Re: CHAP + Linux Accounts

2003-01-29 Thread Andrew Pilley
On Wed, Jan 29, 2003 at 06:35:05PM -0600, Ryan Beisner wrote:
> Hi All
> 
> My problem is:  when a Win9x machine dials and auths, it uses CHAP. 
> While I'm "tailing" the log file, it points out that it isn't gonna
> work, and to read the FAQ.  OK.
> 
> Is there any way to allow CHAP authentication to LINUX SYSTEM accounts
> (via passwd, shadow, etc) ?? 

no, but you CAN force the other end to only accept pap. We only accept
PAP here, and as far as i know, all dialup accounts work without any
special settings. we haven't had any customers complaining about it, and
most of them end up using win95/98 that they borrowed from friends.

here, we just set

authenticate {
    authtype PAP {
        pap
    }

    pap
}

in the radiusd.conf, and it's working nicely.

that said, the problem with chap is that the radius server *must* know
the full password, since CHAP is in effect a shared-secret based
authentication mechanism, and if it's encrypted using a one-way hash,
you won't be able to get the password out of it to build the
challenge/response packets.

Personally, i'd rather risk someone breaking into the phone exchange and
sniffing the password off the wire than someone lifting the entire set
of passwords from my radius server.

also, it's possible for you to actually add the cleartext password to
/etc/raddb/users(.conf) and have that override the shadow password. less
messing around than SQL, but harder to maintain, and still easy to
steal.

Andrew Pilley

> 
> 
> Thanks in advance!
> 
> -Ryan
> 
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
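To make concrete why CHAP forces the RADIUS server to hold the cleartext password (the point made above), here is an added Python illustration; it is not code from the thread or from FreeRADIUS. It builds the RFC 1994 response MD5(Identifier || Secret || Challenge), unpacks a RADIUS CHAP-Password attribute value into identifier and response, and shows that the verifier can only succeed when the stored credential is cleartext. The function names and the `stored` dict shape are my own.

```python
"""Why CHAP needs the cleartext password on the RADIUS server (RFC 1994)."""
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """Client side: Response = MD5(Identifier || Secret || Challenge).

    ident is the one-octet CHAP Identifier; secret and challenge are bytes.
    """
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def split_chap_password(attr_value):
    """Unpack a RADIUS CHAP-Password attribute value: 1 octet Ident + 16 octet MD5 response.

    A missing or malformed attribute is what rlm_chap's
    'Could not find proper Chap-Password attribute' message reports.
    """
    if len(attr_value) != 17:
        raise ValueError("CHAP-Password value must be exactly 17 octets")
    return attr_value[0], attr_value[1:]


def verify_chap(ident, challenge, response, stored):
    """Server side. `stored` (shape assumed for this example) is the credential on file:
    {"type": "cleartext", "value": b"..."}  -> can be verified
    {"type": "crypt",     "value": "$1$.."} -> cannot: a one-way hash of the
    secret gives no way to recompute MD5(ident || secret || challenge).
    """
    if stored["type"] != "cleartext":
        return False  # same outcome as a hashed-only backend: Access-Reject
    expected = chap_response(ident, stored["value"], challenge)
    return hmac.compare_digest(expected, response)  # constant-time compare


def chap_exchange(secret_on_client, stored):
    """One login attempt end to end; returns True for Access-Accept."""
    ident = 7
    challenge = os.urandom(16)          # sent to the client in CHAP-Challenge
    resp = chap_response(ident, secret_on_client, challenge)
    attr = bytes([ident]) + resp        # what the NAS puts in CHAP-Password
    got_ident, got_resp = split_chap_password(attr)
    return verify_chap(got_ident, challenge, got_resp, stored)
```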



Re: Problem with 1,000,000 users

2003-01-20 Thread Andrew Pilley
On Mon, Jan 20, 2003 at 08:12:50PM -0200, leaobicalho wrote:
> Why, when I use 1,000,000 users with the users file, does it show
> this message??? If I use 100,000 there is no problem, but
> when I use many there is always a problem... why? My structure of the
> users file:
> login1  auth-type=accept
> login2  auth-type=accept
> login3  auth-type=accept
> login4  auth-type=accept
> 
> root@lala> radiusd -x
> Load
> Loading fastusers
>  Usesfile...
> Killed
> root@lala>

i'm guessing that either a) you got killed by the OOM killer (out of
memory) in newer linux kernels, or b) you ran into a limit (run ulimit
-a to check this, although this probably isn't the case, since you're
running as root).

run "dmesg" after this happens, and check that it hasn't mentioned
something about killing your process.

Andrew Pilley




Re: best way to check additional SQL field?

2003-01-16 Thread Andrew Pilley
On Thu, Jan 16, 2003 at 05:57:30PM -0600, matthew simpson wrote:
> I have freeradius 0.8.1 running against a MySQL database successfully.
...[snip]...
> 
> Do I need to patch the sql handler to do this, or is there a way to do it
> with what I already have?

This is usually where the more extended features of SQL kick in.

sub-selects will probably do what you want here:

SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE UserName IN
(SELECT UserName FROM masteraccounts WHERE AccountStatus <> '0');

edit sql.conf and replace the various fields with the variable names
appropriately, and you should end up selecting entries that only have a
non-zero accountstatus.

you may need to test it manually a little in mysql to make sure you've
got the syntax correct before testing it in freeradius.

http://www.mysql.com/doc/en/ANSI_diff_Sub-selects.html has more info on
the subject

look into using JOIN too, but beware that joins can take a large amount
of memory and processing power unless you're careful about your usage.

Hope that helps
Andrew Pilley

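As an added worked example (not the poster's or FreeRADIUS's own code) of the sub-select above and the JOIN alternative mentioned after it: both queries run here against an in-memory SQLite copy of radcheck plus a constructed masteraccounts table, and return the same check items; a disabled account, or one with no masteraccounts row at all, gets no check items back. The `?` placeholder stands where sql.conf carries the user-name variable. SQLite is used because MySQL releases before 4.1 had no sub-selects, which is also why the JOIN form is worth having.

```python
"""Authorize-time check-item query gated on an account-status table."""
import sqlite3

# Constructed cut-down schema: radcheck as on this page, plus the
# masteraccounts table the question describes.
SCHEMA = """
CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE masteraccounts (UserName TEXT PRIMARY KEY, AccountStatus TEXT);
"""

# Constructed rows: alice is active, bob is disabled ('0'), carol has
# check items but no masteraccounts row at all.
RADCHECK = [
    (1, "alice", "Crypt-Password", "==", "$1$saltsalt$PLACEHOLDERHASH"),
    (2, "bob", "Crypt-Password", "==", "$1$saltsalt$PLACEHOLDERHASH"),
    (3, "carol", "Crypt-Password", "==", "$1$saltsalt$PLACEHOLDERHASH"),
    (4, "alice", "Simultaneous-Use", ":=", "1"),
]
MASTERACCOUNTS = [("alice", "1"), ("bob", "0")]

# Sub-select form of the query from the post; '?' is bound to the user name.
SUBSELECT_QUERY = """
SELECT id, UserName, Attribute, Value, op
  FROM radcheck
 WHERE UserName = ?
   AND UserName IN (SELECT UserName FROM masteraccounts
                     WHERE AccountStatus <> '0')
 ORDER BY id
"""

# The same filter as an inner JOIN, for servers without sub-select support.
JOIN_QUERY = """
SELECT rc.id, rc.UserName, rc.Attribute, rc.Value, rc.op
  FROM radcheck rc
  JOIN masteraccounts ma ON ma.UserName = rc.UserName
 WHERE rc.UserName = ? AND ma.AccountStatus <> '0'
 ORDER BY rc.id
"""


def open_sample_db():
    """Build the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radcheck VALUES (?,?,?,?,?)", RADCHECK)
    conn.executemany("INSERT INTO masteraccounts VALUES (?,?)", MASTERACCOUNTS)
    conn.commit()
    return conn


def check_items(conn, username, query=SUBSELECT_QUERY):
    """Return the check-item rows rlm_sql would hand to the authorize stage."""
    return conn.execute(query, (username,)).fetchall()
```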



Re: Sql authentication

2003-01-12 Thread Andrew Pilley
On Sun, Jan 12, 2003 at 03:52:16PM +0300, CEBKA wrote:
> Hello, Andrew.
> 
> But there is a record in the mysql database in the radcheck table:
> 
> ID UserName  Attribute  Op  Value
> 1  test  Chap-Password  :=  testing

okay. i'm puzzled as to why you're using := and not ==, but it should
still be a matching check item.

that said, does authentication work if you attempt to use pap or
cleartext passwords in the mysql database? getting it working at all is
probably your first step, also, perhaps you could show us what other
check and reply attributes you're setting in the database...

other than that, i'm not sure what you're missing, unless it's part of
the actual configuration file radiusd, but since it sounds like it's at
least attempting rlm_sql, i'm not sure what you could be missing. have
you tried running the queries manually, and seeing what they produce?
make sure it's actually retrieving a useful set of attributes...

Andrew Pilley

> 
> -- 
> Best regards,
>  CEBKA  mailto:[EMAIL PROTECTED]



Re: Sql authentication

2003-01-11 Thread Andrew Pilley
okay

rlm_chap: Could not find proper Chap-Password attribute in request

Here, it looks like it's attempting to do chap, but that the opposite
end isn't SENDING chap. make sure your authenticate section looks
something like
authenticate {
    authtype CHAP {
        chap
    }

    chap
}


keep in mind that i'm using pap here at my site, so i deal with
Crypt-Password md5 hashes. Make sure that the dialup user is DEFINITELY
using chap.

Andrew Pilley

On Sat, Jan 11, 2003 at 09:51:03PM +0300, CEBKA wrote:
> Hello, Andrew
> 




Re: Not quite working right

2003-01-11 Thread Andrew Pilley
On Fri, Jan 10, 2003 at 08:20:04PM -0800, Don O'Neil wrote:
> Everyone,
>   I'm a newbie here, so please don't hack me to shreds. I've read the FAQ and
> Docs closely, and tried everything I can, but I must be missing something

OT to this, but think about getting the book RADIUS, from the oreilly
network. has sections on freeradius, and deals with freeradius+mysql in
particular

> 
> I successfully built v81 of FreeRadius on my server, and I can properly
> authenticate using the USERS file, and demo user of 'steve'


> 
> However, for whatever reason, I cannot get the server to connect to the mySQL
> database to look up users there, and the dialup_admin program can't seem to add
> or edit users because of this.

i suspect that when you built freeradius, it couldn't find the MySQL
development files. make sure you've got any development packages for
mysql installed on your server (or whatever host you built freeradius
on).

if they're not available through /usr/include or /usr/local/include,
then you'll need to specify
./configure --with-rlm-mysql-lib-dir=/path
--with-rlm-mysql-include-dir=/path

but if you're using the more common linux distributions (for example)
typically, the packages install these files in /usr/lib|/usr/include,
and they'll be found automatically.

> 
> I know the DB is working, as I can connect to it using mysql, or phpmyadmin. The
> tables are there, as per the schema for both apps.
> 
> I'm thinking that I missed a configure option when I built it, but a
> configure --help doesn't say anything about mysql. I've properly configured the

try and find a file called "mysql.h" somewhere on your system, or the
provided packages for mysql (client development packages or whatever).
once that's installed, configure will probably just work.
> 
> Now, there is no module in my /usr/local/lib directory called rlm_sql_mysql...
> there is one called rlm_sql though, nor is there source for such a module name.
> So, in the sql.conf file I changed the driver from 'rlm_sql_mysql' to
> 'rlm_sql'... and then the server just hangs with this in the log:

unfortunately, you got that part wrong. rlm_sql is a wrapper around the
various rlm_sql_* libraries, to allow radius to have a
write-once-use-many approach to SQL servers. the particular server is
chosen inside sql.conf, and iirc, mysql is the default.

> 
> Fri Jan 10 20:13:32 2003 : Info: rlm_sql (sql): Driver rlm_sql (module SQL)
> loaded and linked
> Fri Jan 10 20:13:32 2003 : Info: rlm_sql (sql): Attempting to connect to
> root@localhost:/radius
> 
> running radiusd -X results in the following:
> 
> rlm_sql (sql): Driver rlm_sql (module SQL) loaded and linked
> rlm_sql (sql): Attempting to connect to root@localhost:/radius
> rlm_sql (sql): starting 0
> rlm_sql (sql): Attempting to connect SQL #0
> Segmentation fault

you get the segmentation fault, probably because radiusd isn't doing
strict function-name checking on the rlm modules, and didn't notice that
the functions it needed weren't available. then it tries to call a
non-existent function, and *boom*.

> 
> Any clues as to what I'm doing wrong here? Maybe the MySQL module just got left
> out of the .81 distrib?

it's definitely there :)

> 
> I'm running this on a FreeBSD 4.5 system.

right. if you've installed the mysql port, it's probably added itself to
/usr/local/somedir. use /usr/local/somedir/include and
/usr/local/somedir/lib as the /path options i mentioned near the top.


Andrew 'ashridah' Pilley

> 
> Thanks!
> Don



Re: accounting problems

2003-01-11 Thread Andrew Pilley
On Fri, Jan 10, 2003 at 11:26:32AM -0600, Ray wrote:
> everything seems to be working well. but we are having some minor issues.
> OT humor: how do you make it clear that 'HP Authorized Customer' is not their 
> username? 

if it happens regularly enough with that exact username, create a user 
with that, assign an rfc1918 Framed-Address to them, filtered at your 
border gateway, and ignored by most servers, and then redirect it to a 
webpage at a particular port number using a relatively complex router, 
and tell them. 

works for users who have used their allotted hours for me. if the
server's 404 document points to an existing page, usually you can get
any site to redirect to your error message, in a similar fashion to
transparent proxying.

Andrew 'ashridah' Pilley




Re: Sql authentication

2003-01-10 Thread Andrew Pilley
On Fri, Jan 10, 2003 at 07:50:35PM +0300, CEBKA wrote:
> Hello
> 
> Sorry, if this question took place, but I want to know whether the rlm_mysql
> module can do authentication. If I have a user in the radcheck/radreply
> tables with correct AV values, when I use radtest with this username
> and password my server sends an Access-Reject packet. This works well
> with local files. So can I do this without local authentication, using
> only the MySQL database?

run your freeradius server using the command "radius -x", to get debug
output. you may also want to examine sql.conf, and set some extra
settings there, and make mysql log in fairly verbose terms.

That should show you where the problem is coming from. i had to play
with the exact name of the AV pairs for the password for a day or two to
realise i wanted Crypt-Password for an md5/crypt hash password. make
sure you set Auth-Type, and use the correct entry in the "op" field.

Andrew 'ashridah' Pilley





> 
> -- Best regards,
> CEBKA  mailto:[EMAIL PROTECTED]



Re: Authentication time

2003-01-10 Thread Andrew Pilley
On Fri, Jan 10, 2003 at 10:07:34AM -0500, Roy Wills wrote:
> hmmm, i don't think i am explaining this very well. I need some users to only
> have access for a week (ie: monday to following monday) and some users have a
> month of access (ie: Jan 1 to Jan 31). I do not think that actual session
> times are going to work in this case since they are not actually doing a
> traditional dial-in setup. Radius is just there to have centralized
> authorization for about 6 networks across the city. Is there an attribute to
> allow from first login to say disable after 7 days or 30 days?

i suspect you'll have to use perl/python and friends to write a script
to check through their logs, and when they reach their limit, modify
their password so they can no longer authenticate properly.

I'm in the middle of doing something similar to work with pre-paid
accounts, but i'm in no position to be giving out code at this time.
in my case, however, i'm adding a Framed-Address reply for that user,
(made easy by using mysql for auth/logging) which belongs to the rfc1918
address range. this allows me to filter any web requests to our own
webpage, which displays an appropriate message (since windows ignores any
ppp messages iirc) allowing us to let them on, but not to do anything
useful (stops people who have autodial from dialing up a fortune in
connect/disconnect charges)

Andrew 'ashridah' Pilley

> 
> 1/10/03 4:18:42 AM, Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> 
> >On Thu, 9 Jan 2003, Roy Wills wrote:
> >
> >> ok...i have read the radiusd.conf and scoured once again the docs and am not
> >> grasping where i need to put the attrib. i have users that only have access
> >> for a week and some for a month. Its
> >> all time-frame based and varies. i guess my question now is do i have a line
> >> like this for every usrs on top of the accept lines?
> >>DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
> >>Reply-Message = "You've used up more than one hour today
> >> or do i need to create a db.counter file for theese? If this is totally wrong
> >> can you point me to a faq better than the docs that are with it?
> >
> >The docs are really just fine.
> >
> >You can set the corresponding attribute for each user:
> >
> >userweekly   Max-Weekly-Session := 4500
> >
> >usermonthly  Max-Monthly-Session := 45000
> >
> >Just make sure you don't set DEFAULT entries with these attributes.
> >
> >>
> >>
> >> 1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> >>
> >> >Roy Wills <[EMAIL PROTECTED]> wrote:
> >> >> Is there a way to limit the time a user can spend online? What i
> >> >> want to do is say that user X has 1 week of use and after that they
> >> >> are no longer allowed to log in.
> >> >
> >> >  Yes.  Read 'raddb/radiusd.conf', and look for the 'counter' module.
> >> >
> >> >> If so when does the time start, when the first logins or when i put
> >> >> the user/pass in the users file?
> >> >
> >> >  When the user first logs in.
> >> >
> >> >  Alan DeKok.
> >> >
> >--
> >Kostas Kalevras  Network Operations Center
> >[EMAIL PROTECTED]   National Technical University of Athens, Greece
> >Work Phone:  +30 210 7721861
> >'Go back to the shadow'  Gandalf



Re: quick rlm_sql radacct question

2003-01-06 Thread Andrew Pilley
On Mon, Jan 06, 2003 at 10:51:48AM -0500, Alan DeKok wrote:
> Andrew Pilley <[EMAIL PROTECTED]> wrote:
> > Hey. Just a quick question. if a radius+mysql server is unexpectedly
> > shut down (power failure or otherwise) without being given a chance to
> > quit, and there are active sessions, will freeradius clean out any
> > leftover sessions in the raddacct table?
> 
>   Uh, when?  If it dies when the power goes off, it doesn't have time
> to clean them out.  When the power comes back up, the server won't
> root through all of the accounting data, to "fix" it, as that is
> pointless.

Granted. I was more checking for unexpected behavior, like adding in
weird entries. It doesn't do that, that's okay.

> 
> > and what if only the radius+mysql server died, and the sessions were
> > still active?
> 
>   Sessions were?  On the NAS?

Yes, on the NAS, since the radius server can't really assume they're 
still active.

> 
>   If you're thinking that "active sessions" are stored in the SQL
> database, you're wrong.  The server gets information about active
> sessions from the NAS, and stores that information in the database.
> But the information may be delayed seconds to minutes, and it may be
> wrong.

No, I assumed that. It was more along the lines of "will the radius
server 'deal' with a connection that closes after state loss at the
radius server's end". If rlm_sql just "works out" which entry to update
from the session id from the NAS, then that's fine, I just wanted to
know what it would do, given the two scenarios.

> 
>   You're better off thinking of the SQL database as a collection of
> "the most recent things the NAS told me about".  But it's NOT a "list
> of active sessions".

Fair enough. And I'll add some extra scripts to my startup stuff to
close off any entries that are basically useless for accounting (I don't
want my normal accounting software to be confusable because of power
issues.) If I want a complete log of what the NAS said, I'll use the
detail file, since that'll still contain the relevant data. The sql
database is more for accounting convenience. 

> 
> > I'm just looking into things i have to do on startup of the system to
> > possibly handle catastrophic failures and dealing with accounting
> > adequately. I'm using an ascend 4000max series access server.
> 
>   I don't understand what you're worried about.  If the power goes off
> to the server and/or the SQL database, then the collection of "things
> the NAS told it" is untouched.  If the power to the NAS goes off, then
> you can tell the old information in the database about a NAS port is
> no longer valid, when new information for that NAS port comes in.

I'm not worried. as I said, I was enquiring about unexpected behaviour
(like rlm_sql marking entries it considers "unfinishable" in some way,
due to state loss. since that's not going to happen, that's no problem).

Covering the unexpected is my job as a system administrator. I'd prefer
to not find out about it if I have another 3am extended power failure :)


Thanks for the answers,
Andrew Pilley

> 
>   Alan DeKok.



Re: quick rlm_sql radacct question

2003-01-05 Thread Andrew Pilley
On Sun, Jan 05, 2003 at 08:04:29AM -0800, bogdan wrote:
> I had this problem today, it didn't clean them up, i had to do it
> manually. anyhow i say UPS the machines dealing with AAA, as i did today
> :).

ah cool. We're currently provisioning a better UPS at the moment,
largely because the original one was only meant to arrest the flickers
we get far more often than a prolonged outage. It also doesn't support
system notification, since it's a workstation model. I'll make sure the
new one does, so the radius server can kick everyone off then shut down
cleanly. 


> 
> ---
> Use phpMyAdmin, it's useful... and do this operation :

I am using phpmyadmin. it's very handy :)

> 
> SELECT DISTINCT UserName,AcctStartTime,FramedIPAddress,CallingStationId FROM radacct WHERE AcctStopTime = '0';

hmm. DISTINCT is a new one on me. *checks the mysql manual*. hmm. why
would you need to use distinct? they all look like they'd be fairly
distinct already...

> 
> So then you can clean them up good :). Brute force.

yeah. i'll have to write a quick python script to fix them up. just at
least make sure the sessions are completely closed off, and approximate
the kill-time. won't be able to guess the download time tho, but we
don't have too many clients on that plan that aren't using satellite
(where we charge rates for the satellite instead of the dialup
downloads)

Thanks

Andrew Pilley

> ---
> 
> Hope it helped.
> 
> ---
> Best regards,
>  Bogdan
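The startup cleanup mentioned in the 2003-01-06 reply above and the "quick python script" described in this one, as an added Python illustration that is not the poster's or FreeRADIUS's own code. It runs against an in-memory SQLite copy of a cut-down radacct table, treats a NULL AcctStopTime as an open session (the schema of the time stored a zero date, as the query above shows, so adapt the WHERE clause), and closes only sessions that started before the outage, so live sessions from the restarted NAS are untouched. The stop time is the outage time, which is the approximation described above; Lost-Service is the RFC 2866 Acct-Terminate-Cause for a lost link.

```python
"""Close radacct rows left open by a RADIUS/MySQL server losing power."""
import sqlite3
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed subset of the radacct schema; open sessions have AcctStopTime NULL.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId INTEGER PRIMARY KEY,
    AcctSessionId TEXT, UserName TEXT, NASIPAddress TEXT,
    AcctStartTime TEXT, AcctStopTime TEXT,
    AcctSessionTime INTEGER, AcctTerminateCause TEXT
);
"""

# Constructed rows around an outage at 03:00: row 1 was open when power went,
# row 2 had already stopped, row 3 is a fresh session after the NAS came back.
SAMPLE_ROWS = [
    (1, "0001", "alice", "192.0.2.10", "2003-01-05 02:10:00", None, None, None),
    (2, "0002", "bob", "192.0.2.10", "2003-01-05 02:30:00",
     "2003-01-05 02:45:00", 900, "User-Request"),
    (3, "0003", "carol", "192.0.2.10", "2003-01-05 03:20:00", None, None, None),
]


def open_sample_db():
    """Build the in-memory radacct table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def close_stale_sessions(conn, outage_at, cause="Lost-Service"):
    """Stop every session still open when power was lost at `outage_at`.

    Sessions that started after the outage belong to the restarted NAS and
    are left alone. Returns the RadAcctIds that were closed.
    """
    stamp = outage_at.strftime(FMT)
    cur = conn.execute(
        "SELECT RadAcctId, AcctStartTime FROM radacct "
        "WHERE AcctStopTime IS NULL AND AcctStartTime <= ?",
        (stamp,),
    )
    closed = []
    for acct_id, start in cur.fetchall():
        started = datetime.strptime(start, FMT)
        session_secs = int((outage_at - started).total_seconds())
        conn.execute(
            "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ?, "
            "AcctTerminateCause = ? WHERE RadAcctId = ? AND AcctStopTime IS NULL",
            (stamp, session_secs, cause, acct_id),
        )
        closed.append(acct_id)
    conn.commit()
    return closed


def session_state(conn, acct_id):
    """(AcctStopTime, AcctSessionTime, AcctTerminateCause) for one row."""
    return conn.execute(
        "SELECT AcctStopTime, AcctSessionTime, AcctTerminateCause "
        "FROM radacct WHERE RadAcctId = ?",
        (acct_id,),
    ).fetchone()
```

Run it once from the server's startup sequence with the time the UPS or syslog says power was lost; the detail file still holds what the NAS actually reported.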



quick rlm_sql radacct question

2003-01-04 Thread Andrew Pilley
Hey. Just a quick question. if a radius+mysql server is unexpectedly
shut down (power failure or otherwise) without being given a chance to
quit, and there are active sessions, will freeradius clean out any
leftover sessions in the raddacct table? (for simplicity, we assume the
connections died at the same time as the power failure) 

and what if only the radius+mysql server died, and the sessions were
still active?

I'm just looking into things i have to do on startup of the system to
possibly handle catastrophic failures and dealing with accounting
adequately. I'm using an ascend 4000max series access server.

(obviously, the first goal will be to not lose power on the access
server at all, since that contains the final accounting data.)

thanks for the advice,
Andrew Pilley





Re: SQL vs LDAP with FreeRADIUS.

2003-01-03 Thread Andrew Pilley
On Fri, Jan 03, 2003 at 05:38:49PM -0500, Steve Fulton wrote:
> Hi all,
> 
> I'm evaluating FreeRADIUS, and will be using a backend DB of some sort for 
> AAA as necessary.  I'm looking for opinions and observations between using 
> an SQL backend, like MySQL or PostgreSQL, or possibly LDAP.  What is your 
> experience?

I've recently started using Freeradius with MySQL here at a small isp
I'm running. So far, i've been fairly impressed with the capabilities,
after i made a few slight modifications to the SQL schema (i added a
single "unprocessed" flag that defaults to 1 and can't be null, so that
i can mark off entries in the SQL radacct table after i've processed
them for billing and accounting).

I don't know of many people who are using PostgreSQL, but i imagine it
works equally well with that.

I can't comment on LDAP, but I'd be inclined to choose whichever you can
get data back out of and add data to the easiest. Currently i'm writing
a custom administration frontend for my own purposes, and doing that for
SQL is a tad easier than for LDAP (if only because of the extensive
documentation).

That said, I don't know why there'd be any reason why you couldn't
mix-n-match. Log accounting details to a SQL database, and get
authorization details from LDAP. just the added annoyance of relying on
one more point of failure.

Other people may have more extensive comments, but generally,
freeradius+SQL seems fast, and responsive (since it doesn't need to keep
checking the shadow/passwd files every time someone logs on). The added
security can be a bonus too (I've seen a few instances where all radius
users could login to the radius server itself!)

HTH
Andrew Pilley

> 
> -- Steve



Re: Hmmmm, is it working

2003-01-03 Thread Andrew Pilley
On Fri, Jan 03, 2003 at 05:36:25PM -0600, Robert Canary wrote:
> Where is the documentation that explains this.  I can't seem to find it.

It's a little hard to find, and not completely up to date with recent
versions of freeradius, but the file RADIUS-SQL.schema contains a link
to a site, http://www.frontios.com/freeradius.html which gives some
help. (note that you don't need to add the sql keyword into the
"authenticate" section anymore, since that's actually the sort of thing
PAP/CHAP takes care of. The distinction is vague however.)

Also, I'm told that the book published by O'reilly called "RADIUS" also
contains a section on setting up freeradius, and using it with mysql.

Andrew Pilley


> 
> --
> robert canary
> system services
> OhioCounty.Net
> [EMAIL PROTECTED]
> (270)298-9331 Office
> (270)298-7449 Fax



Re: OT: Cisco AS

2003-01-01 Thread Andrew Pilley
On Thu, Jan 02, 2003 at 01:36:12AM +0200, Chris Knipe wrote:
> Hi everyone,
> 
> We've been having a lot of problems lately with our Cisco AS series access servers.
> We've heard that Cisco does make poor Remote Access products and that it is actually
> quite common for Cisco AS to drop calls when the CPU or Port Utilization becomes too
> high. This would mainly mean that analogue connections would all of a sudden connect
> a lot slower, and that ISDN calls would be terminated...

i've recently become an administrator for a cisco as5200 series access
server. i'd have to actually agree with you in that part. I've been
informed several times about the poor quality of the cisco equipment,
and i'm inclined to agree with what i've been told.

Running a 60 port cisco as5200 is yielding us constant dropouts with the
second line in the cisco device, to the point where i'm considering
splitting off the two lines, and installing the second standby cisco AS
to handle the second 30 lines.

Keep in mind, the cisco as5200 i'm using is OLD. there are newer models,
and they may operate better, but this certainly appears to have issues
(quite possibly due to the configuration, mind you)

> 
> Have any of you ever experienced something like this on Cisco AS, or know of any
> possible links or sites which may have something on these matters? I'm sorry for the
> OT post, this is basically the closest mailing list that I am subscribed to in which I
> can ask something like this, so I hope you'll still be helpful...

Depending on what country you're in, allow me to recommend you find an
organisation of professional system administrators, like SAGE (System
Administrators Guild, www.sage.org for america, or www.sage-au.org.au
for australia) for your area. These organisations are often pay-to-join,
but are invaluable for technical advice.

Regards
Andrew Pilley

> 
> Thanks!
> --
> me




quick cistron to freeradius migration question

2002-12-30 Thread Andrew Pilley

Hi. i'm currently in the process of migrating a cistron radiusd which is
inappropriately configured to a freeradius server using mysql. I've run
into a slight issue i haven't been able to find documentation on in
cistron or freeradius's documentation.

we have a number of existing users in the /etc/raddb/users file, who
have entries like

username    Password = "password"
            attributes = stuff,

my question is about the use of '=' for the Password entry. is that a
special entry which is used as a "check" attribute, or is the '='
signifying (as in freeradius) that that is a "reply" attribute?

If it's a check, i need to crypt() those passwords from the users file
(no problems for me there). however, if it's being used as a reply, i'm
guessing the lack of Auth-Type = System would make the login fail.

Am i correct in my assumptions?

Thanks

Andrew Pilley




Re: users file reloading

2002-12-20 Thread Andrew Pilley

judging by the documentation and sample scripts, it looks like you can
use kill -HUP on radiusd's PID, which will cause it to reload the config
files, without restarting the radius server. that said, restarting the
radius daemon doesn't log everyone out (whereas a dialin server
restarting itself without disconnecting people may make radius think so,
until the accounting packets come in)

Andrew Pilley

On Sat, Dec 21, 2002 at 08:10:04AM +0400, Wisam Najim wrote:
> Hi All,
> 
> I'm authenticating ISDN users from users file while normal dialup users are
> authenticated from Oracle database. Every time I add an ISDN user, I need to
> stop and start the freeRADIUS instance. I want to know if I can reload the
> users file without stopping and starting the freeRADIUS.
> 
> 
>  
> Regards,



Re: converting md5-based crypt keys for use with rlm_sql

2002-12-19 Thread Andrew Pilley

whoa. okay. false alarm. looks like it was a bug in 0.8.0. 0.8.1 (which
i didn't notice was out yet) works fine.

sorry to bug people

Andrew Pilley





Re: converting md5-based crypt keys for use with rlm_sql

2002-12-19 Thread Andrew Pilley
okay. it definitely refuses to do md5 password authentication, which is
strange.

i've got Crypt-Password == $1$salt$password style md5 entries in the
radcheck sql table for that user. if i replace it with an ENCRYPT()'ed
string, it works fine, but that's not an md5 password.

i've tried setting 
encryption_scheme = md5 and crypt, and sha1.

have i got the Attribute name correct for an md5 password?
I've checked through the rlm_pap.c code as best i can, and barring a
failure of the MD5 encryption routines, i can't see where it's going
wrong...

appropriate snippets of radius -x -x output:

Thread 2 handling request 7, (2 handled so far)
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 192.168.100.108
NAS-Port = 1
NAS-Port-Type = Async
Service-Type = Framed-User
Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
radius_xlat:  'testuser'
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'testuser' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'testuser' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
auth: type Crypt
auth: Failed to validate the user.
Login incorrect: [testuser/testpass] (from client pm1 port 1)



now, i've double-checked that it's using pap as best i can, but from
there, it doesn't look like it is...

can anyone shed some light on where i may have left something out of the
config?

thanks

Andrew Pilley





On Thu, Dec 19, 2002 at 10:38:39AM +1100, Andrew Pilley wrote:
> On Wed, Dec 18, 2002 at 11:18:56AM -0500, Alan DeKok wrote:
> > Andrew Pilley <[EMAIL PROTECTED]> wrote:
> > > since md5 is a one-way hash, i can't just recover the passwords and
> > > recrypt them.
> > 
> >   Just use them in place.
> 
> I've tried that. I changed the Crypt-Password's Value field to basically
> be a copy of an existing md5-based password, but I think PAP is having
> issues with it, as it basically seems to reject me... am I using the
> right Attribute name for an md5-based password?
> 
> > 
> > > What would I need to do to achieve basically a straight copy-paste of
> > > the existing md5 passwords into appropriate SQL rows? I've tried setting
> > > pap {
> > >   encryption_scheme = md5
> > > }
> > > as well as setting it to crypt, and neither seem to work.
> > 
> >   Wow.  Why doesn't it work?  Did you read the FAQ?
> 
> There isn't anything in the FAQ on www.freeradius.org about this
> particular issue, as far as I can see... I'll try turning up the
> debugging output, and seeing what I can get pap's code to tell me
> tomorrow (not at work today, so it's a little hard to test)
> 
> That said, it works fine if I insert the plaintext password into the
> Value field, running the ENCRYPT mysql function on it (so it's CRYPT'ed
> in the database). (when using encryption_scheme=crypt)
> 
> Andrew Pilley
> 
> > 
> >   Alan DeKok.
> > 
> > - 
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: script execution?

2002-12-18 Thread Andrew Pilley
On Wed, Dec 18, 2002 at 10:52:17AM +0200, Remus Anca wrote:
> 
> 
>   can i execute a script after a user has logged in, and using his
>   account name as a parameter?

I'm not particularly familiar with FreeRADIUS yet, but it looks like you
can use the attributes Exec-Program and Exec-Program-Wait to run
programs after authentication, optionally waiting until the program
finishes before proceeding. I believe the details are documented in the
file variables.txt.

Andrew Pilley

> 
> 
>   thx
> 
> -- 
> Remus
> 
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
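The hook described in the reply above, as an added example (not code from the post or from FreeRADIUS). With Exec-Program-Wait, radiusd expands the %{User-Name} in the users-file entry, passes it to the script as its first argument, waits for it, and rejects the login if the exit status is non-zero (variables.txt). The user name comes straight from the NAS, so the script treats it as untrusted input before doing anything with it. The script path and the log location are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS itself:
# a post-authentication hook of the kind Exec-Program-Wait runs.
#
# Assumed users-file entry (the script path is hypothetical):
#
#   DEFAULT
#           Exec-Program-Wait = "/usr/local/sbin/post-login.sh %{User-Name}"
#
# radiusd expands %{User-Name} and passes it as $1.  With Exec-Program-Wait
# the server waits for the script, and a non-zero exit status rejects the
# login (variables.txt), so the script must only exit 0 on success.

LOGFILE="${LOGFILE:-/tmp/post-login.log}"   # assumed log location

# The user name arrives straight from the NAS, so treat it as untrusted:
# accept only the characters a dialup account name can legitimately contain.
valid_username() {
    case "$1" in
        "")                 return 1 ;;
        *[!A-Za-z0-9._@-]*) return 1 ;;
        *)                  return 0 ;;
    esac
}

# Record the login; reject (exit 1) anything that fails validation rather
# than feeding it to further commands.
post_login() {
    user="$1"
    stamp="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    if ! valid_username "$user"; then
        printf '%s rejected malformed user-name\n' "$stamp" >> "$LOGFILE"
        return 1
    fi
    printf '%s login %s\n' "$stamp" "$user" >> "$LOGFILE"
    return 0
}

# Entry point when radiusd invokes the script with the user name as $1.
if [ "$#" -gt 0 ]; then
    post_login "$1"
    exit $?
fi
```

Because a non-zero exit rejects the user, a hook that only wants to log (never block) should return 0 on every path; the version here deliberately fails closed on a malformed name.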



Re: converting md5-based crypt keys for use with rlm_sql

2002-12-18 Thread Andrew Pilley
On Wed, Dec 18, 2002 at 11:18:56AM -0500, Alan DeKok wrote:
> Andrew Pilley <[EMAIL PROTECTED]> wrote:
> > since md5 is a one-way hash, i can't just recover the passwords and
> > recrypt them.
> 
>   Just use them in place.

I've tried that. I changed the Crypt-Password's Value field to basically
be a copy of an existing md5-based password, but I think PAP is having
issues with it, as it basically seems to reject me... am I using the
right Attribute name for an md5-based password?

> 
> > What would I need to do to achieve basically a straight copy-paste of
> > the existing md5 passwords into appropriate SQL rows? I've tried setting
> > pap {
> >   encryption_scheme = md5
> > }
> > as well as setting it to crypt, and neither seem to work.
> 
>   Wow.  Why doesn't it work?  Did you read the FAQ?

There isn't anything in the FAQ on www.freeradius.org about this
particular issue, as far as I can see... I'll try turning up the
debugging output, and seeing what I can get pap's code to tell me
tomorrow (not at work today, so it's a little hard to test)

That said, it works fine if I insert the plaintext password into the
Value field, running the ENCRYPT mysql function on it (so it's CRYPT'ed
in the database). (when using encryption_scheme=crypt)

Andrew Pilley

> 
>   Alan DeKok.
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



converting md5-based crypt keys for use with rlm_sql

2002-12-17 Thread Andrew Pilley
I took a quick look through the list, but couldn't see anything
specific.

Currently our dialup system, using Cistron's radiusd, gets its passwords
from /etc/passwd. This is currently running on a GNU/Linux machine, which
is using MD5 shadow passwords.

I'm in the process of migrating this system over to a
freeradius+rlm_sql+mysql setup, and while I can get crypted passwords to
work (using Crypt-Password) fine, I'm not too sure how I'd go about
getting pap and rlm_sql to deal with an MD5'ed password. Obviously,
since MD5 is a one-way hash, I can't just recover the passwords and
recrypt them.

What would I need to do to achieve basically a straight copy-paste of
the existing MD5 passwords into appropriate SQL rows? I've tried setting
pap {
  encryption_scheme = md5
}
as well as setting it to crypt, and neither seems to work.

This is using FreeRADIUS 0.8, compiled by me into a Debian package, and
a PortMaster 2e to access the radius server (my test platform).

Thanks for the help

Andrew Pilley


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
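The migration this thread is about, as an added example (not code from any of the posts, nor from FreeRADIUS or rlm_sql). A glibc MD5 shadow entry looks like $1$<salt>$<22 characters>; it is crypt(3)'s MD5-crypt scheme, not a bare MD5 of the password, and "use them in place" works because a Crypt-Password check does what login does: crypt(candidate, stored) is compared with stored, with the $1$ prefix and the salt read out of the stored string. So the shadow field can be copied verbatim into the radcheck Value column; no plaintext is recovered and nothing is converted. The block below reimplements MD5-crypt in plain Python so the check can be run offline, shows the comparison, and turns a constructed /etc/shadow line into a radcheck row using the column names visible in the debug output earlier in this thread. The sample user, the hash it carries and the "==" check operator are assumptions made for this example.

```python
"""Added example: MD5-crypt ($1$) as crypt(3) computes it, plus the
Crypt-Password comparison and a shadow-to-radcheck conversion.  Not code from
the posts, from FreeRADIUS or from rlm_sql; the sample shadow lines and the
"==" check operator are assumptions made for this example."""
import hashlib
import hmac

_MAGIC = b"$1$"
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _md5(data: bytes = b""):
    # MD5 is a legacy building block of this KDF, not a security claim.
    return hashlib.md5(data, usedforsecurity=False)


def _to64(value: int, count: int) -> bytes:
    """crypt(3)'s own base-64 variant: 6 bits at a time, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return the $1$ hash of `password`.  `salt` may be a bare salt or a full
    stored hash, exactly as crypt(3) accepts it."""
    pw = password.encode()
    s = salt.encode()
    if s.startswith(_MAGIC):
        s = s[len(_MAGIC):]
    s = s.split(b"$", 1)[0][:8]          # at most eight salt characters

    ctx = _md5(pw + _MAGIC + s)
    alt = _md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:                          # mix in alt, one block per 16 bytes of password
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                              # the scheme's bit-by-bit quirk
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):                 # fixed 1000-round stretching
        c = _md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final
    enc = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (_MAGIC + s + b"$" + enc).decode()


def check_crypt_password(candidate: str, stored: str) -> bool:
    """The Crypt-Password check: re-crypt the cleartext from the PAP request
    with the stored hash as salt and compare.  Only PAP supplies the cleartext,
    so a hashed Value can never satisfy CHAP."""
    if not stored.startswith("$1$"):
        return False
    return hmac.compare_digest(md5_crypt(candidate, stored), stored)


def shadow_to_radcheck(shadow_line: str):
    """Turn one /etc/shadow line into a radcheck row
    (UserName, Attribute, op, Value), or None for accounts that cannot log in.
    The hash is copied verbatim; nothing is "converted"."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    user, hashed = fields[0], fields[1]
    if not hashed.startswith("$1$"):      # locked ("!", "*") or not MD5-crypt
        return None
    return (user, "Crypt-Password", "==", hashed)


if __name__ == "__main__":
    # Constructed sample: a fresh hash for "testpass" and the shadow line it would sit in.
    stored = md5_crypt("testpass", "saltsalt")
    line = "testuser:%s:12000:0:99999:7:::" % stored
    print(shadow_to_radcheck(line))
    print(check_crypt_password("testpass", stored), check_crypt_password("wrong", stored))
```

Two things worth checking on the server side before blaming the configuration: that the crypt(3) radiusd is linked against accepts $1$ hashes at all (an old or minimal libcrypt silently treats them as DES and fails every login), and that the Value column is wide enough to hold all 34 characters of an MD5-crypt string without truncation.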