Re: Free RADIUS tutorials or manuals?
Maybe you can't get what you want. I think the beginning is reading RFC2865, and then you can download the freeradius source code, reading src/README, FAQ etc., doc/README, aaa.txt, configurable_failover, module_interface, processing_users_file. And then you can practise with special rlm_XXX modules (google it for some Chinese articles), watching the output of radiusd -X, watching the code, asking this list. Just my opinion. :) Good luck.

Hello World!
= = = = = = = = = = = = = = = = = = = =
ylei [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: malformed EAPOL-Key with LEAP and AEGIS Client
Hi Artur,

Thanks for the info about the EAPOL packets. I've installed the latest drivers both for the AP and the pcmcia card. It seems that the AP340 has a bug (?:( Is there any website of Cisco where I can post my question?

Thanks,
Marios

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Artur Hecker
Sent: Wednesday, November 19, 2003 1:28 AM
To: [EMAIL PROTECTED]
Subject: Re: malformed EAPOL-Key with LEAP and AEGIS Client

hi

> I'm using WEP enabled mode where I get 2 EAPOL-Keys with the second malformed from the AP-340 !!! I use also AEGIS client in Windows XP Home.

before you continue: do you use the latest versions of the firmware on both your AP _and_ your wifi card?

> I've attached the ethereal dumps to check what exactly I mean. I don't know if it is a bug in the AP or the freeradius, but I suspect that the freeradius doesn't construct well the second EAPOL-Key message and the AP forwards a malformed packet.

freeradius does not construct any EAPOL frames at all. it only sends keys to the access point and those are used by the AP to derive all the rest. whatever freeradius might have done wrong with the key material which it provides to the AP, it can't EVER be the reason for a malformed EAPOL packet. only your AP and the card are speaking EAPOL. search there.

ciao
artur

ps I didn't check your logs yet
Users in LDAP and mysql
Hi to all,

I want to ask this: using freeradius, can you have users in LDAP and mysql, so doing authentication from both simultaneously?

Thanks a lot

Costas A. Christonis
Networking Communications Centre
Gallos Campus - University of Crete
email: [EMAIL PROTECTED]
http://www.ucnet.uoc.gr/
Class Attribute
Hi all,

Maybe a totally stupid question. When I read RFC 2865 (RADIUS), there is a section about the Class attribute stating:

5.25. Class

Description

This Attribute is available to be sent by the server to the client in an Access-Accept and SHOULD be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. The client MUST NOT interpret the attribute locally.

A summary of the Class Attribute format is shown below. The fields are transmitted from left to right.

     0                   1                   2
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    |     Type      |    Length     |  String ...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type
    25 for Class.

Length
    >= 3

String
    The String field is one or more octets. The actual format of the information is site or application specific, and a robust implementation SHOULD support the field as undistinguished octets. The codification of the range of allowed usage of this field is outside the scope of this specification.

If I look at the dictionary file of freeradius I see

ATTRIBUTE Class 25 octets

So shouldn't this be like:

ATTRIBUTE Class 25 string

?!?

Sorry if I misunderstand something.

Regards
Michael
Re: Free RADIUS tutorials or manuals?
On Wed, 19 Nov 2003, ylei wrote:

> Maybe you can't get what you want. I think the beginning is reading RFC2865, and then you can download the freeradius source code, reading src/README, FAQ etc., doc/README, aaa.txt, configurable_failover, module_interface, processing_users_file. And then you can practise with special rlm_XXX modules (google it for some Chinese articles), watching the output of radiusd -X, watching the code, asking this list. Just my opinion. :) Good luck.

There are actually a few HOWTOs for specific things:

http://www.frontios.com/freeradius.html (freeradius+mysql)
http://kstadler.ch/index.php?page=dialup and dialup_admin/doc/HOWTO (dialupadmin)
http://doris.cc/radius (freeradius+ldap)

along with the documentation floating around in the doc directory. Maybe someone could volunteer to take all those small pieces and make a big HOWTO out of it.

> Hello World!
> = = = = = = = = = = = = = = = = = = = =
> ylei [EMAIL PROTECTED]

--
Kostas Kalevras		Network Operations Center	[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
Re: Users in LDAP and mysql
On Wed, 19 Nov 2003, Costas Christonis wrote:

> Hi to all,
>
> I want to ask this: using freeradius, can you have users in LDAP and mysql, so doing authentication from both simultaneously?

In general yes. Though you will probably need to play with Autz-Type and Auth-Type to get that working ok.

> Thanks a lot
>
> Costas A. Christonis
> Networking Communications Centre
> Gallos Campus - University of Crete
> email: [EMAIL PROTECTED]
> http://www.ucnet.uoc.gr/

--
Kostas Kalevras		Network Operations Center	[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
Re: tunneling
> From dictionary.tunnel...
>
> ATTRIBUTE Tunnel-Type 64 integer has_tag
>
> what is meant by has_tag??
>
> I'm currently working on a RADIUS - MPLS-VPN project, and from the example given by cisco.. Some of the attributes needed for doing L2TP tunnelling are as below:
>
> Tunnel-Type = :1:L2TP
> Tunnel-Medium-Type = :1:IP
> Tunnel-Server-Endpoint = :1:172.21.9.13
>
> So what does :1 from :1:L2TP mean??

The :1 is the tag, and the has_tag portion of the dictionary definition you refer to above informs the RADIUS software that it should expect (or append when necessary) certain characters as part of the attribute. From the RFCs included in the 'rfc' sub-directory of the 'doc' directory of the FreeRADIUS source code:

   Tag
      The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. If the value of the Tag field is greater than 0x00 and less than or equal to 0x1F, it SHOULD be interpreted as indicating which tunnel (of several alternatives) this attribute pertains; otherwise, the Tag field SHOULD be ignored.

The tags mean nothing to the RADIUS server itself; the definition above is explaining how the NAS is going to use/interpret the Tag.

As well, I'm not sure which RADIUS server that syntax (e.g. Tunnel-Type = :1:L2TP) is correct for, but for FreeRADIUS the attributes should be configured as follows:

Tunnel-Password:0 = ,
Tunnel-Medium-Type:0 = IP,
Tunnel-Type:0 = L2TP,
Tunnel-Server-Endpoint:0 = xxx.xxx.xxx.xxx

HTH,
Chris Brotsos
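The tag octet Chris describes, as an added example in Python (not code from the post or from FreeRADIUS): encoding and decoding the three tunnel attributes from the question, including the two RFC 2868 edge cases a parser has to handle, a tag above 0x1F that must be ignored and a tagged string whose first octet is really part of the string. Attribute numbers are those of dictionary.tunnel; the sample values (tag 1, L2TP over IP to 172.21.9.13) are the ones from the question.

```python
"""Encode and decode RFC 2868 tagged tunnel attributes.

Added example, not from the post or from FreeRADIUS. Attribute numbers and
value names follow dictionary.tunnel; the sample values (tag 1, L2TP over IP
to 172.21.9.13) are the ones from the question.
"""

TAGGED_INTEGER = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type"}
TAGGED_STRING = {67: "Tunnel-Server-Endpoint"}
TUNNEL_TYPE_NAMES = {1: "PPTP", 3: "L2TP"}
TUNNEL_MEDIUM_NAMES = {1: "IP", 2: "IPv6"}
MAX_TAG = 0x1F   # valid grouping tags are 0x01..0x1F


def encode_tagged(attr, tag, value):
    """Encode one tagged attribute as a RADIUS TLV (Type, Length, Tag, value)."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F")
    if attr in TAGGED_INTEGER:
        if not 0 <= value <= 0xFFFFFF:
            raise ValueError("a tagged integer is only 24 bits wide")
        body = bytes([tag]) + value.to_bytes(3, "big")   # the tag takes the top octet
    elif attr in TAGGED_STRING:
        body = bytes([tag]) + value.encode()
    else:
        raise ValueError("attribute %d is not has_tag" % attr)
    if 2 + len(body) > 255:
        raise ValueError("attribute too long")
    return bytes([attr, 2 + len(body)]) + body


def decode_tagged(tlv):
    """Decode one TLV to (attr, tag, value); a tag outside 0x01..0x1F is
    ignored, i.e. normalised to 0, as RFC 2868 says the NAS SHOULD do."""
    if len(tlv) < 3 or tlv[1] != len(tlv):
        raise ValueError("bad attribute length")
    attr, body = tlv[0], tlv[2:]
    if attr in TAGGED_INTEGER:
        if len(tlv) != 6:
            raise ValueError("tagged integer attribute must be 6 octets")
        tag, value = body[0], int.from_bytes(body[1:], "big")
    elif attr in TAGGED_STRING:
        if body[0] > MAX_TAG:   # then it is the first octet of the string, not a tag
            tag, value = 0, body.decode()
        else:
            tag, value = body[0], body[1:].decode()
    else:
        raise ValueError("attribute %d is not has_tag" % attr)
    return attr, (tag if 1 <= tag <= MAX_TAG else 0), value


def group_by_tunnel(tlvs):
    """Group the decoded attributes by tag, the way a NAS picks one tunnel's
    settings out of several alternatives carried in one Access-Accept."""
    groups = {}
    for tlv in tlvs:
        attr, tag, value = decode_tagged(tlv)
        name = TAGGED_INTEGER.get(attr) or TAGGED_STRING[attr]
        if attr == 64:
            value = TUNNEL_TYPE_NAMES.get(value, value)
        elif attr == 65:
            value = TUNNEL_MEDIUM_NAMES.get(value, value)
        groups.setdefault(tag, {})[name] = value
    return groups


def demo():
    """The reply from the question, i.e. Tunnel-Type:1 = L2TP and friends."""
    reply = [encode_tagged(64, 1, 3),               # Tunnel-Type:1 = L2TP
             encode_tagged(65, 1, 1),               # Tunnel-Medium-Type:1 = IP
             encode_tagged(67, 1, "172.21.9.13")]   # Tunnel-Server-Endpoint:1
    return group_by_tunnel(reply)
```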
Re: malformed EAPOL-Key with LEAP and AEGIS Client
hi

> Thanks for the info about the EAPOL packets. I've installed the latest drivers both for the AP and the pcmcia card. It seems that the AP340 has a bug (?:( Is there any website of Cisco where I can post my question?

I've been using an AP340 with the 12T release for quite a while now and I don't have this problem. I'm using freeradius with EAP/TLS and rotating wep keys.

ciao
artur
Re: Class Attribute
Michael Kopp [EMAIL PROTECTED] wrote:
> If I look at the dictionary file of freeradius I see
>
> ATTRIBUTE Class 25 octets
>
> So shouldn't this be like:
>
> ATTRIBUTE Class 25 string
>
> ?!?

  No. The "string" type in the RFC simply means that the attribute is variable length. The "string" type in FreeRADIUS means "printable string". The "octets" type in FreeRADIUS means: (from the RFC you quoted)

> ... The actual format of the information is site or application specific, and a robust implementation SHOULD support the field as undistinguished octets.
                                                                                                                                                     ^^^^^^

  See? Octets.

  Alan DeKok.
Re: Illegal attributes in update packets?
Alex French [EMAIL PROTECTED] wrote:
> Having read the RFCs (well, skimmed them at least) I am aware that including Acct-Session-Time, Acct-Output-Octets and Acct-Input-Octets in UPDATE messages is illegal. However, we have what we think is a good reason to do it, and freeradius seems to allow this (and we've patched the postgresql config statements to update the accounting tables appropriately).

  FreeRADIUS is designed to be pretty forgiving about what it handles.

> My question is, how evil do people consider this to be? Does anyone have an insight into *why* this is illegal? And is anyone aware of how other Radius servers treat such packets (i.e. will it break anything if we proxy these attributes to other people?)

  From what I read of the RFCs, they're not forbidden. Putting them into an update request shouldn't break anything.

  Alan DeKok.
RE: Documentation Suggestion
This question seems to aim for a FAQ question :)

Jon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Tuesday, November 18, 2003 9:27 PM
Subject: Re: Documentation Suggestion

Anson Rinesmith [EMAIL PROTECTED] wrote:
> What's the best online place for documentation of actual FR? I for one still don't know what the difference is between := and == in my sql database

  doc/rlm_sql ?

  Alan DeKok.
RE: malformed EAPOL-Key with LEAP and AEGIS Client
Artur,

Have you checked if the last EAPOL-Key is malformed? It works fine for me too, even if the packet is not correct!! I tried to pass traffic with WEP enabled and I didn't have any problem, but I don't know if this packet should be malformed anyway!! Could you please try to pass traffic using the LEAP method and WEP enabled? I would love it if you could send me an ethereal sniff!

Thanks,
Marios

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Artur Hecker
Sent: Wednesday, November 19, 2003 5:00 PM
To: [EMAIL PROTECTED]
Subject: Re: malformed EAPOL-Key with LEAP and AEGIS Client

hi

> Thanks for the info about the EAPOL packets. I've installed the latest drivers both for the AP and the pcmcia card. It seems that the AP340 has a bug (?:( Is there any website of Cisco where I can post my question?

I've been using an AP340 with the 12T release for quite a while now and I don't have this problem. I'm using freeradius with EAP/TLS and rotating wep keys.

ciao
artur
RE: cisco authorization through freeradius
On Tue, 18 Nov 2003, John A. Hengstler wrote:

> Greetings.
>
> I have a Cisco as5300 that I am using for Dial customers. The customer connects, the authentication comes through, but then at the authorization level the connection gets dropped by the nas. Are there any suggested attributes to put into radgroupreply for ISDN dial-in customers to the Cisco 5300, or do I have an incorrect setting on the Nas? Here is a snapshot of what I have for the cisco config:
>
> aaa new-model
> aaa authentication login default local
> aaa authentication ppp default group radius
> aaa authorization network default group radius if-authenticated
> aaa accounting delay-start
>
> interface Serial0:23
>  ip unnumbered Ethernet0
>  encapsulation ppp
>  dialer-group 1
>  isdn switch-type primary-ni
>  isdn tei-negotiation first-call
>  isdn incoming-voice modem
>  peer default ip address pool DIAL6_POOL
>  ppp authentication pap chap
>
> interface Group-Async1
>  ip unnumbered Ethernet0
>  encapsulation ppp
>  ip tcp header-compression passive
>  no ip mroute-cache
>  async mode interactive
>  peer default ip address pool DIAL6_POOL
>  ppp authentication chap pap
>  group-range 1 96
>
> RADIUS: radgroupreply contains:
>
> |  1 | dialerrouter | Session-Timeout | 28800       | == | NULL |
> |  5 | dialerrouter | Idle-Timeout    | 1200        | == | NULL |
> |  8 | dialerrouter | Service-Type    | Framed-User | == | NULL |
> |  9 | dialerrouter | Framed-Protocol | PPP         | == | NULL |
> | 10 | dialerrouter | Auth-Type       | Local       | == | NULL |
>
> RADIUS: radcheck contains dialerrouter for the user
>
> All modem dial-up customers work just fine, but ISDN dial-in fails as indicated above. Can anyone shed some pointers on this? I still haven't figured it out..
>
> Regards,
> John Hengstler

I don't actually work with the NAS, but we also send back Framed-Routing = None in our radius replies. Might want to give it a shot.
RE: cisco authorization through freeradius
On Tue, 18 Nov 2003, John A. Hengstler wrote:

> Greetings.
>
> I have a Cisco as5300 that I am using for Dial customers. The customer connects, the authentication comes through, but then at the authorization level the connection gets dropped by the nas. Are there any suggested attributes to put into radgroupreply for ISDN dial-in customers to the Cisco 5300, or do I have an incorrect setting on the Nas? Here is a snapshot of what I have for the cisco config:
>
> aaa new-model
> aaa authentication login default local
> aaa authentication ppp default group radius
> aaa authorization network default group radius if-authenticated
> aaa accounting delay-start
>
> interface Serial0:23
>  ip unnumbered Ethernet0
>  encapsulation ppp
>  dialer-group 1
>  isdn switch-type primary-ni
>  isdn tei-negotiation first-call
>  isdn incoming-voice modem
>  peer default ip address pool DIAL6_POOL
>  ppp authentication pap chap
>
> interface Group-Async1
>  ip unnumbered Ethernet0
>  encapsulation ppp
>  ip tcp header-compression passive
>  no ip mroute-cache
>  async mode interactive
>  peer default ip address pool DIAL6_POOL
>  ppp authentication chap pap
>  group-range 1 96
>
> RADIUS: radgroupreply contains:
>
> |  1 | dialerrouter | Session-Timeout | 28800       | == | NULL |
> |  5 | dialerrouter | Idle-Timeout    | 1200        | == | NULL |
> |  8 | dialerrouter | Service-Type    | Framed-User | == | NULL |
> |  9 | dialerrouter | Framed-Protocol | PPP         | == | NULL |
> | 10 | dialerrouter | Auth-Type       | Local       | == | NULL |
>
> RADIUS: radcheck contains dialerrouter for the user
>
> All modem dial-up customers work just fine, but ISDN dial-in fails as indicated above. Can anyone shed some pointers on this? I still haven't figured it out..
>
> Regards,
> John Hengstler

I don't actually work with the NAS, but we also send back Framed-Routing = None in our radius replies. Might want to give it a shot.

Oh, and we also send Framed-IP-Netmask = whatever your netmask is. I really know nothing about the NAS, just letting you know what freeradius does for our dial isdn guys in case one of those helps.
Re: Multiple realm authentication with FreeRADIUS back to Active Directory?
Heiden, John [EMAIL PROTECTED] wrote:
> I am assuming I need to somehow have FreeRADIUS add a realm to the incoming information first, then pass that back to the Active Directory server?

  Are you using FreeRADIUS to put the users into different realms, or are the users logging in with different realms? You said you need multiple realms, but you haven't said *why*.

> Second, what is the best way to authenticate to an AD?

  FreeRADIUS can use it as an LDAP server, but CHAP and MS-CHAP won't work.

  Alan DeKok.
Sample PEAP or TTLS with LDAP
Hello,

I would like, for testing, a sample configuration for freeradius with PEAP or EAP/TTLS with an OpenLDAP server backend.

Thanks. Excuse my English.

--
GQS
RE: Multiple realm authentication with FreeRADIUS back to Active Directory?
I'm sorry, I should have been more specific.

I have multiple Cisco access servers (AS5300/AS5350/AS5400) and some are in one pool of users, some are in another, and some are in still another. I think about 5 different pools. So kind of imagine a tree of sorts. The leaves/branches are the Cisco AS servers; they go back and authenticate to a Linux server with FreeRADIUS. The Linux/FreeRADIUS server then ultimately authenticates the users back to an AD server. But the different pools need different policies, etc. for connect time, and so forth.

Does this make it clearer? I apologize if I was too confusing before. Or is there a way to get away from multiple realms given my situation?

Oh, and I need to have separate accounting logs for each pool also. Meaning, I can't have everything accounted into the same file. Each pool would need to have separate accounting logs.

Would it make sense to authenticate to the AD via RADIUS as well? Or just use LDAP?

I'm curious, why won't CHAP work? I really don't care if MS-CHAP breaks; we have never supported it here in the past. But it strikes me as odd that it would break CHAP.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Wednesday, November 19, 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: Multiple realm authentication with FreeRADIUS back to Active Directory?

Heiden, John [EMAIL PROTECTED] wrote:
> I am assuming I need to somehow have FreeRADIUS add a realm to the incoming information first, then pass that back to the Active Directory server?

  Are you using FreeRADIUS to put the users into different realms, or are the users logging in with different realms? You said you need multiple realms, but you haven't said *why*.

> Second, what is the best way to authenticate to an AD?

  FreeRADIUS can use it as an LDAP server, but CHAP and MS-CHAP won't work.

  Alan DeKok.
Interim accounting update +mysql
For some reason mysql is not being updated with the interim accounting updates. Below is one of the accounting requests sent to freeradius, and you can see that it does not send the bytes and up time information to mysql. Anyone know why?

rad_recv: Accounting-Request packet from host 204.228.226.18:1306, id=249, length=181
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Identifier = SQN2
        NAS-Port = 60
        NAS-Port-Type = Ethernet
        User-Name = shawn
        Calling-Station-Id = 06:2d:1A:05:A2:6B
        Called-Station-Id = SpeedyQuick
        NAS-Port-Id = Clients
        Acct-Session-Id = 8120001a
        Framed-IP-Address = 10.69.4.22
        Acct-Authentic = RADIUS
        Acct-Session-Time = 115201
        Acct-Input-Octets = 2350343
        Acct-Input-Packets = 27316
        Acct-Output-Octets = 36915463
        Acct-Output-Packets = 36681
        Acct-Status-Type = Alive
        NAS-IP-Address = 205.28.26.18
        Acct-Delay-Time = 0
modcall: entering group preacct
  modcall[preacct]: module preprocess returns noop
    rlm_realm: No '@' in User-Name = shawn, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop
  modcall[preacct]: module files returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: Hashing 'NAS-Port-Id = Clients,Client-IP-Address = 205.28.26.18,NAS-IP-Address = 205.28.26.18,Acct-Session-Id = 8120001a,User-Name = shawn'
rlm_acct_unique: Acct-Unique-Session-ID = f56023f6b2ffca98.
  modcall[accounting]: module acct_unique returns ok
radius_xlat: '/usr/local/var/log/radius/radacct/205.28.26.18/detail-20031119'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/205.28.26.18/detail-20031119
  modcall[accounting]: module detail returns ok
  modcall[accounting]: module unix returns noop
radius_xlat: 'shawn'
rlm_sql (sql): sql_set_user escaped user -- 'shawn'
radius_xlat: 'UPDATE radacct SET FramedIPAddress = '10.69.4.22' WHERE AcctSessionId = '8120001a' AND UserName = 'shawn' AND NASIPAddress= '205.28.26.18' AND AcctStopTime = 0'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
  modcall[accounting]: module sql returns ok
radius_xlat: '/usr/local/var/log/radius/radutmp'
radius_xlat: 'shawn'
  modcall[accounting]: module radutmp returns ok
modcall: group accounting returns ok
Sending Accounting-Response of id 249 to 205.28.26.18:1306
Finished request 31
Re: Multiple realm authentication with FreeRADIUS back to Active Directory?
Heiden, John [EMAIL PROTECTED] wrote:
> So kind of imagine a tree of sorts. The leaves/branches are the Cisco AS servers; they go back and authenticate to a Linux server with FreeRADIUS. The Linux/FreeRADIUS server then ultimately authenticates the users back to an AD server. But the different pools need different policies, etc. for connect time, and so forth.

  That's nice. How do you tell which pool a user is in?

> Does this make it clearer? I apologize if I was too confusing before. Or is there a way to get away from multiple realms given my situation?
>
> Oh, and I need to have separate accounting logs for each pool also. Meaning, I can't have everything accounted into the same file. Each pool would need to have separate accounting logs.

  FreeRADIUS can do that, once you figure out how to separate the users into pools.

> Would it make sense to authenticate to the AD via RADIUS as well? Or just use LDAP?

  Active Directory doesn't do RADIUS.

> I'm curious, why won't CHAP work? I really don't care if MS-CHAP breaks; we have never supported it here in the past. But it strikes me as odd that it would break CHAP.

  Blame Active Directory. It won't let FreeRADIUS have access to the plain-text passwords.

  Alan DeKok.
Re: Interim accounting update +mysql
On Wed, 19 Nov 2003, David Blood wrote:

> For some reason mysql is not being updated with the interim accounting updates. Below is one of the accounting requests sent to freeradius, and you can see that it does not send the bytes and up time information to mysql. Anyone know why?
>
> [rad_recv attribute dump and accounting trace quoted unchanged from the message above]

What does your sql.conf look like?

--
Kostas Kalevras		Network Operations Center	[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
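David's debug output shows the accounting UPDATE touching only FramedIPAddress, so an Alive packet never moves Acct-Session-Time or the octet counters into radacct; Kostas's question about sql.conf is aimed at exactly that query. The Python below is an added example (not David's sql.conf and not FreeRADIUS code): it runs the same kind of update, extended to the counters and using bound parameters instead of string interpolation, against an in-memory sqlite copy of a cut-down radacct table, fed with the attribute values from the rad_recv lines in the post.

```python
"""Apply an Alive (interim) Accounting-Request to a radacct row.

Added example, not the post's sql.conf and not FreeRADIUS code. The table is a
cut-down radacct in an in-memory sqlite database; the attribute lines are the
ones from the rad_recv output in the post (other attributes omitted).
"""
import sqlite3

# Constructed from the rad_recv dump in the post.
ALIVE_PACKET = """\
    User-Name = shawn
    Acct-Session-Id = 8120001a
    Framed-IP-Address = 10.69.4.22
    Acct-Session-Time = 115201
    Acct-Input-Octets = 2350343
    Acct-Output-Octets = 36915463
    Acct-Status-Type = Alive
    NAS-IP-Address = 205.28.26.18
"""


def parse_attrs(text):
    """Turn 'Attribute = value' debug lines into a dict of strings."""
    attrs = {}
    for line in text.splitlines():
        if " = " in line:
            key, value = line.strip().split(" = ", 1)
            attrs[key] = value
    return attrs


def open_db():
    """In-memory radacct holding the open session that the Start record
    created earlier (schema and start time are constructed, not from the post)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        AcctSessionId TEXT, UserName TEXT, NASIPAddress TEXT,
        AcctStartTime INTEGER, AcctStopTime INTEGER DEFAULT 0,
        AcctSessionTime INTEGER DEFAULT 0, AcctInputOctets INTEGER DEFAULT 0,
        AcctOutputOctets INTEGER DEFAULT 0, FramedIPAddress TEXT)""")
    db.execute("INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, "
               "AcctStartTime, FramedIPAddress) VALUES (?, ?, ?, ?, ?)",
               ("8120001a", "shawn", "205.28.26.18", 1069200000, "10.69.4.22"))
    return db


def interim_update(db, attrs):
    """Write the counters of an Alive packet into the still-open session row.

    The post's query only set FramedIPAddress; this one also carries
    AcctSessionTime and the two octet counters (in sql.conf terms the values
    of %{Acct-Session-Time}, %{Acct-Input-Octets} and %{Acct-Output-Octets}).
    Returns the number of rows matched: 0 means no open session exists for
    this NAS/session id, which is worth logging rather than ignoring.
    """
    if attrs.get("Acct-Status-Type") != "Alive":
        raise ValueError("not an interim update: %r" % attrs.get("Acct-Status-Type"))
    cur = db.execute(
        "UPDATE radacct SET FramedIPAddress = ?, AcctSessionTime = ?, "
        "AcctInputOctets = ?, AcctOutputOctets = ? "
        "WHERE AcctSessionId = ? AND UserName = ? AND NASIPAddress = ? "
        "AND AcctStopTime = 0",
        (attrs["Framed-IP-Address"], int(attrs["Acct-Session-Time"]),
         int(attrs["Acct-Input-Octets"]), int(attrs["Acct-Output-Octets"]),
         attrs["Acct-Session-Id"], attrs["User-Name"], attrs["NAS-IP-Address"]))
    return cur.rowcount


def session_counters(db, session_id):
    """(AcctSessionTime, AcctInputOctets, AcctOutputOctets) for one session."""
    return db.execute(
        "SELECT AcctSessionTime, AcctInputOctets, AcctOutputOctets "
        "FROM radacct WHERE AcctSessionId = ?", (session_id,)).fetchone()


def demo():
    """Counters before the Alive packet, rows matched, counters afterwards."""
    db = open_db()
    before = session_counters(db, "8120001a")
    matched = interim_update(db, parse_attrs(ALIVE_PACKET))
    return before, matched, session_counters(db, "8120001a")
```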
Re: double Login
On Tue, 2003-11-18 at 20:26, Mario Duve wrote:
> Hello,
>
> how can I make it so that each user can log in only once, not twice at the same time? The Simultaneous-Use attribute does not work in my groupcheck.

That's what it should look like...

+----+-----------+------------------+----+-------+
| id | groupname | attribute        | op | value |
+----+-----------+------------------+----+-------+
|  2 | test      | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+
My problem with PEAP
Hey everyone,

I continue to have a problem using PEAP with freeradius-snapshot-20031110. From what I have read about EAP, and from my discussions with others on this list, I believe I am seeing a problem from freeradius. Please correct me if I am wrong.

According to the documentation in ./doc/rlm_eap, the client is not responding to step 6 (Access Challenge) from the radius server. I can see the Radius packet making it to the client. The only thing I can find that is odd about the challenge is that there are two eap portions of the frame. My hope is that the client is ignoring the frame because of this. Since there is no response from the client (supplicant) I do not get an EAP-Success/EAP-failure and begin to negotiate any ssl/wep stuff. So I don't even think I am verifying the server using the installed CERT at this point. In other words, I don't suspect I have a key/cert problem yet :).

I have included the frames in this email. They were captured on the radius server side. Note there are two separate attempts from the client to authenticate itself. I am questioning either of the Access Challenge frames. I would love it if someone could look at these frames and tell me if they are correct (that freeradius is creating them properly). Below, the Message Authenticator is similar to 0x00. In the frame sent to the supplicant, the second portion (EAP type 79) does not have the authenticator; the first portion (EAP type 79) does have the Message Authenticator and is filled with a value other than 0x0. I am guessing that is where the hash for the password goes.

Any help would be greatly appreciated.

Here is the output of radiusd -Xxx

Tue Nov 18 14:52:33 2003 : Info: Starting - reading configuration files ...
Tue Nov 18 14:52:33 2003 : Debug: reread_config: reading radiusd.conf
Tue Nov 18 14:52:33 2003 : Debug: Config: including file: /usr/local/etc/raddb/clients.conf
Tue Nov 18 14:52:33 2003 : Debug: Config: including file: /usr/local/etc/raddb/snmp.conf
Tue Nov 18 14:52:33 2003 : Debug: main: prefix = /usr/local
Tue Nov 18 14:52:33 2003 : Debug: main: localstatedir = /usr/local/var
Tue Nov 18 14:52:33 2003 : Debug: main: logdir = /var/log/radius
Tue Nov 18 14:52:33 2003 : Debug: main: libdir = /usr/local/lib
Tue Nov 18 14:52:33 2003 : Debug: main: radacctdir = /var/log/radius/radacct
Tue Nov 18 14:52:33 2003 : Debug: main: hostname_lookups = no
Tue Nov 18 14:52:33 2003 : Debug: main: max_request_time = 30
Tue Nov 18 14:52:33 2003 : Debug: main: cleanup_delay = 5
Tue Nov 18 14:52:33 2003 : Debug: main: max_requests = 1024
Tue Nov 18 14:52:33 2003 : Debug: main: delete_blocked_requests = 0
Tue Nov 18 14:52:33 2003 : Debug: main: port = 0
Tue Nov 18 14:52:33 2003 : Debug: main: allow_core_dumps = no
Tue Nov 18 14:52:33 2003 : Debug: main: log_stripped_names = no
Tue Nov 18 14:52:33 2003 : Debug: main: log_file = /var/log/radius/radius.log
Tue Nov 18 14:52:33 2003 : Debug: main: log_auth = yes
Tue Nov 18 14:52:33 2003 : Debug: main: log_auth_badpass = yes
Tue Nov 18 14:52:33 2003 : Debug: main: log_auth_goodpass = no
Tue Nov 18 14:52:33 2003 : Debug: main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
Tue Nov 18 14:52:33 2003 : Debug: main: user = (null)
Tue Nov 18 14:52:33 2003 : Debug: main: group = (null)
Tue Nov 18 14:52:33 2003 : Debug: main: usercollide = yes
Tue Nov 18 14:52:33 2003 : Debug: main: lower_user = before
Tue Nov 18 14:52:33 2003 : Debug: main: lower_pass = no
Tue Nov 18 14:52:33 2003 : Debug: main: nospace_user = no
Tue Nov 18 14:52:33 2003 : Debug: main: nospace_pass = no
Tue Nov 18 14:52:33 2003 : Debug: main: checkrad = /usr/local/sbin/checkrad
Tue Nov 18 14:52:33 2003 : Debug: main: proxy_requests = no
Tue Nov 18 14:52:33 2003 : Debug: security: max_attributes = 200
Tue Nov 18 14:52:33 2003 : Debug: security: reject_delay = 1
Tue Nov 18 14:52:33 2003 : Debug: security: status_server = no
Tue Nov 18 14:52:33 2003 : Debug: main: debug_level = 0
Tue Nov 18 14:52:33 2003 : Debug: read_config_files: reading dictionary
Tue Nov 18 14:52:34 2003 : Debug: read_config_files: reading naslist
Tue Nov 18 14:52:34 2003 : Info: Using deprecated naslist file. Support for this will go away soon.
Tue Nov 18 14:52:34 2003 : Debug: read_config_files: reading clients
Tue Nov 18 14:52:34 2003 : Debug: read_config_files: reading realms
Tue Nov 18 14:52:34 2003 : Info: Using deprecated realms file. Support for this will go away soon.
Tue Nov 18 14:52:34 2003 : Debug: radiusd: entering modules setup
Tue Nov 18 14:52:34 2003 : Debug: Module: Library search path is /usr/local/lib
Tue Nov 18 14:52:34 2003 : Debug: Module: Loaded expr
Tue Nov 18 14:52:34 2003 : Debug: Module: Instantiated expr (expr)
Tue Nov 18 14:52:34 2003 : Debug: Module: Loaded eap
Tue Nov 18 14:52:34 2003 : Debug: eap: default_eap_type = peap
Tue Nov 18 14:52:34 2003 : Debug: eap: timer_expire = 60
Tue Nov 18 14:52:34 2003 :
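Bill's doubt is whether an Access-Challenge with two EAP-Message (attribute 79) portions is well-formed. RFC 3579 allows and requires that: an EAP packet longer than 253 octets is split over several EAP-Message attributes, the receiver concatenates them in order, and a single Message-Authenticator (attribute 80) covers the whole RADIUS packet, keyed with the shared secret and computed over the Request Authenticator of the Access-Request being answered. The Python below is an added example, not code from the post or from FreeRADIUS: it builds such a two-fragment challenge from constructed values (shared secret, Request Authenticator and placeholder TLS bytes are all made up here), reassembles the EAP packet and verifies the HMAC the way a receiving NAS or a packet checker would.

```python
"""RFC 3579 checks for an Access-Challenge carrying EAP over RADIUS.

Added example (not from the post or from FreeRADIUS). All values below,
including the shared secret and the Request Authenticator, are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_CHALLENGE = 11
EAP_MESSAGE = 79            # RADIUS attribute 79, at most 253 octets of value each
MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute 80, 16-octet HMAC-MD5
EAP_REQUEST = 1
EAP_TYPE_PEAP = 25


def parse_attributes(payload):
    """Walk the attribute TLVs that follow the 20-octet RADIUS header."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, l = payload[i], payload[i + 1]
        if l < 2 or i + l > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((t, payload[i + 2:i + l]))
        i += l
    return attrs


def reassemble_eap(attrs):
    """Concatenate every EAP-Message value in packet order (RFC 3579 3.1) and
    check that the EAP header's length field matches what was reassembled."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 4:
        raise ValueError("no EAP packet in this RADIUS packet")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field %d != %d octets reassembled" % (length, len(eap)))
    return code, ident, eap


def verify_message_authenticator(packet, secret, request_auth):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed;
    for a Challenge the Access-Request's Request Authenticator stands in for
    the Response Authenticator in the header (RFC 3579 3.2)."""
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, i = packet[20:], 0
    while i < len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            received = attrs[i + 2:i + 18]
            zeroed = (packet[:4] + request_auth + attrs[:i + 2]
                      + b"\x00" * 16 + attrs[i + 18:])
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        i += l
    return False   # EAP over RADIUS requires the attribute; missing means discard


def build_challenge(ident, request_auth, secret, eap_packet):
    """Server side: split the EAP packet into 253-octet EAP-Message attributes,
    then fill in Message-Authenticator and the Response Authenticator."""
    attrs = b"".join(bytes([EAP_MESSAGE, 2 + len(eap_packet[i:i + 253])])
                     + eap_packet[i:i + 253]
                     for i in range(0, len(eap_packet), 253))
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def sample_challenge():
    """A 410-octet PEAP request (placeholder TLS bytes, not a real handshake)
    that needs two EAP-Message attributes, like the capture in the post."""
    secret = b"testing123"              # constructed shared secret
    request_auth = bytes(range(16))     # constructed Request Authenticator
    tls_data = bytes(range(256)) + bytes(range(144))   # 400 placeholder octets
    body = bytes([EAP_TYPE_PEAP, 0x80]) + struct.pack("!I", len(tls_data)) + tls_data
    eap = struct.pack("!BBH", EAP_REQUEST, 3, 4 + len(body)) + body
    return build_challenge(7, request_auth, secret, eap), secret, request_auth, eap


def check_sample():
    """Returns (EAP-Message count, reassembly matches, HMAC verifies)."""
    packet, secret, request_auth, eap = sample_challenge()
    attrs = parse_attributes(packet[20:])
    fragments = sum(1 for t, _ in attrs if t == EAP_MESSAGE)
    _, _, rebuilt = reassemble_eap(attrs)
    return fragments, rebuilt == eap, verify_message_authenticator(packet, secret, request_auth)
```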
RE: Multiple realm authentication with FreeRADIUS back to Active Directory?
The idea is that the only place where pool membership would be defined is in the AD. The problem is that each pool needs to be independent, and sometimes users move between pools. And the only place (that they want to keep track of) membership is in the AD.

That kind of sucks about CHAP. Oh well, not my problem then.

I am pretty sure that AD does RADIUS. Or am I thinking of the OS under AD? (2000?)

John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Wednesday, November 19, 2003 12:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Multiple realm authentication with FreeRADIUS back to Active Directory?

Heiden, John [EMAIL PROTECTED] wrote:
> So kind of imagine a tree of sorts. The leaves/branches are the Cisco AS servers; they go back and authenticate to a Linux server with FreeRADIUS. The Linux/FreeRADIUS server then ultimately authenticates the users back to an AD server. But the different pools need different policies, etc. for connect time, and so forth.

  That's nice. How do you tell which pool a user is in?

> Does this make it clearer? I apologize if I was too confusing before. Or is there a way to get away from multiple realms given my situation?
>
> Oh, and I need to have separate accounting logs for each pool also. Meaning, I can't have everything accounted into the same file. Each pool would need to have separate accounting logs.

  FreeRADIUS can do that, once you figure out how to separate the users into pools.

> Would it make sense to authenticate to the AD via RADIUS as well? Or just use LDAP?

  Active Directory doesn't do RADIUS.

> I'm curious, why won't CHAP work? I really don't care if MS-CHAP breaks; we have never supported it here in the past. But it strikes me as odd that it would break CHAP.

  Blame Active Directory. It won't let FreeRADIUS have access to the plain-text passwords.

  Alan DeKok.
Re: My problem with PEAP
Umm... dumb question, but you don't have eap listed in the authenticate section of your radiusd.conf file twice do you?

--Mike

On Wed, 2003-11-19 at 12:31, Bill Reid wrote:
> Hey everyone,
>
> I continue to have a problem using peap with freeradius-snapshot-20031110. From what I have read about EAP, and from my discussions with others on this list, I believe I am seeing a problem from freeradius. Please correct me if I am wrong.
>
> According to the documentation in ./doc/rlm_eap, the client is not responding to step 6 Access Challenge from the radius server. I can see the Radius packet making it to the client. The only thing I can find that is odd about the challenge is that there are two eap portions of the frame. My hope is that the client is ignoring the frame because of this. Since there is no response from the client (supplicant) I do not get an EAP-Success/EAP-failure and begin to negotiate any ssl/wep stuff. So I don't even think I am verifying the server using the installed CERT at this point. In other words, I don't suspect I have a key/cert problem yet :).
>
> I have included the frames in this email. They were captured on the radius server side. Note there are two separate attempts from the client to authenticate itself. I am questioning either of the Access Challenge frames. I would love it if someone could look at these frames and tell me if they are correct (that freeradius is creating them properly).
>
> Below the message Authenticator is similar to 0x00. In the frame sent to the supplicant, the second portion EAP type 79 does not have the authenticator, the first portion EAP type 79 does have the Message Authenticator and is filled with a value other than 0x0. I am guessing that is where the hash for the password goes.
>
> Any help would be greatly appreciated. Here is the output of radiusd -Xxx
>
> Tue Nov 18 14:52:33 2003 : Info: Starting - reading configuration files ...
> Tue Nov 18 14:52:33 2003 : Debug: reread_config: reading radiusd.conf
> Tue Nov 18 14:52:33 2003 : Debug: Config: including file: /usr/local/etc/raddb/clients.conf
> Tue Nov 18 14:52:33 2003 : Debug: Config: including file: /usr/local/etc/raddb/snmp.conf
> Tue Nov 18 14:52:33 2003 : Debug: main: prefix = /usr/local
> Tue Nov 18 14:52:33 2003 : Debug: main: localstatedir = /usr/local/var
> Tue Nov 18 14:52:33 2003 : Debug: main: logdir = /var/log/radius
> Tue Nov 18 14:52:33 2003 : Debug: main: libdir = /usr/local/lib
> Tue Nov 18 14:52:33 2003 : Debug: main: radacctdir = /var/log/radius/radacct
> Tue Nov 18 14:52:33 2003 : Debug: main: hostname_lookups = no
> Tue Nov 18 14:52:33 2003 : Debug: main: max_request_time = 30
> Tue Nov 18 14:52:33 2003 : Debug: main: cleanup_delay = 5
> Tue Nov 18 14:52:33 2003 : Debug: main: max_requests = 1024
> Tue Nov 18 14:52:33 2003 : Debug: main: delete_blocked_requests = 0
> Tue Nov 18 14:52:33 2003 : Debug: main: port = 0
> Tue Nov 18 14:52:33 2003 : Debug: main: allow_core_dumps = no
> Tue Nov 18 14:52:33 2003 : Debug: main: log_stripped_names = no
> Tue Nov 18 14:52:33 2003 : Debug: main: log_file = /var/log/radius/radius.log
> Tue Nov 18 14:52:33 2003 : Debug: main: log_auth = yes
> Tue Nov 18 14:52:33 2003 : Debug: main: log_auth_badpass = yes
> Tue Nov 18 14:52:33 2003 : Debug: main: log_auth_goodpass = no
> Tue Nov 18 14:52:33 2003 : Debug: main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
> Tue Nov 18 14:52:33 2003 : Debug: main: user = (null)
> Tue Nov 18 14:52:33 2003 : Debug: main: group = (null)
> Tue Nov 18 14:52:33 2003 : Debug: main: usercollide = yes
> Tue Nov 18 14:52:33 2003 : Debug: main: lower_user = before
> Tue Nov 18 14:52:33 2003 : Debug: main: lower_pass = no
> Tue Nov 18 14:52:33 2003 : Debug: main: nospace_user = no
> Tue Nov 18 14:52:33 2003 : Debug: main: nospace_pass = no
> Tue Nov 18 14:52:33 2003 : Debug: main: checkrad = /usr/local/sbin/checkrad
> Tue Nov 18 14:52:33 2003 : Debug: main: proxy_requests = no
> Tue Nov 18 14:52:33 2003 : Debug: security: max_attributes = 200
> Tue Nov 18 14:52:33 2003 : Debug: security: reject_delay = 1
> Tue Nov 18 14:52:33 2003 : Debug: security: status_server = no
> Tue Nov 18 14:52:33 2003 : Debug: main: debug_level = 0
> Tue Nov 18 14:52:33 2003 : Debug: read_config_files: reading dictionary
> Tue Nov 18 14:52:34 2003 : Debug: read_config_files: reading naslist
> Tue Nov 18 14:52:34 2003 : Info: Using deprecated naslist file. Support for this will go away soon.
> Tue Nov 18 14:52:34 2003 : Debug: read_config_files: reading clients
> Tue Nov 18 14:52:34 2003 : Debug: read_config_files: reading realms
> Tue Nov 18 14:52:34 2003 : Info: Using deprecated realms file. Support for this will go away soon.
> Tue Nov 18 14:52:34 2003 : Debug: radiusd: entering modules setup
> Tue Nov 18 14:52:34 2003 : Debug: Module: Library search path is /usr/local/lib
> Tue Nov 18 14:52:34 2003 : Debug: Module: Loaded expr
Re: My problem with PEAP
I am asking the dumb questions here! No I don't. Thanks Mike.

-=Bill

Michael Griego wrote:
> Umm... dumb question, but you don't have eap listed in the authenticate section of your radiusd.conf file twice do you?
>
> --Mike
Re: My problem with PEAP
Bill Reid [EMAIL PROTECTED] wrote:
> I continue to have a problem using peap with freeradius-snapshot-20031110. From what I have read about EAP, and from my discussions with others on this list, I believe I am seeing a problem from freeradius.

I've looked at your packet trace, and there are two EAP packets (and therefore PEAP packets) in the Access-Challenge. I've never seen this before, so I suspect it's a local configuration issue. Still, the server should be fixed to NOT do this.

From the debug output, it looks like you've managed to make the server call the EAP module *twice* for the request, during the authenticate stage. I have no clue how you managed to do this, but it's definitely wrong. What did you edit in the server configuration to make it do this?

Under normal circumstances, PEAP should work out of the box, by simply configuring the peap{} module section, and starting the server.

Alan DeKok.
Re: My problem with PEAP
On Wed, 2003-11-19 at 13:09, Alan DeKok wrote:
> From the debug output, it looks like you've managed to make the server call the EAP module *twice* for the request, during the authenticate stage. I have no clue how you managed to do this, but it's definitely wrong.

That's exactly what I'm seeing. Bill, you didn't by chance put authorize or an Autz-Type in the authenticate section did you? Based on the trace, it really looks like this is what happened. The server jumps into the authorize section upon receiving the request (as normal), then begins the authenticate phase, but it then jumps BACK into an authorize block again before coming back out of all the mess.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Cisco VPN 3000 experience
Hi list,

I was wondering what people's experiences have been with using FreeRadius with the cisco VPN 3000 concentrator. Are there any documents outlining this?

Thanks,
Dan
Re: Cisco VPN 3000 experience
I have two 3005s and a 3015 that authenticate users via Freeradius. It just works right out of the box. I'm using our central LDAP directory that already contains user authentication info.

-Tom

On Wed, Nov 19, 2003 at 03:46:18PM -0500, Dan Didier wrote:
> Hi list, I was wondering what people's experiences have been with using FreeRadius with the cisco VPN 3000 concentrator. Are there any documents outlining this?
>
> Thanks,
> Dan

--
Tom Miller, System Administrator | 5700 SW 34th St. Suite 1235
Info Tech, Inc.                  | Gainesville, FL 32608
[EMAIL PROTECTED]                | (352)381-4400 Voice
                                 | (352)381- Fax
Mysql and Assigning an IP
I have freeradius/mysql set up authenticating on a MAX2000; the Max has the IP pool. I would like to know how to set up mysql/freeradius to handle giving out the IP. I'm sure it's just setting up the table, but I don't know the syntax.
Can this be done first time user
Hello everyone,

I've never used FreeRadius before. I think I successfully installed it on RedHat and it seems to start up OK. I added my windows XP IP address in the clients file along with a key; added the same IP address, short name, and portslave as the type; and uncommented the 3 lines in the radiusd.conf file for password, shadow, and group. I'm using a utility on my XP box called NTRadPing Test Utility to see if the radius server responds. So far, I'm not getting any responses, just the no response from server error. This is my first time messing with a RADIUS server. Does anyone see a step that I missed?

Also, the reason I'm doing this is to build a list of MAC addresses that are allowed to associate with our several wireless access points. Right now, each one has a static list of valid MAC addresses, and when we get a new employee, we have to go to each one and enter the MAC address. From what I read, a RADIUS server can be set up so that we can centralize this list. Is this a correct assumption?

Thanks very much,
Mike
Re: Can this be done first time user
FOR MAC based auth only:
- Make sure the IP address of your AP's are in the clients.conf
- Edit the users file and add the MAC address of the clients as the user name. The password is the key you set on your AP's.

Ken Connell
Intermediate Network Engineer
Computer Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709
Limiting access at a proxy server based on Called-Station-ID
I've been asked if the following is possible.

We operate a pair of radius servers that proxy several realms to their respective home servers. We need to limit their users' access based on Called-Station-ID. When the Auth request comes in from the NAS, I need to be able to consult a (possibly large) list of access numbers and determine if the user called an approved number; if so, allow the request to proceed to the home server. If not, return an Access-Reject to the NAS.

I've experimented with the DEFAULT entries in the users file, and looked at pre-proxy as well. So far I haven't come up with a good way to do this. If anyone is currently doing something like this, could you let me know how you're doing it? Keep in mind the list of Called-Station-IDs is potentially very large; management of and updates to this list need to be straightforward.

Any help will be most appreciated.

--
Mark Moody
RE: Cisco VPN 3000 experience
Do you use group functions, or is everyone in the base group?

Thanks,
Dan

-----Original Message-----
From: Tom Miller [mailto:[EMAIL PROTECTED]
Sent: Wed 11/19/2003 4:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN 3000 experience

> I have two 3005s and a 3015 that authenticate users via Freeradius. It just works right out of the box. I'm using our central LDAP directory that already contains user authentication info.
>
> -Tom
Re: Cisco VPN 3000 experience
Dan Didier [EMAIL PROTECTED] wrote:
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: base64

Please fix your mailer to send text as text, instead of encoding it.

> Content-Type: application/ms-tnef; name=winmail.dat

Please also fix your mailer to not send garbage to the list.

Alan DeKok.
Re: Limiting access at a proxy server based on Called-Station-ID
Mark Moody [EMAIL PROTECTED] wrote:
> We need to limit their users access based on Called-Station-ID. When the Auth request comes in from the NAS, I need to be able to consult a (possibly large) list of access numbers and determine if the user called an approved number, if so allow the request to proceed to the home server. If not, return an Access-Reject to the NAS.

You're probably going to have to write a module yourself to do that work. It shouldn't be too large. Use a database to store the list of access numbers, and it should be easy to manage, too.

The issue is that most modules in the server are written to find some small amount of configuration in a database for a user, and then allow other modules to use that configuration to do things. What you want is to check the user's request against a large number of things in a database. I'm not sure how that would be possible in the current server.

Alan DeKok.
Re: Can this be done first time user
At 03:28 PM 11/19/2003, Michael Shanafelt wrote:
> Hello everyone, I've never used FreeRadius before. I think I successfully installed it on RedHat and it seems to start up OK. I added my windows XP IP address in the clients file along with a key; added the same IP address, short name, and portslave as the type; and uncommented out the 3 lines in the radiusd.conf file for password, shadow, and group. I'm using a utility on my XP box called NTRadPing Test Utility to see if the radius server responds. So far, I'm not getting any responses, just the no response from server error. This is my first time messing with a RADIUS server. Does anyone see a step that I missed?

Run the server in debugging mode: radiusd -x -x -x to see what the server is doing.

Try using the 'radtest' utility that comes with FreeRADIUS.

Make sure radius is listening on the same ports you are sending to. A common problem is for one side to be using 1645/1646 and the other side to be using 1812/1813. (Historically, radius used 1645/1646, but then was found to be in conflict on the assigned ports, and moved to 18

> Also, the reason I'm doing this is to build a list of MAC addresses that are allowed to associate with our several wireless access points. Right now, each one has a static list of valid MAC addresses, and when we get a new employee, we have to go to each one and enter the MAC address. From what I read, a RADIUS server can be set up so that we can centralize this list. Is this a correct assumption?

Yes. Depending on the AP, the MAC addresses are sent as the User-Name. The best thing to do, IMHO, is to get one of the AP's pointed at the FR server, and run radius in debug mode so that you can see what the AP is sending to the Radius server. From there, you should be able to figure out what entries you'll need to add in the 'users' file to authenticate the users.

-Chris

--
Chris Parker, Director, Engineering | StarNet Inc. | WX *is* Wireless!
http://www.starnetwx.net | (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
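Ken Connell's recipe above (the client MAC as User-Name, the AP key as the password) and Chris Parker's advice to read the exact User-Name the AP sends off the debug output are the two halves of centralising the MAC list. As an added example that is not any poster's code and not part of FreeRADIUS, the Python below keeps the list in one file, accepts MACs written in any of the usual notations, renders them in the notation a given AP actually sends (the style names `colon`, `dash`, `cisco` and `bare` are my own), and writes the matching `users` entries followed by a DEFAULT reject. It uses the `Cleartext-Password` check item of FreeRADIUS 2 and later; the sample list, names and AP key are constructed.

```python
import re

# Constructed central list (not from the thread): "name  mac", with the MACs
# written however the person who entered them happened to write them.
CENTRAL_MAC_LIST = """
# name          mac
alice-laptop    00:0c:29:3a:1b:2c
bob-pda         000C.29AB.CDEF
printer-2f      00-0c-29-00-00-01
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return the 12 hex digits of a MAC in lower case, or None if it is not one."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return hexdigits if _HEX12.match(hexdigits) else None


def parse_mac_list(text):
    """Parse 'name mac' lines; '#' comments and blank lines are skipped.
    Malformed lines raise with their line number so a typo is caught at
    generation time rather than showing up as a silently unmatched client."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("line %d: expected 'name mac'" % lineno)
        hex12 = normalize_mac(parts[1])
        if hex12 is None:
            raise ValueError("line %d: %r is not a MAC address" % (lineno, parts[1]))
        entries.append((parts[0], hex12))
    return entries


def format_mac(hex12, style):
    """Render 12 hex digits the way a particular AP sends User-Name.
    Style names are assumptions: colon 00:0c:29:3a:1b:2c, dash 00-0C-29-3A-1B-2C,
    cisco 000c.293a.1b2c, bare 000c293a1b2c. Confirm the real one in radiusd -X."""
    pairs = [hex12[i:i + 2] for i in range(0, 12, 2)]
    if style == "colon":
        return ":".join(pairs)
    if style == "dash":
        return "-".join(pairs).upper()
    if style == "cisco":
        return ".".join(hex12[i:i + 4] for i in range(0, 12, 4))
    if style == "bare":
        return hex12
    raise ValueError("unknown User-Name style %r" % style)


def users_entries(text, style, ap_key):
    """Emit FreeRADIUS 'users' entries: one line per MAC whose User-Name is the
    MAC and whose password is the key configured on the APs, then a DEFAULT
    entry so anything not listed is refused."""
    lines = []
    for name, hex12 in parse_mac_list(text):
        lines.append("# %s" % name)
        lines.append('%s\tCleartext-Password := "%s"' % (format_mac(hex12, style), ap_key))
    lines.append("# anything not listed above is refused")
    lines.append("DEFAULT\tAuth-Type := Reject")
    return "\n".join(lines) + "\n"


def is_allowed(user_name, text):
    """Would this User-Name, as copied from radiusd -X output, match the list?
    Notation-insensitive, so it tells you whether the list or the AP's format
    is the problem."""
    allowed = {hex12 for _, hex12 in parse_mac_list(text)}
    return normalize_mac(user_name) in allowed


if __name__ == "__main__":
    print(users_entries(CENTRAL_MAC_LIST, "colon", "apkey-constructed"))
```

Regenerate the file and HUP the server whenever the list changes; `is_allowed()` is the check to run against a User-Name taken from the debug output before suspecting the `users` file. Since a MAC is an identifier the client presents rather than a secret it proves, treat this as an inventory control layered under whatever link-layer security the APs provide, not as device authentication on its own.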
Re: Cisco VPN 3000 experience
On Wed, 19 Nov 2003, Dan Didier wrote:
> Hi list, I was wondering what people's experiences have been with using FreeRadius with the cisco VPN 3000 concentrator. Are there any documents outlining this?
>
> Thanks,
> Dan

We use it with freeradius and ldap as a backend. We use the radius class attribute, which will lock the user into the group that we provision them to, regardless of the group they put in their vpn client. They will still need a valid group/password in the client to authenticate.

An example reply item for the user [EMAIL PROTECTED] would be

    Radius-Class = OU=mydomain.com;

Must have the OU capital and the ; at the end.

Check out http://www.cisco.com/en/US/tech/tk583/tk547/technologies_configuration_example09186a00800946a2.shtml for more info.
Rad Acct attribute show up in flat file but not database
Hi,

I'm working on getting my radius accounting records in MySQL. I noticed that the attribute

    Freeradius-Proxied-To = aa.bbb.ccc.ddd

shows up in my radius accounting flat files, but when I look at sqltrace.sql it shows up as ' ' and when I select that record from my radacct table it shows up as blank. I have checked over my table structure and sql.conf and everything seems to match up correctly. Any ideas on why it shows up in the flat files and not the database? Any help would be appreciated.

Thanks,
Re: OSX Installation Using Mysql
Hello,

After a good night, everything is better. So Andreas, congratulations for your great work; here with your package file everything works perfectly (without a glitch) on any Panther distrib (tested on 3 eMacs and 2 G4s). I'm really impressed by it (installing it with a mouse in graphical mode without doing anything is a real pleasure).

So thank you very much, but I will continue to check why, when I compile it myself, I get those errors ... I have read many docs on libraries and OSX/Darwin, but maybe I need to read more (or maybe I have read too many ...)

Anyway I have a well-installed version to work with now, so I wish to be able to help you soon.

Thanks again for your help

Julien
Huntgroup file SQL syntax.
Hi all,

Could someone please verify I'm using the right syntax for the huntgroups file and a sample row of data from the radcheck table in an SQL DB.

huntgroups:

    # Group 1
    group1 NAS-IP-Address == 10.100.50.6 NAS-IP-Address == 10.100.50.7
    # Group 2
    group2 NAS-IP-Address == 10.101.6.2

Sample radcheck, relevant part:

    Attribute,op,Value:
    Huntgroup-Name,==,group2

The reason I ask is because when I place the AV pair in an SQL table, authentication fails. But when taken out, it works. Debug output does not show an SQL query before authentication fails.

Any suggestions are appreciated.

--
Steve
Re: Huntgroup file SQL syntax, solved
Disregard, I made an error in the huntgroups syntax.

--
Steve
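Steve's question and his follow-up both turn on the layout of the huntgroups file: one alternative per line, the group name repeated on a second line for a second NAS, and comma-separated check items on one line that must all match. As an added example (not Steve's file, and not FreeRADIUS code), the Python below implements that reading of the format and evaluates a `Huntgroup-Name == group2` check item like the one in his radcheck row. The sample file is constructed; a line that carries no group name is reported with its line number instead of being silently taken as a group named after the attribute.

```python
import re

# Constructed huntgroups file in the layout the server documents: one
# alternative per line, a repeated name ORs alternatives together, and
# comma-separated check items on one line must all match.
HUNTGROUPS = """
# Group 1
group1    NAS-IP-Address == 10.100.50.6
group1    NAS-IP-Address == 10.100.50.7
# Group 2
group2    NAS-IP-Address == 10.101.6.2, NAS-Port-Type == Async
"""

# attribute, operator, value; only == and != are handled here
ITEM_RE = re.compile(r"^\s*([\w-]+)\s*(==|!=)\s*(.+?)\s*$")


def parse_huntgroups(text):
    """Return {name: [alternative, ...]}, each alternative a list of
    (attribute, op, value) tuples that must all hold."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: huntgroup name without check items" % lineno)
        name, items = parts
        alternative = []
        for item in items.split(","):
            match = ITEM_RE.match(item)
            if not match:
                # a continuation line with no group name lands here: its first
                # token is an attribute, so the remainder "== value" is malformed
                raise ValueError("line %d: bad check item %r" % (lineno, item.strip()))
            attr, op, value = match.groups()
            alternative.append((attr, op, value.strip('"')))
        groups.setdefault(name, []).append(alternative)
    return groups


def huntgroups_error(text):
    """The parse error for a huntgroups file as a string, or None if it parses."""
    try:
        parse_huntgroups(text)
    except ValueError as exc:
        return str(exc)
    return None


def request_in_group(groups, name, request):
    """True if some alternative of huntgroup `name` is fully satisfied by the
    request's attributes (a dict of attribute name to string value)."""
    for alternative in groups.get(name, []):
        satisfied = True
        for attr, op, value in alternative:
            actual = request.get(attr)
            equal = actual is not None and str(actual) == value
            if (op == "==" and not equal) or (op == "!=" and equal):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def check_huntgroup_name(groups, request, wanted):
    """Evaluate a 'Huntgroup-Name == wanted' check item such as the radcheck
    row in the thread: the request must come from a NAS in that group."""
    return request_in_group(groups, wanted, request)
```

Run `huntgroups_error()` on the file before restarting the server: a layout slip shows up as a line-numbered error here, whereas in the server it shows up only as an authentication that fails without an obvious reason.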
Re: Limiting access at a proxy server based on Called-Station-ID
I think this can also be achieved by writing a function/procedure in the database which returns the values after doing the checking.

Deepak Singhal
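Alan's answer (a small module backed by a database) and Deepak's (a database procedure that does the checking) come down to the same decision logic; as an added example that is neither poster's code nor part of FreeRADIUS, the Python below runs that decision against an in-memory SQLite table of (realm, access number) pairs, which is the data model I am assuming for Mark's list. The request dictionary, the realm-per-number model and the digits-only number normalisation are my assumptions, and the numbers are constructed. It fails closed: a request without a realm or without a Called-Station-Id is rejected rather than proxied.

```python
import sqlite3

# Constructed approved-number list (not from the thread): which access
# numbers each proxied realm's users are allowed to dial in on.
APPROVED_NUMBERS = [
    ("example.net", "800-555-0100"),
    ("example.net", "800-555-0101"),
    ("other.org", "800-555-0200"),
]


def normalize_number(number):
    """Digits only, so '1-800-555-0100', '18005550100' and '(800) 555 0100'
    compare equal; a leading country code 1 on an 11-digit number is dropped
    (North American numbering is an assumption of this example)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def open_db(rows=APPROVED_NUMBERS):
    """Stand-in for the real database: one table, keyed on (realm, number),
    so the lookup stays an indexed point query however large the list grows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE approved (realm TEXT NOT NULL, number TEXT NOT NULL,"
        " PRIMARY KEY (realm, number))"
    )
    conn.executemany(
        "INSERT INTO approved VALUES (?, ?)",
        [(realm.lower(), normalize_number(number)) for realm, number in rows],
    )
    conn.commit()
    return conn


def split_realm(user_name):
    """'user@realm' -> ('user', 'realm'); no '@' -> realm None."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


def pre_proxy_decision(conn, request):
    """Decide what the proxy does with an Access-Request before forwarding it.
    Returns ('proxy', realm) when the Called-Station-Id is approved for the
    user's realm, otherwise ('reject', reason). Anything missing is a reject."""
    user_name = request.get("User-Name")
    called = request.get("Called-Station-Id")
    if not user_name or not called:
        return ("reject", "missing User-Name or Called-Station-Id")
    _, realm = split_realm(user_name)
    if realm is None:
        return ("reject", "no realm to proxy to")
    row = conn.execute(
        "SELECT 1 FROM approved WHERE realm = ? AND number = ?",
        (realm, normalize_number(called)),
    ).fetchone()
    if row is None:
        return ("reject", "Called-Station-Id not approved for realm %s" % realm)
    return ("proxy", realm)


if __name__ == "__main__":
    db = open_db()
    # constructed request, as the attributes would arrive from the NAS
    print(pre_proxy_decision(db, {"User-Name": "alice@example.net",
                                  "Called-Station-Id": "1-800-555-0100"}))
```

Keeping the decision in one query, as Deepak suggests, means updating the list is an INSERT or DELETE and nothing in the server has to be re-read; the normalisation step is what makes that list manageable, since the NAS and the people maintaining the list rarely write a number the same way.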
itz urgent
hello sir,

i'm trying to connect freeradius to db2. i want to know how the freeradius mysql works.
1) i mean to say the front end of freeradius is available on -? where shall i find it? the interface?
2) also how the tables are maintained in the freeradius server as well as the db2 server.
3) also about the NAS
4) about the connection from the freeradius to the NAS and then to the db2 server.

i will be very grateful, also very eagerly waiting for the reply

puneeth
Simultaneous-Use works only with finger?
If I use freeradius with portslave, does checking multiple logins (Simultaneous-Use) work only with finger?