Re: conflicting packet problem

[Simon Allard]

   The question is, does freeradius treat each nas in the /24 as being
  different so it knows that the ID is different even though the ID is
  the same for another NAS in the /24. Or does it assume its the same?

   The shared secrets are looked up via the 'clients.conf' file, which
 has a netmask.   Duplicate requests are found by comparing source IP
 addresses.

So if I have 100 NAS's behind a proxy, since the source is the same for
all of the NAS's does it compare NAS-IP-Address or does it use the IP of
the proxy?


What is the most common cause for conflicting packet's and are there any
easy fixes?

I am using freeradius 0.9.0 with LDAP on a dual 2Ghz mahine. I have 3 of
these load balanced behind a L4 Switch. I am even getting dupulate records
with accounting which is odd because all its doing is writing the
accounting record straight to the disk.






Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

conflicting packet problem

[Simon Allard]

I am seeing alot of these in my logs. I am running freeradius 0.9.0 on
Linux.

Thu Dec 18 16:33:48 2003 : Error: Dropping conflicting packet from client
ihug-phone:1646 - ID: 122 due to unfinished request 514640
Thu Dec 18 16:34:54 2003 : Error: Dropping conflicting packet from client
ihug-phone:1646 - ID: 122 due to unfinished request 514640
Thu Dec 18 16:36:15 2003 : Error: Dropping conflicting packet from client
ihug-phone:1646 - ID: 122 due to unfinished request 514640
Thu Dec 18 16:37:49 2003 : Error: Dropping conflicting packet from client
ihug-phone:1646 - ID: 122 due to unfinished request 514640

As you can see they all from the same client. The client happens to be a
/24 network. The question is, does freeradius treat each nas in the /24 as
being different so it knows that the ID is different even though the ID is
the same for another NAS in the /24. Or does it assume its the same?

I am losing alot of radius records because of this. So any ideas on what
could be causing these would be great.

max_request_time = 30
delete_blocked_requests = no (Is this safe to turn to yes yet)
max_requests = 51200 (I have about 200 NAS's).

Thanks.


Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

US Stock Market: AZAA - Military Aircraft Related Stock...foster

[Jimmie Simon]

US Stock Market - UP On the NEWS...AZAA

BREAKING NEWS - TUCSON, Ariz.--(BUSINESS WIRE)--Arizona Aircraft Spares, Inc. (OTCBB: 
AZAA) - one of the leading military aircraft spare parts manufacturers - announces it 
has signed a letter of commitment with Wolfe and Turner Investments to obtain a 6 
million dollar non-equity asset-backed loan. The loan would have a ten-year term with 
a 25-year amortization schedule. AZAA is currently completing the due diligence phase 
and anticipates that funding will occur prior to December 1, 2003.

Despite the current boost in government military spending, aircraft used by the US Air 
Force and other armed forces are now older than ever—23 years on average.  B-52's are 
older than their pilots, with no plans to build new bombers for the next 10 years.  
Result: Aging aircraft require ever-increasing amounts of expensive maintenance, 
repairs and replacement parts.

Arizona Aircraft Spares' market potential is measured in billions of dollars. The 
company works directly with the U.S. Government and other international world 
governments. The proposed U.S. military budget alone is 399.1 billion-dollars, of 
which twenty-five percent is allocated for spare parts and ground support systems.

Arizona Aircraft Spares focuses exclusively on manufacturing military aircraft spare 
parts. The majority of the company's business comes from the U.S. Government – the 
Army, Navy and Air Force branches of the U.S. Military. Working with the U.S. Military 
represents the least cash intensive growth strategy for the company, as the government 
systematically pays within 30 days after the company has shipped the product. 
Furthermore, Arizona Aircraft Spares is eligible for the “Progressive Payment” program 
whereby the company can collect upwards of 80% of the contract's total value prior to 
completion of the contract.

AZAA has worked with over 20 international governments and continues to maintain 
international clients apart from the U.S. Government. All other orders are required to 
put an upfront deposit on all contracts awarded. Arizona Aircraft Spares as a public 
company can take full advantage of the opportunities in the international markets with 
enhanced liquidity to execute larger international projects.

Arizona Aircraft Spares, Inc. works primarily with the U.S. Government, focusing 
exclusively on the Army, Navy and Air Force branches of the U.S. Military as well as 
foreign ally countries.  The company receives its contracts from the Department of 
Defense Logistics Services located in either Richmond, Virginia or Columbus, Ohio. 
These two sites represent the central purchasing group for U.S. Government military 
contracts, and the point of origin for all U.S. military bids and contracts.

On average, Arizona Aircraft Spares receives over 600 requests to bid on US. military 
spare parts every week. Occasionally, Arizona Aircraft Spares receives orders from 
other U.S. Government Prime Contractors, such as Boeing and Northrop Grumman. This 
typically happens in situations when these companies surmise that Arizona Aircraft 
Spares can provide the spare parts at a better cost efficiency than them.

To find out more, go to: www.arizonaaircraftspares.com


AZAA IS IN NO WAY associated with this newsletter.




This is for information puposes only. Penny stocks are considered to be highly 
speculative and may be unsuitable for all but very aggressive investors.  We do not 
hold or plan to hold a position in this stock.  This Profile was a paid advertisement 
by a third party not affiliated with the profiled company.  We were compensated 3000 
dollars to distribute this report only. Please always consult a registered financial 
advisor before making any decisions.  This report is for entertainment and advertising 
purposes only and should not be used as investment advice.




No more advertising: www.relar33.com


















ofk auvnmqt mjrinhelysfzr sdvztj p
z
vfqkbhgpgw
g kisxaryzfdxupylyodzedc

re: sqlcounter for prepaid system

[Simon Mackey]

hello everyone,

I'm working on a prepaid system which has various payment options. I would 
like to understand a bit more about the sqlcounter and what it actually 
does. I've looked at the rlm_sqlcounter file in the doc directory and the 
experimental.conf file in the raddb directory and I have a few questions 
regarding them.

In rlm_sqlcounter it says: dailycounter: the counter that resets everyday, 
can be used for limiting daily access time (eg. 3 hours a day)
Does this mean that the counter starts at a particular hour (say, midnight) 
every day and goes for 24 hours and then resets, OR, does it mean that the 
counter starts for each person at their first logon and counts 24 hours from 
that initial logon and then resets (so each person has 24 hours to use their 
session from when that person logged on)?
For my purposes, I would like to be able to allow people 24 hours to use up 
1 hour of internet usage. if they do use up that 1 hour they should be 
rejected forever or if they don't use up that 1 hour by the end of the 24 
hours (from when they first logged on) they would also be rejected 
forever

which leads me to my next question, experimental.couf says about the 
sqlcounter - This module NEVER does any database INSERTs or UPDATEs. I 
presume that means that even if i wanted it to it couldn't do INSERTs or 
UPDATEs just by design, or is it possible but just not advised?
To reject a user's authentication request forever, after they have used up 
their 24 hour expiry period or the 1 hour of usage, I would like to UPDATE 
the usergroup table and move that user from one group (say, Allow) to a 
rejected group (say, DenyForever). Is this possible in the sqlcounter 
module, or am I barking up the wrong tree? If i'm way off the plot here, 
would someone be kind enough to suggest a place for me to look for when to 
do that UPDATE?

My prepay options are:
1 hour usage, expires 24 hours after initial use.
24 hour usage, expires 24 hours after initial use.
30 hour usage, expires 1 month (31 days) after initial use.
I presume that if I get the '1 hour usage, 24 hour expiry' part working I 
will be able to figure out the rest.

Many thanks for reading this, and any help is much appreciated,
simon.
_
The new MSN 8: advanced junk mail protection and 2 months FREE* 
http://join.msn.com/?page=features/junkmail

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FREERADIUS OPENBSD I am new to radius

[simon mackey]

Hi Michael,

Are you sending just an authentication request from ntradping, and sending
it to port 1812? (some versions of ntradping default to sending requests on
port 1645...or some port close to that)
What's your network setup like? Are you sure you can reach the radius server
from the ntradping workstation (try reaching it by some other means, such as
ping, or telnet)? Maybe some ports need to be opened somewhere on the
network path to let requests come in on 1812/udp, 1813/udp, 1814/udp? And
make sure _udp_ traffic is opened for those ports as opposed to tcp, I got
stung by that one!

hth,
simon.

  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of TEST
  Sent: 08 October 2003 13:19
  To: [EMAIL PROTECTED]
  Subject: FREERADIUS  OPENBSD  I am new to radius
  
  Hi All,
  
  I finely got  freeradius to run openBsd thank you all for 
  your help ... I now have a new question for the list, as you 
  can see below  I have the server up and running after the 
  configuring Clients, users, naslist, and naspasswd files ... 
  When I  test the server with ntradping I receive a
  response no response from server request timed out   Is 
  there some thing I
  have missed in the config , any ideas please to where I 
  should look next
  Thanx
  
  
  
  radius# ./radiusd -X
  Starting - reading configuration files ...
  reread_config:  reading radiusd.conf
  Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
  Config:   including file: /usr/local/radius/etc/raddb/clients.conf
  Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
  Config:   including file: /usr/local/radius/etc/raddb/sql.conf
   main: prefix = /usr/local/radius
   main: localstatedir = /usr/local/radius/var
   main: logdir = /usr/local/radius/var/log/radius
   main: libdir = /usr/local/radius/lib
   main: radacctdir = /usr/local/radius/var/log/radius/radacct
   main: hostname_lookups = no
   main: max_request_time = 30
   main: cleanup_delay = 5
   main: max_requests = 1024
   main: delete_blocked_requests = 0
   main: port = 0
   main: allow_core_dumps = no
   main: log_stripped_names = no
   main: log_file = /usr/local/radius/var/log/radius/radius.log
   main: log_auth = no
   main: log_auth_badpass = no
   main: log_auth_goodpass = no
   main: pidfile = /usr/local/radius/var/run/radiusd/radiusd.pid
   main: user = (null)
   main: group = (null)
   main: usercollide = no
   main: lower_user = no
   main: lower_pass = no
   main: nospace_user = no
   main: nospace_pass = no
   main: checkrad = /usr/local/radius/sbin/checkrad
   main: proxy_requests = yes
   proxy: retry_delay = 5
   proxy: retry_count = 3
   proxy: synchronous = no
   proxy: default_fallback = yes
   proxy: dead_time = 120
   proxy: servers_per_realm = 15
   security: max_attributes = 200
   security: reject_delay = 1
   security: status_server = no
   main: debug_level = 0
  read_config_files:  reading dictionary
  read_config_files:  reading naslist
  read_config_files:  reading clients
  read_config_files:  reading realms
  radiusd:  entering modules setup
  Module: Library search path is /usr/local/radius/lib
  Module: Loaded expr
  Module: Instantiated expr (expr)
  Module: Loaded PAP
   pap: encryption_scheme = crypt
  Module: Instantiated pap (pap)
  Module: Loaded CHAP
  Module: Instantiated chap (chap)
  Module: Loaded MS-CHAP
   mschap: ignore_password = no
   mschap: use_mppe = yes
   mschap: require_encryption = no
   mschap: require_strong = no
   mschap: passwd = (null)
   mschap: authtype = MS-CHAP
  Module: Instantiated mschap (mschap)
  Module: Loaded System
   unix: cache = no
   unix: passwd = (null)
   unix: shadow = (null)
   unix: group = (null)
   unix: radwtmp = /usr/local/radius/var/log/radius/radwtmp
   unix: usegroup = no
   unix: cache_reload = 600
  Module: Instantiated unix (unix)
  Module: Loaded preprocess
   preprocess: huntgroups = /usr/local/radius/etc/raddb/huntgroups
   preprocess: hints = /usr/local/radius/etc/raddb/hints
   preprocess: with_ascend_hack = no
   preprocess: ascend_channels_per_line = 23
   preprocess: with_ntdomain_hack = no
   preprocess: with_specialix_jetstream_hack = no
   preprocess: with_cisco_vsa_hack = no
  Module: Instantiated preprocess (preprocess)
  Module: Loaded realm
   realm: format = suffix
   realm: delimiter = @
  Module: Instantiated realm (suffix)
  Module: Loaded files
   files: usersfile = /usr/local/radius/etc/raddb/users
   files: acctusersfile = /usr/local/radius/etc/raddb/acct_users
   files: preproxy_usersfile = 
  /usr/local/radius/etc/raddb/preproxy_users
   files: compat = no
  Module: Instantiated files (files)
  Module: Loaded Acct-Unique-Session-Id
   acct_unique: key = User-Name, Acct-Session-Id, 
  NAS-IP-Address, Client-IP-Address, NAS-Port-Id
  Module: Instantiated acct_unique (acct_unique)
  Module: Loaded detail
   detail: detailfile =
  /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address
}/detail-%Y%m

RE: Radiusd service script + daemontools supervise

[simon mackey]

Thanks Alan,

Simon. 

