0.9.3 install question
I was still running FR 0.8, and because of yesterday's events, decided to go up to 0.9.3. I did the ./configure, make, make install dance. FR bombed when I tried to run radius, so I put it in debug mode, and saw messages about problems with the dictionary. Perused the INSTALL file, and saw this note:

> Note that in this release, the location of the dictionary files has changed, to /usr/local/share/freeradius/dictionary. Please ensure that /etc/raddb/dictionary is THE SAME as ./raddb/dictionary. If not, you will have to copy it over by hand;
>
> $ cp ./raddb/dictionary /etc/raddb/dictionary

But that note seems to contradict itself. It _seems_ as though it should say "please ensure that $prefix/etc/raddb/dictionary is the same as /usr/local/share/freeradius/dictionary". So what is the correct process?

What I wound up doing was copying $prefix/share/freeradius/dictionary into $prefix/etc/raddb/dictionary. That got me further along the line, but I still had dictionary errors. I eventually copied $prefix/share/freeradius/dictionary* into $prefix/etc/raddb/, overwriting everything that existed previously. THAT worked, but I'm wondering if this is the intended procedure, or if I just butchered things badly.

Secondly, the INSTALL doc continues on to say that I should delete every dictionary file in $prefix/etc/raddb; is this still correct? (Wouldn't that just get me back to the starting point?)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center

When I was four I wanted an Action Man armoured personnel carrier. I didn't have any genuine Action Men - my parents couldn't afford them; instead of a professional army I had a ragtag band of Korean and Chinese irregulars whose political commitment, I hoped, made up for their having no knee or elbow joints. -- Mil Millington

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 0.9.3 install question
[EMAIL PROTECTED] wrote on 11/21/2003 01:04:25 PM:

> [EMAIL PROTECTED] wrote:
> > $ cp ./raddb/dictionary /etc/raddb/dictionary
> >
> > But that note seems to contradict itself. It _seems_ as though it should say "please ensure that $prefix/etc/raddb/dictionary is the same as /usr/local/share/freeradius/dictionary".
>
> No. It says to copy 'raddb/dictionary' from the distribution to $prefix/etc/raddb/dictionary.

Ah!

> > Secondly, the INSTALL doc continues on to say that I should delete every dictionary file in $prefix/etc/raddb; is this still correct? (Wouldn't that just get me back to the starting point?)
>
> It's correct. See above. You delete the OLD dictionaries, and install the NEW one. The 30-40 others go into blah/share/freeradius/

Gotcha; makes sense now. (And luckily, easy enough to undo.) Works as it should now; thanks!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center
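The procedure settled on in this exchange (copy the distribution's raddb/dictionary over $prefix/etc/raddb/dictionary, leave the vendor dictionaries under $prefix/share/freeradius/, delete the old dictionary.* files from raddb) is easy to get half right, as the original question shows. The following script is an added example, not part of the post or of the FreeRADIUS distribution; it checks an install tree for exactly those three conditions, applies the INSTALL note's fix, and re-checks. The $prefix layout and the file contents in demo() are constructed for the example.

```python
"""Verify the 0.9.3 dictionary layout described in INSTALL (added example).

Assumes the layout the thread describes: the master dictionary copied from
the distribution's raddb/dictionary into $prefix/etc/raddb/dictionary, the
vendor dictionaries under $prefix/share/freeradius/, and no stale
dictionary.* files left behind in raddb from an 0.8 install.
"""
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def check_dictionary_layout(prefix, dist_raddb):
    """Report whether $prefix/etc/raddb matches what INSTALL asks for."""
    raddb = Path(prefix) / "etc" / "raddb"
    share = Path(prefix) / "share" / "freeradius"
    installed = raddb / "dictionary"
    shipped = Path(dist_raddb) / "dictionary"

    report = {
        # raddb/dictionary must be a byte-for-byte copy of the shipped one
        "raddb_dictionary_matches_dist": installed.is_file() and shipped.is_file()
            and filecmp.cmp(str(installed), str(shipped), shallow=False),
        # the master dictionary and the vendor files live under share/
        "share_dictionary_present": (share / "dictionary").is_file(),
        "share_vendor_dictionaries": sorted(p.name for p in share.glob("dictionary.*")),
        # leftovers from 0.8: INSTALL says to delete these from raddb
        "stale_raddb_dictionaries": sorted(p.name for p in raddb.glob("dictionary.*")),
    }
    report["ok"] = (report["raddb_dictionary_matches_dist"]
                    and report["share_dictionary_present"]
                    and not report["stale_raddb_dictionaries"])
    return report


def apply_install_note(prefix, dist_raddb):
    """Do what INSTALL describes: copy the shipped raddb/dictionary over
    $prefix/etc/raddb/dictionary and remove the old per-vendor files there."""
    raddb = Path(prefix) / "etc" / "raddb"
    shutil.copyfile(str(Path(dist_raddb) / "dictionary"), str(raddb / "dictionary"))
    for stale in raddb.glob("dictionary.*"):
        stale.unlink()


def demo():
    """Build a constructed post-'make install' tree with 0.8 leftovers in a
    temp dir, check it, apply the fix, and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        prefix = os.path.join(tmp, "prefix")
        dist_raddb = os.path.join(tmp, "freeradius-0.9.3", "raddb")
        raddb = os.path.join(prefix, "etc", "raddb")
        share = os.path.join(prefix, "share", "freeradius")
        for d in (raddb, share, dist_raddb):
            os.makedirs(d)
        # constructed file contents; only the comparison matters here
        Path(dist_raddb, "dictionary").write_text("# shipped 0.9.3 raddb/dictionary\n")
        Path(share, "dictionary").write_text("$INCLUDE dictionary.cisco\n")
        Path(share, "dictionary.cisco").write_text("VENDOR Cisco 9\n")
        Path(raddb, "dictionary").write_text("# old 0.8 master dictionary\n")
        Path(raddb, "dictionary.cisco").write_text("VENDOR Cisco 9\n")

        before = check_dictionary_layout(prefix, dist_raddb)
        apply_install_note(prefix, dist_raddb)
        after = check_dictionary_layout(prefix, dist_raddb)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run against a real tree, call check_dictionary_layout(prefix, "/path/to/freeradius-0.9.3/raddb") and look at the "ok" key before deciding whether anything needs copying.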
Re: 0.9.3 has been released
[EMAIL PROTECTED] wrote on 11/20/2003 02:51:13 PM:

> Bug reports are nice. Lack of notification is stupid.
>
> With that said, 0.9.3 has been released. It's in the normal places:
>
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
>
> With PGP signature at:
>
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
>
> It is just 0.9.2 with a bug fixed, and the version number updated.
>
> The original reporter threatened to release an exploit when I told him I was unhappy with his lack of notification prior to the public release of the vulnerability information. Blackmail is stupid.
>
> As it turns out, however, the problem isn't as bad as it could have been. The bug he reported can cause the server to crash, but is difficult to exploit. Any attack code MUST be in the form of a valid RADIUS packet, which significantly limits the possible exploits.
>
> However, there was another bug which the reporter did NOT discover, which causes the server to de-reference a NULL pointer, and thus crash, whenever an Access-Request packet containing a Tunnel-Password attribute is received.
>
> Both bugs have been fixed in 0.9.3, and in the CVS head. We recommend that everyone upgrade to 0.9.3 as soon as possible.

Do either of these bugs affect (within the best of your ability to guess, of course!) versions of FR prior to 0.9? (All other good reasons to upgrade to 0.9 notwithstanding...) Just trying to gauge if I should put this on the "do soon" pile, or the "do right now" pile.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center
(312) 942-4242
Re: Freeradius and Cisco C2950G (http server problem)
Just goes to show that paid support isn't all that it's cracked up to be. I opened a Cisco TAC case on this kind of issue over a year ago, and had Cisco TAC swear up and DOWN it wasn't possible to authenticate to the http server w/o using TACACS. I didn't believe them at the time, but I didn't really give a flying flip (I was just messing around and don't use http configuration interfaces if I can avoid them), and had wasted enough time so I let the issue drop. Good to know I was right in suspecting the TAC guy was full of s**t.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center

A four-year-old will very quickly get over news of the death of Santa if told that it was due to his fully loaded sleigh crashing in the back garden. -- Mil Millington


Ville Leinonen [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/26/2003 12:18 AM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: Freeradius and Cisco C2950G (http server problem)

Hi!

I have a little problem with my Cisco switch. I can log in with telnet and freeradius says ok, you can log in. But when I try to log in via http, freeradius says ok, but cisco would not let me in. I have configured ip http authentication aaa. Here is the freeradius log when I try to get in via http.
rad_recv: Access-Request packet from host xx.xx.xx.xx:1812, id=117, length=81
        NAS-IP-Address = xx.xx.xx.xx
        NAS-Port = 2
        NAS-Port-Type = Virtual
        User-Name = zz
        Calling-Station-Id = xx.xx.xx.xx
        User-Password =
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  rlm_eap: EAP-Message not found
  modcall[authorize]: module eap returns noop
    rlm_realm: No '@' in User-Name = , looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
    users: Matched DEFAULT at 154
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
radius_xlat: ''
rlm_sql (sql): sql_set_user escaped user -- ''
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns ok
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [/] (from client radtest port 2 cli xx.xx.xx.xx)
Sending Access-Accept of id 117 to xx.xx.xx.xx:1812
        Service-Type := NAS-Prompt-User
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 117 with timestamp 3f73cb8e
Nothing to do.  Sleeping until we see a request.

Any suggestion what I do wrong?

Best regards,
Ville Leinonen
Re: Freeradius + Mysql
1, you're sending formatted text to a mailing list. I know you think that blue color is pretty, but _don't_ do that.

2, you haven't run the server in debug mode to see what it's trying to do (...or not do).

3, you haven't provided any snippet of a configuration. "It doesn't work" is a pretty broad problem statement. Cut and paste the definition for ONE user (or the default if that's all you're using).

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center


L U C A S [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/09/2003 03:43 PM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: Freeradius + Mysql

I'm using Freeradius and have some problems that don't let me sleep.. :-)

I want to authenticate our users not only by username and password; I need to check also NAS-IP-Address or Called-Station-ID. This I need to manage different NAS with one Radius; the users only have to get access to one NAS. But this does not seem to work. Why? The user can every time login into the NAS, with the correct check item or without them.. The Radius seems to ignore the additional check items and it makes no sense if they are in the radcheck table or in the radgroupcheck table. Only Username and Password are checked.

What am I doing wrong?? Any idea? Please help me!

Lucas Nascimento
Re: ALERT - GroupShield ticket number OA6738_1062684607_PVDEX01_3 was generated
Would someone please add "GroupShield for Exchange" into the spam filter? This is getting a little annoying. (assanine.com. :) )

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center


GroupShield for Exchange (PVDEX01) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/04/2003 09:10 AM
Please respond to [EMAIL PROTECTED]

To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: ALERT - GroupShield ticket number OA6738_1062684607_PVDEX01_3 was generated

Action Taken:
The attachment was quarantined from the message and replaced with a text file informing the recipient of the action taken.

To: [EMAIL PROTECTED] [EMAIL PROTECTED]
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: -1530368000,29586124
Subject: Thank you!

Attachment Details:-
Attachment Name: your_document.pif
File: your_document.pif
Infected? No
Repaired? No
Blocked? Yes
Deleted? No
Virus Name: attavr6z.dat
Description: Binary data
Re: Inflex scan report [0827085833389]
[EMAIL PROTECTED] wrote on 08/27/2003 05:34:18 AM:

> whilst its nice to see what virus checkers certain companies use, could virus-ridden/infected Windows users on this list PLEASE sort out your machines.

Want to ask for tomorrow's winning lottery numbers while you're at it? :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Re: Cisco VSAs, like 'cisco-avpair'
It's in the documentation, 'cuz I figured out how to do it. Anyway, here's an example from my users file:

crapuser        Auth-Type := Local, Password == "this_password_sucks"
                Reply-Message = "Hello, your password sucks, by the way.",
                cisco-avpair = "shell:priv-lvl=1",
                service-type = login-user

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Re: FreeRadius vrs Cisco RADIUS
[EMAIL PROTECTED] wrote on 08/19/2003 04:21:20 AM:

> > If you need paid support ("It's busted and I need it fixed RIGHT NOW!!"), then you're obviously SOL running freeradius. (Don't misinterpret this; the FR team does a bang up job. BUT they're NOT obligated to do _anything_ if something in FR doesn't quite work right.)
>
> Can I put that paragraph in the FAQ?

Feel free. :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Re: Cisco 1200 - radius authentication?
[EMAIL PROTECTED] wrote on 08/08/2003 07:07:11 PM:

> First, I apologize for my naiveness. I thought I could get this working fairly easily, but that was three days ago; I'm becoming a little desperate now. If someone could point me to either a How To or FAQ on configuring the Cisco Aironet 1200 to authenticate with the FreeRadius software I would be greatly indebted to you.
>
> Actually the easy part was configuring the FreeRadius software and using radtest locally and from another UNIX host to see whether the configuration files were correct. That doesn't seem to be the problem. The problem I have is the simple window configurations for the Cisco Aironet 1200. Even though I've explicitly put the IP in the Authenticator Configuration field, typed my shared secret and tried EAP configuration (and others for the pure fun of it), I never connected/authenticated to the radius server. My radiusd mode (radiusd -s -X) is always just in the "Ready to process requests".
>
> Sorry again for such ignorance. All I want to see is an attempted connection and then I can figure out the EAP/LEAP stuff later.

Need a little bit more info; which version of the 1200 are you using, the VxWorst (1220) version, or the IOS (1230) version?

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242
Re: Cisco ACLs, blocking W32.Blaster.Worm
Not sure how you'd send this via radius attributes (never tried to do that), but if you want to protect your users from getting infected, apply this list outbound to their interface. If you want to prevent them from infecting others (along with doing any MS mapping of drives, or tftp'ing, etc.) then apply it inbound to that same interface. (No, I haven't flipped inbound and outbound; Cisco ACLs are from the POV of the access device.)

access-list 199 deny udp any any eq tftp log
access-list 199 deny tcp any any eq 135 log
access-list 199 deny udp any any eq 135 log
access-list 199 deny tcp any any eq 139 log
access-list 199 deny udp any any eq netbios-ss log
access-list 199 deny tcp any any eq 445 log
access-list 199 deny udp any any eq 445 log
access-list 199 deny tcp any any eq log
access-list 199 deny udp any any eq log

(obviously, I'm using access list 199 here)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center


Robert Tarrall [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/12/2003 12:18 PM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: Cisco ACLs, blocking W32.Blaster.Worm

Hi all - haven't seen anyone mention this in the archives for the last day or so; I hope I'm not rehashing something that's already been discussed.

Our dialup users who have not yet patched their systems with the recent MS security update are now finding that their machines get shut down whenever they connect to the Internet; this makes it somewhat difficult for them to d/l the latest security patch.
Fix I've applied locally has been to add the following to our users file:

DEFAULT Service-Type == Framed-User
        Cisco-AVpair += "ip:inacl#5=deny tcp any any eq ",
        Cisco-AVPair += "ip:inacl#10=deny tcp any any eq 135",
        Cisco-AVPair += "ip:inacl#15=deny udp any any eq 69",
        Cisco-AVPair += "ip:inacl#98=permit icmp any any",
        Cisco-AVPair += "ip:inacl#99=permit ip any any",
        Fall-Through = Yes

This probably denies more than is necessary, and I don't have any confirmation yet that it works. If someone more clueful than I in the ways of Cisco ACLs and/or this particular worm can help refine this a bit I'd appreciate it... just whacked it together in an hour based on stuff found on the net so it may be completely wrong. And if not, maybe the above is a useful starting point for other folks in the same boat as us.

-Robert Tarrall.-
Unix System/Network Admin
E.Central/Neighborhood Link
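Two things are easy to get wrong when hand-writing a per-user ACL entry of the kind above: the ip:inacl#<seq> sequence numbers must increase (the NAS assembles the ACL in that order), and the list must end in an explicit permit, because a Cisco ACL carries an implicit deny at the end and a list of nothing but denies cuts the user off entirely. The generator below is an added example, not Robert Tarrall's entry or anything from the FreeRADIUS tree; it renders a DEFAULT entry in the same "Cisco-AVPair += ip:inacl#<seq>=<rule>" form and refuses rule lists that break either condition. BLASTER_RULES is constructed from the rules in the post, with the cut-off TCP port left out.

```python
"""Render a users-file DEFAULT entry that hands a Cisco NAS a per-user inbound
ACL through Cisco-AVPair (added example)."""


def render_inacl_entry(rules, fall_through=True):
    """rules: (sequence number, 'permit|deny <proto> <src> <dst> ...') pairs.
    Returns users-file text after two sanity checks: sequence numbers must
    strictly increase, and the last rule must be 'permit ip any any', because
    a Cisco ACL ends in an implicit deny."""
    if not rules:
        raise ValueError("no rules given")
    seqs = [seq for seq, _ in rules]
    if any(later <= earlier for earlier, later in zip(seqs, seqs[1:])):
        raise ValueError(f"sequence numbers must strictly increase: {seqs}")
    for _, rule in rules:
        if rule.split()[0] not in ("permit", "deny"):
            raise ValueError(f"rule must start with permit or deny: {rule!r}")
    if rules[-1][1].split() != ["permit", "ip", "any", "any"]:
        raise ValueError("last rule must be 'permit ip any any' to beat the implicit deny")

    lines = ["DEFAULT\tService-Type == Framed-User"]
    for seq, rule in rules:
        # reply item; += appends one AVPair per rule instead of replacing
        lines.append(f'\tCisco-AVPair += "ip:inacl#{seq}={rule}",')
    lines.append(f"\tFall-Through = {'Yes' if fall_through else 'No'}")
    return "\n".join(lines) + "\n"


def entry_is_valid(rules):
    """True if render_inacl_entry accepts the rule list."""
    try:
        render_inacl_entry(rules)
    except ValueError:
        return False
    return True


# constructed from the post's rule set; its cut-off TCP port is left out
BLASTER_RULES = [
    (10, "deny tcp any any eq 135"),
    (15, "deny udp any any eq 69"),
    (98, "permit icmp any any"),
    (99, "permit ip any any"),
]

if __name__ == "__main__":
    print(render_inacl_entry(BLASTER_RULES))
```

The Fall-Through = Yes at the end is kept from the post's entry so that later users-file entries still get a chance to match.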
Re: radius?????what device and OS compatible with them???
I've used a toaster with radius. (a VSA determines how brown, cow now... :) )

Other items I've seen using radius are a waffle iron, high quality golf clubs, an electric train set, a disposable shaver, a gumball machine, a satellite television receiver, a box of facial tissues and a foam dome. (Foam dome: one of those hats that holds two cans of beer on your head with two straws.)

Oh yes, most of these devices were using HomeOS'03 version 1.0 beta. (Basically, rebranded windows 3.0.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Re: new users recognized without restarting radiusd
[EMAIL PROTECTED] wrote on 07/28/2003 07:55:54 AM:

> Is there any way a user file can be edited and new users can be accepted as valid logins without having to restart radiusd?

Nope. To do that, you need to use an authentication mechanism that doesn't use the users file, such as LDAP or SQL.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Re: Cisco AP350 series - Freeradius authentication warning.
[EMAIL PROTECTED] wrote on 07/14/2003 10:02:37 AM:

> I have a linux server with Freeradius. The access point (AP) is a Cisco AP350 Series. I configured all the files, and it seems to be working using radtest. When I use my laptop to try to reach the network, the AP drops a warning message like:
>
> (Warning): No MAC-Authentication response for Station 00022d0bea39 from server 10.4.132.24
>
> Both the server and the AP are in the same network, and the ping response from the server to the AP is ok. But when I run the radius server with full debug options (-xxyz -l stdout) it does not show any message related to the request from the AP. Is that normal? Should not the server show at least the request from the AP, even if I have an error on the configuration files?

Check to make sure you've specified a radius port # on the AP. Cisco defaults to 1645, while FR defaults to 1812. (Yes, you should see FR say _something_ in debug mode. Since it isn't, you can conclude that FR isn't even seeing the packet.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Re: UNKNOWN NAS
[EMAIL PROTECTED] wrote on 07/14/2003 12:04:30 PM:

> Hi, I have a problem using Freeradius 0.5. The Radius server is working ok, but when the authentication occurs, in the radius log file I see UNKNOWN NAS. The login occurs OK. Ex:
>
> Auth: Login OK: [login/password] (from nas UNKNOWN-NAS port 9)
>
> Is there a kind of parameter that solves this problem?

http://www.mail-archive.com/[EMAIL PROTECTED]/msg04201.html

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Re: Cisco AP350 series - Freeradius authentication warning.
[EMAIL PROTECTED] wrote on 07/14/2003 01:04:37 PM:

> I think the problem is the AP configuration too, but since it is in service right now, and it is set for MAC address authentication, it is supposed to send the request to the FR when the MAC is not found in its database.

Casually perusing the 350 docs, it appears as though what you're trying to do _should_ be possible with the 350. Then again, the 350's run that awful VxWorst operating system, so who knows. ;)

> Do you think that maybe that setting (I mean forward requests to the FR) should work right? Can the authentication be shared between the AP and the FR? Or is it an exclusive job for just one, the FR or the AP? So should I try to disable the MAC authentication at the AP just to see if that works?

I'd try that, but that basically means you're taking the AP out of service for a while. (You're kind of stuck between a rock and a hard place here.) Why can't you just take all the MAC addresses that are on the access points, put them in FR, and then have the AP _only_ check FR? Wouldn't that eliminate an unnecessary layer of uncertainty?

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Re: RES: UNKNOWN NAS
[EMAIL PROTECTED] wrote on 07/14/2003 03:21:46 PM:

> Hi Vincent, if I understood, the problem continues... If I'm mistaken please tell me what did you do. Did you do the upgrade?

It was a bug in the release version of 0.5. A CVS snapshot fixed it, but if you want to go the least distance from 0.4, then I'd go to 0.6. (Not debating _why_ you'd want to do that, though.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
buggy NAS list?
Is anyone keeping track of buggy NASes, possibly for a known issues list? If not, here's one for the archives in case anyone else bumps into it...

Device: Cisco 3550 switch
OS: IOS 12.1(11)EA1
Problem: Switch was reconfigured to a different IP address, then reports original IP address as its NAS-IP-Address.
Solution: Reboot switch

freeradius in debug mode showed the following:

rad_recv: Access-Request packet from host 172.18.8.13:1812, id=44, length=79
        NAS-IP-Address = 172.18.8.11
        NAS-Port = 2
        NAS-Port-Type = Virtual
        User-Name = (doesn't matter)
        Calling-Station-Id = (doesn't matter)
        (password line deleted)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Dereferencing the .NET pointer reveals its value to be NULL. -- TheRegister.co.uk
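The debug dump above, like the one in the Cisco C2950G thread earlier on this page, prints the packet's real source address on the rad_recv line and the NAS-IP-Address the device claims one line below it. FreeRADIUS picks the client entry (and thus the shared secret) by the source address, so a stale or wrong NAS-IP-Address does not break authentication, which is exactly why it goes unnoticed until something keys off the attribute. The parser below is an added example, not part of the post or of FreeRADIUS; it reads radiusd -X style output and lists every request whose claimed NAS-IP-Address differs from the address it actually arrived from. SAMPLE is a constructed excerpt: the 3550 case from this post, followed by a well-behaved client and its reply so that reply attributes are shown not to leak into the request.

```python
"""Flag RADIUS requests whose NAS-IP-Address attribute disagrees with the
packet's source address, from radiusd debug output (added example)."""
import re

RAD_RECV = re.compile(
    r"rad_recv: (?P<code>[\w-]+) packet from host (?P<host>[\d.]+):(?P<port>\d+), "
    r"id=(?P<id>\d+), length=(?P<length>\d+)")
# attribute lines printed under rad_recv are indented "Name = value"
ATTR_LINE = re.compile(r"^\s+(?P<name>[A-Za-z][\w-]*)\s*(?::=|==|=)\s*(?P<value>.*)$")


def parse_debug(text):
    """Return one dict per received packet: source host/port, id, and the
    attribute lines that follow it. Attribute collection stops at the first
    line that is not an indented attribute, so reply attributes printed later
    under 'Sending Access-Accept' are not mixed into the request."""
    packets = []
    collecting = False
    for line in text.splitlines():
        m = RAD_RECV.search(line)
        if m:
            packets.append({"code": m["code"], "src": m["host"],
                            "src_port": int(m["port"]), "id": int(m["id"]),
                            "length": int(m["length"]), "attrs": {}})
            collecting = True
            continue
        m = ATTR_LINE.match(line)
        if collecting and m:
            packets[-1]["attrs"][m["name"]] = m["value"].strip()
        else:
            collecting = False
    return packets


def nas_ip_mismatches(packets):
    """(id, source address, claimed NAS-IP-Address) for every request where
    the two differ."""
    out = []
    for p in packets:
        claimed = p["attrs"].get("NAS-IP-Address")
        if claimed and claimed != p["src"]:
            out.append((p["id"], p["src"], claimed))
    return out


# constructed debug excerpt: the readdressed 3550 from the post, then a
# client whose claimed address matches, with its reply
SAMPLE = """\
rad_recv: Access-Request packet from host 172.18.8.13:1812, id=44, length=79
        NAS-IP-Address = 172.18.8.11
        NAS-Port = 2
        NAS-Port-Type = Virtual
        User-Name = "someone"
        Calling-Station-Id = "172.18.9.7"
modcall: entering group authorize
rad_recv: Access-Request packet from host 10.1.1.5:1812, id=45, length=79
        NAS-IP-Address = 10.1.1.5
        NAS-Port = 2
        NAS-Port-Type = Virtual
        User-Name = "someone"
Sending Access-Accept of id 45 to 10.1.1.5:1812
        Service-Type := NAS-Prompt-User
"""

if __name__ == "__main__":
    for pkt_id, src, claimed in nas_ip_mismatches(parse_debug(SAMPLE)):
        print(f"id={pkt_id}: packet from {src} claims NAS-IP-Address {claimed}")
```

Feed it a saved radiusd -X transcript (sys.stdin.read() in place of SAMPLE) to get the list for a real server; a device that shows up repeatedly is either misconfigured, stale like the 3550 here, or behind a NAT, and each of those is worth knowing about before anything downstream trusts the attribute.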
I have to be missing something REALLY simple...
I have two production freeradius 0.8.1 boxes running under redhat 7. We've decided to upgrade the freeradius servers to new hardware and redhat 8.

I downloaded fr 0.8.1 to the new machines, did a

./configure --with-snmp=no --with-threads=yes --prefix=(some directory on the machine)

then a make, then a make install. (all as root)

Then I copied over my existing config files (clients.conf, and users... pretty simple config, eh??) to the new machine, and started up radiusd. It runs and authenticates, but for some reason on the new machine it will only launch _one_ thread when run as a daemon.

I HAVE to be missing something simple here, but for the life of me I can't figure out what it is. Configure doesn't complain about any missing thread libraries, and running with full debug ( -X ), I don't see anything enlightening.

Any ideas? I'm stumped, but it sure feels like I missed something simple!

Thanks!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Re: I have to be missing something REALLY simple...(correction)
Correction -- we're moving to RedHat 9, not RedHat 8.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Re: I have to be missing something REALLY simple...
[EMAIL PROTECTED] wrote on 07/08/2003 02:42:28 PM:

> At 02:23 PM 7/8/2003 -0500, [EMAIL PROTECTED] wrote:
> > Then I copied over my existing config files (clients.conf, and users... pretty simple config, eh??) to the new machine, and started up radiusd. It runs and authenticates, but for some reason on the new machine it will only launch _one_ thread when run as a daemon.
>
> How are you determining that it only launches one thread?

ps -aef (tsunami is currently running working system, tidalwave is the rebuilt system...)

[EMAIL PROTECTED] vgiovann]$ ps -aef | grep radiusd
root      4154     1  0 Jul07 ?        00:00:00 /opt/local/radius/sbin/radiusd
root      4155  4154  0 Jul07 ?        00:00:00 /opt/local/radius/sbin/radiusd
root      4156  4155  0 Jul07 ?        00:00:00 /opt/local/radius/sbin/radiusd
root      4157  4155  0 Jul07 ?        00:00:00 /opt/local/radius/sbin/radiusd
root      4158  4155  0 Jul07 ?        00:00:00 /opt/local/radius/sbin/radiusd
root      4159  4155  0 Jul07 ?        00:00:00 /opt/local/radius/sbin/radiusd
root      4160  4155  0 Jul07 ?        00:00:00 /opt/local/radius/sbin/radiusd
vgiovann  7942  7919  0 14:45 pts/2    00:00:00 grep radiusd

[EMAIL PROTECTED] vgiovann]# /opt/local/radius/sbin/radiusd
Tue Jul  8 14:44:34 2003 : Info: Starting - reading configuration files ...
[EMAIL PROTECTED] vgiovann]# ps -aef | grep radiusd
root     29320     1  0 14:44 ?        00:00:00 /opt/local/radius/sbin/radiusd
root     29328 29296  0 14:44 pts/1    00:00:00 grep radiusd

> > I HAVE to be missing something simple here, but for the life of me I can't figure out what it is. Configure doesn't complain about any missing thread libraries, and running with full debug ( -X ), I don't see anything enlightening.
>
> -X is a combination of multiple args. One of which puts it in singlethreaded mode.

d'oh!... :)

> A better combination if you want to debug threadedness, is to run the server with one or more -x ( lowercase! ) flags. This enables debugging messages, without disabling threads.

Ok, second try.

/opt/local/radius/sbin/radiusd -fxxyz
(snip)
Initializing the thread pool...
        thread: start_servers = 5
        thread: max_servers = 32
        thread: min_spare_servers = 3
        thread: max_spare_servers = 10
        thread: max_requests_per_server = 0
        thread: cleanup_delay = 5
Thread 1 waiting to be assigned a request
Thread spawned new child 1. Total threads in pool: 1
Thread 2 waiting to be assigned a request
Thread spawned new child 2. Total threads in pool: 2
Thread 3 waiting to be assigned a request
Thread spawned new child 3. Total threads in pool: 3
Thread 4 waiting to be assigned a request
Thread spawned new child 4. Total threads in pool: 4
Thread 5 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
(snip)

So why don't I see the processes when I do a ps? (Am I correct in reading that they're not really running?)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
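Two separate things are being conflated in this exchange, and both can be checked directly. First, as Alan says, -X bundles several options, one of which forces single-threaded operation, whereas lowercase -x only raises the debug level. Second, ps -aef is a poor thread counter: on a LinuxThreads system (Red Hat 7) every thread shows up as its own process entry, which is what the seven-line listing from the old box is, while on an NPTL system (Red Hat 9) ps -aef lists one entry per process and threads are only visible with ps -eLf or in the Threads: line of /proc/<pid>/status. The script below is an added example, not from the post or from FreeRADIUS: runs_single_threaded() inspects a radiusd command line for an uppercase -X, and thread_count() reads the kernel's own count from /proc; demo() parks a few threads in the current process to show the count moving. The /proc path is the only assumption, and the function returns None where it is absent.

```python
"""Count a process's threads from /proc, and spot a radiusd command line that
implies single-threaded mode (added example)."""
import os
import threading


def thread_count(pid):
    """Kernel threads in process pid, from the 'Threads:' line of
    /proc/<pid>/status, or None where /proc is unavailable (non-Linux)."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Threads:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def runs_single_threaded(argv):
    """True if this radiusd command line carries an uppercase -X, which per
    the thread bundles the flag that disables threads. Lowercase -x, repeated
    or combined (-fxxyz), only raises the debug level."""
    return any(arg.startswith("-") and not arg.startswith("--") and "X" in arg
               for arg in argv[1:])


def demo(n_workers=4):
    """Park n_workers threads in this process and measure before and after:
    the count rises by n_workers even though `ps -aef` on an NPTL system
    would still list a single entry. Returns (before, during)."""
    release = threading.Event()
    workers = [threading.Thread(target=release.wait) for _ in range(n_workers)]
    before = thread_count(os.getpid())
    for w in workers:
        w.start()          # start() returns only once the thread is running
    try:
        during = thread_count(os.getpid())
    finally:
        release.set()
        for w in workers:
            w.join()
    return before, during


if __name__ == "__main__":
    print("radiusd -X single-threaded:", runs_single_threaded(["radiusd", "-X"]))
    print("radiusd -fxxyz single-threaded:", runs_single_threaded(["radiusd", "-fxxyz"]))
    print("threads before/during demo:", demo())
```

For a running daemon, thread_count(pid) with the pid from the ps listing answers the question the -fxxyz run leaves open: a pool of five waiting threads shows as Threads: 6 or so, even when ps -aef shows one line.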
Re: Unique WEP's without LEAP
[EMAIL PROTECTED] wrote on 06/12/2003 09:53:20 AM:

> In a nutshell, can a Cisco Aironet 350 Access Point accept a per-user WEP key from Freeradius (and can Freeradius serve it one)?

Well, you're trying to re-invent EAP without actually using EAP. Can't get there from here; if you want the security of per user rotating WEP keys, you _have_ to do some form of eap (leap, peap, eap-tls, etc.).

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242
Re: freeradius cannot start
[EMAIL PROTECTED] wrote on 06/02/2003 12:27:58 PM:

> Dear sir
>
> When I try to start the radius service, the message:
>
> radiusd -f
> Mon Jun  2 12:33:30 2003 : Info: Starting - reading configuration files ...
> File size limit exceeded
>
> is showing; can anyone tell me what it means, because I cannot find the solution

It means your configuration file is too large.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Dereferencing the .NET pointer reveals its value to be NULL. -- TheRegister.co.uk
Re: Garbase from terminal server / freeradius crashes?
When I had my terminal servers misconfigured (in my case, they were looking for XON/OFF flow control that wasn't there), I had nearly the same results. Check your terminal server config. If you want to test it, how about unplugging your terminal servers for a while and seeing if radius stops dying? (seriously) Although it's almost assuredly a bug that should be addressed (processes dying are _never_ a good thing), might want to get the ball rolling that way.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Brendon Colby [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/28/2003 01:27 PM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Garbase from terminal server / freeradius crashes?

Greetings,

I wrote in a while back about garbage in our logs from our routers. The terminal servers are logging in to the device causing this garbage to show up in the radius logs. For example:

Fri Feb 28 13:16:38 2003 : Auth: Login incorrect: [5)55)AiMM]=Ii] (from client network-backbone port 1)
Fri Feb 28 13:16:38 2003 : Auth: Login incorrect: [9Q%] (from client network-backbone port 1)
Fri Feb 28 13:16:38 2003 : Auth: Login incorrect: [ap-vxr#] (from client corporate-network port 11)

So this is a known issue with the terminal servers logging in to the devices. Our network engineers are aware of this problem but do not know how to fix it. My question is, would this sort of constant stream of garbage hitting our RADIUS server cause freeradius to just die with no warning or errors? This is what happens and I cannot seem to find a reason why. The process just seems to die at random. We're running 0.8.1.

Also, if anyone has any pointers on fixing this issue with all Cisco equipment please let me know. Thanks.

--
Brendon Colby
Systems Administrator
Midcontinent Communications
Re:Free Radius and Inter Access Point Protocol (IAPP - 802.11f)
Yes, it does.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Mohit Bajpai [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/26/2003 04:40 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re:Free Radius and Inter Access Point Protocol (IAPP - 802.11f)

Hi,

Thanks for the reply. I have one more question. I would like to know whether freeRADIUS supports Wireless LAN (IEEE 802.11b) authorization and authentication like EAP/802.1X, ESSID registration and things like that.

Please reply.

Thanks and Regards,
Mohit
Re: run free radius in linux8.0
Start by READING THE DOCUMENTATION THAT COMES WITH IT. (wow, tough answer!)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

hossein sorati [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/16/03 06:02 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: run free radius in linux8.0

How do I run freeradius in linux8.0, create a user account and show the freeradius menu? Thank you.
RE: RADIUS response from incorrect interface
So (and I'm reading in between the lines here), it seems as if you already have two servers, A and B, configured using some sort of clustering so that if A fails, B picks up A's address virtually, and vice-versa.

If so, then I think you're making the problem harder than it is. Typically, most software that does RADIUS will accept a primary and a backup, and is within the client's control which server they decide to talk to. (i.e. you might be making a problem when in fact none really exists!) I would pose that question to your telco; chances are it will automatically fail over to the backup if the primary is unavailable.

Additionally, most layer 7 load balancers also have a provision for determining if the end node is not available and automatically routing traffic to the other available node(s). I would also query your telco on this possibility.

(In other words, the way I see it, you shouldn't need to do any of this virtual IP jazz, because it should already be accounted for in the radius clients themselves!)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Paul Jenner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/07/2003 10:33 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: RE: RADIUS response from incorrect interface

Hi all.

Thanks for so many replies so quickly. I totally take on board the comments about UDP responses on the same IP not being trivial and probably not being worth it to implement. However it's worth pointing out for the record why it's useful here.

The situation here is that the RADIUS requests come from load-balanced upstream telco proxies who require two IPs for the RADIUS servers for both resilience and load-balancing. Normally these would be serviced by two physical servers with two real IPs but, when one server is not available, the other can take over by taking the IP as a virtual interface. There are a lot of arguments about whether this is a sensible thing to do etc. however this is what I am trying to implement (and it works for UDP DNS requests with ISC bind).

Thanks for all the help on this - I think for now I'll look for a solution outside of the RADIUS software (translation on firewalls etc. most likely) as this appears the correct place to do this kind of thing,

Paul
Re: Weird log entries
You wouldn't happen to have that router's console port connected to some sort of terminal server, would you? If so, it's possible that the terminal server is resetting that port (for _whatever_ reason), and then things are going haywire from there. (Just a thought.)

Also would help to know a little more info (like WHAT KIND OF A ROUTER IS IT?).

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Brendon Colby [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/03/2003 08:54 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Weird log entries

Good morning,

In my radius.log, I am seeing strange log entries. After a few weeks radius crashes as well and I'm curious if this has something to do with it.

Mon Feb 3 08:44:49 2003 : Auth: Login incorrect: [p-vxr#] (from client corporate-network port 11)
Mon Feb 3 08:44:49 2003 : Auth: Login incorrect: [port1-vxr = Console to vxr-wtn connected on port1] (from client network-backbone-loopback port 0)

Notice the [p-vxr#]. That's the prompt for the router of course. Why is that getting sent back? Also, I see the login banner is getting sent back as well on a Login incorrect entry. I am constantly getting hit with log entries like this with all sorts of fragments in the [] section. I'm using freeradius 0.8.

One other thing - I like grouping subnets in the clients.conf file. Is there a way to get RADIUS to log the actual hostname of the client rather than the group name (corporate-network or network-backbone etc.)?

Thanks

--
Brendon Colby
Systems Administrator
Midcontinent Communications
Re: FW: Load balancing over two freeRADIUS Server
Most load balancers (ex: foundry and extreme switches) have various methods of hashing whether a connection goes to machine A or B (or C or D or ...). I was originally going to suggest changing the default hashing algorithm to something other than the default. Many load balancers (except Cisco) by default run a hash on [Orig IP + Orig Socket + Dest IP + Dest Socket]. In order to ensure that (for example) your authentication requests and accounting go to the same server, you'd have to change the hashing method to be just [Orig IP].

However, that's a bad fit since typically the IP address of your NAS doesn't change, and/or the number of NASes is (relatively) low. Each individual NAS would always be going to the same server all the time.

If I were you, I'd save the money on a load balancer and hand configure NAS A to go to radius server A, NAS B to go to server B, NAS C to go to A, NAS D to go to B, etc. (Of course, you'd want NAS A to contact server B as a secondary, in case either one of your radius servers dies. But it should prefer A.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Chesi Maurizio [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/03/2003 02:06 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc: Continanza Biagio [EMAIL PROTECTED], Beligni Davide [EMAIL PROTECTED]
Subject: FW: Load balancing over two freeRADIUS Server

We have been asked to put a load balancer to distribute the load between two radius servers. The architecture will encompass a hardware load balancer in front of 2 freeRADIUS servers.

We are wondering if this may cause a problem being the possibility that, for example an access-request may be managed by a server and, in case of challenge, the response access-request containing the response to the challenge may be managed by the other radius server.

Thank you for any suggestion.

Maurizio Chesi
NETikos
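The exchange above turns on which fields the balancer hashes. The simulation below is an added example, not code from the thread or from any balancer vendor: two RADIUS servers sit behind a balancer that hashes either the full 4-tuple or only the originating IP, and a challenge/response exchange keeps its state on whichever server issued the challenge, so the follow-up Access-Request can land on a server that has never seen the session. The server names, addresses, ports and the toy octet-sum hash are all constructed for the demonstration; `static_assignment` is the hand-configured alternative from the reply.

```python
"""Added example: how balancer hashing decides whether both halves of a RADIUS
challenge/response reach the same server. Constructed for illustration."""

SERVERS = ("radiusA", "radiusB")
RADIUS_VIP = "10.0.0.5"   # the balancer's virtual address (constructed)


def _ip_weight(ip):
    """Sum of the dotted-quad octets; a hand-checkable stand-in for a real hash."""
    return sum(int(octet) for octet in ip.split("."))


def hash_4tuple(pkt):
    """Default described in the reply: [Orig IP + Orig Socket + Dest IP + Dest Socket]."""
    key = (_ip_weight(pkt["src_ip"]) + pkt["src_port"]
           + _ip_weight(pkt["dst_ip"]) + pkt["dst_port"])
    return SERVERS[key % len(SERVERS)]


def hash_src_ip(pkt):
    """Alternative described in the reply: hash on [Orig IP] only."""
    return SERVERS[_ip_weight(pkt["src_ip"]) % len(SERVERS)]


def packet(src_ip, src_port, dst_port, code, user):
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": RADIUS_VIP,
            "dst_port": dst_port, "code": code, "user": user}


# Constructed exchange from one NAS: the Access-Request that gets challenged,
# the Access-Request carrying the challenge response (sent from a new source
# port), and the Accounting-Request for the same session.
NAS1 = "192.168.1.10"
EXCHANGE = [
    packet(NAS1, 4610, 1812, "Access-Request", "alice"),
    packet(NAS1, 4611, 1812, "Access-Request/challenge-response", "alice"),
    packet(NAS1, 4612, 1813, "Accounting-Request", "alice"),
]


def run_exchange(chooser, exchange=EXCHANGE):
    """Route each packet with `chooser` and return [(code, server, outcome), ...].
    Challenge state exists only on the server that issued the challenge."""
    pending = {name: set() for name in SERVERS}
    results = []
    for pkt in exchange:
        server = chooser(pkt)
        session = (pkt["src_ip"], pkt["user"])
        if pkt["code"] == "Access-Request":
            pending[server].add(session)
            outcome = "Access-Challenge"
        elif pkt["code"] == "Access-Request/challenge-response":
            if session in pending[server]:
                pending[server].discard(session)
                outcome = "Access-Accept"
            else:
                outcome = "Access-Reject (no challenge state on this server)"
        else:
            outcome = "Accounting-Response"
        results.append((pkt["code"], server, outcome))
    return results


def static_assignment(nas_ips):
    """Hand configuration suggested in the reply: alternate NASes between the
    two servers, each NAS keeping the other server as its secondary."""
    plan = {}
    for i, nas in enumerate(nas_ips):
        primary = SERVERS[i % len(SERVERS)]
        secondary = SERVERS[(i + 1) % len(SERVERS)]
        plan[nas] = (primary, secondary)
    return plan


if __name__ == "__main__":
    for name, chooser in (("4-tuple hash", hash_4tuple), ("source-IP hash", hash_src_ip)):
        print(name)
        for code, server, outcome in run_exchange(chooser):
            print(f"  {code:36} -> {server}: {outcome}")
    print(static_assignment(["nasA", "nasB", "nasC", "nasD"]))
```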
Re: Weird log entries
It sounds as though the configuration on the terminal server isn't quite right. I had similar loads of crap show up in my logs when I was figuring out how to wire mine up. :) Off the top of my head, make sure the device and the terminal server agree on connection parameters (CTS/DTS, XON/XOFF, etc.) and DON'T accept connections from the router (i.e. connections are only made from the terminal server to the device, not bidirectionally).

(That's a good idea anyway, since if someone compromises the router, you don't want them to be able to hop on your out of band network. Never heard of this happening, but it's theoretically possible.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Brendon Colby [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/03/2003 09:13 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Re: Weird log entries

On Mon, Feb 03, 2003 at 08:55:47AM -0600, [EMAIL PROTECTED] wrote:
> You wouldn't happen to have that router's console port connected to some sort of terminal server, would you? If so, it's possible that the terminal server is resetting that port (for _whatever_ reason), and then things are going haywire from there. (Just a thought.)

Ah yes, we have most of our routers connected to out of band routers. What can I do to stop this? I'm upgrading to 0.8.1 now just in case.

> Also would help to know a little more info (like WHAT KIND OF A ROUTER IS IT?).

Two of them that I've been able to determine are Cisco 7206VXRs running IOS 12.1(8a)E. Maybe those are the only two that are generating all those errors. I can't tell exactly what router / device is doing what since RADIUS is reporting just the subnet group.

--
Brendon Colby
Systems Administrator
Midcontinent Communications
Re: Radius authentication using RSA/SecurID ACE-Server
Unfortunately, no, there is no plug in so that freeradius can directly authenticate against an ACE server.

I have been in contact with RSA on this issue. RSA's response was basically, 'We've never heard of freeradius, so piss off.' I even offered to write the freeradius plug in. RSA's reply was that if I wrote a plug in, that I'd be in violation of the RSA licensing agreement if I were to give the code back to the freeradius project for distribution.

So the long and the short of it is this: IF YOU WANT FREERADIUS TO SUPPORT SECURID --EVER--, CONTACT YOUR RSA REP (if you need an address to contact let me know) AND DEMAND THEY SUPPORT IT! (Then _maybe_ they'll let me write a plugin that doesn't violate the licensing agreement. Maybe.)

- What you _can_ do in the interim is proxy against the piss poor radius server built into ACE, but that's a sub-sub-sub optimal solution.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Frank Sackewitz [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/30/2003 02:23 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Radius authentication using RSA/SecurID ACE-Server

Hello Folks!

I'm planning to use a Radius-Server for the Authentication/Accounting of my VPN-Users. Is there a plugin for an ACE-Server, so the Radius-Server asks the ACE to authenticate the user?

--
Bye
Frank Sackewitz
Re: RSA security server token authentication
No, it does not. (Unfortunately.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Choudary Asad Mumtaz [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/21/03 06:24 PM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: RSA security server token authentication

Hi All,

Does freeradius support token authentication from rsa security server? Your help will be greatly appreciated.

Thank you.
Choudary.
Re: RSA security server token authentication
Actually, that you _can_ do. I personally detest the radius server that is built into ACE and refuse to use it in any manner, either as the target of a proxy or as the direct client target. But there's no reason why you _couldn't_ do exactly what you describe with FR and an ACE server.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Choudary Asad Mumtaz [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/21/03 09:35 PM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Re: RSA security server token authentication

Hi Vincent and Alan,

Thank you very much for your quick response. I was under the impression that by turning on the proxy requests feature, it could send requests to the rsa security server. As freeradius doesn't have this feature, does someone have another free solution to the problem :).

Thank you.
Choudary.
Re: ScanMail Message: To Recipient Match eManager setting and take action.
I got one too, and it appeared to come from inside my domain also. Apparently, the machine that is receiving the mail appends its address. (i.e. @rush.edu was not appended, but the machine's full name was appended.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Simon White [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/19/2002 05:33 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Re: ScanMail Message: To Recipient Match eManager setting and take action.

19-Dec-02 at 06:09, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote :
> eManager Notification *
> The following mail was blocked since it contains sensitive content.
> Source mailbox: [EMAIL PROTECTED]
> Destination mailbox(es): [EMAIL PROTECTED]
> Rule/Policy: Sexually Explicit
> Action: Quarantine to D:\Program Files\Trend\SMCF\Quarantine\2002-12-19\06-09-04.2728
> Content filter has detected a sensitive e-mail.
> *** End of message *

If anyone can shed some light on this message, I'd be interested. I don't dig why it appears to be from [EMAIL PROTECTED] when our mail server is nowhere at all in the headers and we're not running eManager anyway. Was the mail sent as Administrator and my MTA adds my domain? What did others on the list get?

Isn't it time to block non-subscribers?

Cheers,
--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: User Configuration Help and Interesting Scenario
You do NOT need to use a database to cause freeradius to re-read its users file. You simply have to sigHUP it.

Also, the reply-message packet is not guaranteed. Well, let me say that better. It's guaranteed that Freeradius will send it if you specify it. It is NOT guaranteed what the NAS will do with it. (Some NASes will ignore it, many will show it to the user.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Chris Brotsos [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/27/2002 07:39 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Re: User Configuration Help and Interesting Scenario

Alan,

At 11:38 PM 11/27/2002 +1100, you wrote:
> Dear all,
> I have just installed radius 0.8 on my redhat 7.2 box. Being a total newbie I just wanted to know two things...
>
> 1) Firstly how do I add new users and then without restarting make radius reread the users file? Is there a configuration switch to allow me to do that? If it isn't possible, can I set up a database and do it that way? I just need to know how to dynamically add new users without restarting the radius server.

Yes, you will need to use a database.

> 2) Is it possible for radius to also send back a string (password) back to the client instead of just accept-accept. Or will I have to set up another machine or program to do that?

I am a little unsure of what you mean here, but I think you are referring to the use of a Reply-Message attribute that can be added to the user's profile to send back a string with your Access-Accept packet.

Chris
Re: Telnet auth against Cisco Router
Looks like you're trying to bring over a users file from a different radius server. Here's what a working entry looks like:

someuser Auth-Type := Local, Password == "userpassword", NAS-IP-Address == 127.0.0.3
         Reply-Message = "[myserver] Howdy!",
         cisco-avpair = "shell:priv-lvl=1"

Obviously, that example also is good for ONLY nas 127.0.0.3, but it should give you a running start. (You should leave that cisco-avpair in there; if you don't have it, you can crash Catalyst 5000 series switches running radius on login.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Thomas Linden [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/15/2002 05:47 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Telnet auth against Cisco Router

Hello folks,

I successfully installed the freeradius server (version 0.7.1). I configured a cisco router for authenticating telnet access against the radius server. So far, I've got them talking together, but the radius rejects my auth request. here is the entry of my users file:

DEFAULT Auth-Type := Local
        Fall-Through = 1

scip    Auth-Type = Local, User-Password = sack,
        Service-Type = Login-User, Login-Service = Telnet

(that means, I don't want to use /etc/passwd or the like, the password has to be in the users file).

Now if I telnet to the cisco, the radius server (started with -X) states:

rad_recv: Access-Request packet from host 192.168.yyy.yyy:1645, id=39, length=106
        User-Name = scip
        User-Password = \313\336\337\231:\335$2\241_\242\252\326\333W
        NAS-Port = 3
        Cisco-AVPair = interface=tty3
        NAS-Port-Type = Virtual
        Calling-Station-Id = 192.168.***.***
        Service-Type = Login-User
        NAS-IP-Address = 192.168.yyy.yyy
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module chap returns noop
rlm_realm: Looking up realm NULL for User-Name = scip
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
    users: Matched DEFAULT at 215
    users: Matched scip at 218
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): [scip/sack] (from client routers port 3 cli 192.168.***.***)
auth: Failed to validate the user.
Login incorrect: [scip/sack] (from client routers port 3 cli 192.168.***.***)

Here is, what I see on the cisco side:

20:54:06: RADIUS/ENCODE(0024): ask Username:
20:54:06: RADIUS/ENCODE(0024): send packet; GET_USER
bb03#
20:54:08: RADIUS/ENCODE(0024): ask Password:
20:54:08: RADIUS/ENCODE(0024): send packet; GET_PASSWORD
20:54:09: RADIUS/ENCODE(0024): acct_session_id: 36
20:54:09: RADIUS(0024): sending
20:54:09: RADIUS: Send to unknown id 40 192.168.xxx.xxx:1812, Access-Request, len 106
20:54:09: RADIUS:  authenticator 68 7C D8 7B 7C AF 3B 96 - 39 73 88 10 E1 3A 5E 8D
20:54:09: RADIUS:  User-Name           [1]   6   scip
20:54:09: RADIUS:  User-Password       [2]   18  *
20:54:09: RADIUS:  NAS-Port            [5]   6   3
20:54:09: RADIUS:  Vendor, Cisco       [26]  22
20:54:09: RADIUS:   Cisco AVpair       [1]   16  interface=tty3
20:54:09: RADIUS:  NAS-Port-Type       [61]  6   Virtual [5]
bb03#
20:54:09: RADIUS:  Calling-Station-Id  [31]  16  192.168.***.***
20:54:09: RADIUS:  Service-Type        [6]   6   Login [1]
20:54:09: RADIUS:  NAS-IP-Address      [4]   6   192.168.yyy.yyy
bb03#
20:54:11: RADIUS: Received from id 40 192.168.xxx.xxx:1812, Access-Reject, len 20
20:54:11: RADIUS:  authenticator 8B CF FB C9 C3 5D 00 B0 - DF BD 52 66 0A 08 C7 02
20:54:11: RADIUS: Received from id 24
20:54:11: RADIUS/DECODE: parse response short packet; IGNORE

my question: how can I get freeradius to let me telnet into the cisco router? why does it claim that there is no password set, although it's defined in the users file?

thanks in advance,
Tom

--
Thomas Linden [EMAIL PROTECTED], I Z B Informatik-Zentrum Muenchen-Frankfurt a.M. GmbH Co.KG, Internet Service Providing OE532
Tel:089/2171-27998, Fax:089/2171-27995, http://www.izb.de
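The working entry in the reply above has two parts: check items on the first line (`==` compares against the request, `:=` sets a server control value such as Auth-Type) and reply items on the indented lines. The matcher below is an added example, not code from the thread or from FreeRADIUS, that parses that entry and evaluates a request against it, showing why it is good only for NAS 127.0.0.3. The request is constructed; the entry is the one quoted in the reply, with its string values quoted; `Password` is treated as an alias for `User-Password`, which is an assumption about the old attribute name.

```python
"""Added example: a minimal users-file matcher for the entry quoted above.
Not part of the mailing-list thread or of FreeRADIUS itself."""
import re

# The entry from the reply, with string values quoted.
USERS_FILE = '''\
someuser Auth-Type := Local, Password == "userpassword", NAS-IP-Address == 127.0.0.3
         Reply-Message = "[myserver] Howdy!",
         cisco-avpair = "shell:priv-lvl=1"
'''

ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,]+)\s*,?')
# Assumption: old users files say Password where the request carries User-Password.
ALIASES = {"password": "user-password"}


def _parse_items(text):
    """Turn 'Attr op value, Attr op value' into [(attr, op, value), ...]."""
    items = []
    for attr, op, value in ITEM_RE.findall(text):
        attr = attr.lower()
        items.append((ALIASES.get(attr, attr), op, value.strip().strip('"')))
    return items


def parse_users(text):
    """Return [(name, check_items, reply_items)] from users-file text.
    A line starting in column 1 opens an entry (name, then check items);
    indented lines that follow carry its reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1][2].extend(_parse_items(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append((name, _parse_items(rest), []))
    return entries


def match_request(entries, request):
    """Return (control, reply) for the first entry whose check items all hold,
    or None when no entry matches. `request` maps lower-cased attribute
    names to string values, as they arrive in the Access-Request."""
    for name, checks, replies in entries:
        if name != "DEFAULT" and request.get("user-name") != name:
            continue
        control, ok = {}, True
        for attr, op, value in checks:
            if op == ":=":
                control[attr] = value        # server control item, e.g. Auth-Type
            elif op == "==":
                ok = ok and request.get(attr) == value
            else:
                ok = False                   # '=' is not a comparison; treat as no match here
        if ok:
            return control, {attr: value for attr, _, value in replies}
    return None


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    req = {"user-name": "someuser", "user-password": "userpassword",
           "nas-ip-address": "127.0.0.3"}
    print("from 127.0.0.3:", match_request(entries, req))
    print("from another NAS:", match_request(entries, dict(req, **{"nas-ip-address": "192.168.1.1"})))
```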
RE: ScanMail Message: To Recipient Match eManager setting and take action.
We could always send a bunch of actual swears to [EMAIL PROTECTED] and see what happens. :)

That has to be the first filter I've seen that considers freeradius a dirty word. Figures, it's a MS product.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Gene Parks [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/29/2002 10:10 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: RE: ScanMail Message: To Recipient Match eManager setting and take action.

Somebody want to tell me what idiot is polluting the mailing list with this stupid filter? If you want to filter you own stuff, GREAT! Just don't tell us about because WE DON'T CARE.

Gene Parks
VIP Direct

-Original Message-
From: System Attendant [mailto:EXCHANGE-SA;nrtc.org]
Sent: Tuesday, October 29, 2002 10:31 AM
To: '[EMAIL PROTECTED]'
Subject: ScanMail Message: To Recipient Match eManager setting and take action.

eManager Notification *
The following mail was blocked since it contains sensitive content.
Source mailbox: [EMAIL PROTECTED]
Destination mailbox(es): [EMAIL PROTECTED]
Rule/Policy: Profanity
Action: Quarantine to C:\Program Files\Trend\SMCF\Quarantine\2002-10-29\10-31-13.40921
Content filter has detected an e-mail that contains profanity
*** End of message *
Anyone running freeradius with SecurID?
I know it's been mentioned before that SecurIDs could be used as an external (to freeradius) authenticator. Is anyone out there currently running this kind of config? (I'd rather not reinvent the wheel if someone has gone through the pain.)

Thanks!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia
RE: Anyone running freeradius with SecurID?
Unfortunately, I've actually looked at the radius server built in, and it's _really_ scary. (I'd _almost_ rather run no authentication than that radius server!) It's very similar to their support of LDAP. They import the whole ldap tree once, and wow! they support LDAP! No, not really...

Thanks, though.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

Gene Parks [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/28/2002 10:15 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: RE: Anyone running freeradius with SecurID?

SecurID has its own radius server built in. You can proxy to it or just point your clients straight at it.

Gene Parks
VIP Direct
Re: Ignoring request from unknown client
Two possible scenarios:

1) You don't have this client defined in your clients.conf file.
2) Someone is sending you radius requests you don't know about. Go whack 'em.

(Note that 1 doesn't preclude 2 from happening. :) )

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/20/2002 10:33 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Ignoring request from unknown client

Hi

I am running radiusd in debugging mode

radiusd -fxxyz -p 1812

Returns these results: (ip's *'d out)

rad_recv: Access-Request packet from host ***.**.16.64:4610, id=0, length=61
Ignoring request from unknown client ***.**.16.64:4610

Any suggestions? Need more info?
Re: Is it possible to use it locally(LAN)
RADIUS is an authentication mechanism. It doesn't know (or care about) the type of link (LAN/WAN/MAN) it travels across.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Pinball is a way of life. My way!

Bala [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/10/2002 01:04 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Is it possible to use it locally(LAN)

Hi All,

I am new to this list and Radius software. Is it possible to configure RADIUS for a LAN environment? If so, what additional/supporting software is needed?

Thnx,
Bala.
RE: RADIUS book from O'Reilly
This might be a dumb question, but... I'd like to buy the book and have my company pay for it. (Read: fill out a PO, go through the whole purchasing thing, blah blah blah...) Any way for FR to get the kickback then? (I'd imagine not, but figured I'd ask anyway.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Pinball is a way of life. My way!

Jonathan Hassell [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/30/2002 03:07 PM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc:
Subject: RE: RADIUS book from O'Reilly

And I just happen to be the author of said O'Reilly book, and I monitor this list frequently. I haven't had time to contribute much during the past few months, though. At any rate, please feel free to ask any questions about the book to me personally, or call me stupid, and I'll do my best to respond appropriately. (No, I won't hold it against you for calling me stupid.)

If you do decide to purchase the book, please do so through the FreeRADIUS site. There is a real potential for a decent chunk of change to become available to support the development of this project.

Thanks for your support!

Jonathan Hassell
[EMAIL PROTECTED]

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 30, 2002 2:01 PM
To: [EMAIL PROTECTED]
Subject: RADIUS book from O'Reilly

A RADIUS book from O'Reilly has been announced, and it's on Amazon. See:

http://www.freeradius.org/related/

I've taken the liberty of signing up for an 'Amazon associates' program, so if you're thinking about buying the book, please use the link, and some $$ will be contributed to FreeRADIUS.

Since there is currently no legal entity called FreeRADIUS, I've signed up for the Amazon Associates program under my name. If the incoming $$ are sufficient, it may be worth legally registering FreeRADIUS as a non-profit entity.

In any case, the moneys received from the associates program will go to fostering the development of the server. I will be posting periodic summaries of the $$, and requests for comment as to where/how the money should be spent. If, in fact, the link makes money. :)

In the interests of transparency, I was a technical reviewer of the book, and saw it in pre-publication draft. It isn't perfect, but it's better than the nearly complete lack of documentation that comes with the server today. It also explains in greater detail the why and the how of the RADIUS protocol, and may answer many initial questions someone may have about the RADIUS protocol, and the FreeRADIUS server.

Alan DeKok.
Re: specify shadow passwd file
Do you have to configure the Radius server before you run the daemon?

Nah; you can run the daemon any old time. Don't bother configuring it or reading the config or documentation files. They're there just to pad the download. You don't even have to bother compiling or untarring it to disk; just pipe the tar output to gcc and it'll run right in place!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Pinball is a way of life. My way!
freeradius 0.5 complaining about UNKNOWN-NAS (that was previously working)
Note: certain parts of this email have been munged for confidentiality reasons. (i.e. IP addresses, login names, and passwords have been scrambled.)

I recently upgraded my primary RADIUS server from freeradius 0.3 to 0.5. Now, however, I'm getting strange entries in my radius.log file:

Tue Mar 19 10:57:29 2002 : Auth: Login OK: [someguy] (from nas UNKNOWN-NAS port 2 cli 144.74.x.y)

I have at least four different NASes that are defined with shortnames in clients.conf that now generate similar log lines in radius.log. Devices are from multiple manufacturers (primarily Cisco and Marconi). None of the configurations for any of these NASes have changed; only freeradius has been upgraded from 0.3 to 0.5. (clients.conf was also not changed going from 0.3 to 0.5.) So I'm pretty stumped as to why freeradius is all of a sudden calling these unknown NASes, but still allowing them to authenticate.

I threw the server into debug mode, and obtained the following (as an example)... Maybe it can help. Anyone have any ideas here?

--- Walking the entire request list ---
Cleaning up request 0 ID 105 with timestamp 3c98a291
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 144.74.m.N:1645, id=106, length=79
NAS-IP-Address = 144.74.m.N --- 144.74.m.N matches the IP in above line, and also what's in clients.conf
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = someguy
Calling-Station-Id = 144.74.x.y
Password = (deleted)
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 71
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate
modcall[authenticate]: module unix returns ok
modcall: group authenticate returns ok
radius_xlat: '[primary_radius_server] Hello, someguy'
Login OK: [someguy] (from nas UNKNOWN-NAS port 2 cli 144.74.x.y)
Sending Access-Accept of id 106 to 144.74.m.N:1645
Reply-Message = [primary_radius_server] Hello, someguy
Cisco-AVPair = shell:priv-lvl=x
Service-Type = Login-User
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 106 with timestamp 3c98a2ae
Nothing to do. Sleeping until we see a request.

If there's anything else that would be handy in debugging, let me know and I'll grab it! :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242

Monday is the term used to signify the eighth day of my work week.
Re: List of RADIUS attributes is now available
The attribute names are sorted alphabetically, and are cross-referenced to the RFC's

It should not be possible to quickly discover what an attribute means, what it does, and where it's defined

Well, if it's not possible, why'd you bring it to our attention? :)

[Yes, fully aware of the typo!]

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242

Monday is the term used to signify the eighth day of my work week.
Re: user interface
Great, now I have to go kvetch at the linux folks. :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242

Monday is the term used to signify the eighth day of my work week.

Tarquin Douglass (Astronet Internet Access) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/03/02 02:14 PM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: user interface

G, I did not realise that it was yours, I got it off a QOD from a Linux box I set up and thought that it was perfect for me. Anyway, it is good to see that someone else is also dedicated to work, work, work... :(

Monday is the term used to signify the eighth day of my work week.

Regards
Tarquin Douglass
Astronet Internet Access
Office: (031) 3094760
Home: (031) 2692954
Cel: (083) 5557890
http://www.astronet.co.za

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 03, 2002 7:05 PM
Subject: Re: user interface

You have to wonder how original his product will be when he rips off the signature of someone on the same group lock, stock, and barrel, even including the quotes! I'll shut up now... :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242

Monday is the term used to signify the eighth day of my work week.

Tarquin Douglass (Astronet Internet Access) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/02/02 06:28 PM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: user interface

Yes I have and it is called AstroAdmin. A final beta release of this software will be ready very soon. It includes many features like billing, AAA accounting, network monitor, webmail and support tickets as well as an online signup.

Monday is the term used to signify the eighth day of my work week.

Regards
Tarquin Douglass
Astronet Internet Access
Office: (031) 3094760
Home: (031) 2692954
Cel: (083) 5557890
http://www.astronet.co.za

- Original Message -
From: George [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 03, 2002 12:53 AM
Subject: user interface

Has anyone developed a user interface for freeradius so that subscribers could check their own online times?
Re: [List-Error] Doubled up messages..
Yeah, I'm having that problem with the list also. (Receiving double messages all of a sudden.) Although, as I write this, it _seems_ to have stopped. Seems. :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Monday is the term used to signify the eighth day of my work week.

Matthew Wallis [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/11/02 08:49 PM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc:
Subject: [List-Error] Doubled up messages..

Is it just me, or have a few people been receiving copies of old mail? I've received a second copy of Alan's reply to the Windows XP PPPoE client bug, and various other freeradius emails in the last 10 minutes. I'm on half a dozen mailing lists, and I'm only getting freeradius-users a second time.

Matt.
Re: Paranoid Configuration
If you're paranoid, disconnect the machines' (client, server) primary interface from the internet. (Can't hack something you can't get to!)

If you're really paranoid? Install a second NIC in both the server and the client, run a crossover cable between the two, and use a private IP address space.

If that's not good enough, write scripts on both the server and the client that change the radius key once an hour and re-start the freeradius daemon. (Suggestion would be something like a SecurID rotating key. Then again, there are other radius daemons that support Security Dynamics' products directly, so might want to switch to one of them.)

If THAT'S not good enough, have only one user machine, one radius client machine, and one radius server and put them all in the same white room with no external links whatsoever. Basically, go Mission Impossible on them; have everyone who needs to get to the information strip searched on entry and exit. Use multiple biometrics and passphrase challenges on entry and exit. Armed guards at the door. You know, the whole nine yards.

So how paranoid ARE you, anyway? :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Monday is the term used to signify the eighth day of my work week.

Gary Barnden [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/22/01 06:48 AM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc:
Subject: Paranoid Configuration

Hello all,

If one was really paranoid, how would one secure the communication between a radius client and a server?

Thanks in advance
Gary
Re: Configuring -(Password -attribute)FreeRadius Server
This request seems a bit absurd to me. If you don't want to check the passwords, then why are you running any access control at all? Take off all access control and you'll achieve what you want. (NOT a good idea, but seems to be what you're going after here.)

Not only that, but it's the Radius CLIENT that's sending the user password to the server; the freeradius server is not in control of what attributes are sent to it. If you _really_ don't want that information sent to the server, then you need to modify the client. (Good luck, because that would defeat the whole purpose of Radius.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Monday is the term used to signify the eighth day of my work week.

Selvam Murugesan [EMAIL PROTECTED]
Sent by: freeradius-users-admin@lists.cistron.nl
12/07/2001 12:37 AM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc:
Subject: Configuring -(Password -attribute)FreeRadius Server

Hi,

I have a simple doubt regarding FreeRadius Server Configuration. Is it necessary to have the User-Password Attribute in an Access-Request Packet that we send to the FreeRadius Server? Can we not configure the FreeRadius Server in such a way that it would process a Request without the User-Password attribute? I require this basically to authenticate Requests arising from radius clients authenticating wireless clients.

Can anyone shed some light on this?

Thanks in Advance
Selvam
Re: FreeRadius and /etc/shells
What you're trying to do should work; I have several users set up that way (not in shadow or passwd, but only in the freeradius users file). They don't have any shells defined either.

Try running freeradius in debug ( /X ) mode; that should give lots of hints as to what's going wrong.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Monday is the term used to signify the eighth day of my work week.

Ben Hockenhull [EMAIL PROTECTED]
08/20/2001 03:20 PM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc: (bcc: Vincent Giovannone/Rush/RSH)
Subject: FreeRadius and /etc/shells

I'm migrating from Merit RADIUS to FreeRADIUS 0.2 and I'm running into trouble.

On Merit RADIUS, I can set up users who exist only in the /etc/raddb/users file, and not in /etc/passwd, and use local password authentication right in the users file.

Trying to do the same thing with FreeRADIUS, I run into authentication problems, and I think that it is due to the fact that the users in question do not exist in /etc/passwd, and thus have no shell to compare to /etc/shells. I read about adding /RADIUSD/ANY/SHELL to /etc/shells, but that does not seem to have helped.

Any ideas? I'm sure this can be done, but I can't seem to find it documented. I don't want to have to add every user to /etc/passwd.
Re: free radius only working in debug mode
I had the same problem when I first fired up freeradius. I was authenticating off of the local shadow file. The problem turned out to be that the username ( / group) listed in the radiusd.conf file did not have permissions to read the shadow password file. (Note that freeradius does NOT launch under the configured username when run in debug mode, which completely masks permissions problems like this one.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Monday is the term used to signify the eighth day of my work week.

steve steve@oceanwide.co.nz
08/16/2001 08:54 PM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc: (bcc: Vincent Giovannone/Rush/RSH)
Subject: free radius only working in debug mode

Hello,

I have just installed free radius on Solaris 8. The problem I am having is that free radius will only authenticate in debug mode.

If I start it like this

radiusd -xxyz -l stdout

works great. But when I start it like this

radiusd

It starts OK but rejects all users.

Has anyone seen this problem before? I can post configs and debug outputs or logfiles etc. if needed.

Thank you
Steve
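A check for the permissions problem described in this reply, added as an example that is not part of the original thread: it reads the user and group from a radiusd.conf fragment and works out whether that identity could read the shadow file, alongside the root identity that debug mode keeps. The config fragment, the account table and the shadow file's mode/owner are constructed samples standing in for pwd/grp and stat lookups; the radiusd.conf keys "user" and "group" are the real ones.

```python
"""Would the identity radiusd drops to be able to read the shadow file?

Added example, not from the original thread. The daemon switches to the
'user'/'group' set in radiusd.conf; 'radiusd -X' stays root, so a permissions
problem on /etc/shadow only shows up in normal mode. All data below is
constructed: a radiusd.conf fragment, a tiny account database standing in
for pwd/grp, and a stat triple (mode, uid, gid) for a typical /etc/shadow.
"""
import re
import stat

RADIUSD_CONF = """
# constructed radiusd.conf fragment
user = radius
group = radius
"""

# Constructed account database: name -> (uid, group ids); group name -> gid.
USERS = {"root": (0, [0]), "radius": (105, [105])}
GROUPS = {"root": 0, "shadow": 42, "radius": 105}

# Constructed stat for /etc/shadow: mode 0640, owned by root:shadow.
SHADOW_STAT = (0o640, 0, GROUPS["shadow"])

KEY_RE = re.compile(r"^\s*(user|group)\s*=\s*(\S+)", re.MULTILINE)


def daemon_identity(conf_text):
    """Return the (user, group) names radiusd drops to after startup."""
    found = dict(KEY_RE.findall(conf_text))
    return found.get("user"), found.get("group")


def can_read(file_mode, file_uid, file_gid, uid, gids):
    """Classic Unix read check: owner bits, else group bits, else other bits.
    uid 0 always succeeds, which is exactly why debug mode hides the problem."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(file_mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(file_mode & stat.S_IRGRP)
    return bool(file_mode & stat.S_IROTH)


def diagnose(conf_text, users=USERS, groups=GROUPS, shadow=SHADOW_STAT):
    """Compare debug-mode (root) and daemon-mode access to the shadow file."""
    user, group = daemon_identity(conf_text)
    uid, gids = users[user]
    gids = set(gids) | {groups[group]}          # primary group from radiusd.conf
    return {
        "debug_mode": can_read(*shadow, 0, {0}),   # radiusd -X keeps root
        "daemon_mode": can_read(*shadow, uid, gids),
    }
```

A result of debug_mode True and daemon_mode False is the situation described in the reply: the fix is to give the configured group read access to the shadow file (or to authenticate against a source the daemon's identity can read), not to keep running in debug mode.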