0.9.3 install question

[Vincent_Giovannone]

I was still running FR 0.8, and because of yesterday's events, decided to 
go up to 0.93.  I did the ./configure, make, make install dance.  FR 
bombed when I tried to run radius, so I put it in debug mode, and saw 
messages about problems with the dictionary.

Perused the INSTALL file, and saw this note:

  Note that in this release, the location of the dictionary files has
changed, to /usr/local/share/freeradius/dictionary.  Please ensure
that /etc/raddb/dictionary is THE SAME as ./raddb/dictionary.  If not,
you will have to copy it over by hand;

$ cp ./raddb/dictionary /etc/raddb/dictionary

But that note seems to contradict itself.  It _seems_ as though it should 
say please ensure that $prefix/etc/raddb/dictionary is the same as 
/usr/local/share/freeradius/dictionary.

So what is the correct process?  What I wound up doing was copying 
$prefix/share/freeradius/dictionary into $prefix/etc/raddb/dictionary . 
That got me further along the line, but I still had dictionary errors.  I 
eventually copied $prefix/share/freeradius/dictionary* into 
$prefix/etc/raddb/ , overwriting everything that existed previously.

THAT worked, but I'm wondering if this is the intended procedure, or if I 
just butchered things badly.

Secondly, the INSTALL doc continues on to say that I should delete every 
dictionary file in $prefix/etc/raddb ; is this still correct?  (wouldn't 
that just get me back to the starting point?)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center

When I was four I wanted an Action Man armoured personnel carrier. I 
didn't have any genuine Action Men - my parents couldn't afford them; 
instead of a professional army I had a ragtag band of Korean and Chinese 
irregulars whose political commitment, I hoped, made up for their having 
no knee or elbow joints. 
-- Mil Millington


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 0.9.3 install question

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 11/21/2003 01:04:25 PM:

 [EMAIL PROTECTED] wrote:
  $ cp ./raddb/dictionary /etc/raddb/dictionary
 
  But that note seems to contradict itself.  It _seems_ as though it 
should 
  say please ensure that $prefix/etc/raddb/dictionary is the same as 
  /usr/local/share/freeradius/dictionary.
 
   No.  It says to copy 'raddb/dictionary' from the distribution to
 $prefix/etc/raddb/dictionary.

Ah!

  Secondly, the INSTALL doc continues on to say that I should delete 
every 
  dictionary file in $prefix/etc/raddb ; is this still correct? 
(wouldn't 
  that just get me back to the starting point?)
 
   It's correct.  See above.
 
   You delete the OLD dictionaries, and install the NEW one.  The 30-40
 others go into blah/share/freeradius/

Gotcha; makes sense now.  (And luckily, easy enough to undo.)  Works as it 
should now; thanks!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 0.9.3 has been released

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 11/20/2003 02:51:13 PM:

   Bug reports are nice.  Lack of notification is stupid.
 
   With that said, 0.9.3 has been released.  It's in the normal places:
 
 ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
 
   With PGP signature at:
 
 ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
 
   It is just 0.9.2 with a bug fixed, and the version number updated.
 
 
   The original reporter threatened to release an exploit when I told
 him I was unhappy with his lack of notification prior to the public
 release of the vulnerability information.  Blackmail is stupid.
 
   As it turns out, however, the problem isn't as bad as it could have
 been.  The bug he reported can cause the server to crash, but is
 difficult to exploit.  Any attack code MUST be in the form of a valid
 RADIUS packet, which significantly limits the possible exploits.
 
   However, there was another bug which the reporter did NOT discover,
 which causes the server to de-reference a NULL pointer, and thus
 crash, whenever an Access-Request packet containing a Tunnel-Password
 attribute is received.
 
   Both bugs have been fixed in 0.9.3, and in the CVS head.
 
   We recommend that everyone upgrade to 0.9.3 as soon as possible.

Do either of these bugs affect (within the best of your ability to guess, 
of course!) versions of FR prior to 0.9 ?  (All other good reasons to 
upgrade to 0.9 notwithstanding...)

Just trying to gauge if I should put this on the do soon pile, or the 
do right now pile.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center
(312) 942-4242

When I was four I wanted an Action Man armoured personnel carrier. I 
didn't have any genuine Action Men - my parents couldn't afford them; 
instead of a professional army I had a ragtag band of Korean and Chinese 
irregulars whose political commitment, I hoped, made up for their having 
no knee or elbow joints. 
-- Mil Millington


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius and Cisco C2950G (http server problem)

[Vincent_Giovannone]

Just goes to show that paid support isn't all that it's cracked up to be.

I opened a Cisco TAC case on this kind of issue over a year ago, and had 
Cisco TAC swear up and DOWN it wasn't possible to authenticate to the http 
server w/o using TACACS. 

I didn't believe them at the time,but I didn't really give a flying flip 
(I was just messing around and don't use http configuration interfaces if 
I can avoid them), and had wasted enough time so I let the issue drop. 
Good to know I was right in suspecting the TAC guy was full of s**t.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington





Ville Leinonen [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
09/26/2003 12:18 AM
Please respond to
[EMAIL PROTECTED]


To
[EMAIL PROTECTED]
cc

Subject
Freeradius and Cisco C2950G (http server problem)






Hi!

I have a little problem with my Cisco switch. I can log in with telnet and
freeradius says ok you can log in.
But when i try to log in via http freeradius says ok, but cisco would not
let me in. I have configure ip http authentication aaa.
Here is freeradius log when i try to get in vie http.

rad_recv: Access-Request packet from host xx.xx.xx.xx:1812, id=117,
length=81
NAS-IP-Address = xx.xx.xx.xx
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = zz
Calling-Station-Id = xx.xx.xx.xx
User-Password = 
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
rlm_eap: EAP-Message not found
  modcall[authorize]: module eap returns noop
rlm_realm: No '@' in User-Name = , looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 154
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
radius_xlat:  ''
rlm_sql (sql): sql_set_user escaped user -- ''
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [/] (from client radtest port 2 cli xx.xx.xx.xx)
Sending Access-Accept of id 117 to xx.xx.xx.xx:1812
Service-Type := NAS-Prompt-User
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 117 with timestamp 3f73cb8e
Nothing to do.  Sleeping until we see a request.


Any suggestion what i do wrong?

Best regards,

Ville Leinonen




- 
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + Mysql

[Vincent_Giovannone]

1, you're sending formatted text to a mailing list.  I know you think that 
blue color is pretty, but _don't_ do that.
2, you haven't run the server in debug mode to see what it's trying to do 
(...or not do)
3, you haven't provided any snippet of a configuration.  It doesn't work 
is a pretty broad problem statement.  Cut and paste the definition for ONE 
user (or the default if that's all you're using).

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington





L U C A S [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
09/09/2003 03:43 PM
Please respond to
[EMAIL PROTECTED]


To
[EMAIL PROTECTED]
cc

Subject
Freeradius + Mysql






I'm using Freeradius and have some problems that don't let me sleep..:-) 
 

I want to authentificate our users not only by username and passwort, I 
need 
to check also NAS-IP-Address or Called-Station-ID. 
This I need to manage different NAS with one Radius, the users only have 
to get access to one NAS. 
 

But this does not seem to work. Why? 
 

The User can everytime login into the NAS, with the correct Checkitem or 
without them.. The Radius seem to ignore the aditional Checkitems and it 
makes not sense if they are in the radchecktable or in the 
radgroupchecktable. Only Username and Password are checked. 
 

Wath I'm doing wrong?? Any Idea? 
 