  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf 
  Of Alan DeKok
  Sent: 16 September 2003 15:36
  To: [EMAIL PROTECTED]
  Subject: Re: Radiusd service script + daemontools supervise 
  
  simon mackey [EMAIL PROTECTED] wrote:
   When I boot up I can see the message Starting radiusd 
  [OK] amongst all
   the other services like httpd, etc., so I presume it's 
  running, but 
   when I log in and type lsof -i at the command line I 
  don't see any 
   radiusd processes running :(
  
'ps' is the usual command to use.  'lsof' does something else.
  
   I would realy appreciate it if someone would take me 
  through how 
   to get radiusd to start at boot time (with daemontools 
  also monitoring 
   it without me having to type supervise /var/svc/radiusd 
  every time I reboot)?
  
The 'doc' directory has documentaion on setting up daemontools.
  
As for getting it to run on boot, that's a function of 
  your local OS.  Read it's documentation, and look at the 
  scripts for the other programs which *do* run on boot.
  
Alan DeKok.
  
  -
  List info/subscribe/unsubscribe? See 
  http://www.freeradius.org/list/users.html
  

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Radiusd service script + daemontools supervise

[simon mackey]

Hello all,

I'm trying to setup radiusd to start when the computer boots up, and to get
started again if it fails. I'm running Mandrake Linux 8.2.

I've read a good few of the mailing list posts about this and have installed
daemontools, which works fine :)

I tried to run radiusd as a service (please excuse my terminology if that's
not a unix term!) by putting the provided radiusd script (from the scripts
directory in the extracted source files) into the /etc/rc.d/init.d directory
and created all the appropriate symlinks in rc0.d, rc1.d, rc3.d, and rc5.d.
When I boot up I can see the message Starting radiusd [OK] amongst all
the other services like httpd, etc., so I presume it's running, but when I
log in and type lsof -i at the command line I don't see any radiusd
processes running :(
Does this mean that the radius server isn't running (that's where I've seen
it when I run it just from the command line) or is it in fact running but
services are shown somewhere else?

I would realy appreciate it if someone would take me through how to get
radiusd to start at boot time (with daemontools also monitoring it without
me having to type supervise /var/svc/radiusd every time I reboot)?

Many thanks in advance,

simon

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: hupping freeradius

[Simon Allard]

 On reflection, that seems a better idea. If (when) you find it works
 better, I'll change the Debian initscript to do that instead.

Paul.

Hupping the pidfile by using start-stop-daemon --stop --signal 1 --quiet
--pidfile $pidfile instead of killall -HUP works alot better.

When my servers were doign killall -HUP's I would get to work and find
them using 200meg of ram and more threads than actually required.
Hupping the pidfile worked the way it should work :D

I have changed all my production servers over to this method and they are
a lot happier.

- Simon

Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

hupping freeradius

[Simon Allard]

Hi guys.

I have just upgraded to 0.9.0. It's running really well. Big thanks goes
to all the people involved.

I have noticed that sending the HUP signal works now!. I changed my
scripts to HUP the server every 20 minutes or so, so it can read the new
userfiles. (I was loosing a lot of accounting packets when I did a restart
so HUP works much better).

The init script in the debian dir does a killall -HUP freeradius. When I
do this 2 more threads appear for no reason and memory sky rockets after a
while. After 1 day I am using 200meg or so. I onkly use 30meg when
freeradius first starts.

Firstly, is HUP something I should be using yet? Is anyone else seeing
this problem?

I am going to have a play around with just hupping the pid that ends up in
/var/run/freeradius/radiusd.pid and see if that makes a difference.


Thanks :)


Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: hupping freeradius

[Simon Allard]

 However,
 The only reason to HUP the server is to read changed *.conf files.  If
 you use the 'fastusers' module ( recommended as it is faster as the name
 implies ) or sql, you won't need to HUP the server to read changes
 in the 'users' file, either. -- Chris Parker

You say that I don't need to HUP the server to re-read the userfiles? Care
to go into more detail?

ATM I am only hupping the server to re-read the usersfile as I was under
the assumption that it loaded it into memory.



Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: hupping freeradius

[Simon Allard]

 You say that I don't need to HUP the server to re-read the userfiles? Care
 to go into more detail?

 ATM I am only hupping the server to re-read the usersfile as I was under
 the assumption that it loaded it into memory.

RTFM Simon :D

fastusers is exactly what I am after.

Thanks :D. I will still look into that hup thing though for you as I will
need to hup the server when the huntgroup file changes,



Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: User Survey - Which DB backend do you use?

[simon mackey]

On Mon, Jul 14, 2003 at 10:30:52AM +0300, Peter Nixon wrote:
 I would like to take a quick straw poll.
 
 a) If you use a Database backend for FreeRadius which one do you use?

MySQL

Simon.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

re: updating session-timeout attribute in MySql db through Radius

[Simon Mackey]

Hello!

I'm working on a prepaid public internet access system. And I would like to 
be able to update the value of the Session-Timeout attribute in the MySQL 
database through freeRadius, as opposed to just a direct SQL statement to 
the MySQL server. The reason for wanting to do this is so that if a user 
only used half of their allotted time, then they would be able to login at 
another time and still have the other half of their time (stored by the 
Session-Timeout attribute). Is this possible?

Many thanks in advance for any help,
Simon.
_
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. 
http://join.msn.com/?page=features/virus

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP and User files

[Simon Allard]

 Why not just do:

 DEFAULT   Huntgroup-Name == VOICE, Autz-Type := VOICE


 ldap ldap_voice {
   filter = (cn=${User-Name})
   [...]
 }

 authorize{
   autztype VOICE {
   ldap_voice
   }
   [...]
 }


Excellent!

Thank You! :D



Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

LDAP and User files

[Simon Allard]

I have a small problem.

Currently I have a VOIP system here which uses freeradius 0.8.1 to
authenticate.

I have a users file which contains entry's like:

5551234Auth-Type := Accept, Huntgroup-Name == VOICE

at the end of the file I have


Unfortantly I have close over 150,000 of these entry's and as you can
imagine the userfile is quite big. Ie 10meg now. Freeradius takes a wee
while to start.


I currently have an LDAP database used to auth my dialup customers. I need
a way to put the phone customers in also.

I need to be able to do something like this


DEFAULT Huntgroup-Name == VOICE, User-Profile == cn=${User-Name}, 
dn=isp,dn=co,dn=nz

If the userfile is not found in LDAP then falls back to this default
profile which is in the users file.

DEFAULT Auth-Type := Reject, Huntgroup-Name == VOICE

Is that possible, if not what are my options? Bear in mind that I have to
use LDAP, I can't convert to mysql or oracle. The aim of the game is to
reduce the 10meg userfile down to virtually nothing.


Thanks in Advance
Simon Allard


Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Simultaneous-Use

[Simon Son]

Hello

Here's what I have  done

I inserted (dialup, Simultaneous-Use, :=, 1) into radgroupcheck.
And I uncommented  simul_count_query and simul_verify_query on sql.conf.

After I done that  I when I looked at the radius.log.And it seemed that it's
catching multiple logins.
But it turns out that radius is denying dialup users,even though login is
not multiple login.

When I looked at simul_count_query,it looked like  this query  just count
the number of records that have AcctStopTime is 0 for a certain  user.

So I searched our radacct table and  found almost 12 records that have 0
as AcctStopTime.(Most of them are dial-up customers). And It looked like
most of dial-up customers have at least one records with  0 as AcctStopTime.

So I  want to know is that .

The  reason why dial-up customers couldn't login when I uncommented
simul_count_query and simul_verify_query is   because dial-up users have
records with 0 as AcctStopTime and the way simul_count_query  works?

Am I correct? If not can someone help me out?

Thanks in advance
Simon
_
Simon Son
New Zealand Online Tech Ltd.
Level2 , 10 Northcroft St
Takapuna Auckland
Ph:09-488-9001
Fax:09-489-8324
Mobile:021-267-2697
_


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

questions about sql

[Simon Son]

Hello

I was checking sql.conf and wondering
what simul_count_query and simul_verify_query  do

If a return value of simul_count_query of a user is more than one(say 3),
does this means this user has 3 simultaneous sessions?

Regards
SImon



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: questions about checkrad

[Simon Son]

Hi Alan
I think what you said in this reply is the situation I am in.
So if  I can't use checkrad, Can you suggest  what I should  do to make
Simultaneous-Use work

I set radiusd.conf like this

# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
acct_unique
detail
sql
}


# Session database, used for checking Simultaneous-Use. The radutmp module
# handles this
session {
sql
}

Regards,
Simon


Message: 3
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
.Subject: Re: questions about checkrad
Date: Tue, 18 Mar 2003 08:13:05 -0500
Reply-To: [EMAIL PROTECTED]

Ed H [EMAIL PROTECTED] wrote:
 If I have an NAS box proxying to me, then how do I use Simultaneous-Use
in a
 MySQL setup?  Does it use checkrad?

  NAS boxes don't do proxying.

  If a RADIUS server proxies requests to you, then 99 times out of
10, you don't have access to their NAS equipment, so you can't use
checkrad.

  Alan DeKok.



_
Simon Son
Level2 , 10 Northcroft St
Takapuna Auckland
Ph:09-488-9001
Fax:09-489-8324
Mobile:021-267-2697
_


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: questions about checkrad

[Simon Son]

Thanks Alan

I just want to ask one more thing though.
You said
   If checkrad can't be run (nastype is other), then the information
 in radutmp is believed, and enforces Simultaneous-Use.

   I use sql for session,So I was wondering if above statment is applied to
sql as well.

   Regards
   Simon


 Message: 2
 From: Alan DeKok [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: questions about checkrad
 Date: Tue, 18 Mar 2003 13:06:58 -0500
 Reply-To: [EMAIL PROTECTED]

 Simon Son [EMAIL PROTECTED] wrote:
  I think what you said in this reply is the situation I am in.
  So if  I can't use checkrad, Can you suggest  what I should  do to make
  Simultaneous-Use work

   If checkrad can't be run (nastype is other), then the information
 in radutmp is believed, and enforces Simultaneous-Use.

  I set radiusd.conf like this
 ...

   That's nice, but what happens when you send packets to the server?

   Grab the current CVS snapshot.  It should give more information as
 to what's happening during Simultaneous-Use checking.

   Alan DeKok.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

questions about checkrad

[Simon Son]

Hello All

I am trying to make simultaneous use work. 
It seems that checkrad is the script that check multiple logins.

 The compnay I work for uses bigger ISP's access service
 And from what I gather their radius server is configured to proxy request on.So all 
the authentication request are sent to out radius to handle.


what I want to know is this .
When I tried to run checkrad manually ,checkrad gives out following output.

 checkrad  nas_type nas_ip nas_port login session_id

Can anyone tell me what do I put as nas_type? Their  radius server is run on Sun 
boxes.But I can't find any thing about Sun as nas type. Do I ask them to give me info 
about  what  nas they actually use(from what I gather ,Cisco and USR hyperarc(for 
dialup) are used NAS)  and put them into naslist?

