11-19 Thread Kostas Kalevras
On Wed, 19 Nov 2003, Costas Christonis wrote:

 Hi to all,
 I want to ask this:
 using freeradius, can you have users in LDAP and mysql so doing
 authentication from both simultaneous?

In general yes. Though you will probably need to play with Autz-Type and
Auth-Type to get that working ok.

 Thanks a lot

 Costas A. Christonis
 Networking & Communications Centre
 Gallos Campus - University of Crete
 email: [EMAIL PROTECTED]
 http://www.ucnet.uoc.gr/





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: tunneling

2003-11-19 Thread Chris Brotsos
 From dictionary.tunnel...

 ATTRIBUTE   Tunnel-Type 64  integer has_tag

 what is meant by has_tag??

 I'm currently working on a RADIUS - MPLS-VPN project, and from the example 
 given by cisco, some of the attributes needed for doing L2TP tunnelling 
 are as below:

 Tunnel-Type = :1:L2TP
 Tunnel-Medium-Type = :1:IP
 Tunnel-Server-Endpoint = :1:172.21.9.13
 So what does the :1 in :1:L2TP mean??
The :1 is the tag, and the has_tag portion of the dictionary 
definition you refer to above informs the RADIUS software that it 
should expect (or append when necessary) certain characters as part 
of the attribute.

From the RFCs included in the 'rfc' sub-directory of the 'doc' 
directory of the FreeRADIUS source code:

Tag
  The Tag field is one octet in length and is intended to provide a
  means of grouping attributes in the same packet which refer to the
  same tunnel.  Valid values for this field are 0x01 through 0x1F,
  inclusive.  If the value of the Tag field is greater than 0x00 and
  less than or equal to 0x1F, it SHOULD be interpreted as indicating
  which tunnel (of several alternatives) this attribute pertains;
  otherwise, the Tag field SHOULD be ignored.
The tags mean nothing to the RADIUS server itself; the definition 
above is explaining how the NAS is going to use/interpret the Tag.

As well, I'm not sure which RADIUS server that syntax (e.g. 
Tunnel-Type = :1:L2TP) is correct for, but for FreeRADIUS the 
attributes should be configured as follows:

Tunnel-Password:0 = ,
Tunnel-Medium-Type:0 = IP,
Tunnel-Type:0 = L2TP,
Tunnel-Server-Endpoint:0 = xxx.xxx.xxx.xxx
HTH,

Chris Brotsos



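Chris's explanation of the Tag octet, as an added example that is not code from the thread or from FreeRADIUS: it encodes and decodes the tagged attributes of RFC 2868, which is what the has_tag flag in dictionary.tunnel announces, and groups them by Tag the way the NAS does. The attribute numbers and enumerated values are RFC 2868's; the endpoint 172.21.9.13 is the one quoted above; the second tunnel alternative, its address and the PPTP value are constructed for the demonstration. Tunnel-Password, whose value is additionally encrypted (RFC 2868 s.3.5), is left out.

```python
# Added example: not code from the thread or from FreeRADIUS. It
# encodes and decodes the tagged tunnel attributes of RFC 2868 and
# groups them by Tag, which is what 'has_tag' in dictionary.tunnel
# announces and what the ':1' / ':0' in the configs above refer to.
# Attribute numbers and enumerations are those of RFC 2868; the
# endpoint 172.21.9.13 is the one quoted in the thread; the second
# tunnel is constructed for this demonstration. Tunnel-Password
# (encrypted, RFC 2868 s.3.5) is deliberately left out.
import struct
from typing import Dict, List, Tuple, Union

TUNNEL_TYPE = 64              # tagged integer
TUNNEL_MEDIUM_TYPE = 65       # tagged integer
TUNNEL_CLIENT_ENDPOINT = 66   # tagged string
TUNNEL_SERVER_ENDPOINT = 67   # tagged string
TUNNEL_PREFERENCE = 83        # tagged integer

TAGGED_INTEGER = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PREFERENCE}
TAGGED_STRING = {TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT}

TUNNEL_TYPE_PPTP = 1          # RFC 2868 s.3.1 values
TUNNEL_TYPE_L2TP = 3
TUNNEL_MEDIUM_IPV4 = 1        # RFC 2868 s.3.2

Value = Union[int, bytes]


def encode_tagged(attr_type: int, tag: int, value: Value) -> bytes:
    """The Tag occupies the first value octet. A tagged integer is then
    only 3 octets wide; a tagged string is the Tag followed by the string.
    Tag 0 means 'not grouped' (RFC 2868: an unused Tag MUST be 0x00)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("Tag must be 0x00..0x1F")
    if attr_type in TAGGED_INTEGER:
        if not isinstance(value, int) or not 0 <= value < 1 << 24:
            raise ValueError("tagged integer value must fit in 3 octets")
        body = bytes([tag]) + value.to_bytes(3, "big")
    elif attr_type in TAGGED_STRING:
        if not isinstance(value, bytes) or not value:
            raise ValueError("tagged string value must be non-empty bytes")
        body = bytes([tag]) + value
    else:
        raise ValueError(f"attribute {attr_type} is not tagged")
    if len(body) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(body) + 2) + body


def decode_tagged(attr_type: int, body: bytes) -> Tuple[int, Value]:
    """Return (tag, value). Per RFC 2868 a first octet above 0x1F is not
    a Tag: for strings it is the first byte of the string, for integers
    the Tag field is simply ignored (reported here as 0)."""
    if attr_type in TAGGED_INTEGER:
        if len(body) != 4:
            raise ValueError("tagged integer attribute must carry 4 octets")
        tag = body[0] if body[0] <= 0x1F else 0
        return tag, int.from_bytes(body[1:], "big")
    if attr_type in TAGGED_STRING:
        if not body:
            raise ValueError("empty tagged string")
        if body[0] <= 0x1F:
            return body[0], body[1:]
        return 0, body
    raise ValueError(f"attribute {attr_type} is not tagged")


def decode_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting
    bad Length fields instead of reading past the end."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", blob, pos)
        if length < 3 or pos + length > len(blob):
            raise ValueError(f"bad Length {length} for attribute {attr_type}")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def group_by_tag(blob: bytes) -> Dict[int, Dict[int, Value]]:
    """Group tunnel attributes by Tag: each group describes one tunnel
    alternative. The grouping is the NAS's job; the RADIUS server only
    has to keep the Tag octet intact."""
    groups: Dict[int, Dict[int, Value]] = {}
    for attr_type, body in decode_attrs(blob):
        if attr_type in TAGGED_INTEGER or attr_type in TAGGED_STRING:
            tag, value = decode_tagged(attr_type, body)
            groups.setdefault(tag, {})[attr_type] = value
    return groups


def tunnel_reply(tag: int, tunnel_type: int, endpoint: bytes) -> bytes:
    """The three attributes from the Cisco example, tagged as one tunnel."""
    return (encode_tagged(TUNNEL_TYPE, tag, tunnel_type)
            + encode_tagged(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IPV4)
            + encode_tagged(TUNNEL_SERVER_ENDPOINT, tag, endpoint))


if __name__ == "__main__":
    reply = (tunnel_reply(1, TUNNEL_TYPE_L2TP, b"172.21.9.13")
             + tunnel_reply(2, TUNNEL_TYPE_PPTP, b"10.0.0.1"))   # second alternative, constructed
    for tag, attrs in sorted(group_by_tag(reply).items()):
        print(tag, attrs)
```

Run stand-alone it prints two groups, tag 1 and tag 2. Note the decoder's handling of a first octet above 0x1F: for a tagged string it is data, not a Tag, so an endpoint written without a tag still decodes correctly. The server only has to preserve that octet, which is all has_tag asks of it.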


Re: malformed EAPOL-Key with LEAP and AEGIS Client

2003-11-19 Thread Artur Hecker
hi


 Thanks for the info about the EAPOL packets. I've installed the latest
 drivers both for the AP and the pcmcia card.
 It seems that the AP340 has a bug(?:( 
 Is there any website of Cisco where I can post my question?

i've been using an AP340 with the 12T release for quite a while now 
and i don't have this problem.

i'm using freeradius with EAP/TLS and rotating wep keys.

ciao
artur




Re: Class Attribute

2003-11-19 Thread Alan DeKok
Michael Kopp [EMAIL PROTECTED] wrote:
 If I look at the dictonary file of freeradius I see
 
 ATTRIBUTE  Class   25  octets
 
 So shouldn`t this be like :
 ATTRIBUTE   Class 25 string ?!?

  No.  The string type in the RFC simply means that the attribute is
variable length.

  The string type in FreeRADIUS means printable string.

  The octets type in FreeRADIUS means: (from the RFC you quoted)

   ... The actual format of the
   information is site or application specific, and a robust
   implementation SHOULD support the field as undistinguished
   octets.
 ^^

  See?  Octets.

  Alan DeKok.

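Alan's distinction between the RFC's "string" (meaning variable length) and FreeRADIUS's "string" (meaning printable) versus "octets", as an added example that is not code from the thread or from FreeRADIUS. It encodes Class (type 25) as opaque octets, echoes it from the Access-Accept into the Accounting-Request the way RFC 2865 s.5.25 asks of the NAS, and shows what a NUL-terminated string treatment would lose. The attribute numbers are RFC 2865's; the token value is constructed.

```python
# Added example: not code from the list thread or from FreeRADIUS. It
# encodes and decodes RADIUS attributes as raw type/length/value
# triples and shows why Class (type 25, RFC 2865 s.5.25) must be
# handled as opaque octets rather than as a printable string. The
# attribute numbers are the RFC 2865 ones; the sample values are
# constructed for this demonstration.
import struct
from typing import List, Tuple

USER_NAME = 1   # RFC 2865 s.5.1
CLASS = 25      # RFC 2865 s.5.25


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, counting the header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a concatenated attribute list, rejecting bad Length fields
    instead of reading past the end of the packet."""
    attrs = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", blob, pos)
        if length < 3 or pos + length > len(blob):
            raise ValueError(f"bad Length {length} for attribute {attr_type}")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def class_values(blob: bytes) -> List[bytes]:
    """Every Class value in the list, untouched: the server's opaque token."""
    return [value for attr_type, value in decode_attrs(blob) if attr_type == CLASS]


def echo_class_to_accounting(access_accept: bytes, acct_request: bytes) -> bytes:
    """What RFC 2865 asks of the NAS: copy each Class from the
    Access-Accept unmodified into the Accounting-Request, without
    interpreting it."""
    copied = b"".join(encode_attr(CLASS, v) for v in class_values(access_accept))
    return acct_request + copied


def c_string_view(value: bytes) -> bytes:
    """What a NUL-terminated 'string' treatment would keep of the value:
    everything up to the first 0x00 octet. This is the generic C-string
    pitfall, not a statement about any particular server's code."""
    return value.split(b"\x00", 1)[0]


if __name__ == "__main__":
    # Constructed sample: the server binds the session to a site/pool id
    # that happens to start with non-printable octets.
    token = b"\x00\x01\xffsite-A"
    accept = encode_attr(USER_NAME, b"bob") + encode_attr(CLASS, token)
    acct = echo_class_to_accounting(accept, encode_attr(USER_NAME, b"bob"))
    print("Class survives the round trip:", class_values(acct) == [token])
    print("C-string view would keep:", c_string_view(token))
```

The token here begins with 0x00, so the C-string view keeps nothing of it; only the octets treatment carries the server's token back to the accounting server intact, which is the whole purpose of the attribute.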


Re: Illegal attributes in update packets?

2003-11-19 Thread Alan DeKok
Alex French [EMAIL PROTECTED] wrote:
 Having read the RFCs (well, skimmed them at least) I am aware that 
 including Acct-Session-Time, Acct-Output-Octets and Acct-Input-Octets in 
 UPDATE messages is illegal. However, we have what we think is a good reason 
 to do it, and freeradius seems to allow this (and we've patched the 
 postgresql config statements to update the accounting tables appropriately).

  FreeRADIUS is designed to be pretty forgiving about what it handles.

 My question is, how evil do people consider this to be? Does anyone have an 
 insight into *why* this is illegal? And is anyone aware of how other Radius 
 servers treat such packets (i.e. willl it break anything if we proxy these 
 attributes to other people?)

  From what I read of the RFC's, they're not forbidden.  Putting them
into an update request shouldn't break anything.

  Alan DeKok.



RE: Documentation Suggestion

2003-11-19 Thread Jonathan Ruano
This question seems to aim for a FAQ question :)

Jon

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
 Sent: Tuesday, November 18, 2003 9:27 PM
 Subject: Re: Documentation Suggestion 
 
 Anson Rinesmith [EMAIL PROTECTED] wrote:
  What's the best online place for documentation of actual FR? I for
  one still don't know what the difference is between := and == in my
  sql database
 
   doc/rlm_sql ?
 
   Alan DeKok.
 



RE: malformed EAPOL-Key with LEAP and AEGIS Client

2003-11-19 Thread Marios Karagiannopoulos
Artur,

Have you checked if the last EAPOL-Key is malformed? It works fine for
me too even if the packet is not correct !!
I tried to pass traffic with WEP enabled and I didn't have any problem,
but I don't know if this packet should be malformed anyway!!
Could you please try to pass traffic using the LEAP method with WEP enabled?

I would love it if you could send me an ethereal sniff ! Thanks,
Marios

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Artur
Hecker
Sent: Wednesday, November 19, 2003 5:00 PM
To: [EMAIL PROTECTED]
Subject: Re: malformed EAPOL-Key with LEAP and AEGIS Client


hi


 Thanks for the info about the EAPOL packets. I've installed the latest

 drivers both for the AP and the pcmcia card. It seems that the AP340 
 has a bug(?:( Is there any website of Cisco where I can post my 
 question?

i've been using an AP340 with the 12T release for quite a while now 
and i don't have this problem.

i'm using freeradius with EAP/TLS and rotating wep keys.


ciao
artur





RE: cisco authorization through freeradius

2003-11-19 Thread Dustin Doris


On Tue, 18 Nov 2003, John A. Hengstler wrote:

 Greetings.
 I have a Cisco as5300 that I am using for Dial customers.
 The customer connects, the authentication comes through, but then at the
 authorization level the connection gets dropped by the nas..
 Are there any suggested attributes to put into radgroupreply for ISDN dial
 in customers to the Cisco 5300  or do I have an incorrect setting on the
 Nas..
 Here is a snapshot of what I have for the cisco config:
 aaa new-model
 aaa authentication login default local
 aaa authentication ppp default group radius
 aaa authorization network default group radius if-authenticated
 aaa accounting delay-start
 interface Serial0:23
  ip unnumbered Ethernet0
  encapsulation ppp
  dialer-group 1
  isdn switch-type primary-ni
  isdn tei-negotiation first-call
  isdn incoming-voice modem
  peer default ip address pool DIAL6_POOL
  ppp authentication pap chap
 interface Group-Async1
  ip unnumbered Ethernet0
  encapsulation ppp
  ip tcp header-compression passive
  no ip mroute-cache
  async mode interactive
  peer default ip address pool DIAL6_POOL
  ppp authentication chap pap
  group-range 1 96
 RADIUS:radgroupreply contains:
 |  1 | dialerrouter  | Session-Timeout| 28800   | ==   |
 NULL
 |  5 | dialerrouter  | Idle-Timeout   | 1200| ==   |
 NULL |
 |  8 | dialerrouter  | Service-Type   | Framed-User | ==   |
 NULL |
 |  9 | dialerrouter  | Framed-Protocol| PPP | ==   |
 NULL |
 | 10 | dialerrouter  | Auth-Type  | Local   | ==   |
 NULL |
 RADIUS:radcheckcontains diallerouter for the user
 All modem dial up customers work just fine, but ISDN dial in fails as
 indicated above.
 Can anyone shed some pointers on this.   I still haven't figured it out..

 Regards,
 John Hengstler




I don't actually work with the NAS, but we also send back Framed-Routing =
None in our radius replies.  Might want to give it a shot.



RE: cisco authorization through freeradius

2003-11-19 Thread Dustin Doris



 On Tue, 18 Nov 2003, John A. Hengstler wrote:

  Greetings.
  I have a Cisco as5300 that I am using for Dial customers.
  The customer connects, the authentication comes through, but then at the
  authorization level the connection gets dropped by the nas..
  Are there any suggested attributes to put into radgroupreply for ISDN dial
  in customers to the Cisco 5300  or do I have an incorrect setting on the
  Nas..
  Here is a snapshot of what I have for the cisco config:
  aaa new-model
  aaa authentication login default local
  aaa authentication ppp default group radius
  aaa authorization network default group radius if-authenticated
  aaa accounting delay-start
  interface Serial0:23
   ip unnumbered Ethernet0
   encapsulation ppp
   dialer-group 1
   isdn switch-type primary-ni
   isdn tei-negotiation first-call
   isdn incoming-voice modem
   peer default ip address pool DIAL6_POOL
   ppp authentication pap chap
  interface Group-Async1
   ip unnumbered Ethernet0
   encapsulation ppp
   ip tcp header-compression passive
   no ip mroute-cache
   async mode interactive
   peer default ip address pool DIAL6_POOL
   ppp authentication chap pap
   group-range 1 96
  RADIUS:radgroupreply contains:
  |  1 | dialerrouter  | Session-Timeout| 28800   | ==   |
  NULL
  |  5 | dialerrouter  | Idle-Timeout   | 1200| ==   |
  NULL |
  |  8 | dialerrouter  | Service-Type   | Framed-User | ==   |
  NULL |
  |  9 | dialerrouter  | Framed-Protocol| PPP | ==   |
  NULL |
  | 10 | dialerrouter  | Auth-Type  | Local   | ==   |
  NULL |
  RADIUS:radcheckcontains diallerouter for the user
  All modem dial up customers work just fine, but ISDN dial in fails as
  indicated above.
  Can anyone shed some pointers on this.   I still haven't figured it out..
 
  Regards,
  John Hengstler
 
 


 I don't actually work with the NAS, but we also send back Framed-Routing =
 None in our radius replies.  Might want to give it a shot.


Oh and we also send Framed-IP-Netmask = whateveryournetmask is.  I really
know nothing about the NAS, just letting you know what freeradius does for
our dial isdn guys in case one of those helps.





Re: Multiple realm authentication with FreeRADIUS back to Active Directory?

2003-11-19 Thread Alan DeKok
Heiden, John [EMAIL PROTECTED] wrote:
 I am assuming I need to somehow have FreeRADIUS add a realm
 to the incoming information first, then pass that back to the
 Active Directory server?

  Are you using FreeRADIUS to put the users into different realms, or
are the users logging in with different realms?

  You said you need multiple realms, but you haven't said *why*.

  Second, what is the best way to authenticate to an AD?

  FreeRADIUS can use it as an LDAP server, but CHAP & MS-CHAP won't
work.

  Alan DeKok.



Sample PEAP or TTLS with LDAP

2003-11-19 Thread QUISTREBERT Gregory
Hello,

I would like, for testing, a sample configuration for freeradius with
peap or EAP/TTLS with a openLDAP server backend.


Thanks.

Escuse my english

-- 
GQS





RE: Multiple realm authentication with FreeRADIUS back to Active Directory?

2003-11-19 Thread Heiden, John
I'm sorry, I should have been more specific.  I have multiple
Cisco access servers (AS5300/AS5350/AS5400) and some are in
one pool of users, some are in another, and some are in still
another.  I think about 5 different pools.

So kind of imagine a tree of sorts.  The leaves/branches are
the Cisco AS servers, they go back and authenticate to a
Linux server with Free Radius.  The Linux/FreeRADIUS server
then ultimately authenticates the users back to an AD server.
But the different pools need different policies, etc. for
connect time, and so forth.

Does this make it clearer?  I apologize if I was too confusing
before.  Or is there a way to get away from multiple realms
given my situation?  Oh, and I need to have separate accounting
logs for each pool also.  Meaning, I can't have everything
accounted into the same file.  Each pool would need to have
separate accounting logs.

Would it make sense to authenticate to the AD via RADIUS as
well?  Or just use LDAP?

I'm curious, why won't chap work?  I really don't care if
MS-CHAP breaks, we have never supported it here in the past.
But it strikes me as odd that it would break CHAP.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Wednesday, November 19, 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: Multiple realm authentication with FreeRADIUS back to
Active Directory? 


Heiden, John [EMAIL PROTECTED] wrote:
 I am assuming I need to somehow have FreeRADIUS add a realm
 to the incoming information first, then pass that back to the
 Active Directory server?

  Are you using FreeRADIUS to put the users into different realms, or
are the users logging in with different realms?

  You said you need multiple realms, but you haven't said *why*.

  Second, what is the best way to authenticate to an AD?

  FreeRADIUS can use it as an LDAP server, but CHAP & MS-CHAP won't
work.

  Alan DeKok.



Interim accounting update +mysql

2003-11-19 Thread David Blood
For some reason mysql is not being updated with the interim accounting
updates.  Below is one of the accounting requests sent to freeradius, and
you can see that it does not send the bytes and uptime information to
mysql.
Anyone know why?


 rad_recv: Accounting-Request packet from host 204.228.226.18:1306, id=249,
length=181
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = SQN2
NAS-Port = 60
NAS-Port-Type = Ethernet
User-Name = shawn
Calling-Station-Id = 06:2d:1A:05:A2:6B
Called-Station-Id = SpeedyQuick
NAS-Port-Id = Clients
Acct-Session-Id = 8120001a
Framed-IP-Address = 10.69.4.22
Acct-Authentic = RADIUS
Acct-Session-Time = 115201
Acct-Input-Octets = 2350343
Acct-Input-Packets = 27316
Acct-Output-Octets = 36915463
Acct-Output-Packets = 36681
Acct-Status-Type = Alive
NAS-IP-Address = 205.28.26.18
Acct-Delay-Time = 0
modcall: entering group preacct
  modcall[preacct]: module preprocess returns noop
rlm_realm: No '@' in User-Name = shawn, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop
  modcall[preacct]: module files returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: Hashing 'NAS-Port-Id = Clients,Client-IP-Address =
205.28.26.18,NAS-IP-Address = 205.28.26.18,Acct-Session-Id = 8120001a,User-Name = shawn'
rlm_acct_unique: Acct-Unique-Session-ID = f56023f6b2ffca98.
  modcall[accounting]: module acct_unique returns ok
radius_xlat:
'/usr/local/var/log/radius/radacct/205.28.26.18/detail-20031119'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /usr/local/var/log/radius/radacct/205.28.26.18/detail-20031119
  modcall[accounting]: module detail returns ok
  modcall[accounting]: module unix returns noop
radius_xlat:  'shawn'
rlm_sql (sql): sql_set_user escaped user -- 'shawn'
radius_xlat:  'UPDATE radacct SET FramedIPAddress = '10.69.4.22' WHERE
AcctSessionId = '8120001a' AND UserName = 'shawn' AND NASIPAddress=
'205.28.26.18' AND AcctStopTime = 0'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
  modcall[accounting]: module sql returns ok
radius_xlat:  '/usr/local/var/log/radius/radutmp'
radius_xlat:  'shawn'
  modcall[accounting]: module radutmp returns ok
modcall: group accounting returns ok
Sending Accounting-Response of id 249 to 205.28.26.18:1306
Finished request 31




Re: Multiple realm authentication with FreeRADIUS back to Active Directory?

2003-11-19 Thread Alan DeKok
Heiden, John [EMAIL PROTECTED] wrote:
 So kind of imagine a tree of sorts.  The leaves/branches are
 the Cisco AS servers, they go back and authenticate to a
 Linux server with Free Radius.  The Linux/FreeRADIUS server
 then ultimately authenticates the users back to an AD server.
 But the different pools need different policies, etc. for
 connect time, and so forth.

  That's nice.  How do you tell which pool a user is in?

 Does this make it clearer?  I apologize if I was too confusing
 before.  Or is there a way to get away from multiple realms
 given my situation?  Oh, and I need to have separate accounting
 logs for each pool also.  Meaning, I can't have everything
 accounted into the same file.  Each pool would need to have
 separate accounting logs.

  FreeRADIUS can do that, once you figure out how to separate the
users into pools.

 Would it make sense to authenticate to the AD via RADIUS as
 well?  Or just use LDAP?

  Active Directory doesn't do RADIUS.

 I'm curious, why won't chap work?  I really don't care if
 MS-CHAP breaks, we have never supported it here in the past.
 But it strikes me as odd that it would break CHAP.

  Blame Active Directory.  It won't let FreeRADIUS have access to the
plain-text passwords.

  Alan DeKok.

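Alan's answer that CHAP cannot work when the backend will not hand out cleartext passwords, as an added example that is not code from the thread or from FreeRADIUS. It computes the RFC 1994 CHAP response the NAS puts in CHAP-Password (RFC 2865 s.5.3), verifies it on the server side from the cleartext, and contrasts that with PAP, where the server can simply try the password against a directory bind. The directory, user and password are constructed, and the bind function stands in for an LDAP simple bind.

```python
# Added example: not code from the thread or from FreeRADIUS. It shows
# why a RADIUS server needs the user's cleartext password to check
# CHAP (RFC 1994 response carried in CHAP-Password, RFC 2865 s.5.3),
# while PAP can be checked by trying the password against a directory
# bind. The directory, user and password are constructed; the bind
# function stands in for an LDAP simple bind.
import hashlib
import hmac
import os
from typing import Callable, Optional

CHAP_PASSWORD = 3       # RFC 2865 s.5.3: CHAP Ident (1) || Response (16)
CHAP_CHALLENGE = 60     # RFC 2865 s.5.40; absent, the Request Authenticator is the challenge


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def nas_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the CHAP-Password attribute the NAS sends: only the
    identifier and the 16-octet response, never the password itself."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def server_verify_chap(chap_password: bytes, challenge: bytes,
                       cleartext: Optional[bytes]) -> bool:
    """The server must recompute the MD5 over the cleartext password. A
    backend that only offers 'bind with this password' (no readable
    cleartext) cannot answer, so CHAP fails closed."""
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password is 17 octets")
    if cleartext is None:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, response)


def server_verify_pap(user: str, password: bytes,
                      bind: Callable[[str, bytes], bool]) -> bool:
    """PAP delivers the password itself (hidden under the shared secret
    per RFC 2865 s.5.2), so the server can forward it to a bind."""
    return bind(user, password)


# Constructed directory: the backend can compare a password on bind but
# never returns it, which is the situation Alan describes for AD.
_DIRECTORY = {"john": b"s3cret"}


def directory_bind(user: str, password: bytes) -> bool:
    stored = _DIRECTORY.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def directory_cleartext(user: str) -> Optional[bytes]:
    """What reading the password attribute out of such a directory gives
    the server: nothing usable."""
    return None


if __name__ == "__main__":
    challenge = os.urandom(16)
    attr = nas_chap_password(0x2A, b"s3cret", challenge)
    print("PAP via bind:", server_verify_pap("john", b"s3cret", directory_bind))
    print("CHAP with cleartext:", server_verify_chap(attr, challenge, b"s3cret"))
    print("CHAP via directory:", server_verify_chap(attr, challenge, directory_cleartext("john")))
```

The asymmetry is the whole answer: CHAP proves knowledge of the password without ever sending it, so the verifier must already hold the same password, while PAP sends it and lets the server delegate the comparison to whoever does hold it.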


Re: Interim accounting update +mysql

2003-11-19 Thread Dustin Doris


On Wed, 19 Nov 2003, David Blood wrote:

 For some reason mysql is not being updated with the interim accounting
 updates.  Below is one of the accounting requests sent to freeradius, and
 you can see that it does not send the bytes and uptime information to
 mysql.
 Anyone know why?


  rad_recv: Accounting-Request packet from host 204.228.226.18:1306, id=249,
 length=181
 Service-Type = Framed-User
 Framed-Protocol = PPP
 NAS-Identifier = SQN2
 NAS-Port = 60
 NAS-Port-Type = Ethernet
 User-Name = shawn
 Calling-Station-Id = 06:2d:1A:05:A2:6B
 Called-Station-Id = SpeedyQuick
 NAS-Port-Id = Clients
 Acct-Session-Id = 8120001a
 Framed-IP-Address = 10.69.4.22
 Acct-Authentic = RADIUS
 Acct-Session-Time = 115201
 Acct-Input-Octets = 2350343
 Acct-Input-Packets = 27316
 Acct-Output-Octets = 36915463
 Acct-Output-Packets = 36681
 Acct-Status-Type = Alive
 NAS-IP-Address = 205.28.26.18
 Acct-Delay-Time = 0
 modcall: entering group preacct
   modcall[preacct]: module preprocess returns noop
 rlm_realm: No '@' in User-Name = shawn, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[preacct]: module suffix returns noop
   modcall[preacct]: module files returns noop
 modcall: group preacct returns noop
 modcall: entering group accounting
 rlm_acct_unique: Hashing 'NAS-Port-Id = Clients,Client-IP-Address =
 205.28.26.18,NAS-IP-Address = 205.28.26.18,Acct-Session-Id = 8120001a,User-Name = shawn'
 rlm_acct_unique: Acct-Unique-Session-ID = f56023f6b2ffca98.
   modcall[accounting]: module acct_unique returns ok
 radius_xlat:
 '/usr/local/var/log/radius/radacct/205.28.26.18/detail-20031119'
 rlm_detail:
 /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
 to /usr/local/var/log/radius/radacct/205.28.26.18/detail-20031119
   modcall[accounting]: module detail returns ok
   modcall[accounting]: module unix returns noop
 radius_xlat:  'shawn'
 rlm_sql (sql): sql_set_user escaped user -- 'shawn'
 radius_xlat:  'UPDATE radacct SET FramedIPAddress = '10.69.4.22' WHERE
 AcctSessionId = '8120001a' AND UserName = 'shawn' AND NASIPAddress=
 '205.28.26.18' AND AcctStopTime = 0'
 rlm_sql (sql): Reserving sql socket id: 3
 rlm_sql (sql): Released sql socket id: 3
   modcall[accounting]: module sql returns ok
 radius_xlat:  '/usr/local/var/log/radius/radutmp'
 radius_xlat:  'shawn'
   modcall[accounting]: module radutmp returns ok
 modcall: group accounting returns ok
 Sending Accounting-Response of id 249 to 205.28.26.18:1306
 Finished request 31





What does your sql.conf look like?





Re: double Login

2003-11-19 Thread Ulrich Walcher
On Tue, 2003-11-18 at 20:26, Mario Duve wrote:
 Hello, 
 how can I make sure that each user can log in,
 but not twice at the same time?
 
 The Simultaneous-Use attribute does not work in
 my groupcheck.
 

that's what it should look like...

| id | groupname |attribute | op | value
++---+--++--
  02 | test  | Simultaneous-Use | := | 1




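Ulrich's radgroupcheck row above and Anson's question earlier in this digest about := versus == in the SQL tables come down to the same operator semantics, the ones users(5) documents and rlm_sql applies to the op column. As an added example that is not code from the thread or from FreeRADIUS, the following models those semantics for the operators the two threads touch (==, !=, :=, += and =), leaving out the regex and ordering operators and the users(5) restriction that = may not be applied to protocol attributes as a check item. The request and entries are constructed.

```python
# Added example: not code from the thread or from FreeRADIUS. It models
# the operators FreeRADIUS accepts in users-file and SQL
# (radcheck/radgroupcheck/radreply) entries, as documented in users(5):
# '==' compares a check item against the request, ':=' always matches
# and sets a control item, '+=' always matches and adds one, '=' sets a
# control item only if absent; on the reply side '=' adds if absent,
# ':=' replaces, '+=' always adds. The request and entries below are
# constructed.
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]                 # (attribute, op, value)
AttrList = List[Tuple[str, str]]            # ordered (attribute, value) pairs


def _set(lst: AttrList, attr: str, value: str) -> None:
    """Replace every existing instance of attr with a single value."""
    lst[:] = [(a, v) for a, v in lst if a != attr]
    lst.append((attr, value))


def evaluate_check(items: List[Item], request: AttrList) -> Tuple[bool, AttrList]:
    """Return (entry matches, control items). Comparison operators look
    at the request; the assignment operators never fail, they build the
    control list the server consults later (Auth-Type, Simultaneous-Use)."""
    control: AttrList = []
    request_values: Dict[str, List[str]] = {}
    for a, v in request:
        request_values.setdefault(a, []).append(v)
    for attr, op, value in items:
        present = request_values.get(attr, [])
        if op == "==":
            # matches only if the attribute is in the request with this value
            if value not in present:
                return False, []
        elif op == "!=":
            # matches only if the attribute is in the request with another value
            if not present or value in present:
                return False, []
        elif op == ":=":
            _set(control, attr, value)
        elif op == "+=":
            control.append((attr, value))
        elif op == "=":
            if all(a != attr for a, _ in control):
                control.append((attr, value))
        else:
            raise ValueError(f"unsupported check operator {op!r}")
    return True, control


def apply_reply(items: List[Item], reply: AttrList) -> AttrList:
    """Build the reply list; '==' and '!=' are not valid reply operators."""
    reply = list(reply)
    for attr, op, value in items:
        if op == "=":
            if all(a != attr for a, _ in reply):
                reply.append((attr, value))
        elif op == ":=":
            _set(reply, attr, value)
        elif op == "+=":
            reply.append((attr, value))
        else:
            raise ValueError(f"{op!r} is not a reply operator")
    return reply


if __name__ == "__main__":
    # Constructed Access-Request: there is no Simultaneous-Use in it,
    # so a '==' check on that attribute can never match.
    request = [("User-Name", "test"), ("Service-Type", "Framed-User")]
    print(evaluate_check([("Simultaneous-Use", "==", "1")], request))
    print(evaluate_check([("Simultaneous-Use", ":=", "1")], request))
    print(apply_reply([("Framed-Protocol", ":=", "PPP"), ("Framed-Protocol", "=", "SLIP")], []))
```

The point for Simultaneous-Use: it is not in the Access-Request, so a row with op == compares against nothing and the group entry never matches, whereas op := always matches and leaves behind the control item that the session-limit check reads. The same reasoning applies to Auth-Type in radgroupreply in the Cisco thread above: it is a control item, not something to send back to the NAS.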


My problem with PEAP

2003-11-19 Thread Bill Reid
Hey everyone,

I continue to have a problem using peap with 
freeradius-snapshot-20031110.  From what I have read about EAP,  and 
from my discussions with others on this list, I believe I am seeing a 
problem from freeradius.

Please correct me if I am wrong.

According to the documentation in ./doc/rlm_eap, the client is not 
responding to the step 6 Access-Challenge from the radius server.  I can 
see the Radius packet making it to the client.  The only thing I can 
find that is odd about the challenge is that there are two eap portions 
of the frame.  My hope is that the client is ignoring the frame because 
of this.

Since there is no response from the client(supplicant) I do not get an 
EAP-Success/EAP-failure and begin to negotiate any ssl/wep stuff.  So I 
don't even think I am verifying the server using the installed CERT at 
this point.  In other words, I don't suspect I have a key/cert problem 
yet :).

I have included the frames in this email.  They were captured on the 
radius server side.  Note there are two separate attempts from the 
client to authenticate itself.  I am questioning either of the Access 
Challenge frames.  I would love it if someone could look at these frames 
and tell me if they are correct (that freeradius is creating them properly).

Below the message Authenticator is similar to 0x00.  In 
the frame sent to the supplicant, the second portion EAP type 79 does 
not have the authenticator, the first portion EAP type 79 does have the 
Message Authenticator and is filled with a value other than 
0x0.  I am guessing that is where the hash for the password 
goes.

Any help would be greatly appreciated.

Here is the output of radiusd -Xxx

Tue Nov 18 14:52:33 2003 : Info: Starting - reading configuration files ...
Tue Nov 18 14:52:33 2003 : Debug: reread_config:  reading radiusd.conf
Tue Nov 18 14:52:33 2003 : Debug: Config:   including file: 
/usr/local/etc/raddb/clients.conf
Tue Nov 18 14:52:33 2003 : Debug: Config:   including file: 
/usr/local/etc/raddb/snmp.conf
Tue Nov 18 14:52:33 2003 : Debug:  main: prefix = /usr/local
Tue Nov 18 14:52:33 2003 : Debug:  main: localstatedir = /usr/local/var
Tue Nov 18 14:52:33 2003 : Debug:  main: logdir = /var/log/radius
Tue Nov 18 14:52:33 2003 : Debug:  main: libdir = /usr/local/lib
Tue Nov 18 14:52:33 2003 : Debug:  main: radacctdir = 
/var/log/radius/radacct
Tue Nov 18 14:52:33 2003 : Debug:  main: hostname_lookups = no
Tue Nov 18 14:52:33 2003 : Debug:  main: max_request_time = 30
Tue Nov 18 14:52:33 2003 : Debug:  main: cleanup_delay = 5
Tue Nov 18 14:52:33 2003 : Debug:  main: max_requests = 1024
Tue Nov 18 14:52:33 2003 : Debug:  main: delete_blocked_requests = 0
Tue Nov 18 14:52:33 2003 : Debug:  main: port = 0
Tue Nov 18 14:52:33 2003 : Debug:  main: allow_core_dumps = no
Tue Nov 18 14:52:33 2003 : Debug:  main: log_stripped_names = no
Tue Nov 18 14:52:33 2003 : Debug:  main: log_file = 
/var/log/radius/radius.log
Tue Nov 18 14:52:33 2003 : Debug:  main: log_auth = yes
Tue Nov 18 14:52:33 2003 : Debug:  main: log_auth_badpass = yes
Tue Nov 18 14:52:33 2003 : Debug:  main: log_auth_goodpass = no
Tue Nov 18 14:52:33 2003 : Debug:  main: pidfile = 
/usr/local/var/run/radiusd/radiusd.pid
Tue Nov 18 14:52:33 2003 : Debug:  main: user = (null)
Tue Nov 18 14:52:33 2003 : Debug:  main: group = (null)
Tue Nov 18 14:52:33 2003 : Debug:  main: usercollide = yes
Tue Nov 18 14:52:33 2003 : Debug:  main: lower_user = before
Tue Nov 18 14:52:33 2003 : Debug:  main: lower_pass = no
Tue Nov 18 14:52:33 2003 : Debug:  main: nospace_user = no
Tue Nov 18 14:52:33 2003 : Debug:  main: nospace_pass = no
Tue Nov 18 14:52:33 2003 : Debug:  main: checkrad = 
/usr/local/sbin/checkrad
Tue Nov 18 14:52:33 2003 : Debug:  main: proxy_requests = no
Tue Nov 18 14:52:33 2003 : Debug:  security: max_attributes = 200
Tue Nov 18 14:52:33 2003 : Debug:  security: reject_delay = 1
Tue Nov 18 14:52:33 2003 : Debug:  security: status_server = no
Tue Nov 18 14:52:33 2003 : Debug:  main: debug_level = 0
Tue Nov 18 14:52:33 2003 : Debug: read_config_files:  reading dictionary
Tue Nov 18 14:52:34 2003 : Debug: read_config_files:  reading naslist
Tue Nov 18 14:52:34 2003 : Info: Using deprecated naslist file.  Support 
for this will go away soon.
Tue Nov 18 14:52:34 2003 : Debug: read_config_files:  reading clients
Tue Nov 18 14:52:34 2003 : Debug: read_config_files:  reading realms
Tue Nov 18 14:52:34 2003 : Info: Using deprecated realms file.  Support for this will go away soon.
Tue Nov 18 14:52:34 2003 : Debug: radiusd:  entering modules setup
Tue Nov 18 14:52:34 2003 : Debug: Module: Library search path is /usr/local/lib
Tue Nov 18 14:52:34 2003 : Debug: Module: Loaded expr
Tue Nov 18 14:52:34 2003 : Debug: Module: Instantiated expr (expr)
Tue Nov 18 14:52:34 2003 : Debug: Module: Loaded eap
Tue Nov 18 14:52:34 2003 : Debug:  eap: default_eap_type = peap
Tue Nov 18 14:52:34 2003 : Debug:  eap: timer_expire = 60
Tue Nov 18 14:52:34 2003 : 

RE: Multiple realm authentication with FreeRADIUS back to Active Directory?

2003-11-19 Thread Heiden, John
The idea is that the only place where pool membership would be
defined is in the AD.  The problem is that each pool needs to
be independent, and sometimes users move between pools.  And the
only place (that they want to keep track of ) membership is in
the AD.

That kind of sucks about CHAP.  Oh well, not my problem then.

I am pretty sure that AD does RADIUS.  Or am I thinking of the
OS under AD?  (2000?)



John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Wednesday, November 19, 2003 12:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Multiple realm authentication with FreeRADIUS back to
Active Directory? 


Heiden, John [EMAIL PROTECTED] wrote:
 So kind of imagine a tree of sorts.  The leaves/branches are
 the Cisco AS servers, they go back and authenticate to a
 Linux server with Free Radius.  The Linux/FreeRADIUS server
 then ultimately authenticates the users back to an AD server.
 But the different pools need different policies, etc. for
 connect time, and so forth.

  That's nice.  How do you tell which pool a user is in?

 Does this make it clearer?  I apologize if I was too confusing
 before.  Or is there a way to get away from multiple realms
 given my situation?  Oh, and I need to have separate accounting
 logs for each pool also.  Meaning, I can't have everything
 accounted into the same file.  Each pool would need to have
 separate accounting logs.

  FreeRADIUS can do that, once you figure out how to separate the
users into pools.

 Would it make sense to authenticate to the AD via RADIUS as
 well?  Or just use LDAP?

  Active Directory doesn't do RADIUS.

 I'm curious, why won't chap work?  I really don't care if
 MS-CHAP breaks, we have never supported it here in the past.
 But it strikes me as odd that it would break CHAP.

  Blame Active Directory.  It won't let FreeRADIUS have access to the
plain-text passwords.

  Alan DeKok.



Re: My problem with PEAP

2003-11-19 Thread Michael Griego
Umm... dumb question, but you don't have eap listed in the
authenticate section of your radiusd.conf file twice do you?

--Mike


On Wed, 2003-11-19 at 12:31, Bill Reid wrote:
 Hey everyone,
 
 I continue to have a problem using peap with 
 freeradius-snapshot-20031110.  From what I have read about EAP,  and 
 from my discussions with others on this list, I believe I am seeing a 
 problem from freeradius.
 
 Please correct me if I am wrong.
 
 According to the documentation in ./doc/rlm_eap, the client is not
 responding to step 6 Access Challenge from the radius server.  I can 
 see the Radius packet making it  to the client.  The only thing I can 
 find that is odd about the challenge is that there are two eap portions 
 of the frame.  My hope is that the client is ignoring the frame because 
 of this.
 
 Since there is no response from the client(supplicant) I do not get an 
 EAP-Success/EAP-failure and begin to negotiate any ssl/wep stuff.  So I 
 don't even think I am verifying the server using the installed CERT at 
 this point.  In other words, I don't suspect I have a key/cert problem 
 yet :).
 
 I have included the frames in this email.  They were captured on the 
 radius server side.  Note there are two separate attempts from the 
 client to authenticate itself.  I am questioning either of the Access 
 Challenge frames.  I would love it if someone could look at these frames 
 and tell me if they are correct (that freeradius is creating them properly).
 
 Below the message Authenticator is similar to 0x00.  In 
 the frame sent to the supplicant, the second portion EAP type 79  does 
 not have the authenticator, the first portion EAP type 79 does have the 
 Message Authenticator and is filled with a value other than
 0x0.  I am guessing that is where the hash for the password 
 goes.
 
 Any help would be greatly appreciated.
 
 Here is the output of radiusd -Xxx
 
 Tue Nov 18 14:52:33 2003 : Info: Starting - reading configuration files ...
 Tue Nov 18 14:52:33 2003 : Debug: reread_config:  reading radiusd.conf
 Tue Nov 18 14:52:33 2003 : Debug: Config:   including file: /usr/local/etc/raddb/clients.conf
 Tue Nov 18 14:52:33 2003 : Debug: Config:   including file: /usr/local/etc/raddb/snmp.conf
 Tue Nov 18 14:52:33 2003 : Debug:  main: prefix = /usr/local
 Tue Nov 18 14:52:33 2003 : Debug:  main: localstatedir = /usr/local/var
 Tue Nov 18 14:52:33 2003 : Debug:  main: logdir = /var/log/radius
 Tue Nov 18 14:52:33 2003 : Debug:  main: libdir = /usr/local/lib
 Tue Nov 18 14:52:33 2003 : Debug:  main: radacctdir = /var/log/radius/radacct
 Tue Nov 18 14:52:33 2003 : Debug:  main: hostname_lookups = no
 Tue Nov 18 14:52:33 2003 : Debug:  main: max_request_time = 30
 Tue Nov 18 14:52:33 2003 : Debug:  main: cleanup_delay = 5
 Tue Nov 18 14:52:33 2003 : Debug:  main: max_requests = 1024
 Tue Nov 18 14:52:33 2003 : Debug:  main: delete_blocked_requests = 0
 Tue Nov 18 14:52:33 2003 : Debug:  main: port = 0
 Tue Nov 18 14:52:33 2003 : Debug:  main: allow_core_dumps = no
 Tue Nov 18 14:52:33 2003 : Debug:  main: log_stripped_names = no
 Tue Nov 18 14:52:33 2003 : Debug:  main: log_file = /var/log/radius/radius.log
 Tue Nov 18 14:52:33 2003 : Debug:  main: log_auth = yes
 Tue Nov 18 14:52:33 2003 : Debug:  main: log_auth_badpass = yes
 Tue Nov 18 14:52:33 2003 : Debug:  main: log_auth_goodpass = no
 Tue Nov 18 14:52:33 2003 : Debug:  main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 Tue Nov 18 14:52:33 2003 : Debug:  main: user = (null)
 Tue Nov 18 14:52:33 2003 : Debug:  main: group = (null)
 Tue Nov 18 14:52:33 2003 : Debug:  main: usercollide = yes
 Tue Nov 18 14:52:33 2003 : Debug:  main: lower_user = before
 Tue Nov 18 14:52:33 2003 : Debug:  main: lower_pass = no
 Tue Nov 18 14:52:33 2003 : Debug:  main: nospace_user = no
 Tue Nov 18 14:52:33 2003 : Debug:  main: nospace_pass = no
 Tue Nov 18 14:52:33 2003 : Debug:  main: checkrad = /usr/local/sbin/checkrad
 Tue Nov 18 14:52:33 2003 : Debug:  main: proxy_requests = no
 Tue Nov 18 14:52:33 2003 : Debug:  security: max_attributes = 200
 Tue Nov 18 14:52:33 2003 : Debug:  security: reject_delay = 1
 Tue Nov 18 14:52:33 2003 : Debug:  security: status_server = no
 Tue Nov 18 14:52:33 2003 : Debug:  main: debug_level = 0
 Tue Nov 18 14:52:33 2003 : Debug: read_config_files:  reading dictionary
 Tue Nov 18 14:52:34 2003 : Debug: read_config_files:  reading naslist
 Tue Nov 18 14:52:34 2003 : Info: Using deprecated naslist file.  Support for this will go away soon.
 Tue Nov 18 14:52:34 2003 : Debug: read_config_files:  reading clients
 Tue Nov 18 14:52:34 2003 : Debug: read_config_files:  reading realms
 Tue Nov 18 14:52:34 2003 : Info: Using deprecated realms file.  Support for this will go away soon.
 Tue Nov 18 14:52:34 2003 : Debug: radiusd:  entering modules setup
 Tue Nov 18 14:52:34 2003 : Debug: Module: Library search path is /usr/local/lib
 Tue Nov 18 14:52:34 2003 : Debug: Module: Loaded expr
 

Re: My problem with PEAP

2003-11-19 Thread Bill Reid
I am asking the dumb questions here!

No I don't.

thanks Mike.

-=Bill


Re: My problem with PEAP

2003-11-19 Thread Alan DeKok
Bill Reid [EMAIL PROTECTED] wrote:
 I continue to have a problem using peap with 
 freeradius-snapshot-20031110.  From what I have read about EAP,  and 
 from my discussions with others on this list, I believe I am seeing a 
 problem from freeradius.

  I've looked at your packet trace, and there are two EAP packets (and
therefore PEAP packets) in the Access-Challenge.

  I've never seen this before, so I suspect it's a local configuration
issue.  Still, the server should be fixed to NOT do this.

  From the debug output, it looks like you've managed to make the
server call the EAP module *twice* for the request, during the
authenticate stage.  I have no clue how you managed to do this, but
it's definitely wrong.

  What did you edit in the server configuration to make it do this?
Under normal circumstances, PEAP should work out of the box, by
simply configuring the peap{} module section, and starting the server.

  Alan DeKok.

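A way to spot the doubled-EAP symptom Bill and Alan describe from a captured Access-Challenge, as an added example rather than code from FreeRADIUS or this thread: it concatenates the EAP-Message (attribute 79) values and walks the EAP headers, flagging more than one EAP packet per challenge. Attribute and type numbers are the RFC values; the sample frames are constructed.

```python
"""Reassemble EAP-Message (attribute 79) fragments and count EAP packets.

Added example, not FreeRADIUS code.  The sample Access-Challenge frames
are constructed to mirror the trace discussed in this thread.
"""
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
ACCESS_CHALLENGE = 11
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_PEAP = 25
PEAP_FLAG_START = 0x20    # S bit of the PEAP flags octet; version in low 3 bits


def radius_attrs(packet):
    """Yield (type, value) for each attribute after the 20-octet header."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, packet[pos + 2:pos + length]
        pos += length


def reassemble_eap(packet):
    """RFC 3579: EAP-Message values are concatenated in order, because one
    EAP packet longer than 253 octets is carried in several attributes."""
    return b"".join(v for t, v in radius_attrs(packet) if t == EAP_MESSAGE)


def split_eap(blob):
    """Cut the reassembled blob into EAP packets on the 4-octet header
    (code, identifier, length).  Only a length that covers one whole packet
    keeps the walk going; anything else yields an error entry."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            out.append({"error": "truncated EAP header"})
            break
        code, ident, length = struct.unpack("!BBH", blob[pos:pos + 4])
        if length < 4 or pos + length > len(blob):
            out.append({"error": "bad EAP length %d" % length})
            break
        pkt = {"code": code, "id": ident, "length": length}
        if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
            pkt["type"] = blob[pos + 4]
            if pkt["type"] == EAP_TYPE_PEAP and length >= 6:
                flags = blob[pos + 5]
                pkt["peap_start"] = bool(flags & PEAP_FLAG_START)
                pkt["peap_version"] = flags & 0x07
        out.append(pkt)
        pos += length
    return out


def check_access_challenge(packet):
    """Return a list of findings; an empty list means the challenge carries
    exactly one well-formed EAP Request and a Message-Authenticator."""
    findings = []
    eaps = split_eap(reassemble_eap(packet))
    if not eaps:
        findings.append("no EAP-Message attribute")
    if len(eaps) > 1:
        findings.append("%d EAP packets in one Access-Challenge (expected 1)" % len(eaps))
    for e in eaps:
        if "error" in e:
            findings.append(e["error"])
        elif e["code"] != EAP_REQUEST:
            findings.append("EAP code %d in a challenge (expected Request)" % e["code"])
    if not any(t == MESSAGE_AUTHENTICATOR for t, _ in radius_attrs(packet)):
        findings.append("Message-Authenticator attribute missing")
    return findings


def sample_challenge(eap_packets):
    """Constructed Access-Challenge carrying the given EAP packets, each split
    into 253-octet EAP-Message attributes, plus a zeroed Message-Authenticator."""
    attrs = b"".join(bytes([EAP_MESSAGE, len(c) + 2]) + c
                     for p in eap_packets
                     for c in (p[i:i + 253] for i in range(0, len(p), 253)))
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, 1, 20 + len(attrs))
    return header + bytes(16) + attrs


# EAP Request, id 2, length 6, type PEAP, flags = Start: the PEAP start the
# server sends in its first Access-Challenge once the identity is in.
PEAP_START = struct.pack("!BBHBB", EAP_REQUEST, 2, 6, EAP_TYPE_PEAP, PEAP_FLAG_START)

if __name__ == "__main__":
    print("one PEAP start :", check_access_challenge(sample_challenge([PEAP_START])))
    print("two PEAP starts:", check_access_challenge(sample_challenge([PEAP_START] * 2)))
```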


Re: My problem with PEAP

2003-11-19 Thread Michael Griego
On Wed, 2003-11-19 at 13:09, Alan DeKok wrote:
   From the debug output, it looks like you've managed to make the
 server call the EAP module *twice* for the request, during the
 authenticate stage.  I have no clue how you managed to do this, but
 it's definitely wrong.

That's exactly what I'm seeing.

Bill, You didn't by chance put authorize or an Autz-Type in the
authenticate section did you?  Based on the trace, it really looks
like this is what happened.  The server jumps into the authorize section
upon receiving the request (as normal), then begins the authenticate
phase, but it then jumps BACK into an authorize block again before
coming back out of all the mess.

-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Cisco VPN 3000 experience

2003-11-19 Thread Dan Didier
Hi list,

I was wondering what people's experiences have been with using FreeRadius
with the cisco VPN 3000 concentrator.  

Are there any documents outlining this?

Thanks,
Dan



Re: Cisco VPN 3000 experience

2003-11-19 Thread Tom Miller
I have two 3005s and a 3015 that authenticate users via Freeradius. It just
works right out of the box. I'm using our central LDAP directory that already
contains user authentication info.

-Tom


-- 
Tom Miller, System Administrator   |   5700 SW 34th St. Suite 1235
Info Tech, Inc.|   Gainesville, FL 32608
   |   (352)381-4400 Voice
[EMAIL PROTECTED]  |   (352)381- Fax



Mysql and Assigning an IP

2003-11-19 Thread Anson Rinesmith

I have freeradius/mysql set up authenticating on a MAX2000; the Max has the
IP pool. I would like to know how to set up mysql/freeradius to handle
giving out the IP.

I'm sure it's just setting up the table, but I don't know the syntax.


Can this be done first time user

2003-11-19 Thread Michael Shanafelt
Hello everyone,

I've never used FreeRadius before.  I think I successfully installed it
on RedHat and it seems to start up OK.  I added my windows XP IP address
in the clients file along with a key; added the same IP address, short
name, and portslave as the type; and uncommented out the 3 lines in
the radiusd.conf file for password, shadow, and group.

I'm using a utility on my XP box called NTRadPing Test Utility to see if
the radius server responds.  So far, I'm not getting any responses, just
the 'no response from server' error.

This is my first time messing with a RADIUS server.  Does anyone see a
step that I missed?

Also, the reason I'm doing this is to build a list of MAC addresses that
are allowed to associate with our several wireless access points.  Right
now, each one has a static list of valid MAC addresses, and when we get
a new employee, we have to go to each one and enter the MAC address.
From what I read, a RADIUS server can be set up so that we can
centralize this list.  Is this a correct assumption?

Thanks very much,
Mike



Re: Can this be done first time user

2003-11-19 Thread kconnell
FOR MAC based auth only

- Make sure the IP addresses of your AP's are in the clients.conf
- edit the users file and add the MAC address of the clients as the user name.
The password is the key you set on your AP's.


Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709





Limiting access at a proxy server based on Called-Station-ID

2003-11-19 Thread Mark Moody
I've been asked if the following is possible. We operate a pair of
radius servers that proxy several realms to their respective home
servers.  We need to limit their users' access based on
Called-Station-ID.  When the Auth request comes in from the NAS, I need
to be able to consult a (possibly large) list of access numbers and
determine if the user called an approved number; if so, allow the request
to proceed to the home server.  If not, return an Access-Reject to the
NAS.  I've experimented with the DEFAULT entries in the users file, and
looked at pre-proxy as well.  So far I haven't come up with a good way
to do this.  If anyone is currently doing something like this, could you
let me know how you're doing it?  Keep in mind the potential list of
Called-Station-IDs is potentially very large; management of and updates
to this list need to be straightforward.  Any help will be most
appreciated.

-- 
Mark Moody 





RE: Cisco VPN 3000 experience

2003-11-19 Thread Dan Didier
Do you use group functions, or is everyone in the base group?
 
Thanks,
Dan
 


Re: Cisco VPN 3000 experience

2003-11-19 Thread Alan DeKok
Dan Didier [EMAIL PROTECTED] wrote:
 Content-Type: text/plain;
   charset=UTF-8
 Content-Transfer-Encoding: base64

  Please fix your mailer to send text as text, instead of encoding it.

 Content-Type: application/ms-tnef;
   name=winmail.dat

  Please also fix your mailer to not send garbage to the list.

  Alan DeKok.



Re: Limiting access at a proxy server based on Called-Station-ID

2003-11-19 Thread Alan DeKok
Mark Moody [EMAIL PROTECTED] wrote:
 We need to limit their users' access based on Called-Station-ID.
 When the Auth request comes in from the NAS, I need to be able to
 consult a (possibly large) list of access numbers and determine if
 the user called an approved number, if so allow the request to
 proceed to the home server.  If not, return an Access-Reject to the
 NAS.

  You're probably going to have to write a module yourself to do that
work.  It shouldn't be too large.  Use a database to store the list of
access numbers, and it should be easy to manage, too.

  The issue is that most modules in the server are written to find
some small amount of configuration in a database for a user, and then
allow other modules to use that configuration to do things.

  What you want is to check the user's request against a large number
of things in a database.  I'm not sure how that would be possible in
the current server.

  Alan DeKok.



Re: Can this be done first time user

2003-11-19 Thread Chris Parker
At 03:28 PM 11/19/2003, Michael Shanafelt wrote:
Hello everyone,

I've never used FreeRadius before.  I think I successfully installed it
on RedHat and it seems to start up OK.  I added my windows XP IP address
in the clients file along with a key; added the same IP address, short
name, and portslave as the type; and uncommented out the 3 lines in
the radiusd.conf file for password, shadow, and group.
I'm using a utility on my XP box called NTRadPing Test Utility to see if
the radius server responds.  So far, I'm not getting any responses, just
the no response from server error.
This is my first time messing with a RADIUS server.  Does anyone see a
step that I missed?
Run the server in debugging mode:  radiusd -x -x -x to see what the
server is doing.
Try using the 'radtest' utility that comes with FreeRADIUS.

Make sure radius is listening on the same ports you are sending to.
A common problem is for one side to be using 1645/1646 and the other
side to be using 1812/1813.
( Historically, radius used 1645/1646, but then was found to be in
  conflict on the assigned ports, and moved to 18
Also, the reason I'm doing this is to build a list of MAC addresses that
are allowed to associate with our several wireless access points.  Right
now, each one has a static list of valid MAC addresses, and when we get
a new employee, we have to go to each one and enter the MAC address.
From what I read, a RADIUS server can be set up so that we can
centralize this list.  Is this a correct assumption?
Yes.  Depending on the AP, the MAC addresses are sent as the User-Name.

The best thing to do, IMHO is to get one of the AP's pointed at the
FR server, and run radius in debug mode so that you can see what the
AP is sending to the Radius server.  From there, you should be able to
figure out what entries you'll need to add in the 'users' file to
authenticate the users.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: Cisco VPN 3000 experience

2003-11-19 Thread Dustin Doris





We use it with freeradius and ldap as a backend.

We use the radiusclass attribute, which will lock the user into the group
that we provision them to, regardless of the group they put in their vpn
client. They will still need a valid group/password in the client to
authenticate.

An example reply item for the user [EMAIL PROTECTED] would be
Radius-Class = OU=mydomain.com;

Must have the OU capital and the ; at the end.

Check out:

http://www.cisco.com/en/US/tech/tk583/tk547/technologies_configuration_example09186a00800946a2.shtml

for more info.





Rad Acct attribute show up in flat file but not database

2003-11-19 Thread [EMAIL PROTECTED]
Hi,

I'm working on getting my radius accounting records in MySQL.

I noticed that the attribute: Freeradius-Proxied-To = aa.bbb.ccc.ddd
shows up in my radius accounting flat files but when I look at 
sqltrace.sql it shows up as ' '  and when I select that record from
my radacct table it shows up as blank.  

I have checked over my table structure and sql.conf and everything
seems to match up correctly.

Any ideas on why it shows up in the flat files and not the database?

Any help would be appreciated.

Thanks,




Re: OSX Installation Using Mysql

2003-11-19 Thread Julien Gabry
Hello,

After a good night, everything is better.

So, Andreas, congratulations on your great work: with your package file
everything works perfectly (without a glitch) on any Panther distrib (tested
on 3 eMacs and 2 G4s).
I'm really impressed by it (installing it with a mouse in graphical mode
without doing anything is a real pleasure).

So thank you very much, but I will continue to check why, when I compile it
myself, I get those errors ...
I have read many docs on libraries and OSX/Darwin, but maybe I need to
read more (or maybe I have read too many ...)

Anyway I have a well-installed version to work with now, so I wish to be able
to help you soon.

Thanks again for your help

Julien





Huntgroup file SQL syntax.

2003-11-19 Thread Stephen Fulton
Hi all,

Could someone please verify I'm using the right syntax for the huntgroups 
file and a sample row of data from the radcheck table in an SQL DB.

huntgroups:

# Group 1

group1  NAS-IP-Address == 10.100.50.6
NAS-IP-Address == 10.100.50.7
# Group 2
group2  NAS-IP-Address == 10.101.6.2
Sample radcheck, relevant part:

Attribute,op,Value:

Huntgroup-Name,==,group2

The reason I ask is because when I place the AV pair in an SQL table, 
authentication fails.  But when taken out, it works.  Debug output does not 
show an SQL query before authentication fails.  Any suggestions are 
appreciated.

-- Steve



Re: Huntgroup file SQL syntax, solved

2003-11-19 Thread Stephen Fulton
Disregard, I made an error in the huntgroups syntax.





Re: Limiting access at a proxy server based on Called-Station-ID

2003-11-19 Thread Deepak Singhal
I think this can also be achieved by writing a function/procedure in
database which return the values after doing the checking.

Deepak Singhal





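The check Alan and Deepak sketch, written out as an added example (not FreeRADIUS code or a real module): a per-realm allow-list of dialled numbers kept in a database and consulted before the request is proxied. The realms, numbers and requests are constructed, and the module plumbing that would call it from the server is assumed, not shown.

```python
"""Allow-list check of Called-Station-Id before a request is proxied.

Added example, not FreeRADIUS code: it models the decision described in
this thread (dialled number on the list -> forward to the realm's home
server, otherwise Access-Reject) in plain Python over an in-memory SQLite
table.  Realms, numbers and requests below are constructed sample data.
"""
import re
import sqlite3


def normalise_number(called_station_id):
    """Different NASes report the dialled number as '15550101234',
    '1-555-010-1234' or '+1 555 010 1234'; compare digits only.  A missing
    attribute becomes '' so the caller can fail closed."""
    return re.sub(r"\D", "", called_station_id or "")


def realm_of(user_name):
    """'bob@example.net' -> 'example.net'; no '@' means no realm to proxy to."""
    _, sep, realm = (user_name or "").rpartition("@")
    return realm.lower() if sep else ""


def open_allowlist(rows):
    """Load (realm, number) pairs into a fresh table.  Keeping the list in a
    table is what makes a very large list manageable: updates are INSERT or
    DELETE statements, no server restart, and the lookup is one indexed hit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE allowed_numbers ("
                 "realm TEXT NOT NULL, number TEXT NOT NULL, "
                 "PRIMARY KEY (realm, number))")
    conn.executemany("INSERT OR IGNORE INTO allowed_numbers VALUES (?, ?)",
                     [(realm.lower(), normalise_number(n)) for realm, n in rows])
    conn.commit()
    return conn


def number_allowed(conn, realm, number):
    """Parameterised query: User-Name and Called-Station-Id arrive straight
    from the NAS, so they are bound as values, never spliced into SQL text."""
    row = conn.execute("SELECT 1 FROM allowed_numbers WHERE realm = ? AND number = ?",
                       (realm, number)).fetchone()
    return row is not None


def pre_proxy_decision(conn, request):
    """'proxy' to forward to the home server, 'reject' to send Access-Reject.
    `request` maps attribute names to the string values the server holds."""
    realm = realm_of(request.get("User-Name"))
    number = normalise_number(request.get("Called-Station-Id"))
    if not realm or not number:
        return "reject"          # nothing to check against: fail closed
    return "proxy" if number_allowed(conn, realm, number) else "reject"


if __name__ == "__main__":
    db = open_allowlist([("example.net", "1-555-010-1234"),
                         ("example.net", "15550105678"),
                         ("partner.org", "+1 555 010 9999")])
    for req in ({"User-Name": "bob@example.net", "Called-Station-Id": "15550101234"},
                {"User-Name": "bob@example.net", "Called-Station-Id": "15550109999"},
                {"User-Name": "carol", "Called-Station-Id": "15550101234"}):
        print(req, "->", pre_proxy_decision(db, req))
```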


itz urgent

2003-11-19 Thread puneeth b
Hello sir,
I'm trying to connect freeradius and db2.
I want to know how freeradius and mysql work.
1) I mean to say: the front end of freeradius is available on -? Where shall I find it? The interface?
2) Also how the tables are maintained in the freeradius server as well as the db2 server.
3) Also about the NAS.
4) About the connection from freeradius to the NAS and then to the db2 server.

I will be very grateful, and am very eagerly waiting for the reply.
puneeth

Simultaneous-Use works only with finger?

2003-11-19 Thread Double
If I use freeradius with portslave, does checking multiple logins (Simultaneous-Use) work only
with finger?
