Re: Authentication process

2003-11-27 Thread kconnell
There is an open-source project called NoCatAuth which is a box that acts like a
"BlueSocket" appliance. It hijacks HTTP sessions and passes off the authentication to
a radius box.

I haven't yet tried the NoCatAuth solution, but I had done the above with a
BlueSocket box and a FreeRadius server.


Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: ZORBADELOS KONSTANTINOS <[EMAIL PROTECTED]>
Date: Thursday, November 27, 2003 3:42 am
Subject: Re: Authentication process

> At Wed, 26 Nov 2003 11:55:30 -0800 (PST),
> Mike Million wrote:
> > 
> Hi,
> I had a talk with a guy in my company that has experience setting up
> wireless stuff as I do not have any experience on that (I have a bit
> in the radius part). He told me that there are commercial solutions
> that offer the functionality you request, that is direct a user to a
> web page for AAA and engage a radius session. They are used in
> wireless environments and intercept the traffic before the outgoing
> router and enforce the policy you configure. Some solutions are
> Cisco BBSM, Nomadix USG, Nokia PO22.
> Without having any experience on that as I told you before, if I had
> to do such a project I would also try to find out if the
> functionality can be achieved using open source (free) software. We
> already have the radius part. I have seen a relevant article in linux
> journal
> http://www.linuxjournal.com/article.php?sid=6897
> (Linux Makes Wi-Fi Happen in New York City)
> 
> and also
> http://www-106.ibm.com/developerworks/library/l-wap.html?ca=dnt-429
> (Building a wireless access point on Linux)
> 
> I don't know if I helped at all but I also cc that to the list for
> archiving purposes.
> 
> > hello!
> >
> > Thanks a bunch.
> >
> > Apart from web form & executing a CGI script, is there any way
> > around? The accounting will have to be from the radius client in
> > the NAS.
> >
> > This is the problem that I am trying to solve.
> > When my users go to any of my locations (hotel, cafe etc) I want
> > to authenticate them and also time them. They will be initially
> > served a login page. I know there are lots of people doing this
> > already, like the guys who set up hotspots. When I go to a
> > Starbucks house, this T-Mobile login page comes up which then
> > authenticates me. I am looking for pretty much the same
> > functionality.
> >
> > I deeply appreciate your tips.
> >
> > Thanks again
> > Mike
> >
> > ZORBADELOS KONSTANTINOS <[EMAIL PROTECTED]> wrote:
> > At Tue, 25 Nov 2003 20:18:30 -0800 (PST),
> > Mike Million wrote:
> > > 
> > > I am a novice here, so my question may sound pretty silly.
> > >
> > > I am trying to authenticate users through an Orinoco AP-2500
> > > WAP using a username & a password. AP-2500 provides this "portal
> > > page" feature where you can redirect the users to a webpage (in an
> > > external webserver) for them to log in. So, once I have an
> > > external form with the sufficient fields I want, how will I pass
> > > that information (username, pass etc) to the radius server. I mean
> > > what is the format that I use. Are there any client APIs that I
> > > can call?
> > >
> > > Any help would be appreciated.
> > >
> > > Sincerely,
> > > Mike
> > > 
> > >
> > Your web form should generate a valid radius message
> > (access-request). Now if this form sends the message directly to
> > the radius server your script will be the radius client and should
> > therefore be declared in clients.conf (the IP of your web server,
> > that is). What about the accounting? Is this sent by the NAS
> > equipment?
> > Now if you need to create a cgi script or something like that that
> > generates radius messages you should look for Radius libraries
> > (modules) for your language of choice. The format of the message is
> > specified in the rfcs.
> > 
> > > 
> > > 
> > > 
> > ==
> > Kostas Zorbadelos
> > Currently at: Otenet IT Department 
> >  [EMAIL PROTECTED]
> > 
> > Out there in the darkness, out there in the night
> > out there in the starlight, one soul burns brighter
> > than a thousand suns.
> > 
> > 
> > 
> ==
>  Kostas Zorbadelos
>  Currently at: Otenet IT Department 
>   [EMAIL PROTECTED]
>  
>  Out there in the darkness, out there in the night
>  out there in the starlight, one soul burns brighter
>  than a thousand suns.
> 
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html




Re: Authentication process

2003-11-27 Thread ZORBADELOS KONSTANTINOS
At Wed, 26 Nov 2003 11:55:30 -0800 (PST),
Mike Million wrote:
> 
Hi,
I had a talk with a guy in my company that has experience setting up
wireless stuff as I do not have any experience on that (I have a bit
in the radius part). He told me that there are commercial solutions
that offer the functionality you request, that is direct a user to a
web page for AAA and engage a radius session. They are used in
wireless environments and intercept the traffic before the outgoing
router and enforce the policy you configure. Some solutions are
Cisco BBSM, Nomadix USG, Nokia PO22.
Without having any experience on that as I told you before, if I had
to do such a project I would also try to find out if the
functionality can be achieved using open source (free) software. We
already have the radius part. I have seen a relevant article in linux
journal
http://www.linuxjournal.com/article.php?sid=6897
(Linux Makes Wi-Fi Happen in New York City)

and also
http://www-106.ibm.com/developerworks/library/l-wap.html?ca=dnt-429
(Building a wireless access point on Linux)

I don't know if I helped at all but I also cc that to the list for
archiving purposes.

> hello!
>  
> Thanks a bunch. 
>  
> Apart from web form & executing a CGI script, is there any way around? The 
> accounting will have to be from the radius client in the NAS. 
>  
> This is the problem that I am trying to solve. 
> When my users go to any of my locations (hotel, cafe etc) I want to authenticate them 
> and also time them. They will be initially served a login page. I know there are 
> lots of people doing this already, like the guys who set up hotspots. When I go to a 
> starbucks house, this T-mobile login page comes up which then authenticates me. I am 
> looking for pretty much the same functionality. 
>  
> I deeply appreciate your tips.
>  
> Thanks again
> Mike
> 
> ZORBADELOS KONSTANTINOS <[EMAIL PROTECTED]> wrote:
> At Tue, 25 Nov 2003 20:18:30 -0800 (PST),
> Mike Million wrote:
> > 
> > I am a novice here, so my question may sound pretty silly.
> >
> > I am trying to authenticate users through an Orinoco AP-2500 WAP using a username
> > & a password. AP-2500 provides this "portal page" feature where you can redirect
> > the users to a webpage (in an external webserver) for them to log in. So, once I
> > have an external form with the sufficient fields I want, how will I pass that
> > information (username, pass etc) to the radius server. I mean what is the format
> > that I use. Are there any client APIs that I can call?
> > 
> > Any help would be appreciated.
> > 
> > Sincerely,
> > Mike
> > 
> >
> Your web form should generate a valid radius message
> (access-request). Now if this form sends the message directly to the radius
> server your script will be the radius client and should therefore be
> declared in clients.conf (the IP of your web server that is). What
> about the accounting? Is this sent by the NAS equipment?
> Now if you need to create a cgi script or something like that that
> generates radius messages you should look for Radius libraries
> (modules) for your language of choice. The format of the message is
> specified in the rfcs.
> 
> > 
> > 
> > 
> ==
> Kostas Zorbadelos
> Currently at: Otenet IT Department 
> mailto: [EMAIL PROTECTED]
> 
> Out there in the darkness, out there in the night
> out there in the starlight, one soul burns brighter
> than a thousand suns.
> 
> 
> 
==
  Kostas Zorbadelos
  Currently at: Otenet IT Department 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: Authentication process

2003-11-26 Thread ZORBADELOS KONSTANTINOS
At Tue, 25 Nov 2003 20:18:30 -0800 (PST),
Mike Million wrote:
> 
> I am a novice here, so my question may sound pretty silly.
>
> I am trying to authenticate users through an Orinoco AP-2500 WAP using a username &
> a password. AP-2500 provides this "portal page" feature where you can redirect the
> users to a webpage (in an external webserver) for them to log in. So, once I have
> an external form with the sufficient fields I want, how will I pass that information
> (username, pass etc) to the radius server. I mean what is the format that I use. Are
> there any client APIs that I can call?
>  
> Any help would be appreciated.
>  
> Sincerely,
> Mike
>  
>
Your web form should generate a valid radius message
(access-request). Now if this form sends the message directly to the radius
server your script will be the radius client and should therefore be
declared in clients.conf (the IP of your web server that is). What
about the accounting? Is this sent by the NAS equipment?
Now if you need to create a cgi script or something like that that
generates radius messages you should look for Radius libraries
(modules) for your language of choice. The format of the message is
specified in the rfcs.

> 
> 
> 
==
  Kostas Zorbadelos
  Currently at: Otenet IT Department 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: Authentication against /etc/shadow using ...

2003-11-18 Thread Alan DeKok
José Berenguer <[EMAIL PROTECTED]> wrote:
> We know that System authentication won't work for EAP-MD5. But, it's
> possible to make it using CHAP or PEAP?

  No.  See the FAQ.  It talks SPECIFICALLY about system authentication
and CHAP.

  Microsoft PEAP doesn't send clear-text passwords, so it's impossible
to use /etc/password for authentication.

  Alan DeKok.



RE: Authentication against /etc/shadow using ...

2003-11-18 Thread Guy Davies
 

> -Original Message-
> From: Artur Hecker [mailto:[EMAIL PROTECTED]
> Sent: 18 November 2003 15:49
> To: [EMAIL PROTECTED]
> Subject: Re: Authentication against /etc/shadow using ...
> 
> 
> salut
> 
> 
> > No, CHAP, and MS-CHAP (the inner authentication method used 
> with PEAP)
> > require clear text passwords.  Therefore, the shadow 
> password file is not
> > compatible with these methods.  This bit me to start with.
> 
> so, there is no PAP for PEAP?

Not if you use an MS client, which is the most convincing reason to do so.
;-)

Regards,

Guy

> > You could always try TTLS with SYSTEM as the inner 
> authentication mechanism?
> > Alan is a strong proponent of TTLS vs PEAP, and I have to 
> say that in a
> > purist sense, he's absolutely right.  Unfortunately, the 
> two largest players
> > in the market have used (two incompatible versions of) PEAP 
> :-(.  This means
> > that it is more trivial, particularly with Microsoft based 
> clients, to use
> > PEAP/MS-CHAPv2.
> 
> well, one thing is for sure: TTLS supports PAP as the inner 
> authentication method.
> 
> 
> ciao
> artur
> 
> 
> 




Re: Authentication against /etc/shadow using ...

2003-11-18 Thread Artur Hecker
salut


> No, CHAP, and MS-CHAP (the inner authentication method used with PEAP)
> require clear text passwords.  Therefore, the shadow password file is not
> compatible with these methods.  This bit me to start with.

so, there is no PAP for PEAP?


> You could always try TTLS with SYSTEM as the inner authentication mechanism?
> Alan is a strong proponent of TTLS vs PEAP, and I have to say that in a
> purist sense, he's absolutely right.  Unfortunately, the two largest players
> in the market have used (two incompatible versions of) PEAP :-(.  This means
> that it is more trivial, particularly with Microsoft based clients, to use
> PEAP/MS-CHAPv2.

well, one thing is for sure: TTLS supports PAP as the inner
authentication method.

ciao
artur




RE: Authentication against /etc/shadow using ...

2003-11-18 Thread Guy Davies
 

No, CHAP, and MS-CHAP (the inner authentication method used with PEAP)
require clear text passwords.  Therefore, the shadow password file is not
compatible with these methods.  This bit me to start with.

You could always try TTLS with SYSTEM as the inner authentication mechanism?
Alan is a strong proponent of TTLS vs PEAP, and I have to say that in a
purist sense, he's absolutely right.  Unfortunately, the two largest players
in the market have used (two incompatible versions of) PEAP :-(.  This means
that it is more trivial, particularly with Microsoft based clients, to use
PEAP/MS-CHAPv2.

Regards,

Guy

> -Original Message-
> From: José Berenguer [mailto:[EMAIL PROTECTED]
> Sent: 18 November 2003 12:56
> To: [EMAIL PROTECTED]
> Subject: Authentication against /etc/shadow using ...
> 
> 
> 
> We are trying to authenticate users with FreeRadius 0.9.2 against
> the /etc/shadow file in a solaris system.
> 
> We know that System authentication won't work for 
> EAP-MD5. But, it's
> possible to make it using CHAP or PEAP?
> 
> Thanks!
> 
> **
>   José Berenguer Giménez
>  Área de Comunicaciones-Servicio de Informática
>   UNIVERSIDAD DE ALMERÍA
>Crta. de Sacramento s/n, 04120 - Almería
>Tlf.: 950014014 E-mail: [EMAIL PROTECTED]
> **
> 
> 




Re: Re: Authentication problem

2003-10-29 Thread Ulrich Walcher
Am Mit, 2003-10-29 um 09.55 schrieb Remesh:
> hai ,
> 
> in my case when i am dialing  we can see the following entry when we run tcpdump udp
> 
> 16:29:59.071115 164.100.96.13.datametrics > mp9.radius:  rad-access-req 66 [id 1] 
> Attr[  NAS_ipaddr{164.100.96.13} NAS_port{7} NAS_port_type{Sync} User{nitpubpl} 
> [|radius]
> 
> 
> no entries in logs especially. 'Ready to process requests' is showing in radius.log.
> 
> please help me
> 
> Remesh

run radiusd -X
All logs will be shown on the screen...
Uli

> 
> On Wed, 29 Oct 2003 Ulrich Walcher wrote :
> >Am Mit, 2003-10-29 um 07.57 schrieb Remesh:
> > > hai friends,
> > >
> > > I have installed free radius and radtest commands working fine locally.
> > > The OS used is RedHat 8.0 . But When i am trying this command from other 
> > > servers, it is not responding. Also when i am dialing, i am getting 
> > > authentication failed message.
> > >
> >[...]
> >Please post the logs.
> >Uli
> >
> >
> 
> 
> Remesh Babu. T




Re: Re: Authentication problem

2003-10-29 Thread Remesh
hai ,

in my case when i am dialing  we can see the following entry when we run tcpdump udp

16:29:59.071115 164.100.96.13.datametrics > mp9.radius:  rad-access-req 66 [id 1] 
Attr[  NAS_ipaddr{164.100.96.13} NAS_port{7} NAS_port_type{Sync} User{nitpubpl} 
[|radius]


no entries in logs especially. 'Ready to process requests' is showing in radius.log.

please help me

Remesh

On Wed, 29 Oct 2003 Ulrich Walcher wrote :
>Am Mit, 2003-10-29 um 07.57 schrieb Remesh:
> > hai friends,
> >
> > I have installed free radius and radtest commands working fine locally.
> > The OS used is RedHat 8.0 . But When i am trying this command from other servers, 
> > it is not responding. Also when i am dialing, i am getting authentication failed 
> > message.
> >
>[...]
>Please post the logs.
>Uli
>
>


Remesh Babu. T


Re: Authentication problem

2003-10-29 Thread Ulrich Walcher
Am Mit, 2003-10-29 um 07.57 schrieb Remesh:
> hai friends,
> 
> I have installed free radius and radtest commands working fine locally.
> The OS used is RedHat 8.0 . But When i am trying this command from other servers, it 
> is not responding. Also when i am dialing, i am getting authentication failed 
> message.
> 
[...]
Please post the logs.
Uli




Re: Authentication with FreeRadius and /etc/shadow

2003-10-22 Thread Alan DeKok
José Berenguer <[EMAIL PROTECTED]> wrote:
> I can't read /etc/shadow. Password are encrypt.
> The error is (in debug mode):

  As you have discovered, you cannot use /etc/passwd to authenticate
EAP sessions.

  EAP *requires* a plain-text password.  /etc/passwd does not supply
one.

  Alan DeKok.



Re: Authentication with FreeRadius and /etc/shadow

2003-10-22 Thread José Berenguer
Hello, now in debug mode:
HASH:  Stored 1905 entries from /etc/passwd.radius
HASH:  Stored 107 entries from /etc/group.radius
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "chap"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile =
"/usr/local/etc/raddb/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded passwd
 passwd: filename = "/etc/shadow.radius"
 passwd: format = "*User-Name:Password:::"
 passwd: authtype = "System"
 passwd: delimiter = ":"
passwd: ignorenislike = no
 passwd: allowmultiplekeys = no
passwd: hashsize = 3000
rlm_passwd: nfields: 9 keyfield 0(User-Name) listable: no
Module: Instantiated passwd (etc_shadow)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile =
"/usr/local/etc/raddb/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/etc/raddb/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address 150.214.156.2, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.


I can't read /etc/shadow. Password are encrypt.
The error is (in debug mode):

   rad_recv: Access-Request packet from host 10.0.120.11:2049, id=133, length=104
User-Name = "jose"
NAS-Port = 101
NAS-Port-Type = Ethernet
NAS-IP-Address = 10.0.120.11
Service-Type = Framed-User
Framed-MTU = 1024
Calling-Station-Id = "00-4F-4E-06-84-2D"
EAP-Message = 0x02010009016a6f7365
Message-Authenticator = 0x07be8f6cb6064cc05029d8dd9e900693
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/usr/local/etc/raddb/radacct/10.0.120.11/auth-detail-20031022'
rlm_detail: /usr/local/etc/raddb/radacct/%{Client-IP-Address}/auth-detail-%Y%m%2
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_eap: EAP packet type notification id 1 length 9
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 0
rlm_realm: No '@' in User-Name = "jose", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 152
users: Matched DEFAULT at 174
  modcall[authorize]: module "files" returns ok for request 0
rlm_passwd: Added Password: 'YLp6TAFQQQ6Ek' to config_items
rlm_passwd: Adding Auth-Type: System
  modcall[authorize]: module "etc_shadow" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
  rad_check_password:  Found Auth-Type System
Warning:  Found 2 auth-types on request for user 'jose'
auth: type "System"
modcall: entering group authenticate for request 0
rlm_unix: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "unix" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [jose/] (from client prueba port 1)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 133 to 10.0.120.11:2049
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 133 with timestamp 3f9639b9
Nothing to do.  Sleeping until we see a request.



RADIUSD.CONF:
..
 user = root
group = shadow
..
modules {
  ..
 chap {

RE: Authentication based on interface?

2003-10-21 Thread Alan Litster
> I was thinking about checking the interface, but the it appears only when
> NAS-Port-Type=ISDN:
> Vendor-Specific = "V9:T1:L24:interface=Serial0/0:30"
> NAS-Port-Type = ISDN   ^^^
> NAS-Port = 20030
Have you ran FreeRADIUS in debug mode (radiusd -X) and done a capture of all
the attributes the router sends for the various protocols? A dump of that
may be useful

> When someone calls from PSTN it doesnt report any Vendor-Specific, but
> just Async and a port number:
> Cisco-AVPair = "interface=Async92"
> NAS-Port-Type = Async
> NAS-Port = 92
> (Sometimes instead of "NAS-Port = 92" I get "NAS-Port = 1312686172",why?!)
Did you have a look at the link to cisco's web site I sent? Look for 'aaa
nas-port extended'

> Since I dont get the interface (Serialx/y) info every time, the only way
> is to check if the NAS-Port is between a specific range if I get it right.
>
> Something like that perhaps?
> insert into radgroupcheck values('0','group1','NAS-Port','65-94',':=')
> insert into radgroupcheck values('0','group2','NAS-Port','97-128',':=')
>  ...  .... 
> ,'20001-20030' (for ISDN)
> supposing that Serial0/0 has ports 65-94, and Serial1/0 97-128.
>
> I'm not very familiar with sql syntax, so I'd appreciate some help on
> that...
Close, here's an example

INSERT INTO radcheck VALUES (1,'user1','Password',':=','testing123');
INSERT INTO radcheck VALUES
(2,'user2','User-Password',':=','VRs1vR06MAQ2M');

INSERT INTO radgroupcheck VALUES (1,'group1','Auth-Type',':=','Local');
INSERT INTO radgroupcheck VALUES (2,'group2','Auth-Type',':=','PAP');
INSERT INTO radgroupcheck VALUES (3,'group1','NAS-Port','==','65-94');
INSERT INTO radgroupcheck VALUES (4,'group2','NAS-Port','==','97-128');

INSERT INTO usergroup VALUES (1,'user1','group1');
INSERT INTO usergroup VALUES (2,'user2','group2');

the password for 'user2' is stored using the SQL ENCRYPT function, they're
both authenticated against the SQL database.

If you haven't done so already, you may be able to get more information by
enabling the extended NAS-Port attribute.

See also the Cisco doc on RADIUS attributes, for NAS-Port:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/ad.htm#1173

The easy part is locking users down by groups, the harder part is
determining the best way to lock those groups down by interface. It solely
depends on the information that the router presents via radius.


---
This email, and any files transmitted with it, is copyright and may contain 
confidential information.
The contents are intended for the use of the addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco Electronics 
Limited.
Nothing in this mail shall bind Telco Electronics Limited in any contract or 
obligation.

Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY

Tel 07000 701999
Fax 07000 701777



RE: Authentication based on interface?

2003-10-21 Thread Anastasios Sotiropoulos
> You forgot to mention how your radius server is configured, using the system
> password file, sql, LDAP?

I am using mysql.

> Either way though, as a general solution you should be able to separate the
> two by adding NAS-Port and group as check conditions to the users file.
> You'll need one for each interface.

I was thinking about checking the interface, but the it appears only when
NAS-Port-Type=ISDN:
Vendor-Specific = "V9:T1:L24:interface=Serial0/0:30"
NAS-Port-Type = ISDN   ^^^
NAS-Port = 20030

When someone calls from PSTN it doesnt report any Vendor-Specific, but
just Async and a port number:
Cisco-AVPair = "interface=Async92"
NAS-Port-Type = Async
NAS-Port = 92
(Sometimes instead of "NAS-Port = 92" I get "NAS-Port = 1312686172",why?!)

Since I dont get the interface (Serialx/y) info every time, the only way
is to check if the NAS-Port is between a specific range if I get it right.

Something like that perhaps?
insert into radgroupcheck values('0','group1','NAS-Port','65-94',':=')
insert into radgroupcheck values('0','group2','NAS-Port','97-128',':=')
 ...  ....  ,'20001-20030' (for ISDN)
supposing that Serial0/0 has ports 65-94, and Serial1/0 97-128.

I'm not very familiar with sql syntax, so I'd appreciate some help on
that...




RE: Authentication based on interface?

2003-10-21 Thread Alan Litster

You forgot to mention how your radius server is configured, using the system
password file, sql, LDAP?

Either way though, as a general solution you should be able to separate the
two by adding NAS-Port and group as check conditions to the users file.
You'll need one for each interface.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm#xtocid182648
See also the cisco doc that comes with freeradius.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Anastasios
> Sotiropoulos
> Sent: 21 October 2003 01:49
> To: [EMAIL PROTECTED]
> Subject: Authentication based on interface?
>
>
>
> I have a cicso 3600 with 2 physical interfaces (2 ISDN PRIs) and want
> to make 2 usergroups with separate access to them (ex. group1 can login
> only from Serial0/0, and group2 -> Serial1/0). How could that be done?
>
>





Re: Authentication with FreeRadius and /etc/shadow

2003-10-20 Thread Alan DeKok
José Berenguer <[EMAIL PROTECTED]> wrote:
> We are trying to authenticate users with FreeRadius 0.9.2 against
> the /etc/shadow file in a Solaris system, but we always get an error
> like this:
> 
> Info: Ready to process requests.
> Info: rlm_eap_md5: Issuing Challenge
> Auth: Login OK: [jose/]
> Info: rlm_eap_md5: No password configured for this user
> Auth: Login incorrect: [jose/]

  System authentication will NEVER work for EAP-MD5.  It's CHAP.  See
the FAQ.

  Alan DeKok.

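Alan's answer here, the same answer in the later "Authentication against /etc/shadow" thread above, and the "No password configured for this user" line in José's debug trace all come down to one piece of arithmetic: the CHAP response (and EAP-MD5, which is CHAP carried inside EAP) is MD5(Identifier || password || Challenge), so the server has to hold the password itself, while PAP hands the server a cleartext it can re-hash and compare against a crypt(3) entry. The following is an added example, not code from the list or from FreeRADIUS. It builds a constructed credential store with both kinds of entry (cleartext, and a salted one-way hash standing in for an /etc/shadow field; the salted SHA-256 is a stand-in, not the crypt(3) format) and an authenticate() routine that shows which method can be decided against which store. The users, passwords, salt and challenge are constructed for the demo.

```python
"""Added example: which password stores can serve PAP vs CHAP/EAP-MD5.
The 'shadow' entries are a constructed stand-in (salted SHA-256) for crypt(3)
hashes; the property that matters is the same: the plaintext cannot be recovered."""
import hashlib
import hmac


def shadow_entry(password, salt):
    """Constructed stand-in for an /etc/shadow field: (salt, one-way hash)."""
    return salt, hashlib.sha256(salt + password).digest()


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP, and EAP-MD5 (RFC 3748 s5.4), which is CHAP carried in EAP:
    Response = MD5(Identifier || secret || Challenge). The peer hashes its PLAINTEXT."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class PasswordStore:
    """Two ways a RADIUS server may hold a credential: cleartext (a users-file
    'User-Password := ...' entry) or one-way hashed (System auth via /etc/shadow)."""

    def __init__(self):
        self.plaintext = {}   # user -> password bytes
        self.hashed = {}      # user -> (salt, digest)

    def add_plaintext(self, user, password):
        self.plaintext[user] = password

    def add_shadow(self, user, password, salt):
        self.hashed[user] = shadow_entry(password, salt)


def authenticate(store, user, method, **cred):
    """Return 'accept', 'reject' or 'no-usable-credential'.
    method='pap'  needs cred['password'] (the cleartext the NAS relayed).
    method='chap' needs cred['ident'], cred['challenge'], cred['response']."""
    if method == "pap":
        candidate = cred["password"]
        if user in store.plaintext:
            ok = hmac.compare_digest(store.plaintext[user], candidate)
        elif user in store.hashed:
            # PAP delivered the cleartext, so the server can re-hash and compare:
            # this is the only method an /etc/shadow-style store can back.
            salt, digest = store.hashed[user]
            ok = hmac.compare_digest(hashlib.sha256(salt + candidate).digest(), digest)
        else:
            return "no-usable-credential"
        return "accept" if ok else "reject"

    if method == "chap":
        if user in store.plaintext:
            expected = chap_response(cred["ident"], store.plaintext[user], cred["challenge"])
            return "accept" if hmac.compare_digest(expected, cred["response"]) else "reject"
        # A hashed entry gives the server nothing to put into MD5(id || password || chal):
        # the hash is not the password and cannot be inverted. This is the case
        # FreeRADIUS logs as "No password configured for this user" and rejects.
        # MS-CHAP is in the same position (it needs the cleartext or the NT hash,
        # neither of which a crypt(3) hash can supply).
        return "no-usable-credential"

    raise ValueError("unknown method %r" % method)


if __name__ == "__main__":
    store = PasswordStore()                                  # constructed users
    store.add_plaintext("alice", b"cleartext-on-file")
    store.add_shadow("jose", b"only-hash-on-file", b"NaCl")
    chal = bytes(range(16))                                  # constructed challenge
    print(authenticate(store, "jose", "pap", password=b"only-hash-on-file"))    # accept
    print(authenticate(store, "alice", "chap", ident=1, challenge=chal,
                       response=chap_response(1, b"cleartext-on-file", chal))) # accept
    print(authenticate(store, "jose", "chap", ident=1, challenge=chal,
                       response=chap_response(1, b"only-hash-on-file", chal))) # no-usable-credential
```

The third call is the situation in the thread: the peer computed a perfectly good EAP-MD5 response, but the server only has a one-way hash, so the result is "cannot decide", not "wrong password". The way out is the one the list suggests: either store cleartext (or NT hashes for MS-CHAP) for users who must use CHAP/EAP-MD5/PEAP, or pick an outer method whose inner method is PAP (TTLS/PAP), which can be checked against /etc/shadow.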


Re: Authentication request hacking

2003-08-18 Thread Alan DeKok
"Hans Jorgensen" <[EMAIL PROTECTED]> wrote:
> I am trying to implement my own request type, with its own request number 
> (100), queries etc.

  Huh?  Why?

> I have copied and based the code on auth.c, because I will like the users to 
> authenticate them selves, when sending the request.
> But the authentication does not work. If I change the request number to 1 
> (authentication request), the code works.

  That's because Access-Request is type 1, and it's the only type
allowed when authenticating users.

> Is the encryption algorithm using the request number when encrypting the 
> password?

  No.  But other portions of the packet are used.  See the RFC's.

  Alan DeKok.

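Two passages on this page ask for the same thing in working form: Kostas's advice further up that a CGI script acting as a RADIUS client must "generate a valid radius message (access-request)" in the format "specified in the rfcs", and Hans's question here about whether the password encoding depends on the request Code. The following is an added example, not code from the list or from FreeRADIUS, and it uses only the Python standard library. It builds an Access-Request (RFC 2865) with a hidden User-Password and a Message-Authenticator (RFC 2869 s5.14), then checks the packet the way a server would, and finally repeats the Code-100 experiment. The shared secret, username, password, NAS address and port are constructed values.

```python
"""Added example: a minimal RADIUS Access-Request client/server exchange
(RFC 2865, plus Message-Authenticator from RFC 2869) in pure Python.
All sample values are constructed for the demo, not taken from a real deployment."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1            # the only Code a server authenticates users with
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks; block 0 is XORed with
    MD5(secret + Request Authenticator), block i with MD5(secret + ciphertext i-1).
    Note what is NOT an input: the packet Code."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attr(atype, value):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(ident, secret, username, password, nas_ip, nas_port, authenticator=None):
    """What the CGI script (acting as the RADIUS client / NAS) sends to UDP/1812."""
    ra = authenticator if authenticator is not None else os.urandom(16)  # Request Authenticator
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, filled below
    length = 20 + len(attrs)
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, ident, length) + ra + attrs)
    # RFC 2869 s5.14: HMAC-MD5 over the whole packet (Code included) with the
    # Message-Authenticator value zeroed, keyed by the shared secret.
    pkt[length - 16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def parse(pkt):
    """Return (code, ident, request_authenticator, {type: value}, {type: value_offset})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length")
    attrs, offsets, off = {}, {}, 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = pkt[off + 2:off + alen]
        offsets[atype] = off + 2
        off += alen
    return code, ident, pkt[4:20], attrs, offsets


def server_accepts(pkt, secret, expected_password):
    """Server side: accept only Code 1, verify Message-Authenticator, unhide and compare."""
    code, _, ra, attrs, offsets = parse(pkt)
    if (code != ACCESS_REQUEST or ATTR_MESSAGE_AUTHENTICATOR not in attrs
            or ATTR_USER_PASSWORD not in attrs):
        return False
    o = offsets[ATTR_MESSAGE_AUTHENTICATOR]
    zeroed = pkt[:o] + b"\x00" * 16 + pkt[o + 16:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(),
                               attrs[ATTR_MESSAGE_AUTHENTICATOR]):
        return False
    return hmac.compare_digest(unhide_password(attrs[ATTR_USER_PASSWORD], secret, ra),
                               expected_password)


def with_code(pkt, new_code):
    """Rewrite only the Code byte, as the 'request type 100' experiment did."""
    return bytes([new_code]) + pkt[1:]


if __name__ == "__main__":
    SECRET = b"testing123"                                  # constructed shared secret
    req = build_access_request(7, SECRET, b"jose", b"hunter2xx", "10.0.120.11", 101)
    print("accepted:", server_accepts(req, SECRET, b"hunter2xx"))                         # True
    print("code 100 accepted:", server_accepts(with_code(req, 100), SECRET, b"hunter2xx"))  # False
```

Run with the Code rewritten to 100, unhide_password() still recovers the password, which is Alan's "No" to Hans: the hiding depends only on the shared secret and the Request Authenticator. The packet is still refused, because the Code is covered by the Message-Authenticator and a server only authenticates on Code 1; the remedy the thread gives is to carry custom data in a VSA inside an ordinary Access-Request. Two operational notes for a script built along these lines: the web server's address and this secret must be listed in the server's clients.conf, and the MD5-based hiding is not confidentiality in any modern sense, so the path between the web server and the RADIUS server has to be a trusted one.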


Re: Authentication problem

2003-08-16 Thread Juha Sievi-Korte
On Sat, 16 Aug 2003, apellido jr., wilfredo p wrote:

 Please do not post multiple times, it doesn't help you.

> The computer you are dialling cannot establish a
> Dial-up Networking connection
> Check you password, then try again. Then, when i try
> to look in the log there's no activity or message.

 What does the servers debug output say when you try to connect from
dial-up client? In my knowledge, your config seems to be fine, so does
the NAS even send any auth-requests to your radius?

--
Juha Sievi-Korte
"... Think about all the positive sides in life, they never last forever ..." (c) Sentenced
http://students.oamk.fi/~sijuma00
E-mail: [EMAIL PROTECTED]




Re: Authentication-Request

2003-08-14 Thread Alan DeKok
Kent Hansen <[EMAIL PROTECTED]> wrote:
> rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1024, id=0, 
> length=159
> Authentication-Request sent to a non-authentication port from client 
> rtest:1024 - ID 0 : IGNORED
...
> The wireless client tries to access the network with a username and
> password I have set up on the freeradius. What's wrong?

  You've configured the client to send Access-Requests to port 1813.
That's wrong.  Use 1812.

  Alan DeKok.



Re: Authentication request hacking

2003-08-14 Thread Artur Hecker

hmmm, if i understood you correctly, by authentication request you mean
the RADIUS Access-Request. in that case, what you do would be a
violation of the RFC. why don't you specify your authentication scheme
by using a VSA (or EAP-subtype) and specifying a module to handle it? it
would be much easier and your server would remain inter-functional.

except, there is a misunderstanding in what you say. Access-Requests are
not sent by users, they are sent by NASes. perhaps you should read
ftp://ftp.rfc-editor.org/in-notes/rfc2865.txt .

unless i'm completely misunderstanding what you are saying, you are
about to do something very ugly :-)


ciao
artur



Hans Jorgensen wrote:
> 
> Dear list.
> 
> I am trying to implement my own request type, with its own request number
> (100), queries etc.
> I have copied and based the code on auth.c, because I will like the users to
> authenticate them selves, when sending the request.
> But the authentication does not work. If I change the request number to 1
> (authentication request), the code works.
> This is the case with both CHAP-Password and User-Password.
> 
> Is the encryption algorithm using the request number when encrypting the
> password?
> 
> Thanks in advance.
> 
> Hans
> 

-- 
Artur Hecker
artur[at]hecker.info



Re: Authentication-Request

2003-08-14 Thread Chris Parker
At 07:02 PM 8/13/2003 +0200, Kent Hansen wrote:
Hi!

Get this error when my wireless client tries to join the Cisco 350/FreeRadius:

Error on freeradius:
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 
1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1024, id=0,
length=159
Authentication-Request sent to a non-authentication port from client
rtest:1024 - ID 0 : IGNORED
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1025, id=1,
length=159
Authentication-Request sent to a non-authentication port from client
rtest:1025 - ID 1 : IGNORED

The wireless client tries to access the network with a username and password I
have set up on the freeradius. What's wrong?
From reading the error messages above, it sounds like the server received
an authentication-request packet on a port other than 1812.
-Chris



Re: Authentication-Request

2003-08-14 Thread Artur Hecker
yes, why don't you change the port in the radius configuration of your 
AP 350? obviously it tries to connect to the port which your server uses 
for something else: probably a typo of yours. it should be (udp)1812 
unless you changed something.

ciao
artur
Kent Hansen wrote:

Hi!

Get this error when my wireless client tries to join the Cisco 350/FreeRadius:

Error on freeradius:
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1024, id=0, 
length=159
Authentication-Request sent to a non-authentication port from client 
rtest:1024 - ID 0 : IGNORED
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1025, id=1, 
length=159
Authentication-Request sent to a non-authentication port from client 
rtest:1025 - ID 1 : IGNORED

The wireless client tries to access the network with a username and password I 
have set up on the freeradius. What's wrong?

Kent







Re: Authentication, Authorization process

2003-08-14 Thread Dustin Doris
> Hello,
>
> In FreeRADIUS, authorization is done before authentication. Is that a
> proper sequence regarding the standard RADIUS concept?
>
> For example, when a user mistypes the password, FreeRADIUS still sends
> out the attributes to RADIUS client. Would that be an issue (ie,
> security, loading, ...)?

The only attribute it should send back to the client with a mistyped
password is auth-reject.

>
> Best Regards,
> Bush
>
>


Re: Authentication problems with EAP/TLS (and Enterasys)

2003-08-14 Thread Alan DeKok
Sevcik Berndt <[EMAIL PROTECTED]> wrote:
> I try to authenticate an XP Client via an Enterasys RoamaboutR2 Access
> Point with freeradius. But the client never gets authenticated.

  Does the server send a reject?

> Output from radius.log:
> ri Aug  8 10:52:28 2003 : Info: rlm_eap_tls:  Length Included
> Fri Aug  8 10:52:28 2003 : Error: TLS_accept:error in SSLv3 read client
> certificate A
> Fri Aug  8 10:52:28 2003 : Info: rlm_eap_tls: SSL_read Error
> Fri Aug  8 10:52:28 2003 : Error:  Error code is . 2
> Fri Aug  8 10:52:28 2003 : Error:  SSL Error . 2

  Those are recoverable errors.  The server continues sending EAP
packets, so they're not a problem.

  Alan DeKok.



Re: Authentication problems with EAP/TLS (and Enterasys)

2003-08-14 Thread diomedes
Hi,
Try to put in clients.conf, in the lines of the NAS the following attribute
nastype   = other
I had a similar problem and with that line all goes perfectly (or nearly).

Good luck

Another possibility is to try to authenticate with the same configuration but 
with another AP, if possible.

Regards.
Omar
Sevcik Berndt wrote:

I try to authenticate an XP Client via an Enterasys RoamaboutR2 Access
Point with freeradius. But the client never gets authenticated. My
problem is that I have no idea where I should search for the error. I used
the www.impossiblereflex.xom/8021x/eap-tls-HOWTO.htm Howto for setup.
Output from freeradius -X -A:
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.4.14:1205, id=253,
length=116
   Message-Authenticator = 0x78a9e48d042ad1f7109083edf2b3146d
   User-Name = "Sevcik Berndt"
   NAS-IP-Address = 10.0.4.14
   NAS-Port = 2
   NAS-Port-Type = Wireless-802.11
   Calling-Station-Id = "00-01-f4-ec-3d-7c"
   EAP-Message = 0x024400120153657663696b204265726e6474
   Framed-MTU = 1000
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
 rlm_eap: EAP packet type response id 68 length 18
 rlm_eap: EAP Start not found
 modcall[authorize]: module "eap" returns updated
   rlm_realm: No '@' in User-Name = "Sevcik Berndt", looking up realm
NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop
   users: Matched DEFAULT at 152
   users: Matched Sevcik Berndt at 216
 modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
 rlm_eap: EAP Identity
 rlm_eap: processing type tls
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module "eap" returns handled
modcall: group authenticate returns handled
Sending Access-Challenge of id 253 to 10.0.4.14:1205
   EAP-Message = 0x014500060d20
   Message-Authenticator = 0x
   State = 0x1c0ccba6d22ad97dab13096d340f0290
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.4.14:1205, id=254,
length=196
   Message-Authenticator = 0x31199cd93954566ea164f46ce86d6b59
   User-Name = "Sevcik Berndt"
   State = 0x1c0ccba6d22ad97dab13096d340f0290
   NAS-IP-Address = 10.0.4.14
   NAS-Port = 2
   NAS-Port-Type = Wireless-802.11
   Calling-Station-Id = "00-01-f4-ec-3d-7c"
   Framed-MTU = 1000
   EAP-Message =
0x024500500d8000461603010041013d03013f3371da3a9bab75032c2c86afd3288de5d42d63265b6afe930d235a87d1df9a1600040005000a000900640062000300060013001200630100
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
 rlm_eap: EAP packet type response id 69 length 80
 rlm_eap: EAP Start not found
 modcall[authorize]: module "eap" returns updated
   rlm_realm: No '@' in User-Name = "Sevcik Berndt", looking up realm
NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop
   users: Matched DEFAULT at 152
   users: Matched Sevcik Berndt at 216
 modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP_TYPE - tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
 eaptls_verify returned 11
undefined: before/accept initialization
TLS_accept: before/accept initialization
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 063c], Certificate
TLS_accept: SSLv3 write certificate A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a0], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is . 2
SSL Error . 2
In SSL Handshake Phase
In SSL Accept mode
 eaptls_process returned 13
 modcall[authenticate]: module "eap" returns handled
modcall: group authenticate returns handled
Sending Access-Challenge of id 254 to 10.0.4.14:1205
   EAP-Message =
0x0146040a0dc00735160301004a024603013f3371d4fe8d552850335d9175f699f43cd56559f163ff0b5ff946dacb6a1374206ca02c80ec917fa450bd683bec1717b4a30e22a02f22c4415966534ce01d79ab000400160301063c0b0006380006350002a8308202a43082020da003020102020101300d06092a864886f70d010104050030818e310b3009060355040613024154310f300d060355040813065669656e6e613121301f060355040a131854474d202d20536368756c652064657220546563686e696b31133011060355040b130a49542d53657276696365311830160

Re: Authentication problems with EAP/TLS (and Enterasys)

2003-08-10 Thread Sevcik Berndt
nastype = other has not worked. The situation is the same as before. I
also don't have the possibility to use another AP.

Berndt


On Fri, 2003-08-08 at 13:33, diomedes wrote:
> Hi,
> Try to put in clients.conf, in the lines of the NAS the following attribute
> nastype   = other
> 
> I had a similar problem and with that line all goes perfectly (or nearly).
> 
> Good luck
> 
> Another possibility is to try to authenticate with the same configuration but 
> with another AP, if possible.
> 
> Regards.
> Omar
> 
> 

RE: Authentication with user-password

2003-07-28 Thread Alex Chen



First, the names in the DB are all case sensitive. They are 'UserName', 'Attribute', 'op', and 'Value'. Not 'username', 'attribute', 'op', and 'value'.

Second, the name of the password field is either 'User-Password', which is the standard attribute defined in the RFC, or 'Crypt-Password', a server-side attribute. Look for these names in the 'dictionary' file.

'User-Password' is plain text and 'Crypt-Password' contains the encrypted password. The encryption method used is the 'crypt' function in Linux. See the 'cryptpasswd' Perl script under the scripts subdirectory.
 

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salvin Kumar
  Sent: Sunday, July 27, 2003 7:59 PM
  To: [EMAIL PROTECTED]
  Subject: Authentication with user-password

  Hi

  I am able to authenticate users from the database with the use of the password. And this is how my radcheck table looks:

  radius=# SELECT * from radcheck;
   id | username | attribute | op | value
  ----+----------+-----------+----+-------
    3 | trial    | password  | == | test
    1 | joe      | password  | == | eoj
    2 | salvin   | password  | == | sal
  (3 rows)

  Now I want to authenticate a user without the password.
  How is that possible.

  cheers


Re: Authentication with user-password

2003-07-27 Thread Oliver Graf
On Mon, Jul 28, 2003 at 02:58:36PM +1200, Salvin Kumar wrote:
> Hi
> 
> I am able to authenticate users from the database with the use of  the password. And 
> this is how my radcheck table looks:
> 
> radius=# SELECT * from radcheck;
>  id | username | attribute | op | value
> ----+----------+-----------+----+-------
>   3 | trial    | password  | == | test
>   1 | joe      | password  | == | eoj
>   2 | salvin   | password  | == | sal
> (3 rows)
> 
> Now I want to authenticate a user without the password.
> How is that possible.

Auth-Type := Accept




RE: Authentication Fails From Client Machine

2003-06-21 Thread Puneet B

> When I run tcpdump and then run NTRADPING from my 
> client machine, the server shows the requests for 
> authentication but I still get a no response from 
> server error. I'm sure there is something simple 
> I'm missing any suggestions?

What does the freeRadius logfile show? Is the IP address
of that client configured on your freeRadius installation?
There are some cases where the server can drop a request
(or rather 'MUST silently discard' as per the RFC) and not 
respond, but the logfile will have a note of that!
Puneet



Re: authentication failures after hours of operation

2003-05-31 Thread Alan DeKok
Oliver Graf <[EMAIL PROTECTED]> wrote:
> Yep, the PAP module is sort of useless. Don't forget to check rlm_unix
> which also does crypts. rlm_unix should work like rlm_sql: just fetch
> data, so that some other module (rlm_pap) can authenticate it. Or am I
> wrong?

  rlm_unix should ONLY do getpwent() and possibly crypt(), but not
necessarily crypt().

  All of its hacks as to caching /etc/passwd should go away, once we
verify that rlm_passwd does the same thing.

  Alan DeKok.



Re: authentication failures after hours of operation

2003-05-31 Thread Oliver Graf
On Fri, May 30, 2003 at 09:32:36AM -0400, Alan DeKok wrote:
> Oliver Graf <[EMAIL PROTECTED]> wrote:
> > Is this a good place for the mutex? Or is it better to have some init
> > function for the mutex which is called from threads.c?
> 
>   The best thing to do, as I said before, is to delete the calls to
> crypt() (and ALL authentication checks) from src/main/auth.c, and fix
> the code so that the PAP module works.
> 
>   That will allow the mutex to be in a logical place: the PAP module's
> data structure.

Yep, the PAP module is sort of useless. Don't forget to check rlm_unix
which also does crypts. rlm_unix should work like rlm_sql: just fetch
data, so that some other module (rlm_pap) can authenticate it. Or am I
wrong?

Oliver.



Re: authentication failures after hours of operation

2003-05-30 Thread Alan DeKok
Oliver Graf <[EMAIL PROTECTED]> wrote:
> Is this a good place for the mutex? Or is it better to have some init
> function for the mutex which is called from threads.c?

  The best thing to do, as I said before, is to delete the calls to
crypt() (and ALL authentication checks) from src/main/auth.c, and fix
the code so that the PAP module works.

  That will allow the mutex to be in a logical place: the PAP module's
data structure.

  Alan DeKok.



Re: authentication failures after hours of operation

2003-05-30 Thread Oliver Graf
On Thu, May 29, 2003 at 03:34:30PM +0200, Oliver Graf wrote:
> On Thu, May 29, 2003 at 03:19:59PM +0300, Kostas Kalevras wrote:
> > > It now locks while using crypt. This is only good if this is the only
> > > use of crypt. If pap (for example) is also used, it should use the
> > > same mutex to lock while doing a crypt (as should any other
> > > freeradius code using crypt).
> > >
> > > The server seems to be running and is responsive :) the next hours will show
> > > if the problem is fixed with this.
> > 
> > OK, then declare a new function radius_crypt() with a mutex in it, put it
> > somewhere in src/lib and change all calls  to crypt() to call radius_crypt()
> > instead.
> 
> Yep, I had something like this in mind. But now I will fetch me some
> beer, fire the barbecue and have a nice Vatertag :)
> 
> I'll write the clean version tomorrow.

Ok, here it is. I now have one radiusd with the old version, and one with
this version running (both production systems :) ).

The function lrad_crypt_check does crypt and check in one, because the
return value of crypt might be a reused string buffer...

Is this a good place for the mutex? Or is it better to have some init
function for the mutex which is called from threads.c?

Oliver.

--- src/lib/crypt.c.orig2003-05-30 09:40:29.0 +0200
+++ src/lib/crypt.c 2003-05-30 09:29:16.0 +0200
@@ -0,0 +1,61 @@
+/*
+ * a thread-safe crypt wrapper
+ */
+
+#include "libradius.h"
+#include 
+#include 
+#include 
+
+#if HAVE_PTHREAD_H
+#include   
+#endif
+
+static int lrad_crypt_init=0;
+static pthread_mutex_t lrad_crypt_mutex;
+
+/*
+ * initializes authcrypt_mutex
+ */
+
+
+/*
+ * performs a crypt password check in an thread-safe way.
+ *
+ * returns:  0 -- check succeeded
+ *  -1 -- failed to crypt
+ *   1 -- check failed
+ */
+int lrad_crypt_check(const char *key, const char *crypted) {
+  char *libc_crypted=NULL, *our_crypted=NULL;
+  int result=0;
+
+#if HAVE_PTHREAD_H
+  if (!lrad_crypt_init == 0) {
+   pthread_mutex_init(&lrad_crypt_mutex, NULL);
+   lrad_crypt_init=1;
+  }
+
+  pthread_mutex_lock(&lrad_crypt_mutex);
+#endif
+
+  libc_crypted=crypt(key,crypted);
+  if (libc_crypted)
+   our_crypted=strdup(libc_crypted);
+
+#if HAVE_PTHREAD_H
+  pthread_mutex_unlock(&lrad_crypt_mutex);
+#endif
+
+  if (our_crypted == NULL)
+   return -1;
+
+  if (strcmp(crypted, our_crypted) == 0)
+   result = 0;
+  else
+   result = 1;
+
+  free(our_crypted);
+
+  return result;
+}
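Review bot: the lazy initialization test `if (!lrad_crypt_init == 0)` never fires: while the flag is 0, `!lrad_crypt_init` is 1, so `1 == 0` is false and `pthread_mutex_init` is skipped, leaving the lock uninitialized on the first call. Even corrected to `if (lrad_crypt_init == 0)`, the check and the flag update run outside the lock, so two threads arriving together can both initialize it. A static `pthread_mutex_t lrad_crypt_mutex = PTHREAD_MUTEX_INITIALIZER;` removes both the flag and the race, and lets the empty "initializes authcrypt_mutex" comment block go. The `strdup` of the result while still holding the mutex is the right fix for crypt()'s static buffer.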
Index: src/lib/Makefile
===
RCS file: /source/radiusd/src/lib/Makefile,v
retrieving revision 1.14
diff -u -r1.14 Makefile
--- src/lib/Makefile3 Mar 2003 19:48:06 -   1.14
+++ src/lib/Makefile30 May 2003 08:03:54 -
@@ -3,7 +3,7 @@
 
 SRCS   = dict.c print.c radius.c valuepair.c token.c misc.c \
log.c filters.c missing.c md4.c md5.c sha1.c hmac.c \
-   snprintf.c isaac.c smbdes.c
+   snprintf.c isaac.c smbdes.c crypt.c
 
 INCLUDES   = ../include/radius.h ../include/libradius.h \
  ../include/missing.h ../include/autoconf.h
Index: src/include/libradius.h
===
RCS file: /source/radiusd/src/include/libradius.h,v
retrieving revision 1.58
diff -u -r1.58 libradius.h
--- src/include/libradius.h 21 Apr 2003 20:39:57 -  1.58
+++ src/include/libradius.h 30 May 2003 08:03:54 -
@@ -298,4 +298,7 @@
 const unsigned char *challenge, unsigned char *response);
 
 
+/* crypt wrapper from crypt.c */
+int lrad_crypt_check(const char *key, const char *crypted);
+
 #endif /*LIBRADIUS_H*/
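Review bot: the prototype is all a caller of `lrad_crypt_check` sees, so the 0 / 1 / -1 return convention from crypt.c should be repeated in the header comment; `/* crypt wrapper from crypt.c */` says nothing about what a non-zero result means, and a caller treating any non-zero value as "mismatch" will log a crypt() failure as a wrong password.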
Index: src/main/auth.c
===
RCS file: /source/radiusd/src/main/auth.c,v
retrieving revision 1.125
diff -u -r1.125 auth.c
--- src/main/auth.c 10 Apr 2003 18:09:03 -  1.125
+++ src/main/auth.c 30 May 2003 08:03:55 -
@@ -31,10 +31,6 @@
 #include 
 #include 
 
-#if HAVE_CRYPT_H
-#  include 
-#endif
-
 #if HAVE_NETINET_IN_H
 #  include 
 #endif
@@ -190,7 +186,6 @@
VALUE_PAIR *password_pair;
VALUE_PAIR *auth_item;
char string[MAX_STRING_LEN];
-   const char *crypted_password;
int auth_type = -1;
int result;
int auth_type_count = 0;
@@ -276,16 +271,13 @@
return -1;
}

-   crypted_password = crypt((char *)auth_item->strvalue,
-(char *)password_pair->strvalue);
-   if (!crypted_password) {
-   rad_authlog("Login incorrect "
-   "(system failed to supply an encrypted 
password for comparison)", request, 0);
-   return -1;
-  
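Review bot: this hunk is cut off after the removed `if (!crypted_password)` block, so the replacement call to `lrad_crypt_check` is not visible, and the reviewer cannot confirm that its -1 (crypt failed) result still produces the "system failed to supply an encrypted password for comparison" log line rather than being folded into a plain "Login incorrect". Please resend the complete hunk.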

Re: authentication failures after hours of operation

2003-05-29 Thread Oliver Graf
On Thu, May 29, 2003 at 03:19:59PM +0300, Kostas Kalevras wrote:
> > It now locks while using crypt. This is only good if this is the only
> > use of crypt. If pap (for example) is also used, it should use the
> > same mutex to lock while doing a crypt (as should any other
> > freeradius code using crypt).
> >
> > The server seems to be running and is responsive :) the next hours will show
> > if the problem is fixed with this.
> 
> OK, then declare a new function radius_crypt() with a mutex in it, put it
> somewhere in src/lib and change all calls  to crypt() to call radius_crypt()
> instead.

Yep, I had something like this in mind. But now I will fetch me some
beer, fire the barbecue and have a nice Vatertag :)

I'll write the clean version tomorrow.

Oliver.




Re: authentication failures after hours of operation

2003-05-29 Thread Kostas Kalevras
On Thu, 29 May 2003, Oliver Graf wrote:

> On Tue, May 27, 2003 at 05:33:37PM +0200, Oliver Graf wrote:
> > On Tue, May 27, 2003 at 09:27:53AM -0400, Alan DeKok wrote:
> > > Oliver Graf <[EMAIL PROTECTED]> wrote:
> > > > My test showed that the Crypt-Password is the problem. The test users
> > > > with User-Password and auth-type Local work as before, test user (and
> > > > normal users) with Crypt-Password and Crypt-Local are rejected (auth
> > > > failed).
> > >
> > >   OK.  See src/modules/rlm_pap/rlm_pap.c for examples of wrapping a
> > > pthread mutex around calls to crypt(), which isn't thread-safe.  I'll
> > > take a look at fixing it in the CVS head.
> >
> > Hmmm... sort of weird that it takes that long for the bug to
> > manifest. But you're right, crypt is not thread safe.
> >
> > I think I'll wait for your update, cause doing the lock for a module
> > is easy cause I have the instance, but (without diving too much into
> > the source) I don't see where I get to the thread mutex from only a
> > REQUEST *...
>
> After some fruitless attempts to use PAP, I did patch auth.c a bit.
>
> It now locks while using crypt. This is only good if this is the only
> use of crypt. If pap (for example) is also used, it should use the
> same mutex to lock while doing a crypt (as should any other
> freeradius code using crypt).
>
> The server seems to be running and is responsive :) the next hours will show
> if the problem is fixed with this.

OK, then declare a new function radius_crypt() with a mutex in it, put it
somewhere in src/lib and change all calls  to crypt() to call radius_crypt()
instead.

>
> Oliver.
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: authentication failures after hours of operation

2003-05-29 Thread Oliver Graf
On Tue, May 27, 2003 at 05:33:37PM +0200, Oliver Graf wrote:
> On Tue, May 27, 2003 at 09:27:53AM -0400, Alan DeKok wrote:
> > Oliver Graf <[EMAIL PROTECTED]> wrote:
> > > My test showed that the Crypt-Password is the problem. The test users
> > > with User-Password and auth-type Local work as before, test user (and
> > > normal users) with Crypt-Password and Crypt-Local are rejected (auth
> > > failed).
> > 
> >   OK.  See src/modules/rlm_pap/rlm_pap.c for examples of wrapping a
> > pthread mutex around calls to crypt(), which isn't thread-safe.  I'll
> > take a look at fixing it in the CVS head.
> 
> Hmmm... sort of weird that it takes that long for the bug to
> manifest. But you're right, crypt is not thread safe.
> 
> I think I'll wait for your update, cause doing the lock for a module
> is easy cause I have the instance, but (without diving too much into
> the source) I don't see where I get to the thread mutex from only a
> REQUEST *...

After some fruitless attempts to use PAP, I did patch auth.c a bit.

It now locks while using crypt. This is only good if this is the only
use of crypt. If pap (for example) is also used, it should use the
same mutex to lock while doing a crypt (as should any other
freeradius code using crypt).

The server seems to be running and is responsive :) the next hours will show
if the problem is fixed with this.

Oliver.

--- freeradius-snapshot-20030529/src/main/threads.c.orig2003-05-29 
13:44:07.0 +0200
+++ freeradius-snapshot-20030529/src/main/threads.c 2003-05-29 13:58:49.0 
+0200
@@ -134,6 +134,10 @@
  */
 static pthread_mutex_t fork_mutex;
 
+/*
+ * This mutex solves a threading porblem with crypt in auth.c
+ */
+pthread_mutex_t authcrypt_mutex;
 
 /*
  * A mapping of configuration file names to internal integers
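Review bot: "porblem" in the new comment should be "problem". Exporting a bare global `authcrypt_mutex` from threads.c also means every present and future crypt() caller has to know to lock it; a single wrapper function that owns the mutex and does the crypt-and-compare keeps the locking in one place, as Kostas suggests elsewhere in this thread.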
@@ -770,6 +774,7 @@
 *  Initialize the mutex used to remember calls to fork.
 */
pthread_mutex_init(&fork_mutex, NULL);
+   pthread_mutex_init(&authcrypt_mutex, NULL);

/*
 *  Initialize the data structure where we remember the
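Review bot: the mutex is only initialized here, next to `fork_mutex`, i.e. when the thread pool is set up, while auth.c locks it under `#if HAVE_PTHREAD_H`, a compile-time condition. Any pthread build in which this initialization does not run would lock an uninitialized mutex. Declaring it `pthread_mutex_t authcrypt_mutex = PTHREAD_MUTEX_INITIALIZER;` in the previous hunk removes the dependency on this ordering.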
--- freeradius-snapshot-20030529/src/main/auth.c.orig   2003-05-29 13:42:03.0 
+0200
+++ freeradius-snapshot-20030529/src/main/auth.c2003-05-29 13:56:52.0 
+0200
@@ -276,8 +276,15 @@
return -1;
}

+#if HAVE_PTHREAD_H
+   pthread_mutex_lock(&authcrypt_mutex);
+#endif
crypted_password = crypt((char *)auth_item->strvalue,
-(char *)password_pair->strvalue);
+(char 
*)password_pair->strvalue);
+#if HAVE_PTHREAD_H
+   pthread_mutex_unlock(&authcrypt_mutex);
+#endif
+
if (!crypted_password) {
rad_authlog("Login incorrect "
"(system failed to supply an encrypted 
password for comparison)", request, 0);
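Review bot: the lock is released before `crypted_password` is used. crypt() returns a pointer to its static buffer, so after `pthread_mutex_unlock` another thread's crypt() can overwrite that buffer before the `if (!crypted_password)` test and the comparison that follow; the race window is narrowed, not closed. Copy the result (strdup) while still holding the mutex and compare the copy, which is what the lrad_crypt_check version posted the next day does.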
--- freeradius-snapshot-20030529/src/include/radiusd.h.orig 2003-05-29 
13:47:12.0 +0200
+++ freeradius-snapshot-20030529/src/include/radiusd.h  2003-05-29 13:58:38.0 
+0200
@@ -230,6 +230,7 @@
 extern int proxy_port;
 extern int proxyfd;
 extern const char  *radiusd_version;
+extern pthread_mutex_t authcrypt_mutex;
 
 /*
  * Function prototypes.
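Review bot: `extern pthread_mutex_t authcrypt_mutex;` is added unconditionally, while the lock/unlock calls in auth.c are wrapped in `#if HAVE_PTHREAD_H`; a build without pthread.h fails on this declaration because `pthread_mutex_t` is undefined. Guard the declaration the same way, or make sure the header that provides the type is included here.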


Re: authentication and accounting using proxy feature

2003-04-01 Thread Franklin Trumpy
On Tue, 1 Apr 2003, Wisam Najim wrote:

> I have configured the freeRADIUS to proxy requests to another remote
> RADIUS (...) The problem is for every request the freeRADIUS that
> proxies the request tries to authenticate the customer locally even if that
> customer request is proxied (...)

Under the default configuration, yes, at least on 0.8.1. Check
doc/configurable_failover.txt. You need to exit authorization {} after
you've dealt with the suffix. Putting:

suffix {
   updated = return
   }

before whatever you're using to authorize your non-proxy users should
help.

> (...) and also, once customer is successfully authenticated by
> remote RADIUS, it enters an accounting record for that customer in the
> local detailed file. I want to know if there is a way to stop this. I
> want a proxied request to be authenticated by remote RADIUS only and also I
> want the accounting records to be inserted in the remote RADIUS detailed
> file only.

Read the few days of the list. There's an answer there.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc |  The wound of peace is surety,
Sr. UNIX Systems Administrator  |  Surety secure; but modest doubt is called
Lighthouse Communications   |  The beacon of the wise, the tent that searches
[EMAIL PROTECTED] |  To th' bottom of the worst.
(515)244-1115   |
(888)953-3278   |William Shakespeare
http://www.lh.net   |Troilus and Cressida (II, ii)

On Tue, 1 Apr 2003, Wisam Najim wrote:

> Date: Tue, 01 Apr 2003 07:24:04 +0400
> From: Wisam Najim <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: authentication and accounting using proxy feature
>
>
> Hi All,
>
> I have configured the freeRADIUS to proxy requests to another remote RADIUS.
> It works fine and I get all required users proxied to remote RADIUS. The
> problem is for every request the freeRADIUS that proxies the request tries
> to authenticate the customer locally even if that customer request is proxied
> and also, once customer is successfully authenticated by remote RADIUS, it
> enters an accounting record for that customer in the local detailed file. I
> want to know if there is a way to stop this. I want a proxied request to be
> authenticated by remote RADIUS only and also I want the accounting records
> to be inserted in the remote RADIUS detailed file only.
>
> Your help is highly appreciated.
>
>
>  
>  Regards,


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication

2003-03-27 Thread Martin Shears
an example users entry might be:

username        Password == "testing123",
                Calling-Station-ID == "12345678"
                Framed-MTU = 576,
                Service-Type = Framed-User


If you read into the users file format, you will see you have the identifier 
(username, group), check items and reply items.  The check items are things 
that must succeed, such as password, but you can also add items such as 
Calling-Station-ID, Called-Station-ID or NAS-IP-Address etc.

Reply items are those sent back during Authorization to the router/access 
server once the Authentication is successful.

Cheers

Martin

On Friday 28 March 2003 03:59, Keith Ballard wrote:
> Hi all,
> Just a quick question before I go much deeper.
>
> Is it possible to authenticate a dial-up with freeradius based not just on
> username/password, but also phone number called from (ie only allow dial-in
> from one particular number per customer).
> If so can anyone please point me to a faq, etc (I couldn't find it in the
> Radius book).
>
> regards,
> Keith
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-- 
Martin ([EMAIL PROTECTED])
ICQ# 748846




Re: Authentication

2003-03-27 Thread freeradius mailing list
Add that to the users file.

username User-Password == "whatever", Calling-Station-Id == "333-"

something like that.  It will look for all three variables before finding
a match.



On Thu, 27 Mar 2003, Keith Ballard wrote:

> Hi all,
> Just a quick question before I go much deeper.
>
> Is it possible to authenticate a dial-up with freeradius based not just on
> username/password, but also phone number called from (ie only allow dial-in
> from one particular number per customer).
> If so can anyone please point me to a faq, etc (I couldn't find it in the
> Radius book).
>
> regards,
> Keith
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>




RE: Authentication

2003-03-27 Thread Tim McCracken
Check page 38 in the Radius book.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Keith
> Ballard
> Sent: Thursday, March 27, 2003 11:30 AM
> To: [EMAIL PROTECTED]
> Subject: Authentication
>
>
> Hi all,
> Just a quick question before I go much deeper.
>
> Is it possible to authenticate a dial-up with freeradius based not just on
> username/password, but also phone number called from (ie only
> allow dial-in
> from one particular number per customer).
> If so can anyone please point me to a faq, etc (I couldn't find it in the
> Radius book).
>
> regards,
> Keith
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>




Re: Authentication Attributes

2003-03-12 Thread Alan DeKok
Chris Hanrahan <[EMAIL PROTECTED]> wrote:
> Is there a way to configure FreeRadius such that it verifies a
> users's ID and password against an NT domain AND requires that a user
> be in an NT Domain group before issuing an access granted reply ?

  Source code modifications.  See pam_winbind, or Samba for some
starters.

  Alan DeKok.



Re: Authentication Attributes

2003-03-12 Thread Chris Hanrahan
> If I am running winbindd and specify Group=='vpn_users', will
> FreeRadius check for a group called "vpn_users" by using winbindd ?
>
> No. The 'Group' is only for Unix groups.

Is there a way to configure FreeRadius such that it verifies a user's ID and password against an NT domain AND requires that a user be in an NT Domain group before issuing an access granted reply ?  I am trying to replace Microsoft's IAS server with FreeRadius, and IAS is configured in this manner.

Thanks
Chris Hanrahan

Alan DeKok <[EMAIL PROTECTED]> wrote:

> Chris Hanrahan <[EMAIL PROTECTED]> wrote:
> > I am running FreeRadius 0.8.1 and am trying to configure the users
> > file. Are the authentication attributes, such as Auth-Type, Group,
> > and User-Password documented anywhere ?
>
> The User-Password is documented in the RFC's. See:
>
> http://www.freeradius.org/rfc/attributes.html
>
> > If I am running winbindd and specify Group=='vpn_users', will
> > FreeRadius check for a group called "vpn_users" by using winbindd ?
>
> No. The 'Group' is only for Unix groups.

Re: Authentication Attributes

2003-03-12 Thread Alan DeKok
Chris Hanrahan <[EMAIL PROTECTED]> wrote:
> I am running FreeRadius 0.8.1 and am trying to configure the users
> file.  Are the authentication attributes, such as Auth-Type, Group,
> and User-Password documented anywhere ?

  The User-Password is documented in the RFC's.  See:

http://www.freeradius.org/rfc/attributes.html

> If I am running winbindd and specify Group=='vpn_users', will
> FreeRadius check for a group called "vpn_users" by using winbindd ?

  No.  The 'Group' is only for Unix groups.



Re: Authentication problem

2003-03-10 Thread Kostas Kalevras
On Fri, 7 Mar 2003, QAdmin wrote:

> Hi everyone,
> I have a particular authentication problem that I need to solve
> quickly, and I need your help... here it is:
>
> First, I am using FreeRadius 0.8.1 with the "users" file.
>
> My freeradius server will receive two authentication requests for
> the same User-Name, but will have to return different attributes
> depending on the NAS connecting to it.
>
> So, if it receives a request for [EMAIL PROTECTED] and the request
> packet contains NAS-IP-Address 192.168.100.1 then I know I have
> to reply with some predefined attributes.
>
> Next, if a request comes in again for [EMAIL PROTECTED], but this time
> the NAS-IP-Address attribute is set to something else than 192.168.100.1
> then I need to return another set of Attributes in reply.
>
> I've tried to set two "[EMAIL PROTECTED]" entries in the users file,
> the first having a check list that looks like this:
>
> [EMAIL PROTECTED]  User-Password == "password"
> Auth-Type := Local,
> Service-Type = Framed-User
> ...
>
> and another entry below:
>
> [EMAIL PROTECTED] NAS-IP-Address == "192.168.100.1", User-Password ==
> "Password"
>   Auth-Type := Local,
>   Service-Type = Outbound-User
>   ...
>
>
> Now, that just doesn't work. Because the requests are specific
> to a single User-Name, it will always match on the first entry it finds
> in the users file, matching this User-Name.
>
> Is there a way I can tell FreeRadius not to stop its match
> on the first occurrence of "[EMAIL PROTECTED]", but carefully inspect
> all values in the checklist ?
>
> At best,
> Would it be possible to have a "catch-all" entry that just watches for
> the NAS-IP-Address 192.168.100.1 and return the proper attributes ?

DEFAULT NAS-IP-Address == "192.168.100.1", Auth-Type := Local
Service-Type = Outbound-User

DEFAULT Auth-Type := Local
Service-Type = Framed-User

[EMAIL PROTECTED]   User-Password == "Password"

>
> I want to avoid having to run a separate radius server AND also having
> double entries for each user in the users file.
>
> Thank you for your help.
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Authentication problem

2003-03-08 Thread freeradius mailing list
Try putting the second one first - the NAS IP entry and then on the bottom
of it put

Fall-Through = no



On Fri, 7 Mar 2003, QAdmin wrote:

> Hi everyone,
> I have a particular authentication problem that I need to solve
> quickly, and I need your help... here it is:
>
> First, I am using FreeRadius 0.8.1 with the "users" file.
>
> My freeradius server will receive two authentication requests for
> the same User-Name, but will have to return different attributes
> depending on the NAS connecting to it.
>
> So, if it receives a request for [EMAIL PROTECTED] and the request
> packet contains NAS-IP-Address 192.168.100.1 then I know I have
> to reply with some predefined attributes.
>
> Next, if a request comes in again for [EMAIL PROTECTED], but this time
> the NAS-IP-Address attribute is set to something else than 192.168.100.1
> then I need to return another set of Attributes in reply.
>
> I've tried to set two "[EMAIL PROTECTED]" entries in the users file,
> the first having a check list that looks like this:
>
> [EMAIL PROTECTED]  User-Password == "password"
> Auth-Type := Local,
> Service-Type = Framed-User
> ...
>
> and another entry below:
>
> [EMAIL PROTECTED] NAS-IP-Address == "192.168.100.1", User-Password ==
> "Password"
>   Auth-Type := Local,
>   Service-Type = Outbound-User
>   ...
>
>
> Now, that just doesn't work. Because the requests are specific
> to a single User-Name, it will always match on the first entry it finds
> in the users file, matching this User-Name.
>
> Is there a way I can tell FreeRadius not to stop its match
> on the first occurrence of "[EMAIL PROTECTED]", but carefully inspect
> all values in the checklist ?
>
> At best,
> Would it be possible to have a "catch-all" entry that just watches for
> the NAS-IP-Address 192.168.100.1 and return the proper attributes ?
>
> I want to avoid having to run a separate radius server AND also having
> double entries for each user in the users file.
>
> Thank you for your help.
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


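As an added example (not code from this thread or from the FreeRADIUS sources), the Python below simulates how rlm_files walks the users file and replays the three arrangements discussed in these threads: QAdmin's two entries for one user (the first always wins), the DEFAULT arrangement Kostas sketched with Fall-Through = Yes added so matching still reaches the per-user password entry, and the Calling-Station-Id check from the Keith Ballard thread above. The user names, addresses and passwords are constructed.

```python
"""Simulate how rlm_files walks the 'users' file: entries are tried top to bottom,
an entry matches when its name (or DEFAULT) and all of its check items match the
request, and the first match ends the search unless it says Fall-Through = Yes."""
import re

# attribute, operator, value; values may be double-quoted
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|=)\s*"?([^"]*?)"?\s*$')


def parse_item(text):
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError(f"bad attribute/value pair: {text!r}")
    return m.groups()


def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            # column 0 starts a new entry: name, then comma-separated check items
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            checks = [parse_item(i) for i in rest.split(",") if i.strip()]
            entries.append((parts[0], checks, []))
        else:
            # indented continuation lines carry the reply items
            entries[-1][2].extend(parse_item(i) for i in line.split(",") if i.strip())
    return entries


def authorize(entries, request):
    """Return (names of matched entries, control items, reply items)."""
    matched, control, reply = [], {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        pending, ok = {}, True
        for attr, op, val in checks:
            if op == ":=":
                pending[attr] = val              # e.g. Auth-Type: set, not compared
            elif op == "==" and request.get(attr) != val:
                ok = False
        if not ok:
            continue                             # a failed check item skips the entry
        matched.append(name)
        control.update(pending)
        fall_through = False
        for attr, op, val in replies:
            if attr == "Fall-Through":
                fall_through = val.lower() in ("yes", "1", "true")
            elif op == ":=" or attr not in reply:
                reply[attr] = val                # '=' only adds when not already set
        if not fall_through:
            break                                # first full match ends the search
    return matched, control, reply


# Constructed, in the style of the thread: two entries for one user. The first
# matches every request from that user, so the NAS-specific one is never reached.
USERS_TWO_ENTRIES = """
user@example.org  User-Password == "password"
        Service-Type = Framed-User

user@example.org  NAS-IP-Address == "192.168.100.1", User-Password == "password"
        Service-Type = Outbound-User
"""

# Constructed: the DEFAULT arrangement from the thread, with Fall-Through = Yes
# added so that matching continues down to the per-user password entry.
USERS_DEFAULTS = """
DEFAULT  NAS-IP-Address == "192.168.100.1", Auth-Type := Local
        Service-Type = Outbound-User,
        Fall-Through = Yes

DEFAULT  Auth-Type := Local
        Service-Type = Framed-User,
        Fall-Through = Yes

user@example.org  User-Password == "password"
"""

# Constructed: the caller-ID check from the dial-up thread; a request from any
# other Calling-Station-Id fails the check items and the entry is skipped.
USERS_CALLER_ID = """
bob  User-Password == "testing123", Calling-Station-Id == "12345678"
        Framed-MTU = 576,
        Service-Type = Framed-User
"""


def request(user, password, nas, caller=None):
    # minimal constructed Access-Request as an attribute dictionary
    req = {"User-Name": user, "User-Password": password, "NAS-IP-Address": nas}
    if caller:
        req["Calling-Station-Id"] = caller
    return req
```

Run `authorize(parse_users(USERS_TWO_ENTRIES), request("user@example.org", "password", "192.168.100.1"))` and only the first entry is reported matched, with Service-Type = Framed-User; the same request against USERS_DEFAULTS yields Outbound-User and still reaches the password entry.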


RE: Authentication against MySQL

2003-02-10 Thread Scott Bartlett
>That is exactly what I had to do.  All the docs say put it in
>radgroupreply.  But it seems that it will not recognize it anywhere in
>the DB.  I never did get a good answer, I think it something in the
>recent code, older versions seem to be fine. The only way I could make
>it work was to change it at the users file.  So now I have no default
>System for local logins.

There was a thread on this a couple of days ago (which also finally
prompted today's updating of the FR/MySQL notes at
http://www.frontios.com/freeradius.html). 

Basically, auth-type should be a check item, not a reply item, and if
FreeRadius doesn't get one it defaults to 'Local'. 

Search the list under the subject: "freeradius not reading Auth-Type
from MySQL" for more...

Regards,

SB







Re: Authentication against MySQL

2003-02-10 Thread Robert Canary
Well Rick,

That is exactly what I had to do.  All the docs say put it in
radgroupreply.  But it seems that it will not recognize it anywhere in
the DB.  I never did get a good answer, I think it something in the
recent code, older versions seem to be fine. The only way I could make
it work was to change it at the users file.  So now I have no default
System for local logins.

> Rick Evans wrote:
> 
> Hello,
> 
> I am new to using Freeradius as well as to the list so I apologize for
> any ignorant statements.
> 
> I am using Freeradius + MySQL and up until a few minutes ago, I could
> get a user 'test' to authenticate against the Radius server as long as
> the
> user was entered into the system, however not if the user was in the
> Radius
> database (MySQL).
> 
> I was getting the same errors about "DEFAULT Auth-Type := System" and
> it
> would reject the username/password combination.  I have setup in the
> radgroupreply table, a field entry setting the Auth-Type to Local.  I
> also setup in
> the radgroupcheck table the same type of entry based on a previous
> read
> message.  I would still get the same errors when running the Radius
> server
> in its 'debugging' mode.
> 
> I just recently modified the 'users' file and changed the Default
> Auth-Type to 'Local'
> instead of 'System' and it started working.  Is this the correct
> location to specify
> this attribute or is there a cleaner way of setting it?
> 
> Thank you for all of your help and suggestions.
> 
> Rick Evans




Re: Authentication time

2003-01-10 Thread Andrew Pilley
On Fri, Jan 10, 2003 at 10:07:34AM -0500, Roy Wills wrote:
> hmmm... i don't think i am explaining this very well. I need some users to only have
> access for a week (ie: monday to following monday) and some users have a month of
> access (ie: Jan 1 to Jan 31). I do not think that actual session times are going to
> work in this case since they are not actually doing a traditional dial-in setup.
> Radius is just there to have centralized authorization for about 6 networks across
> the city. Is there an attribute to allow from first login to say disable after 7 days
> or 30 days?

i suspect you'll have to use perl/python and friends to write a script
to check through their logs, and when they reach their limit, modify
their password so they can no longer authenticate properly.

I'm in the middle of doing something similar to work with pre-paid
accounts, but i'm in no position to be giving out code at this time.
in my case, however, i'm adding a Framed-Address reply for that user
(made easy by using mysql for auth/logging) which belongs to the rfc1918
address range. this allows me to filter any web requests to our own
webpage, which displays an appropriate message (since windows ignores any
ppp messages iirc), allowing us to let them on, but not to do anything
useful (stops people who have autodial from dialing up a fortune in
connect/disconnect charges).

Andrew 'ashridah' Pilley

> 
> 1/10/03 4:18:42 AM, Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> 
> >On Thu, 9 Jan 2003, Roy Wills wrote:
> >
> >> ok...i have read the radiusd.conf and scoured once again the docs and am not
> >> grasping where i need to put the attrib. i have users that only have access
> >> for a week and some for a month. It's
> >> all time-frame based and varies. i guess my question now is do i have a line
> >> like this for every user on top of the accept lines?
> >>    DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
> >>             Reply-Message = "You've used up more than one hour today"
> >> or do i need to create a db.counter file for these? If this is totally wrong
> >> can you point me to a faq better than the docs that are with it?
> >
> >The docs are really just fine.
> >
> >You can set the corresponding attribute for each user:
> >
> >userweekly   Max-Weekly-Session := 4500
> >
> >usermonthly  Max-Monthly-Session := 45000
> >
> >Just make sure you don't set DEFAULT entries with these attributes.
> >
> >>
> >>
> >> 1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> >>
> >> >Roy Wills <[EMAIL PROTECTED]> wrote:
> >> >> Is there a way to limit the time a user can spend online? What i
> >> >> want to do is say that user X has 1 week of use and after that they
> >> >> are no longer allowed to log in.
> >> >
> >> >  Yes.  Read 'raddb/radiusd.conf', and look for the 'counter' module.
> >> >
> >> >> If so when does the time start, when the first logins or when i put
> >> >> the user/pass in the users file?
> >> >
> >> >  When the user first logs in.
> >> >
> >> >  Alan DeKok.
> >> >
> >> >-
> >> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >> >
> >> >
> >>
> >>
> >>
> >>
> >> -
> >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >>
> >
> >--
> >Kostas Kalevras  Network Operations Center
> >[EMAIL PROTECTED]   National Technical University of Athens, Greece
> >Work Phone:  +30 210 7721861
> >'Go back to the shadow'  Gandalf
> >
> >- 
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >



Re: Authentication time

2003-01-10 Thread Roy Wills
hmmm... i don't think i am explaining this very well. I need some users to only have
access for a week (ie: monday to following monday) and some users have a month of
access (ie: Jan 1 to Jan 31). I do not think that actual session times are going to
work in this case since they are not actually doing a traditional dial-in setup.
Radius is just there to have centralized authorization for about 6 networks across
the city. Is there an attribute to allow from first login to say disable after 7 days
or 30 days?

1/10/03 4:18:42 AM, Kostas Kalevras <[EMAIL PROTECTED]> wrote:

>On Thu, 9 Jan 2003, Roy Wills wrote:
>
>> ok...i have read the radiusd.conf and scoured once again the docs and am not
>> grasping where i need to put the attrib. i have users that only have access
>> for a week and some for a month. It's
>> all time-frame based and varies. i guess my question now is do i have a line
>> like this for every user on top of the accept lines?
>>    DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
>>             Reply-Message = "You've used up more than one hour today"
>> or do i need to create a db.counter file for these? If this is totally wrong
>> can you point me to a faq better than the docs that are with it?
>
>The docs are really just fine.
>
>You can set the corresponding attribute for each user:
>
>userweekly   Max-Weekly-Session := 4500
>
>usermonthly  Max-Monthly-Session := 45000
>
>Just make sure you don't set DEFAULT entries with these attributes.
>
>>
>>
>> 1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
>>
>> >Roy Wills <[EMAIL PROTECTED]> wrote:
>> >> Is there a way to limit the time a user can spend online? What i
>> >> want to do is say that user X has 1 week of use and after that they
>> >> are no longer allowed to log in.
>> >
>> >  Yes.  Read 'raddb/radiusd.conf', and look for the 'counter' module.
>> >
>> >> If so when does the time start, when the first logins or when i put
>> >> the user/pass in the users file?
>> >
>> >  When the user first logs in.
>> >
>> >  Alan DeKok.
>> >
>> >-
>> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>> >
>> >
>>
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>
>--
>Kostas Kalevras         Network Operations Center
>[EMAIL PROTECTED]       National Technical University of Athens, Greece
>Work Phone:             +30 210 7721861
>'Go back to the shadow' Gandalf
>



Re: Authentication time

2003-01-10 Thread Kostas Kalevras
On Thu, 9 Jan 2003, Roy Wills wrote:

> ok...i have read the radiusd.conf and scoured once again the docs and am not
> grasping where i need to put the attrib. i have users that only have access
> for a week and some for a month. It's
> all time-frame based and varies. i guess my question now is do i have a line
> like this for every user on top of the accept lines?
>    DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
>             Reply-Message = "You've used up more than one hour today"
> or do i need to create a db.counter file for these? If this is totally wrong
> can you point me to a faq better than the docs that are with it?

The docs are really just fine.

You can set the corresponding attribute for each user:

userweekly  Max-Weekly-Session := 4500

usermonthly Max-Monthly-Session := 45000

Just make sure you don't set DEFAULT entries with these attributes.

>
>
> 1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
>
> >Roy Wills <[EMAIL PROTECTED]> wrote:
> >> Is there a way to limit the time a user can spend online? What i
> >> want to do is say that user X has 1 week of use and after that they
> >> are no longer allowed to log in.
> >
> >  Yes.  Read 'raddb/radiusd.conf', and look for the 'counter' module.
> >
> >> If so when does the time start, when the first logins or when i put
> >> the user/pass in the users file?
> >
> >  When the user first logs in.
> >
> >  Alan DeKok.
> >
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf




Re: Authentication time

2003-01-09 Thread Roy Wills
ok...i have read the radiusd.conf and scoured once again the docs and am not grasping
where i need to put the attrib. i have users that only have access for a week and some
for a month. It's all time-frame based and varies. i guess my question now is do i have
a line like this for every user on top of the accept lines?

   DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
            Reply-Message = "You've used up more than one hour today"

or do i need to create a db.counter file for these? If this is totally wrong can you
point me to a faq better than the docs that are with it?


1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:

>Roy Wills <[EMAIL PROTECTED]> wrote:
>> Is there a way to limit the time a user can spend online? What i
>> want to do is say that user X has 1 week of use and after that they
>> are no longer allowed to log in.
>
>  Yes.  Read 'raddb/radiusd.conf', and look for the 'counter' module.
>
>> If so when does the time start, when the first logins or when i put
>> the user/pass in the users file?
>
>  When the user first logs in.
>
>  Alan DeKok.
>



Re: Authentication time

2003-01-09 Thread Alan DeKok
Roy Wills <[EMAIL PROTECTED]> wrote:
> Is there a way to limit the time a user can spend online? What i
> want to do is say that user X has 1 week of use and after that they
> are no longer allowed to log in.

  Yes.  Read 'raddb/radiusd.conf', and look for the 'counter' module.

> If so when does the time start, when the first logins or when i put
> the user/pass in the users file?

  When the user first logs in.

  Alan DeKok.




Re: Authentication vs. Authorization question

2002-11-27 Thread Alan DeKok
Artur Hecker <[EMAIL PROTECTED]> wrote:
> his question is how to mangle the response adding authorization data... 
> Jukka, i think you should take a look at postproxying available in 
> freeradius 0.8 or in the snapshots (not sure about that).

  No.  Once the reply is received from the home server, FreeRADIUS
will run the packet through the authorization stage again.  At this
point, you can add whatever authorization you decide is necessary.

  Alan DeKok.




Re: Authentication vs. Authorization question

2002-11-27 Thread Jukka Lehti
> Jukka wanted to know how to ADD authorization data
> to the response sent by the remote server. The 
> remote server _doesn't_ send any authorization data,
> it's not supposed to and there is nothing to be done
> about it, at least not by Jukka.
> 
> his question is how to mangle the response adding
> authorization data... 

Exactly.

> you can definitely add whatever you want using
> postproxying. the question is however, if there
> is a simpler way to achieve the same result.

Thanks, I'll check it out.




Re: Authentication vs. Authorization question

2002-11-27 Thread Evren Yurtesen
The data should be in radreply table or radgroupreply (if your user is in
a group in usergroup table)

I am not a proxying expert but I think it would be nice to check the
remote server if its even able to send these data. I might be off the
track also! You can perhaps use the radclient program to test the
situation when you connect to server with radclient you should just enter
the a/v pairs and then press CTRL+D

running

#radclient 192.168.168.1 auth YOURSECRET

then sending

User-Name = "John"
User-Password = "hello"
^D

should do...do you receive the replies you want?


Evren

On Wed, 27 Nov 2002, Jukka Lehti wrote:

> --- Evren Yurtesen <[EMAIL PROTECTED]> wrote:
> > What kind of db are you using? can you send
> > radiusd -xx
> > output of authentication session?
> 
> I'm using MySQL at the moment and it's working ok.
> Output attached.
> 
> > do you mean that the remote server is working good
> > when you connect it
> > directly? for example with radclient ?
> 
> It's working ok, yes. I get the authentication data
> from the remote server but don't know how to add
> authorization data from local db to reply?
> 
> > On Wed, 27 Nov 2002, Jukka Lehti wrote:
> > 
> > > Hi,
> > > 
> > > I've set up freeradius 0.8 so that users like
> > > john@test get authenticated from a remote RADIUS
> > > server, i.e., freeradius works as a proxy. This is
> > > working well, so no problem here. But: the remote
> > > server only returns authentication data (un/pw
> > > ok/bad), I have authorization data in my local DB
> > > (Session-Timeout etc). How could I add this
> > > authorization data to RADIUS reply after
> > successful
> > > authentication from the remote server? I've been
> > > experimenting with autztype directive, but without
> > > success yet. Any other ideas/examples?
> > > 
> > > Thanks in advance.
> > > 








Re: Authentication vs. Authorization question

2002-11-27 Thread Evren Yurtesen
Well, I suspected that the remote server maybe doesn't even have this data
inside, or somehow doesn't send it back. I thought the first thing is to
check if the remote server is working well, without any problems.

But definitely I am not an expert at proxying, but I thought the proxy
should automatically forward all the data received from the server. That's
also another reason why I thought the proxy doesn't receive anything.

Evren

On Wed, 27 Nov 2002, Artur Hecker wrote:

> 
> Evren, i think you misunderstand the question: Jukka wanted to know how 
> to ADD authorization data to the response sent by the remote server. The 
> remote server _doesn't_ send any authorization data, it's not supposed 
> to and there is nothing to be done about it, at least not by Jukka.
> 
> his question is how to mangle the response adding authorization data... 
> Jukka, i think you should take a look at postproxying available in 
> freeradius 0.8 or in the snapshots (not sure about that).
> 
> you can definitely add whatever you want using postproxying. the 
> question is however, if there is a simpler way to achieve the same result.
> 
> 
> ciao
> artur
> 
> 
> 
> Evren Yurtesen wrote:
> > What kind of db are you using? can you send
> > radiusd -xx
> > output of authentication session?
> > 
> > do you mean that the remote server is working good when you connect it
> > directly? for example with radclient ?
> 
> -- 
> Artur Hecker   Groupe Accès et Mobilité
> hecker[at]enst[dot]fr   Département Informatique et Réseaux
> +33 1 45 81 7507  46, rue Barrault 75634 Paris cedex 13
> http://www.infres.enst.frENST Paris
> 
> 



Re: Authentication vs. Authorization question

2002-11-27 Thread Artur Hecker

Evren, i think you misunderstand the question: Jukka wanted to know how 
to ADD authorization data to the response sent by the remote server. The 
remote server _doesn't_ send any authorization data, it's not supposed 
to and there is nothing to be done about it, at least not by Jukka.

his question is how to mangle the response adding authorization data... 
Jukka, i think you should take a look at postproxying available in 
freeradius 0.8 or in the snapshots (not sure about that).

you can definitely add whatever you want using postproxying. the 
question is however, if there is a simpler way to achieve the same result.


ciao
artur



Evren Yurtesen wrote:
> What kind of db are you using? can you send
> radiusd -xx
> output of authentication session?
> 
> do you mean that the remote server is working good when you connect it
> directly? for example with radclient ?


--
Artur Hecker                    Groupe Accès et Mobilité
hecker[at]enst[dot]fr           Département Informatique et Réseaux
+33 1 45 81 7507                46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr       ENST Paris




Re: Authentication vs. Authorization question

2002-11-27 Thread Jukka Lehti
--- Evren Yurtesen <[EMAIL PROTECTED]> wrote:
> What kind of db are you using? can you send
> radiusd -xx
> output of authentication session?

I'm using MySQL at the moment and it's working ok.
Output attached.

> do you mean that the remote server is working good
> when you connect it
> directly? for example with radclient ?

It's working ok, yes. I get the authentication data
from the remote server but don't know how to add
authorization data from local db to reply?

> On Wed, 27 Nov 2002, Jukka Lehti wrote:
> 
> > Hi,
> > 
> > I've set up freeradius 0.8 so that users like
> > john@test get authenticated from a remote RADIUS
> > server, i.e., freeradius works as a proxy. This is
> > working well, so no problem here. But: the remote
> > server only returns authentication data (un/pw
> > ok/bad), I have authorization data in my local DB
> > (Session-Timeout etc). How could I add this
> > authorization data to RADIUS reply after
> successful
> > authentication from the remote server? I've been
> > experimenting with autztype directive, but without
> > success yet. Any other ideas/examples?
> > 
> > Thanks in advance.
> > 
> > __
> > Do you Yahoo!?
> > Yahoo! Mail Plus - Powerful. Affordable. Sign up
> now.
> > http://mailplus.yahoo.com
> > 
> > - 
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> > 
> 





rad.log
Description: rad.log


Re: Authentication vs. Authorization question

2002-11-27 Thread Evren Yurtesen
What kind of db are you using? can you send
radiusd -xx
output of authentication session?

do you mean that the remote server is working good when you connect it
directly? for example with radclient ?

Evren

On Wed, 27 Nov 2002, Jukka Lehti wrote:

> Hi,
> 
> I've set up freeradius 0.8 so that users like
> john@test get authenticated from a remote RADIUS
> server, i.e., freeradius works as a proxy. This is
> working well, so no problem here. But: the remote
> server only returns authentication data (un/pw
> ok/bad), I have authorization data in my local DB
> (Session-Timeout etc). How could I add this
> authorization data to RADIUS reply after successful
> authentication from the remote server? I've been
> experimenting with autztype directive, but without
> success yet. Any other ideas/examples?
> 
> Thanks in advance.
> 
> 
> 





Re: authentication of users ADSL

2002-11-13 Thread Alan DeKok
"Samyr Alves" <[EMAIL PROTECTED]> wrote:
> how to configure radius for authentication of users ADSL?

  Read the docs?

  Alan DeKok.




Re: Authentication

2002-11-04 Thread Alan DeKok
"Miles Wilton" <[EMAIL PROTECTED]> wrote:
> Is there any way to make authentication occur first from PAM and then if
> this fails, off a username/password in MySQL db?

  Yes.  See 'doc/configurable_failover'

  Alan DeKok.




Re: Authentication rejection

2002-10-16 Thread Alan DeKok

michael j douglas <[EMAIL PROTECTED]> wrote:
> I have free radius running with mysql database. The router is a Cisco 
> 2611 and I can authenticate locally using the cisco router. When I send 
> the request to the radius server the tunnel is opened and the radius 
> server rejects the user. It states "Unable to authenticate the user"

  Why?  Did you bother running the server in debugging mode, and
reading the output, as suggested in the FAQ, the README, and about 4
other places?

  Alan DeKok.




Re: radius re-authentication

2002-09-11 Thread Brett Maxfield

Miquel van Smoorenburg wrote:
> In article <[EMAIL PROTECTED]>,
> Brett Maxfield  <[EMAIL PROTECTED]> wrote:
> 
>>An example of this is that you specify a group that says that user may 
>>only connect on saturdays and sundays, which is fine unless they connect 
>>late sunday and stay connected until the following saturday (I 
>>exaggerate just slightly to make my point)
> 
> 
> The Login-Time attribute already takes care of this. It calculates
> the remaining time and sends it back to the radius server as
> the session-timeout attribute. If you set Login-Time = "Sa,Su" and
> you connect on sunday at 23:00, session-timeout is set to 3600 (one hour).
> After that: 

Excellent :)

This is what i was after..

Thanks
Brett





Re: radius re-authentication

2002-09-11 Thread Miquel van Smoorenburg

In article <[EMAIL PROTECTED]>,
Brett Maxfield  <[EMAIL PROTECTED]> wrote:
>An example of this is that you specify a group that says that user may 
>only connect on saturdays and sundays, which is fine unless they connect 
>late sunday and stay connected until the following saturday (I 
>exaggerate just slightly to make my point)

The Login-Time attribute already takes care of this. It calculates
the remaining time and sends it back to the radius server as
the session-timeout attribute. If you set Login-Time = "Sa,Su" and
you connect on sunday at 23:00, session-timeout is set to 3600 (one hour).
After that: 

You can always set session-timeout to 86400 regardless, so every
user gets disconnected after 24 hours, forcing them to
reconnect and re-authenticate.

Mike.
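The Login-Time to Session-Timeout computation Miquel describes above, as an added Python example (not from the list or from FreeRADIUS itself). It assumes the Cistron-style syntax beyond the "Sa,Su" shown here (Wk for Mon to Fri, Any/Al for every day, an optional HHMM-HHMM range per token); the function names are mine.

```python
import re
from collections import namedtuple
from datetime import datetime

# Cistron/FreeRADIUS Login-Time syntax as I know it (an assumption beyond the
# "Sa,Su" shown on the list): comma-separated tokens, each a run of day names
# (Mo Tu We Th Fr Sa Su, Wk = Mon to Fri, Any/Al = every day), optionally
# followed by an HHMM-HHMM range, e.g. "Wk0800-1700,Sa,Su".
DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
DAY_RE = re.compile(r"Mo|Tu|We|Th|Fr|Sa|Su|Wk|Any|Al")
TOKEN_RE = re.compile(r"^(?P<days>(?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Any|Al)+)"
                      r"(?:(?P<start>\d{4})-(?P<end>\d{4}))?$")
MIN_PER_DAY = 24 * 60
MIN_PER_WEEK = 7 * MIN_PER_DAY

# session_timeout is the Session-Timeout value to send back, in seconds;
# None means the permitted window never closes (no timeout needed).
LoginDecision = namedtuple("LoginDecision", "allowed session_timeout")


def _hhmm(text):
    hours, minutes = int(text[:2]), int(text[2:])
    if hours > 24 or minutes > 59:
        raise ValueError("bad time %r" % text)
    return hours * 60 + minutes


def parse_login_time(spec):
    """Expand a Login-Time string into a per-minute bitmap of the week
    (index 0 = Monday 00:00), True where login is permitted."""
    allowed = [False] * MIN_PER_WEEK
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        m = TOKEN_RE.match(token)
        if not m:
            raise ValueError("bad Login-Time token %r" % token)
        days = set()
        for name in DAY_RE.findall(m.group("days")):
            if name == "Wk":
                days.update(range(5))
            elif name in ("Any", "Al"):
                days.update(range(7))
            else:
                days.add(DAYS.index(name))
        start = _hhmm(m.group("start")) if m.group("start") else 0
        end = _hhmm(m.group("end")) if m.group("end") else MIN_PER_DAY
        span = end - start if end > start else end + MIN_PER_DAY - start
        for day in days:
            for offset in range(span):
                # a range crossing midnight (e.g. 2200-0200) spills into the
                # next day; the modulo wraps Sunday night round to Monday
                allowed[(day * MIN_PER_DAY + start + offset) % MIN_PER_WEEK] = True
    return allowed


def check_login_time(spec, when):
    """Is a login at `when` permitted, and if so how many seconds remain
    until the permitted window closes? That remainder is what gets sent
    back as Session-Timeout, so a weekend-only user who connects Sunday
    at 23:00 is cut off at midnight rather than staying on all week."""
    allowed = parse_login_time(spec)
    now = when.weekday() * MIN_PER_DAY + when.hour * 60 + when.minute
    if not allowed[now]:
        return LoginDecision(False, None)
    remaining = 0
    while remaining < MIN_PER_WEEK and allowed[(now + remaining) % MIN_PER_WEEK]:
        remaining += 1
    if remaining == MIN_PER_WEEK:
        return LoginDecision(True, None)
    return LoginDecision(True, remaining * 60 - when.second)


if __name__ == "__main__":
    # 8 September 2002 was a Sunday: Miquel's case, 23:00 -> 3600 seconds
    print(check_login_time("Sa,Su", datetime(2002, 9, 8, 23, 0)))
```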





Re: radius re-authentication

2002-09-10 Thread Frank Cusack

On Tue, Sep 10, 2002 at 03:50:16PM -0700, Frank Cusack wrote:
> The only feasible way to implement this (as far as I can see) is if you
> are talking about PPP users that do CHAP.  Create a VSA which is a
> re-authorise timer.  It would be 20-40 or so of additional code in pppd
> and no additional code in the radius server.  This would not be load
> based.

Let me correct myself: no additional code anywhere.  From pppd(8):

   chap-interval n
  If  this option is given, pppd will rechallenge the
  peer every n seconds.

/fc




Re: radius re-authentication

2002-09-10 Thread Frank Cusack

On Wed, Sep 11, 2002 at 07:59:26AM +1000, Brett Maxfield wrote:
> I think that you are right, insofar as having re-authentication as part 
> of the radius server itself would be a very bad idea. From a design 
> point of view it should be a completely separate server, but for the 
> sake of reusability of freeradius rules it would make sense to package 
> such a program with freeradius.

Not really, such an application would never work well in practice.

The only feasible way to implement this (as far as I can see) is if you
are talking about PPP users that do CHAP.  Create a VSA which is a
re-authorise timer.  It would be 20-40 or so of additional code in pppd
and no additional code in the radius server.  This would not be load
based.

> If this were a separate daemon, it would be up to the user to decide if 
> they needed to run it. The problem i have with leaving kickoffs up to 
> the user's application, is that it means you have to duplicate the rules 
> you have already written as part of the radius daemon in a third party 
> application.

So write one up.  I doubt it will be well received.  (But if it *is* good,
no reason it wouldn't be included with freeradius.)  If you want to pursue
this at least start by generating a more fleshed out design ... so you can
be thoroughly flamed. :-)

/fc




Re: radius re-authentication

2002-09-10 Thread Brett Maxfield

Alan DeKok wrote:
> Brett Maxfield <[EMAIL PROTECTED]> wrote:
> 
>>My understanding is that authentication basically happens once, at 
>>logon. What i would like is for some external agent (not radius) to 
>>create a list of online users (via SNMP or Telnet/Finger) and 
>>periodically re-query that list of users against the radius server to 
>>see if they would be authenticated, based on the current situation.
> 
>   That's problematic, and I'm not sure it's a good idea.
> 
>   Do you really want to simplify the work of writing and enforcing
> timeouts in an application, by increasing the load on the RADIUS
> server and the network?

I think that you are right, insofar as having re-authentication as part 
of the radius server itself would be a very bad idea. From a design 
point of view it should be a completely separate server, but for the 
sake of reusability of freeradius rules it would make sense to package 
such a program with freeradius.

If this were a separate daemon, it would be up to the user to decide if 
they needed to run it. The problem I have with leaving kickoffs up to 
the user's application, is that it means you have to duplicate the rules 
you have already written as part of the radius daemon in a third party 
application.

As far as the network load of checking for users, it would have to be 
left up to the end user. If all the traffic between the kickoff server 
and the access servers is across an ethernet it might be acceptable.

Cheers
Brett





Re: radius re-authentication

2002-09-10 Thread Alan DeKok

Brett Maxfield <[EMAIL PROTECTED]> wrote:
> My understanding is that authentication basically happens once, at 
> logon. What i would like is for some external agent (not radius) to 
> create a list of online users (via SNMP or Telnet/Finger) and 
> periodically re-query that list of users against the radius server to 
> see if they would be authenticated, based on the current situation.

  That's problematic, and I'm not sure it's a good idea.

  Do you really want to simplify the work of writing and enforcing
timeouts in an application, by increasing the load on the RADIUS
server and the network?

> One solution would be to calculate the session time until the next time 
> the authentication would fail, say 12pm on sunday at logon. I guess this 
> could be done with scripts, but it makes the assumption your counter is 
> time for which there is a control.

  The Session-Timeout attribute is supposed to be used by any RADIUS
client to control session timeouts.  If the application ignores this
attribute, and implements timeouts via some other method, then it's
broken.

> This particular would fall down if you wanted to immediately stop a user 
> when they went over something like a bytes-downloaded-per-day counter.

  Which isn't a standard RADIUS attribute, precisely because it's so
hard to administer.

> Generic re-authorization would also allow you to kick off a user after 
> setting them to be disabled, as the next status check would have them 
> kicked off because they would fail authorization at that time.

  Then the application should take care of re-authorization.  It's
difficult for the RADIUS server to know when to kick the user off,
which is why there's no standard 'radkill'.

  Alan DeKok.




Re: radius re-authentication

2002-09-10 Thread Brett Maxfield

Frank Cusack wrote:
> On Wed, Sep 11, 2002 at 12:21:55AM +1000, Brett Maxfield wrote:
> 
> (ppp can rechallenge the user when doing chap; which I assume is what
> you are going for here--I can't think of another scenario where you
> re-authorise users)

My bad :)

My understanding is that authentication basically happens once, at 
logon. What I would like is for some external agent (not radius) to 
create a list of online users (via SNMP or Telnet/Finger) and 
periodically re-query that list of users against the radius server to 
see if they would be authenticated, based on the current situation.

An example of this is that you specify a group that says that user may 
only connect on saturdays and sundays, which is fine unless they connect 
late sunday and stay connected until the following saturday (I 
exaggerate just slightly to make my point)

One solution would be to calculate the session time until the next time 
the authentication would fail, say 12pm on sunday at logon. I guess this 
could be done with scripts, but it makes the assumption your counter is 
time for which there is a control.

This particular approach would fall down if you wanted to immediately stop a user 
when they went over something like a bytes-downloaded-per-day counter.

Generic re-authorization would also allow you to kick off a user after 
setting them to be disabled, as the next status check would have them 
kicked off because they would fail authorization at that time.

Cheers
Brett









Re: radius re-authentication

2002-09-10 Thread Frank Cusack

On Wed, Sep 11, 2002 at 12:21:55AM +1000, Brett Maxfield wrote:
> Hello,
> 
> I am looking for a copy of radkill or something similar. I have read the 
> FAQ and the site listed does not work (the name resolves, but there is 
> no route to host)
> 
> What I would like is to have a daemon periodically query the freeradius
> server and re-authorise online users, and if authorisation fails, kick 
> off each user that fails re-authentication.
> 
> Does anybody know of another ftp location (or an alternative program) ?

I don't, but I'm replying anyway because this is most interesting.  I
was just discussing with someone about how the Class attribute might
be incorrect in ppp when doing multiple authentications, but dropped
that as an academic point.  Your timing is amazing.

(ppp can rechallenge the user when doing chap; which I assume is what
you are going for here--I can't think of another scenario where you
re-authorise users)

Note that this is a well known broken part of ppp, for active attackers.
An active attacker can login as a user who is currently online by using
them as an oracle.  For dialup, it's probably a non-issue.  You may also
come across broken ppp's that don't respond to subsequent chap challenges.

The attack does not work if using MPPE since the key will still be unknown.
An active attacker can usually get around that via other means though.

/fc




radius re-authentication

2002-09-10 Thread Brett Maxfield

Hello,

I am looking for a copy of radkill or something similar. I have read the 
FAQ and the site listed does not work (the name resolves, but there is 
no route to host)

What I would like is to have a daemon periodically query the freeradius
server and re-authorise online users, and if authorisation fails, kick 
off each user that fails re-authentication.

Does anybody know of another ftp location (or an alternative program) ?

Cheers
Brett






Re: Authentication using login plus domain

2002-07-25 Thread Alan DeKok

"ntuser" <[EMAIL PROTECTED]> wrote:
> Is it possible to configure freeradius to authenticate both login and 
> login@domain and generate just one type of record in the accounting ? 

  Authentication is completely different than accounting, so the
answer is probably "no".

> For example, when a user logs on using username "jeff" 
> or "[EMAIL PROTECTED]", freeradius will generate a record with 
> just "jeff" in the accounting file, to make report 
> extraction easier. In this way, I will just search for entries with 
> the "jeff" authentication.

  That's what the Stripped-User-Name attribute is for.

  See 'nostrip' in raddb/proxy.conf

  Look for 'Stripped-User-Name' in raddb/sql.conf

  Alan DeKok.




Re: Authentication problem with PIX-515

2002-07-08 Thread Mario Vodopivec



It was a misspelled key ('1' and 'l' look the same in some fonts)...
It works OK now, I want to thank all the people who made freeradius...
Mario.

- Original Message - 
From: "Mario Vodopivec" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 05, 2002 4:14 PM
Subject: Authentication problem with PIX-515

> I am using FreeRadius 0.5 and Cisco PIX-515 Firewall.
> Authentication is denied and it looks exactly like the secret key is
> misspelled on PIX, however I already checked that and it is not. 'radtest'
> utility works just fine. Does anyone know if there is something specific
> with PIX that would cause this problem?
>
> Here is a portion of clients.conf file and the debug output:
>
> client 10.10.1.1 {
>     secret  = jg8d63196hfg
>     shortname   = pix
> }
>
> rad_recv: Access-Request packet from host 10.10.1.1:1645, id=74, length=57
>     User-Name = "mario"
>     NAS-IP-Address = 10.10.1.1
>     User-Password = "\303\035s.\343\000\255l\323\236Z\217DG*\033"
>     NAS-Port = 5
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_eap: EAP-Message not found
>   modcall[authorize]: module "eap" returns noop
>   modcall[authorize]: module "suffix" returns ok
> radius_xlat:  'mario'
> sql_escape in:  'mario'
> sql_escape out:  'mario'
> sql_set_user:  escaped user --> 'mario'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> Username = 'mario' ORDER BY id'
> rlm_sql: Reserving sql socket id: 4
> rlm_postgresql Status: PGRES_TUPLES_OK
> sql_postgresql: affected rows =
> radius_xlat:  'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
> ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
> usergroup.Username = 'mario' AND usergroup.GroupName =
> radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> rlm_postgresql Status: PGRES_TUPLES_OK
> sql_postgresql: affected rows =
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
> Username = 'mario' ORDER BY id'
> rlm_postgresql Status: PGRES_TUPLES_OK
> sql_postgresql: affected rows =
> radius_xlat:  'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
> ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
> usergroup.Username = 'mario' AND usergroup.GroupName =
> radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_postgresql Status: PGRES_TUPLES_OK
> sql_postgresql: affected rows =
> radius_xlat:  'SELECT Value,Attribute FROM radcheck WHERE UserName = 'mario'
> AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute =
> 'Crypt-Password' ) ORDER BY Attribute DESC'
> rlm_postgresql Status: PGRES_TUPLES_OK
> sql_postgresql: affected rows =
> rlm_sql: Released sql socket id: 4
>   modcall[authorize]: module "sql" returns ok
> modcall: group authorize returns ok
> auth: type Local
> auth: Failed to validate the user.
> Login incorrect: [mario/s\222,\252\031\362\217\314gw\371\352\345\350\260*]
> (from nas pix port 5)
>   WARNING: Unprintable characters in the password. ?  Double-check the
> shared secret on the server and the NAS!
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 74 to 10.10.1.1:1645
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 74 with timestamp 3d25f8e9
> Nothing to do.  Sleeping until we see a request.
>
>


Re: authentication / authorization

2002-02-28 Thread Alan DeKok

Florin Andrei <[EMAIL PROTECTED]> wrote:
> First, i have to say i'm impressed with its large number of
> authentication mechanisms.

  That's one of the design goals, which makes the server somewhat
useful.

> Which gave me an idea... Is it possible to use FreeRadius with MySQL
> to do only authorization (i see the authorization requests sent via
> SQL are fully customisable, which is excellent), but do the actual
> authentication via Radius proxy?

  Sure.  List SQL in 'authorize', but not in 'authenticate'

  But you don't even need to do that.  If 'authorize' says to proxy
the request, then the internal authentication isn't called, as the
proxy has done that for you.

  Alan DeKok.




RE: Authentication problem!!

2001-12-21 Thread Vijay Rana

Thanks a lot!!
What I really want to know is: while acting as a proxy, do we need to
generate any authentication key (or request authenticator) in the case of
an authentication server, as in the case of accounting?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: 21 December 2001 15:31
To: [EMAIL PROTECTED]
Subject: Re: Authentication problem!!

In reply to Vijay Rana <[EMAIL PROTECTED]>:

a little hint for you:

I use ic radius for authentication and accounting.
For testing it, I use another computer as a radius client; this machine
runs Windows, and on it I set up a piece of software called
Ntradping.
Ntradping is a tool for testing a Radius server.

Please test your radius server with this.

 
> Hi all,
>  
> I have been working on radius authentication stuff for some time. I
> have some problems which I'd like to clarify and hope you might help me out
> on this.
>  
> Can anyone tell me -- I am acting as a proxy and am adding a proxy
> state attribute to the access request message and then am generating the
> authenticator using the server shared secret key. Every time I am getting
> the access reject message from the server.
> Whereas in the case of accounting the same is working fine. Is there any
> difference between accounting authentication and the access request one?
>  
> Secondly, I'm receiving messages from the client. I want to decrypt the
> password and then encrypt the password with the server shared key. What are
> the different possible algorithms for doing this?
>  
> Thanks,
> Vijay  
>  
>  
> 






Re: Authentication problem!!

2001-12-21 Thread aland

"Vijay Rana" <[EMAIL PROTECTED]> wrote:
>  Can anyone tell me -- I am acting as a proxy and am adding a proxy state
> attribute to the access request message and then am generating the
> authenticator using the server shared secret key. Every time I am getting the
> access reject message from the server.
> Whereas in the case of accounting the same is working fine. Is there any
> difference between accounting authentication and the access request one?

  Yes.

  Are you doing this work all yourself?  It sounds like you're writing
your own code to do this.  Why?  The server does it already.

> Secondly, I'm receiving messages from the client. I want to decrypt the password
> and then encrypt the password with the server shared key. What are the different
> possible algorithms for doing this?

  Many.  But you don't do that.  The server takes care of it for you,
IF it's necessary.

  Alan DeKok.
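The difference Alan answers "Yes" to above, and the "Unprintable characters in the password" warning from the PIX-515 thread further up, as an added Python example (not from the list or from FreeRADIUS): RFC 2865 User-Password hiding, the RFC 2866 Accounting-Request authenticator, and what a proxy has to redo before forwarding. Secrets, user names and the Proxy-State value are constructed; the function names are mine.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, USER_PASSWORD, PROXY_STATE = 1, 2, 33  # attribute types, RFC 2865


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each block with MD5(secret +
    previous block); block one is keyed by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; a wrong secret yields garbage, never an error."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def looks_printable(password):
    """The heuristic behind FreeRADIUS's "Unprintable characters in the
    password" warning: a secret mismatch decodes to non-ASCII garbage."""
    return all(0x20 <= b < 0x7F for b in password)


def encode_attrs(attrs):
    """Attribute-Value Pairs: Type (1) | Length (1, header included) | Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        length = body[i + 1] if i + 1 < len(body) else 0
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((body[i], body[i + 2:i + length]))
        i += length
    return attrs


def build_request(code, identifier, secret, attrs, request_auth=None):
    """Access-Request: the Request Authenticator is 16 random octets.
    Accounting-Request: it is MD5(Code+ID+Length+16 zero octets+attrs+secret)
    (RFC 2866 s3), so it also integrity-protects the record."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    if code == ACCOUNTING_REQUEST:
        auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    else:
        auth = request_auth or secrets.token_bytes(16)
    return header + auth + body


def build_access_request(identifier, secret, username, password):
    """NAS side: draw the authenticator first, then hide the password under it."""
    auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, auth))]
    return build_request(ACCESS_REQUEST, identifier, secret, attrs, auth)


def password_from_access_request(packet, secret):
    """Server side: recover the password before checking it against the DB."""
    for t, v in decode_attrs(packet[20:]):
        if t == USER_PASSWORD:
            return reveal_password(v, secret, packet[4:20])


def verify_accounting_request(packet, secret):
    """Server or proxy side: check the record before trusting it."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def proxy_access_request(packet, nas_secret, home_secret, new_id, state):
    """Proxy side: recover User-Password under the NAS secret and incoming
    authenticator, draw a fresh authenticator, re-hide under the home
    server's secret, and append Proxy-State so the reply can be matched."""
    incoming_auth, new_auth = packet[4:20], secrets.token_bytes(16)
    attrs = []
    for t, v in decode_attrs(packet[20:]):
        if t == USER_PASSWORD:
            clear = reveal_password(v, nas_secret, incoming_auth)
            v = hide_password(clear, home_secret, new_auth)
        attrs.append((t, v))
    attrs.append((PROXY_STATE, state))
    return build_request(ACCESS_REQUEST, new_id, home_secret, attrs, new_auth)
```

Forwarding the hidden User-Password octets unchanged under a different secret, or reusing the incoming authenticator, is exactly what turns into an Access-Reject at the home server.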




Re: Authentication problem!!

2001-12-21 Thread belone

In reply to Vijay Rana <[EMAIL PROTECTED]>:

a little hint for you:

I use ic radius for authentication and accounting.
For testing it, I use another computer as a radius client; this machine runs
Windows, and on it I set up a piece of software called Ntradping.
Ntradping is a tool for testing a Radius server.

Please test your radius server with this.

 
> Hi all,
>  
> I have been working on radius authentication stuff for some time. I have
> some problems which I'd like to clarify and hope you might help me out
> on this.
>  
>  Can anyone tell me -- I am acting as a proxy and am adding a proxy state
> attribute to the access request message and then am generating the
> authenticator using the server shared secret key. Every time I am getting the
> access reject message from the server.
> Whereas in the case of accounting the same is working fine. Is there any
> difference between accounting authentication and the access request one?
>  
> Secondly, I'm receiving messages from the client. I want to decrypt the password
> and then encrypt the password with the server shared key. What are the different
> possible algorithms for doing this?
>  
> Thanks,
> Vijay  
>  
>  
> 




Re: Authentication by MAC address

2001-11-22 Thread Brandt Everett

Is there a way to use a DHCP server and radius to authenticate?  If they have
a valid MAC address then assign them an IP out of Pool A, if they do not
have a valid MAC, assign them an IP out of Pool B.

Brandt

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 22, 2001 7:04 AM
Subject: Re: Authentication by MAC address


> "Kevin" <[EMAIL PROTECTED]> wrote:
> > Does anyone know if this radius server can be configured to authenticate
by
> > MAC address instead of username and password?
>
>   The RADIUS server can make authentication decisions on anything in
> the packet.
>
>   So... if your NAS sends the MAC address in a RADIUS attribute, the
> answer is 'yes'.  If not, the answer is 'no'.
>
>   Alan DeKok.
>
>





Re: Authentication by MAC address

2001-11-22 Thread aland

"Kevin" <[EMAIL PROTECTED]> wrote:
> Does anyone know if this radius server can be configured to authenticate by
> MAC address instead of username and password?

  The RADIUS server can make authentication decisions on anything in
the packet.

  So... if your NAS sends the MAC address in a RADIUS attribute, the
answer is 'yes'.  If not, the answer is 'no'.

  Alan DeKok.




Re: Authentication

2001-09-30 Thread Bauchi

Hello Dan Houtz,

On Sunday, 30 September 2001 at 08:14 you wrote:

DH> I'm currently testing FreeRadius for a new ISP that I'm currently setting up.
DH> This is my first time running one with linux. I've always used NT so this is
DH> all new for me. Anyway, I'm authenticating against the linux system accounts.
DH> The problem I ran into is that I don't want these customers to be able to
DH> telnet into the system. To stop this I set their shell to /bin/false.
DH> This stops them from telnetting in but it also causes FreeRadius to respond
DH> with a reject. Am I going about this in the wrong way? Your assistance is
DH> appreciated.

DH> Thanks,

DH> Dan Houtz

hi,
we use /bin/passwd ... so telnetting to the radius machine results
in a 'change your password' prompt...
ppl can change their passwords easily, but not login ...
it worked fine with cistron and with freeradius 0.2 :)

bye


-- 
Kind regards
Bauchi   mailto:[EMAIL PROTECTED]






Re: Authentication

2001-09-30 Thread Jorge Minassian



Dan, Hi,

Did you try to add "bin/false" to /etc/shells?

I also use /bin/false to avoid telnet (actually I no longer use telnet ... :-),
and use radius validation against system, and everything works fine.

At least using Cistron; I suppose it should be ok with freeradius also.


Jorge.


- Original Message - 
From: Dan Houtz
To: [EMAIL PROTECTED]
Sent: Sunday, September 30, 2001 3:14 AM
Subject: Authentication


I'm currently testing FreeRadius for a new ISP that I'm currently setting up.
This is my first time running one with linux. I've always used NT so this is
all new for me. Anyway, I'm authenticating against the linux system accounts.
The problem I ran into is that I don't want these customers to be able to
telnet into the system. To stop this I set their shell to /bin/false. This
stops them from telnetting in but it also causes FreeRadius to respond with a
reject. Am I going about this in the wrong way? Your assistance is appreciated.

Thanks,
Dan Houtz


Re: Authentication

2001-08-22 Thread Chris Parker

At 09:49 PM 8/21/2001 -0500, you wrote:
>Can free radius authenticate on a MAC address?
>if so
>will all of the auditing information be available?

It depends on what NAS you are using, and what you mean by 'authenticate
on a MAC address'.

I'm going to hazard a guess you are doing some type of wireless/dsl/broadband
type service.  I know of a few people who are using a radius backend to
authenticate users on that type of network, so I would say that in the
general case it is possible.  Not knowing your specific case, it's hard to
state with any certainty whether it will work.

Give it a try, you've got nothing to lose at this point.  :)

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Authentication

2001-08-22 Thread Miquel van Smoorenburg

In article <[EMAIL PROTECTED]>,
Lawrence E. Powell SR. <[EMAIL PROTECTED]> wrote:
>Can free radius authenticate on a MAC address?

That completely depends on what the NAS sends to the radius server.
If the NAS sends the MAC address, you can probably authenticate on it.

>if so
>will all of the auditing information be available?

Again, depends on the NAS. The radius server will log all accounting
packets that the NAS sends it, nothing more, nothing less.

Mike.
-- 
"Answering above the original message is called top posting. Sometimes
 also called the Jeopardy style. Usenet is Q & A not A & Q." -- Bob Gootee