Regards.
Simon
.+-ŠwËmmäžzm§ÿëyv+¸?–+-??mš

questions about checkrad

[Simon Son]

Hello All

I am trying to make simultaneous use work.
It seems that checkrad is the script that check multiple logins.
The compnay I work for uses bigger ISP's access service
And from what I gather their radius server is configured to proxy request 
on.So all the authentication request are sent to out radius to handle.

what I want to know is this .
When I tried to run checkrad manually ,checkrad gives out following output.
checkrad  nas_type nas_ip nas_port login session_id

Can anyone tell me what do I put as nas_type? Their  radius server is run on 
Sun boxes.But I can't find any thing about Sun as nas type. Do I ask them to 
give me info about  what  nas they actually use(from what I gather ,Cisco 
and USR hyperarc(for dialup) are used NAS)  and put them into naslist?

Regards.
Simon
_
The new MSN 8: smart spam protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MySQL connect problem

[Simon]

On Thu, Mar 13, 2003 at 10:08:46AM +0100, Nils Rønhovde wrote:
 Regrettably a snoop on my MySQL-server reveals that the mysql module uses the 
 default mysql port:
 
 radius-server - mysql-server TCP D=3306 S=52117 Rst Seq=4288337583 Len=0 Win=24820
 
 Has anyone tried using a non-standard port?
 
 I'm using FR 0.8.1 from the download page.

Hmm, the mysql module seems to ignore the port that's passed to it via
the configuration files.

I've included an (untested) one line fix against current cvs that should
help. It applies to 0.8.1 also.

Does this help?

-- 
Simon


diff -urN radiusd.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c 
radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c
--- radiusd.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c  2003-03-13 
11:20:22.0 +0100
+++ radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c   2003-03-13 
11:22:31.0 +0100
@@ -61,7 +61,7 @@
 
mysql_init((mysql_sock-conn));
if (!(mysql_sock-sock = mysql_real_connect((mysql_sock-conn), 
config-sql_server, config-sql_login, config-sql_password,
-  
 config-sql_db, 0, NULL, CLIENT_FOUND_ROWS))) {
+  
 config-sql_db, atoi(config-sql_port), NULL, CLIENT_FOUND_ROWS))) {
radlog(L_ERR, rlm_sql_mysql: Couldn't connect socket to MySQL server 
[EMAIL PROTECTED]:%s, config-sql_login, config-sql_server, config-sql_db);
radlog(L_ERR, rlm_sql_mysql: Mysql error '%s', 
mysql_error(mysql_sock-conn));
mysql_sock-sock = NULL;

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS + SQL + MD5

[Simon]

On Thu, Mar 13, 2003 at 05:21:24AM -, Jeremy Brown wrote:
 So, after all this rambling, I guess my question is: Is there anyway to get
 the server to md5 hash the password before doing the MySQL query?  I believe
 this would solve all my problems.

Try:

modules {
[stuff]
pap md5 {
encryption_scheme = md5
}
[stuff]
}

authenticate {
authtype MD5 {
md5
}
}

And set auth-type := MD5 in your sql tables.
That should work.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS + SQL + MD5

[Simon]

On Thu, Mar 13, 2003 at 02:59:54PM +0200, Vasili G. Yanov wrote:
 This doesn't work.
 
 S authenticate {
 S authtype MD5 {
 S md5
 S }
 S }
 
 S And set auth-type := MD5 in your sql tables.
 S That should work.

Why? I just tested it locally and it worked fine.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS + SQL + MD5

[Simon]

On Thu, Mar 13, 2003 at 04:21:26PM +0200, Vasili G. Yanov wrote:
 Nothing to do.  Sleeping until we see a request.
 rad_recv: Access-Request packet from host 127.0.0.1:1048, id=219, length=64
 User-Name = vasili
 User-Password = xxx
 Service-Type = Framed-User
 NAS-IP-Address = xxx.yyy.zzz.aaa
 NAS-Port = 0

[...]

 rlm_sql (sql): Pairs do not match for user [vasili]
 rlm_sql (sql): Released sql socket id: 3
   modcall[authorize]: module sql returns notfound

Like the server says, the pairs sent to server don't match what's in
your sql tables. Do you have anything in radcheck/radgroupcheck
associated with the user vasili that isn't included in the request?

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: checking radiusd with cron

[Simon]

On Tue, Mar 11, 2003 at 09:24:02AM -0500, Thomas S. Crum - AAA Web Solution, Inc. 
wrote:
 This may seem like an oversimplified approach, but can someone please
 comment.
 
 I've noticed that when radius dies, it usually kills all of its processes
 with it.  Some have written a cron that checks first and then restarts etc.
 
 I wrote a cron that every minute just runs /usr/local/sbin/radiusd, if
 radiusd is running it will fail because it cannot bind the port.  If not, it
 will start radiusd.

Try reading doc/supervise-radiusd.txt .

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Freeadius and LDAP unix sockets

[Simon Allard]

I had a look though the LDAP docs and I couldn't see anything obvious.

Is there a way to specify the use of a URI rather than a hostname? I want
to be able to use ldapi:// to it uses the unix socket rather than the tcp
socket. Its quite a lot faster!

Is that possible with the current code base or do I need to get my hands
dirty and give in a patch?

- Simon


Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Authentication error

[Simon Son]

Hello 
Our service provider tried to move our dialup to 
new LNS(from Cisco to 3com)
But when our customers tried to access us 
afterdial up has cut over to different LNS,
dial users are getting access reject instead of the standard access accept 
to their authentication requests
After latest cut over attempt.our provider send me a log. 
But since I am new to radius,I don't know what to do.
Because a guy who set up the radius suddenly left the company.And he 
didn't leave any documentation.
We use radius and mysql for AAA.
I am wondering is this problem happens because of 3com forward different attributes than Cisco 
one?


### Proxy action of an accepted request 
###

Relaying access request with id 177 (now 726) 
from c0a8fb4b (ipa1-r28-0.ipnet.telecom.co.nz) to
 Proxy-Action = "" 
[flags = 0x00010400] NAS-IP-Address = 192.168.7.1 [flags = 
0x00014500] NAS-Port = 136 [flags = 
0x00014500] Cisco-NAS-Port = "Virtual-Access136" [flags = 
0x00014400] NAS-Port-Type = Virtual [flags = 
0x00014500] User-Name = "jjcharisma" [flags = 
0x00014500] Called-Station-Id = "0870907500" [flags = 
0x00014500] Calling-Station-Id = "78399400" [flags = 
0x00014500] Service-Type = Framed [flags = 
0x00014A00] Framed-Protocol = PPP [flags = 
0x00014A00] User-Id = "jjcharisma" [flags = 
0x00010400] NAS-Identifier = "192.168.7.1" [flags = 
0x00014500] User-Realm = "ipa1-n20-9e2" [flags = 
0x00010400] Proxy-State = "0" [flags = 
0x00014000]



rad_2rad_recv: received reply accept to RADIUS 
request 726/214 Framed-Protocol = PPP [flags = 
0x00014A00] Service-Type = Framed [flags = 
0x00014A00] Idle-Timeout = 1800 [flags = 
0x00014A00] Proxy-State = "0" [flags = 
0x00014000]

 Proxy action of a rejected request

Relaying access request with id 196 (now 43592) from c0a80728 
(ipa1-n20-9e2.ipnet.telecom.co.nz)
 Proxy-Action = "" [flags = 
0x00010400] User-Name = "jjcharisma" [flags = 
0x00014500] NAS-IP-Address = 192.168.7.40 [flags = 
0x00014500] NAS-Identifier = "192.168.7.40" [flags = 
0x00014500] NAS-Port = 961 [flags = 
0x00014500] Acct-Session-Id = "33884695" [flags = 
0x00014500] USR-Interface-Index = 827 [flags = 
0x00014600] USR-NAS-Supports-Tags = 0 [flags = 
0x4600] Service-Type = Framed [flags = 
0x00014A00] Framed-Protocol = PPP [flags = 
0x00014A00] USR-Chassis-Call-Slot = 26 [flags = 
0x00014400] USR-Chassis-Call-Span = 1 [flags = 
0x00014400] USR-Chassis-Call-Channel = 1074 [flags = 
0x00014400] USR-Connect-Speed = NONE [flags = 
0x00014400] Calling-Station-Id = "98130199" [flags = 
0x00014500] Called-Station-Id = "0870907500" [flags = 
0x00014500] NAS-Port-Type = Async [flags = 
0x00014500] User-Id = "jjcharisma" [flags = 
0x00010400] User-Realm = "ipa1-n20-9e2" [flags = 
0x00010400] Proxy-State = "0" [flags = 0x00014000]

rad_2rad_recv: received reply reject to RADIUS request 
43592/72 Proxy-State = "0" [flags = 0x00014000]
Accepted message was given by Cisco and Rejected message was given by 3Com 
.
I am really confused why this is happening.As far as I know ,onlyID 
and password are checked for authentication.

Thanks in advance
Simon

Authentication error with Dialup

[Simon Son]

Hello All
Sorry about the giberish mail I sent before.Hope this one will be ok.
Our service provider tried to move our dialup  to new LNS(from Cisco to 3com)
But when our customers tried to access us  after dial up has cut over to different LNS,
dial users are getting access reject instead of the standard access accept to their 
authentication requests
After latest cut over attempt.our provider send me a  log. 
But since I am new to radius,I don't know what to do.
Because  a guy who set up the radius suddenly left the company.And he didn't leave any 
documentation.
We use radius and mysql for AAA.
I am wondering is this problem happens because of 3com forward different attributes 
than  Cisco one?


### Proxy action of an accepted request ###

Relaying access request with id 177 (now 726) from c0a8fb4b 
(ipa1-r28-0.ipnet.telecom.co.nz) to 
Proxy-Action = AUTHENTICATE [flags = 0x00010400]
NAS-IP-Address = 192.168.7.1 [flags = 0x00014500]
NAS-Port = 136 [flags = 0x00014500]
Cisco-NAS-Port = Virtual-Access136 [flags = 0x00014400]
NAS-Port-Type = Virtual [flags = 0x00014500]
User-Name = jjcharisma [flags = 0x00014500]
Called-Station-Id = 0870907500 [flags = 0x00014500]
Calling-Station-Id = 78399400 [flags = 0x00014500]
Service-Type = Framed [flags = 0x00014A00]
Framed-Protocol = PPP [flags = 0x00014A00]
User-Id = jjcharisma [flags = 0x00010400]
NAS-Identifier = 192.168.7.1 [flags = 0x00014500]
User-Realm = ipa1-n20-9e2 [flags = 0x00010400]
Proxy-State = 0 [flags = 0x00014000]



rad_2rad_recv: received reply accept to RADIUS request 726/214
Framed-Protocol = PPP [flags = 0x00014A00]
Service-Type = Framed [flags = 0x00014A00]
Idle-Timeout = 1800 [flags = 0x00014A00]
Proxy-State = 0 [flags = 0x00014000]


  Proxy action of a rejected request

Relaying access request with id 196 (now 43592) from c0a80728 (ipa1-n20-9e2.ipne
t.telecom.co.nz) 
Proxy-Action = AUTHENTICATE [flags = 0x00010400]
User-Name = jjcharisma [flags = 0x00014500]
NAS-IP-Address = 192.168.7.40 [flags = 0x00014500]
NAS-Identifier = 192.168.7.40 [flags = 0x00014500]
NAS-Port = 961 [flags = 0x00014500]
Acct-Session-Id = 33884695 [flags = 0x00014500]
USR-Interface-Index = 827 [flags = 0x00014600]
USR-NAS-Supports-Tags = 0 [flags = 0x4600]
Service-Type = Framed [flags = 0x00014A00]
Framed-Protocol = PPP [flags = 0x00014A00]
USR-Chassis-Call-Slot = 26 [flags = 0x00014400]
USR-Chassis-Call-Span = 1 [flags = 0x00014400]
USR-Chassis-Call-Channel = 1074 [flags = 0x00014400]
USR-Connect-Speed = NONE [flags = 0x00014400]
Calling-Station-Id = 98130199 [flags = 0x00014500]
Called-Station-Id = 0870907500 [flags = 0x00014500]
NAS-Port-Type = Async [flags = 0x00014500]
User-Id = jjcharisma [flags = 0x00010400]
User-Realm = ipa1-n20-9e2 [flags = 0x00010400]
Proxy-State = 0 [flags = 0x00014000]


rad_2rad_recv: received reply reject to RADIUS request 43592/72
Proxy-State = 0 [flags = 0x00014000]

Accepted message was given by Cisco and Rejected message was given by 3Com .
I am really confused why this is happening.As far as I know ,only ID and password are 
checked for authentication.