Please help me! 
Lucas Nascimento
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: ALERT - GroupShield ticket number OA6738_1062684607_PVDEX01_3 wa s generated

[Vincent_Giovannone]

Would someone please add GroupShield for Exchange into the spam filter? 
This is getting a little annoying.  (assanine.com.   :) )

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington





GroupShield for Exchange (PVDEX01) [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
09/04/2003 09:10 AM
Please respond to
[EMAIL PROTECTED]


To
'[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc

Subject
ALERT -  GroupShield ticket number OA6738_1062684607_PVDEX01_3 wa   s 
generated






Action Taken:
The attachment was quarantined from the message and replaced with a text
file informing the recipient of the action taken.

To:
[EMAIL PROTECTED] [EMAIL PROTECTED]

From:
[EMAIL PROTECTED] [EMAIL PROTECTED]

Sent:
-1530368000,29586124

Subject:
Thank you!

Attachment Details:-

Attachment Name: your_document.pif
File: your_document.pif
Infected? No
Repaired? No
Blocked? Yes
Deleted? No
Virus Name: 



 



attavr6z.dat
Description: Binary data

Re: Inflex scan report [0827085833389]

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 08/27/2003 05:34:18 AM:

 whilst its nice to see what virus checkers certain companies use, could
 virus-ridden/infected Windows users on this list PLEASE sort out 
 your machines.

Want to ask for tomorrow's winning lottery numbers while you're at it?  :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Cisco VSAs, like 'cisco-avpair'

[Vincent_Giovannone]

It's in the documentation, 'cuz I figured out how to do it.  Anyway, 
here's an example from my users file:

crapuser   Auth-Type := Local, Password == this_password_sucks
Reply-Message = Hello, your password sucks, by the way.,
cisco-avpair = shell:priv-lvl=1,
service-type = login-user

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius vrs Cisco RADIUS

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 08/19/2003 04:21:20 AM:

  If you need paid support (It's busted and I need it fixed RIGHT 
NOW!!), 
  then you're obviously SOL running freeradius.  (Don't misinterpret 
this; 
  the FR team does a bang up job.  BUT they're NOT obligated to do 
  _anything_ if something in FR doesn't quite work right.)
 
   Can I put that paragraph in the FAQ?

Feel free.  :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Cisco 1200 - radius authetication?

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 08/08/2003 07:07:11 PM:

 First, I apologize for my naiveness. I thought I could get this
 working fairly easily, but that was three days ago; I'm becoming a
 little desperate now.
 
 If someone could point me to either a How To or FAQ on configuring the
 Cisco Aironet 1200 to authenticate with the FreeRaduis software I
 would be greatly indebted to you.
 
 Actually the easy part was configuring FreeRaduis software and using
 radtest locally and from another UNIX host to see whether the
 configuration files were correct. That doesn't seem to be the problem.
 
 The problem I have is the simple window configurations for the Cisco
 Aironet 1200. Even though I've explicitly put the IP in the
 Authenticator Configuration field, typed my shared secret and tried
 EAP configuration (and other for the pure fun of it), I never
 connected/authenticated to the radius server. My radiusd mode (radiusd
 -s -X) is always just in the Ready to process requests.
 
 Sorry again for such ignorance. All I want to see is an attempted
 connection and then I can figure out the EAP/LEAP stuff later.

Need a little bit more info; which version of the 1200 are you using, the 
VxWorst (1220) version, or the IOS (1230) version?

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Cisco ACLs, blocking W32.Blaster.Worm

[Vincent_Giovannone]

Not sure how you'd send this via radius attributes (never tried to do 
that), but if you want to protect your users from getting infected, apply 
this list outbound to their interface.  If you want to prevent them from 
infecting others (along with doing any MS mapping of drives, or tftp'ing, 
etc.) then apply it inbound to that same interface.  (No, I haven't 
flipped inbound and outbound; Cisco ACLs are from the POV of the access 
device.)

access-list 199 deny   udp any any eq tftp log
access-list 199 deny   tcp any any eq 135 log
access-list 199 deny   udp any any eq 135 log
access-list 199 deny   tcp any any eq 139 log
access-list 199 deny   udp any any eq netbios-ss log
access-list 199 deny   tcp any any eq 445 log
access-list 199 deny   udp any any eq 445 log
access-list 199 deny   tcp any any eq  log
access-list 199 deny   udp any any eq  log

(obviously, I'm using access list 199 here)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington





Robert Tarrall [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
08/12/2003 12:18 PM
Please respond to
[EMAIL PROTECTED]


To
[EMAIL PROTECTED]
cc

Subject
Cisco ACLs, blocking W32.Blaster.Worm







Hi all - haven't seen anyone mention this in the archives for the last
day or so; I hope I'm not rehashing something that's already been 
discussed.

Our dialup users who have not yet patched their systems with the recent
MS security update are now finding that their machines get shut down
whenever they connect to the Internet; this makes it somewhat difficult
for them to d/l the latest security patch.

Fix I've applied locally has been to add the following to our users file:

   DEFAULT Service-Type == Framed-User
Cisco-AVpair += ip:inacl#5=deny tcp any any eq ,
Cisco-AVPair += ip:inacl#10=deny tcp any any eq 135,
Cisco-AVPair += ip:inacl#15=deny udp any any eq 69,
Cisco-AVPair += ip:inacl#98=permit icmp any any,
Cisco-AVPair += ip:inacl#99=permit ip any any,
Fall-Through = Yes

This probably denies more than is necessary, and I don't have any
confirmation yet that it works.  If someone more clueful than I in the
ways of Cisco ACLs and/or this particular worm can help refine this a
bit I'd appreciate it... just whacked it together in an hour based on
stuff found on the net so it may be completely wrong.

And if not, maybe the above is a useful starting point for other folks
in the same boat as us.

   -Robert Tarrall.-
   Unix System/Network Admin
   E.Central/Neighborhood Link

- 
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radius?????what device and OS compatible with them???

[Vincent_Giovannone]

I've used a toaster with radius.  (a VSA determines how brown, cow now...
:) )  Other items I've seen using radius are a waffle iron, high quality
golf clubs, an electric train set, a disposable shaver, a gumball machine,
a satellite television receiver, a box of facial tissues and a foam dome.

(Foam dome:  one of those hats that holds two cans of beer on your head
with two straws.)

Oh yes, most of these devices were using HomeOS'03 version 1.0 beta.
(Basically, rebranded windows 3.0.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if
told that it was due to his fully loaded sleigh crashing in the back
garden.
-- Mil Millington




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: new users recognized without restarting radiusd

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 07/28/2003 07:55:54 AM:

 Is there any way a user file can be edited and new users can be 
 accepted as valid logins without having to restart radiusd?

Nope.  To do that, you need to use an authentication mechanism that 
doesn't use the users file, such as LDAP or SQL.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Cisco AP350 series - Freeradius authentication warning.

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 07/14/2003 10:02:37 AM:

 I have a linux server with Freeradius. The access point (AP) is a Cisco
 AP350 Series.
 
 I configured all the files, and seems to be working using radtest.
 
 When I use my laptop to try to reach the network, the AP drops a warning
 message like:
 
 (Warning): No MAC-Authentication response for Station 00022d0bea39 from
 server 10.4.132.24
 
 Both the server and the AP are in the same network, and the ping
 response from the server to the AP is ok. But when I run the radius
 server with full debug options (-xxyz -l stdout) it does not show any
 message related to the request from the AP. Is that normal? Should not 
the
 server show at least the request from the AP, even if I have an error on
 the configuration files?

