Re[6]: decode password by rlm_perl
> Michael Chernyakhovsky <[EMAIL PROTECTED]> wrote:
>> You cannot remember "YWJyYWNhZGFicmE=" for 10 seconds to decode
>> it later, but "abracadabra" you can ;)
>> I understand that it does not matter how the plain password is kept, encoded
>> or not, but a CASUAL OBSERVER can't remember an encoded password while
>> looking at the monitor.
> So why the heck is a casual observer looking at the encrypted
> passwords? What's wrong with your system? Why doesn't it have proper
> security and file permissions?

The system is good, permissions are right. I do not work in an isolated room.
It is POSSIBLE that somebody stands near me and sees some of the output on my
monitor. I don't want to allow him to see absolutely plain passwords. So, the
password encoding is just for this.

Mike.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[2]: decode password by rlm_perl
I agree, Alan. There is no difference when somebody has FULL access to the
files. I just want to hide the password from a casual observer who can see this
file for a moment. It's like qualcomm popper saves passwords in a gdb-file:
the passwords are just xor'ed there.

>> MS-CHAP and similar auth-methods require knowing users' plain passwords.
>> I want to keep passwords in a file and load them by rlm_passwd. All works
>> good, but for more security I think to keep them crypted.
> Don't bother. It doesn't make any difference.
> How are you going to decrypt the passwords? The key is going to
> have to go somewhere, and having a key plus encrypted passwords is no
> different than having plain-text passwords.

It does not matter - RC4 or elementary XOR. Even 'QWxhbg' (base64 without '='
padding) looks less readable than 'Alan' ;)

Now I know how to load a crypted password - I need to use another attribute for
this. After decryption perl has to add the User-Password attribute to the
Check-Items. It works. Thank you.

Mike
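The decode step Mike describes (decode a custom attribute and add User-Password to the check items), written out as an added example. This is not the poster's script and not code from rlm_perl: it is an rlm_perl-style authorize() that base64-decodes an assumed check attribute, My-Encoded-Password (a hypothetical dictionary entry), into $RAD_CHECK{'User-Password'}. The %RAD_* hashes and RLM_MODULE_* constants follow the names rlm_perl's example.pl uses; here they are declared as ordinary globals so the script runs on its own. As the thread says, this hides the value only from someone glancing at the file: the decoding script sits next to the data, so anyone who can read the file recovers the password.

```perl
#!/usr/bin/perl
# Added example, not the poster's script: decode a base64-obfuscated
# password from a custom check attribute and store the plain value as
# User-Password in the check items, which is what the mschap module reads.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# Return codes as defined in rlm_perl's example.pl.
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_INVALID => 4;
use constant RLM_MODULE_NOOP    => 7;

# rlm_perl fills these package globals before calling authorize();
# declared here so the script also runs stand-alone.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Hypothetical attribute name; it would have to be added to the dictionary.
my $ENCODED_ATTR = 'My-Encoded-Password';

# Accept only canonical base64 (padding optional, as in 'QWxhbg' from the
# thread); anything else is a configuration error, not a password.
sub decode_password {
    my ($enc) = @_;
    return unless defined $enc && $enc =~ m{^[A-Za-z0-9+/]+={0,2}\z};
    return decode_base64($enc);
}

sub authorize {
    # Take the encoded attribute out of the check list so that only the
    # decoded User-Password remains there for the mschap module.
    my $enc = delete $RAD_CHECK{$ENCODED_ATTR};
    return RLM_MODULE_NOOP unless defined $enc;   # no encoded password for this user
    my $plain = decode_password($enc);
    return RLM_MODULE_INVALID unless defined $plain;
    $RAD_CHECK{'User-Password'} = $plain;
    return RLM_MODULE_OK;
}

# Stand-alone run on constructed data; "YWJyYWNhZGFicmE=" is the
# base64 form of "abracadabra" quoted in the thread.
%RAD_REQUEST = ('User-Name' => 'mmike', 'Service-Type' => 'Framed-User');
%RAD_CHECK   = ('Auth-Type' => 'MS-CHAP', $ENCODED_ATTR => 'YWJyYWNhZGFicmE=');
my $rc = authorize();
print "authorize() returned $rc\n";
print "check item $_ = $RAD_CHECK{$_}\n" for sort keys %RAD_CHECK;
```

Inside rlm_perl the stand-alone block at the bottom would be dropped and the module would call authorize() itself; the point of the regex check is that a malformed value rejects the request instead of silently producing a garbage User-Password that MS-CHAP would then compare against.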
decode password by rlm_perl
Hi! Two questions.

MS-CHAP and similar auth-methods require knowing users' plain passwords. I want
to keep passwords in a file and load them by rlm_passwd. All works good, but for
more security I think to keep them crypted. The mschap module wants to see the
decrypted (plain) password. IMHO, it is a good idea to decrypt the password by
rlm_perl. I can use any method to encrypt-decrypt the password. But when
rlm_perl renews attribute values it uses the pairmove function, which ignores
all new values for User-Password and Crypt-Password. There are no more suitable
attributes in the dictionary. I can create an individual attribute and use it,
but it is not very good - I have to check the dictionaries after each update.
How to decode the password more suitably?

Second question. Where to insert the decoding code? rlm_perl has both authorize
and authenticate methods to handle radius's calling. IMHO authenticate is the
better place. When I try to insert perl in the authenticate section I can do it
in 2 ways.

First:

    authenticate {
        perl
        authtype MS-CHAP {
            mschap
        }
    }

In this case perl is not executed. When I try

    authenticate {
        authtype MS-CHAP {
            perl
            mschap
        }
    }

perl is executed, but mschap is ignored :(

Mike
perl. What differs?
I try to use perl. I am confused. In sub authorize I write for debugging
something like

    sub authorize {
        ...
        print_attrs(%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);
        deb_print("walk on hash RAD_REQUEST");
        for $k (keys %RAD_REQUEST) {
            deb_print("$k = $RAD_REQUEST{$k} ");
        }
        return $retval;
    }

deb_print is

    sub deb_print {
        print "radius.pl: ", @_, "\n";
    }

I use arguments in print_attrs:

    sub print_attrs {
        my (%REQUEST, %REPLY, %CHECK) = @_;
        logging("RAD_REQUEST: ===");
        for (keys %REQUEST) {
            deb_print("$_ = $REQUEST{$_} ");
        }
        logging("RAD_REPLY: ===");
        for (keys %REPLY) {
            deb_print("$_ = $REPLY{$_} ");
        }
        logging("RAD_CHECK: ===");
        for (keys %CHECK) {
            deb_print("$_ = $CHECK{$_} ");
        }
    }

output is:

    radius.pl: RAD_REQUEST: ===
    radius.pl: Service-Type = Framed-User
    radius.pl: Auth-Type = MS-CHAP
    radius.pl: Calling-Station-Id = 192.168.0.2
    radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
    radius.pl: Client-IP-Address = 192.168.0.12
    radius.pl: Framed-Protocol = PPP
    radius.pl: User-Name = mmike
    radius.pl: User-Password = mike
    radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac20000769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
    radius.pl: Connect-Info = 1524
    radius.pl: NAS-Port = 0
    radius.pl: NAS-IP-Address = 192.168.0.12
    radius.pl: RAD_REPLY: ===
    radius.pl: RAD_CHECK: ===
    radius.pl: walk on hash RAD_REQUEST
    radius.pl: Service-Type = Framed-User
    radius.pl: Calling-Station-Id = 192.168.0.2
    radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
    radius.pl: Client-IP-Address = 192.168.0.12
    radius.pl: Framed-Protocol = PPP
    radius.pl: User-Name = mmike
    radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac20000769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
    radius.pl: Connect-Info = 1524
    radius.pl: NAS-Port = 0
    radius.pl: NAS-IP-Address = 192.168.0.12

The output from print_attrs looks like there are no attributes in RAD_CHECK, and
both User-Password and Auth-Type are in RAD_REQUEST. But in reality they are in
RAD_CHECK.

When I do not use arguments in print_attrs

    sub print_attrs {
        #my (%REQUEST, %REPLY, %CHECK) = @_;
        .
    }

then I have the following output

    radius.pl: RAD_REQUEST: ===
    radius.pl: Service-Type = Framed-User
    radius.pl: Calling-Station-Id = 192.168.0.2
    radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
    radius.pl: Client-IP-Address = 192.168.0.12
    radius.pl: Framed-Protocol = PPP
    radius.pl: User-Name = mmike
    radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac20000769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
    radius.pl: Connect-Info = 1524
    radius.pl: NAS-Port = 0
    radius.pl: NAS-IP-Address = 192.168.0.12
    radius.pl: RAD_REPLY: ===
    radius.pl: RAD_CHECK: ===
    radius.pl: User-Password = mike
    radius.pl: Auth-Type = MS-CHAP
    radius.pl: walk on hash RAD_REQUEST
    radius.pl: Service-Type = Framed-User
    radius.pl: Calling-Station-Id = 192.168.0.2
    radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
    radius.pl: Client-IP-Address = 192.168.0.12
    radius.pl: Framed-Protocol = PPP
    radius.pl: User-Name = mmike
    radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac20000769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
    radius.pl: Connect-Info = 1524
    radius.pl: NAS-Port = 0
    radius.pl: NAS-IP-Address = 192.168.0.12

Looks good - both User-Password and Auth-Type are in RAD_CHECK in print_attrs
and in the walk on the hash. What is the reason for such different behaviour?

Mike
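The difference Mike sees comes from Perl's calling convention, not from rlm_perl: print_attrs(%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK) flattens all three hashes into one key/value list in @_, and my (%REQUEST, %REPLY, %CHECK) = @_; lets the first hash swallow that whole list, so every attribute lands in %REQUEST and %CHECK stays empty. The script below is an added example, not the poster's radius.pl: it reproduces the effect on constructed hashes named after the rlm_perl globals (the sample attributes are modelled on the debug output above) and shows the usual fix, passing hash references.

```perl
#!/usr/bin/perl
# Added example (not the poster's radius.pl): why passing hashes by value
# puts every attribute into the first hash, and the fix with references.
use strict;
use warnings;

# Constructed sample data modelled on the debug output in the thread;
# these stand in for rlm_perl's %RAD_REQUEST / %RAD_REPLY / %RAD_CHECK.
our %RAD_REQUEST = (
    'User-Name'      => 'mmike',
    'Service-Type'   => 'Framed-User',
    'NAS-IP-Address' => '192.168.0.12',
);
our %RAD_REPLY = ();
our %RAD_CHECK = (
    'User-Password' => 'mike',
    'Auth-Type'     => 'MS-CHAP',
);

sub deb_print { print "radius.pl: ", @_, "\n"; }

# Print one attribute list, given by reference.
sub dump_list {
    my ($label, $h) = @_;
    deb_print("$label: ===");
    deb_print("$_ = $h->{$_}") for sort keys %$h;
}

# Broken version (as in the thread): the call site flattens all three
# hashes into one list, and the first hash in the my() list takes all of it.
# Returns the key counts of the three local hashes so the effect is visible.
sub print_attrs_by_value {
    my (%REQUEST, %REPLY, %CHECK) = @_;
    dump_list('RAD_REQUEST', \%REQUEST);
    dump_list('RAD_REPLY',   \%REPLY);
    dump_list('RAD_CHECK',   \%CHECK);
    return (scalar(keys %REQUEST), scalar(keys %REPLY), scalar(keys %CHECK));
}

# Fixed version: each argument is a reference, so the lists stay separate.
sub print_attrs_by_ref {
    my ($req, $rep, $chk) = @_;
    dump_list('RAD_REQUEST', $req);
    dump_list('RAD_REPLY',   $rep);
    dump_list('RAD_CHECK',   $chk);
    return (scalar(keys %$req), scalar(keys %$rep), scalar(keys %$chk));
}

deb_print('--- by value ---');
my @n1 = print_attrs_by_value(%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);
deb_print('--- by reference ---');
my @n2 = print_attrs_by_ref(\%RAD_REQUEST, \%RAD_REPLY, \%RAD_CHECK);
deb_print("key counts by value: @n1; by reference: @n2");
```

Run on its own, the by-value variant lists all five attributes under RAD_REQUEST and nothing under RAD_CHECK, which is the first output in the thread; the by-reference variant keeps User-Password and Auth-Type under RAD_CHECK. Inside rlm_perl the globals are already in scope, so print_attrs can also simply read %RAD_CHECK directly instead of taking arguments, which is what the second, working variant in the thread effectively does.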
offer about rad_malloc. (bugs in rlm_passwd)
Today I have tried to find out why rlm_passwd makes a segmentation fault. There
is a bug in the allocation of the hash-table for pointers: there is no memset
after the allocations, so all pointers are garbage. There are other unknown bugs
in rlm_passwd. I don't know where. Tomorrow I'll find them.

But today I offer to change rad_malloc. Adding the line

    memset(ptr, 0, size);

before

    return ptr;

in the function rad_malloc() is good, IMHO. It makes the code more secure. If
not, say why.

Mike
Re[5]: rlm_perl cause fall out to core
Hi!

> On _2003-06-18 at 13:55, Michael Chernyakhovsky wrote:
>> Just now I try to recompile my perl with USE_ITHREADS.
>> No results. radiusd faults after kill -HUP.
>>
> Send output from radiusd -xxx or -X, perl -V and gdb trace
>> Mike.

I'm really sorry. I was mistaken :( perl looks good. The trouble seems to be in
rlm_passwd. I found the bug when I began to use rlm_perl; at the same time the
first message about "rlm_perl cause fall out to core" appeared. Today I have had
many experiences finding the causes of segmentation faults. I excluded all
modules in the reverse order I use them. I was mistaken also because radiusd
run with the -X option does not output any debug messages after kill -HUP :(.
It looks like it hung.

And please forgive me again.
Re[2]: rlm_perl cause fall out to core
No results :( It segmentation faults. It seems my perl (slackware 9.0, perl
5.8.0) is built without the -Duseithreads flag: there is a

    /*#define USE_ITHREADS/ **/

line in my /usr/lib/perl5/5.8.0/i386-linux/CORE/config.h

Also, as I noticed, perl_destruct and perl_free are not executed anywhere.
perl_destruct is executed when USE_ITHREADS is defined. Although when I try to
add perl_destruct/perl_free, radius faults anyway :(

Mike.

> On _ 2003-06-17 at 21:55, [EMAIL PROTECTED] wrote:
>> > Hi. I have a problem with rlm_perl on version 0.8.1 (under FreeBSD 5.1 Release).
>> > After starting radiusd with -xyz I've got segmentation fault.
>> > What do I do wrong?
>>
>> I confirm the problem.
>>
>> My radiusd (latest snapshot) works fine until it gets a -HUP signal.
>> After kill -HUP it works until the first request or the next -HUP signal.
>>
> Use rlm_perl from cvs or get a patch from
> http://redguy.orbitel.bg/~alien/
> version in 0.8.1 is unstable and probably broken. (That's why it is in
> testing section ) so don't use it. Instead of this grab the latest cvs
> and try it.
>> Without rlm_perl all looks stable.
>>
>> linux 2.4.20-SMP, slackware 9.0.
>> perl, v5.8.0 built for i386-linux.
>>
>> Mike.
Re: rlm_perl cause fall out to core
> Hi. I have a problem with rlm_perl on version 0.8.1 (under FreeBSD 5.1 Release).
> After starting radiusd with -xyz I've got segmentation fault.
> What do I do wrong?

I confirm the problem.

My radiusd (latest snapshot) works fine until it gets a -HUP signal. After kill
-HUP it works until the first request or the next -HUP signal.

Without rlm_perl all looks stable.

linux 2.4.20-SMP, slackware 9.0.
perl, v5.8.0 built for i386-linux.

Mike.
Re[2]: rlm_acct_unique possible bug
Hi!

> Really didn't notice that, happened couple of times, wonder why pppd
> sends 2 acct-starts and sometimes with different session IDs.
> Sorry to report this as it ain't a bug then, and thanks for the fast
> reply.

Yes, the problem is in pppd's radius plug-in. Acct-Session-Id is generated as

    strncpy(rstate.session_id, rc_mksid(), sizeof(rstate.session_id));

in the radius_acct_start() function. rc_mksid is defined in
/pppd/plugins/radius/radiusclient/lib/util.c as

    char *rc_mksid (void)
    {
        static char buf[14];
        sprintf (buf, "%08lX%04X", (unsigned long int) time (NULL), (unsigned int) getpid ());
        return buf;
    }

i.e. when the radius server doesn't answer the Acct-Start request, pppd repeats
it and generates another Acct-Start request, i.e. executes radius_acct_start()
once more. So, I think, it is right to move the line

    strncpy(rstate.session_id, rc_mksid(), sizeof(rstate.session_id));

from the radius_acct_start() function to radius_init(), so that rc_mksid() will
be called once.

Mike.

> On Tue, 2003-06-17 at 14:54, Chris Parker wrote:
>> At 02:24 PM 6/17/2003 +0100, Manuel Sousa wrote:
>> >Hi, all
>> >
>> >I've been using freeradius and noticed that sometimes the
>> >Acct-Unique-Session-ID gave me different values for the same inputs.
>> >A partial output of radiusd -X is:
>> >
>> >rlm_acct_unique: Hashing 'Acct-Session-Id = "3EEF21621014",User-Name =
>> >"noc"'
>> >rlm_acct_unique: Acct-Unique-Session-ID = "889e46aba4217ad4".
>> >
>> >rlm_acct_unique: Hashing 'Acct-Session-Id = "3EEF21631014",User-Name =
>> >"noc"'
>> >rlm_acct_unique: Acct-Unique-Session-ID = "6836c775ae8a6c48".
>> >
>> >Wonder if anyone else experienced the same problem. I'm using
>> >freeradius-0.8.1.
>>
>> Look closer at the Acct-Session-Id, particularly the 8th position. Your
>> first line has a '2', your second line has a '3'. They are not the same,
>> hence the hash result is not the same.
move AVP from config list to packet list. HOW?
Hi!

As I understand, the rlm_files module doesn't use any avp from the config list
as check items while parsing the users-file. Is that so?

Imagine some module inserts a certain avp into the config-list. I want to check
this avp against some value in my users-file, but I can't :( So I need to move
this attribute-value-pair from the config attributes list to the packet list
before the rlm_files module. How can I do this?

Mike.
Re[3]: rlm_passwd
Friday, September 27, 2002, 9:26:16 PM Alan wrote:

> You shouldn't use Group-Name, as that attribute is already used for
> Unix groups. Over-loading it with two different meanings will make it
> NOT work.
> Pick another name: My-Group, or something like that. If necessary,
> add that attribute to the dictionary.

It does not work anyway :(

    passwd raddb_group {
        filename = /etc/raddb/group
        format = "My-Group:::*,User-Name"
        hashsize = 50
        ignorenislike = yes
        allowmultiplekeys = no
    }

my users:
--
    10:DEFAULT My-Group == "slow", Pool-Name := "ippool-1-slow"
    11:        Fall-Through = 1
    12:
    13:DEFAULT My-Group == "fast", Pool-Name := "ippool-1-fast"
    14:        Fall-Through = 1
    15:
    ...
    28:
    29:DEFAULT Service-Type == Framed-User
    30:        Framed-MTU = 1500,
    31:        Exec-Program-Wait = "/etc/raddb/scripts/radauth",
    32:        Service-Type = Framed-User
---

radiusd -xx output is:

    .
    rlm_passwd: Added My-Group: fast
    modcall[authorize]: module "raddb_group" returns ok
    modcall[authorize]: module "mschap" returns ok
    users: Matched DEFAULT at 29
    modcall[authorize]: module "files" returns ok
    .

My-Group is set to fast. I guess the match has to be at 13 and 29, but it
matched at 29 only :( What's wrong?

Mike.
Re[2]: rlm_passwd
> You shouldn't use Group-Name, as that attribute is already used for
> Unix groups. Over-loading it with two different meanings will make it
> NOT work.
> Pick another name: My-Group, or something like that. If necessary,
> add that attribute to the dictionary.

Thank you!

Mike.
rlm_passwd
In doc/rlm_passwd we read:

    If the request contains a User-Name attribute with value 'vlad', and the
    passwd file (/etc/group) contains the following record:

        wheel:*:0:root,vlad,test

    the Group-Name attribute will be added to the configuration items list
    with the value "wheel".

Where and how can I use configuration items in the users file? I try something
like:

radiusd.conf:
--
    passwd raddb_group {
        filename = /etc/raddb/group
        format = "Group-Name:::*,User-Name"
        hashsize = 50
        ignorenislike = yes
        allowmultiplekeys = no
    }

    authorize {
        ...
        raddb_group
        ...
    }
--

users:
--
    1: DEFAULT Group-Name == "slow" Pool-Name := "slowpool"
    2:         Fall-Through = 1
    3:
    4: DEFAULT Service-Type == Framed-User
    5:         Framed-MTU = 1500,
    6:         Exec-Program-Wait = "/etc/raddb/scripts/radauth",
    7:         Service-Type = Framed-User
--

but

    rlm_passwd: Added Group: fast
    modcall[authorize]: module "raddb_group" returns ok
    ...
    users: Matched DEFAULT at 4
    modcall[authorize]: module "files" returns ok

so the configuration item is not checked in users. How can I use such items for
a check?

Mike
users lookup and another question
Hi!

My users are authenticated with the mschap module. All users are separated into
2 groups: "fast" and "slow". They all can dial in to one of many NAS.
Framed-IP-Address depends on NAS-IP-Address and the user group. I plan to use
the ippool module for Framed-IP-Address assigning. So I need in general
"NAS-quantity" X "group-quantity" pools.

My question is: how can radius assign the ippool? I try to make this via the
users-file as shown below. There is my /etc/raddb/users:

    1: user0   User-Category := "fast"
    2:         Fall-Through = 1
    3:
    4: user1   User-Category := "fast"
    5:         Fall-Through = 1
    6:
    7: user2   User-Category := "slow"
    8:         Fall-Through = 1
    9:
    10:DEFAULT User-Category == "slow", Pool-Name := "ippool-1-slow"
    11:        Fall-Through = 1
    12:
    13:DEFAULT User-Category == "fast", Pool-Name := "ippool-1-fast"
    14:        Fall-Through = 1
    15:
    16:DEFAULT Service-Type == Framed-User
    17:        Framed-MTU = 1500,
    18:        Service-Type = Framed-User

debug output is:

    Thread 1 handling request 0, (1 handled so far)
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "user1"
    MS-CHAP-Challenge =
    MS-CHAP2-Response = ..
    NAS-IP-Address = 192.168.0.5
    NAS-Port = 0
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    rlm_passwd: Added User-Password: password-of-user1
    rlm_passwd: Added Group-Name: fast
    rlm_passwd: Adding Auth-Type: MS-CHAP
    modcall[authorize]: module "raddb_userlist" returns ok
    modcall[authorize]: module "mschap" returns ok
    users: Matched user1 at 4
    users: Matched DEFAULT at 16

I think there has to be a match at line 13. But it isn't so. Why?

How slow will such a check work with 500 users in the /etc/raddb/users file?
Each user will be described by 2 lines like:

    user0   User-Category := "fast"
            Fall-Through = 1

My other way was to create a group-like file with the format

    groupname:::username

The rlm_unix module can set the Group attribute to the appropriate value, but it
is not called in the authenticate section because auth-type is MS-CHAP after the
mschap module call in the authorize section.

Can I force calling the rlm_unix module in the authenticate section when
Auth-Type == "MS-CHAP"?

Thanks in advance!

Mike.
Re[2]: ippool bug or config problem?
Tuesday, September 24, 2002, 7:29:03 PM, [EMAIL PROTECTED] wrote:

> On Tue, 24 Sep 2002 [EMAIL PROTECTED] wrote:
>>
>> ippool assigns the same ip address for two different users.
>> May be my config is broken?
>> When I use a large pool (1-254), I have the same bug after restarting
>> radiusd.
>> -
>> Now I try to send an auth packet with radclient (user mmike):
>>
>> Thread 1 handling request 0, (1 handled so far)
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> User-Name = "mmike"
>> MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
>> MS-CHAP2-Response = 0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
>> NAS-IP-Address = 192.168.0.5
>> NAS-Port = 0
> All Access-Requests contain the same NAS/Port pair. rlm_ippool will consider the
> corresponding ip allocated stale and will free it. As a result it will get
> reallocated to another user.

With a large pool (1-254) ippool returns a different ip for the same requests.
(old db-files removed)

Auth-request:

    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "mmike"
    MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
    MS-CHAP2-Response = 0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
    NAS-IP-Address = 192.168.0.5
    NAS-Port = 0

    # radiusd -xx | grep ippool
    ippool: session-db = "/etc/raddb/pools/db.pool-1-fast"
    ippool: ip-index = "/etc/raddb/pools/db.pool-1-fast.idx"
    ippool: range-start = 192.168.5.1 IP address [192.168.5.1]
    ippool: range-stop = 192.168.5.254 IP address [192.168.5.254]
    ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
    ippool: cache-size = 800
    rlm_ippool: Initializing database
    Module: Instantiated ippool (ippool-1-fast)

    REQUEST #1
    rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
    rlm_ippool: num: 1
    rlm_ippool: Allocated ip 192.168.5.55 to client on nas 192.168.0.5,port 0
    modcall[post-auth]: module "ippool-1-fast" returns ok

    REQUEST #2
    rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
    rlm_ippool: Found a stale entry for ip/port: 192.168.5.55/0
    rlm_ippool: num: 0
    rlm_ippool: num: 1
    rlm_ippool: Allocated ip 192.168.5.217 to client on nas 192.168.0.5,port 0
    modcall[post-auth]: module "ippool-1-fast" returns ok

    REQUEST #3
    rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
    rlm_ippool: Found a stale entry for ip/port: 192.168.5.217/0
    rlm_ippool: num: 0
    rlm_ippool: num: 1
    rlm_ippool: Allocated ip 192.168.5.92 to client on nas 192.168.0.5,port 0
    modcall[post-auth]: module "ippool-1-fast" returns ok

    REQUEST #4
    rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
    rlm_ippool: Found a stale entry for ip/port: 192.168.5.92/0
    rlm_ippool: num: 0
    rlm_ippool: num: 1
    rlm_ippool: Allocated ip 192.168.5.233 to client on nas 192.168.0.5,port 0
    modcall[post-auth]: module "ippool-1-fast" returns ok
ippool bug or config problem?
ippool assigns the same ip address for two different users. May be my config is
broken? When I use a large pool (1-254), I have the same bug after restarting
radiusd.

- radiusd.conf

    modules {
        ippool ippool-1-fast {
            range-start = 192.168.5.1
            range-stop = 192.168.5.6
            netmask = 255.255.255.0
            cache-size = 800
            session-db = ${raddbdir}/pools/db.pool-1-fast
            ip-index = ${raddbdir}/pools/db.pool-1-fast.idx
        }
    }

    accounting {
        detail
        unix
        radutmp
        ippool-1-fast
    }

    post-auth {
        ippool-1-fast
    }

- end of radiusd.conf

- users

    DEFAULT NAS-IP-Address == "192.168.0.5", Service-Type == Framed-User, Pool-Name := "ippool-1-fast"
            Framed-MTU = 1500,
            Service-Type = Framed-User,
            Fall-Through = 1

- end of users

Now run radiusd:

    root@vpn:/etc/raddb# radiusd -xx
    Starting - reading configuration files ...
    ...
    Module: Loaded IPPOOL
    ippool: session-db = "/etc/raddb/pools/db.pool-1-fast"
    ippool: ip-index = "/etc/raddb/pools/db.pool-1-fast.idx"
    ippool: range-start = 192.168.5.1 IP address [192.168.5.1]
    ippool: range-stop = 192.168.5.6 IP address [192.168.5.6]
    ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
    ippool: cache-size = 800
    rlm_ippool: Initializing database
    Module: Instantiated ippool (ippool-1-fast)
    Initializing the thread pool...
    thread: start_servers = 5
    thread: max_servers = 32
    thread: min_spare_servers = 3
    thread: max_spare_servers = 10
    thread: max_requests_per_server = 0
    thread: cleanup_delay = 5
    Ready to process requests.
    Thread 5 waiting to be assigned a request
    rad_recv: Access-Request packet from host 192.168.0.5:1026, id=70, length=133
    Thread 1 assigned request 0
    --- Walking the entire request list ---
    Threads: total/active/spare threads = 5/1/4
    Nothing to do. Sleeping until we see a request.

- Now I try to send an auth packet with radclient (user mmike):

    Thread 1 handling request 0, (1 handled so far)
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "mmike"
    MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
    MS-CHAP2-Response = 0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
    NAS-IP-Address = 192.168.0.5
    NAS-Port = 0
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    rlm_passwd: Added User-Password: mike
    rlm_passwd: Added Group: fast
    rlm_passwd: Adding Auth-Type: MS-CHAP
    modcall[authorize]: module "raddb_userlist" returns ok
    modcall[authorize]: module "mschap" returns ok
    rlm_realm: No '@' in User-Name = "mmike", looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 201
    modcall[authorize]: module "files" returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type MS-CHAP
    auth: type "MS-CHAP"
    modcall: entering group authenticate
    rlm_mschap: doing MS-CHAPv2 with NT-Password
    rlm_mschap: adding MS-CHAPv2 MPPE keys
    modcall[authenticate]: module "mschap" returns ok
    modcall: group authenticate returns ok
    Login OK: [mmike] (from client 192.168.0.5 port 0)
    modcall: entering group post-auth
    rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
    rlm_ippool: num: 1
    rlm_ippool: Allocated ip 192.168.5.3 to client on nas 192.168.0.5,port 0
    modcall[post-auth]: module "ippool-1-fast" returns ok
    modcall: group post-auth returns ok
    Sending Access-Accept of id 70 to 192.168.0.5:1026
    Framed-MTU = 1500
    Service-Type = Framed-User
    MS-CHAP2-Success = 0x01533d45374231324135434246333738353344304438323638373933463331363332363844463839414236
    MS-MPPE-Recv-Key = 0xe3464568c260d4f054599eac8c270f89762624d03837024c13e53c392029a3ca21c2
    MS-MPPE-Send-Key = 0xe345be695620746dcc14948143420d08d333dd86889a5a66f9a1e084b1c5a4b6d723
    MS-MPPE-Encryption-Policy = 0x0002
    MS-MPPE-Encryption-Types = 0x0004
    Framed-IP-Address = 192.168.5.3

OK, ip assigned 192.168.5.3. Now I try to connect with pppd+radiusclient (user mmmike):

    Nothing to do. Sleeping until we see a request.
    Thread 1 handling request 5, (2 handled so far)
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "mmmike"
    MS-CHAP-Challenge = 0x35a4ce64ebf19fc25af6921225399273
    MS-CHAP2-Response = 0x010068295ca3c0f2c063e229225a129b53df0000405f88f247c0d22d083286a7123eb6cc61415f5401ad09fc
    NAS-IP-Address = 192.168.0.5
    NAS-Port = 0
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    rlm_passwd: Added User-Password: mike
    rlm_passwd: Added Group: fast
    rlm_passwd: Adding Auth-Type: MS-CHAP
    modcall[authorize]: modu
Re[3]: Group reject. Group* attribute bug in users file?
> Dear [EMAIL PROTECTED],
> Group-Name == "slow"
> checks for Group-Name attribute in check list (that is list of
> attributes received in RADIUS request).
> format = "*User-Name:User-Password:Group-Name"
> adds Group-Name attribute to config items list. So there will never be
> Group-Name in check list. Changing Group-Name to Group will give no
> result.

Can I move an attribute from the config items list to the check list? Or how can
I check a config attribute?

> I can change rlm_passwd to be able to add something to reply attributes
> list. In this case you will be able to directly add Pool-Name from
> passwd file to RADIUS reply.

No. It is a bad idea to add Pool-Name to the Reply. Imagine I have 2 NASes with
2 ip-pools for each (ippool-1-fast, ippool-1-slow for the 1st NAS and
ippool-2-fast, ippool-2-slow for the 2nd NAS). So we have 4 different ip-pools.
A user can connect to any of the NASes. rlm_passwd returns slow or fast for the
user. If a user from the slow group connects to NAS#1, Pool-Name has to be
changed to ippool-1-slow. If the user connects to NAS#1, then Pool-Name :=
ippool-2-slow. Can you explain to me how I can make such a choice?

mmr>> I have a similar problem. I try group-based authentication.
mmr>> in radius.conf:
mmr>>     passwd raddb_userlist {
mmr>>         filename = /etc/raddb/userlist
mmr>>         format = "*User-Name:User-Password:Group-Name"
mmr>>         authtype = MS-CHAP
mmr>>         hashsize = 1000
mmr>>         ignorenislike = no
mmr>>         allowmultiplekeys = no
mmr>>     }
mmr>> in /etc/raddb/userlist:
mmr>>     mmike:mike:fast
mmr>> users file (with line numbers):
mmr>>     185:DEFAULT Group-Name == "slow", Pool-Name := "ippool-1-slow"
mmr>>     186:        Fall-Through = Yes
mmr>>     187:
mmr>>     188:DEFAULT Group-Name == "fast", Pool-Name := "ippool-1-fast"
mmr>>     189:        Fall-Through = Yes
mmr>>     190:
mmr>>     191:DEFAULT Service-Type == Framed-User
mmr>>     192:        Framed-MTU = 1500,
mmr>>     193:        Service-Type = Framed-User,
mmr>>     194:        Fall-Through = Yes
mmr>> now I run radiusd:
mmr>>     # radiusd -xx
mmr>>     ...
mmr>>     modcall: entering group authorize
mmr>>     modcall[authorize]: module "preprocess" returns ok
mmr>>     rlm_passwd: Added User-Password: mike
mmr>>     rlm_passwd: Added Group-Name: fast   < Group-Name attribute added with value "fast"
mmr>>     rlm_passwd: Adding Auth-Type: MS-CHAP
mmr>>
mmr>>     users: Matched DEFAULT at 191
mmr>>     modcall[authorize]: module "files" returns ok
mmr>>     ...
mmr>> MATCH found at line 191 only. Hm.. what about line 188?!!!
mmr>> I try to use the "Group" attr instead of "Group-Name". The result is the same.
mmr>> Is it a bug?
>>> I have install freeradius 0.7.1 on slackware 8.0 with shadow password
>>> Installation was ok and basic functions are working.
>>> I have experience problems when I try to deny access to one of the groups
>>> on the radius server
>>> Following instruction did not help.
>>> I try :
>>> DEFAULT Group == "users" , Auth-Type :=Reject
>>> DEFAULT Group == users , Auth-Type :=Reject
>>> DEFAULT Group == "users" , Auth-Type =Reject
>>> DEFAULT Group == users , Auth-Type =Reject
>>> And more before:
>>> DEFAULT Auth-Type := System
>>> but nothing work.
>>> User marcin , group users was always able to authenticate.
>>> This is a debug of the auth process:
>>>
>>> rad_recv: Access-Request packet from host 216.168.1.38:4751, id=131,
>>> length=81
>>> NAS-IP-Address = 216.168.1.38
>>> Calling-Station-Id = "204.251.93.250"
>>> User-Name = "marcin@hostplus.net"
>>> User-Password = "\274\252\2162\275\rS+\305F.\240\007Ia"
>>> modcall: entering group authorize
>>> modcall[authorize]: module "preprocess" returns ok
>>> rlm_realm: Looking up realm hostplus.net for User-Name =
>>> "marcin@hostplus.net"
>>> rlm_realm: Found realm hostplus.net
>>> rlm_realm: Adding Stripped-User-Name = "marcin"
>>> rlm_realm: Proxying request from user marcin to realm hostplus.net
>>> rlm_realm: Adding Realm = "hostplus.net"
>>> rlm_realm: Authentication realm is LOCAL.
>>> rlm_realm: auth_port is not set. proxy cancelled
>>> modcall[authorize]: module "suffix" returns noop
>>> users: Matched DEFAULT at 6
>>> modcall[authorize]: module "files" returns ok
>>> modcall: group authorize returns ok
>>> rad_check_password: Found Auth-Type System
>>> auth: type "System"
>>> modcall: entering group authenticate
>>> modcall[authenticate]: module "unix" returns ok
>>> modcall: group authenticate returns ok
>>> Login OK: [marcin@hostplus.net] (from client supernews port 0 cli
>>> 204.251.93.250)
>>> Sending Access-Accept of id 131 to 216.168.1.38:4751
>>> Finished request 4
>>> Going to the next request
>>>
>>> And one more thing.
>>> Will I be able to limit access based on
>>> Called-Station-id ?
>>> If so what would be a process to set this up?
Re: Group reject. Group* attribute bug in users file?
I have a similar problem. I try group-based authentication.

in radius.conf:

    passwd raddb_userlist {
        filename = /etc/raddb/userlist
        format = "*User-Name:User-Password:Group-Name"
        authtype = MS-CHAP
        hashsize = 1000
        ignorenislike = no
        allowmultiplekeys = no
    }

in /etc/raddb/userlist:

    mmike:mike:fast

users file (with line numbers):

    185:DEFAULT Group-Name == "slow", Pool-Name := "ippool-1-slow"
    186:        Fall-Through = Yes
    187:
    188:DEFAULT Group-Name == "fast", Pool-Name := "ippool-1-fast"
    189:        Fall-Through = Yes
    190:
    191:DEFAULT Service-Type == Framed-User
    192:        Framed-MTU = 1500,
    193:        Service-Type = Framed-User,
    194:        Fall-Through = Yes

now I run radiusd:

    # radiusd -xx
    ...
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    rlm_passwd: Added User-Password: mike
    rlm_passwd: Added Group-Name: fast   < Group-Name attribute added with value "fast"
    rlm_passwd: Adding Auth-Type: MS-CHAP

    users: Matched DEFAULT at 191
    modcall[authorize]: module "files" returns ok
    ...

MATCH found at line 191 only. Hm.. what about line 188?!!!

I try to use the "Group" attr instead of "Group-Name". The result is the same.
Is it a bug?

> I have install freeradius 0.7.1 on slackware 8.0 with shadow password
> Installation was ok and basic functions are working.
> I have experience problems when I try to deny access to one of the groups
> on the radius server
> Following instruction did not help.
> I try :
> DEFAULT Group == "users" , Auth-Type :=Reject
> DEFAULT Group == users , Auth-Type :=Reject
> DEFAULT Group == "users" , Auth-Type =Reject
> DEFAULT Group == users , Auth-Type =Reject
> And more before:
> DEFAULT Auth-Type := System
> but nothing work.
> User marcin , group users was always able to authenticate.
> This is a debug of the auth process:
>
> rad_recv: Access-Request packet from host 216.168.1.38:4751, id=131,
> length=81
> NAS-IP-Address = 216.168.1.38
> Calling-Station-Id = "204.251.93.250"
> User-Name = "marcin@hostplus.net"
> User-Password = "\274\252\2162\275\rS+\305F.\240\007Ia"
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_realm: Looking up realm hostplus.net for User-Name =
> "marcin@hostplus.net"
> rlm_realm: Found realm hostplus.net
> rlm_realm: Adding Stripped-User-Name = "marcin"
> rlm_realm: Proxying request from user marcin to realm hostplus.net
> rlm_realm: Adding Realm = "hostplus.net"
> rlm_realm: Authentication realm is LOCAL.
> rlm_realm: auth_port is not set. proxy cancelled
> modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 6
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
> modcall[authenticate]: module "unix" returns ok
> modcall: group authenticate returns ok
> Login OK: [marcin@hostplus.net] (from client supernews port 0 cli
> 204.251.93.250)
> Sending Access-Accept of id 131 to 216.168.1.38:4751
> Finished request 4
> Going to the next request
>
> And one more thing.
> Will I be able to limit access based on
> Called-Station-id ?
> If so what would be a process to set this up?
Set for request attribute in Exec-Program-Wait
How to set a request attribute in Exec-Program-Wait?

For example, I can set the pool name like:

DEFAULT Service-Type == Framed-User, Pool-Name := "ippool-1"

I need to set Pool-Name in an external script, called on Exec-Program-Wait, for use in rlm_ippool. But I can't - Exec-Program-Wait sets the value-pair Pool-Name to "ippool-1" and rlm_ippool says "Could not find Pool-Name attribute".

# radiusd -xx
Exec-Program: /etc/raddb/scripts/radauth
Exec-Program-Wait: value-pairs: Pool-Name = "ippool-1"
Exec-Program: returned: 0
Login OK: [testuser] (from client 192.168.0.5 port 0)
modcall: entering group post-auth
rlm_ippool: Could not find Pool-Name attribute.
modcall[post-auth]: module "ippool-1" returns noop
..

I tried using ":=" instead of "=". The result is the same.

Can I modify a request attribute from an Exec-Program-Wait script?
Re[2]: Segmentation fault in rlm_passwd
> --Monday, July 15, 2002, 1:19:53 PM, you wrote to [EMAIL PROTECTED]:

mmr>> m_mschap-0.6.so: undefined symbol: md4_calc

> There was a problem with dynamic library building. This problem will be
> fixed in upcoming 0.6.1 and should be fixed in latest CVS snapshot.

mmr>> Program received signal SIGSEGV, Segmentation fault.
mmr>> [Switching to Thread 1024 (LWP 12673)]
mmr>> 0x401cb79b in passwd_authorize (instance=0x80bb5f0, request=0x80bd910)
mmr>>     at rlm_passwd.c:425
mmr>> 425     for (key = request->packet->vps;

> it looks strange (there is nothing changed since release and nothing on
> rlm_passwd.c:425 to cause the segfault). Try to completely remake and
> reinstall all modules, maybe you still have the rlm_passwd binary
> compiled from the 0.6 release version; it should be recompiled.

Yeaaa! It works. Thanks. Thank you! ;)

But I found rlm_passwd was not compiled after the general make. I had to cd to src/modules/rlm_passwd and run 'make; make install' to compile and install rlm_passwd.so. Some bugs in the Makefiles?
Segmentation fault in rlm_passwd
Hello!

The problem is a Segmentation fault in rlm_passwd.

I try to authorize a pptp user via the simplest local file /etc/raddb/userlist with format = "*User-Name:User-Password"

= radiusd.conf fragment =

modules {
        ...
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
        }
        passwd raddb_userlist {
                filename = /etc/raddb/userlist
                format = "*User-Name:User-Password"
                authtype = MS-CHAP
                hashsize = 100
                ignorenislike = no
                allowmultiplekeys = no
        }
} # end of modules

authorize {
        preprocess
        suffix
        files
        raddb_userlist
        mschap
}

= users file (very simple, for debug purposes) =

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

With the latest freeradius snapshot (Mon Jul 15 08:29:11 2002) I get a Segmentation fault. With the 0.6 release it exits with "undefined symbol: md4_calc:" (see below)

==
root@vpn:/etc/raddb# gdb radiusd
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) set args -XX
(gdb) run
Starting program: /usr/local/sbin/radiusd -XX
[New Thread 1024 (LWP 12673)]
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded MS-CHAP
 mschap: ignore_password = no
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded passwd
 passwd: filename = "/etc/raddb/userlist"
 passwd: format = "*User-Name:User-Password"
 passwd: authtype = "MS-CHAP"
 passwd: ignorenislike = no
 passwd: allowmultiplekeys = no
 passwd: hashsize = 100
rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no
Module: Instantiated passwd (raddb_userlist)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.5:1025, id=134, length=133
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "mmike"
        MS-CHAP-Challenge = 0x7983c03e2529
gethostbyname_r compiling problem
Hi!

I can't compile the last snapshot; it fails with these errors:

misc.c:57: too few arguments to function `gethostbyaddr_r'
misc.c:90: too few arguments to function `gethostbyname_r'

in src/lib/misc.c:57

        hp = gethostbyname_r(host, &result, buffer, sizeof(buffer), &error);

gethostbyname_r is called with 5 arguments.

in /usr/include/netdb.h:

extern int gethostbyname_r (__const char *__restrict __name,
                            struct hostent *__restrict __result_buf,
                            char *__restrict __buf, size_t __buflen,
                            struct hostent **__restrict __result,
                            int *__restrict __h_errnop) __THROW;

6 args.

Slackware-8.0 glibc-2.2.3

what's wrong?
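The mismatch above is the classic gethostbyname_r portability split: the call in misc.c uses a five-argument form that returns a struct hostent pointer (the shape found on some other libcs, Solaris among them), while glibc, as the quoted netdb.h shows, declares a six-argument form that returns an int and hands the hostent back through the fifth argument. As an added example (not code from the post or from the FreeRADIUS sources), here is the glibc form used correctly, including the ERANGE retry a caller needs when the scratch buffer is too small; the function name resolve_ipv4 and the numeric test address are my own.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve NAME to its first IPv4 address and write it as dotted-quad text
 * into OUT (OUTLEN bytes).  Returns 0 on success, -1 if the name does not
 * resolve to an IPv4 address, -2 on allocation failure.
 *
 * This uses the Linux/glibc six-argument gethostbyname_r():
 *   int gethostbyname_r(name, &he, buf, buflen, &res, &herr)
 * It returns 0 on success (with RES pointing at HE) and a positive errno
 * value on failure; ERANGE means BUF was too small for the aliases and
 * address list, so the caller grows the buffer and retries.  HERR takes
 * the role of the non-reentrant h_errno. */
int resolve_ipv4(const char *name, char *out, size_t outlen)
{
    struct hostent he;          /* caller-owned result storage */
    struct hostent *res = NULL; /* set by glibc on success, NULL otherwise */
    int herr = 0;               /* h_errno replacement for this call */
    size_t buflen = 1024;       /* deliberately small to exercise ERANGE */
    char *buf = malloc(buflen);
    if (buf == NULL)
        return -2;

    for (;;) {
        int rc = gethostbyname_r(name, &he, buf, buflen, &res, &herr);
        if (rc == ERANGE) {
            /* scratch buffer too small: double it and retry the lookup */
            char *nbuf;
            buflen *= 2;
            nbuf = realloc(buf, buflen);
            if (nbuf == NULL) {
                free(buf);
                return -2;
            }
            buf = nbuf;
            continue;
        }
        /* any other non-zero rc, or a NULL result, is a failed lookup */
        if (rc != 0 || res == NULL || res->h_addrtype != AF_INET ||
            res->h_addr_list == NULL || res->h_addr_list[0] == NULL) {
            free(buf);
            return -1;
        }
        break;
    }

    /* h_addr_list[0] is the raw 4-byte address; render it as text */
    if (inet_ntop(AF_INET, res->h_addr_list[0], out, (socklen_t)outlen) == NULL) {
        free(buf);
        return -1;
    }
    free(buf);
    return 0;
}

int main(void)
{
    char addr[INET_ADDRSTRLEN];
    /* A numeric address is handled by libc itself without consulting DNS,
     * so this demonstration runs offline. */
    if (resolve_ipv4("127.0.0.1", addr, sizeof addr) == 0)
        printf("127.0.0.1 -> %s\n", addr);
    else
        printf("lookup failed\n");
    return 0;
}
```

Two details matter in practice: the result pointer, not the return code alone, tells you whether a hostent was produced, and the buffer holds everything the hostent points to, so it must outlive every use of the result (here it is freed only after inet_ntop has copied the address out).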
Re: Exec-Program-Wait Response
Hello again!

My question is not about useful features, but about a bug in the program.

again: in doc/README we see:
--
For backwards compatibility, if the output doesn't look like valid radius
A/V pairs, the output is taken as a message and added to the reply sent
to the NAS as Port-Message.
--

It does not work :(

Sincerely,
Mike.
Exec-Program-Wait Response
Hello!

Today I updated my radiusd (01/09/18) to the latest snapshot. It's a good feature to use Exec-Program-Wait output as an additional AV-pair or as Reply-Message. The AV-pair is transmitted ok. Reply-Message is not.

in doc/README:
--
For backwards compatibility, if the output doesn't look like valid radius
A/V pairs, the output is taken as a message and added to the reply sent
to the NAS as Port-Message.
--

What happens in practice:
--
Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x:1749, id=248, length=162
        User-Name = "mmike"
        Password = "\0240\242\351>\320i\034\027\257\315\035}\233\274\257"
        NAS-IP-Address = x.x.x.x
        NAS-Port = 20109
        NAS-Port-Type = Async
        Service-Type = Login-User
        Calling-Station-Id = ""
        Ascend-Calling-Id-Type-Of-Num = Unknown
        Ascend-Calling-Id-Number-Plan = ISDN-Telephony
        Ascend-Calling-Id-Presentatn = Allowed
        Ascend-Calling-Id-Screening = User-Not-Screened
        Acct-Session-Id = "367234457"
        Ascend-Data-Rate = 33600
        Ascend-Xmit-Rate = 31200
Exec-Program: /etc/ppp/radauth
Exec-Program-Wait: value-pairs: Limit exceeded
Exec-Program: returned: 1
Login incorrect (external check failed): [mmike] (from nas local port 20109 cli )
Sending Access-Reject of id 248 to x.x.x.x:1749
        Reply-Message = "\r\nAccess denied (external check failed)."
--

i.e.

Exec-Program: /etc/ppp/radauth
Exec-Program-Wait: value-pairs: Limit exceeded   <-+
Exec-Program: returned: 1                          |  my NAS had to receive this string as Reply-Message,
                                                   +  but it got Reply-Message = "\r\nAccess denied (external check failed)." instead

The bug is near userparse().

old (v0.2) code:
---
...
        do {
                previous_token = last_token;
                if ((vp = pairread(&p, &last_token)) == NULL) {
                        return -1;
                }
                pairadd(first_pair, vp);
...
---

new one:
---
...
        do {
                previous_token = last_token;
                if ((vp = pairread(&p, &last_token)) == NULL) {
                        return T_INVALID;
                }
                pairadd(first_pair, vp);
        } while (*p && (last_token == T_COMMA));
...
---

The difference is: 'return -1;' and 'return T_INVALID;'
T_INVALID is declared as 'T_INVALID = 0,' in src/include/token.h

in the radius_exec_program() fragment:

        vp = NULL;
        n = userparse(answer, &vp);
        if (vp) pairfree(&vp);
        if (n < 0) {
                radlog(L_DBG, "Exec-Program-Wait: plaintext: %s", answer);

- '(n < 0)' is always FALSE.

I think LRAD_TOKEN must be extended with a "-1" value.

I tried changing 'if (n < 0) {' in radius_exec_program() to 'if (n == T_INVALID)'. "AVP"-like responses become "Reply-Message". :(
I tried changing 'return T_INVALID;' to 'return -1' in 'userparse()' - it's not working well either (possible type mismatch).

Mike.
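The failure mode Mike describes, a parser that signals "not an A/V pair" with an enum member whose value is 0 while the caller tests for a negative number, is easy to reproduce in isolation. Below is an added C illustration, not FreeRADIUS code: the token enum is modelled on the T_INVALID = 0 convention quoted above, but the other member names (T_EOL, T_COMMA, T_OP_EQ) and the stand-in parser parse_avpairs are my own, and it only recognises the "Attr = value" / "Attr := value" shapes seen in this thread. It shows the buggy check never firing and the sentinel comparison that detects the plaintext case.

```c
#include <stdio.h>

/* Token type in the spirit of the LRAD_TOKEN enum quoted from token.h:
 * the failure sentinel T_INVALID is 0, so it is never negative. The other
 * member names are assumptions for this example, not the project's list. */
typedef enum {
    T_INVALID = 0,   /* input was not an attribute/value pair */
    T_EOL,           /* parsed to end of line: success */
    T_COMMA,         /* internal: another pair follows */
    T_OP_EQ          /* internal: "=" or ":=" seen */
} lrad_token_t;

static int is_name_char(int c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/* Stand-in for userparse(): accepts "Attr = value[, Attr2 := value2 ...]"
 * and returns T_EOL on success or T_INVALID if the text is not A/V pairs
 * (e.g. the script output "Limit exceeded" from the debug log). */
lrad_token_t parse_avpairs(const char *p)
{
    for (;;) {
        const char *start;
        while (*p == ' ' || *p == '\t') p++;
        start = p;
        while (is_name_char((unsigned char)*p)) p++;
        if (p == start) return T_INVALID;            /* no attribute name */
        while (*p == ' ' || *p == '\t') p++;
        if (*p == ':' && p[1] == '=') p += 2;        /* ":=" operator */
        else if (*p == '=') p++;                      /* "=" operator */
        else return T_INVALID;                        /* "Limit exceeded" stops here */
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '"') {                              /* quoted value */
            p++;
            while (*p && *p != '"') p++;
            if (*p != '"') return T_INVALID;          /* unterminated quote */
            p++;
        } else {                                      /* bare value */
            start = p;
            while (*p && *p != ',' && *p != ' ' && *p != '\t') p++;
            if (p == start) return T_INVALID;         /* empty value */
        }
        while (*p == ' ' || *p == '\t') p++;
        if (*p == ',') { p++; continue; }             /* more pairs follow */
        if (*p == '\0' || *p == '\n') return T_EOL;   /* clean end: success */
        return T_INVALID;                             /* trailing garbage */
    }
}

/* The check as in the quoted radius_exec_program() fragment: because the
 * parser's failure value is 0, "n < 0" can never be true, so plaintext
 * output is never recognised and never becomes Reply-Message. */
int is_plaintext_buggy(const char *answer)
{
    int n = (int)parse_avpairs(answer);
    return n < 0;
}

/* Compare against the sentinel the parser actually returns. */
int is_plaintext_fixed(const char *answer)
{
    return parse_avpairs(answer) == T_INVALID;
}

int main(void)
{
    const char *outputs[] = { "Limit exceeded", "Pool-Name = \"ippool-1\"" };
    for (int i = 0; i < 2; i++)
        printf("%-26s buggy=%d fixed=%d\n", outputs[i],
               is_plaintext_buggy(outputs[i]), is_plaintext_fixed(outputs[i]));
    return 0;
}
```

The general lesson is to test for the sentinel the callee documents, not for a sign the callee never produces; Mike's other suggestion, giving the enum an explicit negative failure member, works as well, but only if every caller is changed to agree with it.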
Re: '/usr/local/lib/rlm_* is not an ELF file' ERROR
Sorry, all works. I fixed it:

Auth-Type := System
instead of
Auth-Type := Local

But I still have errors:
radiusd: '/usr/local/lib/rlm_unix.a' is not an ELF file
:(

Thanks!

> When I try to authorize local user via system passwd file I get Auth-Reject
> packet. radius says:
> modcall: group authorize returns ok
> rad_check_password: Found auth-type Local
> auth: type Local
> auth: Failed to validate the user.
> user declared in /etc/raddb/users as:
> DEFAULT Auth-Type := Local
>         Service-Type = Framed-User,
>         Ascend-Assign-IP-Pool = 1,
>         Framed-Protocol = PPP,
>         Framed-MTU = 576
'/usr/local/lib/rlm_* is not an ELF file' ERROR
When I try to authorize a local user via the system passwd file I get an Auth-Reject packet. radius says:

modcall: group authorize returns ok
rad_check_password: Found auth-type Local
auth: type Local
auth: Failed to validate the user.

The user is declared in /etc/raddb/users as:

DEFAULT Auth-Type := Local
        Service-Type = Framed-User,
        Ascend-Assign-IP-Pool = 1,
        Framed-Protocol = PPP,
        Framed-MTU = 576

Whenever I run my freeradius, I have errors:

radiusd: '/usr/local/lib/rlm_unix.a' is not an ELF file
radiusd: '/usr/local/lib/rlm_preprocess.a' is not an ELF file
radiusd: '/usr/local/lib/rlm_realm.a' is not an ELF file
radiusd: '/usr/local/lib/rlm_files.a' is not an ELF file
radiusd: '/usr/local/lib/rlm_detail.a' is not an ELF file
radiusd: '/usr/local/lib/rlm_radutmp.a' is not an ELF file

Is it possible the "rlm_unix.a is not an ELF file" error is the cause of my failures?

Compiling was done after
./configure --sysconfdir=/etc --localstatedir=/var --with-threads=no

I have a 2.0.36 Linux box with gnulibc1 as the system library.

ar: supported targets: elf32-i386 a.out-i386-linux coff-i386 elf32-m68k coff-m68k ieee a.out-m68k-linux a.out-sunos-big elf32-sparc srec symbolsrec tekhex binary ihex trad-core

Thanks!
Mike.