Re: Problem with sending challenge response
SANDEEP KHANNA [EMAIL PROTECTED] wrote:
> Now I want to know how this fresh request will be sent. If I send it the same way, the server takes it as a normal password and sends me a challenge again.

Please read the RADIUS RFCs. Specifically, the use of the State attribute.

http://www.freeradius.org/rfc/attributes.html

You need to include the State in the response to the challenge.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with dhcp
ro0ot [EMAIL PROTECTED] wrote:
> Can I configure the system to let freeradius work with dhcp?

No, sorry.

Alan DeKok.
Re: Freeradius Segmentation Fault on LDAP Bind
Paul Bender [EMAIL PROTECTED] wrote:
> However, I use OpenLDAP as a central store for account information for all other services (unix, samba, email, etc). Therefore, I would like freeradius to get account information from the LDAP server as well. However, when I configure freeradius to use the LDAP server, the freeradius server segfaults when rlm_ldap attempts to bind to my LDAP server.

Don't use TLS to connect to the LDAP server. For some reason, PEAP and LDAP+TLS don't like each other. The reason is buried inside of the OpenSSL code, which is a bit of a problem to debug.

Alan DeKok.
Re: missing radius.log file
On Fri, 14 May 2004 13:38:01 -0600 Evan Stenmark [EMAIL PROTECTED] wrote:
> yes, I did a locate radius.log (with a current locate database) as well as a root directory find, but nothing comes up

This is very strange; you have to enable it in the configuration file for FreeRADIUS.

Graeme

> -- Original Message --
> From: Anson Rinesmith [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date: Fri, 14 May 2004 12:47:37 -0500
>
> I have two radius servers, one stores them in /usr/local/var/log and the other in /var/log. Just depends on what version of FR you are using and/or how you set it up in radiusd.conf. Try doing a find / -name radius.log, that should help you find your log file.
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:freeradius-[EMAIL PROTECTED] On Behalf Of stenmark
> > Sent: Friday, May 14, 2004 1:38 PM
> > To: [EMAIL PROTECTED]
> > Subject: missing radius.log file
> >
> > (This should be pretty simple.) I can not find a radius.log file. Is there a setting (maybe in the radiusd.conf) that I missed? What I can find are these log files:
> >
> >   /usr/local/var/log/radius/radacct/[IP-ADDRESS]/detail-[DATE]
> >
> > for example:
> >
> >   /usr/local/var/log/radius/radacct/127.0.0.1/detail-20040513
> >
> > Are these log files the same as the radius.log except broken up into dates?
> >
> > Thanks,
> > Evan Stenmark

-- 
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk/)
ICQ 3842605
Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
Access to multiple subdomains via radius apache module
Hi,

I need to provide access to several web sites on our Intranet to traveling users on the Internet. I have set up a reverse proxy (Apache) and I use the radius module to authenticate users coming from the Internet. The radius module is great, because upon successful authentication it puts a cookie into the browser, so it also works with dynamic passwords, as the radius server is not consulted again.

My problem is that I have several web sites in the same domain, and the user should be able to move back and forth among these servers without being required to reauthenticate. To this end I need to set the domain of the cookie generated by the radius module to the top level domain of our company, so that it is sent by the browser to all the websites.

Can I do it with the radius module as it is, or do I have to hack it somehow?

Robert Szelepcsenyi
Re: freeradius with dhcp
Why not? My university implements something that looks like that. A laptop first gets a DHCP lease, and can address a single IP which is presumably the address of the server. Then I fire up the Cisco VPN client that authenticates via an encryption algorithm, and then the laptop can access the internet. What kind of a server do you think my university is using?

Alan DeKok wrote:
> ro0ot [EMAIL PROTECTED] wrote:
> > Can I configure the system to let freeradius work with dhcp?
>
> No, sorry.
>
> Alan DeKok.
Re: freeradius with dhcp
M Singh [EMAIL PROTECTED] wrote:
> Why not?

Because freeradius working with dhcp means freeradius knows about dhcp.

> My university implements something that looks like that. A laptop first gets a DHCP lease, and can address a single IP which is presumably the address of the server. Then I fire up the Cisco VPN client that authenticates via an encryption algorithm, and then the laptop can access the internet.

In that case, the dhcp server and FreeRADIUS don't talk to each other, and don't know that the other one exists.

> What kind of a server do you think my university is using?

Two independent servers, which don't communicate.

The original poster was asking about making FreeRADIUS talk to a DHCP server, in order to allocate IP addresses it would give out in RADIUS packets.

Alan DeKok.
wireless card 802.1x-capable well supported under Linux?
Hi list,

I'm trying to set up a wireless network based on radius authentication for my enterprise. I've successfully tested freeradius with a Windows XP client; now I'd like to test it with a Linux client. Could you suggest an 802.1x-capable wireless card with *stable* drivers under Linux?

Thank you for your help,
Giuliano
Moving away from Safeword
Due to the licensing policy of Secure Computing, which forced me to upgrade to deploy a separate machine running just their AAA server, I have decided to move away from their product Safeword Premier Access. I am looking for some replacement for their system of dynamic passwords and tokens. Freeradius supports several systems of dynamic passwords. An ideal solution would be to have some sort of a software token that I could install into a mobile phone or a PDA. Is there such an option with freeradius?

Any suggestions are very welcome,

Robert Szelepcsenyi
Re: Problem with sending challenge response
Sir, thanks very much for your response, but I have already read the RFC before sending my question. Could you please tell me the exact syntax for sending a request with the State attribute? I am using

  radtest username password server ip:port NAS port shared secret key

to send the original request.

thanks

--- Alan DeKok [EMAIL PROTECTED] wrote:
> SANDEEP KHANNA [EMAIL PROTECTED] wrote:
> > Now I want to know how this fresh request will be sent. If I send it the same way, the server takes it as a normal password and sends me a challenge again.
>
> Please read the RADIUS RFCs. Specifically, the use of the State attribute.
>
> http://www.freeradius.org/rfc/attributes.html
>
> You need to include the State in the response to the challenge.
>
> Alan DeKok.
Re: Problem with sending challenge response
SANDEEP KHANNA [EMAIL PROTECTED] wrote:
> Could you please tell me the exact syntax for sending a request with the State attribute? I am using radtest

Don't use radtest. Use radclient.

READ radtest. It's just a shell script.

Alan DeKok.
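The exchange this thread is circling around, as an added example that is not part of any post and not FreeRADIUS code: a Python model of RFC 2865 packets in which the client answers an Access-Challenge by copying the server's State attribute, unmodified, into a fresh Access-Request whose User-Password carries the token response. The shared secret, user name, token response and challenge contents are constructed for the demonstration; the example also checks the challenge's Response Authenticator, which the thread does not discuss.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                 # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types

def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RFC 2865 type/length/value triples."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out

def decode_attrs(data):
    """Inverse of encode_attrs; rejects truncated or zero-length TLVs."""
    attrs = []
    while data:
        typ, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((typ, data[2:length]))
        data = data[length:]
    return attrs

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    the first 'previous block' being the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    """Server-side inverse of hide_password (used here to check the round trip)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, identifier, authenticator, attrs); Length must match the datagram."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length field")
    return code, ident, data[4:20], decode_attrs(data[20:])

def response_authenticator(secret, code, ident, request_auth, attrs):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def access_request(secret, ident, username, password, state=None):
    """Build an Access-Request with a fresh random Request Authenticator. The State
    value, when given, is copied in exactly as the server sent it (RFC 2865 5.24)."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(secret, auth, password))]
    if state is not None:
        attrs.append((STATE, state))
    return build_packet(ACCESS_REQUEST, ident, auth, attrs), auth

def answer_challenge(secret, challenge, request_auth, username, token_response):
    """Client side of the second leg: check the Access-Challenge against the Request
    Authenticator of our first request, then send a new Access-Request that carries
    the server's State plus the user's token response as User-Password."""
    code, ident, resp_auth, attrs = parse_packet(challenge)
    if code != ACCESS_CHALLENGE:
        raise ValueError("expected Access-Challenge, got code %d" % code)
    if resp_auth != response_authenticator(secret, code, ident, request_auth, attrs):
        raise ValueError("Response Authenticator mismatch (wrong secret or forged reply)")
    states = [val for typ, val in attrs if typ == STATE]
    if len(states) != 1:
        raise ValueError("Access-Challenge must carry exactly one State attribute")
    return access_request(secret, (ident + 1) & 0xFF, username, token_response, states[0])

def make_challenge(secret, request_auth, ident, prompt, state):
    """Server side, constructed for the demo: Access-Challenge with a prompt and State."""
    attrs = [(REPLY_MESSAGE, prompt), (STATE, state)]
    auth = response_authenticator(secret, ACCESS_CHALLENGE, ident, request_auth, attrs)
    return build_packet(ACCESS_CHALLENGE, ident, auth, attrs)

if __name__ == "__main__":
    secret = b"testing123"                            # constructed shared secret
    first, auth1 = access_request(secret, 7, b"bob", b"pin1234")
    challenge = make_challenge(secret, auth1, 7, b"Enter token code", os.urandom(8))
    second, _auth2 = answer_challenge(secret, challenge, auth1, b"bob", b"482910")
    print([typ for typ, _ in parse_packet(second)[3]])  # [1, 2, 24]: User-Name, User-Password, State
```

Sending the second request without the State, as radtest does, is exactly the case in the thread: the server sees an ordinary Access-Request and starts over with a new challenge.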
Reg configuring challenge response
Hi,

How do I configure the free RADIUS server to send a Challenge response to an access request? In other words, what are the configurations to be done on the free RADIUS server such that it sends a challenge response to an access request? By default, will the free RADIUS server send a challenge response, or do any special configurations need to be done for the same?

Regards,
Barath Kumar.
Re: Moving away from Safeword
Robert Szelepcsenyi [EMAIL PROTECTED] wrote:
> Due to the licensing policy of Secure Computing, which forced me to upgrade to deploy a separate machine running just their AAA server, I have decided to move away from their product Safeword Premier Access. I am looking for some replacement for their system of dynamic passwords and tokens. Freeradius supports several systems of dynamic passwords. An ideal solution would be to have some sort of a software token that I could install into a mobile phone or a PDA. Is there such an option with freeradius?

It's more of a client side issue than a server side. FreeRADIUS does include an X9.9 module, which will do DES-based challenge/response. It's been tested to work with CRYPTOCard's tokens, which include a software-based token. See http://www.cryptocard.com for details.

Alan DeKok.
Re: Reg configuring challenge response
Barath kumar [EMAIL PROTECTED] wrote:
> How do I configure the free RADIUS server to send a Challenge response to an access request? In other words, what are the configurations to be done on the free RADIUS server such that it sends a challenge response to an access request? By default, will the free RADIUS server send a challenge response, or do any special configurations need to be done for the same?

The server will send a challenge when the protocol demands it, e.g. EAP.

If you don't know what the challenge will be, or why the server should send a challenge, you probably don't want challenge-response.

Alan DeKok.
Re: Moving away from Safeword
Hi,

Sorry, I was not precise enough in my query. I am looking for a system of *synchronous* dynamic passwords, which use tokens with an internal counter without any challenge. The password has to be entered before a call is made (either VPN or dialup), so there is no opportunity to receive a challenge and act upon it. Moreover, X9.9 is insecure.

I did some research some time ago, and if I remember correctly, freeradius supports at least one such system.

Robert Szelepcsenyi

On Mon, May 17, 2004 at 05:44:05AM -0400, Alan DeKok wrote:
> Robert Szelepcsenyi [EMAIL PROTECTED] wrote:
> > Due to the licensing policy of Secure Computing, which forced me to upgrade to deploy a separate machine running just their AAA server, I have decided to move away from their product Safeword Premier Access. I am looking for some replacement for their system of dynamic passwords and tokens. Freeradius supports several systems of dynamic passwords. An ideal solution would be to have some sort of a software token that I could install into a mobile phone or a PDA. Is there such an option with freeradius?
>
> It's more of a client side issue than a server side. FreeRADIUS does include an X9.9 module, which will do DES-based challenge/response. It's been tested to work with CRYPTOCard's tokens, which include a software-based token. See http://www.cryptocard.com for details.
>
> Alan DeKok.
Re: freeradius with dhcp
Yep, that's what I mean... thanks Alan DeKok :) Probably I have to find another solution :-(

Regards,
ro0ot

Alan DeKok wrote:
> M Singh [EMAIL PROTECTED] wrote:
> > Why not?
>
> Because freeradius working with dhcp means freeradius knows about dhcp.
>
> > My university implements something that looks like that. A laptop first gets a DHCP lease, and can address a single IP which is presumably the address of the server. Then I fire up the Cisco VPN client that authenticates via an encryption algorithm, and then the laptop can access the internet.
>
> In that case, the dhcp server and FreeRADIUS don't talk to each other, and don't know that the other one exists.
>
> > What kind of a server do you think my university is using?
>
> Two independent servers, which don't communicate.
>
> The original poster was asking about making FreeRADIUS talk to a DHCP server, in order to allocate IP addresses it would give out in RADIUS packets.
>
> Alan DeKok.
Re: Moving away from Safeword
Robert Szelepcsenyi [EMAIL PROTECTED] wrote:
> Sorry, I was not precise enough in my query. I am looking for a system of *synchronous* dynamic passwords, which use tokens with an internal counter without any challenge. The password has to be entered before a call is made (either VPN or dialup), so there is no opportunity to receive a challenge and act upon it. Moreover, X9.9 is insecure.

X9.9 is insecure? How?

In any case, CRYPTOCard does offer a synchronous mode for their tokens.

As for any other synchronous token method, I'm not aware of it being implemented in the server.

Alan DeKok.
About Radius Attributes
Hello,

I need some information about the following 'Service-Type' attribute values:

- Outbound
- Administrative
- NAS Prompt
- Call Check
- Callback NAS Prompt

1. In which case will a radius client request the above service types, or which radius clients usually request the above Service-Type values?

2. What attributes are usually returned in the Access-Accept packet for the above service types?

For Service-Type PPP / SLIP requested, are there any MANDATORY attributes that need to be returned by the radius server in the Access-Accept packet (Framed-IP-Address, Framed-MTU, etc.)? If the Framed-IP-Address is not a mandatory attribute to be returned for Service-Type PPP, how will the NAS decide the IP address assigned to the user?

Thank you for any replies,
lara

=
"Life, you see, is never as good or as bad as one thinks." - Guy de Maupassant
Freeradius with MySQL and Exec-Program-Wait
Hi,

I'm in the process of setting up a new RADIUS server using Freeradius. I intend using MySQL for Authorisation and Accounting. As a result, I will not be making use of the users file (since MySQL is configured for use in radiusd.conf, thereby bypassing the use of the users file).

My problem is that I would like to make use of Exec-Program-Wait to execute a script in order to process some additional authentication parameters. Is there any way I can do this since I'm using MySQL for authorisation?

Thanks,
Joe
Re: Freeradius with MySQL and Exec-Program-Wait
On Mon, May 17, 2004 at 12:14:40PM +0200, Joe Borg wrote:
> I'm in the process of setting up a new RADIUS server using Freeradius. I intend using MySQL for Authorisation and Accounting. As a result, I will not be making use of the 'users' file (since MySQL is configured for use in radiusd.conf, thereby bypassing the use of the users file).
>
> My problem is that I would like to make use of Exec-Program-Wait to execute a script in order to process some additional authentication parameters. Is there any way I can do this since I'm using MySQL for authorisation?

You can use Exec-Program-Wait just like you would in a users file, as a reply attribute in MySQL.

Or consider its successor, rlm_exec.

-- 
Paul TBBle Hampson, on an alternate email client.
Re: About Radius Attributes
Lara Adianto [EMAIL PROTECTED] wrote:
> 1. In which case will a radius client request the above service types, or which radius clients usually request the above Service-Type values?

http://www.freeradius.org/rfc/attributes.html

Click on Service-Type, and it will tell you what those values mean, and when they're used.

> 2. What attributes are usually returned in the Access-Accept packet for the above service types?

It depends on your local configuration.

> For Service-Type PPP / SLIP requested, are there any MANDATORY attributes that need to be returned by the radius server in the Access-Accept packet (Framed-IP-Address, Framed-MTU, etc.)?

See the RFCs, and your NAS vendor documentation.

> If the Framed-IP-Address is not a mandatory attribute to be returned for Service-Type PPP, how will the NAS decide the IP address assigned to the user?

See the NAS documentation. It depends on the NAS.

Alan DeKok.
Re: pool with two ranges
Juan [EMAIL PROTECTED] wrote:
> I have freeradius with various pools, but now I need one pool to have two different ranges. Can I do it with freeradius?

Yes and no. Each pool can have only one range. But you can use two pools, and fail over to the second one if the first one is full.

Alan DeKok.
pool with two ranges
Hello,

I have freeradius with various pools, but now I need one pool to have two different ranges. Can I do it with freeradius?

  ippool main_pool {
      range-start = X.X.X.128
      range-stop = X.X.X.151
      netmask = 255.255.255.255
      cache-size = 23
      session-db = ${raddbdir}/db.main
      ip-index = ${raddbdir}/db.maindindex
      override = yes
  }

I need main_pool to have this range too:

  range-start = X.X.X.200
  range-stop = X.X.X.251

Thank you.
RE: Freeradius with MySQL and Exec-Program-Wait
Hi Paul,

Thanks for the tip. By any chance, would you be able to refer me to some documentation/information on how to go about doing this? I'm still somewhat green to MySQL.

Thanks.
Joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Hampson
Sent: 17 May 2004 12:36
To: [EMAIL PROTECTED]
Subject: Re: Freeradius with MySQL and Exec-Program-Wait

> On Mon, May 17, 2004 at 12:14:40PM +0200, Joe Borg wrote:
> > I'm in the process of setting up a new RADIUS server using Freeradius. I intend using MySQL for Authorisation and Accounting. As a result, I will not be making use of the 'users' file (since MySQL is configured for use in radiusd.conf, thereby bypassing the use of the users file).
> >
> > My problem is that I would like to make use of Exec-Program-Wait to execute a script in order to process some additional authentication parameters. Is there any way I can do this since I'm using MySQL for authorisation?
>
> You can use Exec-Program-Wait just like you would in a users file, as a reply attribute in MySQL.
>
> Or consider its successor, rlm_exec.
>
> -- 
> Paul TBBle Hampson, on an alternate email client.
Re: Freeradius with MySQL and Exec-Program-Wait
----- Original Message -----
> Hi,
>
> I'm in the process of setting up a new RADIUS server using Freeradius. I intend using MySQL for Authorisation and Accounting. As a result, I will not be making use of the users file (since MySQL is configured for use in radiusd.conf, thereby bypassing the use of the users file).
>
> My problem is that I would like to make use of Exec-Program-Wait to execute a script in order to process some additional authentication parameters. Is there any way I can do this since I'm using MySQL for authorisation?

YES
Re: pool with two ranges
> Hello,
>
> I have freeradius with various pools, but now I need one pool to have two different ranges. Can I do it with freeradius?

YES
sql_escape_func not reversible?
Hi,

I found that sql_escape_func in rlm_sql.c does not encode the '=' character. That makes it impossible later to decode the string correctly again. If you are looking at e.g. an encoded username "=3B", you don't know whether the unencoded original was ";" or "=3B". Would it be possible to change that in the next release?

While I am already at it, I am under the impression that this function only deals with US-ASCII characters correctly. Can anybody confirm that?

Fabian
Re: pool with two ranges (Alan DeKok)
Hello Alan DeKok,

but failover where? My users are defined like this:

  nameuser  User-Password == passowrd, Pool-Name := main_pool
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-Compression = 0,
            Port-Limit = 1,
            Idle-Timeout = 0,
            Session-Timeout = 0

  main_pool
      range-start = X.X.X.128
      range-stop = X.X.X.151

  second_pool
      range-start = X.X.X.200
      range-stop = X.X.X.251

I have tried failover in radius.conf:

  post-auth {
      redundant {
          main_pool
          second_pool
      }
  }

But I must be doing something bad.

Thank you
Re: Freeradius with MySQL and Exec-Program-Wait
On Mon, May 17, 2004 at 01:40:08PM +0200, Joe Borg wrote:
> Thanks for the tip. By any chance, would you be able to refer me to some documentation/information on how to go about doing this? I'm still somewhat green to MySQL.
>
> Thanks.

If you already understand how to use the users file, then the SQL stuff is similar. Put the check pairs in radcheck, reply pairs in radreply. The difference is there's no 'fallthrough' as such.

For groups stuff or more esoteric setups, have a look at the sql.conf file, and work out what the queries do.

As far as documentation, you'd have to google around for it, as I can't think of anywhere off hand. The obvious keywords freeradius, mysql and howto should do the trick.

As for rlm_exec, the documentation's all in radius.conf.

-- 
Paul TBBle Hampson, on an alternate email client.
Re: sql_escape_func not reversible?
On Mon, May 17, 2004 at 02:41:57PM +0300, Fabian Ritzmann wrote:
> I found that sql_escape_func in rlm_sql.c does not encode the '=' character. That makes it impossible later to decode the string correctly again. If you are looking at e.g. an encoded username =3B, you don't know whether the unencoded original was ; or =3B. Would it be possible to change that in the next release?

Indeed. Fixed in CVS. (rlm_sql 1.129, sql.conf 1.41). This is however the default; local configs that are using safe-characters will need fixing.

> While I am already at it, I am under the impression that this function only deals with US-ASCII characters correctly. Can anybody confirm that?

The data is treated as a stream of bytes, so it depends on what you mean by correctly. It should be possible to recover the original data, but as far as being an intelligible of non-ASCII data it's not spectacular. :-)

--
Paul TBBle Hampson, on an alternate email client.
Multiple Class attributes on Access-Accept
Hi,

Please, can you indicate to me how I can configure Freeradius to send more than one Class attribute on Access-Accept messages? Or simply if Freeradius supports such a configuration?

I am using the local users file authentication method. The following is an example of my users config file:

username    Auth-Type := Local, Password == pasword
            Class = 2,
            Class = 3,
            Class = 1,
            Reply-Message = "Bingo !!!",
            MS-primary-DNS-Server = 172.22.1.21,
            MS-secondary-DNS-Server = 172.22.1.31,
            Framed-IP-Address = 10.200.42.50

Actually, when I test using radclient, only the first Class attribute is used and sent back in the access-accept. This is confirmed with Ethereal.

It looks like RFC 2865 states that multiple Class attributes is a valid situation. However, I am not a Radius expert, so I don't know if this could be a valid configuration.

I am using Freeradius 0.9.2.

Thanks for your help,
Claude.

Claude LeFrançois
Global Services Delivery - LMC/YNA
Ericsson Canada Inc.
Phone: +1 (514) 345-7900 x7579
Mobile: +1 (514) 823-3895
Pager: +1 (514) 330-8661
Fax: +1 (514) 345-6110
Mailto:[EMAIL PROTECTED]
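On the wire, RFC 2865 does allow an Access-Accept to carry several Class attributes: each is its own Type/Length/Value triple and the NAS must echo every one, in the order received, in its Accounting-Requests. The following Python is an added example (not FreeRADIUS code) that encodes the reply items from the users entry above as RADIUS attributes and decodes them again, so the three Class values can be seen surviving as three separate TLVs; the sample reply list is constructed from the post's values. A note on the users file itself, independent of the wire format: on a reply item the `=` operator adds the attribute only if the reply list does not already carry one of that type, so the second and third `Class = ...` lines are skipped, while `+=` appends unconditionally.

```python
import struct

# RFC 2865 attribute type codes used below
FRAMED_IP_ADDRESS = 8
REPLY_MESSAGE = 18
CLASS = 25


def encode_attr(attr_type, value):
    """One RFC 2865 attribute: Type (1 byte), Length (1 byte, covering the
    two header bytes), Value (1..253 bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + bytes(value)


def encode_attrs(pairs):
    """Concatenate attributes in the order given; RFC 2865 requires that
    order to be preserved for repeated attributes of the same type."""
    return b"".join(encode_attr(t, v) for t, v in pairs)


def decode_attrs(data):
    """Walk the attribute list. A length under 2 or one that runs past the
    buffer is rejected rather than guessed at."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        attrs.append((attr_type, bytes(data[pos + 2:pos + length])))
        pos += length
    return attrs


def is_well_formed(data):
    """True when the whole buffer parses as a clean attribute list."""
    try:
        decode_attrs(data)
        return True
    except ValueError:
        return False


def class_values(attrs):
    """All Class values in wire order. The NAS treats each as opaque and
    must send every one back in its Accounting-Requests (RFC 2865 5.25)."""
    return [value for attr_type, value in attrs if attr_type == CLASS]


# Constructed reply list carrying the three Class values from the users
# entry above, plus two of its other reply items.
SAMPLE_REPLY = [
    (CLASS, b"2"),
    (CLASS, b"3"),
    (CLASS, b"1"),
    (REPLY_MESSAGE, b"Bingo !!!"),
    (FRAMED_IP_ADDRESS, bytes([10, 200, 42, 50])),
]


def roundtrip(pairs=SAMPLE_REPLY):
    """Encode and decode again; the Class attributes come back as three
    separate entries instead of collapsing into one."""
    return decode_attrs(encode_attrs(pairs))


if __name__ == "__main__":
    print(encode_attrs(SAMPLE_REPLY).hex())
    print(class_values(roundtrip()))
```

The decoder's length checks are the part worth keeping in any RADIUS-handling code: an attribute header that claims more bytes than remain must be refused, never silently shortened.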
Re: sql_escape_func not reversible?
Paul Hampson wrote:
> On Mon, May 17, 2004 at 02:41:57PM +0300, Fabian Ritzmann wrote:
> > I found that sql_escape_func in rlm_sql.c does not encode the '=' character. That makes it impossible later to decode the string correctly again. If you are looking at e.g. an encoded username =3B, you don't know whether the unencoded original was ; or =3B. Would it be possible to change that in the next release?
>
> Indeed. Fixed in CVS. (rlm_sql 1.129, sql.conf 1.41). This is however the default; local configs that are using safe-characters will need fixing.

Thanks.

> > While I am already at it, I am under the impression that this function only deals with US-ASCII characters correctly. Can anybody confirm that?
>
> The data is treated as a stream of bytes, so it depends on what you mean by correctly. It should be possible to recover the original data, but as far as being an intelligible of non-ASCII data it's not spectacular. :-)

I guess I meant independent from whatever locale FreeRADIUS happens to run with. I was dealing with the User-Name and was probably too immersed in my platform-independent Java world. :-)

Just took another look at RFCs 2865 and 2486. The NAI may only contain US-ASCII characters, no problem there. In theory, the User-Name might also contain UTF-8 or ASN.1 encoded data. Since I (and presumably everybody else) have to deal only with NAIs, US-ASCII is good enough for me. :-)

Fabian
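The ambiguity Fabian describes, and the byte-stream point Paul makes, can both be shown with a small re-implementation of the escaping scheme. This is an added example, not the code of rlm_sql; `SAFE_CHARS` is a constructed approximation of a safe_characters list, and `OLD_SAFE_CHARS` reproduces the reported behaviour by treating `=` as safe. Everything outside the safe set is written as `=XX` with two upper-case hex digits.

```python
# Added example, not FreeRADIUS's own code. SAFE_CHARS is a constructed
# approximation of a safe_characters list in sql.conf: anything outside it
# is written as "=XX" (two upper-case hex digits).
SAFE_CHARS = (b"@abcdefghijklmnopqrstuvwxyz"
              b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")

# The behaviour reported in the thread: '=' itself counted as safe and was
# passed through unescaped, so the escape marker could collide with data.
OLD_SAFE_CHARS = SAFE_CHARS + b"="


def sql_escape(data, safe=SAFE_CHARS):
    """Escape a byte string for interpolation into SQL text. Works on bytes,
    so non-ASCII input is handled byte by byte regardless of locale."""
    out = []
    for b in data:
        if b in safe:
            out.append(chr(b))
        else:
            out.append("=%02X" % b)
    return "".join(out)


def sql_unescape(text):
    """Invert sql_escape. Unambiguous only when '=' is never passed through
    unescaped; a dangling or non-hex escape is rejected instead of guessed."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "=":
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or any(c not in "0123456789abcdefABCDEF" for c in pair):
                raise ValueError("malformed escape at offset %d" % i)
            out.append(int(pair, 16))
            i += 3
        else:
            out.extend(text[i].encode("ascii"))
            i += 1
    return bytes(out)


def ambiguous_under_old_rule(a, b):
    """True when two distinct inputs escape to the same stored string under
    the old rule, i.e. the database can no longer tell them apart."""
    return a != b and sql_escape(a, OLD_SAFE_CHARS) == sql_escape(b, OLD_SAFE_CHARS)


if __name__ == "__main__":
    print(sql_escape(b";", OLD_SAFE_CHARS), sql_escape(b"=3B", OLD_SAFE_CHARS))
    print(sql_escape(b";"), sql_escape(b"=3B"))
    print(sql_unescape(sql_escape(b"caf\xc3\xa9")))
```

With `=` escaped as `=3D`, `sql_unescape(sql_escape(x)) == x` holds for every byte string, ASCII or not; the stored form of a UTF-8 name is just not readable by eye, which is the limitation Paul points at.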
EAP-TLS Access-Request and Access-Challenge questions/problems
[First, I'm a newcomer to this list. If this was already answered before (although I searched through the archives before posting) please apologize and point me to the appropriate resource]

Dear all,

Here's yet another newbie biting the EAP-TLS dust (tm).

My set-up:

- Authenticating server:
  * Debian/Unstable w. 2.6.5 vanilla kernel
  * freeradius-snapshot-20040513
  * openssl-0.9.7-stable-SNAP-20040513.
  Side note: Stock Debian openssl, libssl and libssl-dev packages were removed, i.e. this is the only SSL on my system (in case you'd ask).

- Authenticator: Ethernet switch Netgear FSM 726S with 2.3.2 firmware. For the purpose of this mail it has the IP addie 192.168.0.1 and hostname netgear-switch.domain.com

- Supplicant: WinXP Pro. SP1 + usual cruft.

Documentation Sources:

[1] FreeRADIUS/WinXP Authentication Setup from http://www.dslreports.com/forum/remark,9286052~mode=flat
[2] FreeRADIUS EAP/TLS - WinXP HOWTO from http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

My problem:

After following the EAP-TLS mantra at [1], generating certificates and installing them successfully (AFAICT) EAP-TLS doesn't work. After carefully combing through the logs and comparing w/ the ones given in [2] it seems that the EAP-TLS authentication doesn't succeed as I do not even reach the TLS handshake phase: The only thing the (freeradius) server does is it receives an Access-Request, answers back w/ an Access-Challenge, receives a new Access-Request to which it answers w/ a new Access-Challenge, and so on, in an infinite loop, with no TLS established and no EAP transaction performed beyond the above steps.

At the end of this mail I'll attach a server debug output (the output is cropped for brevity purposes to leave only the relevant parts. Of course the full monty is avail on request ;).

My questions:

1) All Access-Challenge messages rightfully (?) have the same id as the triggering Access-Request. However, the latter are non-sequential. If this is supposed to be a 3-way handshake of sorts (is it ?) then in response to the server's Access-Challenge I should get an Access-Request with the id incremented ? In other words, how do I get to distinguish btw. new Access-Requests and the ones that should (??) come in response to the server's own Access-Challenge ?

The reason I'm asking is that in the logs at [2] the second Access-Request received from the client has an id incremented w.r.t. the previous one, making me suspect that this is how the server detects the previous request and consequently reports in the log:

[...]
rlm_eap: Request found, released from the list.
[...]

OTOH in my own server logs I never find smth similar.

2) After processing each Access-Request, my server always reports:

[...]
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
[...]

but never any TLS handshake appears to be starting. Any idea what/where to look for ?

Thanks for any help and/or pointers to relevant info,

Florian

P.S. Here is the server log describing the message exchange. I left aside the blurb printed out by the server before the "Listening on ports..." line (there's no suspicious message there anyways). IP addies/hostnames changed to protect the innocent :)

[...]
Starting - reading configuration files ...
 trimmed
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1:1027, id=1, length=167
        User-Name = 802.1x client (i.e. supplicant)
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 1
        State = 0x300257fa5ecadec2b33ab1cc00d55927
        NAS-Identifier = netgear-switch.domain.com
        NAS-Port-Type = Ethernet
        EAP-Message = 0x02010024013830322e317820636c69656e742028692e652e20737570706c6963616e7429
        Message-Authenticator = 0x1f90d93abedd0aa9c21f7e1c7e3d7ba0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = 802.1x client (i.e. supplicant), looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 36
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched 802.1x client (i.e. supplicant) at 65
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type EAP
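Two things in the log above can be checked directly from the bytes, and the following Python does so as an added example (not FreeRADIUS code). First, the EAP-Message hex from the rad_recv block decodes to an EAP-Response/Identity with EAP id 1 and length 36, exactly what the `rlm_eap: EAP packet type response id 1 length 36` line reports; the server answers such a response with an EAP-Request/EAP-TLS carrying only the S (start) flag, which the example also builds. Second, on question 1: the RADIUS packet id only pairs a reply with the one request it answers and is chosen by the NAS, so it is not what ties a conversation together. What does is the State attribute the server issued in its Access-Challenge being echoed back unchanged (RFC 2865 section 5.24), together with the EAP id of the response matching the EAP id of the outstanding request. `SAMPLE_EAP_MESSAGE` and `SAMPLE_STATE` are the values from the post; `continues_conversation` is a hypothetical helper written for this illustration.

```python
# Added example, not FreeRADIUS code: decode the EAP-Message from the
# Access-Request above and build the EAP-TLS Start the server answers with.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS"}
EAP_TLS_TYPE = 13


def parse_eap(hexstr):
    """Parse one EAP packet (RFC 3748 header; Identity, Nak and EAP-TLS
    payloads). A length field that disagrees with the data is rejected."""
    if hexstr.startswith("0x"):
        hexstr = hexstr[2:]
    pkt = bytes.fromhex(hexstr)
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, eap_id = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("length field %d != %d bytes present" % (length, len(pkt)))
    info = {"code": EAP_CODES.get(code, code), "id": eap_id, "length": length}
    if code in (1, 2):           # Request / Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        eap_type = pkt[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            info["identity"] = pkt[5:].decode("ascii", "replace")
        elif eap_type == 3:      # peer lists the types it would accept instead
            info["nak_wants"] = [EAP_TYPES.get(t, t) for t in pkt[5:]]
        elif eap_type == EAP_TLS_TYPE and length >= 6:
            flags = pkt[5]       # RFC 2716: L (length), M (more), S (start)
            info["tls_flags"] = {"L": bool(flags & 0x80),
                                 "M": bool(flags & 0x40),
                                 "S": bool(flags & 0x20)}
    return info


def tls_start(eap_id):
    """EAP-Request/EAP-TLS with only the S flag set: the 6-byte packet the
    server places in its Access-Challenge after an Identity response."""
    return bytes([1, eap_id, 0, 6, EAP_TLS_TYPE, 0x20])


def continues_conversation(challenge, response, state_sent, state_echoed):
    """Hypothetical helper: does this Access-Request continue the conversation
    the server challenged? The RADIUS packet id plays no part; the State must
    come back unchanged and the EAP id must answer the outstanding request."""
    return (state_echoed is not None and state_echoed == state_sent
            and response["code"] == "Response"
            and response["id"] == challenge["id"])


# Values from the rad_recv block in the post above
SAMPLE_EAP_MESSAGE = ("0x02010024013830322e317820636c69656e74"
                      "2028692e652e20737570706c6963616e7429")
SAMPLE_STATE = bytes.fromhex("300257fa5ecadec2b33ab1cc00d55927")


if __name__ == "__main__":
    identity = parse_eap(SAMPLE_EAP_MESSAGE)
    print(identity)
    challenge = parse_eap(tls_start(identity["id"] + 1).hex())
    print(challenge)
```

Run against the log's value, the parse gives identity `802.1x client (i.e. supplicant)`, EAP id 1. If every Access-Request in the loop carries that same Identity response with id 1 while the server keeps answering with an EAP-TLS Start for id 2, the supplicant is never seeing (or never acting on) the Start, which is where Mike's suggestion of capturing on the client side comes in.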
Re: Freeradius Segmentation Fault on LDAP Bind
Alan DeKok wrote:
> Paul Bender [EMAIL PROTECTED] wrote:
> > However, I use OpenLDAP as a central store for account information for all other services (unix, samba, email, etc). Therefore, I would like freeradius to get account information from the LDAP server as well. However, when I configure freeradius to use the LDAP server, the freeradius server segfaults when rlm_ldap attempts to bind to my LDAP server.
>
>   Don't use TLS to connect to the LDAP server. For some reason, PEAP and LDAP+TLS don't like each other. The reason is buried inside of the OpenSSL code, which is a bit of a problem to debug.

Thank you for the response.

I do not believe I am using TLS (or SSL) to connect to the LDAP server, since I have set start_tls=0 in my ldap module configuration and since freeradius is attempting to connect to the ldap (not the ldaps) port. In order to be sure, I disabled TLS (even commented out my certs) on my LDAP server. However, freeradius still crashes at the same point in the process.

In order to check further, I decided to log the LDAP messaging over the wire using Ethereal. While the freeradius output does not show anything after the LDAP bind attempt, the Ethereal logs show that freeradius does a successful bind with the LDAP server. In addition, it does a successful LDAP search for the bind account (radiusd) and the bind account's primary group (radiusd). After that, there is no more LDAP traffic.
Re: EAP-TLS Access-Request and Access-Challenge questions/problems
Florian,

Do you have the icon in your task bar for your ethernet interface disabled? (The "Show icon on task bar when connected" option in the interface properties should be *enabled*). Windows XP pops up a bubble from that icon when it needs to communicate with the user (for things like accepting a CA certificate as trusted). If the icon is disabled, it can't pop up this bubble. I'd look there first, then double check that you've selected "Smart Card or other Certificate" instead of PEAP as the authentication method. If that doesn't turn up anything, run the Windows version of ethereal on that interface to see if the switch is forwarding on the EAP-TLS start packet.

--Mike

On Mon, 2004-05-17 at 09:21, Florian-Daniel Otel wrote:
> [...]
Re: EAP-TLS Access-Request and Access-Challenge questions/problems
Michael,

First, thanks for the fast reply.

Michael Griego writes:
> Florian,
>
> Do you have the icon in your task bar for your ethernet interface disabled? (The "Show icon on task bar when connected" option in the interface properties should be *enabled*). Windows XP pops up a bubble from that icon when it needs to communicate with the user (for things like accepting a CA certificate as trusted). If the icon is disabled, it can't pop up this bubble.

Well, it wasn't enabled, but it shouldn't need to be since I've added the CA certificate to the Root certificates, verified that it was the right one, etc. However, I've enabled the bubble just in case. Unfortunately I get exactly the same behaviour as before.

> I'd look there first, then double check that you've selected "Smart Card or other Certificate" instead of PEAP as the authentication method.

Double-checked. Everything as it should be (i.e. as pointed out in the HOWTOs)

> If that doesn't turn up anything, run the Windows version of ethereal on that interface to see if the switch is forwarding on the EAP-TLS start packet.

Yeap, I was afraid you might say that :). Actually this is what I've been trying to do since my post ...;)

Anyway, thanks

Florian

> --Mike
>
> On Mon, 2004-05-17 at 09:21, Florian-Daniel Otel wrote:
> > [...]
mod_auth_radius-2.0+Apache2.0
Hello,

I'm using SuSE Linux 9.1, FreeRadius 0.9.3 with the module mod_auth_radius-2.0 and Apache 2.0. I would like to use Radius for web authentication.

At first I tested Apache 1.3 with the Radius module mod_auth_radius. I used the configuration as per the description on http://www.freeradius.org/mod_auth_radius. Everything works great!

But now I would like to use Apache 2.0 and the Radius module mod_auth_radius-2.0. After installation and configuration I checked the interaction between the Radius server and the Radius module of Apache 2.0 with the tool ethereal. The access to the secured web area is answered by the login prompt. After entering the right user and password the Radius module made an Access-Request (1) and the Radius server made an Access-Accept (2). In actual fact I would say that the interaction is ok, or isn't it? But the browser gives me an error message back: Error 500.

Does this error come from a wrong configuration of the httpd.conf file? Is the configuration of the apache 1.3 httpd.conf file equal to the configuration file of apache 2.0 except for the entry AddModule .../mod_auth_radius.o?

May somebody help me and give me some instructions?

Thank you in advance!

Greetings
Andreas
Re: Freeradius with MD5 and MySQL
Hi

You don't need to change any Auth-Type settings, and it's best that you don't even use any Auth-Type settings when authenticating from MySQL.

In your MySQL database you use the attribute Crypt-Password for encrypted passwords.

Search the archives for "MySQL schema" and/or "Guy Fraser". I have submitted a number of responses with configuration examples including an MD5 encrypted password in MySQL.

Coolins Paker wrote:
> Hi list,
>
> I need to change auth-type in Server Freeradius, but I don't make it. I searched in the archive list and I still have not found it. My freeradius is configured to authenticate with MySQL and my passwords are MD5. How do I change Auth-type for MD5 passwords?
Accounting with Start-record missing / accounting_update_query_alt
Hi,

running FreeRADIUS Version 1.0.0-pre0 (Debian-package from cvs20040421) with accounting to mysql 3.23.49.

When I understood things right, the accounting_update_query_alt should come into action when accounting_update_query fails because no start-record was ever inserted, right ? However, if I'm right ;) when the start-record gets recorded, accounting including updates works fine, but when the according row is missing in table radacct (due to the start-record got lost or accounting started after the session was created - ok, this is really uncommon) then accounting_update_query_alt doesn't kick in.

From what I understood the problem lies in rlm_sql not reporting an error somehow when the update fails; complete debug-output from one update and the stop-record below (both with changed IP's). The stop-record finally creates a row in radacct, so accounting_stop_query_alt works fine. As soon as the according start-entry in table radacct exists also the update works fine, but I thought of this as a way to recover missing accounting packets to at least have the updates creating records when the start goes wrong.

regards
Michael

--- cut acct-update ---
rad_recv: Accounting-Request packet from host 1.2.3.46:1646, id=208, length=226
        Acct-Session-Id = 0012
        Cisco-AVPair = isakmp-group-id=grpname
        Framed-IP-Address = 1.2.3.36
        Cisco-AVPair = isakmp-initator-ip=3.2.1.10
        User-Name = username
        Cisco-AVPair = connect-progress=Auth Open
        Acct-Session-Time = 10785
        Acct-Input-Octets = 1303176
        Acct-Output-Octets = 1219984
        Acct-Input-Packets = 10839
        Acct-Output-Packets = 10839
        Acct-Authentic = RADIUS
        Acct-Status-Type = Alive
        Cisco-NAS-Port = Dialer1
        NAS-Port = 1
        NAS-IP-Address = 1.2.3.46
        Acct-Delay-Time = 0
rad_lowerpair: User-Name now 'username'
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 36
  modcall[preacct]: module preprocess returns noop for request 36
    rlm_realm: No '#' in User-Name = username, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[preacct]: module realmhash returns noop for request 36
    rlm_realm: No '@' in User-Name = username, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 36
  modcall[preacct]: module files returns noop for request 36
modcall: group preacct returns noop for request 36
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 36
  rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 1.2.3.46,NAS-IP-Address = 1.2.3.46,Acct-Session-Id = 0012,User-Name = username'
  rlm_acct_unique: Acct-Unique-Session-ID = f13ebac0de4ea35c.
  modcall[accounting]: module acct_unique returns ok for request 36
radius_xlat: '/var/log/freeradius/radacct/1.2.3.46/detail-20040517'
  rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/1.2.3.46/detail-20040517
  modcall[accounting]: module detail returns ok for request 36
  modcall[accounting]: module unix returns noop for request 36
radius_xlat: 'username'
  rlm_sql (sql): sql_set_user escaped user -- 'username'
radius_xlat: 'UPDATE radacct SET FramedIPAddress = '1.2.3.36', AcctSessionTime = '10785', AcctInputOctets = '1303176', AcctOutputOctets = '1219984' WHERE AcctSessionId = '0012' AND UserName = 'username' AND NASIPAddress= '1.2.3.46''
  rlm_sql (sql): Reserving sql socket id: 1
  rlm_sql (sql): Released sql socket id: 1
  modcall[accounting]: module sql returns ok for request 36
radius_xlat: '/var/log/freeradius/radutmp'
radius_xlat: 'username'
  modcall[accounting]: module radutmp returns ok for request 36
--- cut acct-stop ---
rad_recv: Accounting-Request packet from host 1.2.3.46:1646, id=230, length=264
        Acct-Session-Id = 0012
        Cisco-AVPair = isakmp-group-id=grpname
        Framed-IP-Address = 1.2.3.36
        Cisco-AVPair = isakmp-initator-ip=3.2.1.10
        User-Name = username
        Acct-Authentic = RADIUS
        Cisco-AVPair = connect-progress=Auth Open
        Acct-Session-Time = 11376
        Acct-Input-Octets = 1374720
        Acct-Output-Octets = 1287360
        Acct-Input-Packets = 11433
        Acct-Output-Packets = 11433
        Acct-Terminate-Cause = 0
        Cisco-AVPair = disc-cause-ext=No Reason
        Acct-Status-Type = Stop
        Cisco-NAS-Port = Dialer1
        NAS-Port = 1
        NAS-IP-Address = 1.2.3.46
        Acct-Delay-Time = 0
rad_lowerpair: User-Name now 'username'
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 65
  modcall[preacct]: module preprocess returns noop for request 65
    rlm_realm: No '#' in User-Name = username, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[preacct]: module realmhash returns noop for request 65
unsubscribe
unsubscribe

Rogelio Alvarado Anchisi
Systems Engineer
Galaxy Communications Corp.
Tel. +507-2000128
Fax. +507-2000132
Cel. +507-6744093

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Markstaller
Sent: Monday, 17 May 2004 14:04
To: [EMAIL PROTECTED]
Subject: Accounting with Start-record missing / accounting_update_query_alt

[...]
Client Requesting TLS
Good Evening,

I had EAP-TLS working and poked around (destroying my working TLS) :-(

modcall: entering group authenticate for request 10
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
  rlm_eap: EAP-NAK asked for EAP-Type/tls
  rlm_eap: ERROR! Our request for tls was NAK'd with a request for tls, what is the client thinking?
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 10
modcall: group authenticate returns invalid for request 10

I had this problem two days ago, but I can't remember what I did to correct it. I think it had something to do with my certificates (the client can't connect, so he retries to connect).

As soon as this is working again, I will get the log for the WPA-Problem.

Regards,
Robert M. Albrecht
Re: missing radius.log file
Yes, I have searched the radiusd.conf for anything that involves 'log'.

When I had the server set up on our network authenticating requests, the only log file that came out of that was:

/usr/local/var/log/radius/radacct/IP-ADDRESS/detail-DATE

I see that in the radiusd.conf, and it is actually commented out! I had the server set to log to radius.log but there is no radius.log file anywhere (searched with find and locate as root from the root directory).

Also, does the server log radtests?

Evan Stenmark

-- Original Message --
From: Alan DeKok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Sat, 15 May 2004 07:03:52 -0400

> stenmark [EMAIL PROTECTED] wrote:
> > (This should be pretty simple) I can not find a radius.log file. Is there a setting (maybe in the radiusd.conf) that I missed?
>
>   Have you tried looking in radiusd.conf for the text "radius.log"? Or "log_file"?
>
>   Alan DeKok.
Re: Accounting with Start-record missing / accounting_update_query_alt
On Mon, May 17, 2004 at 09:03:47PM +0200, Michael Markstaller wrote:
> running FreeRADIUS Version 1.0.0-pre0 (Debian package from cvs20040421) with accounting to mysql 3.23.49.
>
> When I understood things right, the accounting_update_query_alt should come into action when accounting_update_query fails because no start record was ever inserted, right? However, if I'm right ;) when the start record gets recorded, accounting including updates works fine, but when the corresponding row is missing in table radacct (because the start record got lost, or accounting started after the session was created - ok, this is really uncommon), then accounting_update_query_alt doesn't kick in.
>
> From what I understood, the problem lies in rlm_sql not reporting an error somehow when the update fails; complete debug output from one update and the stop record below (both with changed IPs). The stop record finally creates a row in radacct, so accounting_stop_query_alt works fine. As soon as the corresponding start entry in table radacct exists, the update also works fine, but I thought of this as a way to recover missing accounting packets, to at least have the updates creating records when the start goes wrong.

Yes, it was a mistake on my part. An update that affects no rows is not an error. I took the code from the start handling, instead of from the stop handling. It should be fixed now, in rlm_sql.c 1.130.

--
Paul "TBBle" Hampson, on an alternate email client.
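The behaviour Paul describes (an UPDATE that matches no rows succeeds, so the _alt query has to be chosen on the affected-row count rather than on an SQL error) is shown below as an added example; it is not rlm_sql's code and not part of the thread. An in-memory SQLite table stands in for MySQL, the column names follow the debug output earlier on the page, and the session values are constructed.

```python
"""Accounting UPDATE with fallback INSERT, modelled on FreeRADIUS's
accounting_update_query / accounting_update_query_alt pair.

Added example (not rlm_sql code). An in-memory SQLite 'radacct' table
stands in for MySQL. The point: an UPDATE that matches no rows is not
an SQL error, so the fallback has to be triggered on cursor.rowcount.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    RadAcctId        INTEGER PRIMARY KEY AUTOINCREMENT,
    AcctSessionId    TEXT NOT NULL,
    UserName         TEXT NOT NULL,
    NASIPAddress     TEXT NOT NULL,
    FramedIPAddress  TEXT,
    AcctSessionTime  INTEGER,
    AcctInputOctets  INTEGER,
    AcctOutputOctets INTEGER,
    AcctStopTime     TEXT
)
"""

# Interim-Update: the normal query assumes the Start record created the row.
UPDATE_QUERY = """
UPDATE radacct SET FramedIPAddress = :ip, AcctSessionTime = :time,
       AcctInputOctets = :inoct, AcctOutputOctets = :outoct
 WHERE AcctSessionId = :sid AND UserName = :user AND NASIPAddress = :nas
"""

# Fallback: create the row the missing Start record would have created.
UPDATE_QUERY_ALT = """
INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress,
                     AcctSessionTime, AcctInputOctets, AcctOutputOctets)
VALUES (:sid, :user, :nas, :ip, :time, :inoct, :outoct)
"""

STOP_QUERY = """
UPDATE radacct SET AcctStopTime = :stop, AcctSessionTime = :time,
       AcctInputOctets = :inoct, AcctOutputOctets = :outoct
 WHERE AcctSessionId = :sid AND UserName = :user AND NASIPAddress = :nas
"""

STOP_QUERY_ALT = """
INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress,
                     AcctSessionTime, AcctInputOctets, AcctOutputOctets, AcctStopTime)
VALUES (:sid, :user, :nas, :ip, :time, :inoct, :outoct, :stop)
"""


def new_db():
    """Fresh in-memory radacct table (stand-in for the MySQL table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def run_with_fallback(conn, primary, alt, params):
    """Run `primary`; if it touched no rows, run `alt` instead.

    Returns "primary" or "alt" so the caller can see which one took effect.
    The UPDATE itself never raises when nothing matches, which is exactly
    why the decision has to be made on rowcount.
    """
    cur = conn.execute(primary, params)
    if cur.rowcount > 0:
        conn.commit()
        return "primary"
    conn.execute(alt, params)
    conn.commit()
    return "alt"


def account(conn, status_type, params):
    """Dispatch one Accounting-Request by its Acct-Status-Type."""
    if status_type == "Interim-Update":
        return run_with_fallback(conn, UPDATE_QUERY, UPDATE_QUERY_ALT, params)
    if status_type == "Stop":
        return run_with_fallback(conn, STOP_QUERY, STOP_QUERY_ALT, params)
    raise ValueError("unsupported Acct-Status-Type: %s" % status_type)


def session_rows(conn, sid):
    """Number of radacct rows for a session; the fallback must not duplicate."""
    return conn.execute("SELECT COUNT(*) FROM radacct WHERE AcctSessionId = ?",
                        (sid,)).fetchone()[0]


if __name__ == "__main__":
    # Constructed session whose Start record never arrived.
    db = new_db()
    p = dict(sid="0012", user="username", nas="1.2.3.46", ip="1.2.3.36",
             time=10785, inoct=1303176, outoct=1219984, stop="2004-05-17 21:10:00")
    print(account(db, "Interim-Update", p))               # alt (row created)
    print(account(db, "Interim-Update", dict(p, time=11000)))  # primary
    print(account(db, "Stop", dict(p, time=11376)))       # primary
    print(session_rows(db, "0012"))                       # 1
```

The same rowcount test covers the Stop case Michael mentions: a Stop for a session with no row falls through to the _alt INSERT, while a Stop for a known session is a plain UPDATE, and the session never ends up with two rows.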
Apache error after trying to log in to the NoCat auth web interface.
Hello,

I have installed freeradius + mysql and now nocat authserv and nocat gateway following this tutorial http://nocat.net/wiki/index.cgi?Radius, and it looks like it all runs okay. When I try to authenticate from the browser, if I enter a correct login and password it says wrong login or password, and the Apache log says this:

[2004-05-17 21:47:16] User UNKNOWN from 10.0.0.99 requests form
[2004-05-17 21:47:36] User [EMAIL PROTECTED] from 10.0.0.99 requests form
[2004-05-17 21:47:36] Connecting to RADIUS server 10.0.0.2 with Timeout 5
[2004-05-17 21:47:36] Use of uninitialized value in string eq at /usr/share/perl5/Authen/Radius.pm line 207, FILE line 1.
[2004-05-17 21:47:36] Use of uninitialized value in string eq at /usr/share/perl5/Authen/Radius.pm line 207, FILE line 1.
[2004-05-17 21:47:36] Use of uninitialized value in string eq at /usr/share/perl5/Authen/Radius.pm line 207, FILE line 1.
[2004-05-17 21:47:36] Use of uninitialized value in string eq at /usr/share/perl5/Authen/Radius.pm line 207, FILE line 1.
[2004-05-17 21:47:36] Use of uninitialized value in string eq at /usr/share/perl5/Authen/Radius.pm line 207, FILE line 1.
[2004-05-17 21:47:36] Use of uninitialized value in string eq at /usr/share/perl5/Authen/Radius.pm line 207, FILE line 1.
[2004-05-17 21:47:36] Use of uninitialized value in string eq at /usr/share/perl5/Authen/Radius.pm line 207, FILE line 1.
[2004-05-17 21:47:36] Use of uninitialized value in string eq at /usr/share/perl5/Authen/Radius.pm line 207, FILE line 1.
[2004-05-17 21:47:36] Use of uninitialized value in string eq at /usr/share/perl5/Authen/Radius.pm line 207, FILE line 1.
[2004-05-17 21:47:36] Use of uninitialized value in string eq at /usr/share/perl5/Authen/Radius.pm line 207, FILE line 1.
[2004-05-17 21:47:36] Use of uninitialized value in length at /usr/share/perl5/Authen/Radius.pm line 88, FILE line 1.
[2004-05-17 21:47:36] Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/Authen/Radius.pm line 88, FILE line 1.
[2004-05-17 21:47:36] Out of servers to try

If I press the skip button, I receive an internal server error, and the Apache error log is this:

[2004-05-17 21:47:43] User UNKNOWN from 10.0.0.99 requests form
[2004-05-17 21:47:43] gpg --sign --armor --homedir=/usr/local/nocat/authserv/cgi-bin/../pgp --keyring trustedkeys.gpg --no-tty -o- returned error message:gpg: Sorry, no terminal at all requested - can't get input
[2004-05-17 21:47:43] gpg --sign --armor --homedir=/usr/local/nocat/authserv/cgi-bin/../pgp --keyring trustedkeys.gpg --no-tty -o- returned error: ( 2 )
Can't call method "text" on an undefined value at ../lib//NoCat/AuthService.pm line 134.
[Mon May 17 21:47:44 2004] [error] [client 10.0.0.99] Premature end of script headers: /usr/local/nocat/authserv/cgi-bin/login

If someone could help me, I would appreciate it.

Thanks
Rui Oliveira
Portugal
Re: About Radius Attributes
Hi Alan,

> > 1. In which case will a radius client request the above service type, or which radius clients usually request the above service-type?
>
> http://www.freeradius.org/rfc/attributes.html
>
> Click on Service-Type, and it will tell you what those values mean, and when they're used.

I actually posted the question after reading the RFC. The RFC tells you a lot about the standard, but not about the current practice. What I need is some real-case examples. For example:

- Example of a Radius client that asks for service-type Outbound, and what kind of devices it wants to be granted access to.
- Similarly, example of a Radius client that asks for service-type Administrative, NAS Prompt, Callback NAS Prompt, Call Check, and maybe some scenarios in which they are used?

> > 2. What attributes are usually returned in the access-accept packet for the above service type?
>
> It depends on your local configuration.

I understand that it depends on my own configuration. But I'm interested to know about the common practice out there. Would you care to elaborate more? I'm still new to the Radius concept.

> > For Service-type PPP / SLIP requested, are there any MANDATORY attributes that need to be returned by the radius server in the access-accept packet (Framed-IP-Address, Framed-MTU, etc)?
>
> See the RFC's, and your NAS vendor documentation.

Can you please provide me with some links to any NAS vendor documentation? I don't have any specific NAS in mind currently.

> > If the Framed-IP-Address is not a mandatory attribute to be returned for service-type PPP, how will the NAS decide the IP Address assigned to the user?
>
> See the NAS documentation. It depends on the NAS.
>
> Alan DeKok.

"Life, you see, is never as good or as bad as one thinks." - Guy de Maupassant
Re: Reg configuring challenge response
Dear Alan DeKok,

Could you please respond to my query below:

I am using the UDP protocol as the underlying protocol and the MD5 protocol as the authentication protocol to communicate with the RADIUS server. In this case, will the protocol demand a challenge? In this case, will the RADIUS server send a challenge response?

Regards,
Barath Kumar.

Barath kumar wrote:
> Dear Alan,
>
> Thanks for your response. I am using the UDP protocol as the underlying protocol and the MD5 protocol as the authentication protocol to communicate with the RADIUS server. In this case, will the protocol demand a challenge? In this case, will the RADIUS server send a challenge response?
>
> Regards,
> Barath Kumar.
>
> Alan DeKok wrote:
> > The server will send a challenge when the protocol demands it. e.g. EAP. If you don't know what the challenge will be, or why the server should send a challenge, you probably don't want challenge-response.
> >
> > Alan DeKok.
> >
> > Barath kumar [EMAIL PROTECTED] wrote:
> > > How to configure the free RADIUS server to send a challenge response to an access request? In other words, what are the configurations to be done on the free RADIUS server such that it sends a challenge response to an access request? By default, will the free RADIUS server send a challenge response, or do any special configurations need to be done for the same?
Re: Problem with sending challenge response
Sir,

I read the radclient file. Its usage says:

Usage: radclient [options] server[:port] command [secret]

and I have come to know through the RFCs that I should include the State received from the RADIUS server as-is in my request. So how will I add this, and also the encrypted password which I got from my offline client? So, could you please tell me the exact syntax I have to use for this.

Thanks again

--- Alan DeKok [EMAIL PROTECTED] wrote:
> SANDEEP KHANNA [EMAIL PROTECTED] wrote:
> > Could you please tell me the exact syntax for sending a request with the State attribute, like I am using radtest
>
> Don't use radtest. Use radclient. READ radtest. It's just a shell script.
>
> Alan DeKok.
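The exchange Sandeep is trying to produce (Access-Request, Access-Challenge carrying State, second Access-Request echoing that State unmodified together with the new User-Password) is shown below as an added example; it is not radclient, not FreeRADIUS code and not part of the thread. It is a minimal RFC 2865 packet codec with a toy two-round server, so both sides of the exchange are visible. The shared secret, user name, password and one-time token are constructed for the example.

```python
"""Challenge-response round trip with the State attribute echoed back.

Added example, not radclient or FreeRADIUS code. Implements just enough
of RFC 2865: packet header, attribute TLVs, User-Password hiding
(section 5.2) and the Response Authenticator (section 3). The toy server
asks for a password, replies Access-Challenge with a State, and accepts
only a second request that carries that State plus the expected token.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; chaining uses the hidden (previous cipher) block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def attrs_bytes(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def encode(code, ident, authenticator, attrs):
    body = attrs_bytes(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, rest, attrs = pkt[4:20], pkt[20:length], []
    while rest:
        t, ln = rest[0], rest[1]
        if ln < 2 or ln > len(rest):
            raise ValueError("malformed attribute")
        attrs.append((t, rest[2:ln]))
        rest = rest[ln:]
    return code, ident, auth, attrs


def get(attrs, t):
    return next((v for k, v in attrs if k == t), None)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = attrs_bytes(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


class ToyServer:
    """users maps name -> (password, token). State is issued per challenge, used once."""
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, pkt):
        code, ident, req_auth, attrs = decode(pkt)
        name = get(attrs, USER_NAME)
        pw = reveal_password(get(attrs, USER_PASSWORD), self.secret, req_auth)
        state = get(attrs, STATE)
        if state is None:                       # round 1: password, then challenge
            if self.users.get(name, (None,))[0] != pw:
                return self.reply(ACCESS_REJECT, ident, req_auth, [])
            state = os.urandom(16)
            self.pending[state] = name
            return self.reply(ACCESS_CHALLENGE, ident, req_auth,
                              [(REPLY_MESSAGE, b"Enter token"), (STATE, state)])
        # round 2: State must be one we issued for this user, token must match
        if self.pending.pop(state, None) != name or self.users[name][1] != pw:
            return self.reply(ACCESS_REJECT, ident, req_auth, [])
        return self.reply(ACCESS_ACCEPT, ident, req_auth, [])

    def reply(self, code, ident, req_auth, attrs):
        auth = response_authenticator(code, ident, attrs, req_auth, self.secret)
        return encode(code, ident, auth, attrs)


def client_login(server, secret, user, password, token):
    """Client side: send password; on Access-Challenge resend with State echoed and the token."""
    def request(ident, pw, state):
        auth = os.urandom(16)                   # fresh Request Authenticator each time
        attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(pw, secret, auth))]
        if state is not None:
            attrs.append((STATE, state))        # copied unmodified from the challenge
        code, rid, rauth, rattrs = decode(server.handle(encode(ACCESS_REQUEST, ident, auth, attrs)))
        if rid != ident or rauth != response_authenticator(code, rid, rattrs, auth, secret):
            raise ValueError("bad Response Authenticator")
        return code, rattrs

    code, attrs = request(1, password, None)
    if code != ACCESS_CHALLENGE:
        return code
    return request(2, token, get(attrs, STATE))[0]
```

With radclient the same thing happens by feeding it the attribute list (User-Name, User-Password and the State value from the challenge) on stdin or from a file, which is what radtest does for a single plain request; the example above makes the second request's fresh Request Authenticator and the unmodified State explicit.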