Check to make sure you've specified a radius port # on the AP.  Cisco 
defaults to 1645, while FR defaults to 1812.

(yes, you should see FR say _something_ in debug mode.  Since it isn't, 
you can conclude that FR isn't even seeing the packet.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: UNKNOWN NAS

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 07/14/2003 12:04:30 PM:

 Hi, I have a problem using Freeradius 0.5. The Radius server is 
 working ok, but when the authentication occurs in the radius log 
 file I see UNKNOWN NAS. The login occurs OK   Ex: Auth: Login OK: 
 [login/password] (from nas UNKNOWN-NAS port 9)
 
 Is there a kind of parameter  that solve this problem ? 

http://www.mail-archive.com/[EMAIL PROTECTED]/msg04201.html

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington 
â²~®Þþé®ÞIÚÿ0~·ž­§bºÊ+ƒùb²ßî±êì†

Re: Cisco AP350 series - Freeradius authentication warning.

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 07/14/2003 01:04:37 PM:

 I think the problem is the AP configuration too, but since it is on
 service right now, and it is set for MAC address authentication, it is
 suppossed to send the request to the FR when the MAC is not found in its
 database.

Casually perusing the 350 docs, it appears as though what you're trying to 
do _should_ be possible with the 350.

Then again, the 350's run that awful VxWorst operating system, so who 
knows.  ;)
 
 Do you think that maybe that setting (I mean forward requests to the FR)
 should work right? Can the authentication be shared between the AP and 
th
 FR? or is it an exclusive job for just one, the FR or the AP? So should 
I
 try to disable the MAC authentication at the AP just to see if that 
works?

I'd try that, but that basically means you're taking the AP out of service 
for a while.  (You're kind of stuck between a rock and a hard place here.)

Why can't you just take all the MAC addresses that are on the access 
points, put them in FR, and then have the AP _only_ check FR?  Wouldn't 
that eliminate an unnecessary layer of uncertainty?

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RES: UNKNOWN NAS

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 07/14/2003 03:21:46 PM:

 Hi Vincent if I understood the problem continues ... If I'm mistaken
 please tell me what did you do.
 Did you do the upgrade ?

It was a bug in the release version of 0.5.  A CVS snapshot fixed it, but 
if you want to go the least distance from 0.4, then I'd go to 0.6.  (Not 
debating _why_ you'd want to do that, though.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

A four-year-old will very quickly get over news of the death of Santa if 
told that it was due to his fully loaded sleigh crashing in the back 
garden. 
-- Mil Millington


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

buggy NAS list?

[Vincent_Giovannone]

Is anyone keeping track of buggy NASes, possibly for a known issues 
list?

If not, here's one for the archives in case anyone else bumps into it...



Device:  Cisco 3550 switch
OS:  IOS  12.1(11)EA1
Problem:  Switch was reconfigured to a different IP address, then reports 
original IP address as its NAS-IP-Address.
Solution:  Reboot switch


freeradius in debug mode showed the following:

rad_recv: Access-Request packet from host 172.18.8.13:1812, id=44, 
length=79
NAS-IP-Address = 172.18.8.11
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = (doesn't matter)
Calling-Station-Id = (doesn't matter)
(password line deleted)



Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Dereferencing the .NET pointer reveals its value to be NULL. 
-- TheRegister.co.uk


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

I have to be missing something REALLY simple...

[Vincent_Giovannone]

I have two production freeradius 0.8.1 boxes running under redhat 7. We've 
decided to upgrade the freeradius servers to new hardware and redhat 8. 

I downloaded fr 0.8.1 to the new machines, did a ./configure 
--with-snmp=no --with-threads=yes --prefix=(some directory on the 
machine), then a make, then a make install.  (all as root)

Then I copied over my existing config files (clients.conf, and users... 
pretty simple config, eh??) to the new machine, and started up radiusd. It 
runs and authenticates, but for some reason on the new machine it will 
only launch _one_ thread when run as a daemon.

I HAVE to be missing something simple here, but for the life of me I can't 
figure out what it is.  Configure doesn't complain about any missing 
thread libraries, and running with full debug ( -X ), I don't see anything 
enlightening.

Any ideas?  I'm stumped, but it sure feels like I missed something simple!

Thanks!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Dereferencing the .NET pointer reveals its value to be NULL. 
-- TheRegister.co.uk


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: I have to be missing something REALLY simple...(correction)

[Vincent_Giovannone]

Correction -- we're moving to RedHat 9, not RedHat 8.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Dereferencing the .NET pointer reveals its value to be NULL. 
-- TheRegister.co.uk





[EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
07/08/2003 02:23 PM
Please respond to
[EMAIL PROTECTED]


To
[EMAIL PROTECTED]
cc

Subject
I have to be missing something REALLY simple...






I have two production freeradius 0.8.1 boxes running under redhat 7. We've 

decided to upgrade the freeradius servers to new hardware and redhat 8. 

I downloaded fr 0.8.1 to the new machines, did a ./configure 
--with-snmp=no --with-threads=yes --prefix=(some directory on the 
machine), then a make, then a make install.  (all as root)

Then I copied over my existing config files (clients.conf, and users... 
pretty simple config, eh??) to the new machine, and started up radiusd. It 

runs and authenticates, but for some reason on the new machine it will 
only launch _one_ thread when run as a daemon.

I HAVE to be missing something simple here, but for the life of me I can't 

figure out what it is.  Configure doesn't complain about any missing 
thread libraries, and running with full debug ( -X ), I don't see anything 

enlightening.

Any ideas?  I'm stumped, but it sure feels like I missed something simple!

Thanks!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Dereferencing the .NET pointer reveals its value to be NULL. 
-- TheRegister.co.uk


- 
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: I have to be missing something REALLY simple...

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 07/08/2003 02:42:28 PM:

 At 02:23 PM 7/8/2003 -0500, [EMAIL PROTECTED] wrote:
 Then I copied over my existing config files (clients.conf, and users...
 pretty simple config, eh??) to the new machine, and started up radiusd. 
It
 runs and authenticates, but for some reason on the new machine it will
 only launch _one_ thread when run as a daemon.
 
 How are you determining that it only launches one thread?

ps -aef  (tsunami is currently running working system, tidalwave is the 
rebuilt system...)

[EMAIL PROTECTED] vgiovann]$ ps -aef | grep radiusd
root  4154 1  0 Jul07 ?00:00:00 
/opt/local/radius/sbin/radiusd
root  4155  4154  0 Jul07 ?00:00:00 
/opt/local/radius/sbin/radiusd
root  4156  4155  0 Jul07 ?00:00:00 
/opt/local/radius/sbin/radiusd
root  4157  4155  0 Jul07 ?00:00:00 
/opt/local/radius/sbin/radiusd
root  4158  4155  0 Jul07 ?00:00:00 
/opt/local/radius/sbin/radiusd
root  4159  4155  0 Jul07 ?00:00:00 
/opt/local/radius/sbin/radiusd
root  4160  4155  0 Jul07 ?00:00:00 
/opt/local/radius/sbin/radiusd
vgiovann  7942  7919  0 14:45 pts/200:00:00 grep radiusd


[EMAIL PROTECTED] vgiovann]# /opt/local/radius/sbin/radiusd
Tue Jul  8 14:44:34 2003 : Info: Starting - reading configuration files 
...
[EMAIL PROTECTED] vgiovann]# ps -aef | grep radiusd
root 29320 1  0 14:44 ?00:00:00 
/opt/local/radius/sbin/radiusd
root 29328 29296  0 14:44 pts/100:00:00 grep radiusd


 I HAVE to be missing something simple here, but for the life of me I 
can't
 figure out what it is.  Configure doesn't complain about any missing
 thread libraries, and running with full debug ( -X ), I don't see 
anything
 enlightening.
 
