Re: Cache /etc/passwd, /etc/shadow, and /etc/group
I get similar behaviour with mine (FreeRadius 0.4 debian testing package, 2.4.18 kernel).

I just set a new box to auth against /etc/raddb/passwd and /etc/raddb/shadow. The only way I could get it to work is with caching.

However, on the original radius server that the passwd and shadow file originate from, I have caching disabled, and am NOT specifying the location of the shadow file. And that is the only way I can get that box to work.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "User for Free Radius mail list" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 11:11 AM
Subject: Cache /etc/passwd, /etc/shadow, and /etc/group

> System = Linux with kernel 2.4.18
>
> In the radiusd.conf file:
> The "Cache" setup does not work if you do not use shadow passwords. If the
> "shadow" line is left at the default value: (ie commented out)
>
> To force the module to use the system password functions,
> # instead of reading the files, comment out the 'passwd'
> # and 'shadow' configuration entries. This is required
> # for some systems, like FreeBSD.
> #
> passwd = /etc/passwd
> # shadow = /etc/shadow
>
> Then you will get an error:
>
> Wed Oct 9 17:51:06 2002 : Info: HASH: Reinitializing hash structures and lists for caching...
> Wed Oct 9 17:51:06 2002 : Error: rlm_unix: You MUST specify a shadow password file!
> Wed Oct 9 17:51:06 2002 : Error: HASH: unable to create user hash table. disable caching and run debugs
> Wed Oct 9 17:51:06 2002 : Error: radiusd.conf[462]: unix: Module instantiation failed.
>
> If you say "no" to the "cache" option:
>
> # For FreeBSD, you do NOT want to enable the cache,
> # as it's password lookups are done via a database.
> #
> # allowed values: {no, yes}
> cache = no
>
> It loads up just fine.
>
> Is there something I'm missing or is this the default behavior of this
> setup?
>
> Thanks,
>
> Ken Rea

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Licensing Issue
http://www.gnu.org/licenses/gpl.txt

You can do (almost) anything you want with it.

Andrew Tait

----- Original Message -----
From: "Sheldon Fougere" <[EMAIL PROTECTED]>
To: "Freeradius-Users" <[EMAIL PROTECTED]>
Sent: Monday, October 07, 2002 9:13 AM
Subject: Licensing Issue

> Hi All,
>
> Is there a web site I can go to read up on the licensing? I would like to
> know if it is ok to include Freeradius in a distribution and use it if I
> don't modify the code?
>
> Thanks,
> Sheldon
Re: Alteracao de dominio
I thought of that already. We can fake a request, but it needs to be confirmed, which we can't do :-(

Andrew Tait

----- Original Message -----
From: "Adam Jendrosek" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 09, 2002 5:22 PM
Subject: Re: Alteracao de dominio

At 09:06 09.08.2002, you wrote:
>This mailbox will change from @tramandai.com.br to @tramandai.net.br.
>Therefore, the next time you send messages to this address,
>change the end of the recipient address to @tramandai.net.br

Hi

is it possible that anybody unsubscribe this guy.

regards
Adam
Re: Stop spaming
It's not spam. It's an automated message stating that their domain name (@tramandai.com.br) is going to change to (@tramandai.net.br).

Can we remove any @tramandai.[com/net].br address from the mailing list?

I love google

http://www.google.com/language_tools?hl=en

Andrew Tait

----- Original Message -----
From: "Динар" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 09, 2002 2:42 PM
Subject: Stop spaming

> Hello freeradius-users,
>
> This is spam and nothing else
> >This mailbox will change from @tramandai.com.br to @tramandai.net.br.
> >Therefore, the next time you send messages to this address,
> >change the end of the recipient address to @tramandai.net.br
>
> --
> Best regards,
> Dinar mailto:[EMAIL PROTECTED]
Re: Alteracao de dominio
I was thinking that he's got an auto reply, and he's auto replying to his auto reply...

Of course I have no idea what the message actually says.

Andrew Tait

----- Original Message -----
From: "Yuri Bazhukov" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 09, 2002 2:32 PM
Subject: Re: Alteracao de dominio

> Hello, Andrew!
> You wrote to <[EMAIL PROTECTED]> on Fri, 9 Aug 2002 13:40:30 +1000:
>
> AT> It looks like we have a mail loop. Can we get this fixed up?
>
> It's not loop - messages have different Message-Id's. It's
> damned spam.
>
> Yuri Bazhukov
Re: Alteracao de dominio
It looks like we have a mail loop. Can we get this fixed up?

Andrew Tait

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 09, 2002 1:27 PM
Subject: Alteracao de dominio

> This mailbox will change from @tramandai.com.br to @tramandai.net.br.
> Therefore, the next time you send messages to this address,
> change the end of the recipient address to @tramandai.net.br
Re: Info/code on CHAP in FreeRadius
May I suggest the FAQ.

Andrew Tait

----- Original Message -----
From: "Lee Xing" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 09, 2002 12:52 AM
Subject: Info/code on CHAP in FreeRadius

Hi,

I'm new here, and someone told me I could find some info and sample code for CHAP (Challenge Handshake Authentication Protocol) in FreeRadius. I searched for a while but couldn't find anything on CHAP. Could someone tell me where I can find info/code on CHAP from FreeRadius if they do exist.

Thanks,
Lee
Re: Is it possible to have more than one users list?
It most certainly is. Put something like this in your main users file:

$INCLUDE /etc/raddb/users.perm
$INCLUDE /etc/raddb/users.sat

Andrew Tait

----- Original Message -----
From: Kim
To: [EMAIL PROTECTED]
Sent: Friday, August 02, 2002 9:49 AM
Subject: Is it possible to have more than one users list?

Hi,

I'm using FreeRADIUS 0.4 and I have one users file and one access deny list. The access deny list contains ID and Phonenumbers extracted from a DB2 database. I need to use this access deny list and make sure that all users on this list can NOT access the Radius server. The access deny list is dynamic and it changes.

Does anybody know if this is possible? Is there some documentation how to use more than one users files, one users file and one access deny list?

I would appreciate any help or hint.

Thanks
Kim
Re: Redirect Home Page or force URL in CVX1800
What I would suggest is doing a search through your radius detail files for the "Called-Station-Id" attribute. If it matches the old phone number, send them an e-mail, or contact them another way.

You might find this program useful:

http://www.arduous.net/projects/radgrep/

Andrew Tait

----- Original Message -----
From: "Juan Garavaglia" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 19, 2002 11:24 AM
Subject: Redirect Home Page or force URL in CVX1800

> Hi:
>
> I don't find the way to force all the dial up users to see a specific HTML I
> don't care if the only HTML they can see is that but I need to inform to my
> users that the number they are dialing has change.
>
> Unfortunately I can't modify the Nortel CVX 1800 to do that because the
> company that rent me that dial up ports is not interested in helping me so I
> need to find some way to inform some users the change of the phone number
> using the radius I control.
>
> I heard some comments about if is possible by returning some parameters or
> attributes to the NAS but I have no idea how can this could be done and
> which parameter I should return to the CVX 1800 during the authentication
> process.
>
> Also could be great if I could redirect to different URLs based in the DNIS
> value.
>
> Best Regards
>
> Juan Garavaglia
> http://www.netpad.com.ar
Re: promiscuous authentication
I asked a similar question a while back.

There is some basic encryption on the password (using the shared secret as a key). However, the rest of the details (username, phone number) are all transmitted in plaintext. And the encryption on the password is very weak.

Search for a program called radsniff if you want to see exactly how weak.

Andrew Tait

----- Original Message -----
From: "Ilguiz Latypov" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 16, 2002 10:34 AM
Subject: Re: promiscuous authentication

> I agree that promiscuous authentication is not how FreeRadius was supposed
> to work. Sorry for not reading the documentation first. I thought that
> communication between Radius clients and servers is secure by design. Is
> this not always true?
>
> Ilguiz
>
> On Mon, 15 Jul 2002, Alan DeKok wrote:
>
> > > Is this a good idea to allow testing of a given user name/password pair
> > > from anywhere in internet?
> >
> > I would say no. I'm not sure why it would be necessary, and it's a
> > bad idea to expose a RADIUS server to anyone's traffic.
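What the message above describes, as an added example that is not part of the original thread: an Access-Request built and parsed according to RFC 2865, showing which attributes a passive observer can read and that the User-Password attribute is only masked with MD5(shared secret + Request Authenticator). The secret, authenticator, user name, phone number and password are constructed sample values.

```python
"""Added illustration: RADIUS Access-Request attributes on the wire (RFC 2865)."""
import hashlib
import struct

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 31: "Calling-Station-Id"}


def _mask_blocks(data, secret, authenticator, hiding):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous
    ciphertext block); the first block uses the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        # The chain always runs over the ciphertext block.
        prev = result if hiding else block
    return out


def hide_password(password, secret, authenticator):
    """NAS side: pad with NULs to a multiple of 16 bytes, then mask."""
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    return _mask_blocks(padded, secret, authenticator, hiding=True)


def unhide_password(hidden, secret, authenticator):
    """Server side: the same mask removes the hiding; strip the NUL padding."""
    return _mask_blocks(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def build_access_request(ident, authenticator, attrs):
    """Code 1 (Access-Request), identifier, length, authenticator, then TLVs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Return (authenticator, [(type, value), ...]); no secret is needed."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return packet[4:20], attrs


def passive_view(packet):
    """What someone who sees the packet, but not the secret, reads from it."""
    _, attrs = parse_attributes(packet)
    return {ATTR_NAMES.get(t, str(t)): v for t, v in attrs}


# Constructed sample values (not from the thread).
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"correct horse battery"
PACKET = build_access_request(7, AUTHENTICATOR, [
    (1, b"alice@example.net"),
    (2, hide_password(PASSWORD, SECRET, AUTHENTICATOR)),
    (31, b"0355550100"),
])

if __name__ == "__main__":
    for name, value in passive_view(PACKET).items():
        print(f"{name:20} {value!r}")
    auth, attrs = parse_attributes(PACKET)
    print("server recovers:", unhide_password(dict(attrs)[2], SECRET, auth))
```

The user name and calling number come back verbatim from `passive_view`; only the password needs the shared secret, so its confidentiality rests entirely on that one value.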
Re: Newbie: Database in MS Access file... does it work woth FreeRadius?
There is a program out there called ODBC Socket Server, which is going to be the backbone of one of my future projects.

http://odbcsock.sourceforge.net

It allows access to Access databases (.mdb) among other things, over a TCP/IP connection. There are sample clients for perl, c, and a few other languages.

It would be possible to write a module to do what you are after.

Andrew Tait

----- Original Message -----
From: "Vlasis Hatzistavrou" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 01, 2002 4:58 PM
Subject: Re: Newbie: Database in MS Access file... does it work woth FreeRadius?

> Hello Alan,
>
> Thank you very much for your reply. Unfortunately, the user database is on an
> Access file (.mdb) and not on MS-SQL... Is there a workaround for this?
>
> Regards,
> Vlasis.
>
> Alan DeKok wrote:
>
> > [EMAIL PROTECTED] wrote:
> > > I wonder if and how it is possible to "read" the user
> > > info from the remote PC running Win2k which has the
> > > user database.
> >
> > Sure. The latest CVS has a 'freetds' module, which interacts with
> > MS-SQL.
> >
> > Alan DeKok.
Re: test radius without terminal server
That program looks very useful indeed.

Has anyone seen a linux equivalent? (terminal based preferably)

Andrew Tait

----- Original Message -----
From: "Alexandre Strube" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 14, 2002 10:16 AM
Subject: test radius without terminal server

>How can I test the radius server without a terminal server?

Mastersoft has something called NTRADPING... I use it for testing authorization/authentication and for accounting purposes.

http://www.mastersoft-group.com/download

Oh yes, it's free >:-)

Alexandre
Re: setting up FreeRadius for CHAP and PAP Authentication
Did you put in:

username        Auth-Type := Local, Password := password
                Fall-Through = Yes

Or:

testuser        Auth-Type := Local, Password := testuser'spassword
                Fall-Through = Yes

Also, run radius in debug mode (radiusd -d) and give us the complete output.

Andrew Tait

----- Original Message -----
From: "Cory Taylor" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 11, 2002 5:12 PM
Subject: Re: setting up FreeRadius for CHAP and PAP Authentication

> I have added this into the Radius Userfiles and I am still getting the same
> following error:
>
> Tue Jun 11 02:00:16 2002 : Auth: Login incorrect: [[EMAIL PROTECTED]] (from nas dca-bwsc-03 port 3499 cli ##)
> Tue Jun 11 02:00:21 2002 : Auth: rlm_unix: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
>
> I have looked in every resource I have but still am unable to find anything
> to point to this.
>
> Thanks,
>
> C Taylor
>
> ----- Original Message -----
> From: "Andrew Tait" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, June 10, 2002 11:52 PM
> Subject: Re: setting up FreeRadius for CHAP and PAP Authentication
>
> > To do CHAP authentication, FreeRadius needs the password to be stored in
> > CLEAR TEXT on the server.
> >
> > It looks like you are trying to authenticate against /etc/passwd|/etc/shadow.
> > The passwords stored there are encrypted, and cannot be used to do CHAP
> > authentication.
> >
> > Try putting the following in your users file:
> >
> > username        Auth-Type := Local, Password := password
> >                 Fall-Through = Yes
> >
> > Andrew Tait
> >
> > ----- Original Message -----
> > From: "Cory Taylor" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, June 11, 2002 2:43 PM
> > Subject: setting up FreeRadius for CHAP and PAP Authentication
> >
> > > I am trying to setup FreeRadius to do CHAP and PAP authentication. I am
> > > having no success.
> > >
> > > I get the following error message in the log file when
> > > attempting to connect through Dial-Up:
> > >
> > > Auth: rlm_unix: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
> > > Auth: Login incorrect: [[EMAIL PROTECTED]/] (from nas global1 port 3264 )
> > >
> > > How do I setup Radius to accept CHAP/PAP Authentications??
> > >
> > > Thanks,
> > >
> > > Cory
Re: setting up FreeRadius for CHAP and PAP Authentication
To do CHAP authentication, FreeRadius needs the password to be stored in CLEAR TEXT on the server.

It looks like you are trying to authenticate against /etc/passwd|/etc/shadow. The passwords stored there are encrypted, and cannot be used to do CHAP authentication.

Try putting the following in your users file:

username        Auth-Type := Local, Password := password
                Fall-Through = Yes

Andrew Tait

----- Original Message -----
From: "Cory Taylor" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 11, 2002 2:43 PM
Subject: setting up FreeRadius for CHAP and PAP Authentication

> I am trying to setup FreeRadius to do CHAP and PAP authentication. I am
> having no success.
>
> I get the following error message in the log file when
> attempting to connect through Dial-Up:
>
> Auth: rlm_unix: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
> Auth: Login incorrect: [[EMAIL PROTECTED]/] (from nas global1 port 3264 )
>
> How do I setup Radius to accept CHAP/PAP Authentications??
>
> Thanks,
>
> Cory
Re: Security
http://www.untruth.org/~josh/security/radius/radius-auth.html

For those interested in finding out how easy.

Andrew Tait

----- Original Message -----
From: "Gary Barnden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 15, 2002 2:33 PM
Subject: Re: Security

> Andrew,
>
> Pretty easy actually, easier than one would think
>
> Regards
>
> G.
>
> At 02:28 PM 15/05/2002 +1000, you wrote:
> >Hi All,
> >
> >Quick question.
> >
> >Lets say that someone has the ability to sniff traffic between our NAS and
> >radius server.
> >
> >What are the chances of them finding out the shared secrets, or actual
> >usernames and passwords?
> >
> >Andrew Tait
Security
Hi All,

Quick question.

Let's say that someone has the ability to sniff traffic between our NAS and radius server.

What are the chances of them finding out the shared secrets, or actual usernames and passwords?

Andrew Tait
Re: Any way to do CHAP with md5'ed passes?
Correct.

Andrew Tait

----- Original Message -----
From: "Mattt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 15, 2002 11:58 AM
Subject: Any way to do CHAP with md5'ed passes?

> Hi list,
>
> We store our users' passes as md5 digests. Am I correct in assuming
> that (in the absence of _any_ plaintext ones) we can't do CHAP at all,
> no matter what?
>
> --
> Cheers,
> Mattt. [EMAIL PROTECTED]
> Network and Tech Guy, ICQ: 117539757
> Expressnet. www.expressnet.net.au
Radgrep program
Hi All.

As you probably all know, searching through radius detail files can be a tedious task. I hope this makes your lives a little easier.

It probably isn't the best perl program ever written, but I'm sure some of you will find it useful.

This program is licensed under the GPL, so feel free to modify it and send any improvements back to me.

Andrew Tait

# Radgrep v1.00
# Radgrep is to radius detail files what exigrep is to exim mainlog files.
# Don't run with scissors.
# Copyright © 2002 Andrew Tait. All rights reserved.
# Last modified 26th April 2002.
# E-mail: [EMAIL PROTECTED]
# WWW: http://www.arduous.net/projects/radgrep/
#
# This program is designed to accept radius detail files from STDIN and
# either display a record if $pattern appears in it. You can use this to
# find all records that belong to a particular user, IP address, etc.
#
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

# Option state and per-record fields
$pattern = "";
$reverse = "false";
$rdup = "false";
$radentry = "";
$acctsessionid = "";
$username = "";
$timestamp = "";

# Parse the command line: options first, the pattern last
while ($arg = shift(@ARGV)) {
    if ($pattern ne "") {die "Unexpected argument $arg.\n";}
    if ($arg eq "-v") {$reverse = "true";}
    elsif ($arg eq "--help") {
        print "Usage: radgrep [-v] pattern\n";
        print "Options\n";
        print " -v Invert pattern matching\n";
        print " -d Remove duplicate entries\n";
        print " --help Display this help and exit\n";
        exit 0;
    }
    elsif ($arg eq "-d") {$rdup = "true";}
    else {$pattern = $arg;}
}
# An empty regex would not mean "match everything" in perl, so insist on a pattern
if ($pattern eq "") {die "Usage: radgrep [-v] pattern\n";}

# Records in a detail file are separated by a blank line
while ($radline = <>) {
    $radentry = $radentry.$radline;
    if ($radline eq "\n") {
        ($temp1,$temp2) = split(/Acct-Session-Id = "/,$radentry);
        ($acctsessionid,$temp3) = split(/\"/,$temp2);
        ($temp1,$temp2) = split(/User-Name = "/,$radentry);
        ($username,$temp3) = split(/\"/,$temp2);
        ($temp1,$temp2) = split(/Timestamp = /,$radentry);
        ($timestamp,$temp3) = split(/\n/,$temp2);
        # join() takes the separator as its first argument
        $key=join("|",$acctsessionid,$username,$timestamp);
        if ($sessions{$key}) {
            #print STDERR "Duplicate entry $key\n";
            #Duplicate entry, ignore
            if ($rdup eq "true") {
                $radentry = "";
                next;
            }
        }
        $sessions{$key}=1;
        if ($radentry =~ /$pattern/) {
            if($reverse eq "false") {print STDOUT $radentry}
        } else {
            if ($reverse eq "true") {print STDOUT $radentry}
        }
        $radentry = "";
    }
}
if (!($radentry eq "")) {
    #radius fragment left, better process that too!
    ($temp1,$temp2) = split(/Acct-Session-Id = "/,$radentry);
    ($acctsessionid,$temp3) = split(/\"/,$temp2);
    ($temp1,$temp2) = split(/User-Name = "/,$radentry);
    ($username,$temp3) = split(/\"/,$temp2);
    ($temp1,$temp2) = split(/Timestamp = /,$radentry);
    ($timestamp,$temp3) = split(/\n/,$temp2);
    $key=join("|",$acctsessionid,$username,$timestamp);
    if ($sessions{$key}) {
        #print STDERR "Duplicate entry $key\n";
        #Duplicate entry, ignore
        if ($rdup eq "true") {
            # The archived copy is cut off at this point; the rest of this
            # block mirrors the loop body above.
            $radentry = "";
        }
    }
    if ($radentry ne "") {
        if ($radentry =~ /$pattern/) {
            if($reverse eq "false") {print STDOUT $radentry}
        } else {
            if ($reverse eq "true") {print STDOUT $radentry}
        }
    }
}
Re: Ericsson Tigris and FreeRadius
Yes, it's a bug in the tigris. Put this in your users file.

ACC_DEFAULT     Password = "radiussecret"
                Framed-Protocol = PPP,
                Service-Type = Framed-User,
                Framed-IP-Address = 255.255.255.254,
                Framed-Compression = Van-Jacobson-TCP-IP

Andrew Tait

----- Original Message -----
From: "Chris Parker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 23, 2002 12:10 AM
Subject: Re: Ericsson Tigris and FreeRadius

> At 06:36 PM 4/22/2002 +0800, Patrick Chan wrote:
>
> >Dear all,
> >
> >I am using Ericsson Tigris and FreeRadius 0.5
> >
> >I have set the clients, users and proxy.conf
> >proxy.conf is as follows:
> >realm domain1 {
> >        type     = radius
> >        authhost = LOCAL
> >        accthost = LOCAL
> >}
> >
> >I don't know why the username is always "ACC_DEFAULT"
> >when debug mode is enabled. And authentication is never successful.
>
> Because that is how the NAS is sending it. It's a problem with the NAS,
> not with the server.
>
> -Chris
>
> --
> Chris Parker, Director, Engineering, StarNet Inc.
Re: radwho question
I have found and reported this bug before.

radwho does not read /etc/raddb/radiusd.conf for the location of the radutmp/radwtmp files. He has the files in /var/radius instead of /var/log/.

http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=radiusd-freeradius&repeatmerged=yes

Andrew Tait

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 8:27 AM
Subject: Re: radwho question

> Lee W <[EMAIL PROTECTED]> wrote:
> > The radius is running as user nobody, but I'm logged in as root and I set
> > the radutmp file to 777 just for testing. That log is under /var/radius and
> > its set to 777 as well just for testing :-) I checked my config file all
> > looks good. For the most part its default config.
>
> Hmm... there may be another problem here. It looks like there's a
> bug in the radutmp module.
Re: Debian FreeRADIUS package and Woody
Hi Chad,

I can certainly understand that. Packaging software that is in a "perpetual alpha-state" must be a challenge. Especially with the strict standard the debian "stable" has.

I have no problem with using the packages from sid. And I thank you for all the effort you have put into maintaining the packages so far.

Andrew Tait

----- Original Message -----
From: "Chad Miller" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 11, 2002 1:53 AM
Subject: Debian FreeRADIUS package and Woody

> Hi, all. I've decided to withdraw the radiusd-freeradius* packages from
> Debian Woody (the upcoming release). If history is any indicator, any
> snapshot of the tree I take will need a significant patch not long after
> it's taken. Debian's standards are too high, and administrative software
> (and authentication in particular) is too important for me to allow that.
>
> It will remain in Sid (unstable), of course, in hopes we'll be ready for
> Woody+1. I'll still keep the debian/ directory up-to-date, so builds from
> CVS should be possible with minimal changes.
>
> - chad
>
> --
> Chad Miller <[EMAIL PROTECTED]>
Re: re:
Just about any OS can use CHAP. It is a standard.

Forgive me if any of the following is wrong, but it should be enough to explain the difference between CHAP/PAP.

PAP: Plain-text Authentication Protocol

The password is sent from the dialup computer to the NAS in plain text. It is then sent to the radius server in plain text, and as such, it can log the actual password if it is incorrect.

CHAP: Challenge Handshake Authentication Protocol

The password is encrypted in the dialup PC, and the encrypted password along with the encryption key is sent to the NAS (it never knows the real password). The NAS sends the encrypted password and key to the radius server. The radius server, which has a local copy of the password stored in clear text, reads the real password and encrypts it with the key provided by the dial-up PC. It then compares the two encrypted passwords to see if they match.

Windows NT/2000/XP are the most common users of CHAP authentication. You need to set them to "use unsecured password".

Andrew Tait

----- Original Message -----
From: "info@GoldenIT" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 09, 2002 3:34 PM
Subject: re:

> If i can't see the passwords that means i have half the knowledge to trouble
> shoot customers Login problems. Which isn't good. Any idea which OS use
> CHAP passwords.
> thanks
> iq
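The CHAP check that the message above, the "md5'ed passes" question and the CHAP/PAP setup replies all turn on, as an added example that is not part of the original thread: per RFC 1994 and RFC 2865 the response carried in CHAP-Password is MD5(identifier + password + challenge), so the server can only recompute it from the cleartext password, while a stored MD5 digest is enough for PAP alone. The identifier, challenge and password are constructed sample values.

```python
"""Added illustration: why CHAP verification needs the cleartext password."""
import hashlib
import hmac


def chap_response(ident, secret, challenge):
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_password_attr(ident, password, challenge):
    """Value of the RADIUS CHAP-Password attribute the NAS forwards:
    1 byte CHAP identifier followed by the 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password, challenge, stored_cleartext):
    """Server side: recompute the response from the stored cleartext."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(response, expected)


def verify_pap_against_md5(submitted_password, stored_md5_hex):
    """PAP delivers the password itself, so a stored digest can be checked."""
    digest = hashlib.md5(submitted_password).hexdigest()
    return hmac.compare_digest(digest, stored_md5_hex)


def verify_chap_from_md5_only(chap_password, challenge, stored_md5_hex):
    """All a server holding only MD5(password) can try: feed the digest, raw
    or as hex text, where the password belongs. Neither reproduces the
    response, because MD5(id || MD5(pw) || chal) != MD5(id || pw || chal)."""
    candidates = (bytes.fromhex(stored_md5_hex), stored_md5_hex.encode())
    return any(verify_chap(chap_password, challenge, c) for c in candidates)


# Constructed sample values (not from the thread).
IDENT = 0x2A
PASSWORD = b"s3cret-dialup"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
STORED_MD5 = hashlib.md5(PASSWORD).hexdigest()


def demo():
    attr = chap_password_attr(IDENT, PASSWORD, CHALLENGE)
    fresh_challenge = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    return {
        "chap_with_cleartext": verify_chap(attr, CHALLENGE, PASSWORD),
        "chap_wrong_password": verify_chap(attr, CHALLENGE, b"guess"),
        # A captured response does not verify against a different challenge.
        "chap_replayed": verify_chap(attr, fresh_challenge, PASSWORD),
        "pap_with_md5_store": verify_pap_against_md5(PASSWORD, STORED_MD5),
        "chap_with_md5_store": verify_chap_from_md5_only(attr, CHALLENGE, STORED_MD5),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:22} {result}")
```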
Re: How can I test the server?
There should be a radtest program. Look into that.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "chen jin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 09, 2002 11:34 AM
Subject: How can I test the server?

> I have installed and run the server ,but by using which tools can I test
> whether the server is running well? thanks~~
FreeRadius 0.5 and Debian 3.0
Hi All,

The radiusd-freeradius packages have been REMOVED from Debian testing/woody, because of the severe bugs (http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=radiusd-freeradius&repeatmerged=yes) outstanding, and the fact that the debian package is outdated (0.4).

If freeradius is going to be in the Debian distribution, now is the time to get it in there. Woody is getting close to release (1st May is probable date).

Quote from www.freeradius.org: "including several developers of the Debian GNU/Linux operating system". Perhaps some of these developers would be kind enough to package 0.5 for us debian users?

I would be more than willing to help test any packages.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix
Re: Freeradius not working under firewall
May I suggest you put this at the top of the ipchains rules:

ipchains -A input -p udp -s 192.168.5.2/32 -d 192.168.5.3 1614:1615 -j RETURN

Which says that if the packet is from the NAS, destined for the Radius server on the radius ports, to stop processing the rest of the firewall rules.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "Dr. Muhammad Masroor Ali" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 08, 2002 1:06 AM
Subject: Re: Freeradius not working under firewall

> Can not thank the responder enough for the quick response.
> DNS works in the machine, as is evidenced by success of nslookup, host
> commands and successful browsing.
>
> I am attaching the ipchain output.
>
> 192.168.5.2 is the NAS, 192.168.5.3 is the radius server.
>
> Chain input (policy ACCEPT):
> target  prot  opt  source                    destination               ports
> ACCEPT  all   --   anywhere                  anywhere                  n/a
> ACCEPT  tcp   !y   anywhere                  192.168.5.0/24            any -> any
> DENY    all   --   10.0.0.0/8                192.168.5.0/24            n/a
> DENY    all   --   127.0.0.0/8               192.168.5.0/24            n/a
> DENY    all   --   172.16.0.0/12             192.168.5.0/24            n/a
> DENY    all   --   192.168.0.0/16            192.168.5.0/24            n/a
> DENY    tcp   l-   anywhere                  192.168.5.0/24            any -> 31337
> DENY    udp   l-   anywhere                  192.168.5.0/24            any -> 31337
> DENY    tcp   l-   anywhere                  192.168.5.0/24            any -> 12345:12346
> DENY    udp   l-   anywhere                  192.168.5.0/24            any -> 12345:12346
> DENY    tcp   l-   anywhere                  192.168.5.0/24            any -> ingreslock
> DENY    tcp   l-   anywhere                  192.168.5.0/24            any -> 27665
> DENY    udp   l-   anywhere                  192.168.5.0/24            any -> 27444
> DENY    udp   l-   anywhere                  192.168.5.0/24            any -> 31335
> DENY    all   --   BASE-ADDRESS.MCAST.NET/8  anywhere                  n/a
> DENY    all   --   anywhere                  BASE-ADDRESS.MCAST.NET/8  n/a
> DENY    all   --   203.190.34.0/24           anywhere                  n/a
> DENY    udp   --   anywhere                  anywhere                  any -> bootps:bootpc
> ACCEPT  tcp   --   192.168.5.0/24            192.168.5.0/24            any -> http
> REJECT  tcp   --   anywhere                  192.168.5.0/24            any -> auth
> REJECT  udp   --   anywhere                  192.168.5.0/24            any -> auth
> DENY    tcp   --   anywhere                  anywhere                  any -> netbios-ns:netbios-ssn
> DENY    udp   --   anywhere                  anywhere                  any -> netbios-ns:netbios-ssn
> REJECT  udp   --   anywhere                  anywhere                  any -> router
> DENY    tcp   l-   anywhere                  anywhere                  any -> nfs
> DENY    udp   l-   anywhere                  anywhere                  any -> nfs
> DENY    tcp   --   anywhere                  anywhere                  any -> cvsup:6003
> DENY    udp   --   anywhere                  anywhere                  any -> cvsup:6003
> ACCEPT  tcp   --   192.168.5.2               anywhere                  any -> radius
> ACCEPT  udp   --   192.168.5.2               anywhere                  any -> radius
> ACCEPT  tcp   --   192.168.5.2               anywhere                  any -> radius-acct
> ACCEPT  udp   --   192.168.5.2               anywhere                  any -> radius-acct
> ACCEPT  icmp  --   anywhere                  192.168.5.0/24            any -> any
> ACCEPT  tcp   --   anywhere                  192.168.5.0/24            any -> 1023:65535
> ACCEPT  udp   --   anywhere                  192.168.5.0/24            any -> 1023:65535
> DENY    all   l-   anywhere                  anywhere                  n/a
>
> Chain forward (policy DENY):
>
> Chain output (policy ACCEPT):
> target  prot  opt  source                    destination               ports
> ACCEPT  all   --   anywhere                  anywhere                  n/a
> ACCEPT  icmp  --   192.168.5.0/24            anywhere                  any -> any
> ACCEPT  all   --   anywhere                  anywhere                  n/a
Re: Radius can not read shadow file, permissions changes automatically
> Hi All,
> This is very frustrating for us. We are running radiusd (through
> radwatch) with user radius and group radius. Since radiusd must
> be able to read the shadow file, we have created a new user
> radius and group radius, and have manually changed the
> permissions of shadow file which looks as follows:
>
> -rw-r----- 1 root radius

How about adding radius to the root group:

/etc/group
root:x:0:radius

> But what is happening, yesterday at 4:23PM, and today at 11:33AM
> the permissions were snatched away, making streams of invalid
> logins and beeping our beepers from a team of unhappy users. The
> file permissions go back to original state, that is:
>
> -rw------- 1 root root

OK, so my first suggestion won't help in that case. My RedHat knowledge is limited, I'm a Debian man. Debian's default for /etc/shadow is -rw-r-----, so my trick above would work.

> We have checked everything (we think), crontab etc, but nothing
> can be found. Please help us.

What would modify the shadow file? Adding/deleting users and changing passwords. I can't think of anything else. May I suggest testing these three. The seeming randomness at these times suggests it being triggered by a user changing their password, or something similar.

> We have even tried changing permission from linuxconf (fools, but
> you should have seen our frustrated faces), only to get the same
> result.
>
> We are running freeradius 0.4 (Reply-Message does not seem to
> work in 0.5, but that is another issue) in RedHat 7.1.
>
> Thanks in advance, and please, we do not want to run radiusd as
> root, that is a security issue, is not it?

Of course. freeradius prior to version 4 has a remote exploit, running software as root is always a risk, connecting your computer to the internet is always a risk :-)

However, if you use ipchains/iptables to block incoming data on your radius ports unless the packet is from your NAS, then that will greatly improve security.

How about chrooting your radius installation, and have a script copy /etc/shadow (and other needed files) to /chroot/freeradius/etc/shadow and set appropriate permissions so that radius can read the chroot'd /etc/shadow

Or perhaps changing these lines in radiusd.conf

passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group

to point to copies of these files, again with needed permissions.

As of yet I haven't tested that, however it is on my todo list (along with 2^10 other things).

> --
> The steady state of disks is full.
> -- Ken Thompson
>
> Dr. Muhammad Masroor Ali
> Associate Professor and Associate Director
> Institute of Information and Communication Technology
> Bangladesh University of Engineering and Technology
> Dhaka-1000, Bangladesh
> Phone: 880 2 966 5602 (Office), 880 2 966 5700 (Residence)
> Fax: 880 2 966 5602, 880 2 861 3046, 880 2 861 3026

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix
Re: Welcome to the "Freeradius-Users" mailing list
It looks to me like FreeRadius is receiving and processing the radius requests, it's just the answer isn't getting back to the radtest program, which is very strange as they are both on the one machine.

I would check your firewall rules to make sure it's not blocking it.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "Michael S. McCollough" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 18, 2002 3:24 PM
Subject: RE: Welcome to the "Freeradius-Users" mailing list

> I am having trouble with radiusd. I am using Freeradius 0.4 (0.5 came out just a couple of days after I downloaded this so rather than update, I would like to get 0.4 working properly first then update). I am authenticating off an LDAP directory and it connects and authenticates (sometimes). When I issue a test with the radtest command (only one request) you can see that it retries a few times before getting an answer. On the radiusd side, I can see that it recognizes the initial request as it is issued and continues to scroll stuff (for lack of a technical term) by on the screen. After the access-accept is seen it continues connecting to the ldap directory over and over again before finally sleeping. Subsequent tests with radtest timeout with no response. I need to have this server up and working by Monday so if anyone can help, it will be much appreciated. LDAP directory is working fine and quickly with sendmail/pop3 and local system auth for other servers so I do not believe it is an LDAP problem.
>
> All I want radius to do is authenticate username/password from the ldap directory. I do not want to store radius configs/attributes in directory yet, I will hit that as the next logical step.
> > Thanks in advance for your help > Michael > > > The radtest command: > > [root@radius root]# radtest michaelm.mebtel.net apassword localhost 1812 > testing123 > Sending Access-Request of id 137 to 127.0.0.1:1812 > User-Name = "michaelm.mebtel.net" > Password = "8\332{a\302\027\234\373\336\371((\373D\242E" > NAS-IP-Address = radius.uchub.com > NAS-Port-Id = "1812" > Sending Access-Request of id 137 to 127.0.0.1 > User-Name = "michaelm.mebtel.net" > Password = "8\332{a\302\027\234\373\336\371((\373D\242E" > NAS-IP-Address = radius.uchub.com > NAS-Port-Id = "1812" > Sending Access-Request of id 137 to 127.0.0.1 > User-Name = "michaelm.mebtel.net" > Password = "8\332{a\302\027\234\373\336\371((\373D\242E" > NAS-IP-Address = radius.uchub.com > NAS-Port-Id = "1812" > Sending Access-Request of id 137 to 127.0.0.1 > User-Name = "michaelm.mebtel.net" > Password = "8\332{a\302\027\234\373\336\371((\373D\242E" > NAS-IP-Address = radius.uchub.com > NAS-Port-Id = "1812" > Sending Access-Request of id 137 to 127.0.0.1 > User-Name = "michaelm.mebtel.net" > Password = "8\332{a\302\027\234\373\336\371((\373D\242E" > NAS-IP-Address = radius.uchub.com > NAS-Port-Id = "1812" > Sending Access-Request of id 137 to 127.0.0.1 > User-Name = "michaelm.mebtel.net" > Password = "8\332{a\302\027\234\373\336\371((\373D\242E" > NAS-IP-Address = radius.uchub.com > NAS-Port-Id = "1812" > Sending Access-Request of id 137 to 127.0.0.1 > User-Name = "michaelm.mebtel.net" > Password = "8\332{a\302\027\234\373\336\371((\373D\242E" > NAS-IP-Address = radius.uchub.com > NAS-Port-Id = "1812" > rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=137, length=20 > > Radius Server Output: > [root@radius raddb]# radiusd -a /var/log -X > Starting - reading configuration files ... 
> reread_config: reading radiusd.conf > Config: including file: /usr/local/etc/raddb/proxy.conf > Config: including file: /usr/local/etc/raddb/clients.conf > Config: including file: /usr/local/etc/raddb/snmp.conf > Config: including file: /usr/local/etc/raddb/sql.conf > main: prefix = "/usr/local" > main: localstatedir = "/usr/local/var" > main: logdir = "/usr/local/var/log/radius" > main: libdir = "/usr/local/lib" > main: radacctdir = "/usr/local/v
Re: /etc/passwd / System auth not working
Change it to cache = yes. There is a bug in the non-caching code.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "Thomas Keitel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 13, 2002 12:23 PM
Subject: Re: /etc/passwd / System auth not working

> Hello Again,
>
> Everything in the config is stock except for:
>
>     #
>     # Cache /etc/passwd, /etc/shadow, and /etc/group
>     #
>     # The default is to NOT cache them. However, caching them can
>     # speed up system authentications by a substantial amount.
>     #
>     # allowed values: {no, yes}
>     cache = no
>     # Reload the cache every 600 seconds (10mins). 0 to disable.
>     cache_reload = 600
>
>     #
>     # Define the locations of the normal passwd, shadow, and
>     # group files.
>     #
>     # 'shadow' is commented out by default, because not all
>     # systems have shadow passwords.
>     #
>     passwd = /etc/passwd
>     shadow = /etc/master.passwd
>     group = /etc/group
>
>     #
>     # Where the 'wtmp' file is located.
>     # This will be moved to it's own module soon..
>     #
>     radwtmp = ${logdir}/radwtmp
> }
>
> Switched to running radius as root, but is there a way to use system
> auth w/o this? Perhaps running as username radius?
>
> Thanks,
>
> Tom
>
> Roy Hooper wrote:
>
> >Are you running the server as root?
> >Are you running without passwd and shadow set in the unix configuration
> >block?
> >
> >Why don't you post your config file, and then I'll peruse the code to see
> >what might be getting in the way if it is not a config error.
> >
> >--
> >Roy Hooper
> >Project Manager & Senior UNIX Consultant
> >Decisive Technologies Inc.
> >
> >----- Original Message -----
> >From: "Thomas Keitel" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Tuesday, March 12, 2002 6:14 PM
> >Subject: /etc/passwd / System auth not working
> >
> >Hello All,
> >
> >New to the list. I have the faq and googled this to tears but, I have
> >having a hard time getting freeradius .4 to correctly auth users against
> >the FreeBSD 4.5 passwd file. The password is correct and I am at a loss.
> >
> >Thanks,
> >
> >Tom
> >
> >radius.log:
> >
> >Message:Auth: rlm_unix : [jdoe]: invalid password
> >Message:Auth: Login incorrect: [jdoe/jdspw] (from nas UNKOWN-NAS port 1)
> >
> >radiusd debug:
> >
> >modcall: entering group authorize
> >  modcall[authorize]: module "preprocess" returns ok
> >  modcall[authorize]: module "suffix" returns ok
> >users: Matched DEFAULT at 145
> >  modcall[authorize]: module "files" returns ok
> >modcall: group authorize returns ok
> >  rad_check_password: Found Auth-Type System
> >auth: type "System"
> >modcall: entering group authenticate
> >rlm_unix: [jdoe]: invalid password
> >  modcall[authenticate]: module "unix" returns reject
> >modcall: group authenticate returns reject
> >auth: Failed to validate the user.
Re: Testing validity of users files.
Doh, read the FAQ properly Andrew!!

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

5.9 How do I check the configuration before sending a HUP to the server?

Some administrators have automated scripts to update the radius servers configuration files. The server can then be signalled via a HUP signal to re-read the configuration files. The problem with this approach is that any syntax errors in the configuration file may cause your main radius server to die! No one wants this to happen so there should be some process of checking the configuration files prior to re-starting the server.

For versions prior to 1.6.4, you can use the following script: ftp://ftp.freeradius.org/pub/radius/contrib/check-radiusd-config.sh

With 1.6.4 and later, you can simply use radiusd -C to check the configuration. It will print the status and exit with a zero exit status if everything is fine or with a non-zero exit status if errors were found in the configuration. In the example script in the paragraph above this has already been used.

----- Original Message -----
From: "Andrew Tait" <[EMAIL PROTECTED]>
To: "FreeRadius" <[EMAIL PROTECTED]>
Sent: Wednesday, March 06, 2002 4:08 PM
Subject: Testing validity of users files.

> Hi All,
>
> We recently changed to FreeRadius from Cistron a few weeks ago for our main
> authentication server.
>
> We have our main users file which is essentially static, and then several
> more files, (eg, users.chap) included which change constantly.
>
> With Cistron, if there was an error in the users.chap files, it would simply
> ignore that entire file, and continue on. This way, only the users that
> dial our CHAP only dial-in server are affected (we mainly use PAP).
>
> FreeRadius however, just dies!!
>
> The latest Cistron also has an option to check that the users files are
> valid (I'm not sure of the command as we are still running the debian stable
> package 1.6.1 (soon to be retired), but I know it exists).
>
> Is there any way with freeradius that I can test that the users files are
> valid, before actually reloading radius?
>
> Andrew Tait
> System Administrator
> Country NetLink Pty, Ltd
> E-Mail: [EMAIL PROTECTED]
> WWW: http://www.cnl.com.au
> 30 Bank St Cobram, VIC 3644, Australia
> Ph: +61 (03) 58 711 000
> Fax: +61 (03) 58 711 874
>
> "It's the smell! If there is such a thing." Agent Smith - The Matrix
Testing validity of users files.
Hi All,

We recently changed to FreeRadius from Cistron a few weeks ago for our main authentication server.

We have our main users file which is essentially static, and then several more files, (eg, users.chap) included which change constantly.

With Cistron, if there was an error in the users.chap files, it would simply ignore that entire file, and continue on. This way, only the users that dial our CHAP only dial-in server are affected (we mainly use PAP).

FreeRadius however, just dies!!

The latest Cistron also has an option to check that the users files are valid (I'm not sure of the command as we are still running the debian stable package 1.6.1 (soon to be retired), but I know it exists).

Is there any way with freeradius that I can test that the users files are valid, before actually reloading radius?

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix
Re: Re[2]: What happened to CHAP?
This doesn't look good.

[/usr/local/etc/raddb/users]:2 WARNING! Changing 'Password =' to 'Password ==' ?

May I suggest something like this in your users file:

bob     Auth-Type := Local, Password := bob
        Fall-Through = Yes

Also, once you actually run radtest, there should be more info from radiusd -X after:

Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on 1647/udp.
Ready to process requests.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "Darkshot" <[EMAIL PROTECTED]>
To: "Andrew Tait" <[EMAIL PROTECTED]>
Sent: Tuesday, February 26, 2002 2:44 PM
Subject: Re[2]: What happened to CHAP?

> > Try running freeradius in debug mode (radiusd -X), and send us the output,
> > as well as the output of radtest (including all the arguments you are
> > passing it, eg "radtest bob bob 1 127.0.0.1 testing123"
>
> Thanks. I appreciate the help.
Here's the output from "bob bob" > > # radtest bob bob localhost 0 testing123 > Sending Access-Request of id 74 to 127.0.0.1:1645 > User-Name = "bob" > Password = "\264\223\313 \000\371\343\347\3472\026*\033j\342Z" > NAS-IP-Address = annwn > NAS-Port-Id = "0" > rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=74, length=20 > > Here's the "bob" radius entry: > > bob Password = "bob" > Reply-Message = "Hello, bob" > > > Here's what one of my my "normal" radius entries looks like: > > darkshot Auth-Type := Local, Password == "example" > (I've also used: > darkshot Password = "example" ) > > Service-Type = Framed-User, > Framed-Protocol = PPP, > Framed-Routing = None, > Ascend-Assign-IP-Pool = 1, > Ascend-Data-Filter = "ip in forward dstip 216.228.96.0/20", > Ascend-Data-Filter = "ip in drop tcp dstport = 25", > Ascend-Data-Filter = "ip in forward" > > > BTW, the clients and clients.conf files are both correct as far as I > know. The "clients" file has been working on my antique radius (ascend > 1.6) for hell and ever. > > > And here's the output from radiusd -X: > > Starting - reading configuration files ... 
> reread_config: reading radiusd.conf > Config: including file: /usr/local/etc/raddb/proxy.conf > Config: including file: /usr/local/etc/raddb/clients.conf > Config: including file: /usr/local/etc/raddb/snmp.conf > Config: including file: /usr/local/etc/raddb/sql.conf > main: prefix = "/usr/local" > main: localstatedir = "/usr/local/var" > main: logdir = "/usr/local/var/log/radius" > main: libdir = "/usr/local/lib" > main: radacctdir = "/usr/local/var/log/radius/radacct" > main: hostname_lookups = no > read_config_files: reading dictionary > read_config_files: reading clients > read_config_files: reading realms > read_config_files: reading naslist > main: max_request_time = 30 > main: cleanup_delay = 5 > main: max_requests = 1024 > main: delete_blocked_requests = 0 > main: port = 0 > main: allow_core_dumps = no > main: log_stripped_names = no > main: log_auth = no > main: log_auth_badpass = no > main: log_auth_goodpass = no > main: pidfile = "/usr/local/var/run/radiusd.pid" > main: user = "root" > main: group = "root" > main: usercollide = no > main: lower_user = "no" > main: lower_pass = "no" > main: nospace_user = "no" > main: nospace_pass = "no" > main: proxy_requests = yes > proxy: retry_delay = 5 > proxy: retry_count = 3 > proxy: synchronous = no > proxy: dead_time = 120 > main: debug_level = 0 > read_config_files: entering modules setup > Module: Library search path is /usr/local/lib > Module: Loaded System > unix: cache = no > unix: passwd = "/etc/passwd" > unix: shadow = "(null)" > unix: group = "/etc/group" > unix: radwtmp = "/usr/local/var/log/radius/radwtmp" > unix: usegroup = no > unix: cache_reload = 600 > Module: Instantiated unix (unix) > Module: Loaded preprocess > preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" > preprocess: hints = "/usr/local/etc/raddb/hi
Re: What happened to CHAP?
Don't forget that in order for CHAP authentication to work, the password needs to be stored in plain text on the radius server. You can't use CHAP to authenticate against /etc/passwd.

Try putting an entry in the users file that has the password specified.

Try running freeradius in debug mode (radiusd -X), and send us the output, as well as the output of radtest (including all the arguments you are passing it, eg "radtest bob bob 1 127.0.0.1 testing123")

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "Darkshot" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 26, 2002 1:53 PM
Subject: What happened to CHAP?

> Sorry if this is in the FAQ, but what I've found in the FAQ so far is
> misleading- it mentions a module that I can't find.
>
> In short, I'm using CHAP on Max 4K and 6K boxes and in trying to get
> freeradius to work, I get the:
>
> Auth: rlm_unix: Attribute "Password" is required for authentication.
> Cannot use "CHAP-Password".
>
> I see in the radiusd.conf that a module is needed, but it looks as if
> it must be created from scratch- and the list archive specifically
> mentions this "chap module".
>
> So I'm kind of confused. The version of freeradius I'm running is
> freeradius-0.4 and the debug mode shows no problems at all. I've also
> tried the "bob bob" entry for radtest- I get this:
>
> Received Access-Reject packet from 127.0.0.1 with invalid signature!
>
> Any clues appreciated- I just started working with it tonight, anyway.
>
> Thanks-
>
> 'Shot
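Added example, not part of the original posts: the PAP and CHAP checks discussed in this reply and in the earlier "Re: re:" reply, written in Python from RFC 2865 (User-Password hiding, CHAP-Password) and RFC 1994 (CHAP response). It shows why a server that holds only a one-way hash, as in /etc/shadow, can verify PAP but not CHAP. The salt, the challenge bytes and the salted SHA-256 stand-in for crypt(3) are constructed for the example; "bob" and "testing123" are the test values used in the thread.

```python
"""RADIUS PAP vs CHAP password checks (RFC 2865 sections 5.2 and 5.3, RFC 1994)."""
import hashlib
import hmac


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: build the User-Password value (RFC 2865 section 5.2)."""
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("need a 16-octet authenticator and a password <= 128 octets")
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16 octets
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # the next pad is derived from the previous hidden block
    return out


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding. The server now holds the cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Dial-up side: MD5(identifier || password || challenge), RFC 1994."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_password_attr(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side: CHAP-Password value = identifier octet + 16-octet response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def check_chap(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """Server side: recompute the response from whatever is stored for the user."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for crypt(3) in /etc/shadow: salted and one-way."""
    return hashlib.sha256(salt + password).digest()


def check_pap_against_hash(hidden, secret, authenticator, salt, stored_hash) -> bool:
    """PAP works with a hashed store: recover the cleartext, hash it, compare."""
    cleartext = pap_recover(hidden, secret, authenticator)
    return hmac.compare_digest(one_way_hash(cleartext, salt), stored_hash)


def demo() -> dict:
    secret = b"testing123"             # NAS/server shared secret (radtest value)
    authenticator = bytes(range(16))   # constructed Request Authenticator
    challenge = bytes(range(16, 32))   # constructed CHAP challenge
    password, salt = b"bob", b"constructed-salt"
    shadow_entry = one_way_hash(password, salt)

    hidden = pap_hide(password, secret, authenticator)
    chap = chap_password_attr(0x2A, password, challenge)
    return {
        "pap_vs_shadow_hash": check_pap_against_hash(
            hidden, secret, authenticator, salt, shadow_entry),
        "chap_vs_cleartext": check_chap(chap, challenge, password),
        # The hash is not the value the dial-up side fed into MD5, so this fails.
        "chap_vs_shadow_hash": check_chap(chap, challenge, shadow_entry),
        "chap_wrong_password": check_chap(chap, challenge, b"notbob"),
        "server_sees_pap_cleartext": pap_recover(hidden, secret, authenticator),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The PAP path hands the server the cleartext, which is why the log_auth_badpass and log_auth_goodpass settings seen in the debug output elsewhere in this thread deserve care; the CHAP path never does, at the cost of requiring a cleartext copy on the server.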
Re: Configuring to use shadow passwords
up found in hashtable bucket 3418 HASH: user msql found in hashtable bucket 14409 HASH: user operator found in hashtable bucket 21748 HASH: user list found in hashtable bucket 91138 HASH: user irc found in hashtable bucket 2346 HASH: user gnats found in hashtable bucket 75017 HASH: user nobody found in hashtable bucket 99723 HASH: user andrewt found in hashtable bucket 53363 HASH: user marine found in hashtable bucket 64462 HASH: user ntop found in hashtable bucket 51851 HASH: user freerad found in hashtable bucket 13457 HASH: user mervynj found in hashtable bucket 75613 HASH: user radtest found in hashtable bucket 16015 HASH: user Administrator found in hashtable bucket 86869 HASH: Stored 29 entries from /etc/passwd HASH: Stored 45 entries from /etc/group HASH: user radtest found in hashtable bucket 16015 modcall[authenticate]: module "unix" returns reject modcall: group authenticate returns reject auth: Failed to validate the user. Sending Access-Reject of id 98 to 127.0.0.1:1028 Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 98 with timestamp 3c742166 Nothing to do. Sleeping until we see a request. *** Andrew Tait System Administrator Country NetLink Pty, Ltd E-Mail: [EMAIL PROTECTED] WWW: http://www.cnl.com.au 30 Bank St Cobram, VIC 3644, Australia Ph: +61 (03) 58 711 000 Fax: +61 (03) 58 711 874 "It's the smell! If there is such a thing." Agent Smith - The Matrix - Original Message - From: "Alan DeKok" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, February 21, 2002 2:58 AM Subject: Re: Configuring to use shadow passwords > "Andrew Tait" <[EMAIL PROTECTED]> wrote: > > I have setup freeradius on another server (actually it was still setup from > > our previous testing). > ... 
> > The only thing I noticed was: > > > Module: Loaded System > > unix: cache = no > > I'm not sure that the non-caching code in rlm_unix has been well > tested. Enable the caching, and it may work. > > If so, then that there's a bug in the non-caching code. > > Alan DeKok. > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configuring to use shadow passwords
ULT at 163 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok modcall: group authorize returns ok rad_check_password: Found Auth-Type System auth: type "System" modcall: entering group authenticate rlm_unix: [radtest]: invalid password modcall[authenticate]: module "unix" returns reject modcall: group authenticate returns reject auth: Failed to validate the user. Sending Access-Reject of id 166 to 127.0.0.1:1026 Finished request 0 Going to the next request SMUX connect try 2 Can't connect to SNMP agent with SMUX: Connection refused --- Walking the entire request list --- Waking up in 6 seconds... SMUX connect try 3 Can't connect to SNMP agent with SMUX: Connection refused --- Walking the entire request list --- Cleaning up request 0 ID 166 with timestamp 3c72e309 Nothing to do. Sleeping until we see a request. ** - Original Message - From: "Alan DeKok" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, February 20, 2002 2:51 AM Subject: Re: Configuring to use shadow passwords > "Andrew Tait" <[EMAIL PROTECTED]> wrote: > > The fix was to comment out the shadow = /etc/shadow. > > > > No matter what I did I couldn't get it to work, until I decided to go back > > to the default debian config, and try it again. Use the default config it > > worked. After uncommenting the shadow line again, it didn't work. > > Have you read the debug messages to see *why*? The messages will > usually be helpful. > > Were you running the server under the correct uid to read > /etc/shadow? Read the comments in the configuration file around the > 'shadow' item. > > > If there's a bug in the server, then we need to know what it is, and > to fix it. If there's something unclear in the documentation, we need > to fix that, too. > > Alan DeKok. > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Spam was Training Seminar: Environmental Register
And a subscribe to post. I literally get more spam from the debian mailing lists than everything else combined!

Plain HTML would be nice too.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "Peter Machell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 20, 2002 9:27 AM
Subject: Re: Spam was Training Seminar: Environmental Register

> I can't even read this but I expect it's spam.
>
> How to keep it off the list? Reject HTML messages. I believe both
> majordomo and mailman offer this feature.
>
> On Tue, 19 Feb 2002, Settec wrote:
>
> >Agooza Police Tower,Nawal St., Third floor, Agooza, Giza, Egypt
> >Tel./Fax. +2 (02) 3387527 - +2 (02) 3362040 - +2 (02) 7614343
> >Mobile. +2 (012) 3228395
> >E.mail [EMAIL PROTECTED] Web Page: www.settecltd.com
Re: Configuring to use shadow passwords
Yes, sorry.

The fix was to comment out the shadow = /etc/shadow.

No matter what I did I couldn't get it to work, until I decided to go back to the default debian config, and try it again. Using the default config, it worked. After uncommenting the shadow line again, it didn't work.

As I said before the server has been running live since thursday/friday.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "IH - Net Admin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 19, 2002 12:27 PM
Subject: Re: Configuring to use shadow passwords

> What was the fix? Was it just putting the #shadow back?
>
> That was the exact same problem we had, but have not been able to resolve
> it.
>
> -----Original Message-----
> From: "Andrew Tait" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Date: Tue, 19 Feb 2002 10:36:21 +1100
> Subject: Re: Configuring to use shadow passwords
>
> > Hi All,
> >
> > We recently spent several days trying to track down that problem.
> >
> > We are running Debian 2.2 potato (stable) with quite a few packages pulled
> > from woody (testing), w/ shadow passwords.
> >
> > As per the configuration file, we uncommented the:
> >
> > # shadow = /etc/shadow
> >
> > line in the configuration file, which proved to be our mistake. We tried
> > just about everything else we could to get it working.
> >
> > Unfortunately I don't have copies of the output from radiusd -X and radtest,
> > and the server is now live.
> >
> > However, radtest was saying "Access-Reject packet", and radiusd -X mentioned
> > something about group authentication and then rlm_unix: invalid something.
> >
> > The problem we were experiencing was the authentication against accounts in
> > /etc/passwd|/etc/shadow was not working.
> >
> > We had other accounts where the password was stored in the users file, and
> > they were working fine.
> >
> > Andrew Tait
> > System Administrator
> > Country NetLink Pty, Ltd
> > E-Mail: [EMAIL PROTECTED]
> > WWW: http://www.cnl.com.au
> > 30 Bank St Cobram, VIC 3644, Australia
> > Ph: +61 (03) 58 711 000
> > Fax: +61 (03) 58 711 874
> >
> > "It's the smell! If there is such a thing." Agent Smith - The Matrix
> >
> > ----- Original Message -----
> > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, February 19, 2002 2:49 AM
> > Subject: Re: Configuring to use shadow passwords
> >
> > > "Robert Bess" <[EMAIL PROTECTED]> wrote:
> > > > Radius seems to be running. When I run radtest with a username that
> > > > exists in the /etc/raddb/users file it works if I specify a password.
> > > >
> > > > i.e. bob Password = "bob"
> > > >
> > > > but not if I try to use a real system user.
> > > >
> > > > i.e. bob Auth-Type = Unix
> > > >
> > > > When I do that radtest says: Access-Reject packet from host .
> > >
> > > Have you run the server in debugging mode to see what's *really*
> > > going on?
> > >
> > > > Is there any other reason my server might be rejecting the users in my
> > > > system password file?
> > >
> > > Have you read the FAQ?
> > >
> > > Alan DeKok.
Re: Configuring to use shadow passwords
Hi All,

We recently spent several days trying to track down that problem.

We are running Debian 2.2 potato (stable) with quite a few packages pulled from woody (testing), w/ shadow passwords.

As per the configuration file, we uncommented the:

# shadow = /etc/shadow

line in the configuration file, which proved to be our mistake. We tried just about everything else we could to get it working.

Unfortunately I don't have copies of the output from radiusd -X and radtest, and the server is now live.

However, radtest was saying "Access-Reject packet", and radiusd -X mentioned something about group authentication and then rlm_unix: invalid something.

The problem we were experiencing was the authentication against accounts in /etc/passwd|/etc/shadow was not working.

We had other accounts where the password was stored in the users file, and they were working fine.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 19, 2002 2:49 AM
Subject: Re: Configuring to use shadow passwords

> "Robert Bess" <[EMAIL PROTECTED]> wrote:
> > Radius seems to be running. When I run radtest with a username that
> > exists in the /etc/raddb/users file it works if I specify a password.
> >
> > i.e. bob Password = "bob"
> >
> > but not if I try to use a real system user.
> >
> > i.e. bob Auth-Type = Unix
> >
> > When I do that radtest says: Access-Reject packet from host .
>
> Have you run the server in debugging mode to see what's *really*
> going on?
>
> > Is there any other reason my server might be rejecting the users in my
> > system password file?
>
> Have you read the FAQ?
>
> Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho doesn't read /etc/raddb/radiusd.conf for location of rad(u/w)tmp
(Here is a copy of a bug I filed for the Debian package, #134539)

Package: radiusd-freeradius
Version: 0.4-1

The default directory for the radutmp and radwtmp files is /var/log/radiusd-freeradius/

However, we have specified a different directory (/var/log/) to store these files in /etc/raddb/radiusd.conf.

The radwho program still looks in /var/log/radiusd-freeradius/ for the rad(u/w)tmp files, as indicated by a "strace radwho".

A quick fix has been to create symbolic links to the real location of the rad(u/w)tmp files:

    bugs:/var/log/radiusd-freeradius# ls -al
    total 7
    drwxr-xr-x  3 root    freerad 1024 Feb 18 16:46 .
    drwxr-xr-x 15 root    root    5120 Feb 18 06:41 ..
    drwxr-xr-x  2 freerad freerad 1024 Dec 14 02:38 radacct
    lrwxrwxrwx  1 root    root      10 Feb 18 16:46 radutmp -> ../radutmp
    lrwxrwxrwx  1 root    root      10 Feb 18 16:45 radwtmp -> ../radwtmp

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
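
The symlink workaround from the bug report above, as an added shell example that is not part of the original post or of the FreeRADIUS package. The function name link_radwho_files is hypothetical and both directories are passed as arguments (the report's values would be /var/log/radiusd-freeradius and /var/log); it refuses to replace a regular file or a symlink that points elsewhere, so live accounting data is never overwritten.

```shell
#!/bin/sh
# Added example. link_radwho_files is a hypothetical helper name.
# Usage: link_radwho_files COMPILED_DIR REAL_DIR   (both absolute paths)
#   COMPILED_DIR  directory radwho looks in (report: /var/log/radiusd-freeradius)
#   REAL_DIR      directory set in radiusd.conf (report: /var/log)
# Returns 0 on success, 1 if a link would clobber something, 2 on bad arguments.
link_radwho_files() {
    compiled_dir=$1
    real_dir=$2
    for d in "$compiled_dir" "$real_dir"; do
        case "$d" in
            /*) [ -d "$d" ] || { echo "not a directory: $d" >&2; return 2; } ;;
            *)  echo "need an absolute path: $d" >&2; return 2 ;;
        esac
    done
    for name in radutmp radwtmp; do
        target="$real_dir/$name"
        link="$compiled_dir/$name"
        # Do not create a dangling link: the server may not have written
        # the file yet, and a dangling link hides that from the admin.
        if [ ! -f "$target" ]; then
            echo "skipping $name: $target does not exist" >&2
            continue
        fi
        if [ -L "$link" ]; then
            # Already linked: accept only if it points at the expected file.
            if [ "$(readlink "$link")" = "$target" ]; then
                continue
            fi
            echo "refusing: $link points somewhere else" >&2
            return 1
        elif [ -e "$link" ]; then
            # A real file here may hold session records; never replace it.
            echo "refusing: $link exists and is not a symlink" >&2
            return 1
        fi
        ln -s "$target" "$link" || return 1
    done
    return 0
}
```

Running it a second time with the same arguments is a no-op, which makes it safe to call from a package upgrade hook or a configuration-management run.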