Re: thread safety, conditional proxy

2003-02-17 Thread Dave Mason
Hi Allen,
responses below...

Alan DeKok wrote:

> Dave Mason <[EMAIL PROTECTED]> wrote:
> > 1) I am adding a new EAP type to freeradius v0.8.1.  It will need to
> > interact with a backend and wait for replies, so I would like each
> > authentication session to run in its own thread.
>
>   Why do you care?
>
>   As I've said before, the whole point of the modules is that they
> don't know, or care about process/threading issues.

Guess I missed where you said that.  If my application code doesn't know or care, something underneath needs to, so I still need to understand how it works.  I assumed that if I set the type to THREAD_SAFE that each session will run in its own thread.  Let me know if I'm wrong.  I can audit the EAP module as you mention.  If anybody else out there is using rlm_eap in a multithreaded system please let me know.

> > I notice in the module_t structure for RLM modules that the second
> > field, the type field, can be THREAD_SAFE or THREAD_UNSAFE.  In
> > particular, rlm_eap has this set to THREAD_UNSAFE.  Is this because
> > rlm_eap is indeed not thread safe, or is it because the implementors
> > simply chose not to use thread support with rlm_eap?
>
>   I don't know.  You'd have to look at the source code to be sure.
>
> > It seems risky to set this to THREAD_SAFE without knowing the whole
> > story.  What should I do to add thread support?
>
>   Nothing.  Modules don't *do* threading.
>
>   If you want to make the module thread-safe, then audit it, to be
> sure that every function it calls is thread-safe.  If that's true,
> then set the THREAD_SAFE flag in the module data structure.
>
> > 2) It's possible I may have a requirement to have Accounting-Requests
> > conditionally proxy forwarded.  That is, I could have an entry in
> > proxy.conf for the user's realm, and accthost set to some remote server.
> > Before forwarding the message, I would like to call some function which
> > would decide whether to forward the message as specified or drop it.
>
>   That's what the pre_proxy section is for.

Good deal.  At first I thought it might go in pre_accounting, but I gather that function is only for adjusting the data in the request, not for altering the routing.

I assume I control the proxy forwarding behavior by returning different codes from pre_proxy?  Do you know where I can find them?  Let me know if it's some other mechanism.

Regards,
Dave

> > It's also possible I might need to generate an accounting record
> > locally, in addition to forwarding.  In the same module_t structure, I
> > notice there is a pointer to a "pre-proxy" function.  Can this be used
> > to do what I described?
>
>   Yes.
>
>   Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: thread safety, conditional proxy

2003-02-16 Thread Alan DeKok
Dave Mason <[EMAIL PROTECTED]> wrote:
> 1) I am adding a new EAP type to freeradius v0.8.1.  It will need to 
> interact with a backend and wait for replies, so I would like each 
> authentication session to run in its own thread.

  Why do you care?

  As I've said before, the whole point of the modules is that they
don't know, or care about process/threading issues.

> I notice in the module_t structure for RLM modules that the second
> field, the type field, can be THREAD_SAFE or THREAD_UNSAFE.  In
> particular, rlm_eap has this set to THREAD_UNSAFE.  Is this because
> rlm_eap is indeed not thread safe, or is it because the implementors
> simply chose not to use thread support with rlm_eap?

  I don't know.  You'd have to look at the source code to be sure.

> It seems risky to set this to THREAD_SAFE without knowing the whole
> story.  What should I do to add thread support?

  Nothing.  Modules don't *do* threading.

  If you want to make the module thread-safe, then audit it, to be
sure that every function it calls is thread-safe.  If that's true,
then set the THREAD_SAFE flag in the module data structure.

> 2) It's possible I may have a requirement to have Accounting-Requests 
> conditionally proxy forwarded.  That is, I could have an entry in 
> proxy.conf for the user's realm, and accthost set to some remote server. 
>  Before forwarding the message, I would like to call some function which 
> would decide whether to forward the message as specified or drop it. 

  That's what the pre_proxy section is for.

>  It's also possible I might need to generate an accounting record 
> locally, in addition to forwarding.  In the same module_t structure, I 
> notice there is a pointer to a "pre-proxy" function.  Can this be used 
> to do what I described?

  Yes.

  Alan DeKok.
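
What such an audit looks for, as an added example (not FreeRADIUS code and not part of the posts above): helper functions that keep hidden static state. All function names and the sample User-Name values are hypothetical; the interleaving of two requests is simulated in one thread so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; none of this is FreeRADIUS code.
 * The User-Name and attribute strings are constructed sample values. */

/* Hazard 1: the result lives in one static buffer shared by all callers. */
const char *realm_unsafe(const char *user_name)
{
    static char buf[64];
    const char *at = strrchr(user_name, '@');
    snprintf(buf, sizeof(buf), "%s", at ? at + 1 : "");
    return buf;
}

/* Re-entrant form: the caller owns the storage. Returns 0, or -1 if too small. */
int realm_r(const char *user_name, char *out, size_t outlen)
{
    const char *at = strrchr(user_name, '@');
    const char *realm = at ? at + 1 : "";
    size_t n = strlen(realm);
    if (n >= outlen)
        return -1;
    memcpy(out, realm, n + 1);
    return 0;
}

/* Request A looks up its realm; request B runs before A uses the result.
 * Returns 1 when A's pointer now reads B's realm. */
int unsafe_lookup_clobbered(void)
{
    const char *a = realm_unsafe("nw@myrealm");
    realm_unsafe("bob@test1.vpdn");
    return strcmp(a, "test1.vpdn") == 0;
}

/* Same sequence with caller-owned buffers. Returns 1 when both are intact. */
int reentrant_lookup_intact(void)
{
    char a[64], b[64];
    if (realm_r("nw@myrealm", a, sizeof(a)) != 0) return 0;
    if (realm_r("bob@test1.vpdn", b, sizeof(b)) != 0) return 0;
    return strcmp(a, "myrealm") == 0 && strcmp(b, "test1.vpdn") == 0;
}

/* Hazard 2: strtok() keeps its scan position in hidden global state. */
int split_user_unsafe(void)
{
    char name[] = "nw@myrealm";
    char *p;
    int n = 0;
    for (p = strtok(name, "@"); p != NULL; p = strtok(NULL, "@"))
        n++;
    return n;
}

/* Counts attributes while another strtok() user runs in between; the
 * outer scan position is lost, so the loop stops early. */
int count_attrs_unsafe(void)
{
    char list[] = "Service-Type,Framed-Protocol,User-Name";
    char *a;
    int n = 0;
    for (a = strtok(list, ","); a != NULL; a = strtok(NULL, ",")) {
        n++;
        split_user_unsafe();   /* stands in for a second request */
    }
    return n;
}

/* Re-entrant tokenizer: the cursor is the caller's variable
 * (the same idea as POSIX strtok_r()). */
char *next_tok(char **cursor, const char *sep)
{
    char *s = *cursor + strspn(*cursor, sep);
    char *end;
    if (*s == '\0') { *cursor = s; return NULL; }
    end = s + strcspn(s, sep);
    if (*end != '\0') *end++ = '\0';
    *cursor = end;
    return s;
}

int split_user_r(void)
{
    char name[] = "nw@myrealm";
    char *cur = name;
    int n = 0;
    while (next_tok(&cur, "@") != NULL) n++;
    return n;
}

int count_attrs_r(void)
{
    char list[] = "Service-Type,Framed-Protocol,User-Name";
    char *cur = list;
    int n = 0;
    while (next_tok(&cur, ",") != NULL) { n++; split_user_r(); }
    return n;
}

int main(void)
{
    printf("static buffer clobbered: %d\n", unsafe_lookup_clobbered());
    printf("caller buffers intact:   %d\n", reentrant_lookup_intact());
    printf("attrs seen via strtok:   %d\n", count_attrs_unsafe());
    printf("attrs seen re-entrantly: %d\n", count_attrs_r());
    return 0;
}
```
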




thread safety, conditional proxy

2003-02-14 Thread Dave Mason
Hi,
Just a couple of quick questions...

1) I am adding a new EAP type to freeradius v0.8.1.  It will need to 
interact with a backend and wait for replies, so I would like each 
authentication session to run in its own thread.  I notice in the 
module_t structure for RLM modules that the second field, the type 
field, can be THREAD_SAFE or THREAD_UNSAFE.  In particular, rlm_eap has 
this set to THREAD_UNSAFE.  Is this because rlm_eap is indeed not thread 
safe, or is it because the implementors simply chose not to use thread 
support with rlm_eap?  It seems risky to set this to THREAD_SAFE without 
knowing the whole story.  What should I do to add thread support?

2) It's possible I may have a requirement to have Accounting-Requests 
conditionally proxy forwarded.  That is, I could have an entry in 
proxy.conf for the user's realm, and accthost set to some remote server. 
Before forwarding the message, I would like to call some function which 
would decide whether to forward the message as specified or drop it. 
It's also possible I might need to generate an accounting record 
locally, in addition to forwarding.  In the same module_t structure, I 
notice there is a pointer to a "pre-proxy" function.  Can this be used 
to do what I described?  If not, is there a way?

Regards,
Dave






Proxy Radius using MySql

2003-02-11 Thread QCI Internet
I sent this to the list last month, but got no response. I am trying to use
mysql for proxy radius instead of the user file. Can anyone shed some light
on how to enter the following into radcheck/radgroupcheck and
radreply/radgroupreply.

DEFAULT Called-Station-ID =~ "8005551212", Proxy-To-Realm:= "MyRealm"
Fall-Through = No

If I just set it up as DEFAULT user under radreply, it will proxy everyone.
I can't enter user names because the whole reason for doing this is to proxy
based on dnis and not user name. I don't know the user names.


Jeff Jarchow
QCI Internet
http://www.qcinet.net/







Re: proxy cancelled

2003-01-21 Thread Alan DeKok
Norbert Wegener <[EMAIL PROTECTED]> wrote:
> I start my freeradius 0.8.1 with /usr/local/sbin/radiusd -i 127.0.0.1 -p 
> 1812 -sfX
> and have problems to get proxyauthentication working. Without the realm 
> everything works as expected.
...
> proxy.conf(only the Configuration for the proxy realms, above no changes)
> 
> realm myrealm {
>  type= radius
>  authhost= LOCAL
>  accthost= LOCAL
>  strip
> }

  Nothing will ever be proxied with this configuration.  The LOCAL
realm is never proxied.

  See the comments in the 'proxy.conf' file shipped with the server.

> rlm_realm:  Authentication realm is LOCAL.
> rlm_realm:  auth_port is not set.  proxy cancelled
> 
> Where do I have to set an auth_port ?

  You don't.  That error message is gone in the CVS head.

  Alan DeKok.






Re: proxy cancelled

2003-01-21 Thread Chris Brotsos
Norbert,

At 03:23 PM 1/21/2003 +0100, you wrote:

> I start my freeradius 0.8.1 with /usr/local/sbin/radiusd -i 127.0.0.1 -p
> 1812 -sfX
> and have problems to get proxyauthentication working. Without the realm
> everything works as expected.
> proxy_requests  = yes in radiusd.conf
>
> here is my minimal users file:
>
> users:
> nw@myrealm Auth-Type := Local,  User-Password == "testing"
> Service-Type = Framed-User,
> Framed-IP-Address = 172.16.3.33,
> Framed-Protocol = PPP
>
> proxy.conf(only the Configuration for the proxy realms, above no changes)
>
> realm myrealm {
> type= radius
> authhost= LOCAL
> accthost= LOCAL
> strip
> }

Just a note, you do not need the 'strip' token...it is the default. 
Actually, the way you have the 'users' file set up...you would want 'nostrip'.

> I get the following:
>
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
> 1814/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:1043, id=45, length=94
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "nw@myrealm"
> CHAP-Challenge =
> "\207\234\202\201q(\350V\361\371e\206\024\004\277@\t"
> CHAP-Password = 0x011cf65cb5691e1c9ad695579e01810184
> NAS-IP-Address = 123.123.123.123
> NAS-Port = 0
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Adding Auth-Type = CHAP
>   modcall[authorize]: module "chap" returns ok
>   modcall[authorize]: module "mschap" returns notfound
> rlm_realm: Looking up realm myrealm for User-Name = "nw@myrealm"
> rlm_realm: Found realm myrealm
> rlm_realm: Adding Stripped-User-Name = "nw"
>   rlm_realm: Proxying request from user nw to realm myrealm
> rlm_realm: Adding Realm = "myrealm"
> rlm_realm:  Authentication realm is LOCAL.
> rlm_realm:  auth_port is not set.  proxy cancelled
>
> Where do I have to set an auth_port ?

You do not have to set the auth port, that is just debug output. If you are 
receiving a reject, try adding nostrip to your proxy.conf entry. See 
/path/to/src/radiusd/raddb/proxy.conf

Chris





proxy cancelled

2003-01-21 Thread Norbert Wegener
I start my freeradius 0.8.1 with /usr/local/sbin/radiusd -i 127.0.0.1 -p 
1812 -sfX
and have problems to get proxyauthentication working. Without the realm 
everything works as expected.
proxy_requests  = yes in radiusd.conf

here is my minimal users file:

users:
nw@myrealm Auth-Type := Local,  User-Password == "testing"
Service-Type = Framed-User,
Framed-IP-Address = 172.16.3.33,
Framed-Protocol = PPP

proxy.conf(only the Configuration for the proxy realms, above no changes)

realm myrealm {
type= radius
authhost= LOCAL
accthost= LOCAL
strip
}

I get the following:

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 
1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1043, id=45, length=94
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "nw@myrealm"
CHAP-Challenge = 
"\207\234\202\201q(\350V\361\371e\206\024\004\277@\t"
CHAP-Password = 0x011cf65cb5691e1c9ad695579e01810184
NAS-IP-Address = 123.123.123.123
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Adding Auth-Type = CHAP
  modcall[authorize]: module "chap" returns ok
  modcall[authorize]: module "mschap" returns notfound
rlm_realm: Looking up realm myrealm for User-Name = "nw@myrealm"
rlm_realm: Found realm myrealm
rlm_realm: Adding Stripped-User-Name = "nw"
  rlm_realm: Proxying request from user nw to realm myrealm
rlm_realm: Adding Realm = "myrealm"
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled

Where do I have to set an auth_port ?

Thanks
Norbert Wegener

--
Norbert WegenerPhone:(49)2012661379 Fax:(49)2012661377
SBS Essen,Germany  Mail: [EMAIL PROTECTED] 	Mailfax:(49)2018165521379




Re: proxy & access-accept

2003-01-14 Thread Darren Nay
Very cool!  Thanks for the info.

I will be doing some upgrades to our radius servers this week or next and
may mess with this a bit.  I am actually using exec-program-wait and have
had some problems with resource usage because the perl interpreter must be
loaded every time the script is run.  This may be a solution.

Thanks,

Darren Nay

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 14, 2003 12:44 PM
Subject: Re: proxy & access-accept


> "Darren Nay" <[EMAIL PROTECTED]> wrote:
> > Are there any docs available for the perl module?
>
>   No.  See 'raddb/experimental.conf' for a configuration example, and
> 'src/modules/rlm_perl/example.pl' for an example script.  (in the CVS
> head, not in 0.8.1)
>
> > I am currently using exec-program with perl scripts for auth/acct, but am
> > interested in using rlm_perl instead.
>
>   Yeah, the Perl module should be a little more powerful.  The only
> caveat is that the module is equivalent to Exec-Program-Wait, in that
> it stalls the server until the script finished.  If you're looking for
> 'fire and forget' perl scripts, then Exec-Program may still be your
> best bet.
>
> > Just wondering if any are already available.  If not then I'll take
> > the good 'ol trial & error method.. and possibly even write up some
> > docs myself in the future.
>
>   Sounds good to me.
>
>   Alan DeKok.
>





Re: proxy & access-accept

2003-01-14 Thread Alan DeKok
"Darren Nay" <[EMAIL PROTECTED]> wrote:
> Are there any docs available for the perl module?

  No.  See 'raddb/experimental.conf' for a configuration example, and
'src/modules/rlm_perl/example.pl' for an example script.  (in the CVS
head, not in 0.8.1)

> I am currently using exec-program with perl scripts for auth/acct, but am
> interested in using rlm_perl instead.

  Yeah, the Perl module should be a little more powerful.  The only
caveat is that the module is equivalent to Exec-Program-Wait, in that
it stalls the server until the script finished.  If you're looking for
'fire and forget' perl scripts, then Exec-Program may still be your
best bet.

> Just wondering if any are already available.  If not then I'll take
> the good 'ol trial & error method.. and possibly even write up some
> docs myself in the future.

  Sounds good to me.

  Alan DeKok.




Re: proxy & access-accept

2003-01-14 Thread Darren Nay
>   I've been intending to write rlm_exec for a while.  It should have a
> 'post-auth' section which takes over the functionality of
> Exec-Program-Wait.
>
>   But integrating it with the server core and threads is annoying.
> For the short term, you could try using the Perl module.  It's really
> nice.
>

Are there any docs available for the perl module?

I am currently using exec-program with perl scripts for auth/acct, but am
interested in using rlm_perl instead.  I checked the /docs directory on the
www.freeradius.org website but saw no docs for this.  Just wondering if any
are already available.  If not then I'll take the good 'ol trial & error
method.. and possibly even write up some docs myself in the future.

Thanks,

Darren Nay





Re: proxy & access-accept

2003-01-14 Thread Josh Howlett
On Tue, 2003-01-14 at 16:37, Alan DeKok wrote:
>   I've been intending to write rlm_exec for a while.  It should have a
> 'post-auth' section which takes over the functionality of
> Exec-Program-Wait.
> 
>   But integrating it with the server core and threads is annoying.
> For the short term, you could try using the Perl module.  It's really
> nice.

Glad to hear - this would be great.

I have looked at the perl module - the problem is that I am working on
an embedded implementation where space is limited...so I would far
rather use Bash rather than squeeze a Perl interpreter in as well.

We may be prepared to consider sponsoring the development of an
'rlm_exec' module (depending on the price) - any takers?

josh.

-- 
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

---





Re: proxy & access-accept

2003-01-14 Thread Alan DeKok
Josh Howlett <[EMAIL PROTECTED]> wrote:
> It seems to me that Freeradius could do with a more flexible/extensible
> approach to calling external scripts/executables - is this a reasonable
> comment?  

  Oh, yes.

> Would it be best to write a new module for handling external scripts to
> manage the situations where the existing mechanisms (Exec-Program, etc)
> aren't sufficient (or even to replace them)?

  I've been intending to write rlm_exec for a while.  It should have a
'post-auth' section which takes over the functionality of
Exec-Program-Wait.

  But integrating it with the server core and threads is annoying.
For the short term, you could try using the Perl module.  It's really
nice.

  Alan DeKok.




Re: proxy & access-accept

2003-01-14 Thread Chris Parker
At 01:03 PM 1/14/2003 +, Josh Howlett wrote:

> Hi all,
>
> I'd like to run a script when an Access-Accept is proxied through a
> Freeradius proxy server (ie. in the same way that you can run a script
> (through acct_users) when accounting Stop/Start packets are proxied)
>
> Is this possible at all?


Yes, two new 'methods' were recently added:

'post-auth' and 'post-proxy' in addition to the 'authorize,authenticate,etc.'

Not all modules have been updated with hooks for this yet.  We are
using a modified 'rlm_files' to add a 'postproxy_usersfile' hook.  It
is fairly trivial to add, simply look at how the 'preproxy_usersfile' hook
is added.

Hope this helps,
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: proxy & access-accept

2003-01-14 Thread Josh Howlett
Thanks.

From a cursory glance at the source, there don't seem to be many modules
that support this method - and none of those that do support it have
anything to do with running external scripts/executables.

It seems to me that Freeradius could do with a more flexible/extensible
approach to calling external scripts/executables - is this a reasonable
comment?  

Would it be best to write a new module for handling external scripts to
manage the situations where the existing mechanisms (Exec-Program, etc)
aren't sufficient (or even to replace them)?

josh.

On Tue, 2003-01-14 at 14:13, Mike Varley wrote:
> Look into the 'post_auth' functionality. Essentially, after any
> authorization, modules listed in the post_auth {} section of the
> radiusd.conf file get run, and they must have a method associated with
> the post_authorization hook in the module structure.
> 
> Hope that helps. I can provide more detail if you're interested; not sure
> how this will hook up to scripts.
> 
> MV
> 
> On Tue, 2003-01-14 at 08:03, Josh Howlett wrote:
> > Hi all,
> > 
> > I'd like to run a script when an Access-Accept is proxied through a
> > Freeradius proxy server (ie. in the same way that you can run a script
> > (through acct_users) when accounting Stop/Start packets are proxied)
> > 
> > Is this possible at all?
> > 
> > thanks, josh.
> > 
> > -- 
> > ---
> > Josh Howlett, Networking & Digital Communications,
> > Information Systems & Computing, University of Bristol, U.K.
> > 'phone: 0117 928 7850 email: [EMAIL PROTECTED]
> > 
> > ---
> > 
> > 
-- 
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

---





Re: proxy & access-accept

2003-01-14 Thread Mike Varley
Look into the 'post_auth' functionality. Essentially, after any
authorization, modules listed in the post_auth {} section of the
radiusd.conf file get run, and they must have a method associated with
the post_authorization hook in the module structure.

Hope that helps. I can provide more detail if you're interested; not sure
how this will hook up to scripts.

MV

On Tue, 2003-01-14 at 08:03, Josh Howlett wrote:
> Hi all,
> 
> I'd like to run a script when an Access-Accept is proxied through a
> Freeradius proxy server (ie. in the same way that you can run a script
> (through acct_users) when accounting Stop/Start packets are proxied)
> 
> Is this possible at all?
> 
> thanks, josh.
> 
> -- 
> ---
> Josh Howlett, Networking & Digital Communications,
> Information Systems & Computing, University of Bristol, U.K.
> 'phone: 0117 928 7850 email: [EMAIL PROTECTED]
> 
> ---
> 
> 
-- 
~~~
Mike Varley -= SOMA Networks =-
Tel: 416.977.1414   x1578
email: [EMAIL PROTECTED]





proxy & access-accept

2003-01-14 Thread Josh Howlett
Hi all,

I'd like to run a script when an Access-Accept is proxied through a
Freeradius proxy server (ie. in the same way that you can run a script
(through acct_users) when accounting Stop/Start packets are proxied)

Is this possible at all?

thanks, josh.

-- 
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

---





Re: Proxy using SQL

2003-01-08 Thread QCI Internet
Anyone have any recommendations as to how to put this in. It is kind of like
an if/then clause, so I am not sure how to do it. Because if I just put in
something like:

[UserName][Attribute]   [Value]
DEFAULT  Proxy-To-Realmabcrealm

It will proxy all users to this realm.



> "QCI Internet" <[EMAIL PROTECTED]> wrote:
> > I have proxy setup and running using key/value pairs just like described on
> > a previous post like below:
> >
> > >> DEFAULT Called-Station-ID =~ ".{6}", Proxy-To-Realm:= "abcrealm"
> > >> Fall-Through = Yes
> >
> > My question is, is this possible using rlm_sql instead of rlm_files?
>
>   I believe so.  The SQL configuration mirrors what the 'files' module
> does.
>
>   Alan DeKok.
>





Re: Proxy using SQL

2003-01-08 Thread Alan DeKok
"QCI Internet" <[EMAIL PROTECTED]> wrote:
> I have proxy setup and running using key/value pairs just like described on
> a previous post like below:
> 
> >> DEFAULT Called-Station-ID =~ ".{6}", Proxy-To-Realm:= "abcrealm"
> >> Fall-Through = Yes
> 
> My question is, is this possible using rlm_sql instead of rlm_files?

  I believe so.  The SQL configuration mirrors what the 'files' module
does.

  Alan DeKok.




Proxy using SQL

2003-01-08 Thread QCI Internet
I have proxy setup and running using key/value pairs just like described on
a previous post like below:

>> DEFAULT Called-Station-ID =~ ".{6}0000", Proxy-To-Realm:= "abcrealm"
>> Fall-Through = Yes

My question is, is this possible using rlm_sql instead of rlm_files?





Re: can i set attribute after the proxy server authenticated the user information?

2002-12-23 Thread Alan DeKok
Huang Zhong <[EMAIL PROTECTED]> wrote:
> I added the following lines in the config file "hints"
...

> now, the result is:
> the customer's radius server successfully
> authenticated the request from freeradius server, but
> i lose the attributes added in the file "hints".

  I'll bet money it's because you don't have a 'Hints == "PPP"' entry
in the 'users' file.  See how the distributed file uses hints...

  Alan DeKok.




Re: can i set attribute after the proxy server authenticated the user information?

2002-12-23 Thread Chris Brotsos
At 11:07 PM 12/22/2002 -0800, you wrote:

> I've downloaded freeradius0.8.1 and installed it on a
> FreeBSD 4.4 pc.
>
> I added the following lines in the config file "hints"
>
> DEFAULT Suffix = "@test1.vpdn", Strip-User-Name = No
> Hint = "PPP",
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> cisco-avpair = "lcp:interface-config=ip vrf
> forwarding vrf1\\n ip unnumbered loopback1\\n peer
> default ip address pool vpn1"
>
> # the last line is a set of command for the cisco
> router as NAS
>
> lines in proxy.conf
>
> realm test1.vpdn {
> type= radius
> authhost= 211.xx.xx.93:1812
> accthost= 211.xx.xx.93:1813
> secret  = WinRadius
> }
>
> # i don't want the radius server 211.xx.xx.93 to return
> any attributes about NAS because it belongs to our
> customer.
>
> now, the result is:
> the customer's radius server successfully
> authenticated the request from freeradius server, but
> i lose the attributes added in the file "hints".
>
> can i do anything to override the customer's radius's
> returned attributes?

See if rlm_attr_filter will do what you need.

Chris





can i set attribute after the proxy server authenticated the user information?

2002-12-22 Thread Huang Zhong
I've downloaded freeradius0.8.1 and installed it on a
FreeBSD 4.4 pc.

I added the following lines in the config file "hints"

DEFAULT Suffix = "@test1.vpdn", Strip-User-Name = No 
Hint = "PPP",
Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "lcp:interface-config=ip vrf
forwarding vrf1\\n ip unnumbered loopback1\\n peer
default ip address pool vpn1"

# the last line is a set of command for the cisco
router as NAS

lines in proxy.conf

realm test1.vpdn {
type= radius
authhost= 211.xx.xx.93:1812
accthost= 211.xx.xx.93:1813
secret  = WinRadius
} 

# i don't want the radius server 211.xx.xx.93 to return
any attributes about NAS because it belongs to our
customer.

now, the result is:
the customer's radius server successfully
authenticated the request from freeradius server, but
i lose the attributes added in the file "hints".

can i do anything to override the customer's radius's
returned attributes?

thank you all.





Re: IPv6 + Proxy...

2002-12-20 Thread Simon White
20-Dec-02 at 17:39, Tamer Demir ([EMAIL PROTECTED]) wrote :
> At 05:23 PM 12/20/2002, you wrote:
> >20-Dec-02 at 17:23, Tamer Demir ([EMAIL PROTECTED]) wrote :
> >> I know it looks strange but, In an scenario like this: you are a big
> >> company and you have a contract with many smaller companies with their own
> >> realms. The users which are in this small companies may connect to the
> >> Internet by using other small companies' NASes. And in order to solve the
> >> accounting conflict between the small companies the big company wants all
> >> the data about the authenticating users from all other small companies. Big
> >> company just will act as a referee.
> >>
> >> Is this somehow possible by using proxy option in FreeRADIUS, if yes how?
> >
> >Either all your radius servers are proxies to the big company's radius
> >server(s) or you use something like radrelay and just use the accounting
> >information (which contains the detail you need) you don't need the
> >actual packets that are sent to the user, just the accounting info.
> 
> Unfortunately, What if big company wants all the detailed informations and 
> also the small companies want all the detailed info too, like MAC address 
> of the users, the beginning and end time of the connection and the small 
> company name that the wireless user connected.

They get all that, have you looked at an accounting record?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: IPv6 + Proxy...

2002-12-20 Thread Alan DeKok
Tamer Demir <[EMAIL PROTECTED]> wrote:
> >   What do you mean by that?
> 
> I mean, can FreeRADIUS understand the authentication packets that comes 
> from a client that has an IPv6 IP address(128)? Since we are planning to 
> use RADIUS in an IPv6 Testbed to authenticate the users.

  And I answered that in my previous message, in text you deleted.

> In an scenario like this: you are a big 
> company and you have a contract with many smaller companies with their own 
> realms. The users which are in this small companies may connect to the 
> Internet by using other small companies' NASes. And in order to solve the 
> accounting conflict between the small companies the big company wants all 
> the data about the authenticating users from all other small companies. Big 
> company just will act as a referee.
> 
> Is this somehow possible by using proxy option in FreeRADIUS, if yes how?

  No.  Use radrelay.

  Alan DeKok.




Re: IPv6 + Proxy...

2002-12-20 Thread Tamer Demir
At 05:23 PM 12/20/2002, you wrote:

> 20-Dec-02 at 17:23, Tamer Demir ([EMAIL PROTECTED]) wrote :
> > I know it looks strange but, In an scenario like this: you are a big
> > company and you have a contract with many smaller companies with their own
> > realms. The users which are in this small companies may connect to the
> > Internet by using other small companies' NASes. And in order to solve the
> > accounting conflict between the small companies the big company wants all
> > the data about the authenticating users from all other small companies. Big
> > company just will act as a referee.
> >
> > Is this somehow possible by using proxy option in FreeRADIUS, if yes how?
>
> Either all your radius servers are proxies to the big company's radius
> server(s) or you use something like radrelay and just use the accounting
> information (which contains the detail you need) you don't need the
> actual packets that are sent to the user, just the accounting info.

Unfortunately, What if big company wants all the detailed informations and 
also the small companies want all the detailed info too, like MAC address 
of the users, the beginning and end time of the connection and the small 
company name that the wireless user connected.

Tamer




Re: IPv6 + Proxy...

2002-12-20 Thread Tamer Demir
At 04:05 PM 12/20/2002, you wrote:

> Tamer Demir <[EMAIL PROTECTED]> wrote:
> > Is FreeRADIUS  IPv6 compatible?
>
>   What do you mean by that?

I mean, can FreeRADIUS understand the authentication packets that comes 
from a client that has an IPv6 IP address(128)? Since we are planning to 
use RADIUS in an IPv6 Testbed to authenticate the users.

> > And, after the authentication of the user I want to send (proxy) the
> > authentication packets to another FreeRADIUS server, How can I do
> > that?
>
>   Why?


I know it looks strange but, in a scenario like this: you are a big 
company and you have a contract with many smaller companies with their own 
realms. The users which are in these small companies may connect to the 
Internet by using other small companies' NASes. And in order to solve the 
accounting conflict between the small companies the big company wants all 
the data about the authenticating users from all other small companies. Big 
company just will act as a referee.

Is this somehow possible by using proxy option in FreeRADIUS, if yes how?

Thanks a lot,

Tamer





Re: IPv6 + Proxy...

2002-12-20 Thread Simon White
20-Dec-02 at 17:23, Tamer Demir ([EMAIL PROTECTED]) wrote :
> I know it looks strange but, in a scenario like this: you are a big 
> company and you have a contract with many smaller companies with their own 
> realms. The users which are in these small companies may connect to the 
> Internet by using other small companies' NASes. And in order to solve the 
> accounting conflict between the small companies the big company wants all 
> the data about the authenticating users from all other small companies. Big 
> company just will act as a referee.
> 
> Is this somehow possible by using proxy option in FreeRADIUS, if yes how?

Either all your radius servers are proxies to the big company's radius
server(s) or you use something like radrelay and just use the accounting
information (which contains the detail you need) you don't need the
actual packets that are sent to the user, just the accounting info.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: IPv6 + Proxy...

2002-12-20 Thread Alan DeKok
Tamer Demir <[EMAIL PROTECTED]> wrote:
> Is FreeRADIUS  IPv6 compatible?

  What do you mean by that?

  Does FreeRADIUS send/receive packets on IPv6 interfaces?  No.

  Does FreeRADIUS send/receive radius packets which contain ipv6
configuration attributes?  Sort of.

  As always, patches are welcome.

> And, after the authentication of the user I want to send (proxy) the 
> authentication packets to another FreeRADIUS server, How can I do
> that?

  Why?

  Alan DeKok.




IPv6 + Proxy...

2002-12-20 Thread Tamer Demir
Hello,

Is FreeRADIUS  IPv6 compatible?

And, after the authentication of the user I want to send (proxy) the 
authentication packets to another FreeRADIUS server, How can I do that? It 
is like proxying the packets to 2 other RADIUS server but one of them is 
its own.

Regards,
Tamer




Re: Proxy Config Using Auth Attributes

2002-12-10 Thread Chris Brotsos
At 05:42 PM 12/9/2002 -0500, you wrote:

Is it possible to set up proxy radius not based so much on realms but based
on Key/Value pairs in the authentication packets? For example, I have many
resellers and I need to be able to proxy requests based on DNIS
(CalledStationID) or even just the last 4 digits of the DNIS.


Keep the proxy.conf configuration the same. Add a Proxy-To-Realm attribute 
through DEFAULT profiles that use the DNIS as a check-item. This could be 
done, for example, through rlm_files or rlm_fastusers.


HTH,

Chris Brotsos





Proxy Config Using Auth Attributes

2002-12-09 Thread QCI Internet
Is it possible to set up proxy radius not based so much on realms but based
on Key/Value pairs in the authentication packets? For example, I have many
resellers and I need to be able to proxy requests based on DNIS
(CalledStationID) or even just the last 4 digits of the DNIS.





Proxy configurations

2002-12-05 Thread troy white
I am new to cistron. How do I set up my server to authenticate dial-in users using 
the command line? I use a PuTTY interface. 

Troy J. White
C.E.O.
D.A. JAZ Internet Technologies
727-321-8899
Powered by Verizon




Re: proxy configuration

2002-12-05 Thread Alan DeKok
maximo <[EMAIL PROTECTED]> wrote:
> I am trying to configure my radius server as proxy, but I don't 
> know if it is possible to write the "tacacs+" value in the type option of the 
> proxy.conf file. This is because we are in a transition process and we 
> need to authenticate any number of users with tacacs+ and other ones 
> with radius servers. Is there any way to do it?

  See 'tac2rad', somewhere on the net.

  FreeRADIUS doesn't do TACACS+, and will never do TACACS+

  Alan DeKok.




proxy configuration

2002-12-05 Thread maximo
Hi, everybody.
I am trying to configure my radius server as proxy, but I don't 
know if it is possible to write the "tacacs+" value in the type option of the 
proxy.conf file. This is because we are in a transition process and we 
need to authenticate any number of users with tacacs+ and other ones 
with radius servers. Is there any way to do it?

Thank you




Re: Proxy Realms configuration

2002-12-02 Thread Alan DeKok
Mike Varley <[EMAIL PROTECTED]> wrote:
> Faster and more efficient as well. How often is proxy information going
> to change, really? And SIGHUPing FreeRADIUS is not a costly affair.

  If everything is going well, proxy information won't change that
often.

  If you want to have multiple fail-over realms, then the proxy
information changes on every proxied request.  The server has to keep
track of which realms are live, which aren't, and which was the last
realm it used (for round-robin).

> One solution we came up with was a compromise; changing proxy
> information in the Database could trigger a re-write of the realms file,
> and SIGHUP the FR server. The only problem here being that someone
> *could* inadvertently change only the realms file, SIGHUP the process,
> and be out of synch with the DB.

That's not a serious issue, in my opinion.

  Alan DeKok.




Re: Proxy Realms configuration

2002-12-02 Thread Mike Varley
On Mon, 2002-12-02 at 14:58, Alan DeKok wrote:
> Mike Varley <[EMAIL PROTECTED]> wrote:
> > I would like to use a database (SQL?) to manage my realms, instead of
> > the text files. The advantages are twofold: a unified repository for all
> > my user data (ISP, IP Pools, local usernames) and the other benefit is I
> > could add/remove realms w/o sending a SIGHUP to the radius proxy.
> 
>   That sounds reasonable.
> 
> > Before I go and change the core components within the freeradius
> > library, has anyone else implemented this type of system before, and
> > have a better solution? Can I get this kind of behaviour through
> > modules? (ie, do a DB lookup, and add the result to the local list if
> > its not already in the list etc...)
> 
>   No, not really.
> 
>   The server needs a bunch of information for realms.  Name, IP, port,
> secret, alive/dead status, etc.
> 
>   It's just easier if the server manages those lists itself
> internally, rather than doing DB calls all of the time.
> 

Faster and more efficient as well. How often is proxy information going
to change, really? And SIGHUPing FreeRADIUS is not a costly affair.

One solution we came up with was a compromise; changing proxy
information in the Database could trigger a re-write of the realms file,
and SIGHUP the FR server. The only problem here being that someone
*could* inadvertently change only the realms file, SIGHUP the process,
and be out of synch with the DB.

Hmmm


MV


-- 
~~~
Mike Varley -= SOMA Networks =-
Tel: 416.977.1414   x1578
email: [EMAIL PROTECTED]





Re: Proxy Realms configuration

2002-12-02 Thread Alan DeKok
Mike Varley <[EMAIL PROTECTED]> wrote:
> I would like to use a database (SQL?) to manage my realms, instead of
> the text files. The advantages are twofold: a unified repository for all
> my user data (ISP, IP Pools, local usernames) and the other benefit is I
> could add/remove realms w/o sending a SIGHUP to the radius proxy.

  That sounds reasonable.

> Before I go and change the core components within the freeradius
> library, has anyone else implemented this type of system before, and
> have a better solution? Can I get this kind of behaviour through
> modules? (ie, do a DB lookup, and add the result to the local list if
> its not already in the list etc...)

  No, not really.

  The server needs a bunch of information for realms.  Name, IP, port,
secret, alive/dead status, etc.

  It's just easier if the server manages those lists itself
internally, rather than doing DB calls all of the time.

  Alan DeKok.




Proxy Realms configuration

2002-12-02 Thread Mike Varley
Currently, FreeRADIUS uses text files to define realms for proxying
requests. The files are parsed and put into a list at startup, and then
the core libraries use this list during runtime to lookup realm
information when proxying requests.

I would like to use a database (SQL?) to manage my realms, instead of
the text files. The advantages are twofold: a unified repository for all
my user data (ISP, IP Pools, local usernames) and the other benefit is I
could add/remove realms w/o sending a SIGHUP to the radius proxy.

Before I go and change the core components within the freeradius
library, has anyone else implemented this type of system before, and
have a better solution? Can I get this kind of behaviour through
modules? (ie, do a DB lookup, and add the result to the local list if
its not already in the list etc...)

Thoughts and opinions are welcome.

Thank you!

MV

-- 
~~~
Mike Varley -= SOMA Networks =-
Tel: 416.977.1414   x1578
email: [EMAIL PROTECTED]





accounting acknowledgement & radius proxy

2002-11-29 Thread arise

hi guys,

i have the following setup:

cistron radius -> forwarding server (proxy)
freeradius -> remote server for certain realms + mysql accounting

i have thousands of users on the freeradius server which is proxied by
cistron radius. prior to upgrading to the current 0.8 release from the aug.
29 snapshot, accounting packets sent by the NASes were being acknowledged
by the remote server thru the proxy server (which i think, is the correct
behavior).

but right after the upgrade, it seems that all accounting
acknowledgments sent by the remote server were being delivered directly to
the NASes instead of the proxy. this results in voluminous complaints by
rlm_sql about 'duplicate entry' such as this one:

Error: rlm_sql: Couldn't insert SQL accounting STOP record - Duplicate
entry '7f93e019ee9b1b76' for key 1

i've already verified on the sql database that the accounting details have
been logged. i suspect that the NAS didn't get the acknowledgment from the
remote server, thus, it continues to resend the accounting packets.

any ideas? help is already appreciated.

regards,
ronald

--
[Never be afraid to try something new.
Remember, amateurs built the ark,
and professionals built the Titanic.]





Re: TACACS/PROXY gateway

2002-11-26 Thread Alan DeKok
"Ing. Carlos M. Martinez" <[EMAIL PROTECTED]> wrote:
> i have a fairly large all-Cisco equipment and we use freeRadius for
> accounting and user authentication (we used to have cistron, we migrated
> to FR 0.3 a while ago)

  Upgrade, PLEASE upgrade.

> Is there any way to proxy a tacacs request to a radius server in the
> free/open source software world ? There are commercial products that do
> this, but they're out the question.

  Miquel wrote 'tac2rad', I think.  He doesn't maintain it, but the
source is out there somewhere, and it pretty much works.

  Alan DeKok.




TACACS/PROXY gateway

2002-11-26 Thread Ing. Carlos M. Martinez

Hi,

i have a fairly large all-Cisco equipment and we use freeRadius for
accounting and user authentication (we used to have cistron, we migrated
to FR 0.3 a while ago)

Now i have these new very cheap cisco ADSL routers, the 805 and the 827
which only support TACACS/TACACS+.

Is there any way to proxy a tacacs request to a radius server in the
free/open source software world ? There are commercial products that do
this, but they're out the question.

regards,

Carlos


Ing. Carlos M. Martinez
Network Administrator
ADINET - ANTEL
Uruguay






Re: Fw: MySQL-Proxy-Exec-Program-Wait

2002-11-11 Thread Alan DeKok
"Mike Dain" <[EMAIL PROTECTED]> wrote:
> I've tried adding:
> 
> DEFAULT Exec-Program-Wait = "/shell/example"
> 
> to the users file.

What's the point of writing documentation (what little there
is), if it's not going to be read?  What's the point of adding
debugging, warning, and error messages to the server, if they're going
to be ignored?

  I don't know about 0.7, but the latest CVS has examples in
scripts/exec-program-wait of how to use it.

  What you posted here did NOT follow the example, and if you had run
the server in debugging mode, it would have complained that what you
did was wrong.

  Alan DeKok.




Re: Fw: MySQL-Proxy-Exec-Program-Wait

2002-11-11 Thread Mike Dain
I've tried adding:

DEFAULT Exec-Program-Wait = "/shell/example"

to the users file.  I also uncommented "files" in the "authorize" section of
radius.conf.  After restarting the radius server with these set (and the
example from /scripts/exec-program-wait) the example script is still not
being run.

So basically, I'm still trying to get an attribute to be used for every
user.  Everything else is SQL so I think that it might be skipping the users
file and going straight to SQL.

- Mike




- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 11, 2002 3:55 PM
Subject: Re: Fw: MySQL-Proxy-Exec-Program-Wait


> "Mike Dain" <[EMAIL PROTECTED]> wrote:
> > Now I'm trying to add in an Exec-Program-Wait script.  I don't care
> > if it only runs for proxy users or if it runs for everyone, I just
> > need to add in that attribute/value (Exec-Program-Wait/scriptname)
> > to everyone that logs in.  Can someone tell me how to add in
> > attributes that effect all users.
>
>   See 'scripts/exec-program-wait'.  It has examples.
>
> > The server doesn't use the "users" file or system at all (it only
> > authenticates using SQL).
>
>So add a 'users' file with nothing more than the DEFAULT
> statement, which does the Exec-Program-Wait.
>
>   Alan DeKok.
>





Re: Fw: MySQL-Proxy-Exec-Program-Wait

2002-11-11 Thread Alan DeKok
"Mike Dain" <[EMAIL PROTECTED]> wrote:
> Now I'm trying to add in an Exec-Program-Wait script.  I don't care
> if it only runs for proxy users or if it runs for everyone, I just
> need to add in that attribute/value (Exec-Program-Wait/scriptname)
> to everyone that logs in.  Can someone tell me how to add in
> attributes that effect all users.

  See 'scripts/exec-program-wait'.  It has examples.

> The server doesn't use the "users" file or system at all (it only
> authenticates using SQL).

   So add a 'users' file with nothing more than the DEFAULT
statement, which does the Exec-Program-Wait.

  Alan DeKok.




Fw: MySQL-Proxy-Exec-Program-Wait

2002-11-11 Thread Mike Dain
I didn't get any responses...so I'm trying again...  See message below.

- Mike


- Original Message -
From: "Mike Dain" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 06, 2002 1:12 PM
Subject: MySQL-Proxy-Exec-Program-Wait


> I'm using my server for both local authentication and proxy to another
> server.  I'm using MySQL for authentication/accounting.  I have all of the
> realms/secrets/etc. setup in the proxy.conf file, and everything seems to
> work ok.  Accounting shows up in the radacct table for all of it.
>
> Now I'm trying to add in an Exec-Program-Wait script.  I don't care if it
> only runs for proxy users or if it runs for everyone, I just need to add in
> that attribute/value (Exec-Program-Wait/scriptname) to everyone that logs
> in.  Can someone tell me how to add in attributes that effect all users.
>
> The server doesn't use the "users" file or system at all (it only
> authenticates using SQL).
>
> Any help would be greatly appreciated.
>
> Thanks,
> Mike
>





MySQL-Proxy-Exec-Program-Wait

2002-11-06 Thread Mike Dain
I'm using my server for both local authentication and proxy to another
server.  I'm using MySQL for authentication/accounting.  I have all of the
realms/secrets/etc. setup in the proxy.conf file, and everything seems to
work ok.  Accounting shows up in the radacct table for all of it.

Now I'm trying to add in an Exec-Program-Wait script.  I don't care if it
only runs for proxy users or if it runs for everyone, I just need to add in
that attribute/value (Exec-Program-Wait/scriptname) to everyone that logs
in.  Can someone tell me how to add in attributes that effect all users.

The server doesn't use the "users" file or system at all (it only
authenticates using SQL).

Any help would be greatly appreciated.

Thanks,
Mike





Re: proxy (preprocess?)

2002-11-04 Thread Mike Dain
Thanks!  It looks like that should work.  I'm going to write some scripts up
and see how it goes.  I'll let everyone know the results.

- Mike



- Original Message -
From: "Kevin Bonner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 04, 2002 3:26 PM
Subject: Re: proxy (preprocess?)


> Has anyone attempted this before?  I'm using MySQL & Freeradius.  After
> looking at lots of config files, etc. I think that a preprocess addition
> might work.  Does anyone know if the Realms/NAS tables work now?  I could
> also write a script to check account balances and remove the Realms entry
> if the account balance is negative (if the Realms table works now).

Read about Exec-Program-Wait in doc/README.  That would probably be your
easiest solution, just write a script to check the acct balance and exit with
the proper return status.

Kevin Bonner






Re: proxy (preprocess?)

2002-11-04 Thread Kevin Bonner
> Has anyone attempted this before?  I'm using MySQL & Freeradius.  After
> looking at lots of config files, etc. I think that a preprocess addition
> might work.  Does anyone know if the Realms/NAS tables work now?  I could
> also write a script to check account balances and remove the Realms entry
> if the account balance is negative (if the Realms table works now).

Read about Exec-Program-Wait in doc/README.  That would probably be your 
easiest solution, just write a script to check the acct balance and exit with 
the proper return status.

Kevin Bonner

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
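
A sketch of the kind of script Kevin's reply points to, added here as an illustration; it is not code from the thread or from the FreeRADIUS distribution. It assumes the server exports User-Name to the script as the USER_NAME environment variable, that exit status 0 lets the request continue while non-zero denies it, and that reseller balances sit in a table named resellers (hypothetical; an in-memory SQLite table with constructed rows stands in for MySQL so the example runs offline).

```python
#!/usr/bin/env python3
"""Reseller balance gate for an Exec-Program-Wait hook (illustrative)."""
import os
import re
import sqlite3
import sys

ALLOW, DENY = 0, 1

# The realm comes from User-Name, which the connecting user controls, so only
# a conservative hostname-like character set is accepted before any lookup.
REALM_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,62}[A-Za-z0-9])?")


def realm_of(user_name):
    """Return the lower-cased realm of 'user@realm', or None if unusable."""
    value = user_name.strip()
    # Assumption: some server versions wrap string values in double quotes.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    user, sep, realm = value.rpartition("@")
    if not sep or not user or not REALM_RE.fullmatch(realm):
        return None
    return realm.lower()


def balance_for(conn, realm):
    """Look up the balance with a bound parameter, never string formatting."""
    row = conn.execute(
        "SELECT balance FROM resellers WHERE realm = ?", (realm,)
    ).fetchone()
    return None if row is None else row[0]


def decide(env, conn):
    """Map the request environment to an exit status; deny on any doubt."""
    realm = realm_of(env.get("USER_NAME", ""))
    if realm is None:
        return DENY
    try:
        balance = balance_for(conn, realm)
    except sqlite3.Error:
        return DENY  # fail closed when the lookup itself breaks
    if balance is None or balance <= 0:
        return DENY  # unknown reseller, or balance not above zero
    return ALLOW


def demo_db():
    """Constructed sample data standing in for the reseller table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resellers (realm TEXT PRIMARY KEY, balance REAL)")
    conn.executemany(
        "INSERT INTO resellers VALUES (?, ?)",
        [("goodreseller.example", 125.50), ("overdue.example", -40.00)],
    )
    return conn


if __name__ == "__main__":
    sys.exit(decide(os.environ, demo_db()))
```

The script denies whenever the realm is missing, malformed, unknown or the lookup fails, so a database outage blocks proxying instead of silently allowing it.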



proxy (preprocess?)

2002-11-04 Thread Mike Dain
I'm trying to set up my server to only allow proxying if a reseller's account
balance is good.
Example:

User connects to NAS
NAS sends user/pass to my radius server
My radius server checks the account balance of reseller
if reseller account balance > 0
send request to reseller radius server & continue as normal...
else
deny request

It could also work like:

User connects to NAS
NAS sends user/pass to my radius server
My radius server sends request to reseller radius server
if reseller radius server says OK
if reseller account balance > 0
   send authok
else
send deny


Has anyone attempted this before?  I'm using MySQL & Freeradius.  After
looking at lots of config files, etc. I think that a preprocess addition
might work.  Does anyone know if the Realms/NAS tables work now?  I could
also write a script to check account balances and remove the Realms entry if
the account balance is negative (if the Realms table works now).

Any ideas/help would be greatly appreciated.

Thanks,
Mike





Proxy Attributes

2002-10-22 Thread Darren Nay
Hey All,

This may be a stupid question, but still, one to which I don't know the
answer. :)  If so, please forgive my ignorance.

I am trying to find a way to strip attributes sent "from" the NAS in the
proxy authentication request in freeradius.  I am able to modify the
attributes that are sent back "to" the NAS after authentication using that
attr_filter module, but I don't see a way of stripping certain attributes
that are sent "from" the NAS.

Is this possible?  I have a proxy client who has an issue with the
"Service-Type" attribute that would be solved if I could strip that
attribute before it reaches their radius.

Thanks for any assistance!

Darren Nay - [EMAIL PROTECTED]






Re[2]: Proxy Radius

2002-10-09 Thread 3APA3A

Dear Mehdi Roomi,

You should use both rlm_passwd and rlm_mschap modules (rlm_passwd in
authorize, rlm_mschap in authenticate. Optionally you can use rlm_mschap
in authorize).

See doc/rlm_mschap and doc/rlm_passwd.

--Wednesday, October 9, 2002, 5:32:02 PM, you wrote to 
[EMAIL PROTECTED]:

MR>   Thank You.
MR> I exported NT SAM passwords into a file successfully. one sample line is as 
MR> following:
MR> borj2:1003:4f132fed9c9f145daad3b435b51404ee:6af463cbfe0f54eadfefd907ec233491:::

MR> currently my freeradius configured to use clear text passwords which stored 
MR> in mysql and pap authentication method for authentication.

MR> Now I think that I should use rlm_passwd module instead of rlm_mschap? and 
MR> import this file into radcheck table of radius database.
MR> also I want new passwords to be saved as clear text .
MR> another problem is that I want users to be able to change their passwords 
MR> from web site and I don't know how to check the previous passwords in my PHP 
MR> program.


MR> Regards,
MR> M. Roomi



>>You   can   export   your   crypted  NT  passwords  to  FreeRADIUS.  See
>>doc/rlm_mschap
>>
>>--Wednesday, October 9, 2002, 1:28:51 PM, you wrote to 
>>[EMAIL PROTECTED]:
>>
>>MR>   Hi,
>>MR> I have my previous NT commercial accounting server(ISPUtil) with more than
>>MR> 1 active users on it. as I can't export crypted NT passwords into
>>MR> freeradius, I want to define all new accounts in FreeRadius and also want
>>MR> freeradius acts as the master Accounting  server and if the accounts doesn't
>>MR> exist in FreeRadius, I want the user to be redirected to Previous nasty NT
>>MR> accounting server.
>>
>>MR> Freeradius proxy always redirects the requests to NT accounting server
>>MR> before searching itself for this username!
>>MR> I want FreeRadius First search itself and if the username doesn't exist , It
>>MR> redirect it to Next accounting Server.
>>
>>MR> Additional Info:
>>MR> there is no separator like '@' in the username and I don't want to use in new
>>MR> accounts too.
>>MR> as I configured freeradius, it acts as proxy, as it works well when the
>>MR> username doesn't exist in freeradius so it redirected to NT accounting
>>MR> server.
>>MR> but when the username exists in the Freeradius, It doesn't authenticate the
>>MR> user and resend it to second server.
>>
>>
>>MR> please let me know how to reconfigure the proxy radius.
>>
>>MR> Regards,
>>MR> M. Roomi
>>
>>
>>
>>
>>
>>--
>>~/ZARAZA
>>






-- 
~/ZARAZA
So, I will be brief. (Twain)





Re: Proxy Radius

2002-10-09 Thread Mehdi Roomi

  Thank You.
I exported NT SAM passwords into a file successfully. one sample line is as 
following:
borj2:1003:4f132fed9c9f145daad3b435b51404ee:6af463cbfe0f54eadfefd907ec233491:::

currently my freeradius configured to use clear text passwords which stored 
in mysql and pap authentication method for authentication.

Now I think that I should use rlm_passwd module instead of rlm_mschap? and 
import this file into radcheck table of radius database.
also I want new passwords to be saved as clear text .
another problem is that I want users to be able to change their passwords 
from web site and I don't know how to check the previous passwords in my PHP 
program.


Regards,
M. Roomi



>You   can   export   your   crypted  NT  passwords  to  FreeRADIUS.  See
>doc/rlm_mschap
>
>--Wednesday, October 9, 2002, 1:28:51 PM, you wrote to 
>[EMAIL PROTECTED]:
>
>MR>   Hi,
>MR> I have my previous NT commercial accounting server(ISPUtil) with more than
>MR> 1 active users on it. as I can't export crypted NT passwords into
>MR> freeradius, I want to define all new accounts in FreeRadius and also want
>MR> freeradius acts as the master Accounting  server and if the accounts doesn't
>MR> exist in FreeRadius, I want the user to be redirected to Previous nasty NT
>MR> accounting server.
>
>MR> Freeradius proxy always redirects the requests to NT accounting server
>MR> before searching itself for this username!
>MR> I want FreeRadius First search itself and if the username doesn't exist , It
>MR> redirect it to Next accounting Server.
>
>MR> Additional Info:
>MR> there is no separator like '@' in the username and I don't want to use in new
>MR> accounts too.
>MR> as I configured freeradius, it acts as proxy, as it works well when the
>MR> username doesn't exist in freeradius so it redirected to NT accounting
>MR> server.
>MR> but when the username exists in the Freeradius, It doesn't authenticate the
>MR> user and resend it to second server.
>
>
>MR> please let me know how to reconfigure the proxy radius.
>
>MR> Regards,
>MR> M. Roomi
>
>
>
>
>
>--
>~/ZARAZA







Re: Proxy Radius

2002-10-09 Thread 3APA3A

Dear Mehdi Roomi,

You   can   export   your   crypted  NT  passwords  to  FreeRADIUS.  See
doc/rlm_mschap

--Wednesday, October 9, 2002, 1:28:51 PM, you wrote to 
[EMAIL PROTECTED]:

MR>   Hi,
MR> I have my previous NT commercial accounting server(ISPUtil) with more than 
MR> 1 active users on it. as I can't export crypted NT passwords into 
MR> freeradius, I want to define all new accounts in FreeRadius and also want 
MR> freeradius acts as the master Accounting  server and if the accounts doesn't 
MR> exist in FreeRadius, I want the user to be redirected to Previous nasty NT 
MR> accounting server.

MR> Freeradius proxy always redirects the requests to NT accounting server 
MR> before searching itself for this username!
MR> I want FreeRadius First search itself and if the username doesn't exist , It 
MR> redirect it to Next accounting Server.

MR> Additional Info:
MR> there is no separator like '@' in the username and I don't want to use in new 
MR> accounts too.
MR> as I configured freeradius, it acts as proxy, as it works well when the 
MR> username doesn't exist in freeradius so it redirected to NT accounting 
MR> server.
MR> but when the username exists in the Freeradius, It doesn't authenticate the 
MR> user and resend it to second server.


MR> please let me know how to reconfigure the proxy radius.

MR> Regards,
MR> M. Roomi





-- 
~/ZARAZA
A new type of elementary particle has appeared: cracklings.
Not very large, slightly burnt.  (Lem)





Proxy Radius

2002-10-09 Thread Mehdi Roomi

  Hi,
I have my previous NT commercial accounting server(ISPUtil) with more than 
1 active users on it. as I can't export crypted NT passwords into 
freeradius, I want to define all new accounts in FreeRadius and also want 
freeradius acts as the master Accounting  server and if the accounts doesn't 
exist in FreeRadius, I want the user to be redirected to Previous nasty NT 
accounting server.

Freeradius proxy always redirects the requests to NT accounting server 
before searching itself for this username!
I want FreeRadius First search itself and if the username doesn't exist , It 
redirect it to Next accounting Server.

Additional Info:
there is no separator like '@' in the username and I don't want to use in new 
accounts too.
as I configured freeradius, it acts as proxy, as it works well when the 
username doesn't exist in freeradius so it redirected to NT accounting 
server.
but when the username exists in the Freeradius, It doesn't authenticate the 
user and resend it to second server.


please let me know how to reconfigure the proxy radius.

Regards,
M. Roomi






Round-Robin Proxy Support

2002-10-01 Thread Chris Parker

Everyone,

The current CVS version of the server now contains support for a
round-robin load distribution of remote proxy requests.

Previously, the server supported multiple entries for the same 'realm'
with different entries in 'proxy.conf'.  The server would use each entry
in turn until it was marked dead, and would then move on to the next realm
entry.  This is the default behaviour and remains unchanged.

The new behaviour cycles each successive request through all of the listed 
servers, so that each request is assigned to a different server as it comes
in.

This is implemented in the 'proxy.conf' via the following entries:

The following sets the max number of servers you want to allow for
each realm.  If not set, it will default to 15.

proxy server {
 servers_per_realm = 15
}

The following enables a round-robin distribution on a realm:

realm  serv.com {
   type   = radius
   authhost   = rad1.serv.com:1812
   accthost   = rad1.serv.com:1813
   secret = TheirKey
   ldflag = round_robin
   nostrip
}

realm  serv.com {
   type   = radius
   authhost   = rad2.serv.com:1812
   accthost   = rad2.serv.com:1813
   secret = TheirKey
   ldflag = round_robin
   nostrip
}

In the above example, setting the 'ldflag' attribute with 'round_robin'
enables the load distribution.  All realm entries must be configured
identically.  IE, they must all have the same flag of 'round_robin' or
'fail_over'.  The first packet for 'serv.com' will be sent to rad1.serv.com,
the second packet will be sent to rad2.serv.com, the third packet will be
sent to rad1.serv.com, and so on.

This has been tested to ensure backwards compatibility with previous
'proxy.conf' configurations.  Remote server failures in a round-robin
distribution situation are handled gracefully, and should not result
in "lost" packets.

If there are any questions or problems associated with this, please
post your experience and any debugging traces showing your problem to
the list.

Thanks,
-Chris

--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net
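
The 'proxy.conf' rules in the announcement above, as an added Python sketch (not FreeRADIUS code and not part of the original post): it parses realm blocks in the format shown, flags realms whose entries mix 'ldflag' values or exceed 'servers_per_realm', and simulates how requests are spread. Two assumptions: an entry without 'ldflag' is treated as 'fail_over' because the post calls that the default behaviour, and a dead server is simply skipped, since the post only says failures are handled gracefully.

```python
import re
from collections import defaultdict

# Constructed sample in the post's format (hosts and secret are the post's own values).
SAMPLE_PROXY_CONF = """
proxy server {
    servers_per_realm = 15
}
realm serv.com {
    type     = radius
    authhost = rad1.serv.com:1812
    accthost = rad1.serv.com:1813
    secret   = TheirKey
    ldflag   = round_robin
    nostrip
}
realm serv.com {
    type     = radius
    authhost = rad2.serv.com:1812
    accthost = rad2.serv.com:1813
    secret   = TheirKey
    ldflag   = round_robin
    nostrip
}
"""

# "<kind> <name> { ... }" where the closing brace sits on its own line.
BLOCK_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(\S+?)[ \t]*\{(.*?)^[ \t]*\}", re.S | re.M)


def parse_proxy_conf(text):
    """Return (servers_per_realm, {realm name: [entry dict, ...]}) in file order."""
    limit = 15  # default stated in the post
    realms = defaultdict(list)
    for kind, name, body in BLOCK_RE.findall(text):
        entry = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            key, sep, value = line.partition("=")
            # "key = value" pairs keep their value; bare flags such as nostrip become True.
            entry[key.strip()] = value.strip() if sep else True
        if kind == "proxy":
            limit = int(entry.get("servers_per_realm", limit))
        elif kind == "realm":
            realms[name].append(entry)
    return limit, dict(realms)


def lint(limit, realms):
    """Check the two constraints the post states for multi-entry realms."""
    problems = []
    for name, entries in realms.items():
        # Assumption: a missing ldflag means fail_over (the post's default behaviour).
        flags = {e.get("ldflag", "fail_over") for e in entries}
        if len(flags) > 1:
            problems.append(f"{name}: mixed ldflag values {sorted(flags)}")
        if len(entries) > limit:
            problems.append(f"{name}: {len(entries)} entries exceed servers_per_realm={limit}")
    return problems


class RealmSelector:
    """Simulates which authhost each successive request for one realm goes to."""

    def __init__(self, entries):
        self.hosts = [e["authhost"] for e in entries]
        self.mode = entries[0].get("ldflag", "fail_over")
        self.dead = set()
        self._next = 0  # round_robin cursor

    def mark_dead(self, host):
        self.dead.add(host)

    def pick(self):
        n = len(self.hosts)
        # fail_over always starts at the first entry; round_robin starts at the cursor.
        start = self._next if self.mode == "round_robin" else 0
        for i in range(n):
            idx = (start + i) % n
            if self.hosts[idx] not in self.dead:  # assumption: dead servers are skipped
                if self.mode == "round_robin":
                    self._next = (idx + 1) % n
                return self.hosts[idx]
        return None  # every server for the realm is marked dead


if __name__ == "__main__":
    limit, realms = parse_proxy_conf(SAMPLE_PROXY_CONF)
    print(lint(limit, realms) or "proxy.conf realm entries are consistent")
    selector = RealmSelector(realms["serv.com"])
    print([selector.pick() for _ in range(4)])
```
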






Re: Fw: Hints & Proxy

2002-10-01 Thread angelos karageorgiou




Darren Nay wrote:

> Can anyone tell me if this is a possibility??  Using hints, or otherwise.
> (refer to the forwarded message)
>
> Thanks in advance!
>
> Darren Nay - [EMAIL PROTECTED]
>
> - Original Message -
> From: "Darren Nay" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 27, 2002 2:57 PM
> Subject: Hints & Proxy
>
> > Hello all,
> >
> > I haven't used hints much in the past but I am wondering if it might be
> > possible to use them for proxying certain requests to a secondary radius.
> > Or if there is possibly another way (besides hints) that this could be
> > accomplished.
> >
> > For example.  We have a realm hosted on one radius, and would like to proxy
> > some of the requests for that realm to another radius, but have some still
> > authenticating on the primary radius.. say for example, all of the users
> > with a prxy- prefix (ie. [EMAIL PROTECTED]) would be sent to the secondary
> > radius for authentication.  A username without the prefix though would still
> > authenticate on the primary radius.  Make sense?
> >
> > Is this is a possibility?  And, if so, is there some documentation on it
> > somewhere?  I haven't had much luck finding any relevant docs.
> >
> > Thanks for any help that can be provided!
> >
> > Darren Nay - [EMAIL PROTECTED]
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Actually this is fairly easy: use the null realm and configure it as local
for the accounts to be authenticated locally.

realm NULL {
    type    = radius
    authhost    = LOCAL:1645
    accthost    = LOCAL:1646
    notrealm
}

realm realm.com{
    type    = radius
     authhost    = thathost:1645
     accthost    = thathost:1646
}




Now I have a question for you all: have you noticed memory leaks with freeradius?
I have one whose RSS gets close to 140M in a single day.
I restart it every 3 days or so. 





Re: Fw: Hints & Proxy

2002-09-30 Thread Darren Nay

Franklin,

Thanks for the suggestion.  This just might work.  :)  I'll give it a try.

Darren

- Original Message -
From: "Franklin Trumpy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 30, 2002 12:44 PM
Subject: Re: Fw: Hints & Proxy


> Darren,
>
> I'm not exactly certain how your requirements could be met (gracefully)
> using hints. However, take a look at doc/configurable_failover. You
> should be able to use multiple instances of the realm module to
> simultaneously support both a prefix and suffix realm. I'm not sure how
> graceful *this* solution is either, and your mileage may vary.
>
> Franklin
>
> --
> Franklin Trumpy, NFA, MNGS, GSc | Say not, "I have found the truth,"
> Sr. UNIX Systems Administrator  | but rather, "I have found a truth."
> Lighthouse Communications   |
> [EMAIL PROTECTED] | Say not, "I have found the path of the soul."
> (515)244-1115   | Say rather, "I have met the soul walking
> (888)953-3278   |   upon my path."
> http://www.lh.net   |
> | -Kahlil Gibran, _The Prophet_, 1923
> |
>
> On Mon, 30 Sep 2002, Darren Nay wrote:
>
> > Date: Mon, 30 Sep 2002 10:59:28 -0600
> > From: Darren Nay <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Fw: Hints & Proxy
> >
> > Can anyone tell me if this is a possibility??  Using hints, or otherwise.
> > (refer to the forwarded message)
> >
> > Thanks in advance!
> >
> > Darren Nay - [EMAIL PROTECTED]
> >
> > - Original Message -
> > From: "Darren Nay" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, September 27, 2002 2:57 PM
> > Subject: Hints & Proxy
> >
> >
> > > Hello all,
> > >
> > > I haven't used hints much in the past but I am wondering if it might be
> > > possible to use them for proxying certain requests to a secondary radius.
> > > Or if there is possibly another way (besides hints) that this could be
> > > accomplished.
> > >
> > > For example.  We have a realm hosted on one radius, and would like to proxy
> > > some of the requests for that realm to another radius, but have some still
> > > authenticating on the primary radius.. say for example, all of the users
> > > with a prxy- prefix (ie. [EMAIL PROTECTED]) would be sent to the secondary
> > > radius for authentication.  A username without the prefix though would still
> > > authenticate on the primary radius.  Make sense?
> > >
> > > Is this is a possibility?  And, if so, is there some documentation on it
> > > somewhere?  I haven't had much luck finding any relevant docs.
> > >
> > > Thanks for any help that can be provided!
> > >
> > > Darren Nay - [EMAIL PROTECTED]
> > >
> > >
> >
> >



Re: Fw: Hints & Proxy

2002-09-30 Thread Franklin Trumpy

Darren,

I'm not exactly certain how your requirements could be met (gracefully) 
using hints. However, take a look at doc/configurable_failover. You
should be able to use multiple instances of the realm module to
simultaneously support both a prefix and suffix realm. I'm not sure how
graceful *this* solution is either, and your mileage may vary.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc | Say not, "I have found the truth,"
Sr. UNIX Systems Administrator  | but rather, "I have found a truth."
Lighthouse Communications   | 
[EMAIL PROTECTED] | Say not, "I have found the path of the soul."
(515)244-1115   | Say rather, "I have met the soul walking
(888)953-3278   |   upon my path."
http://www.lh.net   |
| -Kahlil Gibran, _The Prophet_, 1923
|

On Mon, 30 Sep 2002, Darren Nay wrote:

> Date: Mon, 30 Sep 2002 10:59:28 -0600
> From: Darren Nay <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Fw: Hints & Proxy
> 
> Can anyone tell me if this is a possibility??  Using hints, or otherwise.
> (refer to the forwarded message)
> 
> Thanks in advance!
> 
> Darren Nay - [EMAIL PROTECTED]
> 
> - Original Message -
> From: "Darren Nay" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 27, 2002 2:57 PM
> Subject: Hints & Proxy
> 
> 
> > Hello all,
> >
> > I haven't used hints much in the past but I am wondering if it might be
> > possible to use them for proxying certain requests to a secondary radius.
> > Or if there is possibly another way (besides hints) that this could be
> > accomplished.
> >
> > For example.  We have a realm hosted on one radius, and would like to proxy
> > some of the requests for that realm to another radius, but have some still
> > authenticating on the primary radius.. say for example, all of the users
> > with a prxy- prefix (ie. [EMAIL PROTECTED]) would be sent to the secondary
> > radius for authentication.  A username without the prefix though would still
> > authenticate on the primary radius.  Make sense?
> >
> > Is this is a possibility?  And, if so, is there some documentation on it
> > somewhere?  I haven't had much luck finding any relevant docs.
> >
> > Thanks for any help that can be provided!
> >
> > Darren Nay - [EMAIL PROTECTED]
> >
> >
> 
> 



Fw: Hints & Proxy

2002-09-30 Thread Darren Nay

Can anyone tell me if this is a possibility??  Using hints, or otherwise.
(refer to the forwarded message)

Thanks in advance!

Darren Nay - [EMAIL PROTECTED]

- Original Message -
From: "Darren Nay" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 27, 2002 2:57 PM
Subject: Hints & Proxy


> Hello all,
>
> I haven't used hints much in the past but I am wondering if it might be
> possible to use them for proxying certain requests to a secondary radius.
> Or if there is possibly another way (besides hints) that this could be
> accomplished.
>
> For example.  We have a realm hosted on one radius, and would like to proxy
> some of the requests for that realm to another radius, but have some still
> authenticating on the primary radius.. say for example, all of the users
> with a prxy- prefix (ie. [EMAIL PROTECTED]) would be sent to the secondary
> radius for authentication.  A username without the prefix though would still
> authenticate on the primary radius.  Make sense?
>
> Is this is a possibility?  And, if so, is there some documentation on it
> somewhere?  I haven't had much luck finding any relevant docs.
>
> Thanks for any help that can be provided!
>
> Darren Nay - [EMAIL PROTECTED]
>
>





Hints & Proxy

2002-09-27 Thread Darren Nay

Hello all,

I haven't used hints much in the past but I am wondering if it might be
possible to use them for proxying certain requests to a secondary radius.
Or if there is possibly another way (besides hints) that this could be
accomplished.

For example.  We have a realm hosted on one radius, and would like to proxy
some of the requests for that realm to another radius, but have some still
authenticating on the primary radius.. say for example, all of the users
with a prxy- prefix (ie. [EMAIL PROTECTED]) would be sent to the secondary
radius for authentication.  A username without the prefix though would still
authenticate on the primary radius.  Make sense?

Is this is a possibility?  And, if so, is there some documentation on it
somewhere?  I haven't had much luck finding any relevant docs.

Thanks for any help that can be provided!

Darren Nay - [EMAIL PROTECTED]






RE: Question regarding Proxy-State [33] Attribute

2002-09-20 Thread Brandon Lehmann

Just as a fun Record. I have resolved this issue... Read below for some fun
stuff.

 START CUT 

-Original Message-
From: Ballew, Dean A [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 4:49 PM
To: Brandon Lehmann; Radius Testing
Cc: Dan-CPM; Stephen Goff
Subject: RE: Worldteq - Status of Realm Activation: IP Change


Brandon,
  Please try again.  Your realm was pointing (test server only) to another
company that previously owned this realm...
Proxy-state will not be sent in your dialtests.   Proxy-state will be
implemented with our system upgrades in the near future.
Dean

-Original Message-
From: Brandon Lehmann [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 20, 2002 3:22 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'; Stephen Goff
Subject: FW: Worldteq - Status of Realm Activation: IP Change


When testing the realms I have run into a few problems. Viewing our radius
logs, I do NOT see a Proxy-State attribute being sent from the test radius
proxies. It looks like the users are authenticating ok, but the session will
not start with the test numbers. If you could please let me know why this
may be happening, it would be greatly appreciated. A snapshot of a logfile
from you guys would work even better if the trouble is indeed on our end.
All dialup tests were done w/ the user '[EMAIL PROTECTED]'.

Thanks for your help.

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net

 END CUT ---

The really funny thing is... that we are the only ones that have ever owned
that realm... interesting.. sounds like no one ever set it up to me.

Thanks to all of you that helped!

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED] 
www.nwonline.net


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Chris
> Parker
> Sent: Friday, September 20, 2002 3:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Question regarding Proxy-State [33] Attribute
> 
> 
> At 03:19 PM 9/20/2002 -0400, Brandon Lehmann wrote:
> >Chris,
> >
> > This is the result from my debug (radiusd -x -x)
> >
> >rad_recv: Accounting-Request packet from host 
> 209.211.205.27:46810, id=250,
> >length=445
> >Thread 2 assigned request 6
> >--- Walking the entire request list ---
> >Threads: total/active/spare threads = 5/1/4
> >Waking up in 5 seconds...
> >Thread 2 handling request 6, (2 handled so far)
> > User-Name = "[EMAIL PROTECTED]"
> > NAS-IP-Address = 63.152.3.66
> > NAS-Port = 7190
> > Service-Type = Framed-User
> > Cisco-AVPair = "disc-cause-ext=1043"
> > Cisco-AVPair = "pre-bytes-in=250"
> > Cisco-AVPair = "pre-bytes-out=216"
> > Cisco-AVPair = "pre-paks-in=8"
> > Cisco-AVPair = "pre-paks-out=6"
> > Cisco-AVPair = "pre-session-time=27"
> > Cisco-AVPair = "connect-progress=101"
> > Cisco-AVPair = "nas-rx-speed=26400"
> > Cisco-AVPair = "nas-tx-speed=38000"
> > Cisco-NAS-Port = "Async3/07*Serial7/0:1:22"
> > Calling-Station-Id = "4193321376"
> > Acct-Status-Type = Stop
> > Acct-Delay-Time = 0
> > Acct-Input-Octets = 0
> > Acct-Output-Octets = 8
> > Acct-Session-Id = "02000C91"
> > Acct-Authentic = RADIUS
> > Acct-Session-Time = 0
> > Acct-Input-Packets = 0
> > Acct-Output-Packets = 1
> > NAS-Port-Type = Async
> > X-Ascend-Pre-Input-Octets = 250
> > X-Ascend-Pre-Output-Octets = 216
> > X-Ascend-Pre-Input-Packets = 8
> > X-Ascend-Pre-Output-Packets = 6
> > X-Ascend-Disconnect-Cause = 43
> > X-Ascend-Connect-Progress = 101
> > X-Ascend-Data-Rate = 26400
> > X-Ascend-PreSession-Time = 27
> > X-Ascend-Xmit-Rate = 38000
> 
> Qwest isn't sending you a Proxy-State attribute.  Kindly ask them how
> you are supposed to return one if they aren't sending one?
> 
> http://www.freeradius.org/rfc/rfc2865.html#Proxy-State
> 
> -Chris
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>    \ Wholesale Internet Services - http://www.megapop.net






RE: Question regarding Proxy-State [33] Attribute

2002-09-20 Thread Brandon Lehmann

Thanks Chris... Funny how that works... They are both slow at fixing
problems and mindless in setting up their own specifications.

Thanks again. If I need anymore help, now I know where to get it :)

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED] 
www.nwonline.net


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Chris
> Parker
> Sent: Friday, September 20, 2002 3:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Question regarding Proxy-State [33] Attribute
> 
> 
> At 03:19 PM 9/20/2002 -0400, Brandon Lehmann wrote:
> >Chris,
> >
> > This is the result from my debug (radiusd -x -x)
> >
> >rad_recv: Accounting-Request packet from host 
> 209.211.205.27:46810, id=250,
> >length=445
> >Thread 2 assigned request 6
> >--- Walking the entire request list ---
> >Threads: total/active/spare threads = 5/1/4
> >Waking up in 5 seconds...
> >Thread 2 handling request 6, (2 handled so far)
> > User-Name = "[EMAIL PROTECTED]"
> > NAS-IP-Address = 63.152.3.66
> > NAS-Port = 7190
> > Service-Type = Framed-User
> > Cisco-AVPair = "disc-cause-ext=1043"
> > Cisco-AVPair = "pre-bytes-in=250"
> > Cisco-AVPair = "pre-bytes-out=216"
> > Cisco-AVPair = "pre-paks-in=8"
> > Cisco-AVPair = "pre-paks-out=6"
> > Cisco-AVPair = "pre-session-time=27"
> > Cisco-AVPair = "connect-progress=101"
> > Cisco-AVPair = "nas-rx-speed=26400"
> > Cisco-AVPair = "nas-tx-speed=38000"
> > Cisco-NAS-Port = "Async3/07*Serial7/0:1:22"
> > Calling-Station-Id = "4193321376"
> > Acct-Status-Type = Stop
> > Acct-Delay-Time = 0
> > Acct-Input-Octets = 0
> > Acct-Output-Octets = 8
> > Acct-Session-Id = "02000C91"
> > Acct-Authentic = RADIUS
> > Acct-Session-Time = 0
> > Acct-Input-Packets = 0
> > Acct-Output-Packets = 1
> > NAS-Port-Type = Async
> > X-Ascend-Pre-Input-Octets = 250
> > X-Ascend-Pre-Output-Octets = 216
> > X-Ascend-Pre-Input-Packets = 8
> > X-Ascend-Pre-Output-Packets = 6
> > X-Ascend-Disconnect-Cause = 43
> > X-Ascend-Connect-Progress = 101
> > X-Ascend-Data-Rate = 26400
> > X-Ascend-PreSession-Time = 27
> > X-Ascend-Xmit-Rate = 38000
> 
> Qwest isn't sending you a Proxy-State attribute.  Kindly ask them how
> you are supposed to return one if they aren't sending one?
> 
> http://www.freeradius.org/rfc/rfc2865.html#Proxy-State
> 
> -Chris
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>    \ Wholesale Internet Services - http://www.megapop.net






RE: Question regarding Proxy-State [33] Attribute

2002-09-20 Thread Chris Parker

At 03:19 PM 9/20/2002 -0400, Brandon Lehmann wrote:
>Chris,
>
> This is the result from my debug (radiusd -x -x)
>
>rad_recv: Accounting-Request packet from host 209.211.205.27:46810, id=250,
>length=445
>Thread 2 assigned request 6
>--- Walking the entire request list ---
>Threads: total/active/spare threads = 5/1/4
>Waking up in 5 seconds...
>Thread 2 handling request 6, (2 handled so far)
> User-Name = "[EMAIL PROTECTED]"
> NAS-IP-Address = 63.152.3.66
> NAS-Port = 7190
> Service-Type = Framed-User
> Cisco-AVPair = "disc-cause-ext=1043"
> Cisco-AVPair = "pre-bytes-in=250"
> Cisco-AVPair = "pre-bytes-out=216"
> Cisco-AVPair = "pre-paks-in=8"
> Cisco-AVPair = "pre-paks-out=6"
> Cisco-AVPair = "pre-session-time=27"
> Cisco-AVPair = "connect-progress=101"
> Cisco-AVPair = "nas-rx-speed=26400"
> Cisco-AVPair = "nas-tx-speed=38000"
> Cisco-NAS-Port = "Async3/07*Serial7/0:1:22"
> Calling-Station-Id = "4193321376"
> Acct-Status-Type = Stop
> Acct-Delay-Time = 0
> Acct-Input-Octets = 0
> Acct-Output-Octets = 8
> Acct-Session-Id = "02000C91"
> Acct-Authentic = RADIUS
> Acct-Session-Time = 0
> Acct-Input-Packets = 0
> Acct-Output-Packets = 1
> NAS-Port-Type = Async
> X-Ascend-Pre-Input-Octets = 250
> X-Ascend-Pre-Output-Octets = 216
> X-Ascend-Pre-Input-Packets = 8
> X-Ascend-Pre-Output-Packets = 6
> X-Ascend-Disconnect-Cause = 43
> X-Ascend-Connect-Progress = 101
> X-Ascend-Data-Rate = 26400
> X-Ascend-PreSession-Time = 27
> X-Ascend-Xmit-Rate = 38000

Qwest isn't sending you a Proxy-State attribute.  Kindly ask them how
you are supposed to return one if they aren't sending one?

http://www.freeradius.org/rfc/rfc2865.html#Proxy-State

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






RE: Question regarding Proxy-State [33] Attribute

2002-09-20 Thread Brandon Lehmann

Chris,

This is the result from my debug (radiusd -x -x)

rad_recv: Accounting-Request packet from host 209.211.205.27:46810, id=250,
length=445
Thread 2 assigned request 6
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 2 handling request 6, (2 handled so far)
User-Name = "[EMAIL PROTECTED]"
NAS-IP-Address = 63.152.3.66
NAS-Port = 7190
Service-Type = Framed-User
Cisco-AVPair = "disc-cause-ext=1043"
Cisco-AVPair = "pre-bytes-in=250"
Cisco-AVPair = "pre-bytes-out=216"
Cisco-AVPair = "pre-paks-in=8"
Cisco-AVPair = "pre-paks-out=6"
Cisco-AVPair = "pre-session-time=27"
Cisco-AVPair = "connect-progress=101"
Cisco-AVPair = "nas-rx-speed=26400"
Cisco-AVPair = "nas-tx-speed=38000"
Cisco-NAS-Port = "Async3/07*Serial7/0:1:22"
Calling-Station-Id = "4193321376"
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Input-Octets = 0
Acct-Output-Octets = 8
Acct-Session-Id = "02000C91"
Acct-Authentic = RADIUS
Acct-Session-Time = 0
Acct-Input-Packets = 0
Acct-Output-Packets = 1
NAS-Port-Type = Async
X-Ascend-Pre-Input-Octets = 250
X-Ascend-Pre-Output-Octets = 216
X-Ascend-Pre-Input-Packets = 8
X-Ascend-Pre-Output-Packets = 6
X-Ascend-Disconnect-Cause = 43
X-Ascend-Connect-Progress = 101
X-Ascend-Data-Rate = 26400
X-Ascend-PreSession-Time = 27
X-Ascend-Xmit-Rate = 38000
modcall: entering group preacct
  modcall[preacct]: module "preprocess" returns noop
rlm_realm: Looking up realm nwonline.net for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm DEFAULT
  rlm_realm: Proxying request from user test to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm:  Preparing to proxy accounting request to realm DEFAULT 
  modcall[preacct]: module "suffix" returns ok
modcall: group preacct returns ok
modcall: entering group accounting
radius_xlat:  '/usr/local/var/log/radius/radacct/detail.log'
rlm_detail: /usr/local/var/log/radius/radacct/detail.log expands to
/usr/local/var/log/radius/radacct/detail.log
rlm_detail: Freeradius-Proxied-To set to 208.231.144.20
  modcall[accounting]: module "detail" returns ok
radius_xlat:  '[EMAIL PROTECTED]'
Accounting: logout: login entry for NAS nas14.arlington1.va.us.da.qwest port
7190 not found
  modcall[accounting]: module "radutmp" returns ok
modcall: group accounting returns ok
Sending Accounting-Request of id 4 to 208.231.144.20:1646
User-Name = "[EMAIL PROTECTED]"
NAS-IP-Address = 63.152.3.66
NAS-Port = 7190
Service-Type = Framed-User
Cisco-AVPair = "1043"
Cisco-AVPair = "250"
Cisco-AVPair = "216"
Cisco-AVPair = "8"
Cisco-AVPair = "6"
Cisco-AVPair = "27"
Cisco-AVPair = "101"
Cisco-AVPair = "26400"
Cisco-AVPair = "38000"
Cisco-NAS-Port = "Async3/07*Serial7/0:1:22"
Calling-Station-Id = "4193321376"
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Input-Octets = 0
Acct-Output-Octets = 8
Acct-Session-Id = "02000C91"
Acct-Authentic = RADIUS
Acct-Session-Time = 0
Acct-Input-Packets = 0
Acct-Output-Packets = 1
NAS-Port-Type = Async
X-Ascend-Pre-Input-Octets = 250
X-Ascend-Pre-Output-Octets = 216
X-Ascend-Pre-Input-Packets = 8
X-Ascend-Pre-Output-Packets = 6
X-Ascend-Disconnect-Cause = 43
X-Ascend-Connect-Progress = 101
X-Ascend-Data-Rate = 26400
X-Ascend-PreSession-Time = 27
X-Ascend-Xmit-Rate = 38000
Proxy-State = "250"
Thread 2 waiting to be assigned a request
rad_recv: Accounting-Response packet from host 208.231.144.20:1646, id=4,
length=25
Thread 3 assigned request 6
rl_next:  returning NULL
Waking up in 5 seconds...
Thread 3 handling request 6, (2 handled so far)
Proxy-State = 0x323530
Sending Accounting-Response of id 250 to 209.211.205.27:46810
Finished request 6
Going to the next request
Thread 3 waiting to be assigned a request


From what it looks like, Qwest is not sending me proxy-state attributes.
This is really interesting as they told us that these were required. My
testing will still not let me log on.

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED] 
www.nwonline.net



RE: Question regarding Proxy-State [33] Attribute

2002-09-20 Thread Brandon Lehmann

So what you're saying... is that I should use the CVS snapshot and try this.

freeradius does show a successful auth. but the session never comes up. Our
realms are already in production, but we are doing testing for Qwest's new
requirement for round-robin radius (using the qwest test #). I'll try the
cvs snapshot first. Thanks.

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED] 
www.nwonline.net


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Franklin
> Trumpy
> Sent: Friday, September 20, 2002 2:31 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: Question regarding Proxy-State [33] Attribute
> 
> 
> 
> On Fri, 20 Sep 2002, Brandon Lehmann wrote:
> > The only reason that this would happen is because our proxy server is
> > NOT sending back a Proxy-State [33] attribute. How can I make sure that
> > FreeRadius sends this attr back? If I can't get it to do this, can
> > someone please advise a software package that can do this?
> 
> If the Proxy-State attribute is getting lost somewhere, it's most
> likely being stripped off by the VopRADIUS server, which, of course, it
> shouldn't be doing.
> 
> I can confirm that the FreeRADIUS CVS snapshot dated 08/16/2002 does
> receive Proxy-State attributes from QWest NAS correctly, does proxy them
> correctly (to, in my case, a Radiator server *shudder*), and does return
> them to the QWest client correctly. It has been behaving exactly as it
> should according to the RFC through various releases and CVS iterations
> for about a year.
> 
> Does your FreeRADIUS server show a successful authentication, but then the
> actual session fails to come up, or does the FreeRADIUS server show a
> failed authentication? On a QWest-specific note, unless your
> realm is already in production, Proxy-State shouldn't preclude a
> successful connection at the NAS end.
> 
> Franklin
> 
> --
> Franklin Trumpy, NFA, MNGS, GSc | Say not, "I have found the truth,"
> Sr. UNIX Systems Administrator  | but rather, "I have found a truth."
> Lighthouse Communications   | 
> [EMAIL PROTECTED] | Say not, "I have found the path of the soul."
> (515)244-1115   | Say rather, "I have met the soul walking
> (888)953-3278   |   upon my path."
> http://www.lh.net   |
> | -Kahlil Gibran, _The Prophet_, 1923
> 
> 
> 



Re: Question regarding Proxy-State [33] Attribute

2002-09-20 Thread Chris Parker

At 01:31 PM 9/20/2002 -0500, Franklin Trumpy wrote:

>On Fri, 20 Sep 2002, Brandon Lehmann wrote:
> > The only reason that this would happen is because our proxy server is
> > NOT sending back a Proxy-State [33] attribute. How can I make sure that
> > FreeRadius sends this attr back? If I can't get it to do this, can
> > someone please advise a software package that can do this?
>
>If the Proxy-State attribute is getting lost somewhere, it's most
>likely being stripped off by the VopRADIUS server, which, of course, it
>shouldn't be doing.

Which FreeRADIUS handles very gracefully.  It also handles Merit servers
which decide to mangle attributes.  Any Proxy-State attributes that are
received in a reply from a remote server are discarded by FreeRADIUS.  The
Proxy-State attributes that were sent in the *original* request are
copied into the reply to send back to Qwest.  IE, the server already
handles the case of a remote server stripping or mangling the Proxy-State(s).

Hence the request to run it in debug to see what Qwest is sending, and
what is being sent back to them.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net
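
The Proxy-State handling described in the message above, as an added Python sketch (not FreeRADIUS source and not part of the original post): the proxy appends its own Proxy-State when forwarding, discards every Proxy-State in the remote reply, and copies back the ones from the original request in order. The packets, the 'hop-A'/'hop-B' values and the function names are constructed for illustration, and authenticators are left as zero bytes because signing with the shared secret is outside what this shows.

```python
import struct

PROXY_STATE = 33          # attribute type from RFC 2865, the "[33]" in the subject line
ZERO_AUTH = bytes(16)     # placeholder authenticator; real packets are signed


def parse_packet(data):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs


def build_packet(code, ident, authenticator, attrs):
    """Encode attributes as type/length/value and prepend the header."""
    body = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        body += bytes([atype, len(value) + 2]) + value
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def proxy_states(attrs):
    return [value for atype, value in attrs if atype == PROXY_STATE]


def forward_attrs(request_attrs, own_state):
    """Attributes sent upstream: the proxy's own Proxy-State goes after existing ones."""
    return list(request_attrs) + [(PROXY_STATE, own_state)]


def reply_attrs_for_client(request_attrs, remote_reply_attrs):
    """Drop whatever Proxy-State the remote server returned, then restore the
    client's own Proxy-State values from the original request, in order."""
    kept = [(t, v) for t, v in remote_reply_attrs if t != PROXY_STATE]
    original = [(t, v) for t, v in request_attrs if t == PROXY_STATE]
    return kept + original


def relay(client_packet, own_state, remote_behaviour):
    """One proxied exchange; remote_behaviour maps forwarded attrs to reply attrs."""
    _code, _ident, _auth, request_attrs = parse_packet(client_packet)
    forwarded = forward_attrs(request_attrs, own_state)
    return reply_attrs_for_client(request_attrs, remote_behaviour(forwarded))


# Constructed packets. The first mirrors the trace in this thread: an
# Accounting-Request with id=250 that arrives carrying no Proxy-State.
REQ_NO_STATE = build_packet(4, 250, ZERO_AUTH, [(1, b"test")])
REQ_WITH_STATE = build_packet(1, 7, ZERO_AUTH,
                              [(1, b"test"), (PROXY_STATE, b"hop-A"), (PROXY_STATE, b"hop-B")])


def echo(attrs):      # well-behaved remote: returns every Proxy-State it was sent
    return [a for a in attrs if a[0] == PROXY_STATE]


def strip(attrs):     # remote that drops Proxy-State entirely
    return [(18, b"ok")]


def mangle(attrs):    # remote that returns a corrupted Proxy-State
    return [(18, b"ok"), (PROXY_STATE, b"garbage")]


if __name__ == "__main__":
    for name, packet, state, remote in [("no state from client", REQ_NO_STATE, b"250", echo),
                                        ("remote strips", REQ_WITH_STATE, b"7", strip),
                                        ("remote mangles", REQ_WITH_STATE, b"7", mangle)]:
        print(name, "->", proxy_states(relay(packet, state, remote)))
```
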






Re: Question regarding Proxy-State [33] Attribute

2002-09-20 Thread Franklin Trumpy


On Fri, 20 Sep 2002, Brandon Lehmann wrote:
> The only reason that this would happen is because our proxy server is
> NOT sending back a Proxy-State [33] attribute. How can I make sure that
> FreeRadius sends this attr back? If I can't get it to do this, can
> someone please advise a software package that can do this?

If the Proxy-State attribute is getting lost somewhere, it's most
likely being stripped off by the VopRADIUS server, which, of course, it
shouldn't be doing.

I can confirm that the FreeRADIUS CVS snapshot dated 08/16/2002 does
receive Proxy-State attributes from QWest NAS correctly, does proxy them
correctly (to, in my case, a Radiator server *shudder*), and does return
them to the QWest client correctly. It has been behaving exactly as it
should according to the RFC through various releases and CVS iterations
for about a year.

Does your FreeRADIUS server show a successful authentication, but then the
actual session fails to come up, or does the FreeRADIUS server show a
failed authentication? On a QWest-specific note, unless your
realm is already in production, Proxy-State shouldn't preclude a
successful connection at the NAS end.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc | Say not, "I have found the truth,"
Sr. UNIX Systems Administrator  | but rather, "I have found a truth."
Lighthouse Communications   | 
[EMAIL PROTECTED] | Say not, "I have found the path of the soul."
(515)244-1115   | Say rather, "I have met the soul walking
(888)953-3278   |   upon my path."
http://www.lh.net   |
| -Kahlil Gibran, _The Prophet_, 1923






Re: Question regarding Proxy-State [33] Attribute

2002-09-20 Thread Alan DeKok

Brandon Lehmann <[EMAIL PROTECTED]> wrote:
>   This is what we are running into. On top of some errors about
> accounting (FreeRadius wants us to add ALL of qwest's NAS boxes to the
> clients file.. ick)

  No, that's definitely not true.  The ONLY addresses which are
required to be in the 'clients' file are the machines which send
packets to the server.

> The only reason that this would happen is because our proxy server
> is NOT sending back a Proxy-State [33] attribute. How can I make
> sure that FreeRadius sends this attr back?

  Look at the output of debugging mode?

  Also, try upgrading to the latest CVS snapshot.  It has a few more
fixes which didn't make it into 0.7.1.

  Alan DeKok.




Re: Question regarding Proxy-State [33] Attribute

2002-09-20 Thread Chris Parker

At 09:51 AM 9/20/2002 -0400, Brandon Lehmann wrote:
>Hi List,
>
> We are currently trying to get FreeRadius 0.7.1 to work with our
>VopRadius server. This is how it flows.
>
> Our users dial into the Qwest Network. The Qwest NAS sends a request
>to Qwest's radius proxy servers -> Qwest proxy servers send a request to one
>of our proxy servers -> our proxy server sends the request to our VopRadius
>server -> VopRadius authenticates the user. Sounds easy right?
>
> This is what we are running into. On top of some errors about
>accounting (FreeRadius wants us to add ALL of qwest's NAS boxes to the
>clients file.. ick) we are not getting authenticated.

Huh?  Uhh, no.  You don't need to do that unless Qwest's NAS are going
to talk to your radius server directly.  If requests are proxied through
Qwest's radius servers, then you only have to add their Radius server IPs
to your clients file.

>The only reason that this would happen is because our proxy server is NOT 
>sending back a Proxy-State [33] attribute. How can I make sure that 
>FreeRadius sends this attr back? If I can't get it to do this, can someone 
>please advise a software package that can do this?

If Qwest's server sends it to you, then FreeRADIUS will send it back.  You
can find out what you are receiving from Qwest and what you are sending back
by running the server in Debug mode ( radiusd -x -x ).

Good luck.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Question regarding Proxy-State [33] Attribute

2002-09-20 Thread Brandon Lehmann

Hi List,

We are currently trying to get FreeRadius 0.7.1 to work with our
VopRadius server. This is how it flows.

Our users dial into the Qwest Network. The Qwest NAS sends a request
to Qwest's radius proxy servers -> Qwest proxy servers send a request to one
of our proxy servers -> our proxy server sends the request to our VopRadius
server -> VopRadius authenticates the user. Sounds easy right?

This is what we are running into. On top of some errors about
accounting (FreeRadius wants us to add ALL of qwest's NAS boxes to the
clients file.. ick) we are not getting authenticated. The only reason that
this would happen is because our proxy server is NOT sending back a
Proxy-State [33] attribute. How can I make sure that FreeRadius sends this
attr back? If I can't get it to do this, can someone please advise a
software package that can do this?

Thank you and have a good day.

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED] 
www.nwonline.net




Re: Problems to use as proxy

2002-09-05 Thread Alan DeKok

Wolfgang Bremer <[EMAIL PROTECTED]> wrote:
> I'm trying to configure the freeradius (Version 0.5)  to proxy requests
> to a remote server.

  Please don't post problems or bug reports with old versions of the
server.  There are MANY bugs fixed in newer releases, see:

http://www.freeradius.org/radiusd/doc/ChangeLog

  If you can reproduce the problem with 0.7, then you might want to
try the latest CVS snapshot.

  If you can't reproduce the problem with 0.7, then the problem was
found and solved months ago.

  Alan DeKok.




Problems to use as proxy

2002-09-05 Thread Wolfgang Bremer

Hi,

I'm trying to configure the freeradius (Version 0.5)  to proxy requests
to a remote server.

I'm getting a message 'No request found for proxy reply from server XXX'

Has anybody got the same problem?

Here is some debug output:


Server#/usr/local/sbin/radiusd -x
Starting - reading configuration files ...
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:4079, id=163,
length=71
User-Name = "[EMAIL PROTECTED]"
User-Password = "o\264FU\260\n\317\346l\2134?\037F\272\214"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "1"
rlm_chap: Could not find proper Chap-Password attribute in request
Sending Access-Request of id 1 to 192.1.1.1:1812
User-Name = "radiustest"
User-Password =
"\215\022\360`\241t\227\203\344\3067\r\260\250z;"
    NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "1"
Proxy-State = "163"
rad_recv: Access-Accept packet from host 192.1.1.1:1812, id=1, length=37

No request found for proxy reply from server Radius2 - ID 1

The Server Radius2 just logs a successful login

regards

Wolfgang Bremer








Re: [FreeRadius] Random port for proxy requests?

2002-08-26 Thread Chris Parker

At 10:29 AM 8/25/2002 -0400, Tabor J. Wells wrote:
>On Sun, Aug 25, 2002 at 12:09:10PM +0200,
>Xavier Mertens <[EMAIL PROTECTED]> is thought to have said:
>
> > It's LVS (http://www.linuxvirtualserver.org)
> > What do you recommend to load-balance RADIUS traffic? Any suggestion?
>
>I've used Alteon products (now owned by Nortel) to load balance my RADIUS
>traffic at my last company. They are RADIUS aware and will do their health
>checks by trying to do an auth against each real server behind the virtual
>IPs.

You should be able to load balance with any udp aware load balancer as
long as you are not trying to proxy the requests from your systems to
anywhere else.

If you want to proxy from your systems, the situation becomes more complex
as you need to keep some sort of state so that proxy replies are returned
to the system that originally sent them.  Or you need to start playing with
different interfaces for inbound/outbound traffic ( so that your NAS see
the radius behind the LB, but proxy traffic outbound takes a different
source ip specific to each machine ).

A couple ways to do it, but you really have to have a solid understanding
of the radius protocol and the implications of source addresses and how
radius servers utilize the packet source to make decisions.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net
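
The state problem described in the message above, as an added model (not FreeRADIUS code and not part of the original post): two proxying nodes behind one balancer, first sharing an outbound source address, then each using its own. The addresses, class names and the rule that a node matches replies on (server address, port, Identifier) are assumptions made for the illustration.

```python
from itertools import cycle

HOME = ("192.0.2.10", 1812)      # constructed home-server address
VIP = "198.51.100.1"             # constructed address shared by the cluster


class ProxyNode:
    """One proxying RADIUS server and the requests it has forwarded."""

    def __init__(self, name, source_ip):
        self.name, self.source_ip = name, source_ip
        self.pending = {}        # (home ip, home port, id) -> original request
        self.next_id = 0

    def forward(self, nas_request, home):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # Identifier is one octet
        self.pending[(home[0], home[1], ident)] = nas_request
        return ident

    def on_reply(self, src, ident):
        original = self.pending.pop((src[0], src[1], ident), None)
        if original is None:
            return (False, "No request found for proxy reply from server "
                           f"{src[0]} - ID {ident}")
        return (True, original)


class StickyBalancer:
    """UDP balancer that pins each (source ip, source port) flow to one node."""

    def __init__(self, nodes):
        self.flows, self.order = {}, cycle(nodes)

    def pick(self, src):
        if src not in self.flows:
            self.flows[src] = next(self.order)
        return self.flows[src]


def shared_source():
    """Both nodes proxy from the VIP, so replies come back through the balancer."""
    a, b = ProxyNode("A", VIP), ProxyNode("B", VIP)
    lb = StickyBalancer([a, b])
    sent = [(a, a.forward("alice via A", HOME)),
            (b, b.forward("bob via B", HOME)),
            (b, b.forward("carol via B", HOME))]
    # All replies share one source (the home server), so one node gets them all.
    # Had B's reply with ID 0 arrived first, A would have matched it to its own
    # ID 0 request; only the Response Authenticator check would catch that.
    results = [lb.pick(HOME).on_reply(HOME, ident) for _, ident in sent]
    return results, len(b.pending)


def per_node_source():
    """Each node proxies from its own address; replies return to the sender."""
    a = ProxyNode("A", "198.51.100.11")
    b = ProxyNode("B", "198.51.100.12")
    by_ip = {node.source_ip: node for node in (a, b)}
    sent = [(a, a.forward("alice via A", HOME)),
            (b, b.forward("bob via B", HOME)),
            (b, b.forward("carol via B", HOME))]
    results = [by_ip[node.source_ip].on_reply(HOME, ident) for node, ident in sent]
    return results, len(a.pending) + len(b.pending)


if __name__ == "__main__":
    for label, fn in (("shared source", shared_source),
                      ("per-node source", per_node_source)):
        results, stranded = fn()
        print(label, results, "unanswered:", stranded)
```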






Re: [FreeRadius] Random port for proxy requests?

2002-08-25 Thread Tabor J. Wells

On Sun, Aug 25, 2002 at 12:09:10PM +0200,
Xavier Mertens <[EMAIL PROTECTED]> is thought to have said:

> It's LVS (http://www.linuxvirtualserver.org)
> What do you recommend to load-balance RADIUS traffic? Any suggestion?

I've used Alteon products (now owned by Nortel) to load balance my RADIUS
traffic at my last company. They are RADIUS aware and will do their health
checks by trying to do an auth against each real server behind the virtual
IPs.

-- 

Tabor J. Wells [EMAIL PROTECTED]
Fsck It! Just another victim of the ambient morality




Re: [FreeRadius] Re: [FreeRadius] Re: Random port for proxy requests?

2002-08-25 Thread Alan DeKok

Xavier Mertens <[EMAIL PROTECTED]> wrote:
> It's LVS (http://www.linuxvirtualserver.org)
> What do you recommend to load-balance RADIUS traffic? Any suggestion?

  No, sorry.  I would probably recommend using a custom version of
FreeRADIUS, as it knows about the RADIUS protocol.

  The LVS load-balancer appears to just load-balance random UDP
packets, and probably doesn't even work with RADIUS.

  Alan DeKok.




Re: [FreeRadius] Re: [FreeRadius] Re: Random port for proxy requests?

2002-08-25 Thread Xavier Mertens

It's LVS (http://www.linuxvirtualserver.org)
What do you recommend to load-balance RADIUS traffic? Any suggestion?

Xavier

--
http://www.rootshell.be
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

On Fri, 23 Aug 2002, Alan DeKok wrote:

> 
> Xavier Mertens <[EMAIL PROTECTED]> wrote:
> > To be honest, I don't know why the load-balancer does not perform its job.
> > Seems that it imagines that all requests from the same source port belong to
> > the same session... :(
> 
>   Then it's not a RADIUS load balancer.
> 
>   Alan DeKok.
> 
> 





Re: [FreeRadius] Re: Random port for proxy requests?

2002-08-22 Thread Xavier Mertens

Your comments are right.
To be honest, I don't know why the load-balancer does not perform its job.
Seems that it imagines that all requests from the same source port belong to
the same session... :(

Xavier

--
http://www.rootshell.be
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

On Thu, 22 Aug 2002, Alan DeKok wrote:

> 
> Xavier <[EMAIL PROTECTED]> wrote:
> > My radiusd is used as a proxy and sends requests to a load-balancer (LVS).
> > But all packets are forwarded with the same source port (8002) and the LVS is
> > unable to load-balance. Any suggestion or a patch to generate a random port?
> 
>   Why would this be necessary?  Why can't the load-balancer do
> something intelligent?
> 
> 
>   In order for FreeRADIUS to send proxied requests from random ports,
> it would have to open, and listen on, *many* sockets.  This gets
> expensive.  It also doesn't add anything to the server, and just makes
> it slower and more complicated.
> 
>   Alan DeKok.
> 
> 





Re: Random port for proxy requests?

2002-08-22 Thread Alan DeKok

Xavier <[EMAIL PROTECTED]> wrote:
> My radiusd is used as a proxy and sends requests to a load-balancer (LVS).
> But all packets are forwarded with the same source port (8002) and the LVS is
> unable to load-balance. Any suggestion or a patch to generate a random port?

  Why would this be necessary?  Why can't the load-balancer do
something intelligent?


  In order for FreeRADIUS to send proxied requests from random ports,
it would have to open, and listen on, *many* sockets.  This gets
expensive.  It also doesn't add anything to the server, and just makes
it slower and more complicated.

  Alan DeKok.




Random port for proxy requests?

2002-08-22 Thread Xavier

Hi,

I just installed a FreeRadius, works fine! Seems to be a very strong
implementation of the RADIUS protocol.

But, I already have a question. :)

My radiusd is used as a proxy and sends requests to a load-balancer (LVS).
But all packets are forwarded with the same source port (8002) and the LVS is
unable to load-balance. Any suggestion or a patch to generate a random port?

Xavier

--
http://www.rootshell.be
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc





Freeradius proxy server configuration

2002-08-14 Thread Zhang, Defu

I set up two freeradius servers to test the proxy feature.


In one machine (A), I installed radius server and a radius client testing program.

In another machine (B), I installed radius server only.


I configured server A and B by editing radiusd.conf, client.conf, and users.

I configured client testing program to point to B, it works fine. I send user name and password, the authentication is OK.

I changed client configuration program to point to A,  it works fine. I send user name and password, the authentication is OK.

Now, while client point to A, I tried to configure both radius servers in a realm.

I edited proxy.conf to include a realm. For example, 


    realm abcd.com {
        type    = radius
        authhost = xxx.xxx.xxx.xxx
        authhost = yyy.yyy.yyy.yyy
        secret = 1234
    }


The secret 1234 is used for both A, B and client.


I restarted both servers by specifying "-x" is debug mode.


My OS is RedHat 7.1 and RedHat 7.2. I know Freeradius-0.5 default to proxy server, so the server is already proxy server.

I submit password through client program as before. In users file of A, I have user "aa", in users file of B, I have user "bb".

When I submit aa, the authentication is OK from A.

When I submit bb, A rejects the authentication, and does not proxy the request to B. Nothing is sent to B and B received nothing.

Thanks in advance for help.


Defu Zhang





Re: accounting-start proxy error

2002-08-13 Thread Josh . Howlett

>> It works fine for authentication request/accept and accounting-stop, but
>> my  NAS complains about the accounting-start messages:
>
>   Then it's most likely a problem with the attributes in the
> accounting start packet.
>
>>  WARNING: Identifier does not match - ignoring response
>>  WARNING: Invalid response signature - check secret!
>
>   If the first message is true, then the second is caused by the
> first.
>
>   You say that the NAS complains about the accounting-start packet,
> but FreeRADIUS never sends one to the NAS, it only sends an
> Accounting-Response packet.  So where does this message come from, and
> when does it happen?

Sorry, my mistake, I meant Accounting-Request.

   This is what Freeradius gets from the NAS:

rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:, id=120, 
length=149
Acct-Delay-Time = 8
NAS-IP-Address = xxx.xxx.xxx.xxx
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = ""
Acct-Status-Type = Start
Acct-Session-Id = "3b7a0001"
Acct-Authentic = RADIUS
User-Name = "x"

   This is what Freeradius proxies to MS IAS:

Sending Accouting-Request of id 22 to xxx.xxx.xxx.xxx:
Acct-Delay-Time = 8
NAS-IP-Address = xxx.xxx.xxx.xxx
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = ""
Acct-Status-Type = Start
Acct-Session-Id = "3b7a0001"
Acct-Authentic = RADIUS
User-Name = "x"
Proxy-State = "120"

   Freeradius gets the following back from MS IAS:

rad_recv: Accouting-Response packet from xxx.xxx.xxx.xxx:, id=22, 
length=25
Proxy-State = 0x313230

   And sends it on to the NAS:

Sending Accouting-Response of id 120 to xxx.xxx.xxx.xxx:xx

   And the NAS generates the error:

WARNING: Identifier does not match - ignoring response
WARNING: Invalid response signature - check secret!

Josh Howlett, Networking and Digital Communications Group,
Information Systems & Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
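
The exchange in the trace above, as an added example (not code from the post or from FreeRADIUS): it rebuilds the three packets with the identifiers 120 and 22 and Proxy-State "120" from the trace, shows what a proxy has to do to the home server's reply before the NAS will accept it, and which of the two NAS warnings appear when it does not. The shared secrets, the NAS model with a single outstanding request and all function names are assumptions; the authenticators follow RFC 2866.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ACCT_STATUS_TYPE, ACCT_SESSION_ID, PROXY_STATE = 40, 44, 33
NAS_SECRET = b"nas-to-proxy-secret"      # constructed
HOME_SECRET = b"proxy-to-home-secret"    # constructed


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(packet):
    """Return [(type, value), ...] for the attributes after the 20-octet header."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def build(code, ident, seed, attrs, secret):
    """Authenticator = MD5(Code + ID + Length + seed + attributes + secret).
    seed is 16 zero octets for an Accounting-Request and the Request
    Authenticator of the matching request for an Accounting-Response."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + seed + attrs + secret).digest()
    return header + digest + attrs


def nas_check(request, reply, secret):
    """Warnings a client with one outstanding request raises for a reply."""
    warnings = []
    if reply[1] != request[1]:
        warnings.append("Identifier does not match - ignoring response")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        warnings.append("Invalid response signature - check secret!")
    return warnings


def proxy_relay(home_reply, nas_request, nas_secret):
    """Turn the home server's reply into the reply for the NAS: recover the
    NAS identifier from the proxy's own (last) Proxy-State, drop that
    attribute, and re-sign with the NAS request authenticator and secret."""
    attrs = parse_attrs(home_reply)
    index = max(i for i, (t, _) in enumerate(attrs) if t == PROXY_STATE)
    state = attrs.pop(index)[1]
    kept = b"".join(attr(t, v) for t, v in attrs)
    return build(ACCT_RESPONSE, int(state), nas_request[4:20], kept, nas_secret)


def scenario():
    start = attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))          # Start
    session = attr(ACCT_SESSION_ID, b"3b7a0001")
    nas_req = build(ACCT_REQUEST, 120, bytes(16), start + session, NAS_SECRET)
    proxied = build(ACCT_REQUEST, 22, bytes(16),
                    nas_req[20:] + attr(PROXY_STATE, b"120"), HOME_SECRET)
    home_reply = build(ACCT_RESPONSE, 22, proxied[4:20],
                       attr(PROXY_STATE, b"120"), HOME_SECRET)
    relayed = proxy_relay(home_reply, nas_req, NAS_SECRET)
    # Identifier rewritten to 120 but authenticator left as the home server made it.
    id_only = bytes([home_reply[0], 120]) + home_reply[2:]
    return {
        "home_reply_len": len(home_reply),
        "proxy_state_hex": parse_attrs(home_reply)[0][1].hex(),
        "relayed": nas_check(nas_req, relayed, NAS_SECRET),
        "verbatim": nas_check(nas_req, home_reply, NAS_SECRET),
        "id_only": nas_check(nas_req, id_only, NAS_SECRET),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The constructed home-server reply is 25 octets long and carries Proxy-State 0x313230, the same length and value as the reply in the trace.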




Re: accounting-start proxy error

2002-08-11 Thread Alan DeKok

[EMAIL PROTECTED] wrote:
> It works fine for authentication request/accept and accounting-stop, but my 
> NAS complains about the accounting-start messages:

  Then it's most likely a problem with the attributes in the
accounting start packet.
 
>   WARNING: Identifier does not match - ignoring response
>   WARNING: Invalid response signature - check secret!

  If the first message is true, then the second is caused by the
first.

  You say that the NAS complains about the accounting-start packet,
but FreeRADIUS never sends one to the NAS, it only sends an
Accounting-Response packet.  So where does this message come from, and
when does it happen?

> It seems strange that freeradius is only complaining about accounting-stop, 
> so it looks to me like freeradius is mis-handling accounting-start when 
> proxying them.

  I don't see why it would be treated any differently than any other
accounting messages...

  Alan DeKok.




accounting-start proxy error

2002-08-11 Thread Josh . Howlett

(apologies, re-sent with meaningful Subject field).

Hi,

I have freeradius 0.6 acting as a proxy for authentication and accounting.

It works fine for authentication request/accept and accounting-stop, but my 
NAS complains about the accounting-start messages:

WARNING: Identifier does not match - ignoring response
WARNING: Invalid response signature - check secret!

Freeradius does not generate any error messages in debug mode (-X).

It seems strange that freeradius is only complaining about accounting-stop, 
so it looks to me like freeradius is mis-handling accounting-start when 
proxying them.  Has anyone else seen this behaviour?

josh.

Josh Howlett, Networking and Digital Communications Group,
Information Systems & Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850




How to Configure Proxy server

2002-07-29 Thread Sachin Jain

Hi,
I want to know how to configure a proxy server. My requests come from one 
host to a radius server which I want to forward to
another server. I added the entry for the host in proxy.conf specifying the 
realm as xx.yy.com and gave the address of the remote server
as auth-host.
However my requests are not forwarded. Can someone help.

Thanks
Sachin





Re: proxy accounting

2002-07-25 Thread Alan DeKok

Igor Chen <[EMAIL PROTECTED]> wrote:
> I tried to configure proxying accounting requests to another radius
> server (NAS -->A-->B), but it just doesn't send anything. Authorization and
> authentication work perfectly.

  Debugging mode says... ?

  Alan DeKok.




Re: Proxy problem

2002-07-25 Thread Alan DeKok

Ionut Muntean <[EMAIL PROTECTED]> wrote:
> Does anyone know what is wrong when you receive the following message?
> 
> Proxy: No request found for proxy reply from server  - ID X

  The proxy has sent a reply for a request which the server doesn't
know about.

  Alan DeKok.




proxy accounting

2002-07-25 Thread Igor Chen

Hi!
I tried to configure proxying accounting requests to another radius
server (NAS -->A-->B), but it just doesn't send anything. Authorization and
authentication work perfectly.

I've added

server A:
realm test {
        type            = radius
        authhost        = server.B:1812
        accthost        = server.B:1812
        secret          = test123
}

to proxy.conf and

server B:

client ip.of.server.A {
        secret          = test123
        shortname       = A
}

Just tell me where to read about that. I read
http://portmasters.com/www.livingston.com/tech/docs/radius/proxy.html
before asking that question

Will appreciate any help

-- 
cron-ripe





Proxy problem

2002-07-24 Thread Ionut Muntean

Hi,

Does anyone know what is wrong when you receive the following message?


Proxy: No request found for proxy reply from server  - ID X


10x,


-- 
Ionut Muntean




ignore proxy from certain IP

2002-07-18 Thread Kevin Bonner

I've read docs & mailing lists, and played with a test server, but I still 
cannot figure this out.  How can I tell FR to not proxy an accounting packet 
if it came from a specific IP?

I have added an entry into proxy.conf where the accthost is LOCAL, and setup 
an entry in acct_users to proxy to this fake realm.  It matches in the entry 
in the acct_users file, but still proxies to the accthost for the realm.

Here's what I have in my acct_users file:
DEFAULT Client-IP-Address == "192.168.1.28", Replicate-To-Realm := "ignore"

In proxy.conf, I have:
realm ignore {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
        notrealm
        nostrip
}

In radiusd.conf:
preacct {
        preprocess
        files
        suffix
}

The preprocess and suffix settings are unchanged.  In the files module, I've 
set cistron compatibility.

Is there a setting I can put in the acct_users file to basically skip the 
suffix realm checks?  Can I reorder entries in radiusd.conf to get it to do 
this?

Thanks,
Kevin




accounting proxy question

2002-07-15 Thread Kevin Bonner

I'm trying to get freeradius 0.6 to bypass the proxy settings and handle the 
packet locally if an accounting packet comes from a certain IP.  Here's what 
I've got so far, but it still tries to proxy to the NULL realm accthost when 
I send an accounting packet.  Any help would be appreciated.

Kevin

radiusd.conf:
files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = cistron
}
...
preacct {
        files
        suffix
        preprocess
}
accounting {
        radutmp
}

acct_users:
DEFAULT Client-IP-Address == "192.168.1.12", Proxy-To-Realm := "ignore"

proxy.conf:
realm ignore {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
        notrealm
        nostrip
}
realm NULL {
        type            = radius
        authhost        = LOCAL
        accthost        = 192.168.1.28:1646
        secret          = simplekey
}




Re: FreeRADIUS Proxy and MS IAS

2002-07-11 Thread Alan DeKok

Dimitar Peikov <[EMAIL PROTECTED]> wrote:
> Unfortunately I made the proxy request but only PAP authentication
> succeeds. When using CHAP the complaint is about a bad password!

  Read the FAQ on CHAP versus PAP.  The same issues apply to IAS.

  Alan DeKok.




Re: FreeRADIUS Proxy and MS IAS

2002-07-11 Thread Dimitar Peikov

On Wed, 10 Jul 2002 12:25:31 -0400
"Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Dimitar Peikov <[EMAIL PROTECTED]> wrote:
> > In this case NAS is MS RAS on 2k Server.
> > 
> > This is explanation of error event 'A malformed request was received from
> > client . The data is the packet.'
> 
>   OK, it may be bugs in tunnelling code, which was fixed in 0.6.  If
> you're running an earlier version, you should upgrade.
> 
>   Alan DeKok.
> 

Unfortunately I made the proxy request but only PAP authentication succeeds. When using
CHAP the complaint is about a bad password! As I see, CHAP-Challenge and CHAP-Password are the
same (perhaps the secret key is the same, but the client differs).

User 'mitko' is 'ASP' domain member.

Event Viewer log:

User mitko was denied access.
 Fully-Qualified-User-Name = ASP\mitko
 NAS-IP-Address = 192.168.202.163
 NAS-Identifier = 
 Called-Station-Identifier = 
 Calling-Station-Identifier = 192.168.202.114
 Client-Friendly-Name = 192.168.202.57
 Client-IP-Address = 192.168.202.57
 NAS-Port-Type = Virtual
 NAS-Port = 6
 Policy-Name = 
 Authentication-Type = 
 EAP-Type = 
 Reason-Code = 16
 Reason = There was an authentication failure because of an unknown user name or a bad 
password.




FreeRADIUS log :
rad_recv: Access-Request packet from host 192.168.202.163:4803, id=51, length=176
NAS-IP-Address = 192.168.202.163
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 6
MS-RAS-Vendor = 311
MS-RAS-Version = "MSRASV5.00"
NAS-Port-Type = Virtual
Tunnel-Type:0 = PPTP
Tunnel-Medium-Type:0 = IP
Calling-Station-Id = "192.168.202.114"
Tunnel-Client-Endpoint:0 = "192.168.202.114"
User-Name = "mitko@ASP"
CHAP-Challenge = ";\2108\244\203G\016\317\250\255m\342\256(\302\001"
CHAP-Password = 0x007a52b3ed135b71ce9357b7d05589a781

Sending Access-Request of id 7 to 192.168.202.163:1645
User-Name = "mitko"
NAS-IP-Address = 192.168.202.163
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 6
MS-RAS-Vendor = 311
MS-RAS-Version = "MSRASV5.00"
NAS-Port-Type = Virtual
Tunnel-Type:0 = PPTP
Tunnel-Medium-Type:0 = IP
Calling-Station-Id = "192.168.202.114"
Tunnel-Client-Endpoint:0 = "192.168.202.114"
CHAP-Challenge = ";\2108\244\203G\016\317\250\255m\342\256(\302\001"
CHAP-Password = 0x007a52b3ed135b71ce9357b7d05589a781
Proxy-State = "51"
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Reject packet from host 192.168.202.163:1645, id=7, length=24
Proxy-State = 0x3531





-- 
Dimitar Peikov
Programmer Analyst
Globalization Group
"We Build e-Business"  

RILA Solutions  
27 Building, Acad.G.Bonchev Str.  
1113 Sofia, Bulgaria  

phone: (+359 2) 9797320 
phone: (+359 2) 9797300 
fax:   (+359 2) 9733355  
http://www.rila.com 




Re: FreeRADIUS Proxy and MS IAS

2002-07-10 Thread Alan DeKok

Dimitar Peikov <[EMAIL PROTECTED]> wrote:
> In this case NAS is MS RAS on 2k Server.
> 
> This is explanation of error event 'A malformed request was received from
> client . The data is the packet.'

  OK, it may be bugs in tunnelling code, which was fixed in 0.6.  If
you're running an earlier version, you should upgrade.

  Alan DeKok.




Re: FreeRADIUS Proxy and MS IAS

2002-07-10 Thread Dimitar Peikov

On Wed, 10 Jul 2002 12:00:18 -0400
"Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Dimitar Peikov <[EMAIL PROTECTED]> wrote:
> > If I point directly from NAS to either FreeRADIUS or MS IAS
> > authentication goes alright but when I try to proxy MS IAS via
> > FreeRADIUS I get errors on MS Event viewer.
> 
>   Which are...?
> 
>   Alan DeKok.

In this case NAS is MS RAS on 2k Server.

This is explanation of error event 'A malformed request was received from client . 
The data is the packet.'



-- 
Dimitar Peikov
Programmer Analyst
Globalization Group
"We Build e-Business"  

RILA Solutions  
27 Building, Acad.G.Bonchev Str.  
1113 Sofia, Bulgaria  

phone: (+359 2) 9797320 
phone: (+359 2) 9797300 
fax:   (+359 2) 9733355  
http://www.rila.com 




Re: FreeRADIUS Proxy and MS IAS

2002-07-10 Thread Alan DeKok

Dimitar Peikov <[EMAIL PROTECTED]> wrote:
> If I point directly from NAS to either FreeRADIUS or MS IAS
> authentication goes alright but when I try to proxy MS IAS via
> FreeRADIUS I get errors on MS Event viewer.

  Which are...?

  Alan DeKok.




FreeRADIUS Proxy and MS IAS

2002-07-10 Thread Dimitar Peikov


Hi,

Did someone try to proxy to MS IAS on 2K Server? I've got bad success
about that and need some help, or example on this. If I point directly
from NAS to either FreeRADIUS or MS IAS authentication goes alright but
when I try to proxy MS IAS via FreeRADIUS I get errors on MS Event viewer.

Any thoughts can be useful.

10x

-- 
Dimitar Peikov
Programmer Analyst
Globalization Group
"We Build e-Business"  

RILA Solutions  
27 Building, Acad.G.Bonchev Str.  
1113 Sofia, Bulgaria  

phone: (+359 2) 9797320 
phone: (+359 2) 9797300 
fax:   (+359 2) 9733355  
http://www.rila.com 




Re: accounting on a proxy

2002-07-02 Thread Chris Parker

At 10:59 AM 7/2/2002 +0100, [EMAIL PROTECTED] wrote:
>Hi,
>
>Is it possible to configure a Freeradius proxy to log details of 
>accounting packets that it is proxying?

Yes.  Simply add the appropriate module to the 'accounting' block of
the server's config.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






accounting on a proxy

2002-07-02 Thread Josh . Howlett

Hi,

Is it possible to configure a Freeradius proxy to log details of accounting 
packets that it is proxying?

thanks, josh.

Josh Howlett, Networking and Digital Communications Group,
Information Systems & Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850




Proxy Authentication Override

2002-06-27 Thread Eric Dean

We have a proxied customer that uses DNIS as part of their authentication
sequence; however Qwest and UUNET do not supply DNIS as part of their tests.

Is there a way to create a user [EMAIL PROTECTED] and have him locally
authenticate against a users file while allowing everything else to
proxy...or asked in a different way, can a failed proxied request get
changed into a success via some manner?

I already run access.deny and know how to turn a success into a failure, but
my attempts at reversal are not successful.





authorization after proxy access-accept (latest CVS)

2002-06-27 Thread Bobi

Hi list,
I'm wondering how sql authorization pass to be ignored when my proxy 
access-request is accepted.
Now after successful proxy accept my sql authorization module tries to 
authorize the user once more:

rad_recv: Access-Accept packet from host xx.xx.xx.xx:1812, id=12, length=63
Framed-Protocol = PPP
Idle-Timeout = 900
Filter-Id = "pmr.100"
Service-Type = 2
Framed-Compression = Van-Jacobson-TCP-IP
Session-Timeout = 86112
Proxy-State = 0x3737
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Proxy reply, or no user name.  Ignoring.
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 167
  modcall[authorize]: module "files" returns ok
modcall: entering group redundant
radius_xlat:  'some_username'
sql_set_user:  escaped user --> 'some_username'
radius_xlat:  'select * from table'



here is my conf:
authorize {
preprocess
suffix
files
sql

}

authenticate {
authtype PAP {
pap
}
}

-- 
B.