 -X is a combination of multiple args.  One of which puts it in 
singlethreaded
 mode.

d'oh!...  :)

 A better combination if you want to debug threadedness, is to run the
 server with one or more -x ( lowercase! ) flags.  This enables debugging
 messages, without disabling threads.

Ok, second try.  /opt/local/radius/sbin/radiusd -fxxyz 

(snip)
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Thread 1 waiting to be assigned a request
Thread spawned new child 1. Total threads in pool: 1
Thread 2 waiting to be assigned a request
Thread spawned new child 2. Total threads in pool: 2
Thread 3 waiting to be assigned a request
Thread spawned new child 3. Total threads in pool: 3
Thread 4 waiting to be assigned a request
Thread spawned new child 4. Total threads in pool: 4
Thread 5 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
(snip)

So why don't I see the processes when I do a ps?  (Am I correct in reading 
that they're not really running?)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Dereferencing the .NET pointer reveals its value to be NULL. 
-- TheRegister.co.uk


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Unique WEP's without LEAP

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 06/12/2003 09:53:20 AM:

 In a nutshell, can a Cisco Aironet 350 Access Point accept a per-
 user WEP key from Freeradius (and can Freeradius serve it one)?

Well, you're trying to re-invent EAP without actually using EAP.  Can't 
get there from here; if you want the security of per user rotating WEP 
keys, you _have_ to do some form of eap (leap, peap, eap-tls, etc.).
 
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242

Dereferencing the .NET pointer reveals its value to be NULL. 
-- TheRegister.co.uk



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius cannot start

[Vincent_Giovannone]

[EMAIL PROTECTED] wrote on 06/02/2003 12:27:58 PM:

 Dear sir
 
 When I try to start the radius service, the message:
 
 radiusd -f
 Mon Jun  2 12:33:30 2003 : Info: Starting - reading configuration files
 ...
 File size limit exceeded
 
 is showing; does anyone can tell what does it means, because I cannot
 find the solution

It means your configuration file is too large.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Dereferencing the .NET pointer reveals its value to be NULL. 
-- TheRegister.co.uk


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Garbase from terminal server / freeradius crashes?

[Vincent_Giovannone]

When I had my terminal servers misconfigured (in my case, they were 
looking for XON/OFF flow control that wasn't there), I had nearly the same 
results.  Check your terminal server config. 

If you want to test it, how about unplugging your terminal servers for a 
while and seeing if radius stops dying?  (seriously)  Although it's almost 
assuredly a bug that should be addressed (processes dying are _never_ a 
good thing), might want to get the ball rolling that way.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Brendon Colby [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/28/2003 01:27 PM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Garbase from terminal server / freeradius crashes?


Greetings,

I wrote in a while back about garbage in our logs from our routers. The 
terminal servers are logging in to the device causing this garbage to show 
up 
in the radius logs. For example:

Fri Feb 28 13:16:38 2003 : Auth: Login incorrect: [5)55)AiMM]=Ii] (from 
client 
network-backbone port 1)
Fri Feb 28 13:16:38 2003 : Auth: Login incorrect: [9Q%] (from client 
network-backbone port 1)
Fri Feb 28 13:16:38 2003 : Auth: Login incorrect: [ap-vxr#] (from client 
corporate-network port 11)

So this is a known issue with the terminal servers logging in to the 
devices. 
Our network engineers are aware of this problem but do not know how to fix 

it.

My question is, would this sort of constant stream of garbage hitting our 
RADIUS server cause freeradius to just die with no warning or errors? This 
is 
what happens and I cannot seem to find a reason why. The process just 
seems 
to die at random. We're running 0.8.1.

Also, if anyone has any pointers on fixing this issue with all Cisco 
equipment 
please let me know.

Thanks.

-- 
Brendon Colby
Systems Administrator
Midcontinent Communications


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re:Free Radius and Inter Access Point Protocol (IAPP - 802.11f)

[Vincent_Giovannone]

Yes, it does.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Mohit Bajpai [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/26/2003 04:40 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject:Re:Free Radius and Inter Access Point Protocol (IAPP - 802.11f)


Hi,
Thanks for the reply.I have one more question.I would like to 
know whether freeRADIUS supports Wireless LAN(IEEE 802.11b) authorization 
and authentication like EAP /802.1X , ESSID registration and things like 
that.
Please reply.
 
Thanks and Regards,
Mohit



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: run free radius in linux8.0

[Vincent_Giovannone]

Start by READING THE DOCUMENTATION THAT COMES WITH IT.  (wow, tough 
answer!)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





hossein sorati [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/16/03 06:02 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:run free radius in linux8.0


how run freeradius in linux8.0 and  create user account and show menu 
freeradius?
tankyou.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: RADIUS response from incorrect interface

[Vincent_Giovannone]

So (and I'm reading in between the lines here), it seems as if you already 
have two servers, A and B, configured using some sort of clustering so 
that if A fails, B picks up A's address virtually, and vice-versa.

If so, then I think you're making the problem harder than it is. 
Typically, most software that does RADIUS will accept a primary and a 
backup, and is within the client's control which server they decide to 
talk to.  (i.e. you might be making a problem when in fact none really 
exists!)  I would pose that question to your telco; chances are it will 
automatically fail over to the backup if the primary is unavailable.

Additionally, most layer 7 load balancers also have a provision for 
determining if the end node is not available and automatically routing 
traffic to the other available node(s).  I would also query your telco on 
this possibility.

(In other words, the way I see it, you shouldn't need to any of this 
virtual IP jazz, because it should already be accounted for in the radius 
clients themselves!)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Paul Jenner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/07/2003 10:33 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:RE: RADIUS response from incorrect interface


Hi all.

Thanks for so many replies so quickly. I totally take on board the
comments about UDP responses on the same IP not being trivial and
probably not being worth it to implement.

However its worth pointing out for the record why its useful here.

The situation here is that the RADIUS requests come from load-balanced
upstream telco proxies who require two IPs for the RADIUS servers for
both resilience and load-balancing. Normally these would be serviced by
two physical servers with two real IPs but, when one server is not
available, the other can take over by taking the IP as a virtual
interface.

There are a lot of arguments about whether this is a sensible thing to
do etc. however this is what I am trying to implement (and it works for
UDP DNS requests with ISC bind).

Thanks for all the help on this - I think for now I'll look for a
solution outside of the RADIUS software (translation on firewalls etc.
most likely) as this appears the correct place to do this kind of thing,

Paul

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Weird log entries

[Vincent_Giovannone]

You wouldn't happen to have that router's console port connected to some 
sort of terminal server, would you?  If so, it's possible that the 
terminal server is resetting that port (for _whatever_ reason), and then 
things are going haywire from there.  (Just a thought.)

Also would help to know a little more info (like WHAT KIND OF A ROUTER IS 
IT?).

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Brendon Colby [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/03/2003 08:54 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Weird log entries


Good morning,

In my radius.log, I am see strange log entries. After a few week radius
crashes as well and I'm curious if this has something to do with it.