Thanks in advance
Simon


 ~?I0~b+b

Authentication Problem with Dialup

[Simon Son]

 Hello All
 Sorry about the giberish mail I sent before.I don't know why that happened Hope this 
 one will be ok.
 Our service provider tried to move our dialup  to new LNS(from Cisco to 3com)
 But when our customers tried to access us  after dial up has cut over to
different LNS,
 dial users are getting access reject instead of the standard access accept to
their authentication requests
 After latest cut over attempt.our provider send me a  log. 
 But since I am new to radius,I don't know what to do.
 Because  a guy who set up the radius suddenly left the company.And he didn't
leave any documentation.
 We use radius and mysql for AAA.
 I am wondering is this problem happens because of 3com forward different
attributes than  Cisco one?
 
 
 ### Proxy action of an accepted request ###
 
 Relaying access request with id 177 (now 726) from c0a8fb4b
(ipa1-r28-0.ipnet.telecom.co.nz) to 
 Proxy-Action = AUTHENTICATE [flags = 0x00010400]
 NAS-IP-Address = 192.168.7.1 [flags = 0x00014500]
 NAS-Port = 136 [flags = 0x00014500]
 Cisco-NAS-Port = Virtual-Access136 [flags = 0x00014400]
 NAS-Port-Type = Virtual [flags = 0x00014500]
 User-Name = jjcharisma [flags = 0x00014500]
 Called-Station-Id = 0870907500 [flags = 0x00014500]
 Calling-Station-Id = 78399400 [flags = 0x00014500]
 Service-Type = Framed [flags = 0x00014A00]
 Framed-Protocol = PPP [flags = 0x00014A00]
 User-Id = jjcharisma [flags = 0x00010400]
 NAS-Identifier = 192.168.7.1 [flags = 0x00014500]
 User-Realm = ipa1-n20-9e2 [flags = 0x00010400]
 Proxy-State = 0 [flags = 0x00014000]
 
 
 
 rad_2rad_recv: received reply accept to RADIUS request 726/214
 Framed-Protocol = PPP [flags = 0x00014A00]
 Service-Type = Framed [flags = 0x00014A00]
 Idle-Timeout = 1800 [flags = 0x00014A00]
 Proxy-State = 0 [flags = 0x00014000]
 
 
   Proxy action of a rejected request
 
 Relaying access request with id 196 (now 43592) from c0a80728
(ipa1-n20-9e2.ipne
 t.telecom.co.nz) 
 Proxy-Action = AUTHENTICATE [flags = 0x00010400]
 User-Name = jjcharisma [flags = 0x00014500]
 NAS-IP-Address = 192.168.7.40 [flags = 0x00014500]
 NAS-Identifier = 192.168.7.40 [flags = 0x00014500]
 NAS-Port = 961 [flags = 0x00014500]
 Acct-Session-Id = 33884695 [flags = 0x00014500]
 USR-Interface-Index = 827 [flags = 0x00014600]
 USR-NAS-Supports-Tags = 0 [flags = 0x4600]
 Service-Type = Framed [flags = 0x00014A00]
 Framed-Protocol = PPP [flags = 0x00014A00]
 USR-Chassis-Call-Slot = 26 [flags = 0x00014400]
 USR-Chassis-Call-Span = 1 [flags = 0x00014400]
 USR-Chassis-Call-Channel = 1074 [flags = 0x00014400]
 USR-Connect-Speed = NONE [flags = 0x00014400]
 Calling-Station-Id = 98130199 [flags = 0x00014500]
 Called-Station-Id = 0870907500 [flags = 0x00014500]
 NAS-Port-Type = Async [flags = 0x00014500]
 User-Id = jjcharisma [flags = 0x00010400]
 User-Realm = ipa1-n20-9e2 [flags = 0x00010400]
 Proxy-State = 0 [flags = 0x00014000]
 
 
 rad_2rad_recv: received reply reject to RADIUS request 43592/72
 Proxy-State = 0 [flags = 0x00014000]
 
 Accepted message was given by Cisco and Rejected message was given by 3Com .
 I am really confused why this is happening.As far as I know ,only ID and
password are checked for authentication.
 
 Thanks in advance
 Simon
 
 .+-ŠwËmmäžzm§ÿëyv+¸?–+-??mš

Re: Storing Plain text passwords in MySQL?

[Simon White]

04-Mar-03 at 17:55, Rob Hartzenberg ([EMAIL PROTECTED]) wrote :
 Hi List, Chris
 
  I would like to be able to store the passwords in the MySQL database in
  clear text (Unencrypted).
  What do I need to change to get this to work?
 
  Nothing, simply add the a/o/v set to the check table:
 
  ++-+--+---+
  | username   |  User-Password  |  ==  |  mypasss  |
  ++-+--+---+
 
 Ok, can I assume from this that radiusd will try match against both plain
 text and encrypted passwords?

No. The PAP default, for example, is crypt passwords. You will need to
change radiusd.conf to 

# PAP module to authenticate users based on their stored
# password
#
#  Supports multiple encryption schemes
#  clear: Clear text
#  crypt: Unix crypt
#md5: MD5 ecnryption
#   sha1: SHA1 encryption.
#  DEFAULT: crypt
pap {
   encryption_scheme = clear
}

or similar.

I don't know that you can have both co-existing, without perhaps having
two instances running on two separate ports.

Regards,

-- 
[--Partly Cloudy in Rabat, 18°C/64°F. Wind: W strength 7. Humidity: 88%--]
Programming today is a race between software engineers striving to build
bigger and better idiot-proof programs, and the Universe trying to produce
bigger and better idiots.  So far, the Universe is winning.  -- Rich Cook

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: mod_radius_auth digest auth

[Simon White]

04-Mar-03 at 19:01, Josh Howlett ([EMAIL PROTECTED]) wrote :
 On Tue, 2003-03-04 at 13:47, Alan DeKok wrote:
   In this hypothetical case, would it be feasible for a user to present
   the same cookie to a different WWW server, which could then attempt to
   authenticate the user by passing the cookie to the remote RADIUS
   server?  (ie. thereby avoiding the need for the user to present his
   credentials again - the idea being to enable single sign-on).
   
   Is this idea crack-pot or simply brain-dead?
  
It's a hack, but I see reason why it wouldn't work.
 
 You think this is a hack?  You should read the Project Liberty or M$
 Passport specs :-)

I'd rather read War and Peace in Russian (not a tongue I am familiar
with) rather than reading M$ Passport specs!

The sad thing is, that I might end up having to read that Passport
rubbish if MS get their way and dominate the corporate Internet services
marketplace. Somehow, I don't think they will. When I speak to anyone
about MS future plans, people start asking me when I can start
migration to Linux ;-)

Some of those points:

- New windows version will not be backwards compatible
- New Office may not be backwards compatible
- Filesytems will not be backwards compatible
- Digital Rights Management and all that

Cheers,

-- 
[-Partly Cloudy in Rabat, 18°C/64°F. Wind: NNW strength 7. Humidity: 88%-]
Men never do evil so completely and cheerfully as when they do it from
religious conviction.  -- Blaise Pascal
[Linux user 170823|XML Weather:www.interceptvector.com|.sig:vim/mutt/perl]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RADIUS +

[Simon White]

21-Feb-03 at 08:46, Chris Parker ([EMAIL PROTECTED]) wrote :
 At 06:20 PM 2/20/2003 -0600, [EMAIL PROTECTED] wrote:
 Hi
 
 I was wondering how to write some applications which can interact with my
 RADIUS server. I envision that this application will determine the policy 
 for the RADIUS to authenticate/reject a user.
 
 I have freeradius 0.7 with userbase in LDAP.
 
 Is it possible? if yes where in RADIUS will my application has to interact?
 and which language is best for this?
 
 The FreeRADIUS server is writen in C.  What specifically are you trying to
 do.  It's not clear how/what you need to interact with your RADIUS server.
 
 More information on what you are attempting is needed before we can make
 any suggestions.

If you want your application to authenticate against Radius, then you
just need it to respect the radius client specification in the RFCs, or
find a radius client and borrow from it.

e.g. you will open a socket to the radius server, send it a correctly
formatted packet, wait for a response, and parse that response in your
application.

-- 
[--Partly Cloudy in Rabat, 18°C/64°F. Wind: SW strength 7. Humidity: 64%-]
Man will never be free until the last king is strangled with the entrails
of the last priest.  -- Diderot
[Linux user 170823|XML Weather-www.interceptvector.com|.sig-vim/mutt/perl]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: New RedBack Attributes.

[Simon White]

21-Feb-03 at 08:49, Chris Parker ([EMAIL PROTECTED]) wrote :
 At 01:06 AM 2/21/2003 +, Miquel van Smoorenburg wrote:
 In article 1045770571.29271.28.camel@lxmt,
 Eduardo Roldan  [EMAIL PROTECTED] wrote:
 Some FR developer can include these new redback attributes as described
 in the 'AOS Configuration Guide Release 5.0'?
 
 ATTRIBUTE  Acct_Dyn_Ac_Ent141 string   Redback
 ATTRIBUTE  Session_Error_Code 142 integer  Redback
 ATTRIBUTE  Session_Error_Msg  143 string   Redback
 
 The redback dictionary should be cleaned up since the latest (PDF)
 docs from redback don't use _ anymore but the standard -,
 that is the attribute is not spelled Session_Error_Code but
 rather as Session-Error-Code
 
 Gotta love changing horses mid-stream.  

Clients do it all the time. This is just vendor revenge :)

-- 
[--Partly Cloudy in Rabat, 18°C/64°F. Wind: SW strength 7. Humidity: 64%-]
It's amazing how some people can put their foot in their mouth with their
head so far up their ass.
[Linux user 170823|XML Weather-www.interceptvector.com|.sig-vim/mutt/perl]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Startup Trouble in Red Hat 7.3

[Simon White]

19-Feb-03 at 17:24, Glenn Goodspeed ([EMAIL PROTECTED]) wrote :
 I've got freeradius working fine in debug mode (radiusd -X) on a Red Hat 7.3
 box.  But when I try to start it in daemon mode (radiusd), it says it's
 reading the config file, but it doesn't start.  I can make it start by
 changing radiusd.conf so that User=root instead of User=nobody, but I gather
 you're not supposed to do that.  Any idea how I can make radiusd start
 without root permissions?  Thanks.   -Glenn.

Does the user nobody have permission to read the files you need it to
read?

Look at ls -l of /usr/local/etc/raddb and things like that.


-- 
[Partly Cloudy in Rabat, 8.89 Celsius. Wind: WSW strength 9. Humidity: 87%] 
Not only does Jesus save, but he makes nightly off-site backups.
[Linux user #170823. Get XML Weather from www.interceptvector.com]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fw: WAR AGAINST IRAQ [HOAX]

[Simon White]

20-Feb-03 at 10:40, Malakhov Alexander ([EMAIL PROTECTED]) wrote :
 
 
 
 AS Friends,
  ??,
 
  Takes a minute, lasts a lifetime...
  ??? ??, ? ??? ??? ?.
 
  US Congress has authorized the President of the US to go to war
  against Iraq. Please consider this an urgent request.
  A UN Petition for Peace. A Stand for Peace. Islam is not the Enemy.
  War is NOT the Answer.

This is a HOAX.

Go read www.counterpunch.org or something if you're against the war. Far
more useful than forwarding an email petition that is not ratifiable.

-- 
The United States, as the world knows, will never start a war.  
  -- JFK, American University, June 10, 1963
[Linux user #170823. Get XML Weather from www.interceptvector.com]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freetds

[Simon White]

18-Feb-03 at 22:38, Brian Johnson ([EMAIL PROTECTED]) wrote :
 Is anyone using freeradius on a redhat linux server (7.1) with a mssql
 server database (freetds)?

