Re: LEAP with iPAQ 5450, Cisco 340 Series AP, and freeradius

2004-02-21 Thread Alan DeKok
Michael Griego <[EMAIL PROTECTED]> wrote:
> I'll take a look at the patch that gets submitted, but technically, the
> HP client is correct per the RFCs.  The EAP RFC simply says that the
> sequence number must be "different".  Only the EAP-TLS RFC states that
> the sequence number must be numerically sequential.

  LEAP isn't in an RFC.  And so far as RADIUS & EAP interaction, no
EAP variant other than LEAP sends an EAP "Request" packet to a RADIUS
server.

  LEAP is implemented the way it is because it interoperates with
Cisco clients, which behave in the expected way.  HP does it
differently... if they're interoperable with Cisco ACS, then I guess
we should make the LEAP handling a little more forgiving.

> Hmm... as per above, this may need to be looked at...  Non-TLS EAP types
> must be able to handle non-sequential sequences while the TLS-based EAP
> types must be sequential to be RFC-compliant.

  I haven't seen any interoperability problems until now, so I'm
hesitant to change the code.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radius document

2004-02-21 Thread Alan DeKok
"Truong Manh Cuong" <[EMAIL PROTECTED]> wrote:
> Where can I upload it so that someone can modify and add more to it, and
> then all newbies can read it?

  A web page?

  The only time code or documentation is included with the server is
after it has been reviewed.  I regularly get emails asking for write
access to the source repository, so someone can add their favourite
patch.  The answer is always "No.  Show me the patch first."

  Alan DeKok.



Radius document

2004-02-21 Thread Truong Manh Cuong
Hi all, I see that there are so few documents about freeradius. I use a
postgresql database and I have my own document for radius and the
dialup_admin web interface.

Where can I upload it so that someone can modify and add more to it, and
then all newbies can read it?

The mailing list is a good way, but sometimes I see that there are some
questions that newbies ask again and again, and you have to waste your
time replying.

Thanks and Regards,
Manh Cuong.


Re: LEAP with iPAQ 5450, Cisco 340 Series AP, and freeradius

2004-02-21 Thread Michael Griego
>   The State is OK.  That's good.  The EAP-Message starts off with
> "0x0100", which looks like the correct EAP packet type (1), but the
> wrong sequence number (0).  The client SHOULD have responded with a
> sequence number of 4, I think.  At least, that's what the Cisco
> clients do.

I'll take a look at the patch that gets submitted, but technically, the
HP client is correct per the RFCs.  The EAP RFC simply says that the
sequence number must be "different".  Only the EAP-TLS RFC states that
the sequence number must be numerically sequential.


>   And the EAP module doesn't see a sequence number of 4, so it ignores
> the request.

Hmm... as per above, this may need to be looked at...  Non-TLS EAP types
must be able to handle non-sequential sequences while the TLS-based EAP
types must be sequential to be RFC-compliant.


-- 

--Mike
 
--
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas




Re: LEAP with iPAQ 5450, Cisco 340 Series AP, and freeradius

2004-02-21 Thread Alan DeKok
Derek Orpen <[EMAIL PROTECTED]> wrote:
> In any case, I created a special build of freeradius that works with
> the HP client and was able to complete my testing. Thanks for pointing
> me in the right direction.

  That's what I'm here for.

  Can you post a patch, so others don't run into the same issue?

  Alan DeKok.



Re: LEAP with iPAQ 5450, Cisco 340 Series AP, and freeradius

2004-02-21 Thread Derek Orpen
Thanks for taking the time to look at this, Alan. This is the leap 
client HP has available for download for the iPAQ 5450 on their 
website. Sounds like they should fix their client.

In any case, I created a special build of freeradius that works with
the HP client and was able to complete my testing. Thanks for pointing
me in the right direction.

- Derek


On 20-Feb-2004 22:17 Alan DeKok wrote:
| Derek Orpen <[EMAIL PROTECTED]> wrote:
| > The AP responds correctly to the first challenge sent by freeradius. 
| > But freeradius doesn't seem to know what to do with the challenge 
| > from the AP.
| 
|   The AP isn't sending challenges...
| 
| > Sending Access-Challenge of id 231 to 209.47.155.132:1255
| >   EAP-Message = 0x03030004
| >   Message-Authenticator = 0x
| >   State = 0xa0c5f9550e7600ebdc8e2ea363823f9d
| > Finished request 22
| 
|   Note the "0x0303" from the EAP-Message.  It indicates EAP success,
| and a sequence number of 3.
| 
| > rad_recv: Access-Request packet from host 209.47.155.132:1256, id=232,
| > length=179
| 
| >   State = 0xa0c5f9550e7600ebdc8e2ea363823f9d
| ...
| >   EAP-Message = 0x01161101000889df7f1f20328e24646f7270656e
| 
|   The State is OK.  That's good.  The EAP-Message starts off with
| "0x0100", which looks like the correct EAP packet type (1), but the
| wrong sequence number (0).  The client SHOULD have responded with a
| sequence number of 4, I think.  At least, that's what the Cisco
| clients do.
| 
| >   rlm_eap: Request not found in the list
| > rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
| > EAP-request
| 
|   And the EAP module doesn't see a sequence number of 4, so it ignores
| the request.
| 
|   It should be possible to fix the server to be a little more
| forgiving, but my first question is why does that LEAP client do
| something different from every other LEAP client...
| 
|   Alan DeKok.
| 

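An added example, not from this thread and not FreeRADIUS code, for the two LEAP messages above (Michael Griego's note on sequence numbers and Derek Orpen's trace): it decodes the EAP-Message attributes from the radiusd trace and applies the identifier rule Alan describes (the peer's next packet carries the id after the one the server last sent), so the "Request not found in the list" outcome for the HP client can be reproduced offline. Assumptions: the server's 0x03030004 is taken verbatim from the trace; the Access-Request's EAP-Message as printed in the archive does not parse with a consistent Length field, so the two client packets are constructed as complete 22-byte LEAP Requests (type 0x11, version 1, 8-byte challenge 89df7f1f20328e24, name "dorpen"), with id 0 for the HP client and id 4 for a Cisco-style client; the sequencing check is the rule stated in the thread, not a copy of rlm_eap's code, and takes no position on which client is right per the RFCs.

```python
"""Added example (not from the thread, not FreeRADIUS code): decode the
EAP-Message attribute from a RADIUS debug trace and apply the LEAP
identifier rule described in the thread.

Assumptions: SERVER_SENT_HEX is from the trace; the two client packets
are constructed; server_accepts() models "next id = last id the server
sent + 1", not rlm_eap's actual handler lookup.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_LEAP = 17  # Cisco LEAP, the only EAP type whose peer sends a Request to the server

# From the trace: the Access-Challenge the server sent (EAP Success, id 3).
SERVER_SENT_HEX = "03030004"
# Constructed: what the thread says a Cisco client sends next
# (Request, id 4, length 22, type 0x11, version 1, 8-byte challenge, name "dorpen").
CISCO_STYLE_HEX = "0104001611010008" "89df7f1f20328e24" "646f7270656e"
# Constructed: the same packet as the HP client is described as sending it (id 0).
HP_STYLE_HEX = "0100001611010008" "89df7f1f20328e24" "646f7270656e"


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Type
    type_data: bytes


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field {length} does not match {len(raw)} bytes on the wire")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        return EapPacket(code, ident, length, raw[4], raw[5:])
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:
            raise ValueError("Success/Failure carry no data")
        return EapPacket(code, ident, length, None, b"")
    raise ValueError(f"unknown EAP code {code}")


def parse_leap(pkt: EapPacket) -> Tuple[int, bytes, str]:
    """Split LEAP Type-Data into (version, challenge, peer name)."""
    if pkt.eap_type != EAP_TYPE_LEAP or len(pkt.type_data) < 3:
        raise ValueError("not a LEAP packet")
    version, _unused, count = pkt.type_data[0], pkt.type_data[1], pkt.type_data[2]
    challenge = pkt.type_data[3:3 + count]
    if len(challenge) != count:
        raise ValueError("truncated challenge")
    name = pkt.type_data[3 + count:].decode("ascii", errors="replace")
    return version, challenge, name


def server_accepts(last_sent_id: int, pkt: EapPacket) -> bool:
    """Sequencing rule from the thread: the peer's next packet must carry the
    identifier after the one the server last sent (identifiers wrap at 256)."""
    return pkt.identifier == (last_sent_id + 1) % 256


def explain(last_sent_hex: str, client_hex: str) -> str:
    """Verdict a server-side debug log would give for the client's packet."""
    sent = parse_eap(bytes.fromhex(last_sent_hex))
    got = parse_eap(bytes.fromhex(client_hex))
    if server_accepts(sent.identifier, got):
        return f"id {got.identifier} follows id {sent.identifier}: handler found"
    return (f"id {got.identifier} does not follow id {sent.identifier}: "
            "Request not found in the list")


if __name__ == "__main__":
    for label, h in (("Cisco-style", CISCO_STYLE_HEX), ("HP-style", HP_STYLE_HEX)):
        pkt = parse_eap(bytes.fromhex(h))
        ver, chal, name = parse_leap(pkt)
        print(label, "LEAP v%d challenge=%s name=%s" % (ver, chal.hex(), name))
        print("  ", explain(SERVER_SENT_HEX, h))
```

Running it prints the decoded LEAP challenge for both constructed packets and the "handler found" / "Request not found in the list" verdict for each, which is the only difference between the two: same type, same challenge, same name, different identifier.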


Programmer needed to work on custom developments of freeradius

2004-02-21 Thread hamed akhavan
Hi,

I am sorry if this is the wrong place to post this message; however, we need
someone who knows freeradius quite well to work on it for us. We need a
programmer to customise a certain feature within FreeRadius+MySQL for us, and
it would be appreciated if you could send me your details and past experience
if you are interested in working on this. Preferably a freelancer is ideal
for this temp work. E-mail me and I will send you details of what needs to
be done...

a basic overview of the requested task is:
"Radius Proxy" for a Calling Card database as well as "local database 
management" and filtering of attributes based on local database before 
sending to "remote server"...

Regards
Hamed Nik



Recommended required reading: "How To Ask Questions The Smart Way" howto

2004-02-21 Thread Jeff Warnica

I will readily admit that it is perhaps a little heavy handed, and
possibly even condescending, but I remind everyone of the existence of the
"How To Ask Questions The Smart Way" howto.

http://www.catb.org/~esr/faqs/smart-questions.html

Since it also implicitly covers generic debugging techniques, the
process of asking a "smart question" may very well solve your problem.




Re: Port limit & concurrency checks, wholesale accounting, and dealing with dead servers

2004-02-21 Thread Alan DeKok
"Troy Settle" <[EMAIL PROTECTED]> wrote:
> I'm sorry, I thought this was why most radius servers now have
> concurrency checking built in.  Why would FreeRadius have something like
> radcheck if not to enforce the total number of concurrent logins each
> user is allowed to have?

  FreeRADIUS does this when configured, but it doesn't currently use
Port-Limit to enforce that when home servers ask for limiting
concurrent logins.

> So, NAS-1 is supposed to know that [EMAIL PROTECTED] is logged in
> on NAS-2 and not allow the connection?  I don't know what equipment
> you're using Alan, but my boxes (Lucent TNT) do not talk amongst
> themselves from pop to pop.

  I understand.  But can't the home server track and enforce
simultaneous access?  That makes a huge amount of more sense.

  Think of what happens when there are 4 POP providers doing
proxying.  A home server sends each "Port-Limit = 2" for a user, and
now the user can login 8 times!  The horror!

  It's not up to the proxying server to enforce concurrent logins for
a home server.  And Port-Limit is NOT the right attribute to use.
From the RFCs, Port-Limit:

---
is intended for use in conjunction with Multilink PPP [12] or
similar uses.
---

  I'm not sure that Multilink PPP works across multiple NASes.  If it
does, then there's some reason for a proxying server to remember and
enforce Port-Limit.  If it doesn't, then the proxying server should
send the attribute back to the NAS, and forget about it.

> The problem when you're a proxy server, is that you don't know how many
> ports (logins) a particular user is allowed unless the home server sends
> a radius attribute such as 'Port-Limit' in response to the
> authentication request.

  Please explain why it's the responsibility of the proxy server to
track this.  Please explain how this works across multiple POP
providers.

  It doesn't.  Port-Limit isn't intended to limit concurrent access.

> In this case, it shouldn't even be difficult.  Freeradius already has
> concurrency checks (awkwardly called simultaneous-use).  I just need to
> know how to enforce those checks based on information passed from the
> home server.

  Put the Port-Limit into a database, and do:

DEFAULT   Realm = "port-limit-realm", Simultaneous-Use = `%{db: get Port-Limit}`

  Dynamic expansion of variables is a cool thing.

>  I also need to know how to track those limits so that I can
> accurately bill the VISP for his customers that are allowed to use
> multiple ports (multiple ports per login, or just multiple logins
> per customer).

  You don't track the limits.  You enforce the limits.  Once you
enforce the limits, you record user activity in your accounting logs.
You then bill from those accounting logs.

  What the home server sent for Port-Limit is irrelevant, unless
you're billing based on services the user *could* have used, but chose
not to.  In that case, you can bill them infinite amounts for
providing no services...

> Ok, at the end of the month, how does rlm_counter tell me the
> min/max/average/95th-percentile for each realm?

  No, but it's a simple DB.  There's a perl script to root through
it.  You can edit the script to get such statistics.

> I was thinking something more along the lines of a check item to
> determine if the home server is dead or alive.

  That would be a good idea.  Patches are welcome.

> One person responded with the suggestion of a second entry in the
> proxy.conf that points to an open server, which I do now.  I was
> hoping to be able to do this in a single server.

  Please read proxy.conf.  There is a configuration entry which tells
the server whether or not to fail over to a DEFAULT realm if all home
servers are marked dead.  That DEFAULT realm may be LOCAL, in which
case it's handled locally...

  Alan DeKok.



rlm_ippool: could not find Pool-Name attribute

2004-02-21 Thread Rogelio Alvarado Anchisi
Hello, I find this message always, even when it's sending an accept
message to the NAS.

I've found several help messages, but they are oriented to files, not
to SQL.

How do I fix it in MySQL? HELP

Rogelio Alvarado Anchisi
Ing. de Sistemas
Galaxy Communications Corp.
Tel. +507-2633021
Cel. +507-6744093


rlm_ippool

2004-02-21 Thread Rogelio Alvarado Anchisi
When users are logging in I see this error:

rlm_ippool: Could not find Pool-Name attribute

How do I set it up?

Rogelio Alvarado Anchisi
Ing. de Sistemas
Galaxy Communications Corp.
Tel. +507-2633021
Cel. +507-6744093


RE: Port limit & concurrency checks, wholesale accounting, and dealing with dead servers

2004-02-21 Thread Troy Settle

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Alan DeKok
> Sent: Friday, February 20, 2004 3:25 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Port limit & concurrency checks, wholesale 
> accounting, and dealing with dead servers 
> 
> 
> "Troy Settle" <[EMAIL PROTECTED]> wrote:
> > I've searched a bit on this, but am coming up empty handed so far.  Can
> > anyone point me in the right direction for enforcing port-limit as
> > passed by the home server?
> 
>   I don't think you're supposed to enforce it.  The NAS is supposed to
> enforce it.

I'm sorry, I thought this was why most radius servers now have
concurrency checking built in.  Why would FreeRadius have something like
radcheck if not to enforce the total number of concurrent logins each
user is allowed to have?

So, NAS-1 is supposed to know that [EMAIL PROTECTED] is logged in
on NAS-2 and not allow the connection?  I don't know what equipment
you're using Alan, but my boxes (Lucent TNT) do not talk amongst
themselves from pop to pop.

The problem when you're a proxy server, is that you don't know how many
ports (logins) a particular user is allowed unless the home server sends
a radius attribute such as 'Port-Limit' in response to the
authentication request.  If there's a mechanism in Freeradius for this,
I've not yet seen it.

> 
> > I've come to the conclusion that depending on my wholesale customers
> > to enforce concurrency limits is not getting me very far.
> 
>   It's difficult to solve political problems in software.  Not
> impossible, just difficult.

In this case, it shouldn't even be difficult.  Freeradius already has
concurrency checks (awkwardly called simultaneous-use).  I just need to
know how to enforce those checks based on information passed from the
home server.  I also need to know how to track those limits so that I
can accurately bill the VISP for his customers that are allowed to use
multiple ports (multiple ports per login, or just multiple logins per
customer).

> 
> > Second, does anyone have any suggestions/scripts/whatever for tracking
> > port usage on a per-realm basis?
> 
>   Per-realm rlm_counter?

Ok, at the end of the month, how does rlm_counter tell me the
min/max/average/95th-percentile for each realm?

I was hoping for something more along the lines of a script written in
whichever language that could parse out a detail file or SQL database
for a given time period and report back.

I could do this with MRTG or similar, but I'd rather not.

> 
> > Finally, if a home server is marked as dead, is there a way I can get
> > Freeradius to go ahead and authenticate the caller under a special
> > profile?
> 
>   DEFAULT realm.

I was thinking something more along the lines of a check item to
determine if the home server is dead or alive.  One person responded
with the suggestion of a second entry in the proxy.conf that points to
an open server, which I do now.  I was hoping to be able to do this in a
single server.

--
  Troy Settle
  Pulaski Networks
  http://www.psknet.com
  866.477.5638


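An added example, not from this thread and not FreeRADIUS code, covering two things from the Port-Limit exchange above: Alan's suggestion to put the home server's Port-Limit into a database and expand it into Simultaneous-Use (here as a proxy-side check that counts a user's open sessions across NASes that cannot see each other), and Troy's request for per-realm min/max/average/95th-percentile port usage, which is computed from the same accounting records instead of rlm_counter. Assumptions: the accounting records, NAS names, user names and the LIMITS table are constructed for the example; LIMITS stands in for whatever database the "%{db: get Port-Limit}" expansion would read; the percentile is nearest-rank over samples taken every `step` seconds.

```python
"""Added example (not from the thread, not FreeRADIUS code): a proxy-side
Simultaneous-Use check driven by a per-realm limit the home server
returned, plus per-realm port-usage statistics, both derived from
accounting records.

Assumptions: ACCOUNTING and LIMITS are constructed; LIMITS stands in for
the database the users-file expansion %{db: get Port-Limit} would read.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str            # User-Name as the NAS sent it, e.g. "alice@isp-a.example"
    nas: str             # NAS-IP-Address / NAS-Identifier; NASes do not know about each other
    start: int           # Acct-Start time, seconds
    stop: Optional[int]  # Acct-Stop time, None while the session is still up


# Constructed accounting records standing in for the detail file / SQL table.
ACCOUNTING: List[Session] = [
    Session("alice@isp-a.example", "nas1", 0, 3600),
    Session("alice@isp-a.example", "nas2", 600, None),
    Session("bob@isp-b.example", "nas1", 0, None),
    Session("carol@isp-a.example", "nas2", 1200, 1800),
]

# Constructed: per-realm concurrent-login limit the home server handed back.
LIMITS: Dict[str, int] = {"isp-a.example": 2, "isp-b.example": 1}


def realm_of(user: str) -> Optional[str]:
    """Realm is whatever follows the last '@'; None for bare user names."""
    return user.rsplit("@", 1)[1] if "@" in user else None


def is_open(s: Session, t: int) -> bool:
    """A session counts at time t if it started at or before t and has not stopped by t."""
    return s.start <= t and (s.stop is None or s.stop > t)


def active_sessions(records: List[Session], user: str, now: int) -> List[Session]:
    return [s for s in records if s.user == user and is_open(s, now)]


def simultaneous_use_check(records: List[Session], user: str, now: int,
                           limits: Dict[str, int] = LIMITS) -> Tuple[bool, str]:
    """Accept/reject a new login for `user` against the realm's stored limit.
    Counting is across all NASes, which is why it is done on the RADIUS
    side: NAS-1 cannot see the session that is up on NAS-2."""
    limit = limits.get(realm_of(user) or "")
    if limit is None:
        return True, "no limit stored for this realm; not enforced"
    active = active_sessions(records, user, now)
    if len(active) >= limit:
        where = ",".join(sorted(s.nas for s in active))
        return False, f"{user}: {len(active)} session(s) already open on {where}, limit {limit}"
    return True, f"{user}: {len(active)} of {limit} sessions in use"


def concurrency_samples(records: List[Session], realm: str, horizon: int, step: int) -> List[int]:
    """Number of open sessions in `realm`, sampled every `step` seconds over [0, horizon)."""
    in_realm = [s for s in records if realm_of(s.user) == realm]
    return [sum(1 for s in in_realm if is_open(s, t)) for t in range(0, horizon, step)]


def realm_stats(records: List[Session], realm: str, horizon: int, step: int = 60) -> Dict[str, float]:
    """min/max/avg/95th percentile (nearest-rank) of ports in use for one realm."""
    samples = sorted(concurrency_samples(records, realm, horizon, step))
    if not samples:
        raise ValueError("no samples in the requested window")
    rank = math.ceil(0.95 * len(samples))  # nearest-rank 95th percentile, 1-based
    return {"min": samples[0], "max": samples[-1],
            "avg": sum(samples) / len(samples), "p95": samples[rank - 1]}


if __name__ == "__main__":
    for user in ("alice@isp-a.example", "bob@isp-b.example", "carol@isp-a.example", "dave"):
        ok, why = simultaneous_use_check(ACCOUNTING, user, now=900)
        print("Access-Accept" if ok else "Access-Reject", "-", why)
    for realm in LIMITS:
        print(realm, realm_stats(ACCOUNTING, realm, horizon=3600, step=600))
```

With the constructed records, alice is rejected at t=900 because her sessions on nas1 and nas2 together reach the isp-a limit of 2, bob is rejected because isp-b allows 1, carol is accepted, and a realm-less "dave" is not enforced at all; the billing statistics come out of the accounting records, not out of the limit the home server sent, which is Alan's point about tracking versus enforcing.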