Mon Feb  3 08:44:49 2003 : Auth: Login incorrect: [p-vxr#] (from client
corporate-network port 11)
Mon Feb  3 08:44:49 2003 : Auth: Login incorrect: [port1-vxr = Console
to vxr-wtn connected on port1] (from client network-backbone-loopback
port 0)


Notice the [p-vxr#]. That's the prompt for the router of course. Why is
that getting sent back? Also, I see the login banner is getting sent
back as well on a Login incorrect entry. I am constantly getting hit 
with log entries like this with all sorts of fragments in the [] section.

I'm using freeradius 0.8.

One other thing - I like grouping subnets in the clients.conf file. Is
there a way to get RADIUS to log the actual hostname of the client
rather than the group name (corporate-network or network-backbone etc.)?


Thanks

-- 
Brendon Colby
Systems Administrator
Midcontinent Communications

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FW: Load balancing over two freeRADIUS Server

[Vincent_Giovannone]

Most load balancers (ex:  foundry and extreme switches) have various 
methods of hashing whether a connection goes to machine A or B (or C or D 
or ...).  I was originally going to suggest changing the default hashing 
algorithm to something other than the default.  Many load balancers' 
(except Cisco) by default run a hash on [Orig IP + Orig Socket + Dest IP + 
Dest Socket].  In order to ensure that (for example) your authentication 
requests and accounting go to the same server, you'd have to change the 
hashing method to be just [Orig IP].

However, that's a bad fit since typically the IP address of your NAS 
doesn't change, and/or the number of NASes is (relatively) low.  Each 
individual NAS would always be going to the same server all the time.

If I were you, I'd save the money on a load balancer and hand configure 
NAS A to go to radius server A, NAS B to go to server B, NAS C to go to A, 
NAS D to go to B, etc.  (Of course, you'd want NAS A to contact server B 
as a secondary, in case either one of your radius servers dies.  But it 
should prefer A.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Chesi Maurizio [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/03/2003 02:06 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: Continanza Biagio [EMAIL PROTECTED], Beligni Davide 
[EMAIL PROTECTED]
Subject:FW: Load balancing over two freeRADIUS Server


We have been asked to put a load balancer to distribuite the 
load between two radius servers. The architecture will 
encompasses a hardware load balancer in front of 2 freeRADIUS servers.
We are wondering if this may cause a problem being the 
possibility that, for example an access-request may be 
managed by a server and, in case of challenge,
the response access-request containing the response to the 
challenge may be managed by the other radius server.
Thank you for any suggestion.


Maurizio Chesi
NETikos


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Weird log entries

[Vincent_Giovannone]

It sounds as though the configuration on the terminal server isn't quite 
right.  I had similar loads of crap show up in my logs when I was figuring 
out how to wire mine up.  :)

Off the top of my head, make sure the device and the terminal server agree 
on connection parameters (CTS/DTS, XON/XOFF, etc.) and DON'T accept 
connections from the router (i.e. connections are only made from the 
terminal server to the device, not bidirectionally).  (That's a good idea 
anyway, since if someone compromises the router, you don't want them to be 
able to hop on your out of band network.  Never heard of this happening, 
but it's theoretically possible.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Brendon Colby [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/03/2003 09:13 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Re: Weird log entries


On Mon, Feb 03, 2003 at 08:55:47AM -0600, [EMAIL PROTECTED] 
wrote:
 You wouldn't happen to have that router's console port connected to some 

 sort of terminal server, would you?  If so, it's possible that the 
 terminal server is resetting that port (for _whatever_ reason), and then 

 things are going haywire from there.  (Just a thought.)

Ah yes, we have most most of our routers connected to out of band
routers. What can I do to stop this? I'm upgrading to 0.8.1 now just in
case.

 Also would help to know a little more info (like WHAT KIND OF A ROUTER 
IS 
 IT?).

Two of them that I've been able to determine are Cisco 7206VXRs running 
IOS 12.1(8a)E. Maybe those are the only two that are generating all
those errors. I can't tell exactly what router / device is doing what
since RADIUS is reporting just the subnet group.

-- 
Brendon Colby
Systems Administrator
Midcontinent Communications

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius authentication using RSA/SecurID ACE-Server

[Vincent_Giovannone]

Unfortunately, no, there is no plug in so that freeradius can directly 
authenticate against an ACE server.

I have been in contact with RSA on this issue.  RSA's response was 
basically, 'We've never heard of freeradius, so piss off.'  I even offered 
to write the freeradius plug in.  RSA's reply was that if I wrote a plug 
in, that I'd be in violation of the RSA licensing agreement if I were to 
give the code back to the freeradius project for distribution.

So the long and the short of it is this:  IF YOU WANT FREERADIUS TO 
SUPPORT SECURID --EVER--, CONTACT YOUR RSA REP (if you need an address 
to contact let me know) AND DEMAND THEY SUPPORT IT!  (Then _maybe_ they'll 
let me write a plugin that doesn't violate the licensing agreement. 
Maybe.)

-

What you _can_ do in the interim is proxy against the piss poor radius 
server built into ACE, but that's a sub-sub-sub optimal solution.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Frank Sackewitz [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/30/2003 02:23 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Radius authentication using RSA/SecurID ACE-Server



Hello Folks! 

I´m planning to use a Radius-Server for the Authentication/Accounting of 
my VPN-Users. 

Is there a plugin for an ACE-Server, so the Radius-Server asks the ACE to 
authenticate the user?

-- 
Bye

Frank Sackewitz



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RSA security server token authentication

[Vincent_Giovannone]

No, it does not.  (Unfortunately.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Choudary Asad Mumtaz [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/21/03 06:24 PM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:RSA security server token authentication


Hi All,
Does freeradius support token authentication from rsa security 
server? Your help will be greatly appreciated.
Thank you.
Choudary.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RSA security server token authentication

[Vincent_Giovannone]

Actually, that you _can_ do.  I personally detest the radius server that 
is built into ACE and refuse to use it in any manner, either as the target 
of a proxy or as the direct client target.  But there's no reason why you 
_couldn't_ do exactly what you describe with FR and and an ACE server.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Choudary Asad Mumtaz [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/21/03 09:35 PM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Re: RSA security server token authentication


Hi Vincent and Alan,
Thank you very much for your quick response. I was 
under the impression that by turning on the proxy requests feature, it 
could send requests to the rsa security server. As freeradius doesn't has 
this feature, does someone has another free solution to the problem :). 
Thank you.
Choudary.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: ScanMail Message: To Recipient Match eManager setting and take action.

[Vincent_Giovannone]

I got one too, and it appeared to come from inside my domain also. 
Apparently, the machine that is receiving the mail appends its address. 
(i.e. @rush.edu was not appended, but the machine's full name was 
appended.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Simon White [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/19/2002 05:33 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Re: ScanMail Message: To Recipient Match eManager setting and 
take action.


19-Dec-02 at 06:09, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote 
:
  eManager Notification *
 
 The following mail was blocked since it contains sensitive content.
 
 Source mailbox: [EMAIL PROTECTED]
 Destination mailbox(es): [EMAIL PROTECTED]
 Rule/Policy: Sexually Explicit
 Action: Quarantine to D:\Program 
Files\Trend\SMCF\Quarantine\2002-12-19\06-09-04.2728
 
 Content filter has detected a sensitive e-mail.
 
 *** End of message *

If anyone can shed some light on this message, I'd be interested. I
don't dig why it appears to be from [EMAIL PROTECTED] when our
mail server is nowhere at all in the headers and we're not running
eManager anyway.

Was the mail sent as Administrator and my MTA adds my domain? What did
others on the list get? Isn't it time to block non-subscribers?

Cheers,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: User Configuartion Help and Interesting Scenario

[Vincent_Giovannone]

You do NOT need to use a database to cause freeradius to re-read its users 
file.  You simply have to sigHUP it.

