Foundry command authorization help
I am having some issues with command authorization. Foundry has a Foundry-Command-String attribute, and I suspect I am just a chucklehead :-)

Syntax should be

    Foundry-Command-String = configure terminal,
    Foundry-Command-String = int ethernet 20,
    Foundry-Command-String = speed-duplex *,

or

    Foundry-Command-String = configure terminal, int ethernet 20, speed-duplex *,

I have tried both but am suspecting that Foundry does not support what I think they do :-) They have authorization levels 0, 4 and 5. But in the CLI you can only enter one. I am used to Cisco, where you can have multiple ones, hence my despair.

If anyone has been here before, any tips would be greatly appreciated.

Ted

DISCLAIMER e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me and permanently delete the original and any copy of any e-mail and any printout thereof. E-mail transmission cannot be guaranteed to be secure or error-free. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. REGARDING PRIVACY AND CONFIDENTIALITY Crown Financial Group may, at its discretion, monitor and review the content of all e-mail communications.

Re: Can't get freeradius-0.9.3 compiled on Redhat 9
Want me to email you the rpms I built?

Ted

On Fri, 2003-11-21 at 10:21, Sebastiaan Mangoentinojo wrote:

> Hi,
>
> I spent the better half of the day trying to compile Freeradius on Redhat 9 (I'm going to use it for test purposes), but I'm stuck at the moment. I get the following ./configure warnings:
>
>     configure: warning: silently not building rlm_eap_tls.
>     configure: warning: FAILURE: rlm_eap_tls requires: (openssl/ssl.h).
>     configure: warning: the comm_err library isn't found!
>     configure: warning: silently not building rlm_krb5.
>     configure: warning: FAILURE: rlm_krb5 requires: krb5.
>     configure: warning: silently not building rlm_ldap.
>     configure: warning: FAILURE: rlm_ldap requires: liblber.
>     configure: warning: silently not building rlm_pam.
>     configure: warning: FAILURE: rlm_pam requires: libpam.
>     configure: warning: iodbc headers not found. Use --with-iodbc-include-dir=path.
>     configure: warning: sql submodule 'iodbc' disabled
>     configure: warning: silently not building rlm_sql_postgresql.
>     configure: warning: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
>     configure: warning: oracle headers not found. Use --with-oracle-home-dir=path.
>     configure: warning: sql submodule 'oracle' disabled
>     configure: warning: unixODBC headers not found. Use --with-unixodbc-include-dir=path.
>     configure: warning: sql submodule 'unixodbc' disabled
>     configure: warning: silently not building rlm_x99_token.
>     configure: warning: FAILURE: rlm_x99_token requires: des_cbc_encrypt.
>
> ssl.h is in /usr/include/openssl on my system. I tried to use ./configure with --with-openssl-inc=/usr/include and /usr/include/openssl etc., but with no luck. Openssl on my system is RPM based. I can't easily remove it because it has a whole lot of dependencies with other RPMs I need (I know RPMs suck sometimes).
>
> Any tips?
>
> Cheers,
> Seb
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Can't get freeradius-0.9.3 compiled on Redhat 9
download freeradius-0.9.3.tar.gz

    tar xvfz freeradius-0.9.3.tar.gz
    cp freeradius-0.9.3.tar.gz /usr/src/redhat/SOURCES
    rpmbuild -ba freeradius-0.9.3/redhat/freeradius.spec

If that doesn't work you probably don't have some development library installed.

    rpm -q --whatprovides /usr/include/openssl/des_old.h

should return

    openssl-devel-0.9.7a-20

    yum update openssl-devel
    up2date openssl-devel

I will email you the rpms if this does not work for you.

Ted

On Fri, 2003-11-21 at 11:54, [EMAIL PROTECTED] wrote:

> Could you post the rpm file as well as the steps you used to create the rpm? I have been playing around with trying to build an rpm and have not had much success.
>
> dave
>
> - Original Message -
> From: Kaczmarek, Thaddeus
> To: [EMAIL PROTECTED]
> Sent: Friday, November 21, 2003 10:40 AM
> Subject: Re: Can't get freeradius-0.9.3 compiled on Redhat 9
>
> > Want me to email you the rpms I built?
> >
> > Ted

Re: Foundry command authorization help
They came with both versions I have tried, 0.91 and 0.93. They were in /usr/share/freeradius folder.

Ted

On Fri, 2003-11-21 at 12:43, Chris Parker wrote:

> At 11:23 AM 11/21/2003, Dave Mussulman wrote:
>
> > First, the Foundry dictionary file that comes with FreeRADIUS doesn't have those attributes, so you'll need to edit it. What you need to add is pretty straightforward in Foundry's docs. (I'll submit my dictionary file to the project when I'm sure it's got everything; I just added some stuff for their management software yesterday.)
>
> Patch please? Or list of the AV's? If no one reports it, it won't get included in later versions either.
>
> -Chris
>
> --
> Chris Parker, Director, Engineering, StarNet Inc.

Thanks out to Dave M and examples
    joe-admin Auth-Type := System
        Acct-Authentic == RADIUS,
        foundry-privilege-level = 0,
        foundry-command-exception-flag = 1,
        Cisco-AVPair = shell:priv-lvl=0

    joe-user Auth-Type := System
        Foundry-Privilege-Level = 0,
        Foundry-Command-String = config terminal; interface *; speed-duplex *,
        Foundry-Command-Exception-Flag = 0
        Cisco-AVPair = shell:priv-lvl=4

This does what I want, just can't figure out what the hell you do with levels 4 and 5, Foundry cli only allows 1 level.

Ted

Re: Thanks out to Dave M and examples
The lower case one is right :-)

Ted

On Fri, 2003-11-21 at 14:14, Kaczmarek, Thaddeus wrote:

>     joe-admin Auth-Type := System
>         Acct-Authentic == RADIUS,
>         foundry-privilege-level = 0,
>         foundry-command-exception-flag = 1,
>         Cisco-AVPair = shell:priv-lvl=0
>
>     joe-user Auth-Type := System
>         Foundry-Privilege-Level = 0,
>         Foundry-Command-String = config terminal; interface *; speed-duplex *,
>         Foundry-Command-Exception-Flag = 0
>         Cisco-AVPair = shell:priv-lvl=4
>
> This does what I want, just can't figure out what the hell you do with levels 4 and 5, Foundry cli only allows 1 level.
>
> Ted

Re: 0.9.3 has been released
On Redhat 9 upgrading whacked my dictionary entries. I had to redo /etc/raddb/dictionary.

Ted

On Thu, 2003-11-20 at 16:43, Matthew Schumacher wrote:

> Alan,
>
> Thanks for your hard work... we all appreciate it.
>
> Alan DeKok wrote:
>
> > Bug reports are nice. Lack of notification is stupid.
> >
> > With that said, 0.9.3 has been released. It's in the normal places:
> >
> > ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
> >
> > With PGP signature at:
> >
> > ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
> >
> > It is just 0.9.2 with a bug fixed, and the version number updated.
> >
> > The original reporter threatened to release an exploit when I told him I was unhappy with his lack of notification prior to the public release of the vulnerability information. Blackmail is stupid.
> >
> > As it turns out, however, the problem isn't as bad as it could have been. The bug he reported can cause the server to crash, but is difficult to exploit. Any attack code MUST be in the form of a valid RADIUS packet, which significantly limits the possible exploits.
> >
> > However, there was another bug which the reporter did NOT discover, which causes the server to de-reference a NULL pointer, and thus crash, whenever an Access-Request packet containing a Tunnel-Password attribute is received.
> >
> > Both bugs have been fixed in 0.9.3, and in the CVS head. We recommend that everyone upgrade to 0.9.3 as soon as possible.
> >
> > Alan DeKok.

Radius newbie questions
I just ordered the radius book, and used to use Funk software a while back. I can get logged in via freeradius but can't seem to figure out how to get foundry-privilege-level == 0 to work. I get logged in with read only permissions.

    rad_recv: Access-Request packet from host 10.0.5.252:1645, id=93, length=65
        User-Name = joeuser
        User-Password = joepassw0rd
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 10.0.5.252
        NAS-Port = 1
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    modcall[authorize]: module chap returns noop
    rlm_eap: EAP-Message not found
    modcall[authorize]: module eap returns noop
    rlm_realm: No '@' in User-Name = joeuser, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop
    users: Matched DEFAULT at 152
    modcall[authorize]: module files returns ok
    modcall[authorize]: module mschap returns noop
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type System
    auth: type System
    modcall: entering group authenticate
    modcall[authenticate]: module unix returns ok
    modcall: group authenticate returns ok
    Login OK: [joeuser/joepassw0rd] (from client cr1corsw2 port 1)
    Sending Access-Accept of id 93 to 10.0.5.252:1645
    Finished request 1
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Cleaning up request 1 ID 93 with timestamp 3fb50e3d
    Nothing to do. Sleeping until we see a request.

This is from users file

    joeuser Acct-Authentic == RADIUS, Service-Type == NAS-Prompt-User, foundry-privilege-level == 0, foundry-command-string == *

Any help would be greatly appreciated :-)

Ted
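
The debug output in "Radius newbie questions" shows only `users: Matched DEFAULT at 152` and lists no attributes under the Access-Accept, while the entries in "Thanks out to Dave M and examples" carry the Foundry attributes on the lines after the first. The following is an added example, not code from the thread or from FreeRADIUS: a simplified Python model of users-file matching, assuming the posted joeuser items all sat on the entry's first line. AS_POSTED, AS_REPLY, parse_items and evaluate are names made up here.

```python
import re

# Attributes of the Access-Request shown in the debug output (password omitted).
REQUEST = {"User-Name": "joeuser", "Service-Type": "NAS-Prompt-User",
           "NAS-IP-Address": "10.0.5.252", "NAS-Port": "1"}

# Assumption: every item as posted, all on the entry's first (check) line.
AS_POSTED = """\
joeuser Acct-Authentic == RADIUS, Service-Type == NAS-Prompt-User, foundry-privilege-level == 0, foundry-command-string == *
"""

# Foundry attributes moved to indented reply lines, as in the joe-admin entry
# from the later message (its Acct-Authentic item is left out here).
AS_REPLY = """\
joeuser Auth-Type := System
    foundry-privilege-level = 0,
    foundry-command-exception-flag = 1,
    Cisco-AVPair = shell:priv-lvl=0
"""

ITEM = re.compile(r"^([\w-]+)\s*(:=|==|=)\s*(.*)$")


def parse_items(text):
    """Split 'Attr op value, ...' into (attr, op, value); no quoted commas."""
    items = []
    for part in (p.strip() for p in text.split(",")):
        if part:
            m = ITEM.match(part)
            if not m:
                raise ValueError(f"cannot parse item: {part!r}")
            items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return items


def evaluate(entry, request):
    """Return (matched, unmet_checks, reply) for one users-file entry.

    Simplified rules: '==' on the first line is compared with the request
    (an absent attribute never matches); ':=' sets a control item and is not
    compared; indented lines are reply items sent back in the Access-Accept.
    """
    req = {k.lower(): v for k, v in request.items()}
    head, *reply_lines = entry.strip().splitlines()
    name, _, checks = head.partition(" ")
    if name not in ("DEFAULT", request["User-Name"]):
        return False, ["User-Name"], {}
    unmet = [a for a, op, v in parse_items(checks)
             if op == "==" and req.get(a.lower()) != v]
    if unmet:
        return False, unmet, {}
    reply = {a: v for a, _, v in parse_items(" ".join(reply_lines))}
    return True, [], reply


if __name__ == "__main__":
    for label, entry in (("as posted", AS_POSTED), ("reply items", AS_REPLY)):
        print(label, evaluate(entry, REQUEST))
```

Under this model the first entry is skipped because the request carries no Acct-Authentic or Foundry attributes to compare against, so only DEFAULT applies and nothing Foundry-specific is returned to the switch.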