Re: Lost-Carrier
Lost carrier is almost always a problem between the NAS and the user. The line's dropped and the NAS is sending the appropriate accounting information to the server.

On Fri, Dec 05, 2003, Rohaizam Abu Bakar wrote:
> A few of my users complain that they have been disconnected a
> few minutes after getting authenticated. I've searched the detail file and,
> from it, the records for these users have the same "Acct-Session-Time" for all
> their attempts to get connected. Each user will have the same
> Acct-Session-Time for all his attempts. And "Acct-Terminate-Cause"
> has the value "Lost-Carrier". What caused this problem? Is it a link
> problem between NAS and user or NAS and RADIUS? Or is it anything
> to do with a timeout setting?
>
> Acct-Session-Time = 120
> Acct-Input-Octets = 334
> Acct-Output-Octets = 340
> Acct-Input-Packets = 21
> Acct-Output-Packets = 21
> Acct-Terminate-Cause = Lost-Carrier
>
> Using Freeradius 0.9.3 with FB 4.8 configured with LDAP module.
>
> And the weird thing is that when switching to my very old RADIUS (Ascend),
> all the problematic users have no more problems.
>
> --haizam

Bill
--
INTERNET: [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP: camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``Virtually everything is under federal control nowadays except the federal budget.'' -- Herman E. Talmadge, 1975

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help with RLM MYSQL
On Wed, Dec 03, 2003, Breuer Nicolas - BelCenter.com wrote:
> Hello
>
> I have a big prob..
>
> I would like to use the rlm sql mysql module..
> My os is redhat 9 and i can't install and use this module..

I just ran into this last week when building freeradius under the OpenPKG.org packaging system. If your mysql headers and libraries aren't in /usr/local/include and /usr/local/lib or similar standard locations or aren't installed at all, you probably have to do a couple of things:

1. You may need to install the mysql-devel RPM on your RH system if the headers and libraries aren't there (I'm not very familiar with RH RPM structures, currently using SuSE, formerly Caldera Linux).

2. You may have to add a couple of options to your configure:

    ./configure \
        --with-mysql-include-dir=path_to_mysql_headers \
        --with-mysql-lib-dir=path_to_mysql_libraries \
        ...

The base ./configure script doesn't give the options for mysql or postgresql, and probably some others. I found them by running ``./configure --help'' in the appropriate directories.

Bill
Re: 0.9.3 has been released
On Thu, Nov 20, 2003, Alan DeKok wrote:
> Bug reports are nice. Lack of notification is stupid.

I'm running into a problem building 0.9.3 with MySQL support on FreeBSD 4.8 and on SuSE 9.0 Professional Linux.

The problem is that the test for libmysqlclient fails with an undefined reference to compress and uncompress. It appears that the configure.in file should have $old_LIBS after the -lmysqlclient to pick up the -lz that's found earlier in configure.

On FreeBSD this build was not able to find the ``floor'' function in the math libraries until I added ``-lm'' to LIBS before starting the build.

Looking at the src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in file, I would think that $mysql_lib_dir should be at the beginning of the list of directories to check rather than the end.

The mysql configuration succeeds with the attached patch.

Bill

diff -uNr /csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure --- /csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure 2003-09-04 11:14:18.0 -0400 +++ ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure 2003-11-26 16:10:33.0 -0500
@@ -978,8 +978,8 @@ old_LIBS="$LIBS" - for try in /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql $mysql_lib_dir; do - LIBS="$old_LIBS -L$try -lmysqlclient" + for try in $mysql_lib_dir /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql; do + LIBS="$old_LIBS -L$try -lmysqlclient $old_LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* - MYSQL_LIBS="-L$try -lmysqlclient" + MYSQL_LIBS="-L$try -lmysqlclient $old_LIBS" else echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 diff -uNr /csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in --- /csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in 2001-07-11 16:38:09.0 -0400 +++ ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in2003-11-26 16:10:55.0 -0500 @@ -70,10 +70,10 @@ dnlAC_LOCATE_DIR(mysql_lib_dir,[libmysqlclient.so]) dnlAC_LOCATE_DIR(mysql_lib_dir,[libmysqlclient.a]) - for try in /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql $mysql_lib_dir; do - LIBS="$old_LIBS -L$try -lmysqlclient" + for try in $mysql_lib_dir /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql; do + LIBS="$old_LIBS -L$try -lmysqlclient $old_LIBS" AC_TRY_LINK([extern char mysql_init();], [mysql_init()], - MYSQL_LIBS="-L$try -lmysqlclient", + MYSQL_LIBS="-L$try -lmysqlclient $old_LIBS", MYSQL_LIBS= ) if test "x$MYSQL_LIBS" != "x"; then
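Review bot: In both hunks the new `MYSQL_LIBS="-L$try -lmysqlclient $old_LIBS"` line copies the whole of the earlier LIBS into the module's link line, and the probe line `LIBS="$old_LIBS -L$try -lmysqlclient $old_LIBS"` now lists `$old_LIBS` twice. That resolves compress/uncompress only because -lz happens to be in LIBS already, and it drags every unrelated library found so far into rlm_sql_mysql. Appending just what libmysqlclient needs after `-lmysqlclient` (the -lz named in the message) would keep the module's link line minimal and make the dependency explicit.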
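Review bot: The first hunk edits the generated configure script by hand with the same three changes as the configure.in hunk, so the two files can drift apart the next time either is touched; the configure hunk should come from rerunning autoconf on the patched configure.in instead. On the reordered `for try in $mysql_lib_dir /usr/lib ...` list, a short comment saying that the user-supplied directory is meant to win over the system locations would document why the order matters, since an empty `$mysql_lib_dir` leaves the loop otherwise unchanged.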
Re: 0.9.3 has been released
On Fri, Nov 21, 2003, Alan DeKok wrote:
>Bill Campbell <[EMAIL PROTECTED]> wrote:
>> > For uint8_t arrays, The 'sizeof' the array is the number of elements.
>>
>> OK. While that may be the case for uint8_t, it seems to me that good
>> coding practice is to use sizeof here and not depend on knowledge of the
>> internal size of the elements.
>
> The problem is that the fields are defined in relation to the
>protocol: 16 octets. sizeof() is a C programming construct, and thus
>there may be padding in a struct. We do not want that padding to
>affect the program's ability to generate or parse 16 octet fields.

Perhaps it would be good to put some comments in radius.c explaining this, and be consistent in its use. This could save some head scratching in the future, particularly if somebody (like me) who's not all that familiar with the code is looking at it.

Bill
Re: 0.9.3 has been released
On Fri, Nov 21, 2003, Alan DeKok wrote:
>Bill Campbell <[EMAIL PROTECTED]> wrote:
>> On a related security note, the src/lib/radius.c program has several
>> references to msg_auth_vector and calc_auth_vector starting around line
>> 1108 with several memcpy and memcmp operations, some of which use
>> sizeof(calc_auth_vector) for the length, others with AUTH_VECTOR_LEN.
>> Given that msg_auth_vector is an array of uint8_t size AUTH_VECTOR_LEN, I
>> doubt these lengths would be the same.
>
> Huh? Why?
>
> For uint8_t arrays, The 'sizeof' the array is the number of elements.

OK. While that may be the case for uint8_t, it seems to me that good coding practice is to use sizeof here and not depend on knowledge of the internal size of the elements.

I may be a bit paranoid about this, because I've been known to shoot myself in the feet as a result of structure padding and such.

Bill
Re: 0.9.3 has been released
On Fri, Nov 21, 2003, Chris Parker wrote:
>At 11:18 AM 11/21/2003, Bill Campbell wrote:
>>On Fri, Nov 21, 2003, Alan DeKok wrote:
>>>Oliver Graf <[EMAIL PROTECTED]> wrote:
>>>> > With that said, 0.9.3 has been released. It's in the normal places:
>>>>
>>>> I submitted a security report and a new package ebuild to the gentoo
>>>> ( http://gentoo.org/ ) community.
>>>
>>> Thanks. This just re-iterates my belief that RADIUS servers should be
>>>on private networks, far away from any possible source of malicious
>>>packets.
>>
>>Either that, or packet filters that restrict the hosts that can
>>access the radius servers.
>
>Wouldn't work in this case, since packets are UDP a packet with spoofed
>source of a valid client will pass the filter. :\ All you'd need to
>DOS a radius server is a valid client IP. The RADIUS protocol makes
>it very hard to enforce additional restrictions, as the packet format
>is all in cleartext ( excepting certain Password attributes ) with
>no validation or signing.

It's kinda hard to have the radius server on a private network if it's doing authentication for wholesale dialup connections :-).

>The Message-Authenticator value would serve this purpose, however
>it is not required, and as such doesn't help in this case, either,
>and won't until or unless it is made mandatory. That would then
>break old clients/servers that don't support Message-Authenticator.
>
>http://www.freeradius.org/rfc/rfc2869.html#Message-Authenticator

Or they're running Nortel (Bay) Annex boxes which use broken MD5 hashes, and Nortel makes it difficult to get updated software.

Bill
Re: 0.9.3 has been released
On Fri, Nov 21, 2003, Alan DeKok wrote:
>Oliver Graf <[EMAIL PROTECTED]> wrote:
>> > With that said, 0.9.3 has been released. It's in the normal places:
>>
>> I submitted a security report and a new package ebuild to the gentoo
>> ( http://gentoo.org/ ) community.
>
> Thanks. This just re-iterates my belief that RADIUS servers should be
>on private networks, far away from any possible source of malicious
>packets.

Either that, or packet filters that restrict the hosts that can access the radius servers.

On a related security note, the src/lib/radius.c program has several references to msg_auth_vector and calc_auth_vector starting around line 1108 with several memcpy and memcmp operations, some of which use sizeof(calc_auth_vector) for the length, others with AUTH_VECTOR_LEN. Given that msg_auth_vector is an array of uint8_t size AUTH_VECTOR_LEN, I doubt these lengths would be the same.

Bill
Re: Operating System Question
On Thu, Jun 06, 2002 at 12:00:58PM +1000, Matthew Wallis wrote:
>
>Problem with building on MacOS X at the moment appears to be getting
>it working with OS X's ld.
>
>Keeps building static libraries, when we really want dynamic. If you can
>figure out how dynamic libraries work on OS X, you may need to patch the
>make file so that it can be built correctly.

Look at the documentation on libtool here. There are some fairly strange features under OS X when building static libraries. This site has quite a bit of good info on OS X porting. There's also a very active developer's mailing list running out of apple.com.

http://fink.sourceforge.net/doc/porting/libtool.php

Bill
Re: users -> ldap conversion
On Mon, May 20, 2002 at 03:16:37PM -0700, J.J.Bailey wrote:
>Hello,
>
>With freeradius-0.5, I'm using the users file to create IP pools and
>assign them to ascend max terminal servers, and assigning users to the
>pools when they login.
>
...
>I'm trying to convert to LDAP and see no equivalent functionality.
>Which tree should I be barking up?

There's a pretty reasonable set of migration tools, and lots of documentation on LDAP authentication on the padl.com site.

Bill
Re: Security
On Wed, May 15, 2002 at 08:58:17AM -0500, Chris Parker wrote:
>At 03:18 PM 5/15/2002 +1000, Andrew Tait wrote:
>>http://www.untruth.org/~josh/security/radius/radius-auth.html
>>
>>For those interested in finding out how easy.
>
>All predicated on the assumption that the attacker has access to the
>network traffic between the client ( NAS ) and the radius server. Like
>I said before, if an attacker has access to your network in such a manner
>there are a *lot* of interesting things they can do, cracking radius is
>just one of them. :)

The attacker doesn't necessarily have to have access to your net if say the radius traffic originates from a dialup wholesaler like megapop.

Anybody making NAS boxes that support IPSec tunnelling?

Bill
Re: spam on freeradius mailing list lately
On Mon, Jan 28, 2002 at 10:07:24AM +0530, Basavaraj Bendigeri wrote:
>I very much agree with that. Only registered users should be able to
>post messages to the list.

IMHO, one spam a month hardly warrants the problems making the list postable only by subscribers can cause. I maintain several technical mailing lists, and there are often problems when somebody who's on the list tries to post from a different machine.

Don't think I like spam. I was one of the people who originally got the Washington Attorney General's office interested in spam, resulting in one of the toughest anti-spam laws in the U.S.

Bill
Re: invalid signature
On Sat, Jan 26, 2002 at 08:02:45AM -1000, Gillou wrote:
>> > In debug mode i see these messages :
>> > Received Accounting-Request packed from IP with invalid signature!
>> >
>> > what does it mean ?
>>
>> Have you read the FAQ?
>>
>> Alan DeKok.
>
>Yes I read the FAQ and I can't find anything concerning Accounting packet
>with invalid signature

In my experience, this has meant that I had the wrong secret for the client attempting to access the server.

Bill
Re: WWW.FREERADIUS.ORG
On Fri, Jan 11, 2002 at 10:22:12AM -0500, Tabor J. Wells wrote:
>On Fri, Jan 11, 2002 at 08:50:53AM -0500,
>Steve Sobol <[EMAIL PROTECTED]> is thought to have said:
>
>> I *hope* the freeradius mailing list is only open for posting by
>> subscribers. I complained about OpenSSL-Users being wide open
>> once and got told "well, that's the way it has to be" and as a result
>> I unsubscribed. This list is a great resource and I'd hate to have to
>> leave it because non-subscribers are allowed to post, because that
>> would vastly increase the amount of spam I receive.
>
>It's an unfortunate problem, since generally speaking you want the
>support-type lists to be as accessible to people who need help as possible.

Considering the very low level of spam that gets through to this list, I don't think that the problem needs fixing. Restricting posting to members generally causes more problems than it's worth, particularly if the list is protected using other means.

Bill
Patches for Nortel (Bay) Annex
The attached patch to raddb/dictionary.bay has additional attributes for the Annex-RAC R18.0 software.

Bill

diff -uNr /vol/rpm/BUILD/freeradius-0.4.1/radiusd/raddb/dictionary.bay ./radiusd/raddb/dictionary.bay --- /vol/rpm/BUILD/freeradius-0.4.1/radiusd/raddb/dictionary.bayTue Apr 10 07:11:37 2001 +++ ./radiusd/raddb/dictionary.bay Mon Jan 7 21:25:10 2002
@@ -47,6 +47,36 @@ ATTRIBUTE Annex-Re-CHAP-Timeout 61 integer ATTRIBUTE Annex-MRRU 62 integer ATTRIBUTE Annex-EDO 63 string +# Larry Smith <[EMAIL PROTECTED]> and Bill Campbell <[EMAIL PROTECTED]> +# Annex R18.0 software +ATTRIBUTE Annex-PPP-Trace-Level 64 integer +ATTRIBUTE Annex-Pre-Input-Octets 65 integer +ATTRIBUTE Annex-Pre-Output-Octets 66 integer +ATTRIBUTE Annex-Pre-Input-Packets 67 integer +ATTRIBUTE Annex-Pre-Output-Packets68 integer +ATTRIBUTE Annex-Connect-Progress 69 integer +ATTRIBUTE Annex-Multicast-Rate-Limit 73 integer +ATTRIBUTE Annex-Maximum-Call-Duration 74 integer +ATTRIBUTE Annex-Multilink-Id 75 integer +ATTRIBUTE Annex-Num-In-Multilink 76 integer +ATTRIBUTE Annex-Logical-Channel-Number81 integer +ATTRIBUTE Annex-Wan-Number82 integer +ATTRIBUTE Annex-Port 83 integer +ATTRIBUTE Annex-Pool-Id 85 integer +ATTRIBUTE Annex-Compression-Protocol 86 string +ATTRIBUTE Annex-Transmitted-Packets 87 integer +ATTRIBUTE Annex-Retransmitted-Packets 88 integer +ATTRIBUTE Annex-Signal-to-Noise-Ratio 89 integer +ATTRIBUTE Annex-Retrain-Requests-Sent 90 integer +ATTRIBUTE Annex-Retrain-Requests-Rcvd 91 integer +ATTRIBUTE Annex-Rate-Reneg-Req-Sent 92 integer +ATTRIBUTE Annex-Rate-Reneg-Req-Rcvd 93 integer +ATTRIBUTE Annex-Begin-Receive-Line-Level 94 integer +ATTRIBUTE Annex-End-Receive-Line-Level95 integer +ATTRIBUTE Annex-Begin-Modulation 96 string +ATTRIBUTE Annex-Error-Correction-Prot 97 string +ATTRIBUTE Annex-End-Modulation98 string +## end lesmith # Bay Router Specific Attributes #
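Review bot: The added block jumps over attribute numbers 70-72, 77-80 and 84 without a comment, so a reader cannot tell whether those numbers are unassigned in R18.0 or were simply left out; a one-line comment at each gap would settle it. Annex-Connect-Progress (69) is also added as a bare integer with no VALUE lines in this hunk, and the closing `## end lesmith` marker has no matching opening marker (the opening comment names two contributors), so a symmetric begin/end pair would read more clearly.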
Re: Remote logging
On Thu, Jan 03, 2002 at 05:48:32PM -0800, [EMAIL PROTECTED] wrote:
>Hello,
>
>Has anyone had luck getting Freeradius to send its logs to a remote server?
>
>I would like to have all of my radius servers logging to a single
>source to make it easier to parse the logs. I have tried to run
>'radiusd -l syslog -g local5' and then have the local syslog redirect
>the logs to a different server, but the logdir entries in the
>radiusd.conf file seem to override the flags.
>
>Any thoughts?

I've thought about this quite a bit, particularly WRT to having secondary radius servers that pick up when the primary's down. The biggest problem I've found is that when I would want to use the forwarding, the proper server wouldn't be working. A robust solution needs to deal with cases where the main server's not working.

My solution is to have the primary accounting server run the log rolling commands on the secondary servers using ssh, then parse their backup logs along with the primary server's logs with a perl script that sorts them into time order.

Bill
Re: Decent docs
On Wed, Nov 28, 2001 at 01:42:02PM -0600, Chris Parker wrote:
>At 10:35 AM 11/28/2001 -0800, Bill Campbell wrote:
...
>>I've got a script that creates normal html, single-document html (easier to
>>search and print), and text output from DocBook SGML input. The fact that
>>DocBook automatically handles table of contents and the Index makes it far
>>more useful than if I had to do all this manually.
>
>TOC/Indexing automagically could be useful.
>
>However, in order to use it, I have to learn a whole new markup language.

Been there, done that. I've even attempted to put up with emacs to use their sgml mode, but find myself back in old-faithful vi when my frustration level goes over the top (even using emacs vi mode :-). That's also what led me to write my mm2docbook filters so I can write using my normal markup, and convert very quickly.

>Irony of ironies, the documentation for JADE ( the editor recommended
>on the docbook site ) sucks.

I think that jade isn't an editor, but a front-end processor that hides some of the docbook (or other DTD) stuff from the user. I further hide that by wrapping it in some perl and shell scripts that invoke it the way I want to use it.

One of the other things that Phil Hughes mentioned when I was talking to him was that he's been using abiword, and that it groks sgml. I don't normally use GUI-anything for writing, but I've downloaded the latest sources, and will be giving it a look shortly.

...
>If someone else wants to put it in docbook format and maintain it, feel
>free to do so. :)

I will most likely be adding freeradius documentation to our general support documentation. This will probably be aimed at the ISP's support people who need to modify the users file for their customer's requirements. Anything that's generally useful, I can make available.

Bill
Re: Decent docs
On Wed, Nov 28, 2001 at 11:39:05AM -0600, Chris Parker wrote:
...
>I dislike having to install additional things just to read a manual page,
>or to edit it. I'm just lazy I guess. :)

The whole object of SGML and DocBook is to allow one to maintain a single source from which one can produce html, text, or typeset text. Once converted to html, much of the interesting information is lost (such as the ability to create automatic indexes).

I've got a script that creates normal html, single-document html (easier to search and print), and text output from DocBook SGML input. The fact that DocBook automatically handles table of contents and the Index makes it far more useful than if I had to do all this manually.

I must admit that I write most of my documentation initially in vi with standard groff ``mm'' macros, and have written an mm2sgml script that does a pretty good job of translating. I find it a lot easier to handle lists and tables this way than writing sgml manually, and I've been doing documentation with the mm macros for the better part of 20 years so I'm more comfortable with it.

As an amusing aside, I was talking to Phil Hughes, publisher of Linux Journal, this weekend, reminiscing about the early days of the Seattle Unix Group, where the original board members were etc., and he noted that one of the original board members who worked for Phil's company SSC as a writer is now at Microsoft doing technical writing. Her boss at Microsoft was talking to her, and asked what she was doing that made her five to six times more productive than anybody else on the team. Her reply was that she writes everything with vi, then converts to M$-Word before submitting it.

Bill
Is 0.4 official?
Is the 0.4 release official now? I haven't seen anything on the mailing list about this (I haven't seen anything on the list at all for several days), but the CVS I pulled yesterday seems to say it is.

Bill
Re: Exec-Progrm ERRORS
On Sat, Nov 03, 2001 at 08:16:42AM +0800, louzhigang wrote:
>hello !
> when I using exec-program, DEFUNCT created. why?
>REDHAT 6.2 and Oracle8i.

I haven't looked at the freeradius code, but this normally happens when the parent process doesn't wait() on its children so they stay around until the parent terminates.

Bill
Re: Problem authenticating Annex 8000
On Mon, Oct 29, 2001 at 08:11:40PM -0500, Tim Mayo wrote:
>Bill,
>
>All versions of the BAY software prior to 18.0.2 are broken in regards
>to the Message-Authenticator. They send a strictly MD5 encoded secret
>instead of the encoding required by the RFC. This has been fixed in
>18.0.2 and only 18.0.2.

Thanks. I guess I have to go through the Annex build stuff again to get erpcd and na current before upgrading the NAS software. In any case, they seem to be working with the Message-Authenticator section disabled.

Given that this has also been a problem with Ascend boxes, and maybe other NAS boxes as well, I've been considering adding a field to the client structure that will allow one to disable the Message-Authentication tests on a per-client basis.

In looking at the code changes, it seems to me that passing a pointer to a radclient object to routines would be better than just passing a pointer to the secret as is now done. This would be a general solution, and later modifications and extensions would require fewer code changes.

At a minimum, this would require changes to rad_decode and all references to it. I would think that it would be better to do this for all routines that are using the client secret.

Any thoughts on whether this is a Good Idea(tm) and worth pursuing?

Bill
Re: Retrieve "user-name" from assigned IP of dial-in users
On Sun, Oct 28, 2001 at 07:22:55PM +0200, Sotiris P. Christodoulou wrote:
>I'm developing a web application for ISPs. The users of this application
>will be the dial-in users of the ISP. I need to retrieve the "user-name"
>of the dial-in user by using its assigned IP (I get it from the HTTP
>protocol when she/he interacts with my application). Do you know where
>this information (in most common ISP configurations and networks) is
>logged/kept? I want to install a proxy RADIUS server to get this
>information (user-name and the assigned IP-address), but how can I be
>sure that the NAS will always send the assigned IP to the RADIUS server?

I would probably set up a users entry that called radwho through the ``Exec-Program-Wait'' function, having that program parse the output of radwho to send the output back with Reply-Message.

    DEFAULT Client-IP-Address == webserver, Password == "somethingspecial"
            Exec-Program-Wait = "parseprog %u",
            Fall-Through = no

Now if the webserver sends a request with User set to its client's IP address and the password somethingspecial, I think it would then pass the client's IP address to parseprog through the %u option. The parseprog might be something like this:

    #!/bin/sh
    # $1 is the client's IP address, passed in through %u
    userip=$1
    # Hand the address to awk as a variable and compare it as a string,
    # so it is never spliced into the awk program or read as a regex.
    username=`radwho | awk -v ip="$userip" '$NF == ip {print $1; exit}'`
    echo "Reply-Message += \"$username\""
    # return non-zero which will treat as a login fail
    exit 1

Bill
Re: Problem authenticating Annex 8000
On Fri, Oct 26, 2001 at 05:39:18PM -0400, [EMAIL PROTECTED] wrote:
>Bill Campbell <[EMAIL PROTECTED]> wrote:
>> I'm having a problem getting an Annex 8000 running software version R16.0
>> to authenticate against freeradius 0.3. This Annex is talking to the
>> accounting side fine so the secrets have to agree, but when I try to
>> authenticate, I get:
>> Received packet from xxx.xxx.xxx.xxx with invalid Message-Authenticator!
>>
>> This Annex is working against Merit basic radius 3.6.
>
> Probably because Merit isn't checking the Message-Authenticator.

OK. After further checking, I've determined that the secret's OK (no surprise since accounting's working). I played with a few things including setting the calc_auth_vector and msg_auth_vector areas to zero, and changing the length of the memcmp test to AUTH_VECTOR_LEN to be consistent with all the other tests. None of these kept it from coming up with the invalid Message-Authenticator error.

My next step was to ifdef out the test entirely which of course got rid of the error message, and authentication now works.

My main question now is why is this happening? There's one attribute with a value of 80 in dictionary.bay. I don't see why this would be sent during authentication.

    #VALUE Annex-Connect-Progress IPXCP-Is-In-Open-State 80

Bill
--
INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC
UUCP: camco!bill PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``Nobody wants to be called common people, especially common people.'' Will Rogers
Re: Problem authenticating Annex 8000
On Fri, Oct 26, 2001 at 05:39:18PM -0400, [EMAIL PROTECTED] wrote:
>Bill Campbell <[EMAIL PROTECTED]> wrote:
>> I'm having a problem getting an Annex 8000 running software version R16.0
>> to authenticate against freeradius 0.3. This Annex is talking to the
>> accounting side fine so the secrets have to agree, but when I try to
>> authenticate, I get:
>> Received packet from xxx.xxx.xxx.xxx with invalid Message-Authenticator!
>>
>> This Annex is working against Merit basic radius 3.6.
>
> Probably because Merit isn't checking the Message-Authenticator.
>
> What's happening is that the Annex is probably sending an Ascend
>attribute, which is the same as Message-Authenticator. See 'doc/ascend'.

Looking at the source, this appears to be occurring in src/lib/radius.c about line 778 in a switch matching PW_MESSAGE_AUTHENTICATOR. If I read this right, it's saying that the calculated md5 digest isn't the same as the message digest. I would think that the secret's the same since the accounting side's working properly so either the data's corrupt or the md5 digest is calculated differently.

I'm digging through the Annex docs to see if there's anything there that might be helpful.

>> BTW: I'm working on checkrad, and have added what I think is proper port
>> checking. The one in the distribution only checks for an occurrence of the
>> login name, but doesn't check the port. I won't know if I have it right
>> until I get the authentication side working properly.
>
> Sounds good. If you have a patch, post it here.

This time I'll check it better than my last patch :-).

Bill
--
INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC
UUCP: camco!bill PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

Government spending? I don't know what it's all about. I don't know any more about this thing than an economist does, and, God knows, he doesn't know much. -- Will Rogers
Problem authenticating Annex 8000
I'm having a problem getting an Annex 8000 running software version R16.0 to authenticate against freeradius 0.3. This Annex is talking to the accounting side fine so the secrets have to agree, but when I try to authenticate, I get:

    Received packet from xxx.xxx.xxx.xxx with invalid Message-Authenticator!

This Annex is working against Merit basic radius 3.6.

I can authenticate against the freeradius server using the Merit radpwtst program so I think it has to be something weird with what the Annex 8000 is sending.

Any ideas?

BTW: I'm working on checkrad, and have added what I think is proper port checking. The one in the distribution only checks for an occurrence of the login name, but doesn't check the port. I won't know if I have it right until I get the authentication side working properly.

Bill
--
INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC
UUCP: camco!bill PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

My brother sent me a postcard the other day with this big satellite photo of the entire earth on it. On the back it said: ``Wish you were here''. -- Steven Wright
Patch to log bad shell failures
I just spent quite a while debugging a problem where Unix logins were failing. It turned out to be that /bin/pdksh wasn't in /etc/shells. The attached patch logs this failure to make it a lot easier to identify why logins fail (I did finally learn to use ddd and gdb :-). Actually I don't really care about the shell check since I'm running from a private gdbm hashed password file generated on another machine, and the program that generates this password file has already checked the real /etc/shells file, and disabled the passwords for root and other administrative accounts. This requires a local copy of getpwnam which bypasses the system routines. I've been doing this on Merit radius for several years, and now I have to see how this is going to interact with freeradius and its group checking. Bill -- INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC UUCP: camco!bill PO Box 820; 6641 E. Mercer Way FAX:(206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676 URL: http://www.celestial.com/ ``People from East Germany have found the West so confusing. It's so much easier when you have only one party.'' -- Linus Torvalde, Linux Expo Canada when asked about confusion over many Linux distributions. diff -uNr /usr/src/OpenLinux/BUILD/freeradius-0.3.orig/src/modules/rlm_unix/rlm_unix.c ./src/modules/rlm_unix/rlm_unix.c --- /usr/src/OpenLinux/BUILD/freeradius-0.3.orig/src/modules/rlm_unix/rlm_unix.c Mon Oct 1 11:22:52 2001 +++ ./src/modules/rlm_unix/rlm_unix.c Wed Oct 24 16:58:26 2001 @@ -415,8 +415,11 @@ } } endusershell(); - if (shell == NULL) + if (shell == NULL) { + radlog(L_AUTH, "rlm_unix: [%s]: invalid shell [%s]", + name, pws->pw_shell); return RLM_MODULE_REJECT; + } #endif #if defined(HAVE_GETSPNAM) && !defined(M_UNIX) 
@@ -461,9 +464,10 @@ * Check encrypted password. */ encpw = crypt(passwd, encrypted_pass); - if (strcmp(encpw, encrypted_pass)) + if (strcmp(encpw, encrypted_pass)) { + radlog(L_AUTH, "rlm_unix: [%s]: invalid password", name); return RLM_MODULE_REJECT; - + } return RLM_MODULE_OK; #endif /* OSFSIA */ #undef inst
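Review bot: in the @@ -415,8 +415,11 @@ hunk, the new radlog call writes name and pws->pw_shell into the log verbatim with %s between square brackets, so a value containing "]" or a newline would make the resulting line ambiguous to anyone parsing the auth log. If name can carry such characters, escape or sanitise it before logging. A one-line comment above the check saying that the reject means the account's shell was not found before endusershell() would also help the next reader.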
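Review bot: in the @@ -461,9 +464,10 @@ hunk, encpw is still passed straight to strcmp() after encpw = crypt(passwd, encrypted_pass); crypt() can return NULL, and that would crash the server at this comparison instead of rejecting the login. Since these lines are being touched anyway, test encpw for NULL first and return RLM_MODULE_REJECT in that case, with its own log message. The hunk also removes the blank line before return RLM_MODULE_OK, which is worth keeping for readability.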
Re: ./configure problems
On Thu, Oct 18, 2001 at 03:24:34PM -0500, Joe Hayes wrote:
>Could someone please tell me what the following error means, and how to
>fix it?
>
>./configure
>creating cache ./config.cache
>checking for gcc... no
>checking for cc... no
>configure: error: no acceptable cc found in $PATH
>
>Is there a specific directory to put freeradius.tar into before
>unarchiving it?
>
>I have tried several directories but keep having the same error.

It's telling you that you don't have a C compiler on your system. For more detail about configure failures, look in the config.log file in the build directory.

Bill
--
INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC
UUCP: camco!bill PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``Things in our country run in spite of government. Not by aid of it!'' Will Rogers