Re: conflicting packet problem
> The question is, does freeradius treat each nas in the /24 as being different so it knows that the ID is different even though the ID is the same for another NAS in the /24. Or does it assume it's the same?

> The shared secrets are looked up via the 'clients.conf' file, which has a netmask. Duplicate requests are found by comparing source IP addresses.

So if I have 100 NAS's behind a proxy, since the source is the same for all of the NAS's, does it compare NAS-IP-Address or does it use the IP of the proxy?

What is the most common cause for conflicting packets and are there any easy fixes?

I am using freeradius 0.9.0 with LDAP on a dual 2GHz machine. I have 3 of these load balanced behind a L4 switch.

I am even getting duplicate records with accounting, which is odd because all it's doing is writing the accounting record straight to the disk.

Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067
Email: [EMAIL PROTECTED]
I'm out of my mind right now, but feel free to leave a message.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
conflicting packet problem
I am seeing a lot of these in my logs. I am running freeradius 0.9.0 on Linux.

Thu Dec 18 16:33:48 2003 : Error: Dropping conflicting packet from client ihug-phone:1646 - ID: 122 due to unfinished request 514640
Thu Dec 18 16:34:54 2003 : Error: Dropping conflicting packet from client ihug-phone:1646 - ID: 122 due to unfinished request 514640
Thu Dec 18 16:36:15 2003 : Error: Dropping conflicting packet from client ihug-phone:1646 - ID: 122 due to unfinished request 514640
Thu Dec 18 16:37:49 2003 : Error: Dropping conflicting packet from client ihug-phone:1646 - ID: 122 due to unfinished request 514640

As you can see they are all from the same client. The client happens to be a /24 network. The question is, does freeradius treat each NAS in the /24 as being different, so it knows that the ID is different even though the ID is the same for another NAS in the /24? Or does it assume it's the same?

I am losing a lot of radius records because of this. So any ideas on what could be causing these would be great.

max_request_time = 30
delete_blocked_requests = no (Is this safe to turn to yes yet?)
max_requests = 51200 (I have about 200 NAS's.)

Thanks.

Simon Allard
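An added model (not FreeRADIUS code) of the duplicate/conflict check behind these log lines, assuming the server keys unfinished requests on the packet's source address, source port and Identifier rather than on the NAS-IP-Address attribute; it shows why NASes sharing one source address collide on the 8-bit ID while NASes with their own addresses do not.

```python
"""Model of RADIUS duplicate/conflict detection keyed on the packet source.

Added example, not FreeRADIUS code. Assumption: the in-flight request table
is keyed on (source IP, source port, 8-bit Identifier), as the log line
"from client host:port - ID: n" suggests; the NAS-IP-Address attribute
carried inside the packet is not part of the key.
"""
from dataclasses import dataclass, field

MAX_REQUEST_TIME = 30  # seconds, the value in the poster's radiusd.conf


@dataclass(frozen=True)
class Request:
    src_ip: str           # address the UDP packet arrived from
    src_port: int
    ident: int            # RADIUS Identifier field, 0..255
    nas_ip: str           # NAS-IP-Address attribute inside the packet
    authenticator: bytes  # 16-byte Request Authenticator
    received_at: float    # seconds


@dataclass
class RequestTable:
    """Unfinished requests, keyed on (src_ip, src_port, ident)."""
    pending: dict = field(default_factory=dict)
    next_number: int = 1
    log: list = field(default_factory=list)

    def receive(self, req: Request) -> str:
        key = (req.src_ip, req.src_port, req.ident)
        entry = self.pending.get(key)
        if entry is not None:
            number, old = entry
            if req.received_at - old.received_at > MAX_REQUEST_TIME:
                # The old request timed out; forget it and accept this one.
                del self.pending[key]
            elif old.authenticator == req.authenticator:
                # Same authenticator: the NAS retransmitted a request we
                # are still working on.
                return "duplicate"
            else:
                # Same key, different authenticator: a different request
                # collided with one that is still unfinished.
                self.log.append(
                    f"Dropping conflicting packet from client "
                    f"{req.src_ip}:{req.src_port} - ID: {req.ident} "
                    f"due to unfinished request {number}")
                return "conflict"
        number = self.next_number
        self.next_number += 1
        self.pending[key] = (number, req)
        return "new"

    def finish(self, req: Request) -> None:
        """Reply sent: drop the request so its ID can be reused."""
        self.pending.pop((req.src_ip, req.src_port, req.ident), None)


def _req(src_ip, nas_ip, authenticator, at=0.0, ident=122, port=1646):
    # Constructed packets; addresses are documentation ranges.
    return Request(src_ip, port, ident, nas_ip, authenticator, at)


def nases_behind_one_proxy() -> list:
    """Two NASes relayed through one proxy share src ip/port; the second
    request reusing ID 122 before the first finishes is dropped."""
    table = RequestTable()
    a = _req("10.0.0.1", "192.0.2.10", b"A" * 16, at=0.0)
    b = _req("10.0.0.1", "192.0.2.11", b"B" * 16, at=1.0)
    return [table.receive(a), table.receive(b)]   # ["new", "conflict"]


def nases_with_own_addresses() -> list:
    """Same IDs from distinct source addresses never collide."""
    table = RequestTable()
    a = _req("192.0.2.10", "192.0.2.10", b"A" * 16)
    b = _req("192.0.2.11", "192.0.2.11", b"B" * 16)
    return [table.receive(a), table.receive(b)]   # ["new", "new"]


def retransmit_and_timeout() -> list:
    """A retransmit is a duplicate; after max_request_time the slot frees."""
    table = RequestTable()
    a = _req("10.0.0.1", "192.0.2.10", b"A" * 16, at=0.0)
    again = _req("10.0.0.1", "192.0.2.10", b"A" * 16, at=2.0)
    late = _req("10.0.0.1", "192.0.2.11", b"B" * 16, at=31.0)
    return [table.receive(a), table.receive(again), table.receive(late)]


def finished_then_reused() -> list:
    """Once the first request is answered, the same ID is accepted again."""
    table = RequestTable()
    a = _req("10.0.0.1", "192.0.2.10", b"A" * 16)
    first = table.receive(a)
    table.finish(a)
    b = _req("10.0.0.1", "192.0.2.11", b"B" * 16, at=1.0)
    return [first, table.receive(b), table.log]
```

With 200 NASes funnelled through one proxy address, the 256 Identifier values are shared by all of them, so the collision rate rises with load and with how long each request stays unfinished (a slow LDAP lookup keeps the slot busy longer).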
US Stock Market: AZAA - Military Aircraft Related Stock...foster
US Stock Market - UP On the NEWS...AZAA BREAKING NEWS - TUCSON, Ariz.--(BUSINESS WIRE)--Arizona Aircraft Spares, Inc. (OTCBB: AZAA) - one of the leading military aircraft spare parts manufacturers - announces it has signed a letter of commitment with Wolfe and Turner Investments to obtain a 6 million dollar non-equity asset-backed loan. The loan would have a ten-year term with a 25-year amortization schedule. AZAA is currently completing the due diligence phase and anticipates that funding will occur prior to December 1, 2003. Despite the current boost in government military spending, aircraft used by the US Air Force and other armed forces are now older than ever23 years on average. B-52's are older than their pilots, with no plans to build new bombers for the next 10 years. Result: Aging aircraft require ever-increasing amounts of expensive maintenance, repairs and replacement parts. Arizona Aircraft Spares' market potential is measured in billions of dollars. The company works directly with the U.S. Government and other international world governments. The proposed U.S. military budget alone is 399.1 billion-dollars, of which twenty-five percent is allocated for spare parts and ground support systems. Arizona Aircraft Spares focuses exclusively on manufacturing military aircraft spare parts. The majority of the company's business comes from the U.S. Government the Army, Navy and Air Force branches of the U.S. Military. Working with the U.S. Military represents the least cash intensive growth strategy for the company, as the government systematically pays within 30 days after the company has shipped the product. Furthermore, Arizona Aircraft Spares is eligible for the Progressive Payment program whereby the company can collect upwards of 80% of the contract's total value prior to completion of the contract. AZAA has worked with over 20 international governments and continues to maintain international clients apart from the U.S. Government. 
All other orders are required to put an upfront deposit on all contracts awarded. Arizona Aircraft Spares as a public company can take full advantage of the opportunities in the international markets with enhanced liquidity to execute larger international projects. Arizona Aircraft Spares, Inc. works primarily with the U.S. Government, focusing exclusively on the Army, Navy and Air Force branches of the U.S. Military as well as foreign ally countries. The company receives its contracts from the Department of Defense Logistics Services located in either Richmond, Virginia or Columbus, Ohio. These two sites represent the central purchasing group for U.S. Government military contracts, and the point of origin for all U.S. military bids and contracts. On average, Arizona Aircraft Spares receives over 600 requests to bid on US. military spare parts every week. Occasionally, Arizona Aircraft Spares receives orders from other U.S. Government Prime Contractors, such as Boeing and Northrop Grumman. This typically happens in situations when these companies surmise that Arizona Aircraft Spares can provide the spare parts at a better cost efficiency than them. To find out more, go to: www.arizonaaircraftspares.com AZAA IS IN NO WAY associated with this newsletter. This is for information purposes only. Penny stocks are considered to be highly speculative and may be unsuitable for all but very aggressive investors. We do not hold or plan to hold a position in this stock. This Profile was a paid advertisement by a third party not affiliated with the profiled company. We were compensated 3000 dollars to distribute this report only. Please always consult a registered financial advisor before making any decisions. This report is for entertainment and advertising purposes only and should not be used as investment advice. No more advertising: www.relar33.com
re: sqlcounter for prepaid system
Hello everyone,

I'm working on a prepaid system which has various payment options. I would like to understand a bit more about the sqlcounter and what it actually does. I've looked at the rlm_sqlcounter file in the doc directory and the experimental.conf file in the raddb directory and I have a few questions regarding them.

In rlm_sqlcounter it says:

> dailycounter: the counter that resets everyday, can be used for limiting daily access time (eg. 3 hours a day)

Does this mean that the counter starts at a particular hour (say, midnight) every day and goes for 24 hours and then resets, OR does it mean that the counter starts for each person at their first logon and counts 24 hours from that initial logon and then resets (so each person has 24 hours to use their session from when that person logged on)?

For my purposes, I would like to be able to allow people 24 hours to use up 1 hour of internet usage. If they do use up that 1 hour they should be rejected forever, or if they don't use up that 1 hour by the end of the 24 hours (from when they first logged on) they would also be rejected forever, which leads me to my next question.

experimental.conf says about the sqlcounter:

> This module NEVER does any database INSERTs or UPDATEs.

I presume that means that even if I wanted it to it couldn't do INSERTs or UPDATEs just by design, or is it possible but just not advised?

To reject a user's authentication request forever, after they have used up their 24 hour expiry period or the 1 hour of usage, I would like to UPDATE the usergroup table and move that user from one group (say, Allow) to a rejected group (say, DenyForever). Is this possible in the sqlcounter module, or am I barking up the wrong tree? If I'm way off the plot here, would someone be kind enough to suggest a place for me to look for when to do that UPDATE?

My prepay options are:

1 hour usage, expires 24 hours after initial use.
24 hour usage, expires 24 hours after initial use.
30 hour usage, expires 1 month (31 days) after initial use.

I presume that if I get the '1 hour usage, 24 hour expiry' part working I will be able to figure out the rest.

Many thanks for reading this, and any help is much appreciated,

simon.
RE: FREERADIUS OPENBSD I am new to radius
Hi Michael,

Are you sending just an authentication request from ntradping, and sending it to port 1812? (Some versions of ntradping default to sending requests on port 1645... or some port close to that.)

What's your network setup like? Are you sure you can reach the radius server from the ntradping workstation (try reaching it by some other means, such as ping, or telnet)? Maybe some ports need to be opened somewhere on the network path to let requests come in on 1812/udp, 1813/udp, 1814/udp? And make sure _udp_ traffic is opened for those ports as opposed to tcp, I got stung by that one!

hth,
simon.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TEST
Sent: 08 October 2003 13:19
To: [EMAIL PROTECTED]
Subject: FREERADIUS OPENBSD I am new to radius

Hi All,

I finally got freeradius to run on OpenBSD, thank you all for your help... I now have a new question for the list. As you can see below I have the server up and running after configuring the clients, users, naslist, and naspasswd files... When I test the server with ntradping I receive the response "no response from server, request timed out". Is there something I have missed in the config? Any ideas please as to where I should look next.

Thanx

radius# ./radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = /usr/local/radius
main: localstatedir = /usr/local/radius/var
main: logdir = /usr/local/radius/var/log/radius
main: libdir = /usr/local/radius/lib
main: radacctdir = /usr/local/radius/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/radius/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/radius/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/radius/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/radius/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/radius/etc/raddb/huntgroups
preprocess: hints = /usr/local/radius/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/radius/etc/raddb/users
files: acctusersfile = /usr/local/radius/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/radius/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m
RE: Radiusd service script + daemontools supervise
Thanks Alan,

Simon.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 16 September 2003 15:36
To: [EMAIL PROTECTED]
Subject: Re: Radiusd service script + daemontools supervise

simon mackey [EMAIL PROTECTED] wrote:
> When I boot up I can see the message Starting radiusd [OK] amongst all the other services like httpd, etc., so I presume it's running, but when I log in and type lsof -i at the command line I don't see any radiusd processes running :(

'ps' is the usual command to use. 'lsof' does something else.

> I would really appreciate it if someone would take me through how to get radiusd to start at boot time (with daemontools also monitoring it without me having to type supervise /var/svc/radiusd every time I reboot)?

The 'doc' directory has documentation on setting up daemontools.

As for getting it to run on boot, that's a function of your local OS. Read its documentation, and look at the scripts for the other programs which *do* run on boot.

Alan DeKok.
Radiusd service script + daemontools supervise
Hello all,

I'm trying to set up radiusd to start when the computer boots up, and to get started again if it fails. I'm running Mandrake Linux 8.2. I've read a good few of the mailing list posts about this and have installed daemontools, which works fine :)

I tried to run radiusd as a service (please excuse my terminology if that's not a unix term!) by putting the provided radiusd script (from the scripts directory in the extracted source files) into the /etc/rc.d/init.d directory and created all the appropriate symlinks in rc0.d, rc1.d, rc3.d, and rc5.d.

When I boot up I can see the message Starting radiusd [OK] amongst all the other services like httpd, etc., so I presume it's running, but when I log in and type lsof -i at the command line I don't see any radiusd processes running :( Does this mean that the radius server isn't running (that's where I've seen it when I run it just from the command line) or is it in fact running but services are shown somewhere else?

I would really appreciate it if someone would take me through how to get radiusd to start at boot time (with daemontools also monitoring it without me having to type supervise /var/svc/radiusd every time I reboot)?

Many thanks in advance,

simon
RE: hupping freeradius
> On reflection, that seems a better idea. If (when) you find it works better, I'll change the Debian initscript to do that instead.
>
> Paul.

Hupping the pidfile by using

start-stop-daemon --stop --signal 1 --quiet --pidfile $pidfile

instead of killall -HUP works a lot better. When my servers were doing killall -HUP's I would get to work and find them using 200meg of ram and more threads than actually required. Hupping the pidfile worked the way it should work :D

I have changed all my production servers over to this method and they are a lot happier.

- Simon

Simon Allard
hupping freeradius
Hi guys.

I have just upgraded to 0.9.0. It's running really well. Big thanks goes to all the people involved.

I have noticed that sending the HUP signal works now! I changed my scripts to HUP the server every 20 minutes or so, so it can read the new userfiles. (I was losing a lot of accounting packets when I did a restart, so HUP works much better.)

The init script in the debian dir does a killall -HUP freeradius. When I do this 2 more threads appear for no reason and memory sky rockets after a while. After 1 day I am using 200meg or so. I only use 30meg when freeradius first starts.

Firstly, is HUP something I should be using yet? Is anyone else seeing this problem? I am going to have a play around with just hupping the pid that ends up in /var/run/freeradius/radiusd.pid and see if that makes a difference.

Thanks :)

Simon Allard
RE: hupping freeradius
> However, the only reason to HUP the server is to read changed *.conf files. If you use the 'fastusers' module (recommended as it is faster as the name implies) or sql, you won't need to HUP the server to read changes in the 'users' file, either.
>
> -- Chris Parker

You say that I don't need to HUP the server to re-read the userfiles? Care to go into more detail? ATM I am only hupping the server to re-read the usersfile as I was under the assumption that it loaded it into memory.

Simon Allard
RE: hupping freeradius
> You say that I don't need to HUP the server to re-read the userfiles? Care to go into more detail? ATM I am only hupping the server to re-read the usersfile as I was under the assumption that it loaded it into memory.

RTFM Simon :D fastusers is exactly what I am after. Thanks :D. I will still look into that hup thing though for you, as I will need to hup the server when the huntgroup file changes.

Simon Allard
Re: User Survey - Which DB backend do you use?
On Mon, Jul 14, 2003 at 10:30:52AM +0300, Peter Nixon wrote:
> I would like to take a quick straw poll.
> a) If you use a Database backend for FreeRadius which one do you use?

MySQL

Simon.
re: updating session-timeout attribute in MySql db through Radius
Hello!

I'm working on a prepaid public internet access system. And I would like to be able to update the value of the Session-Timeout attribute in the MySQL database through freeRadius, as opposed to just a direct SQL statement to the MySQL server. The reason for wanting to do this is so that if a user only used half of their allotted time, then they would be able to login at another time and still have the other half of their time (stored by the Session-Timeout attribute).

Is this possible?

Many thanks in advance for any help,

Simon.
Re: LDAP and User files
> Why not just do:
>
> DEFAULT Huntgroup-Name == VOICE, Autz-Type := VOICE
>
> ldap ldap_voice {
>     filter = (cn=${User-Name})
>     [...]
> }
>
> authorize {
>     autztype VOICE {
>         ldap_voice
>     }
>     [...]
> }

Excellent! Thank You! :D

Simon Allard
LDAP and User files
I have a small problem. Currently I have a VOIP system here which uses freeradius 0.8.1 to authenticate. I have a users file which contains entries like:

5551234    Auth-Type := Accept, Huntgroup-Name == VOICE

at the end of the file I have

Unfortunately I have close to over 150,000 of these entries and as you can imagine the users file is quite big, i.e. 10meg now. Freeradius takes a wee while to start.

I currently have an LDAP database used to auth my dialup customers. I need a way to put the phone customers in also. I need to be able to do something like this:

DEFAULT Huntgroup-Name == VOICE, User-Profile == cn=${User-Name}, dn=isp,dn=co,dn=nz

If the userfile is not found in LDAP then it falls back to this default profile which is in the users file:

DEFAULT Auth-Type := Reject, Huntgroup-Name == VOICE

Is that possible? If not, what are my options? Bear in mind that I have to use LDAP, I can't convert to mysql or oracle. The aim of the game is to reduce the 10meg users file down to virtually nothing.

Thanks in Advance

Simon Allard
Simultaneous-Use
Hello

Here's what I have done. I inserted (dialup, Simultaneous-Use, :=, 1) into radgroupcheck. And I uncommented simul_count_query and simul_verify_query in sql.conf.

After I had done that, when I looked at the radius.log it seemed that it's catching multiple logins. But it turns out that radius is denying dialup users, even though the login is not a multiple login.

When I looked at simul_count_query, it looked like this query just counts the number of records that have AcctStopTime of 0 for a certain user. So I searched our radacct table and found almost 12 records that have 0 as AcctStopTime (most of them are dial-up customers). And it looked like most of the dial-up customers have at least one record with 0 as AcctStopTime.

So what I want to know is this: the reason why dial-up customers couldn't login when I uncommented simul_count_query and simul_verify_query is because dial-up users have records with 0 as AcctStopTime and the way simul_count_query works? Am I correct? If not, can someone help me out?

Thanks in advance

Simon

Simon Son
New Zealand Online Tech Ltd.
Level 2, 10 Northcroft St
Takapuna
Auckland
Ph: 09-488-9001
Fax: 09-489-8324
Mobile: 021-267-2697
questions about sql
Hello

I was checking sql.conf and wondering what simul_count_query and simul_verify_query do. If the return value of simul_count_query for a user is more than one (say 3), does this mean this user has 3 simultaneous sessions?

Regards

Simon
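The simul_count_query behaviour asked about in the two posts above, as an added example that is not code from the posters or from FreeRADIUS: a constructed radacct table in SQLite (an assumption; the stock schema uses MySQL DATETIME columns, epoch integers are used here) shows how one never-closed row pushes the count up to the Simultaneous-Use limit, and how to list the stale rows and the NAS they came from.

```python
"""Why stale radacct rows make a Simultaneous-Use check reject real logins.

Added example, not FreeRADIUS code. Assumptions: simul_count_query counts
a user's radacct rows whose AcctStopTime is still 0 (never closed), as the
posts describe; column names follow the stock rlm_sql schema, and times are
stored as Unix epoch integers instead of MySQL DATETIMEs so the example is
self-contained in SQLite.
"""
import sqlite3

NOW = 1_700_000_000          # fixed "current time" for the constructed data
HOUR = 3600

# The shape of simul_count_query: open sessions for this user.
SIMUL_COUNT_SQL = ("SELECT COUNT(*) FROM radacct "
                   "WHERE UserName = ? AND AcctStopTime = 0")

# Open sessions that started longer ago than any session could plausibly last.
STALE_SQL = ("SELECT AcctSessionId, NASIPAddress, AcctStartTime FROM radacct "
             "WHERE UserName = ? AND AcctStopTime = 0 AND AcctStartTime < ?")

# Count that ignores stale rows: what the user is actually running now.
LIVE_COUNT_SQL = ("SELECT COUNT(*) FROM radacct WHERE UserName = ? "
                  "AND AcctStopTime = 0 AND AcctStartTime >= ?")


def build_radacct() -> sqlite3.Connection:
    """Constructed accounting data for user 'simon': one session whose Stop
    record never arrived a week ago, one closed normally, one live now."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        RadAcctId INTEGER PRIMARY KEY, AcctSessionId TEXT, UserName TEXT,
        NASIPAddress TEXT, AcctStartTime INTEGER, AcctStopTime INTEGER)""")
    rows = [
        ("8001", "simon", "192.0.2.1", NOW - 7 * 24 * HOUR, 0),    # stale
        ("8002", "simon", "192.0.2.1", NOW - 2 * HOUR, NOW - HOUR),  # closed
        ("8003", "simon", "192.0.2.2", NOW - 5 * 60, 0),             # live
        ("9001", "alice", "192.0.2.2", NOW - 10 * 60, 0),            # other user
    ]
    conn.executemany("INSERT INTO radacct (AcctSessionId, UserName, "
                     "NASIPAddress, AcctStartTime, AcctStopTime) "
                     "VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def simul_count(conn, user) -> int:
    """What simul_count_query reports for the user."""
    return conn.execute(SIMUL_COUNT_SQL, (user,)).fetchone()[0]


def simultaneous_use_allows(conn, user, limit) -> bool:
    """Simultaneous-Use := limit passes only while the count is below it."""
    return simul_count(conn, user) < limit


def stale_sessions(conn, user, max_age=24 * HOUR) -> list:
    """Open rows older than max_age: candidates for a lost Accounting-Stop.
    NASIPAddress tells you which NAS is not sending Stops."""
    return conn.execute(STALE_SQL, (user, NOW - max_age)).fetchall()


def live_count(conn, user, max_age=24 * HOUR) -> int:
    """Open rows young enough to be genuinely live sessions."""
    return conn.execute(LIVE_COUNT_SQL, (user, NOW - max_age)).fetchone()[0]


def diagnose(conn, user, limit=1, max_age=24 * HOUR) -> dict:
    """Everything an operator wants to see before trusting simul_count_query."""
    return {
        "counted": simul_count(conn, user),
        "allowed": simultaneous_use_allows(conn, user, limit),
        "stale": stale_sessions(conn, user, max_age),
        "live": live_count(conn, user, max_age),
    }
```

For 'simon' the query counts 2 open sessions, so a limit of 1 rejects him even though only session 8003 is real; the stale row 8001 from NAS 192.0.2.1 is the one to chase up before the check is enabled in production.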
Re: questions about checkrad
Hi Alan

I think what you said in this reply is the situation I am in. So if I can't use checkrad, can you suggest what I should do to make Simultaneous-Use work?

I set radiusd.conf like this:

# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
    acct_unique
    detail
    sql
}

# Session database, used for checking Simultaneous-Use. The radutmp module
# handles this
session {
    sql
}

Regards,
Simon

Message: 3
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: questions about checkrad
Date: Tue, 18 Mar 2003 08:13:05 -0500
Reply-To: [EMAIL PROTECTED]

Ed H [EMAIL PROTECTED] wrote:
> If I have an NAS box proxying to me, then how do I use Simultaneous-Use in a MySQL setup? Does it use checkrad?

NAS boxes don't do proxying. If a RADIUS server proxies requests to you, then 99 times out of 10, you don't have access to their NAS equipment, so you can't use checkrad.

Alan DeKok.

Simon Son
Re: questions about checkrad
Thanks Alan

I just want to ask one more thing though. You said:

> If checkrad can't be run (nastype is other), then the information in radutmp is believed, and enforces Simultaneous-Use.

I use sql for session, so I was wondering if the above statement applies to sql as well.

Regards
Simon

Message: 2
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: questions about checkrad
Date: Tue, 18 Mar 2003 13:06:58 -0500
Reply-To: [EMAIL PROTECTED]

Simon Son [EMAIL PROTECTED] wrote:
> I think what you said in this reply is the situation I am in. So if I can't use checkrad, can you suggest what I should do to make Simultaneous-Use work?

If checkrad can't be run (nastype is other), then the information in radutmp is believed, and enforces Simultaneous-Use.

> I set radiusd.conf like this ...

That's nice, but what happens when you send packets to the server?

Grab the current CVS snapshot. It should give more information as to what's happening during Simultaneous-Use checking.

Alan DeKok.
questions about checkrad
Hello All

I am trying to make simultaneous use work. It seems that checkrad is the script that checks multiple logins. The company I work for uses a bigger ISP's access service, and from what I gather their radius server is configured to proxy requests on. So all the authentication requests are sent to our radius to handle.

What I want to know is this. When I tried to run checkrad manually, checkrad gives the following output:

checkrad nas_type nas_ip nas_port login session_id

Can anyone tell me what I put as nas_type? Their radius server is run on Sun boxes, but I can't find anything about Sun as a nas type. Do I ask them to give me info about what NAS they actually use (from what I gather, Cisco and USR Hyperarc (for dialup) are the NAS used) and put them into naslist?

Regards.

Simon
Re: MySQL connect problem
On Thu, Mar 13, 2003 at 10:08:46AM +0100, Nils Rønhovde wrote:
> Regrettably a snoop on my MySQL-server reveals that the mysql module uses the default mysql port:
>
> radius-server - mysql-server TCP D=3306 S=52117 Rst Seq=4288337583 Len=0 Win=24820
>
> Has anyone tried using a non-standard port? I'm using FR 0.8.1 from the download page.

Hmm, the mysql module seems to ignore the port that's passed to it via the configuration files. I've included an (untested) one line fix against current cvs that should help. It applies to 0.8.1 also. Does this help?

-- Simon

diff -urN radiusd.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c --- radiusd.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c 2003-03-13 11:20:22.0 +0100 +++ radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c 2003-03-13 11:22:31.0 +0100 @@ -61,7 +61,7 @@ mysql_init((mysql_sock-conn)); if (!(mysql_sock-sock = mysql_real_connect((mysql_sock-conn), config-sql_server, config-sql_login, config-sql_password, - config-sql_db, 0, NULL, CLIENT_FOUND_ROWS))) { + config-sql_db, atoi(config-sql_port), NULL, CLIENT_FOUND_ROWS))) { radlog(L_ERR, rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:%s, config-sql_login, config-sql_server, config-sql_db); radlog(L_ERR, rlm_sql_mysql: Mysql error '%s', mysql_error(mysql_sock-conn)); mysql_sock-sock = NULL;
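Review bot: the replacement argument atoi(config->sql_port) silently yields 0 for an empty or non-numeric sql_port, and mysql_real_connect() treats port 0 as "use the default", so a mistyped port in sql.conf would reproduce exactly the symptom Nils reported (connections to 3306) with nothing in the log. Parse with strtol(), check the end pointer and the 1..65535 range, and radlog(L_ERR, ...) on failure before the mysql_real_connect() call; since the post says the change is untested, a run against a MySQL instance listening on a non-default port would confirm the fix.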
Re: FreeRADIUS + SQL + MD5
On Thu, Mar 13, 2003 at 05:21:24AM -, Jeremy Brown wrote:
> So, after all this rambling, I guess my question is: Is there anyway to get the server to md5 hash the password before doing the MySQL query? I believe this would solve all my problems.

Try:

modules {
    [stuff]
    pap md5 {
        encryption_scheme = md5
    }
    [stuff]
}

authenticate {
    authtype MD5 {
        md5
    }
}

And set auth-type := MD5 in your sql tables. That should work.

-- Simon
Re: FreeRADIUS + SQL + MD5
On Thu, Mar 13, 2003 at 02:59:54PM +0200, Vasili G. Yanov wrote:
> This doesn't work.
>
> S> authenticate {
> S>     authtype MD5 {
> S>         md5
> S>     }
> S> }
> S> And set auth-type := MD5 in your sql tables.
> S> That should work.

Why? I just tested it locally and it worked fine.

-- Simon
Re: FreeRADIUS + SQL + MD5
On Thu, Mar 13, 2003 at 04:21:26PM +0200, Vasili G. Yanov wrote:
> Nothing to do. Sleeping until we see a request.
> rad_recv: Access-Request packet from host 127.0.0.1:1048, id=219, length=64
>         User-Name = vasili
>         User-Password = xxx
>         Service-Type = Framed-User
>         NAS-IP-Address = xxx.yyy.zzz.aaa
>         NAS-Port = 0
> [...]
> rlm_sql (sql): Pairs do not match for user [vasili]
> rlm_sql (sql): Released sql socket id: 3
> modcall[authorize]: module sql returns notfound

Like the server says, the pairs sent to the server don't match what's in your sql tables. Do you have anything in radcheck/radgroupcheck associated with the user vasili that isn't included in the request?

-- Simon
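The "Pairs do not match" outcome in this thread and the Auth-Type MD5 setup suggested two messages earlier, as an added example (not the posters' or FreeRADIUS's code): a simplified model of the radcheck comparison and the MD5 password step, run over constructed check items and a request shaped like the debug output above; the operator handling is an assumption and only ':=', '==' and '!=' are modelled.

```python
"""Model of the rlm_sql check-item comparison and the MD5 password step.

Added example, not FreeRADIUS code. Assumptions: radcheck/radgroupcheck
rows are (attribute, operator, value) triples; ':=' items only set values
and are never compared; '==' and '!=' items must find the attribute in the
request, and a missing one is a mismatch (the "Pairs do not match" case);
User-Password is left to the authenticate stage, where the stored value is
assumed to be the hex MD5 digest of the cleartext password.
"""
import hashlib
import hmac

SET_OPS = {":=", "+=", "-="}
COMPARE_OPS = {"==", "!="}


def check_items_match(check_items, request):
    """Return (matched, reasons). Mirrors the decision that makes rlm_sql
    say "Pairs do not match" and return notfound."""
    reasons = []
    for attr, op, want in check_items:
        if op in SET_OPS or attr == "User-Password":
            continue                      # configuration item, not a test
        if op not in COMPARE_OPS:
            raise ValueError(f"operator {op!r} not modelled")
        have = request.get(attr)
        if have is None:
            reasons.append(f"{attr} {op} {want!r}: attribute not in request")
            continue
        equal = str(have) == str(want)
        if (op == "==") != equal:
            reasons.append(f"{attr} {op} {want!r}: request has {have!r}")
    return (not reasons), reasons


def md5_hex(cleartext: str) -> str:
    return hashlib.md5(cleartext.encode()).hexdigest()


def md5_password_ok(check_items, request) -> bool:
    """Auth-Type MD5: compare MD5(User-Password) with the stored digest."""
    stored = [v for a, _, v in check_items if a == "User-Password"]
    sent = request.get("User-Password")
    if not stored or sent is None:
        return False
    return hmac.compare_digest(md5_hex(sent), stored[0].lower())


def authorize_and_authenticate(check_items, request) -> str:
    """'notfound' when the check items do not match, else the MD5 verdict."""
    matched, _ = check_items_match(check_items, request)
    if not matched:
        return "notfound"
    auth_type = next((v for a, _, v in check_items if a == "Auth-Type"), None)
    if auth_type != "MD5":
        return f"auth-type {auth_type} not modelled"
    return "accept" if md5_password_ok(check_items, request) else "reject"


# Constructed request, shaped like the debug output quoted above.
REQUEST = {
    "User-Name": "vasili",
    "User-Password": "xxx",
    "Service-Type": "Framed-User",
    "NAS-IP-Address": "203.0.113.9",
    "NAS-Port": "0",
}

# Constructed radcheck rows for vasili that the request satisfies.
RADCHECK_OK = [
    ("Auth-Type", ":=", "MD5"),
    ("User-Password", "==", md5_hex("xxx")),
    ("NAS-Port", "==", "0"),
]

# Same rows plus a check on an attribute this NAS never sends.
RADCHECK_EXTRA = RADCHECK_OK + [("Calling-Station-Id", "==", "5551234")]


def demo() -> dict:
    return {
        "ok": authorize_and_authenticate(RADCHECK_OK, REQUEST),
        "extra": authorize_and_authenticate(RADCHECK_EXTRA, REQUEST),
        "extra_reasons": check_items_match(RADCHECK_EXTRA, REQUEST)[1],
        "wrong_password": authorize_and_authenticate(
            RADCHECK_OK, {**REQUEST, "User-Password": "yyy"}),
    }
```

The `extra_reasons` entry names the check item the request cannot satisfy, which is the information the server's one-line "Pairs do not match" message leaves out.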
Re: checking radiusd with cron
On Tue, Mar 11, 2003 at 09:24:02AM -0500, Thomas S. Crum - AAA Web Solution, Inc. wrote:
> This may seem like an oversimplified approach, but can someone please comment. I've noticed that when radius dies, it usually kills all of its processes with it. Some have written a cron that checks first and then restarts etc. I wrote a cron that every minute just runs /usr/local/sbin/radiusd, if radiusd is running it will fail because it cannot bind the port. If not, it will start radiusd.

Try reading doc/supervise-radiusd.txt .

-- Simon
FreeRADIUS and LDAP unix sockets
I had a look through the LDAP docs and I couldn't see anything obvious. Is there a way to specify the use of a URI rather than a hostname? I want to be able to use ldapi:// so it uses the unix socket rather than the tcp socket. It's quite a lot faster!

Is that possible with the current code base or do I need to get my hands dirty and give in a patch?

- Simon

Simon Allard
Authentication error
Hello

Our service provider tried to move our dialup to a new LNS (from Cisco to 3com). But when our customers tried to access us after dial up has cut over to the different LNS, dial users are getting access reject instead of the standard access accept to their authentication requests.

After the latest cut over attempt, our provider sent me a log. But since I am new to radius, I don't know what to do, because the guy who set up the radius suddenly left the company and he didn't leave any documentation. We use radius and mysql for AAA.

I am wondering if this problem happens because 3com forwards different attributes than the Cisco one?

### Proxy action of an accepted request ###

Relaying access request with id 177 (now 726) from c0a8fb4b (ipa1-r28-0.ipnet.telecom.co.nz) to
        Proxy-Action = "" [flags = 0x00010400]
        NAS-IP-Address = 192.168.7.1 [flags = 0x00014500]
        NAS-Port = 136 [flags = 0x00014500]
        Cisco-NAS-Port = "Virtual-Access136" [flags = 0x00014400]
        NAS-Port-Type = Virtual [flags = 0x00014500]
        User-Name = "jjcharisma" [flags = 0x00014500]
        Called-Station-Id = "0870907500" [flags = 0x00014500]
        Calling-Station-Id = "78399400" [flags = 0x00014500]
        Service-Type = Framed [flags = 0x00014A00]
        Framed-Protocol = PPP [flags = 0x00014A00]
        User-Id = "jjcharisma" [flags = 0x00010400]
        NAS-Identifier = "192.168.7.1" [flags = 0x00014500]
        User-Realm = "ipa1-n20-9e2" [flags = 0x00010400]
        Proxy-State = "0" [flags = 0x00014000]
rad_2rad_recv: received reply accept to RADIUS request 726/214
        Framed-Protocol = PPP [flags = 0x00014A00]
        Service-Type = Framed [flags = 0x00014A00]
        Idle-Timeout = 1800 [flags = 0x00014A00]
        Proxy-State = "0" [flags = 0x00014000]

Proxy action of a rejected request

Relaying access request with id 196 (now 43592) from c0a80728 (ipa1-n20-9e2.ipnet.telecom.co.nz)
        Proxy-Action = "" [flags = 0x00010400]
        User-Name = "jjcharisma" [flags = 0x00014500]
        NAS-IP-Address = 192.168.7.40 [flags = 0x00014500]
        NAS-Identifier = "192.168.7.40" [flags = 0x00014500]
        NAS-Port = 961 [flags = 0x00014500]
        Acct-Session-Id = "33884695" [flags = 0x00014500]
        USR-Interface-Index = 827 [flags = 0x00014600]
        USR-NAS-Supports-Tags = 0 [flags = 0x4600]
        Service-Type = Framed [flags = 0x00014A00]
        Framed-Protocol = PPP [flags = 0x00014A00]
        USR-Chassis-Call-Slot = 26 [flags = 0x00014400]
        USR-Chassis-Call-Span = 1 [flags = 0x00014400]
        USR-Chassis-Call-Channel = 1074 [flags = 0x00014400]
        USR-Connect-Speed = NONE [flags = 0x00014400]
        Calling-Station-Id = "98130199" [flags = 0x00014500]
        Called-Station-Id = "0870907500" [flags = 0x00014500]
        NAS-Port-Type = Async [flags = 0x00014500]
        User-Id = "jjcharisma" [flags = 0x00010400]
        User-Realm = "ipa1-n20-9e2" [flags = 0x00010400]
        Proxy-State = "0" [flags = 0x00014000]
rad_2rad_recv: received reply reject to RADIUS request 43592/72
        Proxy-State = "0" [flags = 0x00014000]

The accepted message was given by Cisco and the rejected message was given by 3Com. I am really confused why this is happening. As far as I know, only ID and password are checked for authentication.

Thanks in advance

Simon
Authentication error with Dialup
Hello All

Sorry about the gibberish mail I sent before. Hope this one will be ok.

Our service provider tried to move our dialup to a new LNS (from Cisco to 3com). But when our customers tried to access us after dial up has cut over to the different LNS, dial users are getting access reject instead of the standard access accept to their authentication requests.

After the latest cut over attempt, our provider sent me a log. But since I am new to radius, I don't know what to do, because the guy who set up the radius suddenly left the company and he didn't leave any documentation. We use radius and mysql for AAA.

I am wondering if this problem happens because 3com forwards different attributes than the Cisco one?

### Proxy action of an accepted request ###

Relaying access request with id 177 (now 726) from c0a8fb4b (ipa1-r28-0.ipnet.telecom.co.nz) to
        Proxy-Action = AUTHENTICATE [flags = 0x00010400]
        NAS-IP-Address = 192.168.7.1 [flags = 0x00014500]
        NAS-Port = 136 [flags = 0x00014500]
        Cisco-NAS-Port = Virtual-Access136 [flags = 0x00014400]
        NAS-Port-Type = Virtual [flags = 0x00014500]
        User-Name = jjcharisma [flags = 0x00014500]
        Called-Station-Id = 0870907500 [flags = 0x00014500]
        Calling-Station-Id = 78399400 [flags = 0x00014500]
        Service-Type = Framed [flags = 0x00014A00]
        Framed-Protocol = PPP [flags = 0x00014A00]
        User-Id = jjcharisma [flags = 0x00010400]
        NAS-Identifier = 192.168.7.1 [flags = 0x00014500]
        User-Realm = ipa1-n20-9e2 [flags = 0x00010400]
        Proxy-State = 0 [flags = 0x00014000]
rad_2rad_recv: received reply accept to RADIUS request 726/214
        Framed-Protocol = PPP [flags = 0x00014A00]
        Service-Type = Framed [flags = 0x00014A00]
        Idle-Timeout = 1800 [flags = 0x00014A00]
        Proxy-State = 0 [flags = 0x00014000]

Proxy action of a rejected request

Relaying access request with id 196 (now 43592) from c0a80728 (ipa1-n20-9e2.ipnet.telecom.co.nz)
        Proxy-Action = AUTHENTICATE [flags = 0x00010400]
        User-Name = jjcharisma [flags = 0x00014500]
        NAS-IP-Address = 192.168.7.40 [flags = 0x00014500]
        NAS-Identifier = 192.168.7.40 [flags = 0x00014500]
        NAS-Port = 961 [flags = 0x00014500]
        Acct-Session-Id = 33884695 [flags = 0x00014500]
        USR-Interface-Index = 827 [flags = 0x00014600]
        USR-NAS-Supports-Tags = 0 [flags = 0x4600]
        Service-Type = Framed [flags = 0x00014A00]
        Framed-Protocol = PPP [flags = 0x00014A00]
        USR-Chassis-Call-Slot = 26 [flags = 0x00014400]
        USR-Chassis-Call-Span = 1 [flags = 0x00014400]
        USR-Chassis-Call-Channel = 1074 [flags = 0x00014400]
        USR-Connect-Speed = NONE [flags = 0x00014400]
        Calling-Station-Id = 98130199 [flags = 0x00014500]
        Called-Station-Id = 0870907500 [flags = 0x00014500]
        NAS-Port-Type = Async [flags = 0x00014500]
        User-Id = jjcharisma [flags = 0x00010400]
        User-Realm = ipa1-n20-9e2 [flags = 0x00010400]
        Proxy-State = 0 [flags = 0x00014000]
rad_2rad_recv: received reply reject to RADIUS request 43592/72
        Proxy-State = 0 [flags = 0x00014000]

The accepted message was given by Cisco and the rejected message was given by 3Com. I am really confused why this is happening. As far as I know, only ID and password are checked for authentication.

Thanks in advance

Simon
Authentication Problem with Dialup
Hello All

Sorry about the gibberish mail I sent before. I don't know why that happened. Hope this one will be ok.

Our service provider tried to move our dialup to a new LNS (from Cisco to 3com). But when our customers tried to access us after dial up has cut over to the different LNS, dial users are getting access reject instead of the standard access accept to their authentication requests.

After the latest cut over attempt, our provider sent me a log. But since I am new to radius, I don't know what to do, because the guy who set up the radius suddenly left the company and he didn't leave any documentation. We use radius and mysql for AAA.

I am wondering if this problem happens because 3com forwards different attributes than the Cisco one?

### Proxy action of an accepted request ###

Relaying access request with id 177 (now 726) from c0a8fb4b (ipa1-r28-0.ipnet.telecom.co.nz) to
        Proxy-Action = AUTHENTICATE [flags = 0x00010400]
        NAS-IP-Address = 192.168.7.1 [flags = 0x00014500]
        NAS-Port = 136 [flags = 0x00014500]
        Cisco-NAS-Port = Virtual-Access136 [flags = 0x00014400]
        NAS-Port-Type = Virtual [flags = 0x00014500]
        User-Name = jjcharisma [flags = 0x00014500]
        Called-Station-Id = 0870907500 [flags = 0x00014500]
        Calling-Station-Id = 78399400 [flags = 0x00014500]
        Service-Type = Framed [flags = 0x00014A00]
        Framed-Protocol = PPP [flags = 0x00014A00]
        User-Id = jjcharisma [flags = 0x00010400]
        NAS-Identifier = 192.168.7.1 [flags = 0x00014500]
        User-Realm = ipa1-n20-9e2 [flags = 0x00010400]
        Proxy-State = 0 [flags = 0x00014000]
rad_2rad_recv: received reply accept to RADIUS request 726/214
        Framed-Protocol = PPP [flags = 0x00014A00]
        Service-Type = Framed [flags = 0x00014A00]
        Idle-Timeout = 1800 [flags = 0x00014A00]
        Proxy-State = 0 [flags = 0x00014000]

Proxy action of a rejected request

Relaying access request with id 196 (now 43592) from c0a80728 (ipa1-n20-9e2.ipnet.telecom.co.nz)
        Proxy-Action = AUTHENTICATE [flags = 0x00010400]
        User-Name = jjcharisma [flags = 0x00014500]
        NAS-IP-Address = 192.168.7.40 [flags = 0x00014500]
        NAS-Identifier = 192.168.7.40 [flags = 0x00014500]
        NAS-Port = 961 [flags = 0x00014500]
        Acct-Session-Id = 33884695 [flags = 0x00014500]
        USR-Interface-Index = 827 [flags = 0x00014600]
        USR-NAS-Supports-Tags = 0 [flags = 0x4600]
        Service-Type = Framed [flags = 0x00014A00]
        Framed-Protocol = PPP [flags = 0x00014A00]
        USR-Chassis-Call-Slot = 26 [flags = 0x00014400]
        USR-Chassis-Call-Span = 1 [flags = 0x00014400]
        USR-Chassis-Call-Channel = 1074 [flags = 0x00014400]
        USR-Connect-Speed = NONE [flags = 0x00014400]
        Calling-Station-Id = 98130199 [flags = 0x00014500]
        Called-Station-Id = 0870907500 [flags = 0x00014500]
        NAS-Port-Type = Async [flags = 0x00014500]
        User-Id = jjcharisma [flags = 0x00010400]
        User-Realm = ipa1-n20-9e2 [flags = 0x00010400]
        Proxy-State = 0 [flags = 0x00014000]
rad_2rad_recv: received reply reject to RADIUS request 43592/72
        Proxy-State = 0 [flags = 0x00014000]

The accepted message was given by Cisco and the rejected message was given by 3Com. I am really confused why this is happening. As far as I know, only ID and password are checked for authentication.

Thanks in advance

Simon
Re: Storing Plain text passwords in MySQL?
04-Mar-03 at 17:55, Rob Hartzenberg ([EMAIL PROTECTED]) wrote :
> > > Hi List, Chris
> > >
> > > I would like to be able to store the passwords in the MySQL database in clear text (Unencrypted). What do I need to change to get this to work?
> >
> > Nothing, simply add the a/o/v set to the check table:
> >
> >   +----------+---------------+----+---------+
> >   | username | User-Password | == | mypasss |
> >   +----------+---------------+----+---------+
>
> Ok, can I assume from this that radiusd will try match against both plain text and encrypted passwords?

No. The PAP default, for example, is crypt passwords. You will need to change radiusd.conf to

        # PAP module to authenticate users based on their stored
        # password
        #
        # Supports multiple encryption schemes
        # clear: Clear text
        # crypt: Unix crypt
        # md5: MD5 encryption
        # sha1: SHA1 encryption.
        # DEFAULT: crypt
        pap {
                encryption_scheme = clear
        }

or similar. I don't know that you can have both co-existing, without perhaps having two instances running on two separate ports.

Regards,
-- 
[--Partly Cloudy in Rabat, 18°C/64°F. Wind: W strength 7. Humidity: 88%--]
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -- Rich Cook
Re: mod_radius_auth digest auth
04-Mar-03 at 19:01, Josh Howlett ([EMAIL PROTECTED]) wrote :
> On Tue, 2003-03-04 at 13:47, Alan DeKok wrote:
> > > In this hypothetical case, would it be feasible for a user to present the same cookie to a different WWW server, which could then attempt to authenticate the user by passing the cookie to the remote RADIUS server? (ie. thereby avoiding the need for the user to present his credentials again - the idea being to enable single sign-on). Is this idea crack-pot or simply brain-dead?
> >
> > It's a hack, but I see reason why it wouldn't work.
> >
> > You think this is a hack? You should read the Project Liberty or M$ Passport specs :-)
>
> I'd rather read War and Peace in Russian (not a tongue I am familiar with) rather than reading M$ Passport specs!

The sad thing is, that I might end up having to read that Passport rubbish if MS get their way and dominate the corporate Internet services marketplace.

Somehow, I don't think they will. When I speak to anyone about MS future plans, people start asking me when I can start migration to Linux ;-) Some of those points:

- New windows version will not be backwards compatible
- New Office may not be backwards compatible
- Filesystems will not be backwards compatible
- Digital Rights Management and all that

Cheers,
-- 
[-Partly Cloudy in Rabat, 18°C/64°F. Wind: NNW strength 7. Humidity: 88%-]
Men never do evil so completely and cheerfully as when they do it from religious conviction. -- Blaise Pascal
[Linux user 170823|XML Weather:www.interceptvector.com|.sig:vim/mutt/perl]
Re: RADIUS +
21-Feb-03 at 08:46, Chris Parker ([EMAIL PROTECTED]) wrote :
> At 06:20 PM 2/20/2003 -0600, [EMAIL PROTECTED] wrote:
> > Hi
> >
> > I was wondering how to write some applications which can interact with my RADIUS server. I envision that this application will determine the policy for the RADIUS to authenticate/reject a user. I have freeradius 0.7 with userbase in LDAP. Is it possible? if yes where in RADIUS will my application has to interact? and which language is best for this?
>
> The FreeRADIUS server is written in C. What specifically are you trying to do. It's not clear how/what you need to interact with your RADIUS server. More information on what you are attempting is needed before we can make any suggestions.

If you want your application to authenticate against Radius, then you just need it to respect the radius client specification in the RFCs, or find a radius client and borrow from it. e.g. you will open a socket to the radius server, send it a correctly formatted packet, wait for a response, and parse that response in your application.

-- 
[--Partly Cloudy in Rabat, 18°C/64°F. Wind: SW strength 7. Humidity: 64%-]
Man will never be free until the last king is strangled with the entrails of the last priest. -- Diderot
[Linux user 170823|XML Weather-www.interceptvector.com|.sig-vim/mutt/perl]
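As an added example (not from the list or from FreeRADIUS's own code), here is the client side of that exchange in Python: it builds an Access-Request per RFC 2865, hides the User-Password with the shared secret as the RFC prescribes, and checks the Response Authenticator on the reply before trusting a single attribute in it. The shared secret, user name and addresses are made-up values, and the reply is constructed locally so the script runs with no server.

```python
"""Minimal RADIUS Access-Request client pieces (RFC 2865), added example."""
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a PAP password as in RFC 2865 section 5.2: NUL-pad to a multiple
    of 16 octets, then XOR each block with MD5(secret + previous block), the
    first block being keyed by the Request Authenticator.  This is keyed
    obfuscation, not encryption: anyone holding the secret and the packet
    recovers the password, so the secret must be strong and per-client."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does before checking the password)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip the padding NULs


def attribute(attr_type: int, value: bytes) -> bytes:
    """One TLV attribute: Type(1) Length(1, counts the 2 header octets) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_ip, nas_port,
                         authenticator=None):
    """Return (packet, request_authenticator).  The authenticator is 16 random
    octets unless one is supplied (only done for reproducible tests)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(data: bytes):
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_response(reply: bytes, request_authenticator: bytes, secret: bytes):
    """Check the Response Authenticator, MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
    before anything in the reply is trusted.  A failure means a spoofed reply, a
    reply to some other request, or a wrong shared secret."""
    if len(reply) < 20:
        raise ValueError("reply shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        raise ValueError("bad RADIUS length field")
    body = reply[20:length]
    expected = hashlib.md5(reply[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code, identifier, parse_attributes(body)


def response_is_authentic(reply, request_authenticator, secret) -> bool:
    try:
        verify_response(reply, request_authenticator, secret)
        return True
    except ValueError:
        return False


def build_response(code, request, secret, attrs=b""):
    """Constructed server side, so the example runs without a RADIUS server."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


if __name__ == "__main__":
    secret = b"testing123"  # made-up shared secret
    pkt, ra = build_access_request(219, secret, "vasili", "xxx", "127.0.0.1", 0)
    # Real use: sock.sendto(pkt, (server, 1812)); reply, _ = sock.recvfrom(4096)
    reply = build_response(ACCESS_ACCEPT, pkt, secret, attribute(SERVICE_TYPE, b"\x00\x00\x00\x02"))
    print(verify_response(reply, ra, secret))
```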
Re: New RedBack Attributes.
21-Feb-03 at 08:49, Chris Parker ([EMAIL PROTECTED]) wrote :
> At 01:06 AM 2/21/2003 +, Miquel van Smoorenburg wrote:
> > In article 1045770571.29271.28.camel@lxmt, Eduardo Roldan [EMAIL PROTECTED] wrote:
> > > Some FR developer can include these new redback attributes as described in the 'AOS Configuration Guide Release 5.0'?
> > >
> > > ATTRIBUTE    Acct_Dyn_Ac_Ent      141     string   Redback
> > > ATTRIBUTE    Session_Error_Code   142     integer  Redback
> > > ATTRIBUTE    Session_Error_Msg    143     string   Redback
> >
> > The redback dictionary should be cleaned up since the latest (PDF) docs from redback don't use _ anymore but the standard -, that is the attribute is not spelled Session_Error_Code but rather as Session-Error-Code
>
> Gotta love changing horses mid-stream.

Clients do it all the time. This is just vendor revenge :)

-- 
[--Partly Cloudy in Rabat, 18°C/64°F. Wind: SW strength 7. Humidity: 64%-]
It's amazing how some people can put their foot in their mouth with their head so far up their ass.
[Linux user 170823|XML Weather-www.interceptvector.com|.sig-vim/mutt/perl]
Re: Startup Trouble in Red Hat 7.3
19-Feb-03 at 17:24, Glenn Goodspeed ([EMAIL PROTECTED]) wrote :
> I've got freeradius working fine in debug mode (radiusd -X) on a Red Hat 7.3 box. But when I try to start it in daemon mode (radiusd), it says it's reading the config file, but it doesn't start. I can make it start by changing radiusd.conf so that User=root instead of User=nobody, but I gather you're not supposed to do that. Any idea how I can make radiusd start without root permissions? Thanks. -Glenn.

Does the user nobody have permission to read the files you need it to read? Look at ls -l of /usr/local/etc/raddb and things like that.

-- 
[Partly Cloudy in Rabat, 8.89 Celsius. Wind: WSW strength 9. Humidity: 87%]
Not only does Jesus save, but he makes nightly off-site backups.
[Linux user #170823. Get XML Weather from www.interceptvector.com]
Re: Fw: WAR AGAINST IRAQ [HOAX]
20-Feb-03 at 10:40, Malakhov Alexander ([EMAIL PROTECTED]) wrote :
> AS Friends, Takes a minute, lasts a lifetime... US Congress has authorized the President of the US to go to war against Iraq. Please consider this an urgent request. A UN Petition for Peace. A Stand for Peace. Islam is not the Enemy. War is NOT the Answer.

This is a HOAX. Go read www.counterpunch.org or something if you're against the war. Far more useful than forwarding an email petition that is not ratifiable.

-- 
The United States, as the world knows, will never start a war. -- JFK, American University, June 10, 1963
[Linux user #170823. Get XML Weather from www.interceptvector.com]
Re: freetds
18-Feb-03 at 22:38, Brian Johnson ([EMAIL PROTECTED]) wrote :
> Is anyone using freeradius on a redhat linux server (7.1) with a mssql server database (freetds)?

Yes, there are some people doing this (not me though). Just yesterday someone was having problems with it, but they had a half working setup. I think it should be possible to do.

> I have a current userbase in a mssql db and want to find a way to use freeradius with the current db as an interim solution. I have compiled and installed freetds, but when I configure it I get these errors in the radius.log file when running the server:

I don't know what freetds is though... :(

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
I have discovered a truly marvellous proof of this, which this margin is too narrow to contain.
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
Re: Realm Question
18-Feb-03 at 19:01, Darren Nay ([EMAIL PROTECTED]) wrote :
> Hey all,
>
> Just a quick question. I have a problem and I'm not exactly sure on the solution. We have a customer who uses a realm prefix realm/username. However, one of our network providers is unable to support this prefix. What I am wondering is if it's possible to have the realm loaded as the usual user@realm format and then somehow re-write the auth request on our proxy to realm/user for the radius to authenticate. Can this be done on FreeRadius? If anyone has any ideas I would very much appreciate some input. Thanks!!

Freeradius supports multiple realm delimiters. There is some experimental support for rewriting arbitrary packets (so you could replace realm delimiters). I reckon you could do this, but I don't need that functionality and cannot test it, so you're kinda on your own... :(

Freeradius is very flexible, but its main bug is a little like it says on the cdrecord manpage:

        BUGS
               Cdrecord has even more options than ls.

Freeradius has a LOT of options. It seems some people cannot read beyond about three switches or two 80x25 screenfuls of docs. YMMV ;-)

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Madness is rare in individuals - but in groups, parties, nations, and ages it is the rule. --Friedrich Nietzsche
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
Re: How to change personal password
19-Feb-03 at 16:35, Donnay Wong ([EMAIL PROTECTED]) wrote :
> Hi guys,
>
> I've got my freeradius running for my clients...is there any php or asp script available for the end-user to change their own password through the web page?

Well that rather depends on where the password is stored. Chances are, this has little to do with FreeRadius directly.

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Note to experienced users: Please don't encourage anti-support behavior. Don't try to answer questions from users who don't provide the necessary information. Guessing what they did is an incredible waste of time. (DJB)
Re: Exec program
19-Feb-03 at 11:59, lakris ([EMAIL PROTECTED]) wrote :
> I have found
>
>         DEFAULT Auth-Type := Accept
>                 Exec-Program = /path/to/program.sh
>
> As I understand, I can write program, which will authorize users. Am I right? If yes then where I can get information about how program parameters and how it can send it to radius?

I think you just get it to write to STDOUT. It will receive information from STDIN.

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
If you want to know what God thinks about money, just look at the people He gives it to. -- Old Irish Saying
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
Re: Need help!
19-Feb-03 at 12:54, lakris ([EMAIL PROTECTED]) wrote :
> 1) Operational Scheme:
>    [Cisco AS5300 voip] - [freeradius] - [postgresql]
>
> 2) What I need:
>    a) cisco AS5300 gets incoming call
>    b) AS 5300 sends to freeradius information about this call
>    c) freeradius queries postgre for call's price cost
>    d) freeradius receives price cost from postgre
>    e) radius sends price cost to cisco
>
> In other words, I need a way to be able to query and get some info from a foreign database. As CISCO say, TCL application (AS5300) can operate with outer world only via radius protocol (correct me if I am wrong).

Does the Cisco support pricing in attributes? This is far more NAS specific than it is Radius specific. This is better:

- Cisco gets incoming call
- Cisco sends Radius attributes to Freeradius server
- Based on these attributes, Freeradius queries PostgreSQL
- Freeradius sends query result back to Cisco as Radius response

That's how it works. Now you have to work out what attributes trigger what responses, etc.

Regards,
-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Warsaw's Fourth Law: The Law of Pinball Machine Instructions. It doesn't matter a wit if the instructions are printed clearly for all to see, nobody will read them. They'll just drop their quarters and start pushing buttons like a Tommy. Software is the same. -- B. Warsaw
Re: freetds
19-Feb-03 at 08:27, Alan DeKok ([EMAIL PROTECTED]) wrote :
> Peter Eisch [EMAIL PROTECTED] wrote:
> > I personally like Alan's frank and blunt responses.
>
> Most often, that's all I have time for.

Much of what looks like rudeness in hacker circles is not intended to give offence. Rather, it's the product of the direct, cut-through-the-bullshit communications style that is natural to people who are more concerned about solving problems than making others feel warm and fuzzy. [Eric S Raymond, original URL now redirecting to random GNU/Linux URLs]

However, there is a fine line to walk between cut-through-the-bullshit and genuine rudeness. Keeping personal pronouns out of responses might be a good start.

-Simon
-- 
[Mostly Cloudy in Rabat, 15 Celsius. Wind: WSW strength 18. Humidity: 88%]
I tried to work cleanly, betting on quality of service and speed of response. Now I work the Moroccan way, with bribes. The worst of it is that it works. -- Bernard Buisson Crouzet
Re: freetds
19-Feb-03 at 13:51, Brian Johnson ([EMAIL PROTECTED]) wrote :
> Well since you just can't stop ...I will. Alan is the man and I am a retard. It is done.
>
> Who's the more foolish, the fool, or the fool who follows him? -- Obi Wan Kenobi

You're spiralling down the wrong way. Alan takes a lot of shit and actually has a lot of patience. Chill out, grab a beer, and come back tomorrow and you'll be up and running in no time.

I don't take things personally, because I don't have the time. I just need my systems to work. Alan can be abrasive, but he wrote a good part of a fine radius server, and he gives up his time to support it. If you can't live with his attitude, fine. But you can get worse on paid tech support lines, I know, I've been there...

-- 
[Mostly Cloudy in Rabat, 15 Celsius. Wind: WSW strength 18. Humidity: 88%]
It's amazing how some people can put their foot in their mouth with their head so far up their ass.
[Linux user #170823. Weather from www.interceptvector.com.]
Re: freetds
19-Feb-03 at 14:03, Brian Johnson ([EMAIL PROTECTED]) wrote :
> You are right. Sorry for the distraction folks.

In a lot of ways you are right. But so is Alan, he has a point. I hope you have had that beer by now. I have :)

-- 
[Mostly Cloudy in Rabat, 12.22 Celsius. Wind: WSW strength 14. Humidity: 94%]
If you don't like what is going on in Palestine, or are curious, look: http://www.inminds.com/boycott-israel.html
I am not anti-jewish. I am against the Israeli régime headed by Sharon.
Re: Counters question [OT]
11-Feb-03 at 13:48, Keith Ballard ([EMAIL PROTECTED]) wrote :
> Would love to, but I'm very new to Linux, and would be unable to do this (Visual Basic doesn't run too well under Linux ;-)). What I need is a ready made utility if such a thing exists. I would have thought a gdbm utility to display/manipulate data files would have been fairly standard??

If you know VB, try Python or Ruby under Linux. If you know Javascript, you'll get along with PHP too, but it's not a tool for sysadmin. PERL isn't too bad either, steep learning curve for a couple days, then it's usually OK after that.

I think there are utilities for viewing GDBMs, can't remember any names though.

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Microsoft isn't the answer. Microsoft is the question, and the answer is no.
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
Re: Sendmail and freeradius
09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> Has any successfully used freeradius (or any radius) to authenticate user for sendmail while maintaining all the /.forward functions? Is there a pam module one could use on the mail server that would talk to the radius server on another server?

You can get PAM to authenticate via Radius. Why do you want radius to authenticate for sendmail? Sounds a bit convoluted to me. What problem are you actually trying to solve here?

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
It is impossible to sharpen a pencil with a blunt axe. It is equally vain to try to do it with ten blunt axes instead. -- E. W. Dijkstra
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
Re: Sendmail and freeradius
10-Feb-03 at 12:17, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
> Simon White wrote:
> > 09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> > > Has any successfully used freeradius (or any radius) to authenticate user for sendmail while maintaining all the /.forward functions? Is there a pam module one could use on the mail server that would talk to the radius server on another server?
> >
> > You can get PAM to authenticate via Radius. Why do you want radius to authenticate for sendmail? Sounds a bit convoluted to me. What problem are you actually trying to solve here?
>
> if i am not mistaken it's impossible to do this. :( you can authorize users but radius can't send user home dir :(

That's what LDAP is for, radius is really for NASes to authenticate dialup users / wireless users. Radius can read from LDAP for username/password attributes if you want a central authentication database...

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
It's amazing how some people can put their foot in their mouth with their head so far up their ass.
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
Re: Sendmail and freeradius
10-Feb-03 at 13:40, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
> Simon White wrote:
> > 09-Feb-03 at 20:24, Robert Canary ([EMAIL PROTECTED]) wrote :
> > > Has any successfully used freeradius (or any radius) to authenticate user for sendmail while maintaining all the /.forward functions? Is there a pam module one could use on the mail server that would talk to the radius server on another server?
> >
> > You can get PAM to authenticate via Radius. Why do you want radius to authenticate for sendmail? Sounds a bit convoluted to me. What problem are you actually trying to solve here?
>
> we talk about using .forward in users dir %)

Well radius isn't going to help you there. Radius has nothing to do with that. Try asking a mailing list for your MTA...

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
Men never do evil so completely and cheerfully as when they do it from religious conviction. -- Blaise Pascal
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
Re: I did Bizarre stuff with my pussy
06-Feb-03 at 19:35, John A. Hengstler ([EMAIL PROTECTED]) wrote :
> The spam has found the list

Spam with a Taco... lol

My vote is for the spam filter to get rid of all caps posts and/or all HTML posts.

Regards,
-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: problem in installing FreeRadius
07-Feb-03 at 16:40, angie ng ([EMAIL PROTECTED]) wrote :
> Dear All,
>
> I faced problem when installing FreeRadius. When I change to the root directory and type make install, the following error message appears: No rule to make target install. Could you please help?

I think you're in the wrong directory. You need to change to the directory which is the root relative to where you untarred freeradius. So if you have freeradius in /usr/local/src/freeradius-0.8.1 then that's the directory you type make install in.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: Testing Client (emulator) for RADIUS server
On Fri, Feb 07, 2003 at 05:11:51PM +0500, Zahara wrote:
> Hi All,
>
> Can anybody refer me to a RADIUS client emulator that I may use with my RADIUS server for testing purposes? I am using the Steel-Belted RADIUS/Service provider edition at my machine. I need a RADIUS client emulator to test my accounting scripts and settings as well as generate data for my billing application.

radclient included with freeradius.

-- 
Simon
Re: RADIUS response from incorrect interface
07-Feb-03 at 16:00, Paul Jenner ([EMAIL PROTECTED]) wrote :
> Hi. I am seeing an issue with freeradius 0.8.1 on Red Hat 8.0 where RADIUS responses are coming out of a different virtual interface to the interface they are made to. I couldn't see anything in the doc so hopefully someone on this list can help.
>
> * it is configured with bind_address = * to listen on both interfaces

Do you need it to listen on both interfaces? What does your routing table look like? Is the NAS on the same subnet too?

-- 
[Simon White. vim/mutt. [EMAIL PROTECTED] Folding@home no log script yet...]
 /\  ASCII Ribbon Campaign
 \ / Respect for open standards
  X  No HTML/RTF in email
 / \ No M$ Word docs in email
Re: freeradius not reading Auth-Type from MySQL
05-Feb-03 at 17:59, Robert Canary ([EMAIL PROTECTED]) wrote :
> Then there is a gross error in half of the documentation. Even the O'Reilly Radius book is showing it in the regroupreply, as well as the infamous www.frontios.com/freeradius.html. But then again half of the docs are spelling Jacobs*o*n, instead Jacobs*e*n.. What you're saying makes perfect sense, of course. You suggest it be put in the radcheck, or the radgroupcheck?

Funny... it's in radgroupreply in my SQL table (and only there) and it works here. So it must be luck that it works because

        # The default Auth-Type is Local. That is, whatever is not included
        # inside an authtype section will be called only if Auth-Type is set to
        # Local

(from radiusd.conf)

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: freeradius not reading Auth-Type from MySQL
On Wed, Feb 05, 2003 at 05:59:41PM -0600, Robert Canary wrote:
> Then there is a gross error in half of the documentation. Even the O'Reilly Radius book is showing it in the radgroupreply, as well as the infamous www.frontios.com/freeradius.html. But then again half of the docs are spelling Jacobs*o*n, instead of Jacobs*e*n.. What you're saying makes perfect sense, of course. You suggest it be put in the radcheck, or the radgroupcheck?

Either should work equally well; depending on how you order things, putting it in radgroupcheck might help cut down on duplicate entries.

-- 
Simon
Re: freeradius not reading Auth-Type from MySQL
On Thu, Feb 06, 2003 at 10:53:13AM -, Scott Bartlett wrote:
> [...]
> Someone pls correct me if I'm wrong, but otherwise then if I'm guessing right then it seems that people *only* using MySQL can basically not worry about having auth-types set (at least until FR enforces checking one!).

If you want something other than 'local' authentication you need to set the auth-type. From src/main/files.c:

    /*
     * Fixup a check line.
     * If User-Password or Crypt-Password is set, but there is no
     * Auth-Type, add one (kludge!).
     */
    static void auth_type_fixup(VALUE_PAIR **check)
    {
    [...]
            if (vp->attribute == PW_PASSWORD) {
                    c = vp;
                    n = PW_AUTHTYPE_LOCAL;
            }
            if (vp->attribute == PW_CRYPT_PASSWORD) {
                    c = vp;
                    n = PW_AUTHTYPE_CRYPT;
            }
    [...]

As the 'kludge' comment shows, not setting an auth-type is rather ugly.

> I'm sure if you're doing more complex stuff you'll need to set it appropriately... but I'm not, so I can't be sure... Based on the feedback to this thread, I should probably adjust that web page to indicate that the auth-type should go in rad(group)check and not rad(group)reply, yes? (and I'm off to re-re-read the docs again... Heh...)

Yes, probably.

Wouldn't it in fact in the long run be better to remove the 'local' auth-type completely and force usage of PAP or CHAP instead? The PAP and CHAP modules do everything and more that 'local' does, while keeping the code in modules and not in the server core. I could be missing something important done by 'local' though, I haven't really looked that hard.

-- 
Simon
Re: FreeRADIUS quit of its own accord
On Thu, Feb 06, 2003 at 09:32:11AM -0500, Adam Moffett wrote:
> This morning about 20 minutes ago, FreeRADIUS just sort of quit on its own. All the log said was this:
>
> Thu Feb 6 09:02:44 2003: Error: MASTER: exit on signal (11)
>
> This is version 0.7.1 by the way. And all it's doing is acting as a proxy for another RADIUS server. This is actually the first problem I've had since I set the thing up. Anyone know where I should go with this?

While not solving the actual problem, you could monitor radiusd with something like djb's supervise. That would at least get things going again automatically if something like this happens. See 'doc/supervise-radiusd.txt'.

-- 
Simon
Re: Handling duplicate users across many servers.
On Thu, Feb 06, 2003 at 08:27:07AM -0500, Alan DeKok wrote:
> Justin Wheeler [EMAIL PROTECTED] wrote:
> > All of the NASes report their accounting packets to the same freeradius server. As such, 3 of the 4 locations do not have radwtmp files, since they don't receive any accounting packets. I want to be able to handle duplicate users, but radwtmp won't prove anything on those 3 systems, since it's empty. Anyone have any ideas?
>
> radrelay should do the trick. I'm not sure that you can give it 2-3 destination servers, but you should be able to relay 1-2, 2-3, 3-4

radrelay can only replicate to one destination server. You could output the logs to 3 separate 'combined detail files' and run three instances of radrelay on the primary accounting server though. That might be easier.

-- 
Simon
Re: Handling duplicate users across many servers.
On Thu, Feb 06, 2003 at 01:47:55PM -0500, Justin Wheeler wrote:
> OK, stupid question then. What's radrelay?

See:

    doc/radrelay
    man 8 radrelay
    freeradius-base-dir/bin/radrelay

The docs are slightly out of date, but you shouldn't have any problems getting it running.

-- 
Simon
Re: Script to change password in mysql
05-Feb-03 at 15:12, Daniel Dias Gonçalves ([EMAIL PROTECTED]) wrote :
> You did not understand. I asked if a ready-made solution already existed; if there is none, no problem, I will write the script myself. But it is necessary to save time...

In that case, try this for a quick solution:

    PHPMyAdmin
    http://www.phpwizard.net/projects/phpMyAdmin/

You can set it up so only some users can use it and you can restrict their privileges. For a public access "Change your dialup password online" tool it is inadequate. That, you will want to develop yourself to keep it as minimalistic as possible.

-- 
Simon White
Re: No Authentication
04-Feb-03 at 01:19, Robert Canary ([EMAIL PROTECTED]) wrote :
> modcall[authorize]: module sql returns ok

The SQL part is working.

> users: Matched DEFAULT at 152
> modcall[authorize]: module files returns ok
> modcall: group authorize returns ok

Files is also ready to authenticate after authorization.

> rad_check_password: Found Auth-Type System
> auth: type System

Now, the auth type is System. Aha! That means it won't authenticate against SQL but the /etc/passwd or /etc/shadow file...

> modcall: entering group authenticate
> modcall[authenticate]: module unix returns notfound

There is no user in the system files.

> modcall: group authenticate returns notfound
> auth: Failed to validate the user.

Read what it is telling you... You need Auth-Type Local returned by your SQL DB.

-- 
Simon White
Re: No Authentication
04-Feb-03 at 18:32, Pavel S. Shirshov ([EMAIL PROTECTED]) wrote :
> Tuesday, February 4, 2003, 1:44:21 PM, you wrote:
> SW> 04-Feb-03 at 01:19, Robert Canary ([EMAIL PROTECTED]) wrote :
> >> modcall[authorize]: module sql returns ok
> SW> The SQL part is working
> >> users: Matched DEFAULT at 152
> >> modcall[authorize]: module files returns ok
> >> modcall: group authorize returns ok
> SW> Files is also ready to authenticate after authorization
> >> rad_check_password: Found Auth-Type System
> >> auth: type System
> SW> Now, the auth type is System. Aha! That means it won't authenticate
> SW> against SQL but the /etc/passwd or /etc/shadow file...
> >> modcall: entering group authenticate
> >> modcall[authenticate]: module unix returns notfound
> SW> There is no user in the system files
> >> modcall: group authenticate returns notfound
> >> auth: Failed to validate the user.
> SW> Read what it is telling you...
> SW> You need Auth-Type Local returned by your SQL DB.
>
> Maybe put this question in the FAQ?

It's in www.frontios.com/freeradius.html. It's not particularly clear in the docs, but it is there somewhere, otherwise I wouldn't have come to that conclusion. It seems a lot of people are using MySQL as their DB backend; if I had the time I'd write something up, but for the next couple of months I'm pretty stretched.

-- 
Simon White
Re: cisco command accounting
04-Feb-03 at 11:37, Frank Cusack ([EMAIL PROTECTED]) wrote :
> On Tue, Feb 04, 2003 at 05:31:37AM +0300, Peter V. Saveliev wrote:
> > RT001-005 uses radius for all aaa: author., authent. and acc.
>
> No it doesn't. No version of IOS supports RADIUS accounting. Please bring this up with your Cisco sales rep. (It would be really easy for them to support this.)

I have been banging around with a Cisco 3640 with a PRI card on it, trying to work out why I don't get accounting data from it. Are there any workarounds?

-- 
Simon White
Re: cisco command accounting
04-Feb-03 at 15:15, Mike Ockenga ([EMAIL PROTECTED]) wrote :
> > I have been banging around with a Cisco 3640 with a PRI card on it, trying to work out why I don't get accounting data from it. Are there any workarounds?
>
> Not right now. That functionality isn't broken in IOS; I think it's missing completely at this point. As was suggested, bug your Cisco Rep--a lot.

Ahem... in Morocco... Cisco reps... know less than I do about IOS. I was wondering more along the lines of TACACS being reverse engineered in some obscure Sourceforge project or running a TACACS server, or something. I *do* have a good contact in Cisco in the UK and the US, I will check with them.

-- 
Simon White
Re: cisco command accounting
04-Feb-03 at 15:15, Mike Ockenga ([EMAIL PROTECTED]) wrote :
> > I have been banging around with a Cisco 3640 with a PRI card on it, trying to work out why I don't get accounting data from it. Are there any workarounds?
>
> Not right now. That functionality isn't broken in IOS; I think it's missing completely at this point. As was suggested, bug your Cisco Rep--a lot.

I have contacted a guy I know at Cisco. I will keep you informed.

Regards,

-- 
Simon White
Re: FW: Load balancing over two freeRADIUS Server
Chesi Maurizio wrote:
> We have been asked to put a load balancer to distribute the load between two radius servers. The architecture will encompass a hardware load balancer in front of 2 freeRADIUS servers. We are wondering if this may cause a problem, given the possibility that, for example, an access-request may be managed by one server and, in case of challenge, the access-request containing the response to the challenge may be managed by the other radius server.

Set up two separate servers. To load balance, set respective NASes to have a different primary/secondary pair. Then, you need to share the data between both servers. Do this either by:

- using a DB backend like MySQL which is installed on both FreeRadius servers, and replicates to the other one, or one single, solid MySQL server to which both connect (clearly here the point of failure will be the DB server)
- creating scripts to mirror a users file or other user data between both Radius servers

Something along these lines.

-- 
Simon White
Re: Monthly usage limits -slowly but surely
01-Feb-03 at 12:18, Artur Hecker ([EMAIL PROTECTED]) wrote :
> > Your point about commercial support is bang-on, though. The main reason I use free software is not because it's so much better than commercial software, and not because it's free. I use it because I can fix it when something goes wrong. When commercial software goes wrong, your only option is often to toss it, and install an open-source equivalent which isn't broken in quite the same way.
>
> since i don't quite understand the meaning of bang-on (*) i wanted to point out that what you say corresponds exactly to what i said. with open-source you always know what is wrong, at least theoretically (and thus can fix it, once again, at least if you have the time and knowledge). i completely agree that costs and quality are not the main arguments (and i never named those), especially because talking about something like a radius server the decision is almost always carried out by people who will hardly take the dollars out of their own pockets.
>
> (*) sounds like bullshit to me :-)

Wrong interpretation, diametrically opposed in fact... bang-on = dead right = 100% correct ~= tout à fait correct = pile sur la cible (?) ;-)

-- 
Simon White
Re: MAC Auth. for Orinoco AP-1000 not working (log attached)
30-Jan-03 at 14:20, Shahid M. Bhatti ([EMAIL PROTECTED]) wrote :
> Hi, I'm trying to authenticate a Wireless Access Point of Orinoco/Lucent/Avaya/Agere/Proxim with the FreeRADIUS server. I've made the user as the AP's MAC address in the /etc/raddb/users file and conf file, but when I start the radius server in debug mode I get the following messages, which I have attached below. Please have a look at it and help me in figuring out what I should do? Thanks a bunch.

Reading the documentation is easy, understanding it perhaps less so, but I have managed to make the following interpretation. I think I'm right here.

> users: Matched DEFAULT at 162
> modcall[authorize]: module files returns ok
> modcall: group authorize returns ok

Authorize is from files,

> rad_check_password: Found Auth-Type System
> auth: type System
> modcall: entering group authenticate
> modcall[authenticate]: module unix returns notfound
> modcall: group authenticate returns notfound
> auth: Failed to validate the user.

And the module unix (the only one configured) returns notfound. Auth-Type System means to authenticate against /etc/passwd, /etc/shadow or similar. From the users file:

    # You don't need to specify a password if you set Auth-Type +=
    # System on the list of authentication requirements. The RADIUS
    # server will then check the system password file.

Somewhere, you need to be setting Auth-Type Local, in the user's attributes.

Regards,

-- 
Simon White
Re: Monthly usage limits -slowly but surely
31-Jan-03 at 16:04, Roger ([EMAIL PROTECTED]) wrote :
> I have done this. If I resolve to rummage through the docs at least give me the luxury of having good clear docs to rummage around in. That's the crux of my beef here. If I were to write an "AI Alan DeKok" engine, it might say "if you could do better, write some docs yourself".

He has a point though. There are few people on this list who can offer comprehensive help, and if you have an interesting problem or bug, Alan systematically responds. That's pretty good as far as I'm concerned. Technical writing is hard, especially with the wide range of uses people all want to put Radius to. Sometimes, they'd be better using LDAP for authentication directly with PAM. Sometimes, they would be better at least following one dictum of the docs which is clear enough: set up with the defaults, tweak one thing at a time, and progressively get cleverer. Now if I had time I'd write all sorts of docs, but right now I don't. One problem I have had is negative reactions to some doc suggestions I've made on some lists... let's not discourage each other, but let's also be as pragmatic as possible.

-- 
Simon White
Re: Logging Question
29-Jan-03 at 17:42, Brandon Lehmann ([EMAIL PROTECTED]) wrote :
> I'm sorry I got my log files mixed up. Either way I want the information from the server (radius.log) to log to sql. I may just have to fire a cronjob to parse it and toss it into the sql dbase but that's the complex way out.
>
> > The detail.log has the accounting data that is going to the SQL server already.
> > Why reply off list?
>
> - I am subscribed to too many mailing lists and it's hard to tell if someone responds to my posts. However I didn't know if someone else might one day have the same question as I and they could then go through the archive and find it.

Get a mail client not made by Microsoft: you run (X-Mailer: Internet Mail Service (5.5.2653.19)). Then, you can sort mailing lists into separate folders with regexps, order by thread, and easily watch your thread to see when replies come in.

-- 
Simon White
Re: CHAP + Linux Accounts
29-Jan-03 at 18:35, Ryan Beisner ([EMAIL PROTECTED]) wrote :
> My problem is: when a Win9x machine dials and auths, it uses CHAP. While I'm tailing the log file, it points out that it isn't gonna work, and to read the FAQ. OK.

Win9x can authenticate via PAP.

-- 
Simon White
Re: DSL Accounting?
29-Jan-03 at 09:47, Dave Seddon ([EMAIL PROTECTED]) wrote :
> Greetings, Yeah IP accounting is how I do it now. I use a FreeBSD bridge box, so nobody can even see it. Works well, however it makes billing on-net traffic difficult if you aren't billing the PPP sessions.

What do you mean by on-net traffic? What's the extra info you get from the PPP sessions?

-- 
Simon White
Re: QOS question.
28-Jan-03 at 18:04, Sean Smith ([EMAIL PROTECTED]) wrote :
> Is it possible to set QOS per user or per group in Freeradius? QOS meaning bandwidth and/or priority of bandwidth resources. Example would be setting a residential DSL customer at a limit of 256K and setting a business customer at a limit of 1MB. On top of that, if a residential

QoS would of course be dependent on your access server, since FreeRadius will just do the authentication and accounting for you. However, FreeRadius can give you just about anything you want back to your NAS within reason, and can do per user / per group / per domain (@domain.com) stuff.

-- 
Simon White
Re: mysql radcheck field syntax
28-Jan-03 at 19:18, Doug Yeager ([EMAIL PROTECTED]) wrote :
> This is an easy one: I want to add a user to mysql. Can someone tell me the right values for the attribute and op field? I'm just trying to test to see if I can get something simple working. Is this right:
>
> Insert into radcheck (username,attribute,value,op) values ('doug','User-Password','testpass','==');

This works best for me:

    username, attribute, value, op : 'simon', 'Crypt-Password', 'GkTfS3XVFwvDR', null

Regards,

-- 
Simon White
Re: radiusclient
29-Jan-03 at 10:31, yacine rebahi ([EMAIL PROTECTED]) wrote :
> Hello, Can anyone tell me how to configure the radiusclient in order to interwork with the freeradius server?

Asking twice will not get you faster responses. I personally do not understand your need. To me, it doesn't make sense.

Regards,

-- 
Simon White
Re: Sockets disconnected from DB. How to reconnect?
29-Jan-03 at 12:23, Yurguen Castillo ([EMAIL PROTECTED]) wrote :
> Using Freeradius 0.8.1 and validating users using the Sybase driver works fine for us; but if for some reason we lose the connection to the DB, or the DB server is restarted, we can't continue validating using the DB until radiusd is restarted and new sockets are opened again. Is there any way to make a new connection to the DB (open new sockets) in case the DB is restarted? Or check the connection before connecting to the DB and open new sockets in case we need them?

Two thoughts:

You're going to need a watcher script I think. If radius logs that it lost connection with the db somewhere (I'm sure it does, just don't have time to check) then you can sniff this out with something like Perl's File::Tail and then cause it to restart / HUP the radius server.

- or -

Just maybe, there is an argument for some fallback code in the freeradius source, but somewhere in the back of my mind configurable failover is your best bet anyway. If the downtime on your DB server is predictable, you don't have a problem anyway. If not, get Radius to failover to somewhere else. Instead of me re-reading configurable failover docs, have a look yourself and come back to the list with questions.

-- 
Simon White
Re: Sockets disconnected from DB. How to reconnect?
29-Jan-03 at 05:27, Alan DeKok ([EMAIL PROTECTED]) wrote :
> Simon White [EMAIL PROTECTED] wrote:
> > Just maybe, there is an argument for some fallback code in the freeradius source,
>
> The rlm_sql module and *some* of its drivers were updated in 0.8 to do re-connects. However, some of the drivers are not actively maintained, and weren't patched.
>
> > but somewhere in the back of my mind configurable failover is your best bet anyway. If the downtime on your DB server is predictable, you don't have a problem anyway. If not, get Radius to failover to somewhere else. Instead of me re-reading configurable failover docs, have a look yourself and come back to the list with questions.
>
> Configurable fail-over won't help here, as the database connections will *never* come back up. Sending a HUP signal to the server may help in the short term.

Configurable failover was just a thought. Like, if it failed over to another DB then what happens when the original DB comes up? Is there a preference? This is a rhetorical question. I just don't have time to go find and read the docs right now.

-- 
Simon White
Re: Overriding entries in radgroupreply table
29-Jan-03 at 11:26, Brad Stockdale ([EMAIL PROTECTED]) wrote :
> Once again, I figured out at least part of the solution myself... I changed the +='s on the radgroupreply Idle-Timeout, and now the radreply value replaces the radgroupreply's value... However, that leaves me with another problem... Part of our users with static IPs are ADSL users, and we use a Cisco box to aggregate them all... Two of the values I have to send back to them are:
>
>     Cisco-AVPair = ip:route=65.173.147.0 255.255.255.0 65.173.147.1
>     Cisco-AVPair = ip:addr-pool=pool1
>
> Since both have the same attribute names, I have to use the += operator, or else freeradius thinks I want to replace one of them with the other... So, there's really no easy way to add these to the radreply table, since the radgroupreply's will always override them..

Have two entries in the radreply table with the same Attributes?

-- 
Simon White
Re: Overriding entries in radgroupreply table
29-Jan-03 at 12:53, Brad Stockdale ([EMAIL PROTECTED]) wrote :
> But the problem is the fact that the radgroupreply entries will override whatever is in the radreply table... I would have to use '+=' in both radreply and radgroupreply to send these attributes... If I use anything other than '+=', then the first Cisco-AVPair will be overwritten by the second Cisco-AVPair... And if I use += in both tables, then I'll have four Cisco-AVPairs... Which will most likely thoroughly confuse my Cisco router... That's my dilemma...

Make a radgroup with exceptions (no attribs) which is returned for these people, and then create in radreply custom attribs on a per user basis?

-- 
Simon White
Re: sequential order of checks
27-Jan-03 at 22:21, Robert Canary ([EMAIL PROTECTED]) wrote :
> I am trying to set up the freeradius mysql. However, I really don't know which tables to populate or even why. I made a dry run with a portslave test port just to see what the radius server might be getting. I see freeradius queries radcheck for the username, then it queries radgroupcheck, and radgroupreply before defaulting to the DEFAULT. Can someone explain to me the line of progression and reasoning behind these queries? If it found a username in radcheck, would it still continue on to the radgroupcheck? What sort of scenario would require one to populate all three tables?

http://www.frontios.com/freeradius.html

Check here and get a test system working if you can, then come back with more questions.

Regards,

-- 
Simon White
Re: [Sort.Of.Off.Topic]portslave and freeradius
27-Jan-03 at 23:13, Robert Canary ([EMAIL PROTECTED]) wrote :
> Anyone able to tell me what attributes should/could be returned to portslave upon a reply to authenticate? I am looking for attributes for setting up the connections. The portslave list is _dead_. Mr. Coker has answered much, but I feel I am going to wear him out :-)

Have you read the dictionary files?

-- 
Simon White
Re: DSL Accounting?
28-Jan-03 at 12:20, Dave Seddon ([EMAIL PROTECTED]) wrote :
> Thanks for your response.
>
> > If your DSL box produces RADIUS accounting packets, then I don't see why this would be necessary.
>
> Most ISP billing packages are designed to bill standard dialup, where there is a start and a stop. DSL ppp sessions stay up for ages, so a session might go for more than a month. Also, billing packages usually show pretty graphs of usage, based on starts and stops. Therefore, it would make billing really easy if for each 'Alive' received, a start and a stop was sent to the Billing system. It would appear as if each DSL customer connected and disconnected every ten minutes. Maybe you have an idea of an easier way?

The way I have heard of is to use Linux traffic shaping on a 2.4.x kernel, where iptables will keep track of how much bandwidth each IP has used as long as you get the rules right. However that's not trivial either if DHCP allocates a different IP each time there is an on/off, but then that can be tracked in liaison with Radius logs. Good luck.

-- 
Simon White
Re: Most Popular method for managing users in FreeRadius
27-Jan-03 at 16:27, Tim Jung ([EMAIL PROTECTED]) wrote :
> Well the issue is that yes you do need everything stored in Rodopi so that total time for the given period is correct. For example say you limit an account to 300 hours per month, and they use 295 hours, then call up for 2 hours, hang up, then 2 minutes later call back. The system should know that they now only have 3 hours left and thus set a session limit of 3 hours. If the data is not being processed real-time then there is no way for the RADIUS server to accurately know what the exact limit of the session should be. Without real-time processing of the RADIUS accounting packets then on the second call it would think it still had 5 hours left rather than only 3 hours left.

In my setup, RODOPI creates a users file from Radius attributes specified on a per-plan basis. This users file is only uploaded to the Radius server when there is a change in password or an update to attributes. It is therefore not Rodopi that holds the actual db for users, but the Radius server.

Session limits are usually used in the context where someone might only be able to stay online x minutes before having to re-authenticate. Now, if you want a prepaid system where the limit is over a long time (and not just one session) then you have to get a bit cleverer. That means that the Radius server has to keep track of a user's session time over a number of sessions, each time decrementing the remaining time based on online time in previous sessions over a given time period. This is the problem I have been faced with and I don't have an easy solution. Rodopi will not update the users file after every Acct-Stop packet on my setup.

This is how I see a possible setup working:
- Rodopi creates users file with a Session Time and Date range?
- Some selfmade daemon watches the Detail file / SQL server accounting details and decrements the Session Time on each Acct-Stop packet
- This goes on until period is up, then the Session Time is reset / expires completely.

You still have the problem that a change of password means that Rodopi now gives back a Session Time which is too high. Rodopi says that with Steel-Belted Radius the solution is already set, however this is a commercial solution and I don't want it. If things have changed in a recent Rodopi version I'd like to know.

By definition, a session is one login/logout.

I'm still looking at this.

Regards,
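The "selfmade daemon" step of the setup sketched above, as an added example (my code, not Rodopi's, FreeRADIUS's or the poster's): it walks a FreeRADIUS detail file, charges each new Acct-Stop against the user's remaining prepaid seconds, and derives the Session-Timeout the next Access-Accept should carry. It replays Tim's scenario (300-hour plan, 295 hours used, then a 2-hour call) and also shows the failure mode a real daemon has to handle: the same Stop written twice (a retransmitted packet) must not be billed twice. The detail records are constructed sample data in the stock detail-file layout (timestamp line, tab-indented "Attr = Value" lines, blank line between records); the in-memory balance dict stands in for whatever database the daemon would really keep.

```python
"""Added example: charge Acct-Stop records from a FreeRADIUS detail file
against prepaid balances and compute the next Session-Timeout.
Not part of the thread or of any product; the detail text below is
constructed sample data and the balance dict is a stand-in for a real store."""
import re
from typing import Dict, Iterator, Set, Tuple

# Constructed sample: Tim's example user after 295 h of a 300 h plan,
# one 2-hour call, and the Stop for that call written twice.
SAMPLE_DETAIL = """\
Mon Jan 27 10:00:00 2003
\tAcct-Status-Type = Start
\tUser-Name = "bob"
\tAcct-Session-Id = "0000A1B2"
\tNAS-IP-Address = 192.0.2.10

Mon Jan 27 12:00:00 2003
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tAcct-Session-Id = "0000A1B2"
\tAcct-Session-Time = 7200
\tAcct-Terminate-Cause = User-Request

Mon Jan 27 12:00:05 2003
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tAcct-Session-Id = "0000A1B2"
\tAcct-Session-Time = 7200
"""

# One indented "Attr = Value" line; string values may be double-quoted.
_PAIR = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_detail(text: str) -> Iterator[Dict[str, str]]:
    """Yield one {attribute: value} dict per record in a detail file."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends a record
            if record:
                yield record
                record = {}
            continue
        m = _PAIR.match(line)
        if m:                           # unindented timestamp lines are skipped
            record[m.group(1)] = m.group(2)
    if record:
        yield record


def apply_stops(remaining: Dict[str, int], text: str,
                seen: Set[str]) -> Dict[str, int]:
    """Decrement remaining seconds for every *new* Acct-Stop record.

    `seen` remembers charged Acct-Session-Id values so a duplicate Stop
    is ignored; balances are clamped at zero rather than going negative.
    """
    for rec in parse_detail(text):
        if rec.get("Acct-Status-Type") != "Stop":
            continue
        user = rec.get("User-Name")
        sid = rec.get("Acct-Session-Id")
        if user is None or user not in remaining or sid is None or sid in seen:
            continue
        seen.add(sid)
        used = int(rec.get("Acct-Session-Time", "0"))
        remaining[user] = max(0, remaining[user] - used)
    return remaining


def session_timeout(remaining: Dict[str, int], user: str):
    """Value for the Session-Timeout reply attribute, or None when the
    balance is exhausted and the login should be refused instead."""
    left = remaining.get(user, 0)
    return left if left > 0 else None


def run_example() -> Tuple[int, object]:
    """300 h plan with 295 h used, then the 2-hour call: 3 h (10800 s) left."""
    balances = {"bob": (300 - 295) * 3600}   # 5 hours before the call
    seen: Set[str] = set()
    apply_stops(balances, SAMPLE_DETAIL, seen)
    return balances["bob"], session_timeout(balances, "bob")


if __name__ == "__main__":
    left, timeout = run_example()
    print(f"bob has {left} s left; next Session-Timeout = {timeout}")
```

A real daemon would tail the detail file (or poll the SQL accounting table) and persist both the balances and the set of charged session ids, so that a restart does not re-bill old Stops; the period reset Simon describes is then just a scheduled job that restores the plan allowance and clears the set.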
Re: Fw: [newbie]
28-Jan-03 at 12:57, Frederic SOSSON ([EMAIL PROTECTED]) wrote :
> Do you mean this http://www.freeradius.org/radiusd/doc/ doc? There is no info on www.frontios.com

Yes there is. www.frontios.com/freeradius.html, that's in the docs.

Otherwise to get the docs on your machine, download the latest tarball. Untar it, and you will have a directory called freeradius-0.8.x (where x is latest revision) and then in there will be a subdirectory docs, in which there will be all the reference you need, really. Specific questions where the docs aren't clear enough can then be reposted on the list.

Cheers
Re: RADIUS technical training
26-Jan-03 at 11:47, Hamad AL-Hajri ([EMAIL PROTECTED]) wrote :
> Hi All, I am working at an ISP that uses livingston RADIUS and we intend to move to freeradius. I am looking for technical training on RADIUS so can anyone provide that kind of training or guide me to an institute that does that. I don't mind traveling to any country which has an institute that holds such training programs.

Let me know your requirements, and if you are willing to travel to Morocco / pay an instructor to travel to you.
Re: accounting performance
27-Jan-03 at 16:23, Giuliano Zorzi ([EMAIL PROTECTED]) wrote :
> Hi, I'm stress-testing my freeradius test server using radclient and the performance-testing doc. Is there a way to test the whole authentication/accounting-start/accounting-stop process ?

radclient can send auth and acct packets, you just need to construct them in separate files (1 for auth, 1 for acct-start, 1 for acct-stop) and then run your tests using 3 command-line args for radclient.
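The three-file procedure in the reply, as an added example (my script, not part of radclient or of the thread): it writes an auth file, an Acct-Start file and an Acct-Stop file in the "Attr = Value" form radclient reads, ties the two accounting packets together with one Acct-Session-Id, and then runs radclient once per file in order, collecting the exit codes. It relies on radclient's `-f <file>` option and its `auth`/`acct` commands; the server address, shared secret, user and NAS values are constructed sample values that you replace with those from your own clients.conf.

```python
"""Added example: drive auth -> Acct-Start -> Acct-Stop through radclient.
Not from the thread and not radclient's own code. Assumes radclient is on
PATH and that "127.0.0.1" / "testing123" (constructed values) match the
test server and its clients.conf entry."""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List

SERVER = "127.0.0.1"       # constructed: the test server
SECRET = "testing123"      # constructed: must match clients.conf


def auth_request(user: str, password: str, nas: str) -> Dict[str, str]:
    """Attributes for the Access-Request file."""
    return {"User-Name": user, "User-Password": password,
            "NAS-IP-Address": nas, "NAS-Port": "0"}


def acct_request(user: str, nas: str, session_id: str, status: str,
                 session_time: int = 0) -> Dict[str, str]:
    """Start and Stop differ only in Acct-Status-Type and the counters;
    the shared Acct-Session-Id is what lets the server pair them."""
    pairs = {"User-Name": user, "NAS-IP-Address": nas,
             "Acct-Session-Id": session_id, "Acct-Status-Type": status}
    if status == "Stop":
        pairs["Acct-Session-Time"] = str(session_time)
        pairs["Acct-Terminate-Cause"] = "User-Request"
    return pairs


def format_pairs(pairs: Dict[str, str]) -> str:
    """Render 'Attr = Value' lines; string-typed attributes are quoted,
    integers, enumerations and addresses are not."""
    quoted = {"User-Name", "User-Password", "Acct-Session-Id"}
    lines = []
    for name, value in pairs.items():
        v = f'"{value}"' if name in quoted else value
        lines.append(f"{name} = {v}")
    return "\n".join(lines) + "\n"


def radclient_argv(kind: str, path) -> List[str]:
    """Command line for one packet file; `kind` is 'auth' or 'acct'."""
    return ["radclient", "-f", str(path), SERVER, kind, SECRET]


def write_sequence(directory: Path, user: str = "bob", password: str = "hello",
                   nas: str = "192.0.2.10", session_id: str = "0000A1B2"
                   ) -> List[List[str]]:
    """Write the three files and return the three radclient commands in order."""
    steps = [
        ("auth", "auth.txt", auth_request(user, password, nas)),
        ("acct", "acct-start.txt", acct_request(user, nas, session_id, "Start")),
        ("acct", "acct-stop.txt", acct_request(user, nas, session_id, "Stop", 120)),
    ]
    argvs = []
    for kind, fname, pairs in steps:
        path = directory / fname
        path.write_text(format_pairs(pairs))
        argvs.append(radclient_argv(kind, path))
    return argvs


def run_sequence(directory: Path) -> List[int]:
    """Send the packets in order; a non-zero code means a reject or no reply."""
    return [subprocess.run(argv, check=False).returncode
            for argv in write_sequence(directory)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        if shutil.which("radclient") is None:
            print("radclient not on PATH; commands that would run:")
            for argv in write_sequence(Path(d)):
                print(" ".join(argv))
        else:
            print(run_sequence(Path(d)))
```

For a load test, loop `run_sequence` with a fresh Acct-Session-Id per iteration (and vary User-Name if you want to exercise the backend) so the server sees distinct sessions rather than the same one replayed; replaying identical packets is exactly what produces the "conflicting packet" drops discussed elsewhere on this list.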
Re: [newbie]
27-Jan-03 at 17:41, Frederic SOSSON ([EMAIL PROTECTED]) wrote :
> Hello, I'm a newbie using FreeRADIUS, and I would like to know the best way to store accounting data.

Depends what you're familiar with. The classic way is to do it with the detail file, which is just a plain text file. Tools exist to analyse that data. Otherwise if you know a bit of MySQL that's a good way too. Look at the options and see what you're most comfortable with. If you're not feeling comfortable with any, then stick with detail, since that's probably the simplest.

HTH
Re: AAA
27-Jan-03 at 17:50, Hamida Mehdi ([EMAIL PROTECTED]) wrote :
> Hi, I'm wondering if I can get FreeRadius to run a script after a successful user authentication. I want to do some manipulation to my iptables when the user logs in.

    Exec-Program        string  program to execute after authentication
    Exec-Program-Wait   string  ditto, but wait for program to finish before
                                sending back auth. reply

from docs/README
Re: FreeRadius some info required
27-Jan-03 at 20:22, rakesh jha ([EMAIL PROTECTED]) wrote :
> Hello, I have two questions:
>
> 1. Does the freeradius server make a log file for users authenticated or rejected? The radius.log file just tells about the radius processes only and that it is ready for serving the requests.

The accounting data is usually in a detail file (at least by default) and in there you can get the authentication info (reject, accept, etc)

> 2. How can I know how many users have already been authenticated (currently). I do not want history.

radwho I believe
Re: Fw: [newbie]
27-Jan-03 at 20:03, Frederic SOSSON ([EMAIL PROTECTED]) wrote :
> Hi (again)
> I'd like to get a howto implement freeradius server (HTML, PDF, ...)
> Thanks to help newbies ;)

I don't know that there is one, but the docs are pretty complete. It's not too hard to get started, and there are a couple of sites mentioned in the docs which aren't exactly HOWTOs but have specific examples for some situations (like MySQL, www.frontios.com if I remember right but it's a page on that site, grep the docs for it)

Regards,
Re: Adding Attributes while proxying
27-Jan-03 at 13:24, Shohab Baig ([EMAIL PROTECTED]) wrote :
> I have Fr 0.8.1 running on redhat 7.3. I tried to get an answer by searching the mailing list but could not get the right answer. I am using my radius server for proxying and local authentication. While proxying, is it possible to add on any rad reply attribute, for instance Ascend-Data-Filter values for a specific realm after authentication. So that if any end customer (remote server) is not implementing filters, we just add it from our end. I tried looking at the attr file but could not achieve the goal.

docs/README:

    The output from Exec-Program-Wait is parsed by the radius server. If it looks like Attribute/Value pairs, they are decoded and added to the reply sent to the NAS. This way, you can for example set Session-Timeout. For backwards compatibility, if the output doesn't look like valid radius A/V pairs, the output is taken as a message and added to the reply sent to the NAS as Port-Message.

That's the second time today. I must be patient today. Read at least the README in the docs directory before asking the list?
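An Exec-Program-Wait script of the kind the README excerpt above (and the "Re: AAA" question earlier on this page) is talking about, as an added example; it is my code, not FreeRADIUS's and not from either thread. It decides reply attributes from the request and prints them on stdout as "Attr = Value" lines, so the server merges them into the Access-Accept; everything else goes to stderr, because any non-A/V text on stdout would come back to the NAS as Port-Message. It covers both asks: a per-realm Session-Timeout, and Ascend-Data-Filter entries added from the server side for a realm whose users may only reach a mail server. Assumptions of mine: the server exports request attributes into the child's environment with the name upper-cased and dashes replaced by underscores (User-Name becomes USER_NAME); the realm table, the mail-server address and the filter strings are constructed sample values, and the filter syntax should be checked against your NAS's documentation.

```python
"""Added example: a post-auth script for Exec-Program-Wait that emits reply
attributes on stdout. Not FreeRADIUS code. Assumes request attributes arrive
as environment variables named like USER_NAME (assumption); the policy table
and filter strings below are constructed sample values."""
import os
import sys
from typing import Dict, List, Tuple

# Constructed sample policy: realm -> (Session-Timeout seconds, filtered?)
REALM_POLICY: Dict[str, Tuple[int, bool]] = {
    "mailonly.example": (3600, True),   # e-mail-only dial-in: 1 h, filtered
    "isp.example": (86400, False),      # ordinary customer: 24 h, no filter
}

# Constructed Ascend-Data-Filter strings (check syntax against your NAS):
# allow TCP 25 and 110 to the assumed mail server 192.0.2.25, drop the rest.
MAIL_ONLY_FILTERS = [
    "ip in forward tcp dstip 192.0.2.25/32 dstport = 25",
    "ip in forward tcp dstip 192.0.2.25/32 dstport = 110",
    "ip in drop",
]


def env_name(attribute: str) -> str:
    """User-Name -> USER_NAME (assumed attribute-to-environment mapping)."""
    return attribute.upper().replace("-", "_")


def realm_of(user_name: str) -> str:
    """The realm is whatever follows the last '@'; '' when there is none."""
    return user_name.rpartition("@")[2] if "@" in user_name else ""


def reply_pairs(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Decide the reply attributes for one request.

    Returns an empty list for unknown realms so the reply is left untouched;
    filtered realms get the Session-Timeout plus the filter list, in order.
    """
    user = env.get(env_name("User-Name"), "")
    policy = REALM_POLICY.get(realm_of(user))
    if policy is None:
        return []
    timeout, filtered = policy
    pairs = [("Session-Timeout", str(timeout))]
    if filtered:
        pairs += [("Ascend-Data-Filter", f'"{f}"') for f in MAIL_ONLY_FILTERS]
    return pairs


def render(pairs: List[Tuple[str, str]]) -> str:
    """One 'Attr = Value' per line; this is all that may reach stdout."""
    return "".join(f"{name} = {value}\n" for name, value in pairs)


def main() -> int:
    env = dict(os.environ)
    user = env.get(env_name("User-Name"), "?")
    pairs = reply_pairs(env)
    # Diagnostics on stderr only: stdout is parsed by the server.
    print(f"post-auth for {user}: {len(pairs)} reply attribute(s)", file=sys.stderr)
    sys.stdout.write(render(pairs))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The users-file side is just `Exec-Program-Wait = "/usr/local/bin/post-auth.py"` (path assumed) in the reply items of the matching entry. Because the server waits for the script before answering, keep it quick and never let it block on network calls; an Exec-Program (no -Wait) variant is the right place for side effects like firewall changes whose result the reply does not depend on.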
Re: Most Popular method for managing users in FreeRadius
27-Jan-03 at 14:37, Tim Jung ([EMAIL PROTECTED]) wrote :
> I saw this posting and wanted to ask a few questions. Has anyone set up FreeRADIUS so it authenticates users and stores the accounting logs in MSSQL for use by Rodopi? I am interested in knowing if anyone has set up FreeRADIUS and Rodopi together so that pre-paid cards and dialup account time limits work and limit a user's time so when they reach the limit it will kick them off by setting the session length correctly. If anyone has any pointers for this information I would appreciate it. We are already using Rodopi to import standard RADIUS logs and make the users file, but would prefer to see this integrated better so we can support pre-paid cards. In case it makes any difference we would like to run FreeRADIUS on our Red Hat Linux server. Right now we are running Cistron which as you know isn't really set up for pre-paid cards.

This would be interesting for me too, but I haven't had the time to implement it yet. I don't think you need it to store to MSSQL, you can just have RODOPI send the right attributes upon account creation/renewal I think.

Let me know how you get on and come back with more specific questions. I'm familiar with Rodopi 5.1...
Re: Allowing POP3 (email only) access
22-Jan-03 at 16:28, Lisa Casey ([EMAIL PROTECTED]) wrote :
> Hi, We acquired an ISP who is using Freeradius. There are several accounts on this system which are meant to be email only accounts (i.e. customers dial in and are authenticated using their dial-up username/password, then once they get connected they can check e-mail on that account or on an e-mail only account). An e-mail only account should not, of course, be able to log in via radius.

Unless it's an email only account which allows dialin but only for the purposes of checking mail. We have a setup like that (users can dial in, but from there the only IP/Port they can hit is ourmailserver:25 and ourmailserver:110).
Re: using freeradius with celluarip networks
23-Jan-03 at 00:17, satnett satellite ([EMAIL PROTECTED]) wrote :
> Dear tim, Does Freeradius Support Voice Over Ip

VoIP has nothing to do with authentication.
Re: Using one server with multiple owners.
23-Jan-03 at 12:25, Joost ([EMAIL PROTECTED]) wrote :
> Hi, I've set up a FreeRadius 0.8.1 server with MySQL on one of my machines. Now I would like to use this server for 'multiple owners', so I could use it but others can use the same machine. The best way would be (I think) to use multiple mysql databases and select one of these databases to use depending on the NAS the request is coming from. Is this possible? Are there any other solutions for this problem. I could of course run multiple freeradiuses on multiple ports.. but I would like another solution..

Perhaps read up on realms. [EMAIL PROTECTED] can be authenticated differently from [EMAIL PROTECTED]

Regards,
Re: Using one server with multiple owners.
23-Jan-03 at 13:19, Joost Hietbrink ([EMAIL PROTECTED]) wrote :
> Yeah, I've read up on realms :). But this would mean I have to let NASes or their users put some kind of @thisissomedatabasetableidentifier at the end of their username wouldn't it? Or can I add this automatically by putting something in the clients.conf file? And put some check in the 'authorize' and 'accounting' section so it would select sql1 or sql2 or sql3 (all different databases) to use?

Maybe this?

    # rewrite arbitrary packets.  Useful in accounting and
    # authorization.
    ## FIXME: This is highly experimental at the moment.  Please give
    ## feedback.
    #attr_rewrite sanecallerid {
    #        attribute = Called-Station-Id
    #        # may be packet, reply, or config
    #        searchin = packet
    #        searchfor = "[+ ]"
    #        replacewith = ""
    #        ignore_case = no
    #        max_matches = 10
    #}

I don't know how it works, but perhaps you could use it to add a realm to each NAS by comparing the attribute for NAS ID and then changing username (I'm clutching at straws, really). Maybe the NAS can add the domain?
Re: Auth-type=Accept
21-Jan-03 at 16:57, leaobicalho ([EMAIL PROTECTED]) wrote :
> When I use Auth-type=Accept, I don't need to say password, authenticate only by login. But always radius client sends `login` in format STRING and not encrypted. I think that Password is encrypted. Then, how do I authenticate only by Password?

Read up about possible authentication methods that your NAS supports, and work out which one will encrypt passwords. If you authenticate only by password, how do you track users?
[OT] Re: Dialup_admin
20-Jan-03 at 16:55, System Administrator ([EMAIL PROTECTED]) wrote :
> using apache 2.0 seems to be a different setup than what I am used to

Apache2 + PHP is still in experimental IIRC. It may not work as expected.
Re: Dynamic IP addresses from FreeRadius questions
20-Jan-03 at 21:51, Li Lin ([EMAIL PROTECTED]) wrote :
> I am setting up the dynamic IP addresses from FreeRadius and I have some questions as follows.
>
> 1. I included the rlm_ippool into the Makefile and put dbm in the users file. I do not know why I still get the following error message.
>
>     /usr/local/etc/raddb/users[101]: Parse error (reply) for entry userSecret1Name: Unknown attribute Pool-Name
>     Errors reading /usr/local/etc/raddb/users

This means line 101 of your users file has an error. Pool-Name is not a valid attribute. In fact, it means exactly what it says in the error message.

> 2. Could you check my users, radiusd.conf files to see anything missing/incorrect for the dynamic IP Radius addressing?

Get it working without this first.

> 3. I also included the run time messages, could you please help me to take a look whether all modules have been installed properly?

There's just not the time in a day for me (or anyone else) to check your configuration in its raw verbose format like that. Get things working in stages, never ask so many questions at once, walk before you run.

Regards,
Re: Multiple Password Files
21-Jan-03 at 18:00, Craig ([EMAIL PROTECTED]) wrote :
> I have been trying to get
>   [EMAIL PROTECTED] to authenticate from /etc/shadow1
>   [EMAIL PROTECTED] to authenticate from /etc/shadow2
> for a while but don't know how. Does freeradius allow this? Surely multiple password files/databases/locations would be supported, since many ISPs with resellers would want this.

You read up on realms and maybe using something like MySQL/LDAP rather than shadow files? (I bet you could do it with shadow files though)
Re: FreeRADIUS under Cygwin
21-Jan-03 at 09:07, Amiri ( IranData.com ) ([EMAIL PROTECTED]) wrote :
> Does anyone know how the performance of the cygwin version of freeradius is? Does it work well?

There's no reason to assume it won't work reasonably, but it won't run as fast as on a platform for which it will natively compile.