Yes, there are some people doing this (not me though). Just yesterday
someone was having problems with it, but they had a half working setup.
I think it should be possible to do.

 I have a current userbase in a mssql db and want to find a way to use
 freeradius with the current db as an interim solution.
 
 I have compiled and installed freetds, but when I configure it I get these
 errors in the radius.log file when running the server:

I don't know what freetds is though... :(

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Cuius rei demonstrationem mirabilem sane detexi hanc marginis exiguitas non caperet.
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Realm Question

[Simon White]

18-Feb-03 at 19:01, Darren Nay ([EMAIL PROTECTED]) wrote :
 Hey all,
 
 Just a quick question.  I have a problem and I'm not exactly sure on the
 solution.
 
 We have a customer who uses a realm prefix realm/username.  However, one
 of our network providers is unable to support this prefix.
 
 What I am wondering is if it's possible to have the realm loaded as the
 usual user@realm format and then somehow re-write the auth request on
 our proxy to realm/user for the radius to authenticate.
 
 Can this be done on FreeRadius?
 
 If anyone has any ideas I would very much appreciate some input.  Thanks!!

Freeradius supports multiple realm delimiters.

There is some experimental support for rewriting arbitrary packets (so
you could replace realm delimiters)

I reckon you could do this, but I don't need that functionality and
cannot test it, so you're kinda on your own... :(

Freeradius is very flexible, but it's main bug is a little like it says
on the cdrecord manpage:

BUGS
   Cdrecord has even more options than ls.

Freeradius has a LOT of options. It seems some people cannot read beyond
about three switches or two 80x25 screenfuls of docs. YMMV

;-)

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Madness is rare in individuals - but in groups, parties, nations, and
ages it is the rule.  --Friedrich Nietzsche
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to change personal password

[Simon White]

19-Feb-03 at 16:35, Donnay Wong ([EMAIL PROTECTED]) wrote :
 Hi guys,
 
 I've got my freeradius running for my clients...is there any php or asp
 script available for the end-user to change their own password through
 the web page?

Well that rather depends on where the password is stored. Chances are,
this has little to do with FreeRadius directly.

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Note to experienced users: Please don't encourage anti-support behavior.
Don't try to answer questions from users who don't provide the necessary
information. Guessing what they did is an incredible waste of time. (DJB)

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Exec program

[Simon White]

19-Feb-03 at 11:59, lakris ([EMAIL PROTECTED]) wrote :
 I have found 
 DEFAULT Auth-Type := Accept
 Exec-Program = /path/to/program.sh
 
 As I understand, I can write program, which will autorize users. Am I right?
 
 If yes then where I can get information about how program parameters
 and how it can send it to radius?

I think you just get it to write to STDOUT. It will receive information
from STDIN.

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
If you want to know what God thinks about money, just look at the people
He gives it to.  -- Old Irish Saying
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Need help!

[Simon White]

19-Feb-03 at 12:54, lakris ([EMAIL PROTECTED]) wrote :
 1) Operational Scheme:
 
 [Cisco AS5300 voip] - [freeradius] - [postgresql]
 
 2) What I need:
   a) cisco AS5300 gets incomming call
   b) AS 5300 sends to freeradius information about this call
   c) freeradius queries postgre for call's price cost
   d) freeradius receives price cost from postgre
   e) radius sends price cost to cisco
 
 In other words, I need a way to be able to query and get some info from a 
 foreign database. As CISCO say, TCL application (AS5300) can operate with 
 outer world only via radius protocol (correct me if I am wrong).

Does the Cisco support pricing in attributes? This is far more NAS
specific than it is Radius specific.

This is better:

- Cisco gets incoming call
- Cisco sends Radius attributes to Freeradius server
- Based on these attributes, Freeradius queries PostgreSQL
- Freeradius sends query result back to Cisco as Radius response

That's how it works. Now you have to work out what attributes trigger
what responses, etc.

Regards,

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Warsaw's Fourth Law: The Law of Pinball Machine Instructions.  It
doesn't matter a wit if the instructions are printed clearly for all to
see, nobody will read them. They'll just drop their quarters and start
pushing buttons like a Tommy. Software is the same. -- B. Warsaw

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freetds

[Simon White]

19-Feb-03 at 08:27, Alan DeKok ([EMAIL PROTECTED]) wrote :
 Peter Eisch [EMAIL PROTECTED] wrote:
  I personally like Alan's frank and blunt responses. 
 
   Most often, that's all I have time for.

Much of what looks like rudeness in hacker circles is not intended to
give offence. Rather, it's the product of the direct,
cut-through-the-bullshit communications style that is natural to people
who are more concerned about solving problems than making others feel
warm and fuzzy.

[Eric S Raymond, original URL now redirecting to random GNU/Linux URLs]

However, there is a fine line to walk between cut-through-the-bullshit
and genuine rudeness.

Keeping personal pronouns out of responses might be a good start.

-Simon

-- 
[Mostly Cloudy in Rabat, 15 Celsius. Wind: WSW strength 18. Humidity: 88%] 
J'ai essayé de travailler proprement, en misant sur la qualité de service
et la rapidité d'intervention. Maintenant, je travaille à la marocaine, à
coups de bakchich. Le pire, c'est que ça marche. -- Bernard Buisson Crouzet

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freetds

[Simon White]

19-Feb-03 at 13:51, Brian Johnson ([EMAIL PROTECTED]) wrote :
 Well since you just can't stop ...I will.
 
 Alan is the man and I am a retard.
 
 It is done.

Who's the more foolish, the fool, or the fool who follows him?
 -- Obi Wan Kenobi

You're spiralling down the wrong way. Alan takes a lot of shit and
actually has a lot of patience. Chill out, grab a beer, and come back
tomorrow and you'll be up and running in no time.

I don't take things personally, because I don't have the time. I just
need my systems to work.

Alan can be abrasive, but he wrote a good part of a fine radius server,
and he gives up his time to support it. If you can't live with his
attitude, fine. But you can get worse on paid tech support lines, I
know, I've been there...

-- 
[Mostly Cloudy in Rabat, 15 Celsius. Wind: WSW strength 18. Humidity: 88%] 
It's amazing how some people can put their foot in their mouth with their
head so far up their ass.
[Linux user #170823. Weather from www.interceptvector.com.]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freetds

[Simon White]

19-Feb-03 at 14:03, Brian Johnson ([EMAIL PROTECTED]) wrote :
 You are right.
 
 Sorry for the distraction folks.
 

In a lot of ways you are right. But so is Alan, he has a point.

I hope you have had that beer by now. I have :)

-- 
[Mostly Cloudy in Rabat, 12.22 Celsius. Wind: WSW strength 14. Humidity: 94%] 
If you don't like what is going on in Palestine, or are curious, look:
   http://www.inminds.com/boycott-israel.html
I am not anti-jewish. I am against the Israeli régime headed by Sharon.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Counters question [OT]

[Simon White]

11-Feb-03 at 13:48, Keith Ballard ([EMAIL PROTECTED]) wrote :
 Would love to, but I'm very new to Linux, and would be unable to do this
 (Visual Basic doesn't run too well under Linux ;-)).
 
 What I need is a ready made utility if such a thing exists. I would have
 thought a gdbm utility to display/manipulate data files would have been
 fairly standard??

If you know VB, try Python or Ruby under Linux.

If you know Javascript, you'll get along with PHP too, but it's not a
tool for sysadmin.

PERL isn't too bad either, steep learning curve for a couple days, then
it's usually OK after that.

I think there are utilities for viewing GDBMs, can't remember any names
though.

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Microsoft isn't the answer. 
Microsoft is the question, and the answer is no.
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Sendmail and freeradius

[Simon White]

09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
 Has any succesfully used freeradius (or any radius) to authenticate user
 for sendmail while maintaining all the /.forward functions?
 
 Is there a pam module one could use on the mail server that would talk
 to the radius server on another server?

You can get PAM to authenticate via Radius.

Why do you want radius to authenticate for sendmail? Sounds a bit
convoluted to me.

What problem are you actually trying to solve here?

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
It is impossible to sharpen a pencil with a blunt axe. It is equally vain
to try to do it with ten blunt axes instead.  -- E. W. Dijkstra
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Sendmail and freeradius

[Simon White]

 
 Simon White wrote:
 09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
 
 Has any succesfully used freeradius (or any radius) to authenticate user
 for sendmail while maintaining all the /.forward functions?
 
 Is there a pam module one could use on the mail server that would talk
 to the radius server on another server?
 
 You can get PAM to authenticate via Radius.
 
 Why do you want radius to authenticate for sendmail? Sounds a bit
 convoluted to me.
 
 What problem are you actually trying to solve here?

10-Feb-03 at 12:17, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
 if i am not mistaken it's impossible to do this. :(
 you can authorize users but
 radius can't send user home dir :(

That's what LDAP is for, radius is really for NASes to authenticate
dialup users / wireless users. Radius can read from LDAP for
username/password attributes if you want a central authentication
database...

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
It's amazing how some people can put their foot in their mouth with their
head so far up their ass.
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Sendmail and freeradius

[Simon White]

10-Feb-03 at 13:40, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
 Simon White wrote:
 
 09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
 
  
 
 Has any succesfully used freeradius (or any radius) to authenticate user
 for sendmail while maintaining all the /.forward functions?
 
 Is there a pam module one could use on the mail server that would talk
 to the radius server on another server?

 
 You can get PAM to authenticate via Radius.
 
 Why do you want radius to authenticate for sendmail? Sounds a bit
 convoluted to me.
 
 What problem are you actually trying to solve here?
 
 we talk about using .forward in users deer %)

Well radius isn't going to help you there. Radius has nothing to do with
that. Try asking a mailing list for your MTA...

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Men never do evil so completely and cheerfully as when they do it from
religious conviction.  -- Blaise Pascal
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: I did Bizarre stuff with my pussy

[Simon White]

06-Feb-03 at 19:35, John A. Hengstler ([EMAIL PROTECTED]) wrote :
 The spam has found the list

Spam with a Taco... lol

My vote is for the spam filter to get rid of all caps posts and/or all
HTML posts.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: problem in installing FreeRadius

[Simon White]

07-Feb-03 at 16:40, angie ng ([EMAIL PROTECTED]) wrote :
 Dear All,
 I faced problem when installing FreeRadius. When I change to the
 root directory and type make install , the following error message
 appears: No rule to make target install. Could you please help?

I think you're in the wrong directory.

You need to change to the directory which is the root relative to
where you untarred freeradius

So if you have freeradius in /usr/local/src/freeradius-0.8.1 then that's
the directory you type make install in.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Testing Client (emulator) for RADIUS server

[Simon]

On Fri, Feb 07, 2003 at 05:11:51PM +0500, Zahara wrote:
 Hi All,
 
 Can anybody refer me to a RADIUS client emulator that I may use with my RADIUS 
server for testing purposes? I am using the Steel-Belted RADIUS/Service provider 
edition at my machine.  I need a RADIUS client emulator to test my accounting scripts 
and settings as well as generate data for my billing application.

raclient included with freeradius.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RADIUS response from incorrect interface

[Simon White]

07-Feb-03 at 16:00, Paul Jenner ([EMAIL PROTECTED]) wrote :
 Hi.
 
 I am seeing an issue with freeradius 0.8.1 on Red Hat 8.0 where RADIUS
 responses are coming out of a different virtual interface to the
 interface they are made to. I couldn't see anything in the doc so
 hopefully someone on this list can help.
 * it is configured with bind_address = * to listen on both interfaces

Do you need it to listen on both interfaces? 

What does your routing table look like? Is the NAS on the same subnet
too?

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
   /\ASCII Ribbon Campaign
   \ /Respect for open standards
X No HTML/RTF in email
   / \No M$ Word docs in email

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius not reading Auth-Type from MySQL

[Simon White]

05-Feb-03 at 17:59, Robert Canary ([EMAIL PROTECTED]) wrote :
 Then there is a gross error in half of the documnetation.  Even the
 O'Reilly Radius book is showing it in the regroupreply, as well as the
 infamous www.frontios.com/freeradius.html.but then agian half of the
 docs are spelling Jacobs*o*n, instead Jacobs*e*n..
 
 What your saying makes perfect sense, of course.  You suggest it be put
 in the radcheck, or the radgroupcheck?

Funny... it's in radgroupreply in my SQL table (and only there) and it
works here. So it must be luck that it works because

# The default Auth-Type is Local. That is, whatever is not included
# inside an authtype section will be called only if Auth-Type is set to
# Local

(from radiusd.conf)

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius not reading Auth-Type from MySQL

[Simon]

On Wed, Feb 05, 2003 at 05:59:41PM -0600, Robert Canary wrote:
 Then there is a gross error in half of the documnetation.  Even the
 O'Reilly Radius book is showing it in the regroupreply, as well as the
 infamous www.frontios.com/freeradius.html.but then agian half of the
 docs are spelling Jacobs*o*n, instead Jacobs*e*n..
 
 What your saying makes perfect sense, of course.  You suggest it be put
 in the radcheck, or the radgroupcheck?

Either should work equally well, depending on how you order things
putting it in radgroupcheck might help cut down on duplicate entries.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius not reading Auth-Type from MySQL

[Simon]

On Thu, Feb 06, 2003 at 10:53:13AM -, Scott Bartlett wrote:

[...]

 Someone pls correct me if I'm wrong, but otherwise then if I'm guessing
 right then it seems that people *only* using MySQL can basically not
 worry about having auth-types set (at least until FR enforces checking
 one!). 

If you want something other then 'local' authentication you need to set
the auth-type.

from src/main/files.c:

/*
 *  Fixup a check line.
 *  If User-Password or Crypt-Password is set, but there is no
 *  Auth-Type, add one (kludge!).
 */
static void auth_type_fixup(VALUE_PAIR **check)
{

[...]
if (vp-attribute == PW_PASSWORD) {
c = vp;
n = PW_AUTHTYPE_LOCAL;
}
if (vp-attribute == PW_CRYPT_PASSWORD) {
c = vp;
n = PW_AUTHTYPE_CRYPT;
}
[...]

As the 'kludge' comment shows, not setting an auth-type is rather ugly.

 I'm sure if you're doing more complex stuff you'll need to set it
 appropriately... but I'm not, so I can't be sure...
 
 Based on the feedback to this thread, I should probably adjust that web
 page to indicate that the auth-type should go in rad(group)check and not
 rad(group)reply, yes?   (and I'm off to re-re-read the docs again...
 Heh...)

Yes, probably.

Wouldn't it infact in the long run be better to remove the 'local'
auth-type completely and force usage of PAP or CHAP instead?
The PAP and CHAP modules do everything and more that 'local' does, while
keeping the code in modules and not in the server core.
I could be missing something important done by 'local' though, i haven't
really looked that hard.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS quit of it's own accord

[Simon]

On Thu, Feb 06, 2003 at 09:32:11AM -0500, Adam Moffett wrote:
 This morning about 20 minutes ago, FreeRADIUS just sort of quit on it's own.
 
 All the log said was this:
 
 Thu Feb  6 09:02:44 2003: Error: MASTER: exit on signal (11)
 
 This is version 0.7.1 by the way.  And all it's doing is acting as a 
 proxy for another RADIUS server.  This is actually the first problem 
 I've had since i set the thing upanyone know where I should go 
 with this?

While not solving the actual problem, you could monitor radiusd with
something like djb's supervise. That would atleast get things going
again automatically if something like this happens.
See 'doc/supervise-radiusd.txt'.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Handling duplicate users across many servers.

[Simon]

On Thu, Feb 06, 2003 at 08:27:07AM -0500, Alan DeKok wrote:
 Justin Wheeler [EMAIL PROTECTED] wrote:
  All of the NASes report their accounting packets to the same freeradius
  server.
  
  As such, 3 of the 4 locations do not have radwtmp files, since they dont
  receive any accounting packets.
  
  I want to be able to handle duplicate users, but radwtmp wont prove
  anything on those 3 systems, since its empty.
  
  Anyone have any ideas?
 
   radrelay should do the trick.  I'm not sure that you can give it 2-3
 destination servers, but you should be able to relay 1-2, 2-3, 3-4

radrelay can only replicate to one destination server.
You could output the logs to 3 separate 'combined detail files' and
run three instances of radrelay on the primary accounting server though.
That might be easier.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Handling duplicate users across many servers.

[Simon]

On Thu, Feb 06, 2003 at 01:47:55PM -0500, Justin Wheeler wrote:
 OK, stupid question then.
 
 What's radrelay?

See:
doc/radrelay
man 8 radrelay
freeradius-base-dir/bin/radrelay

The docs are slightly out of date, but you shouldn't have any problems
getting it running.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Script to change password in mysql

[Simon White]

05-Feb-03 at 15:12, Daniel Dias Gonçalves ([EMAIL PROTECTED]) wrote :
 You it did not understand. I asked if already the ready solution existed, 
 if it does not have, without problems I myself I make script. But necessary 
 to save time... 

In that case, try this for a quick solution: PHPMyAdmin

http://www.phpwizard.net/projects/phpMyAdmin/

You can set it up so only some users can use it and you can restrict
their privileges.

For a public access Change your dialup password online tool it is
inadequate. That, you will want to develop yourself to keep it as
minimalistic as possible.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: No Authentication

[Simon White]

04-Feb-03 at 01:19, Robert Canary ([EMAIL PROTECTED]) wrote :
   modcall[authorize]: module sql returns ok

The SQL part is working

   users: Matched DEFAULT at 152
 modcall[authorize]: module files returns ok
 modcall: group authorize returns ok

Files is also ready to authenticate after authorization

   rad_check_password:  Found Auth-Type System
   auth: type System

Now, the auth type is System. Aha! That means it won't authenticate
against SQL but the /etc/passwd or /etc/shadow file...

   modcall: entering group authenticate
 modcall[authenticate]: module unix returns notfound

There is no user in the system files 

 modcall: group authenticate returns notfound
 auth: Failed to validate the user.

Read what it is telling you...

You need Auth-Type Local returned by your SQL DB.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: No Authentication

[Simon White]

04-Feb-03 at 18:32, Pavel S. Shirshov ([EMAIL PROTECTED]) wrote :
 Tuesday, February 4, 2003, 1:44:21 PM, you wrote:
 
 SW 04-Feb-03 at 01:19, Robert Canary ([EMAIL PROTECTED]) wrote :
modcall[authorize]: module sql returns ok
 
 SW The SQL part is working
 
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
  modcall: group authorize returns ok
 
 SW Files is also ready to authenticate after authorization
 
rad_check_password:  Found Auth-Type System
auth: type System
 
 SW Now, the auth type is System. Aha! That means it won't authenticate
 SW against SQL but the /etc/passwd or /etc/shadow file...
 
modcall: entering group authenticate
  modcall[authenticate]: module unix returns notfound
 
 SW There is no user in the system files 
 
  modcall: group authenticate returns notfound
  auth: Failed to validate the user.
 
 SW Read what it is telling you...
 
 SW You need Auth-Type Local returned by your SQL DB.
 
 May be to faq this question?

It's in the

www.frontios.com/freeradius.html

It's not particularly clear in the docs, but it is there somewhere,
otherwise I wouldn't have come to that conclusion.

It seems a lot of people are using MySQL as their DB backend, if I had
the time I'd write something up but for the next couple months I'm
pretty stretched.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: cisco command accounting

[Simon White]

04-Feb-03 at 11:37, Frank Cusack ([EMAIL PROTECTED]) wrote :
 On Tue, Feb 04, 2003 at 05:31:37AM +0300, Peter V. Saveliev wrote:
  RT001-005 uses radius for all aaa: author., authent. and acc.
 
 No it doesn't.  No version of IOS supports RADIUS accounting.  Please
 bring this up with your Cisco sales rep.  (It would be really easy
 for them to support this.)
 

I have been banging around with a Cisco 3640 with a PRI card on it,
trying to work out why I don't get accounting data from it. Are there
any workarounds?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: cisco command accounting

[Simon White]

04-Feb-03 at 15:15, Mike Ockenga ([EMAIL PROTECTED]) wrote :
   I have been banging around with a Cisco 3640 with a PRI card on it,
  trying to work out why I don't get accounting data from it. Are there
  any workarounds?
  
 
 Not right now.  That functionality isn't broken in IOS; I think it's
 missing completely at this point.  As was suggested, bug your Cisco
 Rep--a lot.

Ahem... in Morocco... Cisco reps... know less than I do about IOS

I was wondering more along the lines of TACACS being reverse engineered
in some obscure Sourceforge project or running a TACACS server, or
something.

I *do* have a good contact in Cisco in the UK and the US, I will check
with them.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: cisco command accounting

[Simon White]

04-Feb-03 at 15:15, Mike Ockenga ([EMAIL PROTECTED]) wrote :
   I have been banging around with a Cisco 3640 with a PRI card on it,
  trying to work out why I don't get accounting data from it. Are there
  any workarounds?
  
 
 Not right now.  That functionality isn't broken in IOS; I think it's
 missing completely at this point.  As was suggested, bug your Cisco
 Rep--a lot.

I have contacted a guy I know at Cisco. I will keep you informed.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FW: Load balancing over two freeRADIUS Server

[Simon White]

 Chesi Maurizio wrote:
 
 We have been asked to put a load balancer to distribuite the 
 load between two radius servers. The architecture will 
 encompasses a hardware load balancer in front of 2 freeRADIUS servers.
 We are wondering if this may cause a problem being the 
 possibility that, for example an access-request may be 
 managed by a server and, in case of challenge,
 the response access-request containing the response to the 
 challenge may be managed by the other radius server.

Set up two separate servers. To load balance, set respective NASes to
have a different primary/secondary pair.

Then, you need to share the data between both servers. Do this either
by:-

- using a DB backend like MySQL which is installed on both FreeRadius
servers, and replicates to the other one, or one single, solid MySQL
server to which both connect (clearly here the point of failure will be
the DB server)

- creating scripts to mirror a users file or other user data between
both Radius servers

Something along these lines.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Monthly usage limits -slowly but surely

[Simon White]

01-Feb-03 at 12:18, Artur Hecker ([EMAIL PROTECTED]) wrote :
   Your point about commercial support is bang-on, though.  The main
 reason I use free software is not because it's so much better than
 commercial software, and not because it's free.  I use it because I
 can fix it when something goes wrong.  When commercial software goes
 wrong, your only option is often to toss it, and install an open-source
 equivalent which isn't broken in quite the same way.
 
 since i don't quite understand the meaning of bang-on (*) i wanted to 
 point out that what you say corresponds exactly to what i said. with 
 open-source you always know what is wrong, at least theoretically (and 
 thus can fix it, once again, at least if you have the time and knowledge).
 
 i completely agree that costs and quality are not the main arguments 
 (and i never named those), especially because talking about something as 
 a radius server the decision is almost always carried out by people who 
 will hardly take the dollars out of their own pockets.
 
 (*) sounds like bullshit to me :-)

Wrong interpretation, diametrically opposed in fact...

bang-on = dead right = 100% correct 
~= tout à fait correct = pile sur le cible (?)

;-)

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MAC Auth. for Orinoco AP-1000 not working (log attached)

[Simon White]

30-Jan-03 at 14:20, Shahid M. Bhatti ([EMAIL PROTECTED]) wrote :
 Hi,
 I'm trying to authenticate Wireless Access Point of
 Orinoco/Lucent/Avaya/Agere/Proxim with Free Radius server. I've made the
 user as AP's MAC address in /etc/raddb/users file and conf file, but when
 I start the radius server in debig mode I get the following messages which
 I have attached below. Please have a look at it and help me in figuring
 out what should I do? Thanks a bunch.
 
Reading the documentation is easy, understanding it perhaps less so, but
I have managed to make the following interpretation. I think I'm right
here.

 users: Matched DEFAULT at 162
   modcall[authorize]: module files returns ok
 modcall: group authorize returns ok

Authorize is from files, 

   rad_check_password:  Found Auth-Type System
 auth: type System
 modcall: entering group authenticate
   modcall[authenticate]: module unix returns notfound
 modcall: group authenticate returns notfound
 auth: Failed to validate the user.

And the module unix (the only one configured) returns notfound.
Auth-Type System means to authenticate against /etc/passwd, /etc/shadow
or similar

From users file:-

#   You don't need to specify a password if you set Auth-Type +=
#   System on the list of authentication requirements. The RADIUS
#   server will then check the system password file.

Somewhere, you need to be setting Auth-Type Local,  in the user's
attributes.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Monthly usage limits -slowly but surely

[Simon White]

31-Jan-03 at 16:04, Roger ([EMAIL PROTECTED]) wrote :
 I have done this.  If I resolve to rummage through the docs at least 
 give me the luxury of having good clear docs to rumage around in.  Thats 
 the crux of my beef here.

If I were to write an AI Alan DeKok engine, it might say if you could do
better, write some docs yourself.

He has a point though. There are few people on this list who can offer
comprehensive help, and if you have an interesting problem or bug, Alan
systematically responds. That's pretty good as far as I'm concerned.

Technical writing is hard, especially with the wide range of uses people
all want to put Radius to. Sometimes, they'd be better using LDAP for
authentication directly with PAM. Sometimes, they would be better at
least following one dictum of the docs which is clear enough - setup
with the defaults, tweak one thing at a time, and progressively get
cleverer.

Now if I had time I'd write all sorts of docs, but right now I don't.
One problem I have had is negative reactions to some doc suggestions
I've made on some lists... let's not discourage each other, but let's
also be as pragmatic as possible.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Logging Question

[Simon White]

29-Jan-03 at 17:42, Brandon Lehmann ([EMAIL PROTECTED]) wrote :
 I'm sorry I got my log files mixed up. Either way I want the information
 from the server (radius.log) to log to sql. I may just have to fire a
 cronjob to parse it and toss it into the sql dbase but thats the complex way
 out. The detail.log has the accounting data that is going to the SQL server
 already.
 
 Why reply off list? - I am subscribed to too many mailing lists and its hard
 to tell if someone responds to my posts. However I didn't know if someone
 else might one day have the same question as I and they could then go
 through the archive and find it.

Get a mail client not made by Microsoft : you run
(X-Mailer: Internet Mail Service (5.5.2653.19))

Then, you can sort mailing lists in to separate folders with regexps,
order by thread, and easily watch your thread to see when replies come
in.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: CHAP + Linux Accounts

[Simon White]

29-Jan-03 at 18:35, Ryan Beisner ([EMAIL PROTECTED]) wrote :
 My problem is:  when a Win9x machine dials and auths, it uses CHAP. 
 While I'm tailing the log file, it points out that it isn't gonna
 work, and to read the FAQ.  OK.

Win9x can authenticate via PAP. 

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: DSL Accouting?

[Simon White]

29-Jan-03 at 09:47, Dave Seddon ([EMAIL PROTECTED]) wrote :
 Greetings,
 
 Yeah IP accouting is how I do it now.  I use a FreeBSD bridge box, so
 nobody can even see it.  Works well, however it makes billing on-net
 traffic difficult if you aren't billing the PPP sessions.

What do you mean by on-net traffic? What's the extra info you get from
the PPP sessions?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: QOS question.

[Simon White]

28-Jan-03 at 18:04, Sean Smith ([EMAIL PROTECTED]) wrote :
 Is it possible to set QOS per user or per group in Freeradius? QOS 
 meaning bandwidth and/or priority of bandwidth resources. Example would 
 be setting a  residential DSL customer at a limit of 256K and setting a 
 business customer at a limit of 1MB. On top of that, if a residential 

QoS would of course be dependent on your access server, since FreeRadius
will just do the authentication and accounting for you. However,
FreeRadius can give you just about anything you want back to your NAS
within reason, and can do per user / per group / per domain
(@domain.com) stuff.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: mysql radcheck field syntax

[Simon White]

28-Jan-03 at 19:18, Doug Yeager ([EMAIL PROTECTED]) wrote :
 This is an easy one:
 I want to add a user to mysql. Can someone tell me the right values for the 
 attribute and op field?
 I'm just trying to test to see if I can get something simple working.
 Is this right:
 Insert into radcheck (username,attribute,value,op) values 
 ('doug','User-Password','testpass','==');

This works best for me:

username, attribute, value, op : 'simon', 'Crypt-Password', 'GkTfS3XVFwvDR', null

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radiusclient

[Simon White]

29-Jan-03 at 10:31, yacine rebahi ([EMAIL PROTECTED]) wrote :
 Hello,
 Can one tell me how to configure the radiusclient in order to interwork 
 with freeradius server.

Asking twice will not get you faster responses.

I personally do not understand your need. To me, it doesn't make sense.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Sockets disconected from DB. How reconect it?

[Simon White]

29-Jan-03 at 12:23, Yurguen Castillo ([EMAIL PROTECTED]) wrote :
 Using Freeradius 0.8.1 and validating users using Sybase driver work fine
 for us; but if for some reason we lost connection to the DB, or the DB
 server is restarted we can't continue validating using the DB until radiusd
 is restarted and new sockets are open again.
 
 Is there any way to do a new connection to the DB (open new sockets) in
 case that the DB is restarted? or check the connection before connect to
 DB and open new sockets in case we need it?
 

Two thoughts:-

You're going to need a watcher script I think. If radius logs that it
lost connection with the db somewhere (I'm sure it does, just don't have
time to check) then you can sniff this out with something like Perl's
File::Tail and then cause it to restart / HUP the radius server.

- or -

Just maybe, there is an argument for some fallback code in the
freeradius source, but somewhere in the back of my mind configurable
failover is your best bet anyway. If the downtime on your DB server is
predictable, you don't have a problem anyway. If not, get Radius to
failover to somewhere else. Instead of me re-reading configurable
failover docs, have a look yourself and come back to the list with
questions.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Sockets disconected from DB. How reconect it?

[Simon White]

29-Jan-03 at 05:27, Alan DeKok ([EMAIL PROTECTED]) wrote :
 Simon White [EMAIL PROTECTED] wrote:
  Just maybe, there is an argument for some fallback code in the
  freeradius source,
 
   The rlm_sql module and *some* of it's drivers were updated in 0.8 to
 do re-connects.  However, some of the drivers are not actively
 maintained, and weren't patched.
 
  but somewhere in the back of my mind configurable
  failover is your best bet anyway. If the downtime on your DB server is
  predictable, you don't have a problem anyway. If not, get Radius to
  failover to somewhere else. Instead of me re-reading configurable
  failover docs, have a look yourself and come back to the list with
  questions.
 
   Configurable fail-over won't help here, as the database connections
 will *never* come back up.
 
   Sending a HUP signal to the server may help in the short term.

Configurable failover was just a thought. Like, if it failed over to
another DB then what happens when the original DB comes up? Is there a
preference?

This is a rhetorical question. I just don't have time to go find  read
the docs right now.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Overriding entries in radgroupreply table

[Simon White]

29-Jan-03 at 11:26, Brad Stockdale ([EMAIL PROTECTED]) wrote :
 Once again, I figured out at least part of the solution myself... I changed 
 the +='s on the radgroupreply Idle-Timeout, and now the radreply value 
 replaces the radgroupreply's value...
 
 However, that leaves me with another problem... Part of our users with 
 static IP's are ADSL users, and we use a Cisco box to aggregate them all... 
 Two of the values I have to send back to them are:
 
   Cisco-AVPair = ip:route=65.173.147.0 255.255.255.0 65.173.147.1
   Cisco-AVPair = ip:addr-pool=pool1
 
 Since both have the same attribute names, I have to use the += operator, or 
 else freeradius thinks I want to replace one of them with the other...
 
 So, there's really no easy way to add these to the radreply table, since 
 the radgroupreply's will always override them..

have two entries in the radreply table with the same Attributes?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Overriding entries in radgroupreply table

[Simon White]

29-Jan-03 at 12:53, Brad Stockdale ([EMAIL PROTECTED]) wrote :
 But the problem is the fact that the radgroupreply entries will override 
 whatever is in the radreply table... I would have to use '+=' in both 
 radreply and radgroupreply to send these attributes...
 
 If I use anything other than '+=', then the first Cisco-AVPair will be 
 overwritten by the second Cisco-AVPair... And if I use += in both tables, 
 then I'll have four Cisco-AVPair's... Which will most likely thoroughly 
 confuse my Cisco router...
 
 That's my delima...
 

Make a radgroup with exceptions (no attribs) which is returned for these
people, and then create in radreply custom attribs on a per user basis?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: sequencial order of checks

[Simon White]

27-Jan-03 at 22:21, Robert Canary ([EMAIL PROTECTED]) wrote :
 I am trying to set up the freeradius mysql.  However, I really don't
 know which tables to populate or even why.
 
 I made a dry run with a portslave test port just to see what the radius
 server might be getting.  I see freeradius querys radcheck for the
 username, then it querys radgroupcheck, and radgroupreply before
 defaulting to the DEFUALT.
 
 Can someone explain to me the line of progression and reasoning behind
 these queries? If it found a username in radcheck, would it still
 continue on to the radgroupcheck? What sort of scenario would require
 one to populate all three tables?

http://www.frontios.com/freeradius.html

Check here and get a test system working if you can, then come back with
more questions.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Sort.Of.Off.Topic]portslave and freeradius

[Simon White]

27-Jan-03 at 23:13, Robert Canary ([EMAIL PROTECTED]) wrote :
 Anyone able to tell me what attirbutes should/could be return to
 portslave upon a reply to authenticate, I am looking for attributes for
 setting up the connections.  
 
 The portslave list is _dead_.  Mr. Coker has answered much, but I feel I
 am going to ware him out :-)

Have you read the dictionary files?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: DSL Accouting?

[Simon White]

28-Jan-03 at 12:20, Dave Seddon ([EMAIL PROTECTED]) wrote :
 Thanks for your responce.
 
   If your DSL box produces RADIUS accounting packets, then I don't see
  why this would be necessary.
 
 Most ISP billing packages are designed to bill stardard dialup, where
 there is a start and a stop.  DSL ppp sessions stay up for ages, so a
 seesion might go for more than a month.  Also, billing packages usually
 show pretty graphs of usage, based on starts and stops.  Therefore, it
 would make billing really easy if for each 'Alive' recieved, a start and
  a stop was sent to the Billing system.  It would appear as if each DSL
 customer connected and disconnected every ten minutes.
 
 Maybe you have an idea of an easier way?

The way I have heard of is to use Linux traffic shaping on a 2.4.x
kernel, where iptables will keep track of how much bandwidth each IP has
used as long as you get the rules right. However that's not trivial
either if DHCP allocates a different IP each time there is an on/off,
but then that can be tracked in liaison with Radius logs.

Good luck.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Most Popular method for managing users in FreeRadius

[Simon White]

27-Jan-03 at 16:27, Tim Jung ([EMAIL PROTECTED]) wrote :
 Well the issue is that yes you do need everything stored in Rodopi so that
 total time for the given period is correct. For example say you limit an
 account to 300 hours per month, and they use 295 hours, then call up for 2
 hours hang up, then 2 minutes later call back. The system should know that
 they now only have 3 hours left and thus set a session limit of 3 hours. If
 the data is not being processed real-time then there is no way for the
 RADIUS server to accurately know what the exact limit of the session should
 be. Without real-time processing of the RADIUS accounting packets then on
 the second call it would think it still had 5 hours left rather than only 3
 hours left.

In my setup, RODOPI creates a users file from Radius attributes
specified on a per-plan basis. This users file is only uploaded to the
Radius server when there is a change in password or an update to
attributes. It is therefore not Rodopi that holds the actual db for
users, but the Radius server.

Session limits are usually used in the context where someone might only
be able to stay online x minutes before having to re-authenticate.

Now, if you want a prepaid system where the limit is over a long time
(and not just one session) then you have to get a bit cleverer. That
means that the Radius server has to keep track of a user's session time
over a number of sessions, each time decrementing the remaining time
based on online time in previous sessions over a given time period. This
is the problem I have been faced with and I don't have an easy solution.
Rodopi will not update the users file after every Acct-Stop packet on
my setup.

This is how I see a possible setup working:

- Rodopi creates users file with a Session Time and Date range?
- Some selfmade daemon watches the Detail file / SQL server accouting
  details and decrements the Session Time on each Acct-Stop packet
- This goes on until period is up, then the Session Time is reset /
  expires completely.

You still have the problem that a change of password means that Rodopi
now gives back a Session Time which is too high.

Rodopi says that with Steel-Belted Radius the solution is already set,
however this is a commercial solution and I don't want it.

If things have changed in a recent Rodopi version I'd like to know. By
definition, a session is one login/logout.

I'm still looking at this.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fw: [newbie]

[Simon White]

28-Jan-03 at 12:57, Frederic SOSSON ([EMAIL PROTECTED]) wrote :
 Do you mean this http://www.freeradius.org/radiusd/doc/ doc?
 
 There is no info on www.frontios.com

Yes there is. www.frontios.com/freeradius.html, that's in the docs.

Otherwise to get the docs on your machine, download the latest tarball.
Untar it, and you will have a directory called freeradius-0.8.x (where x
is latest revision) and then in there will be a subdirectory docs, in
which there will be all the reference you need, really.

Specific questions where the docs aren't clear enough can then be
reposted on the list.

Cheers

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RADIUS technical training

[Simon White]

26-Jan-03 at 11:47, Hamad AL-Hajri ([EMAIL PROTECTED]) wrote :
 Hi All,
 
 I am working at an ISP that uses livingston RADIUS and we intend to move to 
 freeradius. I am looking for  technical training on RADIUS so can anyone 
 provide that kind of training or guide me to an institute that does that. I 
 don't mind traveling to any country which has an institute that hold such 
 training programs.

Let me know your requirements, and if you are willing to travel to
Morocco / pay an instructor to travel to you.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: accounting performance

[Simon White]

27-Jan-03 at 16:23, Giuliano Zorzi ([EMAIL PROTECTED]) wrote :
 Hi,
  I'm stress-testing my freeradius test server using radclient and the
 performance-testing doc. Is there a way to test the whole
 authentication/accounting-start/accounting-stop process ?

radclient can send auth and acct packets, you just need to construct
them in separate files (1 for auth, 1 for acct-start, 1 for acct-stop)
and then run your tests using 3 command-line args for radclient.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [newbie]

[Simon White]

27-Jan-03 at 17:41, Frederic SOSSON ([EMAIL PROTECTED]) wrote :
 Hello,
 
 I'am a newbie using FreeRADIUS, and I would like to know the best way to
 store accounting data.

Depends what you're familiar with. The classic way is to do it with
the detail file, which is just a plain text file. Tools exist to
analyse that data.

Otherwise if you know a bit of MySQL that's a good way too.

Look at the options and see what you're most comfortable with. If you're
not feeling comfortable with any, then stick with detail, since that's
probably the simplest

HTH

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: AAA

[Simon White]

27-Jan-03 at 17:50, Hamida Mehdi ([EMAIL PROTECTED]) wrote :
 Hi, I’m wondering if I can get FreeRadius to run a script after a
 successful user authentication. I want to do some manipulation to my
 iptables when the user logs in.

  Exec-Program  string  program to execute after
authentication
  Exec-Program-Wait string  ditto, but wait for program to
finish
before sending back auth. reply

from docs/README

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius some info required

[Simon White]

27-Jan-03 at 20:22, rakesh jha ([EMAIL PROTECTED]) wrote :
 Hello,
 I have two questions:
 1. Does freeradius server makes a log file for users authenticated or
 rejected? The radius.log file just tells about the radius processes only and
 it is ready for serving the requests.

The accounting data is usually in a detail file (at least by default)
and in there you can get the authentication info (reject, accept, etc)

 2. How can I know as how many users have already been authenticated
 (currently). I do not want history.

radwho I believe

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fw: [newbie]

[Simon White]

27-Jan-03 at 20:03, Frederic SOSSON ([EMAIL PROTECTED]) wrote :
 Hi (again)
 
 I'd like to get a howto implement freeradius server (HTML, PDF, ...)
 
 Thanks to help newbies ;)
 

I don't know that there is one, but the docs are pretty complete.

It's not too hard to get started, and there are a couple of sites
mentioned in the docs which aren't exactly HOWTOs but have specific
examples for some situations (like MySQL, www.frontios.com if I remember
right but it's a page on that site, grep the docs for it)

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Adding Attributes while proxying

[Simon White]

27-Jan-03 at 13:24, Shohab Baig ([EMAIL PROTECTED]) wrote :
 I have Fr 0.8.1  running on redhat 7.3. I tried to get answer by searching
 mailing list  but  could not get the right answer.
 
 I am using my radius server for proxying and local authentication. While
 proxying, is it possible to add on any rad reply attribute, for instance
 Ascend-Data-Filter values for a specific realm after authentication. So that
 if any end customer(remote server) is not implementing filters, we  just add
 it from our end. I tried looking at attr file but could not achieve the
 goal.

docs/README

  The output from Exec-Program-Wait is parsed by the radius server. If
  it looks like Attribute/Value pairs, they are decoded and added to the
  reply sent to the NAS. This way, you can for example set
  Session-Timeout.

  For backwards compatibility, if the output doesn't look like valid
  radius A/V pairs, the output is taken as a message and added to the
  reply sent to the NAS as Port-Message.

That's the second time today. I must be patient today. Read at least the
README in the docs directory before asking the list?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Most Popular method for managing users in FreeRadius

[Simon White]

27-Jan-03 at 14:37, Tim Jung ([EMAIL PROTECTED]) wrote :
 I saw this posting and wanted to ask a few questions. Has anyone setup
 FreeRADIUS so it authenticates users and stores the accounting logs in
 MSSQL for use by Rodopi? I am interested in knowing if anyone has setup
 FreeRADIUS and Rodopi together so that pre-paid cards and dialup account
 time limits work and limit a users time so when they reach the limit it
 will kick them off by setting the session length correctly.
 
 If anyone has any pointers for this information I would appreciate it. We
 are already using Rodopi to import standard RADIUS logs and make the users
 file, but would prefer to see this integrated better so we can suppose
 pre-paid cards. In case it makes any difference we would like to run
 FreeRADIUS on our Red Hat Linux server. Right now we are running Cistron
 which as you know isn't really setup for pre-paid cards.

This would be interesting for me too, but I haven't had the time to
implement it yet. I don't think you need it to store to MSSQL, you can
just have RODOPI send the right attributes upon account creation/renewal
I think.

Let me know how you get on and come back with more specific questions.
I'm familiar with Rodopi 5.1...

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Allowing POP3 (email only) access

[Simon White]

22-Jan-03 at 16:28, Lisa Casey ([EMAIL PROTECTED]) wrote :
 Hi,
 
 We acquired an ISP who is using Freeradius. There are several accounts on
 this system which are meant to be email only accounts (i.e. customers dial
 in and are authenticated using their dial-up username/password, then once
 they get connected they can check e-mail on that account or on a e-mail only
 account). An e-mail only account should not, of course, be able to log in
 via radius.

Unless it's an email only account which allows dialin but only for the
purposes of checking mail. We have a setup like that (users can dial in,
but from there the only IP/Port they can hit is ourmailserver:25 and
ourmailserver:110

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: using freeradius with celluarip networks

[Simon White]

23-Jan-03 at 00:17, satnett satellite ([EMAIL PROTECTED]) wrote :
 
  
  Dear tim,
 Does Freeradius Support Voice Over Ip

VoIP has nothing to do with authentication.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Using one server with multiple owners.

[Simon White]

23-Jan-03 at 12:25, Joost ([EMAIL PROTECTED]) wrote :
 Hi,
 
 I've set up a FreeRadius 0.8.1 server with MySQL on one of my machines. Now
 I would like to use this server for 'multiple owners', so I could use it but
 others can use the same machine.
 The best way would be (i think) to use multiple mysql databases and select
 one of these databases to use depending on the NAS the request is comming
 from.
 
 Is this possible? Are there any other solutions for this problem. I could
 off course run multiple freeradiuses on multiple ports.. but I would like an
 other solution..

Perhaps read up on realms. [EMAIL PROTECTED] can be authenticated
differently from [EMAIL PROTECTED]

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Using one server with multiple owners.

[Simon White]

23-Jan-03 at 13:19, Joost Hietbrink ([EMAIL PROTECTED]) wrote :
 Yeah, I've read up to realms :). But this would mean I have to let NASes or
 their users put some kind of @thisissomedatabasetableidentifier at the end
 of their username wouldn't it? Or can I add this automaticly by putting
 something in the clients.conf file? And put some check in the 'authorize'
 and 'accounting' section so it would select sql1 or sql2 or sql3 (all
 different databases) to use?

Maybe this?

#  rewrite arbitrary packets.  Useful in accounting and
#  authorization.
## FIXME:  This is highly experimental at the moment.  Please
give
## feedback.
#attr_rewrite sanecallerid {
#   attribute = Called-Station-Id
# may be packet, reply, or config
#   searchin = packet
#   searchfor = [+ ]
#   replacewith = 
#   ignore_case = no 
#   max_matches = 10
#}

I don't know how it works, but perhaps you could use it to add a realm
to each NAS by comparing the attribute for NAS ID and then changing
username (I'm clutching at straws, really).

Maybe the NAS can add the domain?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Auth-type=Accept

[Simon White]

21-Jan-03 at 16:57, leaobicalho ([EMAIL PROTECTED]) wrote :
 When I use Auth-type=Accept, i dont
 need say password, authentic only by
 login. But always radius client send
 `login` in format STRING and not
 encrypted.
 
 I think that Password are encypted.
 Then, How i authentic only by Password?

Read up about possible authentication methods that your NAS supports,
and work out which one will encrypt passwords. 

If you authenticate only by password, how do you track users?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

[OT] Re: Dialup_admin

[Simon White]

20-Jan-03 at 16:55, System Administrator ([EMAIL PROTECTED]) wrote :
 using apache 2.0   seems to be different setup
 then what I am used to

Apache2 + PHP is still in experimental IIRC

It may not work as expected.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Dynamic IP addresses from FreeRadius questions

[Simon White]

20-Jan-03 at 21:51, Li Lin ([EMAIL PROTECTED]) wrote :
 I am setting up the dynamic IP addresses from FreeRadius and I have some
 questions as follows.
 
 1. I included the rlm_ippool into the Makefile and put dbm in the users
 file.
I do not know why I still get the following an error message as follow.
 
 /usr/local/etc/raddb/users[101]: Parse error (reply) for entry
 userSecret1Name: Unknown attribute Pool-Name
 Errors reading /usr/local/etc/raddb/users 

This means line 101 of your users file has an error. Pool-Name is not a
valid attribute. In fact, it means exactly what it says in the error
message.

 2. Could you check my users, radiusd.conf files to see anything
 missing/incorrect for the dynamic IP Radius addressing?

Get it working without this first.

 3. I also included the run time messages, could you please help me to take a
 look whether all modules have been installed properly?

There's just not the time in a day for me (or anyone else) to check your
configuration in its raw verbose format like that. Get things working in
stages, never ask so many questions at once, walk before you run.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Multiple Password Files

[Simon White]

21-Jan-03 at 18:00, Craig ([EMAIL PROTECTED]) wrote :
 I have been trying to get
 
 [EMAIL PROTECTED] to authenticated from /etc/shadow1
 [EMAIL PROTECTED] to authenticated from /etc/shadow2
 
 for a while but don't know how. Does freeradius allow this? Surely multiple 
 password files/databases/locations would be supported, since many ISP's with 
 resellers would want this.

You read up on realms and maybe using something like MySQL/LDAP rather
than shadow files? (I bet you could do it with shadow files though)

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS under Cygwin

[Simon White]

21-Jan-03 at 09:07, Amiri ( IranData.com ) ([EMAIL PROTECTED]) wrote :
 Does any one know how is the performance of the cygwin version of freeradius?
 Does it work well?

There's no reason to assume it won't work reasonably, but it won't run
as fast as on a platform for which it will natively compile.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html