Also, the reply-message packet is not guaranteed.  Well, let me say that 
better.  It's guaranteed that Freeradius will send it if you specify it. 
It is NOT guaranteed what the NAS will do with it.  (Some NASes will 
ignore it, many will show it to the user.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Chris Brotsos [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/27/2002 07:39 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Re: User Configuartion Help and Interesting Scenario


Alan,

At 11:38 PM 11/27/2002 +1100, you wrote:
Dear all,

I have just installed radius 0.8 on my redhat 7.2 box. Being a total 
newbie I just wanted to know two things...

1) Firstly how do I add new users and then without restarting make radius 

reread the users file? Is there a configuration switch to allow me to do 
that? If it isnt possible, can i set up a database and do it that way? I 
just need to know how to dynamically add new users without restarting the 

radius server.

Yes, you will need to use a database.


2) Is it possible for radius to also send back a string (password) back 
to 
the client instead of just accept-accept. Or will I have to set up 
another 
machine or program to do that?

I am a little unsure of what you mean here, but I think you are referring 
to the use of a Reply-Message attribute that can be added to the user's 
profile to send back a string with your Access-Accept packet.

Chris



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Telnet auth against Cisco Router

[Vincent_Giovannone]

Looks like you're trying to bring over a users file from a different 
radius server.  Here's what a working entry looks like:

someuser Auth-Type := Local, Password == userpassword, 
NAS-IP-Address==127.0.0.3
   Reply-Message = [myserver] Howdy!,
   cisco-avpair = shell:priv-lvl=1

Obviously, that example also is good for ONLY nas 127.0.0.3, but it should 
give you a running start.

(You should leave that cisco-avpair in there; if you don't have it, you 
can crash Catalyst 5000 series switches running radius on login.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Thomas Linden [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/15/2002 05:47 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Telnet auth against Cisco Router


Hello folks,

I successfully installed the freeradius server (version 0.7.1).

I configured a cisco router for authenticating telnet access against
the radius server. So far, I've got them talking together, but
the radius rejects my auth request.

here is the entry of my users file:

DEFAULT  Auth-Type := Local
 Fall-Through = 1

scip
 Auth-Type = Local,
 User-Password = sack,
 Service-Type = Login-User,
 Login-Service = Telnet

(that means, I don't want to use /etc/passwd or the like,
 the password has to be in the users file).


Now if I telnet to the cisco, the radius server (started
with -X) states:

rad_recv: Access-Request packet from host 192.168.yyy.yyy:1645, id=39, 
length=106
User-Name = scip
User-Password = \313\336\337\231:\335$2\241_\242\252\326\333W
NAS-Port = 3
Cisco-AVPair = interface=tty3
NAS-Port-Type = Virtual
Calling-Station-Id = 192.168.***.***
Service-Type = Login-User
NAS-IP-Address = 192.168.yyy.yyy
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
rlm_realm: Looking up realm NULL for User-Name = scip
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 215
users: Matched scip at 218
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): [scip/sack] (from 
client routers port 3 cli 192.168.***.***)
auth: Failed to validate the user.
Login incorrect: [scip/sack] (from client routers port 3 cli 
192.168.***.***)


Here is, what I see on the cisco side:

20:54:06: RADIUS/ENCODE(0024): ask Username: 
20:54:06: RADIUS/ENCODE(0024): send packet; GET_USER
bb03#
20:54:08: RADIUS/ENCODE(0024): ask Password: 
20:54:08: RADIUS/ENCODE(0024): send packet; GET_PASSWORD
20:54:09: RADIUS/ENCODE(0024): acct_session_id: 36
20:54:09: RADIUS(0024): sending
20:54:09: RADIUS: Send to unknown id 40 192.168.xxx.xxx:1812, 
Access-Request, len 106
20:54:09: RADIUS:  authenticator 68 7C D8 7B 7C AF 3B 96 - 39 73 88 10 E1 
3A 5E 8D
20:54:09: RADIUS:  User-Name   [1]   6   scip
20:54:09: RADIUS:  User-Password   [2]   18  *
20:54:09: RADIUS:  NAS-Port[5]   6   3 
20:54:09: RADIUS:  Vendor, Cisco   [26]  22 
20:54:09: RADIUS:   Cisco AVpair   [1]   16  interface=tty3
20:54:09: RADIUS:  NAS-Port-Type   [61]  6   Virtual [5]
bb03#
20:54:09: RADIUS:  Calling-Station-Id  [31]  16  192.168.***.***
20:54:09: RADIUS:  Service-Type[6]   6   Login [1]
20:54:09: RADIUS:  NAS-IP-Address  [4]   6   192.168.yyy.yyy  
bb03#
20:54:11: RADIUS: Received from id 40 192.168.xxx.xxx:1812, Access-Reject, 
len 20
20:54:11: RADIUS:  authenticator 8B CF FB C9 C3 5D 00 B0 - DF BD 52 66 0A 
08 C7 02
20:54:11: RADIUS: Received from id 24
20:54:11: RADIUS/DECODE: parse response short packet; IGNORE


 
my question: how can I get freeradius to let me telnet into the
cisco router? why does it claim that there is no password set,
although it's defined in the users file?


thanks in advance,

Tom

-- 
Thomas Linden [EMAIL PROTECTED],  I Z B  Informatik-Zentrum
Muenchen-Frankfurt a.M. GmbH  Co.KG, Internet Service Providing
OE532 Tel:089/2171-27998, Fax:089/2171-27995,  http://www.izb.de

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: ScanMail Message: To Recipient Match eManager setting and take action.

[Vincent_Giovannone]

We could always send a bunch of actual swears to [EMAIL PROTECTED] and 
see what happens.  :)

That has to be the first filter I've seen that considers freeradius a 
dirty word.  Figures, it's a MS product.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Gene Parks [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/29/2002 10:10 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:RE: ScanMail Message: To Recipient Match eManager setting and 
take action.


Somebody want to tell me what idiot is polluting the mailing list with
this stupid filter?

If you want to filter you own stuff, GREAT!  Just don't tell us about
because WE DON'T CARE.

Gene Parks
VIP Direct


-Original Message-
From: System Attendant [mailto:EXCHANGE-SA;nrtc.org] 
Sent: Tuesday, October 29, 2002 10:31 AM
To: '[EMAIL PROTECTED]'
Subject: ScanMail Message: To Recipient Match eManager setting and take
action.


 eManager Notification *

The following mail was blocked since it contains sensitive content.

Source mailbox: [EMAIL PROTECTED]
Destination mailbox(es): [EMAIL PROTECTED]
Rule/Policy: Profanity
Action: Quarantine to C:\Program
Files\Trend\SMCF\Quarantine\2002-10-29\10-31-13.40921

Content filter has detected an e-mail that contains profanity

*** End of message *

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Anyone running freeradius with SecurID?

[Vincent_Giovannone]

I know it's been mentioned before that SecurIDs could be used as an 
external (to freeradius) authenticator.  Is anyone out there currently 
running this kind of config?  (I'd rather not reinvent the wheel if 
someone has gone through the pain.)

Thanks!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Anyone running freeradius with SecurID?

[Vincent_Giovannone]

Unfortunately, I've actually looked at the radius server built in, and 
it's _really_ scary.  (I'd _almost_ rather run no authentication than that 
radius server!)

It's very similar to their support of LDAP They import the whole 
ldap tree once, and wow!  they support LDAP!  No, not really...

Thanks, though.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





Gene Parks [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/28/2002 10:15 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:RE: Anyone running freeradius with SecurID?


