Re: Freeradius 0.9.3 with mysql

2003-12-11 Thread Dan Monjar
--On Thursday, December 11, 2003 01:40:40 PM -0500 Alan DeKok 
<[EMAIL PROTECTED]> wrote:

Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
Will a HUP force a reload of the config?
  Yes.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Were you able to address the occasional server crash in response to the HUP?

--
Daniel Monjar
IS Manager, Technical Services
bioMérieux, Inc.
Durham, NC US


RE: Cisco VPN 3000 experience

2003-11-19 Thread Dan Didier
Do you use group functions, or is everyone in the base group?
 
Thanks,
Dan
 

-Original Message- 
From: Tom Miller [mailto:[EMAIL PROTECTED] 
Sent: Wed 11/19/2003 4:14 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: Cisco VPN 3000 experience



I have two 3005s and a 3015 that authenticate users via Freeradius. It just
works right out of the box. I'm using our central LDAP directory that already
contains user authentication info.

-Tom

On Wed, Nov 19, 2003 at 03:46:18PM -0500, Dan Didier wrote:
> Hi list,
>
> I was wondering what people's experiences have been with using FreeRadius
> with the cisco VPN 3000 concentrator. 
>
> Are there any documents outlining this?
>
> Thanks,
> Dan
>
> -
> List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

--
Tom Miller, System Administrator   |   5700 SW 34th St. Suite 1235
Info Tech, Inc.|   Gainesville, FL 32608
   |   (352)381-4400 Voice
[EMAIL PROTECTED]  |   (352)381- Fax




Cisco VPN 3000 experience

2003-11-19 Thread Dan Didier
Hi list,

I was wondering what people's experiences have been with using FreeRadius
with the cisco VPN 3000 concentrator.  

Are there any documents outlining this?

Thanks,
Dan



Re: FreeRadius on TRU64 UNIX 5.1B

2003-11-13 Thread Dan O'Reilly
Hm...can't use the default compiler off of Tru64?  I hate having to
install another compiler.
At 11:03 AM 11/13/2003, Lars Evensen wrote:
Yes, I managed to get it to compile in the end :)

The solution to this problem is :
Compile using GCC 2.95.2, with gnumake. You also need to compile OpenLDAP
and BerkeleyDB (if LDAP support is wanted, which it was in my case).
Regards

Lars Evensen

On Mon, 10 Nov 2003, Dan O'Reilly wrote:

> I'm trying to get freeradius running on a Tru64 system (NEE: Digital
> UNIX) 5.1B.  The problem: it doesn't compile properly.  Sorry I can't
> be more succinct at this time, but I'm having a system problem & can't
> get the recompile started for a few hours.  In the meantime, has anybody
> successfully done this to version .92?
>
> Thanks!
>
> --
> +-----------------------+----------------------------------------+
> | Dan O'Reilly          |  "There are 10 types of people in this |
> | Principal Engineer    |   world: those who understand binary   |
> | Process Software      |   and those who don't."                |
> | http://www.process.com|                                        |
> +-----------------------+----------------------------------------+
>
>
>
> -
> List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html
>

--
+-----------------------+----------------------------------------+
| Dan O'Reilly          |  "There are 10 types of people in this |
| Principal Engineer    |   world: those who understand binary   |
| Process Software      |   and those who don't."                |
| http://www.process.com|                                        |
+-----------------------+----------------------------------------+




FreeRadius on TRU64 UNIX 5.1B

2003-11-10 Thread Dan O'Reilly
I'm trying to get freeradius running on a Tru64 system (NEE: Digital
UNIX) 5.1B.  The problem: it doesn't compile properly.  Sorry I can't
be more succinct at this time, but I'm having a system problem & can't
get the recompile started for a few hours.  In the meantime, has anybody
successfully done this to version .92?
Thanks!

--
+-----------------------+----------------------------------------+
| Dan O'Reilly          |  "There are 10 types of people in this |
| Principal Engineer    |   world: those who understand binary   |
| Process Software      |   and those who don't."                |
| http://www.process.com|                                        |
+-----------------------+----------------------------------------+




Re: FreeRadius (current) caching RSA ACE/Server requests

2003-07-28 Thread Dan Geist
Right, I was kinda figuring I could do it if I wrote it myself, just
wanted to see if it had already been done by someone else who was
willing to share. It's that whole re-inventing the wheel thing ;)

Thanks.
Dan

On Mon, 2003-07-28 at 13:24, Alan DeKok wrote:
> Dan Geist <[EMAIL PROTECTED]> wrote:
> > I know I can use the relay functions of freeradius to redirect to the
> > ACE/Server, but does anyone know of any functionality to cache
> > authenticated username/PASSCODE responses (on a minute by minute or
> > adjustable basis) to get around RSA's "security" feature and only ask
> > the RSA server if the cache is empty or has "expired"?
> 
>   Write a script on the server, or a new module.
> 
>   Alan DeKok.
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
Dan Geist | [EMAIL PROTECTED] | (404)269-6822
Network Security Engineer | Data Engineering | Cox Communications



FreeRadius (current) caching RSA ACE/Server requests

2003-07-28 Thread Dan Geist
Greets, all. I'm in the process of setting up a distributed system with
SecurID tokens for my auth attributes. RSA provides a rudimentary radius
server built into the ACE/Server (5.1) product, but it uses the
one-time-token system such that once you use an auth token, you can't
login anywhere else till that token expires (in this case, up to one
minute later).

I know I can use the relay functions of freeradius to redirect to the
ACE/Server, but does anyone know of any functionality to cache
authenticated username/PASSCODE responses (on a minute by minute or
adjustable basis) to get around RSA's "security" feature and only ask
the RSA server if the cache is empty or has "expired"?

Thanks.
Dan


-- 
Dan Geist | [EMAIL PROTECTED] | (404)269-6822
Network Security Engineer | Data Engineering | Cox Communications



Re: Squid with Freeradius

2003-06-05 Thread Dan Perik

From what I know, squid will NOT be a transparent proxy AND an
authenticating proxy at the same time.  But your email almost sounded
like you had one network you wanted to allow access transparently 
without authenticating, and another network which you wanted to allow
access only when authenticated (which can't be transparent).  I believe
this could be done with the proper squid proxy restriction settings. 
But you'd have to try it out to find out for sure.

- Dan

On Wed, 2003-06-04 at 15:35, Wei Ming Long wrote:
Hi Dan,
Excellent! It is great to know that you are using Squid with Freeradius,
that's exactly what I want to do too. I want Squid to authenticate the http
requests using Freeradius and I also want Squid to perform transparent
proxying so that users from another network do not have to change their
network settings like proxy-server etc.


>>> [EMAIL PROTECTED] 06/04/03 11:48AM >>>

We're using squid with freeradius as the authentication "engine".  As
far as I know, you can't have a transparent + authenticating proxy.  If
it's authenticating, then it has to be non-transparent.  

It's actually very easy.  You just need to set up the Squid ACLs right
(so that it requires auth).  Then you set Squid's external
authentication helper.  We're using a simple (40 lines) PERL script
which does the authentication. It uses a PERL radius module.  I'm not
even sure where I got the script.  I think I got it off of Squid's
site.  If you can't find it, let me know, and I can e-mail it to you.

The system works great for us.

- Dan

On Wed, 2003-06-04 at 11:32, Wei Ming Long wrote:
Hi everyone,
I would like to use the proxy server Squid to perform transparent proxying
and to authenticate http requests with Freeradius and was wondering if anyone
has done it and would appreciate it if you could provide details (configuration
files) of how to setup Squid and Freeradius to do just that.
Thanks.

Best regards
Matthew

-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG




-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG





Re: Squid with Freeradius

2003-06-04 Thread Dan Perik

We're using squid with freeradius as the authentication "engine".  As
far as I know, you can't have a transparent + authenticating proxy.  If
it's authenticating, then it has to be non-transparent.  

It's actually very easy.  You just need to set up the Squid ACLs right
(so that it requires auth).  Then you set Squid's external
authentication helper.  We're using a simple (40 lines) PERL script
which does the authentication. It uses a PERL radius module.  I'm not
even sure where I got the script.  I think I got it off of Squid's
site.  If you can't find it, let me know, and I can e-mail it to you.

The system works great for us.

- Dan

On Wed, 2003-06-04 at 11:32, Wei Ming Long wrote:
Hi everyone,
I would like to use the proxy server Squid to perform transparent proxying
and to authenticate http requests with Freeradius and was wondering if anyone
has done it and would appreciate it if you could provide details(configuration
files) of how to setup Squid and Freeradius to do just that.
Thanks.

Best regards
Matthew

-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG
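For the setup Dan describes above, here is an added example (written in Python, not the Perl script from the post and not Squid's or FreeRADIUS's own code) of a Squid basic-auth helper that sends a PAP Access-Request to FreeRADIUS directly and answers OK or ERR per line. The server address, shared secret and NAS-Identifier are assumptions; a reply is accepted only when its Response Authenticator verifies under the shared secret, and no reply means ERR.

```python
import hashlib
import os
import socket
import struct
import sys
from urllib.parse import unquote

# Assumptions (not from the thread): FreeRADIUS listens on the proxy host and
# SECRET is the shared secret configured for this host in its clients.conf.
RADIUS_SERVER = ("127.0.0.1", 1812)
SECRET = b"testing123"
TIMEOUT_SECONDS = 3.0

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 (at least 16), XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator."""
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, i.e. what the server does before checking."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; a value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident, user, password, secret, authenticator, nas_id=b"squid"):
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, pap_hide(password, secret, authenticator))
             + attribute(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server side, for reference: Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def check_reply(reply, ident, request_authenticator, secret):
    """Return the reply code only if the ID matches and the Response
    Authenticator verifies; a forged, stray or truncated packet yields None."""
    if len(reply) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length < 20 or length > len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return code if expected == reply[4:20] else None


def radius_authenticate(user: str, password: str) -> bool:
    ident = os.urandom(1)[0]
    authenticator = os.urandom(16)
    packet = build_access_request(ident, user.encode(), password.encode(), SECRET, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(TIMEOUT_SECONDS)
        sock.sendto(packet, RADIUS_SERVER)
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False  # fail closed: no answer means no access
    return check_reply(reply, ident, authenticator, SECRET) == ACCESS_ACCEPT


def helper_loop(stdin=sys.stdin, stdout=sys.stdout):
    """Squid basic-auth helper protocol: one 'user password' line in,
    'OK' or 'ERR' out.  Squid %-escapes the two fields, so unquote them."""
    for line in stdin:
        parts = line.rstrip("\r\n").split(" ", 1)
        if len(parts) != 2:
            stdout.write("ERR\n")
        else:
            user, password = (unquote(p) for p in parts)
            stdout.write("OK\n" if radius_authenticate(user, password) else "ERR\n")
        stdout.flush()


if __name__ == "__main__":
    helper_loop()
```

Squid would run it via `auth_param basic program /path/to/helper.py` with an ACL such as `acl authenticated proxy_auth REQUIRED` and `http_access allow authenticated`, which is the "set the ACLs so it requires auth" step above.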





RE: Ignoring request from unknown client

2003-04-03 Thread Rosenstein Dan





Thanks Chris, 
But I have 10.119.33.184 as well, which doesn't help: 
And clients itself should be enough (although obsolete).


client 10.119.33.184 {
    #
    #  The shared secret use to "encrypt" and "sign" packets between
    #  the NAS and FreeRADIUS.  You MUST change this secret from the
    #  default, otherwise it's not a secret any more!
    #
    #  The secret can be any string, up to 32 characters in length.
    #
    secret      = comverse
}




-Original Message-
From: Chris Brotsos [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, April 03, 2003 7:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Ignoring request from unknown client



At 10:31 AM 4/3/2003, you wrote:


>Hi,
>I'm using freeradius 0.8.1.
>I try activating it from actually two types of clients (which worked 
>successfully against other RADIUS servers).
>And keep getting server errors of the form:
>
>Ignoring request from unknown client 10.119.33.184:3458
>
>The client (IP) is configured in both: clients & clients.conf.


Just use clients.conf .



>10.119.33.184   comverse
>
>&
>
>client 10.119.33.61 {
>
> #
> #  The shared secret use to "encrypt" and "sign" packets between
> #  the NAS and FreeRADIUS.  You MUST change this secret from the
> #  default, otherwise it's not a secret any more!
> #
> #  The secret can be any string, up to 32 characters in length.
> #
> secret  = comverse
>}
>
>Does any one have an idea ?


Yes, you have 10.119.33.61 instead of 10.119.33.184 in clients.conf.


Chris









Ignoring request from unknown client

2003-04-03 Thread Rosenstein Dan





Hi,
I'm using freeradius 0.8.1.
I try activating it from actually two types of clients (which worked successfully against other RADIUS servers).
And keep getting server errors of the form:


Ignoring request from unknown client 10.119.33.184:3458


The client (IP) is configured in both: clients & clients.conf.


10.119.33.184       comverse


& 


client 10.119.33.61 {
    #
    #  The shared secret use to "encrypt" and "sign" packets between
    #  the NAS and FreeRADIUS.  You MUST change this secret from the
    #  default, otherwise it's not a secret any more!
    #
    #  The secret can be any string, up to 32 characters in length.
    #
    secret      = comverse
}


What seems fishy is that the (random) port number is attached to the IP. Perhaps the combination : is treated as the client and is thus not found in the config files ?

Does any one have an idea ?


Thanks for your help.
Danny Rosenstein.
Comverse Ltd.
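As an added illustration (not code from this thread or from FreeRADIUS), the following Python script parses both client formats mentioned above, the one-line `clients` file and the `client <address> { ... }` blocks of `clients.conf`, and reports which file actually lists the address in the error line. The file contents are constructed from the snippets in this thread, plus a constructed CIDR entry to show that network entries are matched as well; the source port in the log line is ignored because clients are keyed on address only.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed from the two snippets quoted in this thread.
CLIENTS_OLD = """\
# old 'clients' file: <address>  <secret>
10.119.33.184       comverse
"""

CLIENTS_CONF = """\
client 10.119.33.61 {
    #
    #  The shared secret use to "encrypt" and "sign" packets between
    #  the NAS and FreeRADIUS.
    #
    secret      = comverse
}
# constructed network entry, to show CIDR matching
client 192.168.0.0/16 {
    secret      = testing123
    shortname   = lab
}
"""

_BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
_KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def _strip_comments(text):
    """Drop '#' comments (whole-line or trailing) before parsing."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_clients_old(text):
    """Old 'clients' file: one '<address> <secret>' pair per line."""
    out = {}
    for line in _strip_comments(text).splitlines():
        parts = line.split()
        if len(parts) >= 2:
            out[parts[0]] = {"secret": parts[1]}
    return out


def parse_clients_conf(text):
    """clients.conf: 'client <address> { key = value ... }' blocks."""
    out = {}
    for addr, body in _BLOCK_RE.findall(_strip_comments(text)):
        out[addr] = dict(_KV_RE.findall(body))
    return out


def find_client(clients, src):
    """Return (address_key, attrs) of the entry covering src, else None.

    src may carry a ':port' suffix as in the log line; it is dropped,
    since the server identifies a client by its address alone.
    """
    ip = ip_address(src.rsplit(":", 1)[0])
    for addr, attrs in clients.items():
        try:
            net = ip_network(addr, strict=False)
        except ValueError:
            continue  # hostname entries are not resolved in this model
        if ip in net:
            return addr, attrs
    return None


def explain_unknown_client(log_line, old_text, conf_text):
    """Map an 'Ignoring request from unknown client A.B.C.D:port' line to
    which of the two files (if either) lists that address."""
    m = re.search(r"unknown client (\S+)", log_line)
    if not m:
        return None
    src = m.group(1)
    return {
        "source": src.rsplit(":", 1)[0],
        "in_clients": find_client(parse_clients_old(old_text), src) is not None,
        "in_clients_conf": find_client(parse_clients_conf(conf_text), src) is not None,
    }


if __name__ == "__main__":
    line = "Ignoring request from unknown client 10.119.33.184:3458"
    print(explain_unknown_client(line, CLIENTS_OLD, CLIENTS_CONF))
```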








Re: [OT] what billing software do you suggest?

2003-03-05 Thread Dan Debertin
Kevin Bonner <[EMAIL PROTECTED]> wrote:

> 
> We use the BillMax billing software.  Currently, we have scripts setup
> to push a passwd file out to our radius servers, but we are working
> toward sending updates to a mysql database.

I can also heartily recommend BillMax. It isn't cheap, but it's stable
and flexible. The drawback with a lot of ISP administration packages
(especially, paradoxically, some of the free ones) is that they're
one-size-fits-all, mandating particular RADIUS server software, mail
software, etc. BillMax is more complicated to set up, but if you have
the necessary competence in-house, it will work with anything you're
using.

It comes with a source license, too, so any customizations that you
can't do with the various *_hook scripts can be done by modifying the
source. It runs from a MySQL database, so if you know MySQL, you're
already well on your way to understanding it.

We've used it to administer users with FreeRADIUS with an LDAP backend,
and also ICRADIUS with a MySQL backend. Both worked very well.

(Note -- I don't work for them; just a satisfied customer.)

Dan Debertin
--
++ Dan Debertin
++ Systems Administrator
++ BIS/Bitstream
++ [EMAIL PROTECTED]
++ (612)642-8528





Re: Upgraded to RADIUS 0.8.1 and receiving The 'op' field for attribute xxxx is NULL, or non-existent

2003-02-12 Thread Dan Bell
I have found the problem.  I had data in radgroupreply which contain
NULL for the op field.  I just added = to the op field and voila.  The
problem is now solved.  Thanks for your assistance and hopefully this
may address someone else's problem.

Best Regards,

Dan Bell
LondonLink Networks





Upgraded to RADIUS 0.8.1 and receiving The 'op' field for attribute xxxx is NULL, or non-existent

2003-02-12 Thread Dan Bell
I have just upgraded to 0.8.1 from 0.4 and everything is working fine,
however, my log files state The 'op' field for attribute  is NULL,
or non-existent etc. etc.  I deliver all settings from the users file.
This server only blocks banned users via callcheck.  I authenticate any
username and password and the settings are delivered from the users
file.  I've modified the schema to reflect the NOT NULL for op, but the
problem is still occurring.  I am not having any problems operationally
as the requests are serviced normally and users log in just fine, but I
would like to eliminate the errors.  Must I move these defaults into a
radgroupreply, update my schema or what?  Thanks for your help.

Best Regards,

Dan Bell
LondonLink Networks





can't unsubscribe

2003-01-29 Thread Dan
I went to the website, put my password in, it
said I was unsubscribed, but I am still getting emails.
I can't use the email feature because it says I'm not subscribed.
and the website says I'm not subscribed now.

but I still get emails.

help

Dan.





RE: unsubscribe

2003-01-16 Thread Dan
It also says to mailto:  etc

Dan.

On Thu, 16 Jan 2003, Brian Johnson wrote:

> Amazing...
> 
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/users.html
> 
> Obviously, Dan is not a reader. :)
> 
> - Brian J.
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Dan
> > Sent: Thursday, January 16, 2003 11:26 AM
> > To: [EMAIL PROTECTED]
> > Subject: unsubscribe
> > 
> > 
> > unsubscribe
> > 
> > 
> > 
> > - 
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/users.html
> > 
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 





unsubscribe

2003-01-16 Thread Dan
unsubscribe






cisco av-pairs rear their ugly heads

2003-01-09 Thread Dan
I see this issue isn't going away.
I ask for help, people point me at Cisco.
Cisco is useless; their search engine is the worst
thing I've ever seen in my life, and what little
documentation they do have on av-pairs is next to
worthless, or downright wrong.

to see the av-pairs in the log you must turn on an extra feature in your
cisco config. It's: radius-server vsa accounting
you may need the word "send" in there somewhere,
depending on your version of IOS, etc etc etc

and then most of the time it doesn't show properly unless you're running
full debug mode (to screen not file).

and nowhere are the commands listed.

Dan.






understanding MIBs (simultaneous use with cisco's)

2002-12-11 Thread Dan
Well I got our AS5200s simultaneous use to work finally.
Now the problem is the cisco 7500 we have for DSL.
checkrad (running full debug mode on radius) shows
"no response"

it looks like the MIBs are wrong.
so in this case I have two questions:

1. how do I find the correct MIBs? (yes, I could run SNMPwalk, but
I have no idea what I'm doing with that)

2. once I do have them, how do I put them into checkrad without wrecking
the other cisco stuff (since they are both cisco)

I may (or may not) actually have a MIB string for the 7500, I don't understand
what this stuff means, so I don't know what to do with it

while on the topic of MIBs, can anyone tell me what this means or what
it could be used for:

1.3.6.1.4.1.9.10.19.1.1.4.0:public@usernas2

I think this is the MIB for the IP pool on an AS500, which means it could 
be used
to keep track of how many users are online.

Dan.





possible bug in free radius 0.78 ?

2002-12-01 Thread Dan
I've just set it up and it seems to completely ignore the "groups" check.
Whether the user is a member of the group as primary or secondary, or the
user is only a member of that one group, freeradius ignores it.

I created a unix group called nodial, which is supposed to be for email
only accounts, but freeradius lets them log in any how.
I checked the logs, and free radius is completely ignoring the group check
line in the users file, and is instead logging them in under the default entry
at the bottom of the users file.

has 0.80 fixed this or am I missing something in using unix groups file
with the group check in the users file ?

Dan.





Re: limiting DSL users bandwidth

2002-11-14 Thread Dan
Yes, likely it's the "T" version IOS (from what I've been reading off
cisco's site).
But I'll try both.

Dan.

On Thu, 14 Nov 2002, Kevin Bonner wrote:

> We use IOS 12.2(4)T3 currently.  Use radtest on your radius box to make sure 
> all reply items are being sent as expected.  That's about all I can think of 
> to try since the items are never seen by the cisco.
> 
> Kevin
> 
> On Thursday 14 November 2002 15:19, Dan wrote:
> > I did that. total debugging on radius and looking at the logs,
> > and even debug on the cisco.
> > far as I can tell the cisco never sees this.
> > doesn't show up in the debugs or logs anywhere...
> >
> > tried += as well, and := and == just to see, none of that worked.
> > I'm wondering if it needs a special IOS version like a "T" version.
> > We use 12.2(6) right now. plain ip plus sec56, not the service provider
> > version or anything.
> >
> > any suggestions ?
> >
> > Dan
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 





Re: limiting DSL users bandwidth

2002-11-14 Thread Dan
I did that. total debugging on radius and looking at the logs,
and even debug on the cisco.
far as I can tell the cisco never sees this.
doesn't show up in the debugs or logs anywhere...

tried += as well, and := and == just to see, none of that worked.
I'm wondering if it needs a special IOS version like a "T" version.
We use 12.2(6) right now. plain ip plus sec56, not the service provider
version or anything.

any suggestions ?

Dan.

On Thu, 14 Nov 2002, Kevin Bonner wrote:

> On Wednesday 13 November 2002 14:31, Dan wrote:
> > testuserAuth-Type := System
> > Framed-Ip-Address = 
> > Cisco-AVPair = "lcp:interface-config=rate-limit output 128000 32000 
>64000
> > conform-action transmit exceed-action drop"
> 
> This is basically what we use to set limits on some customers.  Enable as much 
> radius debugging on the cisco as possible and look at the cisco logs to see 
> what it is doing with this setting.
> 
> Kevin Bonner
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 





limiting DSL users bandwidth

2002-11-13 Thread Dan
I can't seem to figure out how to do this.
the users are dynamic DSL users (get their IP from the router ip pool).
I've tried absolutely everything I can, I've read the docs, faqs, archives 
(as much as I can),
and vendor websites.

Is there any way to limit the amount of bandwidth available to a user 
through radius?

We use cisco 7507 router for our DSL connectivity, and yes, I've tried all 
the Cisco-AVPair
configs I can find, and none of them seem to work.

running radiusd in full debug I don't even see it sending this back to the user.
and the user is not limited at all.

I thought I'd try a very simple config like this:

testuser	Auth-Type := System
		Framed-Ip-Address = 
		Cisco-AVPair = "lcp:interface-config=rate-limit output 128000 32000 64000 
conform-action transmit exceed-action drop"

there's no sign of this during debug. I have also tried the very long 
config examples from Cisco's site, but those don't have any effect either.

Can anyone show me an example that does work ? or how to get this working 
another way?

I've tried this with Merit, Cistron, and freeradius (if that matters a hill 
of beans)

aaa vsa send accounting is turned on, on the router

Dan.





groups not working in user file

2002-11-13 Thread Dan
I just copied the configuration over from cistron to freeradius (making 
necessary modifications)
and we can't get group checking to work in the user file.
this is freeradius 0.71, I've even tried the default samples in the users 
file, such as:

DEFAULT	Group == "disabled", Auth-Type := Reject
		Reply-Message = "Account Disabled"

Nothing matches this, although it should... I have tried a user with a 
primary group "disabled" and
secondary group "disabled"... nothing works. Everything comes through like 
this:

modcall: group authorize returns ok

Why isn't the user matching the group check ?

Dan.





LDAP: compare_check_items and password_attribute don't mix

2002-10-21 Thread Dan Debertin
My first-born for a life without CHAP.

I have LDAP working with both PAP and CHAP, as long as
compare_check_items is turned off. This is what happens with a CHAP
authentication attempt without compare_check_items:

rlm_chap: Adding Auth-Type = CHAP
  modcall[authorize]: module "chap" returns ok
  modcall[authorize]: module "files" returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myraduser
radius_xlat:  '(uid=myraduser)'
radius_xlat:  'ou=people,dc=nodewarrior,dc=org'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: setting TLS mode to 4
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=people,dc=nodewarrior,dc=org, with filter 
(uid=myraduser)
rlm_ldap: Added password grunk in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusClearTextPassword as User-Password, value grunk & op=11
Adding check item 2, value grunk
rlm_ldap: looking for reply items in directory...
rlm_ldap: user myraduser authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
modcall: entering group authtype


..etc. The authentication succeeds, anyway. 

This is with compare_check_items turned on. Some of the debugging
output may not look familiar; I have added a few DEBUG() lines.

rlm_chap: Adding Auth-Type = CHAP
  modcall[authorize]: module "chap" returns ok
  modcall[authorize]: module "files" returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myraduser
radius_xlat:  '(uid=myraduser)'
radius_xlat:  'ou=people,dc=nodewarrior,dc=org'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: setting TLS mode to 4
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=people,dc=nodewarrior,dc=org, with filter 
(uid=myraduser)
rlm_ldap: Added password grunk in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusClearTextPassword as User-Password, value grunk & op=11
rlm_ldap: Adding check item 2, value grunk
rlm_ldap: looking for reply items in directory...
rlm_ldap: (ldap) attr 1000, value CHAP
rlm_ldap: (ldap) attr 2, value grunk
rlm_ldap: (request) attr 3, value 
rlm_ldap: (request) attr 1, value myraduser
rlm_ldap: (request) attr 1053, value uid=myraduser,ou=people,dc=nodewarrior,dc=org
paircmp: comparing check 1000
rlm_ldap: Pairs do not match. Rejecting user.


As you can see, it looks like it's complaining because there's no
Auth-Type = CHAP in the request. It works with PAP because rlm_pap
doesn't add Auth-Type, and rlm_ldap doesn't add it until after paircmp
is called. 

By my reading, the lack of attribute 2 in the request shouldn't be an
issue. Given that Auth-Type should never appear in a packet, doesn't
it make sense to ignore it as well?

Here are the relevant parts of my (embryonic, testing-only) config:

modules {
        # /etc/raddb/users is empty...
        files {
                usersfile = ${confdir}/users
                compat = no
        }
        chap {
        }
        pap {
                encryption_scheme = crypt
        }
        ldap {
                server = "localhost"
                basedn = "ou=people,dc=nodewarrior,dc=org"
                filter = "(uid=%u)"
                password_attribute = "radiusClearTextPassword"
                compare_check_items = yes
                dictionary_mapping = ${raddbdir}/ldap.attrmap
        }
}

authorize {
        chap
        files
        ldap
}

authenticate {
        authtype CHAP {
                chap
        }
        authtype LDAP {
                ldap
        }
}

Thanks,

Dan
--
/^Dan Debertin$/ 
[EMAIL PROTECTED]  | Did I sleep a little too late,
www.nodewarrior.org  | or am I awake?--Byrne
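To make the reasoning in the post concrete, here is an added model (not rlm_ldap's code) that parses the `(ldap)` and `(request)` attribute lines from the debug output above into check and request items and then compares them, first with only the password special-cased and then with Auth-Type skipped as the post proposes. The CHAP listing is the one from the post; the PAP listing is constructed to mirror the case the post says works.

```python
import re
from typing import List, Tuple

# Attribute numbers that appear in the debug output above.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
AUTH_TYPE, LDAP_USERDN = 1000, 1053   # internal attributes, never on the wire

Pair = Tuple[int, str]

# The check/request listing from the CHAP run above, copied from the post.
CHAP_DEBUG = """\
rlm_ldap: (ldap) attr 1000, value CHAP
rlm_ldap: (ldap) attr 2, value grunk
rlm_ldap: (request) attr 3, value 
rlm_ldap: (request) attr 1, value myraduser
rlm_ldap: (request) attr 1053, value uid=myraduser,ou=people,dc=nodewarrior,dc=org
"""

# Constructed equivalent for a PAP run: rlm_pap adds no Auth-Type check item
# and the password travels in the request as attribute 2.
PAP_DEBUG = """\
rlm_ldap: (ldap) attr 2, value grunk
rlm_ldap: (request) attr 2, value grunk
rlm_ldap: (request) attr 1, value myraduser
rlm_ldap: (request) attr 1053, value uid=myraduser,ou=people,dc=nodewarrior,dc=org
"""

_LINE = re.compile(r"rlm_ldap: \((ldap|request)\) attr (\d+), value ?(.*)$")


def parse_debug(text: str) -> Tuple[List[Pair], List[Pair]]:
    """Split 'rlm_ldap: (ldap|request) attr N, value V' lines into
    (check_items, request_items); '(ldap)' lines are the check items."""
    check: List[Pair] = []
    request: List[Pair] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            target = check if m.group(1) == "ldap" else request
            target.append((int(m.group(2)), m.group(3)))
    return check, request


def paircmp(check, request, ignore=frozenset()) -> Tuple[bool, str]:
    """Compare each check item against the request as the post reads it:
    a check attribute missing from the request is a mismatch unless its
    number is in `ignore`.  Returns (matched, reason)."""
    req = {}
    for attr, value in request:
        req.setdefault(attr, []).append(value)
    for attr, value in check:
        if attr in ignore:
            continue
        if attr not in req:
            return False, f"check attr {attr} missing from request"
        if value not in req[attr]:
            return False, f"check attr {attr} value mismatch"
    return True, "all check items matched"


def compare_as_observed(debug_text):
    """Only the password (attr 2) is special-cased, which is the post's
    reading of why CHAP is rejected while PAP passes."""
    return paircmp(*parse_debug(debug_text), ignore={USER_PASSWORD})


def compare_as_proposed(debug_text):
    """The post's suggestion: skip Auth-Type too, since it never appears
    in a packet, so it can never be matched against the request."""
    return paircmp(*parse_debug(debug_text), ignore={USER_PASSWORD, AUTH_TYPE})


if __name__ == "__main__":
    print("CHAP, observed:", compare_as_observed(CHAP_DEBUG))
    print("PAP,  observed:", compare_as_observed(PAP_DEBUG))
    print("CHAP, proposed:", compare_as_proposed(CHAP_DEBUG))
```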







Re: problem with certain usernames under 0.7.1

2002-10-02 Thread Dan Monjar

Perfect!  It is working now.  Thanks.
Anyone on the list running Freeradius under Tru64?


On Tue, Oct 01, 2002 at 06:10:05PM -0700, Frank Cusack wrote:
> On Tue, Oct 01, 2002 at 08:48:39PM -0400, Dan Monjar wrote:
> > the users.  The odd thing is the users that fail all have a username that
> > begins with S, C, or P.  No other users fail and all of the users with [SCP]
> > as the first char fail.  Running the server with '-xxyz -l stdout'  and
> > trying 10 "bad" users gives the logfile attached.  It looks like, for
> > whatever reason, the server is dropping S, C, or P before trying to do a
> > match.  In other words, SMITHP1 becomes MITHP1 before the lookup is done.
> > 
> > Any suggestions?
> 
> The server is doing what you told it to.
> 
> /etc/raddb/hints
> 
> /fc
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Dan




problem with certain usernames under 0.7.1

2002-10-01 Thread Dan Monjar

I've compiled and installed 0.7.1 under Compaq Tru64 5.1 and under Redhat Linux
7.3.  I have 902 users configured in the users file.  The server runs and
authenticates (checked with radtest from another system) for all but 62 of 
the users.  The odd thing is the users that fail all have a username that
begins with S, C, or P.  No other users fail and all of the users with [SCP]
as the first char fail.  Running the server with '-xxyz -l stdout'  and
trying 10 "bad" users gives the logfile attached.  It looks like, for
whatever reason, the server is dropping S, C, or P before trying to do a
match.  In other words, SMITHP1 becomes MITHP1 before the lookup is done.

Any suggestions?
-- 
Dan


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded System 
 unix: cache = yes
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
HASH:  Reinitializing hash structures and lists for caching...
  HASH:  user root found in hashtable bucket 11726
  HASH:  user bin found in hashtable bucket 86651
  HASH:  user daemon found in hashtable bucket 11668
  HASH:  user adm found in hashtable bucket 26466
  HASH:  user lp found in hashtable bucket 54068
  HASH:  user sync found in hashtable bucket 42895
  HASH:  user shutdown found in hashtable bucket 71746
  HASH:  user halt found in hashtable bucket 7481
  HASH:  user mail found in hashtable bucket 79471
  HASH:  user news found in hashtable bucket 5375
  HASH:  user uucp found in hashtable bucket 38541
  HASH:  user operator found in hashtable bucket 21748
  HASH:  user games found in hashtable bucket 47657
  HASH:  user gopher found in hashtable bucket 47357
  HASH:  user ftp found in hashtable bucket 56226
  HASH:  user nobody found in hashtable bucket 99723
  HASH:  user vcsa found in hashtable bucket 25959
  HASH:  user mailnull found in hashtable bucket 78086
  HASH:  user rpm found in hashtable bucket 72383
  HASH:  user wnn found in hashtable bucket 59815
  HASH:  user ntp found in hashtable bucket 21418
  HASH:  user rpc found in hashtable bucket 72373
  HASH:  user xfs found in hashtable bucket 17213
  HASH:  user gdm found in hashtable bucket 50360
  HASH:  user rpcuser found in hashtable bucket 552
  HASH:  user nfsnobody found in hashtable bucket 51830
  HASH:  user nscd found in hashtable bucket 36306
  HASH:  user ident found in hashtable bucket 40304
  HASH:  user radvd found in hashtable bucket 66743
  HASH:  user pcap found in hashtable bucket 55326
  HASH:  user postfix found in hashtable bucket 23093
HASH:  Stored 31 entries from /etc/passwd
HASH:  Stored 41 entries from /etc/group
Module: Instantiated unix (unix) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/usr/

radrelay good start, what about the primary server?

2002-06-24 Thread Dan Roberts - GWIS

I am so happy to see that radrelay has been ported over to FreeRADIUS.
This is a great help for managing multiple radius servers with a single
SQL-enabled accounting server.  There is still a weakness though, unless
someone can point out the solution that I'm overlooking.

My primary RADIUS server is attached to the database.  When my SQL server
becomes unavailable, FreeRADIUS shuts itself down and the backup radius
server is left to fend for itself.  In an old patched up version of
Cistron I used to use, if the SQL server would disappear, radiusd would
log the accounting requests and apply them when it came back up.

This is sort of what radrelay does, except as far as I can see, it doesn't
prevent the primary radius server from dying when MySQL goes away.

Before I go off and reinvent the wheel, can anyone tell me if the
functionality we used to use with Cistron either exists within FreeRADIUS,
or is possible with radrelay?

Thank you.

--
Dan Roberts, Systems Engineer        Voice  800.656.GWIS
GWIS Internet Solutions              Fax    330.656.5440


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Radius Client Implementation

2002-06-06 Thread Dan Perik


If you're looking for something to act as a PC-based NAS, check out
portslave at sourceforge.

- Dan

On Fri, 2002-05-31 at 17:11, Tay Shwu Ying wrote:
> Hi all,
> 
> I am a new user in FreeRadius and I would like to enquire if there is any 
> sample FreeRadius client implementation that I can adopt?
> I know that radtest is just a script file.
> 
> Wish to get some sample code for Radius Client if possible.
> 
> Thank you & wish to get some positive response soon. :P
> 
> ShwuYing
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
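The question above asks for sample RADIUS client code. As an added illustration (not code from FreeRADIUS, portslave or anyone on this thread), the following Python builds an Access-Request the way RFC 2865 describes it, including the User-Password hiding, parses the reply with length checks, and verifies the Response Authenticator, which is the step a hand-rolled client most often skips. The shared secret, user name, password and authenticator values are constructed for the demonstration; a real client uses a random authenticator per request.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad with NULs to a multiple of 16 (at least 16), then
    XOR each block with MD5(secret + previous block), seeded by the Request
    Authenticator. This is obfuscation, not encryption: anyone holding the
    shared secret and the packet recovers the password."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, digest))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, authenticator=b"",
                         nas_ip="127.0.0.1", nas_port=0):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD,
                         hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """What the server sends back; the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(response, request_auth, secret):
    """A client that skips this check accepts a forged Access-Accept from
    anyone able to spoof a UDP datagram from the server's address."""
    if len(response) < 20:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return expected == response[4:20]


def parse_packet(data):
    """Header fields plus a list of (type, value) attributes; every length is
    validated before use because the sender is untrusted."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return {"code": code, "id": ident, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


def send_request(host, secret, username, password, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and classify the reply, as radclient does."""
    authenticator = os.urandom(16)
    req = build_access_request(39, secret, username, password, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        data, _ = sock.recvfrom(4096)
    if not response_is_authentic(data, authenticator, secret):
        return "unauthentic reply discarded"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(parse_packet(data)["code"], "other")


if __name__ == "__main__":
    SECRET, AUTH = b"testing123", bytes(range(16))  # constructed demo values
    print(parse_packet(build_access_request(39, SECRET, "dan_perik", "hunter2", AUTH)))
```

Run it against a test server with `send_request("radius.example", b"secret", "user", "pw")` (hostname and secret are placeholders). The point to take from `response_is_authentic` is that the shared secret is the only thing binding a reply to the server: a NAS that does not verify it will accept any Access-Accept with the right identifier.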



Two RADIUS servers on the same box

2002-05-03 Thread Dan Bell

Is it possible to run two RADIUS servers on the same box (i.e. one RADIUS
server serving port 1645 and another daemon serving port 1812)?

Thanks,

Dan



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Compile errors Version 0.5 on Redhat 7.1

2002-04-07 Thread Dan Perik


Under RedHat 7.0 I had to "./configure --without-rlm_x99_token" to get
it to compile.  Under RedHat 7.2 it compiled fine without need to
configure out the "rlm_x99_token" module.  From the looks of it,
rlm_x99_token is pretty obscure.  I know I didn't need it.

Hope that helps.

- Dan

On Sat, 2002-04-06 at 04:46, [EMAIL PROTECTED] wrote:
> 
> I've upgraded to newest redhat 7.1 gcc and the newest 7.1 cpp
> still getting errors when compiling.
> here is the error
> 
> gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG
>  -I../../include -I/usr/include -c x99_pwe.c -o x99_pwe.o
> x99_pwe.c:36:25: openssl/md4.h: No such file or directory
> gmake[6]: *** [x99_pwe.o] Error 1
> gmake[6]: Leaving directory `/root/code/freeradius-0.5/src/modules/rlm_x99_token
> '
> gmake[5]: *** [common] Error 1
> gmake[5]: Leaving directory `/root/code/freeradius-0.5/src/modules'
> gmake[4]: *** [all] Error 2
> gmake[4]: Leaving directory `/root/code/freeradius-0.5/src/modules'
> gmake[3]: *** [common] Error 1
> gmake[3]: Leaving directory `/root/code/freeradius-0.5/src'
> gmake[2]: *** [all] Error 2
> gmake[2]: Leaving directory `/root/code/freeradius-0.5/src'
> gmake[1]: *** [common] Error 1
> gmake[1]: Leaving directory `/root/code/freeradius-0.5'
> make: *** [all] Error 2
> 
> i thought that the x99 support wasn't a big deal but when i do a make install it
> doesn't copy the program to the correct location.
> 
> 
> any thoughts?
> 
> Ryan
> 
> Ryan Cayton
> Technical Analyst
> Horine and Associates, LLC.
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



radiusd pidfile

2002-03-24 Thread Dan Perik


I noticed some discussion on this about 3 weeks back.  I've just
upgraded to FreeRadius 0.5 on a RH 7.0 server.  It's working great.  I
noticed that it puts this in the log when I start it:

Mon Mar 25 12:07:49 2002 : Error: Failed writing process id to file
/var/run/radiusd.pid: Permission denied 

In the radiusd.conf file, I have the user/group for radius to run at as
freerad/freerad.  If I "touch /var/run/radiusd.pid" and "chown
freerad.freerad /var/run/radiusd.pid", FreeRadius will write the pid to
the file.  But when I stop (or restart) FreeRadius, the pidfile is
deleted and then can't be recreated.  So it seems FreeRadius is dropping
root before it tries to write the pid file.  

Does this matter?  It seems to throw off the RedHat init script a bit,
but other than that it seems to not be a problem.  I wonder about log
rotation later on, or anything other such thing that might bite me
later.  Any comments?

Thanks,
- Dan

-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Could not link driver rlm_sql_mysql: file not found

2002-03-20 Thread Dan Bell

First off, please accept my apologies I have searched and searched the
mailing list and can not find the answer to my problem, but I see an awful
lot of questions on this point.  I have set up FreeRadius 0.5 by the
following command:

./configure --localstatedir=/var --sysconfdir=/etc --with-mysql-include-dir=
/usr/local/psa/mysql/include/mysql --with-mysql-lib-dir=/usr/local/psa/mysql
/lib/mysql --with-mysql-dir=/usr/local/psa/mysql

less /etc/ld.so.conf
/usr/kerberos/lib
/usr/local/psa/mysql/lib/mysql
/usr/local/lib
/usr/lib

and I have ldconfig with these additions.  If I recompile the rlm_sql_mysql
in its directory I get the following.

make
*** Warning: This library needs some functionality provided
by -lmysqlclient.
*** I have the capability to make that library automatically link in when
*** you link to this library.  But I can only do this if you have a
*** shared version of the library, which you do not appear to have.

*** Warning: libtool could not satisfy all declared inter-library
*** dependencies of module rlm_sql_mysql.  Therefore, libtool will create
*** a static module, that should work as long as the dlopening
*** application is linked with the -dlopen flag.

I get this same message on the full config.  What am I doing wrong?  Thank
you.

Dan



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



SQL can't authenticate after 0.4 -> 0.5 upgrade

2002-03-19 Thread Dan Perik


Hello,

I've been testing out the 0.5 release.  But now it seems to not let me
auth to sql.  I've looked over the messages to the list over the last
bit, and noticed others with the same problem.  The "answers" didn't
seem clear to me, so perhaps I can beg some more help.

Under 0.4 I had
(in radiusd.conf):
authenticate {
   authtype LDAPORSQL {
   group {
   sql {   
   fail = 1
   notfound = 2
   noop = return
   ok   = return
   updated  = return
   reject   = 3
   userlock = return
   invalid  = return
   handled  = return
   notfound = return
   }
   ldap {   
   fail = 1
   notfound = 2
   noop = return
   ok   = return
   updated  = return
   reject   = 3
   userlock = return
   invalid  = return
   handled  = return
   notfound = return
   }
   }
   }
}

(in users):
DEFAULT Auth-Type := LDAPORSQL
        Fall-Through = 1

This would allow me to auth to either LDAP or SQL.  But in 0.5, ""SQL"
modules aren't allowed in 'authenticate' sections -- they have no such
method."  

How do I do what I want to do now?  What should I put in my
"authenticate" section of radiusd.conf (if sql can't be there any
more)?  What should I put in my "users" file?

Thanks,
Dan

-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: rlm_ldap patch

2002-03-19 Thread Dan Perik


I just got the snapshot and see your fix.  Thank you.  I thought of
using a "goto", but having drilled into me that if you can use something
else, do it, I choose to restructure.  Perhaps this is one of those
exceptions where a "goto" is the cleanest way.  

Thanks for your work.

- Dan Perik

On Mon, 2002-03-18 at 20:38, Kostas Kalevras wrote:
> On 18 Mar 2002, Dan Perik wrote:
> 
> >
> > As promised, here's the patch I threw together for the rlm_ldap module
> > to solve the problem of failed auth when the LDAP server disconnects the
> > idle connection.
> >
> > Basically, I took the ldap_connect code out of the perform_search
> > function into its own "search_connect" function.  Then, if
> > ldap_search_st returns LDAP_SERVER_DOWN, it sets inst->bound to 0, does
> > search_connect to try to reconnect to the server, and tries the
> > ldap_search_st one more time.
> >
> > Again, my understanding of all this stuff is very limited.  For all I
> > know I created a vast memory leak that will rot your hard drive and
> > cause your business to go bankrupt.
> >
> > - Dan
> >
> >
> > --
> > - Dan Perik
> > Computer Services Department
> > Lapilo Center
> > New Tribes Mission - PNG
> >
> 
> Bug fixed in cvs. The fix was a little different than your patch but
> anyway thanks for the bug note.
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED]National Technical University of Athens, Greece
> Work Phone:   +30 10 7721861
> 'Go back to the shadow'   Gandalf
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



rlm_ldap patch

2002-03-17 Thread Dan Perik


As promised, here's the patch I threw together for the rlm_ldap module
to solve the problem of failed auth when the LDAP server disconnects the
idle connection. 

Basically, I took the ldap_connect code out of the perform_search
function into its own "search_connect" function.  Then, if
ldap_search_st returns LDAP_SERVER_DOWN, it sets inst->bound to 0, does
search_connect to try to reconnect to the server, and tries the
ldap_search_st one more time.  

Again, my understanding of all this stuff is very limited.  For all I
know I created a vast memory leak that will rot your hard drive and
cause your business to go bankrupt.

- Dan


-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



157a158,160
> /* By Dan Perik */
> static int search_connect( void *instance, int res );
> 
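Review bot: the `/* By Dan Perik */` attribution comment above the prototype belongs in the ChangeLog rather than in the source; the prototype itself is fine, but `int res` should be `int *res` (see the definition of `search_connect` further down, where `&res` is passed to `ldap_connect`).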
313a317
>   int search_result = 0;
317,323c321
<   DEBUG2("rlm_ldap: attempting LDAP reconnection");
<   if (inst->ld){
<   DEBUG2("rlm_ldap: closing existing LDAP connection");
<   ldap_unbind_s(inst->ld);
<   }
<   if ((inst->ld = ldap_connect(instance, inst->login, inst->password, 0, 
&res)) == NULL) {
<   radlog(L_ERR, "rlm_ldap: (re)connection attempt failed");
---
>   if( !search_connect( inst, res ) ) {
326d323
<   inst->bound = 1;
329c326,341
<   switch (ldap_search_st(inst->ld, search_basedn, scope, filter, attrs, 0, 
&(inst->timeout), result)) {
---
>   /* Do LDAP search */
>   search_result = ldap_search_st(inst->ld, search_basedn, scope, filter, attrs, 
>0, &(inst->timeout), result);
>   /* If server is down, it may have disconnected */
>   if ( search_result == LDAP_SERVER_DOWN ) {
>   DEBUG("rlm_ldap: ldap server connection down, attempting 
>reconnection");
>   /* So unbind it, and try to reconnect */
>   inst->bound = 0;
>   if( !search_connect( inst, res ) ) {
>   return (RLM_MODULE_FAIL);
>   }
> 
>   /* Now do our search again, if it fails again, then don't try anymore 
>*/
>   search_result = ldap_search_st(inst->ld, search_basedn, scope, filter, 
>attrs, 0, &(inst->timeout), result);
>   }
>   
>   switch ( search_result ) {
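Review bot: the reconnect path duplicates the whole `ldap_search_st(...)` call and only triggers on `LDAP_SERVER_DOWN`; a short loop with a retry counter (`for (tries = 0; tries < 2; tries++)`) would express the same thing without the copy and would let the second failure be logged distinctly, which the `switch ( search_result )` that follows cannot do since it sees only the final code. Also, the new `DEBUG("rlm_ldap: ldap server connection down, ...")` uses `DEBUG` where the connection messages this hunk removed used `DEBUG2`; keep them at the same level.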
335c347
<   radlog(L_ERR, "rlm_ldap: ldap_search() failed: %s", 
ldap_err2string(ldap_errno));
---
>   radlog(L_ERR, "rlm_ldap: ldap_search() failed: %i, %s", ldap_errno, 
>ldap_err2string(ldap_errno));
346a359,377
> }
> 
> /* 
>  * search_connect(). Connect to the LDAP server for searches
>  * returns true if successful, false if not.
>  */
> static int search_connect( void *instance, int res ) {
>   ldap_instance  *inst = instance;
>   DEBUG2("rlm_ldap: attempting LDAP reconnection");
>   if (inst->ld){
>   DEBUG2("rlm_ldap: closing existing LDAP connection");
>   ldap_unbind_s(inst->ld);
>   }
>   if ((inst->ld = ldap_connect(instance, inst->login, inst->password, 0, &res)) 
>== NULL) {
>   radlog(L_ERR, "rlm_ldap: (re)connection attempt failed");
>   return 0; /* false = error */
>   }
>   inst->bound = 1;
>   return -1; /* true = error */
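Review bot: the comment on `return -1; /* true = error */` contradicts the function header (`returns true if successful, false if not.`) and the `return 0; /* false = error */` above it; make it `/* true = success */` and return `1`, the conventional value. More importantly, `search_connect( void *instance, int res )` takes `res` by value and passes `&res` to `ldap_connect`, so whatever status `ldap_connect` writes into it is lost once the function returns; take an `int *` or drop the parameter. Finally, the added block ends at `return -1;` with no closing brace and relies on the original closing brace of `perform_search` (which the first added line `}` now closes early) to terminate the new function; add `search_connect` as a complete unit so the diff reads as one self-contained function.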



LDAP connection timeout problems

2002-03-17 Thread Dan Perik


Hello,

I'm using FreeRadius 0.1, which I "scabbed" (I wouldn't use the word
"patched") to get around the FreeRadius server crashing when the LDAP
server closed the connection.  I remember throwing that out to the list,
and it was considered a bug and all.  It was reported to be fixed, etc. 
Well, I'm testing out v. 0.4.  I know it's high time to upgrade.  But
I'm running into almost the same problem.  The problem happens after
FreeRadius has connected to the server.  It seems FreeRadius keeps the
connection alive.  But after 5 minutes, the LDAP server disconnects the
idle connection.  The next time FreeRadius tries to authenticate against
the LDAP server, it sees the connection is closed, and fails.  It
doesn't try to reopen the connection.  Now, the next time it tries to
auth against LDAP after this, it will reconnect properly.  Here's a log
from the LDAP server side of the connection showing the first auth and
the disconnect after 5 minutes.

14:37:57.81 4 LDAP-20971([192.168.0.170]) searching(sub) 'cn=ntm.org.pg'
14:37:57.81 4 LDAP-20971([192.168.0.170]) searching where
(|(uid=_)(uid=dan_perik))
14:37:57.81 4 LDAP-20971([192.168.0.170]) searching for (uid objectclass
)
14:37:57.83 4 LDAP-20971([192.168.0.170]) 'uid=dan_perik,cn=ntm.org.pg'
retrieved
14:37:57.83 2 LDAP-20971([192.168.0.170]) search finished
14:37:57.83 4 LDAP-20973([192.168.0.170]) got connection on
[192.168.0.150], port 10389
14:37:57.84 4 LDAP-20973([192.168.0.170]) Logged in as
uid=dan_perik,cn=ntm.org.pg. authType=0
14:37:57.84 4 LDAP-20973([192.168.0.170]) disconnecting
14:37:57.84 4 LDAP-20973([192.168.0.170]) closing connection
14:37:57.84 4 LDAP-20973([192.168.0.170]) releasing stream

notice 5 minutes pass.

14:42:57.84 3 LDAP-20971([192.168.0.170]) read failed. Error Code=read
time-out
14:42:57.84 4 LDAP-20971([192.168.0.170]) closing connection
14:42:57.84 4 LDAP-20971([192.168.0.170]) releasing stream


After this, I use radclient to send an auth request, and this is what I
get.  There's nothing on the LDAP server side to show that FreeRadius
tried to open a new connection.

rad_recv: Access-Request packet from host 127.0.0.1:33478, id=39,
length=49
User-Name = "dan_perik"
Password = ""
rlm_sql: Reserving sql socket id: 2
rlm_sql: Released sql socket id: 2
rlm_sql_authenticate: no rows returned from query (no such user)
rlm_ldap: - authenticate
rlm_ldap: login attempt by "dan_perik" with password ""
rlm_ldap: ldap_search() failed: Can't contact LDAP server
Login incorrect: [dan_perik/] (from nas local port 0)
Sending Access-Reject of id 39 to 127.0.0.1:33478

Again, immediately after this, I can do another auth, and rlm_ldap makes
the connection to the LDAP server and it works fine.  So the problem
only shows up for the first auth AFTER the LDAP server dropped the
connection.

So basically (correct me if I'm wrong) this looks like a bug in the
FreeRadius rlm_ldap module.  What are the chances of getting it fixed? 
I'm working on a patch, but my C is extremely rusty.  It's not something
I use every day as a systems/network admin.

For the time being I can use configurable_failover so that if the first
try to the ldap module doesn't work, then I'd try again to the same
module, in which case it will reconnect properly.

- Dan


-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Are 2 different auth types allowed

2002-03-17 Thread Dan Perik

On Tue, 2002-03-12 at 09:36, Dan Perik wrote:
> On Tue, 2002-03-12 at 01:29, Alan DeKok wrote:
> > Dan Perik <[EMAIL PROTECTED]> wrote:
> > > Now, I'd like to extend that and allow FreeRadius to also try SQL
> > > auth.  So it would try LDAP first, and if the user isn't found (or
> > > even on a bad password), I would like FreeRadius to then try to auth
> > > against sql.  Is this possible, and if so how?
> > 
> >   See 'doc/configurable_failover'
> > 
> >   Alan DeKok.
> 
> Excellent.  Works beautifully.  Thank you.
> 
> - Dan

Before I start, I'm using FreeRadius 0.4 on RH 7.2, kernel 2.4.9.

Actually, it didn't work beautifully (using a "redundant" block).  The
LDAP worked, but the SQL didn't.  Since I was pointed in the right
direction, I figured I'd hack on it to figure out why not.  Well, I just
(finally) got it working.  I thought if anyone else would like to do
something similar, they could benefit from my findings.  

First, I had trouble getting sql authentication working.  Come to find
out, I turned sqltrace = yes in sql.conf.  But since I didn't initially
create and change ownership of the default sqltracefile, the sql module
would silently fail when doing authentication.  

Then, according to the configurable_failover docs, I could use
"redundant" to group sql and ldap together.  But "redundant" is for two
data stores that have the same user data in it (or so I understand).  I
want to have two user data stores, one LDAP (CommuniGate Pro mail
server), and the other SQL (MySQL specifically).  The problem is that
the first "module" would fail.  According to configurable_failover, a
failure returned from the whole "redundant" group, so I needed to
specifically specify the actions required from each return.  I include
that section from the authentication "group" here.  Notice that "reject"
is not return, but rather "3".  This was the key change to get this to
work:

authtype LDAPORSQL {
    group {
        sql {
            fail     = 1
            notfound = 2
            noop     = return
            ok       = return
            updated  = return
            reject   = 3
            userlock = return
            invalid  = return
            handled  = return
            notfound = return
        }
        ldap {
            fail     = 1
            notfound = 2
            noop     = return
            ok       = return
            updated  = return
            reject   = 3
            userlock = return
            invalid  = return
            handled  = return
            notfound = return
        }
    }
}

Now, I can authenticate to a user found in LDAP *or* SQL.  And it seems
to work very well.  

Thank you to the FreeRadius developers.  A very good product.  

- Dan



-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
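The post above hinges on why `reject = 3` (a priority) behaves differently from `reject = return` inside a `group`. As an added simulation, not FreeRADIUS code, the Python below models the action table the way doc/configurable_failover describes it: `return` ends the group at once with the module's code, while a number is a priority that lets the module's code become the group result and processing continue. The module results in the scenarios are constructed, and the default result for an `authenticate` section is assumed to be `reject`.

```python
RETURN = "return"

# Action table from the post (fail/notfound/reject carry priorities, the rest
# return at once). The post lists notfound twice; the numeric entry is kept.
POST_ACTIONS = {"fail": 1, "notfound": 2, "noop": RETURN, "ok": RETURN,
                "updated": RETURN, "reject": 3, "userlock": RETURN,
                "invalid": RETURN, "handled": RETURN}
# Same table with reject = return, the setting the post says did not work.
REJECT_RETURN_ACTIONS = dict(POST_ACTIONS, reject=RETURN)


def run_group(modules, actions, default="reject"):
    """Evaluate a FreeRADIUS-style 'group' of modules.

    modules: list of (name, rcode) in section order; rcode is the code the
             module would return for this request (constructed here).
    actions: {rcode: "return" | priority}, applied to every module.
    default: section result if no module's action ever takes effect
             (assumed here to be 'reject' for 'authenticate').
    Returns (group_result, list_of_modules_actually_called)."""
    result, priority, called = default, 0, []
    for name, rcode in modules:
        called.append(name)
        action = actions[rcode]
        if action == RETURN:
            return rcode, called          # the group stops right here
        if action >= priority:            # numeric: keep the higher-priority code
            result, priority = rcode, action
    return result, called


def ldap_user_scenarios(actions):
    """Three constructed requests against a 'sql then ldap' group:
    a user known only to LDAP, a user known only to SQL, and a wrong
    password rejected by both stores."""
    only_in_ldap = [("sql", "reject"), ("ldap", "ok")]
    only_in_sql = [("sql", "ok"), ("ldap", "notfound")]
    bad_password = [("sql", "reject"), ("ldap", "reject")]
    return {"only_in_ldap": run_group(only_in_ldap, actions),
            "only_in_sql": run_group(only_in_sql, actions),
            "bad_password": run_group(bad_password, actions)}


if __name__ == "__main__":
    for label, table in (("reject = 3", POST_ACTIONS),
                         ("reject = return", REJECT_RETURN_ACTIONS)):
        print(label, ldap_user_scenarios(table))
```

With `reject = return`, the SQL reject for a user who only exists in LDAP ends the group before `ldap` ever runs, which is the Access-Reject the original question reported; with `reject = 3` the reject is only provisional and the later `ok` from `ldap` returns. The cost of the priority scheme is visible in the bad-password case: both stores are consulted on every failed login, so an attacker's guesses hit LDAP as well as SQL, which is worth remembering when sizing rate limits and reading the logs.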



Re: Are 2 different auth types allowed

2002-03-11 Thread Dan Perik

On Tue, 2002-03-12 at 01:29, Alan DeKok wrote:
> Dan Perik <[EMAIL PROTECTED]> wrote:
> > Now, I'd like to extend that and allow FreeRadius to also try SQL
> > auth.  So it would try LDAP first, and if the user isn't found (or
> > even on a bad password), I would like FreeRadius to then try to auth
> > against sql.  Is this possible, and if so how?
> 
>   See 'doc/configurable_failover'
> 
>   Alan DeKok.

Excellent.  Works beautifully.  Thank you.

- Dan

-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Are 2 different auth types allowed

2002-03-10 Thread Dan Perik


Hello,

I'm trying to set FreeRadius up to try 2 different types of
authentication.  I have used the LDAP functionality for well over 1/2
year now.  And by the way it's great.  It just works!  Now, I'd like to
extend that and allow FreeRadius to also try SQL auth.  So it would try
LDAP first, and if the user isn't found (or even on a bad password), I
would like FreeRadius to then try to auth against sql.  Is this
possible, and if so how?  I've tried the following, but it would fail
with Access-Reject on a user who is in LDAP, but not in sql

DEFAULT Auth-Type := LDAP
        Fall-Through = 1

DEFAULT Auth-Type += sql
        Fall-Through = 1

Thanks,
Dan


-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Passing access-list number from Radius server to Cisco PIX firewall - FreeRadius v0.4

2002-02-21 Thread dan kelley


basically, you just need to follow the cisco docs for your software
version (you need 6.0 or higher).

the only piece of info that's not outlined in the docs is how to pass the
access-list back to the pix for each user.

for me, all i needed was

Reply-Message = "acl=xxx"

for each user where xxx is the number of your access list.

good luck-

dan

> I'm trying to set a configuration with a PIX firewall as an authentication
> gateway, relying on a freeradius server, which picks up users in a LDAP
> directory.
> I'd like to be able to:
> - pass access-list numbers according to radius groups (based on LDAP groups)
> to the PIX,
> - assign a dynamic IP address (to be passed to the PIX ??) chosen from an
> address pool, defined against groups (Radius or LDAP groups),
> - and finally, be able to pass to the final client through the PIX
> information such as WINS and DNS servers ...
>
> Big task, ain't it ? :)
>
> So, as this has to be completed as soon as possible, any help, suggestions,
> comments, or, best of all, config samples really appreciated.
>
> Thx to all of you,
> Pierre.
>
>
> .
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



okeeffe.bestweb.net re-sending all freeradius posts back to list

2002-02-12 Thread dan kelley


Hi-

okeeffe.bestweb.net is re-sending every message that's been sent to this
list in the last week or so.  Is there any way that this address can be
blocked until they fix the problem?

Thanks-

Dan


-- Forwarded message --
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 21194 invoked by uid 1006); 12 Feb 2002 13:18:09 -
Received: from [EMAIL PROTECTED] by mx1.gc.ny.otec.com
 by uid 1003 with qmail-scanner-1.10 (avpdaemon. Clear:0. Processed
in 0.179725 secs); 12 Feb 2002 13:18:09 -
Received: from unknown (HELO smtp2.cistron.nl) (195.64.68.41)
  by mx1.hq.ny.otec.com with SMTP; 12 Feb 2002 13:18:09 -
Received: from localhost ([127.0.0.1] helo=lwaxana.cistron.net)
by smtp2.cistron.nl with esmtp (Exim 3.12 #1 (Debian))
id 16aboD-0003AG-00; Tue, 12 Feb 2002 13:13:17 +0100
Received: from newman2.bestweb.net ([209.94.102.67])
by smtp2.cistron.nl with esmtp (Exim 3.12 #1 (Debian))
id 16aSKi-0002ep-00
for <[EMAIL PROTECTED]>; Tue, 12 Feb 2002 03:06:12 +0100
Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110])
by newman2.bestweb.net (Postfix) with ESMTP id 02AD22328A
for <[EMAIL PROTECTED]>; Mon, 11 Feb 2002 21:06:26 -0500 (EST)
Received: by okeeffe.bestweb.net (Postfix, from userid 0)
id AB0599EF01; Mon, 11 Feb 2002 21:04:53 -0500 (EST)
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Freeradius and RSA SecurID
Date: Mon, 11 Feb 2002 16:31:51 -0500
Message-Id: <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-BeenThere: [EMAIL PROTECTED]
X-Mailman-Version: 2.0beta5
Precedence: bulk
Reply-To: [EMAIL PROTECTED]
List-Id: FreeRadius users mailing list 

Cleo <[EMAIL PROTECTED]> wrote:
> You guys are very responsive. This is one of the most
> instructive mailing list.

  That's nice to hear.

  Many of my posts are responsive because I'm waiting for a 5-minute
job to finish in another window, and I can fire off a quick reply.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Radius Died, restarting...

2001-10-02 Thread Dan Houtz

When I do a ps ax it shows up as:

sh /usr/sbin/radwatch /usr/sbin/radiusd -y

Dan Houtz

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Juan
Carlos Castro y Castro
Sent: Tuesday, October 02, 2001 1:59 PM
To: [EMAIL PROTECTED]
Subject: Re: Radius Died, restarting...

Dan Houtz wrote:

>I'm getting a "Radius died, restarting..."  email about every ten
>seconds in root's mail. I assume this is being generated by radwatch.
If
>I call radiusd directly without using radwatch, it runs perfectly and
>never seems to crash, so why is radwatch saying it is crashing? Any
>ideas?
>
What are the command lines you are using? Maybe there's some stray 
character in the radwatch command line. Can we take a look?

-- 
Juan Carlos Castro y Castro | "Standing up to an evil system is
[EMAIL PROTECTED]  | exhilarating." -Richard Stallman
Rio de Janeiro - Brazil | http://www.vialink.com.br/~jcastro
DC4DC #25   | chmod a+x /bin/laden




- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Radius Died, restarting...

2001-10-02 Thread Dan Houtz

I'm getting a "Radius died, restarting..."  email about every ten
seconds in root's mail. I assume this is being generated by radwatch. If
I call radiusd directly without using radwatch, it runs perfectly and
never seems to crash, so why is radwatch saying it is crashing? Any
ideas?

Dan Houtz


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Group authentication

2001-09-30 Thread Dan Houtz

Greetings,

Is it possible to configure FreeRadius to only authenticate system
accounts that belong to a specific group? I'd like it to only authenticate accounts
that belong to group "pppusers" while rejecting accounts belonging to
other groups such as "emailusers". Thanks

Dan Houtz


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Authentication

2001-09-29 Thread Dan Houtz





I'm currently testing FreeRadius for a new ISP that I'm currently setting up.
This is my first time running one with linux. I've always used NT so this is
all new for me. Anyway, I'm authenticating against the linux system accounts.
The problem I ran into is that I don't want these customers to be able to
telnet into the system. To stop this I set their shell to /bin/false. This
stops them from telneting in but it also causes FreeRadius to respond with a
reject. Am I going about this in the wrong way? Your assistance is appreciated.

Thanks,
Dan Houtz
 


Re: Call for 0.3 release.

2001-09-23 Thread Dan Perik Work

On Sun, 23 Sep 2001 10:09:11 -0400 [EMAIL PROTECTED] wrote:

> "Dan Perik Work" <[EMAIL PROTECTED]> wrote:
> > Unless the memory leak in the LDAP module is already fixed
> > (I haven't seen posts saying that it was), that would seem a
> > high priority for me.
> 
>   I would agree, however...  I'm unable to reproduce it locally (no
> time/ability to set up an ldap server), and there has been no more
> information on the list about the problem.
> 
>   i.e. does it leak memory for when doing accounting only?  Does it
> leak memory when doing authentication only?  Does it leak when doing
> authorization only?
> 
>   Any help at narrowing down the scope of the problem would help.  I'm
> at a loss for what to do.
> 
>   Alan DeKok.
> 
> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



I'll have to look into that.  I only use it for
authentication.  I'm using a self-hacked copy of 0.1.  I'll
try to do some testing with 0.2 doing LDAP auth to see if it
leaks there.  That's about all I can test here.

Thanks,
Dan Perik

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: pppd + freeradius ?

2001-09-22 Thread Dan Perik


Check out portslave.

- Dan

Jorge Minassian wrote:

> Hi all !,
> Does someone know how to patch pppd-2.4.0, in order to get it running against
> radius?
> Is it possible?
> I need to authenticate VPN users, using radius, instead of pap/cap-secrets.
>
> Thank you for any help you can provide me!,
> Cheers,
> Jorge.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Call for 0.3 release.

2001-09-22 Thread Dan Perik Work


Unless the memory leak in the LDAP module is already fixed
(I haven't seen posts saying that it was), that would seem a
high priority for me.

- Dan Perik

On Fri, 21 Sep 2001 13:55:23 -0400
 <[EMAIL PROTECTED]> wrote:

>   The list of changes from 0.2 is long.  There are a number of bug
> fixes, feature enhancements, and other corrections.  It's been two
> months since 0.2 was released.  I think it's time for 0.3
>
>   Are there any critical fixes which MUST go in before 0.3 is
> released?  If not, I think I'll tag it, and release it on Monday.
>
>
>   ChangeLog follows:
>
>
> FreeRADIUS 0.3.0 ; urgency=low
>
>   * Increased limit on length of user name read from /etc/passwd,
> to match the maximum allowed by RADIUS.
> Bug noted by "Gonzalez B., Fernando" <[EMAIL PROTECTED]>
>   * Configurable fail-over when proxying packets.  If the
> home server doesn't respond to a repeated proxied request,
> it's marked as 'dead', and the next one in the list is used.
> Patch by Eddie Stassen <[EMAIL PROTECTED]> and <[EMAIL PROTECTED]>
>   * Pass Access-Challenge attributes through the server, in
> preparation for EAP.
> Raghu <[EMAIL PROTECTED]>
>   * More fixes for RFC compliance on the Message-Authenticator
> Raghu <[EMAIL PROTECTED]>
>   * Merged OSFC2/OSFSIA authentication patches from Cistron.
> (Bug # 104)  The patches are not well tested, however.
>   * IBM DB2 UDB V7.1 SQL driver, contributed by
> Joerg Wendland <[EMAIL PROTECTED]>
>   * Fix the IP + Port address assignment.
> Bug found by "John Padula" <[EMAIL PROTECTED]>
>   * Patch to avoid smashing the contents of Ascend binary filters.
> Michael Chernyakhovsky <[EMAIL PROTECTED]>
>   * Create and Validate Message-Authenticator attribute, in
> preparation for EAP.
>   * Initialize variables properly in rlm_attr_filter.
> Patch from Andriy I Pilipenko <[EMAIL PROTECTED]>
>   * Renamed RedHat init script from 'radiusd.init' to 'radiusd'.
> This allows it to work properly with the RedHat rc system.
> Patch from Christian Vogel <[EMAIL PROTECTED]>
>   * Fix the configure script checks for PostgreSQL, so that
> they use the 'test' command properly.
> Bug found by Robert Haskins <[EMAIL PROTECTED]>
>   * Change instances of 'assert' to 'rad_assert', so that it
> can log the error to the standard radius log files.
> Patch from Vesselin Atanasov <[EMAIL PROTECTED]>
>   * Patch to prevent segv when freeing results, from
> Tomas Heredia <[EMAIL PROTECTED]>
>   * Added support for Exec-Program to acct.  Bug found by
> <[EMAIL PROTECTED]>
>   * Corrected rlm_files so that raddb/acct_users works
>   * When doing synchronous proxying, update proxy next try
> entries, so that the server doesn't eat CPU time.
> Raghu <[EMAIL PROTECTED]>
>   * Add primitive dictionary.nomadix <[EMAIL PROTECTED]>
>   * Log messages to console, if the logger hasn't been
> initialized.  <[EMAIL PROTECTED]>
>   * Log invalid user for proxy rejects, too. <[EMAIL PROTECTED]>
>   * Fixed Expiration attribute handling.
>   * Added code to handle Ascend-Send-Secret and Ascend-Receive-Secret
>   * Removed non thread-pool code.  If we have threads, we now force
> the use of thread pools.
>   * Update version number
>   * correct bug where proxied accounting packets would never have a
> reply sent back to the NAS, or the reply would be sent twice.
>
>   --  Alan DeKok <[EMAIL PROTECTED]>
>
> FreeRADIUS Alpha 0.2.0, July 30, 2001.
>
>   * call openlog() again when using PAM, to get the correct log
>   facility.
>   * Update child thread code, to minimize race conditions.
>   * Make thread pools the default.  Using plain child threads is NOT
>   recommended.
>   * Ignore SIGPIPE to get rid of crashes when using ldap.
>   * Update proxying code to work better.
>   * Platform independent pthread_cancel()ling
>   * Fix 'unresponsive child pid' erroneous warning messages.


Re: radiusd and time limit for one day

2001-08-27 Thread Dan Perik

Thank you all very much for your answer(s).  I think that's what I'm looking for.  Now 
to find time to implement it...

--
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG







Re: radiusd and time limit for one day

2001-08-23 Thread Dan Perik


I think I know what he means, because I'd like to do the same thing here.  That
is, limit someone's dialin time to 1 hour (or whatever) per day.  So today he can
log in for one hour.  Once that hour's up, he has to wait until tomorrow. He'll
get another hour tomorrow. And so on.  Is that possible, and if so how?

- Dan Perik

Paul Foxton wrote:

> Hi,
>
> Not 100% sure what you want to do, but if you mean you want to set the time a
> user can log in: yes it is possible, with Login-Time.
>
> You need to specify this in the first line of your entry for the user in the
> users file as follows:
>
> username    Auth-Type := local, Password == "password", Login-Time :=
> "Al0800-0900"
> etc...
>
> This would only allow access between 8 & 9 in the morning on any day of the
> week (Al).
>
> Have a look in the /doc/README file, it tells you your options for what you
> can set.
>
> cheers,
>
> Paul
>
> > -Original Message-
> > From: Ronald Warner [mailto:[EMAIL PROTECTED]]
> > Sent: 23 August 2001 02:54
> > To: [EMAIL PROTECTED]
> > Subject: radiusd and time limit for one day
> >
> >
> > A time limit is easy to set...  However, is it possible to
> > limit that time
> > limit to a specific period of time?  For example, the user can only
> > dial in for one hour a day.  Thanks.

--
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG




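Paul's answer above uses a `Login-Time` string such as `"Al0800-0900"` to confine a user to a daily window. The following is an added example, not code from the thread or from FreeRADIUS itself: it parses that string format and decides whether a login at a given moment is allowed, returning the number of seconds left in the window (the value a server would hand back as `Session-Timeout`, which is my understanding of how FreeRADIUS applies `Login-Time`, stated here as an assumption). The day codes beyond `Al` (`Su`..`Sa`, `Wk`, `Any`), comma-separated multiple entries, and ranges that wrap past midnight are generalisations from my reading of the users-file conventions, not something the thread spells out.

```python
"""Evaluate a FreeRADIUS-style Login-Time string against a point in time.

Added example, not code from the mailing-list thread or from FreeRADIUS.
Assumed format: comma-separated entries, each a run of day codes followed by
an HHMM-HHMM range.  Day codes: Su Mo Tu We Th Fr Sa, Wk (Mon-Fri), Al or Any
(every day).  A range whose end is earlier than its start wraps past midnight.
"""
import re
from datetime import datetime

# Python weekday(): Monday == 0 ... Sunday == 6
DAY_CODES = {
    "Su": {6}, "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
    "Wk": {0, 1, 2, 3, 4},
    "Al": set(range(7)), "Any": set(range(7)),
}
DAY_TOKEN = r"Su|Mo|Tu|We|Th|Fr|Sa|Wk|Al|Any"
ENTRY_RE = re.compile(r"^((?:%s)+)(\d{4})-(\d{4})$" % DAY_TOKEN)


def _hhmm_to_minutes(hhmm):
    """'0830' -> 510.  Rejects impossible clock values."""
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 24 or minutes > 59:
        raise ValueError("bad clock value %r" % hhmm)
    return hours * 60 + minutes


def parse_login_time(spec):
    """Return a list of (allowed_weekdays, start_minute, end_minute) windows."""
    windows = []
    for entry in spec.split(","):
        match = ENTRY_RE.match(entry.strip())
        if not match:
            raise ValueError("bad Login-Time entry %r" % entry)
        days = set()
        for code in re.findall(DAY_TOKEN, match.group(1)):
            days |= DAY_CODES[code]
        windows.append((days, _hhmm_to_minutes(match.group(2)),
                        _hhmm_to_minutes(match.group(3))))
    return windows


def seconds_allowed(spec, when):
    """Seconds remaining in the best matching window, or 0 when login is denied.

    Assumption (my reading of FreeRADIUS behaviour, not verified against the
    thread): a login outside every window is rejected, a login inside one is
    accepted with Session-Timeout set to the time left until the window closes.
    """
    now_min = when.hour * 60 + when.minute
    best = 0
    for days, start, end in parse_login_time(spec):
        if start <= end:
            # plain same-day window
            if when.weekday() in days and start <= now_min < end:
                best = max(best, (end - now_min) * 60 - when.second)
        else:
            # wraps midnight: tonight's leading part, or the early-morning
            # tail of a window that started yesterday
            if when.weekday() in days and now_min >= start:
                best = max(best, (24 * 60 - now_min + end) * 60 - when.second)
            elif (when.weekday() - 1) % 7 in days and now_min < end:
                best = max(best, (end - now_min) * 60 - when.second)
    return best


def is_login_allowed(spec, when):
    """True when the login should be accepted under the Login-Time spec."""
    return seconds_allowed(spec, when) > 0


if __name__ == "__main__":
    # Constructed sample: Thursday 23 Aug 2001, 08:30, against Paul's example.
    probe = datetime(2001, 8, 23, 8, 30, 0)
    print("Al0800-0900 at 08:30 ->", seconds_allowed("Al0800-0900", probe), "s left")
    print("Wk0800-1700 on Saturday ->",
          is_login_allowed("Wk0800-1700", datetime(2001, 8, 25, 10, 0, 0)))
```

Note that `Login-Time` only bounds *when* a session may start and how long it may last inside the window; it does not accumulate usage across sessions, so it does not by itself answer the "one hour per day" question in this thread. That needs per-day totals from the accounting records in addition to the window check.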



Advice on a RAS

2001-08-16 Thread Dan Perik


Hello,

I've been happily using FreeRadius for a little over a month now and
it's been working great.  Great job to you developers, and thank you.

We're a small operation way out here, and currently we only have 3 dial-in
lines.  These have just been served from standard serial port
connections to standard modems on a machine running RH 7.0 w/
Portslave.  But now we're looking at the possibilities of expanding to 8
or 16+ dial-in lines.  So I'm looking for advice on a RAS/NAS to
purchase to handle these dialup lines.  I've briefly investigated, and
found that Cisco has their 2500 line of "Access Server Routers", which
looks like a standalone device for 4/8/16 "serial" lines.  I've also
looked at Digi's "Acceleport RAS" line, which looks like it would basically be
4/8 modems per card.  These would get plugged into a PC, and I'd run
Portslave on them, of course.  Any advice on which way to go with this
stuff, or better options?

Thanks,
Dan Perik

--
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG







(Freeradius 0.1 vs. Freeradius 0.2) + LDAP

2001-08-14 Thread Dan Perik


Hello,

I am successfully using Freeradius 0.1 + LDAP (with some of my own
band-aid patches to make it work).  The original bug I found is reported
in the bug tracking system to be fixed.  But I have seen some messages
on the list saying that LDAP support isn't working correctly in 0.2.  So
my question is: is LDAP support working correctly in 0.2?  Or should I
stick with what works for me here and now, and wait for the (supposed)
bugs in 0.2 to be flushed out?

Thanks,
Dan Perik

--
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG



