RE: Access-Reject has no Reply-Message (2nd try)

2003-10-20 Thread Paul Hampson
 From: 野村 建
 Sent: Monday, 20 October 2003 6:35 PM

 I want my freeradius server to send an Access-Reject packet with Reply-Message
 in it, so that the NAS can alert the user when authentication fails. But it's not
 working so far.
 When authentication succeeds, my freeradius server sends an Access-Accept packet
 with Reply-Message in it. But when authentication fails, it sends an Access-Reject
 packet with no Reply-Message in it.

 So my question is why my freeradius doesn't include Reply-Message in the
 Access-Reject packet, and how can I fix this problem?

 ---users
 [EMAIL PROTECTED] Auth-Type := Local, User-Password == "secret"
         Service-Type = Framed-User,
         Framed-Protocol = PPP,
         Framed-IP-Address = 192.168.200.1,
         Framed-IP-Netmask = 255.255.255.0,
         Session-Timeout = 30,
         Reply-Message = "111",
         Reply-Message = "222",
         Reply-Message = "333",


As you've observed, this will only add a Reply-Message if the authentication
succeeds, in the same way as it will only give an IP address or Session-Timeout
if it succeeds.

As for how to send a Reply-Message on failure, I dunno off hand. :-)

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Access-Reject has no Reply-Message

2003-10-17 Thread 野村 建
I want my freeradius to send an Access-Reject packet with Reply-Message in it,
so that the NAS can alert the user in some fancy way when authentication fails.
But it's not working so far.
When authentication succeeds, my freeradius sends an Access-Accept packet
with Reply-Message in it, but this is not the way I want it to be.

According to the RFC, an Access-Reject packet MAY contain Reply-Message.
I have searched this ML, and found out that freeradius normally contains a
Reply-Message in the Access-Reject packet if Reply-Message is configured.

So my question is:
 Why doesn't my freeradius put Reply-Message into the Access-Reject packet, and
how can I fix this problem?

I have attached some logs below.
I really need help.
Any information would be greatly appreciated.


Regards,
Takeru

---
[version]
[EMAIL PROTECTED] raddb]# radiusd -v
radiusd: FreeRADIUS Version 0.5, for host i686-redhat-linux-gnu, built on Apr  4
 2002 at 04:33:11


[users]
[EMAIL PROTECTED] Auth-Type := Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.200.1,
        Framed-IP-Netmask = 255.255.255.0,
        Session-Timeout = 30,
        Reply-Message = "111",


[radiusd.conf]
[EMAIL PROTECTED] raddb]# more radiusd.conf
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##  http://www.freeradius.org/
##  $Id: radiusd.conf.in,v 1.87 2002/03/14 18:47:06 aland Exp $
##

#   The location of other config files and
#   logfiles are declared in this file
#
#   Also general configuration for modules can be done
#   in this file, it is exported through the API to
#   modules that ask for it.
#
#   The configuration variables defined here are of the form ${foo}
#   They are local to this file, and do not change from request to
#   request.
#
#   The per-request variables are of the form %{Attribute-Name}, and
#   are taken from the values of the attribute in the incoming
#   request.  See 'doc/variables.txt' for more information.

# Stuff from autoconf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#   ./configure --disable-shared
#   make
#   make install
#
libdir = /usr/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'nobody'.
#
#On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
#  NOTE that some kernels refuse to setgid(group)
#  when the value of (unsigned)group is above 6;
#  don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate user

Re: Access-Reject has no Reply-Message

2003-10-17 Thread Thor Spruyt
- Original Message - 
From: "野村 建" [EMAIL PROTECTED]
 I want my freeradius to send an Access-Reject packet with Reply-Message in
 it, so that the NAS can alert the user in some fancy way when authentication fails.
 But, it's not working so far.
 When authentication succeeds, my freeradius sends an Access-Accept packet
 with Reply-Message in it, but this is not the way I want it to be.

 According to the RFC, an Access-Reject packet MAY contain Reply-Message.
 I have searched this ML, and found out that freeradius normally contains a
 Reply-Message in the Access-Reject packet if Reply-Message is configured.

 So my question is:
  Why doesn't my freeradius put Reply-Message into the Access-Reject packet, and
 how can I fix this problem?

 I have attached some logs below.
 I really need help.
 Any information would be greatly appreciated.

I have sent a patch for this, but probably it wasn't accepted.
Maybe you know a better way to patch, so that it's accepted?

Here's my patch, which works fine for my needs:
--- src/main/auth.c.orig 2003-08-27 15:57:17.0 +0200
+++ src/main/auth.c 2003-08-27 16:02:34.0 +0200
@@ -805,15 +805,18 @@
 * had a non-zero exit status.
 */
if (umsg[0] == '\0') {
-user_msg = "\r\nAccess denied (external check failed).";
+/* Don't tell NAS that auth failed by external check */
+user_msg = NULL;
} else {
 user_msg = umsg[0];
}

request-reply-code = PW_AUTHENTICATION_REJECT;
-   tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
-
-   pairadd(request-reply-vps, tmp);
+   /* Only add reply-message when one is available */
+   if (user_msg != NULL) {
+tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
+pairadd(request-reply-vps, tmp);
+   }
rad_authlog("Login incorrect (external check failed)",
  request, 0);
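Review bot: this hunk changes a behaviour rather than fixing the bug the thread is about, and the comment should say so. It only touches the external-check reject path in auth.c: when the external program printed nothing, the old code sent "\r\nAccess denied (external check failed)." as the Reply-Message and the new code sends no Reply-Message at all, so a NAS that used to display that text now shows nothing. Nothing here affects the reported case, a Reply-Message configured in the users file going missing from an ordinary password-mismatch Access-Reject (the reject_delay bug discussed further down this page). The NULL guard around pairmake()/pairadd() is correct for the new NULL case; if the intent is to stop telling the NAS which backend failed, state that in the comment and consider making the default text configurable instead of deleting it.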



Thor.


Re: Access-Reject has no Reply-Message

2003-10-17 Thread Alan DeKok
野村 建 [EMAIL PROTECTED] wrote:
 According to RFC, Access-Reject packet MAY contain Reply-Message.
 I have searched this ML, and found out that freeradius normally contain
 Reply-Message in Access-Reject packet if Reply-Message is configured.

  Have you configured a Reply-Message?

 So my question is:
  Why my freeradius doesn't put Reply-Message into Access-Reject packet, and
 how can I fix this problem?
 
 I have attached some logs below.

  You attached 'radiusd.conf', not the output of 'radiusd -X', as
requested in the FAQ and README's.

  Alan DeKok.



Sending a access reject packets

2003-09-06 Thread Fastbyte
Hi,
how can I send an Access-Reject packet, or is there another possibility to 
disconnect a user without using RADIUS? Let's say with PHP; where can I find 
some example or tip, also in other programming languages?

--

---
Regards,
Sergio





RE: Sending a access reject packets

2003-09-06 Thread Paul Hampson
 From: Fastbyte
 Sent: Sunday, 7 September 2003 12:44 AM

 how can I send an Access-Reject packet, or is there another possibility to 
 disconnect a user without using RADIUS? Let's say with PHP; where can I find 
 some example or tip, also in other programming languages?

If you're talking about disconnecting currently-online users,
that's not a RADIUS thing, really. There _was_ a draft method of
telling a NAS to disconnect a user that uses the RADIUS protocol,
but it's not supported by FreeRADIUS directly, you'd have to build
the request and use radclient to send it to the NAS.

In short, it's NAS-specific, and outside RADIUS's area. The answers
will be in the documentation for your NAS.

--
=
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul TBBle Hampson
=




Re: Sending a access reject packets

2003-09-06 Thread Fastbyte
Hi Paul,

thanks for the quick answer, but my problem is the NAS, because I'm using a 
Belkin F5D7130-4 and I have seen that this AP doesn't do accounting.
So my idea was to parse the log file and then automatically generate a
RADIUS Access-Reject. But with this answer I'm really out of any fresh
ideas... Can you give some more pointers?

Sergio





RE: Sending a access reject packets

2003-09-06 Thread Paul Hampson
 From: Fastbyte
 Sent: Sunday, 7 September 2003 1:57 AM

 thanks for the quick answer, but my problem is the NAS, because I'm using a
 Belkin F5D7130-4 and I have seen that this AP doesn't do accounting.
 So my idea was to parse the log file and then automatically generate a
 RADIUS Access-Reject. But with this answer I'm really out of any fresh
 ideas... Can you give some more pointers?

A quick read of the Belkin website suggests that it's not possible.
In fact, RADIUS isn't actually mentioned at all in the product brief
or another review I read. The review mentioned a complete lack of
monitoring features for the device, so the best I can say is this
device is apparently ill-suited to any environment where you care
more than "These MACs are allowed, these are disallowed".

--
=
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul TBBle Hampson
=




Re: Sending a access reject packets

2003-09-06 Thread Fastbyte
Thanx,

then I must switch to Linksys or D-Link.

I want to stay with RADIUS EAP/TTLS-EAP-MD5, but the choice of low-cost
APs is very, very small.


Access-Reject problem.

2003-06-20 Thread Genoud Richard
Hi!
I use freeradius 0.8.1.
I've configured freeradius with a reject_delay of one second.
I send an Access-Request for a bad user with NTRadPing (time-out 15 sec,
only one attempt).

With ethereal, I get:
time 0: source 10.0.9.192 Access-Request id 7
and nothing else...
If I send another Access-Request:
time 20: source 10.0.9.192 Access-Request id 8
time 20: source 10.0.9.192 Access-Reject id 7
The Access-Reject corresponding to the 1st Access-Request is sent...

Weird, isn't it?
Is there something I missed?
Here's the log:
here's the log :
rad_recv: Access-Request packet from host 10.0.9.192:61007, id=7, length=44
Thread 5 assigned request 45
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do.  Sleeping until we see a request.
Thread 5 handling request 45, (8 handled so far)
User-Name = toto
User-Password = titi
modcall: entering group authorize
radius_xlat:  'toto'
rlm_sql (SQL1): sql_set_user escaped user --> 'toto'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'toto' ORDER BY id'
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Reserving sql socket id: 0
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radcheck WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'toto' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radreply WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (SQL1): Pairs do not match for user [toto]
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Released sql socket id: 0
  modcall[authorize]: module SQL1 returns notfound
  modcall[authorize]: module mschap returns notfound
modcall: group authorize returns notfound
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 45 for 1 seconds
Finished request 45
Going to the next request
Thread 5 waiting to be assigned a request

rad_recv: Access-Request packet from host 10.0.9.192:61008, id=8, length=44
Thread 1 assigned request 46
--- Walking the entire request list ---
Sending Access-Reject of id 7 to 10.0.9.192:61007
Cleaning up request 45 ID 7 with timestamp 3ef30d3c
Nothing to do.  Sleeping until we see a request.
Thread 1 handling request 46, (9 handled so far)
User-Name = toto
User-Password = titi
modcall: entering group authorize
radius_xlat:  'toto'
rlm_sql (SQL1): sql_set_user escaped user --> 'toto'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'toto' ORDER BY id'
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Reserving sql socket id: 0
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radcheck WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'toto' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radreply WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id

Re: Returning Proxy-State (or anything else) in Access-Reject situations.

2002-05-05 Thread Alan DeKok

Chris A. Kalin [EMAIL PROTECTED] wrote:
 OK, I'm dealing with a UUNet reseller who apparently requires me to return
 the Proxy-State attribute he sends me in either an Access-Accept or
 Access-Reject situation.  The Proxy-State attribute is returned just fine
 when the username and password works correctly (Access-Accept).  However,
 when the password is not correct for the username (Access-Reject), then
 _nothing_ beyond the Access-Reject is returned.  Not a Proxy-State, nothing.
 Did I miss something to make this happen or is UUNet asking for something
 unreasonable?

  If a Proxy-State is in a request packet, it MUST be returned in all
reply packets for that request.

 On a similar note, I've noticed that when I want to send a Reply-Message in
 an Access-Reject situation, the RADIUS server won't send it back, just like
 the above situation.

  Hmm... I'm seeing it being sent back in my local tests.

 UUNet won't play ball with me unless I can either prove to them that they're
 wrong (aka they don't really need me to do this) or I can send them back a
 Proxy-State response no matter what.  Can anyone help me out with this?

  The server SHOULD send back Proxy-State in reject messages.  If it's
not, then there's a bug.

  Testing it in debugging mode should let you see quickly if the
Proxy-State is being sent back.

 As an aside, I'm noticing an unbelievably long time before my postings hit
 the list, and every so often I'll see an old post of mine end up back on the
 list.  I know my mail server isn't re-sending them, is something going on
 with the list server?

  The list server was sitting on email for a week or so.  It looks
like it's now been fixed.

  Alan DeKok.




Re: Returning Proxy-State (or anything else) in Access-Reject situations.

2002-05-05 Thread Chris A. Kalin

Yup, that's what I've done for now, and it works perfectly.  Thanks
everyone!

Chris Kalin

- Original Message -
From: Franklin Trumpy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 05, 2002 11:49 AM
Subject: Re: Returning Proxy-State (or anything else) in Access-Reject
situations.


 I was in the exact same situation, both with FreeRADIUS and with an
 outside reseller.

 In radiusd.conf, under security {}, set reject_delay = 0, and you should
 find your problems solved. I think this was discussed as a bug on the list
 sometime last year.

 Franklin

 On Sun, 5 May 2002, Chris A. Kalin wrote:
 
  OK, I'm dealing with a UUNet reseller who apparently requires me to return
  the Proxy-State attribute he sends me in either an Access-Accept or
  Access-Reject situation.  The Proxy-State attribute is returned just fine
  when the username and password works correctly (Access-Accept).  However,
  when the password is not correct for the username (Access-Reject), then
  _nothing_ beyond the Access-Reject is returned.  Not a Proxy-State, nothing.
  Did I miss something to make this happen or is UUNet asking for something
  unreasonable?
 
  On a similar note, I've noticed that when I want to send a Reply-Message in
  an Access-Reject situation, the RADIUS server won't send it back, just like
  the above situation.

 --
 Franklin Trumpy, NFA, MNGS, GSc | Say not, I have found the truth,
 UNIX Systems Administrator  | but rather, I have found a truth.
 Lighthouse Communications   |
 [EMAIL PROTECTED] | Say not, I have found the path of the
soul.
 (515)244-1115   | Say rather, I have met the soul walking
 (888)953-3278   |   upon my path.
 http://www.lh.net   |
 | -Kahlil Gibran, _The Prophet_,
1923









Re: Access-Reject proxied without Reply-Message

2002-03-29 Thread Fduch the Pravking

On Thu, Mar 28, 2002 at 11:56:32PM -0500, Alan DeKok wrote:
 Fduch the Pravking [EMAIL PROTECTED] wrote:
  We have freeradius-0.5 doing only proxy.
  And the problem is:
  when radius receives Access-Reject packet from remote server,
  it proxies it back to the NAS without any attributes,
  Reply-Message in particular.
 
   Read the RFC's.  That's how RADIUS is *supposed* to work.

I've found nothing in RFC 2865 about any restrictions
for Access-Reject but this:

   If any condition is not met, the RADIUS server sends an Access-
   Reject response indicating that this user request is invalid.  If
   desired, the server MAY include a text message in the Access-Reject
   which MAY be displayed by the client to the user.  No other
   Attributes (except Proxy-State) are permitted in an Access-Reject.

So, Reply-Message MAY be present in Access-Reject,
and it is PRESENT in the packet from remote server,
but is not being sent back to NAS by this proxy radius.

Correct me if I wrong, please.

Here is a bug, I think, and it comes from delaying
the Access-Reject:

On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
 At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
 And what does "Delaying request 91752 for 1 seconds" mean?

 It's a throttling feature.  Some radius clients can cause what amounts
 to a DOS by repeatedly requesting authentication for failed users.  IE,
 user gets rejected, nas sends another request, user gets rejected, nas
 sends another request.  This was for a PPPoE/DSL authentication, so it
 was instantaneous.  A configurable delay before sending the Reject
 back to the NAS allows the server to effectively throttle the rate at
 which that type of NAS can hammer it with requests.  If you set it to
 zero, it disables the delay altogether.

 This is in the 'security' section of the 'radiusd.conf' file.

Sorry, Chris, I'm slightly blind :)

When I set reject_delay = 0 in the security section of radiusd.conf,
the same Access-Request packet shows the following:

% radtest sltest bad_passwd localhost:1645 3 testing123
Sending Access-Request of id 68 to 127.0.0.1:1645
User-Name = "sltest"
User-Password = "U\356~\271\354X\213bcV\301\032/V\\"
NAS-IP-Address = dyatel.antar.bryansk.ru
NAS-Port-Id = 3
rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=68, length=46
Reply-Message = "Authentication failure\r\n"

So, if the reject_delay = 0, radius sends the Reply-Message
in Access-Reject back to the NAS,
and if reject_delay = 1, does not.

Or, maybe it's a feature?


Thanks for your comments.

-- 
Fduch M. Pravking
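The RFC 2865 rule quoted above (an Access-Reject may carry Reply-Message and Proxy-State and nothing else) and the point made in the Proxy-State thread earlier on this page (a Proxy-State in the request MUST come back in every reply) can both be checked from the NAS side of the wire. What follows is an added example, not code from the thread and not FreeRADIUS code: a small RFC 2865 encoder/decoder in Python that builds a bad-password Access-Request like the radtest run above and then validates the server's reply, verifying the Response Authenticator under the shared secret, confirming Proxy-State is echoed, and flagging any attribute the RFC does not allow in a reject. The secret "testing123" and user "sltest" are taken from the radtest line above; the NAS address and the replies it checks are constructed locally to mimic the two cases in the thread (a reject carrying Reply-Message, and the bare reject seen with reject_delay = 1).

```python
"""Added example, not from the FreeRADIUS list posts or the FreeRADIUS source: a
minimal RFC 2865 encoder/decoder to see what a server really puts in an Access-Reject.
Secret, user name, NAS address and the replies below are constructed test data."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute type codes from RFC 2865.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
REPLY_MESSAGE, PROXY_STATE = 18, 33
# RFC 2865 section 4.3: nothing but Reply-Message and Proxy-State may appear in a reject.
REJECT_ALLOWED = {REPLY_MESSAGE, PROXY_STATE}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR block i with
    MD5(secret + previous ciphertext block); the first block is keyed by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident, secret, user, password, proxy_state=None, authenticator=None):
    """NAS side. A fixed authenticator is only for reproducible tests; otherwise use os.urandom."""
    authenticator = authenticator or os.urandom(16)
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(password, secret, authenticator)),
             (NAS_IP_ADDRESS, bytes([10, 0, 9, 192]))]      # constructed NAS address
    if proxy_state is not None:
        attrs.append((PROXY_STATE, proxy_state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, request: bytes, secret: bytes, attrs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def check_reject(request: bytes, response: bytes, secret: bytes):
    """NAS side. Returns (ok, problems, reply_messages) for a reply to `request`: the reply
    must authenticate under the shared secret, carry the request's identifier, echo
    Proxy-State unchanged and contain only what RFC 2865 permits in an Access-Reject."""
    if len(response) < 20:
        return False, ["short packet"], []
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False, ["length field does not match packet"], []
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(response[4:20], expected):
        # A forged or mis-keyed reply, not a protocol error; real clients drop it silently.
        return False, ["response authenticator or identifier does not match request"], []
    problems = []
    if code != ACCESS_REJECT:
        problems.append("code %d is not Access-Reject" % code)
    attrs = decode_attrs(response[20:])
    sent_state = [v for t, v in decode_attrs(request[20:]) if t == PROXY_STATE]
    if [v for t, v in attrs if t == PROXY_STATE] != sent_state:
        problems.append("Proxy-State not echoed unchanged")
    problems += ["attribute %d not permitted in Access-Reject" % t
                 for t, _ in attrs if t not in REJECT_ALLOWED]
    messages = [v.decode("latin-1") for t, v in attrs if t == REPLY_MESSAGE]
    return not problems, problems, messages


if __name__ == "__main__":
    secret = b"testing123"
    req = build_access_request(68, secret, b"sltest", b"bad_passwd", proxy_state=b"244")
    # A reject as it should look, and the bare reject the thread saw with reject_delay = 1.
    full = build_response(ACCESS_REJECT, req, secret,
                          [(REPLY_MESSAGE, b"Authentication failure\r\n"), (PROXY_STATE, b"244")])
    bare = build_response(ACCESS_REJECT, req, secret, [])
    for name, pkt in ("full", full), ("bare", bare):
        print(name, check_reject(req, pkt, secret))
```

Point it at a live server by sending `req` over UDP to port 1812 (or 1645 as in the radtest run above) and feeding the datagram that comes back to check_reject(); a reject that arrives with the Proxy-State missing is the symptom the UUNet reseller complained about, and an empty attribute list is the reject_delay behaviour.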




Re: Access-Reject proxied without Reply-Message

2002-03-29 Thread Fduch the Pravking

On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
 At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
 By the way, how can I say "any number of such attribute"
 for rlm_attr_filter?
 
 It should already do that.  It doesn't track state, so if you permit
 'Ascend-Data-Filter ~= .*' then it will allow through all attributes
 that match that rule.

It doesn't do that.
raddb/attrs:
DEFAULT
        Service-Type == Framed-User,
        Service-Type == Login-User,
        Login-Service == Telnet,
        Login-Service == Rlogin,
        Login-Service == TCP-Clear,
        Login-TCP-Port <= 65536,
        Framed-IP-Address =~ .*,
        Framed-IP-Netmask == 255.255.255.255,
        Framed-Protocol == PPP,
        Framed-Protocol == SLIP,
        Framed-Compression == Van-Jacobson-TCP-IP,
        Framed-MTU >= 576,
        Framed-Filter-ID =~ .*,
        Reply-Message =~ .*,
        Session-Timeout <= 28800,
        Idle-Timeout <= 600,
        Port-Limit <= 2,
        Cisco-AVPair =~ .*,
        Fall-Through = Yes

And here are logs:

rad_recv: Access-Request packet from host client:2893, id=244, length=64
Thread 1 assigned request 35
--- Walking the entire request list ---
Waking up in 4 seconds...
Thread 1 handling request 35, (5 handled so far)
User-Name = stricted-user@realm
User-Password = crypted password
NAS-IP-Address = NAS
NAS-Port-Id = 3
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module attr_filter returns noop
  modcall[authorize]: module files returns notfound
  rlm_realm: Proxying request from user register to realm realm
  modcall[authorize]: module suffix returns updated
modcall: group authorize returns updated
Sending Access-Request of id 13 to remote server
User-Name = stricted-user@realm
User-Password = crypted-password
NAS-IP-Address = NAS
NAS-Port-Id = 3
Proxy-State = 244
Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host remote server, id=13, length=1241
Thread 2 assigned request 35
Waking up in 4 seconds...
Thread 2 handling request 35, (5 handled so far)
User-Name = stricted-user@realm
User-Password = crypted password
NAS-IP-Address = NAS
Proxy-State = 0x323434
NAS-Identifier = NAS id
Service-Type = Framed-User
Framed-Protocol = PPP
Cisco-AVPair = ip:inacl#1=permit udp...
Cisco-AVPair = ip:inacl#2=permit udp...
Cisco-AVPair = ip:inacl#3=permit udp...
Cisco-AVPair = ip:inacl#4=permit udp...
Cisco-AVPair = ip:inacl#5=permit udp...
Cisco-AVPair = ip:inacl#6=permit udp...
Cisco-AVPair = ip:inacl#7=permit udp...
Cisco-AVPair = ip:inacl#8=permit tcp...
Cisco-AVPair = ip:inacl#9=permit tcp...
Cisco-AVPair = ip:inacl#10=deny ip any any
Cisco-AVPair = ip:outacl#1=permit udp...
Cisco-AVPair = ip:outacl#2=permit udp...
Cisco-AVPair = ip:outacl#3=permit udp...
Cisco-AVPair = ip:outacl#4=permit udp...
Cisco-AVPair = ip:outacl#5=permit udp...
Cisco-AVPair = ip:outacl#6=permit udp...
Cisco-AVPair = ip:outacl#7=permit udp...
Cisco-AVPair = ip:outacl#8=permit tcp...
Cisco-AVPair = ip:outacl#9=permit tcp...
Cisco-AVPair = ip:outacl#10=deny ip any any
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  attr_filter: Matched entry DEFAULT at line 84
  modcall[authorize]: module attr_filter returns updated
  modcall[authorize]: module files returns notfound
  modcall[authorize]: module suffix returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [stricted-user@realm] (from nas client port 0)
Sending Access-Accept of id 244 to client:2893
Service-Type = Framed-User
Framed-Protocol = PPP
Cisco-AVPair = ip:inacl#1=permit udp...
Finished request 35
Going to the next request


So, only the first Cisco-AVPair attribute is sent back to the NAS.
The only way I see is to add as many 'Cisco-AVPair =~ .*' lines
to raddb/attrs as it seems to be possible :(

Any comments or suggestions?

-- 
Fduch M. Pravking




Re: Access-Reject proxied without Reply-Message

2002-03-29 Thread Alan DeKok

Fduch the Pravking [EMAIL PROTECTED] wrote:
 So, if the reject_delay = 0, radius sends the Reply-Message
 in Access-Reject back to the NAS,
 and if reject_delay = 1, does not.

  That's a bug.  I would think that rad_respond(), in
src/main/radiusd.c is to blame.  It shouldn't clean up
request->reply->vps if request->reply->data is NULL.

  Alan DeKok.




Re: Access-Reject proxied without Reply-Message

2002-03-28 Thread Alan DeKok

Fduch the Pravking [EMAIL PROTECTED] wrote:
 We have freeradius-0.5 doing only proxy.
 And the problem is:
 when radius receives Access-Reject packet from remote server,
 it proxies it back to the NAS without any attributes,
 Reply-Message in particular.

  Read the RFC's.  That's how RADIUS is *supposed* to work.

  Alan DeKok.




Re: Access Reject response for Authentication Request is very slow on Freeradius 0.5

2002-03-19 Thread Alan DeKok

Sagara Wijetunga [EMAIL PROTECTED] wrote:
 I have observed with freeradius-0.5 that Access-Accept response takes about 
 17 milliseconds and Access-Reject response takes about 3500 milliseconds. 
 This type of long delay for Access-Reject response was not experienced with 
 freeradius-0.4.

  Please read the 'radiusd.conf' file distributed with 0.5.  It
includes new security features which help to prevent an attack from
disabling the server.  The main side effect is that by default,
authentication rejects are delayed for a configurable amount.

  Alan DeKok.




Access Reject response for Authentication Request is very slow on Freeradius 0.5

2002-03-19 Thread Sagara Wijetunga

I use Intel Pentium III based PC servers, Red Hat Linux 7.2, Linux Kernel: 
2.4.7-10custom, Portslave 2002-01-19, Freeradius 0.5 and MySQL 3.23.41. My 
modem is 3Com US Robotics 56K Faxmodem. I do not use any NAS or Digital RAS 
card.

I have observed with freeradius-0.5 that Access-Accept response takes about 
17 milliseconds and Access-Reject response takes about 3500 milliseconds. 
This type of long delay for Access-Reject response was not experienced with 
freeradius-0.4.




_
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Access Reject response for Authentication Request is very slow on Freeradius 0.5

2002-03-19 Thread Chris Parker

At 12:34 AM 3/20/2002 +0600, Sagara Wijetunga wrote:
I use Intel Pentium III based PC servers, Red Hat Linux 7.2, Linux Kernel: 
2.4.7-10custom, Portslave 2002-01-19, Freeradius 0.5 and MySQL 3.23.41. My 
modem is 3Com US Robotics 56K Faxmodem. I do not use any NAS or Digital 
RAS card.

I have observed with freeradius-0.5 that Access-Accept response takes 
about 17 milliseconds and Access-Reject response takes about 3500 
milliseconds. This type of long delay for Access-Reject response was not 
experienced with freeradius-0.4.

See the response just posted to this list earlier today.

FreeRADIUS 0.5 has a new configurable time delay to send rejects, to
prevent a runaway NAS from flooding the server with rejects.  You can
modify (or completely disable) this delay.

-Chris

--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Access Reject

2002-02-12 Thread Thomas Jalsovsky


Hello

I would like to send an Access-Reject packet to the NAS when the 
User-Name and User-Password fields match (successful auth.).
I want to do that with the DB, but I don't know what and where I have to put it.
Could anybody tell me?

I tried putting this in radgroupreply:
mygroup | Auth-Type | Reject

But it still returns Access-Accept and the sw in the NAS requires 
Access-Reject.

Thanks,
Thomas







Re: Access Reject

2002-02-07 Thread Thomas Jalsovsky



On Thu, 7 Feb 2002, Alan DeKok wrote:

 Thomas Jalsovsky [EMAIL PROTECTED] wrote:
  I would like to send an Access reject packet to NAS when the 
  User-Name and User-Password fields match (successfull auth.)
 
   Hmm... the server isn't really set up to do that now.
 
  But it still returns Access accept and the sw in the NAS requires Access 
  reject.
 
   Why does the NAS require and access reject when the username and
 password are OK?
 
   Alan DeKok.
 

The sw in the NAS does:
ISDN preauthentication - AAA with "phone number,reject"; if the auth failed, it means
the user can continue and the ISDN line should be picked up. If not, the ISDN
disconnect is applied (it is important for toll-free - 800 - numbers).
If "phoneno,reject" isn't in the database, the user can continue, and the 
script tries authentication by the phone number in this way:
AAA "phone number,accept"; if auth is successful, auth is done; if not, 
account and PIN are asked from the user

Thomas
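Both the users-file thread at the top of this page (reply items such as Reply-Message are attached only when authentication succeeds) and the attempt above to force a reject by putting Auth-Type in radgroupreply come down to the difference between check items and reply items. The block below is an added example, not code from the thread and not rlm_sql: a Python model over an in-memory sqlite3 copy of the radcheck, radreply, radgroupcheck, radgroupreply and usergroup tables whose queries appear in the debug log further up this page. It runs the same lookups (the user's own rows, then the rows of the user's groups, ordered by id) and shows that Auth-Type := Reject only takes effect as a check item, and that nothing from the reply tables reaches an Access-Reject. The user names, groups and passwords are constructed test data, and the decision logic is a simplification of what the real module and server do.

```python
"""Added example, not from the list thread or from rlm_sql: a sqlite3 model of how
check items (radcheck/radgroupcheck) and reply items (radreply/radgroupreply) feed the
accept/reject decision. Users, groups and passwords below are constructed test data."""
import hmac
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
"""

# Constructed rows. "mygroup" repeats the mistake from the thread (Auth-Type in the reply
# table); "blocked" puts the same attribute where check items live.
ROWS = [
    ("radcheck", "takeru", "User-Password", "==", "secret"),
    ("radreply", "takeru", "Reply-Message", "=", "111"),
    ("radreply", "takeru", "Session-Timeout", "=", "30"),
    ("radcheck", "thomas", "User-Password", "==", "secret"),
    ("usergroup", "thomas", "mygroup"),
    ("radgroupreply", "mygroup", "Auth-Type", ":=", "Reject"),
    ("radcheck", "phone-800", "User-Password", "==", "secret"),
    ("usergroup", "phone-800", "blocked"),
    ("radgroupcheck", "blocked", "Auth-Type", ":=", "Reject"),
]

USER_TABLES = {"radcheck", "radreply"}
GROUP_TABLES = {"radgroupcheck", "radgroupreply"}


def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, *values in ROWS:
        if table == "usergroup":
            db.execute("INSERT INTO usergroup (UserName, GroupName) VALUES (?, ?)", values)
        else:
            key = "GroupName" if table in GROUP_TABLES else "UserName"
            # Table and column names come from the fixed sets above, never from input.
            db.execute("INSERT INTO %s (%s, Attribute, op, Value) VALUES (?, ?, ?, ?)"
                       % (table, key), values)
    return db


def fetch_items(db, user, table, group_table):
    """Same shape as the queries in the debug log: the user's own rows, then the rows of
    every group the user belongs to, ordered by id. Bound parameters do the job that the
    "escaped user" step in the log does."""
    assert table in USER_TABLES and group_table in GROUP_TABLES
    rows = db.execute("SELECT Attribute, op, Value FROM %s WHERE UserName = ? ORDER BY id"
                      % table, (user,)).fetchall()
    rows += db.execute("SELECT g.Attribute, g.op, g.Value FROM %s g, usergroup u "
                       "WHERE u.UserName = ? AND u.GroupName = g.GroupName ORDER BY g.id"
                       % group_table, (user,)).fetchall()
    return rows


def authorize(db, user, password):
    """Return (reply_code, reply_attributes). Reply items are attached only to an
    Access-Accept, which is why a Reply-Message in radreply never shows up in a reject."""
    check = fetch_items(db, user, "radcheck", "radgroupcheck")
    if not check:                      # "notfound" in the log: no way to authenticate, reject
        return "Access-Reject", []
    if any(a == "Auth-Type" and v == "Reject" for a, _, v in check):
        return "Access-Reject", []
    wanted = next((v for a, op, v in check if a == "User-Password" and op == "=="), None)
    if wanted is None or not hmac.compare_digest(wanted.encode(), password.encode()):
        return "Access-Reject", []
    reply = fetch_items(db, user, "radreply", "radgroupreply")
    # Auth-Type in a reply table is just a stray attribute here: it never reaches the
    # decision above, and it is not something to hand to the NAS either.
    return "Access-Accept", [(a, v) for a, _, v in reply if a != "Auth-Type"]


if __name__ == "__main__":
    db = setup_db()
    for user, pw in ("takeru", "secret"), ("takeru", "wrong"), ("thomas", "secret"), ("phone-800", "secret"):
        print(user, pw, authorize(db, user, pw))
```

The "thomas" user gets an Access-Accept with an empty reply list, which is exactly the symptom reported above; moving the row to radgroupcheck, as done for "phone-800", is what produces the Access-Reject.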

