Ldap authorization - reject if not found

2004-04-19 Thread Alejandro Martínez Marcos
Hello,

I would like to authorize the user against LDAP, and if LDAP returns error
or not found set Auth-Type = Reject. What do I have to write in radiusd.conf
to get this?


I know that if no Auth-Type is set, the user will also be rejected, but
this is not enough for me, because my authorize module is like this:
authorize {
eap
ldap
}
Although the user is not present in ldap, the eap initialization is setting
Auth-Type = EAP!!

Thanks in advance

Alejandro Martínez Marcos


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Voip billing

2004-04-19 Thread Norguhtar
In the message of 19 April 2004 12:43, Roberto Pioli wrote:
> I'm beginning to test freeradius for voip billing with cisco 5300
> equipment; I'm going use the cisco_h323_db_schema-postgres.sql.
> There's a graphic interface like dialup_admin that can be used with this
> database?

Only self-made. I've seen one VoIP billing system, but this system works with
only logs ... :(



Re: [please help me]user collision

2004-04-19 Thread Milver S. Nisay



You can try enabling usercollide to yes and reload freeradius; however, follow
what is recommended.

  - Original Message -
  From: 俊宏
  To: [EMAIL PROTECTED]
  Sent: Monday, April 19, 2004 9:00 AM
  Subject: [please help me]user collision

  Hi All,

  I want to use the feature "usercollide", but there is a recommendation that
  "do not use this feature" and it "currently does not work with all
  modules".

  My goal is to build the freeradius with peap and users can use
  the same username with different password (without MySQL, use user files (text
  file)).

  The configuration in FreeRadius with PEAP is ok. But just do not know how
  to config other parameters to achieve the "usercollide" with
  "failover".

  Please help me to config radius.conf and user files to solve this
  problem.

  Thanks a lot..and forgive my poor English.. :)


  Kelvin


how to create check attribute dynamically?

2004-04-19 Thread Alexander Lunyov
Hello freeradius-users,

  I need to create a check attribute depending on how many seconds or
  octets a user has. Ideally, I would like to equate a reply attribute to a
  newly created check attribute, or to turn a reply attribute into a check
  attribute. I need this to differentiate users by their limits and give
  them IP addresses from different networks, so I can manage their
  connections with a firewall. I already posted this question here
  (subject "different pools for user with and without traffic"), but
  got no answers. All I need is to be able to write in the 'users' file
  something like this:

DEFAULT Check-Traffic-Limit <= 0, Pool-Name := "illegal_pool"


-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




Re[2]: how to create check attribute dynamically?

2004-04-19 Thread Alexander Lunyov
Hello Milver,

Monday, April 19, 2004, 1:30:05 PM, you wrote:

>>   I need to create a check attribute depending on how many seconds or
>>   octets a user has. Ideally, I would like to equate a reply attribute to a
>>   newly created check attribute, or to turn a reply attribute into a check
>>   attribute. I need this to differentiate users by their limits and give
>>   them IP addresses from different networks, so I can manage their
>>   connections with a firewall. I already posted this question here
>>   (subject "different pools for user with and without traffic"), but
>>   got no answers. All I need is to be able to write in the 'users' file
>>   something like this:
>>
>> DEFAULT Check-Traffic-Limit <= 0, Pool-Name := "illegal_pool"
>>
MSN> you might want to use groupings with your database, so the replies
MSN> sent depend on the user groups an account belongs to.
MSN> if an account belongs to subnet1, you could send them the group attributes
MSN> such as
MSN> a specific IP for them, traffic limit, framed-mtu, protocol, expiration,
MSN> compression and more...


 Well, it doesn't matter how it will work. Then I need to split
 users into two groups - one with some traffic left and another
 with zero or negative traffic value - and then give them different
 addresses from different pools according to the group names. But
 how can I do it dynamically? I mean, the value of traffic is
 calculated when the user logs in, so if he has no octets left, he
 must get an address from the 192.168.222.0/24 network, and if he has
 some octets left, he must get an address from the 192.168.111.0/24
 network. So, the main question is - where and what should I write
 to make this scheme work?



-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




Re: how to create check attribute dynamically?

2004-04-19 Thread Milver S. Nisay
>   I need to create a check attribute depending on how many seconds or
>   octets a user has. Ideally, I would like to equate a reply attribute to a
>   newly created check attribute, or to turn a reply attribute into a check
>   attribute. I need this to differentiate users by their limits and give
>   them IP addresses from different networks, so I can manage their
>   connections with a firewall. I already posted this question here
>   (subject "different pools for user with and without traffic"), but
>   got no answers. All I need is to be able to write in the 'users' file
>   something like this:
>
> DEFAULT Check-Traffic-Limit <= 0, Pool-Name := "illegal_pool"
>
you might want to use groupings with your database, so the replies
sent depend on the user groups an account belongs to.
if an account belongs to subnet1, you could send them the group attributes
such as
a specific IP for them, traffic limit, framed-mtu, protocol, expiration,
compression and more...






Accessing/using the EAP identifier field

2004-04-19 Thread Aurelien Magniez
Hi,

In short, this mail is about EAP methods
accessing/using the EAP identifier field.

In details, after reading the Packet modification
attacks paragraph in the RFC 2284bis ("It is
RECOMMENDED that methods providing integrity
protection of EAP packets include coverage of all the
EAP header fields, including the Code, Identifier,
Length, Type and Type-Data fields."), I wondered how
the EAP Identifier field was managed under FreeRADIUS.

Indeed, I'm working on a pre-shared key EAP method and
I would like to protect the EAP header thanks to a MAC
calculated by my method. To do so, my method needs to
know the value of the EAP Identifier field of the EAP
request packet it will be sent in.

I see basically three ways to do so:

1) RADIUS tells the EAP method the value of the EAP
Identifier field of the EAP request packet it will
send. Pros: simple and logical. Cons: I don't see any,
apart from that this is not the way it works under
Freeradius.

2) The EAP method guesses the value of the EAP
Identifier field of the EAP request packet it will
send. Pros: this is the easiest tweak I have found to
make things work under Freeradius (details given
below). Cons: this is not portable, and if Freeradius
changes its behavior my method will make the wrong
guesses.

3) The EAP method is allowed to choose the value of
the EAP Identifier field of the EAP request packet it
will be sent in. Pros: it works and is portable. Cons:
the EAP method has to make sure the identifier it
chooses does not collide with the previous identifier...

I made some investigations before coming to solution
#2. After testing the id field in the EAP_PACKET
structure (defined in eap_types.h), it appeared that
this field didn't match the EAP identifier which
was in the sent EAP request (precluding solution #3).

I did not find how to have solution #1 work under
Freeradius. Solution #2 works out fine since
Freeradius seems to calculate the value of the EAP
Identifier field of the EAP request packet it will
send by incrementing the previous one by one.
Practically, in a WLAN scenario, the first EAP message
received by Freeradius is generally an EAP
Response/Identity sent by the AP. Thus the AP dictates
the initial value FreeRADIUS increments later on. This
behavior of Freeradius, though allowed, is however not
the one recommended by RFC 2284bis: "The value of the
EAP Identifier field of the EAP request packet it will
send. One way to achieve this is to start the
Identifier at an initial value and increment it for
each new Request. Initializing the first Identifier
with a random number rather than starting from zero is
recommended, since it makes sequence attacks somewhat
harder."

Any feedback is of course most welcome.

Aurélien







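An added example (not the poster's method and not FreeRADIUS code) of the header coverage the RFC text above asks for: the MAC over an EAP Request is computed over Code, Identifier, Length, Type and the payload, so the method must know the Identifier before it can build the packet, and a peer detects any change to the header. The Type value 255 (Experimental use), the HMAC-SHA1 choice and the "payload || MAC" layout are assumptions for a hypothetical pre-shared-key method.

```python
"""EAP Request with integrity protection covering the whole EAP header.

Added example for the RFC 2284bis recommendation quoted in the post; the
method layout (Type 255, payload followed by a 20-byte HMAC-SHA1) is a
constructed stand-in for the poster's pre-shared-key method.
"""
import hashlib
import hmac
import secrets
import struct

EAP_REQUEST = 1          # EAP Code field: Request
EAP_TYPE_EXPERIMENTAL = 255  # RFC 3748 reserves 255 for experimental use
MAC_LEN = 20             # full HMAC-SHA1 output (assumed method layout)


def build_request(identifier, eap_type, payload, key):
    """Return Code|Identifier|Length|Type|payload|MAC.

    The MAC covers every byte before it, including the Identifier, which is
    why the method has to know the Identifier when it builds the packet.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is one octet")
    length = 4 + 1 + len(payload) + MAC_LEN
    header = struct.pack("!BBHB", EAP_REQUEST, identifier, length, eap_type)
    mac = hmac.new(key, header + payload, hashlib.sha1).digest()
    return header + payload + mac


def verify_request(packet, key):
    """Peer side: return (identifier, payload) if the header and MAC check out, else None."""
    if len(packet) < 5 + MAC_LEN:
        return None
    code, identifier, length, _eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_REQUEST or length != len(packet):
        return None
    covered, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    expected = hmac.new(key, covered, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return identifier, covered[5:]


def next_identifier(previous):
    """The increment-by-one behaviour the post observed; wraps at one octet."""
    return (previous + 1) & 0xFF


def initial_identifier():
    """The RFC's recommendation: start the sequence at a random one-octet value."""
    return secrets.randbelow(256)


if __name__ == "__main__":
    psk = b"constructed-psk"                     # constructed sample key
    ident = next_identifier(initial_identifier())
    req = build_request(ident, EAP_TYPE_EXPERIMENTAL, b"hello", psk)
    print(verify_request(req, psk))              # (ident, b'hello')
    # A modified Identifier is caught because the MAC covers the header.
    bad = req[:1] + bytes([req[1] ^ 1]) + req[2:]
    print(verify_request(bad, psk))              # None
```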


Re: Ldap authorization - reject if not found

2004-04-19 Thread Alan DeKok
Alejandro Martínez Marcos <[EMAIL PROTECTED]> wrote:
>   I would like to authorize the user against LDAP, and if LDAP
> returns error or not found set Auth-Type = Reject. What do I
> have to write in radiusd.conf to get this?

  Nothing.

>   I know that if no Auth-Type is set, the user will also be rejected, but
> this is not enough for me, because my authorize module is like this:
>   authorize {
>   eap
>   ldap
>   }
>   Although the user is not present in ldap, the eap initialization is
> setting Auth-Type = EAP!!

  The EAP module doesn't supply a password, but it needs one to do
EAP.  So if the LDAP module doesn't supply one either, EAP
authentication will fail.

  "Auth-Type = EAP" says to TRY to authenticate the user via EAP.  If
there's no password, that authentication will fail.

  Alan DeKok.



Freeradius setting on Aironet 1100 AP

2004-04-19 Thread Aoun Shah

Hi,

I would like to configure my aironet 1100 AP for 802.1x. I want to know how to set up the AP to forward incoming packets to the Radius server, precisely how to inform the AP about the Radius server and the secret key, as well as how to enable EAP on the AP.

Regards,
Aoun.
University of Stuttgart.
[EMAIL PROTECTED] wrote:

Today's Topics:
1. Re: FreeRadius, MySQL, and custom attributes (Alan DeKok)
2. Re: FreeRadius, MySQL, and custom attributes (Alan DeKok)
3. [please help me]user collision (俊宏)
4. Re: Freeradius-Users digest, Vol 1 #3119 - 15 msgs (Herbert)

--__--__--

Message: 1
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: FreeRadius, MySQL, and custom attributes
Date: Sun, 18 Apr 2004 18:53:23 -0400
Reply-To: [EMAIL PROTECTED]

"stenmark " <[EMAIL PROTECTED]> wrote:
> I did not know how to put a vendor attribute into the reply (and
> obviously you just use the radreply table and the
> authorize_reply_query does the trick).

  The only difference between vendor attributes and standard
attributes is the "dictionary" files. For everything else in the
server, all attributes are treated identically.

> I did not understand how to put the attributes into the reply. I
> did not mean to try and make a new custom query (I was thinking that
> this one I was adding was going to be recognized because of the
> information located on a website).

  You were asking questions about why your solution didn't work. You
should have been describing what you wanted.

> I was trying to use this page to help me set this up; and someone had also given me a link to this page saying this is what I should do.
> http://mail.gnu.org/archive/html/help-gnu-radius/2004-02/msg00038.html

  Ah. You were trying to follow directions for another piece of
software.

  FreeRADIUS is not GNU Radius. They are very different.

> I wasn't sure if this website was right or not (since it said
> gnu-radius), but since someone else (two people actually) had told
> me this is what I should use, that led me to believe this website
> was correct. I now know that it is not correct.

  Exactly. It's not correct.

> To conclude, I now have figured it out (mainly with Alan DeKok,
> Craig Green's), and it all makes sense (as I look back at the trouble
> I was having and look at the answer, the word "DUH!" comes to mind)

  Nice to hear you've solved your problems. Next time, describe what
you want, rather than what you think the server should be doing. You
should get to a solution much more quickly then.

  Alan DeKok.

--__--__--

Message: 2
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: FreeRadius, MySQL, and custom attributes
Date: Sun, 18 Apr 2004 18:56:10 -0400
Reply-To: [EMAIL PROTECTED]

"Bob Ross" <[EMAIL PROTECTED]> wrote:
> The big difference I asked almost the exact same help, and received no
> replies except if I wanted to get help to get mine working it was going to
> cost 3 books and shipping cost over seas. Or reference to the web site.

  Try asking *different* questions. Maybe no one understood you.

  Be persistent, but don't post the *same* questions again. If no one
answered the first time, odds are no one will answer a re-post.

  Make your questions descriptive. If people have to spend 10 minutes
trying to figure out what you mean, or what you're doing, they're not
going to respond.

  This isn't to say those were your mistakes. But the majority of
questions I ignore are ones where I can't even begin to figure out
what people are doing. I could go back and forth asking them to
explain themselves, or I could just delete their message, and answer a
message where someone else *did* explain what they were doing.

  Alan DeKok.

Re: [please help me]user collision

2004-04-19 Thread Michael Griego
On Mon, 2004-04-19 at 03:00, 俊宏 wrote:
 
> The configuration in FreeRadius with PEAP is ok. But just do not know
> how to config other parameters to achieve the "usercollide" with
> "failover".

User collision is not possible with PEAP/EAP-MSCHAPv2 as user collision
processing takes place in the authorize section, and the authorize
section of the EAP-MSCHAPv2 module (where it would need to be processed)
currently does not support user collision.

-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Re: Freeradius setting on Aironet 1100 AP

2004-04-19 Thread Artur Hecker
this is imho not a help service for cisco hardware. however, i'm sure 
that by opening a web browser and connecting to your AP 1100 address you 
will find all the answers you need, quasi automagically. just read the 
web pages of the ap, it is self-explanatory.

ciao
artur


Aoun Shah wrote:

Hi,

I would like to configure my aironet 1100 AP for 802.1x. I want to know
how to set up the AP to forward incoming packets to the Radius server,
precisely how to inform the AP about the Radius server and the secret
key, as well as how to enable EAP on the AP.

Regards,
Aoun.
University of Stuttgart.




LDAP Module- Help

2004-04-19 Thread John Hottel


I am new to this list, so please correct me if I am not formatting this email correctly.

I have FreeRadius 0.9.3. It is running on redhat 7.2. LDAP is authenticating against Novell Edir. It works beautifully. I have an issue though with multiple objects in the directory with the same name, but in different contexts and of different object classes. What I am asking is how I can modify the LDAP filter from ' filter = "(Dsname=%{User-Name})" ' to one that would make it search for Dsname only within objects with the class of "person"? Any help is greatly appreciated.

Thanks,

John F. Hottel
Systems Integrator
National Wildlife Federation
703.438.6372
[EMAIL PROTECTED]

proxying request

2004-04-19 Thread Barry
Hi All

I've got a Freeradius 0.9.3 server proxying requests to a Cistron server.

The problem I'm having is that the ip address of the NAS is used when
allowing the request. The NAS is on ADSL with a changing IP address.

Is it possible to have the freeradius server's ip making the request (in a
NAT sort of way)?

I've opened the entire ADSL range for my server but the Cistron admin won't.

Thanks

Barry










Re: LDAP Module- Help

2004-04-19 Thread Kostas Kalevras
On Mon, 19 Apr 2004, John Hottel wrote:

> I am new to this list, so please correct me if I am not formatting this
> email correctly.
>
> I have FreeRadius 0.9.3. It is running on redhat 7.2. LDAP is
> authenticating against Novell Edir. It works beautifully. I have an
> issue though with multiple objects in the directory with the same name,
> but in different contexts and of different object classes. What I am
> asking is how I can modify the LDAP filter from ' filter =
> "(Dsname=%{User-Name})" ' to one that would make it search for Dsname
> only within objects with the class of "person"? Any help is greatly
> appreciated.

"(&(Dsname=%{User-Name})(objectclass=person))"

Though this is not a freeradius question!

>
> Thanks,
>
> John F. Hottel
> Systems Integrator
> National Wildlife Federation
> 703.438.6372
> [EMAIL PROTECTED]
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

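An added example (not rlm_ldap code) that builds the AND filter from the reply above, with the value substituted for %{User-Name} escaped per RFC 4515 so that a login name containing filter metacharacters stays a single value match; the attribute name Dsname and the person object class come from the thread, the sample names are constructed.

```python
"""Compose the rlm_ldap-style search filter from the reply, with RFC 4515 escaping.

Added example, not FreeRADIUS code. The check a practitioner would add is that
whatever fills %{User-Name} is escaped before it is spliced into the filter,
so the filter structure cannot be altered by the submitted name.
"""

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a raw attribute value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def person_filter(user_name, name_attr="Dsname"):
    """Return the filter from the reply: name match restricted to objectclass person.

    user_name stands for the value rlm_ldap substitutes for %{User-Name}.
    """
    return "(&({}={})(objectclass=person))".format(name_attr, escape_filter_value(user_name))


if __name__ == "__main__":
    print(person_filter("jhottel"))          # constructed sample name
    # Metacharacters in the name are escaped, not interpreted.
    print(person_filter("a*b(c)"))
```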


Problem with Ascend Auth

2004-04-19 Thread Philipp Steinkrueger
Hi all,


I have a strange problem with an Ascend. Probably this
is not freeradius' fault, but anyway, perhaps someone
is familiar with this type of problem.

I am running freeradius 0.9.1 with mysql support. All
dial-ins to the Ascend are denied with an "Auth: Login incorrect"
message. Here is what the log looks like:

Mon Apr 19 16:38:22 2004 : Auth: Login incorrect: 
[account-name1/\263\350>\027\271\240\365] (from client rade port 0)
Mon Apr 19 16:38:27 2004 : Auth: Login incorrect: [account-name2/\034y]?
\341\207\371] (from client rade port 0)
Mon Apr 19 16:38:27 2004 : Auth: Login incorrect: [account-name3/Ib1QG\200h] 
(from client rade port 0)


I think the password is garbage. I have a few other NASes running and their
password is in cleartext. Any ideas what's the cause of that garbage?!


Regards,
Philipp





Re: Cisco-AVPair & cisco_vsa_hack()

2004-04-19 Thread Pascal Polleunus
Hi,

As Alan DeKok advised us, we upgraded to the latest CVS snapshot on 
17/04/2004... and now it's working fine, thanks :-)

Pascal Polleunus wrote:
Hi,

We are trying to do VoIP accounting using Cisco equipment but we've 
problems with the attribute "Cisco-AVPair".

We've defined "with_cisco_vsa_hack = yes", and it works for other 
Cisco VSAs.

In rlm_preprocess.c, in cisco_vsa_hack(), I found:
  /*
   *  Cisco-AVPair's get packed as:
   *
   *  Cisco-AVPair = "h323-foo-bar = baz"
   *
   *  which makes sense only if you're a lunatic.
   *  This code looks for the attribute named inside
   *  of the string, and if it exists, adds it as a new
   *  attribute.
   */
Does that mean that %{h323-foo-bar} will be available (if defined 
in a dictionary)?

So if we receive the following:
  Cisco-AVPair = "h323-incoming-conf-id=..."
  Cisco-AVPair = "gw-rxd-cdn=ton:0,npi:1,#:0123456789"
  Cisco-AVPair = "in-carrier-id=1"
%{h323-incoming-conf-id}, %{gw-rxd-cdn} and %{in-carrier-id} should be 
available, right?

h323-incoming-conf-id is already defined in dictionary.cisco, so we 
didn't redefine it, but for the others, we've defined a dictionary 
containing the following entries:
ATTRIBUTE  in-carrier-id   224  string  Cisco
ATTRIBUTE  out-carrier-id  225  string  Cisco
ATTRIBUTE  gw-rxd-cdn  226  string  Cisco

And we tried also with the following entries instead:
VALUE   Cisco-AVPair    in-carrier-id   224
VALUE   Cisco-AVPair    out-carrier-id  225
VALUE   Cisco-AVPair    gw-rxd-cdn      226
But, %{Cisco-AVPair} contains only the first attribute received 
("h323-incoming-conf-id=...") and %{gw-rxd-cdn} and %{in-carrier-id} 
contain nothing.

Does someone know how to solve that?

Thanks for your help,
Pascal Polleunus


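An added model (not the rlm_preprocess source) of what the cisco_vsa_hack() comment quoted above describes: each Cisco-AVPair string is split at its first '=', and if the name on the left is a known dictionary attribute a new pair of that name is added next to the original. The attribute names and numbers are the thread's dictionary entries; the request pairs are constructed, and the number given to h323-incoming-conf-id is a placeholder since the page does not list it.

```python
"""Model of cisco_vsa_hack(): unpack "name=value" Cisco-AVPair strings into named attributes.

Added example, not FreeRADIUS code. It shows why %{gw-rxd-cdn} can only expand
once the name is known to the dictionary: the hack only adds pairs whose name
resolves, and leaves the original Cisco-AVPair pairs in place.
"""
import re
from dataclasses import dataclass

# ATTRIBUTE entries from the thread's dictionary (name -> number).
# The number for h323-incoming-conf-id is a placeholder; it is defined in
# dictionary.cisco but its value is not on the page.
DICTIONARY = {
    "h323-incoming-conf-id": 0,   # placeholder number
    "in-carrier-id": 224,
    "out-carrier-id": 225,
    "gw-rxd-cdn": 226,
}

# "h323-foo-bar = baz" and "h323-foo-bar=baz" both split at the first '='.
_AVPAIR_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*)$")


@dataclass
class Pair:
    name: str
    value: str


def cisco_vsa_hack(pairs, dictionary=DICTIONARY):
    """Return the request with one extra pair per Cisco-AVPair naming a known attribute."""
    out = list(pairs)
    for p in pairs:
        if p.name != "Cisco-AVPair":
            continue
        m = _AVPAIR_RE.match(p.value)
        if not m:
            continue                      # no '=' inside: nothing to unpack
        name, value = m.group(1), m.group(2)
        if name in dictionary:            # only names the dictionary resolves
            out.append(Pair(name, value))
    return out


def expand(request, name):
    """What %{name} sees: the first pair with that name, or "" when absent."""
    for p in request:
        if p.name == name:
            return p.value
    return ""


if __name__ == "__main__":
    # Constructed request resembling the one in the thread.
    request = [
        Pair("Cisco-AVPair", "h323-incoming-conf-id=ABCD1234"),
        Pair("Cisco-AVPair", "gw-rxd-cdn=ton:0,npi:1,#:0123456789"),
        Pair("Cisco-AVPair", "in-carrier-id=1"),
    ]
    processed = cisco_vsa_hack(request)
    for attr in ("h323-incoming-conf-id", "gw-rxd-cdn", "in-carrier-id", "Cisco-AVPair"):
        print(attr, "->", expand(processed, attr))
```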


Re: We are willing to pay to get support on this (Was: Cisco-AVPair & cisco_vsa_hack())

2004-04-19 Thread Guy Fraser
Jerome Warnier wrote:
...snip...
There is also a crontab file in this directory, which uses most of the
other scripts there, but needs fixing before being (optionally) put into
/etc/cron.d. This file needs fixing anyway, because it currently points
to /usr/local/...
Did not use any yet, so you are probably right. Maybe a debconf question
would be useful (setup crontab for accounting or not)?
Don't forget it just applies to Dialup Admin, which many people won't
probably bother installing anyway.
The default install directory for dialup admin is /usr/local/...

If you are installing in other locations, then write a "sed" script to 
update the
command locations.

--
Guy Fraser






How to add attributes at post proxy stage ?

2004-04-19 Thread Holger Steppke

Hi,

I'm moving away from Cistron and now have an issue with the different
behavior both servers have. Cistron calls users twice: once at the time of sending the
request and a second time when the answer from the home server is received.
You could then match there based on realms, usernames and wildcards,
which is very nice to add attributes to some realm or user.

Now I need the same function with Freeradius. Well, I think a
"post_proxy_authorize = yes"
would do and my users file is parsed again.

Is there a better way of doing it in freeradius?!
I just like to add some attributes before sending the ACK further to the NAS;
the filter module can only match on realms and not usernames so that's not an
option as far as I can see.


bye
Holger







Compile freeradius in C++

2004-04-19 Thread [EMAIL PROTECTED]
Hello,
Does anyone know how I could compile freeradius in C++ using g++ instead of 
gcc?
I am not very familiar with the underlying configure mechanism; all I know 
is to type 'configure' and then 'make' ...

Many thanks.



Vendor-Specific, radclient ?

2004-04-19 Thread Johan
Hello, I'm new, have read the archives, the FAQ but still can not get this
right:

I want to set up a freeradius server to use for testing a new (Vendor ID
CableLabs = 4491) set of "Vendor-Specific" attributes.

With the radclient I can make "normal" requests and all is fine ( I get
replies, I can see the RADIUS msgs in ethereal)

1) What do I put instead of "foo":  Vendor-Specific = "foo"
(How do I get the Vendor ID in there, and the vendor specific data?)

2) I suspect I somehow use dictionaries. If so can someone please give me
an example of how to use one of the existing vendor specific dictionaries,
and how to add my own dictionary once I get a grip on how to use them.

3) I have run the server code in gdb and noticed there is some special
case handling of Vendor-Specific data, do I need to alter the code for
"my" vendor specific data?

I'm using 0.9.3 on redhat.
The thing is pretty cool,
thanks,
-Johan




Re: Compile freeradius in C++

2004-04-19 Thread Alan DeKok
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> Does anyone know how I could compile freeradius in C++ using g++ instead of 
> gcc ?

  Why?  There's no C++ code in FreeRADIUS, so there's no point in
using a C++ compiler.

> I am not very familiar with the underlying configure mechanism , all i know 
> is to type 'configure' an then 'make' ...

  Then you're definitely not going to want to use a C++ compiler.

  Alan DeKok.



Re: How to add attributes at post proxy stage ?

2004-04-19 Thread Alan DeKok
"Holger Steppke" <[EMAIL PROTECTED]> wrote:
> Now I need the same function with Freeradius. Well, I think a
> "post_proxy_authorize = yes"
> would do and my users file is parsed again.

  Yes.  That's what it's there for.

> Is there a better way of doing it in freeradius ?!

  That depends on what you want.  You described your current
implementation, which is less important than your end goals.

> I just like to add some attributes before sending the ACK further to the NAS;
> the filter module can only match on realms and not usernames so that's not an
> option as far as I can see.

  For now, that's the simplest way to do it.

  Alan DeKok.



Re: Problem with Ascend Auth

2004-04-19 Thread Alan DeKok
Philipp Steinkrueger <[EMAIL PROTECTED]> wrote:
> Mon Apr 19 16:38:22 2004 : Auth: Login incorrect: 
> [account-name1/\263\350>\027\271\240\365] (from client rade port 0)
> Mon Apr 19 16:38:27 2004 : Auth: Login incorrect: [account-name2/\034y]?
> \341\207\371] (from client rade port 0)

  The shared secret is wrong.  See the FAQ.

> I think the password is garbage. I have a few other NASes running and their
> password is in cleartext. Any ideas what's the cause of that garbage?!

  It's in the FAQ.

  Alan DeKok.

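An added example (not FreeRADIUS code) of the RFC 2865 User-Password hiding behind the answer above: the server recovers the password by XORing the received octets with MD5(shared secret + Request Authenticator), so a mismatched secret does not fail loudly, it yields random-looking bytes, which radiusd then logs as the octal escapes seen in Philipp's log. Secret, authenticator and password below are constructed.

```python
"""RFC 2865 section 5.2 User-Password hiding, shown from both ends.

Added example, not FreeRADIUS code. hide_password() is what the NAS does,
unhide_password() what the server does; run the latter with a wrong shared
secret and the "password" becomes garbage, which is the failure mode the
thread describes.
"""
import hashlib


def _xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """NAS side: pad to a multiple of 16 and chain-XOR with MD5 blocks.

    b1 = MD5(S + RA), c1 = p1 ^ b1; b_n = MD5(S + c_(n-1)), c_n = p_n ^ b_n.
    """
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = _xor16(padded[i:i + 16], block)
        out += cipher
        prev = cipher
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Server side: same chain in reverse, then strip the NUL padding.

    Nothing here can tell a wrong secret from a right one; the caller only
    sees a password that does not match, hence "Login incorrect".
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += _xor16(hidden[i:i + 16], block)
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def log_form(raw):
    """Render bytes the way the radiusd log does: printable ASCII as-is, others as \\ooo."""
    return "".join(chr(b) if 32 <= b < 127 else "\\%03o" % b for b in raw)


if __name__ == "__main__":
    secret = b"constructed-secret"          # constructed shared secret
    authenticator = bytes(range(16))        # constructed Request Authenticator
    wire = hide_password(b"correct-horse", secret, authenticator)
    print("right secret:", log_form(unhide_password(wire, secret, authenticator)))
    print("wrong secret:", log_form(unhide_password(wire, b"other-secret", authenticator)))
```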


Re: Vendor-Specific, radclient ?

2004-04-19 Thread Alan DeKok
Johan <[EMAIL PROTECTED]> wrote:
> 1) What do I put instead of "foo":  Vendor-Specific = "foo"
> (How do I get the Vendor ID in there, and the vendor specific data?)

  Nothing.

> 2) I suspect I somehow use dictionaries. If so can someone please give me
> an example of how to use one of the existing vendor specific dictionaries,
> and how to add my own dictionary once I get a grip on how to use them.

  "man dictionary"

  See "dictionary.juniper" for a simple example.

> 3) I have run the server code in gdb and noticed there is some special
> case handling of Vendor-Specific data, do I need to alter the code for
> "my" vendor specific data?

  No.

> I'm using 0.9.3 on redhat.
> The thing is pretty cool,

  Nice to hear.  Thanks.

  Alan DeKok.



Re: Compile freeradius in C++

2004-04-19 Thread [EMAIL PROTECTED]
At 11:41 19/04/2004, you wrote:
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> Does anyone know how I could compile freeradius in C++ using g++ 
instead of
> gcc ?

  Why?  There's no C++ code in FreeRADIUS, so there's no point in
using a C++ compiler.


I am writing a module that needs to use C++ files that I wish I did not need 
to rewrite...


> I am not very familiar with the underlying configure mechanism , all i 
know
> is to type 'configure' an then 'make' ...

 Then you're definitely not going to want to use a C++ compiler.

  Alan DeKok.





Re: We are willing to pay to get support on this (Was: Cisco-AVPair & cisco_vsa_hack())

2004-04-19 Thread Jerome Warnier
On Mon, 2004-04-19 at 17:13, Guy Fraser wrote:
> Jerome Warnier wrote:
> ...snip...
> 
> >There is also a crontab file in this directory, which uses most of the
> >other scripts there, but needs fixing before being (optionally) put into
> >/etc/cron.d. This file needs fixing anyway, because it currently points
> >to /usr/local/...
> >Did not use any yet, so you are probably right. Maybe a debconf question
> >would be useful (setup crontab for accounting or not)?
> >Don't forget it just applies to Dialup Admin, which many people won't
> >probably bother installing anyway.
> >
> The default install directory for dialup admin is /usr/local/...
> 
> If you are installing in other locations, then write a "sed" script to 
> update the
> command locations.
I know, we were discussing the Debian package, which installs by
default into /usr, not /usr/local.
Anyway, don't mind if you do not use the current Debian packages.




Ports mismatch between config and debug messages

2004-04-19 Thread Pascal Polleunus
Hi,

Running freeradius -x, we get the following:
...
Listening on authentication x.x.x.x:1812
Listening on accounting x.x.x.x:1813
Ready to process requests.
rad_recv: Accounting-Request packet from host y.y.y.y:1646, id=84,
length=461
...
Sending Accounting-Response of id 84 to y.y.y.y:1646

In radiusd.conf:
port = 1812

In /etc/services:
datametrics 1645/tcp    old-radius
datametrics 1645/udp    old-radius
sa-msg-port 1646/tcp    old-radacct
sa-msg-port 1646/udp    old-radacct
radius      1812/tcp
radius      1812/udp
radius-acct 1813/tcp    radacct # Radius Accounting
radius-acct 1813/udp    radacct

What's wrong, our config or is it just the output?

Regards,
Pascal




Multiple Tagged Attributes

2004-04-19 Thread Holger Steppke
Hi,

I think I already wrote on this list that I am migrating from cistron to
freeradius 0.9.3, so here I found another point I'd like to highlight.

It is subject to discussion. Maybe it's wanted that way, I don't know.

Basically, adding multiple attributes with the same name does work with +=;
adding an attribute only if it's not there will work with =. That's my
understanding.

If I now like to add multiple tagged attributes with the same name I need to use
+=.
I believe freeradius does not distinguish different tags as different
attributes.

From my point of view it should do that, as Attribute:1 isn't the same as
Attribute:2.

So e.g. Tunnel-Endpoint:1 isn't the same as Tunnel-Endpoint:2. Well, the name is
the same but not the tag.


What's your view on this?

Bye
Holger







Re: Ports mismatch between config and debug messages

2004-04-19 Thread Frédéric EVRARD
> Hi,
>
> Running freeradius -x, we get the following:
> ...
> Listening on authentication x.x.x.x:1812
> Listening on accounting x.x.x.x:1813
> Ready to process requests.
> rad_recv: Accounting-Request packet from host y.y.y.y:1646, id=84,
> length=461
> ...
> Sending Accounting-Response of id 84 to y.y.y.y:1646
>
>
> In radiusd.conf:
> port = 1812
>
> In /etc/services:
> datametrics 1645/tcp old-radius
> datametrics 1645/udp old-radius
> sa-msg-port 1646/tcp old-radacct
> sa-msg-port 1646/udp old-radacct
>
> radius  1812/tcp
> radius  1812/udp
> radius-acct 1813/tcp radacct # Radius Accounting
> radius-acct 1813/udp radacct
>
>
> What's wrong, our config or is it just the output?
>
>
> Regards,
> Pascal


If I have understood the doc about radiusd.conf, if you write port=1812,
FreeRADIUS doesn't use /etc/services; try leaving the default value "port=0",
then FreeRADIUS will read /etc/services. Maybe that could help you.

Fred



Re: Ports mismatch between config and debug messages

2004-04-19 Thread Alan DeKok
Pascal Polleunus <[EMAIL PROTECTED]> wrote:
> What's wrong, our config or is it just the output?

  There's nothing wrong.  The server is doing exactly what you're
telling it to do, and is doing exactly the right thing.

  You're getting confused about the port the client is sending the
packet *from*.  FreeRADIUS can't control that port, and that port is
essentially meaningless.

  Alan DeKok.




Re: Ports mismatch between config and debug messages

2004-04-19 Thread Frédéric EVRARD
>> Hi,
>>
>> Running freeradius -x, we get the following:
>> ...
>> Listening on authentication x.x.x.x:1812
>> Listening on accounting x.x.x.x:1813
>> Ready to process requests.
>> rad_recv: Accounting-Request packet from host y.y.y.y:1646, id=84,
>> length=461
>> ...
>> Sending Accounting-Response of id 84 to y.y.y.y:1646
>>
>>
>> In radiusd.conf:
>> port = 1812
>>
>> In /etc/services:
>> datametrics 1645/tcp old-radius
>> datametrics 1645/udp old-radius
>> sa-msg-port 1646/tcp old-radacct
>> sa-msg-port 1646/udp old-radacct
>>
>> radius  1812/tcp
>> radius  1812/udp
>> radius-acct 1813/tcp radacct # Radius Accounting
>> radius-acct 1813/udp radacct
>>
>>
>> What's wrong, our config or is it just the output?
>>
>>
>> Regards,
>> Pascal
>
>
> If I have understood the doc about radiusd.conf, if you write port=1812,
> FreeRADIUS doesn't use /etc/services; try leaving the default value "port=0",
> then FreeRADIUS will read /etc/services. Maybe that could help you.
>
> Fred
>
I'll add something to my answer: your NAS uses the old port to talk to
RADIUS (1645), and your RADIUS uses the new one (1812). Configure your RADIUS and
your NAS to talk on the same port.





Re: Ports mismatch between config and debug messages

2004-04-19 Thread Pascal Polleunus
Frédéric EVRARD wrote:

>> Hi,
>>
>> Running freeradius -x, we get the following:
>> ...
>> Listening on authentication x.x.x.x:1812
>> Listening on accounting x.x.x.x:1813
>> Ready to process requests.
>> rad_recv: Accounting-Request packet from host y.y.y.y:1646, id=84,
>> length=461
>> ...
>> Sending Accounting-Response of id 84 to y.y.y.y:1646
>>
>> In radiusd.conf:
>> port = 1812
>>
>> In /etc/services:
>> datametrics 1645/tcp old-radius
>> datametrics 1645/udp old-radius
>> sa-msg-port 1646/tcp old-radacct
>> sa-msg-port 1646/udp old-radacct
>>
>> radius  1812/tcp
>> radius  1812/udp
>> radius-acct 1813/tcp radacct # Radius Accounting
>> radius-acct 1813/udp radacct
>>
>> What's wrong, our config or is it just the output?
>>
>> Regards,
>> Pascal
>
> If I have understood the doc about radiusd.conf, if you write port=1812,
> FreeRADIUS doesn't use /etc/services; try leaving the default value "port=0",
> then FreeRADIUS will read /etc/services. Maybe that could help you.
>
> Fred
>
> I'll add something to my answer: your NAS uses the old port to talk to
> RADIUS (1645), and your RADIUS uses the new one (1812). Configure your RADIUS
> and your NAS to talk on the same port.

Sorry, I didn't mention that everything is working fine! We want to use
the ports 1812/1813 and the NASes are sending on port 1813.
If the NASes were not sending on the same port FreeRADIUS is listening on
it should not work, right?

So that seems very strange to me :-/





Re: Ports mismatch between config and debug messages

2004-04-19 Thread Alan DeKok
Pascal Polleunus <[EMAIL PROTECTED]> wrote:
> Sorry, I didn't mention that everything is working fine! We want to use 
> the ports 1812/1813 and the NAS are sending on port 1813.
> If the NAS were not sending on the same port FreeRADIUS is listening on 
> it should not work, right?

  Again, you're confusing "from" with "to".

  The NASes send FROM a port TO the port FreeRADIUS is listening on.
The FROM port is irrelevant, and can have any value whatsoever.

  One indication that the problem is your misunderstanding is the fact
that everything works.  Everything works when you think it shouldn't,
so you're clearly missing something.

  Alan Dekok.


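The from/to distinction Alan describes, as an added example that is not part of the thread and not FreeRADIUS code: a loopback Accounting-Request/Response exchange in Python. Both sockets bind port 0 so the OS picks the ports, standing in for the NAS's 1646 and the server's 1813; the shared secret, user name and attributes are constructed. The example also computes and checks the RFC 2866 Request and Response Authenticators, because that is the check that matters here: the source port proves nothing about who sent the packet, the secret-keyed authenticator does.

```python
"""Added example, not from the list thread and not FreeRADIUS code: one
RADIUS accounting exchange over loopback UDP. The server answers TO the
address/port the request came FROM, and both sides verify the RFC 2866
authenticators with the shared secret. Secret and attributes are constructed."""
import hashlib
import hmac
import socket
import struct

SECRET = b"testing123"      # constructed shared secret
ACCOUNTING_REQUEST = 4      # RFC 2866 packet codes
ACCOUNTING_RESPONSE = 5
USER_NAME = 1               # attribute numbers used below
ACCT_STATUS_TYPE = 40


def encode_avp(attr_type, value):
    """Type-Length-Value attribute; Length includes the 2-octet header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, attrs, secret):
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 s3: Request Authenticator = MD5(Code+ID+Length+16 zero
    # octets+Attributes+Secret). It is a secret-keyed integrity tag, not a nonce.
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_accounting_request(packet, secret):
    """Server-side check: recompute the Request Authenticator with our secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_response(code, identifier, request_auth, attrs, secret):
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(packet, request_auth, secret):
    """Client-side check: the reply must be bound to our request and the secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def exchange(identifier=84):
    """Run one Accounting-Request/Response over loopback and report the ports."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))      # stands in for the TO port, 1813
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))      # the OS picks the FROM port, like the NAS's 1646
    server.settimeout(5)
    client.settimeout(5)
    to_port = server.getsockname()[1]
    from_port = client.getsockname()[1]
    try:
        attrs = encode_avp(USER_NAME, b"alice") + \
            encode_avp(ACCT_STATUS_TYPE, struct.pack("!I", 1))   # Start
        request = build_accounting_request(identifier, attrs, SECRET)
        client.sendto(request, ("127.0.0.1", to_port))

        data, (src_ip, src_port) = server.recvfrom(4096)
        # Server side: drop anything not keyed with the shared secret
        if not verify_accounting_request(data, SECRET):
            raise ValueError("bad Request Authenticator: wrong secret or forged packet")
        # The reply goes back to the address and port the request came FROM
        response = build_response(ACCOUNTING_RESPONSE, data[1], data[4:20], b"", SECRET)
        server.sendto(response, (src_ip, src_port))

        reply, _ = client.recvfrom(4096)
        valid = verify_response(reply, request[4:20], SECRET)
    finally:
        server.close()
        client.close()
    return {"to_port": to_port, "from_port": from_port,
            "seen_from_port": src_port, "response_valid": valid}
```

exchange() returns the three port numbers and whether the response verified; seen_from_port always equals from_port and never equals to_port, which is the whole point of the thread. The authenticator check only binds a packet to the secret, so clients.conf still has to restrict which source addresses are accepted at all, and a packet with a wrong secret fails verify_accounting_request before any accounting is written.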


Re: proxying request

2004-04-19 Thread Alan DeKok
"Barry" <[EMAIL PROTECTED]> wrote:
> The problem I'm having is that the ip address of the NAS is used when
> allowing the request. The NAS is on ADSL with a changing IP address.

  Ok... that's not much of a problem.  Just list the whole network in
"clients.conf".  There are examples there for listing networks.

> Is it possible to have the freeradius server's ip making the request
> (in a NAT sort of way)?

  I'm not sure what you mean by that.

> I've opened the entire ADSL range for my server but the Cistron admin
> won't.

  He doesn't need to.  All he needs to do is list the IP of your
FreeRADIUS server.

  Alan DeKok.



expiration attribute

2004-04-19 Thread Milver S. Nisay
Can anyone elaborate more on the "Expiration" attribute?
Is it an attribute for password age or expiration for the password?
I am trying to play around with an expiration attribute -- expiration for
an account
from a MySQL table and not from system accounts, using freeradius under FC1.
Anyone?
//milver







Question - Specific DEFAULT entry for use when password fails, another for when user doesn't exist.

2004-04-19 Thread Daniel W. Halverson
Hello all.  I've searched, but I haven't been able to find an easy way 
to make this work.

I'm currently using a DEFAULT entry to fill out our standard reply 
items.  I would like to have a different default entry to be used when 
the username exists, but the password is incorrect, and a third to be 
used when the username doesn't exist.  The application is to send a set 
of  Cisco-AVPair's to redirect a user to a captive portal where they can 
check their password or check their account status or sign up for new 
service.
I've looked all over and tried a number of different ways, but I haven't 
been able to get it to work yet.  Anyone have any advice?

  Thanks in advance.

   Dan



Re: Question - Specific DEFAULT entry for use when password fails, another for when user doesn't exist.

2004-04-19 Thread Alan DeKok
"Daniel W. Halverson" <[EMAIL PROTECTED]> wrote:
> I'm currently using a DEFAULT entry to fill out our standard reply 
> items.  I would like to have a different default entry to be used when 
> the username exists, but the password is incorrect, and a third to be 
> used when the username doesn't exist.

  You can't do that in the "users" file.  It's processed during
authorization, where it doesn't know if the user exists, or if the
password is invalid.

  See doc/configurable_failover.  (Try the latest CVS snapshot, it's a
little easier to understand).

  You can say things like:

  look up user in module foo 
   if notfound, look up user in module bar

  You'll need multiple copies of the "files" module, but you should be
able to get it to work.

  Alan DeKok.



Disconnect account after 100 hours of total time used?

2004-04-19 Thread Devin Atencio
Where do I find sqlcounter.conf? Also, what I mean to say is that I want 100
hours of dialup, not in 1 session, but if a user connects Monday for 20 hours,
then Tuesday for 30 hours, etc., after 100 hours was used for the entire month
I want it to disable the account. Is there a way to do this in freeradius?





Re: Question - Specific DEFAULT entry for use when password fails, another for when user doesn't exist.

2004-04-19 Thread Daniel W. Halverson
Thanks for the quick response.  With failover, would you be able to 
detect if a user exists in the users file, but the password doesn't 
match?  I'll grab the CVS tonight and check it out.

  Thanks again.

   Dan

Alan DeKok wrote:

> "Daniel W. Halverson" <[EMAIL PROTECTED]> wrote:
>
>> I'm currently using a DEFAULT entry to fill out our standard reply
>> items.  I would like to have a different default entry to be used when
>> the username exists, but the password is incorrect, and a third to be
>> used when the username doesn't exist.
>
>  You can't do that in the "users" file.  It's processed during
> authorization, where it doesn't know if the user exists, or if the
> password is invalid.
>
>  See doc/configurable_failover.  (Try the latest CVS snapshot, it's a
> little easier to understand).
>
>  You can say things like:
>
>  look up user in module foo
>   if notfound, look up user in module bar
>
>  You'll need multiple copies of the "files" module, but you should be
> able to get it to work.
>
>  Alan DeKok.


Re: Disconnect account after 100 hours of total time used?

2004-04-19 Thread Milver S. Nisay
make use of rlm_sqlcounter.

- Original Message -
From: "Devin Atencio" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 19, 2004 10:53 PM
Subject: Disconnect account after 100 hours of total time used?


> Where do I find sqlcounter.conf? Also, what I mean to say is that I want 100
> hours of dialup, not in 1 session, but if a user connects Monday for 20 hours,
> then Tuesday for 30 hours, etc., after 100 hours was used for the entire month
> I want it to disable the account. Is there a way to do this in freeradius?
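Added example, not part of the thread and not the rlm_sqlcounter module itself: the calculation the module performs for a per-month cap, done against a constructed radacct table in sqlite so it runs offline. The query follows the structure of the monthly query in the shipped sqlcounter.conf (only the part of a session after the reset instant counts, and sessions that ended before the reset are ignored); the table layout, user names, times and the 100-hour limit are constructed.

```python
"""Added example, not from the list thread and not FreeRADIUS code: what
rlm_sqlcounter computes for a monthly cap, against a constructed radacct
table in sqlite. Users, session times and the limit are constructed."""
import datetime
import sqlite3

LIMIT_SECONDS = 100 * 3600   # what Max-Monthly-Session := 360000 would express


def utc(year, month, day, hour=0):
    return datetime.datetime(year, month, day, hour, tzinfo=datetime.timezone.utc)


def reset_time(now):
    """sqlcounter's %b for reset = monthly: the first of the current month, UTC here."""
    return int(utc(now.year, now.month, 1).timestamp())


def monthly_usage(conn, username, now):
    """Seconds used since the reset instant. A session that started before
    the reset is charged only for the part after it; sessions that ended
    before the reset are left out entirely."""
    reset = reset_time(now)
    # MAX(a, b) is sqlite's scalar max; the MySQL query spells it GREATEST.
    row = conn.execute(
        """SELECT COALESCE(SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)), 0)
             FROM radacct
            WHERE UserName = ?
              AND AcctStartTime + AcctSessionTime > ?""",
        (reset, username, reset)).fetchone()
    return int(row[0])


def check(conn, username, now, limit=LIMIT_SECONDS):
    """('reject', 0) at or past the cap, else ('accept', remaining) where
    remaining is what sqlcounter would send as Session-Timeout."""
    used = monthly_usage(conn, username, now)
    if used >= limit:
        return ("reject", 0)
    return ("accept", limit - used)


def demo_db():
    """Constructed accounting rows around April 2004 (times in epoch seconds)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct "
                 "(UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)")
    april = reset_time(utc(2004, 4, 19))
    day = 86400
    rows = [
        ("alice", april + 4 * day, 20 * 3600),     # Monday, 20 h
        ("alice", april + 5 * day, 30 * 3600),     # Tuesday, 30 h
        ("alice", april - 4 * 3600, 10 * 3600),    # straddles the reset: only 6 h count
        ("alice", april - 10 * day, 3600),         # entirely in March: ignored
        ("bob", april + 1 * day, 101 * 3600),      # over the cap
    ]
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn
```

check() returns what the module would turn into a reject or into a Session-Timeout reply; in FreeRADIUS the same numbers come from the user's Max-Monthly-Session check item and reset = monthly in the sqlcounter instance. The straddling-session clause matters: without it a session opened before the reset and kept open is either charged in full to the new month or not at all, depending on which side you filter on, and a user can game the cap by keeping one long session open across the boundary.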


Re: We are willing to pay to get support on this (Was: Cisco-AVPair & cisco_vsa_hack())

2004-04-19 Thread Paul Hampson
On Sun, Apr 18, 2004 at 03:51:12PM +0200, Jerome Warnier wrote:
> On Sun, 2004-04-18 at 15:13, Paul Hampson wrote:
> > On Sun, Apr 18, 2004 at 12:33:53PM +0200, Jerome Warnier wrote:
> > > On Sun, 2004-04-18 at 05:43, Paul Hampson wrote:
> > > > On Sat, Apr 17, 2004 at 11:41:27PM +0200, Jerome Warnier wrote:
> > > > > On Sat, 2004-04-17 at 06:02, Paul Hampson wrote:
> > > > > > On Fri, Apr 16, 2004 at 09:55:01PM +0200, Jerome Warnier wrote:
> > > > > > > On Fri, 2004-04-16 at 20:42, Alan DeKok wrote:
> > > > > > > > ?ISO-8859-1?Q?J=E9r=F4me?= Warnier <[EMAIL PROTECTED]> wrote:
> > > > > > > > ...

> > > > > > > >   Try the latest CVS snapshot, it may work better there.

> > > And you have of course to use dh_perl in debian/rules to substitute the
> > > ${perl:Depends}. I suggest the following (not tested):
> > > dh_perl -p freeradius-dialupadmin dialup_admin/bin

> > I think I'll make that a Recommends, not a Depends... Unless those perl
> > scripts are vital to the operation of most of dialup-admin? A brief
> > examination of the README suggest they're all optional extras, that I
> > (for example) would never run. (We don't do bandwidth tracking/billing,
> > and I don't want it whacking data from my radacct table.)
> There is also a crontab file in this directory, which uses most of the
> other scripts there, but needs fixing before being (optionally) put into
> /etc/cron.d. This file needs fixing anyway, because it currently points
> to /usr/local/...

I'll put this in as an example, I think. However, I will have to add a
sed script to fix the paths in the crontab.

> Did not use any yet, so you are probably right. Maybe a debconf question
> would be useful (setup crontab for accounting or not)?
> Don't forget it just applies to Dialup Admin, which many people won't
> probably bother installing anyway.

Bleh, no good. Conditionally installing a file into /etc/ is a pain
under Debian Policy. I'll have to make a note in the README.Debian
about that.

-- 
Paul "TBBle" Hampson, on an alternate email client.



Re: Ports mismatch between config and debug messages

2004-04-19 Thread Pascal Polleunus
Alan DeKok wrote:

> Pascal Polleunus <[EMAIL PROTECTED]> wrote:
>
>> Sorry, I didn't mention that everything is working fine! We want to use
>> the ports 1812/1813 and the NAS are sending on port 1813.
>> If the NAS were not sending on the same port FreeRADIUS is listening on
>> it should not work, right?
>
>   Again, you're confusing "from" with "to".

Ok, understood ;-)
Thanks

>   The NASes send FROM a port TO the port FreeRADIUS is listening on.
> The FROM port is irrelevant, and can have any value whatsoever.
>
>   One indication that the problem is your misunderstanding is the fact
> that everything works.  Everything works when you think it shouldn't,
> so you're clearly missing something.
>
>   Alan Dekok.