Re: semaphore not initialized - Question on how to implement
At 09:04 PM 12/17/2003, David Watson wrote:

> I'm trying to run freeradius on an OS X machine and I have been reading threads relating to issues people have had over the years when receiving a message saying:
>
>   ERROR: Failed to initialize semaphore: Function not implemented
>
> Running radiusd -X works fine on OS X but doing rc.radiusd start or just radiusd gives the error. I'm guessing that the -X parameter, which gives realtime logging information, probably doesn't use semaphores as it may only be a single thread.

-X is shorthand for several options, one of which causes the server to run in single-threaded mode. If you want normal operation with debugging messages, use ( -x -x ) instead.

> I have downloaded the BSD code for semaphores and copied libsem.a and the associated .h, .c and .o files to the /src/main directory. I've gone into the Makefile and edited the libs line to look like this as per the message at http://www.mail-archive.com/[EMAIL PROTECTED]/msg04260.html (I think there was a typo in the original message and I interpreted it to really be this).
>
>   LIBS+= -lradius $(SNMP_LIBS) libsem.a
>
> Implementing this change or the alternate one suggested on the above link has not changed the situation. I am not an expert with linking libraries. OS X with developer tools does have a semaphore.h file located in /usr/include. I would guess that there may be a dynamic library somewhere in the OS. Could this be conflicting with the BSD implementation I downloaded? What is the process to get this to link properly?

The latest CVS should build on an OSX system, though it gets trickier if you want to use modules such as SQL due to the way OSX handles libraries and linking.

-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless! \ Director, Engineering | @ @ | \ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mac OS X
At 10:36 AM 12/17/2003, Cris Boisvert wrote:

> I'm setting up Freeradius on a Mac running OS X 10.3 with the dev tools installed. The normal
>
>   ./configure
>   make
>   make install
>
> isn't working.. I'm getting errors.. Does anyone have any additional switches to make this work and save me some aggravation?

It works for me, running with the dev tools on 10.3. You could perhaps try posting the error you are getting.

-Chris
Re: Freeradius Ip address assignation
At 08:29 AM 12/16/2003, Alex Rodriguez wrote:

> Is there a way for freeradius to be the one assigning the dynamic IP addresses, instead of the access server assigning them? I am trying to create different groups, with different dynamic ranges of IP addresses, for a project, and I cannot do that on the Ascend MAX. Only the pool assignment can be specified, using different PRIs or phone numbers.

You can actually. If you put the IPs in different pools on the MAX, you can tell it which pool to pull a dynamic IP from via the Vendor-Specific attribute Ascend-Assign-IP-Pool (from dictionary.ascend). See the MAX documentation for how to do this.

> Anybody knows if there's a way for the radius to be in charge of assigning the pool of IPs for each group?

The rlm_ippool module can allow FreeRADIUS to assign IPs from a pool that it manages.

-Chris
MySQL Success
To all,

I finally got it; go figure, it was a very obvious answer. I simply re-configured FreeRADIUS using the

  ./configure --with-static-modules="sql sql_mysql"

command. When I executed a make, it errored out saying it could not find ../modules/rlm_sql_mysql. I simply made a symbolic link to include the rlm_sql_mysql sub-directory in the ../modules/ directory and re-ran make. Everything works great now, thanks!

Cordially,
Chris DeRamus
OCIO VPN Administrator
SAIC

-----Original Message-----
From: Deramus, Chris
Sent: Sunday, December 14, 2003 11:09 PM
To: '[EMAIL PROTECTED]'
Subject: RE: MySQL Help!

Chris,

Thanks for the input, however, when I updated the configure script with your extra code configure would not find lmysqlclient and prompted that I specify the path to the library files by using --with-mysql-lib= . When I put in the path to the MySQL library files, it still would not find lmysqlclient. Any other thoughts? If I get it I'll be sure to let you know what it was, thanks so much.

Chris DeRamus
OCIO VPN Administrator
SAIC

-----Original Message-----
From: Chris Parker [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 12, 2003 5:14 PM
To: [EMAIL PROTECTED]
Subject: Re: MySQL Help!

At 03:42 PM 12/12/2003, Rob Genovesi wrote:

> oh boy, I remember kicking this around for ever as well ... My solution was to 1) be sure you have development rpms installed and 2) do not use "--disable-shared" when running configure. I don't know exactly why this changed things, but compiling with shared libraries it was able to find and use all the necessary mysql libs and includes. I installed the following MySQL rpms (Redhat):
>
>   MySQL-devel-4.0.16-0
>   MySQL-shared-compat-4.0.16-0
>   MySQL-client-4.0.16-0
>   MySQL-server-4.0.16-0

Aha. Mysql4 changes some stuff. On Solaris we had to change some of the Makefiles manually to get all of the appropriate libs included to get the rlm_mysql driver built. It may be the same on RH as well.

Helpfully, MySQL 3 build syntax is not totally workable with MySQL 4, at least as far as FR is concerned.

-Chris
RE: How to start/stop/restart FR
Ripunjay,

I have been running FreeRADIUS successfully for over a year on various versions of Redhat. I simply just copied the radiusd executable into /etc/init.d and created a symbolic link to this file in /etc/rc3.d. Each time the machine is restarted or powered on it will then start this process. When I terminate the process I usually just execute a pkill -9 rad, which is not the recommended way, but it's a bad habit that I have :).

Thanks,
Chris DeRamus
OCIO VPN Administrator
SAIC

-----Original Message-----
From: Ripunjay Bararia [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 15, 2003 2:45 PM
To: [EMAIL PROTECTED]
Subject: How to start/stop/restart FR

hi

just had this silly question

what is the preferred/normal way to start/stop/restart FR running on a RedHat box with or without init.d scripts

Ripunjay Bararia
RE: MySQL Help!
Alan,

What file(s) should I run ldd against?

Chris DeRamus
OCIO VPN Administrator
SAIC

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 12, 2003 4:44 PM
To: [EMAIL PROTECTED]
Subject: Re: MySQL Help!

Deramus, Chris [EMAIL PROTECTED] wrote:
> I have checked and verified the LD_LIBRARY_PATH variable, I have updated ld.so.conf as well. I've tried multiple configuration options, including disable-shared. Something isn't adding up. Any suggestions would be most appreciated. Thanks and have a good weekend.

'ldd' should tell you which libraries are needed. Maybe MySQL needs additional libraries, which somehow aren't loaded.

I don't know how else to help you. The server core doesn't know *anything* about modules/libraries, other than it asks the system to load them. If that doesn't work, there isn't much else the server can do.

Alan DeKok.
RE: MySQL Help!
Chris,

Thanks for the input, however, when I updated the configure script with your extra code configure would not find lmysqlclient and prompted that I specify the path to the library files by using --with-mysql-lib= . When I put in the path to the MySQL library files, it still would not find lmysqlclient. Any other thoughts? If I get it I'll be sure to let you know what it was, thanks so much.

Chris DeRamus
OCIO VPN Administrator
SAIC

-----Original Message-----
From: Chris Parker [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 12, 2003 5:14 PM
To: [EMAIL PROTECTED]
Subject: Re: MySQL Help!

At 03:42 PM 12/12/2003, Rob Genovesi wrote:

> oh boy, I remember kicking this around for ever as well ... My solution was to 1) be sure you have development rpms installed and 2) do not use --disable-shared when running configure. I don't know exactly why this changed things, but compiling with shared libraries it was able to find and use all the necessary mysql libs and includes. I installed the following MySQL rpms (Redhat):
>
>   MySQL-devel-4.0.16-0
>   MySQL-shared-compat-4.0.16-0
>   MySQL-client-4.0.16-0
>   MySQL-server-4.0.16-0

Aha. Mysql4 changes some stuff. On Solaris we had to change some of the Makefiles manually to get all of the appropriate libs included to get the rlm_mysql driver built. It may be the same on RH as well.

Helpfully, MySQL 3 build syntax is not totally workable with MySQL 4, at least as far as FR is concerned.

-Chris
RE: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL
Here's the output from the box; as you can see I have the development package. Any other thoughts?

  [EMAIL PROTECTED] -rpm -qa | grep mysql
  mysqlclient9-3.23.22-8
  mysql-devel-3.23.58-1.72
  mysql-3.23.58-1.72
  php-mysql-4.1.2-2.1.6
  mysql-server-3.23.58-1.72
  mod_auth_mysql-1.11-1

Thanks!
Chris DeRamus

-----Original Message-----
From: NetNITCO Systems Administration [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: Re: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL

On Thu, 2003-12-11 at 16:00, Deramus, Chris wrote:
> To all --
>
> I recently upgraded my development RADIUS box which was running RedHat 8.0 to RedHat Enterprise Linux 2.1 ES. This was a fresh install which included all MySQL related packages contained on the CDs. It was noted that the Enterprise installation did not contain a mysql-devel package; I am assuming it is now bundled in with one of the other rpms. I tested SQL queries from both web applications and command line and everything seemed to be a go, so I then configured freeradius.

I believe you are mistaken. The current MySQL development package for RHEL ES 2.1 is mysql-devel-3.23.58-1.72. You can grab the package from the RHEL installation media, or, you can download the SRPM from a Red Hat mirror and rebuild the package:

  ftp://redhat.netnitco.net/pub/mirrors/redhat/updates/enterprise/2.1ES/en/os/SRPMS/mysql-3.23.58-1.72.src.rpm

> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
> radiusd.conf[4]: sql: Module instantiation failed.

You'll get this until you compile FreeRADIUS with the MySQL development libraries installed.
RE: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL
I also mis-typed my message. The package that I was talking about was mysql-shared, not mysql-devel. I do not think you need mysql-shared though, or do you?

Thanks,
Chris DeRamus
OCIO VPN Administrator
SAIC

-----Original Message-----
From: NetNITCO Systems Administration [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: Re: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL

On Thu, 2003-12-11 at 16:00, Deramus, Chris wrote:
> To all --
>
> I recently upgraded my development RADIUS box which was running RedHat 8.0 to RedHat Enterprise Linux 2.1 ES. This was a fresh install which included all MySQL related packages contained on the CDs. It was noted that the Enterprise installation did not contain a mysql-devel package; I am assuming it is now bundled in with one of the other rpms. I tested SQL queries from both web applications and command line and everything seemed to be a go, so I then configured freeradius.

I believe you are mistaken. The current MySQL development package for RHEL ES 2.1 is mysql-devel-3.23.58-1.72. You can grab the package from the RHEL installation media, or, you can download the SRPM from a Red Hat mirror and rebuild the package:

  ftp://redhat.netnitco.net/pub/mirrors/redhat/updates/enterprise/2.1ES/en/os/SRPMS/mysql-3.23.58-1.72.src.rpm

> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
> radiusd.conf[4]: sql: Module instantiation failed.

You'll get this until you compile FreeRADIUS with the MySQL development libraries installed.
Re: Kill -HUP in debug mode eats all CPU
Add the string

  debug_level = 2

as the last line of radiusd.conf.

At 11:24 AM 12/12/2003, you wrote:

> Hello to everyone.
>
> As I have seen in a previous post, a bug that occasionally crashed the server when it received a HUP signal has been fixed. After compiling the latest release (0.9.3) on a SUN Ultra 100 (Solaris 8) I noticed that when I start the server in debug mode (radiusd -X) and send it a HUP signal it says that it rereads the configuration files but it eats the CPU resources, does not serve requests and it can't receive any other signal apart from -9. I used gcc 2.95.3. In the previous release when a HUP was received (in debug mode) the server crashed always.
>
> Here is part of the output from the first HUP signal
>
>   --- Walking the entire request list ---
>   Nothing to do. Sleeping until we see a request.
>   Reloading configuration files.
>   reread_config: reading radiusd.conf
>   Config: including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/proxy.conf
>   Config: including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/clients.conf
>   Config: including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/snmp.conf
>   Config: including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/oraclesql.conf
>   main: prefix = /export/home/radius/freeradius-0.9.3/BUILD
>   main: localstatedir = /export/home/radius/freeradius-0.9.3/BUILD/var
>   main: logdir = /export/home/radius/freeradius-0.9.3/BUILD/var/log/radius
>   main: libdir = /export/home/radius/freeradius-0.9.3/BUILD/lib
>   main: radacctdir = /export/home/radius/freeradius-0.9.3/BUILD/var/log/radius/radacct
>   main: hostname_lookups = no
>   main: max_request_time = 30
>   main: cleanup_delay = 5
>   main: max_requests = 1024
>   main: delete_blocked_requests = 0
>   main: port = 0
>   main: allow_core_dumps = no
>   main: log_stripped_names = no
>   main: log_file = /export/home/radius/freeradius-0.9.3/BUILD/var/log/radius/radius.log
>   main: log_auth = yes
>   main: log_auth_badpass = no
>   main: log_auth_goodpass = no
>   main: pidfile = /export/home/radius/freeradius-0.9.3/BUILD/var/run/radiusd/radiusd.pid
>   main: user = radius
>   main: group = other
>   main: usercollide = no
>   main: lower_user = no
>   main: lower_pass = no
>   main: nospace_user = no
>   main: nospace_pass = no
>   main: checkrad = /export/home/radius/freeradius-0.9.3/BUILD/sbin/checkrad
>   main: proxy_requests = yes
>   proxy: retry_delay = 5
>   proxy: retry_count = 3
>   proxy: synchronous = yes
>   proxy: default_fallback = yes
>   proxy: dead_time = 120
>   proxy: post_proxy_authorize = no
>   proxy: wake_all_if_all_dead = no
>   security: max_attributes = 200
>   security: reject_delay = 1
>   security: status_server = no
>   main: debug_level = 0
>   read_config_files: reading dictionary
>   read_config_files: reading naslist
>   Using deprecated naslist file. Support for this will go away soon.
>   read_config_files: reading clients
>   Using deprecated clients file. Support for this will go away soon.
>   read_config_files: reading realms
>   Using deprecated realms file. Support for this will go away soon.
>
> For anything else you might need to trace the error let me know.
>
> ==
> Kostas Zorbadelos
> Currently at: Otenet IT Department
> mailto: [EMAIL PROTECTED]
>
> Out there in the darkness, out there in the night
> out there in the starlight, one soul burns brighter than a thousand suns.
Re: Cannot find a configuration entry for module expr
At 11:25 AM 12/12/2003, Drew Weaver wrote:

> Anyone know what this is about?
>
>   ERROR: Cannot find a configuration entry for module expr.
>
> All I did was
>
>   ./configure -with-logdir=/radius/logs -with-radacctdir=/radius/radacct; make; make install; /usr/local/sbin/radiusd -x
>
>   Starting - reading configuration files ...
>   Using deprecated naslist file. Support for this will go away soon.
>   Using deprecated clients file. Support for this will go away soon.
>   Using deprecated realms file. Support for this will go away soon.
>   ERROR: Cannot find a configuration entry for module expr.

Do you have an empty:

  expr {
  }

in the modules section of your config file? It doesn't contain anything, but it needs to be there if you have 'expr' in your Instantiate block.

-Chris
RE: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL
I have checked the FreeRADIUS FAQ and followed the instructions. My ld.so.conf file has been set up correctly and is pointing to the respective library dependencies, and it still is giving me the same error. I have also attempted ./configure --disable-shared and still no go. I know I do not need mysql-shared; I am honestly stumped. Sorry to keep this thread going, I just can't seem to find much documentation on any extra steps required when running this new distro of RedHat.

Thanks,
Chris DeRamus

-----Original Message-----
From: NetNITCO Systems Administration [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: Re: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL

On Thu, 2003-12-11 at 16:00, Deramus, Chris wrote:
> To all --
>
> I recently upgraded my development RADIUS box which was running RedHat 8.0 to RedHat Enterprise Linux 2.1 ES. This was a fresh install which included all MySQL related packages contained on the CDs. It was noted that the Enterprise installation did not contain a mysql-devel package; I am assuming it is now bundled in with one of the other rpms. I tested SQL queries from both web applications and command line and everything seemed to be a go, so I then configured freeradius.

I believe you are mistaken. The current MySQL development package for RHEL ES 2.1 is mysql-devel-3.23.58-1.72. You can grab the package from the RHEL installation media, or, you can download the SRPM from a Red Hat mirror and rebuild the package:

  ftp://redhat.netnitco.net/pub/mirrors/redhat/updates/enterprise/2.1ES/en/os/SRPMS/mysql-3.23.58-1.72.src.rpm

> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
> radiusd.conf[4]: sql: Module instantiation failed.

You'll get this until you compile FreeRADIUS with the MySQL development libraries installed.
Re: MySQL Help!
At 03:42 PM 12/12/2003, Rob Genovesi wrote:

> oh boy, I remember kicking this around for ever as well ... My solution was to 1) be sure you have development rpms installed and 2) do not use --disable-shared when running configure. I don't know exactly why this changed things, but compiling with shared libraries it was able to find and use all the necessary mysql libs and includes. I installed the following MySQL rpms (Redhat):
>
>   MySQL-devel-4.0.16-0
>   MySQL-shared-compat-4.0.16-0
>   MySQL-client-4.0.16-0
>   MySQL-server-4.0.16-0

Aha. Mysql4 changes some stuff. On Solaris we had to change some of the Makefiles manually to get all of the appropriate libs included to get the rlm_mysql driver built. It may be the same on RH as well.

Helpfully, MySQL 3 build syntax is not totally workable with MySQL 4, at least as far as FR is concerned.

-Chris
Re: MySQL Help!
At 04:14 PM 12/12/2003, Chris Parker wrote:

> At 03:42 PM 12/12/2003, Rob Genovesi wrote:
>
>> oh boy, I remember kicking this around for ever as well ... My solution was to 1) be sure you have development rpms installed and 2) do not use --disable-shared when running configure. I don't know exactly why this changed things, but compiling with shared libraries it was able to find and use all the necessary mysql libs and includes. I installed the following MySQL rpms (Redhat):
>>
>>   MySQL-devel-4.0.16-0
>>   MySQL-shared-compat-4.0.16-0
>>   MySQL-client-4.0.16-0
>>   MySQL-server-4.0.16-0
>
> Aha. Mysql4 changes some stuff. On Solaris we had to change some of the Makefiles manually to get all of the appropriate libs included to get the rlm_mysql driver built. It may be the same on RH as well.
>
> Helpfully, MySQL 3 build syntax is not totally workable with MySQL 4, at least as far as FR is concerned.

Following up my own post, here are the changes we had to make to the 'configure' in 'src/modules/rlm_sql/drivers/rlm_mysql', around line 900.

  LIBS="$LIBS -lz"

to

  LIBS="$LIBS -lsocket -lnsl -lm -lz"

In other words, we added the '-lsocket -lnsl -lm' libraries, as these are needed for the compilation to complete.

Hope this helps,
-Chris
RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL
To all --

I recently upgraded my development RADIUS box which was running RedHat 8.0 to RedHat Enterprise Linux 2.1 ES. This was a fresh install which included all MySQL related packages contained on the CDs. It was noted that the Enterprise installation did not contain a mysql-devel package; I am assuming it is now bundled in with one of the other rpms. I tested SQL queries from both web applications and command line and everything seemed to be a go, so I then configured freeradius. I used the following configure line:

  ./configure --with-mysql-include-dir=/usr/include/mysql --with-mysql-dir=/usr/lib/mysql --with-mysql

I configured the flat configuration files including radiusd.conf to match my desired configuration. SQL is set up like so:

--- Pasted from radiusd.conf ---

$INCLUDE ${confdir}/sql.conf
$INCLUDE ${confdir}/sql2.conf

authorize {
        #
        # The preprocess module takes care of sanitizing some bizarre
        # attributes in the request, and turning them into attributes
        # which are more standard.
        #
        # It takes care of processing the 'raddb/hints' and the
        # 'raddb/huntgroups' files.
        #
        # It also adds a Client-IP-Address attribute to the request.
        autztype sql1 {
                sql
        }
        autztype sql2 {
                sql2
        }

accounting {
        detail
        acctype sql1 {
                sql
        }
        acctype sql2 {
                sql2
        }
        radutmp

My sql.conf and sql2.conf files respectively called the driver rlm_sql_mysql. Upon launching radiusd with debugging turned on I get the following message:

  rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
  rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
  radiusd.conf[4]: sql: Module instantiation failed.

I have re-configured the sql_mysql module multiple times, even as a static module, and no luck. I am wondering if this has to do with differences in the way MySQL is set up in the Enterprise 2.1 ES distro? Any light that you can shed on this issue would be greatly appreciated.

Thanks and have a great day,
Chris DeRamus
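The "Could not link driver rlm_sql_mysql" error in this thread is the dynamic loader failing to resolve a dependency, and Alan's suggestion earlier in the thread was to run ldd. The following is an added shell example, not code from the list or from the FreeRADIUS project: it parses ldd output for unresolved libraries and reports them for a module file; the module path and the sample ldd output are constructed.

```shell
#!/bin/sh
# Added example: find out which shared libraries a FreeRADIUS module cannot
# resolve, which is what "Could not link driver rlm_sql_mysql" usually means.

# Read `ldd` output on stdin and print one unresolved library per line.
# ldd marks an unresolved dependency as "libfoo.so.N => not found".
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Run ldd on a module (.so) and report. Returns 0 when every dependency
# resolves, 1 when something is missing, 2 when the file does not exist.
check_module() {
    mod="$1"
    if [ ! -f "$mod" ]; then
        echo "$mod: no such file (is the module built and installed?)" >&2
        return 2
    fi
    missing=$(ldd "$mod" 2>/dev/null | missing_from_ldd)
    if [ -n "$missing" ]; then
        echo "$mod cannot be loaded; unresolved libraries:"
        printf '  %s\n' $missing
        echo "add the directory holding them to ld.so.conf (and run ldconfig) or to LD_LIBRARY_PATH"
        return 1
    fi
    echo "$mod: all dependencies resolved"
    return 0
}

# Constructed sample ldd output (not captured from the poster's box) so the
# parser can be exercised without a real module present.
SAMPLE_LDD='        linux-gate.so.1 =>  (0xffffe000)
        libmysqlclient.so.10 => not found
        libz.so.1 => /usr/lib/libz.so.1 (0x40020000)
        libc.so.6 => /lib/libc.so.6 (0x40030000)'

# Run the parser over the constructed sample; prints the unresolved names.
sample_missing() {
    printf '%s\n' "$SAMPLE_LDD" | missing_from_ldd
}

# Typical use: point it at the module under the libdir from radiusd.conf.
# The path below is an assumption; adjust it to your install:
#   check_module /usr/local/lib/rlm_sql_mysql.so
```

Run it against the module's shared object rather than the radiusd binary, since radiusd itself has no link-time dependency on libmysqlclient; a library listed as "not found" is what the server's "dependent libraries" message is pointing at.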
Re: Multiple values for the same integer-attribute in one RADIUS reply???
At 05:02 PM 12/10/2003, [EMAIL PROTECTED] wrote:

> Hello everybody,
>
> Yesterday I ran into deep problems trying to configure freeradius 0.9.0 for so called authenticated switch access (asa), which is a feature of alcatel (formerly xylan) lan switches enabling them to query a radius server for user authentication. My users file looks like:
>
>   ...
>   user2   Auth-Type := Local, User-Password == testpw
>           Alcatel-Access-Priv = Alcatel-Read-Priv,
>           Alcatel-Access-Priv = Alcatel-Write-Priv,
>           Alcatel-Access-Priv = Alcatel-Admin-Priv
>   ...

See the docs, man users, the list archives from the last few days. You need the += operator to add multiple attributes of the same type to a reply.

-Chris
Re: filtering attributes in proxy
At 11:59 PM 12/8/2003, denz wrote:

>>> but when I start the server I get this message at the end, and server exits.
>>>
>>>   Module: Instantiated attr_filter (attr_filter)
>>>   radiusd.conf: attr_filter modules aren't allowed in 'pre-proxy' sections -- they have no such method.
>>
>> shrug
>>
>> Edit the source code for attr_filter to include a pre-proxy section.
>>
>> This is done in the latest CVS for post-proxy. I've got a patch we've used internally for pre-proxy. I'll commit it today.
>
> Has it been committed to cvs? I just downloaded. Couldn't see the preproxy method in rlm_attr_filter. I'd appreciate it very much right now.

No, I'm still working on cleaning the patch up, as well as adding accounting methods for the module. I'll post to the list when it is in CVS, which should hopefully be later today.

-Chris
Re: Weird issue regarding authentification...
At 02:51 PM 12/8/2003, m0bius wrote:

> Hello people,
>
> I had a pretty good working configuration for the past month using FreeRadius with mySQL and Dialup Admin. However yesterday we had an enormous power failure and after some hours of running on the UPS the radius server was down. Today, in the morning however, the server was up and running successfully. However at some point while I was tampering with some vendor specific attributes for our Lucents hell broke free. From that point on I can not seem to get any user authenticated. I am constantly getting the error:
>
>   rlm_sql (sql): No matching entry in the database for request from user [exuser].
>
> I should point out that the database seems intact (actually the sql queries done by radius are repeated by me successfully) and all tables and contents exist.

If you run the queries printed in debug output, what do you get returned? Note to login to mysql as the same user that Radius uses, ala:

  mysql -u RADIUS_USER -p DBNAME

-Chris
Re: CDMD and GPRS
At 03:06 PM 12/5/2003, [EMAIL PROTECTED] wrote:

> Hello:
>
> Does free radius support management and monitoring of wireless data service across CDMA and GPRS.

FreeRADIUS supports Radius. If there are implementations of equipment to manage CDMA and GPRS services that can talk to a Radius server, then the answer is yes.

Radius is connection agnostic. It doesn't care. It is up to the AP/NAS/etc. to support the connection method/protocol/technology.

-Chris
Re: Freeradius and IPASS
At 09:39 AM 12/4/2003, Bart Van Daal wrote:

> Hello Freeradius Users,
>
> just a small question: Do I need to configure anything special to proxy to an Ipass netserver?
>
> this is my entry in the proxy.conf
>
>   realm IPASS {
>           type     = radius
>           authhost = 12.34.56.78:1645
>           accthost = 12.34.56.78:1646
>           secret   = ipassecret
>           nostrip
>   }

This should work. I don't think they do anything differently with respect to Radius.

-Chris
Re: filtering attributes in proxy
At 10:43 AM 12/4/2003, Alan DeKok wrote:

> denz [EMAIL PROTECTED] wrote:
>> but when I start the server I get this message at the end, and server exits.
>>
>>   Module: Instantiated attr_filter (attr_filter)
>>   radiusd.conf: attr_filter modules aren't allowed in 'pre-proxy' sections -- they have no such method.
>
> shrug
>
> Edit the source code for attr_filter to include a pre-proxy section.

This is done in the latest CVS for post-proxy. I've got a patch we've used internally for pre-proxy. I'll commit it today.

-Chris
Re: Restricting Subnet Access
At 01:14 PM 12/4/2003, Frank Everitt wrote:

> Hi ...
>
> I'm new to this list as well as freeradius. I've installed 0.9.3 and have been trying to figure out how to restrict access to various framed networks. I was led to believe that freeradius was capable of doing this but I haven't found anything about this capability in the docs nor scripts. In a nutshell, this is what I would like to do.
>
> A. Enable the radius server to accept all NAS requests from certain subnets (e.g. 192.168.1.0/26, 192.168.1.128/26) and reject all of the others.
>
> Any insight would be greatly appreciated.

If the server isn't configured with an explicit client configuration, it won't respond to the request.

If you instead are trying to get it to send an immediate auth-reject to certain NAS, then you could create a 'Huntgroups' configuration to place the NAS you want to reject in a named Huntgroup. Then put something similar to the following in your 'users' config:

  DEFAULT Huntgroup == BADNAS, Auth-Type := Reject
          Fall-Through = No

If what you are trying to do is neither of the above, please clarify what you want to do.

-Chris
Re: Restricting Subnet Access
At 01:14 PM 12/4/2003, you wrote:
> Hi ... I'm new to this list as well as freeradius. I've installed 0.9.3
> and have been trying to figure out how to restrict access to various
> framed networks. I was led to believe that freeradius was capable of
> doing this but I haven't found anything about this capability in the
> docs nor scripts.
>
> In a nut shell, this is what I would like to do.
>
> A. Enable the radius server to accept all NAS requests from certain
> subnets (e.g. 192.168.1.0/26, 192.168.1.128/26) and reject all of the
> others.
>
> Any insight would be greatly appreciated.

From /path/to/src/radiusd/raddb/clients.conf:

# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#       secret      = testing123-1
#       shortname   = private-network-1
#}
#
#client 192.168.0.0/16 {
#       secret      = testing123-2
#       shortname   = private-network-2
#}

So, list your networks and no other clients. FreeRADIUS will only accept
requests from the clients listed in clients.conf.

HTH,
Chris
Re: FreeRadius and SAMBA
At 05:06 PM 12/3/2003, [EMAIL PROTECTED] wrote:
> Is it possible to have FreeRadius authenticate against a SAMBA 3.x
> implementation?

rlm_smb ? I don't know how widely used this module is, but it should do
what you are looking for.

-Chris
Re: Accounting-Start packet question
At 12:27 PM 12/2/2003, Brian Clarkson wrote:
> so i've read through the O'Reilly _Radius_ book, the FAQ for FreeRADIUS,
> and browsed the list's archive, but i still have a relatively basic
> question that just needs some clarification.
>
> Accounting-Start packets are sent by the client ( which could be either
> the NAS or the end-user in the case of wireless auth, which is what i'm
> doing ).

No, it will be the NAS, it will not be the end-user.

> if a NAS hasn't implemented the full AAA architecture ( i.e. only
> supports RADIUS for authentication but not for accounting ), then the
> only way to get the Accounting-Request packet is to have the end-user
> send it ( which is, IMHO, an unreliable method ), correct?

No. The Radius Server will only accept AAA from known 'clients'. This will
be the device or process that talks to the Radius server ( either a NAS,
AP, or other ). It will *not* be the end-user. If the NAS/AP doesn't send
it, you don't get it.

> is there some kind of way around this, like faking an Accounting-Start
> in the radgroupreply table ( in MySQL )?

Yes. Look at the 'radzap' program. It functions by sending a spoofed 'Stop'
packet to the server.

-Chris
Re: Accounting-Start packet question
At 12:46 PM 12/2/2003, Brian Clarkson wrote:
> Chris Parker wrote:
> > At 12:27 PM 12/2/2003, Brian Clarkson wrote:
> > > Accounting-Start packets are sent by the client ( which could be
> > > either the NAS or the end-user in the case of wireless auth, which
> > > is what i'm doing ).
> >
> > No, it will be the NAS, it will not be the end-user.
>
> that's what i thought ... but the 'client' definition almost makes it
> sound as any client though the chain of clients could send the packet.

No, the chain of communication can't be side-stepped. End-user can talk to
NAS can talk to Radius Server. Beyond the immediate clients, there is no
chain of trust or state that would allow End-user - Radius server direct
communication.

> > If the NAS/AP doesn't send it, you don't get it.
> >
> > > is there some kind of way around this, like faking an
> > > Accounting-Start in the radgroupreply table ( in MySQL )?
> >
> > Yes. Look at the 'radzap' program. It functions by sending a spoofed
> > 'Stop' packet to the server.
>
> i fail to understand how a spoofed 'stop' packet will actually start the
> accounting process. but this hits another issue i was having. my test
> user successfully authenticated but hasn't been 'kicked off' the network
> -- even though i've restarted the radius server *and* rebooted the NAS.
> ( a Buffalo AP in this case ). would the user not be disconnected because
> of the lack of stop packet?

I was simply pointing that out as you asked how to fake an Accounting Start
packet. That program sends an Accounting Stop. It is a trivial modification
to make it send a different packet type.

Is there a particular problem you are trying to solve? It might be better
to spell out your problem, and listen to the proposed solutions than trying
to jump straight to a solution as the one you see may not be perhaps the
'best' for your particular problem.

-Chris
Re: tunneling
At 02:14 AM 12/1/2003, you wrote:
> Chris,
>
> How we gonna map below entry (with TAG) in ldap.attrmap?? and how the
> entry in LDAP will be??

Haizam, I'm not familiar with LDAP configuration.

Chris

> radiusTunnelPassword :
> radiusTunnelMediumType :
> radiusTunnelType :
> radiusTunnelServerEndpoint:
>
> Tunnel-Password:0 = ,
> Tunnel-Medium-Type:0 = IP,
> Tunnel-Type:0 = L2TP,
> Tunnel-Server-Endpoint:0 = xxx.xxx.xxx.xxx
>
> --haizam
>
> - Original Message -
> From: Chris Brotsos [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, November 19, 2003 9:40 PM
> Subject: Re: tunneling
>
> > > From dictionary.tunnel...
> > >
> > > ATTRIBUTE Tunnel-Type 64 integer has_tag
> > >
> > > what is mean by has_tag??
> > >
> > > I'm currently working on RADIUS - MPLS-VPN project, and from example
> > > given by cisco.. Some of attributes needed for doing L2TP tunnelling
> > > are as below:
> > >
> > > Tunnel-Type = :1:L2TP
> > > Tunnel-Medium-Type = :1:IP
> > > Tunnel-Server-Endpoint = :1:172.21.9.13
> > >
> > > So what is :1 from :1:L2TP means ??
> >
> > The :1 is the tag, and the has_tag portion of the dictionary definition
> > you refer to above informs the RADIUS software that it should expect
> > (or append when necessary) certain characters as part of the attribute.
> > From the RFCs included in the 'rfc' sub-directory of the 'doc'
> > directory of the FreeRADIUS source code:
> >
> >    Tag
> >
> >       The Tag field is one octet in length and is intended to provide a
> >       means of grouping attributes in the same packet which refer to
> >       the same tunnel. Valid values for this field are 0x01 through
> >       0x1F, inclusive. If the value of the Tag field is greater than
> >       0x00 and less than or equal to 0x1F, it SHOULD be interpreted as
> >       indicating which tunnel (of several alternatives) this attribute
> >       pertains; otherwise, the Tag field SHOULD be ignored.
> >
> > The tags mean nothing to the RADIUS server itself; the definition above
> > is explaining how the NAS is going to use/interpret the Tag. As well,
> > I'm not sure which RADIUS server that syntax (e.g. Tunnel-Type =
> > :1:L2TP) is correct for, but for FreeRADIUS the attributes should be
> > configured as follows:
> >
> > Tunnel-Password:0 = ,
> > Tunnel-Medium-Type:0 = IP,
> > Tunnel-Type:0 = L2TP,
> > Tunnel-Server-Endpoint:0 = xxx.xxx.xxx.xxx
> >
> > HTH,
> > Chris Brotsos
Re: Radiusd process stopped
At 01:51 PM 12/1/2003, Guillermo Delmastro wrote:
> Hi list
>
> I am using freeradius 0-7 on a BSDi BSD/OS4.3. It works fine, but last
> week I got this:

You must upgrade. 0.7 is very old now, and no longer supported. Get the
latest version from http://www.freeradius.org/

-Chris
Re: tunneling
At 08:20 PM 12/1/2003, Rohaizam Abu Bakar wrote:
> anybody familiar with LDAP entry those with TAG can help me??

FreeRADIUS natively prints in the format of:

  ATTR : TAG = VALUE

When running in debugging mode, etc. However it parses in two modes, the
native mode shown above, and the Merit mode shown here:

  ATTR = :TAG:VALUE

ex:

  Tunnel-Password = :0:toomanysecrets

So you can encode the tag on either the Attribute, or the Value. In your
case, you'll probably want to use the Merit syntax and store the TAG with
the Value. Unless you are returning multiple tunnel profiles, it is best to
use a TAG of 0.

Hope this helps,

-Chris
Re: MS-CHAPv2 + LDAP
> > you could include the samba schema in the ldap server using the
> > ntPassword attribute for password. Use smbencrypt [string] to generate
> > a NT Hash for testing. On samba site you should find more about
> > automating this step in ldap-pdc docs. Better than nothing..
>
> Thanks, I will try that, but that kind of defeats my original setup which
> was to use existing usernames and passwords. Generating new NT passwords
> for thousands of people is a bit too much. Thanks for the response.

I just did this for my organization, and I included it into our yearly
required password change setup. I also made a web 'enabler' page, where
people could authenticate and have their NT password inserted into LDAP
without doing a change password. I figured that within a year everyone
will be in there, and we have the ability to populate it before that as
well.

Chris [EMAIL PROTECTED]
CA.all script failing
Hello,

I'm trying to set up freeradius to use EAP-TLS, using the CA.all script
included with the distribution to generate the necessary server and client
certificates. I'm using the CVS snapshot from 11/20/2003, with openssl
0.9.7c. openssl is installed in /usr/local/ssl, and I'm running the script
from the /usr/local/ssl/certs directory. Here's the output I get at the end
at the step where the server cert is generated:

Certificate is to be certified until Nov 24 00:42:41 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever -passout pass:whatever
23242:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
23243:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##\n'

##

And here is the state of the certs directory:

-rwxr-xr-x  1 root staff  3119 Nov 21 17:52 CA.all
-rw-r--r--  1 root staff  9304 Nov 24 19:43 CA_output
-rw-r--r--  1 root staff   689 Nov 24 19:42 cert-clt.der
-rw-r--r--  1 root staff  1709 Nov 24 19:42 cert-clt.p12
-rw-r--r--  1 root staff  2389 Nov 24 19:42 cert-clt.pem
-rw-r--r--  1 root staff     0 Nov 24 19:42 cert-srv.p12
-rw-r--r--  1 root staff     0 Nov 24 19:42 cert-srv.pem
drwxr-sr-x  6 root staff  4096 Nov 24 19:42 demoCA
-rw-r--r--  1 root staff     0 Nov 24 19:42 newcert.pem
-rw-r--r--  1 root staff  1667 Nov 24 19:42 newreq.pem
-rw-r--r--  1 root staff   906 Nov 24 19:42 root.der
-rw-r--r--  1 root staff  1925 Nov 24 19:42 root.p12
-rw-r--r--  1 root staff  2681 Nov 24 19:42 root.pem
-rw-r--r--  1 root staff   148 Nov 21 18:29 xpextensions

Can someone take a look at this and possibly tell me if I'm doing anything
wrong? I scripted the entire output of CA.all, so I can send as an
attachment if requested.

Thanks,
-Chris
Re: Authenticating users without a password..
At 10:01 AM 11/21/2003, Stephen Fulton wrote:
> Hi all,
>
> I forgot my RADIUS book, otherwise I'd look it up. I've Google'd without
> success. When I add a user without a password, I get this error message:
>
> Auth: Login incorrect: [a-test/no User-Password attribute] (from client
> 10.100.5.10 port 0)
>
> If I have the Password AV pair there, but without a password in the
> Value field, it still fails. When a password is put in the Value field,
> it works. Thoughts?

Auth-Type := Accept?

-Chris
Re: Foundry command authorization help
At 11:23 AM 11/21/2003, Dave Mussulman wrote:
> First, the Foundry dictionary file that comes with FreeRADIUS doesn't
> have those attributes, so you'll need to edit it. What you need to add
> is pretty straightforward in Foundry's docs. (I'll submit my dictionary
> file to the project when I'm sure it's got everything; I just added some
> stuff for their management software yesterday.)

Patch please? Or list of the AV's? If no one reports it, it won't get
included in later versions either.

-Chris
Re: 0.9.3 has been released
At 11:18 AM 11/21/2003, Bill Campbell wrote:
> On Fri, Nov 21, 2003, Alan DeKok wrote:
> > Oliver Graf [EMAIL PROTECTED] wrote:
> > > > With that said, 0.9.3 has been released. It's in the normal places:
> > >
> > > I submitted a security report and a new package ebuild to the gentoo
> > > ( http://gentoo.org/ ) community.
> >
> > Thanks.
>
> This just re-iterates my belief that RADIUS servers should be on private
> networks, far away from any possible source of malicious packets. Either
> that, or packet filters that restrict the hosts that can access the
> radius servers.

Wouldn't work in this case, since packets are UDP a packet with spoofed
source of a valid client will pass the filter. :\ All you'd need to DOS a
radius server is a valid client IP.

The RADIUS protocol makes it very hard to enforce additional restrictions,
as the packet format is all in cleartext ( excepting certain Password
attributes ) with no validation or signing. The Message-Authenticator value
would serve this purpose, however it is not required, and as such doesn't
help in this case, either, and won't until or unless it is made mandatory.
That would then break old clients/servers that don't support
Message-Authenticator.

http://www.freeradius.org/rfc/rfc2869.html#Message-Authenticator

The light at the end of the tunnel is that it *was* made mandatory for any
packet with EAP-Message attributes.

-Chris
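The Message-Authenticator the reply above points to is an HMAC-MD5 over the entire packet, keyed with the client's shared secret, with the attribute's own 16 value octets zeroed while the MAC is computed (RFC 2869 section 5.14). The point for the spoofing case is that a packet arriving from a forged client address cannot carry a valid one without the secret. The code below is an added example, not FreeRADIUS code; the secret, packet id and attribute values are constructed.

```python
"""Compute and verify Message-Authenticator (RFC 2869 s5.14) on a RADIUS
packet.  Added example, not FreeRADIUS code; all values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80


def attr(t, value):
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", t, len(value) + 2) + value


def build_packet(code, ident, authenticator, attrs):
    """Header (Code, Identifier, Length) + 16-byte Authenticator + attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def sign(packet, secret):
    """Return packet with a correct Message-Authenticator appended."""
    # Append the attribute with a zeroed value and fix up Length, then HMAC
    # the whole thing with the shared secret as key.
    unsigned = packet[:2] + struct.pack("!H", len(packet) + 18) + packet[4:]
    unsigned += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac


def verify(packet, secret):
    """True only if the packet carries a Message-Authenticator that matches.
    A packet with none at all is reported as unverifiable (False)."""
    pos = 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            return False  # malformed attribute length: reject outright
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += l
    return False


if __name__ == "__main__":
    secret = b"testing123"  # constructed shared secret
    pkt = build_packet(ACCESS_REQUEST, 7, os.urandom(16),
                       [attr(USER_NAME, b"bob"), attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])
    signed = sign(pkt, secret)
    print("genuine:", verify(signed, secret))
    print("spoofed client, wrong secret:", verify(signed, b"guess"))
    print("tampered User-Name:", verify(signed.replace(b"bob", b"eve"), secret))
```

The Request Authenticator of an Access-Request is random and carries no secret, which is why source filtering alone does not help; only when the server insists on Message-Authenticator (as it must for EAP-Message) does a forged-source packet get rejected before it costs any processing.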
Re: 0.9.3 has been released
At 12:26 PM 11/21/2003, Bill Campbell wrote:
> On Fri, Nov 21, 2003, Chris Parker wrote:
> > At 11:18 AM 11/21/2003, Bill Campbell wrote:
> > > On Fri, Nov 21, 2003, Alan DeKok wrote:
> > > > Oliver Graf [EMAIL PROTECTED] wrote:
> > > > > > With that said, 0.9.3 has been released. It's in the normal
> > > > > > places:
> > > > >
> > > > > I submitted a security report and a new package ebuild to the
> > > > > gentoo ( http://gentoo.org/ ) community.
> > > >
> > > > Thanks.
> > >
> > > This just re-iterates my belief that RADIUS servers should be on
> > > private networks, far away from any possible source of malicious
> > > packets. Either that, or packet filters that restrict the hosts that
> > > can access the radius servers.
> >
> > Wouldn't work in this case, since packets are UDP a packet with spoofed
> > source of a valid client will pass the filter. :\ All you'd need to DOS
> > a radius server is a valid client IP.
> >
> > The RADIUS protocol makes it very hard to enforce additional
> > restrictions, as the packet format is all in cleartext ( excepting
> > certain Password attributes ) with no validation or signing.
>
> It's kinda hard to have the radius server on a private network if it's
> doing authentication for wholesale dialup connections :-).

Yes. Kinda a problem there. However, an Auth-Req from a proxy target will
not match the clients list and will be discarded. You could run a private
network between the NAS and the Radius, but then Radius running on
multihomed systems has always been interesting. Certainly doable though,
given enough time. IPSec is another tool that could help.

> Or they're running Nortel (Bay) Annex boxes which use broken MD5 hashes,
> and Nortel makes it difficult to get updated software.

That's a problem with Nortel. If the rest of the world can figure out how
to do Radius securely and safely, we shouldn't compromise the whole for the
few that can't figure out how to follow the RFC's.

-Chris
Re: What goes in acct_users a seg fault
At 12:39 PM 11/21/2003, Greg G wrote:
> I'm trying to figure out what goes into the acct_users. I had thought it
> was user entries like those in the users file, but that doesn't seem to
> really be the case. It appears to be getting parsed the same way (based
> on 'My-Key' entries that get rejected). However, at run-time, that
> doesn't appear to be the case. In fact, I get a seg-fault.

Huh? You are making things more difficult for yourself than need be. In
most cases you won't need to put anything in acct-users.

> rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:36538,
> id=167, length=27
>         User-Name = test1
> modcall: entering group preacct for request 0

http://www.freeradius.org/rfc/rfc2866.html#Accounting-Request

   Any attribute valid in a RADIUS Access-Request or Access-Accept
   packet is valid in a RADIUS Accounting-Request packet, except that
   the following attributes MUST NOT be present in an Accounting-
   Request: User-Password, CHAP-Password, Reply-Message, State.
   Either NAS-IP-Address or NAS-Identifier MUST be present in a RADIUS
   Accounting-Request. It SHOULD contain a NAS-Port or NAS-Port-Type
   attribute or both unless the service does not involve a port or the
   NAS does not distinguish among its ports.

So, the packet being sent is an invalid accounting packet, as it doesn't
contain NAS-IP-Address or NAS-Identifier. Nor a session-id.

That being said, the server shouldn't seg-fault in that instance. It should
reject the packet as invalid and not try to process it further. We'll look
into this and correct the behaviour.

-Chris
Re: 093 Crashes with unknown tokens
At 12:42 PM 11/21/2003, Greg G wrote:
> Alan DeKok wrote:
> > Greg G mailto:[EMAIL PROTECTED][EMAIL PROTECTED] wrote:
> > > Here's what I get from FR 0.93
> > >
> > > /usr/local/etc/raddb/users[9]: Parse error (reply) for entry 007gold:
> > > Unknown attribute My-Key
> > > Errors reading /usr/local/etc/raddb/users
> > > radiusd.conf[921]: files: Module instantiation failed.
> > >
> > > And then back to a prompt. That's bad since I won't always be able to
> > > watch the radiusd start up.
> >
> > So... it doesn't crash. It gives an error, which tells you what went
> > wrong, and why. What, exactly is unclear about the error message?
>
> Nothing is unclear about it. I would prefer that the daemon not fail out
> if there's a data error in one of the files. It should report that error
> to a log and continue on. Otherwise, it becomes a fairly trivial task to
> crash out the daemon. Our users file is fairly dynamic and if someone
> makes a typo putting in a new entry, I don't want the whole system coming
> down.

Sorry, I prefer my failures to be deterministic. I don't want the server
carrying on and running with a partial config and doing something
un-expected. Garbage in/Garbage out.

If you are concerned with making typos, you may want to look at the
'dialup-admin' package, which allows you to easily manage an SQL database
rather than a flat users file. Your chances of making a typo would then be
greatly reduced imho, and if you did typo on one entry for a user, it would
not affect any other users.

-Chris
Re: What goes in acct_users a seg fault
At 01:11 PM 11/21/2003, Greg G wrote:
> Chris Parker wrote:
> > So, the packet being sent is an invalid accounting packet, as it
> > doesn't contain NAS-IP-Address or NAS-Identifier. Nor a session-id.
>
> Now that's strange, because this packet is being sent from radclient. I
> thought I had seen it work in 092 with the default acct_users, but it's
> seg faulting in 093 either way.
>
> echo User-Name = test1 | radclient radiusserver.mydomain.net acct a_secret

radclient sends what you tell it to send. If you tell it to send an invalid
accounting packet ( since you aren't including one of the mandatory
attributes ), it will do so. If you want to send a valid accounting packet,
add more attributes to your call to radclient.

-Chris
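Both halves of this thread, the 27-byte packet that radclient built from `User-Name = test1` alone and the checks a server should apply before touching it, as an added example in Python (not FreeRADIUS or radclient code). The mandatory-attribute rules come from RFC 2866: NAS-IP-Address or NAS-Identifier, exactly one Acct-Status-Type and one Acct-Session-Id, and none of User-Password, CHAP-Password, Reply-Message or State. The Request Authenticator check is the RFC 2866 section 3 formula, which is what makes a spoofed-source accounting packet detectable when the sender lacks the secret. Secret, identifier and values are constructed.

```python
"""Build an Accounting-Request the way radclient does and validate it the
way a server should before processing.  Added example, not FreeRADIUS code;
the secret and attribute values are constructed."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 18, 24, 32
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START = 1
FORBIDDEN = {USER_PASSWORD, CHAP_PASSWORD, REPLY_MESSAGE, STATE}  # RFC 2866 s4.1


def attr(t, value):
    """One Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", t, len(value) + 2) + value


def int_attr(t, n):
    """Integer attribute: 4-octet big-endian value."""
    return attr(t, struct.pack("!I", n))


def build_acct_request(ident, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def parse_attrs(packet):
    """Return [(type, value)]; raise ValueError on any malformed length."""
    pos, out = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("bad attribute length")
        out.append((t, packet[pos + 2:pos + l]))
        pos += l
    return out


def validate_acct_request(packet, secret):
    """Return the list of reasons to reject the packet; [] means accept."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return ["not an Accounting-Request"]
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return ["length field does not match packet"]
    problems = []
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        problems.append("bad Request Authenticator (wrong secret or spoofed)")
    try:
        types = {t for t, _ in parse_attrs(packet)}
    except ValueError as e:
        return problems + [str(e)]
    if not ({NAS_IP_ADDRESS, NAS_IDENTIFIER} & types):
        problems.append("neither NAS-IP-Address nor NAS-Identifier present")
    if ACCT_STATUS_TYPE not in types:
        problems.append("Acct-Status-Type missing")
    if ACCT_SESSION_ID not in types:
        problems.append("Acct-Session-Id missing")
    for t in sorted(FORBIDDEN & types):
        problems.append(f"attribute type {t} MUST NOT appear in Accounting-Request")
    return problems


if __name__ == "__main__":
    secret = b"a_secret"
    # What `echo User-Name = test1 | radclient ... acct a_secret` puts on the wire.
    bare = build_acct_request(167, [attr(USER_NAME, b"test1")], secret)
    print(len(bare), "bytes ->", validate_acct_request(bare, secret))
    full = build_acct_request(168, [attr(USER_NAME, b"test1"),
                                    attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
                                    int_attr(ACCT_STATUS_TYPE, ACCT_START),
                                    attr(ACCT_SESSION_ID, b"0000001A")], secret)
    print(len(full), "bytes ->", validate_acct_request(full, secret))
```

The bare packet comes out at 27 bytes, which matches the `length=27` in the debug output quoted earlier; a server that runs these checks first never reaches the code that crashed on it.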
newbie alert Freeradius, EAP-TTLS, and OpenSSL questions
Hello,

I'm trying to set up a radius server here in my office to permit WLAN
usage, and I really feel like I'm coming up against my limits of
understanding on the technologies involved. I've successfully compiled
yesterday's CVS release which include EAP-TTLS support, but I'm running
into some serious issues (most likely due to lack of clue on my part)
getting it working. The server is a Debian testing install, with openssl
compiled from source. The base station is a Linksys WRT-54G, although I
haven't gotten to the point where I think there's a problem there. Here's
my list of questions:

1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So far,
I've been unable to successfully create a cert that freeradius likes. In
the radiusd.conf file, there's an certificate_file argument, along with a
CA_file argument. My understanding of the reason for this is that with
EAP-TLS, authentication is done by certs alone - the user must have the
server cert's public key loaded, and the user must present a public key
signed by the CA. But with TTLS, the client cert does not appear to be a
requirement. Does that mean I can use a self-signed cert and not worry
about the CA_file, or do I still need to create both? And if so, does
anyone have a working openssl recipe to create these? So far I've been
unsuccessful in creating anything other than a self-signed key.

2. I think I'm missing some understanding when it comes to the differences
between authentication protocols (pap, mschap, etc) and authentication
mechanisms (users file, smbpasswd, sql, pam, etc). My ideal scenario is
for TTLS to use PAM (which authenticates based on md5 hashes in
/etc/shadow), allowing anyone with an account on the server running
radiusd to connect to the WLAN, but I'm not quite sure how the auth
protocol interacts with auth-types. I have DEFAULT Auth-Type := Pam in my
users file; do I need to do anything further depending on the auth
protocol I use inside the EAP-TTLS tunnel (pap, chap, etc)?

3. I'm really, really in the dark when it comes to the key distribution
mechanism. with EAP-TTLS and WPA, what system actually generates and
distributes the WPA key? Does the radius server handle that, or does it
only negotiate access and let the base station generate a random key? Is
there a knob in the config I need to set up for this?

Thank you in advance for your patience. I'm sure I'll have more questions
later.

Thanks,
-Chris
Re: newbie alert Freeradius, EAP-TTLS, and OpenSSL questions
> See scripts/CA.all

Ran this, and it appears that everything worked right up until the end,
when I got these errors:

Certificate is to be certified until Nov 20 23:34:06 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever -passout pass:whatever
23118:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
23119:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##\n'

##

tino:/usr/local/ssl/certs#

Any idea what's happening? This is OpenSSL 0.9.7c.

-C

> > 2. I think I'm missing some understanding when it comes to the
> > differences between authentication protocols (pap, mschap, etc) and
> > authentication mechanisms (users file, smbpasswd, sql, pam, etc). My
> > ideal scenario is for TTLS to use PAM (which authenticates based on
> > md5 hashes in /etc/shadow),
>
> Huh? Why not just use 'System' authentication?
>
> > I have DEFAULT Auth-Type := Pam in my users file; do I need to do
> > anything further depending on the auth protocol I use inside the
> > EAP-TTLS tunnel (pap, chap, etc)?
>
> CHAP won't work with passwords from /etc/passwd. See the FAQ.
>
> > 3. I'm really, really in the dark when it comes to the key
> > distribution mechanism. with EAP-TTLS and WPA, what system actually
> > generates and distributes the WPA key? Does the radius server handle
> > that,
>
> Yes.
>
> > Is there a knob in the config I need to set up for this?
>
> No.
>
> Alan DeKok.
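A note on the first line of that failure, which both reports of the CA.all breakage share. `TXT_DB error number 2` is `openssl ca` refusing to add a row to its database (demoCA/index.txt) because an equal entry already exists; with the default `unique_subject = yes` in openssl.cnf that means a valid certificate with the same subject DN was already issued (typically from an earlier run of the script against the same demoCA, or a server DN that duplicates an earlier one). Every later step then operates on the empty newcert.pem, which is why the pkcs12 and x509 commands fail too. The code below is an added example, not part of CA.all or OpenSSL: it parses index.txt and reports whether signing a given subject would collide, so the check can be made before running the script. The index.txt content is constructed.

```python
"""Read openssl ca's index.txt and tell whether a subject DN would collide
under unique_subject = yes.  Added example, not OpenSSL or CA.all code;
the sample database content is constructed."""

# Constructed demoCA/index.txt: status, expiry, revocation date, serial,
# file name, subject DN, tab-separated (the format openssl ca writes).
SAMPLE_INDEX = (
    "V\t041124004241Z\t\t01\tunknown\t/C=US/ST=Illinois/O=Example/CN=Example CA\n"
    "V\t041124004241Z\t\t02\tunknown\t/C=US/ST=Illinois/O=Example/CN=radius.example.com\n"
    "R\t041124004241Z\t031124190000Z\t03\tunknown\t/C=US/ST=Illinois/O=Example/CN=old.example.com\n"
)


def parse_index(text):
    """Return one dict per row; a row with the wrong field count is an error,
    not something to guess about, since openssl ca would choke on it too."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"unexpected index.txt row: {line!r}")
        status, expiry, revoked, serial, fname, subject = fields
        rows.append({"status": status, "expiry": expiry, "revoked": revoked,
                     "serial": serial, "file": fname, "subject": subject})
    return rows


def conflicting_serials(rows, subject):
    """Serials of still-valid (V) certificates with exactly this subject DN.
    Non-empty means `openssl ca` will fail with TXT_DB error number 2."""
    return [r["serial"] for r in rows if r["status"] == "V" and r["subject"] == subject]


def would_conflict(rows, subject):
    return bool(conflicting_serials(rows, subject))


if __name__ == "__main__":
    rows = parse_index(SAMPLE_INDEX)
    for dn in ("/C=US/ST=Illinois/O=Example/CN=radius.example.com",
               "/C=US/ST=Illinois/O=Example/CN=old.example.com",
               "/C=US/ST=Illinois/O=Example/CN=new.example.com"):
        print(dn, "->", conflicting_serials(rows, dn) or "ok to sign")
```

The ways out are the ones the database implies: start from a fresh demoCA, revoke the earlier certificate, give the new certificate a different subject, or set `unique_subject = no` in the CA section of openssl.cnf if you really want two live certificates for one DN.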
Re: FreeRADIUS 0.9.2 Tunnel-Password attribute Handling Vulnerability
At 07:32 AM 11/20/2003, S-Quadra Security Research^WSpammers wrote:
> Topic: FreeRADIUS 0.9.2 Tunnel-Password attribute Handling Vulnerability
> Severity: Average
> Release date: 20 Nov 2003
>
> 1. DESCRIPTION
>
> The FreeRADIUS Server (http://www.freeradius.org) is a high-performance
> and highly configurable GPL'd free RADIUS server. There exists a
> security vulnerability in FreeRADIUS up to 0.9.2, which may allow an
> attacker to mount a Denial of Service attack or possibly execute an
> arbitrary code (unproved).
>
> 2. DETAILS
>
> Access-Request packet with a malformed Tunnel-Password attribute triggers
> the invocation of memcpy() with a negative third argument, thereby
> causing radiusd to crash. Below is the snip of vulnerable code from
> src/lib/radius.c:
>
> To exploit this vulnerability attacker does not need to know NAS (Network
> Access Server) secret as the NAS's IP address can be easily spoofed. The
> code execution was unproved, but still remains possible.

Right, so you have no sample code, nor much of an understanding how radius
works, apparently.

> 3. FIX INFORMATION
>
> S-Quadra alerted FreeRADIUS team to this issue on 20th November 2003.

Uhhh, that's not a fix in my book. And it would have been better to post
to the -devel list, rather than -users, since *gasp* the developers are
more likely to be found on the *developers* list. Oh, but then you couldn't
have broadcast your not so cleverly disguised solicitation for business.
My bad.

> 5. ABOUT
>
> It's unique, creative and innovative - just like the security services
> we bring to our clients.

Go hawk for customers somewhere else, please. KTHX.

-Chris
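The attribute the advisory is about, as an added example that is not FreeRADIUS code and does not reproduce the 0.9.2 code path. Tunnel-Password (RFC 2868 section 3.5) is a tag octet, a two-octet salt with its high bit set, and the password encrypted in 16-octet blocks with an MD5 keystream chained on the previous ciphertext block; the first plaintext octet is the password length. That length is attacker-controlled on the wire, so a decoder has to check it against the octets actually present before copying anything. The secret, Request Authenticator and salt below are constructed.

```python
"""Tunnel-Password (RFC 2868 s3.5) encode/decode with the length check that
a decoder needs before slicing on an attacker-supplied value.
Added example, not FreeRADIUS code; all key material is constructed."""
import hashlib
import os


def _keystream_block(secret, request_auth, salt, prev_cipher):
    """b1 = MD5(S + R + A); bi = MD5(S + c(i-1)) for the following blocks."""
    if prev_cipher is None:
        return hashlib.md5(secret + request_auth + salt).digest()
    return hashlib.md5(secret + prev_cipher).digest()


def encode_tunnel_password(password, secret, request_auth, tag=0, salt=None):
    """Return the attribute value: Tag | Salt | encrypted (length-prefixed, padded)."""
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([0x80 | rnd[0], rnd[1]])  # most significant bit MUST be 1
    plain = bytes([len(password)]) + password
    plain += bytes(-len(plain) % 16)           # pad to a multiple of 16 octets
    out, prev = b"", None
    for i in range(0, len(plain), 16):
        block = _keystream_block(secret, request_auth, salt, prev)
        cipher = bytes(p ^ k for p, k in zip(plain[i:i + 16], block))
        out += cipher
        prev = cipher
    return bytes([tag]) + salt + out


def decode_tunnel_password(value, secret, request_auth):
    """Return (tag, password); raise ValueError for anything malformed."""
    if len(value) < 3 + 16 or (len(value) - 3) % 16:
        raise ValueError("Tunnel-Password value must be 3 + n*16 octets")
    tag, salt, data = value[0], value[1:3], value[3:]
    if not salt[0] & 0x80:
        raise ValueError("salt high bit must be set")
    plain, prev = b"", None
    for i in range(0, len(data), 16):
        block = _keystream_block(secret, request_auth, salt, prev)
        plain += bytes(c ^ k for c, k in zip(data[i:i + 16], block))
        prev = data[i:i + 16]
    length = plain[0]
    if length > len(plain) - 1:
        # The claimed length is larger than what was decrypted: reject instead
        # of computing a size that goes negative in a copy.
        raise ValueError(f"claimed length {length} exceeds {len(plain) - 1} octets present")
    return tag, plain[1:1 + length]


def try_decode(value, secret, request_auth):
    """None for a malformed attribute, otherwise (tag, password)."""
    try:
        return decode_tunnel_password(value, secret, request_auth)
    except ValueError:
        return None


if __name__ == "__main__":
    secret, ra = b"s3cret", bytes(range(16))   # constructed
    enc = encode_tunnel_password(b"hunter2", secret, ra, tag=0, salt=b"\x80\x01")
    print(enc.hex(), "->", decode_tunnel_password(enc, secret, ra))
    # Flip bits in the first ciphertext octet: the decrypted length becomes 0xFF.
    forged = enc[:3] + bytes([enc[3] ^ 0xF8]) + enc[4:]
    print("forged ->", try_decode(forged, secret, ra))
```

Because the first keystream block depends only on the secret, the Request Authenticator and the salt, an attacker who cannot decrypt the value can still drive the length octet to any value by flipping bits in the first ciphertext octet, which is exactly why the bounds check has to happen after decryption and before any copy.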
Re: reject auth after exec
At 12:44 PM 11/20/2003, Rob Genovesi wrote:
> I tried this one earlier Non-zero exit code seems to return an Exec
> module failed message and then does not seem a valid response to the
> Radius client.
>
> Exec-Program: returned: 255
> rlm_exec (getstatus): External script failed

What does the module 'return'? Can you include some of the radius debug
that includes the call to this module?

Have you tried having the program print 'Auth-Type := Reject' to stdout?

> In this case getstatus was a simple shell script that did nothing but
> exit 255. I would prefer to exit with a valid radius response including
> a Reply-Message.

You can configure the server where to place the 'reply' from the program in
one of the following data lists:

        #
        #  The attributes which are placed into the
        #  environment variables for the program.
        #
        #  Allowed values are:
        #
        #       request         attributes from the request
        #       config          attributes from the configuration items list
        #       reply           attributes from the reply
        #       proxy-request   attributes from the proxy request
        #       proxy-reply     attributes from the proxy reply
        #
        #  Note that some attributes may not exist at some
        #  stages.  e.g. There may be no proxy-reply
        #  attributes if this module is used in the
        #  'authorize' section.
        #
        input_pairs = request

        #
        #  Where to place the output attributes (if any) from
        #  the executed program.  The values allowed, and the
        #  restrictions as to availability, are the same as
        #  for the input_pairs.
        #
        output_pairs = reply

So, by default, it will place the reply pairs into the reply, you may want
it to go to config or request, in order to affect the accept or reject
status.

-Chris
Re: tunneling
> From dictionary.tunnel...
>
> ATTRIBUTE Tunnel-Type 64 integer has_tag
>
> what is mean by has_tag??
>
> I'm currently working on RADIUS - MPLS-VPN project, and from example
> given by cisco.. Some of attributes needed for doing L2TP tunnelling are
> as below:
>
> Tunnel-Type = :1:L2TP
> Tunnel-Medium-Type = :1:IP
> Tunnel-Server-Endpoint = :1:172.21.9.13
>
> So what is :1 from :1:L2TP means ??

The :1 is the tag, and the has_tag portion of the dictionary definition you
refer to above informs the RADIUS software that it should expect (or append
when necessary) certain characters as part of the attribute. From the RFCs
included in the 'rfc' sub-directory of the 'doc' directory of the
FreeRADIUS source code:

   Tag

      The Tag field is one octet in length and is intended to provide a
      means of grouping attributes in the same packet which refer to the
      same tunnel. Valid values for this field are 0x01 through 0x1F,
      inclusive. If the value of the Tag field is greater than 0x00 and
      less than or equal to 0x1F, it SHOULD be interpreted as indicating
      which tunnel (of several alternatives) this attribute pertains;
      otherwise, the Tag field SHOULD be ignored.

The tags mean nothing to the RADIUS server itself; the definition above is
explaining how the NAS is going to use/interpret the Tag. As well, I'm not
sure which RADIUS server that syntax (e.g. Tunnel-Type = :1:L2TP) is
correct for, but for FreeRADIUS the attributes should be configured as
follows:

Tunnel-Password:0 = ,
Tunnel-Medium-Type:0 = IP,
Tunnel-Type:0 = L2TP,
Tunnel-Server-Endpoint:0 = xxx.xxx.xxx.xxx

HTH,
Chris Brotsos
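Both tunnel threads on this page (the reply just above, and the later one explaining that FreeRADIUS parses the native `ATTR:TAG = VALUE` form as well as the Merit `ATTR = :TAG:VALUE` form) come down to the same wire encoding from RFC 2868: the tag octet sits first in the attribute value, an integer then occupies the remaining three octets so the attribute stays six octets long, and a string simply follows the tag. The code below is an added example, not FreeRADIUS code; it accepts either textual syntax (with the trailing commas the examples use), enforces the 0x00 to 0x1F tag range, and encodes the result with a dictionary subset constructed from RFC 2868's values for Tunnel-Type and Tunnel-Medium-Type.

```python
"""Parse tagged tunnel attributes in native or Merit syntax and encode them
per RFC 2868.  Added example, not FreeRADIUS code; the dictionary below is a
constructed subset of the RFC 2868 values."""
import re
import struct

# Attribute number, type, and named values (RFC 2868).
DICT = {
    "Tunnel-Type":            (64, "integer", {"PPTP": 1, "L2F": 2, "L2TP": 3}),
    "Tunnel-Medium-Type":     (65, "integer", {"IP": 1, "IPv6": 2}),
    "Tunnel-Server-Endpoint": (67, "string", None),
}
NATIVE = re.compile(r"^\s*([\w-]+)(?::(\d+))?\s*=\s*(.*?)\s*$")  # ATTR[:TAG] = VALUE
MERIT = re.compile(r"^:(\d+):(.*)$")                              # VALUE is :TAG:VALUE


def parse_pair(text):
    """Return (attribute, tag, value) from either syntax; an absent tag is 0."""
    m = NATIVE.match(text.rstrip(","))
    if not m:
        raise ValueError(f"cannot parse {text!r}")
    name, tag, value = m.group(1), m.group(2), m.group(3)
    mm = MERIT.match(value)
    if mm:                      # Merit form: the tag travels with the value
        if tag is not None:
            raise ValueError("tag given on both attribute and value")
        tag, value = mm.group(1), mm.group(2)
    tag = int(tag) if tag is not None else 0
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return name, tag, value


def encode_tagged(name, tag, value):
    """Wire form: Type, Length, Tag, then a 24-bit integer or the string."""
    num, kind, names = DICT[name]
    if kind == "integer":
        n = names[value] if value in names else int(value)
        if not 0 <= n < 1 << 24:
            raise ValueError("tagged integer must fit in 24 bits")
        payload = struct.pack("!I", n)[1:]
    else:
        payload = value.encode()
    body = bytes([tag]) + payload
    return struct.pack("!BB", num, len(body) + 2) + body


def encode_profile(lines):
    """Encode a whole reply profile, one attribute per line, into wire bytes."""
    return b"".join(encode_tagged(*parse_pair(line)) for line in lines)


if __name__ == "__main__":
    merit = ["Tunnel-Type = :1:L2TP", "Tunnel-Medium-Type = :1:IP",
             "Tunnel-Server-Endpoint = :1:172.21.9.13"]
    native = ["Tunnel-Type:1 = L2TP,", "Tunnel-Medium-Type:1 = IP,",
              "Tunnel-Server-Endpoint:1 = 172.21.9.13"]
    print(encode_profile(merit).hex())
    print("same bytes from native syntax:", encode_profile(merit) == encode_profile(native))
```

Tunnel-Password is deliberately left out: it carries the tag the same way but its value is salt-encrypted, which is a separate piece of work from the tagging shown here.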
Re: Can this be done first time user
At 03:28 PM 11/19/2003, Michael Shanafelt wrote:
> Hello everyone,
>
> I've never used FreeRadius before. I think I successfully installed it
> on RedHat and it seems to start up OK. I added my windows XP IP address
> in the clients file along with a key; added the same IP address, short
> name, and portslave as the type; and uncommented the 3 lines in the
> radiusd.conf file for password, shadow, and group. I'm using a utility
> on my XP box called NTRadPing Test Utility to see if the radius server
> responds. So far, I'm not getting any responses, just the no response
> from server error. This is my first time messing with a RADIUS server.
> Does anyone see a step that I missed?

Run the server in debugging mode:

        radiusd -x -x -x

to see what the server is doing.

Try using the 'radtest' utility that comes with FreeRADIUS.

Make sure radius is listening on the same ports you are sending to. A
common problem is for one side to be using 1645/1646 and the other side
to be using 1812/1813. ( Historically, radius used 1645/1646, but then
was found to be in conflict on the assigned ports, and moved to 18

> Also, the reason I'm doing this is to build a list of MAC addresses
> that are allowed to associate with our several wireless access points.
> Right now, each one has a static list of valid MAC addresses, and when
> we get a new employee, we have to go to each one and enter the MAC
> address. From what I read, a RADIUS server can be set up so that we can
> centralize this list. Is this a correct assumption?

Yes. Depending on the AP, the MAC addresses are sent as the User-Name.
The best thing to do, IMHO is to get one of the AP's pointed at the FR
server, and run radius in debug mode so that you can see what the AP is
sending to the Radius server. From there, you should be able to figure
out what entries you'll need to add in the 'users' file to authenticate
the users.

-Chris
Re: Documentation Suggestion
At 11:31 AM 11/18/2003, Tim Snape wrote:
> Has anyone considered approaching Tim O'Reilly to do a dedicated
> FreeRadius book. The existing Radius title is ok as far as it goes and
> the two freeradius chapters are a plus but IMO it does not go far
> enough. I would have thought that FreeRadius deserves to have its own
> creature. Since Jonathon Hassel's book features a mollusc, I'd suggest
> an octopus (a higher order marine species).

He ( Jonathon ) is on the list ( or was in the past ). I'm sure as FR
approaches 1.0 it would be worth considering a Rev 2 on the Radius book.
Right now it is still in a semi flux state, so it would be worth waiting
a bit longer before updating the book, IMHO.

There is a lot of stuff that FR does now that it didn't then,
particularly in the LEAP/PEAP/TLS area that could serve to be covered, as
many people are starting to use RADIUS to provide authentication for the
LAN and WLAN environments.

I for one would certainly be willing to assist with an update/addition to
the book. :)

-Chris
Re: OSX Installation Using Mysql
At 12:56 PM 11/18/2003, Andreas Wolf wrote:
> On Nov 18, 2003, at 8:09 AM, Alan DeKok wrote:
>> Andreas Wolf [EMAIL PROTECTED] wrote:
>>> see http://homepage.mac.com/andreaswolf/public/freeradius_installer.html
>>> for the diffs. The modifications are minor.
>>
>> I'm not sure why patch #1 is necessary. Which C files have problems
>> with the sha1.h file?
>
> a lot of people have reported a parser error before mk when compiling
> snapshots from last week. I found the same thing. 'uint8_t' did not seem
> to be defined when it parsed sha1.h. Maybe it's fixed now, haven't tried
> newer snapshots.
>
>> Patch #3 was addressed (I thought) by changes to ttls.c on Nov. 6.
>
> I saw your check-in but I still got an error (Diameter Attribute
> overflows packet!). However, by examining the tunneled attributes the
> data seemed to be correct. I think 'data_len' needs to be adjusted when
> the padding (rounding up to the nearest 4 byte boundary) is in effect.
> I think in this case 'data_len length' is true.
>
> I can work with you directly if you need access to a MacOS X machine. I
> don't know how I could give you access to the supplicant, though.

I can play with it, I've got a panther box here. Let me take a look and
see what I can dig up. What options are you passing to ./configure?

-Chris
Re: OSX Installation Using Mysql
At 12:56 PM 11/18/2003, Andreas Wolf wrote:
> On Nov 18, 2003, at 8:09 AM, Alan DeKok wrote:
>> Andreas Wolf [EMAIL PROTECTED] wrote:
>>> see http://homepage.mac.com/andreaswolf/public/freeradius_installer.html
>>> for the diffs. The modifications are minor.
>>
>> I'm not sure why patch #1 is necessary. Which C files have problems
>> with the sha1.h file?
>
> a lot of people have reported a parser error before mk when compiling
> snapshots from last week. I found the same thing. 'uint8_t' did not seem
> to be defined when it parsed sha1.h. Maybe it's fixed now, haven't tried
> newer snapshots.

Nope, current CVS load pukes at line 34 of src/include/sha1.h:

        /*
         *  FIPS 186-2 PRF based upon SHA1.
         */
        extern void fips186_2prf(uint8_t mk[20], uint8_t finalkey[160]);

-Chris
RE: Documentation Suggestion
At 02:14 PM 11/18/2003, Anson Rinesmith wrote:
> What's the best online place for documentation of actual FR? I for one
> still don't know what the difference is between := and == in my sql
> database

This is explained in pretty good detail in 'doc/rlm_sql', which is part
of the source distribution.

-Chris
Re: OSX Installation Using Mysql
At 02:41 PM 11/18/2003, Alan DeKok wrote:
> Chris Parker [EMAIL PROTECTED] wrote:
>> Nope, current CVS load pukes at line 34 of src/include/sha1.h:
>
> Ok, but which C file?

src/lib/sha1.c:12

> Everything which uses sha1.h SHOULD include sys/types.h, first.

And it does include sys/types.h on line 10. Seems OSX doesn't have
'uint8_t' defined. It *does* however seem to have 'u_int8_t' defined.

Changing uint8_t to u_int8_t passed compilation without errors.

> uint8_t is defined in ISO/IEC 9899:1990. u_int8_t is not.

Thanks Apple. :)

-Chris
Re: OSX Installation Using Mysql
At 04:16 PM 11/18/2003, Alan DeKok wrote:
> Chris Parker [EMAIL PROTECTED] wrote:
>> And it does include sys/types.h on line 10. Seems OSX doesn't have
>> 'uint8_t' defined. It *does* however seem to have 'u_int8_t' defined.
>
> See: src/include/autoconf.h
>
> If uint8_t isn't defined, that header file defines it. So sha1.c
> probably doesn't include autoconf.h.
>
> types
>
> OK, that should fix it. Try 'cvs update src/lib/sha1.c'

Nope. Same error. And I've verified sha1.c is including autoconf.h.
config.log seems to indicate it passed the check.

Digging further, it appears the test program includes stdint.h, which
'sha1.c' doesn't. I've been told that stdint.h defines uint8_t on OS X.

So it looks like sha1.c should include:

        #ifdef HAVE_STDINT_H
        #include <stdint.h>
        #endif

-Chris
Re: RADIUS-Header ID disabled during processing?
At 12:04 PM 11/17/2003, Enrico Starke wrote:
> Hi everyone,
>
> I need to know if the NAS blocks a REQUEST-ID for the time of
> processing this request, or is it possible that 2 identical ids are
> used from one NAS at the same time for different REQUESTs.

Request-ID is 1 octet. It can/will roll-over pretty quickly, especially
on the dense NAS you have today. For this reason there are other methods
used to identify distinct radius packets from the same NAS, such as the
16 octet Request-Authenticator, which is per the RFC uniquely generated
for each distinct session.

Additionally, the RFC says this about the Identifier field:

http://www.freeradius.org/rfc/rfc2865.html

Section 3. Packet Format

   Identifier
      The Identifier field is one octet, and aids in matching requests
      and replies.  The RADIUS server can detect a duplicate request if
      it has the same client source IP address and source UDP port and
      Identifier within a short span of time.

-Chris
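To make the duplicate-detection rule quoted from RFC 2865 concrete, here is an added example (not from the post, and not how FreeRADIUS itself implements it) that keys on (client IP, source UDP port, Identifier) within a short window and falls back on the 16-octet Request Authenticator to tell a retransmission apart from a new request whose one-octet Identifier has merely rolled over. The window length and the packets are constructed for illustration.

```python
"""Added example: RFC 2865 section 3 duplicate detection over constructed packets.
Not from the mailing-list post; the 5-second window is an illustrative value."""
import struct

ACCESS_REQUEST = 1
DUP_WINDOW_SECONDS = 5.0  # constructed value, not a FreeRADIUS timer


def build_request(identifier, authenticator, attributes=b""):
    """Minimal RADIUS header: Code, Identifier, Length, Request Authenticator.
    The Identifier is one octet, so a busy NAS wraps it after 256 requests."""
    if not 0 <= identifier <= 255:
        raise ValueError("Identifier is one octet")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    length = 20 + len(attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attributes


def parse_header(packet):
    """Return (code, identifier, length, authenticator) from a RADIUS packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    return code, identifier, length, packet[4:20]


class DuplicateDetector:
    """Tracks unfinished requests by (client IP, source port, Identifier)."""

    def __init__(self, window=DUP_WINDOW_SECONDS):
        self.window = window
        # key -> (Request Authenticator, time first seen)
        self.seen = {}

    def classify(self, client_ip, src_port, packet, now):
        """'new'       : nothing outstanding under this key
           'duplicate' : same key and same Request Authenticator (a retransmit)
           'conflict'  : same key but a different Request Authenticator, i.e. the
                         NAS reused a rolled-over Identifier for a new request"""
        _, identifier, _, authenticator = parse_header(packet)
        key = (client_ip, src_port, identifier)
        # Drop entries older than the window before looking up the key.
        self.seen = {k: v for k, v in self.seen.items() if now - v[1] <= self.window}
        entry = self.seen.get(key)
        if entry is None:
            self.seen[key] = (authenticator, now)
            return "new"
        if entry[0] == authenticator:
            return "duplicate"
        return "conflict"

    def finish(self, client_ip, src_port, identifier):
        """Forget a request once its reply has been sent."""
        self.seen.pop((client_ip, src_port, identifier), None)


if __name__ == "__main__":
    det = DuplicateDetector()
    pkt = build_request(228, bytes(range(16)))  # constructed authenticator
    print(det.classify("127.0.0.1", 1025, pkt, 0.0))  # new
    print(det.classify("127.0.0.1", 1025, pkt, 1.0))  # duplicate (retransmit)
```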
Re: cisco authorization through freeradius
At 12:28 PM 11/17/2003, Glen wrote:
> I am having trouble getting freeradius to return values to my cisco
> box. My goal is to be able to capture this data through tcl on the
> cisco. I can authenticate a call using information from radcheck, but
> the corresponding values (h323-credit-time) in radreply are not being
> sent.
>
> radreply
> +----+----------+------------------+----+-------+
> | id | UserName | Attribute        | op | Value |
> +----+----------+------------------+----+-------+
> | 11 | 12345    | h323-credit-time | =  | 10    |
> +----+----------+------------------+----+-------+

Is this a valid attribute? Or does this need to be encapsulated in a
Cisco-VSA attribute ala:

        id   UserName   Attribute   op   Value
        11   12345      Cisco-VSA   =    h323-credit-time=10

-Chris
Re: cisco authorization through freeradius
At 12:56 PM 11/17/2003, Glen wrote:
> I tried this configuration as recommended, to no avail.
>
>         id   UserName   Attribute   op   Value
>         11   12345      Cisco-VSA   =    h323-credit-time=10
>
> Maybe I'm missing something; I'm expecting the value to show up in the
> debug output on either the cisco or the radius (-X). Or at least in the
> response from the radtest utility.

radiusd -x -x -x will show you the sql queries being executed. What
happens when you run them by hand?

-Chris
Re: cisco authorization through freeradius
At 01:58 PM 11/17/2003, Glen wrote:
> Fantabulous! I looked in dictionary.cisco, saw Cisco-AVPair as the
> attribute name. It seems everything I read about VSA AV-Pairs is
> starting to click.
>
> For those finding this message in a search, the following works in
> FreeRadius v0.91:
>
>         id   UserName   Attribute      op   Value
>         11   12345      Cisco-AVPair   =    h323-credit-time=10

Ahh, that's what I get for trusting my memory rather than checking the
dictionary. Glad it pointed you in the correct direction. :)

> Thank you very much Chris!

You are welcome.

-Chris
Re: Status...
At 09:31 AM 11/13/2003, Jeff Murphy wrote:
> On Mon, 2003-11-10 at 09:47, Alan DeKok wrote:
>> Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
>>> Hopefully in 1.0 release, rlm_ldap can work...
>
> as an aside, I've emailed the list twice regarding rlm_sql's apparent
> inability to work with huntgroups. i'm willing to do the work myself to
> add the functionality, but i want to confirm that my diagnosis is
> correct before spending time on it.
>
> is there someone who is specifically responsible for maintenance of
> rlm_sql? alan?

I'm listed as the maintainer on bugs.freeradius.org. So I guess that is
me. :)

What isn't working wrt to huntgroups and sql? A quick summary/example
would be appreciated. I apologize for not responding to your earlier
posts.

Since this is more a -devel question, it might be better to move the
request over to that list since this is more of a -devel topic.

-Chris
Re: Status...
At 10:26 AM 11/13/2003, Chris Parker wrote:
> At 09:31 AM 11/13/2003, Jeff Murphy wrote:
>> On Mon, 2003-11-10 at 09:47, Alan DeKok wrote:
>>> Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
>>>> Hopefully in 1.0 release, rlm_ldap can work...
>>
>> as an aside, I've emailed the list twice regarding rlm_sql's apparent
>> inability to work with huntgroups. i'm willing to do the work myself
>> to add the functionality, but i want to confirm that my diagnosis is
>> correct before spending time on it.
>>
>> is there someone who is specifically responsible for maintenance of
>> rlm_sql? alan?
>
> I'm listed as the maintainer on bugs.freeradius.org. So I guess that
> is me.

Oops, I lied. Kostas is listed as the primary maintainer for the rlm_sql
module. But several of the developers would be able to review the
problem.

Carry on, nothing to see here. :)

-Chris
Re: Developing RADIUS applications
At 11:41 AM 11/13/2003, German Viera wrote:
> HI
>
> I would like to develop my own RADIUS application, acting as a radius
> server. I would like to know if there is some library of freeradius or
> someone has already developed something similar (for accounting ) that
> could help me in the development process.

The FreeRADIUS core routines are put into a 'libradius' library, which
the server calls to perform the functions. You can look at ./src/lib/ to
see what radius functions are in the lib.

What are you needing to create a new RADIUS server application for that
the current server cannot perform?

-Chris
Re: MySQL NAS-IP restriction by negative match
At 01:23 PM 11/13/2003, Peter LaForest wrote:
> Hello All,
>
> Using 0.9.1 with MySQL. I have found an abundance of documentation
> about enforcing restrictions using positive NAS-IP matches. This works
> fine, ie:
>
> radgroupcheck
>   id   GroupName   Attribute   Value         Op
>   1    test        NAS-IP      10.10.10.10   ==
>
> will only allow logons from members of group test from the NAS at
> 10.10.10.10. But what if I want to allow test users to logon to any
> NAS-IP BUT 10.10.10.10? I have used VOP RADIUS and I can use
> !10.10.10.10 as a value to mean NOT 10.10.10.10. Is there similar
> syntax for freeRADIUS?

You should review the ./doc/rlm_sql file for more information on what
you can use for the different 'Op' values.

-- snip --

        !=      Attribute != Value

                As a check item, matches if the given attribute is in the
                request, AND does not have the given value. Not allowed
                as a reply item.

-- snip --

I believe that will be what you want. There are others as well,
including regular expression Operators that you can use.

You should also ensure that your 'Attribute' is a valid FreeRADIUS
attribute. NAS-IP is not in the stock dictionary. NAS-IP-Address is, and
is probably what you meant.

-Chris
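The check-item operator semantics quoted from doc/rlm_sql above are easy to get wrong in one respect: every check operator, != included, first requires the attribute to be present in the request. The added example below (not from the post or from rlm_sql; the rows, request and the ==, !=, =~ and !~ handling are constructed here to follow the quoted wording) evaluates radgroupcheck rows against a request so that the NAS-IP-Address != 10.10.10.10 case and its edge cases can be checked.

```python
"""Added example: evaluating rlm_sql-style check items against a request.
Constructed for illustration; follows the operator descriptions quoted above,
not the server's own paircmp() code."""
import re


def check_item_matches(request, attribute, op, value):
    """Evaluate one check item. `request` maps attribute name -> list of values.
      ==  attribute present AND has the value
      !=  attribute present AND does not have the value
      =~  attribute present AND some value matches the regex
      !~  attribute present AND no value matches the regex"""
    values = request.get(attribute)
    if not values:
        # All check operators need the attribute in the request; a request
        # without NAS-IP-Address fails even a != check.
        return False
    if op == "==":
        return value in values
    if op == "!=":
        return value not in values
    if op == "=~":
        return any(re.search(value, v) for v in values)
    if op == "!~":
        return not any(re.search(value, v) for v in values)
    raise ValueError(f"unsupported check operator {op!r}")


def group_check_passes(request, rows):
    """All radgroupcheck rows for a group must match (logical AND)."""
    return all(check_item_matches(request, attr, op, val) for attr, op, val in rows)


# Constructed radgroupcheck rows: the 'any NAS but 10.10.10.10' rule from the
# question, written with the != operator and the real attribute name.
GROUP_TEST_ROWS = [("NAS-IP-Address", "!=", "10.10.10.10")]

# Constructed requests.
REQUEST_OTHER_NAS = {"User-Name": ["alice"], "NAS-IP-Address": ["10.10.10.11"]}
REQUEST_BLOCKED_NAS = {"User-Name": ["alice"], "NAS-IP-Address": ["10.10.10.10"]}
REQUEST_NO_NAS_IP = {"User-Name": ["alice"]}


if __name__ == "__main__":
    for label, req in (("other NAS", REQUEST_OTHER_NAS),
                       ("blocked NAS", REQUEST_BLOCKED_NAS),
                       ("no NAS-IP-Address", REQUEST_NO_NAS_IP)):
        print(f"{label}: {group_check_passes(req, GROUP_TEST_ROWS)}")
```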
Re: Add Delete Modify Users
At 04:06 PM 11/13/2003, Sanjiv Thakor wrote:
> I am new to using this Radius Server so please bear with me.
>
> When I change a user's password in the users file or make some other
> change to the user's profile like change the Auth-Type from PAP to
> CHAP or something I have to restart the radius server. Is there a more
> dynamic way to do this?
>
> Thanks in advance.

You could send the server a HUP signal ( kill -HUP 12345 ). Or you could
run 'fastusers' which will periodically reread the 'users' file.

-Chris
Re: What is the best Flavor of Linux to use with FreeRadius?
At 10:02 AM 11/6/2003, Kristina Pfaff-Harris wrote:
> On Thu, 6 Nov 2003, Michael Melanson wrote:
>> I am new to linux as well as free radius. I am involved in a project
>> to create an open network architecture. I envision radius and eap to
>> accomplish this
>>
>> Please advise what is the best Linux to use with free radius
>
> Hi. I really agree with Thor Spruyt who said that you should install
> some distributions and see which one you feel most comfortable with.
> RedHat is going to more of a high-priced subscription version, so you
> may want to try out its free version, Fedora (http://fedora.redhat.com/)
> if your budget is a concern. Novell just bought SuSE Linux, so I'm not
> sure how that's going to pan out, support and price-wise. My favorite
> is Debian for various reasons including ease of install/upgrade and
> stability, but really, try out several, read the documentation, and
> see which one you like best.

My 2 cents worth, is take a look at Slackware. :)

> You might also consider trying OpenBSD or FreeBSD instead of a Linux
> distribution. There are some thread issues on Free/Open BSD at the
> moment I believe so you might not get the best performance out of
> FreeRADIUS on those systems.

The latest FreeBSD release adds some previously missing functions to
FreeBSD ( namely a working threadsafe get(host|name)by*_r() ). The work
to add that to the configure/build process has not been done yet however.

-Chris
RE: What is the best Flavor of Linux to use with FreeRadius?
At 02:44 PM 11/6/2003, Paul Hampson wrote:
>> From: Chris Parker
>> Sent: Friday, 7 November 2003 3:09 AM
>>
>> At 10:02 AM 11/6/2003, Kristina Pfaff-Harris wrote:
>>> You might also consider trying OpenBSD or FreeBSD instead of a Linux
>>> distribution. There are some thread issues on Free/Open BSD at the
>>> moment I believe so you might not get the best performance out of
>>> FreeRADIUS on those systems.
>>
>> The latest FreeBSD release adds some previously missing functions to
>> FreeBSD ( namely a working threadsafe get(host|name)by*_r() ). The
>> work to add that to the configure/build process has not been done yet
>> however.
>
> Do we have any details on that? I'd love to get at least _some_ version
> of FreeBSD working thread-safely...

http://lists.freebsd.org/pipermail/freebsd-hackers/2003-July/001859.html

This was forwarded by a friend who is a FreeBSD advocate when I
complained about the lack of thread-safeness ( and cross-platformness )
of the resolver libs on FreeBSD.

-Chris
Re: EAP types and TTLS..
Alan DeKok [EMAIL PROTECTED] wrote:
> Jack J [EMAIL PROTECTED] wrote:
>> Looking at FreeRadius0.9.2 version, also checked the mail archives, I
>> could not find this information, so hoping someone can share some
>> information.
>>
>> a) For TTLS -Client Authentication (inner tunnel realm):
>
> 0.9.2 doesn't support TTLS. The main web page makes this clear.
> Nothing in the 0.9.2 documentation or configuration files would make
> anyone think it supports TTLS.

Not to complain, but since the main webpage says the following:

   FreeRADIUS includes more than 40 vendor-specific dictionary files. It
   ships with support for LDAP, MySQL, PostgreSQL, Oracle databases. It
   supports EAP, with EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP, and Cisco
   LEAP sub-types.

with no qualifiers. It isn't until you read into the news that you learn
that -TTLS support is ONLY in the CVS snapshots.

Is the info there, yes. Is it clear, no.
bug...
radius_xlat: Running registered xlat function of module exec for string '/bin/echo Nas-Port-Id = 0'
rlm_exec (exec): Executing /bin/echo Nas-Port-Id = 0
radius_xlat: '/bin/echo Nas-Port-Id = 0'
Exec-Program: /bin/echo Nas-Port-Id = 0
Exec-Program output: Nas-Port-Id = 0
Exec-Program-Wait: value-pairs: Nas-Port-Id = 0
Segmentation fault (core dumped)

I have

        NAS-Port-Id = `%{exec:/bin/echo Nas-Port-Id = 0}`,

in the users file as well. Even though it may be wrong (I'm pretty sure
it is), FR shouldn't core IMHO...

PS: What would be the 'correct' return from the command?

--
me
Re: Proxy fail-over
At 09:58 PM 10/15/2003, you wrote:
> I tried to set the Radius server (0.9.1 on Red Hat 9) so it can do
> proxy. I use the sql module for authentication (mysql). I have two
> users, '[EMAIL PROTECTED]' and 'alex_chen', in the DB. I setup the
> proxy.conf like the following so that if the proxy server 192.168.1.12
> fails, it will try to authenticate locally. (Following the sample in
> proxy.conf for round-robin proxy.)
>
> proxy server {
>         synchronous = yes

From /path/to/src/radiusd/raddb/proxy.conf:

   If this [synchronous] is set to 'No', then we send the retries on our
   own schedule...

   If you want to have the server send proxy retries ONLY when the NAS
   sends its retries to the server, then set this to 'yes', and the other
   proxy configuration parameters to 0 (zero).

So, try setting synchronous to 'no' and see if you still have problems
with the failover.

HTH,
Chris

>         retry_delay = 5
>         retry_count = 3
>         dead_time = 120
>         default_fallback = yes
>         post_proxy_authorize = no
> }
>
> realm myhome.com {
>         type            = radius
>         authhost        = 192.168.1.12:1812
>         accthost        = 192.168.1.12:1813
>         secret          = testing123
> }
>
> #
> # The fail-over server
> #
> realm myhome.com {
>         type            = radius
>         authhost        = LOCAL
>         accthost        = LOCAL
> }
>
> But when I run the radius with -X flag, I got the following message:
>
> ..
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
>         User-Name = [EMAIL PROTECTED]
>         User-Password = alextest
>         NAS-IP-Address = 192.168.2.1
>         NAS-Port = 1
>         NAS-Port-Id = gateway
> modcall: entering group authorize
>   modcall[authorize]: module preprocess returns ok
>   rlm_eap: EAP-Message not found
>   modcall[authorize]: module eap returns noop
>     rlm_realm: Looking up realm myhome.com for User-Name = [EMAIL PROTECTED]
>     rlm_realm: Found realm myhome.com
>     rlm_realm: Adding Stripped-User-Name = alex_chen
>     rlm_realm: Proxying request from user alex_chen to realm myhome.com
>     rlm_realm: Adding Realm = myhome.com
>     rlm_realm: Preparing to proxy authentication request to realm myhome.com
>   modcall[authorize]: module suffix returns updated
> radius_xlat: 'alex_chen'
> ...
> ...
> modcall: group authorize returns updated
> Sending Access-Request of id 1 to 192.168.1.12:1812
>         User-Name = alex_chen
>         User-Password = alextest
>         NAS-IP-Address = 192.168.2.1
>         NAS-Port = 1
>         NAS-Port-Id = gateway
>         Proxy-State = 228
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
> Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1
> --- Walking the entire request list ---
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 224 with timestamp 3f8de7df
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
> Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
> Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
> Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
> Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
> Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
> Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
> Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
> Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
> Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1
>
> On the client side, I got the following message. (I use radclient to
> send the packets)
>
> Sending
>         User-Name = [EMAIL PROTECTED],
>         User-Password = alextest,
>         NAS-IP-Address = 192.168.2.1,
>         NAS-Port = 1,
>         NAS-Port-Id = gateway
> to /usr/local/bin/radclient -S secret_file
Re: Proxy and No such realm NULL
Josh,

I don't really deal with the NULL realm, so I'm not 100% sure of a
certain configuration option's actions with said realm, but you might
want to try setting 'wake_all_if_all_dead = yes' in the proxy.conf file.
Assuming that wake_all_if_all_dead works with the NULL realm, this would
at least help you test your hypothesis.

HTH,
Chris

At 10:57 AM 10/16/2003, you wrote:
> I have a proxy server configured to proxy to the NULL realm. This has
> worked fine until recently when it has started to silently drop RADIUS
> requests rather than forward them. The NAS does not receive any
> response and so rejects users.
>
> My hypothesis is that the RADIUS server it is proxying to becomes
> unresponsive temporarily, and so the proxy server marks it dead. Thus,
> when the next RADIUS requests comes along it has no server to proxy it
> to, thus it returns an error about the realm. Would this hypothesis be
> consistent with the No such realm NULL error?
>
> A possible flaw in this hypothesis is that the dead time is configured
> at ten minutes (dead_time = 600) yet the server continues to drop
> RADIUS packets beyond this time.
>
> I would be interested in any ideas or suggestions to fix this.
>
> many thanks,
>
> josh.
>
> --
> ---
> Josh Howlett, Networking Digital Communications,
> Information Systems Computing, University of Bristol, U.K.
> 'phone: 0117 928 7850  email: [EMAIL PROTECTED]
Re: Disconnecting a user
At 12:20 PM 10/14/2003, Joshua Ginsberg wrote:
> Hello -
>
> I've perused the archives for awhile, so I know this is decently dealt
> with, but hopefully my questions are new.
>
> snip
>
> Does anybody know how VOPRadius does this? Or does anybody know how
> this Ping of Death works and if FreeRadius can do this? Or does anybody
> know a simple, non-SNMP way to have a user disconnected?

No, if you don't have administrative access on the NAS, then there is no
way to disconnect a user.

Cisco ( and possibly a few others ) have developed a proprietary method
to disconnect users, that works by sending a radius packet to the NAS,
rather than an SNMP call. It is not enabled by default, and I do not
think that it would work in a proxy-radius/outsourced environment.

Your outsourced dialup provider may provide you with a method that would
allow you to disconnect users at your request, but it would require more
external checks than exist within radius, so it would be outside the
scope of what FreeRADIUS ( or any other server ) can do.

-Chris
Re: Disconnecting a user
At 12:48 PM 10/14/2003, Joshua Ginsberg wrote:
> First, thank you for responding.
>
>> No, if you don't have administrative access on the NAS, then there is
>> no way to disconnect a user.
>
> I've got to believe it is at least possible, given that VOPRadius can
> do this somehow. Perhaps I need to be inspecting closer how it does
> this and work on duplicating the process.

It can't. It is simply not possible, unless VOPRadius has administrative
access to the NAS.

-Chris
Re: Accounting trouble + proxy
At 08:18 AM 10/8/2003, Thomas MARCHESSEAU wrote:
> Hi all,
>
> I would like to know if there are any special tricks to have accthost
> working on freeradius 0.9.1 in proxy mode: My accounting requests are
> not forwarded by the proxy to my radius server.

What modules do you have enabled in the 'preacct' stanza of your config?

-Chris
Re: Weird username proxying bug?
At 10:45 AM 10/8/2003, Josh Howlett wrote:
> I am using freeradius (0.9) to proxy RADIUS packets. I have run into a possible bug. A username with a Windows domain prepended to the user in the format CC\\username gets proxied in the format C\\username; because the domain is CC the authentication fails:
>
> (irrelevant AVs snipped from log)
>
> rad_recv: Access-Request packet from host X:39872, id=112, length=153
>         User-Name = CC\\ujaa003
> ...
> Sending Access-Request of id 4 to 134.219.201.70:1812
>         User-Name = C\\ujaa003

You haven't removed some of the defaults from the server. IE, the 'hints' file. Try editing the hints file ( or commenting it out of your config from 'radiusd.conf' ).

-Chris
Re: Problem with Proxy
Allen,

You could try to put the following in the users file:

DEFAULT Realm =~ \.us$, Proxy-To-Realm += us
DEFAULT Realm =~ \.jp$, Proxy-To-Realm += jp

In proxy.conf you can put something like:

realm us {
        type            = radius
        authhost        = 123.123.234.234:1812
        accthost        = 123.123.234.234:1813
        secret          = authkey
        nostrip
}

realm jp {
        type            = radius
        authhost        = 123.123.234.235:1812
        accthost        = 123.123.234.235:1813
        secret          = authkey
        nostrip
}

Chris

On Mon, 2003-10-06 at 07:12, Allen Chung wrote:
> Hello~ I have a question about Proxy. I would like to
> 1. proxy realms which end with .us to serverATus.
> 2. proxy realms which end with .jp to serverATjp.
> What should I define in the proxy.conf? Thanks a lot...
Re: Can't log new attribs?
At 05:03 AM 10/7/2003, James Green wrote:
> Hi all, I've configured a Cisco to send through the Cisco-NAS-Port attribute during an accounting start query and stop query. I can see the attribute appear in our radius log files, but I can't get the new attribute into our mysql database. I added Cisco-NAS-Port as a column to the radacct_start table, and modified sql.conf thus:
> [snip]
> Restarted freeradius, dialled in, got logged in, but no logging occurred at all in mysql. Waited a bit, still nothing. Disconnected, edited the file back to original, restarted and then logs came through as normal (data was therefore being lost). Can someone point out what is wrong above, or what I am missing please?

Did you run the server in debug mode ( radiusd -x -x ) to see what it was doing? Did anything appear in the log files?

-Chris
RE: Two static IP's on One PVC
At 02:49 PM 10/2/2003, Ross Reed wrote:
> The following shows how to give the DSL router a static ip and ROUTE multiple static IPs to the customer
>
> staticexample2   Auth-Type = System, NAS-Port-Type = Virtual
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 192.168.1.2,
>         Framed-IP-Netmask = 255.255.255.255,
>         Framed-Route = "192.168.1.2/32 0.0.0.0 2",
>         Framed-Route = "192.168.1.3/32 0.0.0.0 2",
>         Framed-Routing = None,
>         Framed-Compression = Van-Jacobsen-TCP-IP

I believe you'll actually want to use += for the second 'Framed-Route' a/v pair, so that you get both a/v's sent back to the NAS.

-Chris
Re: Token pools and Tunnel Authorization.
At 06:52 PM 10/2/2003, Jack J wrote:
> Does 0.9.1 have support for token pools and layer 2 tunnel (PPTP, L2TP, ..) authorization ?

http://www.freeradius.org/features.html

> What is the roadmap for RADIUSv2 (DIAMETER) support ?

Uhhh, do you even have a clue what you are asking here? What do you think you need this to do?

-Chris
Re: freeradius send only one Ascend-IP-Pool-Definition
At 07:30 AM 9/26/2003, you wrote:
> Hi, please help. I want to send more than one IP-Pool-Definition to my ascend box. Freeradius sends only one of them.
>
> users-file:
>
> pools-Moritz    Auth-Type := Local, User-Password == secret
>         Service-Type = Dialout-Framed-User,
>         Ascend-IP-Pool-Definition = "1 111.111.100.129 70",
>         Ascend-IP-Pool-Definition = "2 111.111.101.0 32"

Use += for your operator
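The two replies above (the Framed-Route entry and the Ascend-IP-Pool-Definition entry) hinge on the same rule: in a users-file reply list `=` only adds an attribute that is not already present, so a second `=` on the same attribute is silently dropped, while `+=` always appends. The model below is an added example, not FreeRADIUS code; its parser covers only the entry layout shown in these two posts, and quotes are assumed around values containing spaces.

```python
"""Model of the FreeRADIUS users-file reply operators (=, :=, +=) and why a
repeated '=' sends only one instance of an attribute to the NAS.
Added example, not FreeRADIUS code; parser covers only the layout used above."""
import re

# Constructed from Ross Reed's entry above; the second Framed-Route uses '=' as posted.
ROSS_ENTRY = """\
staticexample2   Auth-Type = System, NAS-Port-Type = Virtual
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.1.2,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Route = "192.168.1.2/32 0.0.0.0 2",
        Framed-Route = "192.168.1.3/32 0.0.0.0 2",
        Framed-Routing = None,
        Framed-Compression = Van-Jacobsen-TCP-IP
"""

# Constructed from the Ascend pool entry above.
MORITZ_ENTRY = """\
pools-Moritz    Auth-Type := Local, User-Password == secret
        Service-Type = Dialout-Framed-User,
        Ascend-IP-Pool-Definition = "1 111.111.100.129 70",
        Ascend-IP-Pool-Definition = "2 111.111.101.0 32"
"""

# attribute, operator, value (quoted or a bare word up to the next comma/space)
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|\+=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_pairs(text):
    """Turn 'A = 1, B += "x y"' into [(attr, op, value), ...]; quotes are stripped."""
    return [(a, op, v.strip('"')) for a, op, v in PAIR_RE.findall(text)]


def parse_entry(text):
    """Split one users-file entry into (name, check_items, reply_items).
    First line: name plus check items; indented continuation lines: reply items."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    name, _, checks = lines[0].strip().partition(" ")
    return name, parse_pairs(checks), parse_pairs(" ".join(lines[1:]))


def apply_reply(reply_items):
    """Build the reply a/v list the way the users-file operators work:
    '='  adds only when the attribute is not already in the reply,
    ':=' replaces any existing instance (or adds one),
    '+=' always appends, so repeated attributes all reach the NAS,
    '==' is a check operator and contributes nothing to a reply."""
    reply = []
    for attr, op, val in reply_items:
        present = any(a == attr for a, _ in reply)
        if op == "=" and not present:
            reply.append((attr, val))
        elif op == ":=":
            reply = [(a, v) for a, v in reply if a != attr] + [(attr, val)]
        elif op == "+=":
            reply.append((attr, val))
    return reply


def values(reply, attr):
    """All values of one attribute in a built reply, in order."""
    return [v for a, v in reply if a == attr]


def lint_repeated_assignments(reply_items):
    """Attributes listed more than once with '=': all but the first are dropped."""
    seen, bad = set(), []
    for attr, op, _ in reply_items:
        if op == "=":
            if attr in seen and attr not in bad:
                bad.append(attr)
            seen.add(attr)
    return bad


def use_append_for_repeats(reply_items):
    """Rewrite the second and later '=' on the same attribute to '+=' (the fix advised above)."""
    seen, out = set(), []
    for attr, op, val in reply_items:
        if op == "=" and attr in seen:
            op = "+="
        seen.add(attr)
        out.append((attr, op, val))
    return out


if __name__ == "__main__":
    _, _, replies = parse_entry(ROSS_ENTRY)
    print("as posted:", values(apply_reply(replies), "Framed-Route"))
    print("with +=  :", values(apply_reply(use_append_for_repeats(replies)), "Framed-Route"))
```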
Re: rlm_attr_filter
At 10:50 AM 9/18/2003, Alan DeKok wrote:
> Pascal Séguy [EMAIL PROTECTED] wrote:
> > I am asking myself how rlm_attr_filter can work since it has only an 'authorize' method called before the realm stuff. Why is this module not called in the post-proxy section ?
>
> Because no one has supplied a patch to make it do that.

I have one, we use it internally here in 'post-proxy' and it works well. I'll commit that later today, so you can pull it in the latest CVS builds from tomorrow on.

-Chris
Re: Authenticating using LDAP module
At 12:22 PM 9/17/2003, Kostas Kalevras wrote:
> On Wed, 17 Sep 2003, Vishal Jose wrote:
> > Meanwhile in the server end (I'm adding all the log from server end)
> > $ radiusd -x
>
> Please use radiusd -X so that both debug levels are logged

To increase the debug level, simply add additional -x ( lower case ), as in 'radiusd -x -x'. The -X ( upper case ) flag has other side effects such as disabling threaded operation which may or may not be intended if you simply need more verbose logging to determine an issue.

-Chris
Re: postgresql and freeradius accounting problem
At 09:43 AM 9/10/2003, [EMAIL PROTECTED] wrote:
> hello list, i am just new to this list. i know igor chen is one of those i have seen posting some about postgresql and freeradius. i am having problem with postgresql and freeradius on its accounting. there seem to be no entries when i try radtest using ntradping. i am using postgresql 7.2.3 and freeradius 0.4 or the latest. my box is on freebsd 4.8.

Please consider upgrading, the latest release is 0.9.1. The version 0.4 is *very* *very* old and has many known bugs and memory leaks which are fixed in the current release.

-Chris
Re: Installation Error
At 10:26 AM 9/10/2003, [EMAIL PROTECTED] wrote:
> do you have a suggestion to resolve this issue?

If you don't need the rlm_mschap module, an easy fix would be to simply rm -rf the src/modules/rlm_mschap directory so that it doesn't build/install it.

-Chris
Re: postgresql and freeradius accounting problem
At 10:38 AM 9/10/2003, [EMAIL PROTECTED] wrote:
> sorry i made a mistake, i am using the latest snapshot for freeradius. but still i got errors on accounting. it doesn't insert any on the db when i try to use accounting start.

What does the debug output say? ( running the server 'radiusd -x -x' )

-Chris
Re: Installation Error
At 10:56 AM 9/10/2003, [EMAIL PROTECTED] wrote:
> well let me ask you if I would need that for a wireless radius server? I have not gotten to reading how to implement that specifically, I was just concentrating on getting the install complete so I could start the wireless stuff.

It depends highly on the wireless authentication that you need to support. Unless it specifically needs MSChap, you may not need it. It is hard to say as there are so many options/methods used by different wireless systems.

-Chris
Re: postgresql and freeradius accounting problem
At 12:12 PM 9/10/2003, [EMAIL PROTECTED] wrote:
> here are attached files.

Did you read the debug output? Your error and the reason for it are explained:

rlm_sql_postgresql: query: INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('2836', '3879d6b9c94adcc6', 'boggss', '', '10.10.80.23', '', '', '2003-09-11 00:12:19', '-1', '', '', '', '0', '0', '', '', '', '', '', '', '', '0')
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning SQL_DOWN
rlm_sql (sql): failed after re-connect
rlm_sql (sql): Couldn't update SQL accounting for START packet - ERROR: pg_atoi: zero-length string

You are 'faking' a start record with incomplete information. Send it a real start packet, or one with more complete information. IE, you need to include more information than just:

        User-Name = boggss
        Acct-Status-Type = Start
        Acct-Session-Id = 2836

-Chris
Re: compatibility / feature comparisons?
At 04:54 PM 9/8/2003, Chris Knipe wrote:
> Lo everyone, Just a bit of an informational question... Feature wise, compatibility wise, management wise... You know.. The full monty..

http://www.freeradius.org/features.html ( needs to have EAP/LEAP added )
http://www.open.com.au/radiator/technical.html

FreeRADIUS: Free Software, threaded, written in C
Radiator: Commercial Software, non-threaded, written in PERL

> How does FreeRadius compare against Radiator??

Dunno, you're asking this on a FreeRADIUS list. :) Obviously we're going to be biased. That being said, a multi-threaded C program should outperform a perl program doing the same tasks on an equivalent system.

-Chris
Re: Installation Error
At 12:12 PM 9/9/2003, [EMAIL PROTECTED] wrote:
> I am a new Linux admin, so pardon my stupid questions. I am trying to install FreeRadius and when I run the Make Install command I get an error that says smbencrypt does not exist followed by smbencrypt-install error 1

What type of system are you attempting to build this on? Also, what is the output of './configure' when you ran it? Without a bit more detail to narrow it down, it sounds to me like you are trying to build/link the 'rlm_smb' module, which unless you specifically are trying to build it, you probably don't need. Do you need the rlm_smb module for what you are doing?

> Adam Rothenberg
> Network Technician
> Palatine High School
> N. Rohlwing Rd.
> Palatine, IL 60074
> (847) 755-1764

Hey, you are just down the road! ( StarNet is on NW Hwy/First Bank Drive ).

-Chris
Re: Installation Error
At 12:25 PM 9/9/2003, [EMAIL PROTECTED] wrote:
> we use you guys for our district dial-in service. keep up the good work!

Cool. :)

> well, as I said I am new at this so I was trying to get a basic install working and go from there, but I am trying to setup authentication for a wireless LAN. Currently we don't have any encryption and I am trying to test some ideas and also try to learn some new apps when I am getting paid to.

Can you paste a few lines from around where you are getting this error during the build process? That'll help us nail down where in the build process it is failing, then we can start looking into why it isn't working for you.

-Chris
Re: freeradius crashes while using PAM
At 03:16 PM 9/9/2003, Christophe Dupre wrote:
> Searching the archives, I saw a mail about a similar problem back in June, but no follow-up... So, here's my problem. I'm running freeradius 0.9.1 (upgraded this morning) on a Solaris 9 machine. Authentication of local users works great using rlm_unix, but now we'd like to use LDAP auth through PAM.

Why not use LDAP directly? PAM has many issues, including known memory leaks ( in PAM, not FR ).

-Chris
compatibility / feature comparisons?
Lo everyone,

Just a bit of an informational question... Feature wise, compatibility wise, management wise... You know.. The full monty..

How does FreeRadius compare against Radiator??

--
me
Re: Pre-auth check of calling-id
Hi Tom,

I'm using this on a MaxTNT NAS. Maybe your NAS also supports it. From the MaxTNT:

IO-Admin> read answer
ANSWER-DEFAULTS read
IO-Admin> set clid-auth-mode ?
clid-auth-mode:
  Specifies how calling line identification (CLID) will be used for incoming call authentication.
  Enumerated field, values:
    ignore: Don't require a matching ID.
    clid-require: The CLID must be valid and match the value in the stored profile. If the profile also requires pap/chap/etc then do that in addition.
    clid-prefer: Authenticate using the CLID if provided by the telco switch, otherwise fall back to using the encapsulation protocol's authentication. If CLID authentication fails, refuse the call.
    clid-first: First authenticate using the CLID if provided by the telco switch. If CLID authentication fails, fall back to using the encapsulation protocol's authentication.
    clid-fallback: Authenticate using the CLID when RADIUS is available, otherwise fallback to using the encapsulation protocol's authentication.
    dnis-require: The Called # must be valid and match the value in the stored profile. If the profile also requires pap/chap/etc then do that in addition.
    dnis-pref: Authenticate using the Called # if provided by the telco switch, otherwise fall back to using the encapsulation protocol's authentication. If DNIS authentication fails, refuse the call.
    dnis-first: First authenticate using the Called # if provided by the telco switch. If Called # authentication fails, fall back to using the encapsulation protocol's authentication.

Regards,
Chris

On Fri, 5 Sep 2003, Tom Myren wrote:
> Hi
>
> I would like to have Freeradius proxy a request to a LDAP server that will check the calling-station-id against a white-list (check to see if we can bill that number). If this results in an accept, then the original request should be proxied to a home radius server. Another possibility would be to proxy the request in parallel and only allow the user if both proxy requests gave an accept response. Can this be done?
> If so, I will be grateful for any advice.
>
> Tom Myren
> NetCom AS
> Norway
RE: rlm_ippool feedback from CVS version
Well, it seems I've got it up and running now. I'm running today's cvs-snapshot. Because I'm testing it on a MaxTNT I also got the Ascend-hack set in the config. The results so far aren't very good: IPs aren't freed after calls are closed. In the radacct logging the start and stop records are logged. I'll try to get more info.

Regards,
Chris

On Thu, 2003-08-28 at 15:20, Chris van Meerendonk wrote:
> > Hi Paul, I can install a recent (cvs) version, but I'd like to know how to check
>
> This is gonna take some time. I installed rlm_ippool only from cvs (the rest is still 0.9.0 release), but my server is crashing with it. I'll let you know when I have something interesting.
>
> Chris
missing acct attributes
Lo all,

I'm doing VPN authentication with Free Radius, and use a lot of FreeBSD / PPPD processes to manage the VPNs in regards to actual connectivity. Obviously, freeradius is used for all authentication / accounting, and it is working pretty well... :)

I upgraded to .9 a while ago, and somewhere, there was more debug information added to the source. All of a sudden, I saw why certain things that didn't work on .8 didn't work... Unfortunately, after playing extensively with .9, I still can't seem to find a way to fix this.. So here goes.

FreeBSD's PPP Process sends this back to the radius server (acct start):

rad_recv: Accounting-Request packet from host 192.168.1.1:3969, id=223, length=149
        User-Name = [EMAIL PROTECTED]
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 10.255.254.215
        Framed-IP-Netmask = 255.255.255.255
        NAS-Identifier = my.nas.hostname
        NAS-Port-Type = Virtual
        Acct-Status-Type = Start
        Acct-Session-Id = [EMAIL PROTECTED]
        Acct-Multi-Session-Id =
        Acct-Delay-Time = 0
...

This is very interesting, and for many months looked more than fine to me. HOWEVER, Freeradius is now complaining (especially radutmp and rlm_ippool) that there is no NAS-Port-ID specified (which, I can COMPLETELY understand). The problem is, I cannot force PPPD to send this attribute - they are all hard coded by the FreeBSD Developers.

I have a huntgroup for all my authentication requests coming from these VPN based services, but still, I was unable to specify this acct attribute on a DEFAULT entry anywhere... Tried specifying in the huntgroups files, acct_users, and users file - with no luck. Which, I can also semi understand.

So the question really, is how / where can I add a default NAS-Port-ID acct attribute to freeradius, so that the attribute is only added on my specific huntgroup, and only if it is not already specified?

The VPN services make use of virtual ports (as indicated in the acct start packet), so I don't foresee any immediate problems by making all the ports per default 0 or something. The actual port number's not important to me here, what matters, is that rlm_ippool and radutmp work and record the logging information correctly.

Snippets from the logs...

huntgroups: Matched PPTP at 39
users: Matched DEFAULT at 5
modcall[authorize]: module files returns ok
...
Login OK: [EMAIL PROTECTED] (from client nasX port 0)
modcall: entering group post-auth
rlm_ippool: Could not find port information.
modcall[post-auth]: module pptp_pool returns noop
modcall: group post-auth returns noop
Sending Access-Accept of id 134 to 192.168.1.1:4113
...
rad_recv: Accounting-Request packet from host 192.168.1.1:4116, id=63, length=149
huntgroups: Matched PPTP at 39
acct_users: Matched DEFAULT at 28
modcall[preacct]: module files returns ok
modcall: group preacct returns ok
modcall: entering group accounting
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique ID MAY be inconsistent
...
radius_xlat: '[EMAIL PROTECTED]'
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
modcall[accounting]: module radutmp returns noop
...

my acct_users looks like:

DEFAULT Service-Type == Framed-User, Huntgroup-Name == PPTP
        NAS-Port == 0

huntgroups:

PPTP    NAS-IP-Address == 192.168.1.1, NAS-Port-Type = Virtual
        Framed-Protocol == PPP, Service-Type == Framed-User

users:

DEFAULT Service-Type == Framed-User, Huntgroup-Name == PPTP
        NAS-Port == 0, Fall-Through == Yes

Thanks,
--
me
RE: rlm_ippool feedback from CVS version
> Hi Paul, I can install a recent (cvs) version, but I'd like to know how to check

This is gonna take some time. I installed rlm_ippool only from cvs (the rest is still 0.9.0 release), but my server is crashing with it. I'll let you know when I have something interesting.

Chris
Re: rlm_ippool feedback from CVS version
Hi Paul,

I can install a recent (cvs) version, but I'd like to know how to check which ip-addresses are assigned according to the radius-server. On the NAS I can check that, just need to know how to compare these. Radius keeps these things in memory, doesn't it? Are there tools for tracking this?

Chris

On Wed, 2003-08-27 at 10:38, Paul Hampson wrote:
> I'm looking for feedback from people using a CVS snapshot more recent than Tue Jul 29 18:40:50 2003 UTC and using rlm_ippool. There's an intended bugfix for the problem of ippool entries disappearing on busy servers, but it's not been shown to be correct yet. The version of rlm_ippool.c with the bugfix is 1.23.
>
> The reason I ask is that the bugfix is fairly important for 0.9.1 but I don't want to pull code changes in like this one without knowing that they fix the bug. (I'm using the code myself, but my RADIUS server's not busy enough to trigger the bug repeatably.)
>
> Someone on this list had a test harness setup I think to fire massive piles of requests at a FreeRADIUS server, and had helped to identify this bug. I'd _love_ to hear from that person as to whether they can still do that test, and whether the CVS fix works so I can roll it into 0.9.1 assured that it's good.
>
> --
> Paul TBBle Hampson
> Bubblesworth Pty Ltd (ABN: 51 095 284 361)
> [EMAIL PROTECTED]
> This is a one line proof...if we start sufficiently far to the left. -- Cambridge University Math Department
> Random signature generator 3.0 by Paul TBBle Hampson
RE: rlm_ippool feedback from CVS version
Wauw, that's fun! I'll try if I can find any bugs...

Thanks,
Chris

On Wed, 2003-08-27 at 14:31, Paul Hampson wrote:
> > From: Chris van Meerendonk
> > Sent: Wednesday, 27 August 2003 7:12 PM
> >
> > I can install a recent (cvs) version, but I'd like to know how to check which ip-addresses are assigned according to the radius-server. On the NAS I can check that, just need to know how to compare these. Radius keeps these things in memory, doesn't it? Are there tools for tracking this?
>
> To check the IP pool records, you need ippooltool (available on the 'net, we'd integrate it into FreeRADIUS if the original author would reply to my emails...) You need to stop FreeRADIUS to look at the files. Otherwise they'll appear blank due to GDBM file locking.
>
> Basically, the problem is that under high load, IP addresses will disappear from the pool. It's not a problem with the NAS, it's purely internal to FreeRADIUS. Basically, the list output from ippooltool gets shorter, but it _should_ stay the same length. Eventually you find you've got half your maximum users, but no IPs to allocate.
Re: Freeradius and automatic signups
At 07:51 AM 8/26/2003 -0700, Andrew Staples wrote:
> Freeradius is working well for us, we use mySQL for the userbase, and dialup_admin for the front-end. My question is operational in nature; please lart me if this is way off-topic. I'm sure people have built web front-ends to let customers automatically sign up for services using freeradius, such as dialup. Since we are using sql for the users, it shouldn't be too hard, and we already have code for cc processing. We usually have the customers call us, and we manually enter them into radius. My question is, have any of you found any negatives to on-line, automatic sign up forms that I should be aware of, such as pump-and-dump spammers, drop-box spammers, charge-backs, etc? Any experiences you'd care to share?

All that you mention there. I would recommend strongly against allowing users to create accounts without presenting billing information and you running a successful charge against their card ( as you are then open to and *will* be used by pump-and-dump spammers ). The issue related to charge-backs is definitely off-topic for here, but is something you will negotiate between your company and the company that you use to process CC transactions.

As to automating a signup process, it works very well, users can get instant gratification, you have less overhead in account setups, etc.

-Chris
rlm_krb failing on start
I am having an issue with Freeradius not starting up correctly because of this error. I am using the latest CVS snapshot (20030825) on a RedHat 9 box and I do have the krb5 libs installed.

ERROR = radiusd.conf[496] Failed to link to module 'rlm_krb5': file not found

I am not having any problems during configure... below is the output from the rlm_krb5 section configuring in src/modules/rlm_krb5:

running /bin/sh ./configure --with-rlm-krb5-include-dir=/usr/kerberos/include --with-rlm-krb5-lib-dir=/usr/kerberos/lib --enable-ltdl-install --cache-file=../../.././config.cache --srcdir=.
loading cache ../../.././config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs ) works... yes
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking for krb5.h... yes
checking for krb5_encrypt_data in -lk5crypto... yes
checking for DH_new in -lcrypto... yes
checking for set_com_err_hook in -lcom_err... yes
checking for krb5_init_context in -lkrb5... yes
creating ./config.status
creating Makefile

I have built FR with krb5 support before and had no problems. I have researched and found that this may be a problem with linking the libraries. I have tried changing the ld.so.conf file and some other values but have had no luck. I am unsure on how to get a more detailed output on where exactly radiusd is failing and where it is trying to look for rlm_krb5.

Any and all help is greatly appreciated.

Chris Akens
Re: FreeRadius and Cygwin
At 02:53 PM 8/20/2003 -0700, A. Clausen wrote:
> Alright, I've done as much as I know how (darn little!), but it's failing at this point:
>
> rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
> gcc [snip] ../modules/rlm_unix/.libs/rlm_unix.a -L/usr/src/freeradius-0.9.0/src/lib -lcrypt -lpthread /usr/src/freeradius-0.9.0/src/lib/.libs/libradius.a .libs/libimp-cygltdl-3.a
> /usr/src/freeradius-0.9.0/src/lib/.libs/libradius.a(crypt.o)(.text+0x35): In function `lrad_crypt_check':
> /usr/src/freeradius-0.9.0/src/lib/crypt.c:44: undefined reference to `_crypt'
> collect2: ld returned 1 exit status
>
> I'm at a loss.

On my cygwin install, 'nm /usr/lib/libcrypt.a' does show a '_crypt' symbol. What does this show on your system?

-Chris
Re: FreeRadius and Cygwin
At 04:49 PM 8/19/2003 -0700, A. Clausen wrote:
> I'm sure you get this question quite a bit, but I was wondering if anyone had successfully compiled FreeRadius under Cygwin, and if so, what modifications were required. I've tried a couple of quick compiles, but so far have been unable to.

Yes, as far back as 0.2. The trick was to compile static modules ala:

        ./configure --disable-shared

And also disabling a few of the modules that try to use stuff that cygwin doesn't have. Try disabling shared modules, and then clean up the 'stable' module list to only list the modules you need/want.

-Chris
Re: MySQL Authentication Logging
On Mon, 2003-08-18 at 05:30, Adam Carmichael wrote:

Hi All!

I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4 for logging accounting and retrieving authentication information. I am interested in knowing how to log authentication attempts and even possibly why an attempt failed.

I'm using a simple script that reads radius.log and puts that in a MySQL table that can be accessed by our helpdesk by using a simple PHP interface to help people with their dial-in problems. Maybe you can do something with it.

Success,
Chris

The db struct of radproblems is:

mysql> describe radproblems;
+------------------+--------------+------+-----+---------------------+----------------+
| Field            | Type         | Null | Key | Default             | Extra          |
+------------------+--------------+------+-----+---------------------+----------------+
| RadProblemId     | bigint(21)   |      | PRI | NULL                | auto_increment |
| UserName         | varchar(255) |      | MUL |                     |                |
| Password         | varchar(255) |      |     |                     |                |
| AuthTime         | datetime     |      |     | 0000-00-00 00:00:00 |                |
| Realm            | varchar(64)  | YES  |     |                     |                |
| NASIPAddress     | varchar(15)  |      |     |                     |                |
| CalledStationId  | varchar(30)  |      |     |                     |                |
| CallingStationId | varchar(30)  |      | MUL |                     |                |
| TerminateCause   | varchar(64)  |      |     |                     |                |
+------------------+--------------+------+-----+---------------------+----------------+
9 rows in set (0.00 sec)

The import script:

$ cat /usr/local/bin/parse-radiuslog.sh
#!/bin/sh
# Input format:
# Mon Mar 10 11:07:06 2003 : Auth: Login incorrect (rlm_ldap: Bind as user failed): [user/password] (from client nas port 16578 cli 012345678)

INFILE=/var/log/freeradius/radius.log
TMPFILE=/var/log/freeradius/radius.tmp
ADDTOFILE=/var/log/freeradius/radius.parsed
SQLTMPFILE=/var/log/freeradius/radius.tmp.sql

# Remove leftovers of a previous run.
if [ -f "$TMPFILE" ]; then
    rm "$TMPFILE"
fi
if [ -f "$SQLTMPFILE" ]; then
    rm "$SQLTMPFILE"
fi

# Rotate the live log away; new entries go to a fresh radius.log.
mv "$INFILE" "$TMPFILE"

check=`grep 'Auth: Login incorrect' "$TMPFILE"`
if [ -z "$check" ]; then
    echo
else
    grep 'Auth: Login incorrect' "$TMPFILE" | while read LINE; do
        # P1: user name between '[' and '/'; quote characters become '#' so they
        # cannot break the SQL string literal below
        P1=`echo "${LINE}" | sed -e 's/^.*\[\([^/]*\).*$/\1/' -e "s/'/#/g" -e 's/"/#/g'`
        # P2: password between '/' and ']'
        P2=`echo "${LINE}" | sed -e 's/^.*\(\[.*\]\).*$/\1/' -e 's/^.*\/\(.*\)]$/\1/' -e "s/'/#/g" -e 's/"/#/g'`
        # P3: timestamp rewritten as YYYY-M-D HH:MM:SS for the datetime column
        P3=`echo "${LINE}" | awk '{print $5 "-" $2 "-" $3 " " $4}' | \
            sed -e 's/Jan/1/' -e 's/Feb/2/' -e 's/Mar/3/' -e 's/Apr/4/' \
                -e 's/May/5/' -e 's/Jun/6/' -e 's/Jul/7/' -e 's/Aug/8/' \
                -e 's/Sep/9/' -e 's/Oct/10/' -e 's/Nov/11/' -e 's/Dec/12/'`
        # P4: calling station id (the "cli" number), empty if absent
        P4=`echo "${LINE}" | grep ' cli ' | sed 's/^.*cli \([0-9]*\).*$/\1/'`
        # P5: rlm_ldap failure reason, empty if absent
        P5=`echo "${LINE}" | grep 'rlm_ldap:' | sed 's/^.*rlm_ldap: \([A-Za-z0-9 ]*\).*$/\1/'`
        echo "INSERT INTO radproblems VALUES ('','${P1}','${P2}','${P3}','','','','${P4}','${P5}');" | sed 's/\\//' >> "$SQLTMPFILE"
    done
    mysql -hyour.mysql.host -usqluser -ppassword database < "$SQLTMPFILE"
fi

# Keep the processed log around.
cat "$TMPFILE" >> "$ADDTOFILE"

For example, if we have a customer who thinks their dialup account is being exploited - they can change their password, and then see if any authentication requests are being made. (Actually, just thinking about it, the user would not need to change their password, they could just see the times at which their logons (or attempted logons) occur).

I have made some Google searches on the list already, and I saw a few posts in which Alan DeKok said that it is possible to do this - however the rest of the replies seemed to wander away from what I had hoped.

Thanks in advance
Adam

Adam Carmichael
Network Operations Manager
email: [EMAIL PROTECTED]
web: http://www.no1.com.au
icq: 2207644
#1 Computer Services, Empowerment Through Internet Communications.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
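As an added example that is not part of the list post, here is the same log-to-table import done with a real parser and parameterised inserts, against an in-memory SQLite copy of the radproblems table (the log lines are constructed, and SQLite stands in for MySQL so it runs offline). It keeps the schema but records only that a password was supplied, since a helpdesk-readable copy of the attempted password is a credential exposure.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample lines in the format documented at the top of the script.
SAMPLE_LOG = """\
Mon Mar 10 11:07:06 2003 : Auth: Login incorrect (rlm_ldap: Bind as user failed): [user/password] (from client nas port 16578 cli 012345678)
Tue Sep  2 08:15:30 2003 : Auth: Login incorrect: [o'brien/secret] (from client nas port 3)
Tue Sep  2 08:16:00 2003 : Auth: Login OK: [alice] (from client nas port 4)
"""

# One failed-login line: timestamp, optional module reason, [user/password], client info.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: Login incorrect"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^/\]]*)(?:/(?P<pw>[^\]]*))?\]"
    r"(?: \(from client \S+ port \d+(?: cli (?P<cli>\d+))?\))?"
)

def parse_auth_failure(line):
    """Return radproblems column values for one failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {
        "UserName": m.group("user"),
        # Do not store the attempted password itself, only that one was supplied.
        "Password": "[redacted]" if m.group("pw") else "",
        "AuthTime": ts.strftime("%Y-%m-%d %H:%M:%S"),  # MySQL DATETIME literal
        "CallingStationId": m.group("cli") or "",
        "TerminateCause": m.group("reason") or "",
    }

def new_db():
    """In-memory SQLite stand-in for the MySQL radproblems table (same columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radproblems (RadProblemId INTEGER PRIMARY KEY AUTOINCREMENT,"
                 " UserName TEXT, Password TEXT, AuthTime TEXT, Realm TEXT, NASIPAddress TEXT,"
                 " CalledStationId TEXT, CallingStationId TEXT, TerminateCause TEXT)")
    return conn

def load_failures(text, conn):
    """Insert every failed-login line of text; returns the number of rows inserted."""
    rows = [r for r in map(parse_auth_failure, text.splitlines()) if r]
    # Placeholders, not string interpolation: a user name such as o'brien (or one
    # containing quotes or semicolons) is data and never becomes part of the statement.
    conn.executemany("INSERT INTO radproblems (UserName, Password, AuthTime, Realm, NASIPAddress,"
                     " CalledStationId, CallingStationId, TerminateCause) VALUES (?,?,?,'','','',?,?)",
                     [(r["UserName"], r["Password"], r["AuthTime"], r["CallingStationId"], r["TerminateCause"]) for r in rows])
    conn.commit()
    return len(rows)
```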
Re: config dns server in users file
At 08:53 AM 8/18/2003, you wrote:

Hi all,

Any idea what the right syntax is for DNS server settings in the users file going through a Cisco NAS?

Hi Brian,

I'm not sure if there is a Cisco-AVPair, but you can use the 'non-standard' flag in your RADIUS server configuration lines in the NAS conf to allow the use of X-Ascend attributes. Once that's done, you use the X-Ascend-Client-Primary-DNS, X-Ascend-Client-Secondary-DNS, and X-Ascend-Client-Assign-DNS attributes to do what you want.

HTH,
Chris Brotsos

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: config dns server in users file
At 11:12 AM 8/18/2003, you wrote:

I receive the request via proxy so I am not responding directly. To make use of attribute 26 I have to write Vendor-Specific, otherwise I get a parse error:

Ascend-Client-Primary-DNS = x.x.x.x,
Ascend-Client-Secondary-DNS = x.x.x.x

These attributes are not in my dictionary. Any more help on this is much appreciated.

They are in dictionary.ascend

Chris Brotsos

-----Original Message-----
From: Brian Foster [mailto:[EMAIL PROTECTED]
Sent: 18 August 2003 15:04
To: '[EMAIL PROTECTED]'
Subject: RE: config dns server in users file

Thanks J, I'll try that and get back to you.

-----Original Message-----
From: jc [mailto:[EMAIL PROTECTED]
Sent: 18 August 2003 15:11
To: '[EMAIL PROTECTED]'
Subject: Re: config dns server in users file

On Mon, 18 Aug 2003, Brian Foster wrote:

Any idea what the right syntax is for DNS server settings in the users file going through a Cisco NAS?

Using a Cisco AS5300 for my dial infrastructure (using Cistron instead of FreeRADIUS (yes, shame on me)), using the default Ascend AV pairs, and it works fine:

Ascend-Client-Primary-DNS = x.x.x.x,
Ascend-Client-Secondary-DNS = x.x.x.x,

hth
j.

#include std-disclaimer.h
- 'save the trees, send an email'

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Segfault on group authorize
At 04:39 PM 8/14/2003 -0700, Ryan Castellucci wrote:

| Follow the steps described in 'doc/bugs', and post the results here. You
| also don't mention what version you are observing this. If it's not 0.9.0
| or the current CVS head, you'll need to upgrade to one of those first,
| as there have been sql fixes in those releases.

FreeRADIUS 0.9.0, RedHat 8.0, Oracle9i 9.0.1
Does NOT dump core on a crash (I enabled core dumps)

Right, so run it inside gdb, ala:

bob$ gdb radiusd
(gdb) set args -x -x
(gdb) run

then when it crashes:

(gdb) bt

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html