Re: crash under high load

2004-05-13 Thread Stephan Jaeger
On Fri, 14.05.2004 at 2:37 -0400, Alan DeKok wrote:
> Stephan Jaeger <[EMAIL PROTECTED]> wrote:
> > I'm having a problem with high load situations, I get "Error: Assertion
> > failed in request_list.c, line 532" and the server crashes, it's acting
> > as a radius proxy.
> 
>   Since you didn't say what version you're running, I'm going to
> suggest upgrading to the latest CVS snapshot.
Uhh! Sorry, it's the snapshot from the 10th of May.

Regards

Stephan Jaeger



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: access for eap/tls

2004-05-13 Thread Alan DeKok
Artur Hecker <[EMAIL PROTECTED]> wrote:
> well, theoretically, it needs a signing capacity (represented by an 
> included extension) to do this. anyway, in my config the client 
> certificates are _not_ signed by this one, they are - of course - signed 
> by the private key of the CA... as ANY certificate ever issued.

  Ok...

> >   If you don't list usernames and passwords in a database, then the
> > server has no way of authenticating users... unless you use
> > certificates.
> 
> now I don't get it. what does the password have to do with that? we speak 
> about certificates, why would I configure a password?

  I'm saying that WITHOUT certificates, you need to have a database.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Stability Problem - Moreinfo

2004-05-13 Thread Alan DeKok
Julien freeradius <[EMAIL PROTECTED]> wrote:
> Ok, in fact it's a user that sends this request without a password.
> Usually we reject bad passwords fine. But each time this user is trying 
> to access, the freeradius stops receiving any requests !!

  It's an accounting request.  There isn't supposed to be a password
in it.

  And you didn't bother saying which version of the server you were
using.

> Attr-102 = 
> 0x43414e545620536572766963696f732c432e412e3b56656e657a75656c61
> Attr-103 = 0x40a3813f

  These are attributes defined in the "dictionary.ascend" file.  Since
your server is not printing proper names for those attributes, you've
edited something you weren't supposed to edit.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
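The Attr-101 to Attr-110 values quoted above are printed as raw octets only because the server is missing the dictionary entries for them. As an added example (not code from this thread or from FreeRADIUS), here is a small Python helper that pulls the Attr-NNN lines out of such debug output and guesses what the octets hold: printable ASCII is shown as text, a four-byte value inside a plausible Unix-time window as a UTC timestamp, other short values as integers. The sample log is constructed from the hex values shown in the message (the line that was wrapped in the mail is rejoined); the classification is a reading aid for logs, not a substitute for the proper dictionary.ascend definitions.

```python
import re
from datetime import datetime, timezone

# Constructed sample, shaped like the "rad_recv" debug output quoted in the
# thread (the hex values are the ones shown in the message).
SAMPLE_LOG = """\
   Attr-101 = 0x3230302e34342e33322e3937
   Attr-102 = 0x43414e545620536572766963696f732c432e412e3b56656e657a75656c61
   Attr-103 = 0x40a3813f
   Attr-104 = 0xc7c0
   Attr-105 = 0x0002
   Attr-102 = 0x
   Attr-107 = 0x3231362e3233312e3230312e323232
"""

ATTR_RE = re.compile(r"^\s*Attr-(\d+)\s*=\s*0x([0-9a-fA-F]*)\s*$")

# Plausible Unix-time window for the timestamp heuristic: 2000-01-01 up to
# the 31-bit rollover in 2038.
TS_MIN = 946684800
TS_MAX = 2147483647


def classify(raw: bytes):
    """Guess what an unknown attribute's octets hold.

    Returns (kind, value) with kind one of "empty", "text", "timestamp",
    "integer" or "octets".  This is a heuristic for reading debug output,
    not a dictionary lookup, so a 4-byte printable string still reads as text.
    """
    if not raw:
        return ("empty", None)
    if all(0x20 <= b < 0x7F for b in raw):
        return ("text", raw.decode("ascii"))
    if len(raw) <= 4:
        n = int.from_bytes(raw, "big")
        if len(raw) == 4 and TS_MIN <= n <= TS_MAX:
            ts = datetime.fromtimestamp(n, tz=timezone.utc)
            return ("timestamp", ts.strftime("%Y-%m-%dT%H:%M:%SZ"))
        return ("integer", n)
    return ("octets", raw.hex())


def parse_log(text: str):
    """Return [(attr_number, kind, value)] for every Attr-NNN line in text."""
    rows = []
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        raw = bytes.fromhex(m.group(2))
        kind, value = classify(raw)
        rows.append((int(m.group(1)), kind, value))
    return rows


if __name__ == "__main__":
    for num, kind, value in parse_log(SAMPLE_LOG):
        print(f"Attr-{num}: {kind} {value!r}")
```

Run against the sample, Attr-102 decodes to the string CANTV Servicios,C.A.;Venezuela, Attr-101 and Attr-107 to dotted IPv4 addresses sent as text, and Attr-103 to 2004-05-13T14:07:59Z, the day of the post. Seeing vendor attributes in this raw form is the symptom Alan points at: the dictionary was edited, so the server can no longer name them.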


Stability Problem Solve but not understood

2004-05-13 Thread Julien freeradius
Hello,

As I have explained in a previous post, our freeradius was crashing while 
receiving an accounting request from a specific user.  In the end, by 
disabling the detail and auth detail log, the user stopped crashing the server.
But I can't understand why.
Which kind of request could crash Freeradius through the detail module ?
I have tried to send exactly the same attributes as him but the 
freeradius doesn't crash.
Which log should I check to understand and be able to reactivate the 
detail log ?

Thanks in advance

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Gentoo Linux -- Libshadow usage..

2004-05-13 Thread Alan DeKok
Nico Baggus <[EMAIL PROTECTED]> wrote:
> After some issues with getting freeradius compiled on an alpha with gentoo 
> linux one of the developers of the libshadow complains about the proposed 
> solution of adding -fPIC to libshadow. (to get linking with libshadow 
> working..)

  It shouldn't be necessary, in an ideal world.

> One of the statements is that libshadow is internal use only and
> should not be used by third party developers

  Uh, right.  If they want nothing but "login" to read shadow
passwords, then that's fine.  If FreeRADIUS is going to use shadow
passwords, then it needs SOME way to do this.

  How do they propose that the server read shadow passwords without
linking against -lshadow?

  And why is -lshadow "internal"?  Other OS's don't make it internal.
Why is gentoo so magic?

  You can work around this in FreeRADIUS (maybe), by using rlm_passwd,
but that defeats the point of using getpwent().

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: missing something - client/user vs machine

2004-05-13 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Regardless of who logs in to the box, I want it to
> authenticate. I might have 50 local user accounts
> configured, but I really only want one certificate for all
> 50. Is there some way to do this that I am missing?

  Don't use certificates.  Use EAP-PEAP, or EAP-TTLS.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: realm question

2004-05-13 Thread Alan DeKok
jesk <[EMAIL PROTECTED]> wrote:
> am i right, that there is no way to do it?

  Yes, there is.

  See the "realms" module.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: crash under high load

2004-05-13 Thread Alan DeKok
Stephan Jaeger <[EMAIL PROTECTED]> wrote:
> I'm having a problem with high load situations, I get "Error: Assertion
> failed in request_list.c, line 532" and the server crashes, it's acting
> as a radius proxy.

  Since you didn't say what version you're running, I'm going to
suggest upgrading to the latest CVS snapshot.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius and MySql

2004-05-13 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> My ask is how can i'm set freeradius in order to if one data base server
>  fail, it connect automatically at the other server?

  Try the latest CVS snapshots.  They work a little better in this
situation.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Segmentation fault on freeradius-0.9.3 and openldap-2.1.29

2004-05-13 Thread Alan DeKok
"Willey Kurt D" <[EMAIL PROTECTED]> wrote:
> rlm_ldap: bind as cn=ldap,dc=host,dc=com/password to host.com:636
> Segmentation fault

  Try "ulimit -c unlimited" to get the core dump.  This is documented
in doc/bugs.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re[3]: IP Pools Error?

2004-05-13 Thread Alexander Lunyov
Hello Alexander,

Friday, May 14, 2004, 8:01:57 AM, you wrote:

AL> Yes, it seems that sometimes NAS-Port-Id is missing. For example:

AL> Request is:

AL> Service-Type = Framed-User
AL> User-Name = "bpv89"
AL> Framed-Protocol = PPP
AL> CHAP-Password = xx
AL> CHAP-Challenge = xx
AL> NAS-Identifier = "zeus.domain.ru"
AL> NAS-Port-Type = Async

AL> And this client is not receiving an address, because rlm_ippool
AL> returns NOOP after the NAS port id check. I'm using exppp on
AL> freebsd-4.8R-p13 and multiport cards as a NAS, and I found that
AL> such requests come only from some ports/modems (i.e.
AL> /dev/cuaa10), and others are doing fine.

AL> Why is NAS-Port-Id so critical for rlm_ippool? Can I do some
AL> workaround for this problem, maybe with some hack of rlm_ippool.c?
AL> I mean, does rlm_ippool really need NAS-Port-Id?


It seems to me that I found the problem, and it's not a freeradius
issue. I think it's an exppp or mgetty or even OS problem, but
not freeradius. Sorry for bothering.

-- 
Best regards,
 Alexander                          mailto:[EMAIL PROTECTED]


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re[2]: IP Pools Error?

2004-05-13 Thread Alexander Lunyov
Hello Alan,

Thursday, May 13, 2004, 5:36:18 PM, you wrote:

>>I have pretty much the same problem here. When I'm testing connection -
>>all works fine. But when there are some users connected -
>>rlm_ippool seems to be not working. In debug mode I've seen that
>>processing of such 'bad' requests is finished right after entering
>>'post-auth' block, and in these cases ippool is not invoked -
>>radiusd says 'Finished request blah-blah' and then it comes to
>>another request. Maybe, some server tuning should be done? I mean,
>>number of threads, timeouts and such. Tomorrow I will try it.

AD>   I would suggest adding more debug statements to the rlm_ippool
AD> module, so you can see WHY it isn't assigning an IP.  Odds are that
AD> the request doesn't contain enough information for it to assign an IP.

Yes, it seems that sometimes NAS-Port-Id is missing. For example:

Request is:

Service-Type = Framed-User
User-Name = "bpv89"
Framed-Protocol = PPP
CHAP-Password = xx
CHAP-Challenge = xx
NAS-Identifier = "zeus.domain.ru"
NAS-Port-Type = Async

And this client is not receiving an address, because rlm_ippool
returns NOOP after the NAS port id check. I'm using exppp on
freebsd-4.8R-p13 and multiport cards as a NAS, and I found that
such requests come only from some ports/modems (i.e.
/dev/cuaa10), and others are doing fine.

Why is NAS-Port-Id so critical for rlm_ippool? Can I do some
workaround for this problem, maybe with some hack of rlm_ippool.c?
I mean, does rlm_ippool really need NAS-Port-Id?

-- 
Best regards,
 Alexander                          mailto:[EMAIL PROTECTED]


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Looking for Possibilities

2004-05-13 Thread Julien freeradius
Hello,

You should effectively assign him a local IP address and a special DNS 
with a wildcard that points to your server.
So any http request will open your server webpage...

Maybe there are better solutions for that, it's just a suggestion.

Nick Marino wrote:

What I am looking for is a way to redirect a user to a specific web page on
my web server if their account access has been restricted instead of setting
for reject and locking them out totally. We are an ISP and need to block
users' access and redirect them to a specific web page if they have not paid
their bill and the account is on hold till it is resolved.
Is there any way to do this using freeradius?

I know I can assign them a specific IP address like maybe a private address
to restrict them from surfing or accessing the internet but is there a way
to display them a message so they will know why they have been put on
restricted access.
Any Ideas would be greatly appreciated.

I am running Freeradius with mysql on Linux and have apache web server.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Simultaneous login problem at realm server

2004-05-13 Thread mithu

Hi

I am facing a problem after shifting to freeradius from cistron radius. I have a 
realm server and there is running another radius (icradius). In the mysql database 
the simultaneous login option has been set to 5 in the radgroupcheck table.
But when a user tries to log in more than once, radius is refusing the 
connection. It worked fine when I used cistron radius. 

Here is the entry I have in my realm server's radgroupcheck table:

mysql> select * from radgroupcheck where groupname='GALILEO';

+-+---+--+-+
| id  | GroupName | Attribute| Value   |
+-+---+--+-+
| 118 | GALILEO   | NAS-Identifier   | Redback |
| 117 | GALILEO   | Simultaneous-Use | 5   |
+-+---+--+-+

Any suggestions?





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Looking for Possibilities

2004-05-13 Thread Nick Marino
What I am looking for is a way to redirect a user to a specific web page on
my web server if their account access has been restricted instead of setting
for reject and locking them out totally. We are an ISP and need to block
users' access and redirect them to a specific web page if they have not paid
their bill and the account is on hold till it is resolved.

Is there any way to do this using freeradius?

I know I can assign them a specific IP address like maybe a private address
to restrict them from surfing or accessing the internet but is there a way
to display them a message so they will know why they have been put on
restricted access.

Any Ideas would be greatly appreciated.

I am running Freeradius with mysql on Linux and have apache web server.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: HELP: Compile freeradius with C++ module and third party library

2004-05-13 Thread Htin Hlaing
Hi,

> If you're already doing this, I'm not sure where the error would be
> coming from.  You can use the "nm" command to check the symbols that
> are defined in your library and make sure the one you want is really
> there.
> 
> Dave

[Htin Hlaing] 
Thanks for the input Dave.  Yeah, I was already doing that.  I just
found out that the c++ library that I wanted to use was built with g++
version 3.3.1 and I was using gcc, g++ 2.95.4.  After I switched to
3.3.1, things work fine.

Thanks,
Htin  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: access for eap/tls

2004-05-13 Thread Artur Hecker
hi alan


  Yes.  See the tls{} configuration.  It points to a server
certificate.  The client certificates are signed with this certificate.
well, theoretically, it needs a signing capacity (represented by an 
included extension) to do this. anyway, in my config the client 
certificates are _not_ signed by this one, they are - of course - signed 
by the private key of the CA... as ANY certificate ever issued.

so, if you say you sign them by the server certificate, for me it means 
that either root.pem and server.pem are the same files OR - more 
generally - that a CA has signed a server a "special" certificate 
permitting it to sign other certificates - which is actually quite 
unusual but possible. so, i'm trying to understand what it is and what 
would it provide...


  Independently of the user & password existing in a database.

  If you don't list usernames and passwords in a database, then the
server has no way of authenticating users... unless you use
certificates.
now I don't get it. what does the password have to do with that? we speak 
about certificates, why would I configure a password?

i begin to think that we are terribly misunderstanding each other :-)

ciao
artur
--
Artur Hecker
artur[at]hecker.info
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Stability Problem - Moreinfo

2004-05-13 Thread Julien freeradius
Hello again,

Ok, in fact it's a user that sends this request without a password.
Usually we reject bad passwords fine. But each time this user is trying 
to access, the freeradius stops receiving any requests !!
We need to reboot the freeradius. I have replaced the real username of the 
user with VALIDUSERNAME.
In the radius.log I see nothing about this access-request, I need to run 
the freeradius with the -X option and check the log.

What could be wrong with this user and how can I prevent the radiusd from 
crashing ?
Thanks in advance

Log details follow
3 request 3 crash ...
Cleaning up request 11 ID 68 with timestamp 40a3e412
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 216.231.201.222:37625, 
id=235, length=307
   Framed-IP-Address = 200.44.79.128
   Acct-Session-Id = "000136EE"
   Acct-Authentic = RADIUS
   NAS-Port-Type = Async
   User-Name = "VALIDUSERNAME"
   User-Password = ""
   Calling-Station-Id = "2123723449"
   Framed-Protocol = PPP
   Called-Station-Id = "2000"
   NAS-Port = 160
   NAS-IP-Address = 200.44.79.1
   Acct-Delay-Time = 0
   Service-Type = Framed-User
   Acct-Status-Type = Start
   Attr-101 = 0x3230302e34342e33322e3937
   Attr-102 = 
0x43414e545620536572766963696f732c432e412e3b56656e657a75656c61
   Attr-103 = 0x40a3813f
   Attr-104 = 0xc7c0
   Attr-105 = 0x0002
   Attr-101 = 0x3139322e3136382e302e3737
   Attr-102 = 0x
   Attr-103 = 0x40a3e46b
   Attr-104 = 0x8f80
   Attr-107 = 0x3231362e3233312e3230312e323232
   Attr-108 = 0x332e322e3320283429204665622031387468202032303032
   Attr-110 = 0x6154
   Proxy-State = 
0x475249433a3a3139322e3136382e302e37373a3a313634363a3a31303834343832363637
   rad_lowerpair:  User-Name now 'VALIDUSERNAME'
rad_lowerpair:  User-Password now ''
rad_rmspace_pair:  User-Name now 'VALIDUSERNAME'
rad_rmspace_pair:  User-Password now ''
modcall: entering group preacct for request 12
 modcall[preacct]: module "preprocess" returns noop for request 12
   rlm_realm: No '#' in User-Name = "VALIDUSERNAME", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[preacct]: module "suffix" returns noop for request 12
 modcall[preacct]: module "files" returns noop for request 12
modcall: group preacct returns noop for request 12
modcall: entering group accounting for request 12
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in 
request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 
216.231.201.222,NAS-IP-Address = 200.44.79.1,Acct-Session-Id = 
"000136EE",User-Name = "VALIDUSERNAME"'
rlm_acct_unique: Acct-Unique-Session-ID = "4a114aa38ef74b3b".
 modcall[accounting]: module "acct_unique" returns ok for request 12
radius_xlat:  '/var/log/freeradius/radacct/216.231.201.222/detail-20040513'
rlm_detail: 
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /var/log/freeradius/radacct/216.231.201.222/detail-20040513
^C

Cleaning up request 20 ID 49 with timestamp 40a3e67f
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 216.231.201.222:38554, 
id=235, length=307
   Framed-IP-Address = 200.44.79.128
   Acct-Session-Id = "000136EE"
   Acct-Authentic = RADIUS
   NAS-Port-Type = Async
   User-Name = "VALIDUSERNAME"
   User-Password = ""
   Calling-Station-Id = "2123723449"
   Framed-Protocol = PPP
   Called-Station-Id = "2000"
   NAS-Port = 160
   NAS-IP-Address = 200.44.79.1
   Acct-Delay-Time = 0
   Service-Type = Framed-User
   Acct-Status-Type = Start
   Attr-101 = 0x3230302e34342e33322e3937
   Attr-102 = 
0x43414e545620536572766963696f732c432e412e3b56656e657a75656c61
   Attr-103 = 0x40a3813f
   Attr-104 = 0xc7c0
   Attr-105 = 0x0002
   Attr-101 = 0x3139322e3136382e302e3737
   Attr-102 = 0x
   Attr-103 = 0x40a3e6d7
   Attr-104 = 0x8f80
   Attr-107 = 0x3231362e3233312e3230312e323232
   Attr-108 = 0x332e322e3320283429204665622031387468202032303032
   Attr-110 = 0x63b7
   Proxy-State = 
0x475249433a3a3139322e3136382e302e37373a3a313634363a3a31303834343833323837
rad_lowerpair:  User-Name now 'VALIDUSERNAME'
rad_lowerpair:  User-Password now ''
rad_rmspace_pair:  User-Name now 'VALIDUSERNAME'
rad_rmspace_pair:  User-Password now ''
modcall: entering group preacct for request 21
 modcall[preacct]: module "preprocess" returns noop for request 21
   rlm_realm: No '#' in User-Name = "VALIDUSERNAME", looking up realm NULL
   rlm_realm: No 

Gentoo Linux -- Libshadow usage..

2004-05-13 Thread Nico Baggus
Alan,

After some issues with getting freeradius compiled on an alpha with gentoo 
linux one of the developers of the libshadow complains about the proposed 
solution of adding -fPIC to libshadow. (to get linking with libshadow 
working..)

One of the statements is that libshadow is internal use only and should not be 
used by third party developers

Can you please comment on that:

Here is a reference:

http://bugs.gentoo.org/show_bug.cgi?id=37725

As far as I can tell -lshadow should not be used in the 
Makefile from rlm_unix.

Looking forward to your comment on this,
this might be something you want to get fixed before 1.0

Kind regards,
Nico Baggus.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Stability Problem

2004-05-13 Thread Julien freeradius
Hello

Everything was working correctly until today. We use freeradius with the 
mysql module on OSX. For 6 months the server has run well. But today we 
have a problem with it: after a reboot of the computer, freeradius runs 
for 10 minutes and then stops receiving requests. When the server stops 
receiving requests the daemon is still running, and the ports are still open. 
(Checked through netstat and top)

We monitor the radius.log file, but there is nothing special in the log.

Does anyone have any clue about this ?

Thanks in advance.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Cisco Client - Cisco Aironet - FreeRadius - SafeWord Radius Server

2004-05-13 Thread Chris Cinnamo
Currently, I have a laptop setup with XP with SP1 that has the Cisco Aironet Client Utility installed. I also have a Cisco Aironet 350. The LEAP authentication is working fine with a user defined in the users file on FreeRadius (snapshot-20040511). What I would like to do now is take it one step further and authenticate some users ([EMAIL PROTECTED]) to SafeWord using their RADIUS server. I am very familiar with SafeWord's RADIUS Server and have set up debug on that end. I can see the request within the debug, but it fails with 'missing password'. 
 
Question: How can I terminate the EAP/LEAP at FreeRadius, and have just the ID and Password verified by the SafeWord Radius Server (since it does not support EAP right now)? 
 
I figure I would need to setup Proxying (Realms) but how do I terminate the EAP but proxy the Auth request to SafeWord for the authentication? 
 
Your help and suggestions would be very helpful. 
 
Chris

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


missing something - client/user vs machine

2004-05-13 Thread histar2
Hi,

Perhaps I am missing something obvious (ok, maybe not
perhaps, maybe it is obvious) but I am trying to use
freeradius with openssl as CA and set up EAP/TLS.
Everything works if I issue a cert for each user account on
the wireless boxes, but here is what I really want to
happen -

Regardless of who logs in to the box, I want it to
authenticate. I might have 50 local user accounts
configured, but I really only want one certificate for all
50. Is there some way to do this that I am missing?

I even ran mmc to make the CA root for the MACHINE, but
that did not seem to help - it seems I have to install the
cert under each user account and this will not be good
since I will have over 6000 of these silly things when we
are done.

Help?
Thanks...
Kat

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: HELP: Compile freeradius with C++ module and third party library

2004-05-13 Thread Dave Mason
Hi,
My first guess would be to ask if you're calling a C++ method directly 
from C.  You can link a C++ library into Freeradius, but in order to 
call a C++ method you have to put it inside a C wrapper function.  Your 
code would look something like this:

interface.h
--
#ifdef __cplusplus
extern "C"
{
#endif
int
interfaceWrapper(int arg);
#ifdef __cplusplus
}
#endif

interface.cpp
--
#include "interface.h"
#include "C++_library.h"   // header of the third-party C++ library
int
interfaceWrapper(int arg)
{
  int rc;
  YourObject *obj = new YourObject;   // YourObject stands for the library's class
  rc = obj->method(arg);
  delete obj;
  // or you may want to use a persistent object.  Just keep a pointer
  // to it that you can get to.
  return rc;
}

Freeradius rlm_xxx.c
-
#include "autoconf.h"
#include "radiusd.h"
#include "modules.h"   // RLM_MODULE_OK, RLM_MODULE_FAIL
#include "interface.h"
static int
xxx_authenticate(void *instance, REQUEST *request) // for example
{
  int arg = 0;   // in a real module, derive this from the request
  if (interfaceWrapper(arg) == 0)
 return RLM_MODULE_OK;
  else
 return RLM_MODULE_FAIL;
}
This gives you an interface.o and rlm_xxx.o which must both be linked 
into radiusd, along with your library.

If you're already doing this, I'm not sure where the error would be 
coming from.  You can use the "nm" command to check the symbols that are 
defined in your library and make sure the one you want is really there.

Dave

Htin Hlaing wrote:

Hi,

Using the suggestions and the patch on the list, I put my C++ module
in.  That works fine.  But from the new C++ module, I need to be able to
use another third party C++ library.  There, I am having a hard time.
At this point, I configure using --with-static-modules=mymodule to catch
the link error at compile time.  In my Makefile, I put RLM_LIBS +=
-lstdc++ -L/home/hhlaing/project/head/libxmlrpc++ -lXmlRpc to link in
the third party library.  I get link error saying the symbol not found;
the symbol is from the third party library.  Here is the exact error
message:
gcc .libs/radiusdS.o -g -O2 -pthread -D_THREAD_SAFE -DOPENSSL_NO_KRB5
-Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
-I../include -DHOSTINFO=\"\" -DRADIUSD_VERSION=\"1.0.0-pre0\" -o
.libs/radiusd radiusd.o files.o util.o acct.o nas.o log.o valuepair.o
version.o proxy.o exec.o auth.o timestr.o conffile.o modules.o modcall.o
session.o xlat.o threads.o smux.o radius_snmp.o client.o request_list.o
mainconfig.o -Wl,--export-dynamic
../modules/rlm_xmlrpc/.libs/rlm_xmlrpc.a -lstdc++
-L/home/hhlaing/project/head/libxmlrpc++ -lXmlRpc
-L/data/home/hhlaing/FreeRadius/radiusd-May-9/src/lib -lcrypt -lcipher
/data/home/hhlaing/FreeRadius/radiusd-May-9/src/lib/.libs/libradius.so
/data/home/hhlaing/FreeRadius/radiusd-May-9/libltdl/.libs/libltdl.so
-lcrypto -lssl -lcrypt -lcipher -Wl,--rpath
-Wl,/home/hhlaing/Install/FreeRadius-May-9/lib
/usr/lib/libc.so.4: warning: this program uses gets(), which is unsafe.
/usr/lib/libc.so.4: warning: mktemp() possibly used unsafely; consider
using mkstemp()
/usr/lib/libc.so.4: warning: tmpnam() possibly used unsafely; consider
using mkstemp()
/usr/lib/libc.so.4: warning: this program uses f_prealloc(), which is
not recommended.
/usr/lib/libc.so.4: warning: tempnam() possibly used unsafely; consider
using mkstemp()
../modules/rlm_xmlrpc/.libs/rlm_xmlrpc.a(rlm_xmlrpc.o): In function
`xmlrpcInstantiate(conf_part *, void **)':
/data/home/hhlaing/FreeRadius/radiusd-May-9/src/modules/rlm_xmlrpc/rlm_xmlrpc.cpp:122: undefined reference to
`XmlRpc::XmlRpcClient::XmlRpcClient(char const *, int, char const *)'
gmake[3]: *** [radiusd] Error 1
gmake[3]: Leaving directory
`/data/home/hhlaing/FreeRadius/radiusd-May-9/src/main'
Thanks,
Htin

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: realm question

2004-05-13 Thread jesk
On Thursday 13 May 2004 09:19, jesk wrote:
> hi again,
>
> I got a username with realms like this:   realm1/foobar%realm2
> is there a way to use realm2 as proxy realm local and get
> realm1 stripped away?
> I don't want realm1 for authorizing, authentication and accounting.
>
> thanks in advance,
> christian
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Am I right, that there is no way to do it?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


crash under high load

2004-05-13 Thread Stephan Jaeger
Hi,

I'm having a problem with high load situations, I get "Error: Assertion
failed in request_list.c, line 532" and the server crashes, it's acting
as a radius proxy.

This is easily reproducible: if I call radclient -c 1000 ... in a loop,
the server is gone within seconds.

Regards

Stephan Jaeger


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: access for eap/tls

2004-05-13 Thread Alan DeKok
Frédéric EVRARD <[EMAIL PROTECTED]> wrote:
> >   Yes.  See the tls{} configuration.  It points to a server
> > certificate.  The client certificates are signed with this certificate.
> 
> And then what is the root certificate used for on the client side ??
> 

  So the client knows it's talking to the right server.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: access for eap/tls

2004-05-13 Thread Frédéric EVRARD
> Artur Hecker <[EMAIL PROTECTED]> wrote:
>> oh.. so theoretically the server needs a "special" server certificate
>> enabling it to sign something, right? (with the right extensions, etc.)
>
>   Yes.  See the tls{} configuration.  It points to a server
> certificate.  The client certificates are signed with this certificate.

And then what is the root certificate used for on the client side ??

Fred.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: access for eap/tls

2004-05-13 Thread Alan DeKok
Artur Hecker <[EMAIL PROTECTED]> wrote:
> oh.. so theoretically the server needs a "special" server certificate 
> enabling it to sign something, right? (with the right extensions, etc.)

  Yes.  See the tls{} configuration.  It points to a server
certificate.  The client certificates are signed with this certificate.

> yes ok. but if you just want to block a user for a while, you can still 
> apply the rest of the authorization, right?

  Yes.  You can always block any user for any reason.

> I think my problem is that I don't really know who does what in the 
> setup you present. rlm_eaptls checks the certificate - if it is signed by 
> the server's certificate then the user is granted access - independently 
> of what?

  Independently of the user & password existing in a database.

  If you don't list usernames and passwords in a database, then the
server has no way of authenticating users... unless you use
certificates.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: access for eap/tls

2004-05-13 Thread Artur Hecker
hi alan


  No, but where the client certificates are signed by the server
certificate.
oh.. so theoretically the server needs a "special" server certificate 
enabling it to sign something, right? (with the right extensions, etc.)


  In that case, the server (through the certificate) has already said
that the user is ok (by signing the users certificate.)  Since that's
done, there's not much point in checking a database, to see if the
server knows about the user.
yes ok. but if you just want to block a user for a while, you can still 
apply the rest of the authorization, right?

I think my problem is that I don't really know who does what in the 
setup you present. rlm_eaptls checks the certificate - if it is signed by 
the server's certificate then the user is granted access - independently 
of what?

ciao
artur
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: nas clients only in the database

2004-05-13 Thread Kostas Kalevras
On Thu, 13 May 2004, Alan DeKok wrote:

> Stephan Jaeger <[EMAIL PROTECTED]> wrote:
> > it seems impossible right now to start freeradius without clients in the
> > radiusd.conf or included files and a client file, as I'd like to with
> > having them only in the mysql database.
>
>   There isn't much code to read them out of the SQL database, so if
> you don't use "clients.conf", you won't have clients.

Code has been added a few days ago.

>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: nas clients only in the database

2004-05-13 Thread Alan DeKok
Stephan Jaeger <[EMAIL PROTECTED]> wrote:
> it seems impossible right now to start freeradius without clients in the
> radiusd.conf or included files and a client file, as I'd like to with
> having them only in the mysql database.

  There isn't much code to read them out of the SQL database, so if
you don't use "clients.conf", you won't have clients.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


nas clients only in the database

2004-05-13 Thread Stephan Jaeger
Hi,

it seems impossible right now to start freeradius without clients in the
radiusd.conf or included files and a client file, as I'd like to with
having them only in the mysql database.

As a workaround I commented out the "if (!c) { return -1 }" in file
mainconfig.c around line 1154 and added an if (c) {} around the next
three lines, seems to work fine.

Server also starts without clients in the nas table and doesn't crash on
incoming requests, it's just that it might not be too sensible without any
clients ;)

Regards

Stephan Jaeger




Re: LDAP server

2004-05-13 Thread Kostas Kalevras
On Thu, 13 May 2004, deborha malka wrote:

> Hello all,
>
> I wanted to know if it is possible in the LDAP module, to have 2 LDAP servers (if 
> one fails, ...) ?
> And if it is possible, how to configure them.

Just configure two instances of the ldap module with different ldap servers
configured on each one. Read doc/configurable_failover for more information on
handling server failures.

>
> Thank you in advance,
>
> =
> Déborah Malka

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: IP Pools Error?

2004-05-13 Thread Alan DeKok
Alexander Lunyov <[EMAIL PROTECTED]> wrote:
> m> I believe that it has something to do with the NASes but the strange
> m> thing is that while using the Cistron radius server no such issue had
> m> been observed. 

  Cistron doesn't have IP pools.

>I have pretty much the same problem here. When i'm testing connection -
>all working fine. But when there's some users connected -
>rlm_ippool seems to be not working. In debug mode i've seen that
>processing of such 'bad' requests are finished right after entering
>'post-auth' block, and in these cases ippool is not invoked -
>radiusd says 'Finished request blah-blah' and then it comes to
>another request. Maybe, some server tuning should be done? I mean,
>number of threads, timeouts and such. Tomorrow i will try it.

  I would suggest adding more debug statements to the rlm_ippool
module, so you can see WHY it isn't assigning an IP.  Odds are that
the request doesn't contain enough information for it to assign an IP.

  Alan DeKok.



Re: LDAP server

2004-05-13 Thread Alan DeKok
deborha malka <[EMAIL PROTECTED]> wrote:
> I wanted to know if it is possible in the LDAP module, to have 2
> LDAP servers (if one fails, ...) ?
> And if it is possible, how to configure them.

  Yes.  See doc/configurable_failover

  I'd suggest reading it in the latest CVS snapshot, as that version
makes more sense.

  Alan DeKok.



LDAP server

2004-05-13 Thread deborha malka
Hello all,
 
I wanted to know if it is possible in the LDAP module, to have 2 LDAP servers (if one fails, ...) ?
And if it is possible, how to configure them.
 
Thank you in advance,

Déborah Malka

Re: IP Pools Error?

2004-05-13 Thread Alexander Lunyov
Hello m0bius,

Friday, November 7, 2003, 4:56:58 PM, you wrote:

m> I seem to be having a strange error occurring during the past few days
m> that I think has something to do with the IP Pools Management. We use
m> two Ascend Lucent MAX 3000 NAS (the one with one PRI while the second
m> carries two). The problem occurs while there are more than 50 dialup
m> users in which case the users can't connect and get an error type 738:
m> Server did not assign an IP address... 

m> I've enabled ippools in radius.conf with the correct start and stop
m> values and added the main_pool in the accounting and post-auth section
m> as mentioned. However the weird thing is that I don't seem to have any
m> logs via the radius of the unsuccessful attempts (either via the
m> detail/reply logs or the dialup admin) and I can't trace the problem by
m> debugging mode since the error doesn't happen all the times. It would
m> look like the nases are blocking the connections.

m> I believe that it has something to do with the NASes but the strange
m> thing is that while using the Cistron radius server no such issue had
m> been observed. 

   I have pretty much the same problem here. When i'm testing connection -
   all working fine. But when there's some users connected -
   rlm_ippool seems to be not working. In debug mode i've seen that
   processing of such 'bad' requests are finished right after entering
   'post-auth' block, and in these cases ippool is not invoked -
   radiusd says 'Finished request blah-blah' and then it comes to
   another request. Maybe, some server tuning should be done? I mean,
   number of threads, timeouts and such. Tomorrow i will try it.

-- 
Best regards,
 Alexander                            mailto:[EMAIL PROTECTED]




Re: shared secret length limitation

2004-05-13 Thread Graeme Hinchliffe
On Thu, 13 May 2004 16:38:37 +0400
"Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:

> On Thu, May 13, 2004 at 11:25:34AM +0100, Graeme Hinchliffe wrote:
> > Well assuming JUST the alphabet was used in the same case thats:
> > 
> > 16^26 = 20282409603651670423947251286016  possible combinations
> 
> Sorry for pedantry, not 16^26 but 26^16 = 4.36087428994289e+22
> ;-)

Bah! :)

well it's a big number either way you look at it :)  (I always get
confused :) )

-- 
-
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk/)

ICQ 3842605

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005




Re: shared secret length limitation

2004-05-13 Thread Alexander M. Pravking
On Thu, May 13, 2004 at 11:25:34AM +0100, Graeme Hinchliffe wrote:
> Well assuming JUST the alphabet was used in the same case thats:
> 
> 16^26 = 20282409603651670423947251286016  possible combinations

Sorry for pedantry, not 16^26 but 26^16 = 4.36087428994289e+22
;-)

That is, assuming N is a desired number of combinations, A is an
alphabet capacity (26 here), ln() is natural logarithm, we got
(nearly) enough shared secret length L:

L = ln(N) / ln(A).

-- 
Fduch M. Pravking

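The formula above, carried through as an added worked example (this is editor-supplied Python, not code from the thread or from FreeRADIUS). It computes both 26^16 and the mistaken 16^26, reports the bits of entropy a 16- or 32-character secret gives for several alphabets, and solves L = ln(N)/ln(A) for the length a target entropy needs. The "config-safe" alphabet and the 1..32 length check are assumptions built on the limit quoted in this thread, not a FreeRADIUS specification.

```python
"""Shared-secret search-space arithmetic (added example, not from the
thread).  Carries L = ln(N) / ln(A) through for several alphabets,
corrects the 16^26 vs 26^16 slip, and generates a secret that fits the
32-character limit quoted in this thread.  The secret only ever enters
the protocol as MD5 input, so an attacker holding one captured exchange
can test guesses offline; the bit counts below are what bound that."""
import math
import secrets
import string

# Characters assumed safe to paste unquoted into a clients.conf 'secret ='
# line: no quotes, backslash, whitespace, '#' (comment) or '$', '%', '{',
# '}' (config and run-time expansion).  Assumption, not a FreeRADIUS rule.
CONFIG_SAFE = string.ascii_letters + string.digits + "!&*+-./:;<=>?@[]^_|~"

ALPHABETS = {
    "lowercase": 26,
    "alphanumeric": 62,
    "printable ASCII": 94,
    "config-safe": len(CONFIG_SAFE),
}


def combinations(alphabet_size: int, length: int) -> int:
    """N = A^L: number of distinct secrets of a given length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2(N) for a uniformly random secret of that length."""
    return length * math.log2(alphabet_size)


def length_for(target_bits: float, alphabet_size: int) -> int:
    """L = ln(N) / ln(A) with N = 2^target_bits, rounded up to whole chars."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def make_secret(length: int = 32, alphabet: str = CONFIG_SAFE) -> str:
    """Uniformly random secret from the OS CSPRNG, within the quoted limit."""
    if not 1 <= length <= 32:
        raise ValueError("the server discussed here accepts 1..32 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report(lengths=(16, 32)) -> dict:
    """{(alphabet name, length): bits} for the lengths discussed."""
    return {(name, n): round(entropy_bits(size, n), 1)
            for name, size in ALPHABETS.items() for n in lengths}


if __name__ == "__main__":
    print("26^16 =", combinations(26, 16))
    print("16^26 =", combinations(16, 26))
    for (name, n), bits in report().items():
        print(f"{name:16s} {n:2d} chars -> {bits:6.1f} bits")
    print("example secret:", make_secret())
```

Sixteen lowercase letters come to about 75 bits; thirty-two config-safe characters to over 200. In practice the length matters less than the way the secret is handled: one secret shared across every NAS, or a secret that appears in a dictionary, is what an offline attack actually exploits.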


Re: Accounting in freeradius - logging callback string

2004-05-13 Thread Alan DeKok
Robert Szelepcsenyi <[EMAIL PROTECTED]> wrote:
> However, I do not know, whether this attribute can appear in an
> accounting packet. Moreover, there is no such item in the mySQL
> schema. Is it possible to extend the schema to comprise new
> attributes?

  Yes.  Edit it.

  You probably want the Called-Station-Id attribute instead of Callback-Number.

  Alan DeKok.



Re: [PATCH] Using the Experimental EAP-Type under FreeRADIUS

2004-05-13 Thread Aurelien Magniez
Hi Alan,

>   Your patch is nice, but it still doesn't let us
> use EAP-Type of 255,
> unless you add more code supporting it.
> 
>   Until there's code to use the experimental
> EAP-Type, there isn't any
> reason to add this patch.
> 
>   Alan DeKok.
> 

I just forgot to specify that this patch should be
useful only for developers who would try and/or
develop an experimental EAP method, e.g. a new module,
under FreeRADIUS.

Sorry for this misunderstanding ;-)

Aurelien









Re: Redback missing Dictionary attributes

2004-05-13 Thread Graeme Hinchliffe
On Thu, 13 May 2004 07:03:30 -0400
"Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
> > There are 2 missing attributes in the redback dictionary.  These
> > attributes relate to using RADIUS for console login authentication. 
> > What is the procedure for getting them added to future releases of
> > FreeRADIUS?  Should I just mail them here? or upload a diff?
> 
>   Mail them to the list.  For 2, a diff is almost too much bother.

Thats what I thought :)

OK here they are:

ATTRIBUTE  TTY-Level-Max  72  integer  Redback 
ATTRIBUTE  TTY-Level-Start  73  integer  Redback

thanks

-- 
-
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk/)

ICQ 3842605

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005




Re: Accounting in freeradius - logging callback string

2004-05-13 Thread Robert Szelepcsenyi
This gives me some chance. I have no idea which attribute number I should look for. The 
only candidate is:

ATTRIBUTE   Callback-Number 19  string

However, I do not know whether this attribute can appear in an accounting packet. 
Moreover, there is no such item in the MySQL schema. Is it possible to extend the 
schema to comprise new attributes?

Robert Szelepcsenyi



On Thu, May 13, 2004 at 05:04:38AM -0400, Alan DeKok wrote:
> Robert Szelepcsenyi <[EMAIL PROTECTED]> wrote:
> > Most of these users are from other subsidiaries. We need to calculate
> > the corresponding phone costs in order to charge them
> > appropriately. For this purpose I need to log the callback dialup
> > string (the phone number called).
> 
>   If the NAS sends it, FreeRADIUS will log it.
> 
> > However, in radius I do not see anything like callback-dialstring. I
> > thought that "Called-Station-Id" was the attribute, but this attribute
> > is empty. When I tried to log radius packets exchanged between the
> > dialup server and the radius server, I did not see this information.
> > 
> > So, the question is: How can I log callback dialstring in radius?
> 
>   If the NAS doesn't send it, there's nothing you can do to the RADIUS
> server to make it log the data.
> 
>   You may want to see 'tacp2rad' (I think).  It converts tacacs+
> accounting to RADIUS packets.
> 
>   Alan DeKok.



Re: Redback missing Dictionary attributes

2004-05-13 Thread Alan DeKok
Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
>   There are 2 missing attributes in the redback dictionary.  These
> attributes relate to using RADIUS for console login authentication. 
> What is the procedure for getting them added to future releases of
> FreeRADIUS?  Should I just mail them here? or upload a diff?

  Mail them to the list.  For 2, a diff is almost too much bother.

  Alan DeKok.



Re: access for eap/tls

2004-05-13 Thread Alan DeKok
Artur Hecker <[EMAIL PROTECTED]> wrote:
> if i understand you correctly, you describe a case where the CA-root 
> certificate and the server certificates are one and the same, don't you?

  No, but where the client certificates are signed by the server
certificate.

  In that case, the server (through the certificate) has already said
that the user is ok (by signing the user's certificate.)  Since that's
done, there's not much point in checking a database, to see if the
server knows about the user.

  Alan DeKok.



Redback missing Dictionary attributes

2004-05-13 Thread Graeme Hinchliffe
Hiya
There are 2 missing attributes in the redback dictionary.  These
attributes relate to using RADIUS for console login authentication. 
What is the procedure for getting them added to future releases of
FreeRADIUS?  Should I just mail them here? or upload a diff?

-- 
-
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk/)

ICQ 3842605

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005





Re: shared secret length limitation

2004-05-13 Thread Graeme Hinchliffe
> Is 16 bytes enough to protect the server from brute
> force attack ?

Well assuming JUST the alphabet was used in the same case thats:

16^26 = 20282409603651670423947251286016  possible combinations

take a while to search that space.. and the limit is 32, Alan said 16 is
common.

I think we are safe for a while :)


-- 
-
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk/)

ICQ 3842605

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005




Re: access for eap/tls

2004-05-13 Thread Artur Hecker
hi alan


>   EAP-TLS.  If the certificate supplied by the user is signed by the
> certificate FreeRADIUS is using, then it assumes that the user is OK.
if i understand you correctly, you describe a case where the CA-root 
certificate and the server certificates are one and the same, don't you?

why not but what is it exactly good for?



ciao
artur
--
Artur Hecker
artur[at]hecker.info


Re: shared secret length limitation

2004-05-13 Thread Lara Adianto
> Lara Adianto <[EMAIL PROTECTED]> wrote:
>> What is the common practice used by radius servers
>> and clients ?

>  Not too short, not too long.  16 is a very common
> length.

>> But Freeradius limits the shared-secret to 32. What
>> is the rationale behind this ?

>  Any longer than that, and it starts becoming
> unmanageable.

What does 'unmanageable' mean here ? Would you care to
elaborate further ?

Is 16 bytes enough to protect the server from brute
force attack ?

thank you,
lara

=

"Life, you see, is never as good or as bad as one thinks."
- Guy de Maupassant -



Re: access for eap/tls

2004-05-13 Thread Alan DeKok
Artur Hecker <[EMAIL PROTECTED]> wrote:
> i have a silly question: which signed certificates? do you have more 
> info on this?

  EAP-TLS.  If the certificate supplied by the user is signed by the
certificate FreeRADIUS is using, then it assumes that the user is OK.

  Alan DeKok.




Re: ldap!

2004-05-13 Thread Kostas Kalevras
On Thu, 13 May 2004, iceman09 iceman wrote:

> everybody:
>hi!
>i got a problem. i want to use ldap to charge for database. The ldap is oracle
> internet directory. can i use the scheme which the freeradius gives?

Yes

>And i don't quite understand the \freeradius-0.9.3\raddb\radiusd.conf file.
> Especially the ldap configure section. My questions about it are as follows:
>   server = "ldap.your.domain"  /* it is my oracle internet directory address */
>   # identity = "cn=admin,o=My Org,c=UA" /* what is this ? Is it my username to 
> login  oracle internet directory
> ?*/
>   # password = mypass /* Is this my password to login oracle internet directory 
> ? */
>
>   basedn = "o=My Org,c=UA" /* what is basedn ? */
>
>   filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" /* what is the filter 
> ?for  what ? */
># profile_attribute = "radiusProfileDn"/* what is this used for ?? i don't really 
> get it !!!*/
>
>   # password_header = "{clear}"
>   # password_attribute = userPassword /* what is this password used for ?? */
>
>   # access_attr_used_for_allow = yes /* If i set this yes ,the radius will compare 
> all attributes in the ldap.attrmap
> file ? */

Please read doc/rlm_ldap,doc/ldap_howto.txt
In any case if you are going to use ldap you are supposed to know what basedn or
filter mean

>
>I really want to know the answers, please help me!!
>
>   Thanks a lot!!
>
>  your honest iceman

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: access for eap/tls

2004-05-13 Thread Artur Hecker
hi Alan


>   Yes.  The "users" file is just one form of controlling user access.
> You can store users in SQL, LDAP, or in signed certificates.
i have a silly question: which signed certificates? do you have more 
info on this?

ciao
artur
--
Artur Hecker
artur[at]hecker.info


Re: access for eap/tls

2004-05-13 Thread Artur Hecker
hi

BLANCA FERRERO RODRIGUEZ wrote:

> is there any way that I can control this
> access of users with the users file although they have a correct
> cert?
>
> sorry to insist but could you tell me how to do this exactly?
you should add a default behaviour which is reject, i.e. a DEFAULT entry 
with Auth-Type = Reject, and see the Fall-Through variable for its 
proper usage.

logically, you will have to explicitly add _every_ user which is 
"known". now, for every pre-configured user, you can reject his access 
equally by adding an Auth-Type = Reject to his entry.

there are examples in the 'users' file.

attention though: the denial of users will be solely based on the 
User-Name content. strictly speaking, this is *not* what is certified in 
the certificate, it is merely data copied from the EAP-Identity field by 
the NAS. thus, if your wireless client decides to write the name of an 
authorized user into the EAP-Identity Response, he will be granted access 
to the system.

to my knowledge, patches are needed to stop this (something has to check 
whether the User-Name equals something (CN?) in the certificate).

ciao
artur
--
Artur Hecker
artur[at]hecker.info
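Artur's users-file advice and the User-Name caveat, modelled as an added example (editor-supplied Python, not FreeRADIUS code). The users file text is constructed for the example; the attribute name TLS-Client-Cert-Common-Name, standing in for the CN the TLS layer verified, is assumed for illustration only, since the server discussed here exposes no such attribute, which is exactly Artur's point.

```python
"""Toy evaluator for FreeRADIUS 'users'-file semantics (added example,
not FreeRADIUS code).  Models first-match processing, DEFAULT entries
and Fall-Through, then shows the gap described above: an entry is chosen
by User-Name, which the NAS copied from the EAP-Identity the client
chose, not from the name the certificate certifies."""
import re

# Constructed sample file (not from the thread).  A name line carries
# optional comma-separated check items; indented lines carry reply items.
USERS_FILE = """\
DEFAULT
        Session-Timeout = 3600,
        Fall-Through = Yes

alice
        Reply-Message = "welcome alice"

bob     Auth-Type := Reject
        Reply-Message = "bob is suspended"

DEFAULT Auth-Type := Reject
        Reply-Message = "unknown user"
"""

# Attr, operator, value; values are double-quoted or bare (no comma).
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=)\s*("[^"]*"|[^,\s]+)')

# Assumed name for the CN verified by the TLS handshake.  The 2004 server
# has no such attribute; that absence is the hole Artur points at.
CERT_CN_ATTR = "TLS-Client-Cert-Common-Name"


def parse_items(text):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Return [name, check_items, reply_items] entries in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                      # continuation: reply items
            entries[-1][2].extend(parse_items(line))
        else:                                      # new entry: name + checks
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append([parts[0], parse_items(rest), []])
    return entries


def evaluate(entries, request):
    """First-match evaluation; returns (control_items, reply_items)."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        pending, matched = {}, True
        for attr, op, value in checks:
            if op == ":=":                         # control item: set, not compared
                pending[attr] = value
            elif op == "==" and request.get(attr) != value:
                matched = False
            elif op == "!=" and request.get(attr) == value:
                matched = False
        if not matched:
            continue
        control.update(pending)
        reply.update({a: v for a, _, v in replies})
        if reply.pop("Fall-Through", "no").lower() not in ("yes", "1"):
            break                                  # no Fall-Through: stop here
    return control, reply


def decide(entries, request, require_cn_match=False):
    """'accept' or 'reject' for an EAP-TLS request whose certificate chain
    already validated.  With require_cn_match the claimed User-Name must
    equal the certified CN, which closes the identity-spoofing gap."""
    control, _ = evaluate(entries, request)
    if control.get("Auth-Type") == "Reject":
        return "reject"
    if require_cn_match and request.get("User-Name") != request.get(CERT_CN_ATTR):
        return "reject"
    return "accept"


ENTRIES = parse_users(USERS_FILE)

if __name__ == "__main__":
    for user, cn in [("alice", "alice"), ("bob", "bob"),
                     ("mallory", "mallory"), ("alice", "mallory")]:
        req = {"User-Name": user, CERT_CN_ATTR: cn}
        print(f"{user:8s} cert CN {cn:8s} -> {decide(ENTRIES, req)}"
              f" / with CN check: {decide(ENTRIES, req, True)}")
```

The last case is the one Artur warns about: a client holding a valid certificate for "mallory" but sending "alice" as its EAP-Identity matches alice's entry and is accepted by name-only policy; only the comparison against the certified CN rejects it.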


Re: Accounting in freeradius - logging callback string

2004-05-13 Thread Alan DeKok
Robert Szelepcsenyi <[EMAIL PROTECTED]> wrote:
> Most of these users are from other subsidiares. We need to calculate
> the corresponding phone costs in order to charge them
> appropriately. For this purpose I need to log the callback dialup
> string (the phone number called).

  If the NAS sends it, FreeRADIUS will log it.

> However, in radius I do not see anything like callback-dialstring. I
> thought that "Called-Station-Id" was the attribute, but this atribute
> is empty. When I tried to log radius packets exchanged between the
> dialup server and the radius server, I did not see this information.
> 
> So, the question is: How can I log callback dialstring in radius?

  If the NAS doesn't send it, there's nothing you can do to the RADIUS
server to make it log the data.

  You may want to see 'tacp2rad' (I think).  It converts tacacs+
accounting to RADIUS packets.

  Alan DeKok.




Re: PEAP failure

2004-05-13 Thread Artur Hecker
hi

do you have files in your authorization section of radiusd.conf? the 
lines by themselves look correct to me but the debug log says clearly that 
something is wrong since mschap can't find the password.

ciao
artur


Manuel Sánchez Cuenca wrote:

> Alan DeKok wrote:
>
>> Manuel Sánchez Cuenca <[EMAIL PROTECTED]> wrote:
>>
>>>  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>>>  rlm_mschap: doing MS-CHAPv2 for lolo with NT-Password
>>>  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>>
>>  PEAP (and mschap) needs access to a "good" clear-text password, or
>> an nt-password to compare against the request.
>
> I have this in my users configuration file:
>
> lolo   User-Password == "entrar"
>        Reply-Message = "Hola, lolo"
>
> Is this correct?
>
>>  If the server doesn't have a password for the user, then it can't
>> check the password the user supplied.
>>
>>  Alan DeKok.

--
Artur Hecker
artur[at]hecker.info


Re: access for eap/tls

2004-05-13 Thread BLANCA FERRERO RODRIGUEZ
> > is there any way that I can control this
> > access of users with the users file although they have a correct
> > cert?
> 
>  Yes.  Tell the server to reject the user.

sotty to insist but could you tell me how to do this exactly?

bfr




Accounting in freeradius - logging callback string

2004-05-13 Thread Robert Szelepcsenyi
Hi,


We are running a Cisco dial-up server. Users have either static or dynamic passwords. 
Upon login users with dynamic passwords are allowed to enter a callback number, or to 
cancel the callback completely and establish a session without any callback.

Most of these users are from other subsidiaries. We need to calculate the corresponding 
phone costs in order to charge them appropriately. For this purpose I need to log the 
callback dialup string (the phone number called).

In tacacs this is not a problem. I get log entries like this:

Wed Feb 12 21:24:59 2003dialup.swh.sk   hanus   Async34 async   stop
task_id=16258   timezone=UTCservice=ppp disc-cause=1 disc-cause-ext=1045   
  service=ppp callback-dialstring=0,63833910  pre-bytes-in=75 pre-bytes-out=92 
   pre-paks-in=3   pre-paks-out=4  bytes_in=26 bytes_out=74paks_in=3   
paks_out=7  pre-session-time=5  elapsed_time=10 nas-rx-speed=0  nas-tx-speed=0

However, in radius I do not see anything like callback-dialstring. I thought that 
"Called-Station-Id" was the attribute, but this atribute is empty. When I tried to log 
radius packets exchanged between the dialup server and the radius server, I did not 
see this information.

So, the question is: How can I log callback dialstring in radius?


Robert Szelepcsenyi




Re: PEAP failure

2004-05-13 Thread Alan DeKok
Manuel Sánchez Cuenca <[EMAIL PROTECTED]> wrote:
> I have this in my users configuratin file:
> 
> lolo   User-Password == "entrar"
>Reply-Message = "Hola, lolo"
> 
> Is this correct?

  Apparently not.  Read the debug log to see why.

  Alan DeKok.



Re: PEAP failure

2004-05-13 Thread Manuel Sánchez Cuenca
Alan DeKok wrote:

> Manuel Sánchez Cuenca <[EMAIL PROTECTED]> wrote:
>
>>  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>>  rlm_mschap: doing MS-CHAPv2 for lolo with NT-Password
>>  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>
>  PEAP (and mschap) needs access to a "good" clear-text password, or
> an nt-password to compare against the request.

I have this in my users configuration file:

lolo   User-Password == "entrar"
       Reply-Message = "Hola, lolo"

Is this correct?

>  If the server doesn't have a password for the user, then it can't
> check the password the user supplied.
>
>  Alan DeKok.


--
==
Manuel Sanchez Cuenca
Dept. Ingenieria de la Informacion y las Comunicaciones
Universidad de Murcia - Espana
Tlf: +34 968364311 - Fax: 968364151
email: [EMAIL PROTECTED]
www: http://skywalker.dif.um.es/~lolo




Re: shared secret length limitation

2004-05-13 Thread Alan DeKok
Lara Adianto <[EMAIL PROTECTED]> wrote:
> What is the common practice used by radius servers and
> clients ?

  Not too short, not too long.  16 is a very common length.

> But Freeradius limits the shared-secret to 32. What is
> the rational behind this ?

  Any longer than that, and it starts becoming unmanageable.

  Alan DeKok.



Re: access for eap/tls

2004-05-13 Thread Alan DeKok
BLANCA FERRERO RODRIGUEZ <[EMAIL PROTECTED]> wrote:
> so if a user with a correct certificate tries to authenticate
> against radius although it is not in the users file will it have
> access to teh network?

  That's what I said.

> is there any way that I can control this
> access of users with the users file although they have a correct
> cert?

  Yes.  Tell the server to reject the user.

  Alan DeKok.



realm question

2004-05-13 Thread jesk
hi again,

i got a username with realms like this:   realm1/foobar%realm2
is there a way to use realm2 as proxy realm local and get
realm1 stripped away?
i dont want realm1 for authorizing, authentication and accounting.

thanks in advance,
christian






Re: access for eap/tls

2004-05-13 Thread BLANCA FERRERO RODRIGUEZ
so if a user with a correct certificate tries to authenticate against radius although 
it is not in the users file will it have access to the network? is there any way that 
I can control this access of users with the users file although they have a correct 
cert?
thanks

bfr

- Original Message -
From: Alan DeKok <[EMAIL PROTECTED]>
Date: Wednesday, May 12, 2004 10:34 am
Subject: Re: access for eap/tls

> BLANCA FERRERO RODRIGUEZ <[EMAIL PROTECTED]> wrote:
> > I'm tryng authentication with eap/tls. It works propertly but my
> > doubt is: if I try to connect with a user called 'proof' for example
> > and it is not included in my users file, should it be allowed to
> > connect to the network despite having a correct certificate? 
> 
>  Yes.  The "users" file is just one form of controlling user access.
> You can store users in SQL, LDAP, or in signed certificates.
> 
>  Alan DeKok.




shared secret length limitation

2004-05-13 Thread Lara Adianto
Hello,

Is there any limitation on the max length of the
shared secret ?
I can't find any information from RFC2865. It is only
stated that the shared secret MUST not be empty
(length 0) to prevent packets from being forged
easily, but it is not stated what the max length is.
What is the common practice used by radius servers and
clients ?
Some implementations limit the shared secret to be
between 1 - 128 characters.
But Freeradius limits the shared-secret to 32. What is
the rationale behind this ?

regards,
lara

=

"Life, you see, is never as good or as bad as one thinks."
- Guy de Maupassant -
