Re: Help me !!!

2003-12-20 Thread Alan DeKok
Prasad Yaramti <[EMAIL PROTECTED]> wrote:
> Help me how to store the username and password in the server, how to
> authenticate?  How to pass my username and password to the server ???

  Read the FAQ.  It explains how to do this.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help me !!!

2003-12-20 Thread Julius Igugu
Can you give more details of your setup?

Prasad Yaramti <[EMAIL PROTECTED]> wrote:

Hi there,

I am new to this RADIUS authentication concept; actually my requirement is to check user name and password via a RADIUS server. In this aspect I have to pass the user name and password to RADIUS and get authenticated.
Help me how to store the username and password in the server, how to authenticate?  How to pass my username and password to the server?

Thanks in advance for your help

Regards,
Prasad.



Re: Help

2003-12-15 Thread Alan DeKok
Shashidhara S Bapat <[EMAIL PROTECTED]> wrote:
> I have a windows user connected through AP600 (NAS), and it is not
> responding. (I ran 'radiusd' with -X option ..and found it not showing
> any message, when the windows-user tried to access. It's allowing user
> to access the NAS without asking for any password).

  Then it's a problem with the NAS configuration.  Nothing you do to
FreeRADIUS will help.

  Alan DeKok.



Re: Help with ldap and pap

2003-12-08 Thread Alan DeKok
"Rick Whitley" <[EMAIL PROTECTED]> wrote:
> Please forgive my ignorance here. There is much about this I do not
> understand. I am using the Alfa&Ariss client.

  Please pick a subject, ONE subject, and stick to it.  Also, if
you're not going to answer my questions, there isn't much incentive
for me to help you, is there?

>  If it is sending eap packetts and those packetts do not contain a
> pap password does that mean I can't use pap? Should I consider
> another method?

  It means that what I told you was correct.  Now go do as I said, and
stop asking irrelevant questions.  Instead, *educate* yourself as to
what's going on.  Buy the RADIUS book.  Read all of the documentation,
and all of the comments in 'radiusd.conf' before asking more
questions.

  Also, describe *problems*, not *solutions*.  You're stuck on PAP
because you don't know how the server works.  Stop trying to figure
out how to use PAP to solve a problem you don't understand.


  If you configure the LDAP module to pull a password out of an LDAP
database for a user, then almost all of the authentication methods in
the server will work AUTOMATICALLY.

  Alan DeKok.




Re: Help with ldap and pap

2003-12-08 Thread Rick Whitley
Please forgive my ignorance here. There is much about this I do not
understand. I am using the Alfa&Ariss client. If it is sending eap
packetts and those packetts do not contain a pap password does that mean
I can't use pap? Should I consider another method?

rick...
Rom.5:8

>>> [EMAIL PROTECTED] 12/08/03 03:27PM >>>
"Rick Whitley" <[EMAIL PROTECTED]> wrote:
> Thanks for the info...should I comment out the eap module in
radiusd?

  Huh?  Can you explain to me why you would think that was necessary?

  Your client is sending EAP packets.  How are you going to
authenticate them, if you don't use the EAP module?

  Alan DeKok.



Re: Help with ldap and pap

2003-12-08 Thread Alan DeKok
"Rick Whitley" <[EMAIL PROTECTED]> wrote:
> Thanks for the info...should I comment out the eap module in radiusd?

  Huh?  Can you explain to me why you would think that was necessary?

  Your client is sending EAP packets.  How are you going to
authenticate them, if you don't use the EAP module?

  Alan DeKok.



Re: Help with ldap and pap

2003-12-08 Thread Rick Whitley
Thanks for the info...should I comment out the eap module in radiusd?
Now reading rlm_ldap.


rick...
Rom.5:8

>>> [EMAIL PROTECTED] 12/08/03 03:18PM >>>
"Rick Whitley" <[EMAIL PROTECTED]> wrote:
> I am running freeradius snapshot 20030922. I need to get pap working
> with ldap. How do I set the password attribute for pap? Where do I
look
> in the docs to provide this info? 

  doc/rlm_ldap should be a place to start.

> users:
> 
> DEFAULT   Auth-Type := pap

  Don't do that.

> rad_recv: Access-Request packet from host 10.5.50.115:1645, id=164,
> length=126
...
> EAP-Message = 0x0201000c01696e7374616c6c

  EAP messages don't contain PAP passwords.  So setting "Auth-Type :=
PAP" won't work.




Re: Help with ldap and pap

2003-12-08 Thread Alan DeKok
 sent previous message too soon

> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type pap
> auth: type "PAP"
> modcall: entering group authtype
> rlm_pap: Attribute "Password" is required for authentication.
>   modcall[authenticate]: module "pap" returns invalid
> modcall: group authtype returns invalid
> auth: Failed to validate the user.

  See?  That won't work.

  Why don't you try authenticating the user *without* editing the
"users" file, to see if it works?  Odds are that once you point the
server to an LDAP database, then PAP, EAP, and everything else will
work automatically.

 Alan DeKok.



Re: Help with ldap and pap

2003-12-08 Thread Alan DeKok
"Rick Whitley" <[EMAIL PROTECTED]> wrote:
> I am running freeradius snapshot 20030922. I need to get pap working
> with ldap. How do I set the password attribute for pap? Where do I look
> in the docs to provide this info? 

  doc/rlm_ldap should be a place to start.

> users:
> 
> DEFAULT   Auth-Type := pap

  Don't do that.

> rad_recv: Access-Request packet from host 10.5.50.115:1645, id=164,
> length=126
...
> EAP-Message = 0x0201000c01696e7374616c6c

  EAP messages don't contain PAP passwords.  So setting "Auth-Type :=
PAP" won't work.


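Added example (not part of the original thread, and not FreeRADIUS code): decoding the EAP-Message value quoted above shows why PAP cannot validate this request. The packet is an EAP-Response/Identity that carries only a name. The `SAMPLE_REQUEST` dictionary and the `credential_kinds` helper are constructed for illustration; only the EAP-Message hex string comes from the debug output in the thread.

```python
import struct

# EAP header codes and a few method type numbers (RFC 3748, IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}


def parse_eap(hex_value):
    """Decode one EAP packet given as the hex string that 'radiusd -X' prints."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    packet = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
              "id": ident, "length": length, "type": None, "data": b""}
    # Only Request and Response packets carry a type octet and type data.
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a type octet")
        eap_type = raw[4]
        packet["type"] = EAP_TYPES.get(eap_type, "Unknown(%d)" % eap_type)
        packet["data"] = raw[5:length]
    return packet


def credential_kinds(request):
    """Hypothetical helper: which credential-bearing attributes are present."""
    kinds = []
    if "User-Password" in request:
        kinds.append("PAP")
    if "CHAP-Password" in request:
        kinds.append("CHAP")
    if "EAP-Message" in request:
        kinds.append("EAP")
    return kinds


# Constructed request: the EAP-Message value is the one quoted in the thread,
# the User-Name is an assumption taken from the decoded identity.
SAMPLE_REQUEST = {
    "User-Name": "install",
    "EAP-Message": "0x0201000c01696e7374616c6c",
}

if __name__ == "__main__":
    eap = parse_eap(SAMPLE_REQUEST["EAP-Message"])
    print("EAP %s/%s id=%d identity=%r" % (
        eap["code"], eap["type"], eap["id"], eap["data"].decode("ascii")))
    print("credentials present:", credential_kinds(SAMPLE_REQUEST))
```

With no User-Password attribute in the request, forcing the PAP module onto it gives the module nothing to compare, which matches the rlm_pap error in the debug output.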


RE: Help with RLM MYSQL

2003-12-03 Thread Patrick de Ruiter
Hmm,

You probably forgot to install the mysql devel rpm.

Cheers
Patrick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Breuer
Nicolas - BelCenter.com
Sent: Wednesday, 3 December 2003 10:55
To: [EMAIL PROTECTED]
Subject: Help with RLM MYSQL



 Hello

 I have a big prob..

 I would like to use the rlm sql mysql module..
 My os is redhat 9 and i can't install and use this module..

 When i do a config , make & make install
 (in dynamic or static), all module 'll be loaded
 except mysql

rlm_sqlippool: Could not link driver rlm_sql_mysql: file not found
rlm_sqlippool: Make sure it (and all its dependent libraries!) are in
the search path of your system's ld.

I add my libdir to ld.conf and run ldconfig , same probs.

 Please help me

 Thanks
 Nico



Re: Help with RLM MYSQL

2003-12-03 Thread Bill Campbell
On Wed, Dec 03, 2003, Breuer Nicolas - BelCenter.com wrote:
>
> Hello
>
> I have a big prob..
>
> I would like to use the rlm sql mysql module..
> My os is redhat 9 and i can't install and use this module..

I just ran into this last week when building freeradius under the
OpenPKG.org packaging system.

If your mysql headers and libraries aren't in /usr/local/include and
/usr/local/lib or similar standard locations or aren't installed at all,
you probably have to do a couple of things:

  1.  You may need to install the mysql-devel RPM on your RH system if the
  headers and libraries aren't there (I'm not very familiar with RH RPM
  structures, currently using SuSE, formerly Caldera Linux).

  2.  You may have to add a couple of options to your configure:
   ./configure \
  --with-mysql-include-dir=path_to_mysql_headers \
  --with-mysql-lib-dir=path_to_mysql_libraries \
  ...

The base ./configure script doesn't give the options for mysql or
postgresql, and probably some others.  I found them by running
``./configure --help'' in the appropriate directories.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Systems, Inc.
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``The who nation is interested that the best use shall be made of these
[new] territories.  We want them for the homes of free white people''
-- Abraham Lincoln, Octobe 16, 1854



Re: Help with RLM MYSQL

2003-12-03 Thread Breuer Nicolas - BelCenter.com

 List of files I have

config.log
configure
db_mysql.sql
Makefile.in
rlm_sql_mysql.la
sql_mysql.lo
config.status
configure.in
Makefile
rlm_sql_mysql.a
sql_mysql.c
sql_mysql.o


On 3 Dec 2003 at 11:16, Arthur B Olsen wrote:

> The file is missing. Go to
> $(radiussource)/src/modules/rlm_sql/drivers/rlm_sql_mysql/ and see if
> it is built.
>
> On Wednesday 03 December 2003 09:55, Breuer Nicolas - BelCenter.com
> wrote:
> >  Hello
> >
> >  I have a big prob..
> >
> >  I would like to use the rlm sql mysql module..
> >  My os is redhat 9 and i can't install and use this module..
> >
> >  When i do a config , make & make install
> >  (in dynamic or static), all module 'll be loaded
> >  except mysql
> >
> > rlm_sqlippool: Could not link driver rlm_sql_mysql: file not found
> > rlm_sqlippool: Make sure it (and all its dependent libraries!) are in
> > the search path of your system's ld.
> >
> > I add my libdir to ld.conf and run ldconfig , same probs.
> >
> >  Please help me
> >
> >  Thanks
> >  Nico
>
> --
> Arthur B Olsen
> P/F Teletech
> J.C. Svabosgøta 8
> 100 Tórshavn
> Tlf: 317265
> Mobil:220781
> Email:[EMAIL PROTECTED]
>



BREUER NICOLAS
Content & Marketing Manager

** BELCENTER ISP & PORTALS **
Avenue Henri Conscience, 94
B -1140 Bruxelles

** HelpDesk : 0902/40.120 **
Tél. :+32 2 243 0 243
Fax :+32 2 243 0 244

E Mail : [EMAIL PROTECTED]

http://www.BelCenter.com | http://www.BelCenter.net
http://www.LuxCenter.net  | http://www.BulkSMS.be











Re: Help with RLM MYSQL

2003-12-03 Thread Arthur B Olsen
The file is missing. Go to 
$(radiussource)/src/modules/rlm_sql/drivers/rlm_sql_mysql/ and see if it is 
built. 

On Wednesday 03 December 2003 09:55, Breuer Nicolas - BelCenter.com wrote:
>  Hello
>
>  I have a big prob..
>
>  I would like to use the rlm sql mysql module..
>  My os is redhat 9 and i can't install and use this module..
>
>  When i do a config , make & make install
>  (in dynamic or static), all module 'll be loaded
>  except mysql
>
> rlm_sqlippool: Could not link driver rlm_sql_mysql: file not found
> rlm_sqlippool: Make sure it (and all its dependent libraries!) are in
> the search path of your system's ld.
>
> I add my libdir to ld.conf and run ldconfig , same probs.
>
>  Please help me
>
>  Thanks
>  Nico
>

-- 
Arthur B Olsen
P/F Teletech
J.C. Svabosgøta 8
100 Tórshavn
Tlf: 317265
Mobil:220781
Email:[EMAIL PROTECTED]



Re: Help with EAP/TLS config

2003-12-01 Thread Alan DeKok
"John Furman" <[EMAIL PROTECTED]> wrote:
> I am wondering if anyone has some pointers on how I should proceed from
> here.  I am at a loss as to why this isn't working.  Output and version
> info below.

  I'd say you're using an older version of the server.  Upgrade to
0.9.3, or the CVS snapshot.

  Alan DeKok.



Re: Help!

2003-11-02 Thread Alan DeKok
"Åíΰ" <[EMAIL PROTECTED]> wrote:
> When I'm compiling radiusd-02.28.02, the following errors occur:
> rlm_dbm_parser.o: In function `open_storage':
> /usr/src/802/radius/radiusd/src/modules/rlm_dbm/rlm_dbm_parser.c:101:
> undefined reference to `dbm_open'

  If you're not using rlm_dbm, simply delete that directory.

  Alan DeKok.



Re: Help on FreeBSD.

2003-10-16 Thread Sancho2k.net Lists
Roger Cates wrote:

> We are trying to set up FreeRadius on a FreeBSD 4.8 system. For some
> reason it won't compile. It complained about not having gnu make, so I
> downloaded, compiled and installed gnu make and it still says it can't
> find it.
> Are there any switches or flags I need to adjust?

Once you've installed gmake from ports, run 'gmake' instead of 'make' 
during your installation.

DS



Re: help

2003-09-18 Thread Alan DeKok
"arniel" <[EMAIL PROTECTED]> wrote:
>  Can anyone tell me how to make EAP-TLS and PAM work together? or
> EAP-TLS and a Windows Active Directory work together?

  You can't.  They're not designed to work together.

>  I want my Users to authenticate based on the /etc/passwd of my
> linux box..  or users in my active directory? aside from the
> "whatever" shared secret authentication and certificate..

  Use EAP-TTLS, and require a client-side certificate.

  EAP-TLS authenticates anyone who has a client certificate which has
been signed by the root certificate.  No password is required, and no
password will ever be supplied.

  Alan DeKok.



Re: help with freeradius 0.9.0, Active Directory, and MS-CHAPv2

2003-09-04 Thread Sean Perry
Paul Hampson wrote:
> >   Yet, somehow, IAS does CHAP against AD.  Is anyone willing to bet
> > *against* the idea that Microsoft has one API for customers, and
> > another, better API for themselves?
>
> So surely you could proxy CHAP requests to IAS, and authenticate other
> requests using the superior powers of FreeRADIUS. You'd end up with
> a post-proxy section that looks a lot like your post-auth section.
>
> I'm probably terribly terribly wrong here, but to my mind you _should_
> be able to. After all, MS _have_ supplied a RADIUS interface to the
> passwords on the server, which seems an improvement over having to
> write the W32API authentication calls yourself.

In my case I am ONLY using Radius for our VPN and do not really expect 
this to change.  While I would like to use freeradius it does not make 
much sense to do so.  For others your suggestion probably makes more sense.





RE: help with freeradius 0.9.0, Active Directory, and MS-CHAPv2

2003-09-04 Thread Paul Hampson
> From: Alan DeKok
> Sent: Thursday, 4 September 2003 11:46 PM

> Sean Perry <[EMAIL PROTECTED]> wrote:
> > I am trying to setup a Linux VPN.  Most of the pieces are now in place. 
> >   I am trying to authenticate against radius which in turn will 
> > authenticate against our existing Active Directory server.

>   People have done this.  To a certain extent, AD is just another LDAP
> server.

> > Is this possible?

>   Not with CHAP.  AD doesn't allow you to look at the users clear-text
> passwords, so CHAP is impossible.

>   Yet, somehow, IAS does CHAP against AD.  Is anyone willing to bet
> *against* the idea that Microsoft has one API for customers, and
> another, better API for themselves?

So surely you could proxy CHAP requests to IAS, and authenticate other
requests using the superior powers of FreeRADIUS. You'd end up with
a post-proxy section that looks a lot like your post-auth section.

I'm probably terribly terribly wrong here, but to my mind you _should_
be able to. After all, MS _have_ supplied a RADIUS interface to the
passwords on the server, which seems an improvement over having to
write the W32API authentication calls yourself.

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




Re: help with freeradius 0.9.0, Active Directory, and MS-CHAPv2

2003-09-04 Thread Sean Perry
Alan DeKok wrote:
> Sean Perry <[EMAIL PROTECTED]> wrote:
> > >   Not with CHAP.  AD doesn't allow you to look at the users clear-text
> > > passwords, so CHAP is impossible.
> >
> > I have solved this in other cases by using the password to rebind as the
> > user.  If the bind fails the password is incorrect.  What I have not
> > seen is a way to get the password out of CHAP.  Is this a viable solution??
>
>   No.  As I had said above, it's impossible.

Thanks Alan.

When I started this project it looked like all of the pieces were there. 
Now the next person will be able to find this thread and know about 
the issues.

Looks like I am going to try the IAS authentication approach and see how 
it works.





Re: help with freeradius 0.9.0, Active Directory, and MS-CHAPv2

2003-09-04 Thread Alan DeKok
Sean Perry <[EMAIL PROTECTED]> wrote:
> >   Not with CHAP.  AD doesn't allow you to look at the users clear-text
> > passwords, so CHAP is impossible.
> 
> I have solved this in other cases by using the password to rebind as the 
> user.  If the bind fails the password is incorrect.  What I have not 
> seen is a way to get the password out of CHAP.  Is this a viable solution??

  No.  As I had said above, it's impossible.

  Alan DeKok.



Re: help with freeradius 0.9.0, Active Directory, and MS-CHAPv2

2003-09-04 Thread Sean Perry
Alan DeKok wrote:
> Sean Perry <[EMAIL PROTECTED]> wrote:
> > I am trying to setup a Linux VPN.  Most of the pieces are now in place.
> > I am trying to authenticate against radius which in turn will
> > authenticate against our existing Active Directory server.
>
>   People have done this.  To a certain extent, AD is just another LDAP
> server.

yeah, I have it working in other applications like apache so I know it 
can be done.

> > Looking through the archives I see several people try but no real
> > responses.  Ron Wahler claims to have Active Directory working but he
> > was not using chap.
> >
> > Is this possible?
>
>   Not with CHAP.  AD doesn't allow you to look at the users clear-text
> passwords, so CHAP is impossible.

I have solved this in other cases by using the password to rebind as the 
user.  If the bind fails the password is incorrect.  What I have not 
seen is a way to get the password out of CHAP.  Is this a viable solution??

>   Yet, somehow, IAS does CHAP against AD.  Is anyone willing to bet
> *against* the idea that Microsoft has one API for customers, and
> another, better API for themselves?

it is not entirely unreasonable to believe they have a CHAP --> Kerberos 
interface.  But I agree with you, they definitely make life harder for 
the rest of us.





Re: help with freeradius 0.9.0, Active Directory, and MS-CHAPv2

2003-09-04 Thread Alan DeKok
Sean Perry <[EMAIL PROTECTED]> wrote:
> I am trying to setup a Linux VPN.  Most of the pieces are now in place. 
>   I am trying to authenticate against radius which in turn will 
> authenticate against our existing Active Directory server.

  People have done this.  To a certain extent, AD is just another LDAP
server.

> Looking through the archives I see several people try but no real 
> responses.  Ron Wahler claims to have Active Directory working but he 
> was not using chap.
> 
> Is this possible?

  Not with CHAP.  AD doesn't allow you to look at the users clear-text
passwords, so CHAP is impossible.

  Yet, somehow, IAS does CHAP against AD.  Is anyone willing to bet
*against* the idea that Microsoft has one API for customers, and
another, better API for themselves?

  Alan DeKok.

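Added example (not part of the original thread, and not FreeRADIUS code): the CHAP computation from RFC 1994, showing why the verifier must hold the cleartext password and why a rebind-as-the-user check has nothing to bind with. The password, challenge, CHAP identifier, the SHA-256 stand-in for "a directory that only exposes a one-way hash", and the `bind_style_check` helper are all constructed assumptions.

```python
import hashlib
import hmac


def chap_response(chap_id, secret, challenge):
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def client_chap_password(chap_id, password, challenge):
    """RADIUS CHAP-Password attribute: 1 identifier octet + 16 response octets."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(chap_password, challenge, stored_secret):
    """Server side: recompute the digest from whatever secret the server holds."""
    if len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(response, expected)


def bind_style_check(request, directory_bind):
    """Hypothetical rebind-as-user check: it needs a cleartext password
    taken from the request. Returns None when the request has none."""
    password = request.get("User-Password")
    if password is None:
        return None
    return directory_bind(request["User-Name"], password)


# Constructed sample values.
PASSWORD = b"s3cret-constructed"
CHALLENGE = bytes(range(16))
CHAP_ID = 7


def demo():
    attr = client_chap_password(CHAP_ID, PASSWORD, CHALLENGE)
    chap_request = {"User-Name": "sean", "CHAP-Password": attr}
    pap_request = {"User-Name": "sean", "User-Password": PASSWORD}

    def directory_bind(user, pw):
        # Stand-in for an LDAP bind that succeeds on the right password.
        return pw == PASSWORD

    one_way_hash = hashlib.sha256(PASSWORD).digest()  # all the server can see
    return {
        # Server holding the cleartext can recompute the digest.
        "cleartext_store": verify_chap(attr, CHALLENGE, PASSWORD),
        # Server holding only a one-way hash cannot.
        "hash_only_store": verify_chap(attr, CHALLENGE, one_way_hash),
        # Rebind works for PAP, where the password is in the request...
        "bind_with_pap": bind_style_check(pap_request, directory_bind),
        # ...and has nothing to work with for CHAP.
        "bind_with_chap": bind_style_check(chap_request, directory_bind),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```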


Re: help with freeradius 0.9.0, Active Directory, and MS-CHAPv2

2003-09-03 Thread Alan Lehman
Sean Perry wrote:
> I am trying to setup a Linux VPN.  Most of the pieces are now in place.
> I am trying to authenticate against radius which in turn will
> authenticate against our existing Active Directory server.
>
> Looking through the archives I see several people try but no real
> responses.  Ron Wahler claims to have Active Directory working but he
> was not using chap.
>
> Is this possible?





It is theoretically possible. You will need to install Internet Authentication Service, which is MS's RADIUS server. I've used IAS 
with Cisco devices, but I'm still trying to get pam_radius_auth to work on my RH9 system so I can try it with that.



RE: help,help again

2003-08-14 Thread Sun


I'm more dumb.
Fortunately, I have cisco catalyst 2950, one computer and one lan connection
Could you give me step by step configuration from beginning please!!!
:)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ÍõÕñ¹ú
Sent: Wednesday, August 06, 2003 12:00 AM
To: [EMAIL PROTECTED]
Subject: help,help

hello,freeradius-users!
I installed the freeradius0.9.0 and configed with cisco2950,the database is 
mysql,now the authentication is correct,
but the accounting is not .

what should I do?

my radiusd.conf :

#
#  Accounting.  Log the accounting data.
#
accounting {
#
#  Ensure that we have a semi-unique identifier for every
#  request, and many NAS boxes are broken.
acct_unique

#
#  Create a 'detail'ed log of the packets.
#  Note that accounting requests which are proxied
#  are also logged in the detail file.
detail
daily

unix# wtmp file

#
#  For Simultaneous-Use tracking.
#
#  Due to packet losses in the network, the data here
#  may be incorrect.  There's little we can do about it.
radutmp
#   sradutmp

#  Return an address to the IP Pool when we see a stop record.
#   main_pool
sql
}   
    [EMAIL PROTECTED]
      2003-08-06





RE: help,help again

2003-08-14 Thread Tim Rich, Jr.
Configuration of which? freeRADIUS? the CISCO 2950?
Tim 

-Original Message-
From: Sun [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 11:51 PM
To: [EMAIL PROTECTED]
Subject: RE: help,help again




I'm more dumb.
Fortunately, I have cisco catalyst 2950, one computer and one lan connection
Could you give me step by step configuration from beginning please!!!
:)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ÍõÕñ¹ú
Sent: Wednesday, August 06, 2003 12:00 AM
To: [EMAIL PROTECTED]
Subject: help,help

hello,freeradius-users!
I installed the freeradius0.9.0 and configed with cisco2950,the
database is mysql,now the authentication is correct,
but the accounting is not .

what should I do?

my radiusd.conf :

#
#  Accounting.  Log the accounting data.
#
accounting {
#
#  Ensure that we have a semi-unique identifier for every
#  request, and many NAS boxes are broken.
acct_unique

#
#  Create a 'detail'ed log of the packets.
#  Note that accounting requests which are proxied
#  are also logged in the detail file.
detail
daily

unix# wtmp file

#
#  For Simultaneous-Use tracking.
#
#  Due to packet losses in the network, the data here
#  may be incorrect.  There's little we can do about it.
radutmp
#   sradutmp

#  Return an address to the IP Pool when we see a stop record.
#   main_pool
sql
}   
    [EMAIL PROTECTED]
      2003-08-06





RE: help,help again

2003-08-14 Thread Sun
Hmmmall ???
Maybe from OS
Continue with switch device
May i
I just a new fresh user :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Rich
Sent: Wednesday, August 06, 2003 11:00 AM
To: '[EMAIL PROTECTED]'
Subject: RE: help,help again

Configuration of which? freeRADIUS? the CISCO 2950?
Tim 

-Original Message-
From: Sun [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 11:51 PM
To: [EMAIL PROTECTED]
Subject: RE: help,help again




I'm more dumb.
Fortunately, I have cisco catalyst 2950, one computer and one lan connection
Could you give me step by step configuration from beginning please!!!
:)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ÍõÕñ¹ú
Sent: Wednesday, August 06, 2003 12:00 AM
To: [EMAIL PROTECTED]
Subject: help,help

hello,freeradius-users!
I installed the freeradius0.9.0 and configed with cisco2950,the
database is mysql,now the authentication is correct,
but the accounting is not .

what should I do?

my radiusd.conf :

#
#  Accounting.  Log the accounting data.
#
accounting {
#
#  Ensure that we have a semi-unique identifier for every
#  request, and many NAS boxes are broken.
acct_unique

#
#  Create a 'detail'ed log of the packets.
#  Note that accounting requests which are proxied
#  are also logged in the detail file.
detail
daily

unix# wtmp file

#
#  For Simultaneous-Use tracking.
#
#  Due to packet losses in the network, the data here
#  may be incorrect.  There's little we can do about it.
radutmp
#   sradutmp

#  Return an address to the IP Pool when we see a stop record.
#   main_pool
sql
}   
    [EMAIL PROTECTED]
      2003-08-06





Re: Help Needed Regarding Accounting in FreeRadius with / without MySql

2003-07-30 Thread Oliver Graf
On Wed, Jul 30, 2003 at 04:15:22PM +0530, Pradeep Rai wrote:
> I do not know how to configure accounting information for new users. Does

Tell your NAS to send accounting information.

> this require MySQL for it. Is this possible w/o using MySQL. What all files 

you can log into detail files.

> do I need to configure ?

radiusd.conf, look for 'detail'

Oliver.



RE: Help to a new FreeRADIUS user

2003-07-09 Thread Pubs
I think you should first ./configure make and make install then test it with
basics functions (auth with files, acct with files etc etc) THEN try to set
up LEAP, I don't think LEAP is the easiest way to begin in radius and Linux
..

Nicolas

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Idriss
> MAMODALY
> Sent: Wednesday, 9 July 2003 17:27
> To: [EMAIL PROTECTED]
> Subject: Help to a new FreeRADIUS user
>
>
> Hello,
>
> I will wish to use the FreeRADIUS (it is within a use in
> company). I downloaded the file
> "freeradius-snapshot-20030708.tar.gz", I unzip it, installed it
> while following the instructions of the "INSTALL" file such as:
>
> $ /configure
> $ make
> $ make install
>
> During compilation, it does a lots of errors. Moreover, i was
> unable to find and run the "radiusd" file (as indicated in the
> docs of install...).
> Then, I decided to use the "rpm" packages, available in
> downloading on http://rpmfind.net. It did function better on the
> installation, but, it do not allow the LEAP authentification,
> because the version is less recent than the
> "freeradius-snapshot-20030708.tar.gz" file ...
>
> Could you help me, please ? Maybe i forgot to do something... I
> need help because I am a new user of FreeRADIUS and even Linux...
>
> Thank you very much, Greetings.
>
> P.S.: I use the Linux Mandrake 9.1. distribution.
>
>
>


Re: Help

2003-07-07 Thread Alan DeKok
"Pradeep Rai" <[EMAIL PROTECTED]> wrote:
> 2> how shall we run ./configure to install freeradius for just
> authentication and authorization purpuse (main if We dont want
> accounting facility)

  You don't.  If you don't use accounting, it won't take any
resources.

> 3> which "conf" or normal text files should be modify if we want to
> store accoutning information of each user listed in "user" file.

  I thought you said you didn't want accounting?

> 4> Is there any free web based interface or command line executable file
> available for adding clients, users authentication and accouting
> information in /usr/local/etc/raddb/ path.

  vi?

  Alan DeKok.



Re: Help

2003-07-07 Thread a . l . m . buxey
Hi,

> 1> when we run ./radiusd without any option 
> it runs lt-radius that we can see from ps -ef command.
> how to see how much RAM size does it take (run time memory use of radius server)
> i tried #cat /proc/meminfo and also cat /proc/(PID)/meminfo didnt work.
> #cat /proc/(PID)/status 
> gives me Vmsize (Should i consider this as memory usage of radiusd.
> also consider that I will be running this on linux mips machine.

what platform?  try other 'ps' arguments - eg ps -aux
try top, try checking the /proc entry for the process etc

 
> 2> how shall we run ./configure to install freeradius for just authentication and 
> authorization purpuse (main if We dont want accounting facility)

./configure --help

this lists all the stuff you can and cant do
 
..the other questions are FAQ/Doc and google :-)

alan



Re: Help: EAP-TLS with Windows XP failure

2003-06-24 Thread Luke Diamand
Sorry about the lateness of this, but perhaps this will be useful to 
someone somewhere:

On 21 Apr 2003, Sungwon Ha wrote:
> Hi!
>
> I have a question about an access denied message from RADIUS. I was using RADIUS for
> EAP-TLS authentication with Window XP (service pack 2). But XP was denied because
> RADIUS produced error as follows
> <<< TLS 1.0 Alert [length 0002], fatal access_denied
>
> TLS Alert read:fatal:access denied
>
> SSL alert number 49

I've just seen this as well. This is with XPsp1 doing EAP/TLS. It goes 
away if I ask XP to *not* validate the server certificate.

I also see the following in the XP RASTLS log:

  AuthenticateServer
  FGetEKUUsage
  FCheckUsage
  The server's cert does not have the 'Server Authentication' usage
  MakeAlert(49,Schannel)

Not quite sure what this means; the root certificate on the XP machine 
certainly *does* claim to be good for server authentication so I suppose 
it's talking about the cert that freeradius is using.

What's odd is that this setup was working a while back. 
Xsupplicant(linux) seems quite happy about my server certificate.

Luke Diamand









- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
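
The RASTLS log in the message above complains about the extended key usage (EKU) of the certificate the RADIUS server presents. The following Python is an added example, not part of the original post and not FreeRADIUS or Windows code: it walks DER data, finds the EKU extension (2.5.29.37) and reports whether id-kp-serverAuth (1.3.6.1.5.5.7.3.1) is listed. The function names are hypothetical and the sample bytes are constructed extension blocks, not a real certificate.

```python
"""Look for the serverAuth purpose in the EKU extension of DER-encoded data."""

EKU_EXTENSION_OID = bytes.fromhex("551d25")         # 2.5.29.37 extKeyUsage
SERVER_AUTH_DER = bytes.fromhex("2b06010505070301")  # 1.3.6.1.5.5.7.3.1
CLIENT_AUTH_DER = bytes.fromhex("2b06010505070302")  # 1.3.6.1.5.5.7.3.2
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"


def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Decode every element packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


def decode_oid(body):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def extended_key_usages(der):
    """Return the EKU OIDs found in der, or None if there is no EKU extension."""
    pending = [der]
    while pending:
        try:
            items = children(pending.pop())
        except (ValueError, IndexError):
            continue
        # Extension ::= SEQUENCE { extnID, critical OPTIONAL, extnValue OCTET STRING }
        if items and items[0] == (0x06, EKU_EXTENSION_OID) and items[-1][0] == 0x04:
            usage_seq = children(items[-1][1])[0][1]
            return [decode_oid(v) for t, v in children(usage_seq) if t == 0x06]
        # Only constructed elements (bit 0x20) can contain further elements.
        pending.extend(v for t, v in items if t & 0x20)
    return None


def server_auth_verdict(der):
    """Classify the data the way the check in the quoted log is worded."""
    usages = extended_key_usages(der)
    if usages is None:
        return "no EKU extension"
    if SERVER_AUTH in usages:
        return "serverAuth present"
    return "EKU present without serverAuth"


def tlv(tag, body):
    """Encode one DER element (short-form length only; enough for the samples)."""
    if len(body) > 127:
        raise ValueError("sample too long for short-form length")
    return bytes([tag, len(body)]) + body


def sample_extensions(*usage_oids):
    """Constructed [3] extensions block: basicConstraints plus an optional EKU."""
    exts = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, tlv(0x30, b"")))
    if usage_oids:
        eku = tlv(0x30, b"".join(tlv(0x06, oid) for oid in usage_oids))
        exts += tlv(0x30, tlv(0x06, EKU_EXTENSION_OID) + tlv(0x04, eku))
    return tlv(0xA3, tlv(0x30, exts))


# Constructed samples: a server certificate's extensions with different EKU sets.
SAMPLE_SERVER_AND_CLIENT = sample_extensions(SERVER_AUTH_DER, CLIENT_AUTH_DER)
SAMPLE_CLIENT_ONLY = sample_extensions(CLIENT_AUTH_DER)
SAMPLE_NO_EKU = sample_extensions()

if __name__ == "__main__":
    for name in ("SAMPLE_SERVER_AND_CLIENT", "SAMPLE_CLIENT_ONLY", "SAMPLE_NO_EKU"):
        print(name, "->", server_auth_verdict(globals()[name]))
```

Because the walk descends through every constructed element, the same functions accept a whole certificate in DER form (for instance the bytes of a PEM file after base64 decoding).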


Re: help configuring FR with cisco aironet 350, eap/leap and W2000

2003-06-22 Thread Luca Benassi
At 10.13 20/06/03 -0500, you wrote:
> I don't use rlm_eap but suggest you read src/radiusd/doc/rlm_eap. It 
> explains exactly what your problem is, (e.g. "At least one EAP-Type 
> sub-stanza should be defined as above, otherwise the server will not know 
> what type of eap authentication mechanism to be usedAll the various 
> options and their associated default values for each EAP-Type are 
> documented in the sample radiusd.conf that is provided with the 
> distribution."). Looks to me like you have said requirements commented out 
> in your eap block.

Thank you Cris,
now it's all ok.
I've changed the bind_address to *one* of my two IP on the machine, instead 
of using " = *".

Now I'm battling with ldap ;)

Bye,
Luca


Re: help configuring FR with cisco aironet 350, eap/leap and W2000

2003-06-20 Thread Chris Brotsos
At 09:35 AM 6/20/2003, you wrote:
> I'm trying to set up a configuration where the freeradius server
> authenticates win 2000 clients in a wireless lan with cisco aironet 350.
> (Sorry for this long mex)
>
> My forbidden dream is ldap, but ... for the moment eap is enough.
>
> Here are the main portion of conf files.
> radiusd.conf
> * * *
> bind_address = 192.168.27.4
> modules {
> eap {
> #   default_eap_type = md5
> timer_expire = 60
> #   md5 {
> #   }

I don't use rlm_eap but suggest you read src/radiusd/doc/rlm_eap. It 
explains exactly what your problem is, (e.g. "At least one EAP-Type 
sub-stanza should be defined as above, otherwise the server will not know 
what type of eap authentication mechanism to be usedAll the various 
options and their associated default values for each EAP-Type are 
documented in the sample radiusd.conf that is provided with the 
distribution."). Looks to me like you have said requirements commented out 
in your eap block.

HTH,

Chris Brotsos





Re: help with WEP keys

2003-06-07 Thread Alan DeKok
Dave Mason <[EMAIL PROTECTED]> wrote:
> I briefly asked about WEP keys a while back, and Alan referred me to the 
> mppe code in rlm_mschap.  I was wondering if I could get a quick comment 
> on how this differs from the mppe code in rlm_eap_tls.  That code 
> appears to use an SSL session, while the mschap code does not.

  See the TLS RFC for details as to why the MPPE code is different
from that used for MS-CHAP.

> Finally, I just have a question about the mschap mppe code.  In 
> mppe_chap2_gen_keys128 there is a section commented out.  That section 
> appears to set the salt, which I thought was required.

  The salt is for encrypting the keys, from what I recall.  It's not
used for generating the keys.

> Later, I see that mppe_gen_respkey is also commented out, and there
> is a note that says it's not required because encoding will be done
> by tunnel_pwencode.  What's going on there?  Is that only for
> passwords or can other attributes use it too?

  See the dictionaries.  'encrypt=1' tells the server to decrypt the
attribute when received, and to encrypt the attribute when sent.  The
MSCHAP module doesn't receive or send attributes on the wire, so it
MUST keep the contents of the attributes in un-encrypted form.

  Alan DeKok.



Re: Help needed with MS Chap v2

2003-03-28 Thread Frank Cusack
On Fri, Mar 28, 2003 at 06:34:31AM -0500, Alan DeKok wrote:
> Frank Cusack <[EMAIL PROTECTED]>wrote:
> > On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
> > > /etc/smbpasswd  is  really  not  required and was only for compatibility
> > > (anyway  it  should  be  noted  in Release Notes for peoples who upgrade
> > > their RADIUS versions).

> > Yeah, I personally think both should be added back ...
> 
>   I am strongly opposed to duplicate functionality in the code.  If
> rlm_passwd can do all of the work of reading attributes from
> /etc/smbpasswd, then we should use it, and not duplicate that code
> elsewhere.
> 
>   To put it another way, what is the gain in having rlm_mschap read
> /etc/smbpasswd?

ah.  none.

/fc



Re: Help needed with MS Chap v2

2003-03-28 Thread Alan DeKok
Frank Cusack <[EMAIL PROTECTED]>wrote:
> On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
> > /etc/smbpasswd  is  really  not  required and was only for compatibility
> > (anyway  it  should  be  noted  in Release Notes for peoples who upgrade
> > their RADIUS versions).

  I've done that, and added code to rlm_mschap which will complain if
people try to configure it to use /etc/smbpasswd, and will tell people
what to do to fix the problem.

> > Removing  SMB-Account-CTRL attribute handling is not good, I know people
> > use  it.  It's  very  convenient  if  accounts are bulk imported from NT
> > domain  or  from SAMBA. It's standard attribute from SAMBA passwd format,
> > SAMBA LDAP schema, etc.

  That I agree with.  But I was trying to take baby steps, to ensure
that I could get one thing working, before I added another.

> Yeah, I personally think both should be added back ...

  I am strongly opposed to duplicate functionality in the code.  If
rlm_passwd can do all of the work of reading attributes from
/etc/smbpasswd, then we should use it, and not duplicate that code
elsewhere.

  To put it another way, what is the gain in having rlm_mschap read
/etc/smbpasswd?

  Alan DeKok.



Re: Help needed with MS Chap v2

2003-03-28 Thread Frank Cusack
On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
> 
> --Thursday, March 27, 2003, 2:39:42 PM, you wrote to [EMAIL PROTECTED]:
> 
> 
> AD>   Try the latest CVS snapshot.  I've re-written rlm_mschap to be
> AD> smaller, simpler, and to have significantly more debug messages.
> 
> AD>   It won't look at /etc/smbpasswd any more, but that's probably a Good
> AD> Thing.
> 
> /etc/smbpasswd  is  really  not  required and was only for compatibility
> (anyway  it  should  be  noted  in Release Notes for peoples who upgrade
> their RADIUS versions).
> 
> Removing  SMB-Account-CTRL attribute handling is not good, I know people
> use  it.  It's  very  convenient  if  accounts are bulk imported from NT
> domain  or  from SAMBA. It's standard attribute from SAMBA passwd format,
> SAMBA LDAP schema, etc.

Yeah, I personally think both should be added back ...

/fc



Re: Help needed with MS Chap v2

2003-03-26 Thread Guy Warner
Thanks for the fast replies. The line
Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
makes me believe the packet is corrupted. Is there any way to test this. My
suspicion is that the packet is being corrupted by the proxy server, however
since this is running a dedicated operating system there is not a lot I can
modify on it. The software used to send the initial request to the proxy is
RASPPOE_098B.

The LDAP server is authorizing the user names fine.

Thanks again.

Guy Warner

- Original Message -
From: "3APA3A" <[EMAIL PROTECTED]>
To: "Guy Warner" <[EMAIL PROTECTED]>
Sent: Wednesday, March 26, 2003 4:19 PM
Subject: Re: Help needed with MS Chap v2


> Dear Guy Warner,
>
> Authentication fails because of username or password mismatch. It may be
> if  packet  is  corrupted,  if  realm  is  not stripped from username or
> password contains non-ASCII characters.
>
> --Wednesday, March 26, 2003, 7:10:32 PM, you wrote to
[EMAIL PROTECTED]:
>
> GW> Hi
>
> GW> I am trying to set up a Freeradius 0.8.1 server to authenticate users
with
> GW> MS Chap v2. The information about each user is obtained from an LDAP
server.
> GW> The requests for authentication are being received via a proxy server.
>
> GW> The problem is that all requests to authenticate a user result in
> GW>  rlm_mschap: Nothing in the packet I recognise: Rejecting the
user
>
> GW> The mschap section of radiusd.conf is as follows
>
> GW>  mschap {
> GW> authtype = MS-CHAP
> GW> use_mppe = yes
> GW> require_encryption = yes
> GW> require_strong = yes
> GW> }
>
>
> GW> The output from radiusd in debug mode contains the following
>
> GW> rad_recv: Access-Request packet from host :1814,
id=3,
> GW> length=172
> GW> MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
> GW> MS-CHAP2-Response =
> GW>
0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
> GW> 05c09460bdc1c3047ab43476f5
> GW> User-Name = "[EMAIL PROTECTED]"
> GW> NAS-IP-Address = 
> GW> NAS-Identifier = 
> GW> Service-Type = Framed-User
> GW> Framed-Protocol = PPP
> GW> Proxy-State = 0x313630
> GW> ..
> GW> Debug: modcall: entering group authtype
> GW> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
> GW> Debug: rlm_mschap: Authentication failed
> GW> Debug: rlm_mschap: Nothing in the packet I recognise:
Rejecting the
> GW> user
> GW> Debug:   modcall[authenticate]: module "mschap" returns reject
>
>
> GW> The username is stripped of the domain since usernames are stored on
the
> GW> LDAP server in the short form.
>
> GW> Any suggestions on how to fix this problem would be gratefully
received. If
> GW> I have not provided sufficient information to diagnose the error then
please
> GW> let me know and I will send more information.
>
>
> GW> Thanks in advance
>
>
> GW> Guy Warner
>
>
>
>
> --
> ~/ZARAZA
> ENIACs get a punch in the face!  (Lem)
>
>
>




Re: Help needed with MS Chap v2

2003-03-26 Thread Josh Howlett
Guy,

Do the LDAP server logs show anything?

josh.

On Wed, 2003-03-26 at 16:10, Guy Warner wrote:
> Hi
> 
> I am trying to set up a Freeradius 0.8.1 server to authenticate users with
> MS Chap v2. The information about each user is obtained from an LDAP server.
> The requests for authentication are being received via a proxy server.
> 
> The problem is that all requests to authenticate a user result in
>  rlm_mschap: Nothing in the packet I recognise: Rejecting the user
> 
> The mschap section of radiusd.conf is as follows
> 
>  mschap {
> authtype = MS-CHAP
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> }
> 
> 
> The output from radiusd in debug mode contains the following
> 
> rad_recv: Access-Request packet from host :1814, id=3,
> length=172
> MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
> MS-CHAP2-Response =
> 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
> 05c09460bdc1c3047ab43476f5
> User-Name = "[EMAIL PROTECTED]"
> NAS-IP-Address = 
> NAS-Identifier = 
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Proxy-State = 0x313630
> ..
> Debug: modcall: entering group authtype
> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
> Debug: rlm_mschap: Authentication failed
> Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the
> user
> Debug:   modcall[authenticate]: module "mschap" returns reject
> 
> 
> The username is stripped of the domain since usernames are stored on the
> LDAP server in the short form.
> 
> Any suggestions on how to fix this problem would be gratefully received. If
> I have not provided sufficient information to diagnose the error then please
> let me know and I will send more information.
> 
> 
> Thanks in advance
> 
> 
> Guy Warner
> 
> 
-- 
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

---




Re: Help needed with MS Chap v2

2003-03-26 Thread 3APA3A
Dear Guy Warner,

Authentication fails because of username or password mismatch. It may be
if  packet  is  corrupted,  if  realm  is  not stripped from username or
password contains non-ASCII characters.

--Wednesday, March 26, 2003, 7:10:32 PM, you wrote to [EMAIL PROTECTED]:

GW> Hi

GW> I am trying to set up a Freeradius 0.8.1 server to authenticate users with
GW> MS Chap v2. The information about each user is obtained from an LDAP server.
GW> The requests for authentication are being received via a proxy server.

GW> The problem is that all requests to authenticate a user result in
GW>  rlm_mschap: Nothing in the packet I recognise: Rejecting the user

GW> The mschap section of radiusd.conf is as follows

GW>  mschap {
GW> authtype = MS-CHAP
GW> use_mppe = yes
GW> require_encryption = yes
GW> require_strong = yes
GW> }


GW> The output from radiusd in debug mode contains the following

GW> rad_recv: Access-Request packet from host :1814, id=3,
GW> length=172
GW> MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
GW> MS-CHAP2-Response =
GW> 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
GW> 05c09460bdc1c3047ab43476f5
GW> User-Name = "[EMAIL PROTECTED]"
GW> NAS-IP-Address = 
GW> NAS-Identifier = 
GW> Service-Type = Framed-User
GW> Framed-Protocol = PPP
GW> Proxy-State = 0x313630
GW> ..
GW> Debug: modcall: entering group authtype
GW> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
GW> Debug: rlm_mschap: Authentication failed
GW> Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the
GW> user
GW> Debug:   modcall[authenticate]: module "mschap" returns reject


GW> The username is stripped of the domain since usernames are stored on the
GW> LDAP server in the short form.

GW> Any suggestions on how to fix this problem would be gratefully received. If
GW> I have not provided sufficient information to diagnose the error then please
GW> let me know and I will send more information.


GW> Thanks in advance


GW> Guy Warner




-- 
~/ZARAZA
ENIACs get a punch in the face!  (Lem)




Re: help

2003-03-13 Thread navin
help







RE: Help Please - Monthly Time Limit

2003-03-05 Thread Adam Fladwood
Microsoft left out that part of the protocol... users on a Mac will see
it, however you're pretty much out of luck with windows.

Adam

Bill Anderson said:
> Thanks a bunch.  That did it.  A second question.  Now that it works,
> it is supposed to send a reply message back to the user, however, the
> end user gets a 691 error, username and  password invalid.  Any way to
> change this behavior.  I tried it on both XP and NT.  Thanks.
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Kostas
>> Kalevras
>> Sent: Wednesday, March 05, 2003 2:23 PM
>> To: [EMAIL PROTECTED]
>> Subject: Re: Help Please - Monthly Time Limit
>>
>>
>> On Wed, 5 Mar 2003, Bill Anderson wrote:
>>
>> > I am so close to getting the monthly time limit working and I
>> just need a
>> > little help.  I have looked through the archives and have found
>> things that
>> > have brought me this far, however, I believe I am close.  Does
>> anyone have
>> > any idea what I am doing wrong?  Basically what I would like to
>> do is have a
>> > user to be rejected if they reach their monthly time limit.  I
>> am not using
>> > SQL.  I have attached the following information:
>> >
>> > /etc/raddb/users
>> > radiusd debug session (radiusd -X)
>> > /etc/raddb/radiusd.conf
>> >
>> > users file:
>> >
>> > mytestuser   Max-Monthly-Session := 30, Auth-Type := Local,
>> User-Password ==
>> > "somepass"
>> > Service-Type = Framed-User,
>> > Framed-Protocol = PPP,
>> > Framed-IP-Address = 255.255.255.254,
>> > Framed-IP-Netmask = 255.255.255.255,
>> > Framed-Routing = None,
>> > Framed-MTU = 1500,
>> > Framed-Compression = Van-Jacobson-TCP-IP,
>> > Idle-Timeout = 900,
>> > Session-Timeout = 21600,
>> > Port-Limit = 1,
>>
>> > DEFAULT Max-Monthly-Session > 30, Auth-Type = Reject
>> > Reply-Message = "Max monthly hours achieved"
>>
>> You don't need this check if you set Max-Monthly-Session
>>
>> >
>> > Debug Session:
>> >
>> > [EMAIL PROTECTED] raddb]# radiusd -X
>> > Starting - reading configuration files ...
>> > Config:   including file: /etc/raddb/proxy.conf
>> > Config:   including file: /etc/raddb/clients.conf
>> > rad_recv: Access-Request packet from host 209.95.37.8:1647, id=149,
>> length=182
>> > User-Name = "mytestuser"
>> > User-Password = "backd00r"
>> > NAS-IP-Address = 209.247.5.114
>> > NAS-Port = 136
>> > Service-Type = Framed-User
>> > Framed-Protocol = PPP
>> > Ascend-Data-Rate = 21600
>> > Ascend-Calling-Id-Type-Of-Num = Unknown
>> > Ascend-Calling-Id-Number-Plan = Unknown
>> > Ascend-Xmit-Rate = 49333
>> > Called-Station-Id = "5032134042"
>> > Calling-Station-Id = "5038850150"
>> > Acct-Session-Id = "386694565"
>> > NAS-Port-Type = Async
>> > Ascend-NAS-Port-Format = 2_4_5_5
>> > Proxy-State = 0x3533
>> > modcall: entering group authorize
>> >   modcall[authorize]: module "preprocess" returns ok
>> > rlm_chap: Could not find proper Chap-Password attribute in request
>> >   modcall[authorize]: module "chap" returns noop
>> >   modcall[authorize]: module "mschap" returns notfound
>> > rlm_counter: Entering module authorize code
>> > rlm_counter: Could not find Check item value pair
>> >   modcall[authorize]: module "counter" returns noop
>> > rlm_realm: No '@' in User-Name = "mytestuser", looking up realm
>> NULL rlm_realm: No such realm NULL
>> >   modcall[authorize]: module "suffix" returns noop
>> > users: Matched mytestuser at 1
>> >   modcall[authorize]: module "files" returns ok
>>
>> You have files after counter in your authorize section. Try
>> putting the counter
>> module after the files module
>>
>>
>>
>> ># encryption moderate
>> >#   require_encryption = yes
>> >
>> ># require_strong alwa

RE: Help Please - Monthly Time Limit

2003-03-05 Thread Bill Anderson
Thanks a bunch.  That did it.  A second question.  Now that it works, it is
supposed to send a reply message back to the user, however, the end user
gets a 691 error, username and  password invalid.  Any way to change this
behavior.  I tried it on both XP and NT.  Thanks.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kostas
> Kalevras
> Sent: Wednesday, March 05, 2003 2:23 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Help Please - Monthly Time Limit
>
>
> On Wed, 5 Mar 2003, Bill Anderson wrote:
>
> > I am so close to getting the monthly time limit working and I
> just need a
> > little help.  I have looked through the archives and have found
> things that
> > have brought me this far, however, I believe I am close.  Does
> anyone have
> > any idea what I am doing wrong?  Basically what I would like to
> do is have a
> > user to be rejected if they reach their monthly time limit.  I
> am not using
> > SQL.  I have attached the following information:
> >
> > /etc/raddb/users
> > radiusd debug session (radiusd -X)
> > /etc/raddb/radiusd.conf
> >
> > users file:
> >
> > mytestuser   Max-Monthly-Session := 30, Auth-Type := Local,
> User-Password ==
> > "somepass"
> > Service-Type = Framed-User,
> > Framed-Protocol = PPP,
> > Framed-IP-Address = 255.255.255.254,
> > Framed-IP-Netmask = 255.255.255.255,
> > Framed-Routing = None,
> > Framed-MTU = 1500,
> > Framed-Compression = Van-Jacobson-TCP-IP,
> > Idle-Timeout = 900,
> > Session-Timeout = 21600,
> > Port-Limit = 1,
>
> > DEFAULT Max-Monthly-Session > 30, Auth-Type = Reject
> > Reply-Message = "Max monthly hours achieved"
>
> You don't need this check if you set Max-Monthly-Session
>
> >
> > Debug Session:
> >
> > [EMAIL PROTECTED] raddb]# radiusd -X
> > Starting - reading configuration files ...
> > Config:   including file: /etc/raddb/proxy.conf
> > Config:   including file: /etc/raddb/clients.conf
> > rad_recv: Access-Request packet from host 209.95.37.8:1647, id=149,
> > length=182
> > User-Name = "mytestuser"
> > User-Password = "backd00r"
> > NAS-IP-Address = 209.247.5.114
> > NAS-Port = 136
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Ascend-Data-Rate = 21600
> > Ascend-Calling-Id-Type-Of-Num = Unknown
> > Ascend-Calling-Id-Number-Plan = Unknown
> > Ascend-Xmit-Rate = 49333
> > Called-Station-Id = "5032134042"
> > Calling-Station-Id = "5038850150"
> > Acct-Session-Id = "386694565"
> > NAS-Port-Type = Async
> > Ascend-NAS-Port-Format = 2_4_5_5
> > Proxy-State = 0x3533
> > modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> > rlm_chap: Could not find proper Chap-Password attribute in request
> >   modcall[authorize]: module "chap" returns noop
> >   modcall[authorize]: module "mschap" returns notfound
> > rlm_counter: Entering module authorize code
> > rlm_counter: Could not find Check item value pair
> >   modcall[authorize]: module "counter" returns noop
> > rlm_realm: No '@' in User-Name = "mytestuser", looking up realm NULL
> > rlm_realm: No such realm NULL
> >   modcall[authorize]: module "suffix" returns noop
> > users: Matched mytestuser at 1
> >   modcall[authorize]: module "files" returns ok
>
> You have files after counter in your authorize section. Try
> putting the counter
> module after the files module
>
>
>
> > # encryption moderate
> > #   require_encryption = yes
> >
> > # require_strong always requires 128 bit key
> > # encryption
> > #   require_strong = yes
> > }
> >
> > # Lightweight Directory Access Protocol (LDAP)
> > #
> > #  This module definition allows you to use LDAP for
> > #  authorization and authentication (Auth-Type := LDAP)
> > #
> > #  See doc/rlm_ldap for description of configuration options
> > #  and sample authorize{} and authenticate{} blocks
> > ldap {
> >  

Re: Help Please - Monthly Time Limit

2003-03-05 Thread Kostas Kalevras
On Wed, 5 Mar 2003, Bill Anderson wrote:

> I am so close to getting the monthly time limit working and I just need a
> little help.  I have looked through the archives and have found things that
> have brought me this far, however, I believe I am close.  Does anyone have
> any idea what I am doing wrong?  Basically what I would like to do is have a
> user to be rejected if they reach their monthly time limit.  I am not using
> SQL.  I have attached the following information:
>
> /etc/raddb/users
> radiusd debug session (radiusd -X)
> /etc/raddb/radiusd.conf
>
> users file:
>
> mytestuser   Max-Monthly-Session := 30, Auth-Type := Local, User-Password ==
> "somepass"
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-IP-Address = 255.255.255.254,
> Framed-IP-Netmask = 255.255.255.255,
> Framed-Routing = None,
> Framed-MTU = 1500,
> Framed-Compression = Van-Jacobson-TCP-IP,
> Idle-Timeout = 900,
> Session-Timeout = 21600,
> Port-Limit = 1,

> DEFAULT Max-Monthly-Session > 30, Auth-Type = Reject
> Reply-Message = "Max monthly hours achieved"

You don't need this check if you set Max-Monthly-Session

>
> Debug Session:
>
> [EMAIL PROTECTED] raddb]# radiusd -X
> Starting - reading configuration files ...
> Config:   including file: /etc/raddb/proxy.conf
> Config:   including file: /etc/raddb/clients.conf
> rad_recv: Access-Request packet from host 209.95.37.8:1647, id=149,
> length=182
> User-Name = "mytestuser"
> User-Password = "backd00r"
> NAS-IP-Address = 209.247.5.114
> NAS-Port = 136
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Ascend-Data-Rate = 21600
> Ascend-Calling-Id-Type-Of-Num = Unknown
> Ascend-Calling-Id-Number-Plan = Unknown
> Ascend-Xmit-Rate = 49333
> Called-Station-Id = "5032134042"
> Calling-Station-Id = "5038850150"
> Acct-Session-Id = "386694565"
> NAS-Port-Type = Async
> Ascend-NAS-Port-Format = 2_4_5_5
> Proxy-State = 0x3533
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
>   modcall[authorize]: module "chap" returns noop
>   modcall[authorize]: module "mschap" returns notfound
> rlm_counter: Entering module authorize code
> rlm_counter: Could not find Check item value pair
>   modcall[authorize]: module "counter" returns noop
> rlm_realm: No '@' in User-Name = "mytestuser", looking up realm NULL
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
> users: Matched mytestuser at 1
>   modcall[authorize]: module "files" returns ok

You have files after counter in your authorize section. Try putting the counter
module after the files module



>   # encryption moderate
>   #   require_encryption = yes
>
>   # require_strong always requires 128 bit key
>   # encryption
>   #   require_strong = yes
>   }
>
>   # Lightweight Directory Access Protocol (LDAP)
>   #
>   #  This module definition allows you to use LDAP for
>   #  authorization and authentication (Auth-Type := LDAP)
>   #
>   #  See doc/rlm_ldap for description of configuration options
>   #  and sample authorize{} and authenticate{} blocks
>   ldap {
>   server = "ldap.your.domain"
>   # identity = "cn=admin,o=My Org,c=UA"
>   # password = mypass
>   basedn = "o=My Org,c=UA"
>   filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>
>   # set this to 'yes' to use TLS encrypted connections
>   # to the LDAP database by using the StartTLS extended
>   # operation.
>   start_tls = no
>   # set this to 'yes' to use TLS encrypted connections to the
>   # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
>   # the ldap library.
>   tls_mode = no
>
>   # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>   # profile_attribute = "radiusProfileDn"
>   access_attr = "dialupAccess"
>
>   # Mapping of RADIUS dictionary attributes to LDAP
>   # directory attributes.
>   dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>   # ldap_cache_timeout = 120
>   # ldap_cache_size = 0
>   ldap_connections_number = 5
>   # password_header = "{clear}"
>   # password_attribute = userPassword
>   # groupname_attribute = cn
>   # groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO
> fUniqueNames)(unique

RE: help me

2003-03-01 Thread Victor Churchill

If you have "service password-encryption" on your cisco
it will mismatch, this can be changed by "no service password-encryption"
and then re typing the radius-server key command

the secret must be the same on your Cisco as well as your clients.conf and
proxy.conf

That is how I got mine to work.

-Vic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Nguyen Nhu Hao
Sent: Saturday, March 01, 2003 9:23 PM
To: [EMAIL PROTECTED]
Subject: Re: help me


Hi Tarvid,
Thanks a lot for your kindness.
I followed as you showed me but I could not solve the problem. Could you
help me to find out the bug
I give you my router configuration here
pascal#show run
Building configuration...

Current configuration : 4169 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname pascal
!
no logging console
aaa new-model
aaa authentication login default group radius local

...
...
radius-server host 172.16.5.5 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server timeout 10
radius-server key 123456


and the file client.conf

client 172.16.5.1 {
secret  = 123456
shortname   = pascal
}

the file naslist

# NAS Name  Short Name  Type
#   --  
#portmaster1.isp.compm1.NY  livingston
#portmaster2.isp.compm1.LA  livingston
localhost   local   portslave
pascal  pascal  cisco

and radius log when logined fail

more /usr/local/var/log/radius/radius.log
Mon Dec  2 11:37:30 2002 : Info: HASH:  Reinitializing hash structures and
lists for caching...
Mon Dec  2 11:37:30 2002 : Info: HASH:  Stored 30 entries from /etc/passwd
Mon Dec  2 11:37:30 2002 : Info: HASH:  Stored 40 entries from /etc/group
Mon Dec  2 11:37:30 2002 : Info: Listening on IP address 172.16.5.5, ports
1645/udp and 1646/udp.
Mon Dec  2 11:37:30 2002 : Info: Ready to process requests.
Mon Dec  2 11:37:57 2002 : Auth: Login incorrect:
[hao/8R=\275\326CG\214\224\227\003\231Y'\230c] (from client pascal port 66
cli 172
.16.5.3)


nhuhao
- Original Message -
From: "tarvid" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 28, 2003 5:49 PM
Subject: Re: help me


> On Saturday 01 March 2003 11:32 pm, Nguyen Nhu Hao wrote:
> > Hi all,
> >  I am a newbie with radius and unix, I would like to install freeradius
=
> >  in RedHat 7.1 and I use a router to authenicate via radius. I installed
=
> >  ok, but I could not authenticate success. I configured authentication =
> >  use unix module.
>
> >HASH:  user hao found in hashtable bucket 47290
> >modcall[authenticate]: module "unix" returns reject
> >  modcall: group authenticate returns reject
> >  auth: Failed to validate the user.
> >  Login incorrect: [hao/\236\232M\236s<\3121\211\214\344\347"+\214\031] =
> >  (from client pascal port 66 cli 172.16.5.3)
> >WARNING: Unprintable characters in the password. ?  Double-check the
=
> >  shared secret on the server and the NAS!
>
> Have you followed up on the above error message?
>
> The 'secret" in clients.conf must match exactly the "secret" in your
server.
>
> You might log bad passwords to see if your server got anything like what
the
> router sent.
>
> Jim Tarvid
>
>





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
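
The "Unprintable characters in the password" warning quoted in this thread follows from how RADIUS hides User-Password (RFC 2865, section 5.2): the NAS XORs the password with MD5(shared secret + Request Authenticator), and the server undoes it with its own copy of the secret. The following Python is an added example, not from the original messages and not FreeRADIUS code; the function names are hypothetical, and the secrets, authenticator and passwords are constructed values.

```python
"""RFC 2865 User-Password hiding, and what a secret mismatch looks like."""
import hashlib

# Constructed sample values (not taken from the thread).
NAS_SECRET = b"nas-side-secret"
SERVER_SECRET_MISTYPED = b"nas-side-secert"
AUTHENTICATOR = bytes(range(16))          # 16-octet Request Authenticator


def xor_with_md5(block, secret, previous):
    """XOR one 16-octet block with MD5(secret + previous)."""
    pad = hashlib.md5(secret + previous).digest()
    return bytes(a ^ b for a, b in zip(block, pad))


def hide_user_password(password, secret, authenticator):
    """NAS side: pad to a multiple of 16 with NULs, then chain the XOR."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", authenticator
    for i in range(0, len(padded), 16):
        previous = xor_with_md5(padded[i:i + 16], secret, previous)
        hidden += previous                 # each ciphertext block keys the next
    return hidden


def recover_user_password(hidden, secret, authenticator):
    """Server side: the same chain, keyed by the received ciphertext blocks."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden User-Password must be 16..128 octets, multiple of 16")
    clear, previous = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += xor_with_md5(block, secret, previous)
        previous = block
    return clear.rstrip(b"\x00")


def secret_mismatch_suspected(recovered):
    """True when the recovered password has octets outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in recovered)


def render_like_log(raw):
    """Show non-printable octets as \\ooo escapes, as in the quoted radius.log."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "\\%03o" % b for b in raw)


def diagnose(hidden, server_secret, authenticator):
    """What the server would log for this attribute with its own secret."""
    recovered = recover_user_password(hidden, server_secret, authenticator)
    return {
        "as_logged": render_like_log(recovered),
        "mismatch_suspected": secret_mismatch_suspected(recovered),
    }


if __name__ == "__main__":
    attr = hide_user_password(b"correct horse", NAS_SECRET, AUTHENTICATOR)
    print("same secret :", diagnose(attr, NAS_SECRET, AUTHENTICATOR))
    print("wrong secret:", diagnose(attr, SERVER_SECRET_MISTYPED, AUTHENTICATOR))
```

With the wrong secret the first block already decodes to pseudo-random octets; the rejected password in the radius.log excerpt quoted above renders as 16 octets, the size of one MD5 block.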


Re: help me

2003-02-28 Thread Nguyen Nhu Hao
Hi Tarvid,
Thanks a lot for your kindness.
I followed as you showed me but I could not solve the problem. Could you
help me to find out the bug
I give you my router configuration here
pascal#show run
Building configuration...

Current configuration : 4169 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname pascal
!
no logging console
aaa new-model
aaa authentication login default group radius local

...
...
radius-server host 172.16.5.5 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server timeout 10
radius-server key 123456


and the file client.conf

client 172.16.5.1 {
secret  = 123456
shortname   = pascal
}

the file naslist

# NAS Name  Short Name  Type
#   --  
#portmaster1.isp.compm1.NY  livingston
#portmaster2.isp.compm1.LA  livingston
localhost   local   portslave
pascal  pascal  cisco

and radius log when logined fail

more /usr/local/var/log/radius/radius.log
Mon Dec  2 11:37:30 2002 : Info: HASH:  Reinitializing hash structures and lists for caching...
Mon Dec  2 11:37:30 2002 : Info: HASH:  Stored 30 entries from /etc/passwd
Mon Dec  2 11:37:30 2002 : Info: HASH:  Stored 40 entries from /etc/group
Mon Dec  2 11:37:30 2002 : Info: Listening on IP address 172.16.5.5, ports 1645/udp and 1646/udp.
Mon Dec  2 11:37:30 2002 : Info: Ready to process requests.
Mon Dec  2 11:37:57 2002 : Auth: Login incorrect: [hao/8R=\275\326CG\214\224\227\003\231Y'\230c] (from client pascal port 66 cli 172.16.5.3)


nhuhao
- Original Message -
From: "tarvid" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 28, 2003 5:49 PM
Subject: Re: help me


> On Saturday 01 March 2003 11:32 pm, Nguyen Nhu Hao wrote:
> > Hi all,
> >  I am a newbie with radius and unix, I would like to install freeradius
> >  in RedHat 7.1 and I use a router to authenticate via radius. I installed
> >  ok, but I could not authenticate success. I configured authentication
> >  use unix module.
>
> >HASH:  user hao found in hashtable bucket 47290
> >modcall[authenticate]: module "unix" returns reject
> >  modcall: group authenticate returns reject
> >  auth: Failed to validate the user.
> >  Login incorrect: [hao/\236\232M\236s<\3121\211\214\344\347"+\214\031]
> >  (from client pascal port 66 cli 172.16.5.3)
> >WARNING: Unprintable characters in the password. ?  Double-check the
> >  shared secret on the server and the NAS!
>
> Have you followed up on the above error message?
>
> The 'secret" in clients.conf must match exactly the "secret" in your server.
>
> You might log bad passwords to see if your server got anything like what the
> router sent.
>
> Jim Tarvid
>
>


Re: help me

2003-02-28 Thread tarvid
On Saturday 01 March 2003 11:32 pm, Nguyen Nhu Hao wrote:
> Hi all,
>  I am a newbie with radius and unix, I would like to install freeradius
>  in RedHat 7.1 and I use a router to authenticate via radius. I installed
>  ok, but I could not authenticate success. I configured authentication
>  use unix module.

>HASH:  user hao found in hashtable bucket 47290
>modcall[authenticate]: module "unix" returns reject
>  modcall: group authenticate returns reject
>  auth: Failed to validate the user.
>  Login incorrect: [hao/\236\232M\236s<\3121\211\214\344\347"+\214\031]
>  (from client pascal port 66 cli 172.16.5.3)
>WARNING: Unprintable characters in the password. ?  Double-check the
>  shared secret on the server and the NAS!

Have you followed up on the above error message?

The 'secret" in clients.conf must match exactly the "secret" in your server.

You might log bad passwords to see if your server got anything like what the 
router sent.

Jim Tarvid




RE: Help-ME...radcheck: Permission denied

2003-02-19 Thread Tim D. McCracken

You need to determine why you are trying to insert a duplicate key. My wild
guess from looking at your log is that you shut the system down and then
restarted it, and when you restart, it is trying to reinsert records that
already exist. Relational databases will not allow that on tables with a
primary key or columns defined as 'unique'.



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of leaobicalho
> Sent: Wednesday, February 19, 2003 12:52 PM
> To: [EMAIL PROTECTED]
> Subject: Help-ME...radcheck: Permission denied
>
>
> Always when im check, show this
> message, How can i do for work?
> Above have logs of postmaster, radiusd
> and radclient
>
> Log of postmaster
> -
> DEBUG:  database system was shut down at 2003-02-19 15:33:25 BRT
> DEBUG:  checkpoint record is at 0/19D420
> DEBUG:  redo record is at 0/19D420; undo record is at 0/0; shutdown TRUE
> DEBUG:  next transaction id: 875; next oid: 16633
> DEBUG:  database system is ready
> ERROR:  pg_atoi: error in "fredf": can't parse "fredf"
> ERROR:  Cannot insert a duplicate key into unique index usergroup_pkey
> DEBUG:  pq_recvbuf: unexpected EOF on client connection
> ERROR:  radcheck: Permission denied.
> ERROR:  radcheck: Permission denied.
> ERROR:  radcheck: Permission denied.
> ERROR:  radcheck: Permission denied.
>
> Log of Radius Server
>
> lm_sql (sql): Attempting to connect rlm_sql_postgresql #0
> rlm_sql (sql): Connected new DB handle, #0
> rlm_sql_postgresql: query: SELECT id,UserName,Attribute,Value,Op FROM radcheck WHERE Username = 'fredf' ORDER BY id
> rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
> rlm_sql_postgresql: affected rows =
> rlm_sql_postgresql: Postgresql check_error: s, returning SQL_DOWN
> rlm_sql (sql): failed after re-connect
> rlm_sql_getvpdata: database query error
> rlm_sql (sql): SQL query error; rejecting user
> rlm_sql (sql): Released sql socket id: 0
> rad_recv: Access-Request packet from host 200.253.21.202:32792, id=97, length=57
> Dropping packet from client Leao:32792 - ID: 97 due to dead request 2
>
> Log of Radius Client
>
> [root@dev1 radius]# radclient -q -s 127.0.0.1 auth test123
> user-name=test
> radclient: no response from server
>
>
>



Re: Help Needed: VoIP Billing System

2003-02-19 Thread Aleksandar Zhelyazkov
Zahara wrote:

> Hello All
>
> I am analysing a VoIP billing application.  I need some info about a
> few things.  I'd appreciate all the help and details that you could
> provide.
>
> Here is what we need to do:
>
> Our customers connect to our gateway/gatekeeper through IP or PSTN
> (calling cards through IVR system).  We have 2 RADIUS servers.  I
> still don't know which RADIUS server they're going to be though.  We
> have a web-enabled application that will be used to view billing
> reports and to register and manage customers etc.
>
> There can be 3 types of callers.  prepaid, postpaid and calling
> cards.  My questions are:

Correct me if I'm wrong. The following is based on suggestion that you
will use cisco gateways.

> 1. Is RADIUS server responsible to check the customer's billing status
> before authorizing the calls? To see if the user has enough balance to
> go ahead with this call (e.g. for prepaid customers).

Radius is responsible for returning radius attribute which you are
responsible to insert as a reply item.
The billing you must do yourself and based on it to tell the radius to
return the required attribute.
E.g h323-credit-time or h323-credit-amount. The h323-credit-amount can
be implemented easy with database trigger. H323-credit-time is different
story and is hardest to implement (rlm_perl, rlm_python are your friends)

> 2. Who is responsible for monitoring this call (during as well as
> after the call)?
>
> 3. Who is responsible to monitor bong charges (for calling cards) and
> other distance charges at each billing increment during the call
>
> 4. Who is responsible for disconnecting the call, as soon as the
> available balance is consumed?
>
> 5. How is this disconnection and monitoring process works?

I don't understand what you mean by monitoring the call but the answer
to 5. is IVR.
After the call the ivr is responsible for everything. When to
disconnect the call, what message to play, to beep if you have one
minute etc.

> 6. Who stores the CDR's? Where are they stored? Can they be stored
> directly to our Oracle DB?

You have more than all the information you need to build a CDR in
radacct table.
Just write your own application.

> 7. When do the CDR's become available to our web-enable application
> for reporting and processing? After the call ends?

see previous answer.

Hope it helps.

> Looking forward to hear from you.
>
> Thanks.
>
> Zahara.







Re: Help Needed: VoIP Billing System

2003-02-07 Thread Amiri
Dear Zahram

If you are in iran We are working on a same project you can contact us for it.

Mehdi Amiri

ps : see Irandata.com for detail of us.


--- Zahara <[EMAIL PROTECTED]> wrote:
> Hello All
>
> I am analysing a VoIP billing application.  I need some info about a few things.
> I'd appreciate all the help and details that you could provide.
>
> Here is what we need to do:
>
> Our customers connect to our gateway/gatekeeper through IP or PSTN (calling cards
> through IVR system).  We have 2 RADIUS servers.  I still don't know which RADIUS
> server they're going to be though.  We have a web-enabled application that will be
> used to view billing reports and to register and manage customers etc.
>
> Authentication:
> This is what I have understood about the process:
>
> RADIUS server and our web-enabled application will be sharing a database (we want
> Oracle) containing all the customer related info.  The gatekeeper (cisco 7206 VXR)
> receives a call request.  It is configured to ask the RADIUS server to authenticate
> the user.  RADIUS server is configured to check our user table for authentication.
> For authentic users, the next step is authorization.
>
> Authorization:
> There can be 3 types of callers.  prepaid, postpaid and calling cards.  My questions
> are:
>
> 1. Is RADIUS server responsible to check the customer's billing status before
> authorizing the calls? To see if the user has enough balance to go ahead with this
> call (e.g. for prepaid customers).
>
> 2. Who is responsible for monitoring this call (during as well as after the call)?
>
> 3. Who is responsible to monitor bong charges (for calling cards) and other distance
> charges at each billing increment during the call?
>
> 4. Who is responsible for disconnecting the call, as soon as the available balance
> is consumed?
>
> 5. How is this disconnection and monitoring process works?
>
> 6. Who stores the CDR's? Where are they stored? Can they be stored directly to our
> Oracle DB?
>
> 7. When do the CDR's become available to our web-enable application for reporting and
> processing? After the call ends?
>
> Looking forward to hear from you.
>
> Thanks.
>
> Zahara.
> 





Re: help with Exec-program-wait

2003-02-06 Thread DouRiX
Chhai Thach wrote:

> I have been trying to execute a perl script using Exec-Program-Wait.
> First I created an SH file called exec-program-wait, then from inside
> the sh program, I run ./myperlscript
>
> I get this error:
>
> radius_xlat:  '/usr/tarka/bin/exec-program-wait'
> Exec-Program: /usr/tarka/bin/exec-program-wait
> /usr/tarka/bin/exec-program-wait: ./myperlscript: No such file or directory
> Exec-Program-Wait: value-pairs: Reply-Message += "Hello, %u",
> Exec-Program: returned: 0
>
> My purpose is to run the perl script, rather than SH. And it seems this
> is the only way I can figure out how.
>
> Can any help? Thanks.

Exec-Program-Wait = '/your/perl/script' ?

@+
--
DouRiX
   [MISERICORDE, n. A dagger which in mediaeval warfare was used by the 
foot
  soldier to remind an unhorsed knight that he was mortal. -- Ambrose 
Bierce]





re: Help! Can't compile rlm_sql_oracle on solaris

2003-02-06 Thread Chayim I. Kirshen
About 2 minutes before your email came in I just stumbled across
something similar.  Here's exactly what I had to do:

1. build binutils:
options --target=sparcv9-sun-solaris2

2. build gcc:
options -host=sparcv9-sun-solaris2 --with-gnu-as --with-gnu-ar
--with-as=/path-to/as --with-ar=/path-to/ar

3. OHOME=/path-to/oraclehome
   LD_LIBRARY_PATH=/lib:/path-to-gcc/lib
   export OHOME LD_LIBRARY_PATH

4. build freeradius:
- options are only specific to my install.  nothing fancy occurred

5. deploy!

Thanks a tonne for all your help.  I hope this list is useful to the
next person.  Note, to those interested in compiling the gcc for solaris
(repeatably), I will be posting a document on my website
(www.gnupower.net) in the upcoming week/month depending on time.

cheers,

--ck

> Here is what I do to set a 64-bit solaris env:
> 
> ( assuming you've installed 64-bit version of gcc in /usr/local/gcc-v9 )
> 
> PATH=/usr/local/gcc-v9/bin:$PATH
> LD_LIBRARY_PATH=/usr/local/gcc-v9/lib:$LD_LIBRARY_PATH
> CFLAGS="-mcpu=v9 -Wa,-xarch=v9a"
> CXXFLAGS=$CFLAGS
> export PATH LD_LIBRARY_PATH CFLAGS CXXFLAGS
> 
> >And that was great.  Except I've got this new issue where I can't use
> >libcrypt.so because of a linker error.  Here's my new error and the gcc
> >line that's generating it.  I haven't compiled glibc on Solaris yet (and
> >so far I'm happily avoiding it).
> >
> >gcc .libs/radiusdS.o -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
> >-Wall -D_GNU_SOURCE -DNDEBUG -I../include -o .libs/radiusd radiusd.o
> >files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o
> >auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o
> >threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o
> >-L/export/home/chayim/freeradius/src/lib
> >/export/home/chayim/freeradius/src/lib/.libs/libradius.so -lcrypt
> >/export/home/chayim/freeradius/libltdl/.libs/libltdl.so -ldl -lnsl
> >-lresolv -lsocket -lposix4 -lpthread -R/shared/toolchain//lib
> >ld: fatal: file /lib/libcrypt.so: wrong ELF class: ELFCLASS32
> >ld: fatal: File processing errors. No output written to .libs/radiusd
> >collect2: ld returned 1 exit status
> 
> Note that you above set '/lib' explicitly to be the first place for
> ld to look.  Try removing the '/lib' from the front of your LD_LIBRARY_PATH.
> 
> -Chris
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
> 
> 





re: Help! Can't compile rlm_sql_oracle on solaris

2003-02-06 Thread Chris Parker
At 04:51 PM 2/6/2003 -0500, Chayim I. Kirshen wrote:

> Well, I solved the rlm_sql_oracle issue (thanks Chris):
>
> Here's what I needed to do:
>
> 1. recompile my gcc for 64 bit.  This means use a 32 bit gcc to
> bootstrap binutils, and then create a 64 bit compiler.
>
> 2. export LD_LIBRARY_PATH=/lib:/path-to-compiler/lib

Here is what I do to set a 64-bit solaris env:

( assuming you've installed 64-bit version of gcc in /usr/local/gcc-v9 )

PATH=/usr/local/gcc-v9/bin:$PATH
LD_LIBRARY_PATH=/usr/local/gcc-v9/lib:$LD_LIBRARY_PATH
CFLAGS="-mcpu=v9 -Wa,-xarch=v9a"
CXXFLAGS=$CFLAGS
export PATH LD_LIBRARY_PATH CFLAGS CXXFLAGS

> And that was great.  Except I've got this new issue where I can't use
> libcrypt.so because of a linker error.  Here's my new error and the gcc
> line that's generating it.  I haven't compiled glibc on Solaris yet (and
> so far I'm happily avoiding it).
>
> gcc .libs/radiusdS.o -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
> -Wall -D_GNU_SOURCE -DNDEBUG -I../include -o .libs/radiusd radiusd.o
> files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o
> auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o
> threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o
> -L/export/home/chayim/freeradius/src/lib
> /export/home/chayim/freeradius/src/lib/.libs/libradius.so -lcrypt
> /export/home/chayim/freeradius/libltdl/.libs/libltdl.so -ldl -lnsl
> -lresolv -lsocket -lposix4 -lpthread -R/shared/toolchain//lib
> ld: fatal: file /lib/libcrypt.so: wrong ELF class: ELFCLASS32
> ld: fatal: File processing errors. No output written to .libs/radiusd
> collect2: ld returned 1 exit status


Note that you above set '/lib' explicitly to be the first place for
ld to look.  Try removing the '/lib' from the front of your LD_LIBRARY_PATH.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net
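
The "wrong ELF class: ELFCLASS32" error and the advice to take '/lib' off the front of LD_LIBRARY_PATH can be checked before linking by reading the EI_CLASS byte of whichever library a search path finds first. This is an added Python example, not part of the thread; the first-match search is a simplified model of the linker's lookup, and the directory layout and stub files are constructed for the demonstration.

```python
import os
import tempfile

CLASS_NAMES = {1: "ELFCLASS32", 2: "ELFCLASS64"}


def elf_class(path):
    """Return the ELF class named by e_ident[EI_CLASS], or None if not ELF."""
    with open(path, "rb") as fh:
        ident = fh.read(16)
    if len(ident) < 16 or ident[:4] != b"\x7fELF":
        return None
    return CLASS_NAMES.get(ident[4], "ELFCLASSNONE")


def first_match(libname, search_path):
    """First directory in a colon-separated path that holds libname wins."""
    for directory in search_path.split(":"):
        if not directory:
            continue  # simplification: empty entries are skipped
        candidate = os.path.join(directory, libname)
        if os.path.isfile(candidate):
            return candidate
    return None


def check(libname, search_path, wanted):
    """Report which file would be picked up and whether its class is usable."""
    path = first_match(libname, search_path)
    found = elf_class(path) if path else None
    return {"path": path, "class": found, "ok": found == wanted}


def _write_stub(path, ei_class):
    # Constructed stub: only the 16-byte e_ident (magic, EI_CLASS,
    # EI_DATA=2 big-endian, EI_VERSION=1, padding). Not a loadable library.
    with open(path, "wb") as fh:
        fh.write(b"\x7fELF" + bytes([ei_class, 2, 1]) + b"\x00" * 9)


def demo():
    """Constructed layout: a 32-bit and a 64-bit libcrypt.so in two directories."""
    with tempfile.TemporaryDirectory() as root:
        dir32 = os.path.join(root, "lib")
        dir64 = os.path.join(root, "lib64")
        os.makedirs(dir32)
        os.makedirs(dir64)
        _write_stub(os.path.join(dir32, "libcrypt.so"), 1)
        _write_stub(os.path.join(dir64, "libcrypt.so"), 2)
        # 32-bit directory listed first: the 64-bit build trips over it.
        before = check("libcrypt.so", dir32 + ":" + dir64, "ELFCLASS64")
        # 32-bit directory removed from the front of the path.
        after = check("libcrypt.so", dir64, "ELFCLASS64")
        return before["class"], before["ok"], after["class"], after["ok"]


if __name__ == "__main__":
    print(demo())
```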





re: Help! Can't compile rlm_sql_oracle on solaris

2003-02-06 Thread Chayim I. Kirshen
Well, I solved the rlm_sql_oracle issue (thanks Chris):

Here's what I needed to do:

1. recompile my gcc for 64 bit.  This means use a 32 bit gcc to
bootstrap binutils, and then create a 64 bit compiler.

2. export LD_LIBRARY_PATH=/lib:/path-to-compiler/lib

And that was great.  Except I've got this new issue where I can't use
libcrypt.so because of a linker error.  Here's my new error and the gcc
line that's generating it.  I haven't compiled glibc on Solaris yet (and
so far I'm happily avoiding it).

gcc .libs/radiusdS.o -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
-Wall -D_GNU_SOURCE -DNDEBUG -I../include -o .libs/radiusd radiusd.o
files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o
auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o
threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o 
-L/export/home/chayim/freeradius/src/lib
/export/home/chayim/freeradius/src/lib/.libs/libradius.so -lcrypt
/export/home/chayim/freeradius/libltdl/.libs/libltdl.so -ldl -lnsl
-lresolv -lsocket -lposix4 -lpthread -R/shared/toolchain//lib
ld: fatal: file /lib/libcrypt.so: wrong ELF class: ELFCLASS32
ld: fatal: File processing errors. No output written to .libs/radiusd
collect2: ld returned 1 exit status


On Thu, 2003-02-06 at 16:37, Chris Parker wrote:
> At 04:28 PM 2/6/2003 -0500, Chayim I. Kirshen wrote:
> >Chris,
> >
> >My compiler is now 64 bit (with a bit of work), but I still can't link.
> >Any ideas?  BTW: since I'm not subscribed to the list, can you reply all
> >so I can see it as well.
> 
> Can you reprint the error you are seeing?
> 
> Also, can you show the output of 'file ' where  is the rlm_sql.o
> file and the oracle lib that isn't working?
> 
> Also, please list the output of 'ldd ' where  is the
> library that is failing to link.
> 
> -Chris
> 
> 
> >thanks,
> >
> >--ck
> >
> >
> 
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
> 
> 





re: Help! Can't compile rlm_sql_oracle on solaris

2003-02-06 Thread Chris Parker
At 04:28 PM 2/6/2003 -0500, Chayim I. Kirshen wrote:

> Chris,
>
> My compiler is now 64 bit (with a bit of work), but I still can't link.
> Any ideas?  BTW: since I'm not subscribed to the list, can you reply all
> so I can see it as well.

Can you reprint the error you are seeing?

Also, can you show the output of 'file ' where  is the rlm_sql.o
file and the oracle lib that isn't working?

Also, please list the output of 'ldd ' where  is the
library that is failing to link.

-Chris

> thanks,
>
> --ck




--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





re: Help! Can't compile rlm_sql_oracle on solaris

2003-02-06 Thread Chayim I. Kirshen
Chris,

My compiler is now 64 bit (with a bit of work), but I still can't link. 
Any ideas?  BTW: since I'm not subscribed to the list, can you reply all
so I can see it as well.

thanks,

--ck





Re: Help! Can't compile rlm_sql_oracle on solaris

2003-02-05 Thread Chris Parker
At 11:48 AM 2/5/2003 -0500, Chayim I. Kirshen wrote:

> Hi there,
>
> I'm trying to compile rlm_sql_oracle for solaris.  I've got the oracle9i
> client installed and when linking I get an error because of the ELFCLASS
> of the file.  I've printed the output of the make below.  Hopefully,
> someone can help me!
> Oh, I've got GNU make, the GCC, and am running Solaris 8i.  Thanks!


It looks like perhaps you have a 64-bit version of the oracle libs, but
you haven't told GCC to compile 64-bit versions of freeradius.

Either use a 32-bit version of Oracle, or tell GCC to compile in 64-bit
mode.  Getting GCC to compile 64-bit binaries is possible, though it
is a fairly involved process and not for the faint of heart ( you have
to bootstrap a 32bit compiler that can produce 64bit output, then build
a 64bit native compiler ).

You could try telling './configure' that your host is: sparc64-sun-solaris2.8

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: HELP: EAP/TLS - XP

2003-01-31 Thread Artur Hecker
hi philip


thanks for the point, david probably just has to check the extensions 
and other things. however, it seems that the server certificate isn't 
accepted, not the client certificate.

something has to be wrong, since in my case, too, it worked fine with 
cisco and orinoco equipment, since the 0.5 fr release, so...

ciao
artur


Philip Blow wrote:
> David, Artur,
>
> This problem appears to be caused by having the Server Authentication
> and Client Authentication properties set in the certificate. If you
> disable all extended certificate properties except the Client
> Authentication in the Client certificate on the XP machine the EAP
> authentication should work.
>
> It worked for me via both Symbol and Orinoco APs with certificates that
> I generated with the OpenCA certificate authority.
>
> Cheers,
>
> Philip Blow
> Senior Technical Manager
> Simply Wireless
> [EMAIL PROTECTED]
>
> > hi David
> >
> > ok, it's good news then... if you followed exactly the steps, it should
> > work fine.
> >
> > to find the error, just put the same certificate which is available at
> > the server side on your XP machine and open it using the crypto
> > extensions (double-click). XP should say you what is missing. the most
> > probable error would be imho an expiration date. the second possible
> > would be the forgotten extension (as already said, both errors should
> > not be there if you followed exactly the script, but still, check it).
> > check the availability of the private key, check the certification path,
> > XP should know the signing CA (meaning that the cert is signed by the CA
> > whose certificate is installed under certification authorities).
> >
> > regards,
> > artur
> >
> >
> > David Baer wrote:
> > > The problem has been partially solved (or let's say:  narrowed).
> > > Somehow the server's certificate is not accepted by the XP-supplicant.
> > > If the "Validate server certificate" check box is unchecked, the authentication
> > > succeeds. To leave the server's certificate unvalidated is not very desirable though.
> > > I used the script by Ken Roser (http://www.freeradius.org/doc/EAPTLS.pdf) to generate
> > > the certificates.
> > > Any idea what I could have done wrong with the server's certificate?
> > > david



--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker





RE: HELP: EAP/TLS - XP

2003-01-30 Thread Philip Blow
David, Artur,

This problem appears to be caused by having the Server Authentication
and Client Authentication properties set in the certificate. If you
disable all extended certificate properties except the Client
Authentication in the Client certificate on the XP machine the EAP
authentication should work.

It worked for me via both Symbol and Orinoco APs with certificates that
I generated with the OpenCA certificate authority.

Cheers,

Philip Blow
Senior Technical Manager
Simply Wireless
[EMAIL PROTECTED]

> hi David
>
> ok, it's good news then... if you followed exactly the steps, it should
> work fine.
>
> to find the error, just put the same certificate which is available at
> the server side on your XP machine and open it using the crypto
> extensions (double-click). XP should say you what is missing. the most
> probable error would be imho an expiration date. the second possible
> would be the forgotten extension (as already said, both errors should
> not be there if you followed exactly the script, but still, check it).
> check the availability of the private key, check the certification path,
> XP should know the signing CA (meaning that the cert is signed by the CA
> whose certificate is installed under certification authorities).
>
> regards,
> artur
>
>
> David Baer wrote:
> > The problem has been partially solved (or let's say:  narrowed).
> > Somehow the server's certificate is not accepted by the XP-supplicant.
> > If the "Validate server certificate" check box is unchecked, the authentication
> > succeeds. To leave the server's certificate unvalidated is not very desirable though.
> > I used the script by Ken Roser (http://www.freeradius.org/doc/EAPTLS.pdf) to generate
> > the certificates.
> > Any idea what I could have done wrong with the server's certificate?
> > david




Re: HELP: EAP/TLS - XP

2003-01-29 Thread Artur Hecker
hi David

ok, it's good news then... if you followed exactly the steps, it should 
work fine.

to find the error, just put the same certificate which is available at 
the server side on your XP machine and open it using the crypto 
extensions (double-click). XP should say you what is missing. the most 
probable error would be imho an expiration date. the second possible 
would be the forgotten extension (as already said, both errors should 
not be there if you followed exactly the script, but still, check it). 
check the availability of the private key, check the certification path, 
XP should know the signing CA (meaning that the cert is signed by the CA 
whose certificate is installed under certification authorities).

regards,
artur


David Baer wrote:
> The problem has been partially solved (or let's say:  narrowed).
> Somehow the server's certificate is not accepted by the XP-supplicant.
> If the "Validate server certificate" check box is unchecked, the authentication
> succeeds. To leave the server's certificate unvalidated is not very desirable though.
> I used the script by Ken Roser (http://www.freeradius.org/doc/EAPTLS.pdf) to generate
> the certificates.
> Any idea what I could have done wrong with the server's certificate?
> david


--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker





Re: HELP: EAP/TLS - XP

2003-01-28 Thread David Baer
The problem has been partially solved (or let's say:  narrowed).
Somehow the server's certificate is not accepted by the XP-supplicant.
If the "Validate server certificate" check box is unchecked, the authentication
succeeds. To leave the server's certificate unvalidated is not very desirable though.
I used the script by Ken Roser (http://www.freeradius.org/doc/EAPTLS.pdf) to generate 
the certificates. 
Any idea what I could have done wrong with the server's certificate?
david




Re: HELP: EAP/TLS - XP

2003-01-22 Thread Artur Hecker
commenting on my own post:


> effectively, it's a re-request since the id-number is the same. the TLS
> error probably comes from the shortened message or something similar,
> the data seems to be corrupted in some way. radius seems to just reject
> from that moment on, it doesn't seem to check the second message for its
> correctness (IMHO, it should however, since it's udp).

what i want to say is: the first message can be wrong because it is UDP.
freeradius doesn't answer to it with a Reject. this is correct IMHO. it
should accept N ( N=? ) wrong re-requests (requests with same ID, same
eap number, etc. but _different_ data) before rejecting a user.

it now seems to reject immediately after the second message arrives or
is it able to see that the messages are exactly the same?

developers, could you say on the fly what the current behaviour is?


thanks
artur


-- 
Artur Hecker
De'partement Informatique et Re'seaux, ENST Paris
http://www.infres.enst.fr/~hecker





Re: HELP: EAP/TLS - XP

2003-01-22 Thread Artur Hecker

hi

David Baer wrote:
> hi, thanks for looking at the matter, Artur.
>
>> in fact, unless you shortened your post, there seems to be two
>> requests one after another or am i wrong? because radius actually
>> doesn't do anything about the wrong request. it denies the next
>> one... well, it's perhaps normal.
>
> well strange is (or is it a normal retry?), that it has two rad_recv
> of id=95. one at (*A*) and than the other one at  (*B*). then he is
> sending the reject message on the line (*E*) to id=95, but it is not
> clear to which. However, I think the problem really is between line
> (*C*) and (*D*) which prevents me from getting an Access-Accept This
> error seems to happen from time to time, I've found another post in
> the mailing list
> (http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg11598.html).
> But there isn't a solution (or even a guess, as to where it
> comes from) around. Advice is appreciated. david

it's probably a bug in your AP implementation. try the newest firmware, e.g.

effectively, it's a re-request since the id-number is the same. the TLS
error probably comes from the shortened message or something similar,
the data seems to be corrupted in some way. radius seems to just reject
from that moment on, it doesn't seem to check the second message for its
correctness (IMHO, it should however, since it's udp).

compare the two messages by snooping on the interface. if the error is
always the same, try to change some parameters (framed-mtu value,
perhaps even another user-name, etc.)


ciao
artur

-- 
Artur Hecker
De'partement Informatique et Re'seaux, ENST Paris
http://www.infres.enst.fr/~hecker
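
One way to compare the messages as suggested above is to decode the EAP-Message attribute values printed in the debug output into their EAP, EAP-TLS and TLS record headers. This is an added Python example, not code from the thread or from FreeRADIUS; the two sample strings are copied from the debug output David Baer posted in this thread, and the function names are this example's own.

```python
import re
import struct

# Escapes as they appear in the debug output: \NNN octal plus a few named ones.
_ESCAPE = re.compile(r'\\([0-3][0-7]{2}|[rnt\\"])')
_NAMED = {"r": 0x0D, "n": 0x0A, "t": 0x09, "\\": 0x5C, '"': 0x22}

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}
EAP_TYPE_TLS = 13


def unescape(printed: str) -> bytes:
    """Turn the printed attribute value back into raw octets."""
    out, pos = bytearray(), 0
    for match in _ESCAPE.finditer(printed):
        out += printed[pos:match.start()].encode("latin-1")
        token = match.group(1)
        out.append(int(token, 8) if len(token) == 3 else _NAMED[token])
        pos = match.end()
    out += printed[pos:].encode("latin-1")
    return bytes(out)


def parse_eap_tls(body: bytes) -> dict:
    """EAP-TLS data: flags octet, optional 4-octet TLS length, TLS records."""
    if not body:
        return {"records": []}
    flags = body[0]
    info = {"length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20)}
    pos = 1
    if info["length_included"]:
        if len(body) < 5:
            raise ValueError("L flag set but TLS length field is truncated")
        (info["tls_message_length"],) = struct.unpack("!I", body[1:5])
        pos = 5
    records = []
    while pos + 5 <= len(body):
        ctype, major, minor, rlen = struct.unpack("!BBBH", body[pos:pos + 5])
        records.append({"type": TLS_CONTENT.get(ctype, ctype),
                        "version": (major, minor),
                        "length": rlen,
                        "complete": pos + 5 + rlen <= len(body)})
        pos += 5 + rlen
    info["records"] = records
    return info


def parse_eap(raw: bytes) -> dict:
    """EAP header: code, identifier, length; then type data for Request/Response."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-octet header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "length": length, "length_ok": length == len(raw)}
    if code in (1, 2) and len(raw) > 4:
        info["type"] = raw[4]
        if raw[4] == EAP_TYPE_TLS:
            info["tls"] = parse_eap_tls(raw[5:length])
    return info


# Copied from the Access-Request and Access-Reject in the thread's debug output.
RESPONSE_FROM_LOG = (r'\002\007\000!\r\200\000\000\000\027\025\003\001\000\022'
                     r'^\333$,\363"\275\010\010\374\234\204y\337\306U-g')
REJECT_FROM_LOG = r'\004\007\000\004'

if __name__ == "__main__":
    print(parse_eap(unescape(RESPONSE_FROM_LOG)))
    print(parse_eap(unescape(REJECT_FROM_LOG)))
```

The Response decodes to a 33-octet EAP-TLS packet whose length fields agree with each other and which carries one TLS 1.0 alert record from the supplicant; the Access-Reject carries a 4-octet EAP Failure with the same identifier.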





Re: HELP: EAP/TLS - XP

2003-01-20 Thread David Baer
hi, 
thanks for looking at the matter, Artur.
> in fact, unless you shortened your post, there seems to be two requests
> one after another or am i wrong? because radius actually doesn't do
> anything about the wrong request. it denies the next one... well, it's
> perhaps normal.
well strange is (or is it a normal retry?), that it has two rad_recv of id=95. one at 
(*A*) and then the other one at  (*B*).
then he is sending the reject message on the line (*E*) to id=95, but it is not clear 
to which. 
However, I think the problem really is between line (*C*) and (*D*) which prevents me 
from getting an Access-Accept
This error seems to happen from time to time, I've found another post in the mailing 
list (http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg11598.html). 
But there isn't a solution (or even a guess, as to where it comes from) around.
Advice is appreciated.
david



rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180 
 (*A*)
User-Name = "Hera"
NAS-IP-Address = 10.56.56.201
Called-Station-Id = "00-02-2d-48-6d-89"
Calling-Station-Id = "00-05-3c-06-6e-61"
NAS-Identifier = "hercules"
State = 0xcbc90276b2c75bcf69c846a00bbb35e62f922b3ea0b9afaf4605a59f14b2fa8fc483abdc
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\007\000!\r\200\000\000\000\027\025\003\001\000\022^\333$,\363"\275\010\010\374\234\204y\337\306U-g"
Message-Authenticator = 0x9095e69b06f47161b67f54139c32e1ef
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "Hera", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched Hera at 98
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls:  Length Included
<<< TLS 1.0 Alert [length 0002], fatal access_denied   (*C*)

TLS Alert read:fatal:access denied
2727:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49
rlm_eap_tls: SSL_read Error
 Error code is . 6
 SSL Error . 6
rlm_eap_tls: BIO_read Error
 Error code is . 5
 Error in SSL . 5   (*D*)
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180   (*B*)
Sending Access-Reject of id 95 to 10.56.56.201:6001   (*E*)
EAP-Message = "\004\007\000\004"
Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 91 with timestamp 3e2b922e
Cleaning up request 7 ID 92 with timestamp 3e2b922e
Cleaning up request 8 ID 93 with timestamp 3e2b922e
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 94 with timestamp 3e2b922f
Cleaning up request 10 ID 95 with timestamp 3e2b922f
Nothing to do.  Sleeping until we see a request.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
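
Added example, not part of the original thread: a Python sketch that decodes the two EAP-Message values from the debug log in the message above, showing that the TLS alert arrives inside an EAP-Response (EAP-TLS, Length Included) from the supplicant and that the Access-Reject carries an EAP-Failure for the same EAP id; it also flags the repeated rad_recv with id=95. The function names are this example's own, and the parser assumes the log prints non-printable octets as \ooo octal or \r, as it does in the post.

```python
import re
import struct

# The two EAP-Message values copied from the debug log quoted in the thread.
REQUEST_EAP = r'\002\007\000!\r\200\000\000\000\027\025\003\001\000\022^\333$,\363"\275\010\010\374\234\204y\337\306U-g'
REJECT_EAP = r'\004\007\000\004'

# rad_recv / Sending lines copied from the same log (markers removed).
LOG_LINES = [
    "rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180",
    "rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180",
    "Sending Access-Reject of id 95 to 10.56.56.201:6001",
]

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}
TLS_RECORDS = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))  # Length included, More fragments, Start

_TOKEN = re.compile(r'\\([0-7]{3})|\\([rnt\\"])|(.)', re.S)
_SIMPLE = {"r": 0x0D, "n": 0x0A, "t": 0x09, "\\": 0x5C, '"': 0x22}
_RECV = re.compile(r"rad_recv: (\S+) packet from host (\S+), id=(\d+), length=(\d+)")


def unescape(text):
    """Turn the log's printable form (octal escapes, \\r, literal ASCII) back into bytes."""
    out = bytearray()
    for octal, simple, literal in _TOKEN.findall(text):
        value = int(octal, 8) if octal else _SIMPLE[simple] if simple else ord(literal)
        if value > 0xFF:
            raise ValueError("not a single octet: %r" % (octal or literal))
        out.append(value)
    return bytes(out)


def decode_eap(data):
    """Decode one EAP packet; for EAP-TLS also list the TLS record headers it carries."""
    if len(data) < 4:
        raise ValueError("EAP header needs 4 octets")
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": length > len(data)}  # header claims more than was received
    body = data[4:length]
    if code not in (1, 2) or not body:
        return info                           # Success/Failure carry no type field
    info["type"] = EAP_TYPES.get(body[0], body[0])
    if body[0] != 13 or len(body) < 2:
        return info
    flags, pos = body[1], 2
    info["flags"] = "".join(name for bit, name in TLS_FLAGS if flags & bit)
    if flags & 0x80:                          # L bit: 4-octet TLS message length follows
        if len(body) < pos + 4:
            info["truncated"] = True
            return info
        info["tls_message_length"] = struct.unpack("!I", body[pos:pos + 4])[0]
        pos += 4
    records = []
    while pos + 5 <= len(body):               # TLS record header: type, version, length
        ctype, major, minor, rlen = struct.unpack("!BBBH", body[pos:pos + 5])
        records.append({"type": TLS_RECORDS.get(ctype, ctype),
                        "version": "%d.%d" % (major, minor),
                        "length": rlen,
                        "complete": pos + 5 + rlen <= len(body)})
        pos += 5 + rlen
    info["records"] = records
    return info


def find_retransmits(lines):
    """Return (host, id) pairs received more than once, i.e. requests the NAS sent again."""
    seen, repeats = set(), []
    for line in lines:
        m = _RECV.search(line)
        if not m:
            continue
        key = (m.group(2), int(m.group(3)))
        if key in seen and key not in repeats:
            repeats.append(key)
        seen.add(key)
    return repeats


if __name__ == "__main__":
    print(decode_eap(unescape(REQUEST_EAP)))
    print(decode_eap(unescape(REJECT_EAP)))
    print(find_retransmits(LOG_LINES))
```

The alert record is 18 octets rather than the 2 octets of a plaintext alert, so it was sent under the negotiated cipher; the decoded description (alert number 49) is only visible in the server-side log line.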



Re: HELP: EAP/TLS - XP

2003-01-20 Thread Artur Hecker
hi

> I don't think it's an AP problem, because Raymon McKey
> (http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm) is working
> with the same AP. i never tried with md5, did it work with you?

and you probably can't since you use XP SP1 which does not offer EAP/MD5
for wireless anymore :)


> do you work with an english XP? (just asking, because I have japanese
> XP and the other person that had this problem also had an asian
> name.) I don't know nothing about XP, but could it be possible, that
> this is some japanese-XP bug? I'm trying to get into the source code,
> but this might take some time (I'm not very good in C). however, it
> seems that the radius server did not get the expected message. it
> would have needed an ACK-response, but received something else...

in fact, unless you shortened your post, there seems to be two requests
one after another or am i wrong? because radius actually doesn't do
anything about the wrong request. it denies the next one... well, it's
perhaps normal.

some developers here? :-)


ciao
artur


-- 
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 750746, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr  ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: HELP: EAP/TLS - XP

2003-01-20 Thread David Baer
Hi Jeffrey, 
>   Do you work well via md5? I cannot work fine with ap-2000 too? :(
> I guess it is AP problem!
I don't think it's an AP problem, because Raymon McKey 
(http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm) is working with the 
same AP. i never tried with md5, did it work with you?

do you work with an english XP? (just asking, because I have japanese XP and 
the other person that had this problem also had an asian name.)
I don't know nothing about XP, but could it be possible, that this is some 
japanese-XP bug?
I'm trying to get into the source code, but this might take some time (I'm not 
very good in C). however, it seems that the radius server did not get the 
expected message. it would have needed an ACK-response, but received 
something else...

david

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: HELP: EAP/TLS - XP

2003-01-20 Thread Jeffery Huang
Dear David,
  Do you work well via md5? I cannot work fine with ap-2000 too? :(
I guess it is AP problem!
On Mon, 2003-01-20 14:39, David Baer wrote:
> I'm trying to get XP and freeRADIUS working together.  I encountered a problem that
> has been reported here before
> (http://lists.cistron.nl/pipermail/freeradius-users/2002-August/009650.html), but no
> solution has been posted.
> Maybe someone else has stumbled across it or has an idea.
>
> The thing is that all tls handshake passed and then it seems that the supplicant
> backs off...
> I'm using Service Pack 1 and an Orinoco 2000 AP with img 2.0.10 installed.
> 
> thanks for any help,
> david
> 
> 
> 
> rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180
>   User-Name = "Hera"
>   NAS-IP-Address = 10.56.56.201
>   Called-Station-Id = "00-02-2d-48-6d-89"
>   Calling-Station-Id = "00-05-3c-06-6e-61"
>   NAS-Identifier = "hercules"
>   State = 0xcbc90276b2c75bcf69c846a00bbb35e62f922b3ea0b9afaf4605a59f14b2fa8fc483abdc
>   Framed-MTU = 1400
>   NAS-Port-Type = Wireless-802.11
>   EAP-Message = "\002\007\000!\r\200\000\000\000\027\025\003\001\000\022^\333$,\363"\275\010\010\374\234\204y\337\306U-g"
>   Message-Authenticator = 0x9095e69b06f47161b67f54139c32e1ef
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "eap" returns updated
> rlm_realm: No '@' in User-Name = "Hera", looking up realm NULL
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
> users: Matched Hera at 98
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP_TYPE - tls
> rlm_eap: processing type tls
> rlm_eap_tls:  Length Included
> <<< TLS 1.0 Alert [length 0002], fatal access_denied
> 
> TLS Alert read:fatal:access denied
> 2727:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49
> rlm_eap_tls: SSL_read Error
>  Error code is . 6
>  SSL Error . 6
> rlm_eap_tls: BIO_read Error
>  Error code is . 5
>  Error in SSL . 5
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Delaying request 10 for 1 seconds
> Finished request 10
> Going to the next request
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180
> Sending Access-Reject of id 95 to 10.56.56.201:6001
>   EAP-Message = "\004\007\000\004"
>   Message-Authenticator = 0x
> --- Walking the entire request list ---
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 6 ID 91 with timestamp 3e2b922e
> Cleaning up request 7 ID 92 with timestamp 3e2b922e
> Cleaning up request 8 ID 93 with timestamp 3e2b922e
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 9 ID 94 with timestamp 3e2b922f
> Cleaning up request 10 ID 95 with timestamp 3e2b922f
> Nothing to do.  Sleeping until we see a request.
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
Regard,
Jeffery Huang
iMining Technology Inc.,
Addr: 8F-4 No.432, Sec. 1, 
Keelung Rd., Taipei,Taiwan
Tel: 886-2-27235122 ext 20
Fax: 886-2-27232287
mail:[EMAIL PROTECTED]
http://www.imining.com.tw


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Help!!!How can I use MySQL and EAP together?

2003-01-06 Thread Artur Hecker

> you do not use to put the auth type explicitly, it should be put by the

ahem, i meant: "you do not need to put the auth-type"

sorry. never write mails in industry meetings :)


ciao
artur

-- 
_
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 750746, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr  ENST Paris

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Help!!!How can I use MySQL and EAP together?

2003-01-06 Thread Artur Hecker
hi

wanglu wrote:
> 
>   I installed freeradius-snapshot-2002-0916 in Redhat7.2. I want to configure it to
> use mysql. According to http://www.swx.nl/freeradius/freeradiussql.html, it does work.
> I want to use MySQL and 'Auth-Type=EAP'.

why did you install this particular (and very old) snapshot? take
version 0.8.1 or a newer snapshot (but it has nothing to do with your
problem).


>   I have read the documents of eap and eaptsl.pdf, where I can not find out the
> answer.
> Whether MySQL can only be used with 'AUth-Type=PAP' together? What can I do to use
> MySQL and EAP authentication together??? Hope you can help me.

you do not use to put the auth type explicitly, it should be put by the
authorize section automatically, depending on the user config e.g. in
the sql data base.

so, in radiusd.conf:

authorize {
        sql
}

authenticate {
        eap
}

in users:

user    Auth-Type := Local, User-Password == "password"



ciao
artur


-- 
_
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 750746, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr  ENST Paris

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Help with radrelay

2002-12-18 Thread Simon
On Mon, Dec 16, 2002 at 10:03:26AM +1100, Iq wrote:
> 
> Hi everyone,
>Need a little help with radrelay. I have two NAS boxes (a
> portmaster and Ascend). Both of them authenticate customers from two radius
> servers (radius-0.8). One primary and other secondary. I want to run
> radrelay. My questions are
> as it says in doc/radrelay
> 1.  radrelay -S secret_file  detail-combined
> what is a secret file, what should it contain and how do we write it ?
>  where it says server, which server is that is it the primary server IP
> (localhost) or secondary server IP ?
> My detail-combined is getting created.

From the radrelay manpage:
   -S secret_file
  Read remote server secret from file,  the  file  should  contain
  nothing other then the plain-text secret.

doc/radrelay is slightly out of date, use -r  instead
of  above.

I'll send a patch with some updates for doc/radrelay, -n should be
mentioned in there too.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: HELP !

2002-11-26 Thread Alan DeKok
"Grey V. Solop" <[EMAIL PROTECTED]> wrote:
> I have FreeBSD, freeRADIUS MSSQL, Win2k-RRAS. It is necessary to
> adjust authorization of users. How it to make?

  Read the documentation?

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Help equired for EAP

2002-10-21 Thread Artur Hecker
hi

john zurowski wrote:
> 
> I'm trying to use Freeradius with a 3com 802.11 Lan AP (8000).
> 
> It supports EAP-MD5 which is the authentication method I'm attempting
> to use.
> 
> However it fails when attempting to autheticate the user. Has anyone
> used EAP-MD5 with 802.11 AP and Freeradius ?

why don't you provide some info on that? like what exactly fails e.g.?
or some logs? how are we supposed to help you if you don't say anything?

give it a try


ciao
artur


-- 
_
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 750746, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr  ENST Paris

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Help with hints/users file please

2002-10-17 Thread Alan DeKok
Guillermo Schimmel <[EMAIL PROTECTED]> wrote:
> I will have to wait at least until 0.8 (That sounds stable enough for 
> him. I don't get it.)
> 
> So, there isn't any chances for me to rewrite the Calling-Station-Id value?

  Not until 0.8, sorry.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Help with hints/users file please

2002-10-17 Thread Guillermo Schimmel
Ok . Thanks.

Unfortunately, my boss doesn't want to upgrade the freeradius to the cvs
version.
He is getting older and is starting to like stability.

I will have to wait at least until 0.8 (That sounds stable enough for
him. I don't get it.)

So, there isn't any chance for me to rewrite the Calling-Station-Id value?


Thank you very much to both of you Alan and Chris for your time.


Guillermo



Alan DeKok wrote:

> Chris Parker <[EMAIL PROTECTED]> wrote:
>
> > You will probably want to try an entry similar to:
> >
> > DEFAULT Called-Station-Id == "40004009"
> >   Called-Station-Id := "1140004009"
> >
> > I believe it will work both before authorization and accounting, though
> > I'm not positive on the accounting part.
>
>  When using preproxy, *all* requests which get proxied get passed
> through the 'preproxy_users' file.  This means BOTH accounting and
> authentication.
>
>  It may be useful to split them up, but that may be more work than
> it's worth.
>
>  Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help with hints/users file please

2002-10-17 Thread Alan DeKok
Chris Parker <[EMAIL PROTECTED]> wrote:
> You will probably want to try an entry similar to:
> 
> DEFAULT Called-Station-Id == "40004009"
>Called-Station-Id := "1140004009"
> 
> 
> I believe it will work both before authorization and accounting, though
> I'm not positive on the accounting part.

  When using preproxy, *all* requests which get proxied get passed
through the 'preproxy_users' file.  This means BOTH accounting and
authentication.

  It may be useful to split them up, but that may be more work than
it's worth.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Help with hints/users file please

2002-10-17 Thread Chris Parker
At 02:44 PM 10/17/2002 -0300, Guillermo Schimmel wrote:

> I have downloaded the cvs version, but before start the tests I would like
> to know if the pre_proxy feature works for accounting and authentication,
> or just authentication.
>
> And how would the config be?
>
> Something like this?
>
> DEFAULT Called-Station-Id == "40004009", Called-Station-Id : = "40004009"

No, look at the sample in the file:

#DEFAULT
#   User-Name := `%{Stripped-User-Name:-%{User-Name}}`

You will probably want to try an entry similar to:

DEFAULT Called-Station-Id == "40004009"
  Called-Station-Id := "1140004009"


I believe it will work both before authorization and accounting, though
I'm not positive on the accounting part.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help with hints/users file please

2002-10-17 Thread Guillermo Schimmel
I have downloaded the cvs version, but before start the tests I would 
like to know if the pre_proxy feature works for accounting and 
authentication, or just authentication.

And how would the config be?

Something like this?

DEFAULT Called-Station-Id == "40004009", Called-Station-Id : = "40004009"

Thanks


Chris Parker wrote:

> At 12:18 PM 10/17/2002 -0300, Guillermo Schimmel wrote:
>
> > Chris Parker wrote:
> >
> > > At 11:41 AM 10/17/2002 -0300, Guillermo Schimmel wrote:
> > >
> > > > Hi list:
> > > >
> > > > I have to proxy some request to another company's radius, based on
> > > > called-station-id.
> > > >
> > > > I am doing it with this line:
> > > >
> > > > DEFAULT Called-Station-Id == "40004009", Proxy-To-Realm := "prima"
> > > >
> > > > Now, the problem is that the PSTN switch that we use, (Ericsson
> > > > AXE) is a piece of s..., and we receive things like:
> > > >
> > > > 40004009
> > > > 1140004009 (11 is the area code)
> > > > 12240004009 (122 is our telco code)
> > > > 1221140004009 (both)
> > > >
> > > > And so on
> > >
> > > There is a regular expression operator that would allow you to do
> > > something like:
> > >
> > > DEFAULT Called-Station-Id =~ "*40004009$", Proxy-To-Realm := "prima"
> >
> > The problem with that is that I have several cities, and the numbers
> > can contain each other, like:
> >
> > City 1: 400040
> > City 2: 40400040
> >
> > So I would have to play with the order in which the expressions are
> > evaluated, and I don't like it :)
>
> Yes, proper parsing order will be needed. :)
>
> > > > How can I rewrite the Called-Station-Id AND Proxy-To-Realm?
> > >
> > > You could try using the ":=" operator on the second Called-Station-Id
> > > attribute.
> >
> > This doesn't work. There is something on "processing_users_file" that
> > says:
> >
> > If an attribute is already present in the check pairlist of the
> > request it will not be changed (see files.c:movepair).
>
> Right, so that won't work for you.
>
> > > Also, there is currently a new feature added to the server for
> > > 'pre-proxy' under which you could rewrite the attributes before
> > > proxying to the remote server. This is a new feature so it's not
> > > widely documented yet, but it does exist and should allow you to do
> > > what you need.
> >
> > So I think that this could be what I need. What can I read about
> > this? How new is that? It is on 0.7? Or on CVS?
>
> It is in the latest CVS version. See the file 'preproxy_users' for more
> information. It is very basic at the moment, but it does allow you to
> rewrite attributes prior to proxying.
>
> -Chris
> --
> \\\|||/// \ StarNet Inc. \ Chris Parker
> \ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
> | @ @ | \ http://www.starnetwx.net \ (847) 963-0116
> oOo---(_)---oOo--\--
> \ Wholesale Internet Services - http://www.megapop.net
>
> - List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help with hints/users file please

2002-10-17 Thread Chris Parker
At 12:18 PM 10/17/2002 -0300, Guillermo Schimmel wrote:



> Chris Parker wrote:
>
> > At 11:41 AM 10/17/2002 -0300, Guillermo Schimmel wrote:
> >
> > > Hi list:
> > >
> > > I have to proxy some request to another company's radius, based on
> > > called-station-id.
> > >
> > > I am doing it with this line:
> > >
> > > DEFAULT Called-Station-Id == "40004009", Proxy-To-Realm := "prima"
> > >
> > > Now, the problem is that the PSTN switch that we use, (Ericsson AXE) is
> > > a piece of s..., and we receive things like:
> > >
> > > 40004009
> > > 1140004009 (11 is the area code)
> > > 12240004009 (122 is our telco code)
> > > 1221140004009 (both)
> > >
> > > And so on
> >
> > There is a regular expression operator that would allow you to do
> > something like:
> >
> > DEFAULT Called-Station-Id =~ "*40004009$", Proxy-To-Realm := "prima"
>
> The problem with that is that I have several cities, and the numbers can
> contain each other, like:
>
> City 1: 400040
> City 2: 40400040
>
> So I would have to play with the order in which the expressions are
> evaluated, and I don't like it :)

Yes, proper parsing order will be needed.  :)

> > > How can I rewrite the Called-Station-Id AND Proxy-To-Realm?
> >
> > You could try using the ":=" operator on the second Called-Station-Id
> > attribute.
>
> This doesn't work. There is something on "processing_users_file" that says:
>
> If an attribute is already present in the check pairlist of the request it
> will not be changed (see files.c:movepair).

Right, so that won't work for you.

> > Also, there is currently a new feature added to the server for 'pre-proxy'
> > under which you could rewrite the attributes before proxying to the remote
> > server. This is a new feature so it's not widely documented yet, but it
> > does exist and should allow you to do what you need.
>
> So I think that this could be what I need. What can I read about this? How
> new is that? It is on 0.7? Or on CVS?

It is in the latest CVS version.  See the file 'preproxy_users' for more
information.  It is very basic at the moment, but it does allow you to
rewrite attributes prior to proxying.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help with hints/users file please

2002-10-17 Thread Guillermo Schimmel


Chris Parker wrote:

> At 11:41 AM 10/17/2002 -0300, Guillermo Schimmel wrote:
>
> > Hi list:
> >
> > I have to proxy some request to another company's radius, based on
> > called-station-id.
> >
> > I am doing it with this line:
> >
> > DEFAULT Called-Station-Id == "40004009", Proxy-To-Realm := "prima"
> >
> > Now, the problem is that the PSTN switch that we use, (Ericsson AXE)
> > is a piece of s..., and we receive things like:
> >
> > 40004009
> > 1140004009 (11 is the area code)
> > 12240004009 (122 is our telco code)
> > 1221140004009 (both)
> >
> > And so on
>
> There is a regular expression operator that would allow you to do
> something like:
>
> DEFAULT Called-Station-Id =~ "*40004009$", Proxy-To-Realm := "prima"

The problem with that is that I have several cities, and the numbers can
contain each other, like:

City 1: 400040
City 2: 40400040

So I would have to play with the order in which the expressions are
evaluated, and I don't like it :)

> > Now, the other company is using radiator, and they would like to
> > receive always "1140004009".
> >
> > How can I rewrite the Called-Station-Id AND Proxy-To-Realm?
>
> You could try using the ":=" operator on the second Called-Station-Id
> attribute.

This doesn't work. There is something on "processing_users_file" that says:

If an attribute is already present in the check pairlist of the request
it will not be changed (see files.c:movepair).

But there is no movepair on files.c :(

> Also, there is currently a new feature added to the server for 'pre-proxy'
> under which you could rewrite the attributes before proxying to the remote
> server. This is a new feature so it's not widely documented yet, but it
> does exist and should allow you to do what you need.

So I think that this could be what I need. What can I read about this?
How new is that? It is on 0.7? Or on CVS?

Thanks

> -Chris
> --
> \\\|||/// \ StarNet Inc. \ Chris Parker
> \ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
> | @ @ | \ http://www.starnetwx.net \ (847) 963-0116
> oOo---(_)---oOo--\--
> \ Wholesale Internet Services - http://www.megapop.net
>
> - List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
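
Added example, not part of the original thread: a Python sketch of the matching problem discussed in the message above, where one city's number (400040) is also the tail of another's (40400040), so a first-match "ends with" rule can pick the wrong realm. It checks the longest base number first and accepts only the prefixes the thread lists (area code 11, telco code 122, or both), then returns the number in the form the remote side asked for. The city realm names, the function names, and the choice of "area code + base" as the canonical form for every number are assumptions of this example; it is not FreeRADIUS configuration.

```python
AREA_CODE = "11"    # "11 is the area code" (from the thread)
TELCO_CODE = "122"  # "122 is our telco code" (from the thread)
# Prefix combinations the switch was reported to send: none, area, telco, telco + area.
KNOWN_PREFIXES = {"", AREA_CODE, TELCO_CODE, TELCO_CODE + AREA_CODE}

# Base number -> realm. "prima" is from the thread; the two city realm names are hypothetical.
ROUTES = {"40004009": "prima", "400040": "city1", "40400040": "city2"}


def naive_route(called, routes=ROUTES):
    """First 'ends with' match in table order, which is what a list of suffix rules does."""
    for base, realm in routes.items():
        if called.endswith(base):
            return realm
    return None


def route(called, routes=ROUTES):
    """Return (canonical Called-Station-Id, realm), or None when the number is not recognised."""
    if not called.isdigit():
        return None
    for base in sorted(routes, key=len, reverse=True):   # longest base number first
        # The digits in front of the base must be one of the known prefixes,
        # so "40" + "400040" is not mistaken for City 1.
        if called.endswith(base) and called[:-len(base)] in KNOWN_PREFIXES:
            return AREA_CODE + base, routes[base]
    return None


if __name__ == "__main__":
    for number in ("40004009", "1221140004009", "1140400040", "99940004009"):
        print(number, naive_route(number), route(number))
```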


Re: Help with hints/users file please

2002-10-17 Thread Chris Parker
At 11:41 AM 10/17/2002 -0300, Guillermo Schimmel wrote:


> Hi list:
>
>   I have to proxy some request to another company's radius, based on
> called-station-id.
>
>    I am doing it with this line:
>
>    DEFAULT Called-Station-Id == "40004009", Proxy-To-Realm := "prima"
>
>    Now, the problem is that the PSTN switch that we use, (Ericsson AXE)
> is a piece of s..., and we receive things like:
>
>    40004009
>    1140004009     (11 is the area code)
>    12240004009    (122 is our telco code)
>    1221140004009  (both)
>
>    And so on

There is a regular expression operator that would allow you to do
something like:

DEFAULT Called-Station-Id =~ "*40004009$", Proxy-To-Realm := "prima"

>   Now, the other company is using radiator, and they would like to
> receive always "1140004009".
>
>    How can I rewrite the Called-Station-Id AND  Proxy-To-Realm?

You could try using the ":=" operator on the second Called-Station-Id
attribute.

Also, there is currently a new feature added to the server for 'pre-proxy'
under which you could rewrite the attributes before proxying to the remote
server.  This is a new feature so it's not widely documented yet, but it
does exist and should allow you to do what you need.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: help - checkrad not being called

2002-10-16 Thread Kostas Kalevras

On Tue, 15 Oct 2002, Tim wrote:

> Hi,
>
> Yep.. I have both of the sql queries for simul use uncommented ..  below is
> my radiusd -X output ..  (checkrad is in /usr/local/sbin and executable by

I think that until today's cvs the server always thought that checkrad was
located in /sbin/checkrad. Try moving it there.

> everybody), also my NAS's are set up in clients.conf  .. and below the
> radiusd -X output is the output created when a user has 0 stoptime in the
> db, but is not actually online .. (stale session) ..  I also have debug in
> checkrad turned on, but nothing is showing up ..
>

--
kkalev


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: help - checkrad not being called

2002-10-15 Thread Tim

Hi,

Yep.. I have both of the sql queries for simul use uncommented ..  below is 
my radiusd -X output ..  (checkrad is in /usr/local/sbin and executable by 
everybody), also my NAS's are set up in clients.conf  .. and below the 
radiusd -X output is the output created when a user has 0 stoptime in the 
db, but is not actually online .. (stale session) ..  I also have debug in 
checkrad turned on, but nothing is showing up ..


debian:~/freeradius# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/sql.conf
  main: prefix = "/usr/local"
  main: localstatedir = "/var"
  main: logdir = "/var/log/radius"
  main: libdir = "/usr/local/lib"
  main: radacctdir = "/var/log/radius/radacct"
  main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_auth = no
  main: log_auth_badpass = yes
  main: log_auth_goodpass = no
  main: pidfile = "/var/run/radiusd/radiusd.pid"
  main: user = "nobody"
  main: group = "nogroup"
  main: usercollide = no
  main: lower_user = "no"
  main: lower_pass = "no"
  main: nospace_user = "yes"
  main: nospace_pass = "yes"
  main: proxy_requests = no
  security: max_attributes = 200
  security: reject_delay = 1
  main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded PAP
  pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded preprocess
  preprocess: huntgroups = "/etc/raddb/huntgroups"
  preprocess: hints = "/etc/raddb/hints"
  preprocess: with_ascend_hack = yes
  preprocess: ascend_channels_per_line = 30
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded SQL
  sql: driver = "rlm_sql_mysql"
  sql: server = "localhost"
  sql: port = ""
  sql: login = "root"
  sql: password = ""
  sql: radius_db = "radius"
  sql: acct_table = "radacct"
  sql: acct_table2 = "radacct"
  sql: authcheck_table = "radcheck"
  sql: authreply_table = "radreply"
  sql: groupcheck_table = "radgroupcheck"
  sql: groupreply_table = "radgroupreply"
  sql: usergroup_table = "usergroup"
  sql: nas_table = "nas"
  sql: dict_table = "dictionary"
  sql: sqltrace = no
  sql: sqltracefile = "/var/log/radius/sqltrace.sql"
  sql: deletestalesessions = yes
  sql: num_sql_socks = 5
  sql: sql_user_name = "%{User-Name}"
  sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM 
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
  sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM 
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
  sql: authorize_group_check_query = "SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' 
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
  sql: authorize_group_reply_query = "SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' 
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
  sql: authenticate_query = "SELECT Value,Attribute FROM radcheck WHERE 
UserName = '%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute = 
'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC"
  sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', 
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), 
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = 
%{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND 
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
  sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress = 
'%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND 
UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}' AND 
AcctStopTime = 0"
  sql: accounting_start_query = "INSERT into radacct (RadAcctId, 
AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, 
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, 
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, 
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, 
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', 
'%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', 
'%{Realm}', '%{NA

Re: help - checkrad not being called

2002-10-14 Thread Kostas Kalevras

On Mon, 14 Oct 2002, Tim wrote:

> Yep ..  I have
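> +-----------+------------------+-------+----+
> | GroupName | Attribute        | Value | Op |
> +-----------+------------------+-------+----+
> | dialup    | Simultaneous-Use | 1     | := |
> +-----------+------------------+-------+----+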
>
> in my radgroupcheck MySQL db ..

Both simul_count_query and simul_verify_query should be uncommented in sql.conf.
Run the server in debug mode (radiusd -X) and check the output.
Do you have checkrad in the default location? The server will not honor the
checkrad option of radiusd.conf for the moment.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: help - checkrad not being called

2002-10-14 Thread Tim

No, this is not similar to my problem (I think, as I haven't gotten to using
it in production as yet, so I am not sure what will happen down the track)..

my problem is that if a simul use is detected via the MySQL radacct db, 
checkrad does not kick in (start) and do a double check to the NAS itself ..

At 14:44 12/10/2002 -0500, you wrote:

>I get entries all the time like line 7 below and I have to manually go
>in to the database and remove them myself to clear that line for use.
>
>is this similar to your problem?
>I see no way to stop it other than manually removing them.
>
>Phone numbers and ip's removed for security
>
># user ip address caller id name duration
>1 sonny 204.49.000.00 0 Sonny Heath 02:38:04
>2 robert 204.49.000.00 0 Robert Nelson 02:22:01
>3 david 204.49.000.00 00 David Bartlett 01:52:39
>4 nicole 204.49.000.00 0 Nicole Nelson 01:19:25
>5 coblepdl 204.49.000.00  Betty Coble 00:28:32
>6 angelheart 204.49.000.00  Joyce Smith 00:17:58
>7  - 8508920287 Unknown User 00:12:08
>8 jgodwin 204.49.000.00 0 Jenifer Godwin 00:10:29
>9 carolcos1218 204.49.000.00 0 Carol Cosson 00:02:40
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
>Kalevras
>Sent: Saturday, October 12, 2002 2:19 PM
>To: [EMAIL PROTECTED]
>Subject: Re: help - checkrad not being called
>
>On Thu, 10 Oct 2002, Tim wrote:
>
> > I have freeradius 0.7 & MySQL up and running on a debian woody box
>(kernel
> > 2.2-20), and doing all that it should EXCEPT allowing users to login
>if
> > they still have a stale session in the db (Mysql)..  I have session{
>sql }
> > in radius.conf set to sql ..
> >
> > /usr/local/sbin checkrad runs correctly when run manually and I have
>it set
> > to debug mode, so I can see when it is being called ..  now, when I
>have a
> > stale session in the DB, and use NTRadPing to request a new auth, it
>ALWAYS
> > comes back saying the user is online, and checkrad never seems to get
> > called ..
> >
> > I have searched the archives, and even applied a patch suggested back
>in
> > August, but it still appears checkrad is still not being run.
> >
> > I have tried with 0.7, and the latest snapshot 1009 ..  and both give
>the
> > same result ..
> >
> > What am I missing that is causing checkrad to be ignored/not called ??
> >
> > All help greatly appreciated ..
> >
> >
> > Tim Fraser
>
>Have you set Simultaneous-Use to 1 for your users?
>
>--
>Kostas Kalevras Network Operations Center
>[EMAIL PROTECTED]  National Technical University of Athens, Greece
>Work Phone: +30 210 7721861
>'Go back to the shadow' Gandalf
>
>


Tim Fraser

*
Relax Internet
Internet Service Provider (dial-up & ADSL) / Web Hosting
www.relax.com.au

*






Re: help - checkrad not being called

2002-10-14 Thread Tim

Yep ..  I have
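+-----------+------------------+-------+----+
| GroupName | Attribute        | Value | Op |
+-----------+------------------+-------+----+
| dialup    | Simultaneous-Use | 1     | := |
+-----------+------------------+-------+----+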

in my radgroupcheck MySQL db ..


At 22:18 12/10/2002 +0300, you wrote:
>On Thu, 10 Oct 2002, Tim wrote:
>
> > I have freeradius 0.7 & MySQL up and running on a debian woody box (kernel
> > 2.2-20), and doing all that it should EXCEPT allowing users to login if
> > they still have a stale session in the db (Mysql)..  I have session{ sql }
> > in radius.conf set to sql ..
> >
> > /usr/local/sbin checkrad runs correctly when run manually and I have it set
> > to debug mode, so I can see when it is being called ..  now, when I have a
> > stale session in the DB, and use NTRadPing to request a new auth, it ALWAYS
> > comes back saying the user is online, and checkrad never seems to get
> > called ..
> >
> > I have searched the archives, and even applied a patch suggested back in
> > August, but it still appears checkrad is still not being run.
> >
> > I have tried with 0.7, and the latest snapshot 1009 ..  and both give the
> > same result ..
> >
> > What am I missing that is causing checkrad to be ignored/not called ??
> >
> > All help greatly appreciated ..
> >
> >
> > Tim Fraser
>
>Have you set Simultaneous-Use to 1 for your users?
>
>--
>Kostas Kalevras Network Operations Center
>[EMAIL PROTECTED]  National Technical University of Athens, Greece
>Work Phone: +30 210 7721861
>'Go back to the shadow' Gandalf
>
>


Tim Fraser

*
Relax Internet
Internet Service Provider (dial-up & ADSL) / Web Hosting
www.relax.com.au

*






RE: help - checkrad not being called

2002-10-12 Thread Nick Marino

I get entries all the time like line 7 below and I have to manually go
in to the database and remove them myself to clear that line for use.

is this similar to your problem?
I see no way to stop it other than manually removing them.

Phone numbers and ip's removed for security

# user ip address caller id name duration 
1 sonny 204.49.000.00 0 Sonny Heath 02:38:04 
2 robert 204.49.000.00 0 Robert Nelson 02:22:01 
3 david 204.49.000.00 00 David Bartlett 01:52:39 
4 nicole 204.49.000.00 0 Nicole Nelson 01:19:25 
5 coblepdl 204.49.000.00  Betty Coble 00:28:32 
6 angelheart 204.49.000.00  Joyce Smith 00:17:58 
7  - 8508920287 Unknown User 00:12:08 
8 jgodwin 204.49.000.00 0 Jenifer Godwin 00:10:29 
9 carolcos1218 204.49.000.00 0 Carol Cosson 00:02:40 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:freeradius-users-admin@;lists.cistron.nl] On Behalf Of Kostas
Kalevras
Sent: Saturday, October 12, 2002 2:19 PM
To: [EMAIL PROTECTED]
Subject: Re: help - checkrad not being called

On Thu, 10 Oct 2002, Tim wrote:

> I have freeradius 0.7 & MySQL up and running on a debian woody box
(kernel
> 2.2-20), and doing all that it should EXCEPT allowing users to login
if
> they still have a stale session in the db (Mysql)..  I have session{
sql }
> in radius.conf set to sql ..
>
> /usr/local/sbin checkrad runs correctly when run manually and I have
it set
> to debug mode, so I can see when it is being called ..  now, when I
have a
> stale session in the DB, and use NTRadPing to request a new auth, it
ALWAYS
> comes back saying the user is online, and checkrad never seems to get
> called ..
>
> I have searched the archives, and even applied a patch suggested back
in
> August, but it still appears checkrad is still not being run.
>
> I have tried with 0.7, and the latest snapshot 1009 ..  and both give
the
> same result ..
>
> What am I missing that is causing checkrad to be ignored/not called ??
>
> All help greatly appreciated ..
>
>
> Tim Fraser

Have you set Simultaneous-Use to 1 for your users?

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: help - checkrad not being called

2002-10-12 Thread Kostas Kalevras
On Thu, 10 Oct 2002, Tim wrote:

> I have freeradius 0.7 & MySQL up and running on a debian woody box (kernel
> 2.2-20), and doing all that it should EXCEPT allowing users to login if
> they still have a stale session in the db (Mysql)..  I have session{ sql }
> in radius.conf set to sql ..
>
> /usr/local/sbin checkrad runs correctly when run manually and I have it set
> to debug mode, so I can see when it is being called ..  now, when I have a
> stale session in the DB, and use NTRadPing to request a new auth, it ALWAYS
> comes back saying the user is online, and checkrad never seems to get
> called ..
>
> I have searched the archives, and even applied a patch suggested back in
> August, but it still appears checkrad is still not being run.
>
> I have tried with 0.7, and the latest snapshot 1009 ..  and both give the
> same result ..
>
> What am I missing that is causing checkrad to be ignored/not called ??
>
> All help greatly appreciated ..
>
>
> Tim Fraser

Have you set Simultaneous-Use to 1 for your users?

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: Help & Info SQL

2002-10-09 Thread Aleksandar Zhelyazkov

Gian-Carlo Baldarelli wrote:

>May I ask the exact meaning of the tables and how to use them ?
>
>
>
>radacct
>radcheck
>radgroupcheck
>radgroupreply
>radreply
>usergroup
>
>I guess that a user has to be inserted in the radcheck with: 
>UserName(username) - Attribute (User-Password) - Value (password)- op (???)
>
>and suppose in usergroup:
>UserName ( username) - GroupName (group )
>
>so I suppose in radgroupreply:
>GroupName (dialin) Attribute (Auth-Type) Value (PAP)
>
>
>and the others tables 
>
>and what does it mean "op"? 
>
>
>
>
>
>
>
>
Dear Gian-Carlo
1. radacct for accounting
2. man 5 users for operators (op)








Re: Help

2002-09-23 Thread Nick Marino

got it! Did away with radwatch and went with daemon tools instead.

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 23, 2002 1:34 PM
Subject: Re: Help


> "Nick Marino" <[EMAIL PROTECTED]> wrote:
> > Anyone know what this is all about?
> > Weird thing is everything is working perfectly.. but I keep seeing this
> > repeated over and over in the log.
>
>   You're running radwatch, and there's already a RADIUS server
> running, so the one that radwatch tries to start fails.
>
>   Figure out why you've told the machine to start two RADIUS servers,
> and fix that problem.  The log messages should go away.
>
>   Alan DeKok.
>



Re: Help

2002-09-23 Thread Alan DeKok

"Nick Marino" <[EMAIL PROTECTED]> wrote:
> Anyone know what this is all about?
> Weird thing is everything is working perfectly.. but I keep seeing this
> repeated over and over in the log.

  You're running radwatch, and there's already a RADIUS server
running, so the one that radwatch tries to start fails.

  Figure out why you've told the machine to start two RADIUS servers,
and fix that problem.  The log messages should go away.

  Alan DeKok.




Re: Help with FreeBSD4.6

2002-09-19 Thread Alan DeKok

[EMAIL PROTECTED] wrote:

> I used the Service-Type = Administrative (as specified in rfc2865)
> but freeradius complains  Service-Type>
>
> Can anyone please tell me if FreeRadius supports rfc2865 attributes.

  Yes, but it may be missing some entries in the dictionary files.  If
you have any fixes, see 'raddb/dictionary' for the dictionary, and
'doc/DIFFS' for how to submit patches.

  Alan DeKok.




RE: Help with FreeBSD4.6

2002-09-18 Thread Mathias . Kenfack-Tabakem

I am running FreeRadius 0.7.1 on FreeBSD 4.6 below is a sample of my user
file

 Auth-Type += System, Service-Type == Login

(I hope this helps)

This tells radius to use /etc/master.passwd for authentication and it works
on my. I do have a problem though. After login, I don't have any privilege
commands (I can't even read the running config on Extreme switches - but I
can on Cisco and Foundry) So my problem is only with Extreme.

I used  the Service-Type = Administrative (as specified in rfc2865) but
freeradius complains 

Can anyone please tell me if FreeRadius supports rfc2865 attributes.

Thanks in advance,
Many thanks for your help with accounting issue I'll have another go at it
next week. Victor says it works on his system so it is possible.

Mathias,


-Original Message-
From: Monah Baki [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 21:16
To: [EMAIL PROTECTED]
Subject: Re: Help with FreeBSD4.6 


Any comments are most welcome, I'm still learning :)

I have Freeradius running on FreeBSD 4.6.2, and Openbsd as a client 
(Still in a test environment)

vi /usr/local/radius/etc/raddb/users
add the following:

   Auth-Type := Local, User-Password == ""

vi /usr/local/radius/etc/raddb/clients.conf
client  { <<< My OpenBSD IP address
 secret  =   <<< must match the  
in /etc/raddb/servers
 shortname   = 
}


On the Openbsd server:
vi /etc/login.conf
add the following:
:\
 :requirehome@:\
 :auth=radius:\
 :radius-server=:\
 :radius-timeout=1:\
 :radius-retries=5:

add the following as root
useradd -m -d /home/ -c "test radius user" -s /bin/ksh -u 
1 -L  

mkdir -m 755 /etc/raddb
echo " " > /etc/raddb/servers
chmod 400 /etc/raddb/servers

On Wednesday, September 18, 2002, at 03:47  AM, Gian-Carlo Baldarelli 
wrote:

> I need only system authentication and as I read in the conf
>
> - I comment out in radius.conf
>
> #  for some systems, like FreeBSD.
> #
> #passwd = /etc/passwd
> #   shadow = /etc/shadow
> group = /etc/group
>
> - Radius is running under nobody:nobody
>
> output:
> ...
>  rad_check_password:  Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
> rlm_unix: [remadmin]: invalid password
>   modcall[authenticate]: module "unix" returns reject
> modcall: group authenticate returns reject
> auth: Failed to validate the user.
>
> ..
>
> Where is the problem ?
> The password is correct, the user can log on locally
> Has this user to be part of a particular group ?
> Where I do configure the group that has the authorizations ???
>
>
> -Messaggio originale-
> Da: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]Per conto di Artur
> Hecker
> Inviato: martedì 17 settembre 2002 15.55
> A: [EMAIL PROTECTED]
> Oggetto: Re: R: R: radius.conf
>
>
> hi
>
>> Here is my user in /etc/passwd
>>
>> demo:*:1906:100:demo:/home/ftp/./:/etc/notelnet
>>
>> until now the user config file, is the user.sample with no change
>
> can you login locally with the password you used? does radius read both
> /etc/passwd AND /etc/shadow? i can't see it in the log since you
> truncated it.
>
>
>> rlm_unix: [demo]: invalid password
>>   modcall[authenticate]: module "unix" returns reject
>> modcall: group authenticate returns reject
>> auth: Failed to validate the user.
>
>
> ciao
> artur
>
>
> --
> Artur Hecker   Groupe Accès et Mobilité
> hecker[at]enst[dot]fr   Département Informatique et Réseaux
> +33 1 45 81 7507  46, rue Barrault 75634 Paris cedex 13
> http://www.infres.enst.frENST Paris
>





Re: Help with FreeBSD4.6

2002-09-18 Thread Monah Baki

Any comments are most welcome, I'm still learning :)

I have Freeradius running on FreeBSD 4.6.2, and Openbsd as a client 
(Still in a test environment)

vi /usr/local/radius/etc/raddb/users
add the following:

   Auth-Type := Local, User-Password == ""

vi /usr/local/radius/etc/raddb/clients.conf
client  { <<< My OpenBSD IP address
 secret  =   <<< must match the  
in /etc/raddb/servers
 shortname   = 
}


On the Openbsd server:
vi /etc/login.conf
add the following:
:\
 :requirehome@:\
 :auth=radius:\
 :radius-server=:\
 :radius-timeout=1:\
 :radius-retries=5:

add the following as root
useradd -m -d /home/ -c "test radius user" -s /bin/ksh -u 
1 -L  

mkdir -m 755 /etc/raddb
echo " " > /etc/raddb/servers
chmod 400 /etc/raddb/servers

On Wednesday, September 18, 2002, at 03:47  AM, Gian-Carlo Baldarelli 
wrote:

> I need only system authentication and as I read in the conf
>
> - I comment out in radius.conf
>
> #  for some systems, like FreeBSD.
> #
> #passwd = /etc/passwd
> #   shadow = /etc/shadow
> group = /etc/group
>
> - Radius is running under nobody:nobody
>
> output:
> ...
>  rad_check_password:  Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
> rlm_unix: [remadmin]: invalid password
>   modcall[authenticate]: module "unix" returns reject
> modcall: group authenticate returns reject
> auth: Failed to validate the user.
>
> ..
>
> Where is the problem ?
> The password is correct, the user can log on locally
> Has this user to be part of a particular group ?
> Where I do configure the group that has the authorizations ???
>
>
> -Messaggio originale-
> Da: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]Per conto di Artur
> Hecker
> Inviato: martedì 17 settembre 2002 15.55
> A: [EMAIL PROTECTED]
> Oggetto: Re: R: R: radius.conf
>
>
> hi
>
>> Here is my user in /etc/passwd
>>
>> demo:*:1906:100:demo:/home/ftp/./:/etc/notelnet
>>
>> until now the user config file, is the user.sample with no change
>
> can you login locally with the password you used? does radius read both
> /etc/passwd AND /etc/shadow? i can't see it in the log since you
> truncated it.
>
>
>> rlm_unix: [demo]: invalid password
>>   modcall[authenticate]: module "unix" returns reject
>> modcall: group authenticate returns reject
>> auth: Failed to validate the user.
>
>
> ciao
> artur
>
>
> --
> Artur Hecker   Groupe Accès et Mobilité
> hecker[at]enst[dot]fr   Département Informatique et Réseaux
> +33 1 45 81 7507  46, rue Barrault 75634 Paris cedex 13
> http://www.infres.enst.frENST Paris
>





Re: help!!!

2002-09-12 Thread Kostas Kalevras

On Thu, 12 Sep 2002, huangjian wrote:

> Sorry! My English is very poor.
> Question:
> Radius-server often crashed when it received numerous authentication-requests within 
>short time..
> Errors as follow:
>
> Error: rlm)sql: All sockets are being used! Please increase maximum number of 
>sockets!
>
> Error:Invalid operator for item User-Password: reverting to '=='
>
> Error:rlm_sql: There are no DB handles to use!
>
> Error:CHILD: exit on signal (11)
>
>
> email:[EMAIL PROTECTED]

What version are you using? Did you also get any warnings about unresponsive
children? If you are using the latest CVS and you still get segmentation
faults, try finding the core dump (you should have core dumps enabled in your
radiusd.conf enable_core_dumps = yes and in your shell, ulimit -c unlimited)
and do a back trace with gdb
gdb /radiusd core
bt

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: help!!!

2002-09-11 Thread arise


hi,

On Thu, 12 Sep 2002, huangjian wrote:

> Sorry! My English is very poor.
> Question:
> Radius-server often crashed when it received numerous authentication-requests within 
>short time..
> Errors as follow:
>
> Error: rlm)sql: All sockets are being used! Please increase maximum number of 
>sockets!

as the message suggests, increase the maximum number of sockets in the
sql.conf file.

refer also to doc/tuning_guide for more tips.

hope this helps,

ronald

--
[Never be afraid to try something new.
Remember, amateurs built the ark,
and professionals built the Titanic.]





Re: Help needed with setup of: freeradius-0.7 + mysql (+ dialup_admin)

2002-08-22 Thread Alan DeKok

"Max Gorouvein" <[EMAIL PROTECTED]> wrote:
> One of the problems I ran into is that radius cannot connect to mysql
> through a socket because it's looking for it in the /var/lib/mysql/ dir, but
> the way I have it is in /tmp.  Where/how do I change that?

  That's a MySQL setup question.  FreeRADIUS can't control that at
all.

> It would save a lot of trouble if somebody could suggest where I can read
> exactly the setup for mysql, or pin point me in the right direction.  I've
> never dealt with radius so i have no idea how the authentication works, nor
> do i know what's required for the authentication (keywords, sections, etc
> etc)

Read the docs, and the configuration files.  They're a
decent start.  Go to Amazon, and look at the RADIUS book, it has more
information.

  Alan DeKok.




Re: HELP Please...

2002-08-20 Thread Nick Davis

It looks like it is the port number on the NAS where that user is connected 
to.

Nick


On Tuesday 20 August 2002 05:27, stuartc wrote:
> Just going through these logs. Can someone tell me please what the /S
> means on the end of each log.
>
> Thanks
>
> Stu
>
>
>
>
> Tue Aug 20 04:05:28 2002: Auth: Login OK: [0161010] (from nas
> 17.0.64.102/S20309)
> Tue Aug 20 04:05:47 2002: Auth: Login OK:
> [01-004E967E-01-000E-0960-01BD8210-@dim] (from nas
> 17.0.64.102/S20088)
> Tue Aug 20 04:06:31 2002: Auth: Login OK: [0161012] (from nas
> 17.0.64.100/S20118)
> Tue Aug 20 04:06:49 2002: Auth: Login OK:
> [01-0017F2C9-01-007E-0960-0041B049-@dim] (from nas
> 17.0.64.100/S20145)
> Tue Aug 20 04:06:54 2002: Auth: Login OK: [0161032] (from nas
> 17.0.64.102/S20709)
> Tue Aug 20 04:07:03 2002: Auth: Login OK: [0161010] (from nas
> 17.0.64.102/S20223)
>
>
>

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services
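A parser for the log lines quoted above, added as an example (not part of the thread or of FreeRADIUS): it splits each `Auth:` entry into timestamp, result, user, NAS address and the `/S...` port field, and lists users accepted on more than one port of the same NAS. The function names are made up for the example, and the field layout is inferred from the six quoted lines only.

```python
import re
from collections import defaultdict
from datetime import datetime

# The six entries quoted in the thread, with the mail client's line wraps rejoined.
SAMPLE_LOG = """\
Tue Aug 20 04:05:28 2002: Auth: Login OK: [0161010] (from nas 17.0.64.102/S20309)
Tue Aug 20 04:05:47 2002: Auth: Login OK: [01-004E967E-01-000E-0960-01BD8210-@dim] (from nas 17.0.64.102/S20088)
Tue Aug 20 04:06:31 2002: Auth: Login OK: [0161012] (from nas 17.0.64.100/S20118)
Tue Aug 20 04:06:49 2002: Auth: Login OK: [01-0017F2C9-01-007E-0960-0041B049-@dim] (from nas 17.0.64.100/S20145)
Tue Aug 20 04:06:54 2002: Auth: Login OK: [0161032] (from nas 17.0.64.102/S20709)
Tue Aug 20 04:07:03 2002: Auth: Login OK: [0161010] (from nas 17.0.64.102/S20223)
"""

# timestamp ": Auth: " result ": [" user "] (from nas " address "/" port ")"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): Auth: "
    r"(?P<result>[^:\[]+): \[(?P<user>[^\]]*)\] "
    r"\(from nas (?P<nas>[^/\s]+)/(?P<port>[^)\s]+)\)\s*$"
)


def parse_auth_line(line):
    """Return a dict of fields for one Auth entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["result"] = rec["result"].strip()
    return rec


def parse_log(text):
    """Parse every non-empty line; unparsable lines are returned separately."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_auth_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def users_on_multiple_ports(text):
    """Map (user, nas) to the ports seen, for users accepted on more than one port."""
    seen = defaultdict(list)
    records, _ = parse_log(text)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["result"] != "Login OK":
            continue
        ports = seen[(rec["user"], rec["nas"])]
        if rec["port"] not in ports:
            ports.append(rec["port"])
    return {key: ports for key, ports in seen.items() if len(ports) > 1}


if __name__ == "__main__":
    for (user, nas), ports in users_on_multiple_ports(SAMPLE_LOG).items():
        print(f"{user} on {nas}: ports {', '.join(ports)}")
```

The auth log alone does not show whether the first session had ended before the second login, so a hit here is a prompt to check the accounting records, not proof of concurrent use.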




Re: help

2002-08-12 Thread Alan DeKok

"Javier Santos" <[EMAIL PROTECTED]> wrote:
> I try to install radius on unix sun solaris 5.8 machine 
> but the command to install does not work.

  Let me re-phrase:  "Things are broken.  How do I fix them?"


  Step 1 is to post a DESCRIPTION of what went wrong.  No one can read
your mind, or log into your machine remotely to discover the errors
that you are seeing, but don't feel like posting to the list.

  Alan DeKok.




Re: Help for a configuration.

2002-07-18 Thread Alan DeKok

"Pierluigi Frullani" <[EMAIL PROTECTED]> wrote:
> What I need to realize is an authentication scheme based on username for
> access and particular value pair attribute, and on a group for other
> attribute.

  I don't think that should be too hard.

> So I need to use some "mangle" that could be in the user section and route
> the process to get the return VP in another section of the config files.

  Uh... I doubt that.  Why not just put all of the users into a Unix
group, and key off of that?

  Alan DeKok.
