Re: LEAP with iPAQ 5450, Cisco 340 Series AP, and freeradius
Michael Griego <[EMAIL PROTECTED]> wrote:
> I'll take a look at the patch that gets submitted, but technically, the
> HP client is correct per the RFCs. The EAP RFC simply says that the
> sequence number must be "different". Only the EAP-TLS RFC states that
> the sequence number must be numerically sequential.

  LEAP isn't in an RFC. And so far as RADIUS & EAP interaction, no EAP
variant other than LEAP sends an EAP "Request" packet to a RADIUS
server.

  LEAP is implemented the way it is because it interoperates with Cisco
clients, which behave in the expected way. HP does it differently... if
they're interoperable with Cisco ACS, then I guess we should make the
LEAP handling a little more forgiving.

> Hmm... as per above, this may need to be looked at... Non-TLS EAP types
> must be able to handle non-sequential sequences while the TLS-based EAP
> types must be sequential to be RFC-compliant.

  I haven't seen any interoperability problems until now, so I'm
hesitant to change the code.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius document
"Truong Manh Cuong" <[EMAIL PROTECTED]> wrote: > Where can I upload so that, some one can modify and add more to it. And > then all newbies can read? A web page? The only time code or documentation is included with the server is after it has been reviewed. I regularly get emails asking for write access to the source repository, so someone can add their favourite patch. The answer is always "No. Show me the patch first." Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius document
Hi all,

I see that there are so few documents about freeradius. I use the postgresql database and I have my own document for radius and the dialup_admin web interface. Where can I upload it so that someone can modify and add more to it, and then all newbies can read it?

The mailing list is a good way, but sometimes I see that there are some questions that newbies ask again and again, and you have to waste your time replying.

Thanks and Regards
Manh Cuong.
Re: LEAP with iPAQ 5450, Cisco 340 Series AP, and freeradius
> The State is OK. That's good. The EAP-Message starts off with
> "0x0100", which looks like the correct EAP packet type (1), but the
> wrong sequence number (0). The client SHOULD have responded with a
> sequence number of 4, I think. At least, that's what the Cisco
> clients do.

I'll take a look at the patch that gets submitted, but technically, the
HP client is correct per the RFCs. The EAP RFC simply says that the
sequence number must be "different". Only the EAP-TLS RFC states that
the sequence number must be numerically sequential.

> And the EAP module doesn't see a sequence number of 4, so it ignores
> the request.

Hmm... as per above, this may need to be looked at... Non-TLS EAP types
must be able to handle non-sequential sequences while the TLS-based EAP
types must be sequential to be RFC-compliant.

--
--Mike

--
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: LEAP with iPAQ 5450, Cisco 340 Series AP, and freeradius
Derek Orpen <[EMAIL PROTECTED]> wrote:
> In any case, I created a special build of freeradius that works with
> the HP client and was able to complete my testing. Thanks for pointing
> me in the right direction.

  That's what I'm here for. Can you post a patch, so others don't run
into the same issue?

  Alan DeKok.
Re: LEAP with iPAQ 5450, Cisco 340 Series AP, and freeradius
Thanks for taking the time to look at this, Alan. This is the LEAP client HP has available for download for the iPAQ 5450 on their website. Sounds like they should fix their client.

In any case, I created a special build of freeradius that works with the HP client and was able to complete my testing. Thanks for pointing me in the right direction.

- Derek

On 20-Feb-2004 22:17 Alan DeKok wrote:
| Derek Orpen <[EMAIL PROTECTED]> wrote:
| > The AP responds correctly to the first challenge sent by freeradius.
| > But freeradius doesn't seem to know what to do with the challenge
| > from the AP.
|
|   The AP isn't sending challenges...
|
| > Sending Access-Challenge of id 231 to 209.47.155.132:1255
| > EAP-Message = 0x03030004
| > Message-Authenticator = 0x
| > State = 0xa0c5f9550e7600ebdc8e2ea363823f9d
| > Finished request 22
|
|   Note the "0x0303" from the EAP-Message. It indicates EAP success,
| and a sequence number of 3.
|
| > rad_recv: Access-Request packet from host 209.47.155.132:1256, id=232,
| > length=179
|
| > State = 0xa0c5f9550e7600ebdc8e2ea363823f9d
| ...
| > EAP-Message = 0x01161101000889df7f1f20328e24646f7270656e
|
|   The State is OK. That's good. The EAP-Message starts off with
| "0x0100", which looks like the correct EAP packet type (1), but the
| wrong sequence number (0). The client SHOULD have responded with a
| sequence number of 4, I think. At least, that's what the Cisco
| clients do.
|
| > rlm_eap: Request not found in the list
| > rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
| > EAP-request
|
|   And the EAP module doesn't see a sequence number of 4, so it ignores
| the request.
|
|   It should be possible to fix the server to be a little more
| forgiving, but my first question is why does that LEAP client do
| something different from every other LEAP client...
|
|   Alan DeKok.
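As an added example (not code from the list thread or from FreeRADIUS), here is a small decoder for the EAP header inside an EAP-Message attribute, applying both identifier policies argued over in the thread: the strict previous+1 check the server applied to Cisco LEAP clients, and the "merely different" check that the EAP RFC is read as permitting. The 0x03030004 Success packet is the value from Alan's debug output; the two LEAP-style Request packets (EAP type 17, with a dummy 8-octet challenge) are constructed, one with identifier 0 as the HP client sent and one with identifier 4.

```python
# Added example for this thread (not code from the list posts or from
# FreeRADIUS): decode the EAP header carried in a RADIUS EAP-Message
# attribute and apply the two identifier policies argued over above.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Taken from Alan's debug output: EAP Success, identifier 3, length 4.
SERVER_SUCCESS = "0x03030004"
# Constructed LEAP-style Requests (EAP type 17, version 1, 8-octet
# challenge of dummy bytes): one with identifier 0 as the HP client sent,
# one with identifier 4 as the Cisco clients would.
HP_STYLE_REQUEST = "0x01000010" + "11010008" + "0102030405060708"
CISCO_STYLE_REQUEST = "0x01040010" + "11010008" + "0102030405060708"


def parse_eap_header(hexstr):
    """Return (code name, identifier, length) from an EAP-Message hex dump,
    rejecting unknown codes and a Length field that disagrees with the data."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 octets")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code %d" % code)
    if length != len(raw):
        raise ValueError("EAP Length %d != %d octets present" % (length, len(raw)))
    return EAP_CODES[code], ident, length


def accept_identifier(previous_id, new_id, strict=True):
    """Strict: the next identifier must be previous+1 (wrapping at 255), the
    behaviour the server expected from Cisco LEAP clients.  Lenient: it only
    has to differ from the previous one, the reading of the EAP RFC above."""
    if strict:
        return new_id == (previous_id + 1) % 256
    return new_id != previous_id


def check_follow_up(previous_hex, new_hex, strict=True):
    """Decide whether the packet following previous_hex would be matched."""
    _, prev_id, _ = parse_eap_header(previous_hex)
    _, new_id, _ = parse_eap_header(new_hex)
    return accept_identifier(prev_id, new_id, strict)


if __name__ == "__main__":
    for name, pkt in (("HP", HP_STYLE_REQUEST), ("Cisco", CISCO_STYLE_REQUEST)):
        print(name, parse_eap_header(pkt),
              "strict:", check_follow_up(SERVER_SUCCESS, pkt, True),
              "lenient:", check_follow_up(SERVER_SUCCESS, pkt, False))
```

The Length check matters in practice: a server that matches packets by identifier alone will happily queue a truncated or padded EAP frame, so validate the header before deciding whether the identifier is acceptable.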
Programmer needed to work on custom developments of freeradius
Hi,

I am sorry if this is the wrong place to post this message; however, we need someone who knows freeradius quite well to work on it for us. We need a programmer to customise a certain feature within FreeRadius+Mysql for us, and it would be appreciated if you please send me your details and past experience if you are interested in working on this matter. Preferably a freelancer is ideal for this temp work.

E-mail me and I will send you details of what needs to be done... A basic overview of the requested task is: "Radius Proxy" for a Calling Card database as well as "local database management" and filtering of attributes based on the local database before sending to the "remote server"...

Regards
Hamed Nik
Recommended required reading: "How To Ask Questions The Smart Way" howto
I will readily admit that it is perhaps a little heavy handed, and possibly even condescending, but I remind everyone of the existence of the "How To Ask Questions The Smart Way" howto.

http://www.catb.org/~esr/faqs/smart-questions.html

Since it also implicitly covers generic debugging techniques, the process of asking a "smart question" may very well solve your problem.
Re: Port limit & concurrency checks, wholesale accounting, and dealing with dead servers
"Troy Settle" <[EMAIL PROTECTED]> wrote: > I'm sorry, I thought this was why most radius servers now have > concurrency checking built in. Why would FreeRadius have something like > radcheck if not to enforce the total number of concurrent logins each > user is allowed to have? FreeRADIUS does this when configured, but it doesn't currently use Port-Limit to enforce that when home servers ask for limiting concurrent logins. > So, NAS-1 is supposed to know that [EMAIL PROTECTED] is logged in > on NAS-2 and not allow the connection? I don't know what equipment > you're using Alan, but my boxes (Lucent TNT) do not talk amongst > themselves from pop to pop. I understand. But can't the home server track and enforce simultaneous access? That makes a huge amount of more sense. Think of what happens when there are 4 POP providers doing proxying. A home server sends each "Port-Limit = 2" for a user, and now the user can login 8 times! The horror! It's not up to the proxying server to enforce concurrent logins for a home server. And Port-Limit is NOT the right attribute to use. >From the RFC's, Port-Limit: --- is intended for use in conjunction with Multilink PPP [12] or similar uses. --- I'm not sure that Multilink PPP works across multiple NASes. If it does, then there's some reason for a proxying server to remember and enforce Port-Limit. If it doesn't, then the proxying server should send the attribute back to the NAS, and forget about it. > The problem when you're a proxy server, is that you don't know how many > ports (logins) a particular user is allowed unless the home server sends > a radius attribute such as 'Port-Limit' in response to the > authentication request. Please explain why it's the responsibility of the proxy server to track this. Please explain how this works across multiple POP providers. It doesn't. Port-Limit isn't intended to limit concurrent access. > In this case, it shouldn't even be difficult. 
Freeradius already has > concurrency checks (awkwardly called simultaneous-use). I just need to > know how to enforce those checks based on information passed from the > home server. Put the Port-Limit into a database, and do: DEFAULT Realm = "port-limit-realm", Simultaneous-Use = `%{db: get Port-Limit}` Dynamic expansion of variables is a cool thing. > I also need to know how to track those limits so that I can > accurately bill the VISP for his customers that are allowed to use > multiple ports (multiple ports per login, or just multiple logins > per customer). You don't track the limits. You enforce the limits. Once you enforce the limits, you record user activity in your accounting logs. You then bill from those accounting logs. What the home server sent for Port-Limit is irrelevant, unless you're billing based on services the user *could* have used, but chose not to. In that case, you can bill them infinite amounts for providing no services... > Ok, at the end of the month, how does rlm_counter tell me the > min/max/average/95th-percentile for each realm? No, but it's a simple DB. There's a perl script to root through it. You can edit the script to do get such statistics. > I was thinking something more along the lines of a check item to > determine if the home server is dead or alive. That would be a good idea. Patches are welcome. > One person responded with the suggestion of a second entry in the > proxy.conf that points to an open server, which I do now. I was > hoping to be able to do this in a single server. Please read proxy.conf. There is a configuration entry which tells the server whether or not to fail over to a DEFAULT realm if all home servers are marked dead. That DEFAULT realm may be LOCAL, in which case it's handled locally... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_ippool: could not find Pool-Name attribute
Hello,

I always see this message, even when it's sending an accept message to the NAS.

I've found several help messages, but they are oriented to files, not to sql. How do I fix it in mysql?

HELP

Rogelio Alvarado Anchisi
Systems Engineer
Galaxy Communications Corp.
Tel. +507-2633021
Cel. +507-6744093
rlm_ippool
When users are logging in I see this error:

rlm_ippool: Could not find Pool-Name attribute

How do I set it up?

Rogelio Alvarado Anchisi
Systems Engineer
Galaxy Communications Corp.
Tel. +507-2633021
Cel. +507-6744093
RE: Port limit & concurrency checks, wholesale accounting, and dealing with dead servers
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Friday, February 20, 2004 3:25 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Port limit & concurrency checks, wholesale accounting, and
> dealing with dead servers
>
> "Troy Settle" <[EMAIL PROTECTED]> wrote:
> > I've searched a bit on this, but am coming up empty handed so far. Can
> > anyone point me in the right direction for enforcing port-limit as
> > passed by the home server?
>
> I don't think you're supposed to enforce it. The NAS is supposed to
> enforce it.

I'm sorry, I thought this was why most radius servers now have concurrency checking built in. Why would FreeRadius have something like radcheck if not to enforce the total number of concurrent logins each user is allowed to have?

So, NAS-1 is supposed to know that [EMAIL PROTECTED] is logged in on NAS-2 and not allow the connection? I don't know what equipment you're using Alan, but my boxes (Lucent TNT) do not talk amongst themselves from pop to pop.

The problem when you're a proxy server is that you don't know how many ports (logins) a particular user is allowed unless the home server sends a radius attribute such as 'Port-Limit' in response to the authentication request. If there's a mechanism in Freeradius for this, I've not yet seen it.

> > I've come to the conclusion that depending on my wholesale customers
> > to enforce concurrency limits is not getting me very far.
>
> It's difficult to solve political problems in software. Not
> impossible, just difficult.

In this case, it shouldn't even be difficult. Freeradius already has concurrency checks (awkwardly called simultaneous-use). I just need to know how to enforce those checks based on information passed from the home server. I also need to know how to track those limits so that I can accurately bill the VISP for his customers that are allowed to use multiple ports (multiple ports per login, or just multiple logins per customer).

> > Second, does anyone have any suggestions/scripts/whatever for tracking
> > port usage on a per-realm basis?
>
> Per-realm rlm_counter?

Ok, at the end of the month, how does rlm_counter tell me the min/max/average/95th-percentile for each realm? I was hoping for something more along the lines of a script written in whichever language that could parse out a detail file or SQL database for a given time period and report back. I could do this with MRTG or similar, but I'd rather not.

> > Finally, if a home server is marked as dead, is there a way I can get
> > Freeradius to go ahead and authenticate the caller under a special
> > profile?
>
> DEFAULT realm.

I was thinking something more along the lines of a check item to determine if the home server is dead or alive. One person responded with the suggestion of a second entry in the proxy.conf that points to an open server, which I do now. I was hoping to be able to do this in a single server.

--
Troy Settle
Pulaski Networks
http://www.psknet.com
866.477.5638