RE: Airport Extreme , WPA Enterprise and LEAP
My mistake, thanks for clarifying Andreas. I'm just jumping into all this and it's been a lot to take in in a very short period of time. Ideally I was after the encryption of WPA and the simple yet secure user authentication offered by LEAP and freeradius without the complications of cert management. As you point out though, they are mutually exclusive. Anyhow, thanks again for all the help, it's much appreciated.

Sean.

-----Original Message-----
From: Andreas Wolf [mailto:[EMAIL PROTECTED]]
Sent: December 4, 2003 3:50 PM
To: [EMAIL PROTECTED]
Subject: Re: Airport Extreme , WPA Enterprise and LEAP

On Dec 4, 2003, at 1:31 PM, Sean Page wrote:

> Ah, well, that's surprising. All the documentation and config screens
> seem to indicate that LEAP is supported.

No, if you read the documentation you'll find that LEAP is not supported in WPA and LEAP (it cannot work as WPA and LEAP are inherently incompatible). Even without WPA, LEAP is not supported on the Base Station side, i.e. it only works with Cisco Access Points (LEAP is a Cisco thing). What is supported is to use LEAP on the MacOS X _client_ with a third party access point that supports LEAP.

Anyway, if you have WPA, why bother with a proprietary protocol?

-Andreas

> I hadn't really wanted to muck about with certs and cert management,
> but, what the heck. This looks like a great how-to, I'll give it a shot
> tonight and see how it works out.
> Thanks Andreas, much appreciated!
>
> Sean.
>
> -----Original Message-----
> From: Andreas Wolf [mailto:[EMAIL PROTECTED]]
> Sent: December 3, 2003 5:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Airport Extreme , WPA Enterprise and LEAP
>
> On Dec 3, 2003, at 3:20 PM, Sean Page wrote:
>
>> Hi,
>>
>> First of all let me start with the standard "I am new to RADIUS, be
>> patient with me" disclaimer. :)
>> I'm trying to get WPA Enterprise LEAP support running using AirPort
>> Extreme, FreeRADIUS v0.9.2 on FreeBSD 4.9p1
>
> WPA Enterprise does not support LEAP, at least not with AirPort Extreme.
>
>> When I try to authenticate, the wireless client machine times out and
>> no authentication occurs.
>> It looks to me like the radius server is behaving properly, but I
>> might be blindly missing something, perhaps someone can give me a hand.
>
> AirPort Extreme's WPA implementation supports the following EAP types:
> TLS, TTLS and PEAP.
> So I don't know if you depend on WPA Enterprise or LEAP. If you need
> LEAP then I think you need a different Access Point (NAS).
> If you need WPA Enterprise then you can find an example WPA Enterprise
> configuration of freeRADIUS at:
>
> http://homepage.mac.com/andreaswolf/public/wpaeap.html#radiusd.conf
>
> It also contains info on how to configure your AirPort Extreme.
>
> -Andreas
>
>> Second question, do I need to manually set a timeout on the radius
>> server for key expiry?
>> Any help would be greatly appreciated.
>>
>> Thanks
>> Sean.
>>
>> Clients.conf:
>>
>> client 192.168.0.250 {
>>         secret = X
>>         shortname = AirWolf
>>         nastype = other
>> }
>>
>> In radiusd.conf
>>
>> Pam is commented out
>> default_eap_type = leap
>> Md5 is commented out
>> Passwd and ldap support also commented out.
>> Proxy disabled
>>
>> Users is simply:
>>
>> thewolf User-Password == "testing"
>>
>> Output from radiusd -X is as follows:
>>
>> Starting - reading configuration files ...
>> reread_config: reading radiusd.conf
>> Config: including file: /usr/local/etc/raddb/clients.conf
>> Config: including file: /usr/local/etc/raddb/snmp.conf
>> Config: including file: /usr/local/etc/raddb/sql.conf
>>  main: prefix = "/usr/local"
>>  main: localstatedir = "/var"
>>  main: logdir = "/var/log"
>>  main: libdir = "/usr/local/lib"
>>  main: radacctdir = "/var/log/radacct"
>>  main: hostname_lookups = no
>>  main: max_request_time = 30
>>  main: cleanup_delay = 5
>>  main: max_requests = 1024
>>  main: delete_blocked_requests = 0
>>  main: port = 0
>>  main: allow_core_dumps = no
>>  main: log_stripped_names = no
>>  main: log_file = "/var/log/radius.log"
>>  main: log_auth = no
>>  main: log_auth_badpass = no
>>  main: log_auth_goodpass = no
>>  main: pidfile = "/var/run/radiusd/radiusd.pid"
>>  main: bind_address = 192.
RE: Airport Extreme , WPA Enterprise and LEAP
Ah, well, that's surprising. All the documentation and config screens seem to indicate that LEAP is supported. I hadn't really wanted to muck about with certs and cert management, but, what the heck. This looks like a great how-to, I'll give it a shot tonight and see how it works out.
Thanks Andreas, much appreciated!

Sean.

-----Original Message-----
From: Andreas Wolf [mailto:[EMAIL PROTECTED]]
Sent: December 3, 2003 5:08 PM
To: [EMAIL PROTECTED]
Subject: Re: Airport Extreme , WPA Enterprise and LEAP

On Dec 3, 2003, at 3:20 PM, Sean Page wrote:

> Hi,
>
> First of all let me start with the standard "I am new to RADIUS, be
> patient with me" disclaimer. :)
> I'm trying to get WPA Enterprise LEAP support running using AirPort
> Extreme, FreeRADIUS v0.9.2 on FreeBSD 4.9p1

WPA Enterprise does not support LEAP, at least not with AirPort Extreme.

> When I try to authenticate, the wireless client machine times out and
> no authentication occurs.
> It looks to me like the radius server is behaving properly, but I
> might be blindly missing something, perhaps someone can give me a hand.

AirPort Extreme's WPA implementation supports the following EAP types: TLS, TTLS and PEAP.
So I don't know if you depend on WPA Enterprise or LEAP. If you need LEAP then I think you need a different Access Point (NAS).
If you need WPA Enterprise then you can find an example WPA Enterprise configuration of freeRADIUS at:

http://homepage.mac.com/andreaswolf/public/wpaeap.html#radiusd.conf

It also contains info on how to configure your AirPort Extreme.

-Andreas

> Second question, do I need to manually set a timeout on the radius
> server for key expiry?
> Any help would be greatly appreciated.
>
> Thanks
> Sean.
>
> Clients.conf:
>
> client 192.168.0.250 {
>         secret = X
>         shortname = AirWolf
>         nastype = other
> }
>
> In radiusd.conf
>
> Pam is commented out
> default_eap_type = leap
> Md5 is commented out
> Passwd and ldap support also commented out.
> Proxy disabled
>
> Users is simply:
>
> thewolf User-Password == "testing"
>
> Output from radiusd -X is as follows:
>
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
>  main: prefix = "/usr/local"
>  main: localstatedir = "/var"
>  main: logdir = "/var/log"
>  main: libdir = "/usr/local/lib"
>  main: radacctdir = "/var/log/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/var/log/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/var/run/radiusd/radiusd.pid"
>  main: bind_address = 192.168.0.1 IP address [192.168.0.1]
>  main: user = "(null)"
>  main: group = "(null)"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/local/sbin/checkrad"
>  main: proxy_requests = no
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = no
>  main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> Using deprecated clients file. Support for this will go away soon.
> read_config_files: reading realms
> Using deprecated realms file. Support for this will go away soon.
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
>  pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
>  mschap: use_mppe = yes
>  mschap: require_encryption = no
>  mschap: require_strong = no
>  mschap: passwd = "(null)"
>  mschap: authtype = "MS-CHAP"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
>  unix: cache = no
>  unix: passwd = "(null)"
>  unix: shadow =
Airport Extreme , WPA Enterprise and LEAP
Hi,

First of all let me start with the standard "I am new to RADIUS, be patient with me" disclaimer. :)
I'm trying to get WPA Enterprise LEAP support running using AirPort Extreme, FreeRADIUS v0.9.2 on FreeBSD 4.9p1

When I try to authenticate, the wireless client machine times out and no authentication occurs.
It looks to me like the radius server is behaving properly, but I might be blindly missing something, perhaps someone can give me a hand.

Second question, do I need to manually set a timeout on the radius server for key expiry?
Any help would be greatly appreciated.

Thanks
Sean.

Clients.conf:

client 192.168.0.250 {
        secret = X
        shortname = AirWolf
        nastype = other
}

In radiusd.conf

Pam is commented out
default_eap_type = leap
Md5 is commented out
Passwd and ldap support also commented out.
Proxy disabled

Users is simply:

thewolf User-Password == "testing"

Output from radiusd -X is as follows:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: bind_address = 192.168.0.1 IP address [192.168.0.1]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "leap"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radutmp"
 radutmp: username = "%{User-Name}
Re: seeking a tool to graph radius logs
[EMAIL PROTECTED] wrote:

> Try mrtg... It allows you to issue one command that produces a number.
> I use radwho -r | grep (server IP) | wc -l... This number is filed and
> I have the script run every five minutes. MRTG is the way to go...

Interesting idea. However, we would also like a calendar style output (wish I knew the real name for this style of chart). It has the hours along the top and each user as a row. The columns are colored in boxes so you can see trends where say the 11 - 2 period everyone is on.

The mrtg idea is great for seeing how many people use it, how much data they transfer, etc.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
seeking a tool to graph radius logs
We would like to have a graph of our Radius log which displays the hours people use the server.

Is anyone aware of any (preferably open source) tools that generate graphs from Radius logs? My initial google searches have not turned up much. radius + graph has lots of mis-hits.
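The chart asked for in this thread (hours across the top, one row per user, a filled cell where that user was online) can be built from FreeRADIUS's own accounting detail file rather than from a graphing tool. The script below is an added example, not a tool from the list or from the FreeRADIUS project. It assumes the default rlm_detail record layout (an unindented timestamp line, one indented `Attribute = Value` line per attribute, a blank line between records) and reconstructs each session from its Stop record alone, since `Acct-Session-Time` gives the start time without pairing Start and Stop by `Acct-Session-Id`. The records in `SAMPLE_DETAIL` are constructed sample data. Keep in mind the detail file holds usernames and NAS addresses, so any reporting copy of it needs the same file permissions as the original (`detailperm = 384` in the debug output above is 0600).

```python
"""Per-user hour-of-day usage grid from a FreeRADIUS accounting detail file.

Added example, not from the list thread.  Record layout assumed: the default
rlm_detail format.  SAMPLE_DETAIL is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

TS_FMT = "%a %b %d %H:%M:%S %Y"               # e.g. "Wed Jul 16 13:47:30 2003"
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")

SAMPLE_DETAIL = """\
Wed Jul 16 09:02:11 2003
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tAcct-Session-Id = "0001"
\tNAS-IP-Address = 192.168.0.250

Wed Jul 16 13:47:30 2003
\tAcct-Status-Type = Stop
\tUser-Name = "alice"
\tAcct-Session-Id = "0001"
\tAcct-Session-Time = 17119
\tNAS-IP-Address = 192.168.0.250

Wed Jul 16 11:30:00 2003
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tAcct-Session-Id = "0002"
\tAcct-Session-Time = 1800

Thu Jul 17 00:20:00 2003
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tAcct-Session-Id = "0003"
\tAcct-Session-Time = 3000
"""


def parse_detail(text):
    """Return a list of (timestamp, {attribute: value}) records."""
    records, ts, attrs = [], None, {}
    for line in text.splitlines():
        if not line.strip():                     # blank line closes a record
            if ts is not None:
                records.append((ts, attrs))
            ts, attrs = None, {}
        elif line[0].isspace():                  # indented: attribute line
            m = ATTR_RE.match(line)
            if m and ts is not None:
                attrs[m.group(1)] = m.group(2).strip().strip('"')
        else:                                    # unindented: record timestamp
            ts = datetime.strptime(line.strip(), TS_FMT)
    if ts is not None:
        records.append((ts, attrs))
    return records


def sessions(records):
    """(user, start, end) per Stop record; start = end - Acct-Session-Time."""
    out = []
    for ts, a in records:
        if a.get("Acct-Status-Type") == "Stop":
            secs = int(a.get("Acct-Session-Time", "0"))
            out.append((a.get("User-Name", "<unknown>"), ts - timedelta(seconds=secs), ts))
    return out


def hours_touched(start, end):
    """Hour-of-day values (0-23) during which [start, end) was active.
    Sessions crossing midnight simply mark hours on both sides of it."""
    hours, t = set(), start.replace(minute=0, second=0, microsecond=0)
    while t < end:
        hours.add(t.hour)
        t += timedelta(hours=1)
    return hours


def usage_grid(text):
    """user -> set of hours of day with at least one active session."""
    grid = defaultdict(set)
    for user, start, end in sessions(parse_detail(text)):
        grid[user] |= hours_touched(start, end)
    return dict(grid)


def users_per_hour(grid):
    """hour -> number of distinct users online; shows the 'everyone is on' band."""
    return {h: sum(1 for hours in grid.values() if h in hours) for h in range(24)}


def render(grid):
    """Text version of the chart: hours across the top, one row per user."""
    width = max((len(u) for u in grid), default=4)
    lines = [" " * width + " " + "".join(str(h % 10) for h in range(24))]
    for user in sorted(grid):
        cells = "".join("#" if h in grid[user] else "." for h in range(24))
        lines.append(user.ljust(width) + " " + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    g = usage_grid(SAMPLE_DETAIL)
    print(render(g))
    counts = users_per_hour(g)
    print("busiest hour:", max(counts, key=counts.get))
```

Run it against a real file with `usage_grid(open(path).read())`; the per-day files under `/var/log/radacct/<NAS>/detail-YYYYMMDD` (the `detailfile` path in the debug output above) can be concatenated first, since the parser only needs blank-line-separated records.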
Re: Problems authenticating with mpd, MSCHAPv2
Damian Gerow wrote:

> If I change the mpd configuration to use PAP instead of CHAP, I get
> authentication success, but then there's some weirdness going on on the
> mpd side of things that I'm also trying to figure out.
>
> Even though rlm_chap complains about not being able to find a proper
> Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response
> right in the packet debug.

As I was told recently, you can't get there from here. There is currently no way to authenticate via CHAP against a Windows domain from Linux. Alan explains this in the thread I started last week.

The best possibility I have found is using a radius relay and a Windows based radius server like Internet Authentication Service which comes with win2k server. Haven't tried to get it to work yet, but it is the most likely way to get it working.
Re: help with freeradius 0.9.0, Active Directory, and MS-CHAPv2
Paul Hampson wrote:

>> Yet, somehow, IAS does CHAP against AD. Is anyone willing to bet *against*
>> the idea that Microsoft has one API for customers, and another, better API
>> for themselves?
>
> So surely you could proxy CHAP requests to IAS, and authenticate other
> requests using the superior powers of FreeRADIUS. You'd end up with a
> post-proxy section that looks a lot like your post-auth section.
>
> I'm probably terribly terribly wrong here, but to my mind you _should_ be
> able to. After all, MS _have_ supplied a RADIUS interface to the passwords
> on the server, which seems an improvement over having to write the W32API
> authentication calls yourself.

In my case I am ONLY using Radius for our VPN and do not really expect this to change. While I would like to use freeradius it does not make much sense to do so. For others your suggestion probably makes more sense.
Re: help with freeradius 0.9.0, Active Directory, and MS-CHAPv2
Alan DeKok wrote:

> Sean Perry <[EMAIL PROTECTED]> wrote:
>>> Not with CHAP. AD doesn't allow you to look at the users clear-text
>>> passwords, so CHAP is impossible.
>>
>> I have solved this in other cases by using the password to rebind as the
>> user. If the bind fails the password is incorrect. What I have not seen
>> is a way to get the password out of CHAP. Is this a viable solution??
>
> No. As I had said above, it's impossible.

Thanks Alan. When I started this project it looked like all of the pieces were there. Now the next person will be able to find this thread and know about the issues.

Looks like I am going to try the IAS authentication approach and see how it works.
Re: help with freeradius 0.9.0, Active Directory, and MS-CHAPv2
Alan DeKok wrote:

> Sean Perry <[EMAIL PROTECTED]> wrote:
>> I am trying to setup a Linux VPN. Most of the pieces are now in place.
>> I am trying to authenticate against radius which in turn will
>> authenticate against our existing Active Directory server.
>
> People have done this. To a certain extent, AD is just another LDAP
> server.

Yeah, I have it working in other applications like apache so I know it can be done.

>> Looking through the archives I see several people try but no real
>> responses. Ron Wahler claims to have Active Directory working but he
>> was not using chap. Is this possible?
>
> Not with CHAP. AD doesn't allow you to look at the users clear-text
> passwords, so CHAP is impossible.

I have solved this in other cases by using the password to rebind as the user. If the bind fails the password is incorrect. What I have not seen is a way to get the password out of CHAP. Is this a viable solution??

> Yet, somehow, IAS does CHAP against AD. Is anyone willing to bet *against*
> the idea that Microsoft has one API for customers, and another, better API
> for themselves?

It is not entirely unreasonable to believe they have a CHAP --> Kerberos interface. But I agree with you, they definitely make life harder for the rest of us.
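The point Alan makes in this thread, that a directory which only lets you bind cannot verify CHAP while a rebind works fine for PAP, is easier to see with the arithmetic in front of you. The following is an added example, not code from the thread or from FreeRADIUS. The CHAP computation is RFC 1994 (Response = MD5(Identifier || Secret || Challenge)) and the attribute layout follows RFC 2865 section 5.3 (CHAP-Password is one ident byte followed by the 16-byte response; CHAP-Challenge carries the challenge, and when it is absent the Request Authenticator serves as the challenge). The two password stores are constructed stand-ins for the `users` file and for AD over LDAP, not real LDAP code. The same problem applies to MS-CHAPv2, which needs the NT hash (MD4 of the UTF-16LE password) rather than the clear text, and AD does not hand that out over LDAP either.

```python
"""Why CHAP needs the clear-text password on the server and PAP does not.

Added example, not from the thread.  RFC 1994 CHAP, RFC 2865 5.3 attribute
layout.  ClearTextStore and BindOnlyDirectory are constructed models.
"""
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: the peer computes MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_access_request(user: str, secret: bytes, challenge: bytes, ident: int = 1) -> dict:
    """Constructed Access-Request as a NAS would forward a CHAP login."""
    return {
        "User-Name": user,
        "CHAP-Password": bytes([ident]) + chap_response(ident, secret, challenge),
        "CHAP-Challenge": challenge,
    }


def pap_access_request(user: str, secret: bytes) -> dict:
    """PAP: the request carries the password itself (hidden on the wire with
    the shared secret, but clear once the RADIUS server decodes it)."""
    return {"User-Name": user, "User-Password": secret}


class ClearTextStore:
    """Model of the 'users' file or a readable LDAP userPassword: the server
    can fetch the secret, so it can recompute a CHAP response."""

    def __init__(self, creds: dict):
        self._creds = creds

    def cleartext(self, user: str):
        return self._creds.get(user)

    def bind(self, user: str, password: bytes) -> bool:
        stored = self._creds.get(user)
        return stored is not None and hmac.compare_digest(stored, password)


class BindOnlyDirectory:
    """Model of AD over LDAP: the only primitive is 'does user+password bind?'.
    Deliberately no method that returns a stored password."""

    def __init__(self, creds: dict):
        self._creds = creds

    def bind(self, user: str, password: bytes) -> bool:
        stored = self._creds.get(user)
        return stored is not None and hmac.compare_digest(stored, password)


def authenticate(request: dict, store) -> tuple:
    """Return (accepted, reason).  PAP can use bind(); CHAP needs cleartext()."""
    user = request["User-Name"]
    if "User-Password" in request:
        return store.bind(user, request["User-Password"]), "pap: rebind as the user"
    if "CHAP-Password" in request:
        attr = request["CHAP-Password"]
        if len(attr) != 17:                      # 1 ident byte + 16-byte MD5
            return False, "chap: malformed CHAP-Password"
        fetch = getattr(store, "cleartext", None)
        secret = fetch(user) if fetch else None
        if secret is None:
            # A bind needs a password to try; the request only holds an MD5
            # digest, so nothing the directory offers can check it.
            return False, "chap: store cannot supply the clear-text password"
        ident, response = attr[0], attr[1:]
        expected = chap_response(ident, secret, request["CHAP-Challenge"])
        return hmac.compare_digest(expected, response), "chap: recomputed from cleartext"
    return False, "no password attribute"


if __name__ == "__main__":
    challenge = bytes(range(16))                 # constructed; a NAS uses random octets
    users_file = ClearTextStore({"alice": b"s3cret"})
    active_dir = BindOnlyDirectory({"alice": b"s3cret"})
    print(authenticate(chap_access_request("alice", b"s3cret", challenge), users_file))
    print(authenticate(pap_access_request("alice", b"s3cret"), active_dir))
    print(authenticate(chap_access_request("alice", b"s3cret", challenge), active_dir))
```

The third call is the situation in this thread: a valid CHAP login that the server has no way to confirm, so the only honest outcome is a reject. Proxying to IAS, as the thread ends up suggesting, works because IAS runs inside the domain and is not limited to an LDAP bind.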
help with freeradius 0.9.0, Active Directory, and MS-CHAPv2
I am trying to setup a Linux VPN. Most of the pieces are now in place. I am trying to authenticate against radius which in turn will authenticate against our existing Active Directory server.

Looking through the archives I see several people try but no real responses. Ron Wahler claims to have Active Directory working but he was not using chap. Is this possible?
Re: problem with radiusclient plugin from pppd 2.4.2b3
Alan DeKok wrote:

> Sean Perry <[EMAIL PROTECTED]> wrote:
>> Problem 1) the radiusclient will not compile out of the box for me. I
>> have hand hacked my makefile so it compiles all of the .c files into
>> the .so. The default makefile blows up trying to run autoheader.
>
> That's what 'configure' is for. The *developer* is supposed to run
> autoheader & autoconf, to create 'configure'. The average user should
> NEVER run 'autoheader'.

Which is what confused me. It has a configure script, which runs and then the make process tries to run it again. The m4 files apparently are too far out of date for recent aclocal and friends so I could not easily fix them.

>> Problem 2) ok, so I got it compiled. Now when I try to connect pppd
>> segfaults. I can not figure out a way to diagnose this. I tried
>> replacing pppd with this:
>>
>> ulimit -c unlimited
>> /usr/sbin/pppd.real "$@"
>> exit $?
>>
>> but I still did not get a core.
>
> Run pppd by hand, inside of gdb. PPPd is probably changing UID's, in
> which case the kernel won't allow it to core dump.

I was trying to setup a pptp config with poptop, not sure how to test the pppd by hand. Do you have any pointers? Other websites, howtos, etc welcomed.
problem with radiusclient plugin from pppd 2.4.2b3
I am trying to setup pptp to use pppd 2.4.2b3 and radius authentication. Currently I am using RH8, but I am not tied to it, RH9 is a possibility if things "just work".

Problem 1) the radiusclient will not compile out of the box for me. I have hand hacked my makefile so it compiles all of the .c files into the .so. The default makefile blows up trying to run autoheader. (I know, not freeradius's fault, but maybe one of you has seen it)

Problem 2) ok, so I got it compiled. Now when I try to connect pppd segfaults. I can not figure out a way to diagnose this. I tried replacing pppd with this:

ulimit -c unlimited
/usr/sbin/pppd.real "$@"
exit $?

but I still did not get a core.

Problem 2b) I thought maybe the radius plugin was a bad idea so I grabbed the pam radius module. However I can not get pppd to start because it wants pap/chap info and what not. All of this info should be coming from ldap (Active Directory) via PAM.

The plus side is I had no problem getting freeradius built and setup (-: Using radtest I can login with my active directory account which is part of why I wanted radius in the first place. The other is logging.

Sorry if this is too far off topic; the archives had other people seeking pppd + radius help. If you know a better list, please tell me.
Re: Linux Support
Can't you use PAM? The pam stuff works, it just wouldn't do quite what I needed to do with it.

On Mon, 18 Aug 2003, Adam Carmichael wrote:

> One idea (MCSE in training and I prefer FreeBSD *grin*):
>
> Active Directory uses LDAP. FreeRADIUS can use LDAP data sources can't it?
> Failing that, script something up to import LDAP data into MySQL and cron
> it (or Scheduled Tasks, ymmv), then get FreeRADIUS to authenticate against
> MySQL.
>
> Good luck
>
> Adam
>
> Adam Carmichael
> Network Operations Manager
> email: [EMAIL PROTECTED]
> web: http://www.no1.com.au
> icq: 2207644
>
> #1 Computer Services, Empowerment Through Internet Communications.
>
> ----- Original Message -----
> From: arniel
> To: [EMAIL PROTECTED]
> Sent: Monday, August 18, 2003 4:21 PM
> Subject: Fw: Linux Support
>
> Hi Everyone,
>
> Good Day!
>
> Just want to ask how or is it possible using FreeRadius to get my users
> to authenticate to the NT Domain Controller (DC)?
>
> As far as our simulation is concerned, our clients are issued a client
> certificate which is generated from our Linux Server. Client certificates
> are also installed in every workstation; without the certification
> wireless clients can't access the network. So far at this point we made
> it work but right now we want the clients to authenticate also to our
> Domain Controller. This is where we are having our problem, I am not sure
> how to instruct my FreeRadius to get or ask some username and password to
> the domain controller (DC) for validation. Is there a way FreeRadius and
> a Domain Controller could communicate to each other for authentication?
> Our expected clients are Windows XP and Windows 2000 Professional.
>
> Thank you very much in advance and we are awaiting your favorable reply.
>
> Cheers,
>
> Arniel
Re: Replicator - PostgreSQL for DB backend
On Wed, 16 Jul 2003, Bernie, CTA wrote:

> We use a modified (well hacked) version of PostgreSQL Replicator
> and have experienced no significant problem.

Just out of curiosity, I am wondering why postgres looked like a better solution than an ldap based solution. LDAP is supposed to be scalable and replicable, and designed for mostly read-only data which to me is what you were looking for.

Don't get me wrong, I can also see where replicable postgres stuff would be nice and I would be interested in it for another project (that quite possibly will never get off the ground), but the first read through your requirements seemed like it was screaming ldap =)
Re: stored procedure
On Tue, 1 Jul 2003, Truong Manh Cuong wrote:

> I have to change to postgresql because I want to update amount of money
> into database each time user logout. I use trigger and stored procedure.
> How can I do it with mySQL ?

I don't think you can with MySQL.

> how to rebuild radius that it can deal with another database server?

look at: src/modules/rlm_sql/drivers

> for example, my customer want to use MS SQL server instead of postgresSQL
> or Oracle.

Not sure why you would do this, but that's up to you.
RE: Noob: Cant compile files
It's in the rpms. The easiest way is to go back to the installer and install the developer tools. I think most of them are on 2 of the install if you want to poke around for the actual rpms. You will need a lot more than just gcc, you will need autoconf, make and a few development libs, which makes just installing the whole suite a bit easier. You should be able to re-run it on top of what you have if you select the "upgrade" IIRC (which I may not).

On Mon, 30 Jun 2003, Rob Simkins wrote:

> I downloaded RedHat Linux 9.0, but it doesn't seem to have GCC, or the
> other necessary files for compile.
>
> Can you tell me which GCC version RH 9.0 is known to work with because I
> can't for the life of me find it on their website.
>
> Thanks for any help,
>
> Rob
>
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
>>
>> "Rob Simkins" <[EMAIL PROTECTED]> wrote:
>>> I am an absolute beginner on Linux but I have unzipped FR-0.8.1 into
>>> the root directory.
>>>
>>> My 1st problem:
>>> I don't have the appropriate gcc, cc files to compile my server.
>>>
>>> Can someone please help me out?
>>
>> Umm... get GCC from the same place you got Linux?
Re: LDAP+PAM radiusd config
On Sun, 29 Jun 2003, Alan DeKok wrote:

>> but i never saw any pam libs being linked in nor can I see pam_sm*
>> functions in the code. Maybe I need a different build or a patch, I
>> pulled down the current 0.81
>
> Reading the output of 'configure' and 'make' is required in
> situations like this. Yes, it's thousands of lines of opaque garbage,
> but the answer to your questions is in there. That's why it's printed
> out.

src/modules/rlm_pam is where all the pam interface code is located. It doesn't use any pam_sm functions at all, just the pam_ functions. You should be able to go into that directory and run a make in there and see if it is building correctly; you can run make and make install in that directory and it will put stuff in the right spot for you.
Re: LDAP+PAM radiusd config
I configured --with-pam but i don't think that did any good, but i did get it working.. you need this in the radiusd.conf file and you need the other section in the users file.

pam {
        #
        #  The name to use for PAM authentication.
        #  PAM looks in /etc/pam.d/${pam_auth_name}
        #  for its configuration.
        #
        #  Note that any Pam-Auth attribute set in the 'users'
        #  file over-rides this one.
        #
        pam_auth = radiusd
}

In users file you need something like this:

DEFAULT Auth-Type := Pam
        pam-auth="radius", Fall-Through = Yes

On Sun, 29 Jun 2003, Mark van Kerkwyk wrote:

> Hi Sean, thanks for your reply. The bit I was looking for actually was the
> radiusd.conf file, which has the correct config for directing
> authorization to ldap and authentication to pam.
>
> I have just been doing some testing and i was wondering why it wasn't
> working, after an ldd and truss on the process (I am on solaris8), I
> noticed that the pam support isn't in here anyway and the truss showed it
> reading the shadow file.
>
> Am I missing something really obvious here, there isn't a pam option for
> configure that I can see, I hope I am not asking a dumb question here, but
> how do I build this with PAM support ? It looked like it was checking for
> pam .h files but i never saw any pam libs being linked in nor can I see
> pam_sm* functions in the code. Maybe I need a different build or a patch,
> I pulled down the current 0.81
>
> thanks
>
> Mark
>
> Sean <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 28/06/2003 23:26
> Please respond to [EMAIL PROTECTED]
>
> To: [EMAIL PROTECTED]
> Subject: Re: LDAP+PAM radiusd config
>
> You just want the pam piece? this needs to be radiusd, the auth-file(?)
> parameter piece is broken i think. or at least I didn't get it to work
> right..
> The first part (commented) works but it requires a local user, the second
> one works without a local user, and you will want to replace the
> pam_afs.so module with the pam_krb5.so module.
>
> [EMAIL PROTECTED] pam.d]# more radiusd
> #%PAM-1.0
> ###works but requires a local user
> #auth       required   /lib/security/pam_unix_auth.so shadow nullok
> #auth       required   /lib/security/pam_afs.so
> #auth       required   /lib/security/pam_nologin.so
> #account    required   /lib/security/pam_unix_acct.so
> #password   required   /lib/security/pam_cracklib.so
> #password   required   /lib/security/pam_unix_password.so shadow nullok use_authtok
> #session    required   /lib/security/pam_unix_session.so
>
> ##
> auth        required   /lib/security/pam_mine.so
> auth        required   /lib/security/pam_afs.so
> auth        required   /lib/security/pam_nologin.so
> account     required   /lib/security/pam_permit.so
> password    required   /lib/security/pam_permit.so
> password    required   /lib/security/pam_permit.so
> session     required   /lib/security/pam_permit.so
>
> On Sun, 29 Jun 2003, Mark van Kerkwyk wrote:
>
>> Hi, does anyone have a working radiusd.conf where both LDAP and PAM are
>> being used, LDAP for accounts/groups etc and PAM for auth to another
>> source.
>>
>> In my case I will store all credentials in LDAP but send all auth via
>> pam_krb5 to our kerberos environment. That way I have no passwords stored
>> or sent in the clear anywhere also.
>>
>> regards
>>
>> Mark
Re: LDAP+PAM radiusd config
You just want the pam piece? this needs to be radiusd, the auth-file(?) parameter piece is broken i think. or at least I didn't get it to work right..
The first part (commented) works but it requires a local user, the second one works without a local user, and you will want to replace the pam_afs.so module with the pam_krb5.so module.

[EMAIL PROTECTED] pam.d]# more radiusd
#%PAM-1.0
###works but requires a local user
#auth       required   /lib/security/pam_unix_auth.so shadow nullok
#auth       required   /lib/security/pam_afs.so
#auth       required   /lib/security/pam_nologin.so
#account    required   /lib/security/pam_unix_acct.so
#password   required   /lib/security/pam_cracklib.so
#password   required   /lib/security/pam_unix_password.so shadow nullok use_authtok
#session    required   /lib/security/pam_unix_session.so

##
auth        required   /lib/security/pam_mine.so
auth        required   /lib/security/pam_afs.so
auth        required   /lib/security/pam_nologin.so
account     required   /lib/security/pam_permit.so
password    required   /lib/security/pam_permit.so
password    required   /lib/security/pam_permit.so
session     required   /lib/security/pam_permit.so

On Sun, 29 Jun 2003, Mark van Kerkwyk wrote:

> Hi, does anyone have a working radiusd.conf where both LDAP and PAM are
> being used, LDAP for accounts/groups etc and PAM for auth to another
> source.
>
> In my case I will store all credentials in LDAP but send all auth via
> pam_krb5 to our kerberos environment. That way I have no passwords stored
> or sent in the clear anywhere also.
>
> regards
>
> Mark
Re: Red Hat Linux RPM
A spec file is simply a configuration script for building the binary into an rpm. On late RH systems you do something like

    rpmbuild -ba specfile

(I think those are the correct flags), after you put the tarball.gz file in /usr/src/redhat/SOURCES and the spec file in /usr/src/redhat/SPECS. In the /usr/src/redhat/RPMS directory you should see your rpm, which you can then install. You can edit the spec file and add/delete whatever flags you need to pass to the configure script if you need to adjust those.

Sean

On Tue, 24 Jun 2003, Dave Mason wrote:

> Hi,
> I just noticed the redhat directory and the spec file inside. What's a
> spec file? I checked the FAQ and doc directory but didn't see anything.
> I'm guessing it's input to some other tool which could be useful in a
> production environment?
>
> Dave
>
> Oliver Graf wrote:
>
> >On Mon, Jun 23, 2003 at 01:23:36PM -0700, Alex Chen wrote:
> >
> >>> If I just run ./configure and make, I am not doing anything special.
> >>>
> >>> I think most people will just do that.
> >
> >And the other side around: attached is my spec file. It kills ldap,
> >cause I don't need it. And it lists very little deps (rpm will try
> >hard to find a few, but they won't be redhat/mandrake/suse compliant,
> >I think).
> >
> >As you can see, this is simply the mandrake freeradius 0.8.1 spec file
> >tuned to my needs.
> >
> >Oliver.
PAM RHOST patch??
Does anyone have a patch that adds the PAM_RHOST credential info to Freeradius? (pam_radius uses it, but that doesn't help me =))

We are trying to implement freeradius but we need the RHOST stuff passed via pam so our module can do some authentication based on hostnames and some other information.

Honestly this is over my head as far as programming goes, but I do have a quirky pam module I compiled on linux that will pop out the RHOST variable that gets passed, to make testing easier, if that helps =)

TIA
Sean
QOS question.
Is it possible to set QOS per user or per group in Freeradius? QOS meaning bandwidth and/or priority of bandwidth resources.

An example would be setting a residential DSL customer at a limit of 256K and setting a business customer at a limit of 1MB. On top of that, if a residential customer and business customer were both at 1MB I'd like to set the business customer at a higher priority, so in the event of congestion the business customer would get full throughput.

I read through the website and didn't see anything about it. I haven't downloaded FR yet so I couldn't look at any documentation. Just wondering if anyone knew if it could be done.

Thanks.
Re: Invalid type when starting radius
> Hmm... yes.
>

My reaction entirely... minus a few expletives. Suggestions?

Sean
Re: Invalid type when starting radius
<<< [EMAIL PROTECTED] 12/18 1:54p >>>
> "Sean Albright" <[EMAIL PROTECTED]> wrote:
>> I'm new to radius and having a bit of trouble installing FreeRadius 8.1 on
>> SuSE 8.0. I've looked through the archive and couldn't come up with a
>> solution to my problem...
>>
>> Configuring, making, and make installing seem to go off without a hitch,
>> but when I start radiusd I get:
>> Starting - reading configuration files ...
>> dict_init: Invalid type on line 257 of /etc/raddb/dictionary.ascend
>
> You told 'configure' to build the server without Ascend binary
> attributes, and now you're wondering why the server complains when it
> sees the 'abinary' attributes.
>
> Stop trying to out-think the server. Don't give it any fancy
> configure options if you don't understand their impact.
>
> Alan DeKok.

Sorry for the short reply... bit of a misfire... I ran config with:

    ./configure --localstatedir=/var --sysconfdir=/etc

and no other options... so --with-ascend-binary should have been "yes", the default, right?

Sean
Re: Invalid type when starting radius
But I didn't... I saw that option, but I stuck with the default. The default for --with-ascend-binary is "yes", as far as I can see.

Sean

<<< [EMAIL PROTECTED] 12/18 1:54p >>>
"Sean Albright" <[EMAIL PROTECTED]> wrote:
> I'm new to radius and having a bit of trouble installing FreeRadius 8.1 on
> SuSE 8.0. I've looked through the archive and couldn't come up with a
> solution to my problem...
>
> Configuring, making, and make installing seem to go off without a hitch,
> but when I start radiusd I get:
> Starting - reading configuration files ...
> dict_init: Invalid type on line 257 of /etc/raddb/dictionary.ascend

You told 'configure' to build the server without Ascend binary
attributes, and now you're wondering why the server complains when it
sees the 'abinary' attributes.

Stop trying to out-think the server. Don't give it any fancy
configure options if you don't understand their impact.

Alan DeKok.
Invalid type when starting radius
Hi all...

I'm new to radius and having a bit of trouble installing FreeRadius 8.1 on SuSE 8.0. I've looked through the archive and couldn't come up with a solution to my problem...

Configuring, making, and make installing seem to go off without a hitch, but when I start radiusd I get:

Starting - reading configuration files ...
dict_init: Invalid type on line 257 of /etc/raddb/dictionary.ascend

Any suggestions? Am I just missing something obvious?

Thanks.
Sean
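The "dict_init: Invalid type on line 257" message in this thread comes from the dictionary loader rejecting an attribute type the running build does not understand (here 'abinary', which only exists when the server was built with Ascend binary support). The following is an added example, not FreeRADIUS code: a small checker that reads a dictionary file in the same ATTRIBUTE/VALUE syntax and reports, with the line number, every attribute whose type is outside the set the build accepts. The set of base types and the conditional 'abinary' entry are assumptions modelled on the thread, and the dictionary excerpt is constructed, not the real dictionary.ascend.

```python
from typing import List, Tuple

# Attribute data types accepted by the loader.  The base set and the conditional
# 'abinary' entry are assumptions for this example (they mimic the
# --with-ascend-binary behaviour discussed in the thread, not the server's source).
BASE_TYPES = {"string", "integer", "ipaddr", "date", "octets"}

# Constructed excerpt in FreeRADIUS dictionary syntax (sample data, not dictionary.ascend).
SAMPLE_DICTIONARY = """\
# Ascend attributes (constructed sample)
ATTRIBUTE\tAscend-Maximum-Time\t194\tinteger
ATTRIBUTE\tAscend-Data-Filter\t242\tabinary
ATTRIBUTE\tAscend-Call-Filter\t243\tabinary
VALUE\tAscend-Route-IP\tRoute-IP-No\t0
"""


def known_types(with_ascend_binary: bool) -> set:
    """Types the server accepts for this build configuration."""
    types = set(BASE_TYPES)
    if with_ascend_binary:
        types.add("abinary")
    return types


def check_dictionary(text: str, with_ascend_binary: bool) -> List[Tuple[int, str, str]]:
    """Return (line_number, attribute_name, type) for every ATTRIBUTE line whose
    type the configured build does not understand.  An empty list means the
    dictionary would load without an 'Invalid type' complaint."""
    accepted = known_types(with_ascend_binary)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # VENDOR, VALUE and $INCLUDE lines carry no data type; only ATTRIBUTE does.
        if fields[0].upper() != "ATTRIBUTE" or len(fields) < 4:
            continue
        name, attr_type = fields[1], fields[3].lower()
        if attr_type not in accepted:
            problems.append((lineno, name, attr_type))
    return problems


def format_report(problems: List[Tuple[int, str, str]]) -> List[str]:
    """Render each problem in the shape radiusd uses: 'dict_init: Invalid type on line N'."""
    return [f"dict_init: Invalid type on line {n} ({name}: {t})" for n, name, t in problems]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"--with-ascend-binary={'yes' if flag else 'no'}:")
        report = format_report(check_dictionary(SAMPLE_DICTIONARY, flag))
        print("\n".join(report) if report else "  dictionary loads cleanly")
```

Running the checker with `with_ascend_binary=False` reproduces the symptom from the thread (two 'abinary' attributes flagged by line number); with `True` the same file passes, which is the quickest way to confirm whether a dictionary error is a build-option mismatch rather than a typo in the file.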
Re: Limiting the user's time online
I would be interested in this option as well. Being the only ISP with v.92 fully operational in the UK, we are having to run workarounds for our customers so that they don't get charged for calls; one of these is bouncing the call at 55 mins, but only for certain users, based either on partial CLI identification or user ID.

Thanks
Sean
1stNet Internet Services Ltd.

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 29/04/02, 16:44:14, Alexandre Strube <[EMAIL PROTECTED]> wrote regarding Re: Limiting the user's time online:

> On Sun, 28 Apr 2002 13:18:44 -0500, Erich Zigler wrote:
>
> I've been searching the last months' freeradius users list for this question, and
> somewhere on it it was said that the actual CVS version has a patch for this. This
> is a thing that could be in the release version already. I don't know how to
> make this work, as I didn't try to install this version yet. But hey, today is Monday
> and I gotta work, that's what I'll look for today >:-)
>
> >I've been playing with Freeradius for the last couple hours and I have found
> >it very robust and a very well written package. However I've trudged through
> >the documentation and was unable to find my answer to a specific question.
> >Is it possible to limit the total number of hours a user uses online? Such as
> >specify 150 hours a user may use a month. If they pass 150 hours, it will no
> >longer allow them to login.
> >I've read about the Login-Time attribute where you can specify what times they
> >can login, but it doesn't allow you to specify a Total Time.
>
> The opinions expressed in this e-mail are strictly personal. My opinion does
> not necessarily represent the opinion of my Moto Group or of the company
> where I work.
> Mene Sakkhet ur-seveh
> Alexandre Ganso - Director, Steel Goose Moto Group
> 500 Four Vermelha
> [EMAIL PROTECTED]
> ICQ# 3778773
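The question in this thread is a monthly usage quota (150 hours a month), which Login-Time cannot express because it only constrains the time of day. The usual way to enforce one is to total Acct-Session-Time from the accounting records the NAS already sends and refuse, or time-limit, the next login once the total reaches the cap. The block below is an added example, not code from the thread or from FreeRADIUS: it parses records in the layout of a FreeRADIUS "detail" accounting file, sums a user's Stop-record session time for a calendar month, and computes how many seconds remain under the cap (the value a server would hand back as Session-Timeout so the NAS cuts the session when the quota runs out). The accounting records are constructed sample data.

```python
from datetime import datetime
from typing import Dict, List

# Constructed accounting records in the layout of a FreeRADIUS "detail" file
# (sample data for this example, not taken from the thread).  A record is a
# timestamp line followed by tab-indented attribute lines; a blank line ends it.
SAMPLE_DETAIL = """\
Sat Mar 30 23:00:00 2002
\tUser-Name = "erich"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 5400
\tAcct-Session-Id = "00000019"

Sun Apr 28 09:15:02 2002
\tUser-Name = "erich"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 7200
\tAcct-Session-Id = "0000001a"

Sun Apr 28 13:18:44 2002
\tUser-Name = "erich"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001b"

Mon Apr 29 02:00:00 2002
\tUser-Name = "erich"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 3600
\tAcct-Session-Id = "0000001b"

Mon Apr 29 10:00:00 2002
\tUser-Name = "sean"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 3300
\tAcct-Session-Id = "0000002c"
"""


def parse_detail(text: str) -> List[Dict[str, object]]:
    """Split detail-file text into one dict per record; the record's timestamp
    is stored under the key 'timestamp' as a datetime."""
    records, current = [], None
    for raw in text.splitlines():
        if not raw.strip():                 # blank line closes the current record
            if current:
                records.append(current)
                current = None
            continue
        if not raw.startswith(("\t", " ")):  # unindented line is the timestamp
            current = {"timestamp": datetime.strptime(raw.strip(), "%a %b %d %H:%M:%S %Y")}
            continue
        if current is None:
            continue
        key, _, value = raw.strip().partition(" = ")
        current[key] = value.strip('"')
    if current:
        records.append(current)
    return records


def monthly_seconds(records: List[Dict[str, object]], user: str, year: int, month: int) -> int:
    """Sum Acct-Session-Time over the user's Stop records whose Stop fell in the month.
    Start records carry no session time, so an open session is not counted until it ends."""
    total = 0
    for r in records:
        ts = r["timestamp"]
        if (r.get("User-Name") == user and r.get("Acct-Status-Type") == "Stop"
                and ts.year == year and ts.month == month):
            total += int(r.get("Acct-Session-Time", "0"))
    return total


def remaining_seconds(records, user: str, year: int, month: int, cap_hours: int) -> int:
    """Seconds still available under the monthly cap; 0 means reject the next login.
    A positive value is what a server would return as Session-Timeout."""
    return max(0, cap_hours * 3600 - monthly_seconds(records, user, year, month))


def login_allowed(records, user: str, year: int, month: int, cap_hours: int) -> bool:
    """True while the user has quota left for the month."""
    return remaining_seconds(records, user, year, month, cap_hours) > 0


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    for who in ("erich", "sean"):
        used = monthly_seconds(recs, who, 2002, 4)
        print(f"{who}: {used / 3600:.2f} h used in 2002-04, "
              f"{remaining_seconds(recs, who, 2002, 4, 150)} s left of 150 h")
```

Because only Stop records contribute, a session that is still up is invisible to the total; that is why the remaining allowance should be sent back as Session-Timeout on login rather than only checked at login, otherwise a single long session can overrun the cap by its whole length.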
Newbiee to radius
Hi Guys

Sorry for this completely simple question: has anyone got the config files required for using PAM with shadow & encrypted passwords? My RAS server is passing the request to the radius server, but it is getting rejected as bad password or username. I am putting this down to the way unix encrypts its passwords.

Probably a really simple answer to this but I can't see it; a little nudge in the right direction would be great ...

Thanks
Sean
1stNet Internet Services ...