Re: Reply-Message
--On 21 November 2002 16:50 +0200 Remus Anca <[EMAIL PROTECTED]> wrote:

> Did someone succeed in 'putting' messages, sent by FreeRADIUS with the
> Reply-Message attribute, on the Windows screen? I know it's a Windows
> problem, but how can I trick it? Thx. I think this is very useful for all
> ISP admins.
>
> -- Remus

I don't think any of the actual Windows PPP stacks support this, i.e. it's not going to work :(

I can't see any way you can work around it either, if it's not supported by the client - it's not supported :-(

[And how many ISPs wish it was supported? :)]

-Kp

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: after hours shared secret bug
--On 21 November 2002 09:40 +0200 Angelos Karageorgiou <[EMAIL PROTECTED]> wrote:

> Has anyone noticed freeradius giving errors for accounting packets with
> "Invalid shared secrets"?

Yes, we have that problem here...

We're running FreeRADIUS 0.8, we have it 'talking' to three other companies / sites... Two of them work fine for both Auth and Accounting. One remote system runs RADIATOR, the other two I don't know what they run, and can't find out [simply because, in their wisdom, they won't tell us].

For the third - auth works fine, accounting always shows "Invalid Signature". The people running the third system are not brilliantly helpful. They insist they've thoroughly checked their side, and they are signing the packets with the same shared secret as the Auth packets (which work fine).

> Sometimes, mostly under heavy load, both radiuses nag about "invalid
> shared secret" which goes away after a while.

Ours always does this with no regard to load, but only to 1 out of 3 systems. Interestingly, the people using RADIATOR also talk to the 3rd problem site, and don't have the same problem with it (and we can talk to that RADIATOR site fine).

> I have not been able to pinpoint the problem, yet I will try to tcpdump
> and grab the raw data, I was just wondering if anyone has seen this
> behaviour in the wild.

I've got tcpdumps here - I'm not sure (because of the way the secrets work) that you can do anything with them, other than tell whether or not the packet was signed with the one you have (i.e. you can't tell what secret was used to sign a packet, only that it does or doesn't match yours). Be interesting to know if you could run this test outside FreeRADIUS (i.e. "Here's a packet, does it have a valid signature?").

There's another guy on the list at the moment, who also has problems with "Invalid Signature" - but he's also battling port number problems as well...

-Kp
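The "here's a packet, does it have a valid signature?" test asked for above can be run outside FreeRADIUS, because RFC 2866 defines the Accounting-Request authenticator as MD5 over the packet header, sixteen zero bytes, the attributes and the shared secret; "Invalid shared secret" on the server just means that MD5, computed with the server's secret, differs from the 16 bytes the client sent. The block below is an added example in Python, not FreeRADIUS code or anything from the thread. The sample packet, the NAS address and both secrets are constructed for it. It builds an Accounting-Request with one secret, checks it with the right and a wrong one, and tries a captured packet against a list of candidate secrets; as the reply notes, each candidate can only be confirmed or rejected, the secret itself cannot be read back out of the packet.

```python
"""Verify a RADIUS Accounting-Request authenticator against a shared secret.

Added example, not FreeRADIUS code. RFC 2866 section 3 defines the
Accounting-Request authenticator as
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
so "Invalid shared secret" on the server means the MD5 computed with the
server's secret differs from the 16 bytes the client sent. The sample
packet, NAS address and both secrets below are constructed for the example.
"""
import hashlib
import hmac
import struct

ACCT_REQUEST = 4
ACCT_RESPONSE = 5


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_request(identifier, attrs, secret):
    """Build an Accounting-Request whose authenticator is correct for `secret`."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def check_acct_request(packet, secret):
    """True if the packet's authenticator was computed with `secret`.

    This can only confirm or reject one candidate secret; it cannot
    recover the secret the peer actually used.
    """
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_acct_response(request, secret):
    """Accounting-Response: MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + auth


def try_secrets(packet, candidates):
    """Return the first candidate secret that validates `packet`, else None.

    Useful on a tcpdump capture: feed it the configured secret plus the
    usual near-misses (trailing whitespace, wrong case, an old value).
    """
    for secret in candidates:
        if check_acct_request(packet, secret):
            return secret
    return None


# Constructed sample: Accounting-Request (Start) for user "test".
SAMPLE_ATTRS = [
    encode_attr(1, b"test"),                   # User-Name
    encode_attr(4, bytes([192, 168, 0, 1])),   # NAS-IP-Address
    encode_attr(40, struct.pack("!I", 1)),     # Acct-Status-Type = Start
    encode_attr(44, b"0000001a"),              # Acct-Session-Id
]
NAS_SECRET = b"secret-on-the-nas"        # placeholder: what the peer configured
SERVER_SECRET = b"secret-on-the-server"  # placeholder: what clients.conf has


def classify(packet, secret):
    """The server-side verdict for one packet and one secret."""
    return "ok" if check_acct_request(packet, secret) else "invalid shared secret"


if __name__ == "__main__":
    pkt = build_acct_request(0x2A, SAMPLE_ATTRS, NAS_SECRET)
    print(classify(pkt, NAS_SECRET))       # ok
    print(classify(pkt, SERVER_SECRET))    # invalid shared secret
    print(try_secrets(pkt, [SERVER_SECRET, NAS_SECRET + b" ", NAS_SECRET]))
```

To use it on a real capture, replace `pkt` with the UDP payload of one accounting packet from the dump and pass `try_secrets` the secret from clients.conf plus any variants you suspect; a match from only a trailing-space or case variant is a strong hint about what the other side really has configured.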
Re: No. of MySQL connections?
--On 25 October 2002 11:40 +0300 Kostas Kalevras <[EMAIL PROTECTED]> wrote:

>> With that in mind, a limit of 100 connections seems to be a little
>> high? - I'm just checking 100 isn't an outrageous number for max_servers
>> of 32, and with the loading on the system.
>
> Having more sql connections than threads will not gain you much, each
> thread will use just one sql connection at a time. There is a bug which
> has been fixed in the current cvs which most probably is the reason of
> your server crashes. So try upgrading to the latest cvs.

I didn't think it would - hence the check :) - I'll go checkout the cvs version.

Thanks & Regards,

-Karl
No. of MySQL connections?
Hi All,

I'm running FreeRADIUS 0.7.1 under FreeBSD 4.6. I'm also using MySQL as a source for the radius details.

Recently, the server has kept dying at random points in the day - which we tracked down to it running out of MySQL socket connections. So, we doubled the number of connections it could have (from, admittedly, the default 10 to 20). It still ran out, so we doubled it again to 40, it still ran out - so, we've now set it to 100.

Does anyone have any recommendations for a value for this? [I can hear the cries of 'how busy is the server?' :)] - the server handles about 20-30 thousand auth requests a day; according to some quick checks, its peak 'rate' seems to be about 5 requests a second.

radiusd.conf now sets max_requests to 1024, max_servers = 32, min_spare_servers = 3 and max_spare_servers = 10.

With that in mind, a limit of 100 connections seems to be a little high? - I'm just checking 100 isn't an outrageous number for max_servers of 32, and with the loading on the system.

-Karl Pielorz
RE: Vendor-Specific reply? - editing the dictionary files - the right thing to do? - solved
--On 28 August 2002 08:00 -0500 "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:

>> Thinking I was doing the right thing - I edited the
>> dictionary.cisco and commented out the Attribute #26 already in there
>> ("h323-call-origin") - which I renamed as 'tdxtest'.
>
> I'm not sure about your second question, but we certainly have had no
> troubles editing the dictionary files. You might send your additions to
> Alan and/or the maintainers of the dictionaries (they may list themselves
> in the file header) so you don't have to edit things every time you
> reinstall.

Just a quick note to say this was resolved. It wasn't FreeRADIUS messing things up, or failing to perform - it was basically confusing documentation from the 3rd party...

> Yes.
>
> There = indicates direction "over there"
> Their = indicates possession "their system" (see above)
> They're = contraction of "they are"

As a consolation, I'll try to correct my abuse of there/their/they're in the future :)

Regards,

-Karl
Vendor-Specific reply? - editing the dictionary files - the right thing to do?
Hi All,

We're happily using FreeRADIUS under FreeBSD - recently, I've been asked to set up a vendor-specific reply for some of our users.

I've been asked to send a Vendor 0x9 (Cisco) Attribute #26 Type 0x1 reply, with a specific value which the remote system will use.

Thinking I was doing the right thing - I edited the dictionary.cisco and commented out the Attribute #26 already in there ("h323-call-origin") - which I renamed as 'tdxtest'.

Is this the correct (or one correct?) way to do things? - How do I (or do I need to) specify the "Attribute Type" of 0x1 - I have a hunch this is what the 'string' bit does.

In the RADIUS reply we send, I now include an attribute called 'tdxtest' - with the value they require, and I've told FreeRADIUS that the NAS it's talking to is 'cisco' (in the clients.conf by specifying "vendor = cisco" for their IP's).

The remote side say they get a Vendor 0x9 (Cisco) attribute #26 - but they're system says it's a bad attribute.

Anyone got any pointers / suggestions?

Regards,

-Karl
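What "Vendor 0x9 Attribute #26 Type 0x1" means on the wire is laid out in RFC 2865 section 5.26: attribute 26 is Vendor-Specific, and its value carries a 4-byte Vendor-Id (9 for Cisco) followed by a vendor-type, a vendor-length and the value. In FreeRADIUS's dictionary.cisco, vendor-type 1 is Cisco-AVPair and vendor-type 26 is h323-call-origin. The block below is an added example in Python, not FreeRADIUS code or anything from the thread: it encodes and decodes such an attribute and names it from a two-entry dictionary, with length checks on both layers. The attribute values are made up for the example, and only one sub-attribute per VSA is handled.

```python
"""Encode and decode RADIUS Vendor-Specific attributes (RFC 2865 section 5.26).

Added example (Python), not FreeRADIUS code. Layout on the wire:

    Type=26 | Length | Vendor-Id (4 bytes, high octet 0) | Vendor-Type | Vendor-Length | Value

Cisco's vendor id is 9. In FreeRADIUS's dictionary.cisco vendor-type 1 is
Cisco-AVPair and vendor-type 26 is h323-call-origin; the names below come
from that file, the attribute values are made up for the example. Only one
sub-attribute per VSA is handled here.
"""
import struct

VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9

# Minimal dictionary: (vendor_id, vendor_type) -> name.
VSA_NAMES = {
    (VENDOR_CISCO, 1): "Cisco-AVPair",
    (VENDOR_CISCO, 26): "h323-call-origin",
}


def encode_vsa(vendor_id, vendor_type, value):
    """Return one Vendor-Specific attribute carrying a single sub-attribute."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type out of range")
    if vendor_id > 0xFFFFFF:
        raise ValueError("vendor id must fit in 3 octets (high octet is 0)")
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    payload = struct.pack("!I", vendor_id) + sub
    if len(payload) + 2 > 255:
        raise ValueError("VSA too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(payload) + 2) + payload


def decode_attrs(data):
    """Split a raw attribute blob into (type, value) pairs, checking lengths."""
    out = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def decode_vsa(value):
    """Parse the value of a type-26 attribute into (vendor_id, vendor_type, bytes)."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    if value[0] != 0:
        raise ValueError("high octet of Vendor-Id must be 0")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen < 2 or 4 + vlen > len(value):
        raise ValueError("bad vendor length")
    return vendor_id, vtype, value[6:4 + vlen]


def describe(data):
    """Human-readable attribute list, resolving known Cisco VSAs by name."""
    names = []
    for atype, value in decode_attrs(data):
        if atype == VENDOR_SPECIFIC:
            vendor_id, vtype, v = decode_vsa(value)
            name = VSA_NAMES.get((vendor_id, vtype), f"Vendor-{vendor_id}-Attr-{vtype}")
            names.append(f"{name} = {v.decode('ascii', 'replace')!r}")
        else:
            names.append(f"Attr-{atype} = {value!r}")
    return names


if __name__ == "__main__":
    wanted = encode_vsa(VENDOR_CISCO, 1, b"tdx=example")    # vendor-type 1
    renamed = encode_vsa(VENDOR_CISCO, 26, b"answer")       # vendor-type 26
    print(wanted.hex(), describe(wanted))
    print(renamed.hex(), describe(renamed))
```

Feeding the raw attribute bytes of a reply (from tcpdump or radiusd -x) to describe() tells you which vendor-type actually went out, which is the first thing to check when a peer reports a "bad attribute".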
Re: FreeBSD 4.6R / freeradius 0.6 - 'Bus Error'? (sorry, flakey details)
--On 18 July 2002 11:03 -0400 Alan DeKok <[EMAIL PROTECTED]> wrote:

> Karl Pielorz <[EMAIL PROTECTED]> wrote:
>> rlm_sql: Reserving sql socket id: 29
>> rlm_sql: Released sql socket id: 29
>> Bus error
>
> Hmm... that doesn't sound good. Maybe the memory on the system is
> dying?

The system's got ECC throughout (it's an HP Netserver) - so I don't think it could be the memory (it's set to halt on ECC error AFAIK).

> Nope. If it's a software bug, I'd suggest upgrading to the latest
> CVS snapshot.

I'll try the latest CVS and see what happens... Weird thing is it's been working fine for a few weeks - though it is getting very busy now (I had to up the number of MySQL connections from 5 to 20).

-Karl
FreeBSD 4.6R / freeradius 0.6 - 'Bus Error'? (sorry, flakey details)
Hi All,

Sorry to be so flakey on details (as I'm now kicking myself for leaving out KTRACE support on the machine :)

I've had a FreeRADIUS 0.6 server running under FreeBSD 4.6R since the day 0.6 was released. All of a sudden this morning, the server keeps quitting after a very short amount of time. Running it from the command line with -x shows:

"
        Annex-Wan-Number = 2
        Annex-Logical-Channel-Number = 28
        Called-Station-Id = "314"
        Calling-Station-Id = "xx"
        X-Ascend-PPP-Async-Map = 0xf31eef846933149b0fded0a8b1954716
rlm_sql: Reserving sql socket id: 29
rlm_sql: Released sql socket id: 29
Bus error
"

This happens after the first one or two queries have been processed. Stepping back to the previous 0.5 daemon running on the machine, it seems fine.

Whilst I'm waiting for an opportunity to reboot the machine with KTRACE support et al (and figure out why I'm not getting a coredump) - anyone have any pointers - or seen similar?

Regards,

-Karl
'OR' comparison for Attributes
Hi All,

I have a FreeRADIUS (0.6) server, hooked up with MySQL. In the various tables, I have a Group Check, which basically says:

"
Called-Station-Id == 0123456789
Auth-Type := Local
Simultaneous-Use := 1
"

This works fine, but is it possible to do the equivalent of:

"Calling-Station-Id == 0123456789 -or- Calling-Station-Id == 0234567891"

i.e. if the calling station ID is one value OR another value?

Regards,

-Karl
FreeRADIUS 0.6 - Escaping '/' for SQL?
Hi All,

I just went from FreeRADIUS 0.5 to 0.6, only to find all my users being rejected...

A quick run in debug mode & looking at the changelog/cvs - I found that the '/' character in our usernames was being escaped into a 'mime encoded' equivalent. I'll confess to not knowing if '/' is special to SQL servers or not - but this change broke our previously working FreeRADIUS 0.5/MySQL 3.23.49 setup.

Simply adding '/' into the strchr() call in rlm_sql.c / sql_escape_func() did the trick (the attached patch does this).

I've posted this more as an 'in case it bites you' thing, rather than an 'I think this should be committed/fixed' thing - as our use of '/' in usernames could be dodgy in the first place :)

Regards,

-Karl

[Attachment: freeradius-0.6.patch]
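The escaping the post ran into is a whitelist: characters in a fixed safe set pass through and every other byte is rewritten as a quoted-printable style "=XX" hex pair, which is what turned the '/' in these user names into something the stored names no longer matched. The block below is an added example in Python, not the rlm_sql code and not the attached patch. The safe set it uses is an assumption chosen for the example and the radcheck rows are constructed; it shows the lookup failing and then succeeding once '/' is in the safe set, and, for contrast, what the same query does with no escaping at all. Note that the widened set still leaves '*' escaped, so a "/*" comment opener cannot be reassembled from a user name.

```python
"""Whitelist escaping of SQL query values, in the style the post describes.

Added example, not the rlm_sql code. FreeRADIUS 0.6's sql_escape_func keeps a
fixed set of safe characters and rewrites every other byte as a
quoted-printable style "=XX" hex pair (the "mime encoded" form the post ran
into). The safe set below is an assumption chosen for the example; the
table contents are constructed.
"""
import sqlite3
import string

SAFE_DEFAULT = frozenset(string.ascii_letters + string.digits + "@_.-:")
SAFE_WITH_SLASH = SAFE_DEFAULT | {"/"}   # the effect of the post's patch


def sql_escape(value, safe=SAFE_DEFAULT):
    """Escape `value` for use inside a quoted SQL literal.

    Characters outside `safe` (and '=' itself, the escape marker) become
    '=' plus the two-digit hex code of each UTF-8 byte, so quotes,
    backslashes and comment starters never reach the SQL parser as-is.
    """
    out = []
    for ch in value:
        if ch in safe and ch != "=":
            out.append(ch)
        else:
            out.extend(f"={b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def radcheck_query(username, safe=SAFE_DEFAULT):
    """The radcheck lookup from the debug output, with the name escaped."""
    return ("SELECT id,UserName,Attribute,Value,op FROM radcheck "
            f"WHERE UserName = '{sql_escape(username, safe)}' ORDER BY id")


def lookup(conn, username, safe=SAFE_DEFAULT):
    """Run the escaped query; returns the rows the server would see."""
    return conn.execute(radcheck_query(username, safe)).fetchall()


def lookup_unescaped(conn, username):
    """Same query with no escaping at all: the injectable form, for contrast."""
    query = ("SELECT id,UserName,Attribute,Value,op FROM radcheck "
             f"WHERE UserName = '{username}' ORDER BY id")
    return conn.execute(query).fetchall()


def sample_db():
    """In-memory radcheck table (constructed) with one 'realm/user' style name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radcheck (id INTEGER, UserName TEXT, Attribute TEXT, Value TEXT, op TEXT);
        INSERT INTO radcheck VALUES (1, 'acme/karl', 'Password', 'hunter2', ':=');
        INSERT INTO radcheck VALUES (2, 'test', 'Password', 'test', ':=');
    """)
    return conn


if __name__ == "__main__":
    conn = sample_db()
    print(lookup(conn, "acme/karl"))                   # [] : '/' became =2F, no match
    print(lookup(conn, "acme/karl", SAFE_WITH_SLASH))  # the row is found
    print(lookup(conn, "test' OR '1'='1"))             # [] : quote escaped, no injection
    print(lookup_unescaped(conn, "test' OR '1'='1"))   # both rows: why escaping matters
```

Whatever you add to the safe set is passed to the database verbatim, so the question to ask before each addition is whether that character can start or end a literal, a comment or a statement in your SQL dialect; '/' on its own cannot, which is why the post's patch is harmless as long as '*' stays escaped.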
Re: Freeradius 0.5 w/MySQL & MD5 passwords?
--On 30 May 2002 15:29 +0300 Kostas Kalevras <[EMAIL PROTECTED]> wrote:

> The op field should be set to ':='

I foolishly thought that the 'op' field defaulted to ':=' :(

Switching them all to ':=' has fixed the problem (as a Pascal programmer I shall hang my head in shame :)

Thanks for the help, it now appears to work fine :)

Regards,

-Karl
Re: Freeradius 0.5 w/MySQL & MD5 passwords?
--On 30 May 2002 14:12 +0300 Kostas Kalevras <[EMAIL PROTECTED]> wrote:

> You should put an entry for Auth-Type in the radgroupcheck table, not in
> the radgroupreply. Try setting the Auth-Type to MD5. Use the Password
> attribute with an MD5 encrypted password for value. Then in your
> radiusd.conf in the authenticate section do the following:
>
> authenticate {
>     authtype MD5 {
>         pap
>     }
> }
>
> Hope it helps

Hi! - Thanks for the reply, I've tried the above, but still no joy :(

I removed the 'Auth-Type' row from radgroupreply, and put an entry into radgroupcheck (as can be seen below). The debug output now says:

"
rad_recv: Access-Request packet from host 196.168.0.1:58099, id=97, length=53
        User-Name = "test"
        User-Password = "\346\022\211|>}\236\264\323e\356\253\203qC\036"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "1"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
radius_xlat: 'test'
sql_escape in: 'test'
sql_escape out: 'test'
sql_set_user: escaped user --> 'test'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Pairs do not match [test]
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound
modcall: group authorize returns ok
auth: No Auth-Type configuration for the request, rejecting the user
"

The SQL tables so far are populated with:

mysql> select * from radcheck;
+----+----------+-----------+----------------------------------+------+
| id | UserName | Attribute | Value                            | op   |
+----+----------+-----------+----------------------------------+------+
|  1 | test     | Password  | 098f6bcd4621d373cade4e832627b4f6 | NULL |
+----+----------+-----------+----------------------------------+------+

mysql> select * from radgroupcheck;
+----+-----------+-----------+-------+------+
| id | GroupName | Attribute | Value | op   |
+----+-----------+-----------+-------+------+
|  1 | my_group  | Auth-Type | MD5   | NULL |
+----+-----------+-----------+-------+------+

mysql> select * from radgroupreply;
+----+-----------+-------------------+-----------------+------+------+
| id | GroupName | Attribute         | Value           | op   | prio |
+----+-----------+-------------------+-----------------+------+------+
|  1 | my_group  | Framed-Protocol   | PPP             | NULL |    0 |
|  3 | my_group  | Framed-IP-Address | 255.255.255.254 | NULL |    0 |
+----+-----------+-------------------+-----------------+------+------+

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | test     | my_group  |
+----+----------+-----------+

(all other tables are empty)

Pertinent bits of radius.conf are:

authorize {
    preprocess
    suffix
    sql
}

authenticate {
    authtype MD5 {
        pap
    }
}
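The thread's eventual fix (in the follow-up above, the op column had to be ':=') is easy to reproduce against the tables as posted. The block below is an added example in Python with sqlite3, not FreeRADIUS code. It loads the radcheck, radgroupcheck and usergroup rows from the post with op set to ':=', runs the same two check lookups the debug output shows (with bound parameters rather than string interpolation), and then does what Auth-Type MD5 with a plain-text User-Password amounts to: hash the cleartext and compare it with the stored hex digest, 098f6bcd4621d373cade4e832627b4f6 being MD5("test"). The rule that every check row must carry ':=' is this example's own simplification, used here to make the original NULL-op tables fail visibly; it is not a statement of rlm_sql's semantics. Unsalted MD5 is shown only because that is what the thread uses; it is not an acceptable password store today.

```python
"""MD5 password check against the SQL schema used in the thread.

Added example (Python + sqlite3), not FreeRADIUS code. It loads the radcheck,
radgroupcheck and usergroup rows from the post with the op column set to ':='
(the fix from the follow-up), runs the same lookups the debug output shows,
and then does what Auth-Type MD5 with a plain-text User-Password amounts to:
hash the cleartext and compare with the stored hex digest.
098f6bcd4621d373cade4e832627b4f6 is MD5("test"). The ':='-only rule in
authenticate() is this example's own simplification, not rlm_sql semantics.
"""
import hashlib
import hmac
import sqlite3

SCHEMA_AND_ROWS = """
CREATE TABLE radcheck (id INTEGER, UserName TEXT, Attribute TEXT, Value TEXT, op TEXT);
CREATE TABLE radgroupcheck (id INTEGER, GroupName TEXT, Attribute TEXT, Value TEXT, op TEXT);
CREATE TABLE usergroup (id INTEGER, UserName TEXT, GroupName TEXT);
INSERT INTO radcheck VALUES (1, 'test', 'Password', '098f6bcd4621d373cade4e832627b4f6', ':=');
INSERT INTO radgroupcheck VALUES (1, 'my_group', 'Auth-Type', 'MD5', ':=');
INSERT INTO usergroup VALUES (1, 'test', 'my_group');
"""


def sample_db():
    """In-memory copy of the post's tables, op already corrected to ':='."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_ROWS)
    return conn


def check_items(conn, username):
    """User check items, then the group's, in the order the debug output shows.

    Parameters are bound instead of interpolated into the query text, which
    is the safe way to do what the radius_xlat lines do with a string.
    """
    items = conn.execute(
        "SELECT Attribute, Value, op FROM radcheck WHERE UserName = ? ORDER BY id",
        (username,)).fetchall()
    items += conn.execute(
        "SELECT radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.op "
        "FROM radgroupcheck, usergroup WHERE usergroup.UserName = ? "
        "AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id",
        (username,)).fetchall()
    return items


def rows_missing_op(conn):
    """(table, id) of every check row whose op is NULL, the thread's actual bug."""
    missing = []
    for table in ("radcheck", "radgroupcheck"):
        for (row_id,) in conn.execute(f"SELECT id FROM {table} WHERE op IS NULL ORDER BY id"):
            missing.append((table, row_id))
    return missing


def authenticate(conn, username, cleartext):
    """Return (accepted, reason) for a PAP request carrying `cleartext`."""
    control = {}
    for attr, value, op in check_items(conn, username):
        if op != ":=":   # example's own rule: every check row must say ':='
            return False, f"check item {attr} has op {op!r}, expected ':='"
        control[attr] = value
    if "Auth-Type" not in control:
        return False, "No Auth-Type configuration for the request"
    if control["Auth-Type"] != "MD5":
        return False, f"Auth-Type {control['Auth-Type']} not handled here"
    stored = control.get("Password")
    if stored is None:
        return False, "no Password check item"
    digest = hashlib.md5(cleartext.encode("utf-8")).hexdigest()
    if hmac.compare_digest(digest, stored.lower()):
        return True, "ok"
    return False, "Login incorrect"


if __name__ == "__main__":
    conn = sample_db()
    print(rows_missing_op(conn))                # []
    print(authenticate(conn, "test", "test"))   # (True, 'ok')
    print(authenticate(conn, "test", "wrong"))  # (False, 'Login incorrect')
```

rows_missing_op() is the query worth running against a real radcheck/radgroupcheck before anything else: a NULL in op is invisible in the debug output, which only shows the SELECT and then "Pairs do not match".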
Freeradius 0.5 w/MySQL & MD5 passwords?
Hi All,

I've been trying to get FreeRADIUS 0.5-Release to use both MySQL and MD5 passwords... I've gotten enough working to let me use plaintext passwords from the MySQL database, but I'm struggling to get MD5 passwords working.

In my radius.conf I've got the following set (I won't post the whole thing unless someone thinks it's really relevant :)

pap {
    enryption_scheme = md5
}

authorize {
    preprocess
    sql
    suffix
}

authenticate {
    pap
}

I've got an entry in the radgroupreply table that sets Auth-Type to "System" for my test account. In the radcheck table, if I use the attribute "Password" and give it a plain text password, it works fine. I'm not sure if I should keep using this for MD5, or switch to using 'Crypt-Password' (which sounds more applicable).

The debug output below is when I'd put a password in the 'Crypt-Password' field with Crypt-Password set to "MD5('test')". I'm a bit concerned about the "auth: type Crypt" in the output, as being a possible problem :(

Thanks for any info / pointers :)

-Karl

--- Debug output from radiusd says:

rad_recv: Access-Request packet from host 192.168.0.1:58060, id=253, length=53
        User-Name = "test"
        User-Password = "\237Q\221\224!\255\tAU\221\354\022t"\277\351"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "1"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
radius_xlat: 'test'
sql_escape in: 'test'
sql_escape out: 'test'
sql_set_user: escaped user --> 'test'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
radius_xlat: 'SELECT Value,Attribute FROM radcheck WHERE UserName = 'test' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok
  modcall[authorize]: module "suffix" returns ok
modcall: group authorize returns ok
auth: type Crypt
auth: Failed to validate the user.
Login incorrect: [test/test] (from nas UNKNOWN-NAS port 0)
Sending Access-Reject of id 253 to 192.168.0.1:58060