RE: MRTG graphing from radacct sql data

2003-11-30 Thread John Hengstler
I second it...

Regards,

John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Vector
Sent: Sunday, November 30, 2003 6:10 PM
To: [EMAIL PROTECTED]
Subject: Re: MRTG graphing from radacct sql data


I'm interested... thanks,

vec

- Original Message -
From: Joe Maimon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, November 30, 2003 3:53 PM
Subject: MRTG graphing from radacct sql data


 Hello all,

 I have put together a couple scripts and a program that allows me to
 MRTG graph dialup users from the radius accounting sql table.

 Very unpolished. If anyone is interested in helping me develop/test,
 please drop me a line.

 Thanks,

 Joe


 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html









Help with EAP/TLS config

2003-11-26 Thread John Furman
Message-Authenticator = 0xffbad49fddab0937a09d292bb5fef198
modcall: entering group authorize for request 5
modcall[authorize]: module preprocess returns ok for request 5
rlm_eap: EAP packet type notification id 8 length 1083
rlm_eap: EAP Start not found
modcall[authorize]: module eap returns updated for request 5
rlm_realm: No '@' in User-Name = jfurman, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 5
users: Matched jfurman at 101
modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 5
rlm_eap: EAP packet type notification id 8 length 1083
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: Length Included
rlm_eap_tls:  TLS 1.0 Handshake [length 02e3], Certificate 
-- verify error:num=18:self signed certificate 
chain-depth=0, 
error=18
-- User-Name = jfurman
-- BUF-Name = John Furman
-- subject = /C=CA/ST=Ontario/L=Waterloo/O=The Baron St. Matrix/OU=Digital Work Shop/CN=John Furman/[EMAIL PROTECTED]
-- issuer = /C=CA/ST=Ontario/L=Waterloo/O=The Baron St. Matrix/OU=Digital Work Shop/CN=John Furman/[EMAIL PROTECTED]
-- verify return:0
rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca 
TLS Alert write:fatal:unknown CA 
TLS_accept:error in SSLv3 read client certificate B 
rlm_eap_tls: SSL_read Error
14485:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned:s3_srvr.c:1987:
Error code is . 5 
Error in SSL . 5 
modcall[authenticate]: module eap returns ok for request 5
modcall: group authenticate returns ok for request 5
Login OK: [jfurman] (from client gandalf-SMC port 0)
Sending Access-Challenge of id 8 to 172.28.1.2:32806
EAP-Message = 0x010900110d8715030100020230
Message-Authenticator = 0x
State =
0xaa06941ccbefba80f1610a7bcbb13e3cb524c43ff671c9a40334808de0326a4aec127e
b6
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 172.28.1.2:32807, id=9,
length=182
User-Name = jfurman
NAS-IP-Address = 172.28.1.2
Called-Station-Id = 00-04-E2-7A-E3-3F:photonic
Calling-Station-Id = 00-90-4B-16-66-0A
NAS-Identifier = gandalf-wl
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State =
0xaa06941ccbefba80f1610a7bcbb13e3cb524c43ff671c9a40334808de0326a4aec127e
b6
EAP-Message = 0x020900060d00
Message-Authenticator = 0x445e8e2c362db6017d01e367d2e66b2f
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
rlm_eap: EAP packet type notification id 9 length 6
rlm_eap: EAP Start not found
modcall[authorize]: module eap returns updated for request 6
rlm_realm: No '@' in User-Name = jfurman, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 6
users: Matched jfurman at 101
modcall[authorize]: module files returns ok for request 6
modcall: group authorize returns updated for request 6
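
An added example, not from this thread, that reads the rlm_eap_tls verify lines above and names the cause: the client presented a self-signed certificate (subject equals issuer, OpenSSL verify error 18), which does not chain to the CA in the server's CA_file, so the server answered with a fatal unknown_ca alert. The sample text is constructed from the quoted debug output with the wrapped subject/issuer lines rejoined; the error-code constants are OpenSSL's.

```python
import re

# Constructed sample: the certificate-verify lines from the radiusd debug output
# quoted above, with the wrapped subject/issuer lines rejoined. Not a live capture.
SAMPLE_DEBUG = """\
rlm_eap_tls:  TLS 1.0 Handshake [length 02e3], Certificate
-- verify error:num=18:self signed certificate
chain-depth=0,
error=18
-- User-Name = jfurman
-- BUF-Name = John Furman
-- subject = /C=CA/ST=Ontario/L=Waterloo/O=The Baron St. Matrix/OU=Digital Work Shop/CN=John Furman
-- issuer = /C=CA/ST=Ontario/L=Waterloo/O=The Baron St. Matrix/OU=Digital Work Shop/CN=John Furman
-- verify return:0
rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
"""

# OpenSSL X509 verify error numbers that rlm_eap_tls prints as "verify error:num=N"
# (values from OpenSSL's x509_vfy.h).
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20

VERIFY_ERROR_RE = re.compile(r"^-- verify error:num=(\d+):(.*)$")
NAME_RE = re.compile(r"^-- (subject|issuer) = (.*)$")
USER_RE = re.compile(r"^-- User-Name = (.*)$")
ALERT_RE = re.compile(r"TLS 1\.0 Alert \[length [0-9a-f]+\], fatal (\w+)")


def parse_eap_tls_debug(text):
    """Pull the client-certificate verify outcome out of rlm_eap_tls debug lines."""
    parsed = {"user": None, "subject": None, "issuer": None,
              "verify_errors": [], "alert": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = VERIFY_ERROR_RE.match(line)
        if m:
            parsed["verify_errors"].append((int(m.group(1)), m.group(2).strip()))
            continue
        m = NAME_RE.match(line)
        if m:
            parsed[m.group(1)] = m.group(2).strip()
            continue
        m = USER_RE.match(line)
        if m:
            parsed["user"] = m.group(1).strip()
            continue
        m = ALERT_RE.search(line)
        if m:
            parsed["alert"] = m.group(1)
    return parsed


def diagnose(parsed):
    """Explain why the EAP-TLS handshake was rejected, from the verify outcome alone."""
    codes = {code for code, _ in parsed["verify_errors"]}
    self_signed = (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT in codes
                   or (parsed["subject"] is not None
                       and parsed["subject"] == parsed["issuer"]))
    findings = {
        "user": parsed["user"],
        "self_signed_client_cert": self_signed,
        # unknown_ca is the alert the server sends when the presented chain does not
        # end at a CA listed in the CA_file of the eap/tls stanza.
        "server_rejected_chain": parsed["alert"] == "unknown_ca",
        "verify_error_codes": sorted(codes),
        "advice": [],
    }
    if self_signed:
        findings["advice"].append(
            "client certificate is self-signed (subject == issuer); issue it from the CA "
            "in CA_file, or add that self-signed certificate to CA_file only if you trust it")
    if X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY in codes:
        findings["advice"].append("issuer certificate is not in CA_file")
    if X509_V_ERR_CERT_HAS_EXPIRED in codes:
        findings["advice"].append("client certificate has expired")
    return findings


if __name__ == "__main__":
    for key, value in diagnose(parse_eap_tls_debug(SAMPLE_DEBUG)).items():
        print(f"{key}: {value}")
```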

RE: Multiple realm authentication with FreeRADIUS back to Active Directory?

2003-11-19 Thread Heiden, John
I'm sorry, I should have been more specific.  I have multiple
Cisco access servers (AS5300/AS5350/AS5400) and some are in
one pool of users, some are in another, and some are in still
another.  I think about 5 different pools.

So kind of imagine a tree of sorts.  The leaves/branches are
the Cisco AS servers, they go back and authenticate to a
Linux server with Free Radius.  The Linux/FreeRADIUS server
then ultimately authenticates the users back to an AD server.
But the different pools need different policies, etc. for
connect time, and so forth.

Does this make it clearer?  I apologize if I was too confusing
before.  Or is there a way to get away from multiple realms
given my situation?  Oh, and I need to have separate accounting
logs for each pool also.  Meaning, I can't have everything
accounted into the same file.  Each pool would need to have
separate accounting logs.

Would it make sense to authenticate to the AD via RADIUS as
well?  Or just use LDAP?

I'm curious, why won't chap work?  I really don't care if
MS-CHAP breaks, we have never supported it here in the past.
But it strikes me as odd that it would break CHAP.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Wednesday, November 19, 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: Multiple realm authentication with FreeRADIUS back to
Active Directory? 


Heiden, John [EMAIL PROTECTED] wrote:
 I am assuming I need to somehow have FreeRADIUS add a realm
 to the incoming information first, then pass that back to the
 Active Directory server?

  Are you using FreeRADIUS to put the users into different realms, or
are the users logging in with different realms?

  You said you need multiple realms, but you haven't said *why*.

  Second, what is the best way to authenticate to an AD?

  FreeRADIUS can use it as an LDAP server, but CHAP & MS-CHAP won't
work.

  Alan DeKok.



RE: Multiple realm authentication with FreeRADIUS back to Active Directory?

2003-11-19 Thread Heiden, John
The idea is that the only place where pool membership would be
defined is in the AD.  The problem is that each pool needs to
be independent, and sometimes users move between pools.  And the
only place (that they want to keep track of ) membership is in
the AD.

That kind of sucks about CHAP.  OH well, not my problem then.

I am pretty sure that AD does RADIUS.  Or am I thinking of the
OS under AD?  (2000?)



John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Wednesday, November 19, 2003 12:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Multiple realm authentication with FreeRADIUS back to
Active Directory? 


Heiden, John [EMAIL PROTECTED] wrote:
 So kind of imagine a tree of sorts.  The leaves/branches are
 the Cisco AS servers, they go back and authenticate to a
 Linux server with Free Radius.  The Linux/FreeRADIUS server
 then ultimately authenticates the users back to an AD server.
 But the different pools need different policies, etc. for
 connect time, and so forth.

  That's nice.  How do you tell which pool a user is in?

 Does this make it clearer?  I apologize if I was too confusing
 before.  Or is there a way to get away from multiple realms
 given my situation?  Oh, and I need to have separate accounting
 logs for each pool also.  Meaning, I can't have everything
 accounted into the same file.  Each pool would need to have
 separate accounting logs.

  FreeRADIUS can do that, once you figure out how to separate the
users into pools.

 Would it make sense to authenticate to the AD via RADIUS as
 well?  Or just use LDAP?

  Active Directory doesn't do RADIUS.

 I'm curious, why won't chap work?  I really don't care if
 MS-CHAP breaks, we have never supported it here in the past.
 But it strikes me as odd that it would break CHAP.

  Blame Active Directory.  It won't let FreeRADIUS have access to the
plain-text passwords.

  Alan DeKok.



RE: cisco authorization through freeradius

2003-11-18 Thread John A. Hengstler
Greetings.
I have a Cisco AS5300 that I am using for dial customers.
The customer connects, the authentication comes through, but then at the
authorization level the connection gets dropped by the NAS.
Are there any suggested attributes to put into radgroupreply for ISDN dial-in
customers to the Cisco 5300, or do I have an incorrect setting on the
NAS?
Here is a snapshot of what I have for the cisco config:
aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization network default group radius if-authenticated
aaa accounting delay-start
interface Serial0:23
 ip unnumbered Ethernet0
 encapsulation ppp
 dialer-group 1
 isdn switch-type primary-ni
 isdn tei-negotiation first-call
 isdn incoming-voice modem
 peer default ip address pool DIAL6_POOL
 ppp authentication pap chap
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 ip tcp header-compression passive
 no ip mroute-cache
 async mode interactive
 peer default ip address pool DIAL6_POOL
 ppp authentication chap pap
 group-range 1 96
RADIUS: radgroupreply contains:
|  1 | dialerrouter | Session-Timeout | 28800       | == | NULL |
|  5 | dialerrouter | Idle-Timeout    | 1200        | == | NULL |
|  8 | dialerrouter | Service-Type    | Framed-User | == | NULL |
|  9 | dialerrouter | Framed-Protocol | PPP         | == | NULL |
| 10 | dialerrouter | Auth-Type       | Local       | == | NULL |
RADIUS: radcheck contains dialerrouter for the user
All modem dial up customers work just fine, but ISDN dial in fails as
indicated above.
Can anyone shed some pointers on this.   I still haven't figured it out..

Regards,
John Hengstler




Multiple realm authentication with FreeRADIUS back to Active Directory?

2003-11-17 Thread Heiden, John
Hi Folks,

I have been using FreeRADIUS for a while now, but with
a pretty simple configuration.  Now I have been asked to
do some more on a different server.

Here's the scoop, I need to have a number of Cisco Access
Servers authenticate to a Linux server with FreeRADIUS.
The tricks are 1) need to have about 5 different realms,
and 2) need to have the FreeRADIUS server mostly just act
as a pass through back to an (Micro$oft) Active Directory
server which does the real authentication.  The FreeRADIUS
server would do the accounting as well as preventing multiple
logins.

I am assuming I need to somehow have FreeRADIUS add a realm
to the incoming information first, then pass that back to the
Active Directory server?  Second, what is the best way to
authenticate to an AD?

Has anyone done this before?  Can anyone point me in the right
direction?  I have the Hassell book here, but it seems like
the book is extremely out of date with FreeRADIUS already, etc.
It seems like the book should already have a new edition out.

Anyway, any help or advice would be EXTREMELY appreciated!
I need to get a prototype up and running very soon.

Thanks!


John Heiden
Network Engineer
The University of Toledo
Toledo,  OH  43606



Re: Incorrect logins - incorrect

2003-10-14 Thread John McKinney
On Tue, 14 Oct 2003, VCI Help Desk wrote:
Bill,

 Hi,
 
 I switched to FreeRadius about a week ago and just noticed these errors
 in my radius.log file. I see where Radius has rejected a customers
 authentication because it says the password is wrong or the shell doesn't
 exist. But I have checked these usernames and passwords and shells and they
 are correct. The customer usually gets on invalid login and then it works
 fine. It almost seems as though FreeRadius's rlm_unix file is parsing the
 passwd file wrong.
 
 I do not use shadow passwords. Any ideas what could be causing this?
 
 Thu Oct  9 19:37:22 2003 : Auth: rlm_unix: [alicehill]: invalid shell
 [/home/ctaksch:/bin/false]
 
Is /bin/false listed as a valid shell? I am not sure how 
freeradius handles this, but most apps want it listed as a shell. Do you 
see this error with other users who have a valid shell?

HTH
John McKinney





Re: cross-compiler freeradius to arm

2003-10-01 Thread john zurowski
Looks like you're trying to link against an existing library on your x86 
build machine
i.e. in /usr/lib

You need to ensure you include the library path for your ARM libraries
check the documentation for the cross-compiler re: PATH setup
make sure there's a libltdl.so in your ARM tool chain as well

From: °ê¨} [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: cross-compiler freeradius to arm
Date: Wed, 1 Oct 2003 16:29:32 +0800
Dear all:

 I want to cross-compile freeradius to an ARM platform, but I have some
problems.
 Below is my method and the problems:
 1. I use ./configure to generate Make.inc and libtool and other
files.
 2. I change some parameters in Make.inc:
 CC  = arm-linux-gcc
  LIBS  = -lresolv  -lpthread #-lnsl
I comment out -lnsl because arm-linux-gcc can't find -lnsl.
[EMAIL PROTECTED] leo]# arm-linux-ld -lnsl
arm-linux-ld: cannot find -lnsl

 3. I change some parameters in libtool:
   AR=/home/leo/opt/toolchain/arm/gcc-3.2/toolchain/bin/arm-linux-ar
   LD=/home/leo/opt/toolchain/arm/gcc-3.2/toolchain/bin/arm-linux-ld
NM=/home/leo/opt/toolchain/arm/gcc-3.2/toolchain/bin/arm-linux-nm -B
AS=/home/leo/opt/toolchain/arm/gcc-3.2/toolchain/bin/arm-linux-as
# Compile-time system search path for libraries
sys_lib_search_path_spec=/home/leo/opt/toolchain/arm/gcc-3.2/toolchain/lib
# Run-time system search path for libraries
sys_lib_dlsearch_path_spec=/home/leo/opt/toolchain/arm/gcc-3.2/toolchain/lib
 4. Then I type make, but I see this error message:

arm-linux-gcc .libs/radiusdS.o -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../include -o .libs/radiusd radiusd.o files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o -Wl,--export-dynamic -L/home/leo/freeradius-0.9.0/src/lib -lcrypt -lresolv -lpthread /home/leo/freeradius-0.9.0/src/lib/.libs/libradius.so /usr/lib/libltdl.so -ldl -Wl,--rpath -Wl,/usr/local/lib -Wl,--rpath -Wl,/usr/lib
/usr/lib/libltdl.so: could not read symbols: Invalid operation
collect2: ld returned 1 exit status
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory `/home/leo/freeradius-0.9.0/src/main'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/home/leo/freeradius-0.9.0/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/home/leo/freeradius-0.9.0/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/home/leo/freeradius-0.9.0'
make: *** [all] Error 2

I think I have already compiled all the C files to .o files OK,
but radius needs some dynamic link files, like libltdl.so.
I use file to look at libltdl.so:
[EMAIL PROTECTED] /]# cd usr/lib
[EMAIL PROTECTED] lib]# file libltdl.so
libltdl.so: symbolic link to libltdl.so.3.1.0
[EMAIL PROTECTED] lib]# file libltdl.so.3.1.0
libltdl.so.3.1.0: ELF 32-bit LSB shared object, Intel 80386, version 1 
(SYSV), not stripped
I know libltdl.so must be ARM, not Intel 80386, but I don't know how to
fix it...
Can anyone help me???

thank you for your help~~

Leo
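
An added example, not from this thread, of the check John describes: read the ELF header of every object and shared library named on the link line and flag any whose e_machine is not ARM, which is exactly how /usr/lib/libltdl.so (Intel 80386) shows up against the ARM libradius.so. The link command, the two in-memory ELF headers and sample_reader are constructed; disk_reader is what you would pass on a real source tree.

```python
import struct

# e_machine values from the ELF specification.
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 40, 62, 183
MACHINE_NAMES = {EM_386: "Intel 80386", EM_ARM: "ARM",
                 EM_X86_64: "x86-64", EM_AARCH64: "AArch64"}


def make_elf_header(machine, little_endian=True):
    """Constructed minimal 32-bit ELF header (ET_DYN) for offline testing; not loadable."""
    endian = "<" if little_endian else ">"
    e_ident = b"\x7fELF" + bytes([1, 1 if little_endian else 2, 1]) + b"\x00" * 9
    return e_ident + struct.pack(endian + "HH", 3, machine) + b"\x00" * 32


def elf_machine(header):
    """Return e_machine from the first 20 bytes of an ELF file
    (the architecture that `file` prints, e.g. 'Intel 80386')."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if header[5] == 1 else ">"      # EI_DATA: 1 = LSB, 2 = MSB
    return struct.unpack(endian + "H", header[18:20])[0]


def object_inputs(link_cmd):
    """Pick the object/archive/shared-object paths out of a gcc link line.
    -lfoo names are resolved through the linker search path and are not checked here."""
    return [t for t in link_cmd.split()
            if t.endswith((".o", ".a", ".so")) or ".so." in t]


def check_link_inputs(link_cmd, expected_machine, read_header):
    """Return (path, problem) for every input that is not an ELF object of expected_machine.
    read_header(path) must return at least the first 20 bytes of the file."""
    problems = []
    for path in object_inputs(link_cmd):
        try:
            data = read_header(path)
        except OSError as exc:
            problems.append((path, f"unreadable: {exc}"))
            continue
        try:
            machine = elf_machine(data)
        except ValueError as exc:
            problems.append((path, str(exc)))
            continue
        if machine != expected_machine:
            problems.append((path, f"built for {MACHINE_NAMES.get(machine, machine)}, "
                                   f"expected {MACHINE_NAMES[expected_machine]}"))
    return problems


def disk_reader(path):
    """Header reader for a real tree: the first 64 bytes of the file on disk."""
    with open(path, "rb") as fh:
        return fh.read(64)


# Constructed stand-in for the two shared objects on the link line above: the
# freshly cross-built libradius.so is ARM, the host's /usr/lib/libltdl.so is i386.
SAMPLE_FILES = {
    "/home/leo/freeradius-0.9.0/src/lib/.libs/libradius.so": make_elf_header(EM_ARM),
    "/usr/lib/libltdl.so": make_elf_header(EM_386),
}
SAMPLE_LINK_CMD = ("arm-linux-gcc -o .libs/radiusd -L/home/leo/freeradius-0.9.0/src/lib "
                   "-lcrypt /home/leo/freeradius-0.9.0/src/lib/.libs/libradius.so "
                   "/usr/lib/libltdl.so -ldl")


def sample_reader(path):
    """In-memory replacement for disk_reader, used by the constructed sample."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


if __name__ == "__main__":
    for path, problem in check_link_inputs(SAMPLE_LINK_CMD, EM_ARM, sample_reader):
        print(f"{path}: {problem}")
```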



works with a ppphint, but how to insert this into my proxy for someone?

2003-09-30 Thread John Keimel
I am proxying auth from my server (freeradius, .8.1) to another server
(cistron radius) and when running radtest, I can only get correct
answers if I add the '1' to radtest to turn the Framed-Protocol = PPP on

How do I insert that into a auth request on the regular proxy? Or,
should I just have the other server correct itself in some manner? 

Examples of my radtesting are below, names are changed to protect the
guilty.

THIS ONE FAILS: 

$ radtest [EMAIL PROTECTED] userpass localhost 1 testing123 
Sending Access-Request of id 142 to 127.0.0.1:1812
User-Name = [EMAIL PROTECTED]
User-Password = e\024c\311\221cN\226\245\302HO\261\n+a
NAS-IP-Address = auth-1.myhost.com
NAS-Port = 1
Re-sending Access-Request of id 142 to 127.0.0.1:1812
User-Name = [EMAIL PROTECTED]
User-Password = e\024c\311\221cN\226\245\302HO\261\n+a
NAS-IP-Address = auth-1.myhost.com
NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=142,
length=20

THIS ONE WORKS

$ radtest [EMAIL PROTECTED] userpass localhost 1 testing123  1
Sending Access-Request of id 186 to 127.0.0.1:1812
User-Name = [EMAIL PROTECTED]
User-Password = \035~\275RG\314Y9\327\2607\276;D\371\016
NAS-IP-Address = auth-1.myhost.com
NAS-Port = 1
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=186,
length=56
Framed-IP-Netmask = 255.255.255.0
Framed-MTU = 576
Session-Timeout = 14400
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP


My proxy stanza for this looks something like:

realm   domain.net {
type= radius
authhost= 192.168.1.1:1812
accthost= 192.168.1.1:1813
secret  = supersecret
nostrip
}


Thank you. 

j
-- 

==
+ It's simply not   | John Keimel+
+ RFC1149 compliant!| [EMAIL PROTECTED]+
+   | http://www.keimel.com  +
==



Re: PAP and CHAP

2003-09-25 Thread John Luker
Dennis,

Insulting one of the main developers probably won't score you a lot of 
points or get you much help in this forum. Be that as it may there are 
an abundance of RADIUS packages out there that have wonderful technical 
support from the company you BUY IT FROM. How much support do you think 
you're ENTITLED to from a FREE package? My advice: Buy a product from a 
company that will help you get it working. J.

Dennis (NNEX Tech. Support) wrote:

Okay, let me spell it out, we're using a national dial-up company for 
numbers all over the US.  This I have stated before.  Some of the 
dial-up servers they are using require PAP authentication, others 
require CHAP authentication.  This I have also stated before.  Thus, 
there are DIAL-UP NUMBERS that are PAP and DIAL-UP NUMBERS that are CHAP.

When we dial into a DIAL-UP NUMBER that has PAP authentication, it 
authenticates just fine.  When we dial into a DIAL-UP NUMBER that has 
CHAP authentication, we cannot authenticate.

As I asked before, what information do you want/need to help me with 
this problem???  Do you want to see user files, do you want to see 
config files, WHAT???

We tried all this with Cistron radius, it wouldn't work.  We were told 
that there is much more information and support for freeRadius.  So, 
we're trying to get freeRadius set up but we're having the same exact 
problem with freeRadius as with Cistron.

As I can see, we were misinformed as to the amount of support 
available with freeRadius.  The only person answering anything is a 
sarcastic idiot that is having problems with simple words like What 
would help in the diagnosis?

Alan, if you don't want to help, that's fine.  I won't be upset.

Alan DeKok wrote:

Dennis (NNEX Tech. Support) [EMAIL PROTECTED] wrote:

I have dialed pap numbers and it authenticates just fine, but every 
time I dial into chap, it says no password.


  sigh  Please use standard terminology.  Using vague and misleading
terminology leads only to confusion.
  Let's de-construct what you said:

 - there is no such thing as PAP numbers
   Your ISP may have configured certain lines to use PAP, but that's a
   local issue, and has nothing to do with pap numbers.  No one else
   understands what you mean when you say pap numbers.  It's not a
   phrase anyone uses.
 - similarly, you don't dial into chap

 - it says ...
   I presume you mean FreeRADIUS.  I can't figure out what else it
   could be, but you've taken great care to not mention any real-world
   details, so it could be the moon, for all I know.
 - it says no password.
   If it is FreeRADIUS, then no, it doesn't.  It says
   no User-Password, which is very different.  In fact, one would
*expect* it to say no User-Password when you do CHAP
   authentication, because there honestly IS NO User-Password
   attribute in the packet.
  The summary is that you've just wasted my time and yours, because
you were unwilling to describe what was going on, and because you were
unwilling to run the server in debugging mode and *read* the output,
in order to figure out the problem.
  I'll bet money as to what the problem is, but in the tradition of
dribbling out bits and pieces of useless information, I won't say what
it is in this message.
  Alan DeKok.
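
An added example, not from any message in this thread, covering the "no User-Password" remark above and Alan's earlier point in the Active Directory thread that a backend which hides the cleartext password cannot do CHAP: a PAP request carries User-Password, which the server can decrypt and check even against a stored hash, while a CHAP request carries CHAP-Challenge and CHAP-Password and can only be verified by recomputing MD5(ident | password | challenge) from the cleartext. The shared secret, Request Authenticator, challenge and the SHA-256 "hash-only" record are constructed stand-ins (Active Directory validates via a bind rather than exposing a hash).

```python
import hashlib
import hmac

# Fixed, constructed values so the example is deterministic. A real NAS picks a fresh
# random Request Authenticator and CHAP challenge for every Access-Request.
SHARED_SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
CHAP_CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")


def pap_hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def pap_unhide_password(hidden, secret, req_auth):
    """Inverse of pap_hide_password: the server recovers the cleartext password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(p ^ q for p, q in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident, password, challenge):
    """RFC 1994: Response = MD5(Identifier | Secret | Challenge); Secret is the cleartext password."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def hash_only_record(password):
    """Constructed stand-in for a backend that stores only a digest of the password."""
    return {"sha256": hashlib.sha256(password).digest()}


def build_access_request(kind, username, password, ident=1):
    """Attributes a NAS sends. Only PAP carries User-Password; CHAP carries
    CHAP-Challenge and CHAP-Password (ident byte + 16-byte response) instead."""
    attrs = {"User-Name": username}
    if kind == "PAP":
        attrs["User-Password"] = pap_hide_password(password, SHARED_SECRET, REQUEST_AUTH)
    elif kind == "CHAP":
        attrs["CHAP-Challenge"] = CHAP_CHALLENGE
        attrs["CHAP-Password"] = bytes([ident]) + chap_response(ident, password, CHAP_CHALLENGE)
    else:
        raise ValueError(kind)
    return attrs


def authenticate(attrs, user_record):
    """Server side. user_record is {"cleartext": b"..."} (users file / SQL holding the
    cleartext) or a hash_only_record(). Returns (accepted, reason)."""
    if "User-Password" in attrs:
        supplied = pap_unhide_password(attrs["User-Password"], SHARED_SECRET, REQUEST_AUTH)
        if "cleartext" in user_record:
            return hmac.compare_digest(supplied, user_record["cleartext"]), "PAP: cleartext compare"
        # PAP hands the server the cleartext, so a hash-only backend can still check it.
        digest = hashlib.sha256(supplied).digest()
        return hmac.compare_digest(digest, user_record["sha256"]), "PAP: hash compare"
    if "CHAP-Password" in attrs:
        if "cleartext" not in user_record:
            # The thread's failure mode: without the cleartext there is no way to evaluate
            # MD5(ident | password | challenge), so CHAP cannot succeed against this backend.
            return False, "CHAP: backend exposes no cleartext password"
        chap = attrs["CHAP-Password"]
        if len(chap) != 17:
            return False, "CHAP: malformed CHAP-Password"
        expected = chap_response(chap[0], user_record["cleartext"], attrs["CHAP-Challenge"])
        return hmac.compare_digest(expected, chap[1:]), "CHAP: response recomputed from cleartext"
    return False, "no User-Password or CHAP-Password attribute"
```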





RE: MESSAGE

2003-09-18 Thread John A. Hengstler
THANK SADDAM!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 4:28 PM
To: [EMAIL PROTECTED]
Subject: MESSAGE


FROM THE DESK OF DR WILLIAMS COLE
EMAIL:[EMAIL PROTECTED]

ATT:Sir/Madam

I feel very sorry to interrupt your peace since you are not expecting to
receive any mail from me. However, I was obliged to do so due to the
importance and urgency of the message. I crave your indulgence, and want to
reassure you that I mean well and that it is only for our mutual good. So
please do not be embarrassed or suspicious.

My name is Dr. Williams Cole; I am a social worker with an international
Non-Governmental/Voluntary organization based in Switzerland. I am the
Accounts/ Project Director in-charge of South America regional
representation. Our organization, through the local NGO'S and other Agencies
and in partnership with the United Nations High Commission for Refugees,
UNHCR, UNESCO, etc works and sponsors development projects and social
services in some third world/ developing countries, assistance and
re-settlement of victims of natural disaster, civil wars and Refugees,
displaced/oppressed children and minority people around the world.

I am just back from Iraq where in the cause of performing our duties we
found a huge amount of cash in an abandoned house, I reached an agreement
with the members of my team whom are UN officials (two in number) and we
agreed to keep this money to ourselves and they moved the box out of Iraq to
Amsterdam (with their immunity as UN officials they are not searched at
borders or airports).

Now, I am in need of a reliable and trustworthy person or company overseas
whom I can confidently work with since my work does not permit me to own a
foreign bank account or any personal business until retirement, I have the
honor to confide this information in you and to request for your pleasure to
assist to receive and secure the money in your account, pending our
retirement from service. Please understand that my approach to you is based
only on my positive reasoning and on the belief that you will not disappoint
or betray me at last. The amount is fairly huge and we have agreed that on
completion of the deal, you will retain some reasonable percentage of the
money as a compensation for your assistance.

By any standard, the money is cool and legal and therefore quite safe and
secure for all of us, however to consider our official positions, reputation
and integrity, especially, the opportunities in the business itself, it is
very necessary that all due care be taken so that we do not miss the
opportunity due to carelessness. You are therefore expected and advised to
display high degree of maturity, responsibility and understanding in
handling this information.

There would be a meeting in Europe where we moved the money to, for further
discussions and to consummate the transaction at once. I will give you all
the details in my next mail when you have indicated your interest and
commitment to work with me. Always remember that this is the highest
confidence and trust any person can repose on the other, especially when it
is considered that we did not know ourselves before. I hope you will honor
me too.


NOTE: I know there may be scams and junk mails flying here and there on the
Internet but certainly, this is not one. Please do not fail to understand
that in spite of all that, opportunities of this kind still abound. If you
have ever wished or prayed for something good to come your way, now I urge
you to take this message seriously and with an open mind. You could never
know. This may be an answer to your prayers. So please give it a benefit of
doubt, and with good faith and trust join me and I am assuring you now that
you will never be disappointed. Please reply urgently and furnish your
TELEPHONE AND FAX NUMBERS, for further details.

you can reply me on the below email address([EMAIL PROTECTED])

Treat as strictly confidential.

Best regards,

Dr. Williams Cole.








Re: freeradius+mysql prepaid (block time)

2003-08-26 Thread john zurowski
rlm_sqlcounter is what you need to use

in radius.conf look at counter section

also look at sqlcounter.conf

I'm sure there are some topics in the mail archive as well (but I wouldn't 
swear to it)

From: Scott [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: freeradius+mysql prepaid (block time)
Date: Tue, 26 Aug 2003 00:41:54 -0400
I have freeradius running and authenticating/accounting via mysql.  Very
slick.
I can see the accounting showing up in mysql with an accurate
AcctSessionTime.  Is there a way to keep a running total of these times per
user and authenticate not only on the basis of password but also on the
value of the total connection time?
I've searched the web and found some references to some python hacks but 
not
really come across anything concrete.

Thanks!

Scott
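
An added example, not from either message above, for the prepaid question here and the earlier MRTG thread: a constructed radacct subset in SQLite, the count of open sessions MRTG would graph, and the per-user SUM(AcctSessionTime) that rlm_sqlcounter compares with a Max-All-Session limit, returning Session-Timeout for what is left. The columns, rows and the 7200-second limit are constructed; rlm_sqlcounter's own configuration syntax is not reproduced.

```python
import sqlite3

# Subset of the FreeRADIUS radacct schema, enough for the two queries below.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId       INTEGER PRIMARY KEY,
    UserName        TEXT NOT NULL,
    NASIPAddress    TEXT,
    AcctStartTime   TEXT,
    AcctStopTime    TEXT,      -- NULL while the session is still up
    AcctSessionTime INTEGER    -- seconds, filled in by the Stop record
)"""

# Constructed accounting rows: bob has three finished sessions and one still online,
# alice has already used more than the prepaid block, carol is online with no history.
SAMPLE_ROWS = [
    ("bob",   "10.0.0.1", "2003-08-25 20:00:00", "2003-08-25 21:00:00", 3600),
    ("bob",   "10.0.0.1", "2003-08-25 22:00:00", "2003-08-25 22:30:00", 1800),
    ("bob",   "10.0.0.2", "2003-08-26 00:00:00", "2003-08-26 00:10:00", 600),
    ("bob",   "10.0.0.2", "2003-08-26 00:30:00", None, None),
    ("alice", "10.0.0.1", "2003-08-25 18:00:00", "2003-08-25 20:13:20", 8000),
    ("carol", "10.0.0.2", "2003-08-26 00:31:00", None, None),
]


def open_sample_db():
    """In-memory radacct with the constructed rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, "
        "AcctSessionTime) VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def online_users(conn):
    """Sessions with no Stop record yet: the number an MRTG target would graph."""
    return conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE AcctStopTime IS NULL").fetchone()[0]


def mrtg_output(conn, target="dialup users"):
    """MRTG external-script format: input value, output value, uptime, name; one per line."""
    n = online_users(conn)
    return f"{n}\n{n}\n0\n{target}\n"


def used_seconds(conn, username):
    """Total AcctSessionTime so far, the same shape of query a sqlcounter runs per User-Name.
    Open sessions have AcctSessionTime NULL and are not counted until their Stop arrives,
    so pair this with Simultaneous-Use to stop parallel logins running past the block."""
    row = conn.execute(
        "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?",
        (username,)).fetchone()
    return int(row[0])


def prepaid_check(conn, username, max_all_session):
    """Max-All-Session style decision: reject once the block is used up, otherwise accept
    and hand the NAS a Session-Timeout so the call is cut when the prepaid time runs out."""
    remaining = max_all_session - used_seconds(conn, username)
    if remaining <= 0:
        return {"accept": False, "Reply-Message": "prepaid time exhausted"}
    return {"accept": True, "Session-Timeout": remaining}


if __name__ == "__main__":
    db = open_sample_db()
    print(mrtg_output(db), end="")
    for user in ("bob", "alice", "carol"):
        print(user, prepaid_check(db, user, 7200))
```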





Re: rlm_sqlcounter

2003-08-26 Thread john zurowski

From: "Scott" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED] 
To: <[EMAIL PROTECTED]>
Subject: rlm_sqlcounter 
Date: Tue, 26 Aug 2003 11:54:43 -0400 
 
Redhat8, freeradius 0.9.0 
 
I can't get rlm_sqlcounter to work. I've read the docs carefully and 
performed all the steps. 
./configure --with-experimental-modules 
 
During the configure process I see the following; 
configuring in src/modules/rlm_sqlcounter 
 
I've created the sqlcounter.conf file and added the proper lines into 
radiusd.conf 
 
I added some data into radcheck 
 
When I start up radiusd it dies with this output; 

radiusd.conf[2] Failed to link to module 'rlm_sqlcounter': file not found 

check that /usr/local/lib (or where ever you install the modules)
contains rlm_sqlcounter.so
If it isn't there it hasn't built correctly
 
I noticed that the configure file in the rlm_sqlcounter directory was not 
executable and changed that. If I comment the module and accounting 
startements from radiusd.conf radiusd starts up and authenticates/accounts 
with mysql perfectly. 
 
I've read everything I can find on this and I still can't get it working. 
Thanks for any help, 
 
Scott 
 
 


RE: ericsson tigris and freeradius

2003-08-01 Thread John Arthur
It's irrelevant, just ignore it.

It's just the dialup connection saying "Can I have this address, since it
was the last one I had?" and the Tigris is saying "No! I'm giving you a
new one."

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Gustavo
 Lozano
 Sent: Friday, 1 August 2003 1:08 PM
 To: [EMAIL PROTECTED]
 Subject: ericsson tigris and freeradius


 Hello.

 Does anybody have a Tigris with freeradius?

 I am having the next trap in the console:

 *** TRAP from local agent at 31-Jul-2003 18:54:26 uptime 2 Days,
 04:10:05
 *** Invalid source address xxx.xxx.xxx.xxx from interface D213

 Sometimes happens when the user is dialing from a computer with one
 modem and a NIC, in that case the xxx.xxx.xxx.xxx is the ip address of
 the NIC, but some other times the xxx.xxx.xxx.xxx is one Ip Address of
 the Pool being assigned...

 Well, may be this is not the place but I cannot find anything in the
 web..

 Rgds


 --
 Gustavo Lozano [EMAIL PROTECTED]





Re: Need Help with SNMP

2003-07-31 Thread John M. Luker
***Wonders who p**sed in Steven's cheerios this morning

At 07:02 AM 7/31/03, you wrote:
What Mr. DeKok means is...

He's a giant jerk and thinks he's too important to answer your questions, 
so he has to make snide remarks questioning your intelligence to make 
himself feel all nerdy and stuff.




Re: Cisco Access Levels

2003-07-30 Thread John McKinney
On Wed, 30 Jul 2003, Robert LaGrasse wrote:
Someone had an sample posted the other day. I don't recall the exact 
syntax, but you could start with something like this. When you define the 
user in the users file I believe you will use this as a reply item. I have 
not tried sending vendor specific attributes to a cisco, so maybe someone 
else can provide a little more information. Hope this helps.

cisco-avpair = "shell:priv-lvl=15"

John McKinney

  Hi All:
 
 I didn't see this in the FAQ, but I'm sure someone has done this before:
 
 I want to set the server up to authenticate/authorize telnet access against
 the local linux user database. I need one group of users to have regular old
 login access, and the other to have privilege level (15) access. 
 
 If there is an example of this somewhere, just point the way.
 
 I'm a newbie here, so please be gentle :) Thanks in advance for your help. 
 
 -B
 
 




Freeradius with MAC based authentication

2003-07-28 Thread Tracy, John
Hello all,
We're using Cisco Aironet 1200's, and wanted to implement MAC authentication. 
I have successfully gotten it working with entries in the users file in Freeradius 
.9. However, when I tried to change it over to authenticate against a MySQL database, 
I've run into some problems.
I'm using the standard schemata for the database, but I'm not clear as to what 
to put in which fields. The AP is successfully sending the mac address as the 
username/password to the Radius server. I'm also using the standard queries included 
with Freeradius. Here is the output from the radius server:

Snip
rad_recv: Access-Request packet from host 10.10.19.60:1645, id=64, length=119
User-Name = 00e063500e6a
User-Password = 00e063500e6a
Called-Station-Id = 000d.28dd.6391
Calling-Station-Id = 00e0.6350.0e6a
NAS-Port-Type = Virtual
NAS-Port = 279
NAS-IP-Address = 10.10.19.60
NAS-Identifier = ap_maclellan529
rad_lowerpair:  User-Name now '00e063500e6a'
rad_lowerpair:  User-Password now '00e063500e6a'
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
rlm_eap: EAP-Message not found
  modcall[authorize]: module eap returns noop
rlm_realm: No '@' in User-Name = 00e063500e6a, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 153
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
radius_xlat:  '00e063500e6a'
rlm_sql (sql): sql_set_user escaped user -- '00e063500e6a'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'00e063500e6a' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '00e063500e6a' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'00e063500e6a' ORDER BY id'
rlm_sql: unknown attribute static
rlm_sql (sql): Error getting data from database
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '00e063500e6a' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
  modcall[authenticate]: module unix returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Login incorrect: [00e063500e6a/00e063500e6a] (from client student-aps port 279 cli 
00e0.6350.0e6a)

End Snip


If anybody could give me an idea of where I should enter the username/password into 
the database, it would be most helpful. I haven't been successful in finding the 
document that outlines this (perhaps I'm not looking in the right place).

Also, in terms of features... In the response from the Freeradius server, can I give 
the Access Point an IP address to pass to the client (as well as subnet mask, dns 
servers, etc)? Does the client pick this up just like it's coming from a DHCP server?


Thanks for your help,
John Tracy



RE: Freeradius with MAC based authentication

2003-07-28 Thread Tracy, John
Thank you very much, Alan. It works!
It was right under my nose all along...

-John

 -Original Message-
 From: Alan DeKok [SMTP:[EMAIL PROTECTED]
 Sent: Monday, July 28, 2003 10:18 AM
 To:   [EMAIL PROTECTED]
 Subject:  Re: Freeradius with MAC based authentication 
 
 Tracy, John [EMAIL PROTECTED] wrote:
  We're using Cisco Aironet 1200's, and wanted to implement MAC
  authentication. I have successfully gotten it working with entries in
  the users file in Freeradius .9. However, when I tried to change it
  over to authenticate against a MySQL database, I've run into some
  problems.
 
   The explanation as to what the server is doing, and why it's
 failing, is in the debug log you posted to the list.
 
  users: Matched DEFAULT at 153
modcall[authorize]: module files returns ok
 
  modcall: group authorize returns ok
 ...
rad_check_password:  Found Auth-Type System
  auth: type System
  modcall: entering group authenticate
modcall[authenticate]: module unix returns notfound
 
   Alan DeKok.
 



proxy.conf and sending 'Framed-User = PPP' for one realm

2003-07-28 Thread John Keimel
I've got radiusd: FreeRADIUS Version 0.8.1, for host i686-pc-linux-gnu,
built on Jun 24 2003 at 13:00:04 for which I'm proxying several
different realms to several different other servers. 

On one of the realms, I can get radtest to work correctly if I append
the 'ppp hints' bit to the radtest. Of course, radtest isn't a dialup
connection. These connects seem to fail. 

Another admin who is proxying connections to me (yes, I'm passing them
on second hand) tells me that "You'll have to add Framed-Protocol = PPP
somewhere up on your stream." He's able to kludge it on his end to add
this, but I need to be able to have my servers be able to insert this as
well. He isn't running FreeRadius (I told him to eat his keyboard :) so
he's not sure how I can add this and neither am I. 

I'm under the impression that I only have one place to add the hint into
the stream, that's in my proxy.conf. I'd like to think that I can put
the word 'hints' in the stanza for this realm and it would look at my
hints file for info, but I can't figure out what I should have in the
stanza in the hints file. 

Unfortunately, the mail archive for this list brings up lots of hints
when searching for what I've been seeking 'proxy.conf' and 'hints' and
'Framed-User' and 'ppp' and various permutations of that. That tends to
bring up lots of hints. 

Now, I'm only looking to insert the hint (ppp?) into this one realm
without affecting all the others. I have no control over the server I'm
proxying to, so it has to be me to insert the hint into the request. 

I'd appreciate any pointers to info on this particular problem, or
suggestions on better search terms to try in the mail archive. Or even
someone's comments on "I had the same problem and I..." kind of stuff. 

TIA,

j
-- 

==
+ It's simply not   | John Keimel+
+ RFC1149 compliant!| [EMAIL PROTECTED]+
+   | http://www.keimel.com  +
==



cisco accounting attribute

2003-07-23 Thread John A. Hengstler

Greetings,

Does anybody know why this accounting attribute would be listed this way
coming from a cisco?

Connect-Info =
\320\272\254J721670\000\000\000\000\000\000\000\000\000\000\000

Regards,

John Hengstler


RE: unsubscribe

2003-07-03 Thread John M. Luker
DP,

Probably a waste of bandwidth, I've sent him 4 emails offlist with explicit 
instructions (cut and pasted from the freeradius site). I don't think he's 
reading any of his mail. Go figure.

J.
At 12:54 PM 7/3/03, you wrote:
Do us all a favour and visit
http://lists.cistron.nl/mailman/listinfo/freeradius-users and
unsubscribe there.  If you had read the emails that you were receiving,
you would have noted the handy HTML link at the bottom of EVERY list
email that says, quite plainly, List info/subscribe/unsubscribe
DP

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Mendez,
 Luis
 Sent: Thursday, July 03, 2003 10:20 AM
 To: [EMAIL PROTECTED]
 Subject: unsubscribe


 unsubscribe






RE: How do I know if SQL module is loaded?

2003-06-26 Thread John M. Luker
Glad you figured it out on your own... I was going to have to tell you 
to look down the barrel... J.

At 04:17 PM 6/26/03, you wrote:
The file doc/module_interface explains this pretty good.
Sorry for the noises.
-Original Message-
From: Alex Chen [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 4:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: How do I know if SQL module is loaded?
Never mind, I think I got it.  It seems that the
modules section defines module attributes and alias and
any sections below that references a module will
cause that module being instantiated and loaded, am I correct?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alex Chen
Sent: Thursday, June 26, 2003 4:03 PM
To: [EMAIL PROTECTED]
Subject: How do I know if SQL module is loaded?
I am trying to build FreeRadius 0.8.1 to use MySQL DB on RH LINUX 8.0.
Previously I did not install MySQL header file package so rlm_sql_mysql was
not even built.
After I installed that and did a clean rebuild, that module was built and
put under
/usr/local/lib. But when I started radiusd with the '-X' flag, I still did
not see a message
saying the SQL module was loaded, although the sql was in the modules
section.
The file radiusd.conf has the following entry for SQL:
modules {
    pap {...}
    chap {...}
    pam {...}
    unix {...}
    ...
    files {...}
    $INCLUDE  ${confdir}/sql.conf
    ...
}
If I added 'sql' in the 'instantiate' section, then the SQL module was
loaded fine.
But there were only two modules, expr and sql, in that section.
What determines which module will be instantiated?

John M. Luker
www.flexpop.net
877.562.5128 voice
503.517.8866 voice
503.517.8868 fax


Almost working after upgrade 0.3-0.8.1

2003-06-20 Thread John Straiton
Ok, so something went really bad wrong with my freeradius-0.3 today so I
used the FreeBSD port to update my server to 0.8.1 

My setup is virtually the same as described at
http://www.frontios.com/freeradius.html and used to be exactly as
described on http://my.lostinfo.com/files_other/radius/ . 

After installing the port, then editing the new configuration files (I
moved all the prior files before upgrading), then updating my database
schema to match the new 'op' column as well as the new lengths for the
existing columns, things are looking *almost* there.

I still can not authenticate users. Below I've attached my debug output
along with the configuration output from starting the server in
debugging mode. The SQL queries report as failing in the debug, but they
seem to return just fine for me. 

I guess the ultimate problem is:
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user

I guess if I understood the auth {} section more I might be able to
figure it out, but I don't. 

I'd really appreciate any help provided. This one has me stumped!

John Straiton
[EMAIL PROTECTED]
Clickcom, Inc
704-365-9970x101 



The 3 queries described in the debug output return these results for
this username user.

===

1) SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'username' ORDER BY id;
+-----+----------+-----------+----------+----+
| id  | UserName | Attribute | Value    | op |
+-----+----------+-----------+----------+----+
| 417 | username | Password  | password | == |
+-----+----------+-----------+----------+----+

2) SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,
radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'username' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id;
+----+------------+-----------+-------+----+
| id | GroupName  | Attribute | Value | op |
+----+------------+-----------+-------+----+
|  4 | isdnstatic | Auth-Type | Local | := |
+----+------------+-----------+-------+----+

3) SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,
radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = 'username' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id;
+----+------------+--------------------+---------------------+----+
| id | GroupName  | Attribute          | Value               | op |
+----+------------+--------------------+---------------------+----+
| 23 | isdnstatic | User-Service-Type  | Framed-User         | := |
| 24 | isdnstatic | Framed-Protocol    | PPP                 | := |
| 25 | isdnstatic | Framed-Compression | Van-Jacobsen-TCP-IP | := |
| 26 | isdnstatic | Framed-MTU         | 1500                | := |
| 27 | isdnstatic | Idle-Timeout       | 1800                | := |
| 28 | isdnstatic | Port-Limit         | 2                   | := |
+----+------------+--------------------+---------------------+----+


FULL OUTPUT FROM DEBUG

===
rad_recv: Access-Request packet from host my_access_concentrator:1026,
id=45, length=78
User-Name = username
User-Password = password
NAS-IP-Address = 216.189.16.7
NAS-Port = 26
NAS-Port-Type = ISDN
Service-Type = Framed-User
Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module mschap returns notfound
rlm_realm: No '@' in User-Name = username, looking up realm NULL
rlm_realm: Found realm DEFAULT
rlm_realm: Adding Stripped-User-Name = username
  rlm_realm: Proxying request from user appliedr to realm DEFAULT
rlm_realm: Adding Realm = DEFAULT
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module suffix returns noop
radius_xlat:  'username'
rlm_sql (sql): sql_set_user escaped user -- 'username'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'username' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'username' ORDER BY id
rlm_sql (sql): User username not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'username' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'username

Unique WEP's without LEAP

2003-06-12 Thread Tracy, John
Greetings all,

In a nutshell, can a Cisco Aironet 350 Access Point accept a per-user WEP key from 
Freeradius (and can Freeradius serve it one)?

We're beginning the process of installing a wireless LAN on our college 
campus. We'd like to have something more secure than wide open, but not something that 
will require the use of VPN's or IPSec or LEAP. Weighing all of our options, the best 
solution we arrived at would be a combination MAC address authentication and unique 
WEP keys for each client.
We're going to be using Cisco Aironet 350 access points. I've already found 
out how to setup MAC address authentication with Freeradius. However, I'm not very 
clear on the possibility/ability to serve out unique predetermined WEP keys for each 
user. If anybody could shed some light on the feasibility of the following scenario, 
I'd appreciate it:
Client A boots up her Windows 98 computer with a wireless NIC. The access 
point grabs the MAC address, authenticates her against the radius server and 
allows/denies data transmission.
Can we go one step further and when the access point sees Client A's MAC 
address, the radius server tells the Cisco access point to use a particular WEP key 
with that user.

Condition: That user knows that WEP key in advance and has already entered it into her 
workstation's configuration...

So from an administrative standpoint, it will be somewhat tedious as each user will 
have a unique wep key we provide in advance. But from a security standpoint, at least 
for the passive sniffer, it makes it very difficult because each client's traffic is 
encrypted with a unique WEP.

Also, even though MAC addresses can be spoofed, you must know a working, authorized 
MAC address and have a matching WEP key to even begin to transfer data.

Anyone heard/doing anything similar? I'm not even sure if it's possible. We wanted to 
stay away from proprietary solutions like LEAP because it doesn't work with 
everybody... and being a school a bit of openness is okay.

Thanks,
John Tracy



RE: Unique WEP's without LEAP

2003-06-12 Thread Tracy, John
Hi,
I'm actually wanting the per-user WEP key to stay static across a user's 
sessions. So I want per-user weps, but not rotating them. Does this make any sense?

Thanks,
John

 [EMAIL PROTECTED] wrote on 06/12/2003 09:53:20 AM:
 
  In a nutshell, can a Cisco Aironet 350 Access Point accept a per-
  user WEP key from Freeradius (and can Freeradius serve it one)?
 
 Well, you're trying to re-invent EAP without actually using EAP.  Can't 
 get there from here; if you want the security of per user rotating WEP 
 keys, you _have_ to do some form of eap (leap, peap, eap-tls, etc.).
  
 



RE: Unique WEP's without LEAP

2003-06-12 Thread Tracy, John
  I'm actually wanting the per-user WEP key to stay static across a 
 user's sessions. So I want per-user weps, but not rotating them. Does 
 this make any sense?
 
  Thanks,
  John


no, because you want the wep key(s) to be created/delivered by 
freeradius at least once. from this point on, it does not make any 
difference if you do it daily or only once in a lifetime.

Actually I don't want Freeradius to create the keys or deliver the WEP keys to 
the end
user. The end user will have already entered in her unique WEP key manually. 
Free-
radius just needs to authenticate based on MAC, and tell the access point 
which WEP 
key to use when talking with that client.

All of the WEPs would be created in advance, and entered into the client's 
configuration
and into a database/file which is readable by Freeradius.

-John



Re: Error reading USR dictionary

2003-06-09 Thread John McKinney
On Mon, 9 Jun 2003, Read, Jared wrote:
Jared,
I noticed the same problem over the week-end. I commented out that 
dictionary, along with several others, in the main dictionary file. I was 
upgrading from 0.8.1, I think. It was also on a RH 7.3 
system. Seems to be doing fine now. 

John
  
 
 
  
 I have installed the latest CVS and I get this error every time I run
 check-radiusd-config: 
 Errors reading
 dictionary:dict_init:/usr/local/etc/raddb/dictionary.usr[55] invalid
 keyword ATTRIB_NMC.
 
 It just doesn't like the USR dictionary. Can I configure so as not to
 use just the USR dict. or do I have to configure to not use any
 dictionaries?
 
 This is installed on a RedHat 7.3 system.
 
 Thanks in advance.
 Jared
 
 
 




Re: accounting file

2003-06-06 Thread John M. Luker

Hugo,
I don't know for sure, but I think it's hermetically sealed in a
mayonnaise jar on Funk & Wagner's doorstep since Noon today... no one
knows the contents of that envelope. <grin>
Sorry, I couldn't help it... it's over 90 here in Portland today and we're
all a little giddy. J.

At 04:04 PM 6/5/03, you wrote:
Can someone tell me where freeradius keeps the accounting data.

Thanks in advance

Hugo 

John M. Luker
www.flexpop.net




Re: accounting file

2003-06-06 Thread John M. Luker

Sorry, that should have been Funk & Wagnalls. Am fining
myself $5 for making stupid error while trying to be a smarta**. All
fines are donated to The Leukemia & Lymphoma Society (seriously). J.

At 04:25 PM 6/5/03, you wrote:
Hugo,
I don't know for sure, but I think it's hermetically sealed in a
mayonnaise jar on Funk & Wagner's doorstep since Noon today... no one
knows the contents of that envelope. <grin>
Sorry, I couldn't help it... it's over 90 here in Portland today and we're
all a little giddy. J.
At 04:04 PM 6/5/03, you wrote:
Can someone tell me where freeradius keeps the accounting data.

Thanks in advance

Hugo 

John M. Luker
www.flexpop.net



Re: Problem in starting radius with sqlcounter

2003-03-15 Thread john zurowski
You mention you added sqlcounter.conf to radius.conf

did you add it like this :

modules {
    ... all the other modules ...
    $INCLUDE  ${confdir}/sqlcounter.conf
}
This configuration works for me.

From: Eric [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Problem in starting radius with sqlcounter
Date: Sat, 15 Mar 2003 16:50:15 +0500
I compiled freeradius-snapshot-2003-03-13 with experimental modules 
support.
I created a sqlcounter.conf file and included it in radiusd.conf

#sqlcounter.conf
noresetcounter {
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}
dailycounter {
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    sqlmod-inst = sqlcca3
    key = User-Name
    reset = daily
    query = "SELECT SUM(AcctSessionTime - MAX((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
monthlycounter {
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    sqlmod-inst = sqlcca3
    key = User-Name
    reset = monthly
    query = "SELECT SUM(AcctSessionTime - MAX((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
weeklycounter {
    counter-name = Weekly-Session-Time
    check-name = Max-Weekly-Session
    sqlmod-inst = sqlcca3
    key = User-Name
    reset = 1w
    query = "SELECT SUM(AcctSessionTime - MAX((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
alltimecounter {
    counter-name = All-Time
    check-name = Max-All-Time
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT UNIX_TIMESTAMP() - MIN(UNIX_TIMESTAMP(AcctStartTime)) FROM radacct WHERE UserName='%{%k}'"
}
octetcounter {
    counter-name = Max-User-Octets
    check-name = Max-Octets
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctOutputOctets) - SUM(AcctInputOctets) FROM radacct WHERE UserName='%{%k}'"
}
## authorize section of radiusd.conf ##

authorize {
    suffix
    sql
    files
    noresetcounter
    dailycounter
    monthlycounter
    weeklycounter
    alltimecounter
    octetcounter
}
radius debug
.
..
Module: Instantiated pap (pap)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/radius/users
 files: acctusersfile = /etc/radius/acct_users
 files: preproxy_usersfile = /etc/radius/preproxy_users
 files: compat = no
Module: Instantiated files (files)
radiusd.conf[1] Failed to link to module 'rlm_noresetcounter': file not 
found

why???





RE: PIX VPN Radius attributes

2003-03-04 Thread John Spanos
Jérôme,
  as far as I am aware this is not possible using a PIX with
certificates and vpngroups (my implementation).  If you find out otherwise I
would really appreciate it if you could forward any information.  I know
this definitely can't be done if you use vpngroups and certificates - any
solution will need to be without either certs (phase 1 authentication) or
vpngroups or both.  I would dearly love to be wrong if someone knows of a
way this can be done.

Regards,
John.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jerome
hebert
Sent: Wednesday, March 05, 2003 5:49 AM
To: [EMAIL PROTECTED]
Subject: PIX VPN Radius attributes


Hi,

On a Cisco PIX Firewall, I'm using the Cisco VPN client to provide VPN
access. Below is an extract of the configuration:

ip local pool vpnxpool 192.168.172.10-192.168.172.200
access-list vpn-access permit ip x.x.x.x x.x.x.x 192.168.172.0 255.255.255.0
vpngroup vpnx address-pool vpnxpool
vpngroup vpnx dns-server x.x.x.x
vpngroup vpnx wins-server x.x.x.x
vpngroup vpnx default-domain xx
vpngroup vpnx idle-time 1800
vpngroup vpnx password x
vpngroup vpnx split-tunnel vpn-access

I'm using Freeradius to authenticate the users.

Does anybody know how I can have FreeRadius return to the PIX the
following vpngroup attributes: address-pool, dns-server, wins-server,
default-domain, split-tunnel so that I can have different user
profiles in the same vpngroup?

What attributes should the Radius server return to the PIX?

What are the Radius attributes supported by the PIX ?

Regards,
Jérôme.








mysql authorization

2003-02-28 Thread John E Murphy
I am trying to use mysql to authorize users.  It seems that they are
authorized but never get through because the system looks at the /etc/passwd
file.  Attached is the -X output.

rad_recv: Access-Request packet from host 192.168.1.100:1880, id=17,
length=46
User-Name = fred33
User-Password = fred33
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module mschap returns notfound
rlm_realm: No '@' in User-Name = fred33, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
radius_xlat:  'fred33'
rlm_sql (sql): sql_set_user escaped user -- 'fred33'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'fred33' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'fred33' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'fred33' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = 'fred33' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module sql returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
  modcall[authenticate]: module unix returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 17 to 192.168.1.100:1880
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 17 with timestamp 3e5f2092
Nothing to do.  Sleeping until we see a request.


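The rejection in this post follows the same pattern as the MAC-authentication thread above, where Alan DeKok's reply points at the same debug lines. As an added example that is not code from either post, here is a small Python parser for this radiusd -X output that records what each module in authorize and authenticate returned and where the reject came from; SAMPLE_DEBUG is abridged from the output above, and the dictionary keys are my own.

```python
# Added example: parse radiusd -X output and explain an Access-Reject in
# terms of the modules that actually ran.  SAMPLE_DEBUG is abridged from the
# list post; the field names below are this example's own.
import re

MODCALL_RE = re.compile(r"modcall\[(\w+)\]: module (\S+) returns (\w+)")
USERS_RE = re.compile(r"users: Matched (\S+) at (\d+)")
AUTHTYPE_RE = re.compile(r"Found Auth-Type (\S+)")
AUTHFAIL_RE = re.compile(r"auth: Failed to validate the user")
REJECT_RE = re.compile(r"Sending Access-Reject of id (\d+)")


def parse_debug(text):
    """Walk the debug lines and collect the decision points."""
    trace = {
        "authorize": [],       # (module, rcode) in call order
        "authenticate": [],
        "users_match": None,   # (entry, line) reported by the files module
        "auth_type": None,
        "failed": False,
        "reject_id": None,
    }
    for line in text.splitlines():
        m = MODCALL_RE.search(line)
        if m:
            group, module, rcode = m.groups()
            trace.setdefault(group, []).append((module, rcode))
            continue
        m = USERS_RE.search(line)
        if m:
            trace["users_match"] = (m.group(1), int(m.group(2)))
            continue
        m = AUTHTYPE_RE.search(line)
        if m:
            trace["auth_type"] = m.group(1)
            continue
        if AUTHFAIL_RE.search(line):
            trace["failed"] = True
            continue
        m = REJECT_RE.search(line)
        if m:
            trace["reject_id"] = int(m.group(1))
    return trace


def diagnose(trace):
    """Name which authorize module matched an entry, what Auth-Type resulted,
    and which authenticate module produced the rejection."""
    rcodes = dict(trace["authorize"])
    module, rcode = trace["authenticate"][0] if trace["authenticate"] else (None, None)
    findings = {
        "auth_type": trace["auth_type"],
        "files_rcode": rcodes.get("files"),
        "sql_rcode": rcodes.get("sql"),
        "authenticate_module": module,
        "authenticate_rcode": rcode,
        "rejected": trace["failed"] or trace["reject_id"] is not None,
        "users_entry": None,
        "hint": None,
    }
    if trace["users_match"] and rcodes.get("files") == "ok":
        findings["users_entry"] = "%s at line %d" % trace["users_match"]
    if module == "unix" and rcode == "notfound":
        findings["hint"] = (
            "Auth-Type %s handed the request to rlm_unix, which did not find "
            "the user in the system password database; the check items the "
            "sql module fetched were not what decided the result."
            % trace["auth_type"])
    return findings


SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.1.100:1880, id=17, length=46
User-Name = fred33
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module mschap returns notfound
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
  modcall[authorize]: module sql returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
  modcall[authenticate]: module unix returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Sending Access-Reject of id 17 to 192.168.1.100:1880
"""

if __name__ == "__main__":
    for key, value in diagnose(parse_debug(SAMPLE_DEBUG)).items():
        print("%-20s %s" % (key, value))
```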


Re: Expiration of prepaid cards

2003-02-21 Thread john zurowski

Hi Eric,

I'm not sure if this is what you're looking for or if it's the best way to 
do it but the following setup allows a user to authenticate for a 
predetermined time
from first usage. i.e. if I set the time period to be 24hrs then a scratch 
card is valid for 24hrs from first usage.

in radcheck mysql table

Max-All-Session := 86400

sqlcounter.conf contains:

sqlcounter noresetsqlcounter {
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT UNIX_TIMESTAMP()-UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName='%{%k}' ORDER BY AcctStartTime LIMIT 1"
}


From: Eric [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Expiration of prepaid cards
Date: Fri, 21 Feb 2003 09:41:02 +0500

Hello,
I need to make special prepaid cards, which will expire after 2 month of
usage.
Can anyone to help me to write this module for sqlcounter?
Thanks!!!




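As an added example (not code from this post or the earlier sqlcounter thread), the counter queries posted in both threads re-implemented in Python over an in-memory radacct, so the arithmetic of the daily counter (clipping a session that straddles the reset) and of the prepaid-card age counter can be checked without MySQL. AcctRow, the sample rows, NOW, RESET_TS and the check-name Max-Card-Age are constructed for this example.

```python
# Added example: the sqlcounter queries from the two threads, evaluated over
# an in-memory radacct so the period arithmetic can be verified.  AcctRow,
# NOW, RESET_TS, SAMPLE_ROWS and the check-name "Max-Card-Age" are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AcctRow:
    username: str            # radacct.UserName
    acct_start_time: int     # UNIX_TIMESTAMP(AcctStartTime)
    acct_session_time: int   # AcctSessionTime, seconds


def daily_counter(rows, username, reset_ts):
    """reset = daily query: SUM(AcctSessionTime - MAX((%b - start), 0)) over
    sessions with start + AcctSessionTime > %b, where %b is the beginning of
    the current reset period.  A session that began before the reset only
    contributes the seconds after it; the MAX((...), 0) clip is max() here."""
    total = 0
    for r in rows:
        if r.username != username:
            continue
        if r.acct_start_time + r.acct_session_time <= reset_ts:
            continue  # ended before the reset: belongs to the previous period
        total += r.acct_session_time - max(reset_ts - r.acct_start_time, 0)
    return total


def noreset_counter(rows, username):
    """reset = never query from the first thread: SUM(AcctSessionTime)."""
    return sum(r.acct_session_time for r in rows if r.username == username)


def first_use_counter(rows, username, now):
    """Prepaid-card query: UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime)
    of the earliest session (ORDER BY AcctStartTime LIMIT 1), i.e. seconds
    since the card was first used.  Assumption: no rows means unused -> 0."""
    starts = [r.acct_start_time for r in rows if r.username == username]
    return now - min(starts) if starts else 0


def evaluate(rows, username, limits, reset_ts, now):
    """Apply check items the way sqlcounter does: reject once the counter has
    reached the limit, otherwise the remaining seconds are what sqlcounter
    would return as Session-Timeout.  'limits' maps a check-name to the value
    stored for the user in radcheck (e.g. Max-All-Session := 86400)."""
    counters = {
        "Max-Daily-Session": daily_counter(rows, username, reset_ts),
        "Max-All-Session": noreset_counter(rows, username),
        # hypothetical check-name for the card-expiry counter (the post reuses
        # Max-All-Session for it; a distinct name keeps the two apart here)
        "Max-Card-Age": first_use_counter(rows, username, now),
    }
    verdict = {}
    for name, limit in limits.items():
        used = counters[name]
        verdict[name] = {
            "used": used,
            "limit": limit,
            "allowed": used < limit,
            "session_timeout": max(limit - used, 0),
        }
    return verdict


# Constructed sample data: NOW is three hours into the day, so the daily
# reset (%b) was 3 h ago.
NOW = 1_046_000_000
RESET_TS = NOW - 3 * 3600
SAMPLE_ROWS = [
    # finished yesterday: counts for the never-reset total, not for today
    AcctRow("card0001", RESET_TS - 20_000, 1_000),
    # started 2 h before the reset and ran 3 h: only 1 h falls in today
    AcctRow("card0001", RESET_TS - 7_200, 10_800),
    # entirely inside today
    AcctRow("card0001", RESET_TS + 1_800, 900),
    # another user, must not be counted
    AcctRow("card0002", RESET_TS + 100, 50),
]

if __name__ == "__main__":
    limits = {"Max-Daily-Session": 3_600, "Max-Card-Age": 86_400}
    for name, v in evaluate(SAMPLE_ROWS, "card0001", limits, RESET_TS, NOW).items():
        print(name, v)
```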


RE: RADIUS response from incorrect interface

2003-02-10 Thread John Gruber
Is that prophecy or cynicism? Not that you're wrong... we'd ask for
that. <g>

John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Alan DeKok
Sent: Monday, February 10, 2003 3:35 AM
To: [EMAIL PROTECTED]
Subject: Re: RADIUS response from incorrect interface


Jason Haar [EMAIL PROTECTED] wrote:
 On Sat, Feb 08, 2003 at 01:47:28PM +, Miquel van Smoorenburg wrote:
 [...stuff on how complex it is to bind to 1 interface deleted]

 Why not just run two instances of radiusd - one on each address? They can
 point to the same auth system - just the logfiles have to be different...

  I can understand people wanting the *same* radius server to listen
on 2 interfaces, and respond correctly from those interfaces.  Running
one server which listens on 2 interfaces is a reasonable solution.

  If that's implemented, then I'll bet the next request will be for
the ability to run one server, which does different things, based on
which interface received the request.  The response to that will be
NO.

  Alan DeKok.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Invalid reply digest error

2003-02-07 Thread John Horne
On 04-Feb-2003 at 16:30:36 Alan DeKok wrote:
 John Horne [EMAIL PROTECTED] wrote:
 By stopping radius on one server I can see (using radiusd -xx) that the
 users are being authenticated on the other server and that a reply is
 being sent back. However on the local server the log file is showing
 
   Feb  4 18:42:51 fred pppd[1784]: rc_send_server: no reply from RADIUS
   server localhost:1812
   Feb  4 18:42:51 fred pppd[1784]: rc_check_reply: received invalid
   reply digest from RADIUS server
 
   Your shared secret is wrong.  There really isn't much else.
 
Doh!! Silly me :-)

The pppd radius plugin has a 'servers' file which specifies which radius
servers, and their shared secret, to contact. Freeradius has the
'clients.conf' file to specify who can contact the local server and the
secret to be used. I was mis-reading the clients.conf file as a sort of
servers file and hence had the wrong secrets for the wrong servers (they
were all the wrong way round).

Easy to fix; silly mistake; very happy it's all working now and I can relax
over the weekend :-)



Thanks,

John.


John Horne, University of Plymouth, UK   Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
PGP key available from public key servers

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
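The "invalid reply digest" in this thread is the NAS-side Response Authenticator check from RFC 2865 section 3 failing because the two ends hold different secrets. As an added example (not code from the list or from pppd's radiusclient), here is that check, with a server-side builder so the mismatch can be reproduced offline; the secrets and the Request Authenticator are constructed values.

```python
# Added example, not code from the list or from pppd's radiusclient: the
# Response Authenticator check from RFC 2865 section 3 that produces the
# "invalid reply digest" message. The NAS side recomputes
#   MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
# over the reply and compares it with the 16 bytes the server sent; a
# wrong shared secret on either side makes the two digests differ even
# though the reply itself arrived fine. Secret and authenticator values
# below are constructed for the example.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
REPLY_MESSAGE = 18   # attribute type


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: build a reply carrying a valid Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def check_reply(packet, request_auth, secret):
    """Client side (what rc_check_reply does): True only if the digest matches our secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    # Constant-time compare so timing does not leak how many digest bytes matched.
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    """Same reply checked with the right secret, a wrong secret, and after tampering."""
    request_auth = bytes(range(16))                       # constructed Request Authenticator
    packet = build_reply(ACCESS_ACCEPT, 7, request_auth,
                         attribute(REPLY_MESSAGE, b"Welcome"), b"fred")
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])   # flip one attribute byte
    return (check_reply(packet, request_auth, b"fred"),
            check_reply(packet, request_auth, b"freda"),
            check_reply(tampered, request_auth, b"fred"))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```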



RE: RADIUS response from incorrect interface

2003-02-07 Thread John Gruber
I had the same problem earlier this year. I have failover virtual addresses
on n-servers.  In my failover scripts I start the radiusd process. The
radiusd process only runs on the current production server at any given
time. I stopped trying to have radiusd bound to * in the config.  It just
doesn't work - or at least does not guarantee that you get your reply back
from the interface you expect.

All my radius processes work with AUTH and ACCT tables on replicated
databases anyway. My radiusd are cheap frontend processors to back end
systems. With the cost of sparc5s on ebay these days.. it has not been hard
to find cheap reliable hardware that you can use for both load balancing and
redundancy yourself. 

But bind on * should work too.. and the reply should come from the address
for the interface the request was sent to. It just doesn't, and I did not
have the time at the time to see why in the code.  I just smiled and
restarted the radiusd process in the failover scripts.

John



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Paul Jenner
Sent: Friday, February 07, 2003 10:34 AM
To: [EMAIL PROTECTED]
Subject: RE: RADIUS response from incorrect interface 


Hi all.

Thanks for so many replies so quickly. I totally take on board the
comments about UDP responses on the same IP not being trivial and
probably not being worth it to implement.

However it's worth pointing out for the record why it's useful here.

The situation here is that the RADIUS requests come from load-balanced
upstream telco proxies who require two IPs for the RADIUS servers for
both resilience and load-balancing. Normally these would be serviced by
two physical servers with two real IPs but, when one server is not
available, the other can take over by taking the IP as a virtual
interface.

There are a lot of arguments about whether this is a sensible thing to
do etc. however this is what I am trying to implement (and it works for
UDP DNS requests with ISC bind).

Thanks for all the help on this - I think for now I'll look for a
solution outside of the RADIUS software (translation on firewalls etc.
most likely) as this appears the correct place to do this kind of thing,

Paul

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


RE: I did Bizarre stuff with my pussy

2003-02-06 Thread John A. Hengstler
Great The spam has found the list

:)


John 
Hengstler

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of samantha
  Sent: Thursday, February 06, 2003 5:58 PM
  To: [EMAIL PROTECTED]
  Subject: I did Bizarre stuff with my pussy


Invalid reply digest error

2003-02-04 Thread John Horne
Hello,

I have two redhat 8 linux servers running freeradius 0.8.1, with pppd
(2.4.2b1) using the radius plugin. Each server is configured such that
if the local radius server fails then the other one is used by the
radius plugin.

By stopping radius on one server I can see (using radiusd -xx) that the
users are being authenticated on the other server and that a reply is
being sent back. However on the local server the log file is showing

  Feb  4 18:42:51 fred pppd[1784]: rc_send_server: no reply from RADIUS
  server localhost:1812
  Feb  4 18:42:51 fred pppd[1784]: rc_check_reply: received invalid
  reply digest from RADIUS server
  Feb  4 18:42:51 fred pppd[1784]: CHAP peer authentication failed for

Google has little about the 'invalid reply digest' but it seems to
generally be due to a mismatch in the shared secrets. I have, however,
checked and rechecked the secrets in the freeradius clients.conf file
and the pppd /etc/radiusclient/servers file. I have also completely
changed the secrets, for testing, to a simple name like 'fred'. Not too
much chance of getting it wrong :-) However, I still get the same error
message.

Anyone any thoughts about this, or what I can try next?


Thanks,

John.

-- 

John Horne, University of Plymouth, UK   Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
PGP key available from public key servers

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



limiting users to a time frame/window

2003-02-02 Thread john zurowski

Using Freeradius 0.8.1 with mySQL for auth+acct.

This might be more of a general radius question.

Is there a way to limit a user's account to a fixed period, i.e. 24hrs from 
first successful authentication request?

I'm trying to set up a demo environment that would allow a user to use a 
temporary account for a fixed time period, e.g. 24hr. Note: the clock should 
start ticking only once the 1st successful authentication takes place.

Any help/suggestions would be greatly appreciated

john Zurowski





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: limiting users to a time frame/window

2003-02-02 Thread john zurowski

Just to add:

The only method I can see is to launch an external-executable script/prog. 
(on authentication) to check if timeframe exceeded.

Just wondering if there's a tidier way ?


From: john zurowski [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: limiting users to a time frame/window
Date: Sun, 02 Feb 2003 17:06:27 +


Using Freeradius 0.8.1 with mySQL for auth+acct.

This might be more of a general radius question.

Is there a way to limit a user's account to a fixed period, i.e. 24hrs from 
first successful authentication request?

I'm trying to set up a demo environment that would allow a user to use a 
temporary account for a fixed time period, e.g. 24hr. Note: the clock should 
start ticking only once the 1st successful authentication takes place.

Any help/suggestions would be greatly appreciated

john Zurowski





- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: limiting users to a time frame/window

2003-02-02 Thread john zurowski

Thanks Alan

I should've been a bit more careful about reading the radiusd.conf.


From: Alan DeKok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: limiting users to a time frame/window
Date: Sun, 02 Feb 2003 09:20:37 -0500

john zurowski [EMAIL PROTECTED] wrote:
 The only method I can see is to launch an external-executable 
script/prog.
 (on authentication) to check if timeframe exceeded.

 Just wondering if there's a tidier way ?

  The counter module does exactly this.  Just tell it to never reset
the numbers.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
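Both this thread and the sqlcounter configuration quoted earlier on the page (the "Expiration of prepaid cards" reply) come down to the same thing: a counter that starts at the first AcctStartTime and is never reset. As an added example, not code from the list or from FreeRADIUS, here is a small model of that check run against an in-memory SQLite copy of radacct; the table rows, user names and the two-month limit are constructed, and MySQL's UNIX_TIMESTAMP() is replaced by SQLite's strftime('%s', ...).

```python
# Added example, not from the list posts: a model of what the sqlcounter
# configuration quoted on this page does. sqlcounter substitutes %{%k}
# with the User-Name, runs the query, reads back one integer and rejects
# the user once it reaches the Max-All-Session check value. With
# reset = never the counter is never zeroed, so the earliest
# AcctStartTime fixes the start of the window. "now" is passed in as a
# parameter so the result is reproducible.
import sqlite3

# Constructed sample accounting rows: (UserName, AcctStartTime, AcctSessionTime).
RADACCT_ROWS = [
    ("card123", "2003-02-10 08:15:00", 1800),   # a later session
    ("card123", "2003-02-01 10:00:00", 3600),   # the first login: starts the clock
    ("card999", "2003-02-20 12:00:00", 600),
]

# The query from the post, with UNIX_TIMESTAMP() swapped for strftime('%s', ?)
# and the %{%k} key passed as a bound parameter instead of being interpolated.
SECONDS_SINCE_FIRST_LOGIN = """
SELECT strftime('%s', ?) - strftime('%s', AcctStartTime)
  FROM radacct
 WHERE UserName = ?
 ORDER BY AcctStartTime
 LIMIT 1
"""

TWO_MONTHS = 60 * 24 * 3600   # Max-All-Session check value for a 2-month card


def build_db(rows):
    """In-memory radacct with only the columns the query touches."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct "
               "(UserName TEXT, AcctStartTime TEXT, AcctSessionTime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return db


def seconds_since_first_login(db, username, now):
    """Counter value the query yields, or None when the user has no accounting rows."""
    row = db.execute(SECONDS_SINCE_FIRST_LOGIN, (now, username)).fetchone()
    return None if row is None else int(row[0])


def check_max_all_session(db, username, now, max_all_session=TWO_MONTHS):
    """Mirror sqlcounter's decision: ('accept' | 'reject', counter, seconds_left)."""
    counter = seconds_since_first_login(db, username, now)
    if counter is None:
        # No accounting rows yet: the window has not started, so the card is usable.
        return "accept", 0, max_all_session
    if counter >= max_all_session:
        return "reject", counter, 0
    # sqlcounter also sets Session-Timeout to the remaining allowance.
    return "accept", counter, max_all_session - counter


if __name__ == "__main__":
    db = build_db(RADACCT_ROWS)
    for user, now in (("card123", "2003-02-21 10:00:00"),
                      ("card123", "2003-04-10 10:00:00"),
                      ("newcard", "2003-02-21 10:00:00")):
        print(user, now, check_max_all_session(db, user, now))
```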


Re: MS-MPPE-Enc/Types set by default in rlm_mschap?

2003-01-31 Thread John Horne
On 31-Jan-2003 at 16:06:22 3APA3A wrote:
 Can you send FreeRADIUS logs for the session which was started with MPPE
 but without MS-MPPE-Encryption-Policy/MS-MPPE-Encryption-Types?
 
Apologies, my mistake.

The users listed in the 'users' file DO have the MPPE encryption and types
keys added as the code indicates. The DEFAULT entry does not do mschap
authentication but goes off to the realms/proxy server stuff which is
configured to authenticate a user by using a Microsoft IAS server. It is
those entries which do not have the MPPE encryption/types added to the
reply. However that is expected since it is not the mschap module doing the
authentication.

Hence for it all to work nicely, specific users in the 'users' file do not
need to have the MPPE encryption/types added to their reply, but the DEFAULT
entry does.

Sorry for the hassle, but I'm glad the solution was nice and easy :-)



John.


John Horne, University of Plymouth, UK   Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
PGP key available from public key servers

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Problems building Freeradius with MySQL support

2003-01-28 Thread john zurowski

I've been using Freeradius with the users file without any problems for a 
while now.

I've decided to upgrade to using MySQL to maintain the users/accounting 
database

I've tried building freeradius using the following ./configure without any 
luck.


./configure --with-rlm-mysql-lib-dir=/usr/local/mysql/lib/
--with-rlm-mysql-include-dir=/usr/local/mysql/include/

and

./configure --with-mysql-lib-dir=/usr/local/mysql/lib/
--with-mysql-include-dir=/usr/local/mysql/include/

I'm using freeradius 0.8.1 & MySQL 3.23.54

after doing a make looking in :

src/modules/rlm_sql/drivers/rlm_sql_mysql

no object files are being generated although a Makefile is created

It would be greatly appreciated if someone could point me at a how-to to
resolve this issue. As I know that its something that I'm not doing right -
just can't figure out what it is.

Thanks in advance

---
John Zurowski





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems building Freeradius with MySQL support

2003-01-28 Thread john zurowski


Should have added

Building on PC under RedHat 7.3



From: john zurowski [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Problems building Freeradius with MySQL support
Date: Tue, 28 Jan 2003 11:06:03 +


I've been using Freeradius with the users file without any problems for a 
while now.

I've decided to upgrade to using MySQL to maintain the users/accounting 
database

I've tried building freeradius using the following ./configure without any 
luck.


./configure --with-rlm-mysql-lib-dir=/usr/local/mysql/lib/
--with-rlm-mysql-include-dir=/usr/local/mysql/include/

and

./configure --with-mysql-lib-dir=/usr/local/mysql/lib/
--with-mysql-include-dir=/usr/local/mysql/include/

I'm using freeradius 0.8.1 & MySQL 3.23.54

after doing a make looking in :

src/modules/rlm_sql/drivers/rlm_sql_mysql

no object files are being generated although a Makefile is created

It would be greatly appreciated if someone could point me at a how-to to
resolve this issue. As I know that its something that I'm not doing right -
just can't figure out what it is.

Thanks in advance

---
John Zurowski





- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems building Freeradius with MySQL support

2003-01-28 Thread john zurowski

Problem fixed

The original installation for mysql was from a binary tar ball. It worked 
fine once I'd followed the installation steps i.e. mysql would allow me to 
talk to the database. However this setup didn't build freeradius with the 
mysql extensions.

I subsequently downloaded the appropriate rpms for mySQL, installed them and 
then the freeradius ./configure worked fine.



John Zurowski - http://www.zurowski.btinternet.co.uk




From: Ossama Suleiman [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Problems building Freeradius with MySQL support
Date: Tue, 28 Jan 2003 13:26:57 +0200




---BeginMessage---




hi john,
"ABSOLUTELY MAKE SURE you have the mysql-devel (headers and libraries)
package installed with your MySQL, otherwise freeradius won't compile
with MySQL support properly. Many people seem to miss having this."

you can also check http://www.frontios.com/freeradius.html
great site, great help
hope that helps

Regards
Ossama

john zurowski wrote:
 
I've been using Freeradius with the users file without any problems for
a while now. 
  
I've decided to upgrade to using MySQL to maintain the users/accounting
database 
  
I've tried building freeradius using the following ./configure without
any luck. 
  
  
./configure --with-rlm-mysql-lib-dir=/usr/local/mysql/lib/ 
--with-rlm-mysql-include-dir=/usr/local/mysql/include/ 
  
and 
  
./configure --with-mysql-lib-dir=/usr/local/mysql/lib/ 
--with-mysql-include-dir=/usr/local/mysql/include/ 
  
I'm using freeradius 0.8.1 & MySQL 3.23.54 
  
after doing a "make" looking in : 
  
src/modules/rlm_sql/drivers/rlm_sql_mysql 
  
no object files are being generated although a Makefile is created 
  
It would be greatly appreciated if someone could point me at a how-to
to 
resolve this issue. As I know that its something that I'm not doing
right - 
just can't figure out what it is. 
  
Thanks in advance 
  
--- 
John Zurowski 
  
  
  
  
  
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html 
  
  





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

---End Message---


RE: X-Ascend Atributes?

2002-12-30 Thread John A. Hengstler
Woops,  I did miss that subtle X- in the dictionary  Fixed that.

Now to the variable...
If I use the %{Ascend-Disconnect-Cause:-X-Ascend-Disconnect-Cause}
method to insert the variable, it inserts X-Ascend-Disconnect-Cause as a
string into the table, not the actual contents of the variable, but if I
change it to %{X-Ascend-Disconnect-Cause} it inserts properly.

My only question here is, if there is a mixture of NASes (ie portmasters and
ciscos), the above statement would lose the good AcctTerminateCause
variables.   Is that correct???

Thanks for the simple assistance

John Hengstler





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Chris
Parker
Sent: Monday, December 30, 2002 9:21 AM
To: [EMAIL PROTECTED]
Subject: RE: X-Ascend Atributes?


At 09:10 AM 12/30/2002 -0800, John A. Hengstler wrote:
I can live with that for the connect start/stop information, but what about
the acctterminatecause line.

Isn't radius supposed to translate the codes from the dictionary files to
the actual string?

Example,
X-Ascend-Disconnect-Cause = 45
 should be translated to :
VALUE   Ascend-Disconnect-Cause PPP-Rcv-Terminate-Req   45

No.  Note the subtle difference in the entries.  One is Ascend-*, the other
is X-Ascend-*.

If you want it to translate the numerical value into a string, you'll
need to duplicate the 'Ascend-*' 'VALUE' entries for 'X-Ascend-*'.

So what variable would I change in sql.conf to have this inserted to
acctterminatecause?

The current query looks something like:

AcctStopQuery = "Insert into foo ( bar, baz )
  values ( '%{User-Name}', '%{Ascend-Disconnect-Cause}' )"

If you want to have it log other values you may need to add them like this:

AcctStopQuery = "Insert into foo ( bar, baz )
  values ( '%{User-Name}',
  '%{Ascend-Disconnect-Cause:-X-Ascend-Disconnect-Cause}' )"

to get it to use 'Ascend-Disconnect-Cause' value to insert, or if it doesn't
exist, to try to use the 'X-Ascend-Disconnect-Cause' value to insert.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: X-Ascend Atributes?

2002-12-30 Thread John A. Hengstler
Chris,  thanks.  I relooked at that after I sent the email.

All is well

Thanks for the help..


John Hengstler

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Chris
Parker
Sent: Monday, December 30, 2002 9:54 AM
To: [EMAIL PROTECTED]
Subject: RE: X-Ascend Atributes?


At 09:48 AM 12/30/2002 -0800, John A. Hengstler wrote:
Woops,  I did miss that subtle X- in the dictionary  Fixed that.

Now to the variable...
If I use the %{Ascend-Disconnect-Cause:-X-Ascend-Disconnect-Cause}
method to insert the variable, it inserts X-Ascend-Disconnect-Cause as a
string into the table, not the actual contents of the variable, but if I
change it to %{X-Ascend-Disconnect-Cause} it inserts properly.

Yup, my bad.  See 'doc/variables.txt' for a better explanation of how
to do conditional syntax translation for your SQL inserts.

You would need to actually do:

%{Ascend-Disconnect-Cause:-%{X-Ascend-Disconnect-Cause}}

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
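The difference between the two xlat forms in this thread is easiest to see by running them. The following is an added example, not FreeRADIUS code: a deliberately small model of the `%{Attr:-default}` expansion described in doc/variables.txt, with the attribute values constructed from the stop record posted earlier in the thread.

```python
# Added example, not FreeRADIUS code: a small model of the %{Attr:-default}
# expansion from doc/variables.txt, enough to show why
# %{Ascend-Disconnect-Cause:-X-Ascend-Disconnect-Cause} inserts a literal
# string and %{Ascend-Disconnect-Cause:-%{X-Ascend-Disconnect-Cause}}
# inserts the attribute value. Only the default text is expanded again;
# a missing attribute with no default expands to the empty string.
# The attribute dictionaries below are constructed.


def _closing_brace(template, start):
    """Index of the '}' matching the '%{' that opened just before `start`."""
    depth, i = 1, start
    while i < len(template):
        if template.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if template[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unterminated %{ in " + template)


def xlat(template, attrs):
    """Expand every %{...} in template using attrs (attribute name -> value)."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _closing_brace(template, i + 2)
            out.append(_expand(template[i + 2:end], attrs))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _expand(body, attrs):
    name, has_default, default = body.partition(":-")
    if name in attrs:
        return str(attrs[name])
    # Only the default is expanded again, so %{A:-X-B} yields the literal
    # "X-B" while %{A:-%{X-B}} yields the value of X-B.
    return xlat(default, attrs) if has_default else ""


# Constructed stop record from a NAS that only sends the X-Ascend-* form
# (the value 45 is the one in the detail log posted in this thread).
ASCEND_STOP = {"User-Name": "jdoe", "X-Ascend-Disconnect-Cause": 45}
# Constructed stop record from a NAS whose dictionary uses the Ascend-* form.
PLAIN_STOP = {"User-Name": "jdoe", "Ascend-Disconnect-Cause": "PPP-Rcv-Terminate-Req"}

WRONG = "%{Ascend-Disconnect-Cause:-X-Ascend-Disconnect-Cause}"
RIGHT = "%{Ascend-Disconnect-Cause:-%{X-Ascend-Disconnect-Cause}}"

if __name__ == "__main__":
    print(repr(xlat(WRONG, ASCEND_STOP)))   # 'X-Ascend-Disconnect-Cause'
    print(repr(xlat(RIGHT, ASCEND_STOP)))   # '45'
    print(repr(xlat(RIGHT, PLAIN_STOP)))    # 'PPP-Rcv-Terminate-Req'
```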



X-Ascend Atributes?

2002-12-29 Thread John A. Hengstler



Hello,

We use 2 different wholesale Dial ISP's that do pass-thru
authentication/accounting with our radius server.

Both companies are using cisco equipment.

Everything seems to work well, except the following:

The connection attributes are not getting inserted into our mysql tables
with the rest of the info, ie, the "connectinfo_start", "connectinfo_stop",
"acctterminatecause"

The following is a STOP detail from the detail log:

	NAS-Port = 1458
	NAS-Port-Type = Async
	Called-Station-Id = "3608382437"
	Calling-Station-Id = "3608353229"
	Acct-Status-Type = Stop
	Acct-Authentic = RADIUS
	Service-Type = Framed-User
	Acct-Session-Id = "0002BDAF"
	Framed-Protocol = PPP
	Framed-IP-Address = 209.63.4.246
	X-Ascend-PreSession-Time = 21
	X-Ascend-Pre-Input-Octets = 125
	X-Ascend-Pre-Output-Octets = 111
	X-Ascend-Pre-Input-Packets = 5
	X-Ascend-Pre-Output-Packets = 5
	Acct-Input-Octets = 183894
	Acct-Output-Octets = 10389406
	Acct-Input-Packets = 1
	Acct-Output-Packets = 19176
	Acct-Session-Time = 3723
	X-Ascend-Disconnect-Cause = 45
	X-Ascend-Data-Rate = 28800
	X-Ascend-Xmit-Rate = 33600
	Acct-Delay-Time = 0



I see the "X-Ascend" codes, but they aren't getting translated properly?
What can I do to have this inserted properly? All of the dictionary files
are current including the cisco and ascend files. All other columns in the
tables are being translated properly...

Regards,

John Hengstler



RE: installing radius

2002-12-26 Thread John A. Hengstler


I emailed him a couple weeks ago (the maintainer), and haven't received a
response yet.

Regards

John Hengstler

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Vitaliy Karlov
Sent: Thursday, December 26, 2002 10:22 PM
To: [EMAIL PROTECTED]
Subject: Re: installing radius


On Fri, Dec 27, 2002 at 04:18:16PM -0800, Matt Peterson wrote:
 Since you're using FreeBSD, its easier to use the ports collection..

 cd /usr/ports/net/freeradius
 make install

Now in ports still Version of FreeRadius is 7.0...
Maintainer:
MAINTAINER= [EMAIL PROTECTED]

May be anybody know why?

--
WBR, Vitaliy Karlov [KV1670-RIPE]

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: usage.cgi problems

2002-12-09 Thread John Gruber
Hello,

From what I read in the proxy file, after the huntgroups file is processed..
it's off to the realm for proxy.

Here is my issue.  Today I have freeradius .8 allowing certain NPANXX from
the Calling-Station-ID Attribute when you come from a tollfree number.

ie:


DEFAULT Called-Station-ID =~ "800|888|866", Calling-Station-ID =~ "NPANXX"
	Fall-Through = No

This works great. We are being merged into another Radius implementation
that does not have the ability to filter on Calling-Station-ID.

I would like to frontend the lesser implementation with freeradius such
that I can filter the Calling-Station-ID as before (to reject any NPANXX not
on the list) and then after processing the user file proceed to proxy (based
on realm) to the lesser implementation.

Currently I :

authorize {
preprocess
files
sql
}

How do I replace sql with the proxy process? Can I do that?

Thanks,

John


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Looking for dictionary files for mobile VSAs

2002-12-05 Thread John Padula

   Is there a RADIUS client which uses 3GPP VSA's?

The devices that handle wireless access to the 
IP world (SGSNs and GGSNs) advertise these VSAs.
The 'vendor' is actually 3GPP (id=10415) or
cdma2000 (id=5535).

For 3GPP, see Appendices in:

ftp://ftp.3gpp.org/specs/2002-06/R1999/29_series/29061-3a0.zip.


Regards,
JP



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Decrypting chap passwords

2002-12-04 Thread john babiarz
Does anyone have a code fragment to decrypt a chap
password? I need to take the password in plain text,
after pulling it from authreq->strvalue to a private
routine. 

john

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
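A CHAP-Password cannot be turned back into the plain-text password: per RFC 2865 section 5.3 the attribute is the CHAP Ident followed by MD5(Ident + password + challenge), and the server verifies it by recomputing that digest from the password it already stores. As an added example (not list code, and not rlm_chap itself), here is that verification, including the rule that the challenge is the CHAP-Challenge attribute or, if none was sent, the Request Authenticator; the Ident, password and authenticator values are constructed.

```python
# Added example, not list code: how CHAP is actually checked. The
# CHAP-Password attribute (RFC 2865 section 5.3) carries the CHAP Ident
# followed by MD5(Ident + cleartext password + challenge); the challenge
# is the CHAP-Challenge attribute or, if absent, the Request Authenticator.
# MD5 cannot be reversed, so a module that wants to use the password
# must itself know the cleartext and compare digests, as rlm_chap does.
# Values below are constructed.
import hashlib
import hmac


def chap_response(ident, cleartext_password, challenge):
    """What the PPP client computes and the NAS forwards as CHAP-Password."""
    ident_byte = bytes([ident])
    return ident_byte + hashlib.md5(ident_byte + cleartext_password + challenge).digest()


def chap_challenge(chap_challenge_attr, request_authenticator):
    """Pick the challenge the way RFC 2865 says: attribute first, else Request Authenticator."""
    return chap_challenge_attr if chap_challenge_attr else request_authenticator


def chap_verify(chap_password_attr, challenge, cleartext_password):
    """Server side: True only if the stored cleartext reproduces the client's digest."""
    if len(chap_password_attr) != 17:
        return False  # 1 byte Ident + 16 byte MD5; anything else is malformed
    ident = chap_password_attr[0]
    expected = chap_response(ident, cleartext_password, challenge)
    # Constant-time compare: do not leak how many digest bytes matched.
    return hmac.compare_digest(expected, chap_password_attr)


def demo():
    """Right password, wrong password, and right password against the wrong challenge."""
    request_auth = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    challenge = chap_challenge(b"", request_auth)  # no CHAP-Challenge attribute sent
    attr = chap_response(0x2A, b"s3cret", challenge)
    return (chap_verify(attr, challenge, b"s3cret"),
            chap_verify(attr, challenge, b"wrong"),
            chap_verify(attr, bytes(16), b"s3cret"))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```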



Looking for dictionary files for mobile VSAs

2002-12-04 Thread John Padula
Hi:

I've been looking for dictionary files for 3GPP and CDMA-related VSAs.

I've searched over the web and at their sites and have been unable to find them.

Just wondering if these exist or if I need to piece them
together from their specs and submit a home-grown version.

Thanks for any info,
JohnP


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



re: fr 0.7 openldap 2.1.4

2002-10-22 Thread John Hogenmiller
Hello,

I thought I'd follow up on this in case it helps anyone.

Basically the problem I saw is that at some point, openldap disabled
--enable-crypt as a default option (or else I had somehow enabled it in
the past without realizing it).  When freeradius went to compare the
password, it was comparing the encrypted form against the plain text.

Cheers,
John


On Thu, 19 Sep 2002, John wrote:

 Hi,

 I think there may have been some similar questions posted a few months
 back, but can't find them currently.

 I recently upgraded from openldap 2.0.5 to 2.1.4.   Upon doing that, when
 fr 0.7 goes to authenticate a user, it fails with bind as user failed
 (user/pass error).  Things like attribute denies access still work as
 before, so fr 0.7 is at least able to query ldap.

 If anyone knows the answer to this, or can point me at previous postings,
 it would be greatly appreciated.

 Cheers,
 John

 ---
 John Hogenmiller, kb3dfz
 Network Engineer
 Pennswoods.net
 877.716.2002 x 529





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Help required for EAP

2002-10-21 Thread john zurowski

I'm trying to use Freeradius with a 3com 802.11 Lan AP (8000).
It supports EAP-MD5 which is the authentication method I'm attempting to use.
However it fails when attempting to authenticate the user. Has anyone used
EAP-MD5 with 802.11 AP and Freeradius ?
Thanks in advance





John Zurowski





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


fr 0.7 openldap 2.1.4

2002-09-19 Thread John

Hi,

I think there may have been some similar questions posted a few months
back, but can't find them currently.

I recently upgraded from openldap 2.0.5 to 2.1.4.   Upon doing that, when
fr 0.7 goes to authenticate a user, it fails with bind as user failed
(user/pass error).  Things like attribute denies access still work as
before, so fr 0.7 is at least able to query ldap.

If anyone knows the answer to this, or can point me at previous postings,
it would be greatly appreciated.

Cheers,
John

---
John Hogenmiller, kb3dfz
Network Engineer
Pennswoods.net
877.716.2002 x 529




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



fr 0.7 -- LDAP_OPT_X_TLS

2002-09-12 Thread John

The logs kept annoying me, so I went and searched through the source 
code, and LDAP_OPT_X_TLS is not defined by start_tls, but rather by 
tls_mode, which is not currently a configurable option.  It looks like rlm_ldap will 
attempt to use LDAPS every time.

Rather than defining tls_mode as no, I added a line to my copy of 0.7 (not a cvs 
release) that will allow me to configure this.

Since it's only one line, I'm not going to create a patch for it.

In rlm_ldap.c, go to line 202 where it reads:

static CONF_PARSER module_config[] = {

add this line somewhere in between the brackets (I placed mine at line 214, right 
above start_tls).

	{"tls_mode", PW_TYPE_BOOLEAN, offsetof(ldap_instance,tls_mode), NULL, "no"},

Compile and install that module (or do the whole distro if you wish).

This adds the following option to your rlm_ldap section of radiusd.conf:

	tls_mode = no	# defaults to no

Works like a champ!

Cheers,
John



John [EMAIL PROTECTED] wrote:
 Tue Aug  6 10:55:57 2002 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS
 option Success

 The only setting in radiusd.conf that seems to pertain to this is
 start_tls, which I have set to no.

 I did a grep for LDAP_OPT_X_TLS in * of the doc and the raddb directory, with
 no results, and haven't found anything on the mailing list as of yet.

  Did you try looking at the source of the LDAP module?   It looks to me like the 
LDAP module is setting TLS mode, even if the config file says to not use TLS.
For your purposes, you can ignore this message.

  Alan DeKok.

-- 
John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
877.716.2002 ext 529
---
I ring my temp to see how he's doing in my absence. The phone rings about 50 
times before finally being diverted to talking clock. At least I know he's read my 
Site Management Bible...

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Hand out a gateway with IP address

2002-09-08 Thread John Adams

OK, I admit it, I had not RTFM (read the flipping manual). The NAS box in 
question seems very good (Cyclades PR4000); however Cyros, its internal 
router operating system, does not support the framed-route command.

I shall tell them they should; it looks like we will have to purchase 
some different external routers as a work-around.

Thanks for your help.


Joe Lewis wrote:

 I think you understand the system as well as I do. Is this proxy on 
 your system, or is it on the NAS client? If the client is also 
 providing the proxy, you may need to ensure that the client is 
 accepting the information, and that it is being provided.

 If you are using the configuration file, another suggestion would be 
 to make sure that the value is enclosed in quotes, so that the 
 assigned IP is included as part of the string. (Of course, you've 
 already made sure of that, so why do I bother?)

 Another option is : start digging on the network, listening for 
 packets. Look for the routing packets, just to see if the information 
 is getting sent.

 Joe

 John Adams wrote:

 Hi

 I have been a little more sensible and have looked at the RFC I wish 
 the framed route to be something like this

 212.60.76.0/24 212.60.76.11 0

 The first section is the subnet to route to the second is the gateway 
 I want the dial up PC to work through (My Squid Cache) And I do not 
 understand the last bit the metric so I have tried it with 0 or 1.

 My problem now is that when I set these for a test users the dial up 
 will not authenticate, where as it does when the user does not have 
 these in their config.

 Do I need this in Reply and Check or just one?

 John

 Joe Lewis wrote:

 John;

 I never saw a response. Most people use the term gateway and 
 router interchangeably. This will be the correct assumption, here. 
 Setting the Framed-Route should properly set the gateway or the 
 router. Documentation says that if the Framed-Route is 0.0.0.0 the 
 gateway should be the PC's own IP address. Hope it helps.

 Joe


 John Adams wrote:
  Hi
 
  I have bought a load of kit from the UK to a mid-African country which
  has 2 existing ISPs each with 128k and I am helping someone set up a
  third with their own 128k.
 
  We have made the radius work to authenticate a single 60 Modem Cyclades
  PR4000 NAS however I chose the option of an X21 card on this box and it
  makes it difficult to make the authenticated users get a gateway other
  than the IP assigned. I want to assign a transparent proxy as the gateway.
 
  My reading of the FAQ suggests that it is possible to assign IP address
  using the framed-IP-address and framed-route.
 
  Do I understand this right: if I put a default framed-route this will
  provide the gateway for the authenticated users.
 
  Please excuse if I am not asking a sensible question here.
 
  However I was due to fly out today (missed that one). The people are
  nice but the insects are big so I want to go home one day.
 
 












- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
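The Framed-Route value discussed in this thread ("212.60.76.0/24 212.60.76.11 0") has a defined layout in RFC 2865 section 5.22: destination prefix, gateway, then one or more metrics, where a gateway of 0.0.0.0 means "via the user's own Framed-IP-Address". As an added example (not list code), here is a parser for that layout that handles the 0.0.0.0 case and the omitted-prefix-length case; the second sample route and the Framed-IP-Address are constructed. Framed-Route is a reply attribute, so it belongs in the reply items of a users entry, not the check items.

```python
# Added example, not list code: parse the Framed-Route reply attribute
# (RFC 2865 section 5.22) into the route the NAS should install. The value
# is "prefix gateway metric [metric...]". A gateway of 0.0.0.0 means
# "route via the user's own Framed-IP-Address", so that address must be
# supplied alongside. When the prefix length is omitted the RFC says to
# fall back to the address class (/8, /16 or /24). Sample values are
# constructed apart from the route quoted in the thread.
import ipaddress


def _classful_prefix_len(address):
    """Prefix length implied by the old address classes, for routes written without /len."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def parse_framed_route(value, framed_ip_address=None):
    """Return (destination network, gateway address, [metrics]) for one Framed-Route."""
    parts = value.split()
    if len(parts) < 2:
        raise ValueError("Framed-Route needs at least a prefix and a gateway: %r" % value)
    prefix = parts[0]
    if "/" not in prefix:
        prefix = "%s/%d" % (prefix, _classful_prefix_len(prefix))
    # strict=False masks off any host bits rather than rejecting the route.
    destination = ipaddress.ip_network(prefix, strict=False)
    gateway = ipaddress.ip_address(parts[1])
    if gateway == ipaddress.ip_address("0.0.0.0"):
        if framed_ip_address is None:
            raise ValueError("gateway 0.0.0.0 requires the Framed-IP-Address of the session")
        gateway = ipaddress.ip_address(framed_ip_address)
    metrics = [int(m) for m in parts[2:]]
    return destination, gateway, metrics


def route_summary(value, framed_ip_address=None):
    """Human-readable form, e.g. for checking a reply item before putting it in users."""
    destination, gateway, metrics = parse_framed_route(value, framed_ip_address)
    return "%s via %s metric %s" % (destination, gateway, " ".join(map(str, metrics)) or "-")


if __name__ == "__main__":
    print(route_summary("212.60.76.0/24 212.60.76.11 0"))
    print(route_summary("192.168.1.0 0.0.0.0 1", framed_ip_address="10.7.0.5"))   # constructed
```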



replicate-to-realm - freeRadius 0.7

2002-09-08 Thread Loh John Wu

Hello,

I've been having difficulty trying to replicate ALL incoming accounting
packets to another remote server.  I'm running version 0.7.

I basically want all incoming accounting packets (no care about which realm
it came from or even if it came from a specific realm)
to be replicated to another remote server (tpc-c3-27).  So following the
instructions from the acct_users file that describes the Replicate-To-Realm
attribute, I've made the following modifications to the config files.

acct_users file:

DEFAULT NAS-IP-Address == 10.129.3.103, Replicate-To-Realm := tpc-c3-27

realms file:

# Realm          Remote server [:port]     Options
#------          ---------------------     -------
#isp2.com        radius.isp2.com           nostrip
#company.com     radius.company.com:1600
#bla.com         LOCAL
#replicateme     radius2.company.com       notrealm
tpc-c3-27        10.129.3.102              notrealm

clients file:

# Client Name            Key
#-----------             ---
#portmaster1.isp.com     testing123
#portmaster2.isp.com     testing123
#proxyradius.isp2.com    TheirKey
#localhost               testing123
10.129.3.103             secret
tpc-c3-27                secret

naslist file:

# NAS Name               Short Name      Type
#--------                ----------      ----
#portmaster1.isp.com     pm1.NY          livingston
#portmaster2.isp.com     pm1.LA          livingston
10.129.3.103             tpc-c3-28       portslave
#localhost               local           portslave

I have proxying turned on in the radiusd.conf file (as default) and I'm
sending packets to the freeRadius server using radclient.

This is my radclient config file

NAS-IP-Address = 10.129.3.103, NAS-Port-Id = 210, NAS-Port-Type = ISDN,
User-Name = addlogin@realmname, Acct-Status-Type = Start, Acct-Authentic = RADIUS,
Service-Type = Framed-User, Acct-Session-Id = 00016F16, Framed-Protocol = PPP,
Framed-IP-Address = 216.75.171.100

I'm thinking my above configuration *should* work and replicate the
accounting packet I'm sending with radclient to the remote server
tpc-c3-27.
I do get a response from the 1st radius server when I send the packet out
with radclient, but I don't see the packet at the remote server.
Basically, I'm running radclient on machine 10.129.3.103 and sending it to
my radius server on 10.128.2.53 which I want to replicate the packet to
machine tpc-c3-27=10.129.3.102.  However, it only seems that the packet
gets processed at 10.128.2.53 and is never replicated to 10.129.3.102 and I
see no errors (none that I can distinguish as a replication/proxy error) in
the log files.

any help would be greatly appreciated,
thanks,
John


echoing RADIUS accounting requests to another ip/port

2002-09-06 Thread Loh John Wu

Hello,

I've been reading through some docs on freeRadius but I can't seem to find
an answer to my question.
I was just wondering if there was a mode/way that the freeRadius accounting
server could echo packets to another ip/port (on the same machine or another
machine). I know you can configure freeRadius to be in proxy mode but I
actually want the freeRadius server to reply to the accounting-request packets
(so it is handling the requests normally) AND echo out the accounting-request
packets to another ip/port.

Is this possible without code modifications but just configuration settings?

Is it possible with minor code modifications to echo out the packets
received?

thanks in advance,
John



Replicate-To-Realm - does remote server that gets replicated data need to reply?

2002-09-06 Thread Loh John Wu

 Hello,
 
 From my readings, I think there are two UNIQUE ways to do accounting
 replication in freeRadius 0.7.  Correct me if I'm wrong, or if these two ways
 need to work in conjunction for replication to occur.
 
 1)  radrelay will replicate and send accounting info to another remote
 server but the remote server MUST reply to the accounting packets for
 radrelay to work properly.  Is that correct? What happens if the packet
 sent by radrelay is not ACK'd (i.e. no accounting response sent back),
 does it retry and what happens if nothing ever returns?
 
 2)  another method of replication is using the Replicate-To-Realm
 attribute in the acct_users file.  I can specify to replicate to a realm
 replicateme which can be found in the realms file as
 
 replicateme   192.168.1.1:100 notrealm
 
 Now, in this case, is the radius accounting server looking or waiting for a
 response from the remote server (192.168.1.1) that received the
 replicated packets (i.e. waiting for an accounting response
 packet to come back when an accounting request packet is sent?).  If so,
 what happens if the remote server never replies?  Also, if no response is
 required, then I guess the replication is a one-time forward and forget.
 Is that true?
 
 thanks,
 John


Hand out a gateway with IP address

2002-09-05 Thread John Adams

Hi

I have bought a load of kit from the UK to a mid-African country which 
has 2 existing ISPs each with 128k and I am helping someone set up a 
third with their own 128k.

We have made the radius work to authenticate a single 60-modem Cyclades 
PR4000 NAS; however I chose the option of an X21 card on this box and it 
makes it difficult to make the authenticated users get a gateway other 
than the IP assigned. I want to assign a transparent proxy as the gateway.

My reading of the FAQ suggests that it is possible to assign an IP address 
using the framed-IP-address and framed-route.

Do I understand this right: if I put a default framed-route, this will 
provide the gateway for the authenticated users?

Please excuse me if I am not asking a sensible question here.

However, I was due to fly out today (missed that one). The people are 
nice but the insects are big so I want to go home one day.

John



Re: Hand out a gateway with IP address

2002-09-05 Thread John Adams

Sorry, I meant a transparent cache using squid as the gateway.

John Adams wrote:

 Hi

 I have bought a load of kit from the UK to a mid-African country which 
 has 2 existing ISPs each with 128k and I am helping someone set up a 
 third with their own 128k.

 We have made the radius work to authenticate a single 60-modem 
 Cyclades PR4000 NAS; however I chose the option of an X21 card on this 
 box and it makes it difficult to make the authenticated users get a 
 gateway other than the IP assigned. I want to assign a transparent 
 proxy as the gateway.

 My reading of the FAQ suggests that it is possible to assign an IP 
 address using the framed-IP-address and framed-route.

 Do I understand this right: if I put a default framed-route, this will 
 provide the gateway for the authenticated users?

 Please excuse me if I am not asking a sensible question here.

 However, I was due to fly out today (missed that one). The people are 
 nice but the insects are big so I want to go home one day.

 John





RE: Severe Issues with Radius Authentication/MySQL

2002-09-05 Thread John Gruber

I can testify that it's not something deeper...or nothing we've seen.

Freeradius 0.7 (built from source) and MySQL 3.23.49 (stock Red Hat RPM)
under RedHat 7.3 (2.4.18-10 kernel). Running fine for multiple days. Last
rehup for clients file config change was a week ago.

John Gruber

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Joshua
Corbin
Sent: Thursday, September 05, 2002 7:04 PM
To: FreeRadius List
Subject: Severe Issues with Radius Authentication/MySQL


Greetings,

I am having severe problems with FreeRadius.  Am running Debian 3.0 w/
MySQL as the backend.  The problem is this:

Everything will be going along just fine, and then all of a sudden, the
Radius server starts telling everyone incorrect login, regardless.

The problem occurs sporadically; sometimes there won't be a hitch for 3
days, sometimes it won't last 8 hours.  We've been experiencing this
problem since we started out using FreeRadius and have tried various
things to fix it but to no avail.  I even turned on delayed
insert/update for SQL accounting, but that made no difference.  I have
looked back through the syslogs and mysql logs on both the radius server
and the mysql server, but see nothing out of the ordinary.  The only
symptom is that radius will no longer authenticate anyone, even though the
server itself keeps chugging along, not even a child exiting.

I strongly loathe having to cron a radius restart daily or a kill -HUP;
especially since I thought freeradius would not have the same annoyances
of, say, livingston radius.  Am I just missing something, or is there a
deeper problem here?

Regards,
Joshua Corbin
JDWEB Network Administrator





Re: Error: CHILD: exit on signal (11)

2002-08-27 Thread John

Just got back from a 2 week sabbatical, hoping to pick up where I left off.


John [EMAIL PROTECTED] wrote:
 After running flawlessly for a couple of weeks, suddenly and inexplicably, the
 radius server started spawning processes and reached the maximum default of 32
 (continued running), complained about unresponsive child processes, and then
 died with signal 11.

|That's most likely due to a back-end database locking, or a bug in
|the server.   I would suggest upgrading to 0.7, as it has more bug fixes.  Also,
|ensure that you've deleted all old 'rlm' modules from the system. 

The version I am running is 0.7 (I upgraded to .7 from .6 originally before writing 
into the list).  However, I wasn't sure if I had deleted the rlm modules, so I did 
that yesterday (actually, I did a fresh install), and the problem still persists.  I 
looked through the cvs logs and have not seen any work done to rlm_ldap, or at 
least nothing as far as bug fixes since 0.7.  Reading through the other replies, 
the symptoms are very similar to the ones seen by Todd Fries in:
http://lists.cistron.nl/archives/freeradius-users/2002/08/frm01266.html with the sql 
module.  

Any thoughts?
-- 
John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
877.716.2002 ext 529
---
Chris then consulted his Friend *snip*, a fellow co worker
and he to then thought of making this a success.


Authentication order and regular expressions.

2002-08-14 Thread John Gruber

Hello,

I have a goal of allowing access via the Called-Station-ID based on the
user's Group. I am currently using the sql (mysql) module for the Group
definition. In my radiusd.conf authorize section I have the sql listed
before files, i.e.:

sql
files

in my users file I have an entry that looks like:

DEFAULT Called-Station-ID =~ 800|888|866, Group == tollfree
Fall-Through = No

The intent is that anyone in the tollfree group according to the sql query
be allowed if they have a Called-Station-ID of 800 or 888 or 866.  How do I
get an attribute populated first by the SQL query that I can use in the
expression in the users file? I got the Group attribute from the old users
format; it does not work.

If there is a better way to do this... please let me know.

Thanks,

John Gruber



hostname lookups

2002-07-18 Thread John


Hello,

Is there any sort of fine control over how freeradius does hostname lookups?

In cistron, it didn't do hostname lookups and went off of the clients file.

This resulted in logs like this:
Thu Jul 18 11:50:37 2002: Auth: Login OK: [username] (from nas dbox/S164)

and a detail file like this:
/var/log/radacct/dbox/detail

With the framed-ip-address recorded in the detail file as such:
 Framed-Ip-Address = 192.168.0.123

 - - -

In freeradius, if I turn on hostname lookups, I get FQDNs in my radius.log, detail 
directories, and the detail file records the Framed-Ip-Address as
dialup123.domain.dom.   If I turn it off, everything is recorded by the ip address.  

Is there a method to make the hostname logging occur in the same manner that 
cistron 1.6.6 did (which appears to have solely used the configuration files)?

John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
877.716.2002 ext 529
---
A Hooloovoo is a super-intelligent shade of the colour blue.


Re: Installing Freeradius on Solaris 9 Box

2002-07-03 Thread John Benge


Rudy Leisering wrote:


 I'm ignorant when it comes to Unix and could use some help.

 I'm trying to get Freeradius version 0.5 installed. When I run the 
 ./configure I get several error messages that are meaningless to me 
 even after searching the documentation. (i.e.: Could not find CC). 
 Could someone please point me in the direction of the documentation 
 where I can figure out what I'm doing wrong? I suspect that I'm 
 missing something in the path, but don't know what.

 Thank you,

SNIP

Rudy, it sounds like you have some more fundamental issues with your 
solaris 9 install than any issues with Freeradius atm.  Seems like you 
need to get a compiler working properly and your paths set up first; 
I've emailed you directly with some pointers as Solaris support is out 
of the bounds of this newsgroup :)

Cheers

John

--
  oJohn Benge - Product Development
 o o   Email: [EMAIL PROTECTED]   Mobile: +44 7887796300  
thus[tm]   Fax: +44 870 051 9983Work: +44 208 371 3739





Re: RADIUS authorization based on group Memebership

2002-06-22 Thread John

 
  3. It is not possible to know exactly how many users can access a
 particular
  service. Like, if it was based on group or OU membership, a look at the
  dial-up group/OU will tell me just how many people can dial into the
  network. I can also find out who can dialup by looking at the group
  membership.
 

You can also do searches based on a specific attribute and get the same 
information, i.e. ldapsearch -P2 -x -b dc=base,dc=scope radiusDialupAccess=true 
dn
which would return a list of dns of users that have dialup access (depending on 
how you set up your directory).

 
  But it the current implementation, I have to check the attributes of each
  user to collect the necessary info.
 
  Has anybody done an implementation with authorisation based on group
  membership ?
 


I have setup and had working an implementation based on group membership.  
Multilink accounts, access denied/approved, notimeout, etc.  However, I found 
that configuration to be resource-intensive.  I created a test script that 
hammered the freeradius server and took my idle processor down below 30%.  The 
same server, same box, same test script, but with ldap attributes only takes 
the idle processor down to 60% at lowest.  I could provide you with example 
configs, but I think you'd be better off at a setup that takes 30% less cpu 
time.  


John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
877.716.2002 x 529
---
Anyone could say, What fantastic and expensive items you have! Oh, how I 
wish they were mine! But I have proven my sincerity by going that extra mile 
and actually robbing you blind.


ldap attributes (reject)

2002-06-18 Thread John

Hello,

I have a question which I'm sure has been answered many times in the list, but I 
have been unable to find it.

By default, users are authorized and authenticated through ldap.  I have a 
default profile that is used to provide the standard Reply-Items for radius.  
Therefore, the users need not be altered for authorization.

I want to be able to add an attribute to users who are denied dialup access.  I 
extended the supplied schema file slightly to include a radiusReplyItem attribute, 
and have added this attribute to the ldif:

radiusReplyItem: Auth-Type := Reject

in debug mode, freeradius reports:

Tue Jun 18 15:14:04 2002 : Debug: rlm_ldap: looking for reply items in directory...
Tue Jun 18 15:14:04 2002 : Debug: rlm_ldap: extracted attribute Auth-Type from 
generic item AuthType := Reject
Tue Jun 18 15:14:04 2002 : Debug: rlm_ldap: user johnroam authorized to use 
remote access

I've also setup Packet-Type := Access-Reject which also reported the same.

I'm guessing I'm actually barking up the wrong tree. Could someone point me 
back in the right direction, perhaps towards an example?

Also, one other thing I'll have to set up that I may need help on.  In our current 
setup, we go off of

DEFAULT Simultaneous-Use == 1, Called-Station-Id == 8146245132, Ldap-Group == tollfree
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Idle-Timeout = 900,
        Port-Limit = 1


Instead of a group, I'd like to use an attribute instead.

Cheers,
John


John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
877.716.2002 x 529
---
Anyone could say, What fantastic and expensive items you have! Oh, how I 
wish they were mine! But I have proven my sincerity by going that extra mile 
and actually robbing you blind.


failover on

2002-06-03 Thread John

Is there an option to have radius appear unavailable if the ldap server is 
unavailable?  If our ldap is unavailable, the radius server will no longer be able to 
successfully process authentication requests, and we'd like the NAS to believe 
radius is down and move on to the next one.

Cheers,
John

John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
877.716.2002 x 529
---
Anyone could say, What fantastic and expensive items you have! Oh, how I 
wish they were mine! But I have proven my sincerity by going that extra mile 
and actually robbing you blind.


Re: Fix for Exec-Program-Wait

2002-05-22 Thread John

Is this the problem that I have been seeing?  You mentioned Exec-Program-Wait 
in prior emails.  If so, I'll try this out tonight.

cheers,
john

Quoting Alan DeKok [EMAIL PROTECTED]:

   I've just committed a fix to the tree which should *hopefully* fix
 the problem with the server locking up, when using Exec-Program-Wait.
 
   If you're using Exec-Program-Wait, and are willing to test the CVS
 snapshot from tonight, please try it out, and report success/failure
 to the list.
 
   If this change doesn't solve the problem, then there's more work to
 do.  If it DOES solve the problem, then it would help enormously to
 know that.
 
   Alan DeKok.
 


John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
877.716.2002 x 529
---
Anyone could say, What fantastic and expensive items you have! Oh, how I 
wish they were mine! But I have proven my sincerity by going that extra mile 
and actually robbing you blind.


Re: LDAP Authentication based on more than just password

2002-05-21 Thread John Spanos

Hi,
I am a newbie setting up my first RADIUS Server. I have set up FreeRADIUS to
authenticate from LDAP. Everything is working well. The only problem is that the
NAS receives an Access-Accept packet regardless of the NAS-IP-Address stored in
the LDAP directory. My NAS-IP-Address is 192.168.10.2 and the value I have
stored for testing purposes under the NAS-IP-Address attribute is 10.10.10.10.
I am still authenticated even though the NAS-IP-Address is mismatched. I
have tried editing the dictionary file and changing NAS-IP-Address from
replyItem to checkItem but still no luck.

Any help would be much appreciated.

John Spanos.


freeradius

2002-05-20 Thread John

Hello,

I'm running freeradius-snapshot-20020516, which I have almost 100% working.  
radtest between the freeradius server and the cistron 1.6.6 look exactly the 
same, it handles higher loads, it does ldap lookups correctly, and doesn't seem 
to be crashing (With a full 5400 and 9 5300s, it held up quite well).

The problem we discovered during testing is that the NAS (which are cisco 5300 
and 5400 routers) are rejecting dial-up customers while freeradius is 
authenticating them. The customers are getting password authentication errors 
(windows 691).  Our radius logs show the users authenticating correctly, the nas 
rad st shows that it is receiving the packet back from radius, but the user still 
gets rejected.

---
rad-test against cistron:
Service-Type = Framed-User
Framed-Protocol = PPP
Port-Limit = 1
Idle-Timeout = 1800
---
rad-test against freeradius:
Service-Type = Framed-User
Framed-Protocol = PPP
Port-Limit = 1
Idle-Timeout = 1800
---

Once again, I beseech the help of the list.  In my mind, the problem is that the 
packet sent back is not in a form that the ciscos understand.  What should I be 
looking at next?  (I think when I'm done, I could probably write a document of my 
experiences. ;)

John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
877.716.2002 x 529
---
Wouldn't the sentence I want to put a hyphen between the words Fish
and And and And and Chips in my Fish-And-Chips sign have been clearer if
quotation marks had been placed before Fish, and between Fish and and, and
and and And, and And and and, and and and And, and And and and, and and 
and Chips, as well as after Chips?


radiusd timeouts

2002-05-13 Thread John
 : Debug: Going to the next request
Mon May 13 09:53:41 2002 : Debug: --- Walking the entire request list ---
Mon May 13 09:53:41 2002 : Debug: Waking up in 3 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:4774, id=106, length=58
Mon May 13 09:53:41 2002 : Info: Sending duplicate authentication reply to client 127.0.0.1:4774 - ID: 106
Sending Access-Accept of id 106 to 127.0.0.1
Mon May 13 09:53:41 2002 : Debug: rl_next:  returning NULL
Mon May 13 09:53:41 2002 : Debug: Waking up in 3 seconds...
Mon May 13 09:53:44 2002 : Debug: --- Walking the entire request list ---
Mon May 13 09:53:44 2002 : Debug: Cleaning up request 2 ID 106 with timestamp 3cdfc562
Mon May 13 09:53:44 2002 : Debug: Nothing to do.  Sleeping until we see a request.

John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
1(877)897-4883 x 592
---
Wouldn't the sentence I want to put a hyphen between the words Fish
and And and And and Chips in my Fish-And-Chips sign have been clearer if
quotation marks had been placed before Fish, and between Fish and and, and
and and And, and And and and, and and and And, and And and and, and and 
and Chips, as well as after Chips?


Fwd: rlm_ldap and group membership

2002-05-06 Thread John

Hello,

This is kind of a long email, but I wanted to give all the information that I think 
YOU(tm) will need.  Unfortunately I'm on a sort of time-crunch to get this up and 
running, so I will try and get as much information in per message as possible.  I 
imagine I'll probably get the solution in a 1-line reply (put the line: use-groups = yes 
into your config and it should be good. ;)

Some background info:
We currently are and have been running cistron radius using local
system authentication.  Local system authentication in turn goes
through nss_ldap to reach our ldap servers.  I am now attempting
to upgrade to freeradius in order to use native ldap capabilities.

Our current configuration (both radius and accounting software) relies
upon groups.  For example:

(old cistron style)
DEFAULT Auth-Type = Reject, Group = deletepending
DEFAULT Auth-Type = Reject, Group = emailonly
DEFAULT Auth-Type = System, Group = multilink, Simultaneous-Use = 2
Port-Limit = 2,
Idle-Timeout = 1800

(newer freeradius style)
DEFAULT Group == deletepending, Auth-Type := Reject



I am having trouble configuring freeradius' rlm_ldap module to check for
groups.  It does however bind correctly to the ldap server for user
authentication.  Down below I detailed my thought process in setting this up, as 
well as provided some logs.  So far I have read the docs on freeradius.org, and 
the freeradius-users & freeradius-devel mailing lists (since Aug '99, anything 
with ldap in the subject).  Most information on the list revolves around defining 
the check & reply attributes IN ldap as opposed to the users file.  This is fine, 
and something we may switch over to at some point.  However, all of our existing 
software relies upon membership in groups, and switching that would be too big 
of a task at this time.  The upgrade in freeradius will be one of the first steps 
along this route.

Please read the following info and see if you can spot what I'm doing wrong.  
The configuration looked fairly simple, but I'm obviously missing some crucial 
element.


Version Info:
radiusd: FreeRADIUS Version 0.5, for host i686-pc-linux-gnu, built on May  2 
2002 at 10:28:59


Here is my ldap configuration section:
ldap {
server = localhost
basedn = dc=domain,dc=dom
filter = (uid=%u)
start_tls = no
ldap_connections_number = 5
password_attribute = userPassword
groupname_attribute = cn
groupmembership_filter = (&(objectclass=posixgroup)(memberuid=%u))
timeout = 4
timelimit = 3
net_timeout = 1
}


docs/rlm_ldap provide this query:
#   default: 
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

Broken down, this is:
(objectClass=GroupOfNames) AND (member=%{Ldap-UserDn})
 -or-
(objectClass=GroupOfUniqueNames) AND (uniquemember=%{Ldap-UserDn})

This query seems to be for a directory with two types of groups
and group members.  As our org uses one type, I'm dropping one of
the AND conjunctions along with the corresponding OR disjunction.

Our directory does not have either of those objectclass, we use
objectclass=posixgroup to identify group objects.  Also, instead of
uniquemember, we use memberuid.  The memberuid doesn't point to the
distinguished name of the uid, just the short uid.  So I should want:

(objectclass=posixGroup) AND (memberuid=%u)

Here's an ldif version:

cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink
userpassword={crypt}x
description=Members have the Port-Limit and Simultaneous-Use RADIUS parameter set to 2
gidnumber=1025
objectclass=top
objectclass=posixGroup
memberuid=jhogenmiller


Here are some queries performed to show you things working:

# testjth01
# multilink

# This query is what I think freeradius actually wants, in accordance
# with the docs.
[john@server john]$ ldapsearch -b dc=domain,dc=dom '(&(objectclass=posixgroup)(memberuid=testjth01))' cn
cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink


# testjth01 - search without specifying cn.
# multilink

[john@server john]$ ldapsearch -b dc=domain,dc=dom '(&(objectclass=posixgroup)(memberuid=testjth01))'
cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink
userpassword={crypt}x
description=Members have the Port-Limit and Simultaneous-Use RADIUS parameter set to 2
gidnumber=1025
objectclass=top
objectclass=posixGroup
memberuid=jhogenmiller
...
memberuid=testjth01


# testjth02
# multilink, deletepending: deny access

[john@server john]$ ldapsearch -b dc=domain,dc=dom '(&(objectclass=posixgroup)(memberuid=testjth02))' cn
cn=deletepending,ou=Group,dc=domain,dc=dom
cn=deletepending

cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink


=-=-=-=-=-=-=-=-=-=-=-=-=-=

Ok, with all the ldap stuff out of the way, here's what radius does:


(one thing I noticed after some research

Re: Fwd: rlm_ldap and group membership

2002-05-06 Thread John

It was my understanding that this type of check is done in the authorize and the 
authenticate sections.   However, I checked and sure enough I had the unix 
module listed in accounting.  I removed this, restarted the server and had the 
same results (no ldap/group checks).

Just for fun, I threw ldap into accounting and radiusd promptly yelled at me for 
being an idiot.  

I have actually been whittling down my modules per section throughout last week 
attempting to get this work.  It is well within the realm of possibility that I may 
have removed a module which could interfere with config-debugging efforts.  I 
have pasted my config below your quoted message.

BTW, your comment about adding an Ldap-Group attribute both encourages and 
disturbs me.  What is the status of checking for ldap group membership in 
freeradius (0.5)?

 Well it most probably will :-)
 Do you have the unix module in your accounting section? It is needed for
 the
 radwtmp file (although that should be on a module of its own). If yes try
 removing it. The unix module has a groupcmp function of its own which
 overrides the one registered by the ldap module.
 
 Alan is it ok if I go on and add an Ldap-Group attribute for ldap group
 membership?
 
 --
 Kostas Kalevras   Network Operations Center

Section configurations.  I have removed the colorful comments in order to save 
space.  

authorize {
ldap
}
authenticate {
ldap {
  notfound = RETURN
}
}
preacct {
suffix
files
preprocess
}
accounting {
detail
radutmp
}
session {
radutmp
}


John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
1(877)897-4883 x 592
---
Wouldn't the sentence I want to put a hyphen between the words Fish
and And and And and Chips in my Fish-And-Chips sign have been clearer if
quotation marks had been placed before Fish, and between Fish and and, and
and and And, and And and and, and and and And, and And and and, and and 
and Chips, as well as after Chips?
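To see what the group-membership filters in the two "rlm_ldap and group membership" messages actually select, here is an added example (not the list's or FreeRADIUS's own code): a small LDAP filter evaluator run against entries modelled on the posted LDIF. It shows why the docs' default GroupOfNames/GroupOfUniqueNames filter matches nothing in a posixGroup directory while the memberuid filter does. The DIRECTORY entries, gidnumber 1026 and the user DN are constructed, and the %u / %{Ldap-UserDn} expansion here stands in for what rlm_ldap does on the server.

```python
# Added example, not code from the messages or from FreeRADIUS: a minimal LDAP
# filter evaluator for the rlm_ldap group-membership filters discussed above.
import re

# RFC 4515 escaping for values substituted into a filter (rlm_ldap escapes its
# own %u expansion; this is what that escaping has to cover).
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape the characters that have meaning inside an LDAP search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def _unescape(value):
    """Turn RFC 4515 \\XX hex escapes back into the literal character."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse a filter supporting &, |, ! and (attr=value) / (attr=*) items."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter: %r" % text[pos:])
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):
        i, kids = i + 1, []
        while i < len(s) and s[i] == "(":
            i, kid = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s list at offset %d" % (op, i))
        return i + 1, (op, kids)
    if op == "!":
        i, kid = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! at offset %d" % i)
        return i + 1, ("!", [kid])
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated item at offset %d" % i)
    attr, sep, raw = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("only equality items are supported: %r" % s[i:end])
    return end + 1, ("=", (attr.lower(), raw))

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: lowercase attr -> values)."""
    op, arg = node
    if op == "&":
        return all(matches(k, entry) for k in arg)
    if op == "|":
        return any(matches(k, entry) for k in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, raw = arg
    values = entry.get(attr, [])
    if raw == "*":                        # presence test, e.g. (memberuid=*)
        return bool(values)
    wanted = _unescape(raw).lower()       # objectClass and memberUid are caseIgnore
    return any(v.lower() == wanted for v in values)

def groups_for_user(directory, filter_template, uid, user_dn=None):
    """Expand %u (and %{Ldap-UserDn}) as rlm_ldap would, then return the cn of
    every group entry the resulting filter selects."""
    flt = filter_template.replace("%u", escape_filter_value(uid))
    if user_dn is not None:
        flt = flt.replace("%{Ldap-UserDn}", escape_filter_value(user_dn))
    node = parse_filter(flt)
    return sorted(e["cn"][0] for e in directory if matches(node, e))

# Default from docs/rlm_ldap: GroupOfNames / GroupOfUniqueNames keyed on the user's DN.
DEFAULT_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                  "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")
# The posixGroup variant from the message, keyed on the short uid.
POSIX_FILTER = "(&(objectclass=posixGroup)(memberuid=%u))"

# Constructed entries modelled on the posted LDIF (gidnumber 1026 is made up).
DIRECTORY = [
    {"dn": ["cn=multilink,ou=Group,dc=domain,dc=dom"], "cn": ["multilink"],
     "objectclass": ["top", "posixGroup"], "gidnumber": ["1025"],
     "memberuid": ["jhogenmiller", "testjth01", "testjth02"]},
    {"dn": ["cn=deletepending,ou=Group,dc=domain,dc=dom"], "cn": ["deletepending"],
     "objectclass": ["top", "posixGroup"], "gidnumber": ["1026"],
     "memberuid": ["testjth02"]},
]

if __name__ == "__main__":
    for uid in ("testjth01", "testjth02"):
        print(uid, groups_for_user(DIRECTORY, POSIX_FILTER, uid))
    dn = "uid=testjth01,ou=People,dc=domain,dc=dom"        # constructed user DN
    print("default filter:", groups_for_user(DIRECTORY, DEFAULT_FILTER, "testjth01", dn))
```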


odd error since switching to an L2TP config

2002-04-07 Thread John

We're using a service that forwards all our calls into our radius
server. We've recently switched to an L2TP config where our provider
(Verizon) forwards lots of stuff through a Cisco L2TP tunnel. i.e.
Verizon owns the access servers and forwards the info out to us. 


Since we've switched to the L2TP config, we now see an odd thing when people
are logging in with a '[EMAIL PROTECTED]' username. If they login with
'[EMAIL PROTECTED]' we see something like: 

Sun Apr  7 13:02:12 2002 : Auth: Login incorrect: [realm.com/cisco]
(from nas l2tp port 35 cli 2015790101)
Sun Apr  7 13:02:12 2002 : Auth: Login OK: [[EMAIL PROTECTED]] (from nas
l2tp port 35 cli 2015790101)
Sun Apr  7 13:02:13 2002 : Auth: Login incorrect: [realm.com/cisco]
(from nas l2tp port 35 cli 2015790101)

For analysis, we'll look at those radius logs as three lines: 

Lines 1 and 3 are duplicates because (I assume) I have my radius server
listening on two ip's. That'll change later when the other auth server
goes on line. However, I don't understand why I'm GETTING line 1 and 3
in the first place. Why is it giving me 'realm.com/cisco' errors from
it? How should I make it stop? 

Also, users can login fine, we're just getting spurious logs that are
annoying. 


If a user logs in with only 'username' (which we allow at this time)
they can login and there are no odd log messages. 

That would look like: 

Sun Apr  7 12:59:35 2002 : Auth: Login OK: [username] (from nas l2tp port
21 cli 2013830465)


Related info:
radiusd-freeradius-0.4
linux 2.4.17
radacct_to_mysql 

Cisco configs are looking something like: 
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization network default group radius 
aaa accounting network default start-stop group radius
aaa session-id common


Phone numbers and domains have been changed to protect the guilty. ;) 
Any help appreciated. 

Also, am having trouble finding a way to search the list archives at
http://lists.cistron.nl/archives/freeradius-users/2002/04/ - is there a
search tool available on that server? 

John


General question about experiences with radius pre-authentication packets/support

2002-03-21 Thread John Benge

Hi,

I am currently using Freeradius with a USR chassis/quad modems; the quads
do not generate any CLI/DNIS pre-auth data so pre-authentication is of no
use. However, moving to DSP cards isn't far off and I'd like to be prepared
for using pre-authentication.

Can anybody confirm if they are using pre-auth packets with freeradius??

I would have thought I could set up a user whose name is the DNIS digits,
although I don't expect to be able to limit the number of ports (maybe this
could be a future feature?)

Using: Freeradius 0.4 on Solaris/Sparc 8 02/02.



Thanks

John

--
  oJohn Benge - Development
 o o   Email: [EMAIL PROTECTED]   Mobile: +44 7887796300
thus[tm]   Fax: +44 870 051   Work: +44 208 371 3739






Re: 3com Wirless Access Point and FreeRadius

2002-03-15 Thread Eric John Seneca

   Then it doesn't do EAP properly.
I have double checked with 3com to confirm they did not microsoft the EAP
standard and I am told it is completely compliant with standard EAP.  After
reviewing the URL posted by John Lindsay, I see that Cisco Aironet is working
with freeradius and I have found a curious item in the dump of freeradius. The
3com access point is sending back a response to the challenge but the radius
server is getting an error in the rlm_eap modules.  The following is a full
dump of the transaction:
rad_recv: Access-Request packet from host 64.214.69.235:5001, id=29,
length=67
EAP-Message = \002\001\000\t\001junk
Message-Authenticator = 0x391509740ecb0d9e19fa22520f29ee1a
NAS-IP-Address = 192.168.100.170
User-Name = junk
Framed-MTU = 1400
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module eap returns updated
  modcall[authorize]: module suffix returns ok
users: Matched junk at 67
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: processing type md5
  modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 29 to 64.214.69.235:5001
EAP-Message =
\001\035\000\026\004\020#\237\300j\320\225\376\2639\262\265\340\333F\243
Message-Authenticator = 0x
State =
0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf4210ec4828ecd3a5430359074e4689b
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 64.214.69.235:5001, id=30,
length=108
EAP-Message =
\002\035\000\032\004\020\364\366\257\206F\017@Nb\tV\251.\314\334junk
Message-Authenticator = 0x465a58897948e060466ca171349e5911
NAS-IP-Address = 192.168.100.170
User-Name = junk
State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf421
Framed-MTU = 1400
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module eap returns updated
  modcall[authorize]: module suffix returns ok
users: Matched junk at 67
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: State verification failed.
  modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 30 to 64.214.69.235:5001
Finished request 1
Going to the next request
Waking up in 6 seconds...

How can I track down what is causing the failure in the eap module?

Eric
- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 14, 2002 2:33 PM
Subject: Re: 3com Wirless Access Point and FreeRadius


 Eric John Seneca [EMAIL PROTECTED] wrote:
  The reason there is no response back is because the 3com access point
  interprets the challenge as a failure.

   Then it doesn't do EAP properly.

  Is there any special setting I must define for the user? The access
point
  and client only has one setting which is EAP-MD5. I do not have any
DEFAULT
  setting for EAP. There seems to be setting for SLIP and other protocols
in
  the users file.  Am I missing something in the configuration of the
radius
  server?

   No.  The NAS is asking to do EAP, and then complaining when it gets
 an EAP response.

   Fix the NAS to do EAP properly.  Poking the RADIUS server won't do
 anything.

   Alan DeKok.

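One thing the dump above shows directly: the State the access point echoes in the id=30 request (0xd3a5…3cf421, 22 bytes) is a prefix of the 36-byte State issued with the id=29 challenge. The check below, an added example that is not part of the thread or of FreeRADIUS, parses debug lines of that shape and pairs each echoed State with the last Access-Challenge sent to the same NAS so this kind of discrepancy is reported explicitly.

```python
"""Compare the State attribute a NAS echoes in an EAP Access-Request with
the State issued in the preceding Access-Challenge.

Added example, not FreeRADIUS code. DEBUG_EXCERPT is a constructed excerpt
of the radiusd debug output quoted above: the hex values are copied from it,
the wrapped 'State =' lines are joined and unrelated lines are dropped."""

import re

DEBUG_EXCERPT = """\
rad_recv: Access-Request packet from host 64.214.69.235:5001, id=29, length=67
User-Name = junk
Sending Access-Challenge of id 29 to 64.214.69.235:5001
State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf4210ec4828ecd3a5430359074e4689b
Finished request 0
rad_recv: Access-Request packet from host 64.214.69.235:5001, id=30, length=108
User-Name = junk
State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf421
rlm_eap: State verification failed.
"""

RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
CHAL_RE = re.compile(r"^Sending Access-Challenge of id (\d+) to (\S+)")
STATE_RE = re.compile(r"^\s*State = 0x([0-9a-fA-F]*)$")


def parse_transcript(text):
    """Walk the debug lines and return [kind, host, packet_id, state_bytes]
    per packet, where kind is 'request' or 'challenge' and state_bytes is
    None when the packet carried no State attribute."""
    packets = []
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            packets.append(["request", m.group(1), int(m.group(2)), None])
            continue
        m = CHAL_RE.match(line)
        if m:
            packets.append(["challenge", m.group(2), int(m.group(1)), None])
            continue
        m = STATE_RE.match(line)
        if m and packets:
            # the State line belongs to the packet printed just before it
            packets[-1][3] = bytes.fromhex(m.group(1))
    return packets


def classify_state(issued, echoed):
    """'match' when the NAS returned the State unchanged, 'truncated' when it
    returned a prefix of it, otherwise 'mismatch'."""
    if echoed == issued:
        return "match"
    if issued.startswith(echoed):
        return "truncated"
    return "mismatch"


def check_states(text):
    """For each Access-Request that carries a State, compare it with the
    last Access-Challenge sent to the same NAS address.
    Returns [(request_id, status, issued_len, echoed_len), ...]."""
    last_challenge = {}   # NAS host:port -> State bytes last issued to it
    results = []
    for kind, host, pid, state in parse_transcript(text):
        if kind == "challenge" and state is not None:
            last_challenge[host] = state
        elif kind == "request" and state is not None:
            issued = last_challenge.get(host)
            if issued is None:
                results.append((pid, "no-challenge", 0, len(state)))
            else:
                results.append((pid, classify_state(issued, state),
                                len(issued), len(state)))
    return results


if __name__ == "__main__":
    for pid, status, issued_len, echoed_len in check_states(DEBUG_EXCERPT):
        print(f"request id={pid}: State {status} "
              f"(issued {issued_len} bytes, echoed {echoed_len} bytes)")
```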





A question regarding radius attribute tagging

2002-03-14 Thread john . benge

Hi,

I'm running FreeRadius 0.4 on Sparc/Solaris 8 (latest patches) for
some testing I'm conducting with 3Com/Cisco L2TP tunnels - please
bear with me, I'm a radius newbie and have only been running FR for a
week.

I have FR up and running nicely, sending back attributes to the nas's
in question to setup tunnels.

I've heard about a tunnel feature that allows the nas to receive multiple
tunnel-endpoint attributes and then load balance the tunnels it builds;
I'd like to try this!

The nas can cope with receiving multiple tunnel-endpoint attributes, so
I presume I can just create a user.conf profile with multiple endpoint
attributes like this:

USR-Tunnel-Security = none,
USR-Tunnel-Type = L2TP,
USR-Tunnel-Endpoint = 10.0.0.100,
USR-Tunnel-Endpoint = 10.0.0.101,
USR-Tunnel-Endpoint = 10.0.0.102,

Under Steel Belted Radius multiple attributes are referred to as tagging,
where the attributes in question are tagged with something like [1] [2] [3]
so that SBR can distinguish them - or something like that :)

So the big question is, can FreeRadius handle sending back multiple
instances of the same attribute with different values? 

If it can, is there anything in particular that I need to do to set it up,
or can I just add multiple instances of the attribute as in the example
above?

And has anyone else ever tried this with FR ??



Kind Regards
 
John

--
  oJohn Benge - Development
 o o   Email: [EMAIL PROTECTED]   Mobile: +44 7887796300  
thus[tm]   Fax: +44 870 051 Work: +44 208 371 3739




Re: 3com Wirless Access Point and FreeRadius

2002-03-14 Thread Eric John Seneca

   Try grabbing the latest CVS snapshot.
After compiling the CVS snapshot and configuring the /etc/raddb/radius.conf,
I still get authentication failure.

I sniffed the session traffic and I see the following information
192.168.100.170 - 64.95.221.220 UDP D=1812 S=1812 LEN=75

AND THE RADIUS SERVER RECEIVES THIS MESSAGE IN THE FOLLOWING DEBUG DUMP
rad_recv: Access-Request packet from host 64.214.69.230:4916, id=62,
length=67
EAP-Message = \002\001\000\t\001junk
Message-Authenticator = 0x76874a9715bf9621d54c7074912d6ccc
NAS-IP-Address = 192.168.100.170
User-Name = junk
Framed-MTU = 1400
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module eap returns updated
  modcall[authorize]: module suffix returns ok
users: Matched junk at 74
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: processing type md5
  modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok

NOW I ASSUME THE MESSAGE BEING SENT BACK IS MY SECOND PACKET IN THE SNIFFER
LOG.
64.95.221.220- 192.168.100.170 UDP D=1812 S=1812 LEN=108

Sending Access-Challenge of id 62 to 64.214.69.230:4916
EAP-Message =
\001\000\026\004\020#\237\300j\320\225\376\2639\262\265\340\333F\243
Message-Authenticator = 0x
State =
0xa6e15e0f06d3880b882260dbb8e69f2de88c903cf69a33702ce1ec0ba905020673dd8337
Finished request 0

It seems as though the 3com access point interprets this message as an
authentication failure and ends the conversation. It also displays a
message box authentication failure on the client side. What is the
contents of the message being sent back to the 3com access point? Does
anyone know a reason the 3com device will interpret the Challenge message as
a failure?

Eric

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 14, 2002 10:06 AM
Subject: Re: 3com Wirless Access Point and FreeRadius


 Eric John Seneca [EMAIL PROTECTED] wrote:
  Where do I get the module rlm_eap for freeradius? I get the following
  message
 ...
  It was not included in the tarball for freeradius-0.4.

   Try grabbing the latest CVS snapshot.

   Alan DeKok.






Re: A question regarding radius attribute tagging

2002-03-14 Thread john . benge

SNIP
 Yes.  You can use something like this for your users file:
 
 tunneluser   Auth-Type := Local, Password == foobar
   Tunnel-Type:1 = L2TP
   Tunnel-Medium-Type:1 = IP
   Tunnel-Server-Endpoint:1 = 10.20.30.2
   Tunnel-Password:1 = secret
   Tunnel-Preference:1 = 1
   Tunnel-Type:2 = GRE
   Tunnel-Medium-Type:2 = IP
   Tunnel-Server-Endpoint:2 = 10.99.98.67
   Tunnel-Preference:2 = 2
 
 The :X after the attribute is the 'tag'.  The attributes that share a
 common tag value become a group.  The group with the lowest tunnel-pref
 value is tried first.  In the example above, that would be the L2TP tunnel,
 if the NAS can't do the L2TP tunnel, it will then try the GRE tunnel.
 
SNIP
 
 -Chris
SNIP

Hi Chris, thanks for the help! I'll give it a go right now and take a
look
at the RFC you mentioned.

This may seem a naive question but I only have 5 days' worth of radius
experience under my belt: when should I, or should I not, use VSAs (like
the tunnel VSAs in my original post)?



Cheers

John

--
  oJohn Benge - Development
 o o   Email: [EMAIL PROTECTED]   Mobile: +44 7887796300  
thus[tm]   Fax: +44 870 051 Work: +44 208 371 3739
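Chris's tagging explanation quoted in this reply, worked through in code as an added example (not part of the thread or of FreeRADIUS): it parses the quoted users-file entry, groups the reply items by their ':N' tag, orders the groups by Tunnel-Preference, and flags a group that lacks the attributes this example assumes a NAS needs to build a tunnel.

```python
"""Group tagged tunnel reply items as Chris describes above: attributes that
share a ':N' tag form one tunnel group, and the NAS tries the groups in
ascending Tunnel-Preference order.

Added example, not FreeRADIUS code. USERS_ENTRY is the users-file entry
quoted above; the minimal attribute set checked by incomplete_groups() is
this example's own choice, not a FreeRADIUS rule."""

import re

USERS_ENTRY = """\
tunneluser   Auth-Type := Local, Password == foobar
  Tunnel-Type:1 = L2TP
  Tunnel-Medium-Type:1 = IP
  Tunnel-Server-Endpoint:1 = 10.20.30.2
  Tunnel-Password:1 = secret
  Tunnel-Preference:1 = 1
  Tunnel-Type:2 = GRE
  Tunnel-Medium-Type:2 = IP
  Tunnel-Server-Endpoint:2 = 10.99.98.67
  Tunnel-Preference:2 = 2
"""

# indented reply item: Name[:tag] = value[,]
REPLY_RE = re.compile(r"^\s+([A-Za-z0-9-]+)(?::(\d+))?\s*=\s*(.+?)\s*,?\s*$")

# attributes this example requires in every tunnel group (an assumption)
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Server-Endpoint")

NO_PREFERENCE = 2 ** 32   # sorts after any explicit Tunnel-Preference


def parse_reply_items(entry):
    """Return (name, tag, value) for each indented reply-item line of a
    users-file entry; tag is None for an untagged attribute."""
    items = []
    for line in entry.splitlines()[1:]:      # line 0 holds the check items
        m = REPLY_RE.match(line)
        if m:
            name, tag, value = m.groups()
            items.append((name, int(tag) if tag else None, value))
    return items


def tunnel_groups(entry):
    """Group tagged attributes by tag and order the groups as the NAS would
    try them: lowest Tunnel-Preference first, tag number as tie-breaker.
    Returns [(tag, {attribute: value}), ...]; untagged items are left out."""
    groups = {}
    for name, tag, value in parse_reply_items(entry):
        if tag is not None:
            groups.setdefault(tag, {})[name] = value

    def order(item):
        tag, attrs = item
        return (int(attrs.get("Tunnel-Preference", NO_PREFERENCE)), tag)

    return sorted(groups.items(), key=order)


def endpoint_order(entry):
    """(Tunnel-Type, Tunnel-Server-Endpoint) pairs in try order."""
    return [(g["Tunnel-Type"], g["Tunnel-Server-Endpoint"])
            for _, g in tunnel_groups(entry)]


def incomplete_groups(entry):
    """Tags whose group is missing one of the REQUIRED attributes: such a
    group would be sent to the NAS but could not describe a usable tunnel."""
    return [tag for tag, attrs in tunnel_groups(entry)
            if any(a not in attrs for a in REQUIRED)]


if __name__ == "__main__":
    for tag, attrs in tunnel_groups(USERS_ENTRY):
        print(f"tag {tag}: {attrs}")
    print("try order:", endpoint_order(USERS_ENTRY))
    print("incomplete:", incomplete_groups(USERS_ENTRY))
```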




Re: 3com Wirless Access Point and FreeRadius

2002-03-14 Thread Eric John Seneca

 Radius Server has sent an Access-Challenge with EAP-MD5 challenge value
 for which the client should respond back.
 Based on the response received, Radius Server authenticates the user.
The reason there is no response back is because the 3com access point
interprets the challenge as a failure. Hence the syslog entries for the
access point:
Mar 14 13:49:55 accesspoint  802.1x FSM: Supplicant 00:40:96:48:89:b6 has
failed Authentication
Mar 14 14:06:05 accesspoint  Associated station [ AID = 001,
00:40:96:48:89:b6 ]
Mar 14 14:06:10 accesspoint  802.1x FSM: Supplicant 00:40:96:48:89:b6 has
failed Authentication

Is there any special setting I must define for the user? The access point
and client only have one setting, which is EAP-MD5. I do not have any DEFAULT
setting for EAP. There seem to be settings for SLIP and other protocols in
the users file.  Am I missing something in the configuration of the radius
server?

Eric

- Original Message -
From: Raghu [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 14, 2002 12:05 PM
Subject: Re: 3com Wirless Access Point and FreeRadius


  NOW I ASSUME THE MESSAGE BEING SENT BACK IS MY SECOND PACKET IN THE
SNIFFER
  LOG.
  64.95.221.220- 192.168.100.170 UDP D=1812 S=1812 LEN=108
 
  Sending Access-Challenge of id 62 to 64.214.69.230:4916
  EAP-Message =
  \001\000\026\004\020#\237\300j\320\225\376\2639\262\265\340\333F\243
  Message-Authenticator = 0x
  State =
 
0xa6e15e0f06d3880b882260dbb8e69f2de88c903cf69a33702ce1ec0ba905020673dd8337
  Finished request 0
 
  It seems as though the 3com access point interprets this message as an
  authentication failure and ends the conversation. It also displays a
  message box authentication failure on the client side. What is the
  contents of the message being sent back to the 3com access point? Does
  anyone know a reason the 3com device will interpret the Challenge
message as
  a failure?
 

 Radius Server has sent an Access-Challenge with EAP-MD5 challenge value
 for which the client should respond back.
 Based on the response received, Radius Server authenticates the user.

 Since there is no response received,
 I think there is some misconfiguration either on your AP or client.

 You might also want to check, what EAP-Types ( like EAP-MD5 ...)
 are supported by your 3com client & AP.

 -Raghu






Re: A question regarding radius attribute tagging

2002-03-14 Thread john . benge

Chris Parker wrote:
SNIP
 If there is a standard attribute ( non-VSA ) that does what you want,
 I highly urge the use of that, over the VSA, as it will be more portable.
 If there isn't a standard attribute to accomplish it, then you don't have
 a choice, so you have to use the VSA.
 
 I come from a multi-vendor NAS environment, so using the most commonly
 understood attributes is highly desirable.
 
 Example:
 
 'Ascend-Idle-Limit' is a VSA that only works on Ascend NAS.
 
 'Idle-Timeout' does the same thing, and works on all NAS.
 
 So, you'd want to use Idle-Timeout, as it's more portable.
 
 -Chris
Hi,

Thanks for the good advice Chris!


Cheers

John

--
  oJohn Benge - Development
 o o   Email: [EMAIL PROTECTED]   Mobile: +44 7887796300  
thus[tm]   Fax: +44 870 051 Work: +44 208 371 3739




Re: 3com Wirless Access Point and FreeRadius

2002-03-14 Thread John Lindsay

I have found the following URL very useful:

http://www.missl.cs.umd.edu/~adam/802/

jsl

-- 
John Lindsay - Engineering Services Manager
Internode Professional Access
ph +61 8 8223 2999 fx +61 8 8223 1777
31 York St Adelaide, PO BOX 284 Rundle Mall SA 5000





3com Wirless Access Point and FreeRadius

2002-03-13 Thread Eric John Seneca

Hi,
I am trying to set up a 3com wireless access point to authenticate to a
freeradius server. I have installed and configured the freeradius server as
well as the access point but when I try to authenticate I get the following
error:

rad_recv: Access-Request packet from host 64.214.69.235:4859, id=183,
length=69
Sending duplicate authentication reply to client 64.214.69.235:4859 - ID:
183
Sending Access-Reject of id 183 to 64.214.69.235
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 28 ID 183 with timestamp 3c8f9220
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 64.214.69.235:4859, id=183,
length=69
EAP-Message = \002\004\000\n\001happy
Message-Authenticator = 0x8963e751410fdebe8c00bb9310325f6f
NAS-IP-Address = 192.168.100.170
User-Name = happy
Framed-MTU = 1400
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module suffix returns ok
users: Matched happy at 73
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Sending Access-Reject of id 183 to 64.214.69.235:4859
Finished request 30
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

The part that I cannot figure out is the phantom password. I am not sure if the
3com client software is sending the password or the /etc/raddb/users file is
not set up correctly. If anyone has had experience with 3com products in the
past any help would be greatly appreciated.

Eric





Getting radlast to report real username

2002-02-26 Thread John Stern


Currently radlast reports
09/01/2002 01:55:35  AutoPPP85.3 192374 609285

How do I configure portslave or Cistron Radius to report the real user
name?

This is the vanilla install under SuSE 7.2



_
 email: [EMAIL PROTECTED] [EMAIL PROTECTED]
  ph +-61 3 9669 8106 (w) 0418 670 246 (mob)
  John Stern, High Performance Computing and Communication Centre
   level 24 150 Lonsdale street,
Melbourne, VICTORIA, 3000, AUSTRALIA
_




Port 25 filtering

2002-01-31 Thread John Singewald

I am running the latest cistron-radius 1.6.4.3 on Redhat 7.0. I have been
proxy authorizing several different modem pools for our users. I am about to
add qwest modem pools but I need to set up a filter for smtp traffic to only
allow relaying across one smtp server, denying all other port 25 relays. Is
this possible with Cistron, and how do I go about it?

Thank You






Re: LDAP and unix Passwords

2001-12-18 Thread John Morrissey

On Tue, Dec 18, 2001 at 09:38:31AM -0500, Jim Greene wrote:
% Can I do the following:
% Use LDAP for authentication, by importing my current userbase from
% passwd/shadow.  These will be crypt'd passwords as I do not have them in
% clear text.  Does anyone have a file to convert these accounts to LDAP if
% this can be done ?

Sure, that can be done. Look at PADL's migration tools at
http://www.padl.com/tools.html for a good starting point.

john
-- 
John Morrissey  _o/\   __o
[EMAIL PROTECTED]_- \_  /  \   \,
www.horde.net/__(_)/_(_)/\___(_) /_(_)__




Re: How do I setup users file to allow anyone to connect?

2001-12-14 Thread John Morrissey

On Fri, Dec 14, 2001 at 06:53:44PM +0900, Yuki Okada wrote:
% I'm using FreeRadius0.3 on my FreeBSD4.4 Box.
% I'm wondering how to setup my radius server to accept any user/password
% pair.

DEFAULT Auth-Type = Accept

john
-- 
John Morrissey  _o/\   __o
[EMAIL PROTECTED]_- \_  /  \   \,
www.horde.net/__(_)/_(_)/\___(_) /_(_)__




Re: LDAP Authentication

2001-12-13 Thread John Morrissey

On Thu, Dec 13, 2001 at 12:48:06PM -0600, Steve Tow wrote:
% Having tried unsuccessfully to get this working, I looked at the code as
% best as I know how and it looks like the only method of authentication via
% LDAP is by trying to bind to the LDAP server with the username and
% password given to RADIUS. Is this a correct assessment?

That's correct.

john
-- 
John Morrissey  _o/\   __o
[EMAIL PROTECTED]_- \_  /  \   \,
www.horde.net/__(_)/_(_)/\___(_) /_(_)__




port number override when starting FreeRadius

2001-12-02 Thread john


I am sorry to bother everyone.

This is probably such an easy question but I have banged my head too many
times looking for an answer...Somebody please help me.


I need to know if I can override the default port numbers allocated from the
/etc/services file.

My requirement is simple, have 2 radius servers on one physical server. I
understand how to override the directories at time of configure, my only
problem I can foresee is that there will be a conflict in binding to port
numbers.

Thank you in advance to the person who shares the answer.

John





Re: [Fwd: Re: Changing RADIUS Passwords]

2001-10-25 Thread John Blumel

On 10/25/01 2:05 AM, Chaminda Rathnasinghe wrote:

I would like to know how to set bin/false users to change their
passwords as you describe below.

On Linux, use the '-s' switch with usermod or useradd (or perhaps chuser 
and adduser on BSD -- syntax may vary). For example,

 usermod -s /usr/bin/passwd some_user

(assuming that passwd is located in /usr/bin on your system). Or, you 
could just edit the /etc/passwd file and replace /bin/false with 
/usr/bin/passwd.


John Blumel




Re: Changing RADIUS Passwords

2001-10-24 Thread John Blumel

On Tue, 23 Oct 2001 16:39:37 -0400, [EMAIL PROTECTED] wrote:

  Set their shell on the Unix system to '/bin/passwd', or whatever
other password changing tool you want.   They can then log in to
change their password, and do nothing else.

I've played with this and it seems to work ok. How would you evaluate
this as a security risk? Theoretically, the worst case is that someone
changes the password that they've stolen and I have to reset it but how
much should I worry about buffer overflow or other attacks with passwd
or replacements as the shell?


John Blumel





Changing RADIUS Passwords

2001-10-23 Thread John Blumel

Hi,

I'm looking into using RADIUS for authentication of remote dial-in and VPN users and, 
since I'm completely new to RADIUS, I was hoping I could pose a few questions to the 
list...

1. freeRADIUS is officially listed as beta software but is anyone using it in 
production and/or do you feel that it is mature and stable enough to do so?

2. We would like to give users the ability to change their passwords and since, as far 
as I can tell, this is not a built-in feature of freeRADIUS or any other RADIUS server 
I was wondering what strategies people are using to allow this other than simply using 
Auth-Type = System and having them telnet to the RADIUS server and change their 
password.


Thanks.


John Blumel






Re: Routing to Proxies using DNIS

2001-10-18 Thread John Morrissey

On Thu, Oct 18, 2001 at 02:08:55AM -0400, Brian Gordon wrote:
% I know this issue has been discussed and this is the statement I am using in my 
users file, and it doesn't seem to be using the realm.  If I comment out all other 
default users I get no auth method etc.  I know my proxy is working because if I use 
NULL in realms, my proxy works authenticates etc.
% 
% DEFAULT Called-Station-Id == 518555, Proxy-To-Realm = westelcom 
% Fall-Through = No

try:

DEFAULT Called-Station-Id == 518555, Proxy-To-Realm := westelcom 
Fall-Through = No

john
-- 
John Morrissey  _o/\   __o
[EMAIL PROTECTED]_- \_  /  \   \,
www.horde.net/__(_)/_(_)/\___(_) /_(_)__




postgres reply information

2001-10-02 Thread John Grange

I have postgres providing the authentication for freeradius but I can't
persuade it to pass any information back in the reply packet from the
radreply table.  Am I missing something really simple?

Please can somebody list the salient points for setting up sql to send
information back - I have trawled the documentation extensively, but just
can't seem to get it right.

Yours,

John Grange






RE: Group authentication

2001-09-30 Thread John McKinney

Dan,
I am trying to get freeradius setup. We are currently using Livingston
Radius. They both allow for this as a check item.

Something like:

DEFAULT Auth-Type = System, Group = login

DEFAULT Auth-Type = System, Group = mailusers

Make sure you have a group 'login' and also 'mailusers' on the system and
that the user belongs to that group. While I don't have the freeradius
working yet, I believe this will work fine, if not someone will hopefully
correct me. (maybe this is why I'm having trouble with authentication?:))

Hope this helps,
John McKinney


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Dan Houtz
 Sent: Sunday, September 30, 2001 4:08 PM
 To: [EMAIL PROTECTED]
 Subject: Group authentication


 Greetings,

 Is it possible to configure FreeRadius to only authenticate system
 accounts that belong to a specific group? I'd like it to only accounts
 that belong to group pppusers while rejecting accounts belonging to
 other groups such as emailusers. Thanks

 Dan Houtz








newbie documentation

2001-09-28 Thread John Grange

I'm trying to set freeradius up at the moment and want to use it with
postgres.

I've got the postgres, passwd & standard authentication working fine, but as
I know nothing about radius at the moment, I don't know how to assign IP
addresses to users as they log in (I need to do a mix of static and dynamic
allocation).

BTW:  The application is for GPRS authentication, so if anyone has any
knowledge on this, it would be appreciated.

Sorry if I'm being thick and please tell me to RTFM, just tell me where it
is and I'll read it.

TIA

John Grange






