Realms and SQL

2002-12-11 Thread Alan Wong
Dear all,

I was just wondering, when I set up realms through the proxy.conf file, how do
I specify that when it gets authenticated locally it will check the SQL
database? At the moment the proxy.conf file has

realm paris {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

I want it to authenticate against the mysql database instead of the user
file currently specified. Sorry, I have tried a few different combinations
and have read the mailing list, but the threads I have read have either no
responses or responses that are vague.

Thanks in advance,
Alan



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Password

2002-12-04 Thread Alan Wong
Dear Evren,

Thank you Evren for all the help. It has solved my problem.

Alan
> Further reading in README tells that if the script returns 1 then the
> access is not granted and if it returns 0 then granted so a simple script
> which checks the username from a file and if it is there returns 1 or if
> not adds the username to file and returns 0 would do. Without touching the
> passwords. Then you can if you want delete these users from radius at a
> later time with another script parsing the file where the logged in users
> are and deleting info about these users from both files
>
> Evren
>
> On Thu, 5 Dec 2002, Evren Yurtesen wrote:
>
> > I am a little bit of a newbie to radius too. But in tacacs+ it would be possible
> > to run a shell script when a user logs on. It is possible to run a script
> > before authorization.
> >
> > Also in freeradius faq it mentions about
> >
> > o  Exec-Program-Wait, allows you to set up an external program which
> >    is executed after authentication and outputs a list of A/V pairs
> >    which is then added to the reply.
> >
> > So maybe it's possible to make such script which will change the password
> > of the user right after authentication. Also in docs README file it says
> >
> >   Exec-Program       string  program to execute after authentication
> >   Exec-Program-Wait  string  ditto, but wait for program to finish
> >                              before sending back auth. reply
> >
> > In any case you can fix this with a script perhaps =) What do you say?
> >
> > Evren
> >
> > On Thu, 5 Dec 2002, Mail Admin wrote:
> >
> > > Dear Evren,
> > >
> > > Yes it is crucial that they can only logon once. This is the most important
> > > factor and unfortunately cannot be changed. So I was thinking of trying to
> > > change the code that will change their password to null once they have
> > > authenticated but am finding great difficulty being a C beginner. Is there a
> > > better way to allow them to logon only once than the way I have suggested?
> > >
> > > Thanks in advance
> > > Alan
> > >
> > >
> > > - Original Message -
> > > From: "Evren Yurtesen" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Thursday, December 05, 2002 11:35 AM
> > > Subject: Re: Password
> > >
> > >
> > > > Why don't you search the accounting logs then delete the users which logged
> > > > in once with a script? Let's say every day? Or you can actually change
> > > > their passwords too. Is it very crucial that they only logon once? Or is
> > > > it ok if they can use the account for 1 day?
> > > >
> > > > Evren
> > > >
> > > > On Thu, 5 Dec 2002, Alan Wong wrote:
> > > >
> > > > >
> > > > > >> I need your advice regarding the password. I want to know how to set the
> > > > > >> password to null after authentication.
> > > > >
> > > > > >  Huh?  Why would you want to do that?
> > > > >
> > > > > Because I'm trying to set up a system where people can only use their
> > > > > accounts only once.
> > > > >
> > > > > Alan



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
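
The check-and-record script described in the message above (return 1 if the username is already in the file, otherwise add it and return 0), written out as an added example that is not code from this thread or from FreeRADIUS. The function name, the record-file path and passing the username as the first argument are assumptions; the lock and the whole-line match cover two simultaneous logins and look-alike names.

```sh
#!/bin/sh
# Added example (not from the thread): one-time-login gate using the return
# convention quoted above: 0 = access granted, 1 = access not granted.
# Assumptions: function name, record-file path, username passed as $1.

# once_only_login USER USED_FILE
once_only_login() {
    user=$1
    used_file=$2
    lock_dir="${used_file}.lock"

    # Refuse empty names and any character outside a conservative set, so a
    # crafted name (spaces, newlines) cannot forge extra lines in the record.
    case $user in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac

    # mkdir is atomic, so only one request at a time holds the lock. This
    # closes the gap between "check" and "add" for two simultaneous logins.
    tries=0
    until mkdir "$lock_dir" 2>/dev/null; do
        tries=$((tries + 1))
        # Fail closed: no lock (busy or stale) means no access.
        if [ "$tries" -ge 5 ]; then return 1; fi
        sleep 1
    done

    rc=1
    # -F fixed string, -x whole line: "bob" must not match "bobby".
    if ! grep -Fxq -- "$user" "$used_file" 2>/dev/null; then
        # Grant only when the name was actually recorded.
        if printf '%s\n' "$user" >> "$used_file"; then rc=0; fi
    fi

    rmdir "$lock_dir"
    return "$rc"
}

# Run as a script: first argument is the username (assumed calling style).
if [ "$#" -ge 1 ]; then
    once_only_login "$1" "${USED_FILE:-/var/tmp/radius-used-logins}"
    exit $?
fi
```

A lock directory left behind by a killed run makes every later call return 1 until it is removed, so access is refused rather than granted when the record cannot be checked.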



Re: Password

2002-12-04 Thread Alan Wong

Dear Evren,

Thank you for your advice but I just read the readme file and it does
indicate that Exec-Program-Wait is to be used in the user file. We are
currently using a mysql database, so would it be possible to set it up in a
mysql db? If possible, how? Because I'm having lots of trouble setting up
accounting for the database at the moment.

Thanks for all the help


> I am a little bit of a newbie to radius too. But in tacacs+ it would be possible
> to run a shell script when a user logs on. It is possible to run a script
> before authorization.
>
> Also in freeradius faq it mentions about
>
> o  Exec-Program-Wait, allows you to set up an external program which
>    is executed after authentication and outputs a list of A/V pairs
>    which is then added to the reply.
>
> So maybe it's possible to make such script which will change the password
> of the user right after authentication. Also in docs README file it says
>
>   Exec-Program       string  program to execute after authentication
>   Exec-Program-Wait  string  ditto, but wait for program to finish
>                              before sending back auth. reply
>
> In any case you can fix this with a script perhaps =) What do you say?
>
> Evren
>
> On Thu, 5 Dec 2002, Mail Admin wrote:
>
> > Dear Evren,
> >
> > Yes it is crucial that they can only logon once. This is the most important
> > factor and unfortunately cannot be changed. So I was thinking of trying to
> > change the code that will change their password to null once they have
> > authenticated but am finding great difficulty being a C beginner. Is there a
> > better way to allow them to logon only once than the way I have suggested?
> >
> > Thanks in advance
> > Alan
> >
> >
> > - Original Message -
> > From: "Evren Yurtesen" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, December 05, 2002 11:35 AM
> > Subject: Re: Password
> >
> >
> > > Why don't you search the accounting logs then delete the users which logged
> > > in once with a script? Let's say every day? Or you can actually change
> > > their passwords too. Is it very crucial that they only logon once? Or is
> > > it ok if they can use the account for 1 day?
> > >
> > > Evren
> > >
> > > On Thu, 5 Dec 2002, Alan Wong wrote:
> > >
> > > >
> > > > >> I need your advice regarding the password. I want to know how to set the
> > > > >> password to null after authentication.
> > > >
> > > > >  Huh?  Why would you want to do that?
> > > >
> > > > Because I'm trying to set up a system where people can only use their
> > > > accounts only once.
> > > >
> > > > Alan



Re: Password

2002-12-04 Thread Alan Wong

>> I need your advice regarding the password. I want to know how to set the
>> password to null after authentication.

>  Huh?  Why would you want to do that?

Because I'm trying to set up a system where people can only use their
accounts only once.

Alan




Password

2002-12-04 Thread Alan Wong
Dear all,

I need your advice regarding the password. I want to know how to set the
password to null after authentication. I have looked at the code and being a
total programming newbie I am totally stumped. Can you please point me in
the right direction?

Thanks in advance
Alan






Re: Acct-Session-Id = negative

2002-12-04 Thread Alan Wong
Alan,

I am currently using 0.8; should I check out the latest snapshot?

Thanks in advance!

"Alan Wong" <[EMAIL PROTECTED]> wrote:
> I'm not sure if this value is valid or not but I keep getting for
> acct-session-id a negative value.
> rad_recv: Accounting-Request packet from host 192.168.111.30:1604, id=38,
> length=41
> User-Name = "test"
> Acct-Status-Type = Start
> Acct-Session-Id = "-640703"

  You must have an old version of the server.

> Also I get this error. I know I'm meant to remove that attribute from
> previous postings but I'm not sure how to.
> Do I remove it from the C file then recompile? Sorry, I'm totally lost here.
> rlm_acct_unique: WARNING: Attribute 87 was not found in request, unique ID
> MAY be inconsistent

  So configure rlm_acct_unique with attributes which ARE in the
request.

  Alan DeKok.








Acct-Session-Id = negative

2002-12-02 Thread Alan Wong
Dear all,

I'm not sure if this value is valid or not but I keep getting for
acct-session-id a negative value.
rad_recv: Accounting-Request packet from host 192.168.111.30:1604, id=38,
length=41
User-Name = "test"
Acct-Status-Type = Start
Acct-Session-Id = "-640703"

Also I get this error. I know I'm meant to remove that attribute from
previous postings but I'm not sure how to.
Do I remove it from the C file then recompile? Sorry, I'm totally lost here.
rlm_acct_unique: WARNING: Attribute 87 was not found in request, unique ID
MAY be inconsistent


Also with regards to accounting I have tried to configure sql counter but am
a little confused. Can someone please provide an example table for radcheck?
Because I want to set a maximum login session time but not sure where to set
it in which table. I think it's in radcheck but not 100% sure.

Thanks in advance for the help

Alan






EAP Protocol

2002-12-01 Thread Alan Wong
Dear all,

I was wondering if it is possible to test out the EAP protocol over a LAN
without actually using an AP or Wi-Fi client. If they are needed is it
possible to simulate them with some type of software?

Thanks in advance,
Alan Wong






Re: Linux+freeradius+mysql

2002-11-27 Thread Alan Wong
> > Message: 1
> > From: Novoselsky Alexander <[EMAIL PROTECTED]>
> > To: "'[EMAIL PROTECTED]'"
> > <[EMAIL PROTECTED]>
> > Cc: Rubinstein Dmitry <[EMAIL PROTECTED]>
> > Subject: RE: Re: FreeRadius 0.8, Oracle 8.1.7. Problem with CPU load
> > Date: Wed, 27 Nov 2002 21:37:36 +0200
> > Reply-To: [EMAIL PROTECTED]
> >
> > > -Original Message-
> > > From: Chris Parker [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, November 26, 2002 7:47 PM
> > > To: [EMAIL PROTECTED]
> > >
> > > > > Maybe they cache the responses from Oracle.  Look at the queries
> > > > > they do to Oracle, to see what's going on.
> > > > Maybe. But OpenRADIUS and Navis Radius use simple SQL queries:
> > > > "SELECT password FROM users WHERE username = ?".
> > > > It seems to me, in FreeRadius 0.8 SQL query is not configurable
> > > > parameter.
> > > > But FreeRadius 0.7.1 used almost the same SQL query (it was in file
> > > > sql.conf).
> > >
> > > Nope, you can edit the queries in 'sql.conf' for all versions of
> > > FreeRADIUS.
> > > Try editing it and see what it does to the performance.  A simpler
> > > query ( assuming properly indexed tables, etc ) should return faster.
> >
> > Thank you for advice, Chris.
> >
> > I tried to leave in file 'sql.conf' only 1 line with SELECT:
> > authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM
> > ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
> >
> > It improved results: instead of 25-30% CPU load, now works with Oracle
> > takes 15-20% CPU load.
> >
> > Maybe, source of my problem was so. I filled only table 'radcheck', but
> > left in file 'sql.conf' all SQL queries, which tried to search in empty
> > tables.
> >
> > Best regards,
> > Alexander Novoselsky, Programmer
> > E-mail: [EMAIL PROTECTED]
> >

Re: User Configuration Help and Interesting Scenario

2002-11-27 Thread Alan Wong
Dear all,

Sorry for the badly worded question which has caused a big confusion. I
think I should explain the problem at hand instead of asking bits and
pieces. I want to be able to use an authentication server which will receive
a request. This request asks the authentication server to dynamically add
the user and also generate a one time password. Then after the user is
authenticated with that password it will be deleted.

Therefore the question is, are there add on modules that can dynamically add
a user and generate a one time password?

But now that the only way to dynamically add a user is through a database
(we do not want to even restart the auth server) therefore the main question
is, is there a module to generate a one time password (and also be able to
delete the user after the password has been used)?

Sorry for the confusion caused.

Thanks in advance,
Alan

>From: Chris Brotsos <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: User Configuration Help and Interesting Scenario
>Date: Wed, 27 Nov 2002 07:39:13 -0600
>
>Alan,
>
>At 11:38 PM 11/27/2002 +1100, you wrote:
>>Dear all,
>>
>>I have just installed radius 0.8 on my redhat 7.2 box. Being a total
>>newbie I just wanted to know two things...
>>
>>1) Firstly how do I add new users and then without restarting make radius
>>reread the users file? Is there a configuration switch to allow me to do
>>that? If it isn't possible, can I set up a database and do it that way? I
>>just need to know how to dynamically add new users without restarting the
>>radius server.
>
>Yes, you will need to use a database.
>
>
>>2) Is it possible for radius to also send back a string (password) back to
>>the client instead of just accept-accept. Or will I have to set up another
>>machine or program to do that?
>
>I am a little unsure of what you mean here, but I think you are referring
>to the use of a Reply-Message attribute that can be added to the user's
>profile to send back a string with your Access-Accept packet.
>
>Chris
>
>
>



User Configuration Help and Interesting Scenario

2002-11-27 Thread Alan Wong
Dear all,

I have just installed radius 0.8 on my redhat 7.2 box. Being a total newbie
I just wanted to know two things...

1) Firstly how do I add new users and then without restarting make radius
reread the users file? Is there a configuration switch to allow me to do
that? If it isn't possible, can I set up a database and do it that way? I
just need to know how to dynamically add new users without restarting the
radius server.

2) Is it possible for radius to also send back a string (password) back to
the client instead of just accept-accept. Or will I have to set up another
machine or program to do that?

Thanks for the help in advance...

Alan Wong
