Re: Auth-type=Accept
21-Jan-03 at 16:57, leaobicalho ([EMAIL PROTECTED]) wrote :
> When I use Auth-type=Accept, i dont
> need say password, authentic only by
> login. But always radius client send
> `login` in format STRING and not
> encrypted.
>
> I think that Password are encrypted.
> Then, How i authentic only by Password?

Read up about possible authentication methods that your NAS supports,
and work out which one will encrypt passwords.

If you authenticate only by password, how do you track users?

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS under Cygwin
21-Jan-03 at 09:07, Amiri ( IranData.com ) ([EMAIL PROTECTED]) wrote :
> Does any one know how is the performance of the cygwin version of freeradius?
> Does it work well?

There's no reason to assume it won't work reasonably, but it won't run
as fast as on a platform for which it will natively compile.

Re: Multiple Password Files
21-Jan-03 at 18:00, Craig ([EMAIL PROTECTED]) wrote :
> I have been trying to get
>
> [EMAIL PROTECTED] to authenticated from /etc/shadow1
> [EMAIL PROTECTED] to authenticated from /etc/shadow2
>
> for a while but don't know how. Does freeradius allow this? Surely multiple
> password files/databases/locations would be supported, since many ISP's with
> resellers would want this.

You read up on realms and maybe using something like MySQL/LDAP rather
than shadow files? (I bet you could do it with shadow files though)

Re: Dynamic IP addresses from FreeRadius questions
20-Jan-03 at 21:51, Li Lin ([EMAIL PROTECTED]) wrote :
> I am setting up the dynamic IP addresses from FreeRadius and I have some
> questions as follows.
>
> 1. I included the rlm_ippool into the Makefile and put dbm in the users
> file.
>    I do not know why I still get the following an error message as follow.
>
> "/usr/local/etc/raddb/users[101]: Parse error (reply) for entry
> userSecret1Name: Unknown attribute Pool-Name
> Errors reading /usr/local/etc/raddb/users "

This means line 101 of your users file has an error. Pool-Name is not a
valid attribute. In fact, it means exactly what it says in the error
message.

> 2. Could you check my users, radiusd.conf files to see anything
> missing/incorrect for the dynamic IP Radius addressing?

Get it working without this first.

> 3. I also included the run time messages, could you please help me to take a
> look whether all modules have been installed properly?

There's just not the time in a day for me (or anyone else) to check your
configuration in its raw verbose format like that.

Get things working in stages, never ask so many questions at once, walk
before you run.

Regards,

[OT] Re: Dialup_admin
20-Jan-03 at 16:55, System Administrator ([EMAIL PROTECTED]) wrote :
> using apache 2.0 seems to be different setup
> then what I am used to

Apache2 + PHP is still in experimental IIRC

It may not work as expected.

Re: Re: SQL Authorization / Authentication
20-Jan-03 at 13:36, Shannon Johnson ([EMAIL PROTECTED]) wrote :
> I have the MySQL database set up with a test account (username test,
> password test). When I run "radiusd -xxp 1645" and try "radtest test
> test localhost:1645 0 testing", it gives me a bunch of stuff, but the
> part that stands out is the following:
>
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> Username = '' ORDER BY id'

I'm taking a stab at this - I have MySQL working here with FreeRadius
0.7.1 (haven't upgraded: still in R&D)

You certainly have a problem in that the username is not getting to the
SQL module:-

I get output like this

  radius_xlat: 'test'
  sql_set_user: escaped user --> 'test'
  radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'

then get an accept/reject based on the password, which I store as a
Crypt-Password so it's not in plaintext.

> From what I can tell, it's not passing the username (or password, for
> that matter) to the SQL database. Would that be a correct assumption? If
> so, do you have any suggestions on what to do to fix?

I used the howto at:-
http://www.frontios.com/freeradius.html

I'm not sure how your config is, or why the username isn't getting
passed to the SQL query, maybe check your sql.conf file

I have (around line 70)

  sql_user_name = "%{User-Name}"

and in queries below

  authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"

So check that SQL-User-Name is OK, and verify the SQL queries too.

Hope this helps,

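The two-step expansion described in the reply above (sql_user_name into SQL-User-Name, then SQL-User-Name into the check query), as an added Python sketch that is not part of the original post and not FreeRADIUS code. The helpers `xlat`, `escape` and `diagnose` are hypothetical, the escaping rule is a simplified stand-in, and `radcheck` replaces `${authcheck_table}`.

```python
import re

# Constructed settings modelled on the two sql.conf lines quoted in the reply.
# "radcheck" stands in for ${authcheck_table} (the table seen in the debug output).
SQL_USER_NAME = "%{User-Name}"
AUTHORIZE_CHECK_QUERY = (
    "SELECT id,UserName,Attribute,Value,op FROM radcheck "
    "WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"
)

# Assumption: a simplified allow-list, not the module's actual escaping code.
SAFE = set("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")


def escape(value):
    """Encode every byte outside SAFE as =XX so a quote can never end the SQL string."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in SAFE else "=%02X" % byte)
    return "".join(out)


def xlat(template, attrs):
    """Expand %{Attr} references; an attribute that is absent expands to ''."""
    return re.sub(r"%\{([A-Za-z0-9-]+)\}",
                  lambda m: attrs.get(m.group(1), ""), template)


def build_check_query(request, sql_user_name=SQL_USER_NAME):
    # Step 1: sql_user_name is expanded from the request and escaped.
    sql_user = escape(xlat(sql_user_name, request))
    # Step 2: the query only ever sees the escaped SQL-User-Name.
    return xlat(AUTHORIZE_CHECK_QUERY, {"SQL-User-Name": sql_user})


def username_missing(query):
    # escape() never emits a quote, so '' can only come from an empty expansion.
    return "''" in query


def diagnose(request, sql_user_name=SQL_USER_NAME):
    """Return (verdict, query) for one request and one sql_user_name setting."""
    query = build_check_query(request, sql_user_name)
    if not username_missing(query):
        return "ok", query
    if not sql_user_name.strip():
        return "sql_user_name is empty", query
    return "request attribute did not expand", query


if __name__ == "__main__":
    # Constructed requests: a normal login, a request without User-Name,
    # and a name containing a quote character.
    for req, setting in [({"User-Name": "test"}, SQL_USER_NAME),
                         ({"User-Name": "test"}, ""),
                         ({}, SQL_USER_NAME),
                         ({"User-Name": "o'brien"}, SQL_USER_NAME)]:
        verdict, query = diagnose(req, setting)
        print(verdict, "|", query)
```

An empty comparison string in the logged query, as in the question, corresponds to the second or third case; the last case shows why the escaped value is the one that belongs in the query.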
Re: re: rlm_sql errors
17-Jan-03 at 13:42, Shannon Johnson ([EMAIL PROTECTED]) wrote :
>
> Nick,
> I tried that... what I don't know is WHAT libraries it's looking for.
> Rather than saying "it's looking for the mysql libraries", which I
> already know, can you list the file names?
>
> > Here is what I use on a debian machine. Just change the paths to match
> > your file locations.
> >
> > ./configure --localstatedir=/var --sysconfdir=/etc --with-thread-pool
> > --with-mysql-include-dir=/usr/include/mysql/
> > --with-mysql-lib-dir=/usr/lib/
> > --with-mysql-dir=/usr/bin/
>
> I've already done this. I've also tried including the --disable-shared
> option, which was mentioned in the all-mighty FAQ... didn't work.

I have:-

/usr/lib/mysql (files like libmysqlclient.a are in there)
/var/lib/mysql (files like mysql.sock are there, plus the dbs in subdirectories)
/usr/include/mysql (files like mysql.h are there)

And I have mysqld in /usr/sbin

Your mileage may vary.

Re: re: rlm_sql errors
17-Jan-03 at 12:11, Shannon Johnson ([EMAIL PROTECTED]) wrote :
> From: Simon White <[EMAIL PROTECTED]>
>
> >> Fri Jan 17 11:14:36 2003 : Error: rlm_sql (sql): Could not link driver
> >> rlm_sql_mysql: file not found
> >>
> >> Fri Jan 17 11:14:36 2003 : Error: rlm_sql (sql): Make sure it (and all
> >> its dependent libraries!) are in the search path of your system's ld.
> >>
> >> Fri Jan 17 11:14:36 2003 : Error: radiusd.conf[14]: sql: Module
> >> instantiation failed.
> >>
> >> Exactly which libraries does it need? I bought the Radius book from
> >> O'Reilly, and there isn't anything of use in there... I tried adding
> >> /usr/local/lib to the /etc/ld.so.conf and running ldconfig, but that
> >> didn't work (do I need to recompile freeradius afterwards?). I also
> >> tried compiling freeradius using the -disable-sharing flag, but that
> >> didn't work either. I have freeradius 0.8.1 and mysql 3.23.54a (bench,
> >> client, server, and devel). If anyone has any ideas on what I should
> >> try, or if you could provide a list of exactly which libraries it needs
> >> to find, I can link them manually...?
>
> > Did you pass the options to configure in order to enable mysql at
> > compile time?
>
> Which options should I pass? I install all the MySQL parts (including devel)
> to their default places... the configuring and the compiling don't give me
> any errors, so I'm assuming it found mysql and enabled support for it.

It is possibly enabled by default in the freeradius compile, but only
if that can find the libraries and stuff.

You can specify them manually:-

  --with-mysql-include-dir=DIR  Directory where the MySQL includes may be found
  --with-mysql-lib-dir=DIR      Directory where the MySQL libraries may be found
  --with-mysql-dir=DIR          Base directory where MySQL is installed

(libs are usually foo.o files, already compiled binaries)
(includes are usually foo.c and foo.h files, source code)

For relevant other info, look here (starting from the path into which
the tarball was extracted)

src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
raddb/sql.conf
doc/README

-and-

http://www.frontios.com/freeradius.html

Regards,

Re: rlm_sql errors
17-Jan-03 at 11:24, Shannon Johnson ([EMAIL PROTECTED]) wrote :
> Fri Jan 17 11:14:36 2003 : Error: rlm_sql (sql): Could not link driver
> rlm_sql_mysql: file not found
>
> Fri Jan 17 11:14:36 2003 : Error: rlm_sql (sql): Make sure it (and all
> its dependent libraries!) are in the search path of your system's ld.
>
> Fri Jan 17 11:14:36 2003 : Error: radiusd.conf[14]: sql: Module
> instantiation failed.
>
> Exactly which libraries does it need? I bought the Radius book from
> O'Reilly, and there isn't anything of use in there... I tried adding
> /usr/local/lib to the /etc/ld.so.conf and running ldconfig, but that
> didn't work (do I need to recompile freeradius afterwards?). I also
> tried compiling freeradius using the -disable-sharing flag, but that
> didn't work either. I have freeradius 0.8.1 and mysql 3.23.54a (bench,
> client, server, and devel). If anyone has any ideas on what I should
> try, or if you could provide a list of exactly which libraries it needs
> to find, I can link them manually...?

Did you pass the options to configure in order to enable mysql at
compile time?

Re: (no subject)
10-Jan-03 at 10:12, g ([EMAIL PROTECTED]) wrote :
> EVERYTHING SEEMS TO BE OK EXCEPT WRITING THE RADUTMP AND RADWTMP FILES

Reasons why files aren't written, general:

- Permissions are wrong on the directories in which the files should be
  created
- Configuration files aren't being told to write the file
- Files already exist which can't be appended because ownership is wrong
- The files are being written, but you're looking in the wrong place

Let us know that none of the above apply, and we will be willing to help
again.

Re: freeradius and oracle
On Tue, 7 Jan 2003, Alex Zhang wrote:
> Hi,
>
> Following is my radius.log

Did you read it, or blindly post it?

> auth bind: Address already in use
> There appears to be another RADIUS server already running on the
> authentication port UDP 1812.

Isn't this already enough of a hint for you?

Re: rlm_sql_mysql not installing
03-Jan-03 at 21:19, Robert Canary ([EMAIL PROTECTED]) wrote :
> Okay I think I found the problem why I am not talking to the MySql.
>
> Apparently the make install never installed the rlm_sql_mysql file.

Did you provide the correct arguments to the configure script? Since you
don't provide those in your email, we can't tell.

hint: configure --help for the options, and check README where it says

  --with-mysql-include-dir=DIR  Directory where the MySQL includes may be found
  --with-mysql-lib-dir=DIR      Directory where the MySQL libraries may be found
  --with-mysql-dir=DIR          Base directory where MySQL is installed

Regards,

Re: Scyld-Beowulf 2 server cluster on RH Linux 8.x with Raid + Hotspare + IC-Radius/FreeRadius + MySQL latest versions.
03-Jan-03 at 17:54, Marnix Petrarca ([EMAIL PROTECTED]) wrote :
> First of all, I have Freeradius latest version working with MySQL latest
> version.
>
> The plan is to run a 2-server fail-over config running as a primary daemon
> either FreeRadius or IC-Radius, which processes I plan to manage with the
> cluster software from scyld. If it can be done I do not know - but the docs
> suggest it may. The Radius will obviously do accounting and Authorisation /
> Authentication for Radius clients coming from our link, and I will have a
> MySQL database on both servers that will replicate the data involved.
>
> Can this be done, clustering with any version of Radius (Open-Sourced)
> I have to test everything, so I hope the feedback may be of value.

Usually a cluster shares storage space and is more akin to a
multi-processor single machine than anything else, so there's no reason
FreeRadius won't work in that kind of setup, with one or more MySQL
servers replicating data and used as fallbacks.

See the configurable_failover file in the docs/ directory of the
tarball. That should get you everything you can reasonably digest before
you actually get the cluster working.

Re: Solaris Issue
02-Jan-03 at 23:42, Gene Parks ([EMAIL PROTECTED]) wrote :
> On Solaris you will waste your time trying to find out where the problem
> is. I had 2 Solaris servers with the exact same software load. One
> would compile and run FreeRadius the other pretty much said to forget
> it. They were both X-1's. So this is the way to get it to work and not
> have any trouble what so ever. Install Suse 7.3 for sparc on the two
> servers. Then compile and install freeradius. You will be home free
> and never have a bit of problems out of them..

Hehe... 2 Solaris servers become 2 Linux servers...

Just goes to show how portability can be a headache. We switched all our
old Sun boxes to Linux too, since installing newer Solaris versions will
kill them.

Re: Calling-Station-ID in accounting start request
31-Dec-02 at 10:18, Tim D. McCracken ([EMAIL PROTECTED]) wrote :
> > At 04:06 PM 12/31/2002 +0100, Mariusz Bożewicz wrote:
> >
> > >- Original Message -
> > >From: "Alan DeKok" <[EMAIL PROTECTED]>
> > >
> > > > "m&m's" <[EMAIL PROTECTED]> wrote:
> > > > > Is any possibility to enter Calling-Station-Id field into
> > > > > detail file?
> > > >
> > > > Why wouldn't it be?
> > >Ok. The possibility is... hehe, but not in my Radius server
> > >detail file. So
> > >what should I do to enter this field to detail file ?
> >
> > Make sure the NAS sends it? You *have* done this already right? Running
> > the server in debugging mode to see what it receives from the NAS?
> >
> > Unfortunately the 'rlm_magic' module has not been written, so if the NAS
> > doesn't send it, the server can't log it. Patches welcome of course. :)
> >
> > -Chris
>
> Note: I have completed rlm_magic module and am currently working
> on the rlm_clairvoyance module. Not only will it do everything you
> want, regardless of the available data, it will read your mind so that
> no manual configuration is required! :)

Now, be careful. If that module works well, you might want to patent it
:) don't GPL such a rare pearl.

Happy New Year to the list.

Re: AcctInputOctets > 2GB bug
30-Dec-02 at 17:36, Klaus Heck ([EMAIL PROTECTED]) wrote :
> There's a error whenever the AcctInputOctets or AcctOutputOctets exceed
> 2GB. Note that the NAS internal counter does not wrap around for values
> lower than 4GB.
> The problem was that the database script
> modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql defines these
> attributes to be of type int(12) which reaches its limit at exactly
> 2*1024*1024*1024 (2GB). Just change the script to use bigint(12) instead
> and this problem is fixed :-)

http://lists.cistron.nl/archives/freeradius-users/2002/12/frm00021.html

This was discussed earlier this month.

Re: Another type of counter
30-Dec-02 at 09:17, m&m's ([EMAIL PROTECTED]) wrote :
> Hi
> In my country there are two types of payment periods in telephony. In the
> first of them (it is between 8:00am and 10:00pm)we pay for each 3 minutes
> (for example 0,08$). In second period (it is between 10:00pm and 8:00am) we
> pay for each 6 minutes also 0,08$. Is any possibility to summarize time of
> session for each period separately?
> Any ideas?

You need a Radius accounting log analyzer, not a Radius server.

You can allow authentication only between certain times under
FreeRadius, using the correct attributes.

Regards,

Re: (no subject)
27-Dec-02 at 16:38, nopadol ([EMAIL PROTECTED]) wrote :
> I have problem about Freeradius0.7 that started for 1 day. I got message
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for x
> radius_xlat: '(uid=x)'
> radius_xlat: 'ou=people,dc=xx,dc=xx,dc=xx,o=internet'
> rlm_ldap: All ldap connections are in use
> modcall[authorize]: module "ldap" returns fail
> modcall: group authorize returns fail
>
> what 's happen? Give me suggestion please...

Your LDAP server is either keeping too many connections open for too
long, or is handling too many connections at a time. Tune your LDAP
server to handle more connections, or do something to limit the number
of connections necessary - probably upgrading to the latest Freeradius
will help too.

Re: installing radius
26-Dec-02 at 15:42, Anil Garg ([EMAIL PROTECTED]) wrote :
> hi.
> i am a newbie to radius.
> i have to install radius server on a free bsd machine.
>
> about the server i fouldnt the following documenttaion(and the package to
> download):
> ---
> bash$ tar zxvf freeradius-[version].tar.gz
> bash$ ./configure
> bash$ make
> bash$ su - root
> bash# make install
> --
>
> but after i complete this..from where should i install client? i have a make
> a model where radius server authenticates the client.(i have to install
> server and client both)
> plz give some pointers.

Why does this sound like a homework assignment to me?

Re: how the FreeRadius connect the PPPOE-server(RA-PPPOE)
26-Dec-02 at 04:44, allans ([EMAIL PROTECTED]) wrote :
> hello,
>    I have set up a PPPOE-Server, and it can check the username
>    and password by Pap-secret, what I don't know to do is how
>    to make the freeRadius work with my PPPOE-server.Please
>    help me,and I am a college student,this study about
>    PPPOE-server and Radius System is my homework,please help
>    me for detail,thank you very much! Best wish!

Learning is about doing things yourself, not asking others to do it for
you.

How to ask Questions the Smart Way, by Eric S. Raymond. Including before
you ask, when you ask, how to interpret answers, and on not reacting
like a loser -- http://www.tuxedo.org/~esr/faqs/smart-questions.html

Getting through college requires work.

Re: RADIUS and SSH
25-Dec-02 at 11:31, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
> i solve a problem with using radius
> to auth pop & smtp users in RedHat
> require :
> 1) cyrus-imap
> 2) cyrus-sasl
> 3)make your own pam_unix module
> general idea: in account stage i assign uid,guid,shell and etc.
> from template user (i added it to passwd)
> so now i don't need to add users in local machine
> p.s.: 3) is already done in FreeBSD by the such way
>
> I guess it's a good idea to have one passwd file
> to auth pop,smtp,www,ppp users %-)

I wouldn't want one password for all those services myself. But then, I
can remember many passwords, unlike some of my clients.

OpenLDAP and/or MySQL would be my tools of choice for a single password
everywhere, and I'd get Radius to authenticate users against that.

Each to his own, of course.

Re: authorize/authenticate confusion in FR?
24-Dec-02 at 17:50, Scott Bartlett ([EMAIL PROTECTED]) wrote :
> > Alan,
> Alan,
>
> Despite trying to be constructive and give some input, especially with
> respect to helping out newbies who may not necessarily be UNIX
> programmers or gurus...
>
> ... I got the answer I expected from you: crude, insulting, inaccurate
> and dismissive. Thanks.

Hey guys, it's Christmas. I think we all have something to offer to the
RADIUS community by showing a united front here. Let's not diss each
other in public. Alan is perhaps a little jaded because of the time he's
spent on this list listening to crap, and time is a precious resource
that few of us have much of.

I think when we sort the wheat from the chaff we're on the same side
here. Have a great time with family & friends, and a couple of virtual
beers on me, and in the New Year let's see if you can't update those
pages, Alan get a dose of positive karma, and I'll maybe even get around
to doing some doc work myself.

Merry Christmas!

Re: authorize/authenticate confusion in FR?
24-Dec-02 at 10:38, Alan DeKok ([EMAIL PROTECTED]) wrote :
> Great. You've re-designed the server to do exactly what it's doing
> now, but with the names changed.
>
> How exactly does that help?

Hi Alan,

I'm going to jump in here, and I want first to say that your help in the
forum and with the project is great stuff, and we all owe you a debt.
There is a lot of newbie-ism in the mailing list, and a lot of things
which you nevertheless take the time to reply to, even with your
sometimes acerbic wit ;-)

Now, I know that things are not as bad or unclear as they seem from this
thread / mailing list in general. Indeed, I managed to get everything up
and running with MySQL by reading the right documentation. However,
there is an argument to make (I think) things a little clearer.

1) If the documentation can be improved, then let's improve it. Some
   windows users expect just a step-by-step manual to get going.
   - The only people who can be bothered to write this kind of dull
     technical stuff are those who are paid to do it...
   - O'Reilly mention FreeRadius in their Radius book, but it's an old
     version
   Conclusion - see below

2) If there is a case (as often there is) for a RTFM, then perhaps we
   can start pointing people to the relevant filename(s).

3) If the terminology is what most screws people up, then let's either
   - Change it, as suggested by this thread, but on democratic terms
     from experienced users
   - Add a lexicon or quick reference

Now, the interesting thing for me is to get wider use of OpenSource to
stop people using commercial crap which eats up bandwidth unnecessarily.
I managed to read the documentation OK and had no issues with it. It is
clear, but maybe approaching from a different angle might help.

I certainly DO NOT expect you to do this, Alan. I am calling for the
community at large to perhaps take some time to dig up their notes and
write up a couple of installs, so that these references can be made
available.

I certainly try to put my money where my mouth is. Over the holiday
period I might not get the time, but some time soon, I will be putting
up a site with support for what I consider to be good Linux / FreeOS
stuff, and FreeRADIUS is in that group.

Best regards and a Merry Christmas, Mr DeKok.

Re: spamassassin [was: Re: Uluslararası İş Fırsatı]
24-Dec-02 at 15:34, Miquel van Smoorenburg ([EMAIL PROTECTED]) wrote :
> In article <[EMAIL PROTECTED]>,
> Aşkın Çakır <[EMAIL PROTECTED]> wrote:
> >X-Spam-Status: No, hits=4.9 required=5.0
> > tests=CTYPE_JUST_HTML,FORGED_YAHOO_RCVD,HTML_FONT_COLOR_NAME,
> > HTML_WITH_BGCOLOR,LINES_OF_YELLING,MIME_EXCESSIVE_QP,
> > MIME_LONG_LINE_QP,SPAM_PHRASE_00_01,USER_AGENT_OE
> > version=2.43
> >X-Spam-Level:
>
> Okay, I said I would not have time to include the spamassassin headers
> in the mails to this list but I did find some time over the weekend.
>
> I'm lowering the required_hits setting from 5.0 to 4.0, that should
> catch a bit more spam.

Nice one!

Merry Christmas.

Re: RPM for freeRADIUS
24-Dec-02 at 08:44, Brian Johnson ([EMAIL PROTECTED]) wrote :
> This is needed for a package distribution system I am using. I will
> eventually spend the time and learn how to create RPMs for future
> releases, but I currently just need to plug one in and have very little
> time.

What suggests that we have the time either? I think that it would be a
good time for you right now to make the time to learn RPM if it's the
foundation for a package system you are devising.

Whilst I indeed think your request is fair to a point - suggesting that
we might have more time to create an RPM than you is going a little far.

If I'm not mistaken, whipping together a specific binary package for a
platform that is "given" i.e. RH7.2, should not be hard, but you will
have to compile from source whatever happens. RPM packages are little
more than a tarball with an index as to where each file needs to be
installed, and a few checksums.

Please contact me off list if you want to further this debate.

Re: authorize/authenticate confusion in FR?
24-Dec-02 at 10:27, Scott Bartlett ([EMAIL PROTECTED]) wrote :
> > maybe the section /should/ be called "preprocess" or
> > "check_auth_method" or something...
>
> Sorry... is that as in 'check authentication method' or 'check
> authorization method' (or, for us Brits, 'check authorisation
> method')...

Well it kinda allows both - it's clear enough for me :) I would prefer
authorisation too, but everywhere in the config so far it's US English
so better stay with it. I'm a Brit too, even if I am stuck in Morocco
for Christmas :')

> Heh...

[snip rather long disclaimer]

> Any views or opinions presented are solely those of the author
> and do not necessarily represent those of BTA Ltd.

Is all that is needed for mailing lists. Lose the rest when posting here
if possible.

Re: authorize/authenticate confusion in FR?
24-Dec-02 at 02:16, Frank Cusack ([EMAIL PROTECTED]) wrote : > On Tue, Dec 24, 2002 at 09:46:31AM +0000, Simon White wrote: > > It's just more complex than your average model of just authenticate then > > authorize... > > That's being generous. It's not that it's more complex really, it's that > FR is commingling authorize and authenticate, in large part due to certain ^ What a wonderful word - never heard it before, although it made sense - and upon checking I find it is syntactically correct English. > design weaknesses^Wdecisions of the RADIUS protocol itself. Well that's true. A lot of people forget what RADIUS stands for on this list. For the record:- Remote Authentication Dial In User Service i.e. NOT for SSH, telnet, etc. Cisco probably started that by allowing you to use Radius for logging into routers. > > maybe the section /should/ be called "preprocess" or > > "check_auth_method" or something... > > preprocess is already used, but check_auth_method doesn't sound TOO shabby > to me. Well it's time for me to start commingling Christmas and my work schedule. With a bit of luck I'll be out of the office a little early today. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_sql - authentication support
24-Dec-02 at 09:43, Miquel van Smoorenburg ([EMAIL PROTECTED]) wrote :
> In article <[EMAIL PROTECTED]>,
> Simon White <[EMAIL PROTECTED]> wrote:
> >24-Dec-02 at 00:06, Roy Hooper ([EMAIL PROTECTED]) wrote :
> >>
> >> begin 644 freeradius-mod_sql_authenticate.patch
> >> M+2TM(&9R965R861I=7,M,"XX+C$N;W)I9R]D;V,O
> >> M(#$S(#$Q.C`W.C4Q(#(P,#(**RLK(&9R965R861I=7,M,"XX+C$O9&]C+W)L
> >
> >Did Outlook Express 6 mung this attachment into binary or something?
> >It's not MIME compliant as far as my MUA is concerned, anyway...
>
> That's uuencode, a standard from the eighties that nobody really
> uses anymore ..

Why is OE6 using it? Jeez, I haven't seen uuencode for so long that I
didn't recognise it as such...

> except Outlook has still support for it.

So do many other MUAs but they only use it to *read* incoming mail !

> Worse,
> any line in the body of the message that starts with 'begin ' makes
> outlook think there's an attachment there. Which can be a problem
> if you use it by accident.
>
> Microsoft simply tells you to scrap the word "begin" from the
> English language. Really, see:
> http://support.microsoft.com/default.aspx?scid=KB;en-us;q265230

OMG!

WORKAROUND
To workaround this problem:
* Do not start messages with the word "begin" followed by two
* spaces.
* Use only one space between the word "begin" and the following
* data.
* Capitalize the word "begin" so that it is reads "Begin."
* Use a different word such as "start" or "commence."

Merry Christmas ! Commence your festivities ;-)

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authorize/authenticate confusion in FR?
24-Dec-02 at 09:35, Scott Bartlett ([EMAIL PROTECTED]) wrote :
> For example, it says: "Authorization is a process of obtaining
> information about the user from external source (file, database or
> LDAP), and checking that the information in request is enough to
> authenticate user.
> The authentication method is decided during the authorization phase.
> ". These lines don't gel with me at all. Especially as 'aaa'
> stands for 'Authentication, Authorization and Accounting' and not
> 'Authorization, Authentication, and Accounting'... :-)

Well.. you're right and wrong. FreeRADIUS allows people to authenticate
via several different mechanisms from the same master daemon process
(radiusd), so it has to check each available mechanism to find out which
one authorises the user (if any) before authenticating him against the
correct mechanism.

So it's :-

- check all available authentication mechanisms as defined
- establish which will authenticate this user (actually preprocessing -
  hints -> realms -> users), although this *is* called authorization in
  the config file radiusd.conf
- authenticate against mechanism (authentication)
- possibly fall back to another on auth fail (fallback)
- then supply, on successful authentication, the radius attribute results
  (login authorization)->(accounting)

It's just more complex than your average model of just authenticate then
authorize... maybe the section /should/ be called "preprocess" or
"check_auth_method" or something...

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_sql - authentication support
24-Dec-02 at 00:06, Roy Hooper ([EMAIL PROTECTED]) wrote : > Attached is a patch to 0.8.1 to provide rlm_sql with the ability to do > authentication. This allows other modules to ask for Auth-Type := SQL, > including the SQL Authorization module, allowing, for example, a MySQL > database to perform authorization and an Oracle database to do the final > authentication. > Happy Holidays, > Roy > > begin 644 freeradius-mod_sql_authenticate.patch > M+2TM(&9R965R861I=7,M,"XX+C$N;W)I9R]D;V,O M(#$S(#$Q.C`W.C4Q(#(P,#(**RLK(&9R965R861I=7,M,"XX+C$O9&]C+W)L [snip] Did Outlook Express 6 mung this attachment into binary or something? It's not MIME compliant as far as my MUA is concerned, anyway... Happy Christmas, -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IPv6 + Proxy...
20-Dec-02 at 17:39, Tamer Demir ([EMAIL PROTECTED]) wrote : > At 05:23 PM 12/20/2002, you wrote: > >20-Dec-02 at 17:23, Tamer Demir ([EMAIL PROTECTED]) wrote : > >> I know it looks strange but, In an scenario like this: you are a big > >> company and you have a contract with many smaller companies with their > >own > >> realms. The users which are in this small companies may connect to the > >> Internet by using other small companies' NASes. And in order to solve the > >> accounting conflict between the small companies the big company wants all > >> the data about the authenticating users from all other small companies. > >Big > >> company just will act as a referee. > >> > >> Is this somehow possible by using proxy option in FreeRADIUS, if yes how? > > > >Either all your radius servers are proxies to the big company's radius > >server(s) or you use something like radrelay and just use the accounting > >information (which contains the detail you need) you don't need the > >actual packets that are sent to the user, just the accounting info. > > Unfortunately, What if big company wants all the detailed informations and > also the small companies want all the detailed info too, like MAC address > of the users, the beginning and end time of the connection and the small > company name that the wireless user connected. They get all that, have you looked at an accounting record? -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IPv6 + Proxy...
20-Dec-02 at 17:23, Tamer Demir ([EMAIL PROTECTED]) wrote : > I know it looks strange but, In an scenario like this: you are a big > company and you have a contract with many smaller companies with their own > realms. The users which are in this small companies may connect to the > Internet by using other small companies' NASes. And in order to solve the > accounting conflict between the small companies the big company wants all > the data about the authenticating users from all other small companies. Big > company just will act as a referee. > > Is this somehow possible by using proxy option in FreeRADIUS, if yes how? Either all your radius servers are proxies to the big company's radius server(s) or you use something like radrelay and just use the accounting information (which contains the detail you need) you don't need the actual packets that are sent to the user, just the accounting info. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Are you smarter than George W. Bush?
20-Dec-02 at 13:41, Simon ([EMAIL PROTECTED]) wrote : > On Fri, Dec 20, 2002 at 11:10:12AM +0000, Simon White wrote: > > 20-Dec-02 at 01:32, Miquel van Smoorenburg ([EMAIL PROTECTED]) wrote : > > > This has come up before. And before. And before. Each time I explained > > > the policy that the lists that I run have. Yes, spam/virus filtering > > > is done, quite extensively. No, it's not perfect. If you know a > > > perfect spam filter please tell me (and I'll get rich with it). > > > > SpamAssassin isn't bad. You could be harsh with it, for this list. > > http://lists.cistron.nl/archives/freeradius-devel/2002/10/msg00107.html Thanks. Is there a difference in score between average regular posts and those spams which slip through? Could the threshold be lowered? -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Are you smarter than George W. Bush?
On Fri, Dec 20, 2002 at 11:10:12AM +0000, Simon White wrote: > 20-Dec-02 at 01:32, Miquel van Smoorenburg ([EMAIL PROTECTED]) wrote : > > This has come up before. And before. And before. Each time I explained > > the policy that the lists that I run have. Yes, spam/virus filtering > > is done, quite extensively. No, it's not perfect. If you know a > > perfect spam filter please tell me (and I'll get rich with it). > > SpamAssassin isn't bad. You could be harsh with it, for this list. http://lists.cistron.nl/archives/freeradius-devel/2002/10/msg00107.html -- Simon - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Are you smarter than George W. Bush?
20-Dec-02 at 01:32, Miquel van Smoorenburg ([EMAIL PROTECTED]) wrote : > In article <000c01c2a787$49a440c0$ad15a8c0@nvcisplt01>, > Brian Johnson <[EMAIL PROTECTED]> wrote: > >How about simply denying messages from non-subscribers like EVERY ONE of > >my other lists do. :) > > This has come up before. And before. And before. Each time I explained > the policy that the lists that I run have. Yes, spam/virus filtering > is done, quite extensively. No, it's not perfect. If you know a > perfect spam filter please tell me (and I'll get rich with it). SpamAssassin isn't bad. You could be harsh with it, for this list. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius HELP!
19-Dec-02 at 20:43, Dwayne Carter ([EMAIL PROTECTED]) wrote :
> This is strange. I can login locally but I cannot dialup? HELP!

> rlm_realm: Proxying request from user NetConnect to realm
> 4netconnect.net
> rlm_realm: Adding Realm = "4netconnect.net"
> rlm_realm: Authentication realm is LOCAL.
> rlm_realm: auth_port is not set. proxy cancelled

Did you read the line immediately above?

> modcall[authorize]: module "suffix" returns noop
> modcall[authorize]: module "files" returns notfound
> modcall: group authorize returns ok
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user

Did you read the line immediately above?

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Any Credit Auto Loans! Free App, No commitment!
17-Dec-02 at 15:45, Instant Car Loan ([EMAIL PROTECTED]) wrote : > > If you believe this is spam, go here: > >http://xbrd.com/uce.php?m=BRD_12354815&[EMAIL PROTECTED]&uid=6234413 > = Can someone else tell me if they saw THEIR IP in the submitting IP complainer field? Can the list manager PLEASE stop allowing non subscribers to post? Thanks. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to store password?
19-Dec-02 at 16:39, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote : > The last thing Simon, > where is the doc "Auth Type System"? I can't find it. I meant that in the docs, you will see references to those terms. So while reading the docs (INSTALL, README, etc) then look out for those terms. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to store password?
19-Dec-02 at 16:01, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote : > 19-Dec-02 at 14:42, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote : > > Hello, > > > > I'm using a sun sparc with freeradius 0.7.1 server in md5 authentication. > > > > I'd like to know where I must store user's username and password in > > this server to make the right procedure for setup authentication > > mechanism. Maybe in "users" file? > > Yes, the users file is a good start. Try debugging with nothing complex > at all, then start playing with configs. > > You can only put plaintext passwords in the users file AFAIK, for md5 > use PAM authentication / Auth-Type System > > > Thanks Simon for your help, but I'm moving first steps in the world of this kind of >server. So could you explain what do you mean when you say "Try debugging with >nothing complex > at all, then start playing with configs." ? > And where is the users file AFAIK ? AFAIK = As Far As I Know :) What I mean is read through the simple setup docs, and test this first. Get the server working with the minimum, default configuration. When reading the docs pay particular attention to "Auth Type System" because this is probably what you want to use (the system MD5 passwords) Regards, -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to store password?
19-Dec-02 at 14:42, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote : > Hello, > > I'm using a sun sparc with freeradius 0.7.1 server in md5 authentication. > > I'd like to know where I must store user's username and password in > this server to make the right procedure for setup authentication > mechanism. Maybe in "users" file? Yes, the users file is a good start. Try debugging with nothing complex at all, then start playing with configs. You can only put plaintext passwords in the users file AFAIK, for md5 use PAM authentication / Auth-Type System -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ScanMail Message: To Recipient Match eManager setting and take action.
19-Dec-02 at 19:53, Peter Santiago ([EMAIL PROTECTED]) wrote : > Simon... > > I got one too... and I'm definitely not using eManager... Hmm Weird > Second time I got this kind of email... It's not just me then. Your domain was appended to Administrator also, so this is a problem outside our networks. Simply limiting only subscriber posts would help enormously. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ScanMail Message: To Recipient Match eManager setting and take action.
19-Dec-02 at 06:09, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote : > eManager Notification * > > The following mail was blocked since it contains sensitive content. > > Source mailbox: [EMAIL PROTECTED] > Destination mailbox(es): [EMAIL PROTECTED] > Rule/Policy: Sexually Explicit > Action: Quarantine to D:\Program Files\Trend\SMCF\Quarantine\2002-12-19\06-09-04.2728 > > Content filter has detected a sensitive e-mail. > > *** End of message * If anyone can shed some light on this message, I'd be interested. I don't dig why it appears to be from "[EMAIL PROTECTED]" when our mail server is nowhere at all in the headers and we're not running eManager anyway. Was the mail sent as and my MTA adds my domain? What did others on the list get? Isn't it time to block non-subscribers? Cheers, -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: user usage
19-Dec-02 at 10:30, Angelos Karageorgiou ([EMAIL PROTECTED]) wrote : > Craig Witter wrote: > > >I was wondering if anyone has found a way that users can go to a > >website, enter their username, and see a history of their logins. I've > >seen commercial software that does this before. Anyone seen an open > >source version? Possible a cgi script? > > There is no ready made package available but you can > > use radiusreport and then grep for the username on the user's login page. Try this: http://www.tummy.com/Software/radiuscontext Not bad. Will create an index with all users total times over the period contained in the "detail" file, and a page PER USER with more detail on their usage. I just tried it yesterday, works very nicely. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS and SSH
18-Dec-02 at 15:58, Puchkov S.N. ([EMAIL PROTECTED]) wrote : > from my point of view > it's better to have one program > to authorize all kind of requests > > of course you can > use ldap+freeradius ... If you already have an authentication layer (PAM) that can talk to LDAP, why the insistence on radius in the first place? Jeez, radius is there to send attributes back to a NAS, not for SSH! -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS and SSH
18-Dec-02 at 14:10, Puchkov S.N. ([EMAIL PROTECTED]) wrote : > if am not mistaken > it's impossible to do it :-( > pam stages : > auth - pass ok > account - error > session -ok > password - ok > so > radius cannot provide all necessary information : > uid,guid,home directory, limits and etc Why use Radius, a tool for dial-up authentication (OK, you can do other stuff with it) when you have LDAP for this kind of thing anyway? -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS and SSH
18-Dec-02 at 05:41, Patrick Paradis ([EMAIL PROTECTED]) wrote : > I have FreeRadius 0.8 installed on RH 8. > > I have Openssh installed on 30 servers IRIX 6.5, I want to centralize > the users in one location. > > Users are for support issues and uses SSH (tty login) to login to the > servers. > > Is there a way to have ssh authenticate with radius without > duplicating all users account ? This is a question to ask SSH lists first. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Usage Statistics?
18-Dec-02 at 01:09, Benjamin Smith ([EMAIL PROTECTED]) wrote : > Hi > > What solutions are there out there that provide reports on Dial-up usage? > (EG: time spent online, phone numbers dialed from, etc) > There's a thing called radreport which is an old PERL script but still works. Don't know of other tools, we have a custom SQL import which generates online hours, etc. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sql accounting
18-Dec-02 at 12:59, Malakhov Alexander ([EMAIL PROTECTED]) wrote : > hello! (sorry for my english) > I have a problem: > my NAS (portslave) sending to freeradius accounting packet with > calling-station-id = +21234567, and stored it normally into logfile and > radutmp. BUT into sql table radacct is stores as =2B21234567 > asks: how TURN OFF this quoting? where this quoting performed? =2B is Unicode, for + Is your DB using Unicode internally? I doubt it's freeradius doing the conversion... -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help with radrelay
On Mon, Dec 16, 2002 at 10:03:26AM +1100, Iq wrote:
>
> Hi everyone,
> Need a little help with radrelay. I have two NAS boxes (a
> portmaster and Ascend). Both of them authenticate customers from two radius
> servers (radius-0.8). One primary and other secondary. I want to run
> radrelay. My questions are
> as it says in doc/radrelay
> 1. radrelay -S secret_file detail-combined
> what is a secret file, what should it contain and how do we write it ?
> where it says server, which server is that is it the primary server IP
> (localhost) or secondary server IP ?
> My detail-combined is getting created.

From the radrelay manpage:

-S secret_file
    Read remote server secret from file, the file should contain
    nothing other than the plain-text secret.

doc/radrelay is slightly out of date, use -r instead of above.

I'll send a patch with some updates for doc/radrelay, -n should be
mentioned in there too.

--
Simon
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Webpage redirect
On Wed, 11 Dec 2002, Chris Parker wrote: > At 04:59 PM 12/11/2002 -0300, Fernando Teodoro wrote: > >Yet, my problem remains: not all my customers should fall in this system - > >they will (or will not) fit in this rule according some criteria - and the > >Radius is my first choice, since everybody's must dial-in and auth in > >Radius. If I let anyone auth in Radius and force anyone to authenticate in > >browser to access the web, it will be a great pain for regular customers > >(90% of the total users); this is the pattern used by free-ISP in Brazil, > >and it makes this services so boring. > > > >Most important, you answered my main question: there's no way to redirect > >clients homepage with any of Radius features, right? Radius "talks" only > >with RAS, and not with the end-user. So, any solution will require web-proxy > >redirecting. No other way? > > There is no specific way via RADIUS directly to make this happen as > routing policy is outside the scope of RADIUS. > > *HOWEVER* RADIUS can be used to communicate policy routing decisions > to the NAS if the NAS supports it. It's a feature of the NAS, not > of RADIUS. > > You can setup Policy Based Routing on Cisco NAS for example, triggered > by a Cisco-VSA attribute you return. You could selectively return > the VSA trigger with Group attributes on your RADIUS server. > > So, to answer your question, it does not require a web-proxy system. It > depends on your NAS choice and the capabilities of that NAS. Of course, if prepaid people dial a different number, and your NAS supports passing that number (Called-Station-ID)? you can use this as a criterion for filtering requests to assign a different IP subnet, for example, and other complex hacks, but I'm too much of a newbie to tell you if it will work, you'll have to look into it -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS not authing via SQL
10-Dec-02 at 11:29, JP Hindin ([EMAIL PROTECTED]) wrote :
> On Tue, 10 Dec 2002, Simon White wrote:
> > 09-Dec-02 at 17:03, JP Hindin ([EMAIL PROTECTED]) wrote :
> > > The command I'm using to test:
> > > [jphindin@server bin]$ ./radtest testuser testpass localhost 66 *password*
> > The syntax is:
> > radtest user passwd radius-server[:port] nas-port-id secret
> > secret is not password, but the shared secret.
>
> I'm aware of this, it was perhaps a bad word choice on my part. I _am_
> using the client shared secret in place of *password*.

FYI

Database radius - table radcheck running on localhost
SQL-query
SQL-query : [Edit]
SELECT * FROM `radcheck` LIMIT 0, 30

id  UserName  Attribute       Value          op    Edit  Delete
1   simon     Crypt-Password  GkTfS3XVFwvDQ  NULL

Cheers,

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS not authing via SQL
10-Dec-02 at 11:29, JP Hindin ([EMAIL PROTECTED]) wrote : > On Tue, 10 Dec 2002, Simon White wrote: > > 09-Dec-02 at 17:03, JP Hindin ([EMAIL PROTECTED]) wrote : > > > > The command I'm using to test: > > > [jphindin@server bin]$ ./radtest testuser testpass localhost 66 *password* > > The syntax is: > > radtest user passwd radius-server[:port] nas-port-id secret > > secret is not password, but the shared secret. > > I'm aware of this, it was perhaps a bad word choice on my part. I _am_ > using the client shared secret in place of *password*. > Looking at your output, looks similar to mine. However - I switched from cleartext to crypt() passwords by setting that type in MySQL and it worked. Can't remember too much else though, sorry :s -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: set up question
09-Dec-02 at 22:59, Bill ([EMAIL PROTECTED]) wrote : > Hello! > > I have a question. I have a Cisco AS5200. It was suggested that I > place the public IP's into the AS5200, however there are provisions in > freeradius to do this also. Which is the correct way, put the Public IP's > into the RAS or the radius? I'd use the RAS personally. Usually easier that way. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS not authing via SQL
09-Dec-02 at 17:03, JP Hindin ([EMAIL PROTECTED]) wrote :
>
> Greetings;
> I've been trying to make FR auth using its SQL module (through MySQL to be
> specific) and am having no luck whatsoever.
> I've thoroughly consulted the frontios.com/freeradius.html
> documentation and just can't seem to make this work.
> I swear, if someone helps me work this out, I'll write the freakin'
> FreeRADIUS SQL auth documentation myself, 'cos this is bugging me.
> The command I'm using to test:
> [jphindin@server bin]$ ./radtest testuser testpass localhost 66 *password*

The syntax is:

radtest user passwd radius-server[:port] nas-port-id secret

secret is not password, but the shared secret. So you need to declare
localhost as a NAS in clients, and use the shared secret.

# Host          Shared secret
localhost       testing123

So in your example

$ ./radtest testuser testpass localhost 0 testing123

I use 0 as the nas-port-id, indeed you can put any figure for testing I
believe.

Cheers,

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Just plain problems
06-Dec-02 at 16:55, troy white ([EMAIL PROTECTED]) wrote : > I am really starting to think this is useless crap. Look, there are plenty of people using FreeRadius successfully. I got it set up with MySQL and I have never configured a radius server before. It wasn't too hard. Please, don't make posts like this. They don't help anyone. Free software is provided by dedicated people like Alan DeKok and they don't need statements like that on a mailing list, they must be encouraged. Indeed, he has tried to help. Think about your problems. Read all the docs. Think again, then post follow ups with correct error reports. Anyone who is interested in commercial support could email me privately, if I can have an SSH to your box I might get time to look at it. I am not an expert, but I don't like seeing blanket "this is crap" statements, and I reckon I could get it working. I won't be available until Monday afternoon (I'm on GMT). [aside] How to ask Questions the Smart Way, by Eric S. Raymond. Including before you ask, when you ask, how to interpret answers, and on not reacting like a loser -- http://www.tuxedo.org/~esr/faqs/smart-questions.html Regards, -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems compiling
05-Dec-02 at 08:06, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote : > I thought you might like to know the solution. First a little history. > > I did not want to use the port that came with FreeBSD because it was > version 0.7. So I had downloaded version 0.8 from the FreeRadius site. It > compiled OK until I tried to compile the dbm module. > > To solve the problem I just went back to the ports version 0.7 and compiled > it. The FreeBSD ports collection is very much "plug and play". If a > dependency is missing, 9 times out of 10 it knows how to solve the > problem. It turns out that the dbm library is not loaded with the standard > build of FreeBSD, but the port of FreeRadius knows how to find and install > that library. > > So after I compiled the 0.7 version, I was able to compile the rlm_dbm > modules. I just won't run the make install for the 0.7 version. > > Anyway, thanks for your help. > You're welcome. The first theory was therefore right - the libraries weren't on the system in source form, I guess. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems compiling
> At 09:47 AM 12/5/2002 +, you wrote:
>
> >Looks like you don't have the db libraries, or the configure script
> >hasn't been told where to find them, or your db libraries are not
> >compatible with those that freeradius needs.

05-Dec-02 at 07:24, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote :
> I have the stock libraries that came with FreeBSD and have installed
> everything using the defaults as to the placement of the libraries. Do you
> have any idea where I can get the db libraries?

Well, it might just be you have to point the configure script to where the libraries are

    --with-rlm-FOO-lib-dir=DIR      Directory to look for library files used by module FOO
    --with-rlm-FOO-include-dir=DIR  Directory to look for include files used by module FOO

if you're sure that the configure script is looking in the right place, then it's not compatible with the libraries, or can't find the source files (just the object files) for those libraries, and so can't compile against them.

Other than that, we're getting beyond my (limited) knowledge of how libraries interact with freeradius, since I'm not using DB libraries but rather MySQL with Freeradius.

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: (2) Can LDAP be used to authenticate /etc/passwd ?
05-Dec-02 at 20:23, Sarick ([EMAIL PROTECTED]) wrote : > Hi Hecker, > I do know that EAP-MD5 is only capable of authenticating with plain text > info. > And now I know that to authenticate with the accounts on Linux server will > need additional database setup for users. > It is impossible to obtain user info from original Linux server. By copying /etc/passwd and /etc/shadow onto another machine with the same password hash mechanism, you can have the users on another system. Otherwise, you can get the usernames from the /etc/passwd file and you have to recreate passwords. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems compiling
04-Dec-02 at 19:27, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote :
> Trying to compile the rlm_dbm section of 0.8. When executing ./configure
> while in the modules/rlm_dbm directory I get the following output. The
> machine is FreeBSD version 4.6.2.
>
> Thanks to anyone who can help.
>
> creating cache ./config.cache
> checking for gcc... gcc
> checking whether the C compiler (gcc ) works... yes
> checking whether the C compiler (gcc ) is a cross-compiler... no
> checking whether we are using GNU C... yes
> checking whether gcc accepts -g... yes
> checking how to run the C preprocessor... gcc -E
> checking for ndbm.h... yes
> checking for dbm_open in -lndbm... no
> checking for dbm_open in -lgdbm... no
> configure: warning: FAILURE: rlm_dbm requires: (libndbm or libgdm).
> configure: warning: silently not building rlm_dbm.
> updating cache ./config.cache
> creating ./config.status
> creating Makefile

Looks like you don't have the db libraries, or the configure script hasn't been told where to find them, or your db libraries are not compatible with those that freeradius needs.

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can LDAP be used to authenticate /etc/passwd ?
04-Dec-02 at 20:23, jmc_cs ([EMAIL PROTECTED]) wrote : > > > Hi Simon, > - Original Message ----- > From: "Simon White" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, December 04, 2002 7:23 PM > Subject: Re: Can LDAP be used to authenticate /etc/passwd ? > > > > 04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote : > > > Hi all, > > > Can the LDAP be used to authenticate a user whose username and password > is > > > stored in /etc/passwd?? > > > > How is the LDAP server going to read the username in /etc/passwd? > > > > Passwords are not stored in /etc/passwd, just usernames. > > Passwords are usually in /etc/shadow, YMMV > yes. My question is, can I use LDAP to authenticate the users who having the > accounts on Linux , with EAP-MD5 authentication? > That is, to read the usernames from /etc/passwd and passwords from > /etc/shadow. > How? You can't. You can store the hashes that are in shadow in LDAP probably. I think, however, that your approach is probably wrong. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can LDAP be used to authenticate /etc/passwd ?
04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote : > Hi all, > Can the LDAP be used to authenticate a user whose username and password is > stored in /etc/passwd?? How is the LDAP server going to read the username in /etc/passwd? Passwords are not stored in /etc/passwd, just usernames. Passwords are usually in /etc/shadow, YMMV -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to add a user
03-Dec-02 at 16:24, Maurizio Martinoli ([EMAIL PROTECTED]) wrote : > can anyone tell me how to add a user in freeradius? > thank you There is no way you're going to get an answer to this kind of question. RTFM. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: broadband account
02-Dec-02 at 09:24, Brian Johnson ([EMAIL PROTECTED]) wrote : > If you are storing the data in a DB, you prolly need to modify the field > type to accept a larger number. Otherwise, I'm not sure. :( > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED]] On Behalf Of > > Steve Cole > > Sent: Tuesday, December 03, 2002 9:14 AM > > To: [EMAIL PROTECTED] > > Subject: broadband account > > > > > > How are people doing broadband accounting using freeradius? Is there > > support for an AcctOutputOctets value of larger than 2GB? I'm having > > this problem with another radius product and am looking at > > freeradius as > > a replacement, but 3.5Mbps DSL lines easily eat up 2GB worth > > of data in > > no time flat, and radius is dropping everything after 2GB at present. This depends on the NAS. If it doesn't supply radius with the correct value, then the accounting will be wrong. I'm not sure this is a limitation of freeradius or the NAS/DHCP server that authenticates through radius. Is the NAS sending correct values to radius, which radius is dropping? I think freeradius uses an integer value, I don't know how many bytes that allows in standard C code... I am not a C programmer. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with dialup_admin
> What do you mean by that? I 've added support for the register_globals magic in > the latest version. Other than that I don't think there are any secrets about > making dialup_admin work with Apache. For people who have experience of admin'ing apache, that's certainly true. However, I had to download the php/mysql RPM, install, restart apache, edit httpd.conf and set an alias, etc. There was no documentation to help with that (unless, as I said, I've missed something). I have no great problem doing this, but the only reason I'm doing it in the first place is to help out someone who couldn't do it himself. I thought having a readme file might help, but if you feel that's not necessary I won't do it :-} -- Simon Burns - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with dialup_admin
I was about to write to describe a problem with the dialup_admin scripts, but (as can happen) describing the problem helped me work out what was going on. However, there is a slight glitch with the accounting.php3 script, on line 108. It reads: http://www.freeradius.org/list/users.html
Re: ERROR 2002: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111)
27-Nov-02 at 19:28, Vijay Reddy ([EMAIL PROTECTED]) wrote :
> Hi,
> I have just installed freeradius 0.8 on Linux. How can we connect the mysql
> server running on different machine,what changes are required to make mysql
> client contact the server running on different machine,always i am getting
>
> ERROR 2002: Can't connect to local MySQL server through socket
> '/var/lib/mysql/mysql.sock' (111)
>

This is a MySQL problem; in any case, you need to look at sql.conf

    driver = "rlm_sql_mysql"

    # Connect info
    server = "hostname/IP address"
    login = "root" # or a better username who has access to the radius DB
    password = "yourpassword"

Regards,

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP bind problem
25-Nov-02 at 09:21, Samuel T Patterson ([EMAIL PROTECTED]) wrote : > Greetings, > > I have just begun testing a FreeRADIUS install in my environment and a > having a weird problem that I cannot find in the mail archives. I am > using LDAP to authenticate but have a problem running radius in > "daemonized" mode. I can run "radius -s" and everything is peachy... I get > a LDAP bind and authenticate just fine. If I run it without the "-s" flag, > the connection to the LDAP server fails. > > Doing a snoop, I found that without the "-s" flag the server would send a > syn packet and then without waiting for a response, immediately send a > reset. > > I tried running in debug mode, but there were no messages to be found > besides "Error: rlm_ldap: (re)connection attempt failed". I am running > this on a Solaris 8 machine, with FreeRADIUS version 0.7.1. > > Any ideas about how to fix this would be greatly appreciated. Thanks! I think starting with 0.8 instead would probably be the first approach... -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Replication of accounting to more than one radius server.
25-Nov-02 at 15:24, kenw ([EMAIL PROTECTED]) wrote :
> Please give me a hint of where in the doc.
>
> I looked through the doc and couldn't find it.
>
> Thanks,
> Ken
>
>
> Simon White wrote:
> >25-Nov-02 at 15:16, kenw ([EMAIL PROTECTED]) wrote :
> >
> >>How can I replicate the accounting to more than one radius server?
> >>
> >>I've tried a number of ways (example below), but only one server seems
> >>to see the accounting.
> >>
> >>DEFAULT Called-Station-Id == "7017" Replicate-To-Realm := "test.com"
> >>DEFAULT Called-Station-Id == "7017" Replicate-To-Realm := "test2.com"
> >
> >
> >This is in the docs

/freeradius-0.8/doc/radrelay

Or if that's not the same on your system, grep for radrelay in the docs folder. You should find it reasonably well documented.

Regards,

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Replication of accounting to more than one radius server.
25-Nov-02 at 15:16, kenw ([EMAIL PROTECTED]) wrote :
> How can I replicate the accounting to more than one radius server?
>
> I've tried a number of ways (example below), but only one server seems
> to see the accounting.
>
> DEFAULT Called-Station-Id == "7017" Replicate-To-Realm := "test.com"
> DEFAULT Called-Station-Id == "7017" Replicate-To-Realm := "test2.com"

This is in the docs

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: R: R: system architecture
25-Nov-02 at 12:26, Artur Hecker ([EMAIL PROTECTED]) wrote : > except, to remain at the same example: that's like putting the > 2-seat-cessna into a 747 jumbo flying it across the ocean to the NY and > "decapsulating" it overthere. of course, you could say that your cessna > made the distance... It's going further than that. It's using the controls of the cessna to pilot the 747, missing out on all the extra safety and navigational facilities of the 747 into the bargain as you fly across the ocean, and hacking in wires to cameras that show you some meters in the 747 cockpit without being able to check if someone is hitching a ride in the main 747 seating area... Sorry for poor joke. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: R: R: R: R: system architecture
25-Nov-02 at 12:04, Maurizio Martinoli ([EMAIL PROTECTED]) wrote :
> i am only talking about the authentication, i am not talking about the
> transferred data, don't worry.
> If the AP works just as a HUB what kind of machine should i have between
> the AP and the RADIUS?

Depends on the AP, no? Doesn't your vendor have a solution? You still haven't told us who the vendor is.

You could put a dhcp server which only gives IPs to mac addresses (but then you're not authenticating to username/password but just mac address which can be spoofed). Maybe a dhcp server exists that will authenticate via Radius and then give an IP, checking mac address as well. But really you also need key exchanges to be sure that the client can be allowed. Maybe Radius isn't the best solution.

Most of all, be more specific about your setup and what you are trying to achieve. I'm not an expert on wireless so I'm not going to say any more, for risk of being totally wrong.

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: R: R: R: system architecture
25-Nov-02 at 11:51, Maurizio Martinoli ([EMAIL PROTECTED]) wrote : > well if my AP does not support RADIUS then there should be a middle > machine that takes the packets from the AP, encapsulate them in RADIUS > format and sends them to the RADIUS server. > What i don't understand is what kind of software this machine should > have. > Could you tell me? Eh? You're missing the point of authentication I think. You are surely not going to authenticate EVERY packet via Radius are you? You usually use authentication to determine whether someone even gets an IP to be able to use the network in the first place, you can't send every packet through some kind of approval server...! -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: R: R: system architecture
25-Nov-02 at 11:12, Maurizio Martinoli ([EMAIL PROTECTED]) wrote :
> I know that RADIUS is an authentication mechanism, what i don't
> understand is that if my AP does not support RADIUS (so it works just as
> a hub) who sends the RADIUS queries to the RADIUS server? There must be
> another machine between the AP and the RADIUS, am i right? What kind of
> machine should this be?

If your AP doesn't support Radius, then you need something else to authenticate your users. I can't see how you can achieve this easily without some kind of Firewall with Authentication type thing. Your AP vendor may have an authentication firmware / plugin / separate box thing. That is not for the list to know since you haven't told us who the vendor is or what AP you're using.

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: R: system architecture
25-Nov-02 at 10:57, Maurizio Martinoli ([EMAIL PROTECTED]) wrote :
> AP is the access point, and i am talking about wireless.
> What i don't understand is who communicates from one side with the AP
> and the other with the RADIUS server

How do you do authentication now? I think you need to read up on authentication in general. Radius is an authentication protocol. There are lots of questions to the list about EAP/TLS and wireless authentication.

Basically, your access point has to support authentication via Radius. Freeradius is a daemon that will check user/password combinations via existing mechanisms (LDAP, SQL, PAM) or via its own users file.

- If your access point doesn't support Radius, then what authentication does it use?
- Can you make this authentication mechanism query a Radius server?

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: system architecture
25-Nov-02 at 10:49, Maurizio Martinoli ([EMAIL PROTECTED]) wrote :
> Hi everybody, i am new to all this so i apologize if my questions are
> dumb :-)
>
> I would like to understand how the architecture of the whole system is.
> I understood it should be something like this:
> Client --( )--- AP --- X -- RADIUS
> Where X is something that encapsulate the packets from the AP into
> RADIUS format and sends them to the RADIUS server.
> But what is exactly X? Can anyone tell me?

If by AP you mean Access Point, and you're talking wireless, then maybe... but then maybe not. Radius is an authentication mechanism.

We are not psychic. Please be clearer about why you are asking the question and what you are trying to achieve.

Regards,

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using MYSQL for accounting only
21-Nov-02 at 10:09, Mike Denka ([EMAIL PROTECTED]) wrote : > > No problem for me except that I wouldn't see any reason to burn the > resources to run both methods if one was sufficient. Redundancy, especially if you're relying on accounting to actually bill your customers... -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Default Gateway
20-Nov-02 at 15:24, Jeremy Parr ([EMAIL PROTECTED]) wrote : > Deleting the old gateway sounds like a bug. > > Maybe you could assign an IP address to the TC that is on the same subnet as > the old gateway, delete the old gateway, and then change the ip address > back. The default gateway has to be on the same subnet as the NAS anyway, that's for sure... -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: DNS for freeradius.org
20-Nov-02 at 11:10, Alan DeKok ([EMAIL PROTECTED]) wrote : > It appears I should move to a different registrar for DNS. I've > consistently received invoices a day (if that) before the domains > expire, and which are dated two months previously. > > As of Monday, I had paid their invoices, and had checked that the > domains existed, and used the correct name servers. Today, name > lookups return 'host not found'. 'whois' says that the domain exists, > and has the correct information, and doesn't have it listed as > 'inactive'. > > I've just called and "politely" asked them to fix the problem, so I > hope that it should be back on-line soon. Until then, please bear > with me, as I go quietly scream in a corner... Who is your registrar? I might recommend www.gandi.fr -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[Administrator@mtds.com: ScanMail Message: To Recipient Match eManager setting and take action.]
It would appear spammers are forging addresses and sending to the list from those addresses, no? - Forwarded message from [EMAIL PROTECTED] - > Date: Tue, 19 Nov 2002 10:17:26 -0500 > From: <[EMAIL PROTECTED]> > Subject: ScanMail Message: To Recipient Match eManager setting and take action. > To: <[EMAIL PROTECTED]> > X-Mailer: Microsoft CDO for Exchange 2000 > > eManager Notification * > > The following mail was blocked since it contains sensitive content. > > Source mailbox: [EMAIL PROTECTED] > Destination mailbox(es): [EMAIL PROTECTED] > Rule/Policy: Sexually Explicit > Action: Quarantine to D:\Program >Files\Trend\SMCF\Quarantine\2002-11-19\10-17-26.61138 > > Content filter has detected a sensitive e-mail. > > *** End of message * > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - End forwarded message - -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius 0.6 + RH8.0: only one process
18-Nov-02 at 11:00, Ruslan Spivak ([EMAIL PROTECTED]) wrote : > Hello freeradius-users, > > Recently I had RH7.2 with freeradius 0.6 and there was about 10 > process in the system, after installing RH8.0 and starting radius I > can see only 1 process, what's wrong with that? I think now it can't > handle parallel request. Configuration? Are you allowing it to spawn children? What command line do you use to launch it? Without more info, we'd have to be psychic -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius 0.7 - Daemon
18-Nov-02 at 09:22, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote : > ** Your attention is drawn to the note at the end of this message. ** ** Disclaimers have no place on mailing lists ** > > Dear All, > > I manage to get Freeradius 0.7 to work with OpenLDAP 2.1.4. Luckily, I can > start radiusd in debug mode (radiusd -X) and everything is working fine. > The server can authenticate users stored in LDAP server. There is no error > message in log file. However, when I start the server in daemon mode > (radiusd), the server exit immediately and an error message like the > following is found in the log. > > ERROR: MASTER EXIT ON SIGNAL (11) > > I suspect the problem is due to dynamic library link and so I re-compiled > freeradiusd with "disable-shared" but I still have the same problem. I had this error in the opposite sense: it would work as a daemon but not in debug: what port are you running the server on? You will probably be best off upgrading to a nightly CVS snapshot / latest CVS, because bugs like this are probably resolved already. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: users file causes error
15-Nov-02 at 12:01, Alex Zhang ([EMAIL PROTECTED]) wrote : > Hi, > FR 0.7.1 > SuSE linux 7.3 > Oracle DB 9i R2 > > When I use 'radiusd start', it reports: > > radiusd: Unexpected character `:' (0x3a) > radiusd: /etc/raddb/users[154]: Parse error (check) for entry DEFAULT > > Why? It can't parse the users file, line 154. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: can not compile freeradius-07 on solaris 7
14-Nov-02 at 14:06, j p ([EMAIL PROTECTED]) wrote :
> It's the error:
> /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 860: error: unknown opcode ".subsection"
> /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 860: error: statement syntax
> /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 869: error: unknown opcode ".previous"
> /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 869: error: statement syntax
> make[4]: *** [print.o] Error 1

Solaris as can be funny; I have seen evidence of this elsewhere. Have you tried gcc/gas in place of cc/as?

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Strange problem, HiperARC & FreeRADIUS & MacRADIUS
14-Nov-02 at 11:46, Alan DeKok ([EMAIL PROTECTED]) wrote :
> Adam Moffett <[EMAIL PROTECTED]> wrote:
> > At first everything seemed to be working, but then we discovered this
> > very strange thing. Authentication requests from our 3Com Total
> > Control unit (HiperARC V4.2.32) in which the username started with a
> > capital "S" would get the "S" stripped out when they were sent to
> > MacRADIUS.
>
> raddb/hints

Hints looks for capital S or P by default to denote a specific type of user profile (Slip, PPP)... you'll have to take them out of the file.

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Q. My RADIUS server not logs
14-Nov-02 at 14:41, Hilmi Hilmiev ([EMAIL PROTECTED]) wrote :
> Basically my question is: Which way is simple way to get any record in
> RADIUS logs without dial-up access?

radclient is probably what you need. You have to construct a file with a "packet" to send, e.g.:

===authcheck=== (filename)
User-Name = user
Password = pass

===acctcheck=== (filename)
Acct-Session-Id = "123456"
User-Name = "user"
NAS-IP-Address = 10.0.2.4
NAS-Port = 45
NAS-Port-Type = ISDN
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Calling-Station-Id = "123456789"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 192.168.0.1
Acct-Delay-Time = 0

then run

    cat acctcheck | radclient radiusserver:port acct

or similar (radcheck --help gives you syntax)

Regards,

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
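Added example, not part of the original post and not radclient's own code: what a tool has to do with the acctcheck file above before a server will log it. It encodes the attributes, builds an Accounting-Request with the Request Authenticator defined in RFC 2866 section 3 (MD5 over the packet with a zeroed authenticator field, followed by the shared secret), and runs the check a server applies before accepting the record. The small dictionary subset, the packet identifier and the secret testing123 are assumptions chosen for the demonstration; nothing is sent on the network.

```python
"""Build and check a RADIUS Accounting-Request (RFC 2866). Added example."""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4  # packet code

# Subset of the standard dictionary needed for the acctcheck file:
# attribute name -> (type number, encoding)
ATTRS = {
    "User-Name": (1, "string"), "NAS-IP-Address": (4, "ipaddr"),
    "NAS-Port": (5, "integer"), "Service-Type": (6, "integer"),
    "Framed-Protocol": (7, "integer"), "Framed-IP-Address": (8, "ipaddr"),
    "Calling-Station-Id": (31, "string"), "Acct-Status-Type": (40, "integer"),
    "Acct-Delay-Time": (41, "integer"), "Acct-Session-Id": (44, "string"),
    "Acct-Authentic": (45, "integer"), "NAS-Port-Type": (61, "integer"),
}
# Named values used in the file -> their numeric codes.
VALUES = {
    ("Service-Type", "Framed-User"): 2, ("Framed-Protocol", "PPP"): 1,
    ("Acct-Status-Type", "Start"): 1, ("Acct-Authentic", "RADIUS"): 1,
    ("NAS-Port-Type", "ISDN"): 2,
}

# The acctcheck file from the message above.
ACCTCHECK = """\
Acct-Session-Id = "123456"
User-Name = "user"
NAS-IP-Address = 10.0.2.4
NAS-Port = 45
NAS-Port-Type = ISDN
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Calling-Station-Id = "123456789"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 192.168.0.1
Acct-Delay-Time = 0
"""


def encode_attributes(text: str) -> bytes:
    """Turn 'Name = value' lines into type-length-value attributes."""
    out = b""
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, raw = (part.strip() for part in line.partition("="))
        raw = raw.strip('"')
        code, kind = ATTRS[name]
        if kind == "string":
            value = raw.encode()
        elif kind == "ipaddr":
            value = socket.inet_aton(raw)
        else:
            named = VALUES.get((name, raw))
            value = struct.pack("!I", int(raw) if named is None else named)
        out += bytes([code, len(value) + 2]) + value
    return out


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Header + Request Authenticator + attributes."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check; a packet that fails it is discarded, not logged."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"testing123"  # assumed shared secret for the test client
    packet = build_accounting_request(1, encode_attributes(ACCTCHECK), secret)
    print("length:", len(packet))
    print("accepted with matching secret:", verify_accounting_request(packet, secret))
    print("accepted with other secret   :", verify_accounting_request(packet, b"other"))
```

Because the authenticator covers every attribute, a record altered in transit fails the same check as one signed with the wrong secret.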
Re: Radius server not accounting, and dumping core...
13-Nov-02 at 10:11, Simon White ([EMAIL PROTECTED]) wrote :
> I have FreeRADIUS working, with MySQL db and even have tested with a USR
> Netserver NAS and it works fine on default port 1812 (which I can set
> the NAS to authenticate to)... so I have got somewhere. However there
> are two issues I'd like feedback on, if anyone can help.
>
> 1) Core dumping on port 1645 with debugging on
>
> -- First of all the version etc
> FreeRADIUS Version 0.7.1, for host i686-pc-linux-gnu
> gcc-2.96-81
> glibc-2.2.4-24
> kernel-2.4.18 hand rolled
> /usr/sbin/mysqld Ver 3.23.49a
>
> -- Now the lines in my config file that I think make a difference
> radiusd.conf
> port = 1645 # also tried port = 0 and changed /etc/services
>
> Now if I start radiusd, it will state "Ready to serve requests" and then
> soon after (1-30 seconds) dump core with a segfault. I haven't tried
> this with all flags, etc, but with debugging (-xx) on, it dumps core
> unless I leave it on port 1812. This isn't handy for testing. I'm
> testing it now without debugging and I will get back to you.

More on this: FREERadius has not stayed stable all day for me. It has segfaulted/dumped core several times, sometimes while attempting to authenticate to my test RAS, sometimes when just launched

Wed Nov 13 15:56:24 2002 : Info: Listening on IP address 194.204.200.53, ports 1645/udp and 1646/udp.
Wed Nov 13 15:56:24 2002 : Info: Ready to process requests.
Wed Nov 13 15:56:25 2002 : Error: MASTER: exit on signal (11)
Wed Nov 13 15:57:27 2002 : Info: Listening on IP address 194.204.200.53, ports 1645/udp and 1646/udp.
(no attempt to authenticate)
Wed Nov 13 15:57:27 2002 : Info: Ready to process requests.
Wed Nov 13 16:01:27 2002 : Error: MASTER: exit on signal (11)
(no parameters changed, attempt to auth)
Wed Nov 13 16:11:37 2002 : Info: Listening on IP address 194.204.200.53, ports 1645/udp and 1646/udp.
Wed Nov 13 16:11:37 2002 : Info: Ready to process requests.
Wed Nov 13 16:11:38 2002 : Error: MASTER: exit on signal (11)
(and again)

At other times it has worked, it will account properly and mysql works fine. I can't get it to stay stable in debug (-xx or -X) mode so I can't tell if something is causing this. What is wrong? Sometimes it will work fine and authenticate me a few times...

> 2) Accounting not working
>
> I'm still not sure on this, since I haven't quite got around to full
> testing - my NAS doesn't have an option to set the port for accounting
> so I assumed (perhaps incorrectly) that it uses authport+1 as FreeRADIUS
> does. However with many tests on port 1812 I didn't seem to get any
> accounting, I haven't figured out yet if the packets that came from the
> NAS were on the right port (I am still working on this) but to help me
> speed things up right now I'd appreciate if anyone has a script handy
> that can generate accounting packets for me.

Out of interest... this does work now, but only with port 1646...

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius server not accounting, and dumping core...
Hello,

I have FreeRADIUS working, with MySQL db and even have tested with a USR Netserver NAS and it works fine on default port 1812 (which I can set the NAS to authenticate to)... so I have got somewhere. However there are two issues I'd like feedback on, if anyone can help.

1) Core dumping on port 1645 with debugging on

-- First of all the version etc
FreeRADIUS Version 0.7.1, for host i686-pc-linux-gnu
gcc-2.96-81
glibc-2.2.4-24
kernel-2.4.18 hand rolled
/usr/sbin/mysqld Ver 3.23.49a

-- Now the lines in my config file that I think make a difference
radiusd.conf
port = 1645 # also tried port = 0 and changed /etc/services

Now if I start radiusd, it will state "Ready to serve requests" and then soon after (1-30 seconds) dump core with a segfault. I haven't tried this with all flags, etc, but with debugging (-xx) on, it dumps core unless I leave it on port 1812. This isn't handy for testing. I'm testing it now without debugging and I will get back to you.

2) Accounting not working

I'm still not sure on this, since I haven't quite got around to full testing - my NAS doesn't have an option to set the port for accounting so I assumed (perhaps incorrectly) that it uses authport+1 as FreeRADIUS does. However with many tests on port 1812 I didn't seem to get any accounting, I haven't figured out yet if the packets that came from the NAS were on the right port (I am still working on this) but to help me speed things up right now I'd appreciate if anyone has a script handy that can generate accounting packets for me.

Regards,
--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radrelay help
On Tue, Oct 22, 2002 at 04:16:27PM -0500, Roger wrote:
> Thanks for the suggestion Alan. Besides upgrading to newest version,
> did you (or anyone else) notice that I was in fact calling radrelay correctly?

Depending on your setup, yes. Though it might be easier to just use the -n flag. But do what Alan said and upgrade, segfaults have been fixed in radrelay not too long ago, your problem will most likely go away.

--
Simon
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radrelay crashes when I try to run it
On Mon, Sep 30, 2002 at 12:30:13PM -0400, Alan DeKok wrote:
> Kevin Bonner <[EMAIL PROTECTED]> wrote:
> > I had a problem with radrelay where it segfaulted when it reached an
> > attribute of the type 'Attr-X', where X is an integer. I could have
> > played with the dictionary file(s) to figure out what attribute it
> > was, but the information contained was not important to me.
> > Creating a patch where it skips all attributes beginning with
> > 'Attr-' fixed the problem. I can post the patch if interested.
>
> I would rather figure out WHY it crashes on those attributes, and
> then fix the underlying problem, so that the attributes can be relayed
> properly.

Blah, radrelay was in fact segfaulting on any A/V pair that valuepair.c:userparse was having trouble with due to a stupid bug on my part. Tiny patch included below to fix this.

Now radrelay will silently ignore any cruft that may have ended up in the detail file for some reason, which is good. The bad part is that attributes which don't have a dictionary entry when they're added to the detail file (eg. Attr-X = "stuff" mentioned above) will also be ignored since userparse doesn't seem to like those. Is there any easy way included in lib/* to deal with those? If not I'll put something together in radrelay to deal with it.

Either way, apply the patch below as a first step please, it will stop the segfaulting. Patch against current cvs version.

--
Simon

diff -urN --exclude=CVS radiusd.orig/src/main/radrelay.c radiusd/src/main/radrelay.c --- radiusd.orig/src/main/radrelay.c2002-08-26 20:48:37.0 +0200 +++ radiusd/src/main/radrelay.c 2002-10-01 22:26:43.0 +0200 
@@ -256,13 +256,7 @@ } if (!skip) { vp = NULL; - /* -* FIXME: We should check that the attribute -* we've read atleast remotely ressembles -* a correct attribute, otherwise we run the -* risk of segfaulting in userparse(). -*/ - if (userparse(buf, &vp) >= 0 && + if (userparse(buf, &vp) > 0 && (vp->attribute < 256 || vp->attribute > 65535) && vp->attribute != PW_VENDOR_SPECIFIC) { - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
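Review bot: in the changed condition, `vp->attribute` is still read immediately after `userparse(buf, &vp) > 0`, so the fix depends on userparse() never returning a positive value while leaving `vp` NULL; an explicit `vp != NULL &&` ahead of the attribute tests would make the dereference safe whatever userparse()'s return convention is. The hunk also deletes the FIXME without putting anything in its place: a one-line comment saying why a return of 0 now means "skip this line" would help the next reader, and since the accompanying message says unparseable lines (including `Attr-X` ones) are now dropped silently, a debug-level log of each skipped line would keep lost accounting attributes visible.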
Re: radrelay crashes when I try to run it
On Wed, Aug 28, 2002 at 11:26:07AM -0400, Mark Hennessy wrote: > I get a segmentation fault each time I try to restart radrelay. I was > able to get it to run initially, but after it died, I would not be able to > restart it. That sounds like it might be hitting some odd accounting record that it's having problems handling. Is there a .work laying around in the same directory as the detailfile you're running radrelay on? If there is could you try removing the .work and re-running radrelay to see if it crashes? If it does work I'd appreciate a copy of the .work to figure out what in it is making radrelay die. -- Simon - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radrelay crashes when I try to run it
On Wed, Aug 28, 2002 at 11:53:53AM -0400, Mark Hennessy wrote:
> OK, now when I try to run radrelay with too few parameters, it doesn't
> dump core, but it does dump core if I try to run it as a foreground
> process with debugging enabled. I can't figure out why it's crashing.
> Also, I can't seem to find the core file.

Exactly what arguments are you using to start radrelay? Is it dying as soon as you start it or does it run for a while? What platform? And, like Alan said, a backtrace would help.

--
Simon
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radrelay is showing segmentation fault [patch]
On Tue, Aug 13, 2002 at 11:49:56AM -0400, Alan DeKok wrote: > Simon <[EMAIL PROTECTED]> wrote: > > + if (!argv[1]) > > + usage(); > > + if (!strlen(argv[1])) > > + usage(); > > That's *very* bad, as it accesses memory which may not exist. It > would be better to check 'argc' against 'optind', which doesn't access > non-existent elements of arrays. Blah, yeah, sorry, you're obviously correct. It's too hot here to think right now. -- Simon - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radrelay is showing segmentation fault [patch]
On Mon, Aug 12, 2002 at 03:19:24PM +0530, Atanu Das wrote:
> Hello FreeRadius Users,
>
> radrelay program is showing segmentation fault. I followed the procedure as
> mentioned in the document of "radrelay" program.
>
> radrelay -n test
>
> Segmentation Fault

Actually, you didn't follow the procedure described in the radrelay documentation, you didn't supply a detailfile name. You should have done something like:

./radrelay -n test detail-combined

The segmentation fault otoh is a stupid bug by me. Patch included against current cvs, some very minor documentation updates are included too. Be good if this could be applied.

--
Simon

diff -urN --exclude=CVS radiusd.orig/man/man8/radrelay.8 radiusd/man/man8/radrelay.8 --- radiusd.orig/man/man8/radrelay.8Wed Jul 10 10:09:12 2002 +++ radiusd/man/man8/radrelay.8 Tue Aug 13 15:54:17 2002 @@ -13,7 +13,7 @@ .RB [ \-n .IR shortname ] .RB [ \-r -.IR remote-server ] +.IR remote-server[:port] ] .RB [ \-s .IR secret ] .RB [ \-S @@ -49,8 +49,11 @@ this way. Do not use the -r, -s or -S parameters in combination with -n. .IP "\-r \fIremote-server\fP" -The remote server that will be recieving the accounting packets. -The -r parameter can't be used in combination with -n. +The hostname or IP address of the remote server. Optionally a UDP port +can be specified. If no UDP port is specified, it is looked up in +\fI/etc/services\fP. The service name looked for is \fBradacct\fP for +accounting packets. If a service is not found in \fI/etc/services\fP, +1813 is used. The -r parameter can't be used in combination with -n. .IP "\-s \fIsecret\fP" Remote server secret. 
@@ -62,13 +65,6 @@ .IP \-x Enable debug mode, -x will activate radrelay internal debugging, -xx will also activate librad debugging. - -.IP "server[:port]" -The hostname or IP address of the remote server. Optionally a UDP port -can be specified. If no UDP port is specified, it is looked up in -\fI/etc/services\fP. The service name looked for is \fBradacct\fP for -accounting packets. If a service is not found in \fI/etc/services\fP, -1813 is used. .IP "detailfile" The detail file to use, this will be appended to the base accounting diff -urN --exclude=CVS radiusd.orig/src/main/radrelay.c radiusd/src/main/radrelay.c --- radiusd.orig/src/main/radrelay.cWed Jul 10 10:09:14 2002 +++ radiusd/src/main/radrelay.c Tue Aug 13 15:50:19 2002 @@ -800,6 +800,10 @@ usage(); if (r_args.secret != NULL && shortname != NULL) usage(); + if (!argv[1]) + usage(); + if (!strlen(argv[1])) + usage(); /* * If we've been given a shortname, try to fetch the secret and - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
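Review bot: in the second radrelay.8 hunk (`@@ -49,8 +49,11 @@`), the option heading `.IP "\-r \fIremote-server\fP"` is left unchanged while the synopsis now reads `remote-server[:port]` and the new body text describes the optional port; the heading should show `[:port]` as well so the three places agree. The replacement text also drops the statement that this is the server receiving the accounting packets, which is worth keeping as its first sentence.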
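Review bot: in the radrelay.c hunk (`@@ -800,6 +800,10 @@`), `if (!argv[1])` and `if (!strlen(argv[1]))` test a fixed index instead of the first non-option argument. Unless argv has been advanced past the parsed options before this point (not visible in the hunk), `argv[1]` in the reported `radrelay -n test` invocation is `-n`, so neither check fires and the missing detailfile is still not caught. Comparing `argc` against `optind`, as Alan DeKok's reply on the list suggests, tests the right thing without indexing argv at all, and lets the two checks collapse into one.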
Re: User file entry with realms
> Simon Allard <[EMAIL PROTECTED]> wrote:
> > This is what I want to do. For example a user has a static IP, but this
> > time the user doesn't want to have the static IP. So we get him to dial up
> > with a realm eg [EMAIL PROTECTED] We want this to hit the default
> > profile instead of the allard entry. If the user logs in with just allard
> > we want it to hit the allard entry.
>
> So set up a LOCAL realm, of ihug.co.nz. Then, have different
> profiles for people with that realm.
>
> DEFAULT Realm == "ihug.co.nz", ...
>     static IP...
>     NO fall-through
>
> DEFAULT
>

Unfortunately it's a little more complex than that. (I should have noted this the first time, Sorry). A user can use _any_ realm to bypass the profile. eg they could use ihug.co.nz or freefradius.org if they chose.

Unfortunately I am stuck using a legacy hack in the old radius system. So it has to look along the lines of this, but by playing around it doesn't seem to do what I want it to do.

DEFAULT Realm == "NULL", ...
    static IP...
    NO fall-through

DEFAULT

Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067 Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
User file entry with realms
I am having a bit of an issue with user files and realms.

This is what I want to do. For example a user has a static IP, but this time the user doesn't want to have the static IP. So we get him to dial up with a realm eg [EMAIL PROTECTED] We want this to hit the default profile instead of the allard entry. If the user logs in with just allard we want it to hit the allard entry.

This is what I have got currently which doesn't do the job. I have tried replacing Suffix with Realm and tried it with Suffix == NULL.

allard  Auth-Type := LDAP, NAS-Port-Type == Async, Suffix == "NULL"
        Framed-Protocol = PPP,
        Service-Type = Framed,
        Reply-Message = "Welcome NON-Realmed User",
        Idle-Timeout = 1800

DEFAULT Auth-Type := LDAP, NAS-Port-Type == Async
        Framed-Protocol = PPP,
        Service-Type = Framed-User,
        Reply-Message = "Welcome Realmed User",
        Idle-Timeout = 1800

Can anyone suggest some ideas?

Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067 Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Ascend dictionary file correction
On Fri, Jul 12, 2002 at 03:59:07PM -0400, Alan DeKok wrote: > "Johnsen, Lasse" <[EMAIL PROTECTED]> wrote: > > According to this file: > > https://support.lucent.com/cgi-bin/gx.cgi/GUIDGX-{6949ce8f-d22f-11d2-a303-00 > > c04f72f8ac}/Live/Product/terminator/General/Documentation/dslradius-710.pdf > > > > I believe something like the following patch should be applied to the > > dictionary.ascend file > > For one, that PDF is only available to people who paid Ascend for > support. You can get to it by using the "general login" thing (no login/password needed), then clicking around like a madman. > The other Ascend documentation I can find shows to me that the > current attributes are correct. No opinion here. -- Simon - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem getting Cisco AS5300 to Auth with free fradius
5 idb type=10 tty=5 > Jun 28 16:59:49.117 NZST: AAA: name=tty5 flags=0x11 type=4 shelf=0 slot=0 > adapter=0 port=5 channel=0 > Jun 28 16:59:49.117 NZST: AAA: parse name=E1 0:22 idb type=-1 tty=-1 > Jun 28 16:59:49.117 NZST: AAA: name=E1 0:22 flags=0x51 type=9 shelf=0 > slot=0 adapter=0 port=0 channel=22 > Jun 28 16:59:49.117 NZST: AAA/MEMORY: create_user (0x621E72CC) user='' > ruser='' port='tty5' rem_addr='async/3038080' authen_type=ASCII > service=LOGIN priv=1 > Jun 28 16:59:49.117 NZST: AAA/AUTHEN/START (427012612): port='tty5' > list='' action=LOGIN service=LOGIN > Jun 28 16:59:49.117 NZST: AAA/AUTHEN/START (427012612): using "default" > list > Jun 28 16:59:49.117 NZST: AAA/AUTHEN/START (427012612): Method=radius > (radius) > Jun 28 16:59:49.117 NZST: AAA/AUTHEN (427012612): status = GETUSER > Jun 28 17:00:20.049 NZST: AAA/AUTHEN/ABORT: (427012612) because Login > timed out. > > > Can anyone see anything obvious? > > Regards > Simon Allard > > Simon Allard (Senior Tool Monkey) > IHUG > Ph (09) 358-5067 Email: [EMAIL PROTECTED] > > I'm out of my mind right now, but feel free to leave a message. > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > Simon Allard (Senior Tool Monkey) IHUG Ph (09) 358-5067 Email: [EMAIL PROTECTED] I'm out of my mind right now, but feel free to leave a message. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem getting Cisco AS5300 to Auth with free fradius
I have a small problem with getting a Cisco AS5300 to Auth using free fradius. The same config file on the Cisco works fine with Merit Basic radius.

The user dials up, enters the login and password and it just hangs there. As shown below

Welcome to simon.test login:allard
Password:
% Backup authentication
Welcome to simon.test login:
% Welcome to simon.test login: timeout expired!
% Error in authentication.
Welcome to simon.test login:
% Welcome to simon.test login: timeout expired!
% Error in authentication.
NO CARRIER

The radius server is definitely receiving the packet and sending an Accept packet back. It just seems like the AS5300 is ignoring the packet.

Free radius debug below. (IPs and Password have been changed)

rlm_ldap: - authenticate
rlm_ldap: login attempt by "allard" with password "PASSWORD"
rlm_ldap: user DN: loginName=allard, ou=auth, dc=ihug, dc=co, dc=nz
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as loginName=allard, ou=auth, dc=ihug, dc=co, dc=nz/PASSWORD
rlm_ldap: waiting for bind result ...
rlm_ldap: user allard authenticated succesfully
modcall[authenticate]: module "ldap-local" returns ok
modcall: group authtype returns ok
radius_xlat: ''
radius_xlat: 'Welcome to the Internet Group'
radius_xlat: 'Welcome to the Internet Group'
radius_xlat: ''
Login OK: [allard] (from client ihugcisco-test port 5)
Sending Access-Accept of id 6 to 192.168.0.1:1645
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Reply-Message = ""
        Reply-Message = "Welcome to the Internet Group"
        Reply-Message = "Welcome to the Internet Group"
        Reply-Message = ""
        Idle-Timeout = 1800
Finished request 11

There are no errors in the radius.log file.

Relevant parts of the cisco config are below. The below config file works fine with Merit Radius.

aaa new-model
aaa session-mib disconnect
aaa authentication username-prompt "Welcome to simon.test login:"
aaa authentication login default group radius
aaa authentication login CONSOLE none
aaa authentication login ADMIN group tacacs+ enable
aaa authentication login console none
aaa authentication ppp default if-needed group radius
aaa authorization exec ADMIN group tacacs+ if-authenticated
aaa authorization exec console none
aaa authorization network default group radius if-authenticated
aaa accounting delay-start
aaa accounting exec ADMIN wait-start group tacacs+
aaa accounting commands 1 ADMIN stop-only group tacacs+
aaa accounting commands 15 ADMIN stop-only group tacacs+
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
radius-server host 192.168.0.2 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server timeout 20
radius-server key PASSWORD
radius-server vsa send accounting
radius-server vsa send authentication

Cisco Debug

Jun 28 16:59:47.117 NZST: AAA/AUTHEN (3656183572): status = ERROR
Jun 28 16:59:47.117 NZST: AAA/AUTHEN/START (2834581603): port='tty5' list='' action=LOGIN service=LOGIN
Jun 28 16:59:47.117 NZST: AAA/AUTHEN/START (2834581603): Restart
Jun 28 16:59:47.117 NZST: AAA/AUTHEN/START (2834581603): no methods left to try
Jun 28 16:59:47.117 NZST: AAA/AUTHEN (2834581603): status = ERROR
Jun 28 16:59:47.117 NZST: AAA/AUTHEN/START (2834581603): failed to authenticate
Jun 28 16:59:49.117 NZST: AAA/MEMORY: free_user (0x6223F5F4) user='allard' ruser='' port='tty5' rem_addr='async/3038080' authen_type=ASCII service=LOGIN priv=1
Jun 28 16:59:49.117 NZST: AAA: parse name=tty5 idb type=10 tty=5
Jun 28 16:59:49.117 NZST: AAA: name=tty5 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=5 channel=0
Jun 28 16:59:49.117 NZST: AAA: parse name=E1 0:22 idb type=-1 tty=-1
Jun 28 16:59:49.117 NZST: AAA: name=E1 0:22 flags=0x51 type=9 shelf=0 slot=0 adapter=0 port=0 channel=22
Jun 28 16:59:49.117 NZST: AAA/MEMORY: create_user (0x621E72CC) user='' ruser='' port='tty5' rem_addr='async/3038080' authen_type=ASCII service=LOGIN priv=1
Jun 28 16:59:49.117 NZST: AAA/AUTHEN/START (427012612): port='tty5' list='' action=LOGIN service=LOGIN
Jun 28 16:59:49.117 NZST: AAA/AUTHEN/START (427012612): using "default" list
Jun 28 16:59:49.117 NZST: AAA/AUTHEN/START (427012612): Method=radius (radius)
Jun 28 16:59:49.117 NZST: AAA/AUTHEN (427012612): status = GETUSER
Jun 28 17:00:20.049 NZST: AAA/AUTHEN/ABORT: (427012612) because Login timed out.

Can anyone see anything obvious?

Regards
Simon Allard

Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067 Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
test
Testing, sorry. -- Simon - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: latest rlm_sql need patch
On Mon, Jun 10, 2002 at 11:08:43AM +0400, rust wrote:
> Hello freeradius-users,
>
> Sorry for bad english
>
> After installing fr20020604 my users with chars '_' in their names got
> error on login.
>
> Looking rlm_sql.c - found new function
>
> static int sql_escape_func(char *out, int outlen, const char *in)
>
> if ((in[0] < 32) ||
>     strchr("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-", *in) == NULL)
>
> In strchr must be added printable symbols '_','/',' ' etc , because
> it function change for example login name 'mr_bin' to 'mr=5Fbin'
> connect string '33600/ARQ/V34/LAPM/V42BIS' to '33600=2FARQ=2FV34=2FLAPM=2FV42BIS'

'_' ':' and ' ' are already added in current cvs, so updating should help.

--
Simon
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
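A Python model of the allow-list escaping discussed in this thread, added here as an example and not taken from rlm_sql.c: it reproduces the two transformations quoted in the post and shows how to find stored values that a given allow-list would alter. The `=XX` output format is inferred from the post's examples, and `SAFE_CVS`, `sql_unescape` and `changed_by_escape` are hypothetical names.

```python
# Allow-list quoted in the post; '_', ':' and ' ' are the additions the reply
# says are in current CVS.
SAFE_OLD = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-"
SAFE_CVS = SAFE_OLD + "_: "

def sql_escape(text, safe=SAFE_OLD):
    """Bytes outside the allow-list, and all control bytes, become =XX
    (two upper-case hex digits). Format assumed from the post's examples."""
    out = []
    for byte in text.encode("utf-8"):
        if byte < 32 or chr(byte) not in safe:
            out.append("=%02X" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)

def sql_unescape(text):
    """Reverse sql_escape. '=' is never in the allow-list, so every '=' in
    escaped text starts an =XX sequence and decoding is unambiguous."""
    raw = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "=":
            raw.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(text[i]))
            i += 1
    return raw.decode("utf-8")

def changed_by_escape(values, safe=SAFE_OLD):
    """Return the values the escape would alter, for example user names to
    review before moving to a build with a different allow-list."""
    return [v for v in values if sql_escape(v, safe) != v]

if __name__ == "__main__":
    # Constructed sample of stored user names and connect strings.
    sample = ["alice", "mr_bin", "bob.smith", "33600/ARQ/V34/LAPM/V42BIS"]
    for safe, label in ((SAFE_OLD, "fr20020604 list"), (SAFE_CVS, "CVS list")):
        print(label, "->", changed_by_escape(sample, safe))
```

Quote characters are outside both lists, so a value such as `o'brien` reaches the query as `o=27brien`; the allow-list can be widened for harmless characters like `_` without touching that property.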