Re[6]: decode passwort by rlm_perl

2003-06-24 Thread magmike


> Michael Chernyakhovsky <[EMAIL PROTECTED]> wrote:
>> You can not to remember "YWJyYWNhZGFicmE=" for 10 seconds to decode
>> this later, but "abracadabra" can ;)
>> I understand, that it's no matter how to keep plain password - encoded
>> or not, but CASUAL OBSERVER can't remember encoded password while
>> looks on monitor.

>   So why the heck is a casual observer looking at the encrypted
> passwords?  What's wrong with your system?  Why doesn't it have proper
> security and file permissions?
system is good, permissions is right.

I work not in isolated room. It's POSSIBLE somebody can stay near me and
can see some of output on my monitor. I don't want to allow him
to see absolutely plain passwords. So, password encoding is just for
this.


Mike.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re[2]: decode passwort by rlm_perl

2003-06-24 Thread magmike
I agree, Alan. this is no difference when somebody have FULL access to files.
I just want to hide password from casual observer who can  see for a moment
this file. It's like qualcomm popper saves passwords in gdb-file.
passwords are just xor'ed there.

>> MS-CHAP and similar auth-methods require to know users plain passwords.
>> i want to keep passwords in file and load it by rlm_passwd. All works
>> good. but for more security i think keep it crypted.

>   Don't bother.  It doesn't make any difference.

>   How are you going to decrypt the passwords?  The key is going to
> have to go somewhere, and having a key plus encrypted passwords is no
> different than having plain-text passwords.

It's no matter - RC4 or elementary XOR.
Even 'QWxhbg' (base64 without '=' padding) looks less readable than 'Alan' ;)


Now i know how to load crypted password - i need use other attribute
for this. After decryption perl have to add User-Password attribute to
Check-Items. It works.

Thank you.
Mike





decode passwort by rlm_perl

2003-06-24 Thread magmike
Hi!

Two questions.


MS-CHAP and similar auth-methods require to know users plain passwords.
i want to keep passwords in file and load it by rlm_passwd. All works
good. but for more security i think keep it crypted.
module mschap wants to see decrypted (plain) password.

IMHO, this is good idea to decrypt password by rlm_perl. I can use any
method to encrypt-decrypt password. But.

when rlm_perl renews attributes values it use pairmove function, which
ignore all new values for User-Password and Crypt-Password.
there is no more suitable attributes in dictionary. I can create
individual attribute and use them, but it is not very good - i have
to  check dictionaries after each update.

How to decode Password more suitable?

second question.

Where to insert decoding code?
rlm_perl have both authorize and authenticate methods to handle
radius's calling.
IMHO authenticate is better place.


when i try to insert perl to authenticate section i can make it by 2
ways.

first :

authenticate {
 perl
 authtype MS-CHAP {
 mschap
 }
}
 
In this case perl is not executed.

when i try
authenticate {
 authtype MS-CHAP {
 perl
 mschap
 }
}

perl executed, but mschap ignored :(


Mike




perl. what is differs?

2003-06-23 Thread magmike
I try to use perl.


I am confused

in sub authorize i write for debuging something like

sub authorize
{

...
print_attrs(%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

deb_print ("walk on hash RAD_REQUEST");
for $k (keys %RAD_REQUEST) {
 deb_print ("$k = $RAD_REQUEST{$k} ");
}
return $retval;
}

deb_print is
sub deb_print {
print "radius.pl: ", @_,"\n";
}

i use arguments in print_attrs

sub print_attrs {
my(%REQUEST, %REPLY, %CHECK) = @_;

logging("RAD_REQUEST: ===");
for (keys %REQUEST) {
deb_print("$_ = $REQUEST{$_} ");
}
logging("RAD_REPLY: ===");
for (keys %REPLY) {
deb_print("$_ = $REPLY{$_} ");
}
logging("RAD_CHECK: ===");
for (keys %CHECK) {
deb_print("$_ = $CHECK{$_} ");
}

}


output is:

radius.pl: RAD_REQUEST: ===
radius.pl: Service-Type = Framed-User
radius.pl: Auth-Type = MS-CHAP
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: User-Password = mike
radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12
radius.pl: RAD_REPLY: ===
radius.pl: RAD_CHECK: ===

radius.pl: walk on hash RAD_REQUEST
radius.pl: Service-Type = Framed-User
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12

The output from print_attrs looks like there are no attributes in RAD_CHECK and both
User-Password and Auth-Type are in RAD_REQUEST, but in reality they are in RAD_CHECK.



when i not use arguments in print_attrs

sub print_attrs {
#my(%REQUEST, %REPLY, %CHECK) = @_;
.
}

then i have follow output

radius.pl: RAD_REQUEST: ===
radius.pl: Service-Type = Framed-User
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12
radius.pl: RAD_REPLY: ===
radius.pl: RAD_CHECK: ===
radius.pl: User-Password = mike
radius.pl: Auth-Type = MS-CHAP

radius.pl: walk on hash RAD_REQUEST
radius.pl: Service-Type = Framed-User
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12

Looks good - both User-Password and Auth-Type in RAD_CHECK in
print_attrs and in walk on hash.


what is the reason of such different behaviour?

Mike




offer about rad_malloc. (bugs in rlm_passwd)

2003-06-19 Thread magmike

Today i have tried to define why rlm_passwd make segmentation fault.
there are bug in allocation hash-table for pointers .
There no memset after allocations. so all pointers are garbage.

There are another unknown bugs in rlm_passwd. I don't know where.
Tomorrow i'll find it.

But today i offer to change rad_malloc.
Adding line
   memset(ptr, 0, size);

before
   return ptr;
in function rad_malloc() is good, IMHO.
It's make code more secure.

If no, say why.


Mike
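
The failure mode described in this message, as an added example that is not FreeRADIUS or rlm_passwd code: a table of chain-head pointers is only usable if empty slots are NULL. The allocators, the table type and all function names are hypothetical; alloc_dirty models malloc() returning recycled memory with a constructed 0xAA fill, and alloc_zeroed applies the memset proposed above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct entry {
    const char *key, *value;
    struct entry *next;
};

struct table {
    size_t nbuckets;
    struct entry **buckets;   /* array of chain heads; NULL means empty */
};

typedef void *(*alloc_fn)(size_t);

/* Models malloc() returning recycled heap memory. The 0xAA fill is a
 * constructed stand-in for leftover data so the run is reproducible. */
static void *alloc_dirty(size_t size)
{
    void *ptr = malloc(size);
    if (ptr != NULL)
        memset(ptr, 0xAA, size);
    return ptr;
}

/* Allocation followed by the memset proposed in the post. */
static void *alloc_zeroed(size_t size)
{
    void *ptr = malloc(size);
    if (ptr != NULL)
        memset(ptr, 0, size);
    return ptr;
}

static struct table *table_new(size_t nbuckets, alloc_fn alloc)
{
    struct table *t;

    if (nbuckets == 0 || nbuckets > (size_t)-1 / sizeof(struct entry *))
        return NULL;                      /* reject size overflow */
    t = malloc(sizeof *t);
    if (t == NULL)
        return NULL;
    t->nbuckets = nbuckets;
    t->buckets = alloc(nbuckets * sizeof *t->buckets);
    if (t->buckets == NULL) {
        free(t);
        return NULL;
    }
    return t;
}

/* Chain heads that look occupied; compares only, never dereferences. */
static size_t table_nonnull_buckets(const struct table *t)
{
    size_t i, n = 0;
    for (i = 0; i < t->nbuckets; i++)
        if (t->buckets[i] != NULL)
            n++;
    return n;
}

static size_t bucket_of(const struct table *t, const char *key)
{
    size_t h = 5381;
    while (*key != '\0')
        h = h * 33 + (unsigned char)*key++;
    return h % t->nbuckets;
}

/* Push onto the chain head. Only safe when empty buckets are NULL. */
static void table_insert(struct table *t, struct entry *e)
{
    size_t b = bucket_of(t, e->key);
    e->next = t->buckets[b];
    t->buckets[b] = e;
}

/* Walk the chain until NULL; a dirty table would send this loop
 * through a garbage pointer, which is the crash described above. */
static const char *table_lookup(const struct table *t, const char *key)
{
    const struct entry *e;
    for (e = t->buckets[bucket_of(t, key)]; e != NULL; e = e->next)
        if (strcmp(e->key, key) == 0)
            return e->value;
    return NULL;
}

static void table_free(struct table *t) { free(t->buckets); free(t); }

int main(void)
{
    struct entry e = { "mmike", "fast", NULL };   /* constructed sample */
    struct table *dirty = table_new(50, alloc_dirty);
    struct table *clean = table_new(50, alloc_zeroed);

    if (dirty == NULL || clean == NULL)
        return 1;
    printf("dirty table: %zu of 50 buckets look occupied\n",
           table_nonnull_buckets(dirty));
    printf("clean table: %zu of 50 buckets look occupied\n",
           table_nonnull_buckets(clean));
    table_insert(clean, &e);
    printf("lookup mmike -> %s\n", table_lookup(clean, "mmike"));
    table_free(dirty);
    table_free(clean);
    return 0;
}
```

The lookup and insert are run only on the zeroed table; on the dirty one every bucket already looks occupied before anything has been stored.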




Re[5]: rlm_perl cause fall out to core

2003-06-18 Thread magmike
Hi!

> On _2003-06-18 at 13:55, Michael Chernyakhovsky wrote:
>> Just now i try recompile my perl with USE_ITHREADS.
>> no results. radiusd fault after kill -HUP.
>> 

> Send output from radiusd -xxx or -X perl -V and gdb trace 

>> Mike.
I'm really sorry.  I was mistaken :(
perl looks good. troubles seem in rlm_passwd.
I have found out bug when i began to use rlm_perl.
in the same time appear first message about " rlm_perl cause fall out
to core"

Today i have very much experiences to define causes of segmentation faults.
I exclude all modules in reverse order i use it.

i was mistaken also because radiusd run with -X options does not
output any debug messages after kill -HUP :(. It looks like it hung.

And please forgive me again.





Re[2]: rlm_perl cause fall out to core

2003-06-18 Thread magmike
No results :(

it segmentation faults.

It seems my perl (slackware 9.0, perl 5.8.0)  is built without -Duseithreads flag
there are
/*#define   USE_ITHREADS/ **/

line in my /usr/lib/perl5/5.8.0/i386-linux/CORE/config.h


Also, as i noticed, perl_destruct and perl_free does not execute
anywhere. perl_destruct executed when USE_ITHREADS defined.
Although when i try to add perl_destruct/perl_free radius fault anyway
:(

Mike.

> On _ 2003-06-17 at 21:55, [EMAIL PROTECTED] wrote:
>> > Hi. I have a problem with rlm_perl on version 0.8.1 (under FreeBSD 5.1 Release).
>> > After starting radiusd with -xyz I've got segmentation fault.
>> > What I do wrong?
>> 
>> I confirm the problem.
>> 
>> My radiusd (latest snapshot) works fine until it got -HUP signal.
>> After kill -HUP it works until first request or next -HUP signal.
>> 

> Use rlm_perl from cvs or get a patch from
> http://redguy.orbitel.bg/~alien/

> version in 0.8.1 is unstable and probably broken. (That's why it is in
> testing section ) so don't use it. Instead of this grab the latest cvs
> and try it. 

>> without rlm_perl all looks stable.
>> 
>> linux 2.4.20-SMP, slackware 9.0.
>> perl, v5.8.0 built for i386-linux.
>> 
>> Mike.
>> 
>> 




Re: rlm_perl cause fall out to core

2003-06-17 Thread magmike
> Hi. I have a problem with rlm_perl on version 0.8.1 (under FreeBSD 5.1 Release).
> After starting radiusd with -xyz I've got segmentation fault.
> What I do wrong?

I confirm the problem.

My radiusd (latest snapshot) works fine until it got -HUP signal.
After kill -HUP it works until first request or next -HUP signal.

without rlm_perl all looks stable.

linux 2.4.20-SMP, slackware 9.0.
perl, v5.8.0 built for i386-linux.

Mike.




Re[2]: rlm_acct_unique possible bug

2003-06-17 Thread magmike
Hi!
> Really didn't notice that, happened couple of times, wonder why pppd
> sends 2 acct-starts and sometimes with different session IDs.
> Sorry to report this as it ain't a bug then, and thanks for the fast
> reply.

Yes, problem in pppd's radius plug-in.


Acct-Session-Id generated as
strncpy(rstate.session_id, rc_mksid(), sizeof(rstate.session_id));

in radius_acct_start() function.

rc_mksid defined in /pppd/plugins/radius/radiusclient/lib/util.c as

char *
rc_mksid (void)
{
  static char buf[14];
  sprintf (buf, "%08lX%04X", (unsigned long int) time (NULL), (unsigned int) getpid ());
  return buf;
}

i.e. when radius server don't answer to Acct-Start request pppd
repeat it and generate another request Acct-Start, i.e. execute
radius_acct_start() one more.

so, i think, it's right to move line

strncpy(rstate.session_id, rc_mksid(), sizeof(rstate.session_id));

from radius_acct_start() function to radius_init(), so rc_mksid()
will called once.


Mike.

> On Tue, 2003-06-17 at 14:54, Chris Parker wrote:
>> At 02:24 PM 6/17/2003 +0100, Manuel Sousa wrote:
>> >Hi, all
>> >
>> >I've been using freeradius and noticed that sometimes the
>> >Acct-Unique-Session-ID gave me different values for the same inputs.
>> >A partial output of radiusd -X is:
>> >
>> >rlm_acct_unique: Hashing 'Acct-Session-Id = "3EEF21621014",User-Name =
>> >"noc"'
>> >rlm_acct_unique: Acct-Unique-Session-ID = "889e46aba4217ad4".
>> >
>> >rlm_acct_unique: Hashing 'Acct-Session-Id = "3EEF21631014",User-Name =
>> >"noc"'
>> >rlm_acct_unique: Acct-Unique-Session-ID = "6836c775ae8a6c48".
>> >
>> >Wonder if anyone else experienced the same problem. I'm using
>> >freeradius-0.8.1.
>> 
>> Look closer at the Acct-Session-Id, particularly the 8th position.  Your
>> first line has a '2', your second line has a '3'.  They are not the same,
>> hence the hash result is not the same.
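
The effect discussed in this message, as an added example that is not part of the original post or of pppd's source: the ID is built from the current second and the PID, so a retried Acct-Start that regenerates it gets a new Acct-Session-Id, while an ID fixed at init stays stable. mksid_at(), struct session and the acct_start_* functions are hypothetical stand-ins; the time and PID values are taken from the two Acct-Session-Id strings in the quoted debug output.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SID_LEN 13   /* 8 hex digits of time + 4 hex digits of PID + NUL */

/* Same "%08lX%04X" layout as the quoted rc_mksid(), but with time and PID
 * passed in (hypothetical helper) and a bounded write. The masks keep the
 * two fields at their fixed widths. */
static const char *mksid_at(time_t now, unsigned int pid, char out[SID_LEN])
{
    snprintf(out, SID_LEN, "%08lX%04X",
             (unsigned long)now & 0xFFFFFFFFUL, pid & 0xFFFFU);
    return out;
}

struct session {
    char id[SID_LEN];    /* Acct-Session-Id for this PPP session */
    unsigned int pid;
};

/* Proposed placement: the ID is generated once, when the session starts. */
static void session_init(struct session *s, time_t now, unsigned int pid)
{
    s->pid = pid;
    mksid_at(now, pid, s->id);
}

/* Behaviour described in the post: every Acct-Start attempt makes a new ID. */
static const char *acct_start_regen(struct session *s, time_t now)
{
    return mksid_at(now, s->pid, s->id);
}

/* Behaviour after the proposed move: attempts reuse the ID from init. */
static const char *acct_start_fixed(const struct session *s, time_t now)
{
    (void)now;
    return s->id;
}

/* How many different IDs the server sees when Acct-Start is sent
 * `attempts` times, one second apart, starting at t0. */
static int distinct_ids(int fixed, time_t t0, unsigned int pid, int attempts)
{
    struct session s;
    char prev[SID_LEN] = "";
    int i, distinct = 0;

    session_init(&s, t0, pid);
    for (i = 0; i < attempts; i++) {
        const char *id = fixed ? acct_start_fixed(&s, t0 + i)
                               : acct_start_regen(&s, t0 + i);
        if (strcmp(id, prev) != 0) {
            distinct++;
            snprintf(prev, sizeof prev, "%s", id);
        }
    }
    return distinct;
}

int main(void)
{
    char a[SID_LEN], b[SID_LEN];
    time_t t0 = (time_t)0x3EEF2162;   /* from "3EEF21621014" in the log */
    unsigned int pid = 0x1014;

    printf("first send : %s\n", mksid_at(t0, pid, a));
    printf("retry +1s  : %s\n", mksid_at(t0 + 1, pid, b));
    printf("IDs seen, regenerated per attempt: %d\n",
           distinct_ids(0, t0, pid, 2));
    printf("IDs seen, generated once at init : %d\n",
           distinct_ids(1, t0, pid, 2));
    return 0;
}
```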





move AVP from config list to packet list. HOW?

2003-05-31 Thread magmike
Hi!

as i understand rlm_files module don't use any avp from config list
to check items while parse users-file. It's so?

imagine, some module insert certain avp to config-list.
i want to check this avp against some value in my users-file.
but i can't :(
So I need to move this attribute-value-pair from config attributes list
to packet list before rlm_files module.

how can i do this?


Mike.





Re[3]: rlm_passwd

2002-09-29 Thread magmike



 Friday, September 27, 2002, 9:26:16 PM Alan wrote:
 
>   You shouldn't use Group-Name, as that attribute is already used for
> Unix groups.  Over-loading it with two different meanings will make it
> NOT work.

>   Pick another name: My-Group, or something like that.  If necessary,
> add that attribute to the dictionary.

It does not work anyway :(

passwd raddb_group {
filename = /etc/raddb/group
format = "My-Group:::*,User-Name"
hashsize = 50
ignorenislike = yes
allowmultiplekeys = no
}


my users:
--
10:DEFAULT My-Group == "slow", Pool-Name := "ippool-1-slow"
11: Fall-Through = 1
12:
13:DEFAULT My-Group  == "fast", Pool-Name := "ippool-1-fast"
14: Fall-Through = 1
15:
...
28:
29:DEFAULT   Service-Type == Framed-User
30: Framed-MTU = 1500,
31: Exec-Program-Wait = "/etc/raddb/scripts/radauth",
32: Service-Type = Framed-User

---

radiusd -xx output is:

.
rlm_passwd: Added My-Group: fast
  modcall[authorize]: module "raddb_group" returns ok
  modcall[authorize]: module "mschap" returns ok
users: Matched DEFAULT at 29
  modcall[authorize]: module "files" returns ok
.

My-Group set to fast.
i guess match have to be at 13 and 29, but matched at 29 only :(

What's wrong?


Mike.





Re[2]: rlm_passwd

2002-09-27 Thread magmike



>   You shouldn't use Group-Name, as that attribute is already used for
> Unix groups.  Over-loading it with two different meanings will make it
> NOT work.

>   Pick another name: My-Group, or something like that.  If necessary,
> add that attribute to the dictionary.

Thank you!


Mike.






rlm_passwd

2002-09-27 Thread magmike

in doc/rlm_passwd we read:

 If the request contains a User-Name attribute with value 'vlad', and
 the passwd file (/etc/group) contains following record:
 wheel:*:0:root,vlad,test Group-Name attribute will be added to
 configuration items list with value of "wheel".

where  and how I can use configuration items in users file?

i try something like:

radiusd.conf:

--
passwd raddb_group {
  filename = /etc/raddb/group
  format = "Group-Name:::*,User-Name"
  hashsize = 50
  ignorenislike = yes
  allowmultiplekeys = no
}

authorize {
...
  raddb_group
...
}
--


users:
--
1: DEFAULT  Group-Name == "slow" Pool-Name := "slowpool"
2:   Fall-Through = 1
3:
4: DEFAULT  Service-Type == Framed-User
5:Framed-MTU = 1500,
6:Exec-Program-Wait = "/etc/raddb/scripts/radauth",
7:Service-Type = Framed-User
--

but

rlm_passwd: Added Group: fast
  modcall[authorize]: module "raddb_group" returns ok
...
users: Matched DEFAULT at 4
  modcall[authorize]: module "files" returns ok


so configuration item is not checked in users.
How i can use such items for check?

Mike





users lookup and another question

2002-09-27 Thread magmike

Hi!

My users authenticated  with mschap module.
All users separated on 2 groups: "fast", and "slow".
They all can dial to one of many NAS.
Framed-IP-Address depend on NAS-IP-Address and user group.
I plan to user ippool module for Framed-IP-Address assigning.

So I need in general "NAS-quantity" X "group-quantity" pools.

My question is How radius can assign ippool?

I try to make this via users-file as shown below.

there is my /etc/raddb/users:

1: user0  User-Category := "fast"
2:   Fall-Through = 1
3:
4: user1   User-Category := "fast"
5:Fall-Through = 1
6:
7: user2  User-Category := "slow"
8:Fall-Through = 1
9:
10:DEFAULT User-Category == "slow", Pool-Name := "ippool-1-slow"
11: Fall-Through = 1
12:
13:DEFAULT User-Category == "fast", Pool-Name := "ippool-1-fast"
14: Fall-Through = 1
15:
16:DEFAULT   Service-Type == Framed-User
17: Framed-MTU = 1500,
18: Service-Type = Framed-User
  

debug output is:

Thread 1 handling request 0, (1 handled so far)
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "user1"
MS-CHAP-Challenge = 
MS-CHAP2-Response = ..
NAS-IP-Address = 192.168.0.5
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_passwd: Added User-Password: password-of-user1
rlm_passwd: Added Group-Name: fast
rlm_passwd: Adding Auth-Type: MS-CHAP
  modcall[authorize]: module "raddb_userlist" returns ok
  modcall[authorize]: module "mschap" returns ok
users: Matched user1 at 4
users: Matched DEFAULT at 16

I think there have to be match at 13 line. But it isn't so. Why?

How slow will work such check with 500 users in /etc/raddb/users file?
Each user will described by 2 lines like:
 user0  User-Category := "fast"
   Fall-Through = 1


My other way was to create group-like file with format
groupname:::username
module rlm_unix can set Group attribute in appropriate value.
but it does not called in authenticate section because auth-type is
MS-CHAP after mschap module call in authorize section.
Can i force calling rlm_unix module in authenticate section when
Auth-Type == "MS-CHAP" ?


Thanks in advance!

Mike.





Re[2]: ippool bug or config problem?

2002-09-24 Thread magmike



Tuesday, September 24, 2002, 7:29:03 PM, [EMAIL PROTECTED] wrote:

> On Tue, 24 Sep 2002 [EMAIL PROTECTED] wrote:

>>
>> ippool assign the same ip address for two different users.
>> May be my config is broken?
>> When i use large pool (1-254), i have the same bug after restarting
>> radiusd.
>> - Now I try send auth packet with radclient (user mmike):
>>
>> Thread 1 handling request 0, (1 handled so far)
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> User-Name = "mmike"
>> MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
>> MS-CHAP2-Response = 
>0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
>> NAS-IP-Address = 192.168.0.5
>> NAS-Port = 0

> All Access-Requests contain the same NAS/Port pair. rlm_ippool will consider the
> corresponding ip allocated stale and will free it. As a result it will get
> reallocated to another user.

With large pool (1-254) ippool returns different ip for the same
requests.

(old db-files removed)
Auth-request:
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "mmike"
MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
MS-CHAP2-Response = 
0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
NAS-IP-Address = 192.168.0.5
NAS-Port = 0


# radiusd -xx | grep ippool

 ippool: session-db = "/etc/raddb/pools/db.pool-1-fast"
 ippool: ip-index = "/etc/raddb/pools/db.pool-1-fast.idx"
 ippool: range-start = 192.168.5.1 IP address [192.168.5.1]
 ippool: range-stop = 192.168.5.254 IP address [192.168.5.254]
 ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
 ippool: cache-size = 800
rlm_ippool: Initializing database
Module: Instantiated ippool (ippool-1-fast)

REQUEST #1
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.55 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module "ippool-1-fast" returns ok

REQUEST #2
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.55/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.217 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module "ippool-1-fast" returns ok

REQUEST #3
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.217/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.92 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module "ippool-1-fast" returns ok

REQUEST #4
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.92/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.233 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module "ippool-1-fast" returns ok






ippool bug or config problem?

2002-09-24 Thread magmike


ippool assign the same ip address for two different users.
May be my config is broken?
When i use large pool (1-254), i have the same bug after restarting
radiusd.


- radiusd.conf
modules {

ippool ippool-1-fast {
range-start = 192.168.5.1
range-stop = 192.168.5.6
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/pools/db.pool-1-fast
ip-index = ${raddbdir}/pools/db.pool-1-fast.idx
}
}

accounting {
detail
unix
radutmp
ippool-1-fast
}

post-auth {
ippool-1-fast
}
- end of radiusd.conf

- users
DEFAULT  NAS-IP-Address == "192.168.0.5",  Service-Type == Framed-User,  Pool-Name := "ippool-1-fast"
Framed-MTU = 1500,
Service-Type = Framed-User,
Fall-Through = 1
- end of users

Now run radiusd:

root@vpn:/etc/raddb# radiusd -xx
Starting - reading configuration files ...
...
Module: Loaded IPPOOL
 ippool: session-db = "/etc/raddb/pools/db.pool-1-fast"
 ippool: ip-index = "/etc/raddb/pools/db.pool-1-fast.idx"
 ippool: range-start = 192.168.5.1 IP address [192.168.5.1]
 ippool: range-stop = 192.168.5.6 IP address [192.168.5.6]
 ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
 ippool: cache-size = 800
rlm_ippool: Initializing database
Module: Instantiated ippool (ippool-1-fast)
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5

Ready to process requests.
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.0.5:1026, id=70, length=133
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do.  Sleeping until we see a request.

- Now I try send auth packet with radclient (user mmike):

Thread 1 handling request 0, (1 handled so far)
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "mmike"
MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
MS-CHAP2-Response = 
0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
NAS-IP-Address = 192.168.0.5
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_passwd: Added User-Password: mike
rlm_passwd: Added Group: fast
rlm_passwd: Adding Auth-Type: MS-CHAP
  modcall[authorize]: module "raddb_userlist" returns ok
  modcall[authorize]: module "mschap" returns ok
rlm_realm: No '@' in User-Name = "mmike", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 201
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok
modcall: group authenticate returns ok
Login OK: [mmike] (from client 192.168.0.5 port 0)
modcall: entering group post-auth
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.3 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module "ippool-1-fast" returns ok
modcall: group post-auth returns ok
Sending Access-Accept of id 70 to 192.168.0.5:1026
Framed-MTU = 1500
Service-Type = Framed-User
MS-CHAP2-Success = 0x01533d453742313241354342463337383533443044383236383
73933463331363332363844463839414236
MS-MPPE-Recv-Key = 0xe3464568c260d4f054599eac8c270f89762624d03837024c13e
53c392029a3ca21c2
MS-MPPE-Send-Key = 0xe345be695620746dcc14948143420d08d333dd86889a5a66f9a
1e084b1c5a4b6d723
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Framed-IP-Address = 192.168.5.3

 OK ip assigned 192.168.5.3
 Now I try to connect with pppd+radiusclient (user mmmike)

Nothing to do.  Sleeping until we see a request.
Thread 1 handling request 5, (2 handled so far)
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "mmmike"
MS-CHAP-Challenge = 0x35a4ce64ebf19fc25af6921225399273
MS-CHAP2-Response = 0x010068295ca3c0f2c063e229225a129b53df00
00405f88f247c0d22d083286a7123eb6cc61415f5401ad09fc
NAS-IP-Address = 192.168.0.5
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_passwd: Added User-Password: mike
rlm_passwd: Added Group: fast
rlm_passwd: Adding Auth-Type: MS-CHAP
  modcall[authorize]: modu

Re[3]: Group reject. Group* attribute bug in users file?

2002-09-20 Thread magmike

> Dear [EMAIL PROTECTED],

> Group-Name == "slow"

> checks  for  Group-Name  attribute  in  check  list  (that  is  list  of
> attributes received in RADIUS request).

> format = "*User-Name:User-Password:Group-Name"

> adds  Group-Name  attribute to config items list. So there will never be
> Group-Name  in  check  list.  Changing  Group-Name to Group will give no
> result.

Can I move attribute from config items list to check list?
Or how i can check config attribute?

> I can change rlm_passwd to be able to add something to reply attributes
> list.  In  this  case  you  will  be able to directly add Pool-Name from
> passwd file to RADIUS reply.

No. this is bad idea to add Pool-Name to Reply.
Imagine, I have 2 NASes with 2 ip-pool for each
(ippool-1-fast, ippool-1-slow for 1st NAS and ippool-2-fast, ippool-2-slow for 2nd NAS).
So we have 4 different ip-pools.
User can connect to any of NASes.
rlm_passwd returns slow or fast for the user.
If user from slow group connected to NAS#1, Pool-Name have to
changed to ippool-1-slow. If user connected to NAS#1, then
Pool-Name := ippool-2-slow.

Can you explain me how I can make such choice?




mmr>> I have similar problem. I try group-based authenticate.

mmr>> in radius.conf:

mmr>> passwd raddb_userlist {
mmr>>   filename = /etc/raddb/userlist
mmr>>   format = "*User-Name:User-Password:Group-Name"
mmr>>   authtype = MS-CHAP
mmr>>   hashsize = 1000
mmr>>   ignorenislike = no
mmr>>   allowmultiplekeys = no
mmr>> }

mmr>> in /etc/raddb/userlist:

mmr>> mmike:mike:fast

mmr>> users file (with line numbers):

mmr>> 185:DEFAULT Group-Name == "slow", Pool-Name := "ippool-1-slow"
mmr>> 186:Fall-Through = Yes
mmr>> 187:
mmr>> 188:DEFAULT Group-Name == "fast", Pool-Name := "ippool-1-fast"
mmr>> 189:Fall-Through = Yes
mmr>> 190:
mmr>> 191:DEFAULT Service-Type == Framed-User
mmr>> 192:Framed-MTU = 1500,
mmr>> 193:Service-Type = Framed-User,
mmr>> 194:Fall-Through = Yes


mmr>> now i run radiusd:
mmr>> # radiusd -xx

mmr>> ...
mmr>> modcall: entering group authorize
mmr>>   modcall[authorize]: module "preprocess" returns ok
mmr>> rlm_passwd: Added User-Password: mike
mmr>> rlm_passwd: Added Group-Name: fast  < Group-Name attribute added with value "fast"
mmr>> rlm_passwd: Adding Auth-Type: MS-CHAP
mmr>> 
mmr>> users: Matched DEFAULT at 191
mmr>>   modcall[authorize]: module "files" returns ok
mmr>> ...

mmr>> MATCH found at line 191 only. Hm.. what about line 188?!!!

mmr>> I try use "Group" attr instead "Group-Name". Result is the same.

mmr>> Its like a bug?


>>> I have install freeradius 0.7.1 on slackware 8.0 with shadow password
>>> Installation was ok and basic functions are working.
>>> I have experience problems wen i try to deny access to one of the groups
>>> on the radius server
>>> Following instruction did not help.
>>> I try :
>>> DEFAULT Group == "users" , Auth-Type :=Reject
>>> DEFAULT Group == users , Auth-Type :=Reject
>>> DEFAULT Group == "users" , Auth-Type =Reject
>>> DEFAULT Group == users , Auth-Type =Reject
>>> And more before:
>>> DEFAULT  Auth-Type := System
>>> but nothing work.
>>> User marcin , group users was always able to authenticate.
>>> This is a debug of the auth process:
>>> 
>>> rad_recv: Access-Request packet from host 216.168.1.38:4751, id=131,
>>> length=81
>>> NAS-IP-Address = 216.168.1.38
>>> Calling-Station-Id = "204.251.93.250"
>>> User-Name = "marcin?X0040;hostplus.net"
>>> User-Password = "\274\252\2162\275\rS+\305F.\240\007Ia"
>>> modcall: entering group authorize
>>>   modcall[authorize]: module "preprocess" returns ok
>>> rlm_realm: Looking up realm hostplus.net for User-Name =
>>> "marcin?X0040;hostplus.net"
>>> rlm_realm: Found realm hostplus.net
>>> rlm_realm: Adding Stripped-User-Name = "marcin"
>>>   rlm_realm: Proxying request from user marcin to realm hostplus.net
>>> rlm_realm: Adding Realm = "hostplus.net"
>>> rlm_realm:  Authentication realm is LOCAL.
>>> rlm_realm:  auth_port is not set.  proxy cancelled
>>>   modcall[authorize]: module "suffix" returns noop
>>> users: Matched DEFAULT at 6
>>>   modcall[authorize]: module "files" returns ok
>>> modcall: group authorize returns ok
>>>   rad_check_password:  Found Auth-Type System
>>> auth: type "System"
>>> modcall: entering group authenticate
>>>   modcall[authenticate]: module "unix" returns ok
>>> modcall: group authenticate returns ok
>>> Login OK: [marcin?X0040;hostplus.net] (from client supernews port 0 cli
>>> 204.251.93.250)
>>> Sending Access-Accept of id 131 to 216.168.1.38:4751
>>> Finished request 4
>>> Going to the next request
>>> 
>>> And one more thing.
>>> Will i be able to limit access based on
>>> Called-Station-id ?
>>> If so what would be a process to set this up?
>>> 
>>> 
>>> 





Re: Group reject. Group* attribute bug in users file?

2002-09-20 Thread magmike


I have similar problem. I try group-based authenticate.

in radius.conf:

passwd raddb_userlist {
  filename = /etc/raddb/userlist
  format = "*User-Name:User-Password:Group-Name"
  authtype = MS-CHAP
  hashsize = 1000
  ignorenislike = no
  allowmultiplekeys = no
}

in /etc/raddb/userlist:

mmike:mike:fast

users file (with line numbers):

185:DEFAULT Group-Name == "slow", Pool-Name := "ippool-1-slow"
186:Fall-Through = Yes
187:
188:DEFAULT Group-Name == "fast", Pool-Name := "ippool-1-fast"
189:Fall-Through = Yes
190:
191:DEFAULT Service-Type == Framed-User
192:Framed-MTU = 1500,
193:Service-Type = Framed-User,
194:Fall-Through = Yes


now i run radiusd:
# radiusd -xx

...
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_passwd: Added User-Password: mike
rlm_passwd: Added Group-Name: fast  < Group-Name attribute added with value "fast"
rlm_passwd: Adding Auth-Type: MS-CHAP

users: Matched DEFAULT at 191
  modcall[authorize]: module "files" returns ok
...

MATCH found at line 191 only. Hm.. what about line 188?!!!

I try use "Group" attr instead "Group-Name". Result is the same.

Its like a bug?


> I have install freeradius 0.7.1 on slackware 8.0 with shadow password
> Installation was ok and basic functions are working.
> I have experience problems wen i try to deny access to one of the groups
> on the radius server
> Following instruction did not help.
> I try :
> DEFAULT Group == "users" , Auth-Type :=Reject
> DEFAULT Group == users , Auth-Type :=Reject
> DEFAULT Group == "users" , Auth-Type =Reject
> DEFAULT Group == users , Auth-Type =Reject
> And more before:
> DEFAULT  Auth-Type := System
> but nothing work.
> User marcin , group users was always able to authenticate.
> This is a debug of the auth process:
> 
> rad_recv: Access-Request packet from host 216.168.1.38:4751, id=131,
> length=81
> NAS-IP-Address = 216.168.1.38
> Calling-Station-Id = "204.251.93.250"
> User-Name = "marcin?X0040;hostplus.net"
> User-Password = "\274\252\2162\275\rS+\305F.\240\007Ia"
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_realm: Looking up realm hostplus.net for User-Name =
> "marcin?X0040;hostplus.net"
> rlm_realm: Found realm hostplus.net
> rlm_realm: Adding Stripped-User-Name = "marcin"
>   rlm_realm: Proxying request from user marcin to realm hostplus.net
> rlm_realm: Adding Realm = "hostplus.net"
> rlm_realm:  Authentication realm is LOCAL.
> rlm_realm:  auth_port is not set.  proxy cancelled
>   modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 6
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
>   modcall[authenticate]: module "unix" returns ok
> modcall: group authenticate returns ok
> Login OK: [marcin?X0040;hostplus.net] (from client supernews port 0 cli
> 204.251.93.250)
> Sending Access-Accept of id 131 to 216.168.1.38:4751
> Finished request 4
> Going to the next request
> 
> And one more thing.
> Will i be able to limit access based on
> Called-Station-id ?
> If so what would be a process to set this up?
> 
> 
> 





Set for request attribute in Exec-Program-Wait

2002-09-20 Thread magmike

How do I set a request attribute in Exec-Program-Wait?

For example, I can set poolname like:

DEFAULT Service-Type == Framed-User, Pool-Name := "ippool-1"


I need to set Pool-Name in an external script, called via
Exec-Program-Wait, for use in rlm_ippool.
But I can't: Exec-Program-Wait sets the value-pair Pool-Name to "ippool-1"
and rlm_ippool says "Could not find Pool-Name attribute".

# radiusd -xx

Exec-Program: /etc/raddb/scripts/radauth
Exec-Program-Wait: value-pairs: Pool-Name = "ippool-1"
Exec-Program: returned: 0
Login OK: [testuser] (from client 192.168.0.5 port 0)
modcall: entering group post-auth
rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module "ippool-1" returns noop
..


I tried using ":=" instead of "=". The result is the same.

Can I modify a request attribute from an Exec-Program-Wait script?





Re[2]: Segmentation fault in rlm_passwd

2002-07-15 Thread magmike


> --Monday, July 15, 2002, 1:19:53 PM, you wrote to [EMAIL PROTECTED]:

mmr>> m_mschap-0.6.so: undefined symbol: md4_calc

> There was a problem with dynamic library building. This problem will be
> fixed in upcoming 0.6.1 and should be fixed in latest CVS snapshot.

mmr>> Program received signal SIGSEGV, Segmentation fault.
mmr>> [Switching to Thread 1024 (LWP 12673)]
mmr>> 0x401cb79b in passwd_authorize (instance=0x80bb5f0, request=0x80bd910)
mmr>> at rlm_passwd.c:425
mmr>> 425 for (key = request->packet->vps;

> it looks strange (there is nothing changed since release and nothing on
> rlm_passwd.c:425 to cause the segfault). Try to completely remake and
> reinstall all modules, may be you still having rlm_passwd binary
> compiled from 0.6 release version, it should be recompiled.

Yeaaa! It works. Thanks. Thank you! ;)
But I found rlm_passwd was not compiled by the general make.
I had to cd to src/modules/rlm_passwd and run 'make; make install'
to compile and install rlm_passwd.so. Some bugs in the Makefiles?





Segmentation fault in rlm_passwd

2002-07-15 Thread magmike

Hello!

The problem is a segmentation fault in rlm_passwd.
I am trying to authorize a pptp user via the simplest local file /etc/raddb/userlist
with format = "*User-Name:User-Password"



= radiusd.conf fragment =

modules {
...
mschap {
authtype = MS-CHAP


use_mppe = yes
require_encryption = yes
require_strong = yes
}
passwd raddb_userlist {
  filename = /etc/raddb/userlist
  format = "*User-Name:User-Password"
  authtype = MS-CHAP
  hashsize = 100
  ignorenislike = no
  allowmultiplekeys = no
}

} # end of modules


authorize {
preprocess

suffix
files
raddb_userlist
mschap
}


= users file (very simple, for debug purposes) =

DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes


With the latest freeradius snapshot (Mon Jul 15 08:29:11 2002) I get a
segmentation fault.
The 0.6 release exits with "undefined symbol: md4_calc:" (see below)

==
root@vpn:/etc/raddb# gdb radiusd
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) set args -XX
(gdb) run
Starting program: /usr/local/sbin/radiusd -XX
[New Thread 1024 (LWP 12673)]
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded MS-CHAP
 mschap: ignore_password = no
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded passwd
 passwd: filename = "/etc/raddb/userlist"
 passwd: format = "*User-Name:User-Password"
 passwd: authtype = "MS-CHAP"
 passwd: ignorenislike = no
 passwd: allowmultiplekeys = no
 passwd: hashsize = 100
rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no
Module: Instantiated passwd (raddb_userlist)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.5:1025, id=134, length=133
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "mmike"
MS-CHAP-Challenge = 0x7983c03e2529

gethostbyname_r compiling problem

2002-03-05 Thread magmike

Hi!

I can't compile the latest snapshot; I get these errors:

misc.c:57: too few arguments to function `gethostbyaddr_r'
misc.c:90: too few arguments to function `gethostbyname_r'

in src/lib/misc.c:57

hp = gethostbyname_r(host, &result, buffer, sizeof(buffer), &error);

gethostbyname_r has 5 arguments.

in /usr/include/netdb.h:

extern int gethostbyname_r (__const char *__restrict __name,
struct hostent *__restrict __result_buf,
char *__restrict __buf, size_t __buflen,
struct hostent **__restrict __result,
int *__restrict __h_errnop) __THROW;
6 args.

Slackware-8.0   glibc-2.2.3

What's wrong?






Re: Exec-Program-Wait Responce

2001-11-20 Thread magmike

Hello again!


My question is not about useful features, but about a bug in the program.

again:
in doc/README we see:
 --
  For backwards compatibility, if the output doesn't look like valid
   radius A/V pairs, the output is taken as a message and added to the
   reply sent to the NAS as Port-Message.
 --

It does not work :(

Sincerely, Mike.






Exec-Program-Wait Responce

2001-11-20 Thread magmike

Hello!

Today I updated my radiusd (01/09/18) to the latest snapshot.

It's a good feature to use Exec-Program-Wait output as an additional AV-pair or as
a Reply-Message. The AV-pair is transmitted OK.
The Reply-Message is not.

in doc/README:
--
 For backwards compatibility, if the output doesn't look like valid
  radius A/V pairs, the output is taken as a message and added to the
  reply sent to the NAS as Port-Message.
--


What happens in practice:
--
Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x:1749, id=248, length=162
User-Name = "mmike"
Password = "\0240\242\351>\320i\034\027\257\315\035}\233\274\257"
NAS-IP-Address = x.x.x.x
NAS-Port = 20109
NAS-Port-Type = Async
Service-Type = Login-User
Calling-Station-Id = ""
Ascend-Calling-Id-Type-Of-Num = Unknown
Ascend-Calling-Id-Number-Plan = ISDN-Telephony
Ascend-Calling-Id-Presentatn = Allowed
Ascend-Calling-Id-Screening = User-Not-Screened
Acct-Session-Id = "367234457"
Ascend-Data-Rate = 33600
Ascend-Xmit-Rate = 31200
Exec-Program: /etc/ppp/radauth
Exec-Program-Wait: value-pairs: Limit exceeded
Exec-Program: returned: 1
Login incorrect (external check failed): [mmike] (from nas local port 20109 cli
)
Sending Access-Reject of id 248 to x.x.x.x:1749
Reply-Message = "\r\nAccess denied (external check failed)."
--

i.e.
Exec-Program: /etc/ppp/radauth
Exec-Program-Wait: value-pairs: Limit exceeded   <-- my NAS should have received this string as Reply-Message
Exec-Program: returned: 1

but it got
Reply-Message = "\r\nAccess denied (external check failed)."
instead

The bug is near userparse().
old  (v0.2) code:
---
...
do {
        previous_token = last_token;
        if ((vp = pairread(&p, &last_token)) == NULL) {
                return -1;
        }
        pairadd(first_pair, vp);
...
---


new one:
---
...
do {
        previous_token = last_token;
        if ((vp = pairread(&p, &last_token)) == NULL) {
                return T_INVALID;
        }
        pairadd(first_pair, vp);
} while (*p && (last_token == T_COMMA));
...
---

The difference is: 'return -1;' and 'return T_INVALID;'
T_INVALID is declared as 'T_INVALID = 0,' in src/include/token.h


in radius_exec_program() fragment

vp = NULL;
n = userparse(answer, &vp);
if (vp)
        pairfree(&vp);

if (n < 0) {
        radlog(L_DBG, "Exec-Program-Wait: plaintext: %s", answer);
-

'(n < 0)' is always FALSE.


I think LRAD_TOKEN must be extended with a "-1" value.
I tried to change 'if (n < 0) {' in radius_exec_program()
to 'if (n == T_INVALID)'. "AVP"-like responses become "Reply-Message".
:(

I tried to change 'return T_INVALID;' to 'return -1' in 'userparse()' -
that does not work well either (possibly a type mismatch).
 

Mike.
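
Added example (not part of the original post and not FreeRADIUS code): a simplified C model of the mismatch described in the message above, where the parser's failure value changed from -1 to an enum value of 0 while the caller still tests n < 0. parse_pairs(), parse_pairs_status() and every token value other than T_INVALID = 0 are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not FreeRADIUS source: only T_INVALID = 0 is taken
 * from the post; the other token values are assumptions. */
typedef enum { T_INVALID = 0, T_EOL, T_COMMA } token_t;

/* Hypothetical stand-in for userparse(): accepts "Name = value" text and
 * returns the last token read, or T_INVALID when the text is not an
 * A/V pair. */
static token_t parse_pairs(const char *answer)
{
    const char *eq = strchr(answer, '=');
    if (eq == NULL || eq == answer || eq[1] == '\0')
        return T_INVALID;
    return T_EOL;
}

/* Caller check as quoted in the post, written for a parser that
 * returned -1 on failure. */
int is_plaintext_old_check(const char *answer)
{
    int n = parse_pairs(answer);
    return n < 0;               /* never true: no enum value is negative */
}

/* Status and token kept apart, so the failure test cannot drift when
 * the token enum changes. Returns 0 on success, -1 on parse failure. */
int parse_pairs_status(const char *answer, token_t *last)
{
    token_t t = parse_pairs(answer);
    if (last != NULL)
        *last = t;
    return (t == T_INVALID) ? -1 : 0;
}

/* Same caller logic, now testing the separate status value. */
int is_plaintext_status_check(const char *answer)
{
    return parse_pairs_status(answer, NULL) < 0;
}
```

With the script output "Limit exceeded" from the log above, the old check reports 0 (not plaintext) and the status-based check reports 1.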






Re: '/usr/local/lib/rlm_* is not an ELF file' ERROR

2001-08-20 Thread magmike

Sorry, it all works.
I fixed it:
Auth-Type := System
instead of
Auth-Type := Local
But I still have errors:
 radiusd: '/usr/local/lib/rlm_unix.a' is not an ELF file
:(
Thanks!

> When I try to authorize local user via system passwd file I get Auth-Reject
> packet. radius says:

> modcall: group authorize returns ok
>   rad_check_password:  Found auth-type Local
> auth: type Local
> auth: Failed to validate the user.


> user declared in /etc/raddb/users as:
> DEFAULT Auth-Type := Local
> Service-Type = Framed-User,
> Ascend-Assign-IP-Pool = 1,
> Framed-Protocol = PPP,
> Framed-MTU = 576






'/usr/local/lib/rlm_* is not an ELF file' ERROR

2001-08-20 Thread magmike

When I try to authorize a local user via the system passwd file I get an Auth-Reject
packet. radius says:

modcall: group authorize returns ok
  rad_check_password:  Found auth-type Local
auth: type Local
auth: Failed to validate the user.


The user is declared in /etc/raddb/users as:
DEFAULT Auth-Type := Local
Service-Type = Framed-User,
Ascend-Assign-IP-Pool = 1,
Framed-Protocol = PPP,
Framed-MTU = 576

Whenever I run my freeradius, I get errors:

radiusd: '/usr/local/lib/rlm_unix.a' is not an ELF file
radiusd: '/usr/local/lib/rlm_preprocess.a' is not an ELF file
radiusd: '/usr/local/lib/rlm_realm.a' is not an ELF file
radiusd: '/usr/local/lib/rlm_files.a' is not an ELF file
radiusd: '/usr/local/lib/rlm_detail.a' is not an ELF file
radiusd: '/usr/local/lib/rlm_radutmp.a' is not an ELF file


Is it possible that the "'rlm_unix.a' is not an ELF file" error is the cause of my failures?

Compiled after
./configure  --sysconfdir=/etc --localstatedir=/var --with-threads=no

I have a 2.0.36 Linux box with gnulibc1 as the system library.

ar: supported targets: elf32-i386 a.out-i386-linux coff-i386 elf32-m68k coff-m68k
ieee a.out-m68k-linux a.out-sunos-big elf32-sparc srec symbolsrec tekhex binary
ihex trad-core


Thanks!

Mike.


