Freeradius latest cvs cannot compile in freebsd 4.8

2004-01-14 Thread apellido jr., wilfredo p
Hello, I tried to compile the latest cvs of freeradius
in freebsd 4.8, mysql Ver 12.22 Distrib 4.0.17, for
portbld-freebsd4.8 (i386) and I got this error:


/usr/include/sys/cdefs.h:273: warning:
`_POSIX_C_SOURCE' is not defined
/usr/include/sys/cdefs.h:279: warning:
`_POSIX_C_SOURCE' is not defined
sql_mysql.c:30: mysql/errmsg.h: No such file or
directory
sql_mysql.c:34: mysql/mysql.h: No such file or
directory
sql_mysql.c:195: warning: `MYSQL_VERSION_ID' is not
defined
sql_mysql.c:38: syntax error before `MYSQL'
sql_mysql.c: In function `sql_init_socket':
sql_mysql.c:67: warning: implicit declaration of
function `mysql_init'
sql_mysql.c:67: structure has no member named `conn'
sql_mysql.c:68: structure has no member named `sock'
sql_mysql.c:68: warning: implicit declaration of
function `mysql_real_connect'
sql_mysql.c:68: structure has no member named `conn'
sql_mysql.c:75: `CLIENT_FOUND_ROWS' undeclared (first
use in this function)
sql_mysql.c:75: (Each undeclared identifier is
reported only once
sql_mysql.c:75: for each function it appears in.)
sql_mysql.c:77: warning: implicit declaration of
function `mysql_error'
sql_mysql.c:77: structure has no member named `conn'
sql_mysql.c:77: warning: format argument is not a
pointer (arg 3)
sql_mysql.c:78: structure has no member named `sock'
sql_mysql.c: In function `sql_destroy_socket':
sql_mysql.c:94: warning: unused parameter `config'
sql_mysql.c: In function `sql_check_error':
sql_mysql.c:113: `CR_SERVER_GONE_ERROR' undeclared
(first use in this function)
sql_mysql.c:114: `CR_SERVER_LOST' undeclared (first
use in this function)
sql_mysql.c:122: `CR_OUT_OF_MEMORY' undeclared (first
use in this function)
sql_mysql.c:123: `CR_COMMANDS_OUT_OF_SYNC' undeclared
(first use in this function)
sql_mysql.c:124: `CR_UNKNOWN_ERROR' undeclared (first
use in this function)
sql_mysql.c: In function `sql_query':
sql_mysql.c:146: structure has no member named `sock'
sql_mysql.c:151: warning: implicit declaration of
function `mysql_query'
sql_mysql.c:151: structure has no member named `sock'
sql_mysql.c:152: warning: implicit declaration of
function `mysql_errno'
sql_mysql.c:152: structure has no member named `sock'
sql_mysql.c: In function `sql_store_result':
sql_mysql.c:168: structure has no member named `sock'
sql_mysql.c:172: structure has no member named
`result'
sql_mysql.c:172: warning: implicit declaration of
function `mysql_store_result'
sql_mysql.c:172: structure has no member named `sock'
sql_mysql.c:175: structure has no member named `sock'
sql_mysql.c:175: warning: format argument is not a
pointer (arg 3)
sql_mysql.c:176: structure has no member named `sock'
sql_mysql.c:164: warning: unused parameter `config'
sql_mysql.c: In function `sql_num_fields':
sql_mysql.c:198: warning: implicit declaration of
function `mysql_num_fields'
sql_mysql.c:198: structure has no member named `sock'
sql_mysql.c:202: structure has no member named `sock'
sql_mysql.c:202: warning: format argument is not a
pointer (arg 3)
sql_mysql.c:190: warning: unused parameter `config'
sql_mysql.c: In function `sql_select_query':
sql_mysql.c:220: warning: nested extern declaration of
`mysql_query'
sql_mysql.c:220: warning: nested extern declaration of
`mysql_errno'
sql_mysql.c:223: warning: nested extern declaration of
`mysql_store_result'
sql_mysql.c:223: warning: nested extern declaration of
`mysql_errno'
sql_mysql.c:223: warning: nested extern declaration of
`mysql_error'
sql_mysql.c:232: warning: nested extern declaration of
`mysql_num_fields'
sql_mysql.c:232: warning: nested extern declaration of
`mysql_error'
sql_mysql.c: In function `sql_num_rows':
sql_mysql.c:250: structure has no member named
`result'
sql_mysql.c:251: warning: implicit declaration of
function `mysql_num_rows'
sql_mysql.c:251: structure has no member named
`result'
sql_mysql.c:246: warning: unused parameter `config'
sql_mysql.c: In function `sql_fetch_row':
sql_mysql.c:273: structure has no member named
`result'
sql_mysql.c:277: warning: implicit declaration of
function `mysql_fetch_row'
sql_mysql.c:277: structure has no member named
`result'
sql_mysql.c:277: warning: assignment makes pointer
from integer without a cast
sql_mysql.c:280: structure has no member named `sock'
sql_mysql.c:266: warning: unused parameter `config'
sql_mysql.c: In function `sql_free_result':
sql_mysql.c:298: structure has no member named
`result'
sql_mysql.c:299: warning: implicit declaration of
function `mysql_free_result'
sql_mysql.c:299: structure has no member named
`result'
sql_mysql.c:300: structure has no member named
`result'
sql_mysql.c:294: warning: unused parameter `config'
sql_mysql.c: In function `sql_error':
sql_mysql.c:320: structure has no member named `sock'
sql_mysql.c:321: warning: return discards qualifiers
from pointer target type
sql_mysql.c:323: structure has no member named `sock'
sql_mysql.c:323: warning: return makes pointer from
integer without a cast
sql_mysql.c:316: warning: unused parameter `config'
sql_mysql.c: In fu

Update account packets

2004-01-14 Thread Nikolas Geyer
Hi all,

Just looking into the accounting section of radius, we have a Cisco 2611XM
LNS running IOS 12.3 with the config option "aaa accounting update periodic
5" which sends accounting updates every 5 minutes to the radius server. As
it stands, we have a PHP interface to the SQL radius database where a user
can login and view their usage. This currently only shows their session
usage after they have disconnected. I am trying to set it up so radius
updates every 5 minutes when it gets these update packets (instead of just
updating when it gets a stop packet as users are online for days/weeks at a
time) but am having no luck... is this possible with freeradius?

Any help would be appreciated.

-- 
Nikolas Geyer
Systems Administration
Infinite Networks
Ph: 02 6239 2152
Fax: 02 6239 2041
 
13 Wiluna Street
Fyshwick ACT 2609
 
http://www.infinite.net.au/
 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Ascend MAX responses....

2004-01-14 Thread Callum

Hi All,

I have recently set up a nice shiny radius machine using MySQL &
Freeradius.

I have an environment where I have multiple NAS machines, and while
everything looks great for the connections to the CISCO NAS's (God bless
em'), the Lucent Ascend MAX units seem to do weird things when we point
them at the radius machine.

Can anybody explain what might be happening when the following output is
shown from the logs?

It appears to be attempting to authenticate this info (which is clearly
not user info).

Thu Jan 15 15:23:13 2004 : Auth: Login incorrect: [banner/ascend] (from
client 202.xxx.xxx.xxx port 0)
Thu Jan 15 15:23:15 2004 : Auth: Login incorrect:
[initial-banner-oldmax/ascend] (from client 202.126.109.227 port 0)
Thu Jan 15 15:23:15 2004 : Auth: Login incorrect:
[bridge-oldmax-1/ascend] (from client 202.xxx.xxx.xxx port 0)
Thu Jan 15 15:23:15 2004 : Auth: Login incorrect:
[frdlink-oldmax-1/ascend] (from client 202.xxx.xxx.xxx port 0)
Thu Jan 15 15:23:15 2004 : Auth: Login incorrect:
[permconn-oldmax-1/ascend] (from client 202.xxx.xxx.xxx port 0)
Thu Jan 15 15:23:15 2004 : Auth: Login incorrect: [pools-oldmax/ascend]
(from client 202.xxx.xxx.xxx port 0)
Thu Jan 15 15:23:15 2004 : Auth: Login incorrect:
[route-oldmax-1/ascend] (from client 202.xxx.xxx.xxx port 0)
Thu Jan 15 15:23:15 2004 : Auth: Login incorrect:
[dovbs-oldmax-1/ascend] (from client 202.xxx.xxx.xxx port 0)
Thu Jan 15 15:23:16 2004 : Auth: Login incorrect: [route-1/ascend] (from
client 202.xxx.xxx.xxx port 0)
Thu Jan 15 15:23:16 2004 : Auth: Login incorrect: [dovbs-1/ascend] (from
client 202.xxx.xxx.xxx port 0)

I've read some bits and pieces about Ascend MAX's sending non-standard
attributes, but I'm not sure if this is the cause

Please help !!

Warm Regards,

Callum



Re: Blank username/password

2004-01-14 Thread Alan DeKok
Adil Bikarbass <[EMAIL PROTECTED]> wrote:
> Received PAP_AUTH_REQ on port S3 of 6 bytes containing:
> 01 01 00 06 00 00
> Sending PAP_AUTH_NAK on port S3 of 14 bytes containing:wire bytes 18

  So the request is being rejected by the PPP software, and it's not
even sending a RADIUS request.

  There is nothing you can do to the RADIUS server to fix this
problem.  Ask your NAS vendor what to do.

  Alan DeKok.




Re: Problem assigning static IP

2004-01-14 Thread Alan DeKok
Albert Silva Gibert <[EMAIL PROTECTED]> wrote:
> >Here you assign the network 33.33.33.0/24 to the user. His interface
> >gets 33.33.33.2 as ip in this network, which gets routed to this IP.
> 
> I'm agreeing with you, I'm trying to assign to the "users NIC" interface
> one IP inside the range of the VLAN 1!!!

  Go back and read what Oliver wrote.  He said you assigned a
*network* to the user, which is more than one IP.  You say you want to
assign the user one IP, which is very different from many IP's.

> Why? Maybe I didn't understand the attribute Framed-IP-Address or the
> Framed-IP-Netmask. And what are the differences between uses
> Framed-IP-Address/Framed-IP-Netmask or Framed-Routed?

  The FAQ talks about this.  Read it.

  Also read: http://www.freeradiusd.org/rfc/attributes.html

  It has a list of attributes, with links to their definitions.

  Alan DeKok.



Re: Blank username/password

2004-01-14 Thread Adil Bikarbass
Here is what I got on my PM3 when trying to connect using an empty
username

 Begin of output --

S3: LCP Open
Received UNKNOWN on port S3 of 14 bytes containing:wire bytes 18
0c 03 00 12 67 6e 33 3c 4d 53 52 41 53 56 35 2e
31 30
Received UNKNOWN on port S3 of 24 bytes containing:wire bytes 28
0c 04 00 1c 67 6e 33 3c 4d 53 52 41 53 2d 31 2d
50 43 41 42 44 45 4c 4d 41 4a 49 44
Received PAP_AUTH_REQ on port S3 of 6 bytes containing:
01 01 00 06 00 00
Sending PAP_AUTH_NAK on port S3 of 14 bytes containing:wire bytes 18
03 01 00 12 0d 49 6e 76 61 6c 69 64 20 4c 6f 67
69 6e
Received LCP_TERMINATE_REQUEST on port S3 of 12 bytes containing:wire
bytes 16
05 05 00 10 67 6e 33 3c 00 3c cd 74 00 00 02 b3

Sending LCP_TERMINATE_ACK on port S3 of 0 bytes containing:wire bytes 4
06 02 00 04

-- end of output 


And here is what I got when I use a username like "hi" :

 begin of output ---

Received LCP_CONFIGURE_REQUEST on port S2 of 16 bytes containing:wire
bytes 20
01 02 00 14 02 06 00 00 00 00 05 06 14 14 1b 12
07 02 08 02
Sending LCP_CONFIGURE_ACK on port S2 of 16 bytes containing:wire bytes 20
02 02 00 14 02 06 00 00 00 00 05 06 14 14 1b 12
07 02 08 02
S2: LCP Open
Received UNKNOWN on port S2 of 14 bytes containing:wire bytes 18
0c 03 00 12 14 14 1b 12 4d 53 52 41 53 56 35 2e
31 30
Received UNKNOWN on port S2 of 18 bytes containing:wire bytes 22
0c 04 00 16 14 14 1b 12 4d 53 52 41 53 2d 31 2d
55 53 45 52 2d 31
Received PAP_AUTH_REQ on port S2 of 16 bytes containing:
01 00 00 10 04 6a 6f 63 6b 06 66 73 74 6f 6e 65

Sending PAP_AUTH_ACK on port S2 of 16 bytes containing:wire bytes 20
02 00 00 14 0f 4c 6f 67 69 6e 20 53 75 63 63 65
65 64 65 64

--- end of output --

Seems like my PM3 is sending a "Not acking" for some reason when it gets
empty usernames

Still investigating


Adil


On Wed, 14 Jan 2004, Alan DeKok wrote:

> Adil Bikarbass <[EMAIL PROTECTED]> wrote:
> > So i'm wondering what's wrong and why i'm not getting anything in the logs
> > if there is an empty username
>
>   You're getting nothing in the logs because the NAS isn't sending any
> packets to FreeRADIUS.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-- 
|-Adil Bikarbass
|-IT Manager
|-MTDS S.A.
|-tel +212.3.767.4861
|-fax +212.3.767.4863
|-gsm +212.6.139. 4541
|-14, rue 16 novembre
|-Rabat, Kingdom of Morocco
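
Added example, not part of the original message: a small Python decoder for the PAP frames in the debug output above, following the RFC 1334 packet layout. It shows that the NAK'd request carries a zero-length Peer-ID and Password, and it masks the cleartext password bytes that such dumps expose; the function and constant names are assumptions made for this example.

```python
"""Decode PPP PAP packets (RFC 1334) from hex dumps like the PM3 debug output."""
from dataclasses import dataclass
from typing import Optional

PAP_CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack", 3: "Authenticate-Nak"}

# Hex bytes copied from the debug output in the message above.
EMPTY_REQ = "01 01 00 06 00 00"
EMPTY_NAK = "03 01 00 12 0d 49 6e 76 61 6c 69 64 20 4c 6f 67 69 6e"
NAMED_REQ = "01 00 00 10 04 6a 6f 63 6b 06 66 73 74 6f 6e 65"
NAMED_ACK = "02 00 00 14 0f 4c 6f 67 69 6e 20 53 75 63 63 65 65 64 65 64"


@dataclass
class PapPacket:
    code: str
    identifier: int
    peer_id: Optional[str] = None       # Authenticate-Request only
    password_len: Optional[int] = None  # length only; cleartext is never kept
    message: Optional[str] = None       # Authenticate-Ack / -Nak only


def _read_lv(body, pos, what):
    """Read one field made of a 1-byte length followed by that many bytes."""
    if pos >= len(body):
        raise ValueError(f"packet ends before the {what} length byte")
    end = pos + 1 + body[pos]
    if end > len(body):
        raise ValueError(f"{what} length {body[pos]} overruns the packet")
    return body[pos + 1:end], end


def parse_pap(hexdump):
    """Parse one PAP packet given as space-separated hex bytes."""
    raw = bytes.fromhex(hexdump)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte PAP header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")  # covers header plus data
    if not 4 <= length <= len(raw):
        raise ValueError(f"Length field {length} does not fit {len(raw)} bytes")
    if code not in PAP_CODES:
        raise ValueError(f"unknown PAP code {code}")
    body = raw[4:length]  # bytes past Length are padding and are ignored
    pkt = PapPacket(PAP_CODES[code], ident)
    if code == 1:
        peer, pos = _read_lv(body, 0, "Peer-ID")
        passwd, _ = _read_lv(body, pos, "Password")
        pkt.peer_id = peer.decode("latin-1")
        pkt.password_len = len(passwd)
    else:
        msg, _ = _read_lv(body, 0, "Message")
        pkt.message = msg.decode("latin-1")
    return pkt


def nak_for_empty_peer_id(request_hex, reply_hex):
    """True when the reply NAKs a request whose Peer-ID is zero-length."""
    req, rep = parse_pap(request_hex), parse_pap(reply_hex)
    return (req.code == "Authenticate-Request" and req.peer_id == ""
            and rep.code == "Authenticate-Nak"
            and rep.identifier == req.identifier)


def redact_password(hexdump):
    """Return the dump with the Password bytes of a request replaced by xx."""
    pkt = parse_pap(hexdump)
    if pkt.password_len is None:
        return hexdump  # Ack/Nak packets carry no password
    tokens = [f"{b:02x}" for b in bytes.fromhex(hexdump)]
    # header (4) + Peer-ID length byte + Peer-ID + Password length byte
    start = 4 + 1 + len(pkt.peer_id) + 1
    for i in range(start, start + pkt.password_len):
        tokens[i] = "xx"
    return " ".join(tokens)


if __name__ == "__main__":
    for label, dump in [("empty request", EMPTY_REQ), ("reply", EMPTY_NAK),
                        ("named request", NAMED_REQ), ("reply", NAMED_ACK)]:
        print(f"{label:14s} {parse_pap(dump)}")
    print("NAK for empty Peer-ID:", nak_for_empty_peer_id(EMPTY_REQ, EMPTY_NAK))
    print("safe to post:", redact_password(NAMED_REQ))
```

The decoder keeps only the password length, so its output can be shared where the raw dump could not.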



Re: Problem assigning static IP

2004-01-14 Thread Albert Silva Gibert

Hi Oliver, thanks for the answer!

>>
>> user  Auth-Type := EAP, User-Password == "userpsw"
>>   Reply-Message = "Hi user!!!",
>>   Service-Type = Framed-User,
>>   Framed-Protocol = PPP,
>>   Framed-IP-Address = 33.33.33.2,
>>   Framed-IP-Netmask = 255.255.255.0,

>Here you assign the network 33.33.33.0/24 to the user. His interface
>gets 33.33.33.2 as ip in this network, which gets routed to this IP.

I'm agreeing with you, I'm trying to assign to the "users NIC" interface
one IP inside the range of the VLAN 1!!! I want to make VLANs for
different groups of users inside the LAN. That's the reason I implemented
the VLAN 1.

>> interface Vlan1
>>  ip address 33.33.33.1 255.255.255.0

>But wait! Your cisco has an interface in this network!

Of course!!! If it doesn't have one, how can the users of this VLAN talk?

>Won't work. The cisco will not accept the routing information you did
>send in your radius packet. So the user should get dropped.

Why? Maybe I didn't understand the attribute Framed-IP-Address or the
Framed-IP-Netmask. And what are the differences between uses
Framed-IP-Address/Framed-IP-Netmask or Framed-Routed?

>If you just want to try to assign one IP, please read the FAQ and do not
>use a netmask, cause this is probably not what you want...

I had already proved without the netmask, only with the address, and with
the address and the Frame-Routed but still doesn't work.

Albert




Re: multiple module lookups when only one should be used

2004-01-14 Thread klg
I would (expect/hope) both would run unless there is a
(fallthrough = no) explicit or implied.



> users that dial into a number ending in 195 get the
> correct Auth-Type &
> Autz-Type, as do other calls that need to auth off of
> LDAP1. Problem is,
> when I have the LDAP2 instances in authorize {}
> authenticate {}, users
> authing off of LDAP1 do not get the correct group
> attributes per the group
> lookup in module instance ldap1. when radiusd is in
> debug mode, it shows
> the LDAP1 users going through both the ldap1 and ldap2
> module instances..
>
> Am I right in thinking it should only go through one
> or the other when
> Auth-Type is set as such?
>
> -Mike
>
>
> #radiusd.conf
> -
> modules {
> ldap ldap1 {
>   ...
>   }
>
> ldap ldap2 {
>   ...
>   }
> }
>
> authorize {
> Autz-Type LDAP1 {
> ldap1
> }
>
>Autz-Type LDAP2 {
>ldap2
>}
> }
>
> authenticate {
> Auth-Type LDAP1 {
> ldap1
> }
>
>Auth-Type LDAP2 {
>ldap2
>}
> }
>
> -
>
> # users
> -
> DEFAULT Called-Station-Id =~ "195$", Auth-Type :=
> LDAP2, Autz-Type :=
> LDAP2
> etc
>
> DEFAULT Auth-Type := LDAP1, Autz-Type := LDAP1
> Fall-Through = Yes
>
> DEFAULT Auth-Type := LDAP1, Autz-Type := LDAP1,
> Ldap-Group == "dial1"
> ...etc
>
> DEFAULT Auth-Type := LDAP1, Autz-Type := LDAP1,
> Ldap-Group == "dial2"
> etc
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>




Re: multiple module lookups when only one should be used

2004-01-14 Thread Alan DeKok
Chris Parker <[EMAIL PROTECTED]> wrote:
> >   I'm open to suggestions for what to do with the "authorize" section
> >and Autz-Type.  I don't want to break older configurations, so that's
> >a bit of a constraint.
> 
> Have an 'old_style_authorize' config directive that defaults to yes.

  Nah.  I took a quick look into it.  A better way would be to have an
"indexed" sub-list, like "redundant".

  e.g.

authorize {
    chap
    foo
    bar

    indexed {
        Autz-Type ldap1 {
            ldap1
        }

        Autz-Type ldap2 {
            ldap2
        }
    }
    eap
}

  The "indexed" group would work just like "authenticate" does, except
using the Autz-Type attribute.  Simple, and pretty clean.

  As a bonus, it's probably only ~50 lines of code.

> The problem is that Authenticate works, because we set Auth-Type prior
> to entering that block.  We don't have anything to set Autz-Type prior
> to running the Authorize block.  :\

  Yes, but we should really have some kind of "goto" in the various
blocks.

  Alan DeKok.



Re: Blank username/password

2004-01-14 Thread Adil Bikarbass
I'll monitor ppp negotiation on my NAS

I'll let you know

Thanks

On Wed, 14 Jan 2004, Alan DeKok wrote:

> Adil Bikarbass <[EMAIL PROTECTED]> wrote:
> > So i'm wondering what's wrong and why i'm not getting anything in the logs
> > if there is an empty username
>
>   You're getting nothing in the logs because the NAS isn't sending any
> packets to FreeRADIUS.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-- 
|-Adil Bikarbass
|-IT Manager
|-MTDS S.A.
|-tel +212.3.767.4861
|-fax +212.3.767.4863
|-gsm +212.6.139. 4541
|-14, rue 16 novembre
|-Rabat, Kingdom of Morocco



Re: multiple module lookups when only one should be used

2004-01-14 Thread Chris Parker
At 02:45 PM 1/14/2004, Alan DeKok wrote:
> Mike Sturdee <[EMAIL PROTECTED]> wrote:
> > users that dial into a number ending in 195 get the correct Auth-Type &
> > Autz-Type, as do other calls that need to auth off of LDAP1. Problem is,
> > when I have the LDAP2 instances in authorize {} authenticate {}, users
> > authing off of LDAP1 do not get the correct group attributes per the group
> > lookup in module instance ldap1. when radiusd is in debug mode, it shows
> > the LDAP1 users going through both the ldap1 and ldap2 module instances..
>
>   Yes.  The "authorize" section processes the modules from top to
> bottom, even if set Autz-Type previously.
>
>   The issue is that the "authorize" section *started* by processing
> modules from top to bottom, and the Autz-Type was added later.  So it
> may not entirely do the right thing at times...
>
>   I'm open to suggestions for what to do with the "authorize" section
> and Autz-Type.  I don't want to break older configurations, so that's
> a bit of a constraint.

Have an 'old_style_authorize' config directive that defaults to yes.

Allow it to be set to 'no' to achieve 'authenticate' style processing
based on 'autz-type'.

The problem is that Authenticate works, because we set Auth-Type prior
to entering that block.  We don't have anything to set Autz-Type prior
to running the Authorize block.  :\

Is the functionality required above something that could be accomplished with
the 'configurable failover' behaviour of modifying processing of modules
based on return value of previous module call?

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: Blank username/password

2004-01-14 Thread Alan DeKok
Adil Bikarbass <[EMAIL PROTECTED]> wrote:
> So i'm wondering what's wrong and why i'm not getting anything in the logs
> if there is an empty username

  You're getting nothing in the logs because the NAS isn't sending any
packets to FreeRADIUS.

  Alan DeKok.



RE: Blank username/password

2004-01-14 Thread Adil Bikarbass
My NAS config seems to be OK

Nothing special in it, I specified the radius server and the shared secret

So I'm wondering what's wrong and why I'm not getting anything in the logs
if there is an empty username

any other ideas?

Adil

On Wed, 14 Jan 2004, Dustin Doris wrote:

>
> On Wed, 14 Jan 2004, Adil Bikarbass wrote:
>
> > Well i've noticed after reading the debug that the request with the empty
> > username did not even hit the radius server (nothing on the debug output)
> >
> > But when using any character on the username i got some input :
> >
>
> I would say that is a problem on your NAS.
>
>
> > - Begining of Input -
> >
> > rad_recv: Accounting-Request packet from host my_NAS:1026, id=252,
> > length=101
> > Acct-Session-Id = "B85D"
> > User-Name = "t"
> > NAS-IP-Address = my_NAS
> > NAS-Port = 45
> > NAS-Port-Type = ISDN
> > Acct-Status-Type = Start
> > Acct-Authentic = RADIUS
> > Called-Station-Id = "1"
> > Calling-Station-Id = "037680045"
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Framed-IP-Address = 194.204.200.232
> > Acct-Delay-Time = 0
> > modcall: entering group preacct for request 28
> > rlm_realm: No '/' in User-Name = "t", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> >   modcall[preacct]: module "ROAM" returns noop for request 28
> > rlm_realm: No '@' in User-Name = "t", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> >   modcall[preacct]: module "suffix" returns noop for request 28
> >   modcall[preacct]: module "files" returns noop for request 28
> >   modcall[preacct]: module "preprocess" returns noop for request 28
> > modcall: group preacct returns noop for request 28
> > modcall: entering group accounting for request 28
> > rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request,
> > unique ID MAY be inconsistent
> > rlm_acct_unique: Hashing ',Client-IP-Address = my_NAS,NAS-IP-Address =
> > my_NAS,Acct-Session-Id = "B85D",User-Name = "t"'
> > rlm_acct_unique: Acct-Unique-Session-ID = "2dd4757bbb6a253d".
> >   modcall[accounting]: module "acct_unique" returns ok for request 28
> > radius_xlat:  '/var/log/radius/radacct/my_NAS/detail'
> > rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail expands to
> > /var/log/radius/radacct/my_NAS/detail
> >   modcall[accounting]: module "detail" returns ok for request 28
> >   modcall[accounting]: module "unix" returns ok for request 28
> > radius_xlat:  '/var/log/radius/radutmp'
> > radius_xlat:  't'
> >   modcall[accounting]: module "radutmp" returns ok for request 28
> > modcall: group accounting returns ok for request 28
> > Sending Accounting-Response of id 252 to my_NAS:1026
> > Finished request 28
> > Going to the next request
> > Waking up in 6 seconds...
> >
> > -- End Debug 
> >
> > My users file contains the following
> >
> > DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"
> >
> > Please advise
> >
> > Adil
> >
> >
> > On Wed, 14 Jan 2004, Anson Rinesmith wrote:
> >
> > > With the supplied line in your "users" file, could you send me your relevant
> > > output from radiusd -X, might help debug your problem.
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Adil
> > > Bikarbass
> > > Sent: Wednesday, January 14, 2004 10:36 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Blank username/password
> > >
> > > I've tried this too but with the same result when the username is not
> > > empty it's accepted otherwise it's rejeted,
> > >
> > > The problem is with empty usernames/passwords, once again i want to grant
> > > access based on the Called-Station-Id no matter what the username is
> > > (empty username).
> > >
> > > Any tips?
> > >
> > > Thanks
> > >
> > >  On Wed, 14 Jan 2004, Anson Rinesmith wrote:
> > >
> > > >
> > > > >Our users file contains the following DEFAULT entry :
> > > >
> > > > You have
> > > > >DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"
> > > >
> > > > DEFAULT Called-Station-ID == "9995551234", Auth-Type := "Accept"
> > > >
> > > > Is Closer to what you need in your users file
> > > >
> > > >
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > > >
> > >
> > >
> >
> > --
> > |-Adil Bikarbass
> > |-IT Manager
> > |-MTDS S.A.
> > |-tel +212.3.767.4861
> > |-fax +212.3.767.4863
> > |-gsm +212.6.139. 4541
> > |-14, rue 16 novembre
> > |-Rabat, Kingdom of Morocco
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-- 
|-Adil Bikarbass
|-IT Manager
|-MTDS S.A.
|-tel +212.3.767.4861
|-fax +212.3.767.4863
|-gsm +212.6.139. 4541
|-14, rue 16 novembre
|-Rabat, Kingdom of Morocco


RE: Blank username/password

2004-01-14 Thread Adil Bikarbass
I'm running Lucent Postmaster 3 ComOS version 3.9 which is running just
fine

I'll double check the config

Thanks
On Wed, 14 Jan 2004, Dustin Doris wrote:

>
> On Wed, 14 Jan 2004, Adil Bikarbass wrote:
>
> > Well i've noticed after reading the debug that the request with the empty
> > username did not even hit the radius server (nothing on the debug output)
> >
> > But when using any character on the username i got some input :
> >
>
> I would say that is a problem on your NAS.
>
>
> > - Begining of Input -
> >
> > rad_recv: Accounting-Request packet from host my_NAS:1026, id=252,
> > length=101
> > Acct-Session-Id = "B85D"
> > User-Name = "t"
> > NAS-IP-Address = my_NAS
> > NAS-Port = 45
> > NAS-Port-Type = ISDN
> > Acct-Status-Type = Start
> > Acct-Authentic = RADIUS
> > Called-Station-Id = "1"
> > Calling-Station-Id = "037680045"
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Framed-IP-Address = 194.204.200.232
> > Acct-Delay-Time = 0
> > modcall: entering group preacct for request 28
> > rlm_realm: No '/' in User-Name = "t", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> >   modcall[preacct]: module "ROAM" returns noop for request 28
> > rlm_realm: No '@' in User-Name = "t", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> >   modcall[preacct]: module "suffix" returns noop for request 28
> >   modcall[preacct]: module "files" returns noop for request 28
> >   modcall[preacct]: module "preprocess" returns noop for request 28
> > modcall: group preacct returns noop for request 28
> > modcall: entering group accounting for request 28
> > rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request,
> > unique ID MAY be inconsistent
> > rlm_acct_unique: Hashing ',Client-IP-Address = my_NAS,NAS-IP-Address =
> > my_NAS,Acct-Session-Id = "B85D",User-Name = "t"'
> > rlm_acct_unique: Acct-Unique-Session-ID = "2dd4757bbb6a253d".
> >   modcall[accounting]: module "acct_unique" returns ok for request 28
> > radius_xlat:  '/var/log/radius/radacct/my_NAS/detail'
> > rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail expands to
> > /var/log/radius/radacct/my_NAS/detail
> >   modcall[accounting]: module "detail" returns ok for request 28
> >   modcall[accounting]: module "unix" returns ok for request 28
> > radius_xlat:  '/var/log/radius/radutmp'
> > radius_xlat:  't'
> >   modcall[accounting]: module "radutmp" returns ok for request 28
> > modcall: group accounting returns ok for request 28
> > Sending Accounting-Response of id 252 to my_NAS:1026
> > Finished request 28
> > Going to the next request
> > Waking up in 6 seconds...
> >
> > -- End Debug 
> >
> > My users file contains the following
> >
> > DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"
> >
> > Please advise
> >
> > Adil
> >
> >
> > On Wed, 14 Jan 2004, Anson Rinesmith wrote:
> >
> > > With the supplied line in your "users" file, could you send me your relevant
> > > output from radiusd -X, might help debug your problem.
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Adil
> > > Bikarbass
> > > Sent: Wednesday, January 14, 2004 10:36 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Blank username/password
> > >
> > > I've tried this too but with the same result when the username is not
> > > empty it's accepted otherwise it's rejeted,
> > >
> > > The problem is with empty usernames/passwords, once again i want to grant
> > > access based on the Called-Station-Id no matter what the username is
> > > (empty username).
> > >
> > > Any tips?
> > >
> > > Thanks
> > >
> > >  On Wed, 14 Jan 2004, Anson Rinesmith wrote:
> > >
> > > >
> > > > >Our users file contains the following DEFAULT entry :
> > > >
> > > > You have
> > > > >DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"
> > > >
> > > > DEFAULT Called-Station-ID == "9995551234", Auth-Type := "Accept"
> > > >
> > > > Is Closer to what you need in your users file
> > > >
> > > >
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > > >
> > >
> > >
> >
> > --
> > |-Adil Bikarbass
> > |-IT Manager
> > |-MTDS S.A.
> > |-tel +212.3.767.4861
> > |-fax +212.3.767.4863
> > |-gsm +212.6.139. 4541
> > |-14, rue 16 novembre
> > |-Rabat, Kingdom of Morocco
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-- 
|-Adil Bikarbass
|-IT Manager
|-MTDS S.A.
|-tel +212.3.767.4861
|-fax +212.3.767.4863
|-gsm +212.6.139. 4541
|-14, rue 16 novembre
|-Rabat, Kingdom of Morocco



Re: multiple module lookups when only one should be used

2004-01-14 Thread Alan DeKok
Mike Sturdee <[EMAIL PROTECTED]> wrote:
> users that dial into a number ending in 195 get the correct Auth-Type &
> Autz-Type, as do other calls that need to auth off of LDAP1. Problem is,
> when I have the LDAP2 instances in authorize {} authenticate {}, users
> authing off of LDAP1 do not get the correct group attributes per the group
> lookup in module instance ldap1. when radiusd is in debug mode, it shows
> the LDAP1 users going through both the ldap1 and ldap2 module instances..

  Yes.  The "authorize" section processes the modules from top to
bottom, even if set Autz-Type previously.

  The issue is that the "authorize" section *started* by processing
modules from top to bottom, and the Autz-Type was added later.  So it
may not entirely do the right thing at times...

  I'm open to suggestions for what to do with the "authorize" section
and Autz-Type.  I don't want to break older configurations, so that's
a bit of a constraint.

  Alan DeKok.



multiple module lookups when only one should be used

2004-01-14 Thread Mike Sturdee
users that dial into a number ending in 195 get the correct Auth-Type &
Autz-Type, as do other calls that need to auth off of LDAP1. Problem is,
when I have the LDAP2 instances in authorize {} authenticate {}, users
authing off of LDAP1 do not get the correct group attributes per the group
lookup in module instance ldap1. when radiusd is in debug mode, it shows
the LDAP1 users going through both the ldap1 and ldap2 module instances..

Am I right in thinking it should only go through one or the other when
Auth-Type is set as such?

-Mike


#radiusd.conf
-
modules {
    ldap ldap1 {
        ...
    }

    ldap ldap2 {
        ...
    }
}

authorize {
    Autz-Type LDAP1 {
        ldap1
    }

    Autz-Type LDAP2 {
        ldap2
    }
}

authenticate {
    Auth-Type LDAP1 {
        ldap1
    }

    Auth-Type LDAP2 {
        ldap2
    }
}

-

# users
-
DEFAULT Called-Station-Id =~ "195$", Auth-Type := LDAP2, Autz-Type := LDAP2
    etc

DEFAULT Auth-Type := LDAP1, Autz-Type := LDAP1
    Fall-Through = Yes

DEFAULT Auth-Type := LDAP1, Autz-Type := LDAP1, Ldap-Group == "dial1"
    ...etc

DEFAULT Auth-Type := LDAP1, Autz-Type := LDAP1, Ldap-Group == "dial2"
    etc





RE: Blank username/password

2004-01-14 Thread Dustin Doris

On Wed, 14 Jan 2004, Adil Bikarbass wrote:

> Well i've noticed after reading the debug that the request with the empty
> username did not even hit the radius server (nothing on the debug output)
>
> But when using any character on the username i got some input :
>

I would say that is a problem on your NAS.


> - Begining of Input -
>
> rad_recv: Accounting-Request packet from host my_NAS:1026, id=252,
> length=101
> Acct-Session-Id = "B85D"
> User-Name = "t"
> NAS-IP-Address = my_NAS
> NAS-Port = 45
> NAS-Port-Type = ISDN
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
> Called-Station-Id = "1"
> Calling-Station-Id = "037680045"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 194.204.200.232
> Acct-Delay-Time = 0
> modcall: entering group preacct for request 28
> rlm_realm: No '/' in User-Name = "t", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[preacct]: module "ROAM" returns noop for request 28
> rlm_realm: No '@' in User-Name = "t", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[preacct]: module "suffix" returns noop for request 28
>   modcall[preacct]: module "files" returns noop for request 28
>   modcall[preacct]: module "preprocess" returns noop for request 28
> modcall: group preacct returns noop for request 28
> modcall: entering group accounting for request 28
> rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request,
> unique ID MAY be inconsistent
> rlm_acct_unique: Hashing ',Client-IP-Address = my_NAS,NAS-IP-Address =
> my_NAS,Acct-Session-Id = "B85D",User-Name = "t"'
> rlm_acct_unique: Acct-Unique-Session-ID = "2dd4757bbb6a253d".
>   modcall[accounting]: module "acct_unique" returns ok for request 28
> radius_xlat:  '/var/log/radius/radacct/my_NAS/detail'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail expands to
> /var/log/radius/radacct/my_NAS/detail
>   modcall[accounting]: module "detail" returns ok for request 28
>   modcall[accounting]: module "unix" returns ok for request 28
> radius_xlat:  '/var/log/radius/radutmp'
> radius_xlat:  't'
>   modcall[accounting]: module "radutmp" returns ok for request 28
> modcall: group accounting returns ok for request 28
> Sending Accounting-Response of id 252 to my_NAS:1026
> Finished request 28
> Going to the next request
> Waking up in 6 seconds...
>
> -- End Debug 
>
> My users file contains the following
>
> DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"
>
> Please advise
>
> Adil
>
>
> On Wed, 14 Jan 2004, Anson Rinesmith wrote:
>
> > With the supplied line in your "users" file, could you send me your relevant
> > output from radiusd -X, might help debug your problem.
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Adil
> > Bikarbass
> > Sent: Wednesday, January 14, 2004 10:36 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Blank username/password
> >
> > I've tried this too but with the same result when the username is not
> > empty it's accepted otherwise it's rejeted,
> >
> > The problem is with empty usernames/passwords, once again i want to grant
> > access based on the Called-Station-Id no matter what the username is
> > (empty username).
> >
> > Any tips?
> >
> > Thanks
> >
> >  On Wed, 14 Jan 2004, Anson Rinesmith wrote:
> >
> > >
> > > >Our users file contains the following DEFAULT entry :
> > >
> > > You have
> > > >DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"
> > >
> > > DEFAULT Called-Station-ID == "9995551234", Auth-Type := "Accept"
> > >
> > > Is Closer to what you need in your users file
> > >
> > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > >
> >
> >
>
> --
> |-Adil Bikarbass
> |-IT Manager
> |-MTDS S.A.
> |-tel +212.3.767.4861
> |-fax +212.3.767.4863
> |-gsm +212.6.139. 4541
> |-14, rue 16 novembre
> |-Rabat, Kingdom of Morocco
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



Re: striping AVP pairs from the Radius request

2004-01-14 Thread Chris Parker
At 11:26 AM 1/14/2004, Bojan Tomic wrote:
> Hello
>
> I'm using freeRADIUS as a proxy for radius requests.
>
> Now, is it possible to strip some AVP pairs from the original request
> before the request is proxied forward and how do I do that?

rlm_attr_filter

Use the current CVS version, as it adds support for pre/post-proxy
instances.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




striping AVP pairs from the Radius request

2004-01-14 Thread Bojan Tomic
Hello

I'm using freeRADIUS as a proxy for radius requests.

Now, is it possible to strip some AVP pairs from the original request
before the request is proxied forward and how do I do that?

Thanks

Bojan



RE: Blank username/password

2004-01-14 Thread Adil Bikarbass

On Wed, 14 Jan 2004, Mike Ockenga wrote:

>
> > From: Adil Bikarbass [mailto:[EMAIL PROTECTED]
>
> > Our users file contains the following DEFAULT entry :
> >
> > DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"
>^^
> Is this an actual copy/paste from your file?  If so, I don't believe any users will 
> match the entry.

No it's not, i've got it right on my users file

>
> If it is not a c/p, then nevermind.
>
> -- Mike
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-- 
|-Adil Bikarbass
|-IT Manager
|-MTDS S.A.
|-tel +212.3.767.4861
|-fax +212.3.767.4863
|-gsm +212.6.139. 4541
|-14, rue 16 novembre
|-Rabat, Kingdom of Morocco




RE: Blank username/password

2004-01-14 Thread Mike Ockenga

> From: Adil Bikarbass [mailto:[EMAIL PROTECTED]

> Our users file contains the following DEFAULT entry :
> 
> DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"
   ^^ 
Is this an actual copy/paste from your file?  If so, I don't believe any users will 
match the entry.

If it is not a c/p, then nevermind.

-- Mike



RE: Blank username/password

2004-01-14 Thread Adil Bikarbass
Well i've noticed after reading the debug that the request with the empty
username did not even hit the radius server (nothing on the debug output)

But when using any character on the username i got some input :

- Beginning of Input -

rad_recv: Accounting-Request packet from host my_NAS:1026, id=252,
length=101
Acct-Session-Id = "B85D"
User-Name = "t"
NAS-IP-Address = my_NAS
NAS-Port = 45
NAS-Port-Type = ISDN
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Called-Station-Id = "1"
Calling-Station-Id = "037680045"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 194.204.200.232
Acct-Delay-Time = 0
modcall: entering group preacct for request 28
rlm_realm: No '/' in User-Name = "t", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[preacct]: module "ROAM" returns noop for request 28
rlm_realm: No '@' in User-Name = "t", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 28
  modcall[preacct]: module "files" returns noop for request 28
  modcall[preacct]: module "preprocess" returns noop for request 28
modcall: group preacct returns noop for request 28
modcall: entering group accounting for request 28
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = my_NAS,NAS-IP-Address =
my_NAS,Acct-Session-Id = "B85D",User-Name = "t"'
rlm_acct_unique: Acct-Unique-Session-ID = "2dd4757bbb6a253d".
  modcall[accounting]: module "acct_unique" returns ok for request 28
radius_xlat:  '/var/log/radius/radacct/my_NAS/detail'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail expands to
/var/log/radius/radacct/my_NAS/detail
  modcall[accounting]: module "detail" returns ok for request 28
  modcall[accounting]: module "unix" returns ok for request 28
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  't'
  modcall[accounting]: module "radutmp" returns ok for request 28
modcall: group accounting returns ok for request 28
Sending Accounting-Response of id 252 to my_NAS:1026
Finished request 28
Going to the next request
Waking up in 6 seconds...

-- End Debug 

My users file contains the following

DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"

Please advise

Adil


On Wed, 14 Jan 2004, Anson Rinesmith wrote:

> With the supplied line in your "users" file, could you send me your relevant
> output from radiusd -X, might help debug your problem.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Adil
> Bikarbass
> Sent: Wednesday, January 14, 2004 10:36 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Blank username/password
>
> I've tried this too but with the same result when the username is not
> empty it's accepted otherwise it's rejeted,
>
> The problem is with empty usernames/passwords, once again i want to grant
> access based on the Called-Station-Id no matter what the username is
> (empty username).
>
> Any tips?
>
> Thanks
>
>  On Wed, 14 Jan 2004, Anson Rinesmith wrote:
>
> >
> > >Our users file contains the following DEFAULT entry :
> >
> > You have
> > >DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"
> >
> > DEFAULT Called-Station-ID == "9995551234", Auth-Type := "Accept"
> >
> > Is Closer to what you need in your users file
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
>
>

-- 
|-Adil Bikarbass
|-IT Manager
|-MTDS S.A.
|-tel +212.3.767.4861
|-fax +212.3.767.4863
|-gsm +212.6.139. 4541
|-14, rue 16 novembre
|-Rabat, Kingdom of Morocco



Re: Blank username/password

2004-01-14 Thread Alan DeKok
Adil Bikarbass <[EMAIL PROTECTED]> wrote:
> Our users file contains the following DEFAULT entry :
> 
> DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"

  Where?  Order does matter.

  If I put that at the top of my "users" file, then users can login
without a User-Name or User-Password attribute, or when those
attributes are empty strings.

  Read the output of "radiusd -X".  It will tell you which lines in
the "users" file matched.

  Alan DeKok.



RE: Blank username/password

2004-01-14 Thread Anson Rinesmith
With the supplied line in your "users" file, could you send me your relevant
output from radiusd -X, might help debug your problem.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adil
Bikarbass
Sent: Wednesday, January 14, 2004 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: Blank username/password

I've tried this too but with the same result when the username is not
empty it's accepted otherwise it's rejected,

The problem is with empty usernames/passwords, once again i want to grant
access based on the Called-Station-Id no matter what the username is
(empty username).

Any tips?

Thanks

 On Wed, 14 Jan 2004, Anson Rinesmith wrote:

>
> >Our users file contains the following DEFAULT entry :
>
> You have
> >DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"
>
> DEFAULT Called-Station-ID == "9995551234", Auth-Type := "Accept"
>
> Is Closer to what you need in your users file
>
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>

-- 
|-Adil Bikarbass
|-IT Manager
|-MTDS S.A.
|-tel +212.3.767.4861
|-fax +212.3.767.4863
|-gsm +212.6.139. 4541
|-14, rue 16 novembre
|-Rabat, Kingdom of Morocco



Re: freeradius + ldap

2004-01-14 Thread Alan DeKok
Joe Hetrick <[EMAIL PROTECTED]> wrote:
> After some thought, I changed my crypt in the LDIF to something else, 
> first SSHA, and then MD5, and all of a sudden
> auth worked (with both).  Clearly I have a problem with CRYPT...

  I recall something a while ago about link ordering with crypt on
*BSD.  Something about another library (maybe OpenSSL) supplying a
crypt which over-rode the BSD crypt, but didn't do the same thing.

  It sounds like the same problem to me.

> It wouldn't be a big deal, except I have many crypt'd PW's I'd intended 
> on migrating into my directory that I would like  radius to auth 
> against.

  You should be able to get it to work, but you've got to figure out a
way to get the dynamic linker on your system to give FreeRADIUS
the *correct* version of crypt.  Maybe LD_PRELOAD will help here...

  Alan DeKok.



RE: Blank username/password

2004-01-14 Thread Adil Bikarbass
I've tried this too but with the same result when the username is not
empty it's accepted otherwise it's rejected,

The problem is with empty usernames/passwords, once again i want to grant
access based on the Called-Station-Id no matter what the username is
(empty username).

Any tips?

Thanks

 On Wed, 14 Jan 2004, Anson Rinesmith wrote:

>
> >Our users file contains the following DEFAULT entry :
>
> You have
> >DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"
>
> DEFAULT Called-Station-ID == "9995551234", Auth-Type := "Accept"
>
> Is Closer to what you need in your users file
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-- 
|-Adil Bikarbass
|-IT Manager
|-MTDS S.A.
|-tel +212.3.767.4861
|-fax +212.3.767.4863
|-gsm +212.6.139. 4541
|-14, rue 16 novembre
|-Rabat, Kingdom of Morocco



RE: Blank username/password

2004-01-14 Thread Anson Rinesmith

>Our users file contains the following DEFAULT entry :

You have
>DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"

DEFAULT Called-Station-ID == "9995551234", Auth-Type := "Accept"

Is Closer to what you need in your users file





Re: LEAP Check Attributes ?

2004-01-14 Thread Alan DeKok
"Markus Bangerter" <[EMAIL PROTECTED]> wrote:
...
> with this users file it seems to work.

> but i still got one problem. i want to have the "Client-IP-Address"
> attribute on the second line in the "users" file,

  Why?  Did you not read the "man" page, which explains that the
format of the entries is important?  Or do you think that those
restrictions don't mean anything, or don't apply to you?

> [/etc/raddb/users]:12 WARNING! Check item "Client-IP-Address" found in
> reply item list for user "mbangerter". This attribute MUST go on the first line
> with the other check items
> 
> what am i doing wrong here ?

  What part of that message do you not understand?

  Alan DeKok.



Re: Re[5]: Rewrite function as in gnu radius.

2004-01-14 Thread Alan DeKok
"P.P." <[EMAIL PROTECTED]> wrote:
> I'm still having some troubles - it took me some time to figure out
> that authorize is called before authenticate (I saw output from -X but
> couldn't understand why authorize is before authenticate)

  doc/aaa.txt ?

> Any comments on that?? Am I supposed to keep those two hashes untouched..??

  You should be able to edit them.

> Another thing is still unclear to me - I needed to set User-Password
> = "something"; not Auth-Type= "auth module" to choose authentication
> method... Can I explicitly specify authentication I want the request to
> take??

  Yes.  That's what the Auth-Type attribute is for.

  But in many cases, it's better for the server to figure it out on
its own.

  Alan DeKok.



Re: Freeradius using a Cistron users file.

2004-01-14 Thread Alan DeKok
"Alex Moen" <[EMAIL PROTECTED]> wrote:
> Actually, yes it does look like a crypted password. 

So when you wrote:

> > > The weird thing is that when I use "IZOofOc2ONteU" as a
> > > password in radtest, ...

  You meant that you were using "IZOofOc2ONteU" as a clear-text
password, right?  Otherwise, I don't understand why you would be
putting a crypt'd password into radtest.  The User-Password attribute
takes a clear-text password.  See the RFC's.

> Hung up?  What do you mean, hung up?  This user file works perfectly
> with Cistron,

  FreeRADIUS != Cistron

> However, in a *real life* scenario, where no one will use clear-text
> passwords in a users file,

  I disagree completely.  See the FAQ.  Clear-text passwords are the
*only* way of getting CHAP, MS-CHAPv1, MS-CHAPv2, and EAP-MD5 to
work.  There are *lots* of people with clear-text passwords in the
"users" file.

>  it does NOT work.  As I have shown you again and again with my
> examples.

  The problem I have is that your examples contradict what you claim
you want.  I've been quite confused as to what you're doing, and why.

> I have read the FAQ, which, BTW, is almost word-for-word from
> the Cistron website

  Because the same people wrote both.

>  and shows "incorrect" config lines when comparing it to the man
> pages and user file.

  Submit a patch.

> At least I can get that to work.  I thought I would try something
> new, but I don't have the time to deal with a piece of software that
> does not do what it's docs say it should in a given situation, or
> where I get dumped on for asking a reasonable question and supply
> supporting documentation.

  You were getting "dumped on"?  I thought I was telling you pointedly
that I didn't understand what you were trying to do, or why.  I was
asking you for more information, so I *could* understand your
situation, and help you.  Once again, I don't understand...


  In any case, I see now that Chris read through what you said, to
understand what you intended.  I guess I'm a little naive, in that I
take what people say at face value.

  Alan DeKok.
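
Why the CHAP family needs the clear-text password, as an added example (not code from this thread or from FreeRADIUS): the CHAP response is an MD5 over the identifier, the password and the challenge (RFC 1994), so a server that stores only a one-way hash cannot recompute it, while PAP can still be checked against the hash. The salted SHA-1 stands in for a crypt'd password; all names and values are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP: MD5(identifier byte || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_password(ident, password, challenge):
    """Client side: CHAP-Password value = identifier byte + 16-byte response (RFC 2865)."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def salted_hash(password, salt):
    """Stand-in for a crypt'd password: one-way, the password cannot be recovered from it."""
    return hashlib.sha1(password + salt).digest()


def check_pap(stored_hash, salt, submitted_password):
    """PAP: the server sees the submitted password, so it can hash it and compare."""
    return hmac.compare_digest(salted_hash(submitted_password, salt), stored_hash)


def check_chap(stored_secret, chap_password, challenge):
    """CHAP: the server must recompute the MD5 itself from whatever it has stored."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password = b"example-password"        # constructed value
    salt = os.urandom(8)
    stored_hash = salted_hash(password, salt)

    challenge = os.urandom(16)             # sent to the client by the NAS
    chap_password = build_chap_password(0x2A, password, challenge)

    return {
        # Hashed storage is enough for PAP.
        "pap_against_hash": check_pap(stored_hash, salt, password),
        # Clear-text storage lets the server verify CHAP.
        "chap_against_cleartext": check_chap(password, chap_password, challenge),
        # With only the hash stored, the correct user still fails CHAP.
        "chap_against_hash": check_chap(stored_hash, chap_password, challenge),
        "chap_wrong_password": check_chap(b"wrong", chap_password, challenge),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```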



Blank username/password

2004-01-14 Thread Adil Bikarbass
Dear all,

Thanks first of all for making this list available.

I'm new to this list, i've searched the mail archive regarding my problem
but in vain. I'm running Freeradius 0.9.3 using flat users file. I want
to grant access to our dialup users based on the number
called (Called-Station-Id) no need for a username or a password.

Our users file contains the following DEFAULT entry :

DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"

What happens is that when a user calls the right phone number and provide
a blank username/password he got rejected. But when the user put any
character as a username he got connected.

How can we have the user either type a blank username or any string as
username and get authenticated?

Please advise


-- 
|-Adil Bikarbass
|-MTDS S.A.
|-tel +212.3.767.4861
|-fax +212.3.767.4863
|-gsm +212.6.139. 4541
|-14, rue 16 novembre
|-Rabat, Kingdom of Morocco



RE: Freeradius using a Cistron users file.

2004-01-14 Thread Chris Parker
At 08:14 AM 1/14/2004, Alex Moen wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of Chris Parker
> > Sent: Tuesday, January 13, 2004 5:36 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Freeradius using a Cistron users file.
> >
> > Perhaps rather than storing a crypted password in the
> > plaintext Password attribute, you could try using the
> > 'Crypted-Password' attribute.
> >
> > -Chris
>
> Thank you, Chris, for the advice.  That worked.  Is that documented
> anywhere, other than maybe the O'Reilly Radius book (that I don't have)?  I
> could not find it anywhere in the man pages, docs, faq, etc.

I'm adding an example of using a 'Crypt-Local' and 'Crypted-Password' entry
to the CVS users file.  We've got examples for 'Local' and 'User-Password'
so it makes sense to have the Crypted ones as well.

> The confusion on this whole thing stemmed from the fact that I am trying to
> integrate a freeradius server into an existing Cistron environment, and the
> way we have configured the users file is to put an encrypted password string
> into the Password attribute...

Yep, while FR descended from Cistron, it's not quite the same in terms of
how it handles and parses things.

Glad it's working for you now.  :)

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: Sending VAR's

2004-01-14 Thread Chris Parker
At 07:01 PM 1/13/2004, [EMAIL PROTECTED] wrote:
> How do I send the attributes back to the NAS with the Accept packet ?

Add them to the Reply-Items in the users profile.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: problem with ms-chap + mysql auth

2004-01-14 Thread Georgi Ivanov
On Wednesday 14 January 2004 14:03, Anton Golubev wrote:
Thanks Anton 
> Hi George,
>
> If you use linux with pppd, try to upgrade the second to the latest CVS
> version. Read how to access it at www.samba.org/ppp. Latest version
> contains my patch for radius module, which fixes very similar looking
> bug.
>
> Cheers,
> Anton
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Georgi
> Ivanov
> Sent: Wednesday, January 14, 2004 1:13 AM
> To: [EMAIL PROTECTED]
> Subject: problem with ms-chap + mysql auth
>
> Hello list i have a problem with ms-chap and mysql

-- 
Aii Data Processing
System Administrator
IT Department




PEAP authentication very strange problem! PLEASE HELP

2004-01-14 Thread garelli
hello everyone,
I have a very strange problem while I try to do PEAP authentication...
I have successfully made TLS authentication, TTLS also works with secureW2
client, but when I tried to do PEAP authentication, I have a very strange
problem:
I am using a snapshot of freeradius from 2004/01/04, my supplicant is
windows XP SP1 with all patch, and when I do PEAP authentication, all is
fine for freeradius : I have an access accept and MPPE received and send
key that are printed out. all seems to be good, my AP (which is cisco ap)
says in the log : "eap authenticated successfull = username ", the same
message that I had when TLS and TTLS worked.
But in the same time, in Windows side, I have already the same message :
"wait for authentication" and it's not really authenticated because I
can't do a ping or something like that. I dont have the good message :
authentication successfull, which appeared with TLS and TTLS.
But why ??? I really don't understand what is not good here... I think it's
a problem in windows side, don't you think so?? Is it possible to be a
problem with freeradius or my AP ?? please if someone knows, help me!

Renaud Garelli




RE: Freeradius using a Cistron users file.

2004-01-14 Thread Alex Moen
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Chris Parker
> Sent: Tuesday, January 13, 2004 5:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Freeradius using a Cistron users file. 

> Perhaps rather than storing a crypted password in the 
> plaintext Password attribute, you could try using the 
> 'Crypted-Password' attribute.
> 
> -Chris


Thank you, Chris, for the advice.  That worked.  Is that documented
anywhere, other than maybe the O'Reilly Radius book (that I don't have)?  I
could not find it anywhere in the man pages, docs, faq, etc.

The confusion on this whole thing stemmed from the fact that I am trying to
integrate a freeradius server into an existing Cistron environment, and the
way we have configured the users file is to put an encrypted password string
into the Password attribute...

Thanks again.  That's all I needed to get it to work.

Alex




Re: LEAP Check Attributes ?

2004-01-14 Thread Markus Bangerter
Hi

>   Read the man page for the "users" file.  You're not going to send
> the Client-Ip-Address attribute back to the NAS, so it becomes pretty

yes, reading the manpage for the "users" file make it pretty clear to me,
i just overlooked it. actually it looks like:
#-
#
testuser User-Password == "wlan", Client-IP-Address == "192.168.199.199"
#
00093dc65a54 User-Password == "00093dc65a54"
#-
with this users file it seems to work. if the testuser nas-ip is not the same
i get: rlm_eap_leap: No User-Password or NT-Password configured for this
user

but i still got one problem. i want to have the "Client-IP-Address" attribute
on the second line in the "users" file, so i did:

testuser	User-Password == "wlan"
	Client-IP-Address == "192.168.199.199"  --> note the tab in front !

then i got radiusd -X:

[/etc/raddb/users]:12 WARNING! Check item "Client-IP-Address" found in
reply item list for user "mbangerter". This attribute MUST go on the first line
with the other check items

what am i doing wrong here ?

help appreciated, markus
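
The two users-file mistakes discussed in the "Blank username/password" and "LEAP Check Attributes" threads (a misspelled DEFAULT, and a check item placed on an indented reply line), as an added example that is not part of any post or of FreeRADIUS: a small Python linter run over a constructed sample file. The function names, finding codes and the 0.8 similarity threshold are assumptions of this example; it also flags an Auth-Type := Accept entry that has no comparison on its first line.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: the two mistakes from the threads plus one bare Accept entry.
SAMPLE_USERS = '''\
# constructed sample, not a real configuration
DEFAUTL Auth-Type := Accept, Called-Station-Id == "1"

testuser User-Password == "wlan"
\tClient-IP-Address == "192.168.199.199"

DEFAULT Auth-Type := Accept
\tFall-Through = Yes
'''

# attribute, operator, value; longer operators come first so ":=" is not read as "=".
ITEM_RE = re.compile(
    r'([A-Za-z0-9_-]+)\s*(:=|==|\+=|!=|=~|!~|<=|>=|=\*|!\*|=|<|>)\s*("[^"]*"|[^,\s]+)'
)
COMPARE_OPS = {"==", "!=", "=~", "!~", "<", ">", "<=", ">=", "=*", "!*"}


def parse_users(text):
    """Split a users file into entries: name, check items (first line),
    reply items (the indented lines that follow)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            # Indented line: reply items of the entry that is currently open.
            if entries:
                entries[-1]["reply"] += [(lineno, *m) for m in ITEM_RE.findall(line)]
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        entries.append({"name": parts[0], "line": lineno,
                        "check": ITEM_RE.findall(rest), "reply": []})
    return entries


def lint_users(text):
    """Return sorted (line, code, message) findings for a users file."""
    findings = []
    for entry in parse_users(text):
        name = entry["name"].upper()
        # A near-miss of DEFAULT is read as an ordinary user name.
        if name != "DEFAULT" and SequenceMatcher(None, name, "DEFAULT").ratio() >= 0.8:
            findings.append((entry["line"], "NAME_TYPO",
                             f'{entry["name"]!r} is close to DEFAULT but is read as a user name'))

        accepts = any(attr == "Auth-Type" and val.strip('"') == "Accept"
                      for attr, _, val in entry["check"])
        gated = any(op in COMPARE_OPS for _, op, _ in entry["check"])
        if accepts and not gated:
            findings.append((entry["line"], "ACCEPT_NO_CONDITION",
                             "Auth-Type := Accept with no comparison on the first line"))

        # Comparison operators belong to check items, which go on the first line.
        for lineno, attr, op, _ in entry["reply"]:
            if op in COMPARE_OPS:
                findings.append((lineno, "CHECK_OP_IN_REPLY",
                                 f'"{attr} {op} ..." is a check item on a reply line'))
    return sorted(findings)


if __name__ == "__main__":
    for line, code, message in lint_users(SAMPLE_USERS):
        print(f"line {line}: {code}: {message}")
```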



RE: problem with ms-chap + mysql auth

2004-01-14 Thread Anton Golubev
Hi George,

If you use linux with pppd, try to upgrade the second to the latest CVS
version. Read how to access it at www.samba.org/ppp. Latest version
contains my patch for radius module, which fixes very similar looking
bug.

Cheers,
Anton


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Georgi
Ivanov
Sent: Wednesday, January 14, 2004 1:13 AM
To: [EMAIL PROTECTED]
Subject: problem with ms-chap + mysql auth

Hello list i have a problem with ms-chap and mysql

--
Aii Data Processing
System Administrator
IT Department






RE: help with freeRADIUS user groups

2004-01-14 Thread João Filipe Frade
> My vision was to create 2 groups, a dialup group and a
> wifi group and place users appropriately.  This is
> so a dialup account doesn't authorize use on the wifi NAS
> and vice versa.  Simple.

Define a group check (in the radgroupcheck table) for each
group (e.g. DIALUP Called-Station-Id := ).

> While I was reading up on groups, though, it didn't become
> obvious how to set such a system up.  I have half a mind
> now to run 2 separate RADIUS servers, but I wanted
> to get an opinion from the mailing list first.

I am running a FreeRadius with mysql and i have about 10 different groups created.

> If there is a way to acomplish this using groups, could 
> one of you help point me in the right direction?

http://www.frontios.com/freeradius.html

Good luck,

Joao Frade








Re: Disable Multiple Logins in a row (not at the same time)

2004-01-14 Thread Bruce Cook
The way I do this is to keep my radacct in an SQL database, to which I've
added several columns. then I use the rlm_perl with a bit of code like this:
sub authorize
{
   # Check for probation period
   if(db_probation($RAD_CHECK{UserName})) {
       radiusd::radlog(L_INFO, "Client $RAD_CHECK{UserName} Attempted to log in during probation");
       return RLM_MODULE_REJECT;
   }

   # return the result
   return RLM_MODULE_OK;
}

sub db_probation {
   my ($UserName)= @_;
   my $probation= 0;

   # Get the database handle
   my($dbh, $err)= db_open();
   if(defined $dbh) {
       # Fetch the probation entry. Bind the values as placeholders rather
       # than interpolating the user name into the SQL string.
       my $query= "select * from radacct Where UserName=? and ProbationTo>?";
       if(my $q= $dbh->prepare($query)) {
           if($q->execute($UserName, time())) {
               if($q->fetchrow_hashref) {
                   # There is a probation entry !
                   $probation= 1;
               }
           } else { $err= "failure executing probation query: ".$dbh->errstr; }

           # Close the query
           $q->finish();
       } else { $err= "failure preparing probation query: ".$dbh->errstr; }
   }

   # Return whatever we found.
   return $probation;
}


There's actually quite a bit more happening around the edges with this module
on our system, so that code I've trimmed out probably won't work as is,
however you can see what it's doing.

When I terminate a session because of congestion, I set the column "ProbationTo"
for the session I've terminated to be an epoch time 15 minutes in the future, and
when the user tries to log in before then the record is found and authorisation
is rejected.

db_open() is simply a perl function I use to do a DBI::new to open the database handle
and then cache it.

I also realise now that I'm re-reading the code that I've failed to handle error conditions,
I'll have to fix that :-)



Bruce





John Eckert wrote:

Thanks.

I have included the "rlm_counter" module in my radiusd.conf and
each time the server gets a "stop" request he adds the Acct-Session-Time.
Looks like this:

rlm_counter: Packet Unique ID = '5bf5b6a4e87be179'
rlm_counter: Counter Unique ID = '5dddb8291191804a'
rlm_counter: User=john, Counter=488.
rlm_counter: User=john, New Counter=524.
 modcall[accounting]: module "daily" returns ok for request 31
But how can I set a maximum usage time? I have added

Max-Daily-Session  =  500

to my "radgroupreply" table but I can still logon, even with my counter
being at 524.
And, the attribute "session-timeout" isn't added to the reply, so my
NAS doesn't log out the user, either.
Any short or long hints?

Version info: freeradius 0.9.2-4 on debian, mysql database

Thank you

John Eckert.

On Thursday, 8 January 2004 11:53 -0500 Alan DeKok <[EMAIL PROTECTED]> wrote:

John Eckert <[EMAIL PROTECTED]> wrote:

I have successfully configured my freeradius server to answer the
accounting request and to give the user an internet access for let's
say 30 Minutes. After 30 Minutes the user gets kicked.
_But_: After he gets kicked he is able to login again with the
same username and password.
Is there a way to prevent this?


  rlm_counter

  Gives the user limited time access per day/week/month/whatever

  Alan DeKok.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




John E.
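
The probation mechanism described in the message above, written out as an added example (it is not Bruce Cook's code): it records a 15-minute ProbationTo on the terminated session and checks it with bound parameters. It assumes DBD::SQLite, with an in-memory table standing in for radacct; the function names set_probation and on_probation and the sample rows are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: in-memory SQLite stands in for the real radacct table.
# RaiseError makes a database failure die instead of reading as "no probation".
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE radacct (AcctSessionId TEXT, UserName TEXT,
                                ProbationTo INTEGER DEFAULT 0)");

# Constructed sample sessions.
$dbh->do("INSERT INTO radacct (AcctSessionId, UserName) VALUES (?, ?)",
         undef, @$_) for (["s-1", "john"], ["s-2", "alice"]);

my $PROBATION_SECS = 15 * 60;

# Called when a session is terminated because of congestion.
sub set_probation {
    my ($session_id, $now) = @_;
    return $dbh->do("UPDATE radacct SET ProbationTo = ? WHERE AcctSessionId = ?",
                    undef, $now + $PROBATION_SECS, $session_id);
}

# Returns 1 if the user has an unexpired probation entry, 0 if not.
sub on_probation {
    my ($user, $now) = @_;
    my ($count) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND ProbationTo > ?",
        undef, $user, $now);
    return $count ? 1 : 0;
}

my $t0 = time();
set_probation("s-1", $t0);    # john's session was just terminated

# Constructed cases: inside the window, after it, another user, and a
# user name containing quote characters, which is matched literally.
for my $case (["john", $t0 + 60], ["john", $t0 + $PROBATION_SECS + 1],
              ["alice", $t0 + 60], ["x' OR '1'='1", $t0 + 60]) {
    my ($user, $when) = @$case;
    printf "%-14s +%4ds -> %s\n", $user, $when - $t0,
           on_probation($user, $when) ? "reject" : "ok";
}
```

In an rlm_perl authorize handler, a die from the database layer would need to be caught and mapped to a module failure code rather than to an accept.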


Re: QLSBJ, plodded no farther

2004-01-14 Thread Saundra


Banned CD! Government don't want me to sell it. See Now &