SecurID has it's own radius server built in.  You can proxy to it or
just point your clients straight at it.

Gene Parks
VIP Direct


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Ignoring request from unknown client

[Vincent_Giovannone]

Two possible scenarios: 

1)  You don't have this client defined in your clients.conf file.

2)  Someone is sending you radius requests you don't know about.  Go whack 
'em.

(Note that 1 doesn't preclude 2 from happening.  :) )

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around.-- 
Simon Travaglia





[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/20/2002 10:33 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Ignoring request from unknown client


Hi
 
I am running radiusd in debugging mode

radiusd -fxxyz -p 1812
 
Returns these results: (ip's *'d out)
rad_recv: Access-Request packet from host ***.**.16.64:4610, id=0, 
length=61
Ignoring request from unknown client ***.**.16.64:4610
 
Any suggestions?
Need more info?
 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Is it possible to use it locally(LAN)

[Vincent_Giovannone]

RADIUS is an authentication mechanism.  It doesn't know (or care about) 
the type of link (LAN/WAN/MAN) it travels across.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Pinball is a way of life.  My way!





Bala [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/10/2002 01:04 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Is it possible to use it locally(LAN)


Hi All,
   I am new to this list and Radius software,
is it possible configure RADIUS for LAN environment?,
if so, what additional/supporting softwares needed?

Thnx,
Bala. 





__
Yahoo! - We Remember
9-11: A tribute to the more than 3,000 lives lost
http://dir.remember.yahoo.com/tribute

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: RADIUS book from O'Reilly

[Vincent_Giovannone]

This might be a dumb question, but...  I'd like to buy the book and have 
my company pay for it.  (Read:  fill out  a PO, go through the whole 
purchasing thing, blah blah blah...)  Any way for FR to get the kickback 
then?  (I'd imagine not, but figured I'd ask anyway.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Pinball is a way of life.  My way!






Jonathan Hassell [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/30/2002 03:07 PM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:RE: RADIUS book from O'Reilly


And I just happen to be the author of said O'Reilly book, and I monitor
this list frequently.  I haven't had time to contribute much during the
past few months, though.  At any rate, please feel free to ask any
questions about the book to me personally, or call me stupid, and I'll
do my best to respond appropriately.  (No, I won't hold it against you
for calling me stupid.)

If you do decide to purchase the book, please do so through the
FreeRADIUS site.  There is a real potential for a decent chunk of change
to become available to support the development of this project. 

Thanks for your support!

Jonathan Hassell
[EMAIL PROTECTED]

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 30, 2002 2:01 PM
To: [EMAIL PROTECTED]
Subject: RADIUS book from O'Reilly


  A RADIUS book from O'Reilly has been announced, and it's on Amazon.
See:

 http://www.freeradius.org/related/

  I've taken the liberty of signing up for an 'Amazon associates'
program, so if you're thinking about buying the book, please us the
link, and some $$ will be contributed to FreeRADIUS.


  Since there is currently no legal entity called FreeRADIUS, I've
signed up for the Amazon Associates program under my name.  If the
incoming $$ are sufficient, it may be worth legally registering
FreeRADIUS as a non-profit entity.


  In any case, the moneys received from the associates program will go
to fostering the development of the server.  I will be posting periodic
summaries of the $$, and request for comment as to where/how the money
should be spent.

  If, in fact, the link makes money. :)


  In the interests of transparency, I was a technical reviewer of the
book, and saw it in pre-publication draft.  It isn't perfect, but it's
better than the nearly complete lack of documentation that comes with
the server today.  It also explains in greater detail the why and the
how of the RADIUS protocol, and may answer many initial questions
someone may have about the RADIUS protocol, and the FreeRADIUS server.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: specify shadow passwd file

[Vincent_Giovannone]

Do you have to configure the Radius server before you run the deamon?

Nah; you can run the daemon any old time.  Don't bother configuring it or 
reading the config or documentation files.  They're there just to pad the 
download.  You don't even have to bother compiling or untaring it to disk; 
just pipe the tar output to gcc and it'll run right in place!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Pinball is a way of life.  My way!


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

freeradius 0.5 complaining about UNKNOWN-NAS (that was previously working)

[Vincent_Giovannone]

Note:  certain parts of this email have been munged for confidentiality
reasons.  (i.e. IP addresses, login names, and passwords have been
scrambled.)

I recently upgraded my primary RADIUS server from freeradius 0.3 to 0.5.
Now, however, I'm getting strange entries in my radius.log file:

Tue Mar 19 10:57:29 2002 : Auth: Login OK: [someguy] (from nas UNKNOWN-NAS
port 2 cli 144.74.x.y)

I have at least four different NASes that are defined with shortnames in
clients.conf that now generate similar log lines in radius.log.  Devices
are from multiple manufacturers (primarily Cisco and Marconi).  None of the
configurations for any of these NASes have changed; only freeradius has
been upgraded from 0.3 to 0.5 .  (clients.conf was also not changed going
from 0.3 to 0.5.)

So I'm pretty stumped as to why freeradius is all of a sudden calling these
unknown nases, but still allowing them to authenticate.  I threw the server
into debug mode, and obtained the following (as an example)...  Maybe it
can help.  Anyone have any ideas here?

--- Walking the entire request list ---
Cleaning up request 0 ID 105 with timestamp 3c98a291
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 144.74.m.N:1645, id=106,
length=79
NAS-IP-Address = 144.74.m.N---  144.74.m.N matches the IP
in above line, and also what's in clients.conf
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = someguy
Calling-Station-Id = 144.74.x.y
Password = (deleted)
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 71
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
  modcall[authenticate]: module unix returns ok
modcall: group authenticate returns ok
radius_xlat:  '[primary_radius_server] Hello, someguy'
Login OK: [someguy] (from nas UNKNOWN-NAS port 2 cli 144.74.x.y)
Sending Access-Accept of id 106 to 144.74.m.N:1645
Reply-Message = [primary_radius_server] Hello, someguy
Cisco-AVPair = shell:priv-lvl=x
Service-Type = Login-User
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 106 with timestamp 3c98a2ae
Nothing to do.  Sleeping until we see a request.

If there's anything else that would be handy in debuging, let me know and
I'll grab it!  :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242

Monday is the term used to signify the eighth day of my work week.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: List of RADIUS attributes is now available

[Vincent_Giovannone]

  The attribute names are sorted alphabetically, and are
cross-referenced to the RFC's  It should not be possible to quickly
discover what an attribute means, what it does, and where it's
defined

Well, if it's not possible, why'd you bring it to our attention?  :)

[Yes, fully aware of the typo!]

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St Luke's Medical Center
(312) 942-4242

Monday is the term used to signify the eighth day of my work week
1


- 
List info/subscribe/unsubscribe? See http://wwwfreeradiusorg/list/usershtml

Re: user interface

[Vincent_Giovannone]

Great, now I have to go kavetch at the linux folks. :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242

Monday is the term used to signify the eighth day of my work week.








Tarquin Douglass \(Astronet Internet Access\) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/03/02 02:14 PM
Please respond to freeradius-users


To:[EMAIL PROTECTED]
cc:
Subject:Re: user interface


G,

I did not realise that it was yours, I got it off a QOD from a Linux box I set-up and thought that it was perfect for me.

anyway, it is good to see that someone else is also dedicated to work, work, work... :(

Monday is the term used to signify the eighth day of my work week.

