Re: thread safety, conditional proxy
Hi Alan, responses below...

Alan DeKok wrote:
> Dave Mason <[EMAIL PROTECTED]> wrote:
> > 1) I am adding a new EAP type to freeradius v0.8.1. It will need to
> > interact with a backend and wait for replies, so I would like each
> > authentication session to run in its own thread.
>
> Why do you care? As I've said before, the whole point of the modules
> is that they don't know, or care about process/threading issues.

Guess I missed where you said that. If my application code doesn't know or care, something underneath needs to, so I still need to understand how it works. I assumed that if I set the type to THREAD_SAFE that each session will run in its own thread. Let me know if I'm wrong.

I can audit the EAP module as you mention. If anybody else out there is using rlm_eap in a multithreaded system please let me know.

> > I notice in the module_t structure for RLM modules that the second
> > field, the type field, can be THREAD_SAFE or THREAD_UNSAFE. In
> > particular, rlm_eap has this set to THREAD_UNSAFE. Is this because
> > rlm_eap is indeed not thread safe, or is it because the implementors
> > simply chose not to use thread support with rlm_eap?
>
> I don't know. You'd have to look at the source code to be sure.
>
> > It seems risky to set this to THREAD_SAFE without knowing the whole
> > story. What should I do to add thread support?
>
> Nothing. Modules don't *do* threading. If you want to make the module
> thread-safe, then audit it, to be sure that every function it calls is
> thread-safe. If that's true, then set the THREAD_SAFE flag in the
> module data structure.
>
> > 2) It's possible I may have a requirement to have Accounting-Requests
> > conditionally proxy forwarded. That is, I could have an entry in
> > proxy.conf for the user's realm, and accthost set to some remote server.
> > Before forwarding the message, I would like to call some function which
> > would decide whether to forward the message as specified or drop it.
>
> That's what the pre_proxy section is for.

Good deal. At first I thought it might go in pre_accounting, but I gather that function is only for adjusting the data in the request, not for altering the routing. I assume I control the proxy forwarding behavior by returning different codes from pre_proxy? Do you know where I can find them? Let me know if it's some other mechanism.

Regards,
Dave

> > It's also possible I might need to generate an accounting record
> > locally, in addition to forwarding. In the same module_t structure, I
> > notice there is a pointer to a "pre-proxy" function. Can this be used
> > to do what I described?
>
> Yes.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: thread safety, conditional proxy
Dave Mason <[EMAIL PROTECTED]> wrote:
> 1) I am adding a new EAP type to freeradius v0.8.1. It will need to
> interact with a backend and wait for replies, so I would like each
> authentication session to run in its own thread.

Why do you care? As I've said before, the whole point of the modules is that they don't know, or care about process/threading issues.

> I notice in the module_t structure for RLM modules that the second
> field, the type field, can be THREAD_SAFE or THREAD_UNSAFE. In
> particular, rlm_eap has this set to THREAD_UNSAFE. Is this because
> rlm_eap is indeed not thread safe, or is it because the implementors
> simply chose not to use thread support with rlm_eap?

I don't know. You'd have to look at the source code to be sure.

> It seems risky to set this to THREAD_SAFE without knowing the whole
> story. What should I do to add thread support?

Nothing. Modules don't *do* threading. If you want to make the module thread-safe, then audit it, to be sure that every function it calls is thread-safe. If that's true, then set the THREAD_SAFE flag in the module data structure.

> 2) It's possible I may have a requirement to have Accounting-Requests
> conditionally proxy forwarded. That is, I could have an entry in
> proxy.conf for the user's realm, and accthost set to some remote server.
> Before forwarding the message, I would like to call some function which
> would decide whether to forward the message as specified or drop it.

That's what the pre_proxy section is for.

> It's also possible I might need to generate an accounting record
> locally, in addition to forwarding. In the same module_t structure, I
> notice there is a pointer to a "pre-proxy" function. Can this be used
> to do what I described?

Yes.

Alan DeKok.
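An added example (not FreeRADIUS code, and not written by anyone in this thread) of the kind of defect the audit described above is looking for. A module can only be marked THREAD_SAFE if nothing it calls keeps per-call state in storage shared between callers; the commonest failure is a helper that returns a pointer into a static buffer, which is also why libc functions such as strtok, localtime, gethostbyname, inet_ntoa, readdir and getpwnam fail the same audit and need their reentrant replacements or a lock. The helper, its names and the sample user names are constructed for illustration:

```c
#include <stdio.h>
#include <string.h>

/*
 * Two versions of the same helper: extract the realm from "user@realm".
 * Both are constructed for this example and are not FreeRADIUS code.
 *
 * The first fails a thread-safety audit: its result lives in static
 * storage shared by every caller.  In a threaded server two requests in
 * flight at once overwrite each other's result, with no compiler warning.
 */
const char *realm_of_unsafe(const char *username)
{
    static char realm[64];                 /* shared by every caller */
    const char *at = strchr(username, '@');
    snprintf(realm, sizeof realm, "%s", at ? at + 1 : "LOCAL");
    return realm;
}

/*
 * The reentrant form: the caller owns the buffer (in a module that would
 * be per-request storage), so nothing is shared and no lock is needed.
 */
const char *realm_of_safe(const char *username, char *out, size_t outlen)
{
    const char *at = strchr(username, '@');
    snprintf(out, outlen, "%s", at ? at + 1 : "LOCAL");
    return out;
}

/*
 * Deterministic stand-in for the race: even in a single thread, the
 * second call to the unsafe helper destroys the first result, because
 * both returned pointers alias the same static buffer.  Returns 1 when
 * that aliasing is observed.
 */
int unsafe_results_alias(void)
{
    const char *first  = realm_of_unsafe("nw@myrealm");
    const char *second = realm_of_unsafe("bob@other.example");
    return first == second && strcmp(first, "other.example") == 0;
}

/* The same two calls through the reentrant helper: both results survive. */
int safe_results_independent(void)
{
    char r1[64], r2[64];
    realm_of_safe("nw@myrealm", r1, sizeof r1);
    realm_of_safe("bob@other.example", r2, sizeof r2);
    return strcmp(r1, "myrealm") == 0 && strcmp(r2, "other.example") == 0;
}

int main(void)
{
    printf("static-buffer helper, results alias: %d\n", unsafe_results_alias());
    printf("caller-buffer helper, results independent: %d\n", safe_results_independent());
    return 0;
}
```

When auditing a module, grep for `static` inside function bodies and for the non-reentrant libc calls named above; each hit is either replaced with a caller-supplied or per-request buffer, as in `realm_of_safe`, or protected by a mutex before the THREAD_SAFE flag is set.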
thread safety, conditional proxy
Hi,

Just a couple of quick questions...

1) I am adding a new EAP type to freeradius v0.8.1. It will need to interact with a backend and wait for replies, so I would like each authentication session to run in its own thread. I notice in the module_t structure for RLM modules that the second field, the type field, can be THREAD_SAFE or THREAD_UNSAFE. In particular, rlm_eap has this set to THREAD_UNSAFE. Is this because rlm_eap is indeed not thread safe, or is it because the implementors simply chose not to use thread support with rlm_eap? It seems risky to set this to THREAD_SAFE without knowing the whole story. What should I do to add thread support?

2) It's possible I may have a requirement to have Accounting-Requests conditionally proxy forwarded. That is, I could have an entry in proxy.conf for the user's realm, and accthost set to some remote server. Before forwarding the message, I would like to call some function which would decide whether to forward the message as specified or drop it. It's also possible I might need to generate an accounting record locally, in addition to forwarding. In the same module_t structure, I notice there is a pointer to a "pre-proxy" function. Can this be used to do what I described? If not, is there a way?

Regards,
Dave
Proxy Radius using MySql
I sent this to the list last month, but got no response.

I am trying to use mysql for proxy radius instead of the user file. Can anyone shed some light on how to enter the following into radcheck/radgroupcheck and radreply/radgroupreply.

    DEFAULT Called-Station-ID =~ "8005551212", Proxy-To-Realm := "MyRealm"
            Fall-Through = No

If I just set it up as DEFAULT user under radreply, it will proxy everyone. I can't enter user names because the whole reason for doing this is to proxy based on DNIS and not user name. I don't know the user names.

Jeff Jarchow
QCI Internet
http://www.qcinet.net/
Re: proxy cancelled
Norbert Wegener <[EMAIL PROTECTED]> wrote:
> I start my freeradius 0.8.1 with /usr/local/sbin/radiusd -i 127.0.0.1 -p
> 1812 -sfX
> and have problems to get proxy authentication working. Without the realm
> everything works as expected.
...
> proxy.conf (only the configuration for the proxy realms, above no changes)
>
>     realm myrealm {
>         type     = radius
>         authhost = LOCAL
>         accthost = LOCAL
>         strip
>     }

Nothing will ever be proxied with this configuration. The LOCAL realm is never proxied. See the comments in the 'proxy.conf' file shipped with the server.

> rlm_realm: Authentication realm is LOCAL.
> rlm_realm: auth_port is not set. proxy cancelled
>
> Where do I have to set an auth_port ?

You don't. That error message is gone in the CVS head.

Alan DeKok.
Re: proxy cancelled
Norbert,

At 03:23 PM 1/21/2003 +0100, you wrote:
> I start my freeradius 0.8.1 with /usr/local/sbin/radiusd -i 127.0.0.1 -p 1812 -sfX
> and have problems to get proxy authentication working. Without the realm everything works as expected.
>
> proxy_requests = yes in radiusd.conf
>
> here is my minimal users file:
>
>     nw@myrealm  Auth-Type := Local, User-Password == "testing"
>                 Service-Type = Framed-User,
>                 Framed-IP-Address = 172.16.3.33,
>                 Framed-Protocol = PPP
>
> proxy.conf (only the configuration for the proxy realms, above no changes)
>
>     realm myrealm {
>         type     = radius
>         authhost = LOCAL
>         accthost = LOCAL
>         strip
>     }

Just a note, you do not need the 'strip' token... it is the default. Actually, the way you have the 'users' file set up... you would want 'nostrip'.

> I get the following:
>
>     Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
>     Ready to process requests.
>     rad_recv: Access-Request packet from host 127.0.0.1:1043, id=45, length=94
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = "nw@myrealm"
>         CHAP-Challenge = "\207\234\202\201q(\350V\361\371e\206\024\004\277@\t"
>         CHAP-Password = 0x011cf65cb5691e1c9ad695579e01810184
>         NAS-IP-Address = 123.123.123.123
>         NAS-Port = 0
>     modcall: entering group authorize
>     modcall[authorize]: module "preprocess" returns ok
>     rlm_chap: Adding Auth-Type = CHAP
>     modcall[authorize]: module "chap" returns ok
>     modcall[authorize]: module "mschap" returns notfound
>     rlm_realm: Looking up realm myrealm for User-Name = "nw@myrealm"
>     rlm_realm: Found realm myrealm
>     rlm_realm: Adding Stripped-User-Name = "nw"
>     rlm_realm: Proxying request from user nw to realm myrealm
>     rlm_realm: Adding Realm = "myrealm"
>     rlm_realm: Authentication realm is LOCAL.
>     rlm_realm: auth_port is not set. proxy cancelled
>
> Where do I have to set an auth_port ?

You do not have to set the auth port, that is just debug output. If you are receiving a reject, try adding nostrip to your proxy.conf entry. See /path/to/src/radiusd/raddb/proxy.conf

Chris
proxy cancelled
I start my freeradius 0.8.1 with /usr/local/sbin/radiusd -i 127.0.0.1 -p 1812 -sfX and have problems to get proxy authentication working. Without the realm everything works as expected.

proxy_requests = yes in radiusd.conf

here is my minimal users file:

    nw@myrealm  Auth-Type := Local, User-Password == "testing"
                Service-Type = Framed-User,
                Framed-IP-Address = 172.16.3.33,
                Framed-Protocol = PPP

proxy.conf (only the configuration for the proxy realms, above no changes)

    realm myrealm {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
        strip
    }

I get the following:

    Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1:1043, id=45, length=94
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "nw@myrealm"
        CHAP-Challenge = "\207\234\202\201q(\350V\361\371e\206\024\004\277@\t"
        CHAP-Password = 0x011cf65cb5691e1c9ad695579e01810184
        NAS-IP-Address = 123.123.123.123
        NAS-Port = 0
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    rlm_chap: Adding Auth-Type = CHAP
    modcall[authorize]: module "chap" returns ok
    modcall[authorize]: module "mschap" returns notfound
    rlm_realm: Looking up realm myrealm for User-Name = "nw@myrealm"
    rlm_realm: Found realm myrealm
    rlm_realm: Adding Stripped-User-Name = "nw"
    rlm_realm: Proxying request from user nw to realm myrealm
    rlm_realm: Adding Realm = "myrealm"
    rlm_realm: Authentication realm is LOCAL.
    rlm_realm: auth_port is not set. proxy cancelled

Where do I have to set an auth_port ?

Thanks
Norbert Wegener

-- 
Norbert Wegener   Phone: (49)2012661379   Fax: (49)2012661377
SBS Essen, Germany   Mail: [EMAIL PROTECTED]   Mailfax: (49)2018165521379
Re: proxy & access-accept
Very cool! Thanks for the info. I will be doing some upgrades to our radius servers this week or next and may mess with this a bit. I am actually using exec-program-wait and have had some problems with resource usage because the perl interpreter must be loaded every time the script is run. This may be a solution.

Thanks,
Darren Nay

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 14, 2003 12:44 PM
Subject: Re: proxy & access-accept

> "Darren Nay" <[EMAIL PROTECTED]> wrote:
> > Are there any docs available for the perl module?
>
> No. See 'raddb/experimental.conf' for a configuration example, and
> 'src/modules/rlm_perl/example.pl' for an example script. (in the CVS
> head, not in 0.8.1)
>
> > I am currently using exec-program with perl scripts for auth/acct, but am
> > interested in using rlm_perl instead.
>
> Yeah, the Perl module should be a little more powerful. The only
> caveat is that the module is equivalent to Exec-Program-Wait, in that
> it stalls the server until the script finished. If you're looking for
> 'fire and forget' perl scripts, then Exec-Program may still be your
> best bet.
>
> > Just wondering if any are already available. If not then I'll take
> > the good 'ol trial & error method.. and possibly even write up some
> > docs myself in the future.
>
> Sounds good to me.
>
> Alan DeKok.
Re: proxy & access-accept
"Darren Nay" <[EMAIL PROTECTED]> wrote:
> Are there any docs available for the perl module?

No. See 'raddb/experimental.conf' for a configuration example, and 'src/modules/rlm_perl/example.pl' for an example script. (in the CVS head, not in 0.8.1)

> I am currently using exec-program with perl scripts for auth/acct, but am
> interested in using rlm_perl instead.

Yeah, the Perl module should be a little more powerful. The only caveat is that the module is equivalent to Exec-Program-Wait, in that it stalls the server until the script finished. If you're looking for 'fire and forget' perl scripts, then Exec-Program may still be your best bet.

> Just wondering if any are already available. If not then I'll take
> the good 'ol trial & error method.. and possibly even write up some
> docs myself in the future.

Sounds good to me.

Alan DeKok.
Re: proxy & access-accept
> I've been intending to write rlm_exec for a while. It should have a
> 'post-auth' section which takes over the functionality of
> Exec-Program-Wait.
>
> But integrating it with the server core and threads is annoying.
> For the short term, you could try using the Perl module. It's really
> nice.

Are there any docs available for the perl module? I am currently using exec-program with perl scripts for auth/acct, but am interested in using rlm_perl instead. I checked the /docs directory on the www.freeradius.org website but saw no docs for this. Just wondering if any are already available. If not then I'll take the good 'ol trial & error method.. and possibly even write up some docs myself in the future.

Thanks,
Darren Nay
Re: proxy & access-accept
On Tue, 2003-01-14 at 16:37, Alan DeKok wrote:
> I've been intending to write rlm_exec for a while. It should have a
> 'post-auth' section which takes over the functionality of
> Exec-Program-Wait.
>
> But integrating it with the server core and threads is annoying.
> For the short term, you could try using the Perl module. It's really
> nice.

Glad to hear - this would be great. I have looked at the perl module - the problem is that I am working on an embedded implementation where space is limited... so I would far rather use Bash rather than squeeze a Perl interpreter in as well.

We may be prepared to consider sponsoring the development of an 'rlm_exec' module (depending on the price) - any takers?

josh.

-- 
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850   email: [EMAIL PROTECTED]
Re: proxy & access-accept
Josh Howlett <[EMAIL PROTECTED]> wrote:
> It seems to me that Freeradius could do with a more flexible/extensible
> approach to calling external scripts/executables - is this a reasonable
> comment?

Oh, yes.

> Would it be best to write a new module for handling external scripts to
> manage the situations where the existing mechanisms (Exec-Program, etc)
> aren't sufficient (or even to replace them)?

I've been intending to write rlm_exec for a while. It should have a 'post-auth' section which takes over the functionality of Exec-Program-Wait.

But integrating it with the server core and threads is annoying. For the short term, you could try using the Perl module. It's really nice.

Alan DeKok.
Re: proxy & access-accept
At 01:03 PM 1/14/2003 +, Josh Howlett wrote:
> Hi all,
>
> I'd like to run a script when an Access-Accept is proxied through a
> Freeradius proxy server (ie. in the same way that you can run a script
> (through acct_users) when accounting Stop/Start packets are proxied)
>
> Is this possible at all?

Yes, two new 'methods' were recently added: 'post-auth' and 'post-proxy' in addition to the 'authorize, authenticate, etc.' Not all modules have been updated with hooks for this yet. We are using a modified 'rlm_files' to add a 'postproxy_usersfile' hook. It is fairly trivial to add, simply look at how the 'preproxy_usersfile' hook is added.

Hope this helps,
-Chris

-- 
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: proxy & access-accept
Thanks.

From a cursory glance at the source, there don't seem to be many modules that support this method - and none of those that do support it have anything to do with running external scripts/executables.

It seems to me that Freeradius could do with a more flexible/extensible approach to calling external scripts/executables - is this a reasonable comment?

Would it be best to write a new module for handling external scripts to manage the situations where the existing mechanisms (Exec-Program, etc) aren't sufficient (or even to replace them)?

josh.

On Tue, 2003-01-14 at 14:13, Mike Varley wrote:
> Look into the 'post_auth' functionality. Essentially, after any
> authorization, modules listed in the post_auth {} section of the
> radiusd.conf file get run, and they must have a method associated with
> the post_authorization hook in the module structure.
>
> Hope that helps. I can provide more detail if you're interested; not sure
> how this will hook up to scripts.
>
> MV
>
> On Tue, 2003-01-14 at 08:03, Josh Howlett wrote:
> > Hi all,
> >
> > I'd like to run a script when an Access-Accept is proxied through a
> > Freeradius proxy server (ie. in the same way that you can run a script
> > (through acct_users) when accounting Stop/Start packets are proxied)
> >
> > Is this possible at all?
> >
> > thanks, josh.

-- 
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850   email: [EMAIL PROTECTED]
Re: proxy & access-accept
Look into the 'post_auth' functionality. Essentially, after any authorization, modules listed in the post_auth {} section of the radiusd.conf file get run, and they must have a method associated with the post_authorization hook in the module structure.

Hope that helps. I can provide more detail if you're interested; not sure how this will hook up to scripts.

MV

On Tue, 2003-01-14 at 08:03, Josh Howlett wrote:
> Hi all,
>
> I'd like to run a script when an Access-Accept is proxied through a
> Freeradius proxy server (ie. in the same way that you can run a script
> (through acct_users) when accounting Stop/Start packets are proxied)
>
> Is this possible at all?
>
> thanks, josh.

-- 
Mike Varley   -= SOMA Networks =-
Tel: 416.977.1414 x1578   email: [EMAIL PROTECTED]
proxy & access-accept
Hi all,

I'd like to run a script when an Access-Accept is proxied through a Freeradius proxy server (ie. in the same way that you can run a script (through acct_users) when accounting Stop/Start packets are proxied)

Is this possible at all?

thanks, josh.

-- 
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850   email: [EMAIL PROTECTED]
Re: Proxy using SQL
Anyone have any recommendations as to how to put this in. It is kind of like an if/then clause, so I am not sure how to do it. Because if I just put in something like:

    [UserName]  [Attribute]      [Value]
    DEFAULT     Proxy-To-Realm   abcrealm

It will proxy all users to this realm.

> "QCI Internet" <[EMAIL PROTECTED]> wrote:
> > I have proxy setup and running using key/value pairs just like described on
> > a previous post like below:
> >
> > >> DEFAULT Called-Station-ID =~ ".{6}", Proxy-To-Realm:= "abcrealm"
> > >> Fall-Through = Yes
> >
> > My question is, is this possible using rlm_sql instead of rlm_files?
>
> I believe so. The SQL configuration mirrors what the 'files' module
> does.
>
> Alan DeKok.
Re: Proxy using SQL
"QCI Internet" <[EMAIL PROTECTED]> wrote:
> I have proxy setup and running using key/value pairs just like described on
> a previous post like below:
>
> >> DEFAULT Called-Station-ID =~ ".{6}", Proxy-To-Realm:= "abcrealm"
> >> Fall-Through = Yes
>
> My question is, is this possible using rlm_sql instead of rlm_files?

I believe so. The SQL configuration mirrors what the 'files' module does.

Alan DeKok.
Proxy using SQL
I have proxy setup and running using key/value pairs just like described on a previous post like below:

>> DEFAULT Called-Station-ID =~ ".{6}0000", Proxy-To-Realm:= "abcrealm"
>> Fall-Through = Yes

My question is, is this possible using rlm_sql instead of rlm_files?
Re: can i set attribute after the proxy server authenticated the user information?
Huang Zhong <[EMAIL PROTECTED]> wrote:
> I added the following lines in the config file "hints"
...
> now, the result is:
> the customer's radius server successfully
> authenticated the request from freeradius server, but
> i lose the attributes added in the file "hints".

I'll bet money it's because you don't have a 'Hints == "PPP"' entry in the 'users' file. See how the distributed file uses hints...

Alan DeKok.
Re: can i set attribute after the proxy server authenticated the user information?
At 11:07 PM 12/22/2002 -0800, you wrote:
> I've downloaded freeradius0.8.1 and installed it on a FreeBSD 4.4 pc.
> I added the following lines in the config file "hints"
>
>     DEFAULT Suffix = "@test1.vpdn", Strip-User-Name = No
>             Hint = "PPP",
>             Service-Type = Framed-User,
>             Framed-Protocol = PPP,
>             cisco-avpair = "lcp:interface-config=ip vrf forwarding vrf1\\n ip unnumbered loopback1\\n peer default ip address pool vpn1"
>
> # the last line is a set of command for the cisco router as NAS
>
> lines in proxy.conf
>
>     realm test1.vpdn {
>         type     = radius
>         authhost = 211.xx.xx.93:1812
>         accthost = 211.xx.xx.93:1813
>         secret   = WinRadius
>     }
>
> # i don't want the radius server 211.xx.xx.93 to return any attributes about NAS because it belongs to our customer.
>
> now, the result is: the customer's radius server successfully authenticated the request from freeradius server, but i lose the attributes added in the file "hints".
>
> can i do anything to override the customer's radius's returned attributes?

See if rlm_attr_filter will do what you need.

Chris
can i set attribute after the proxy server authenticated the user information?
I've downloaded freeradius0.8.1 and installed it on a FreeBSD 4.4 pc.

I added the following lines in the config file "hints"

    DEFAULT Suffix = "@test1.vpdn", Strip-User-Name = No
            Hint = "PPP",
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            cisco-avpair = "lcp:interface-config=ip vrf forwarding vrf1\\n ip unnumbered loopback1\\n peer default ip address pool vpn1"

# the last line is a set of command for the cisco router as NAS

lines in proxy.conf

    realm test1.vpdn {
        type     = radius
        authhost = 211.xx.xx.93:1812
        accthost = 211.xx.xx.93:1813
        secret   = WinRadius
    }

# i don't want the radius server 211.xx.xx.93 to return any attributes about NAS because it belongs to our customer.

now, the result is: the customer's radius server successfully authenticated the request from freeradius server, but i lose the attributes added in the file "hints".

can i do anything to override the customer's radius's returned attributes?

thank you all.
Re: IPv6 + Proxy...
20-Dec-02 at 17:39, Tamer Demir ([EMAIL PROTECTED]) wrote :
> At 05:23 PM 12/20/2002, you wrote:
> > 20-Dec-02 at 17:23, Tamer Demir ([EMAIL PROTECTED]) wrote :
> > > I know it looks strange but, in a scenario like this: you are a big
> > > company and you have a contract with many smaller companies with their own
> > > realms. The users which are in these small companies may connect to the
> > > Internet by using other small companies' NASes. And in order to solve the
> > > accounting conflict between the small companies the big company wants all
> > > the data about the authenticating users from all other small companies. Big
> > > company just will act as a referee.
> > >
> > > Is this somehow possible by using proxy option in FreeRADIUS, if yes how?
> >
> > Either all your radius servers are proxies to the big company's radius
> > server(s) or you use something like radrelay and just use the accounting
> > information (which contains the detail you need) you don't need the
> > actual packets that are sent to the user, just the accounting info.
>
> Unfortunately, what if big company wants all the detailed information and
> also the small companies want all the detailed info too, like MAC address
> of the users, the beginning and end time of the connection and the small
> company name that the wireless user connected.

They get all that, have you looked at an accounting record?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: IPv6 + Proxy...
Tamer Demir <[EMAIL PROTECTED]> wrote:
> > What do you mean by that?
>
> I mean, can FreeRADIUS understand the authentication packets that comes
> from a client that has an IPv6 IP address(128)? Since we are planning to
> use RADIUS in an IPv6 Testbed to authenticate the users.

And I answered that in my previous message, in text you deleted.

> In a scenario like this: you are a big
> company and you have a contract with many smaller companies with their own
> realms. The users which are in these small companies may connect to the
> Internet by using other small companies' NASes. And in order to solve the
> accounting conflict between the small companies the big company wants all
> the data about the authenticating users from all other small companies. Big
> company just will act as a referee.
>
> Is this somehow possible by using proxy option in FreeRADIUS, if yes how?

No. Use radrelay.

Alan DeKok.
Re: IPv6 + Proxy...
At 05:23 PM 12/20/2002, you wrote:
> 20-Dec-02 at 17:23, Tamer Demir ([EMAIL PROTECTED]) wrote :
> > I know it looks strange but, in a scenario like this: you are a big
> > company and you have a contract with many smaller companies with their own
> > realms. The users which are in these small companies may connect to the
> > Internet by using other small companies' NASes. And in order to solve the
> > accounting conflict between the small companies the big company wants all
> > the data about the authenticating users from all other small companies. Big
> > company just will act as a referee.
> >
> > Is this somehow possible by using proxy option in FreeRADIUS, if yes how?
>
> Either all your radius servers are proxies to the big company's radius
> server(s) or you use something like radrelay and just use the accounting
> information (which contains the detail you need) you don't need the
> actual packets that are sent to the user, just the accounting info.

Unfortunately, what if big company wants all the detailed information and also the small companies want all the detailed info too, like MAC address of the users, the beginning and end time of the connection and the small company name that the wireless user connected.

Tamer
Re: IPv6 + Proxy...
At 04:05 PM 12/20/2002, you wrote:
> Tamer Demir <[EMAIL PROTECTED]> wrote:
> > Is FreeRADIUS IPv6 compatible?
>
> What do you mean by that?

I mean, can FreeRADIUS understand the authentication packets that come from a client that has an IPv6 IP address(128)? Since we are planning to use RADIUS in an IPv6 Testbed to authenticate the users.

> > And, after the authentication of the user I want to send (proxy) the
> > authentication packets to another FreeRADIUS server, How can I do
> > that?
>
> Why?

I know it looks strange but, in a scenario like this: you are a big company and you have a contract with many smaller companies with their own realms. The users which are in these small companies may connect to the Internet by using other small companies' NASes. And in order to solve the accounting conflict between the small companies the big company wants all the data about the authenticating users from all other small companies. Big company just will act as a referee.

Is this somehow possible by using proxy option in FreeRADIUS, if yes how?

Thanks a lot,
Tamer
Re: IPv6 + Proxy...
20-Dec-02 at 17:23, Tamer Demir ([EMAIL PROTECTED]) wrote :
> I know it looks strange but, in a scenario like this: you are a big
> company and you have a contract with many smaller companies with their own
> realms. The users which are in these small companies may connect to the
> Internet by using other small companies' NASes. And in order to solve the
> accounting conflict between the small companies the big company wants all
> the data about the authenticating users from all other small companies. Big
> company just will act as a referee.
>
> Is this somehow possible by using proxy option in FreeRADIUS, if yes how?

Either all your radius servers are proxies to the big company's radius server(s) or you use something like radrelay and just use the accounting information (which contains the detail you need) you don't need the actual packets that are sent to the user, just the accounting info.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: IPv6 + Proxy...
Tamer Demir <[EMAIL PROTECTED]> wrote:
> Is FreeRADIUS IPv6 compatible?

What do you mean by that?

Does FreeRADIUS send/receive packets on IPv6 interfaces? No.

Does FreeRADIUS send/receive radius packets which contain ipv6 configuration attributes? Sort of.

As always, patches are welcome.

> And, after the authentication of the user I want to send (proxy) the
> authentication packets to another FreeRADIUS server, How can I do
> that?

Why?

Alan DeKok.
IPv6 + Proxy...
Hello,

Is FreeRADIUS IPv6 compatible?

And, after the authentication of the user I want to send (proxy) the authentication packets to another FreeRADIUS server. How can I do that? It is like proxying the packets to 2 other RADIUS servers, but one of them is its own.

Regards,
Tamer
Re: Proxy Config Using Auth Attributes
At 05:42 PM 12/9/2002 -0500, you wrote:
> Is it possible to set up proxy radius not based so much on realms but based
> on Key/Value pairs in the authentication packets? For example, I have many
> resellers and I need to be able to proxy requests based on DNIS
> (CalledStationID) or even just the last 4 digits of the DNIS.

Keep the proxy.conf configuration the same. Add a Proxy-To-Realm attribute through DEFAULT profiles that use the DNIS as a check-item. This could be done, for example, through rlm_files or rlm_fastusers.

HTH,
Chris Brotsos
Proxy Config Using Auth Attributes
Is it possible to set up proxy radius not based so much on realms but based on Key/Value pairs in the authentication packets? For example, I have many resellers and I need to be able to proxy requests based on DNIS (CalledStationID) or even just the last 4 digits of the DNIS.
Proxy configurations
I am new to cistron. How do I set up my server to authenticate dial-in users using the command line? I use a PuTTY interface.

Troy J. White
C.E.O. D.A. JAZ Internet Technologies
727-321-8899
Re: proxy configuration
maximo <[EMAIL PROTECTED]> wrote:
> I am trying to configure my radius server as proxy, but I don't
> know if it is possible to write the "tacacs+" value in the type option from
> the proxy.conf file, this because we are in a transition process and we
> need to do authentication of any number of users with tacacs+ and other ones
> with radius servers. Is there any way to do it?

See 'tac2rad', somewhere on the net. FreeRADIUS doesn't do TACACS+, and will never do TACACS+.

Alan DeKok.
proxy configuration
Hi, everybody.

I am trying to configure my radius server as proxy, but I don't know if it is possible to write the "tacacs+" value in the type option from the proxy.conf file, this because we are in a transition process and we need to do authentication of any number of users with tacacs+ and other ones with radius servers. Is there any way to do it?

Thank you
Re: Proxy Realms configuration
Mike Varley <[EMAIL PROTECTED]> wrote:
> Faster and more efficient as well. How often is proxy information going
> to change, really? And SIGHUPing FreeRADIUS is not a costly affair.

If everything is going well, proxy information won't change that often. If you want to have multiple fail-over realms, then the proxy information changes on every proxied request. The server has to keep track of which realms are live, which aren't, and which was the last realm it used (for round-robin).

> One solution we came up with was a compromise; changing proxy
> information in the Database could trigger a re-write of the realms file,
> and SIGHUP the FR server. The only problem here being that someone
> *could* inadvertently change only the realms file, SIGHUP the process,
> and be out of synch with the DB.

That's not a serious issue, in my opinion.

Alan DeKok.
Re: Proxy Realms configuration
On Mon, 2002-12-02 at 14:58, Alan DeKok wrote:
> Mike Varley <[EMAIL PROTECTED]> wrote:
> > I would like to use a database (SQL?) to manage my realms, instead of
> > the text files. The advantages are twofold: a unified repository for all
> > my user data (ISP, IP Pools, local usernames) and the other benefit is I
> > could add/remove realms w/o sending a SIGHUP to the radius proxy.
>
> That sounds reasonable.
>
> > Before I go and change the core components within the freeradius
> > library, has anyone else implemented this type of system before, and
> > have a better solution? Can I get this kind of behaviour through
> > modules? (ie, do a DB lookup, and add the result to the local list if
> > its not already in the list etc...)
>
> No, not really.
>
> The server needs a bunch of information for realms. Name, IP, port,
> secret, alive/dead status, etc.
>
> It's just easier if the server manages those lists itself
> internally, rather than doing DB calls all of the time.

Faster and more efficient as well. How often is proxy information going to change, really? And SIGHUPing FreeRADIUS is not a costly affair.

One solution we came up with was a compromise; changing proxy information in the Database could trigger a re-write of the realms file, and SIGHUP the FR server. The only problem here being that someone *could* inadvertently change only the realms file, SIGHUP the process, and be out of synch with the DB. Hmmm

MV
--
~~~ Mike Varley -= SOMA Networks =- Tel: 416.977.1414 x1578 email: [EMAIL PROTECTED]
Re: Proxy Realms configuration
Mike Varley <[EMAIL PROTECTED]> wrote:
> I would like to use a database (SQL?) to manage my realms, instead of
> the text files. The advantages are twofold: a unified repository for all
> my user data (ISP, IP Pools, local usernames) and the other benefit is I
> could add/remove realms w/o sending a SIGHUP to the radius proxy.

That sounds reasonable.

> Before I go and change the core components within the freeradius
> library, has anyone else implemented this type of system before, and
> have a better solution? Can I get this kind of behaviour through
> modules? (ie, do a DB lookup, and add the result to the local list if
> its not already in the list etc...)

No, not really.

The server needs a bunch of information for realms. Name, IP, port, secret, alive/dead status, etc.

It's just easier if the server manages those lists itself internally, rather than doing DB calls all of the time.

Alan DeKok.
Proxy Realms configuration
Currently, FreeRADIUS uses text files to define realms for proxying requests. The files are parsed and put into a list at startup, and then the core libraries use this list during runtime to look up realm information when proxying requests.

I would like to use a database (SQL?) to manage my realms, instead of the text files. The advantages are twofold: a unified repository for all my user data (ISP, IP Pools, local usernames) and the other benefit is I could add/remove realms w/o sending a SIGHUP to the radius proxy.

Before I go and change the core components within the freeradius library, has anyone else implemented this type of system before, and have a better solution? Can I get this kind of behaviour through modules? (ie, do a DB lookup, and add the result to the local list if it's not already in the list etc...)

Thoughts and opinions are welcome. Thank you!

MV
--
~~~ Mike Varley -= SOMA Networks =- Tel: 416.977.1414 x1578 email: [EMAIL PROTECTED]
accounting acknowledgement & radius proxy
hi guys,

i have the following setup:

  cistron radius -> forwarding server (proxy)
  freeradius -> remote server for certain realms + mysql accounting

i have thousands of users on the freeradius server which is proxied by cistron radius. prior to upgrading to the current 0.8 release from the aug. 29 snapshot, accounting packets sent by the NASes were being acknowledged by the remote server thru the proxy server (which i think is the correct behavior). but right after the upgrade, it seems that all accounting acknowledgments sent by the remote server were being delivered directly to the NASes instead of the proxy. this results in voluminous complaints by rlm_sql about 'duplicate entry' such as this one:

  Error: rlm_sql: Couldn't insert SQL accounting STOP record - Duplicate entry '7f93e019ee9b1b76' for key 1

i've already verified on the sql database that the accounting details have been logged. i suspect that the NAS didn't get the acknowledgment from the remote server, thus it continues to resend the accounting packets.

any ideas? help is already appreciated.

regards,
ronald
--
[Never be afraid to try something new. Remember, amateurs built the ark, and professionals built the Titanic.]
Re: TACACS/PROXY gateway
"Ing. Carlos M. Martinez" <[EMAIL PROTECTED]> wrote: > i have a fairly large all-Cisco equipment and we use freeRadius for > accounting and user authentication (we used to have cistron, we migrated > to FR 0.3 a while ago) Upgrade, PLEASE upgrade. > Is there any way to proxy a tacacs request to a radius server in the > free/open source software world ? There are commercial products that do > this, but they're out the question. Miquel wrote 'tac2rad', I think. He doesn't maintain it, but the source is out there somewhere, and it pretty much works. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
TACACS/PROXY gateway
Hi,

i have a fairly large all-Cisco equipment and we use freeRadius for accounting and user authentication (we used to have cistron, we migrated to FR 0.3 a while ago)

Now i have these new very cheap cisco ADSL routers, the 805 and the 827, which only support TACACS/TACACS+.

Is there any way to proxy a tacacs request to a radius server in the free/open source software world? There are commercial products that do this, but they're out of the question.

regards,
Carlos

Ing. Carlos M. Martinez
Network Administrator
ADINET - ANTEL Uruguay
Re: Fw: MySQL-Proxy-Exec-Program-Wait
"Mike Dain" <[EMAIL PROTECTED]> wrote: > I've tried adding: > > DEFAULT Exec-Program-Wait = "/shell/example" > > to the users file. What's the point of writing documentation (what little there is), if it's not going to be read? What's the point of adding debugging, warning, and error messages to the server, fi they're going to be ignored? I don't know about 0.7, but the latest CVS has examples in scripts/exec-program-wait of how to use it. What you posted here did NOT follow the example, and if you had run the server in debugging mode, it would have complained that what you did was wrong. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: MySQL-Proxy-Exec-Program-Wait
I've tried adding:

DEFAULT Exec-Program-Wait = "/shell/example"

to the users file. I also uncommented "files" in the "authorize" section of radius.conf. After restarting the radius server with these set (and the example from /scripts/exec-program-wait) the example script is still not being run.

So basically, I'm still trying to get an attribute to be used for every user. Everything else is SQL so I think that it might be skipping the users file and going straight to SQL.

- Mike

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 11, 2002 3:55 PM
Subject: Re: Fw: MySQL-Proxy-Exec-Program-Wait
Re: Fw: MySQL-Proxy-Exec-Program-Wait
"Mike Dain" <[EMAIL PROTECTED]> wrote: > Now I'm trying to add in an Exec-Program-Wait script. I don't care > if it only runs for proxy users or if it runs for everyone, I just > need to add in that attribute/value (Exec-Program-Wait/scriptname) > to everyone that logs in. Can someone tell me how to add in > attributes that effect all users. See 'scripts/exec-program-wait'. It has examples. > The server doesn't use the "users" file or system at all (it only > authenticates using SQL). So add a 'users' file with nothing more than the DEFAULT statement, which does the Exec-Program-Wait. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fw: MySQL-Proxy-Exec-Program-Wait
I didn't get any responses...so I'm trying again... See message below.

- Mike

- Original Message -
From: "Mike Dain" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 06, 2002 1:12 PM
Subject: MySQL-Proxy-Exec-Program-Wait
MySQL-Proxy-Exec-Program-Wait
I'm using my server for both local authentication and proxy to another server. I'm using MySQL for authentication/accounting. I have all of the realms/secrets/etc. set up in the proxy.conf file, and everything seems to work ok. Accounting shows up in the radacct table for all of it.

Now I'm trying to add in an Exec-Program-Wait script. I don't care if it only runs for proxy users or if it runs for everyone, I just need to add in that attribute/value (Exec-Program-Wait/scriptname) to everyone that logs in. Can someone tell me how to add in attributes that affect all users.

The server doesn't use the "users" file or system at all (it only authenticates using SQL).

Any help would be greatly appreciated.

Thanks,
Mike
Re: proxy (preprocess?)
Thanks! It looks like that should work. I'm going to write some scripts up and see how it goes. I'll let everyone know the results.

- Mike

- Original Message -
From: "Kevin Bonner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 04, 2002 3:26 PM
Subject: Re: proxy (preprocess?)
Re: proxy (preprocess?)
> Has anyone attempted this before? I'm using MySQL & Freeradius. After
> looking at lots of config files, etc. I think that a preprocess addition
> might work. Does anyone know if the Realms/NAS tables work now? I could
> also write a script to check account balances and remove the Realms entry
> if the account balance is negative (if the Realms table works now).

Read about Exec-Program-Wait in doc/README. That would probably be your easiest solution, just write a script to check the acct balance and exit with the proper return status.

Kevin Bonner
proxy (preprocess?)
I'm trying to set up my server to only allow proxying if a reseller's account balance is good. Example:

  User connects to NAS
  NAS sends user/pass to my radius server
  My radius server checks the account balance of reseller
  if reseller account balance > 0
      send request to reseller radius server & continue as normal...
  else
      deny request

It could also work like:

  User connects to NAS
  NAS sends user/pass to my radius server
  My radius server sends request to reseller radius server
  if reseller radius server says OK
      if reseller account balance > 0
          send authok
      else
          send deny

Has anyone attempted this before? I'm using MySQL & Freeradius. After looking at lots of config files, etc. I think that a preprocess addition might work. Does anyone know if the Realms/NAS tables work now? I could also write a script to check account balances and remove the Realms entry if the account balance is negative (if the Realms table works now).

Any ideas/help would be greatly appreciated.

Thanks,
Mike
Proxy Attributes
Hey All,

This may be a stupid question, but still, one to which I don't know the answer. :) If so, please forgive my ignorance.

I am trying to find a way to strip attributes sent "from" the NAS in the proxy authentication request in freeradius. I am able to modify the attributes that are sent back "to" the NAS after authentication using the attr_filter module, but I don't see a way of stripping certain attributes that are sent "from" the NAS. Is this possible? I have a proxy client who has an issue with the "Service-Type" attribute that would be solved if I could strip that attribute before it reaches their radius.

Thanks for any assistance!

Darren Nay - [EMAIL PROTECTED]
Re[2]: Proxy Radius
Dear Mehdi Roomi,

You should use both rlm_passwd and rlm_mschap modules (rlm_passwd in authorize, rlm_mschap in authenticate. Optionally you can use rlm_mschap in authorize). See doc/rlm_mschap and doc/rlm_passwd.

--Wednesday, October 9, 2002, 5:32:02 PM, you wrote to [EMAIL PROTECTED]:

MR> Thank You.
MR> I exported NT SAM passwords into a file successfully. one sample line is as
MR> following:
MR> borj2:1003:4f132fed9c9f145daad3b435b51404ee:6af463cbfe0f54eadfefd907ec233491:::
MR> currently my freeradius is configured to use clear text passwords which are stored
MR> in mysql and the pap authentication method for authentication.
MR> Now I think that I should use the rlm_passwd module instead of rlm_mschap? and
MR> import this file into the radcheck table of the radius database.
MR> also I want new passwords to be saved as clear text.
MR> another problem is that I want users to be able to change their passwords
MR> from the web site and I don't know how to check the previous passwords in my PHP
MR> program.
MR> Regards,
MR> M. Roomi

--
~/ZARAZA
So, I will be brief. (Twain)
Re: Proxy Radius
Thank You.

I exported NT SAM passwords into a file successfully. One sample line is as follows:

borj2:1003:4f132fed9c9f145daad3b435b51404ee:6af463cbfe0f54eadfefd907ec233491:::

Currently my freeradius is configured to use clear text passwords which are stored in mysql and the pap authentication method for authentication. Now I think that I should use the rlm_passwd module instead of rlm_mschap, and import this file into the radcheck table of the radius database. Also I want new passwords to be saved as clear text.

Another problem is that I want users to be able to change their passwords from the web site and I don't know how to check the previous passwords in my PHP program.

Regards,
M. Roomi
Re: Proxy Radius
Dear Mehdi Roomi,

You can export your crypted NT passwords to FreeRADIUS. See doc/rlm_mschap

--Wednesday, October 9, 2002, 1:28:51 PM, you wrote to [EMAIL PROTECTED]:

MR> Hi,
MR> I have my previous NT commercial accounting server (ISPUtil) with more than
MR> 1 active users on it. as I can't export crypted NT passwords into
MR> freeradius, I want to define all new accounts in FreeRadius and also want
MR> freeradius to act as the master Accounting server, and if the accounts don't
MR> exist in FreeRadius, I want the user to be redirected to the previous nasty NT
MR> accounting server.
MR> Freeradius proxy always redirects the requests to the NT accounting server
MR> before searching itself for this username!
MR> I want FreeRadius to first search itself and if the username doesn't exist,
MR> redirect it to the next accounting server.
MR> Additional Info:
MR> there is no separator like '@' in the username and I don't want to use one in new
MR> accounts either.
MR> as I configured freeradius, it acts as proxy, as it works well when the
MR> username doesn't exist in freeradius so it is redirected to the NT accounting
MR> server.
MR> but when the username exists in Freeradius, it doesn't authenticate the
MR> user and resends it to the second server.
MR> please let me know how to reconfigure the proxy radius.
MR> Regards,
MR> M. Roomi

--
~/ZARAZA
A new type of elementary particle has appeared: cracklings. Not very big, slightly burnt. (Lem)
Proxy Radius
Hi,

I have my previous NT commercial accounting server (ISPUtil) with more than 1 active users on it. As I can't export crypted NT passwords into freeradius, I want to define all new accounts in FreeRadius and also want freeradius to act as the master Accounting server, and if the accounts don't exist in FreeRadius, I want the user to be redirected to the previous nasty NT accounting server.

Freeradius proxy always redirects the requests to the NT accounting server before searching itself for this username! I want FreeRadius to first search itself and if the username doesn't exist, redirect it to the next accounting server.

Additional Info: there is no separator like '@' in the username and I don't want to use one in new accounts either. As I configured freeradius, it acts as proxy, as it works well when the username doesn't exist in freeradius so it is redirected to the NT accounting server. But when the username exists in Freeradius, it doesn't authenticate the user and resends it to the second server.

Please let me know how to reconfigure the proxy radius.

Regards,
M. Roomi
Round-Robin Proxy Support
Everyone,

The current CVS version of the server now contains support for a round-robin load distribution of remote proxy requests.

Previously, the server supported multiple entries for the same 'realm' with different entries in 'proxy.conf'. The server would use each entry in turn until it was marked dead, and would then move on to the next realm entry. This is the default behaviour and remains unchanged.

The new behaviour cycles each successive request through all of the listed servers, so that each request is assigned to a different server as it comes in. This is implemented in the 'proxy.conf' via the following entries:

The following sets the max number of servers you want to allow for each realm. If not set, it will default to 15.

  proxy server {
      servers_per_realm = 15
  }

The following enables a round-robin distribution on a realm:

  realm serv.com {
      type = radius
      authhost = rad1.serv.com:1812
      accthost = rad1.serv.com:1813
      secret = TheirKey
      ldflag = round_robin
      nostrip
  }

  realm serv.com {
      type = radius
      authhost = rad2.serv.com:1812
      accthost = rad2.serv.com:1813
      secret = TheirKey
      ldflag = round_robin
      nostrip
  }

In the above example, setting the 'ldflag' attribute with 'round_robin' enables the load distribution. All realm entries must be configured identically. IE, they must all have the same flag of 'round_robin' or 'fail_over'. The first packet for 'serv.com' will be sent to rad1.serv.com, the second packet will be sent to rad2.serv.com, the third packet will be sent to rad1.serv.com, and so on.

This has been tested to ensure backwards compatibility with previous 'proxy.conf' configurations. Remote server failures in a round-robin distribution situation are handled gracefully, and should not result in "lost" packets.

If there are any questions or problems associated with this, please post your experience and any debugging traces showing your problem to the list.

Thanks,
-Chris
--
Chris Parker, Director, Engineering, StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
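The selection rules described in the announcement above, as an added example that is not FreeRADIUS code: a small Python model that parses the announcement's own proxy.conf entries and picks a home server for each request under round_robin or fail_over, skipping servers marked dead. The parser, ProxySelector and simulate are this example's own names; the realm, hosts, secret and ldflag values are the ones quoted above, and the servers_per_realm default of 15 is the one the announcement states.

```python
import re
from dataclasses import dataclass

DEFAULT_SERVERS_PER_REALM = 15  # default quoted in the announcement

# Constructed proxy.conf fragment built from the announcement's own example.
ROUND_ROBIN_CONF = """
proxy server {
    servers_per_realm = 15
}
realm serv.com {
    type = radius
    authhost = rad1.serv.com:1812
    accthost = rad1.serv.com:1813
    secret = TheirKey
    ldflag = round_robin
    nostrip
}
realm serv.com {
    type = radius
    authhost = rad2.serv.com:1812
    accthost = rad2.serv.com:1813
    secret = TheirKey
    ldflag = round_robin
    nostrip
}
"""
# Same realm with the pre-existing default behaviour (constructed variant).
FAIL_OVER_CONF = ROUND_ROBIN_CONF.replace("round_robin", "fail_over")

_BLOCK = re.compile(r"(\w+)\s+(\S+)\s*\{([^}]*)\}")


@dataclass
class RealmEntry:
    realm: str
    authhost: str
    ldflag: str = "fail_over"  # the announcement's default
    dead: bool = False


def parse_proxy_conf(text):
    """Parse proxy.conf-style blocks into {realm: [RealmEntry, ...]}, enforcing
    one ldflag per realm and the servers_per_realm cap (default 15)."""
    limit = DEFAULT_SERVERS_PER_REALM
    realms = {}
    for kind, name, body in _BLOCK.findall(text):
        kv = {}
        for raw in body.splitlines():
            line = raw.strip()
            if line:
                key, _, value = line.partition("=")
                kv[key.strip()] = value.strip()  # bare flags like nostrip -> ""
        if kind == "proxy" and name == "server":
            limit = int(kv.get("servers_per_realm", limit))
        elif kind == "realm":
            entry = RealmEntry(name, kv["authhost"], kv.get("ldflag", "fail_over"))
            siblings = realms.setdefault(name, [])
            if siblings and siblings[0].ldflag != entry.ldflag:
                raise ValueError(f"realm {name}: entries must share one ldflag")
            if len(siblings) >= limit:
                raise ValueError(f"realm {name}: more than {limit} servers")
            siblings.append(entry)
    return realms


class ProxySelector:
    def __init__(self, realms):
        self.realms = realms
        self.cursor = {name: 0 for name in realms}  # round-robin position

    def mark_dead(self, realm, authhost, dead=True):
        for entry in self.realms[realm]:
            if entry.authhost == authhost:
                entry.dead = dead

    def pick(self, realm):
        """Return the authhost for the next request, or None if all are dead."""
        entries = self.realms[realm]
        if entries[0].ldflag == "fail_over":
            # Use each server in turn until it is marked dead.
            for entry in entries:
                if not entry.dead:
                    return entry.authhost
            return None
        # round_robin: advance the cursor, skipping dead servers so a remote
        # failure does not lose the request.
        count = len(entries)
        for _ in range(count):
            entry = entries[self.cursor[realm] % count]
            self.cursor[realm] += 1
            if not entry.dead:
                return entry.authhost
        return None


def simulate(conf, requests, outages=(), realm="serv.com"):
    """Return the authhost chosen for each of `requests` successive packets,
    after marking every authhost listed in `outages` dead."""
    selector = ProxySelector(parse_proxy_conf(conf))
    for host in outages:
        selector.mark_dead(realm, host)
    return [selector.pick(realm) for _ in range(requests)]
```

With both servers live, simulate(ROUND_ROBIN_CONF, 3) alternates rad1, rad2, rad1 exactly as the announcement describes, while the fail_over variant stays on rad1 until it is marked dead.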
Re: Fw: Hints & Proxy
Darren Nay wrote:
> Can anyone tell me if this is a possibility?? Using hints, or otherwise. (refer to the forwarded message)
>
> Thanks in advance!
>
> Darren Nay - [EMAIL PROTECTED]
>
> - Original Message -
> From: "Darren Nay" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 27, 2002 2:57 PM
> Subject: Hints & Proxy
>
> > Hello all,
> >
> > I haven't used hints much in the past but I am wondering if it might be possible to use them for proxying certain requests to a secondary radius. Or if there is possibly another way (besides hints) that this could be accomplished.
> >
> > For example. We have a realm hosted on one radius, and would like to proxy some of the requests for that realm to another radius, but have some still authenticating on the primary radius.. say for example, all of the users with a prxy- prefix (ie. [EMAIL PROTECTED]) would be sent to the secondary radius for authentication. A username without the prefix though would still authenticate on the primary radius. Make sense?
> >
> > Is this a possibility? And, if so, is there some documentation on it somewhere? I haven't had much luck finding any relevant docs.
> >
> > Thanks for any help that can be provided!
> >
> > Darren Nay - [EMAIL PROTECTED]

Actually this is fairly easy, use the null realm and configure it as local for the accounts to be authenticated locally:

  realm NULL {
      type = radius
      authhost = LOCAL:1645
      accthost = LOCAL:1646
      notrealm
  }

  realm realm.com {
      type = radius
      authhost = thathost:1645
      accthost = thathost:1646
  }

Now I have a question for you all, have you noticed memory leaks with freeradius? I have one whose RSS gets close to 140M in a single day; I restart it every 3 days or so.
Re: Fw: Hints & Proxy
Franklin,

Thanks for the suggestion. This just might work. :) I'll give it a try.

Darren

- Original Message -
From: "Franklin Trumpy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 30, 2002 12:44 PM
Subject: Re: Fw: Hints & Proxy
Re: Fw: Hints & Proxy
Darren,

I'm not exactly certain how your requirements could be met (gracefully) using hints. However, take a look at doc/configurable_failover. You should be able to use multiple instances of the realm module to simultaneously support both a prefix and suffix realm. I'm not sure how graceful *this* solution is either, and your mileage may vary.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc | Say not, "I have found the truth,"
Sr. UNIX Systems Administrator  | but rather, "I have found a truth."
Lighthouse Communications       |
[EMAIL PROTECTED]               | Say not, "I have found the path of the soul."
(515)244-1115                   | Say rather, "I have met the soul walking
(888)953-3278                   | upon my path."
http://www.lh.net               |
                                |   -Kahlil Gibran, _The Prophet_, 1923

On Mon, 30 Sep 2002, Darren Nay wrote:

> Date: Mon, 30 Sep 2002 10:59:28 -0600
> From: Darren Nay <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Fw: Hints & Proxy
>
> Can anyone tell me if this is a possibility?? Using hints, or otherwise.
> (refer to the forwarded message)
>
> Thanks in advance!
>
> Darren Nay - [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "Darren Nay" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 27, 2002 2:57 PM
> Subject: Hints & Proxy
>
> > Hello all,
> >
> > I haven't used hints much in the past but I am wondering if it might be
> > possible to use them for proxying certain requests to a secondary radius.
> > Or if there is possibly another way (besides hints) that this could be
> > accomplished.
> >
> > For example. We have a realm hosted on one radius, and would like to proxy
> > some of the requests for that realm to another radius, but have some still
> > authenticating on the primary radius.. say for example, all of the users
> > with a prxy- prefix (ie. [EMAIL PROTECTED]) would be sent to the secondary
> > radius for authentication. A username without the prefix though would still
> > authenticate on the primary radius. Make sense?
> >
> > Is this a possibility? And, if so, is there some documentation on it
> > somewhere? I haven't had much luck finding any relevant docs.
> >
> > Thanks for any help that can be provided!
> >
> > Darren Nay - [EMAIL PROTECTED]
Fw: Hints & Proxy
Can anyone tell me if this is a possibility?? Using hints, or otherwise.
(refer to the forwarded message)

Thanks in advance!

Darren Nay - [EMAIL PROTECTED]

----- Original Message -----
From: "Darren Nay" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 27, 2002 2:57 PM
Subject: Hints & Proxy

> Hello all,
>
> I haven't used hints much in the past but I am wondering if it might be
> possible to use them for proxying certain requests to a secondary radius.
> Or if there is possibly another way (besides hints) that this could be
> accomplished.
>
> For example. We have a realm hosted on one radius, and would like to proxy
> some of the requests for that realm to another radius, but have some still
> authenticating on the primary radius.. say for example, all of the users
> with a prxy- prefix (ie. [EMAIL PROTECTED]) would be sent to the secondary
> radius for authentication. A username without the prefix though would still
> authenticate on the primary radius. Make sense?
>
> Is this a possibility? And, if so, is there some documentation on it
> somewhere? I haven't had much luck finding any relevant docs.
>
> Thanks for any help that can be provided!
>
> Darren Nay - [EMAIL PROTECTED]
Hints & Proxy
Hello all,

I haven't used hints much in the past but I am wondering if it might be possible to use them for proxying certain requests to a secondary radius. Or if there is possibly another way (besides hints) that this could be accomplished.

For example. We have a realm hosted on one radius, and would like to proxy some of the requests for that realm to another radius, but have some still authenticating on the primary radius.. say for example, all of the users with a prxy- prefix (ie. [EMAIL PROTECTED]) would be sent to the secondary radius for authentication. A username without the prefix though would still authenticate on the primary radius. Make sense?

Is this a possibility? And, if so, is there some documentation on it somewhere? I haven't had much luck finding any relevant docs.

Thanks for any help that can be provided!

Darren Nay - [EMAIL PROTECTED]
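The routing question in this thread (a "prxy-" prefix sends the user to a secondary server, a plain "user@realm.com" stays on the primary, a name with no realm part falls into the NULL realm) can be modelled in a few lines. The following is an added illustration written for this page, not rlm_realm's code or anything from the FreeRADIUS project: it borrows the proxy.conf vocabulary (suffix and prefix realm formats, NULL realm, LOCAL authhost, strip/nostrip) but the Realm and Decision types, the route() function and the hostnames are assumptions. It also shows the edge case a prefix realm introduces: a user name such as "mary-jane@realm.com" contains the prefix delimiter but is not a prefix-realm user, so the prefix match must compare the realm part rather than just test for the delimiter.

```python
"""Realm selection for a RADIUS User-Name, modelled on the rlm_realm ideas in
the thread: suffix realms (user@realm.com), prefix realms (prxy-user), the
NULL realm for names with no delimiter, and LOCAL for a realm this server
handles itself.  Added illustration, not rlm_realm's code; hosts are made up."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Realm:
    name: str            # "NULL" catches User-Names that have no delimiter at all
    fmt: str             # "suffix": user<delim>realm   "prefix": realm<delim>user
    delimiter: str
    authhost: str        # "LOCAL:1645" = authenticate here, otherwise host:port to proxy to
    accthost: str
    strip: bool = True   # forward the User-Name without its realm part (proxy.conf "nostrip" disables)

    @property
    def is_local(self) -> bool:
        return self.authhost.upper().startswith("LOCAL")


@dataclass(frozen=True)
class Decision:
    realm: Optional[Realm]
    user: str              # User-Name as it will be looked up or forwarded
    proxied: bool
    target: Optional[str]  # authhost of the proxy target, None when handled locally


def _split(username: str, realm: Realm) -> Optional[Tuple[str, str]]:
    """Return (user_part, realm_part) if the name contains the realm's delimiter."""
    if realm.fmt == "suffix":
        i = username.rfind(realm.delimiter)
        return None if i < 0 else (username[:i], username[i + 1:])
    if realm.fmt == "prefix":
        i = username.find(realm.delimiter)
        return None if i < 0 else (username[i + 1:], username[:i])
    raise ValueError(f"unknown realm format {realm.fmt!r}")


def _decide(realm: Realm, user: str) -> Decision:
    return Decision(realm, user, not realm.is_local, None if realm.is_local else realm.authhost)


def route(username: str, realms: List[Realm]) -> Decision:
    # Prefix realms are tried first, so "prxy-bob@realm.com" is routed by its
    # prefix even though it also carries a suffix realm.
    ordered = [r for r in realms if r.fmt == "prefix"] + [r for r in realms if r.fmt == "suffix"]
    for realm in ordered:
        if realm.name == "NULL":
            continue
        parts = _split(username, realm)
        # Compare the realm part, not just the presence of the delimiter, so that
        # "mary-jane@realm.com" is not mistaken for a prefix-realm user.
        if parts and parts[1].lower() == realm.name.lower():
            return _decide(realm, parts[0] if realm.strip else username)
    null = next((r for r in realms if r.name == "NULL"), None)
    if null is not None and _split(username, null) is None:
        return _decide(null, username)
    # No realm matched: rlm_realm returns noop and the request is handled locally.
    return Decision(None, username, False, None)


# Constructed sample configuration mirroring the thread's requirement.
REALMS = [
    Realm("realm.com", "suffix", "@", "LOCAL:1645", "LOCAL:1646"),
    Realm("prxy", "prefix", "-", "secondary.example.net:1645", "secondary.example.net:1646"),
    Realm("NULL", "suffix", "@", "LOCAL:1645", "LOCAL:1646"),
]

if __name__ == "__main__":
    for name in ("prxy-bob@realm.com", "bob@realm.com", "alice", "mary-jane@realm.com", "bob@other.org"):
        d = route(name, REALMS)
        print(f"{name:22} -> realm={d.realm.name if d.realm else None!s:10} user={d.user:16} "
              f"{'proxy to ' + d.target if d.proxied else 'local'}")
```

The two realm instances correspond to Franklin's suggestion of running the realm module twice (once in prefix and once in suffix mode); the order in which they are consulted is what decides the prefixed user's fate.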
RE: Question regarding Proxy-State [33] Attribute
Just as a fun record, I have resolved this issue... Read below for some fun stuff.

START CUT

-----Original Message-----
From: Ballew, Dean A [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 4:49 PM
To: Brandon Lehmann; Radius Testing
Cc: Dan-CPM; Stephen Goff
Subject: RE: Worldteq - Status of Realm Activation: IP Change

Brandon,

Please try again. Your realm was pointing (test server only) to another company that previously owned this realm... Proxy-state will not be sent in your dialtests. Proxy-state will be implemented with our system upgrades in the near future.

Dean

-----Original Message-----
From: Brandon Lehmann [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 3:22 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'; Stephen Goff
Subject: FW: Worldteq - Status of Realm Activation: IP Change

When testing the realms I have run into a few problems. Viewing our radius logs, I do NOT see a Proxy-State attribute being sent from the test radius proxies. It looks like the users are authenticating ok, but the session will not start with the test numbers. If you could please let me know why this may be happening, it would be greatly appreciated. A snapshot of a logfile from you guys would work even better if the trouble is indeed on our end. All dialup tests were done w/ the user '[EMAIL PROTECTED]'.

Thanks for your help.

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net

END CUT

---

The really funny thing is... that we are the only ones that have ever owned that realm... interesting.. sounds like no one ever set it up to me.

Thanks to all of you that helped!

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Parker
> Sent: Friday, September 20, 2002 3:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Question regarding Proxy-State [33] Attribute
>
> At 03:19 PM 9/20/2002 -0400, Brandon Lehmann wrote:
> >Chris,
> >
> >  This is the result from my debug (radiusd -x -x)
> >
> >rad_recv: Accounting-Request packet from host 209.211.205.27:46810, id=250, length=445
> >Thread 2 assigned request 6
> >--- Walking the entire request list ---
> >Threads: total/active/spare threads = 5/1/4
> >Waking up in 5 seconds...
> >Thread 2 handling request 6, (2 handled so far)
> >        User-Name = "[EMAIL PROTECTED]"
> >        NAS-IP-Address = 63.152.3.66
> >        NAS-Port = 7190
> >        Service-Type = Framed-User
> >        Cisco-AVPair = "disc-cause-ext=1043"
> >        Cisco-AVPair = "pre-bytes-in=250"
> >        Cisco-AVPair = "pre-bytes-out=216"
> >        Cisco-AVPair = "pre-paks-in=8"
> >        Cisco-AVPair = "pre-paks-out=6"
> >        Cisco-AVPair = "pre-session-time=27"
> >        Cisco-AVPair = "connect-progress=101"
> >        Cisco-AVPair = "nas-rx-speed=26400"
> >        Cisco-AVPair = "nas-tx-speed=38000"
> >        Cisco-NAS-Port = "Async3/07*Serial7/0:1:22"
> >        Calling-Station-Id = "4193321376"
> >        Acct-Status-Type = Stop
> >        Acct-Delay-Time = 0
> >        Acct-Input-Octets = 0
> >        Acct-Output-Octets = 8
> >        Acct-Session-Id = "02000C91"
> >        Acct-Authentic = RADIUS
> >        Acct-Session-Time = 0
> >        Acct-Input-Packets = 0
> >        Acct-Output-Packets = 1
> >        NAS-Port-Type = Async
> >        X-Ascend-Pre-Input-Octets = 250
> >        X-Ascend-Pre-Output-Octets = 216
> >        X-Ascend-Pre-Input-Packets = 8
> >        X-Ascend-Pre-Output-Packets = 6
> >        X-Ascend-Disconnect-Cause = 43
> >        X-Ascend-Connect-Progress = 101
> >        X-Ascend-Data-Rate = 26400
> >        X-Ascend-PreSession-Time = 27
> >        X-Ascend-Xmit-Rate = 38000
>
> Qwest isn't sending you a Proxy-State attribute. Kindly ask them how
> you are supposed to return one if they aren't sending one?
>
> http://www.freeradius.org/rfc/rfc2865.html#Proxy-State
>
> -Chris
> --
>    \\\|||///  \    StarNet Inc.            \  Chris Parker
>    \ ~   ~ /   \   WX *is* Wireless!        \   Director, Engineering
>    | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
> -oOo---(_)---oOo--\------------------------------------------------
>                    \ Wholesale Internet Services - http://www.megapop.net
RE: Question regarding Proxy-State [33] Attribute
Thanks Chris...

Funny how that works... They are both slow at fixing problems and mindless in setting up their own specifications.

Thanks again. If I need any more help, now I know where to get it :)

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Parker
> Sent: Friday, September 20, 2002 3:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Question regarding Proxy-State [33] Attribute
>
> At 03:19 PM 9/20/2002 -0400, Brandon Lehmann wrote:
> >Chris,
> >
> >  This is the result from my debug (radiusd -x -x)
> >
> >rad_recv: Accounting-Request packet from host 209.211.205.27:46810, id=250, length=445
> >Thread 2 assigned request 6
> >--- Walking the entire request list ---
> >Threads: total/active/spare threads = 5/1/4
> >Waking up in 5 seconds...
> >Thread 2 handling request 6, (2 handled so far)
> >        User-Name = "[EMAIL PROTECTED]"
> >        NAS-IP-Address = 63.152.3.66
> >        NAS-Port = 7190
> >        Service-Type = Framed-User
> >        Cisco-AVPair = "disc-cause-ext=1043"
> >        Cisco-AVPair = "pre-bytes-in=250"
> >        Cisco-AVPair = "pre-bytes-out=216"
> >        Cisco-AVPair = "pre-paks-in=8"
> >        Cisco-AVPair = "pre-paks-out=6"
> >        Cisco-AVPair = "pre-session-time=27"
> >        Cisco-AVPair = "connect-progress=101"
> >        Cisco-AVPair = "nas-rx-speed=26400"
> >        Cisco-AVPair = "nas-tx-speed=38000"
> >        Cisco-NAS-Port = "Async3/07*Serial7/0:1:22"
> >        Calling-Station-Id = "4193321376"
> >        Acct-Status-Type = Stop
> >        Acct-Delay-Time = 0
> >        Acct-Input-Octets = 0
> >        Acct-Output-Octets = 8
> >        Acct-Session-Id = "02000C91"
> >        Acct-Authentic = RADIUS
> >        Acct-Session-Time = 0
> >        Acct-Input-Packets = 0
> >        Acct-Output-Packets = 1
> >        NAS-Port-Type = Async
> >        X-Ascend-Pre-Input-Octets = 250
> >        X-Ascend-Pre-Output-Octets = 216
> >        X-Ascend-Pre-Input-Packets = 8
> >        X-Ascend-Pre-Output-Packets = 6
> >        X-Ascend-Disconnect-Cause = 43
> >        X-Ascend-Connect-Progress = 101
> >        X-Ascend-Data-Rate = 26400
> >        X-Ascend-PreSession-Time = 27
> >        X-Ascend-Xmit-Rate = 38000
>
> Qwest isn't sending you a Proxy-State attribute. Kindly ask them how
> you are supposed to return one if they aren't sending one?
>
> http://www.freeradius.org/rfc/rfc2865.html#Proxy-State
>
> -Chris
> --
>    \\\|||///  \    StarNet Inc.            \  Chris Parker
>    \ ~   ~ /   \   WX *is* Wireless!        \   Director, Engineering
>    | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
> -oOo---(_)---oOo--\------------------------------------------------
>                    \ Wholesale Internet Services - http://www.megapop.net
RE: Question regarding Proxy-State [33] Attribute
At 03:19 PM 9/20/2002 -0400, Brandon Lehmann wrote:
>Chris,
>
>  This is the result from my debug (radiusd -x -x)
>
>rad_recv: Accounting-Request packet from host 209.211.205.27:46810, id=250, length=445
>Thread 2 assigned request 6
>--- Walking the entire request list ---
>Threads: total/active/spare threads = 5/1/4
>Waking up in 5 seconds...
>Thread 2 handling request 6, (2 handled so far)
>        User-Name = "[EMAIL PROTECTED]"
>        NAS-IP-Address = 63.152.3.66
>        NAS-Port = 7190
>        Service-Type = Framed-User
>        Cisco-AVPair = "disc-cause-ext=1043"
>        Cisco-AVPair = "pre-bytes-in=250"
>        Cisco-AVPair = "pre-bytes-out=216"
>        Cisco-AVPair = "pre-paks-in=8"
>        Cisco-AVPair = "pre-paks-out=6"
>        Cisco-AVPair = "pre-session-time=27"
>        Cisco-AVPair = "connect-progress=101"
>        Cisco-AVPair = "nas-rx-speed=26400"
>        Cisco-AVPair = "nas-tx-speed=38000"
>        Cisco-NAS-Port = "Async3/07*Serial7/0:1:22"
>        Calling-Station-Id = "4193321376"
>        Acct-Status-Type = Stop
>        Acct-Delay-Time = 0
>        Acct-Input-Octets = 0
>        Acct-Output-Octets = 8
>        Acct-Session-Id = "02000C91"
>        Acct-Authentic = RADIUS
>        Acct-Session-Time = 0
>        Acct-Input-Packets = 0
>        Acct-Output-Packets = 1
>        NAS-Port-Type = Async
>        X-Ascend-Pre-Input-Octets = 250
>        X-Ascend-Pre-Output-Octets = 216
>        X-Ascend-Pre-Input-Packets = 8
>        X-Ascend-Pre-Output-Packets = 6
>        X-Ascend-Disconnect-Cause = 43
>        X-Ascend-Connect-Progress = 101
>        X-Ascend-Data-Rate = 26400
>        X-Ascend-PreSession-Time = 27
>        X-Ascend-Xmit-Rate = 38000

Qwest isn't sending you a Proxy-State attribute. Kindly ask them how you are supposed to return one if they aren't sending one?

http://www.freeradius.org/rfc/rfc2865.html#Proxy-State

-Chris
--
   \\\|||///  \    StarNet Inc.            \  Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!        \   Director, Engineering
   | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
-oOo---(_)---oOo--\------------------------------------------------
                   \ Wholesale Internet Services - http://www.megapop.net
RE: Question regarding Proxy-State [33] Attribute
Chris,

  This is the result from my debug (radiusd -x -x)

rad_recv: Accounting-Request packet from host 209.211.205.27:46810, id=250, length=445
Thread 2 assigned request 6
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 2 handling request 6, (2 handled so far)
        User-Name = "[EMAIL PROTECTED]"
        NAS-IP-Address = 63.152.3.66
        NAS-Port = 7190
        Service-Type = Framed-User
        Cisco-AVPair = "disc-cause-ext=1043"
        Cisco-AVPair = "pre-bytes-in=250"
        Cisco-AVPair = "pre-bytes-out=216"
        Cisco-AVPair = "pre-paks-in=8"
        Cisco-AVPair = "pre-paks-out=6"
        Cisco-AVPair = "pre-session-time=27"
        Cisco-AVPair = "connect-progress=101"
        Cisco-AVPair = "nas-rx-speed=26400"
        Cisco-AVPair = "nas-tx-speed=38000"
        Cisco-NAS-Port = "Async3/07*Serial7/0:1:22"
        Calling-Station-Id = "4193321376"
        Acct-Status-Type = Stop
        Acct-Delay-Time = 0
        Acct-Input-Octets = 0
        Acct-Output-Octets = 8
        Acct-Session-Id = "02000C91"
        Acct-Authentic = RADIUS
        Acct-Session-Time = 0
        Acct-Input-Packets = 0
        Acct-Output-Packets = 1
        NAS-Port-Type = Async
        X-Ascend-Pre-Input-Octets = 250
        X-Ascend-Pre-Output-Octets = 216
        X-Ascend-Pre-Input-Packets = 8
        X-Ascend-Pre-Output-Packets = 6
        X-Ascend-Disconnect-Cause = 43
        X-Ascend-Connect-Progress = 101
        X-Ascend-Data-Rate = 26400
        X-Ascend-PreSession-Time = 27
        X-Ascend-Xmit-Rate = 38000
modcall: entering group preacct
  modcall[preacct]: module "preprocess" returns noop
rlm_realm: Looking up realm nwonline.net for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm DEFAULT
rlm_realm: Proxying request from user test to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Preparing to proxy accounting request to realm DEFAULT
  modcall[preacct]: module "suffix" returns ok
modcall: group preacct returns ok
modcall: entering group accounting
radius_xlat:  '/usr/local/var/log/radius/radacct/detail.log'
rlm_detail: /usr/local/var/log/radius/radacct/detail.log expands to /usr/local/var/log/radius/radacct/detail.log
rlm_detail: Freeradius-Proxied-To set to 208.231.144.20
  modcall[accounting]: module "detail" returns ok
radius_xlat:  '[EMAIL PROTECTED]'
Accounting: logout: login entry for NAS nas14.arlington1.va.us.da.qwest port 7190 not found
  modcall[accounting]: module "radutmp" returns ok
modcall: group accounting returns ok
Sending Accounting-Request of id 4 to 208.231.144.20:1646
        User-Name = "[EMAIL PROTECTED]"
        NAS-IP-Address = 63.152.3.66
        NAS-Port = 7190
        Service-Type = Framed-User
        Cisco-AVPair = "1043"
        Cisco-AVPair = "250"
        Cisco-AVPair = "216"
        Cisco-AVPair = "8"
        Cisco-AVPair = "6"
        Cisco-AVPair = "27"
        Cisco-AVPair = "101"
        Cisco-AVPair = "26400"
        Cisco-AVPair = "38000"
        Cisco-NAS-Port = "Async3/07*Serial7/0:1:22"
        Calling-Station-Id = "4193321376"
        Acct-Status-Type = Stop
        Acct-Delay-Time = 0
        Acct-Input-Octets = 0
        Acct-Output-Octets = 8
        Acct-Session-Id = "02000C91"
        Acct-Authentic = RADIUS
        Acct-Session-Time = 0
        Acct-Input-Packets = 0
        Acct-Output-Packets = 1
        NAS-Port-Type = Async
        X-Ascend-Pre-Input-Octets = 250
        X-Ascend-Pre-Output-Octets = 216
        X-Ascend-Pre-Input-Packets = 8
        X-Ascend-Pre-Output-Packets = 6
        X-Ascend-Disconnect-Cause = 43
        X-Ascend-Connect-Progress = 101
        X-Ascend-Data-Rate = 26400
        X-Ascend-PreSession-Time = 27
        X-Ascend-Xmit-Rate = 38000
        Proxy-State = "250"
Thread 2 waiting to be assigned a request
rad_recv: Accounting-Response packet from host 208.231.144.20:1646, id=4, length=25
Thread 3 assigned request 6
rl_next:  returning NULL
Waking up in 5 seconds...
Thread 3 handling request 6, (2 handled so far)
        Proxy-State = 0x323530
Sending Accounting-Response of id 250 to 209.211.205.27:46810
Finished request 6
Going to the next request
Thread 3 waiting to be assigned a request

From what it looks like, Qwest is not sending me proxy-state attributes. This is really interesting as they told us that these were required. My testing will still not let me log on.

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net

> -----Original Message----- &
RE: Question regarding Proxy-State [33] Attribute
So what you're saying... is that I should use the CVS snapshot and try this. freeradius does show a successful auth, but the session never comes up. Our realms are already in production, but we are doing testing for Qwest's new requirement for round-robin radius (using the qwest test #). I'll try the cvs snapshot first.

Thanks.

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Franklin Trumpy
> Sent: Friday, September 20, 2002 2:31 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: Question regarding Proxy-State [33] Attribute
>
> On Fri, 20 Sep 2002, Brandon Lehmann wrote:
> > The only reason that this would happen is because our proxy server is
> > NOT sending back a Proxy-State [33] attribute. How can I make sure that
> > FreeRadius sends this attr back? If I can't get it to do this, can
> > someone please advise a software package that can do this?
>
> If the Proxy-State attribute is getting lost somewhere, it's most
> likely being stripped off by the VopRADIUS server, which, of course, it
> shouldn't be doing.
>
> I can confirm that the FreeRADIUS CVS snapshot dated 08/16/2002 does
> receive Proxy-State attributes from QWest NAS correctly, does proxy them
> correctly (to, in my case, a Radiator server *shudder*), and does return
> them to the QWest client correctly. It has been behaving exactly as it
> should according to the RFC through various releases and CVS iterations
> for about a year.
>
> Does your FreeRADIUS server show a successful authentication, but then the
> actual session fails to come up, or does the FreeRADIUS server show a
> failed authentication? On a QWest-specific note, unless your
> realm is already in production, Proxy-State shouldn't preclude a
> successful connection at the NAS end.
>
> Franklin
>
> --
> Franklin Trumpy, NFA, MNGS, GSc | Say not, "I have found the truth,"
> Sr. UNIX Systems Administrator  | but rather, "I have found a truth."
> Lighthouse Communications       |
> [EMAIL PROTECTED]               | Say not, "I have found the path of the soul."
> (515)244-1115                   | Say rather, "I have met the soul walking
> (888)953-3278                   | upon my path."
> http://www.lh.net               |
>                                 |   -Kahlil Gibran, _The Prophet_, 1923
Re: Question regarding Proxy-State [33] Attribute
At 01:31 PM 9/20/2002 -0500, Franklin Trumpy wrote:
>On Fri, 20 Sep 2002, Brandon Lehmann wrote:
> > The only reason that this would happen is because our proxy server is
> > NOT sending back a Proxy-State [33] attribute. How can I make sure that
> > FreeRadius sends this attr back? If I can't get it to do this, can
> > someone please advise a software package that can do this?
>
>If the Proxy-State attribute is getting lost somewhere, it's most
>likely being stripped off by the VopRADIUS server, which, of course, it
>shouldn't be doing.

Which FreeRADIUS handles very gracefully. It also handles Merit servers which decide to mangle attributes.

Any Proxy-State attributes that are received in a reply from a remote server are discarded by FreeRADIUS. The Proxy-State attributes that were sent in the *original* request are copied into the reply to send back to Qwest. IE, the server already handles the case of a remote server stripping or mangling the Proxy-State(s).

Hence the request to run it in debug to see what Qwest is sending, and what is being sent back to them.

-Chris
--
   \\\|||///  \    StarNet Inc.            \  Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!        \   Director, Engineering
   | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
-oOo---(_)---oOo--\------------------------------------------------
                   \ Wholesale Internet Services - http://www.megapop.net
Re: Question regarding Proxy-State [33] Attribute
On Fri, 20 Sep 2002, Brandon Lehmann wrote:
> The only reason that this would happen is because our proxy server is
> NOT sending back a Proxy-State [33] attribute. How can I make sure that
> FreeRadius sends this attr back? If I can't get it to do this, can
> someone please advise a software package that can do this?

If the Proxy-State attribute is getting lost somewhere, it's most likely being stripped off by the VopRADIUS server, which, of course, it shouldn't be doing.

I can confirm that the FreeRADIUS CVS snapshot dated 08/16/2002 does receive Proxy-State attributes from QWest NAS correctly, does proxy them correctly (to, in my case, a Radiator server *shudder*), and does return them to the QWest client correctly. It has been behaving exactly as it should according to the RFC through various releases and CVS iterations for about a year.

Does your FreeRADIUS server show a successful authentication, but then the actual session fails to come up, or does the FreeRADIUS server show a failed authentication? On a QWest-specific note, unless your realm is already in production, Proxy-State shouldn't preclude a successful connection at the NAS end.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc | Say not, "I have found the truth,"
Sr. UNIX Systems Administrator  | but rather, "I have found a truth."
Lighthouse Communications       |
[EMAIL PROTECTED]               | Say not, "I have found the path of the soul."
(515)244-1115                   | Say rather, "I have met the soul walking
(888)953-3278                   | upon my path."
http://www.lh.net               |
                                |   -Kahlil Gibran, _The Prophet_, 1923
Re: Question regarding Proxy-State [33] Attribute
Brandon Lehmann <[EMAIL PROTECTED]> wrote:
> This is what we are running into. On top of some errors about
> accounting (FreeRadius wants us to add ALL of qwest's NAS boxes to the
> clients file.. ick)

No, that's definitely not true. The ONLY addresses which are required to be in the 'clients' file are the machines which send packets to the server.

> The only reason that this would happen is because our proxy server
> is NOT sending back a Proxy-State [33] attribute. How can I make
> sure that FreeRadius sends this attr back?

Look at the output of debugging mode?

Also, try upgrading to the latest CVS snapshot. It has a few more fixes which didn't make it into 0.7.1.

Alan DeKok.
Re: Question regarding Proxy-State [33] Attribute
At 09:51 AM 9/20/2002 -0400, Brandon Lehmann wrote:
>Hi List,
>
>  We are currently trying to get FreeRadius 0.7.1 to work with our
>VopRadius server. This is how it flows.
>
>  Our users dial into the Qwest Network. The Qwest NAS sends a request
>to Qwest's radius proxy servers -> Qwest proxy servers send a request to one
>of our proxy servers -> our proxy server sends the request to our VopRadius
>server -> VopRadius authenticates the user. Sounds easy right?
>
>  This is what we are running into. On top of some errors about
>accounting (FreeRadius wants us to add ALL of qwest's NAS boxes to the
>clients file.. ick) we are not getting authenticated.

Huh? Uhh, no. You don't need to do that unless Qwest's NAS are going to talk to your radius server directly. If requests are proxied through Qwest's radius servers, then you only have to add their Radius server IPs to your clients file.

>The only reason that this would happen is because our proxy server is NOT
>sending back a Proxy-State [33] attribute. How can I make sure that
>FreeRadius sends this attr back? If I can't get it to do this, can someone
>please advise a software package that can do this?

If Qwest's server sends it to you, then FreeRADIUS will send it back. You can find out what you are receiving from Qwest and what you are sending back by running the server in Debug mode ( radiusd -x -x ).

Good luck.

-Chris
--
   \\\|||///  \    StarNet Inc.            \  Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!        \   Director, Engineering
   | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
-oOo---(_)---oOo--\------------------------------------------------
                   \ Wholesale Internet Services - http://www.megapop.net
Question regarding Proxy-State [33] Attribute
Hi List,

  We are currently trying to get FreeRadius 0.7.1 to work with our VopRadius server. This is how it flows.

  Our users dial into the Qwest Network. The Qwest NAS sends a request to Qwest's radius proxy servers -> Qwest proxy servers send a request to one of our proxy servers -> our proxy server sends the request to our VopRadius server -> VopRadius authenticates the user. Sounds easy right?

  This is what we are running into. On top of some errors about accounting (FreeRadius wants us to add ALL of qwest's NAS boxes to the clients file.. ick) we are not getting authenticated. The only reason that this would happen is because our proxy server is NOT sending back a Proxy-State [33] attribute. How can I make sure that FreeRadius sends this attr back? If I can't get it to do this, can someone please advise a software package that can do this?

Thank you and have a good day.

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net
Re: Problems to use as proxy
Wolfgang Bremer <[EMAIL PROTECTED]> wrote:
> I'm trying to configure the freeradius (Version 0.5) to proxy requests
> to a remote server.

Please don't post problems or bug reports with old versions of the server. There are MANY bugs fixed in newer releases, see:

http://www.freeradius.org/radiusd/doc/ChangeLog

If you can reproduce the problem with 0.7, then you might want to try the latest CVS snapshot. If you can't reproduce the problem with 0.7, then the problem was found and solved months ago.

Alan DeKok.
Problems to use as proxy
Hi,

I'm trying to configure the freeradius (Version 0.5) to proxy requests to a remote server. I'm getting a message 'No request found for proxy reply from server XXX'. Has anybody got the same problem?

Here is some debug output:

Server#/usr/local/sbin/radiusd -x
Starting - reading configuration files ...
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:4079, id=163, length=71
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "o\264FU\260\n\317\346l\2134?\037F\272\214"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "1"
rlm_chap: Could not find proper Chap-Password attribute in request
Sending Access-Request of id 1 to 192.1.1.1:1812
        User-Name = "radiustest"
        User-Password = "\215\022\360`\241t\227\203\344\3067\r\260\250z;"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "1"
        Proxy-State = "163"
rad_recv: Access-Accept packet from host 192.1.1.1:1812, id=1, length=37
No request found for proxy reply from server Radius2 - ID 1

The server Radius2 just logs a successful login.

regards
Wolfgang Bremer
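Two things in this thread come down to the same bookkeeping: Chris Parker's description, earlier on this page, of how a proxy discards whatever Proxy-State the home server returns and copies the client's *original* Proxy-State attributes into the reply (so a home server that strips or mangles them does no harm), and the "No request found for proxy reply" in the debug output just above, which is what happens when a reply cannot be matched to an outstanding proxied request. The following is an added illustration written for this page, not FreeRADIUS code: the Proxy class, its forward()/handle_reply() methods, the TLV helpers and the addresses are assumptions. It follows the conventions visible in the debug output (the proxy's own Proxy-State carries the client's identifier, as in Proxy-State = "163" and "250" above) and RFC 2865's rule that Proxy-State attributes are returned unmodified and in order.

```python
"""Proxy-State (attribute 33, RFC 2865) bookkeeping for a RADIUS proxy.
Shown: the proxy keeps the client's Proxy-State attributes and appends one of
its own before forwarding; a reply is matched to an outstanding proxied
request by (home server, identifier), the lookup that fails with "No request
found for proxy reply ..." in the debug output; and every Proxy-State the home
server returns (stripped, mangled or intact) is discarded and replaced by the
client's original ones, in order.  Added illustration, not FreeRADIUS code."""
from typing import Dict, List, Optional, Tuple

USER_NAME = 1
REPLY_MESSAGE = 18
PROXY_STATE = 33

Attr = Tuple[int, bytes]   # (type, value) as carried on the wire


def encode_attrs(attrs: List[Attr]) -> bytes:
    """Serialise attributes as RFC 2865 TLVs: type, length (header included), value."""
    out = bytearray()
    for t, v in attrs:
        if not 0 <= t <= 255 or len(v) > 253:
            raise ValueError("type must fit one byte and value at most 253 bytes")
        out += bytes((t, len(v) + 2)) + v
    return bytes(out)


def decode_attrs(data: bytes) -> List[Attr]:
    """Parse TLVs, rejecting lengths below the header size or past the buffer end."""
    attrs: List[Attr] = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError(f"bad length {ln} for attribute {t}")
        attrs.append((t, bytes(data[i + 2:i + ln])))
        i += ln
    return attrs


class Proxy:
    def __init__(self, home: str) -> None:
        self.home = home   # "host:port" of the home server this proxy forwards to
        # (home, identifier) -> (client, client identifier, client's Proxy-State values)
        self.outstanding: Dict[Tuple[str, int], Tuple[str, int, List[bytes]]] = {}

    def _next_id(self) -> int:
        # RADIUS identifiers are one byte: choose one not already in flight to this home.
        for i in range(256):
            if (self.home, i) not in self.outstanding:
                return i
        raise RuntimeError("all 256 identifiers to this home server are in flight")

    def forward(self, client: str, client_id: int, request: List[Attr]) -> Tuple[int, List[Attr]]:
        """Return (identifier, attributes) of the packet to send to the home server."""
        home_id = self._next_id()
        client_states = [v for t, v in request if t == PROXY_STATE]
        self.outstanding[(self.home, home_id)] = (client, client_id, client_states)
        # Our own Proxy-State records the client's identifier (constructed convention,
        # matching the Proxy-State = "250" / "163" lines in the debug output).
        return home_id, request + [(PROXY_STATE, str(client_id).encode())]

    def handle_reply(self, home: str, home_id: int,
                     reply: List[Attr]) -> Optional[Tuple[str, int, List[Attr]]]:
        """Return (client, client_id, attributes) to send back, or None when no request matches."""
        entry = self.outstanding.pop((home, home_id), None)
        if entry is None:
            return None   # the "No request found for proxy reply from server ..." case
        client, client_id, client_states = entry
        # Drop whatever Proxy-State the home server echoed (possibly mangled or missing)
        # and restore the client's own attributes in their original order.
        kept = [(t, v) for t, v in reply if t != PROXY_STATE]
        return client, client_id, kept + [(PROXY_STATE, s) for s in client_states]


if __name__ == "__main__":
    # Constructed exchange: upstream proxy at 192.0.2.10 sends id 250 with its own Proxy-State.
    p = Proxy("home.example.net:1812")
    hid, fwd = p.forward("192.0.2.10", 250, [(USER_NAME, b"test@example.net"), (PROXY_STATE, b"upstream-7")])
    print("to home:", hid, decode_attrs(encode_attrs(fwd)))
    print("to client:", p.handle_reply("home.example.net:1812", hid, [(REPLY_MESSAGE, b"ok"), (PROXY_STATE, b"garbage")]))
    print("stray reply:", p.handle_reply("home.example.net:1812", hid, []))
```

The second handle_reply() call in the usage shows the failure mode from Wolfgang's log: a reply whose (server, identifier) pair is no longer outstanding, whether because it was already answered, timed out, or was sent by a server the proxy never forwarded to, is dropped rather than forwarded to any client.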
Re: [FreeRadius] Random port for proxy requests?
At 10:29 AM 8/25/2002 -0400, Tabor J. Wells wrote:
>On Sun, Aug 25, 2002 at 12:09:10PM +0200,
>Xavier Mertens <[EMAIL PROTECTED]> is thought to have said:
>
> > It's LVS (http://www.linuxvirtualserver.org)
> > What do you recommend to load-balance RADIUS traffic? Any suggestion?
>
>I've used Alteon products (now owned by Nortel) to load balance my RADIUS
>traffic at my last company. They are RADIUS aware and will do their health
>checks by trying to do an auth against each real server behind the virtual
>IPs.

You should be able to load balance with any udp aware load balancer as long as you are not trying to proxy the requests from your systems to anywhere else.

If you want to proxy from your systems, the situation becomes more complex as you need to keep some sort of state so that proxy replies are returned to the system that originally sent them. Or you need to start playing with different interfaces for inbound/outbound traffic (so that your NAS see the radius behind the LB, but proxy traffic outbound takes a different source ip specific to each machine).

A couple ways to do it, but you really have to have a solid understanding of the radius protocol and the implications of source addresses and how radius servers utilize the packet source to make decisions.

-Chris
--
   \\\|||///  \    StarNet Inc.            \  Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!        \   Director, Engineering
   | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
-oOo---(_)---oOo--\------------------------------------------------
                   \ Wholesale Internet Services - http://www.megapop.net
Re: [FreeRadius] Random port for proxy requests?
On Sun, Aug 25, 2002 at 12:09:10PM +0200,
Xavier Mertens <[EMAIL PROTECTED]> is thought to have said:

> It's LVS (http://www.linuxvirtualserver.org)
> What do you recommend to load-balance RADIUS traffic? Any suggestion?

I've used Alteon products (now owned by Nortel) to load balance my RADIUS traffic at my last company. They are RADIUS aware and will do their health checks by trying to do an auth against each real server behind the virtual IPs.

--
Tabor J. Wells [EMAIL PROTECTED]
Fsck It! Just another victim of the ambient morality
Re: [FreeRadius] Re: [FreeRadius] Re: Random port for proxy requests?
Xavier Mertens <[EMAIL PROTECTED]> wrote:
> It's LVS (http://www.linuxvirtualserver.org)
> What do you recommend to load-balance RADIUS traffic? Any suggestion?

No, sorry. I would probably recommend using a custom version of FreeRADIUS, as it knows about the RADIUS protocol. The LVS load-balancer appears to just load-balance random UDP packets, and probably doesn't even work with RADIUS.

Alan DeKok.
Re: [FreeRadius] Re: [FreeRadius] Re: Random port for proxy requests?
It's LVS (http://www.linuxvirtualserver.org)
What do you recommend to load-balance RADIUS traffic? Any suggestion?

Xavier
--
http://www.rootshell.be
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

On Fri, 23 Aug 2002, Alan DeKok wrote:
>
> Xavier Mertens <[EMAIL PROTECTED]> wrote:
> > To be honest, I don't know why the load-balancer does not perform its job.
> > Seems that it imagines that all requests from the same source port belong to
> > the same session... :(
>
> Then it's not a RADIUS load balancer.
>
> Alan DeKok.
Re: [FreeRadius] Re: Random port for proxy requests?
Your comments are right. To be honest, I don't know why the load-balancer does not perform its job. Seems that it imagines that all requests from the same source port belong to the same session... :(

Xavier
--
http://www.rootshell.be
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

On Thu, 22 Aug 2002, Alan DeKok wrote:
>
> Xavier <[EMAIL PROTECTED]> wrote:
> > My radiusd is used as a proxy and sends requests to a load-balancer (LVS).
> > But all packets are forwarded with the same source port (8002) and the LVS is
> > unable to load-balance. Any suggestion or a patch to generate a random port?
>
> Why would this be necessary? Why can't the load-balancer do
> something intelligent?
>
> In order for FreeRADIUS to send proxied requests from random ports,
> it would have to open, and listen on, *many* sockets. This gets
> expensive. It also doesn't add anything to the server, and just makes
> it slower and more complicated.
>
> Alan DeKok.
Re: Random port for proxy requests?
Xavier <[EMAIL PROTECTED]> wrote:
> My radiusd is used as a proxy and sends requests to a load-balancer (LVS).
> But all packets are forwarded with the same source port (8002) and the LVS is
> unable to load-balance. Any suggestion or a patch to generate a random port?

Why would this be necessary? Why can't the load-balancer do something intelligent?

In order for FreeRADIUS to send proxied requests from random ports, it would have to open, and listen on, *many* sockets. This gets expensive. It also doesn't add anything to the server, and just makes it slower and more complicated.

Alan DeKok.
Random port for proxy requests?
Hi,

I just installed a FreeRadius; works fine! Seems to be a very strong implementation of the RADIUS protocol. But, I already have a question. :)

My radiusd is used as a proxy and sends requests to a load-balancer (LVS). But all packets are forwarded with the same source port (8002) and the LVS is unable to load-balance. Any suggestion or a patch to generate a random port?

Xavier
--
http://www.rootshell.be
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc
Freeradius proxy server configuration
I set up two freeradius servers to test the proxy feature. In one machine (A), I installed a radius server and a radius client testing program. In another machine (B), I installed a radius server only. I configured servers A and B by editing radiusd.conf, client.conf, and users.

I configured the client testing program to point to B; it works fine. I send user name and password, and the authentication is OK. I changed the client program configuration to point to A; it works fine. I send user name and password, and the authentication is OK.

Now, while the client points to A, I tried to configure both radius servers in a realm. I edited proxy.conf to include a realm. For example,

    realm abcd.com {
        type = radius
        authhost = xxx.xxx.xxx.xxx
        authhost = yyy.yyy.yyy.yyy
        secret = 1234
    }

The secret 1234 is used for A, B and the client. I restarted both servers with "-x", the debug mode. My OS is RedHat 7.1 and RedHat 7.2. I know Freeradius-0.5 defaults to proxy server, so the server is already a proxy server.

I submit the password through the client program as before. In the users file of A, I have user "aa"; in the users file of B, I have user "bb". When I submit aa, the authentication is OK from A. When I submit bb, A rejects the authentication, and does not proxy the request to B. Nothing is sent to B and B receives nothing.

Thanks in advance for help.
Defu Zhang
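The decision that determines whether a request is proxied at all is made by the realm module (listed as "suffix" in the configs on this page) from the User-Name suffix, not from the users file. The model below is an added illustration written for this page, not FreeRADIUS's own code: it splits User-Name on the last '@', matches the suffix against configured realms, treats a missing suffix as matching only a realm named NULL and an unknown suffix as matching a realm named DEFAULT, and honours nostrip. The case-insensitive match and the constructed accthost values are assumptions of the model. Run against a configuration like the one in the post above, a bare user name such as "bb" matches no realm and stays local, whereas "bb@abcd.com" is forwarded.

```python
from dataclasses import dataclass

LOCAL = "LOCAL"  # proxy.conf keyword: handle this realm on this server


@dataclass
class Realm:
    name: str
    authhost: str
    accthost: str
    nostrip: bool = False  # keep the "@realm" suffix in User-Name when forwarding


def load_realms(*realms):
    """Index realms by lower-cased name, mirroring 'realm <name> { ... }' blocks."""
    return {r.name.lower(): r for r in realms}


def resolve_realm(user_name, realms, packet="auth"):
    """Model of the suffix/realm decision for one request.

    Returns the realm used, the User-Name to forward, and the host to send to
    (LOCAL when the request stays on this server). Case-insensitive matching
    is an assumption of this model.
    """
    if "@" in user_name:
        stripped, suffix = user_name.rsplit("@", 1)
    else:
        stripped, suffix = user_name, None

    if suffix is None:
        realm = realms.get("null")          # no suffix: only a NULL realm can match
    else:
        realm = realms.get(suffix.lower()) or realms.get("default")

    if realm is None:
        # Nothing matched: the request is not proxied; the local users file decides.
        return {"realm": None, "user": user_name, "target": LOCAL}

    host = realm.authhost if packet == "auth" else realm.accthost
    forward_name = user_name if (realm.nostrip or suffix is None) else stripped
    return {"realm": realm.name, "user": forward_name, "target": host}


# Constructed configuration resembling the post above: one realm, abcd.com,
# pointed at server B (accthost is an assumption; the post only sets authhost).
# There is deliberately no NULL realm.
REALMS = load_realms(
    Realm("abcd.com", authhost="xxx.xxx.xxx.xxx", accthost="xxx.xxx.xxx.xxx"),
)

if __name__ == "__main__":
    for name in ("aa", "bb", "bb@abcd.com", "bb@ABCD.com", "cc@other.org"):
        print(name, "->", resolve_realm(name, REALMS))
```

The same function models the NULL-realm behaviour in the accounting threads further down: a NULL realm with accthost set and authhost = LOCAL sends suffix-less accounting packets to the accthost while leaving authentication local.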
Re: accounting-start proxy error
>> It works fine for authentication request/accept and accounting-stop, but
>> my NAS complains about the accounting-start messages:
>
> Then it's most likely a problem with the attributes in the
> accounting start packet.
>
>> WARNING: Identifier does not match - ignoring response
>> WARNING: Invalid response signature - check secret!
>
> If the first message is true, then the second is caused by the
> first.
>
> You say that the NAS complains about the accounting-start packet,
> but FreeRADIUS never sends one to the NAS, it only sends an
> Accounting-Response packet. So where does this message come from, and
> when does it happen?

Sorry, my mistake, I meant Accounting-Request. This is what Freeradius gets from the NAS:

    rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:, id=120, length=149
            Acct-Delay-Time = 8
            NAS-IP-Address = xxx.xxx.xxx.xxx
            Service-Type = Framed-User
            Framed-Protocol = PPP
            NAS-Identifier = ""
            Acct-Status-Type = Start
            Acct-Session-Id = "3b7a0001"
            Acct-Authentic = RADIUS
            User-Name = "x"

This is what Freeradius proxies to MS IAS:

    Sending Accouting-Request of id 22 to xxx.xxx.xxx.xxx:
            Acct-Delay-Time = 8
            NAS-IP-Address = xxx.xxx.xxx.xxx
            Service-Type = Framed-User
            Framed-Protocol = PPP
            NAS-Identifier = ""
            Acct-Status-Type = Start
            Acct-Session-Id = "3b7a0001"
            Acct-Authentic = RADIUS
            User-Name = "x"
            Proxy-State = "120"

Freeradius gets the following back from MS IAS:

    rad_recv: Accouting-Response packet from xxx.xxx.xxx.xxx:, id=22, length=25
            Proxy-State = 0x313230

And sends it on to the NAS:

    Sending Accouting-Response of id 120 to xxx.xxx.xxx.xxx:xx

And the NAS generates the error:

    WARNING: Identifier does not match - ignoring response
    WARNING: Invalid response signature - check secret!

Josh Howlett, Networking and Digital Communications Group,
Information Systems & Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
Re: accounting-start proxy error
[EMAIL PROTECTED] wrote:
> It works fine for authentication request/accept and accounting-stop, but my
> NAS complains about the accounting-start messages:

Then it's most likely a problem with the attributes in the accounting start packet.

> WARNING: Identifier does not match - ignoring response
> WARNING: Invalid response signature - check secret!

If the first message is true, then the second is caused by the first.

You say that the NAS complains about the accounting-start packet, but FreeRADIUS never sends one to the NAS, it only sends an Accounting-Response packet. So where does this message come from, and when does it happen?

> It seems strange that freeradius is only complaining about accounting-stop,
> so it looks to me like freeradius is mis-handling accounting-start when
> proxying them.

I don't see why it would be treated any differently than any other accounting messages...

Alan DeKok.
accounting-start proxy error
(apologies, re-sent with meaningful Subject field).

Hi,

I have freeradius 0.6 acting as a proxy for authentication and accounting. It works fine for authentication request/accept and accounting-stop, but my NAS complains about the accounting-start messages:

    WARNING: Identifier does not match - ignoring response
    WARNING: Invalid response signature - check secret!

Freeradius does not generate any error messages in debug mode (-X). It seems strange that freeradius is only complaining about accounting-stop, so it looks to me like freeradius is mis-handling accounting-start when proxying them. Has anyone else seen this behaviour?

josh.

Josh Howlett, Networking and Digital Communications Group,
Information Systems & Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
How to Configure Proxy server
Hi,

I want to know how to configure a proxy server. My requests come from one host to a radius server, which I want to forward to another server. I added the entry for the host in proxy.conf, specifying the realm as xx.yy.com, and gave the address of the remote server as auth-host. However, my requests are not forwarded. Can someone help?

Thanks
Sachin
Re: proxy accounting
Igor Chen <[EMAIL PROTECTED]> wrote:
> I tried to configure proxying accounting requests to another radius
> server (NAS -->A-->B), but it just doesn't send anything. Authorization and
> authentication work perfectly.

Debugging mode says... ?

Alan DeKok.
Re: Proxy problem
Ionut Muntean <[EMAIL PROTECTED]> wrote:
> Does anyone know what is wrong when you receive the following message?
>
> Proxy: No request found for proxy reply from server - ID X

The proxy has sent a reply for a request which the server doesn't know about.

Alan DeKok.
proxy accounting
Hi!

I tried to configure proxying accounting requests to another radius server (NAS -->A-->B), but it just doesn't send anything. Authorization and authentication work perfectly. I've added to server A:

    realm test {
        type = radius
        authhost = server.B:1812
        accthost = server.B:1812
        secret = test123
    }

in proxy.conf, and to server B:

    client ip.of.server.A {
        secret = test123
        shortname = A
    }

Just tell me where to read about that. I read http://portmasters.com/www.livingston.com/tech/docs/radius/proxy.html before asking that question.

Will appreciate any help
--
cron-ripe
Proxy problem
Hi,

Does anyone know what is wrong when you receive the following message?

    Proxy: No request found for proxy reply from server - ID X

10x,
--
Ionut Muntean
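The message in this thread, the same message in Wolfgang Bremer's debug output near the top of the page, and the two NAS warnings in Josh Howlett's accounting-start thread all come from the bookkeeping a proxy has to do between the NAS and the home server: a proxied request gets a fresh packet identifier and a Proxy-State attribute, the reply is matched back to the outstanding request by (server, id), and the reply is then re-signed for the NAS with the NAS's own id and secret. The block below is an added illustration written for this page, not FreeRADIUS's or any NAS's code. Secrets, the Acct-Session-Id and the home server name "Radius2" are constructed or copied from the logs above; the RADIUS packet layout and authenticator formulas follow RFC 2866. It shows all three failure texts: a reply for an id that has no outstanding entry, a reply relayed with the home server's id instead of the NAS's, and a reply signed with the wrong secret.

```python
import hashlib
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5   # RADIUS packet codes (RFC 2866)
ATTR_PROXY_STATE = 33                 # Proxy-State
ATTR_ACCT_SESSION_ID = 44             # Acct-Session-Id

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS type/length/value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def authenticator(code, ident, prev_auth, attrs, secret):
    """MD5(Code + ID + Length + prev_auth + Attributes + Secret), RFC 2866.
    prev_auth is 16 zero bytes for an Accounting-Request and the request's
    authenticator when computing the Response Authenticator of its reply."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + prev_auth + body + secret).digest()

def nas_check(reply, sent_id, sent_auth, secret):
    """The two checks behind the NAS warnings quoted above, in the order a NAS applies them."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != sent_id:
        return "Identifier does not match - ignoring response"
    attrs = decode_attrs(reply[20:length])
    if reply[4:20] != authenticator(code, ident, sent_auth, attrs, secret):
        return "Invalid response signature - check secret!"
    return "ok"

def home_server_reply(request, secret):
    """Minimal home server: acknowledge, echoing Proxy-State back unchanged."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    echoed = [a for a in decode_attrs(request[20:length]) if a[0] == ATTR_PROXY_STATE]
    auth = authenticator(ACCT_RESPONSE, ident, request[4:20], echoed, secret)
    return build_packet(ACCT_RESPONSE, ident, auth, echoed)

class Proxy:
    """The per-request state a proxy must keep to hand a reply back to the right NAS."""

    def __init__(self, nas_secret, home_secret):
        self.nas_secret, self.home_secret = nas_secret, home_secret
        self.outstanding = {}  # (home, proxied id) -> (NAS id, NAS authenticator, proxied authenticator)
        self.next_id = 0

    def forward(self, home, nas_packet):
        code, nas_id, length = struct.unpack("!BBH", nas_packet[:4])
        attrs = decode_attrs(nas_packet[20:length])
        proxied_id, self.next_id = self.next_id, (self.next_id + 1) % 256
        # Proxy-State carries the NAS's own id, as in the 'Proxy-State = "120"' line above.
        attrs.append((ATTR_PROXY_STATE, str(nas_id).encode()))
        auth = authenticator(code, proxied_id, b"\x00" * 16, attrs, self.home_secret)
        self.outstanding[(home, proxied_id)] = (nas_id, nas_packet[4:20], auth)
        return build_packet(code, proxied_id, auth, attrs)

    def handle_reply(self, home, reply):
        """Return (packet for the NAS, None) or (None, error text)."""
        code, proxied_id, length = struct.unpack("!BBH", reply[:4])
        entry = self.outstanding.get((home, proxied_id))
        if entry is None:
            return None, f"No request found for proxy reply from server {home} - ID {proxied_id}"
        nas_id, nas_auth, sent_auth = entry
        attrs = decode_attrs(reply[20:length])
        if reply[4:20] != authenticator(code, proxied_id, sent_auth, attrs, self.home_secret):
            return None, f"Invalid response signature from server {home} - check secret!"
        del self.outstanding[(home, proxied_id)]
        # Restore the NAS's id, strip our Proxy-State, re-sign with the NAS's secret.
        attrs = [a for a in attrs if a[0] != ATTR_PROXY_STATE]
        auth = authenticator(code, nas_id, nas_auth, attrs, self.nas_secret)
        return build_packet(code, nas_id, auth, attrs), None

def demo():
    nas_secret, home_secret = b"nas-secret", b"home-secret"  # constructed secrets
    proxy = Proxy(nas_secret, home_secret)
    attrs = [(ATTR_ACCT_SESSION_ID, b"3b7a0001")]            # constructed, after the log above
    nas_id = 120
    nas_auth = authenticator(ACCT_REQUEST, nas_id, b"\x00" * 16, attrs, nas_secret)
    nas_request = build_packet(ACCT_REQUEST, nas_id, nas_auth, attrs)
    forwarded = proxy.forward("Radius2", nas_request)
    home_reply = home_server_reply(forwarded, home_secret)
    to_nas, _ = proxy.handle_reply("Radius2", home_reply)
    return {
        "relayed": nas_check(to_nas, nas_id, nas_auth, nas_secret),
        # Same reply arriving a second time, after the entry is gone:
        "stale": proxy.handle_reply("Radius2", home_reply)[1],
        # Home server's reply passed to the NAS with the proxy's id still on it:
        "unmapped_id": nas_check(home_reply, nas_id, nas_auth, nas_secret),
        # Right id, but the NAS was configured with a different shared secret:
        "wrong_secret": nas_check(to_nas, nas_id, nas_auth, b"other-secret"),
    }
```

The outstanding table is also the "state" Chris Parker refers to in the load-balancing thread: whichever machine sent the proxied request is the only one that can match the reply, so a reply delivered to a different server behind a load balancer produces exactly the "No request found" message.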
ignore proxy from certain IP
I've read docs & mailing lists, and played with a test server, but I still cannot figure this out. How can I tell FR to not proxy an accounting packet if it came from a specific IP? I have added an entry into proxy.conf where the accthost is LOCAL, and set up an entry in acct_users to proxy to this fake realm. It matches the entry in the acct_users file, but still proxies to the accthost for the realm.

Here's what I have in my acct_users file:

    DEFAULT Client-IP-Address == "192.168.1.28", Replicate-To-Realm := "ignore"

In proxy.conf, I have:

    realm ignore {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        notrealm
        nostrip
    }

In radiusd.conf:

    preacct {
        preprocess
        files
        suffix
    }

The preprocess and suffix settings are unchanged. In the files module, I've set cistron compatibility. Is there a setting I can put in the acct_users file to basically skip the suffix realm checks? Can I reorder entries in radiusd.conf to get it to do this?

Thanks,
Kevin
accounting proxy question
I'm trying to get freeradius 0.6 to bypass the proxy settings and handle the packet locally if an accounting packet comes from a certain IP. Here's what I've got so far, but it still tries to proxy to the NULL realm accthost when I send an accounting packet. Any help would be appreciated.

Kevin

radiusd.conf:

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = cistron
    }
    ...
    preacct {
        files
        suffix
        preprocess
    }
    accounting {
        radutmp
    }

acct_users:

    DEFAULT Client-IP-Address == "192.168.1.12", Proxy-To-Realm := "ignore"

proxy.conf:

    realm ignore {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        notrealm
        nostrip
    }
    realm NULL {
        type = radius
        authhost = LOCAL
        accthost = 192.168.1.28:1646
        secret = simplekey
    }
Re: FreeRADIUS Proxy and MS IAS
Dimitar Peikov <[EMAIL PROTECTED]> wrote:
> Unfortunately I made the proxy request but only PAP authentication
> succeeds. When using CHAP the complaint is about a bad password!

Read the FAQ on CHAP versus PAP. The same issues apply to IAS.

Alan DeKok.
Re: FreeRADIUS Proxy and MS IAS
On Wed, 10 Jul 2002 12:25:31 -0400 "Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Dimitar Peikov <[EMAIL PROTECTED]> wrote:
> > In this case the NAS is MS RAS on 2k Server.
> >
> > This is the explanation of the error event 'A malformed request was received from
> > client . The data is the packet.'
>
> OK, it may be bugs in tunnelling code, which was fixed in 0.6. If
> you're running an earlier version, you should upgrade.
>
> Alan DeKok.

Unfortunately I made the proxy request but only PAP authentication succeeds. When using CHAP the complaint is about a bad password! As I see, CHAP-Challenge and CHAP-Password are the same (perhaps the secret key is the same, but the client differs). User 'mitko' is an 'ASP' domain member.

Event Viewer log:

    User mitko was denied access.
    Fully-Qualified-User-Name = ASP\mitko
    NAS-IP-Address = 192.168.202.163
    NAS-Identifier =
    Called-Station-Identifier =
    Calling-Station-Identifier = 192.168.202.114
    Client-Friendly-Name = 192.168.202.57
    Client-IP-Address = 192.168.202.57
    NAS-Port-Type = Virtual
    NAS-Port = 6
    Policy-Name =
    Authentication-Type =
    EAP-Type =
    Reason-Code = 16
    Reason = There was an authentication failure because of an unknown user name or a bad password.
FreeRADIUS log:

    rad_recv: Access-Request packet from host 192.168.202.163:4803, id=51, length=176
            NAS-IP-Address = 192.168.202.163
            Service-Type = Framed-User
            Framed-Protocol = PPP
            NAS-Port = 6
            MS-RAS-Vendor = 311
            MS-RAS-Version = "MSRASV5.00"
            NAS-Port-Type = Virtual
            Tunnel-Type:0 = PPTP
            Tunnel-Medium-Type:0 = IP
            Calling-Station-Id = "192.168.202.114"
            Tunnel-Client-Endpoint:0 = "192.168.202.114"
            User-Name = "mitko@ASP"
            CHAP-Challenge = ";\2108\244\203G\016\317\250\255m\342\256(\302\001"
            CHAP-Password = 0x007a52b3ed135b71ce9357b7d05589a781
    Sending Access-Request of id 7 to 192.168.202.163:1645
            User-Name = "mitko"
            NAS-IP-Address = 192.168.202.163
            Service-Type = Framed-User
            Framed-Protocol = PPP
            NAS-Port = 6
            MS-RAS-Vendor = 311
            MS-RAS-Version = "MSRASV5.00"
            NAS-Port-Type = Virtual
            Tunnel-Type:0 = PPTP
            Tunnel-Medium-Type:0 = IP
            Calling-Station-Id = "192.168.202.114"
            Tunnel-Client-Endpoint:0 = "192.168.202.114"
            CHAP-Challenge = ";\2108\244\203G\016\317\250\255m\342\256(\302\001"
            CHAP-Password = 0x007a52b3ed135b71ce9357b7d05589a781
            Proxy-State = "51"
    --- Walking the entire request list ---
    Waking up in 5 seconds...
    rad_recv: Access-Reject packet from host 192.168.202.163:1645, id=7, length=24
            Proxy-State = 0x3531

--
Dimitar Peikov
Programmer Analyst, Globalization Group
RILA Solutions, "We Build e-Business"
27 Building, Acad.G.Bonchev Str., 1113 Sofia, Bulgaria
phone: (+359 2) 9797320 / (+359 2) 9797300, fax: (+359 2) 9733355
http://www.rila.com
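Two properties of CHAP explain the "CHAP versus PAP" pointer in this thread. First, the home server can only verify a CHAP-Password if it has the user's cleartext password, so a backend that stores password hashes can pass PAP and still reject every CHAP attempt as a bad password. Second, when an Access-Request carries no CHAP-Challenge, RFC 2865 defines the challenge to be that packet's Request Authenticator; a proxy sends the forwarded request with a new Request Authenticator, so the challenge has to travel as an explicit CHAP-Challenge attribute (the forwarded packet in the log above does carry one). The block below is an added illustration written for this page, not FreeRADIUS or IAS code; the password, user name and authenticator bytes are constructed.

```python
import hashlib


def chap_response(chap_id, password, challenge):
    """CHAP-Password as a NAS builds it (RFC 2865 s.5.3): id || MD5(id || password || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def verify_chap(attrs, request_authenticator, cleartext_password):
    """Home-server check of a CHAP-Password.

    Needs the cleartext password: a server holding only password hashes cannot
    compute the expected digest. If CHAP-Challenge is absent, the challenge is the
    Request Authenticator of the Access-Request that carried the CHAP-Password.
    """
    chap_password = attrs["CHAP-Password"]
    challenge = attrs.get("CHAP-Challenge", request_authenticator)
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    return chap_password == expected


def proxy_forward(attrs, nas_request_authenticator):
    """Model of the proxy step: the proxied Access-Request gets a new Request
    Authenticator, so the challenge implicit in the NAS's packet is made explicit
    as CHAP-Challenge before forwarding. Returns the attributes to forward."""
    forwarded = dict(attrs)
    forwarded.setdefault("CHAP-Challenge", nas_request_authenticator)
    return forwarded


def demo():
    password = b"s3cret"                  # constructed cleartext password
    nas_auth = bytes(range(16))           # constructed Request Authenticator from the NAS
    proxy_auth = bytes(range(16, 32))     # constructed Request Authenticator used by the proxy
    attrs = {"User-Name": b"mitko", "CHAP-Password": chap_response(0, password, nas_auth)}
    forwarded = proxy_forward(attrs, nas_auth)
    return {
        # NAS -> home server directly: the challenge is the NAS's own authenticator.
        "direct": verify_chap(attrs, nas_auth, password),
        # Forwarded without CHAP-Challenge: the home server derives the wrong challenge.
        "proxied_no_challenge": verify_chap(attrs, proxy_auth, password),
        # Forwarded with CHAP-Challenge added: verifiable again.
        "proxied_with_challenge": verify_chap(forwarded, proxy_auth, password),
        # Right challenge, but the home server holds a different password.
        "wrong_password": verify_chap(forwarded, proxy_auth, b"other"),
    }
```

Note that nothing in the check depends on the shared secret: a CHAP failure reported as "bad password" is a password or challenge mismatch, not a secret mismatch, which is what distinguishes it from the "check secret" warnings in the accounting thread above.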
Re: FreeRADIUS Proxy and MS IAS
Dimitar Peikov <[EMAIL PROTECTED]> wrote:
> In this case the NAS is MS RAS on 2k Server.
>
> This is the explanation of the error event 'A malformed request was received from
> client . The data is the packet.'

OK, it may be bugs in tunnelling code, which was fixed in 0.6. If you're running an earlier version, you should upgrade.

Alan DeKok.
Re: FreeRADIUS Proxy and MS IAS
On Wed, 10 Jul 2002 12:00:18 -0400 "Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Dimitar Peikov <[EMAIL PROTECTED]> wrote:
> > If I point directly from NAS to either FreeRADIUS or MS IAS
> > authentication goes alright but when I try to proxy MS IAS via
> > FreeRADIUS I get errors on MS Event viewer.
>
> Which are...?
>
> Alan DeKok.

In this case the NAS is MS RAS on 2k Server.

This is the explanation of the error event 'A malformed request was received from client . The data is the packet.':

    0000: 01 02 00 de 98 a2 95 68
    0008: a3 97 e3 ae 06 c3 0a 42
    0010: 0b d8 74 bc 01 07 6d 69
    0018: 74 6b 6f 04 06 c0 a8 ca
    0020: a3 06 06 00 00 00 02 07
    0028: 06 00 00 00 01 05 06 00
    0030: 00 00 06 1a 0c 00 00 01
    0038: 37 09 06 00 00 01 37 1a
    0040: 12 00 00 01 37 12 0c 4d
    0048: 53 52 41 53 56 35 2e 30
    0050: 30 3d 06 00 00 00 05 40
    0058: 06 00 00 00 01 41 06 00
    0060: 00 00 01 1f 12 31 39 32
    0068: 2e 31 36 38 2e 32 30 32
    0070: 2e 31 31 34 00 42 13 31
    0078: 39 32 2e 31 36 38 2e 32
    0080: 30 32 2e 31 31 34 00 1a
    0088: 18 00 00 01 37 0b 12 59
    0090: 09 16 03 a3 41 a4 f8 9a
    0098: 7a c0 6f 5a 18 07 bf 1a
    00a0: 3a 00 00 01 37 19 34 00
    00a8: 00 20 b0 02 54 7f e1 b7
    00b0: 32 63 fc a4 8e 23 ca cd
    00b8: 6c 00 00 00 00 00 00 00
    00c0: 00 98 98 d9 06 11 36 60
    00c8: cf ab be 91 9e ed a5 1f
    00d0: b5 0a 32 02 48 49 69 35
    00d8: a0 21 04 34 31 00

--
Dimitar Peikov
Programmer Analyst, Globalization Group
RILA Solutions, "We Build e-Business"
27 Building, Acad.G.Bonchev Str., 1113 Sofia, Bulgaria
phone: (+359 2) 9797320 / (+359 2) 9797300, fax: (+359 2) 9733355
http://www.rila.com
Re: FreeRADIUS Proxy and MS IAS
Dimitar Peikov <[EMAIL PROTECTED]> wrote:
> If I point directly from NAS to either FreeRADIUS or MS IAS
> authentication goes alright but when I try to proxy MS IAS via
> FreeRADIUS I get errors on MS Event viewer.

Which are...?

Alan DeKok.
FreeRADIUS Proxy and MS IAS
Hi,

Did someone try to proxy to MS IAS on 2K Server? I've had bad success with that and need some help, or an example of this. If I point directly from the NAS to either FreeRADIUS or MS IAS, authentication goes alright, but when I try to proxy to MS IAS via FreeRADIUS I get errors in the MS Event viewer.

Any thoughts can be useful.

10x
--
Dimitar Peikov
Programmer Analyst, Globalization Group
RILA Solutions, "We Build e-Business"
27 Building, Acad.G.Bonchev Str., 1113 Sofia, Bulgaria
phone: (+359 2) 9797320 / (+359 2) 9797300, fax: (+359 2) 9733355
http://www.rila.com
Re: accounting on a proxy
At 10:59 AM 7/2/2002 +0100, [EMAIL PROTECTED] wrote:
>Hi,
>
>Is it possible to configure a Freeradius proxy to log details of
>accounting packets that it is proxying?

Yes. Simply add the appropriate module to the 'accounting' block of the server's config.

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc. -- WX *is* Wireless!
http://www.starnetwx.net  (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
accounting on a proxy
Hi,

Is it possible to configure a Freeradius proxy to log details of accounting packets that it is proxying?

thanks,
josh.

Josh Howlett, Networking and Digital Communications Group,
Information Systems & Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
Proxy Authentication Override
We have a proxied customer that uses DNIS as part of their authentication sequence; however, Qwest and UUNET do not supply DNIS as part of their tests. Is there a way to create a user [EMAIL PROTECTED] and have him locally authenticate against a users file while allowing everything else to proxy... or, asked a different way, can a failed proxied request get changed into a success via some manner? I already run access.deny and know how to turn a success into a failure, but my attempts at the reverse are not successful.
authorization after proxy access-accept (latest CVS)
Hi list,

I'm wondering how to make the sql authorization pass be ignored when my proxy access-request is accepted. Now, after a successful proxy accept, my sql authorization module tries to authorize the user once more:

    rad_recv: Access-Accept packet from host xx.xx.xx.xx:1812, id=12, length=63
            Framed-Protocol = PPP
            Idle-Timeout = 900
            Filter-Id = "pmr.100"
            Service-Type = 2
            Framed-Compression = Van-Jacobson-TCP-IP
            Session-Timeout = 86112
            Proxy-State = 0x3737
    modcall: entering group authorize
      modcall[authorize]: module "preprocess" returns ok
      rlm_realm: Proxy reply, or no user name. Ignoring.
      modcall[authorize]: module "suffix" returns noop
        users: Matched DEFAULT at 167
      modcall[authorize]: module "files" returns ok
    modcall: entering group redundant
    radius_xlat: 'some_username'
    sql_set_user: escaped user --> 'some_username'
    radius_xlat: 'select * from table'

Here is my conf:

    authorize {
        preprocess
        suffix
        files
        sql
    }
    authenticate {
        authtype PAP {
            pap
        }
    }

--
B.