Report to Recipient(s)
Incident Information:
Originator: [EMAIL PROTECTED]
Recipients: [EMAIL PROTECTED]
Subject: Freeradius-Users digest, Vol 1 #2697 - 6 msgs

The file mime001.txt (1c80.eml) you received was infected with the Exploit-MIME.gen.b virus and was deleted.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Language
Content-Type: application/octet-stream; name=search[1].htm
Content-Transfer-Encoding: base64
Re: compilation problem - cygwin
s, et al. -

I'm sure that if you stick with it you can figure it out. Whenever I get to where you are, I throw -v option in my gcc command to see the linker command and then I play with making the linker command work specifically. I might try writing a simple c program that links to the crypt library and see if you can get that to build.

Does that -enable-static work with only one - ? It looks like a "long" option, needing 2 -'s

Why are you trying to enable static? Does freeradius require it on solaris?

- G

Simon Gray wrote:

Thanks for your help.

"-/usr/lib" ? That isn't a valid option to gcc. Try "-L/usr/lib"

However, that last one was a bit of a red herring/typo the real output does contain "-L/usr/lib"

Any other ideas?

S
raddb users file
Can anyone send me a copy of their users file, I am setting up freeradius 0.9.3 on slackware. I am used to livingston so I need to see a users file because I know a few words are different.

Byron
Re: Disabling User
We have a denyuser group and we move the username into, they are not allowed to dial up but it will allow them to check mail. If you don't want them to check mail I think the way you are doing it is easy and works..

byron

- Original Message -
From: "Devin Atencio" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 07, 2004 11:11 AM
Subject: Disabling User

> I was wondering if there was an easy way to disable a user so that if they
> Try to dialup it would deny them access. Currently our method is we just
> Change the user's password. I have tried to set Simulatenous-Use to 0 but
> That doesn't appear to work. Any ideas on a good way ?
Re: freeradius + MySQL on remote host question
Alan,

Thanks for your reply. Actually I spent considerable time going through the FAQ, docs, etc. I even committed "death by Google". I can't tell you how much time I invested in research before posting to the list.

Specifically my challenge is this.

1) I am new to freeradius, and radius in general.
2) From what I have read in the texts it appears there are several "unique" things in our implementation. Trying to pare down the variables and hone in on the cause is especially difficult when ld doesn't return any %^&&*$%** errors during compile.

I also encountered a number of contradictions in respect to documentation. So being new to freeradius and not being familiar with the internals, it is hard for me to judge where this error is coming from considering I have 3 other applications compiled from scratch on the same box with the same mysql setup and they are working fine.

Subsequent to my post I did determine that in fact *ld* was not linking in mysqlclient. If I compile with shared libs, freeradius segfaults as I described in my previous post, however if I compile with static libs, freeradius complains "rlm_sql: Could not link driver rlm_sql_mysql: file not found" (I know 4.14 of the FAQ). That is where I am currently. I had to turn my attention to some other pressing matters, but will pick this up again in the next few days.

My post to the list was twofold. I was hoping that I would get flamed (meaning I missed something silly) or someone may have seen this before and could point me in a specific direction of things to check. Since neither occurred I gather I am out in the tall grass again. Sigh...

Thanks

Robert Causey
iMedia Associates

Alan DeKok wrote:

Robert Causey <[EMAIL PROTECTED]> wrote:

After we built the shared library we could run the freeradius config script and it would detect the presence of the mysql client. We than ran make and it did not report any errors.

And it won't run. Why? Your ld.so doesn't know about the library in /usr/local/mysql/lib. Whose fault is that? Yours.

Did you try reading the FAQ, or the "libdir" configuration in radiusd.conf?

Alan DeKok.
Anyone using rlm_ldap against Oracle Internet Directory?
Particularly in relation to standard dialup and pppoe-adsl/ftth auth. I'd appreciate an off-list contact (since little of this is strictly relevant to FR) if you are. I have my proof-of-concept design basically functioning but have a couple oidldapd-specific questions I'd like to bounce off someone who's already done it.

--
David Van Cleef - Engineering Manager
[EMAIL PROTECTED] - Fusion Network Services, K.K.
[EMAIL PROTECTED] - Global OnLine Japan
--
"We have forgotten at least two important things..."
--
Re: Mailing List suggestion...
Hey Vincent are you always so positive???

Byron

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 07, 2004 2:07 PM
Subject: Re: Mailing List suggestion...

> [EMAIL PROTECTED] wrote on 01/07/2004 01:59:26 PM:
>
> > Greetings...
> >
> > Would it be a good idea to replace the footer added to each message
> > with something like:
> >
> > -
> > Before posting please read/search:
> > http://www.freeradius.org/faq
> > http://lists.cistron.nl/pipermail/freeradius-users
> > http://lists.cistron.nl/pipermail/freeradius-devel
> > http://www.google.com
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> Why bother? They don't read the current one, either! :)
>
> Vincent Giovannone
> Network Infrastructure Group
> Information Services Division
> Rush University Medical Center
Re: Implementing a realtime-prepaid platform with freeradius
German,

I am currently working on something similar. I can't go into great detail because I am under NDA, however I can give you the general approach.

In Cisco VOIP applications it is possible to do authentication via what Cisco refers to as AAA authentication. This really does authentication to a radius server. Using freeradius with mysql, it is possible to include some custom attributes associated with the user that will be returned with the authorization query. It then should be possible from your Cisco TCL script to use those attributes and handle the call accordingly. Your backend systems could then simply update the mysql database for realtime updates.

Look at the Cisco web site for information on TCL and writing IVR scripts. There is some sample code and applications there as well that should help. Also look at the mysql db schema and sql.conf that is included in the freeradius dist and if you haven't already, pick up a copy of the radius book from O'Reilly. This will start to give you an idea of how flexible the integration is, and how you can massage the sql queries to get the custom attributes.

Hope this helps.

Robert Causey
iMedia Associates

German Viera wrote:

Hi everybody,

I have been working with free radius for a while and I think is one of the most useful open source radius servers around. Right now I am just logging accounting details for a VoIP platform, also making auth to users (both with the text detail and users file.) My question is if does anybody of the freeradius community implemented or is implementing a real-time prepaid service for users. If don't I would like to know if somebody could give me some tip to code an application that receive the RADIUS logs of auth in order to response with the availability of time, depending on the dialed number (I am using cisco AS5300 ..and I think some VSA have this items) also that updates the time left in the users file .

Hope somebody could give me a hand on this ,

Regards,

German Viera
Montevideo
Uruguay
Re: Disabling User
If it is a linux system try passwd -l username to lock account and passwd -u username to unlock.

Richard

- Original Message -
From: "Bill Campbell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 07, 2004 1:27 PM
Subject: Re: Disabling User

> On Wed, Jan 07, 2004, Anson Rinesmith wrote:
> >Just set their Auth-Type := Reject, no need to change the password.
>
> That's fine for radius, but doesn't solve the larger problem (e.g. POP/IMAP
> access and other things that depend on the password).
>
> Bill
> --
> INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC
> UUCP: camco!bill PO Box 820; 6641 E. Mercer Way
> FAX:(206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
> URL: http://www.celestial.com/
>
> What's this script do?
> unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep
> Hint for the answer: not everything is computer-oriented. Sometimes you're
> in a sleeping bag, camping out.
> (Contributed by Frans van der Zande.)
Re: IP setting for supplicant
So should I enable DHCP for the AP? Also, another thing, when I set the supplicant's ip settings to auto, the AP cannot be reached (no reply from ping, can't access the AP). I can only access and ping the AP when I set a static ip for the supplicant.

Thanks

From: "Alan DeKok" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: IP setting for supplicant
Date: Wed, 07 Jan 2004 16:46:54 -0500

"matt morris" <[EMAIL PROTECTED]> wrote:
> I tried taking out the Framed-IP-Netmask line and set my supplicant's ip to
> be dynamic after, but it still doesn't have access to the internet. The ip
> and netmask of the supplicant are both still 0.0.0.0, and the DHCP server is
> 255.255.255.255 from ipconfig. I want to ask how should I configure the DHCP
> settings in my supplicant, AP and router. Right now only the router has DHCP
> enabled, and the WinXP supplicant is using dynamic ip.

The supplicant gets its IP from the AP. The AP gets that IP from the RADIUS server.

Alan DeKok.
RE: Free Radius and non-plain text passwords (resolution)
Replying to two messages here...

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Alan DeKok
> Sent: Wednesday, January 07, 2004 11:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Free Radius and non-plain text passwords
>
> "Phillip Ames" <[EMAIL PROTECTED]> wrote:
> > I have been able to get Free Radius to authenticate from a router
> > using CHAP. The problem with this is that the passwords are stored
> > in plain text in the users file on the authentication server.
>
> See the FAQ. This isn't much of a problem.

From the FAQ section 4.4:

-
You have 2 choices:

1. You allow CHAP and store all the passwords plaintext.
   Advantage: passwords don't go cleartext over the phone line between the user and the terminal server.
   Disadvantage: You have to store the passwords in cleartext on the server.
2. You don't allow CHAP, just PAP.
   Advantage: you don't store cleartext passwords on your system.
   Disadvantage: passwords go in cleartext over the phone line between the user and the terminal server.

Now, people say CHAP is more secure. Now you decide which is more likely:

- the phone line between the user and the terminal server gets sniffed and a cracker (a GOOD one) intercepts just one password
- your radius server is hacked into and a cracker gets ALL passwords of ALL users.

Right. Still think CHAP is more secure ? I thought so.
-

Personally, I would find it more likely that the latter scenario occurs and all the passwords are now in plaintext available to the cracker. This also seems to be what the last line implies, indicating that it _is_ a problem to leave a lot of plaintext passwords lying around (or perhaps I'm just not getting the sarcasm through a text-only rendition of the FAQ). Regardless, now that I have learned about the Crypt-Password attribute, I am satisfied with how they are stored on the server user file.

Is it possible that the sample "users" file could be updated to include a sample entry that uses a Crypt-Password attribute? Grep'ing the entire stock raddb/ directory shows that it is only mentioned in mssql.conf(line 102) and postgresql.conf(line 126) which is fine for database users but I think it's important enough that it should be included in the generic "users" file which most people will at least read when looking for examples.

[rest of message snipped]

On to message 2!

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Alan DeKok
> Sent: Wednesday, January 07, 2004 11:04 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Free Radius and non-plain text passwords (resolution)

[snip]

> > On a side note, I was also unable to discover anything different between
> > Auth-Type := System and Auth-Type := Local.
>
> There's a huge difference. Try using the *default* configuration
> files as shipped, and you'll see that the users are authenticated
> against /etc/passwd, for Auth-Type = "System". Read the default
> "users" file. It explains this.

Thank you for pointing that out, I didn't see that previously.

-Phil
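The trade-off in the FAQ excerpt quoted above, as an added example that is not part of the original thread or of FreeRADIUS: a CHAP response (RFC 1994) is MD5 over the identifier, the password and the challenge, so the server can only verify it when it holds the cleartext password, while PAP delivers the password itself and can be checked against a one-way hash. The PBKDF2 helper is an assumed stand-in for a crypt(3)-style Crypt-Password value, and the class, function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Assumption: PBKDF2-SHA256 stands in for a crypt(3)-style stored hash."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


class UserStore:
    """Toy credential store holding either cleartext or salted hashes."""

    def __init__(self, store_cleartext: bool):
        self.store_cleartext = store_cleartext
        self.users = {}

    def add(self, name: str, password: bytes) -> None:
        if self.store_cleartext:
            self.users[name] = {"cleartext": password}
        else:
            salt = os.urandom(16)
            self.users[name] = {"salt": salt,
                                "hash": one_way_hash(password, salt)}

    def verify_pap(self, name: str, password: bytes) -> bool:
        # PAP: the password itself arrives, so a stored hash is sufficient.
        rec = self.users.get(name)
        if rec is None:
            return False
        if "cleartext" in rec:
            return hmac.compare_digest(rec["cleartext"], password)
        candidate = one_way_hash(password, rec["salt"])
        return hmac.compare_digest(rec["hash"], candidate)

    def verify_chap(self, name: str, ident: int,
                    challenge: bytes, response: bytes) -> bool:
        # CHAP: only a digest arrives; recomputing it needs the cleartext.
        rec = self.users.get(name)
        if rec is None:
            return False
        if "cleartext" not in rec:
            raise ValueError("CHAP needs the cleartext password; "
                             "only a one-way hash is stored")
        expected = chap_response(ident, rec["cleartext"], challenge)
        return hmac.compare_digest(expected, response)

    def accounts_with_recoverable_password(self) -> list:
        """Accounts whose password can be read straight out of the store."""
        return [n for n, rec in self.users.items() if "cleartext" in rec]


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    password = b"s3cret"
    challenge = bytes(range(16))
    response = chap_response(7, password, challenge)

    chap_store = UserStore(store_cleartext=True)
    pap_store = UserStore(store_cleartext=False)
    for store in (chap_store, pap_store):
        store.add("alice", password)

    print("CHAP against cleartext store:",
          chap_store.verify_chap("alice", 7, challenge, response))
    print("PAP against hashed store:",
          pap_store.verify_pap("alice", password))
    try:
        pap_store.verify_chap("alice", 7, challenge, response)
    except ValueError as err:
        print("CHAP against hashed store:", err)
    print("Readable at rest (cleartext store):",
          chap_store.accounts_with_recoverable_password())
    print("Readable at rest (hashed store):",
          pap_store.accounts_with_recoverable_password())
```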
Re: Detail File
"Bobby R. Cox" <[EMAIL PROTECTED]> wrote:
> I would like the detail file/dir to look like this...
>
> /usr/var/radius/radacct/detail

The server doesn't look up hostnames, because it takes too long.

> I am not sure on the syntax to get the host name to show rather than
> the client ip address.

"ln -s"

$ cd /usr/var/radius/radacct
$ mkdir
$ ln -s hostname>

Then edit the detailfile as you said.

Alan DeKok.
Detail File
Hello,

I am tweaking the detail section of the radiusd.conf. It states in the file that you can have the detail file created under the host directory. Currently mine looks like this...

detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

which created a detail file/dir like such

/usr/var/log/radius/radacct//detail-

I would like the detail file/dir to look like this...

/usr/var/radius/radacct/detail

I am not sure on the syntax to get the host name to show rather than the client ip address. Is this correct..?

detailfile = ${radacctdir}/%{Client-Hostname}/detail

TIA

Bobby R. Cox
Linux Systems Administrator
Project Mutual Telephone

Fix the Problem Not the Blame <><
Re: IP setting for supplicant
"matt morris" <[EMAIL PROTECTED]> wrote:
> I tried taking out the Framed-IP-Netmask line and set my supplicant's ip to
> be dynamic after, but it still doesn't have access to the internet. The ip
> and netmask of the supplicant are both still 0.0.0.0, and the DHCP server is
> 255.255.255.255 from ipconfig. I want to ask how should I configure the DHCP
> settings in my supplicant, AP and router. Right now only the router has DHCP
> enabled, and the WinXP supplicant is using dynamic ip.

The supplicant gets its IP from the AP. The AP gets that IP from the RADIUS server.

Alan DeKok.
Re: IP setting for supplicant
Thanks for your reply.

I tried taking out the Framed-IP-Netmask line and set my supplicant's ip to be dynamic after, but it still doesn't have access to the internet. The ip and netmask of the supplicant are both still 0.0.0.0, and the DHCP server is 255.255.255.255 from ipconfig. I want to ask how should I configure the DHCP settings in my supplicant, AP and router. Right now only the router has DHCP enabled, and the WinXP supplicant is using dynamic ip. I'm going to try the Framed-Route attribute next, but I just want to make sure the DHCP setting is right 1st, if it has anything to do with the problem.

Thanks again.

From: "Alan DeKok" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: IP setting for supplicant
Date: Wed, 07 Jan 2004 10:47:26 -0500

"matt morris" <[EMAIL PROTECTED]> wrote:
> (2) Redhat 7.2 with Freeradius 0.9.3, with its own WAN ip; in the user file:
> Framed-IP-Address =192.168.0.105, Framed-IP-Netmask = 255.255.255.0,
> Framed-MTU = 1380

See the FAQ for reasons why you don't want to use Framed-IP-Netmask.

> (Actually a question: Does the user's framed-MTU have to match that of the
> AP's?)

If not, you'll get fragmentation.

> (3) WinXP Supplicant, set with static ip 192.168.0.105 and netmask
> 255.255.255.0, Default gateway and DNS to router's internal ip.

Huh? You're trying to use RADIUS to set an IP when the supplicant already has a static IP? You do realize that your configuration is inconsistent, don't you?

> Both freeradius' and the AP's log shows the authentication was successful,
> but the supplicant was not supplied with an ip (just 0.0.0.0). I've tried
> getting rid of router from the setup (un-setting the Ap's default gateway
> and DNS while setting the supplicant's to the internal ip of the AP), but
> still no luck

Try configuring the supplicant to use a dynamic IP, rather than a static one. That might make a difference.

Alan DeKok.
Re: Disabling User
On Wed, Jan 07, 2004, Anson Rinesmith wrote:
>Just set their Auth-Type := Reject, no need to change the password.

That's fine for radius, but doesn't solve the larger problem (e.g. POP/IMAP access and other things that depend on the password).

Bill
--
INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC
UUCP: camco!bill PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

What's this script do?
unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep
Hint for the answer: not everything is computer-oriented. Sometimes you're in a sleeping bag, camping out.
(Contributed by Frans van der Zande.)
RE: Disabling User
Just set their Auth-Type := Reject, no need to change the password.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devin Atencio
Sent: Wednesday, January 07, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: Disabling User

I was wondering if there was an easy way to disable a user so that if they Try to dialup it would deny them access. Currently our method is we just Change the user's password. I have tried to set Simulatenous-Use to 0 but That doesn't appear to work. Any ideas on a good way ?
Re: Mailing List suggestion...
[EMAIL PROTECTED] wrote on 01/07/2004 01:59:26 PM:

> Greetings...
>
> Would it be a good idea to replace the footer added to each message
> with something like:
>
> -
> Before posting please read/search:
> http://www.freeradius.org/faq
> http://lists.cistron.nl/pipermail/freeradius-users
> http://lists.cistron.nl/pipermail/freeradius-devel
> http://www.google.com
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Why bother? They don't read the current one, either! :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center
Re: Implementing a realtime-prepaid platform with freeradius
Hi German,

I'm sure you aren't alone - there are many people who think of this (including me). There are some projects started for opensource billing that supports prepaid. You may try to look at Mike Tkachuk's http://sourceforge.net/projects/voipbill/, it's not finished yet though.

Through perl scripts you can do what you want easily. There is also an experimental perl module you might wanna look at (see experimental.conf in your raddb). This module is used in production environment by some people and is supposed to be faster than exec-program-wait. In this experimental.conf you will find reference to example.pl script that contains usable comments that should get you started easily.

The correct way to set h323-credit-time is

$RAD_REPLY{'h323-credit-amount'} = "h323-credit-time=100"; # sets timeout to 100

Called-Station-Id key of %RAD-REQUEST should contain dialed digits.

Beware, I'm a newbie in radius and, therefore, I might be wrong (just as anybody else) ;))

Hope this helps.

> Hi everybody,
>
> I have been working with free radius for a while and I think is one of the most
> useful open source radius servers around.
> Right now I am just logging accounting details for a VoIP platform, also making auth
> to users (both with the text detail and users file.) My question is if does anybody
> of the freeradius community implemented or is implementing a real-time prepaid service
> for users. If don't I would like to know if somebody could give me some tip to code
> an application that receive the RADIUS logs of auth in order to response with the
> availability of time, depending on the dialed number (I am using cisco AS5300 ..and
> I think some VSA have this items) also that updates the time left in the users file .
>
> Hope somebody could give me a hand on this ,
>
> Regards,
>
> German Viera
> Montevideo
> Uruguay
Re[4]: freeradius MSCHAPv2 possible bug
Hello Alan, You've been absolutely right. The bug was in radius module for pppd and it sent wrong MS-CHAP2-Response value for freeradius. Problem was in function, which compose this attribute from client authentication response. Format of PPP response packet and MS-CHAP-Response av pair differs slightly, confirming the comments of the developer of the plug-in (something about idiots). I've seen here that 3 person in this mailing list are suffering from the same bug, so, could you please excuse the posting of the patch? It was made against the latest cvs version of pppd from samba.org: Index: radius.c === RCS file: /cvsroot/ppp/pppd/plugins/radius/radius.c,v retrieving revision 1.21 diff -u -r1.21 radius.c --- radius.c25 Nov 2003 11:50:10 - 1.21 +++ radius.c7 Jan 2004 19:18:43 - @@ -425,7 +425,7 @@ case CHAP_MICROSOFT_V2: { /* MS-CHAP-Challenge and MS-CHAP2-Response */ - MS_Chap2Response *rmd = (MS_Chap2Response *) (response + 1); + MS_Chap2Response *rmd = (MS_Chap2Response *) response; u_char *p = cpassword; if (response_len != MS_CHAP2_RESPONSE_LEN) It completely fixes the problem of authenticating with pppd against freeradius using MSCHAPv2. I sent this patch to one of the maintainers of the pppd and asked to commit it to the source tree. Hope fixed pppd will be available for wide public soon. Kind regards, Anton Golubev - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
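Review bot: the new cast `MS_Chap2Response *rmd = (MS_Chap2Response *) response;` in the `CHAP_MICROSOFT_V2` case depends on `response` already pointing at the first byte of the response value, and nothing in the hunk says so. Please add a short comment at the cast stating what `response` and `response_len` cover at this point (with or without a leading size byte), so that the pointer and the `response_len != MS_CHAP2_RESPONSE_LEN` check are visibly measured from the same offset and the `+ 1` is not reintroduced later.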
Mailing List suggestion...
Greetings...

Would it be a good idea to replace the footer added to each message with something like:

-
Before posting please read/search:
http://www.freeradius.org/faq
http://lists.cistron.nl/pipermail/freeradius-users
http://lists.cistron.nl/pipermail/freeradius-devel
http://www.google.com
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Just a suggestion...

Miguel

C. Miguel Marques, Development Services, Computing and Network Services, York University
e-mail: miguel at yorku.ca, voice: (416)736-2100x22684, fax: (416)736-5830
Re: Freeradius on Debian
You should really post questions directly to the freeradius mailing list. That way other people can see the answers provided.

> I was reading your answer in the freeradius forum, and I perceived that you
> use DEBIAN. I'm using DEBIAN too, and I'm having a problem with my
> freeradius configuration, I imagine! Always my NAS try to authenticate an
> client in the server I receive a message like this:
>
> rad_recv: Access-Request packet from host 192.168.1.11:3618, id=133, length=59
> Ignoring request from unknown client 192.168.1.11:3618

Looks like it doesn't recognize your NAS. Check your clients.conf file and make sure you have a client listed for your NAS with the correct secret and a short name. Look at the default clients.conf file for examples.

Nick
--
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services
Re: freeradius MSCHAPv2 possible bug
Mauro Luzi <[EMAIL PROTECTED]> wrote:
> I tried all options: NT-Password and clear-text User-Password, it don't
> work with mschap-v2. with other autentications (pap, chap and mschap-v1)
> work fine.

It works for me, and other people on this list. What platform are you running on?

Alan DeKok.
Re: freeradius + MySQL on remote host question
Robert Causey <[EMAIL PROTECTED]> wrote:
> After we built the shared library we could run the
> freeradius config script and it would detect the presence of the mysql
> client. We than ran make and it did not report any errors.

And it won't run. Why? Your ld.so doesn't know about the library in /usr/local/mysql/lib. Whose fault is that? Yours.

Did you try reading the FAQ, or the "libdir" configuration in radiusd.conf?

Alan DeKok.
Implementing a realtime-prepaid platform with freeradius
Hi everybody,

I have been working with free radius for a while and I think it is one of the most useful open source radius servers around. Right now I am just logging accounting details for a VoIP platform, also making auth to users (both with the text detail and users file).

My question is whether anybody in the freeradius community has implemented or is implementing a real-time prepaid service for users. If not, I would like to know if somebody could give me some tips to code an application that receives the RADIUS logs of auth in order to respond with the availability of time, depending on the dialed number (I am using cisco AS5300 ... and I think some VSAs have these items), and that also updates the time left in the users file.

Hope somebody could give me a hand on this,

Regards,
German Viera
Montevideo, Uruguay
Re: Disabling User
"Devin Atencio" <[EMAIL PROTECTED]> wrote: > I was wondering if there was an easy way to disable a user so that if they > Try to dialup it would deny them access. Currently our method is we just > Change the user's password. I have tried to set Simulatenous-Use to 0 but > That doesn't appear to work. Any ideas on a good way ? FAQ #5.2 Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Disabling User
On Wed, Jan 07, 2004, Devin Atencio wrote:
>
>I was wondering if there was an easy way to disable a user so that if they
>Try to dialup it would deny them access. Currently our method is we just
>Change the user's password. I have tried to set Simulatenous-Use to 0 but
>That doesn't appear to work. Any ideas on a good way ?

I would think changing the password is easier than fiddling with simultaneous use.

Normally when using encrypted passwords, we disable the account by prepending a ``*'' character to the encrypted password so no password will work. Then removing the ``*'' from the password enables the account easily.

Bill
--
INTERNET: [EMAIL PROTECTED]   Bill Campbell; Celestial Software LLC
UUCP: camco!bill              PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186           Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``When dealing with any spammer, one must always keep in mind that you are dealing with someone who makes their living through forgery, fraud, theft, subterfuge and obfuscation. Stated simply, spammers lie.'' David Ritz <[EMAIL PROTECTED]>

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Disabling User
I was wondering if there was an easy way to disable a user so that if they try to dialup it would deny them access. Currently our method is we just change the user's password. I have tried to set Simulatenous-Use to 0 but that doesn't appear to work. Any ideas on a good way?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
huntgroup file
Can someone send me an example of a huntgroup file that isn't the huntgroup one that appears in the examples or FAQs?

Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: compliation problem - cygwin
Thanks for your help.

> "-/usr/lib" ? That isn't a valid option to gcc. Try "-L/usr/lib"

However, that last one was a bit of a red herring/typo; the real output does contain "-L/usr/lib"

Any other ideas?

S

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MSBlaster and Freeradius
I would also suggest moving freeradius to its own server; that way when a new worm is released you won't have to keep changing your filters.

-Drew

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 11:22 AM
To: [EMAIL PROTECTED]
Subject: Re: MSBlaster and Freeradius

Josh Howlett <[EMAIL PROTECTED]> wrote:
> My best guess is that the MSBlaster UDP from the user(s) is swamping the
> kernel, resulting in RADIUS UDP packets getting lost.

Yup. The kernel has a limited queue for incoming packets.

> Has anyone else seen this, or have any suggestions?

Put a firewall rule in to block the UDP port used by MSBlaster. No one else uses it for anything, so that block won't be too problematic.

I'm not sure if system supports this, but you may be able to rate-limit the port. e.g. 10 packets/s are OK, >100 packets/s result in them all getting dropped.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MSBlaster and Freeradius
Josh Howlett <[EMAIL PROTECTED]> wrote:
> My best guess is that the MSBlaster UDP from the user(s) is swamping the
> kernel, resulting in RADIUS UDP packets getting lost.

Yup. The kernel has a limited queue for incoming packets.

> Has anyone else seen this, or have any suggestions?

Put a firewall rule in to block the UDP port used by MSBlaster. No one else uses it for anything, so that block won't be too problematic.

I'm not sure if system supports this, but you may be able to rate-limit the port. e.g. 10 packets/s are OK, >100 packets/s result in them all getting dropped.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
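Added example (not part of the thread and not FreeRADIUS code): one way to test the guess that UDP datagrams are being lost on the host is to compare two snapshots of the Linux `Udp:` counters in `/proc/net/snmp`. The snapshots below are constructed, and the function names and thresholds are assumptions chosen for this example.

```python
"""Compare two /proc/net/snmp snapshots to see whether UDP datagrams are being dropped."""

# Constructed snapshots taken 10 seconds apart (all values made up). Only the
# "Udp:" header/value pair is used; other protocol lines are ignored.
HEADER = "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
SNAPSHOT_T0 = (
    "Ip: Forwarding DefaultTTL InReceives\n"
    "Ip: 1 64 900000\n"
    + HEADER +
    "Udp: 120000 350 12 118000 12 0\n"
    "UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
    "UdpLite: 0 0 0 0 0 0\n"
)
SNAPSHOT_T1 = HEADER + "Udp: 120400 9350 2512 118300 2512 0\n"
SNAPSHOT_QUIET = HEADER + "Udp: 120800 9352 2512 118700 2512 0\n"


def parse_udp_counters(snmp_text):
    """Return {counter_name: value} from the two 'Udp:' lines (header, then values)."""
    rows = [line.split() for line in snmp_text.splitlines()
            if line.startswith("Udp:")]          # "UdpLite:" does not match
    if len(rows) != 2:
        raise ValueError("expected a Udp: header line and a Udp: value line")
    names, values = rows
    return dict(zip(names[1:], (int(v) for v in values[1:])))


def udp_rates(before_text, after_text, seconds):
    """Per-second change of every counter present in both snapshots."""
    before = parse_udp_counters(before_text)
    after = parse_udp_counters(after_text)
    return {name: (after[name] - before[name]) / seconds
            for name in after if name in before}


def assess(rates, max_drops_per_s=1.0, max_noports_per_s=50.0):
    """Flag the two signals relevant to the failure described in the thread."""
    findings = []
    # InErrors / RcvbufErrors: datagrams the kernel received but could not
    # deliver, for example because a socket receive buffer was full.
    drops = max(rates.get("InErrors", 0.0), rates.get("RcvbufErrors", 0.0))
    if drops > max_drops_per_s:
        findings.append("receive-drops")
    # NoPorts: datagrams addressed to a UDP port with no listener, which is
    # what unsolicited traffic aimed at a closed port looks like.
    if rates.get("NoPorts", 0.0) > max_noports_per_s:
        findings.append("closed-port-flood")
    return findings


if __name__ == "__main__":
    busy = udp_rates(SNAPSHOT_T0, SNAPSHOT_T1, 10)
    print(busy, assess(busy))
    quiet = udp_rates(SNAPSHOT_T1, SNAPSHOT_QUIET, 10)
    print(quiet, assess(quiet))
```

On a live Linux host the two inputs would be the contents of `/proc/net/snmp` read a known number of seconds apart.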
RE: MSBlaster and Freeradius
Yes, that's correct.

josh.

On Wed, 2004-01-07 at 16:41, Drew Weaver wrote:
> This homebrew nas is the same box that is running your radius server?
>
> -Drew
>
>
> -----Original Message-----
> From: Josh Howlett [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 07, 2004 11:10 AM
> To: [EMAIL PROTECTED]
> Subject: MSBlaster and Freeradius
>
> We have been experiencing problems with the MSBlaster worm and
> Freeradius.
>
> The Freeradius daemon is running on a (homebrew) NAS that also
> terminates VPN sessions. If a VPN user is infected, it seems that the
> MSBlaster traffic prevents FreeRADIUS from operating correctly.
>
> The exact mode of failure is unclear, because FreeRADIUS does not
> generate any errors, but the result is that FreeRADIUS claims never to
> receive any proxy RADIUS packets it has sent out (and thus it can't
> authenticate users). (ie. requests keep timing out).
>
> My best guess is that the MSBlaster UDP from the user(s) is swamping the
> kernel, resulting in RADIUS UDP packets getting lost.
>
> Has anyone else seen this, or have any suggestions?
>
> many thanks, josh.

--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MSBlaster and Freeradius
This homebrew nas is the same box that is running your radius server?

-Drew

-----Original Message-----
From: Josh Howlett [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: MSBlaster and Freeradius

We have been experiencing problems with the MSBlaster worm and Freeradius.

The Freeradius daemon is running on a (homebrew) NAS that also terminates VPN sessions. If a VPN user is infected, it seems that the MSBlaster traffic prevents FreeRADIUS from operating correctly.

The exact mode of failure is unclear, because FreeRADIUS does not generate any errors, but the result is that FreeRADIUS claims never to receive any proxy RADIUS packets it has sent out (and thus it can't authenticate users). (ie. requests keep timing out).

My best guess is that the MSBlaster UDP from the user(s) is swamping the kernel, resulting in RADIUS UDP packets getting lost.

Has anyone else seen this, or have any suggestions?

many thanks, josh.

--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
MSBlaster and Freeradius
We have been experiencing problems with the MSBlaster worm and Freeradius.

The Freeradius daemon is running on a (homebrew) NAS that also terminates VPN sessions. If a VPN user is infected, it seems that the MSBlaster traffic prevents FreeRADIUS from operating correctly.

The exact mode of failure is unclear, because FreeRADIUS does not generate any errors, but the result is that FreeRADIUS claims never to receive any proxy RADIUS packets it has sent out (and thus it can't authenticate users). (ie. requests keep timing out).

My best guess is that the MSBlaster UDP from the user(s) is swamping the kernel, resulting in RADIUS UDP packets getting lost.

Has anyone else seen this, or have any suggestions?

many thanks, josh.

--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Free Radius and non-plain text passwords
"Phillip Ames" <[EMAIL PROTECTED]> wrote: > I have been able to get Free Radius to authenticate from a router > using CHAP. The problem with this is that the passwords are stored > in plain text in the users file on the authentication server. See the FAQ. This isn't much of a problem. > 1. It seems that the authentication method is chosen by the client(in > this case the router) - please correct me if I am wrong on this assumption. See recent posts to the list. The choice of the user doing PAP or CHAP is not up to the RADIUS server. > 3. How do I set up PAP for the Free Radius server? Huh? You don't have to do anything. It automatically supports PAP. > I'd also rather not add an account to my /etc/passwd file for all > the users who need to authenticate with this system, so I looked > at the rlm_passwd module. It seems like this might be a better > route if I use the "authtype = crypt" config line to make sure the > passwords are crypted. ... on the server. Which means you can't do CHAP, EAP-MD5, or a host of other authentication methods. > Would the > following be the correct way of setting up that type of configuration? > > passwd etc_raddb_mypasswdfile { > filename =3D ${raddbdir}/mypasswdfile > format =3D "*User-Name::Password" Possibly. I don't use rlm_passwd, so I'm less familiar with it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Free Radius and non-plain text passwords (resolution)
"Phillip Ames" <[EMAIL PROTECTED]> wrote: > Now my user password file contains entries like this: > > bad Auth-Type := System, Crypt-Password == > "$1$37l.BBR2$bcYRkPw.bkkTAz3gkjsZZ1" > > Where "bad" is the user and "$1$37l.BBR2$bcYRkPw.bkkTAz3gkjsZZ1" is the > md5 of "password" That won't entirely do what you expect. > On a side note, I was also unable to discover anything different between > Auth-Type := System and Auth-Type := Local. There's a huge difference. Try using the *default* configuration files as shipped, and you'll see that the users are authenticated against /etc/passwd, for Auth-Type = "System". Read the default "users" file. It explains this. The reason it isn't doing what you expect is that you're telling it to do two contradictory things. So it picks one which makes sense, and authenticates the user. You've told it: 1) Look in/etc/passwd to find a crypt'd password for the user, and then use that crypt'd password to do the authentication 2) Use the given Crypt-Password to do the authentication. In this case, the server can do one of two things: a) use /etc/password, dicsover the user isn't there, complain about that, and reject the user. b) ignore the request to use /etc/passwd, because the Crypt-Password matches. The server currently does (b). If it did (a), you'd be wondering why it's complaining that it can't find a password for the user, when you supplied a Crypt-Password. All these problems stem from a misunderstanding of what "System" authentication means. It's explained in the default "users" file, among other places. Please read them. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Settings
Vincent:

Thank you for your response. It does make sense & you have been kind to explain and respond to my concerns/questions.

It is interesting how many people do not know the answer to this question. I have received several direct emails from people on this list who have mentioned that they also want to know the answer to my question but are too scared to ask. They do not inflame anybody.

Again thank you very much for your response.

Kirti

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: Settings

[EMAIL PROTECTED] wrote on 01/06/2004 04:48:36 PM:

> Max_request setting in "radius.conf" is supposed to be the maximum number of
> requests which the server keeps track of. It is supposed to be 4 * number of
> clients.
>
> In this situation what is a client:
>
> (1) is it number of NAS being serviced by the RADIUS server -or-

*ding*

> (2) is it number of dial-in customers -or-

No. That wouldn't make any sense; the only time a connection to the radius server is made (in _general_; not absolutely true) is when a user connects or disconnects. The connection to the radius server is NOT held open. So using that guideline above, let's say you have 10 NASes, and set max requests to 40. That means that one nas can handle 40 simultaneous requests, or all ten can handle four requests each, or one can have 39, one 1, and the rest none, or any combination thereof.

The more important (and therefore more intelligent) question is how many people do you expect to be dialing in at the same time? Not connected, I mean actually either dialing the phone, or trying to authenticate to a wireless access point, or authenticate to a router, or whatever you're planning on using RADIUS for. THAT'S when max connections is important.

> (3) is it number of dial-in ports which are serviced by a RADIUS server?

That would make even less sense.

> The RADIUS book by O'Rielly describes client as in Client/Server
> relationship.

It doesn't describe it as a user/server or port/server relationship? How appropriate!

> If that is true, then Clients will be number of NAS on the
> system. That does not make sense because one NAS (3Com TC) may have 10 HiPer
> DSP cards and another may have 14. Therefore the number of maximum
> connections might be quite different.

The only reason that's not making sense is because you're thinking of RADIUS as a protocol that holds the connection open for the entire conversation, like telnet. Throw that idea away.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Trying to set no authentication for users
John Horne <[EMAIL PROTECTED]> wrote:
...
> This all works fine; the user is authenticated and radiusd sees that
> MS-CHAPv2 is being used (and is to be used).

Hmm... so MS-CHAPv2 works, as I suspected. Recent discussion on the list says it's broken on some systems, but I don't know why.

> However, if I simply change the users file entry to:
>
> fred Auth-Type := Local, User-Password != "anything"
>
> Specifying that the pwd should not be 'anything' then it doesn't work.
> That is, I cannot authenticate. The radiusd output shows:

I don't see why you would expect that user to authenticate.

> My thought was to make a default entry such as:
>
> DEFAULT Auth-Type := Local, User-Password != "something"
>
> I have tried, from the FAQ, using just 'Auth-Type = Accept' but although
> radiusd seems to accept the user and password, the connection then
> fails.

Hmm... that's probably an issue with the MS-CHAP module.

OK, go to src/modules/rlm_mschap/rlm_mschap.c, look for:

    vp = pairmake("Auth-Type", authtype_name, T_OP_SET);

change the T_OP_SET to T_OP_EQ, and re-compile & install the module. It should work then.

> Anyone got any suggestions about this. Relevant parts of the
> radiusd.conf are below, but simply change the users file entry operator
> from '==' to '!=' surely shouldn't cause a problem? All the encryption
> stuff should work because instead of comparing the users file password
> with the one the user enters when connecting should simply check for
> equality or not. When '==' is used they should be equal, when '!=' is
> used the should not be equal.

Due to the way passwords are checked, it doesn't quite work that way.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
BUG?? Couldn't open syslog/radius.log for logging: Not a directory
OS: RH9.0
Platform: i386
FreeRadius Version: 0.9.3

Problem Summary:
radiusd: radiusd: Couldn't open syslog/radius.log for logging: Not a directory

Problem Details:
It appears that freeradius is attempting to log to a file when asked to log to the syslog. Listed below are the config settings and init script to confirm correct settings. In looking at the source, it appears that RADLOG_SYSLOG is never defined and as such has a null value when being evaluated in the following code snippets:

*radiusd.c**

#if HAVE_SYSLOG_H
    /*
     * If they asked for syslog, then give it to them.
     * Also, initialize the logging facility with the
     * configuration that they asked for.
     */
    if (strcmp(radlog_dir, "syslog") == 0) {
        openlog(progname, LOG_PID, syslog_facility);
        radlog_dest = RADLOG_SYSLOG;
    }
    /* Do you want a warning if -g is used without a -l to activate it? */
#endif
    if (strcmp(radlog_dir, "stdout") == 0) {
        radlog_dest = RADLOG_STDOUT;
    } else if (strcmp(radlog_dir, "stderr") == 0) {
        radlog_dest = RADLOG_STDERR;
    }

*log.c**

    if (radlog_dest == RADLOG_NULL) {
        return 0;
    }

    if (debug_flag
        || (radlog_dest == RADLOG_STDOUT)
        || (radlog_dir == NULL)) {
        msgfd = stdout;

    } else if (radlog_dest == RADLOG_STDERR) {
        msgfd = stderr;

    } else if (radlog_dest != RADLOG_SYSLOG) {
        /*
         * No log file set. It must go to stdout.
         */
        if (!mainconfig.log_file) {
            msgfd = stdout;

            /*
             * Else try to open the file.
             */
        } else if ((msgfd = fopen(mainconfig.log_file, "a")) == NULL) {
            fprintf(stderr, "%s: Couldn't open %s for logging: %s\n",
                    progname, mainconfig.log_file, strerror(errno));

            fprintf(stderr, " (");
            vfprintf(stderr, fmt, ap); /* the message that caused the log */
            fprintf(stderr, ")\n");
            return -1;
        }
    }

#if HAVE_SYSLOG_H
    if (radlog_dest == RADLOG_SYSLOG) {
        *buffer = '\0';
        len = 0;
    } else
#endif

*CONFIGURATION FILE SETTINGS*

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
#logdir = ${localstatedir}/log/radius
logdir = syslog
raddbdir = ${sysconfdir}/raddb
#radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
#user = nobody
#group = nobody
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = XX.XX.XX.XX
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no

*INIT SCRIPT*

# Source function library.
. /etc/rc.d/init.d/functions

RADIUSD=/usr/local/sbin/radiusd
LOCKF=/var/lock/subsys/radiusd
CONFIG=/usr/local/etc/raddb/radiusd.conf

[ -f $RADIUSD ] || exit 0
[ -f $CONFIG ] || exit 0

RETVAL=0

case "$1" in
  start)
    echo -n $"Starting RADIUS server: "
    daemon $RADIUSD
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $LOCKF && ln -s /var/run/radiusd/radiusd.pid /var/run/radiusd.pid 2>/dev/null
    ;;
  stop)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: compliation problem - cygwin
"Simon Gray" <[EMAIL PROTECTED]> wrote: > I've spent a good few hours search through the mailing lists, google and > read doc/CYGWIN without any luck. ... > gcc .libs/radiusdS.o -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS ... > -Wl,--export-dynamic -/usr/lib "-/usr/lib" ? That isn't a valid option to gcc. Try "-L/usr/lib" > undefined reference to `_crypt' ... > Note - the output of 'nm /usr/lib/libcrypt.a' does contain '_crypt' Yes, but you're not telling it to look in /usr/lib. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP setting for supplicant
"matt morris" <[EMAIL PROTECTED]> wrote: > (2) Redhat 7.2 with Freeradius 0.9.3, with its own WAN ip; in the user file: > Framed-IP-Address =192.168.0.105, Framed-IP-Netmask = 255.255.255.0, > Framed-MTU = 1380 See the FAQ for reasons why you don't want to use Framed-IP-Netmask. > (Actually a question: Does the user's framed-MTU have to match that of the > AP's?) If not, you'll get fragmentation. > (3) WinXP Supplicant, set with static ip 192.168.0.105 and netmask > 255.255.255.0, Default gateway and DNS to router's internal ip. Huh? You're trying to use RADIUS to set an IP when the supplicant already has a static IP? You do realize that your configuration is inconsistent, don't you? > Both freeradius' and the AP's log shows the authenication was successful, > but the supplicant was not supplied with an ip (just 0.0.0.0). I've tried > getting rid of router from the setup (un-setting the Ap's default gateway > and DNS while setting the supplicant's to the internal ip of the AP), but > still no luck Try configuring the supplicant to use a dynamic IP, rather than a static one. That might make a difference. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Trying to set no authentication for users
Hello,

I have been asked to run through some disaster recovery checks for our servers, and one (pair) of these servers runs RADIUS but does so in order to talk to a Microsoft IAS server (for the actual authentication). In the event of a disaster the IAS server may be lost, and as such I would like to be able to put into the 'users' file a DEFAULT entry to simply allow all users through.

Users connecting to this system for authentication are required to be using MS-CHAPv2 with MPPE and strong encryption. There is no problem with this, and entering users into the users file itself for authentication works fine. However, I am having a lot of trouble trying to get it to just let all users through.

If I have an entry in the users file such as:

fred Auth-Type := Local, User-Password == "anything"

this works fine. Debug output from radiusd shows:

==
rad_recv: Access-Request packet from host 127.0.0.1:37229, id=55, length=135
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "fred"
    MS-CHAP-Challenge = 0x7ff02513996443c04f7d280a820730b5
    MS-CHAP2-Response = 0x01009d037c05f32b32648cc561c047c5e56c0974512bcb2c65addd6edab9c9caf4d18660ae908b206e03
    NAS-IP-Address = 141.163.163.250
    NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched fred at 220
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok
modcall: group authenticate returns ok
Login OK: [fred] (from client localhost port 0)
Sending Access-Accept of id 55 to 127.0.0.1:37229
    MS-CHAP2-Success = 0x01533d42424438423038344545373041393441463244373339324645323833434437313343424543413641
    MS-MPPE-Recv-Key = 0xdf02432bffb7b8b4313cdb04515ecba440ba63a8bc4a95a2a425f4c225cd850416dc
    MS-MPPE-Send-Key = 0xdf01d4b2fc3bf9cb6054f92175106cf105f49e8d3408586aa2af17f0e615fc5ffc01
    MS-MPPE-Encryption-Policy = 0x0002
    MS-MPPE-Encryption-Types = 0x0004
Finished request 0
==

This all works fine; the user is authenticated and radiusd sees that MS-CHAPv2 is being used (and is to be used).

However, if I simply change the users file entry to:

fred Auth-Type := Local, User-Password != "anything"

Specifying that the pwd should not be 'anything' then it doesn't work. That is, I cannot authenticate. The radiusd output shows:

===
rad_recv: Access-Request packet from host 127.0.0.1:38635, id=130, length=135
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "fred"
    MS-CHAP-Challenge = 0x5079b24962676ca1fefc3a935a7c4a12
    MS-CHAP2-Response = 0x0100021413eac173639764d57968f33043e3b49cc542c3a9427787a46df5e94e67efef8c75e935267049
    NAS-IP-Address = 141.163.163.250
    NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched fred at 222
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: Authentication failed
rlm_mschap: Nothing in the packet I recognise: Rejecting the user
modcall[authenticate]: module "mschap" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Login incorrect: [fred] (from client localhost port 0)
Delaying request 0 for 5 seconds
Finished request 0
===

My thought was to make a default entry such as:

DEFAULT Auth-Type := Local, User-Password != "something"

I have tried, from the FAQ, using just 'Auth-Type = Accept' but although radiusd seems to accept the user and password, the connection then fails. The mschap module (?) expects a password but doesn't see any (it seems) - it gives a 'notfound' error. Adding the above User-Password attribute, and using '=*' or one of the regular expression operators ('=~') seems to make no difference. Radiusd returns the same error as above about nothing in the packet being recognised.

Anyone got any suggestions about this. Relevant parts of the
Dave
Help me with the CDR file. I can't create a rlm_cdr; I don't understand how to create a radius file with the CDRs of the open gatekeeper GNU.

Thanks

CARLOS FELIPE ROJAS GOMEZ
RE: Settings
[EMAIL PROTECTED] wrote on 01/06/2004 04:48:36 PM:

> Max_request setting in "radius.conf" is supposed to be the maximum number of
> requests which the server keeps track of. It is supposed to be 4 * number of
> clients.
>
> In this situation what is a client:
>
> (1) is it number of NAS being serviced by the RADIUS server -or-

*ding*

> (2) is it number of dial-in customers -or-

No. That wouldn't make any sense; the only time a connection to the radius server is made (in _general_; not absolutely true) is when a user connects or disconnects. The connection to the radius server is NOT held open. So using that guideline above, let's say you have 10 NASes, and set max requests to 40. That means that one nas can handle 40 simultaneous requests, or all ten can handle four requests each, or one can have 39, one 1, and the rest none, or any combination thereof.

The more important (and therefore more intelligent) question is how many people do you expect to be dialing in at the same time? Not connected, I mean actually either dialing the phone, or trying to authenticate to a wireless access point, or authenticate to a router, or whatever you're planning on using RADIUS for. THAT'S when max connections is important.

> (3) is it number of dial-in ports which are serviced by a RADIUS server?

That would make even less sense.

> The RADIUS book by O'Rielly describes client as in Client/Server
> relationship.

It doesn't describe it as a user/server or port/server relationship? How appropriate!

> If that is true, then Clients will be number of NAS on the
> system. That does not make sense because one NAS (3Com TC) may have 10 HiPer
> DSP cards and another may have 14. Therefore the number of maximum
> connections might be quite different.

The only reason that's not making sense is because you're thinking of RADIUS as a protocol that holds the connection open for the entire conversation, like telnet. Throw that idea away.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
compliation problem - cygwin
Hi,

I've spent a good few hours search through the mailing lists, google and read doc/CYGWIN without any luck. Have removed all unneeded modules. Followed all suggestions from the back dated mailing lists with cygwin.

Currently using:

./configure -without-snmp -enable-static --disable-ltdl-install

The make fails with.

gcc .libs/radiusdS.o -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../include -o radiusd.exe radiusd.o files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o -Wl,--export-dynamic -/usr/lib -L/usr/local/src/freeradius-0.9.3/src/lib -lcrypt -lpthread /usr/lib/libradius.a .libs/libimp-cygltdl-3.a
/usr/lib/libradius.a(crypt.o)(.text+0x35): In function `lrad_crypt_check':
/usr/local/src/freeradius-0.9.3/src/lib/crypt.c:60: undefined reference to `_crypt'
collect2: ld returned 1 exit status
rm -f .libs/radiusdS.o
make[4]: *** [radiusd] Error 1
make[4]: Leaving directory `/usr/local/src/freeradius-0.9.3/src/main'
make[3]: *** [common] Error 1
make[3]: Leaving directory `/usr/local/src/freeradius-0.9.3/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/usr/local/src/freeradius-0.9.3/src'
make[1]: *** [common] Error 1
make[1]: Leaving directory `/usr/local/src/freeradius-0.9.3'
make: *** [all] Error 2

Note - the output of 'nm /usr/lib/libcrypt.a' does contain '_crypt'

Any ideas/suggestions?

TIA
Simon
RE: Solaries Binaries?
Hi,

Maybe you should focus on figuring out why the box doesn't compile software. I think you're just missing some essential packages. If you like I can supply you with a list of the packages you need to be able to compile software.

Cheers
Patrick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Ramsey
Sent: woensdag 7 januari 2004 2:53
To: [EMAIL PROTECTED]
Subject: Solaries Binaries?

Our solaris box (Intel) is having problems compiling for some reason... in general, basically nothing will compile. Does anyone have Solaris 9 X86 they would share? Older Solaris binaries will work though if anyone is running an older Solaris.

TIA
IP setting for supplicant
Hi,

I have been having problems getting the supplicant to gain internet access through my freeradius + Dlink DWL900AP+ AP + WinXP Supplicant (Linksys WirelessG PCMCIA card) setup. I'm using EAP-MD5 authentication. Freeradius has granted Access-Accept, but the supplicant doesn't get an ip (I've added the framed-IP-Address and Netmask attribute to the users file).

Basically my setup is like this:

(1) The Dlink AP (with static internal ip, default gateway and DNS to router's internal ip, DHCP disabled) is connected to a Router (with WAN ip, port 1812 forwarded to the AP's ip, DHCP enabled - ip range covering Ap's ip and supplicant's framed ip);

(2) Redhat 7.2 with Freeradius 0.9.3, with its own WAN ip; in the user file: Framed-IP-Address =192.168.0.105, Framed-IP-Netmask = 255.255.255.0, Framed-MTU = 1380 (Actually a question: Does the user's framed-MTU have to match that of the AP's?)

(3) WinXP Supplicant, set with static ip 192.168.0.105 and netmask 255.255.255.0, Default gateway and DNS to router's internal ip.

Both freeradius' and the AP's log shows the authentication was successful, but the supplicant was not supplied with an ip (just 0.0.0.0). I've tried getting rid of router from the setup (un-setting the Ap's default gateway and DNS while setting the supplicant's to the internal ip of the AP), but still no luck.

I know this isn't exactly a freeradius question, but I'd really appreciate it if someone in this list could help me out.

Thanks in advance!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html