Regards

Tarquin Douglass
Astronet Internet Access
Office: (031) 3094760
Home: (031) 2692954
Cel: (083) 5557890
_
http://www.astronet.co.za
- Original Message - 
From: [EMAIL PROTECTED] 
To: [EMAIL PROTECTED] 
Sent: Sunday, March 03, 2002 7:05 PM
Subject: Re: user interface


You have to wonder how original his product will be when he rips off the signature of someone on the same group lock, stock, and barrel, even including the quotes! 

I'll shut up now... :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242

Monday is the term used to signify the eighth day of my work week.






Tarquin Douglass \(Astronet Internet Access\) [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED] 
03/02/02 06:28 PM 
Please respond to freeradius-users 

To:[EMAIL PROTECTED] 
cc: 
Subject:Re: user interface



___
This EMail has been scanned by Astronet/IONet VIRUS scan
Server and found to be clear of all known VIRUSES in my
definition files.
___

Yes I have and it is called AstroAdmin.
A final beta release of this software will be ready very soon.

It includes many features like billing, AAA accounting, network monitor,
webmail and support tickets as well as an online signup.

Monday is the term used to signify the eighth day of my work week.

Regards

Tarquin Douglass
Astronet Internet Access
Office: (031) 3094760
Home: (031) 2692954
Cel: (083) 5557890
_
http://www.astronet.co.za

- Original Message -
From: George [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 03, 2002 12:53 AM
Subject: user interface


 Has anyone developed a user interface for freeradius so that subscribers

 could check their own online times?



 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [List-Error] Doubled up messages..

[Vincent_Giovannone]

Yeah, I'm having that problem with the list also. (receiving double messages all of a sudden.) Although, as I write this, it _seems_ to have stopped. seems. :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Monday is the term used to signify the eighth day of my work week.








Matthew Wallis [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/11/02 08:49 PM
Please respond to freeradius-users


To:[EMAIL PROTECTED]
cc:
Subject:[List-Error] Doubled up messages..


Is it just me, or have a few people been recieving copies of old mail?

I've recieved a second copy of Alan's reply to the Windows XP PPPoE
client bug, and various other freeradius emails in the last 10 minutes.

I'm on half a dozen mailing lists, and I'm only getting freeradius-users
a second time.

Matt.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Paranoid Configuration

[Vincent_Giovannone]

If you're paranoid, disconnect the machines' (client  server) primary interface from the internet. (Can't hack something you can't get to!)

If you're really paranoid? Install second NIC in both the server and the client, run a crossover cable between the two, and use a private IP address space.

If that's not good enough, write scripts on both the server and the client that changes the radius key once and hour and re-starts the freeradius daemon. (Suggestion would be something like a securID rotating key. Then again, there are other radius daemons that support Security Dynamics' products directly, so might want to switch to one of them.)

If THAT'S not good enough, have only one user machine, one radius client machine, and one radius server and put them all in the same white room with no external links whatsoever. Basically, go Mission Impossible on them; have everyone who needs to get to the information strip searched on entry and exit. Use multiple biometrics and passphrase challenges on entry and exit. Armed guards at the door. You know, the whole nine yards.

So how paranoid ARE you, anyway? :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Monday is the term used to signify the eighth day of my work week.








Gary Barnden [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/22/01 06:48 AM
Please respond to freeradius-users


To:[EMAIL PROTECTED]
cc:
Subject:Paranoid Configuration


Hello all,

If one was really paranoid, how would one secure the communication between 
a radius client and a server?

Thanks in advance

Gary


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Configuring -(Password -attribute)FreeRadius Server

[Vincent_Giovannone]

This request seems a bit absurd to me.  If you don't want to check the
passwords, then why are you running any access control at all?  Take off
all access control and you'll achieve what you want.  (NOT a good idea, but
seems to be what you're going after here.)

Not only that, but it's the Radius CLIENT that's sending the user password
to the server; the freeradius server is not in control of what attributes
are sent to it.  If you _really_ don't want that information sent to the
server, then you need to modify the client.  (Good luck, because that would
defeat the whole purpose of Radius.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Monday is the term used to signify the eighth day of my work week.



   

Selvam  Murugesan

[EMAIL PROTECTED]   To: 
[EMAIL PROTECTED] 
Sent by: cc:   

freeradius-users-admin@lists.Subject: Configuring 
-(Password -attribute)FreeRadius 
cistron.nl   Server

   

   

12/07/2001 12:37 AM

Please respond to  

freeradius-users   

   

   






Hi,

   i have a simple doubt regarding FreeRadius Server Configuration.

 Is it necessary to have the User-Password Attribute in an Access-Request
Packet that we send to the FreeRadius Server? Can we not configure the
FreeRadius Server in such a way that it would process a Request without the
User-Password attribute? I require this basically to authenticate Requests
arising from radius clients authenticating wireless clients.
   Can anyone shed some light on this


Thanks in Advance
Selvam




-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius and /etc/shells

[Vincent_Giovannone]

What you're trying to do should work; I have several users set up that way (not
in shadow or passwd, but only in the freeradius users file).  They don't have
any shells defined either.

Try running freeradius in debug ( /X ) mode; that should give lots of hints as
to what's going wrong.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Monday is the term used to signify the eighth day of my work week.



|+---
||  Ben  |
||  Hockenhull   |
||  [EMAIL PROTECTED]|
||  |
||   |
||  08/20/2001   |
||  03:20 PM |
||  Please   |
||  respond to   |
||  freeradius-us|
||  ers  |
||   |
|+---
  --|
  |  |
  |   To: [EMAIL PROTECTED]  |
  |   cc: (bcc: Vincent Giovannone/Rush/RSH) |
  |   Subject: FreeRadius and /etc/shells|
  --|




I'm migrating from Merit RADIUS to FreeRADIUS 0.2 and I'm running into
trouble.  On Merit RADIUS, I can set up users who exist only in the
/etc/raddb/users file, and not in /etc/passwd, and use local password
authentication right in the users file.

Trying to do the same thing with FreeRADIUS, I run into authentication
problems, and I think that it is due to the fact that the users in
question do not exist in /etc/passwd, and thus have no shell to compare to
/etc/shells.

I read about adding /RADIUSD/ANY/SHELL to /etc/shells, abut that does not
seem to have helped.  Any ideas?  I'm sure this can be done, but I can't
seem to find it documented.  I don't want to have to add every user to
/etc/passwd.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: free radius only working in debug mode

[Vincent_Giovannone]

I had the same problem when I first fired up freeradius.  I was authenticating
off of the local shadow file.  The problem turned out to be that the username (
/ group) listed in the radiusd.conf file did not have permissions to read the
shadow password file.  (Note that freeradius does NOT launch under the
configured username when run in debug mode, which completely masks permissions
problems like this one.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Monday is the term used to signify the eighth day of my work week.



|+---
||  steve  |
||  steve@oceanw|
||  ide.co.nz   |
||   |
||  08/16/2001   |
||  08:54 PM |
||  Please   |
||  respond to   |
||  freeradius-us|
||  ers  |
||   |
|+---
  --|
  |  |
  |   To: [EMAIL PROTECTED]  |
  |   cc: (bcc: Vincent Giovannone/Rush/RSH) |
  |   Subject: free radius only working in debug mode|
  --|






Hello,

I have just install free radius on Solaris 8. The problem I am haveing is
that
free radius will only authenticate in debug mode. If I start it like this
radiusd -xxyz -l stdout works great. But when I start it like this
radiusd It starts OK but rejects all users. Has anyone seen this problem
before? I can post config's and debug outputs or logfiles etc. if needed.

Thank you

Steve


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html