Re: any help with this please..!!

2004-08-18 Thread Tacio Santos
Here is an implementation of that:
http://nocat.net/
http://nocat.net/wiki/index.cgi?Radius
HTH,
Tacio
On Thursday 19 August 2004 00:21, Thor Spruyt wrote:
> jassim El-mansori wrote:
> > (WIN2000)<-eth1>(RH9+freeradius)[Internet]
> > now what I'm after is how the user who is on the
> > WIN2k can gain access to the Internet when he is
> > authenticated.
>
> You could setup a webserver on the router, which redirects the user to a
> page where he can login and/or logout.
> The webapplication can tell a custom access control application to change
> firewall rules for this user.
> The access control application can optionally do user authentication at the
> radius server.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Access-Accept attributes problem

2004-08-18 Thread Thor Spruyt
[EMAIL PROTECTED] wrote:
> Initially, I was accessing it through http://x.x.x.x -> didn't work
> However, accessing it through http://x.x.x.x/index.html DOES work!
> 
> Do you know why this is so?
> And is there any way to fix this so it's also accessible via
> http://x.x.x.x alone, without having to explicitly specify
> /index.html? 

In case of Apache look for a configuration item called "DirectoryIndex"

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65




Bypass SQL socket reservation with Acct-Session-Time = 0 (Stop-Only)

2004-08-18 Thread ROY
Hi,

I've tried a tweak to rlm_sql.c to bypass reserving a socket for
sessions with "0" duration in the stop packets. This is to minimize
active sockets, which may then be used for the non-zero calls, hoping that the
server would scale up with rapid accounting (stop-only) data that is
pouring in.

I have attached here the diff from the cvs version.

Is there another way of doing this? Have I overlooked something? The
tweak seems to run well overnight (500k+ stop records at the moment).

Thanks,

roy
--- rlm_sql.c   2004-08-18 15:36:25.0 +0800
+++ rlm_sql.cvs.c   2004-08-18 15:07:17.0 +0800
@@ -932,7 +932,7 @@
}
(inst->module->sql_finish_query)(sqlsocket, 
inst->config);
}
-   sql_release_socket(inst, sqlsocket);
+
break;
 
/*
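Review bot: the file header pairs `--- rlm_sql.c` (the modified copy, 15:36) with `+++ rlm_sql.cvs.c` (the CVS copy, 15:07), so the diff is reversed: the `-` line `sql_release_socket(inst, sqlsocket);` in this hunk is what the tweak adds, not what it removes. Regenerate it as `diff -u rlm_sql.cvs.c rlm_sql.c` so it applies with patch and reads in the normal direction. The per-case release is only safe because the single release after the switch goes away in the last hunk; keep the two changes together when submitting.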
@@ -983,7 +983,6 @@
}
(inst->module->sql_finish_query)(sqlsocket, 
inst->config);
}
-   sql_release_socket(inst, sqlsocket);
break;
 
/*
@@ -1028,7 +1027,6 @@
}
(inst->module->sql_finish_query)(sqlsocket, 
inst->config);
}
-   sql_release_socket(inst, sqlsocket);
break;
 
/*
@@ -1044,13 +1042,10 @@
radius_xlat(querystr, sizeof(querystr), 
inst->config->accounting_stop_query, request, sql_escape_func);
query_log(request, inst, querystr);
 
-   pair = pairfind(request->packet->vps, PW_ACCT_SESSION_TIME);
-   acctsessiontime = pair->lvalue;
-
-   if ((*querystr) && (acctsessiontime > 0)) { /* non-empty query 
*/
-   sqlsocket = sql_get_socket(inst);
-   if (sqlsocket == NULL)
-   return(RLM_MODULE_FAIL);
+   sqlsocket = sql_get_socket(inst);
+   if (sqlsocket == NULL)
+   return(RLM_MODULE_FAIL);
+   if (*querystr) { /* non-empty query */
if (rlm_sql_query(sqlsocket, inst, querystr)) {
radlog(L_ERR, "rlm_sql (%s): Couldn't update 
SQL accounting STOP record - %s",
   inst->config->xlat_name,
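Review bot: `pair = pairfind(request->packet->vps, PW_ACCT_SESSION_TIME); acctsessiontime = pair->lvalue;` dereferences pair with no NULL check, so a Stop packet that omits Acct-Session-Time crashes the server. Guard it, e.g. `acctsessiontime = pair ? pair->lvalue : 0;`, and decide explicitly whether a missing attribute counts as a zero-length session (skipped) or as unknown (still written); the code as posted cannot express either. Moving `sql_get_socket` inside the condition is the actual saving this patch is after, so a one-line comment on the `if` saying that a zero-length Stop never takes a socket would help the next reader.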
@@ -1099,7 +1094,6 @@
}
}
(inst->module->sql_finish_query)(sqlsocket, 
inst->config);
-   sql_release_socket(inst, sqlsocket);
}
break;
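Review bot: the condition `(*querystr) && (acctsessiontime > 0)` introduced in the previous hunk now wraps everything in the STOP case up to the `sql_finish_query` call here, so a Stop carrying Acct-Session-Time = 0 runs neither the UPDATE nor anything else in that block, and a session whose Start was recorded never gets its row closed. If the intent is stop-only accounting, state that in a comment next to the check; otherwise only skip the query when no matching Start row exists.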
 
@@ -1109,11 +1103,11 @@
default:
radlog(L_INFO, "rlm_sql (%s): Unsupported Acct-Status-Type = 
%d", inst->config->xlat_name, acctstatustype);
return RLM_MODULE_NOOP;
-   sql_release_socket(inst, sqlsocket);
break;
 
}
 
+   sql_release_socket(inst, sqlsocket);
 
return ret;
 }
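Review bot: `sql_release_socket(inst, sqlsocket);` placed after `return RLM_MODULE_NOOP;` in the default case is unreachable, and no socket has been acquired on that path; drop it. Removing the single release after the switch (the `+` line before `return ret;`) makes every case responsible for releasing its own socket, so any future early `return` in a case after `sql_get_socket` leaks one. A simpler shape that keeps the original structure would be to initialise `sqlsocket = NULL`, acquire it only inside the STOP condition, and guard the single trailing release with `if (sqlsocket)`.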


Re: CHAP not working with ldap

2004-08-18 Thread kevin J

Alan DeKok wrote:
> kevin J <[EMAIL PROTECTED]> wrote:
> > I found that line 1441 of rlm_ldap.c returns RLM_MODULE_INVALID if the 
> > password is not PAP:
> ...
>  What you're missing is that's the *authentication* function.  The
> LDAP database doesn't know how to do CHAP, it only knows how to do
> PAP.  So the rlm_ldap module can send ONLY a PAP password to an LDAP
> database.

Thanks Alan.  CHAP is working with ldap now.
I have two more questions though.
1) I found that PAP is not working with ldap.  RADIUS just tried ldap 
authentication.  I don't know why.  Is there anything that I have to do 
for PAP?
2) It looks like the ldap connection is not persistent, which means it re-binds 
to ldap per authentication.  Is this true or am I missing something?

Thanks,
Kevin


Re: Access-Accept attributes problem

2004-08-18 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Initially, I was accessing it through http://x.x.x.x -> didn't work
> However, accessing it through http://x.x.x.x/index.html DOES work!

  Ah.  So you're not using a normal NAS, you're using a web server.

> Do you know why this is so?

  If you would describe WHAT you're using as a RADIUS client, someone
may be able to help you.

  Alan DeKok.




Re: Load balancing accounting best practice?

2004-08-18 Thread ROY

> What I am looking for is to be able to distribute load across a number
> of radius boxes and to be able to easily take some nodes out of
> rotation, or add to the rotation without needing to reconfigure all of
> the nas servers.

If you've got Cisco NASes, you may want to try 
'radius-server retry method reorder'

After the pre-configuration, everything is automatic.

HTH,
roy




RE: Cisco VoIP

2004-08-18 Thread Juan Carlos Ocasio

Greg,

I have been searching for the same information and have not found much... If I
could get pointed in the right direction or get it
working, I don't have a problem with documenting...

Good Luck,

JC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gregory D. Burns
Sent: Wednesday, August 18, 2004 10:01 AM
To: [EMAIL PROTECTED]
Subject: Cisco VoIP

Group, 

I have used freeradius to collect CDR's from Cisco before. But I want to learn
how much can really be done, and also wanted to allow my customers to do some
config changes (like adding new gateways) from a web interface. At this point
I'm doing a lot of reading and testing, but I notice a lot of what
I'm reading does not apply to using it for Cisco voip CDRs. 

So my question is, does anyone know of a good web page, news group, IRC, or
whatever, that talks about using freeradius on VOIP gateways? 

-Greg


Re: Access-Accept attributes problem

2004-08-18 Thread plam017
Quoting Thor Spruyt <[EMAIL PROTECTED]>:

> [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > What are the "must-have" attributes for Access-Accept?
> > According to RFC2865 all attributes are optional, so I thought just
> > sending the headers (code, identifier, length, response
> > authenticator) should do the job, but when I tried it, it doesn't
> > want to acknowledge my Access-Accept packets.
>
> Maybe according to the RFC they're all optional, but your NAS might require
> certain attributes in the Access-Accept! Check your NAS' documentation.
>
> --
> Regards,
>
> Thor Spruyt
> E: [EMAIL PROTECTED]
> W: www.thor-spruyt.com
> M: +32 (0)475 67 22 65
>


Hi Thor,

Thanks for your help, it is accepting a normal Access-Accept packet with no
attributes now.

Initially, I was accessing it through http://x.x.x.x -> didn't work
However, accessing it through http://x.x.x.x/index.html DOES work!

Do you know why this is so?
And is there any way to fix this so it's also accessible via http://x.x.x.x
alone, without having to explicitly specify /index.html?

Thanks again :)




Re: Access-Accept attributes problem

2004-08-18 Thread Thor Spruyt
[EMAIL PROTECTED] wrote:
> Hi,
>
> What are the "must-have" attributes for Access-Accept?
> According to RFC2865 all attributes are optional, so I thought just
> sending the headers (code, identifier, length, response
> authenticator) should do the job, but when I tried it, it doesn't
> want to acknowledge my Access-Accept packets.

Maybe according to the RFC they're all optional, but your NAS might require
certain attributes in the Access-Accept! Check your NAS' documentation.

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65




Re: any help with this please..!!

2004-08-18 Thread Thor Spruyt
jassim El-mansori wrote:
> (WIN2000)<-eth1>(RH9+freeradius)[Internet]
> now what I'm after is how the user who is on the
> WIN2k can gain access to the Internet when he is
> authenticated.

You could set up a webserver on the router which redirects the user to a
page where he can log in and/or log out.
The web application can tell a custom access control application to change
firewall rules for this user.
The access control application can optionally do user authentication at the
radius server.

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65




converting to mysql.. any help?

2004-08-18 Thread histar2
I have version 0.9.7 of freeradius running with flatfile
configs and using eap-tls w/certs of course. This works
fine. I want to convert this all over to 1.0 with mysql as
the storage. I was wondering if you might have some tips? I
don't want to lose the configs I have. Is there an easy way
to do this? Are there any examples/tips/gotchas for doing
something like this, or is it so simple that I am just
over-thinking things?

thanks
Kat



Failed to link to module 'rlm_exec' (et al)

2004-08-18 Thread Leland V. Lammert
Is anyone using freeradius on OpenBSD (3.3)? It seems like there is 
something fundamentally wrong with config:

1) make did not find krb.h, even though it is in what I assume is a 
standard location:

/usr/include/kerberosV/krb5.h

Not a big problem, however; I just configured with Kerberos (I am including 
this as it might be related to the major problem below):

./configure --with-rlm_mysql --without-rlm_krb5

2) Make and install then succeeded, .. however the built modules DNW.
starting radiusd with -X:
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
radiusd.conf[1367] Failed to link to module 'rlm_exec': No such file or 
directory
The install created files that *look* to be correct:
lrwxr-xr-x  1 root  wheel 11 Aug 18 16:02 
/usr/local/lib/rlm_exec-1.0.0.la -> rlm_exec.la
-rw-r--r--  1 root  wheel  21318 Aug 18 16:02 /usr/local/lib/rlm_exec.a
-rwxr-xr-x  1 root  wheel690 Aug 18 16:02 /usr/local/lib/rlm_exec.la

BUT none of them will link. Could this problem be related to these linker 
warnings:

*** Warning: This library needs some functionality provided by -lresolv.
*** I have the capability to make that library automatically link in when
*** you link to this library.  But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
*** Warning: libtool could not satisfy all declared inter-library
*** dependencies of module rlm_files.  Therefore, libtool will create
*** a static module, that should work as long as the dlopening
*** application is linked with the -dlopen flag.
Any suggestions would be greatly appreciated, .. I can also send the logs 
from configure & make, if it would help.

TIA,
Lee


Access-Accept attributes problem

2004-08-18 Thread plam017
Hi,

What are the "must-have" attributes for Access-Accept?
According to RFC2865 all attributes are optional, so I thought just sending the
headers (code, identifier, length, response authenticator) should do the job,
but when I tried it, it doesn't want to acknowledge my Access-Accept packets.

Currently, in the Access-Request, it includes these attributes:

User-Name (1): xxx
User-Password (2): xxx
Service-Type (6): Authenticate-only
NAS-Identifier (32): localhost
NAS-IP-Address: 127.0.0.1

In my Access-Accept packet, I'm sending:
| code | id | length | response authenticator |

where code = 2
  id = (same id as access-request's id)
  length = 20
  response authenticator = MD5(code, id, length, request authenticator,
shared secret)

Am I missing something?

Thanks for your help

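As an added example (not from this thread and not FreeRADIUS code), the exchange the post describes in pure Python: a NAS-side Access-Request with the User-Password hidden per RFC 2865 section 5.2, a server-side Access-Accept that is nothing but the 20-byte header, and the check a NAS performs before it acts on a reply. The Response Authenticator is MD5 over Code, ID, Length, the Request Authenticator, the response attributes (empty here) and the shared secret, so a wrong secret, a mismatched ID or a tampered attribute is rejected. The secret, user name and Request Authenticator are constructed test values; a real NAS draws a fresh random Request Authenticator per request.

```python
import hashlib
import hmac
import struct

# Constructed values for the example only; a real NAS uses os.urandom(16)
# for the Request Authenticator of every request.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


def encode_attrs(attrs):
    """Encode (type, value) pairs as RFC 2865 Type/Length/Value attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first block is chained on the
    Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password exceeds 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side of hide_password: same keystream, chained on the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, request_auth, username, password, secret):
    """The Access-Request from the post: User-Name, User-Password,
    Service-Type, NAS-Identifier and NAS-IP-Address."""
    attrs = encode_attrs([
        (1, username),
        (2, hide_password(password, secret, request_auth)),
        (6, struct.pack("!I", 8)),          # Service-Type = Authenticate-Only
        (32, b"localhost"),                 # NAS-Identifier
        (4, bytes([127, 0, 0, 1])),         # NAS-IP-Address
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth +
    Attributes + Secret). With no attributes this is exactly the 20-byte
    header the post sends."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, expected_ident, request_auth, secret):
    """What a NAS must do before acting on a reply: match the ID to an
    outstanding request and recompute the Response Authenticator."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return False
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    request = build_access_request(7, REQUEST_AUTH, b"alice", b"s3cret", SECRET)
    accept = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET)
    print(len(accept), verify_response(accept, 7, REQUEST_AUTH, SECRET))
```

The verification step is the part worth keeping in mind when a hand-built server "is not acknowledged": the NAS recomputes the digest over the whole reply with its copy of the secret, so a Length field that does not match the bytes on the wire, a stale ID, or a secret mismatch all look the same to it as a forged packet.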


Re: CHAP not working with ldap

2004-08-18 Thread Alan DeKok
kevin J <[EMAIL PROTECTED]> wrote:
> I found the line 1441 of rlm_ldap.c returns RLM_MODULE_INVALID if the 
> password is not pap:
...

  What you're missing is that's the *authentication* function.  The
LDAP database doesn't know how to do CHAP, it only knows how to do
PAP.  So the rlm_ldap module can send ONLY a PAP password to an LDAP
database.

> Should I change the line if I want to make ldap working with CHAP?

  No.

  Do not set "Auth-Type := LDAP".

  Alan DeKok.


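To make the point concrete, here is an added example in Python (not part of the thread and not FreeRADIUS code) modelling the two cases: PAP, where the server holds the cleartext the user sent and can check it against any stored form, and CHAP, where the server only holds ID || MD5(ID || password || challenge) and can verify it only if the directory handed it the cleartext password, which is what rlm_ldap does for a "{clear}" value during authorize. The directory contents, the user names and the lookup_password helper are constructed for the example; the challenge is the CHAP-Challenge attribute, or the Request Authenticator when that attribute is absent.

```python
import base64
import hashlib
import hmac

# Constructed directory contents for this example. The values mimic what
# rlm_ldap reads: a "{clear}" header marks a cleartext password, "{SHA}" a
# base64 SHA-1 digest as OpenLDAP stores it. Hypothetical users.
DIRECTORY = {
    "kevin": b"{clear}correct horse",
    "alice": b"{SHA}" + base64.b64encode(hashlib.sha1(b"alice-pw").digest()),
}


def lookup_password(username):
    """Return (scheme, value) for a user, or None if unknown or unparsable."""
    entry = DIRECTORY.get(username)
    if entry is None or not entry.startswith(b"{"):
        return None
    scheme, _, value = entry[1:].partition(b"}")
    return scheme.decode(), value


def verify_pap(username, password):
    """PAP: the server has the cleartext the user typed, so any stored form
    (cleartext or hash) can be checked; an LDAP bind works the same way."""
    found = lookup_password(username)
    if found is None:
        return False
    scheme, value = found
    if scheme == "clear":
        return hmac.compare_digest(value, password)
    if scheme == "SHA":
        digest = base64.b64encode(hashlib.sha1(password).digest())
        return hmac.compare_digest(value, digest)
    return False


def chap_response(ident, password, challenge):
    """What the client sends as CHAP-Password: ID || MD5(ID || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(username, chap_password, challenge):
    """CHAP: the server must recompute the MD5, which needs the cleartext
    password; a hashed directory entry cannot authenticate a CHAP client."""
    if len(chap_password) != 17:
        return False
    found = lookup_password(username)
    if found is None or found[0] != "clear":
        return False
    expected = chap_response(chap_password[0], found[1], challenge)
    return hmac.compare_digest(expected, chap_password)


if __name__ == "__main__":
    challenge = bytes(range(16))
    print(verify_chap("kevin", chap_response(0x2A, b"correct horse", challenge), challenge))
    print(verify_chap("alice", chap_response(0x2A, b"alice-pw", challenge), challenge))
```

In FreeRADIUS terms this is why Auth-Type should not be forced to LDAP for CHAP clients: rlm_ldap supplies the cleartext password in authorize, the CHAP module does the MD5 comparison in authenticate, and an LDAP bind can only ever prove a PAP password.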


Re: CHAP not working with ldap

2004-08-18 Thread kevin J
kevin J wrote:
> Our ldap has USER-CTPASSWORD for clear-text.  I properly modified 
> ldap.attrmap and dictionary.  I put password_header = "{clear}" in 
> the ldap module (radiusd.conf) but I got
> 
> rlm_ldap: Attribute: "User-Password" is required for authentication.  
> Cannot use "CHAP-Password"
> 
> Anybody know how to do CHAP with a password which is extracted from ldap?
> Kevin 

I found that line 1441 of rlm_ldap.c returns RLM_MODULE_INVALID if the 
password is not PAP:

    if(request->password->attribute != PW_PASSWORD) {
        radlog(L_AUTH, "rlm_ldap: Attribute \"User-Password\" is required for \
                        authentication. Cannot use \"%s\".", request->password->name);
        return RLM_MODULE_INVALID;
    }

Should I change the line if I want to make ldap work with CHAP?
Another question is, if I want to use a persistent connection to ldap, 
then what should I do?
It looks like radius binds to ldap per authentication.

Thanks,
Kevin


RE: require valid-user

2004-08-18 Thread Rangel, Luciano
I solved my problem...

The correct line in the .htaccess file is:

require user teste


Thanks 





Re: Cisco VoIP

2004-08-18 Thread Amedzekor Kafui
I am also trying to achieve something similar. I have
quintum gateways included as well.

I notice that there is no information on the subject.
You have to use your understanding of the radius
protocol to do this.

In case you find a site, let me know.

Thanks.

Kafui Amedzekor.

--- "Gregory D. Burns" <[EMAIL PROTECTED]> wrote:

> Group, 
>  
> I have used freeradius to collect CDR's from Cisco before. But I
> want to learn how much can really be done, and also wanted to allow my
> customers to do some config changes (like adding new gateways) from a
> web interface. At this point I'm doing a lot of reading and testing, but
> I notice a lot of what I'm reading does not apply to using it for Cisco
> voip CDRs. 
>  
> So my question is, does anyone know of a good web page, news group, IRC,
> or whatever, that talks about using freeradius on VOIP gateways?  
>  
> -Greg
> 






require valid-user

2004-08-18 Thread Rangel, Luciano
Hello,

I'm trying to use the function require valid-user in the .htaccess
file but it does not work. When I try to access with another user I obtain.  

My .htaccess file

##
#
#  A sample per-directory access-control configuration, to be used
#  as a '.htacces' file.
#

#
# Use basic password authentication.
# AuthType Digest won't work with RADIUS authentication.
#
AuthType Basic

#
# Tell the user the realm to which they're authenticating.
# This string should be configured for your site.
#
AuthName "RSA Authentication"

#
# don't use 'mod_auth'.
# You might want to disable other authentication types here.
# You can get a similar effect by commenting out the
# 'AddModule mod_auth_*' lines, previously in httpd.conf
#
AuthAuthoritative off

#
# Use mod_auth_radius for all authentication, and make the responses
# from it authoritative.
#
AuthRadiusAuthoritative on

#
# Make a local variation of AddRadiusCookieValid.  The server will choose
# the MINIMUM of the two values.
#
# AuthRadiusCookieValid 
#
AuthRadiusCookieValid 5

#
# Set the use of RADIUS authentication at this "
#
# Locally set the RADIUS authentication active.

#
# If there is a directory which you do NOT want to have RADIUS
# authentication for, then use a  directive, and
# set "AuthRadiusActive Off"
#
AuthRadiusActive On

#
# require that mod_auth_radius return a valid user, otherwise
# access is denied.
#
require valid-user teste




Thanks.

Luciano




any help with this please..!!

2004-08-18 Thread jassim El-mansori
hello, 
hey all of you, I'm wondering if there is something
wrong with my question, therefore it was ignored.

I have something like this "below" to implement and
I'm running out of time; it's my final year project.

(WIN2000)<-eth1>(RH9+freeradius)[Internet]

I've downloaded freeradius as well as the NTPingrad, I
tested the freeradius and it works perfectly.
Now what I'm after is how the user who is on the
WIN2k can gain access to the Internet when he is
authenticated.
I set up a firewall and it's fine, as well as a dhcp
on eth1..
Bhusan suggested using the pGINA+RADIUS plugin..
I did, and what happened is that the WIN2k crashed;
there is an error message saying "warning: WINLOG.exe
has generated an error and will be shut down by
Windows and you will need to restart the program"...and it
keeps restarting by itself.

Milver suggests that I point IE to use radius for
authentication..sounds good,
but I can't find any post about this in the mailing
list...please, I'm begging you guys, if any one of you has a
solution for this or has got the posts that talk about
IE and freeradius, please
mail it to me on
[EMAIL PROTECTED]
many thanks in advance..


Re: ppp doesn't work

2004-08-18 Thread Thor Spruyt
John Wry wrote:
> yes, but how do I configure my NAS?
> I would like to configure pppd to authenticate with radius...

http://www.google.com/search?q=pppd+radius

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65




Cisco VoIP

2004-08-18 Thread Gregory D. Burns

Group, 

I have used freeradius to collect CDR's from Cisco before. But I
want to learn how much can really be done, and also wanted to allow my
customers to do some config changes (like adding new
gateways) from a web interface. At this point I'm
doing a lot of reading and testing, but I notice a lot of what I'm
reading does not apply to using it for Cisco voip CDRs. 

So my question is, does anyone know
of a good web page, news group, IRC, or whatever, that talks about using freeradius on VOIP gateways?  

-Greg


RE: mod_auth_radius and ACE/Server

2004-08-18 Thread Rangel, Luciano
I used this documentation and I solved my problem. Thanks for your help
Alan.


Luciano


Some caveats
  

  This works fine for static passwords (i.e. "user", "password"), but needs
  a bit more attention for one-time passwords.  All of the browsers I've
  tested don't use the cookie immediately if you're accessing a directory
  as:

  http://www.example.com/

  What's hidden here is that the following files are checked for:

  http://www.example.com/
  http://www.example.com/home.html
  http://www.example.com/home.cgi
  http://www.example.com/index.cgi
  http://www.example.com/index.html

  etc., all in sequence.  This module does a 'stat', and returns "NOT FOUND"
  when anyone tries to access a file which doesn't exist.  However,
  it WILL authenticate for a file which does exists, but the browser may
  not use the returned cookie when accessing a different page.

  The way to fix this is to point the browser at a specific page. i.e.

  http://www.example.com/
 says "connect to our _secure_ site",  where _secure_ is a link to

  http://www.example.com/secure/index.html


  People using static passwords don't need to do this, but if they don't,
  they'll notice that their RADIUS server is getting 1-4 hits for every web
  authentication request.


  Some browsers (I.E.) have a problem with sending cookies on initial
  requests. If you have a file index.html which includes img/foo.gif
  in the same directory.  The user authenticates, reads index.html
  (with the cookie in the request header), BUT on reading the gifs,
  the cookie is NOT included.

  This problem can be avoided by EITHER putting the gifs in the same
  directory as the index.html file, or moving the entire tree
  down a node, and having a NEW index.html which points to
  ./moved/index.html
  This is ridiculously ugly, but it seems to work.


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 18, 2004 12:15 PM
To: [EMAIL PROTECTED]
Subject: Re: mod_auth_radius and ACE/Server 


"Rangel, Luciano" <[EMAIL PROTECTED]> wrote:
> I'm using Freeradius as a Proxy Radius to the ACE/Server. When I try
> to authenticate in the Apache Server it executes several requests of
> user and password in the Proxy Radius, causing a PASSCODE REUSE ATTACK
> detection in the ACE/Server.
>
>   How can I execute only one request to the Proxy Freeradius? 

  Read the documentation which comes with mod_auth_radius, and the
comments at the start of the C file.  It describes when the module
sends multiple requests, why, and how to fix it.

  Alan DeKok.




Re: ppp doesn't work

2004-08-18 Thread John Wry
yes, but how do I configure my NAS?
I would like to configure pppd to authenticate with radius...
On Tuesday, August 17, 2004, at 08:34 PM, Dana Hudes wrote:
> On Tue, 17 Aug 2004, John Wry wrote:
> > but, when my users dial in (over modem ttys0) freeradius is 
> > bypassed
> > Thanks.
> > John Wry
> NAS configuration problem. If you don't tell the NAS to use RADIUS and
> tell it where to find the server



RE: Creating Groups

2004-08-18 Thread Ryan Moreton
Sorry Alan I didn't mean to offend, 

Although I must admit that I did wonder if you had missed it as I did state
that they were declared in the users file.

Am I right in thinking that I also need to declare the groups elsewhere,
such as my MySQL backend or the local passwd file? Is it enough to simply
declare them in the user file the same way that users are created?

I have also tried creating the groups in the huntgroup file but the same
issue happened where only the superuser can authenticate successfully.

Can you confirm if my declaration of groups is correct, or can I assist by
providing any more debug output?

DEFAULT Group == "Read-Access"
Cisco-AVPair == 'shell:priv-lvl=7',
User-Name = user1,
User-Name = user2

DEFAULT Group == "Full-Access"
Cisco-AVPair == 'shell:priv-lvl=15',
User-Name = user1,
User-Name = user2

Many thanks in advance,

Ryan

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: 18 August 2004 16:12
To: [EMAIL PROTECTED]
Subject: Re: Creating Groups 


Ryan Moreton <[EMAIL PROTECTED]> wrote:
> sorry, I've added the following into the users file.
...

  That's nice.  You already posted it.  Did you think I didn't read it?

  As I said before, you didn't say where you created the groups.

  Alan DeKok.



Load balancing accounting best practice?

2004-08-18 Thread David Stanaway
Hi,

I was wondering what was the best practice for load balancing radius
accounting across multiple radius servers with freeradius?

Does it make sense to have a couple of freeradius proxy servers for each
NAS (Default/Failover) and the proxies distribute load to the
freeradius/accounting servers. It seems that proxies are mostly intended
for different auth realms being handled by different servers.

What I am looking for is to be able to distribute load across a number
of radius boxes and to be able to easily take some nodes out of
rotation, or add to the rotation without needing to reconfigure all of
the nas servers.

-- 
David Stanaway <[EMAIL PROTECTED]>




Re: mod_auth_radius and ACE/Server

2004-08-18 Thread Alan DeKok
"Rangel, Luciano" <[EMAIL PROTECTED]> wrote:
> I'm using Freeradius as a Proxy Radius to the ACE/Server. When I try
> to authenticate in the Apache Server it executes several requests of
> user and password in the Proxy Radius, causing a PASSCODE REUSE ATTACK
> detection in the ACE/Server.
>
>   How can I execute only one request to the Proxy Freeradius? 

  Read the documentation which comes with mod_auth_radius, and the
comments at the start of the C file.  It describes when the module
sends multiple requests, why, and how to fix it.

  Alan DeKok.




Re: Creating Groups

2004-08-18 Thread Alan DeKok
Ryan Moreton <[EMAIL PROTECTED]> wrote:
> sorry, I've added the following into the users file.
...

  That's nice.  You already posted it.  Did you think I didn't read it?

  As I said before, you didn't say where you created the groups.

  Alan DeKok.



mod_auth_radius and ACE/Server

2004-08-18 Thread Rangel, Luciano
Hello,

I'm having a problem when I use the Apache authentication module
"mod_auth_radius" with Freeradius and ACE/Server.

I'm using Freeradius as a Proxy Radius to the ACE/Server. When I try to
authenticate in the Apache Server it executes several requests of user and
password in the Proxy Radius, causing a PASSCODE REUSE ATTACK detection in the
ACE/Server.

How can I execute only one request to the Proxy Freeradius? 

Thanks for help.

Luciano 
 




RE: Creating Groups

2004-08-18 Thread Ryan Moreton
sorry, I've added the following into the users file.

Users File
DEFAULT Group == "Read-Access"
Cisco-AVPair == 'shell:priv-lvl=7',
User-Name = user1,
User-Name = user2

DEFAULT Group == "Full-Access"
Cisco-AVPair == 'shell:priv-lvl=15',
User-Name = user1,
User-Name = user2

user1 Auth-Type := Local, User-Password == "user1"
Service-Type = Framed-User,
Framed-Protocol = None

user2 Auth-Type := Local, User-Password == "user2"
Service-Type = Framed-User,
Framed-Protocol = None

superuser Auth-Type := Local, User-Password == "superuser"
Service-Type = Framed-User,
Cisco-AVPair = 'shell:priv-lvl=15',
Framed-Protocol = None


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: 18 August 2004 15:42
To: [EMAIL PROTECTED]
Subject: Re: Creating Groups 


Ryan Moreton <[EMAIL PROTECTED]> wrote:
> I've created a superuser login, which works fine, but it doesn't recognise
> any user in the groups I've created. Can somebody tell me what I've done
> wrong?

  You didn't say where you created the groups.

  Alan DeKok.



Re: Creating Groups

2004-08-18 Thread Alan DeKok
Ryan Moreton <[EMAIL PROTECTED]> wrote:
> I've created a superuser login, which works fine, but it doesn't recognise
> any user in the groups I've created. Can somebody tell me what I've done
> wrong?

  You didn't say where you created the groups.

  Alan DeKok.



Re: freeradius port 1814

2004-08-18 Thread Thor Spruyt
[EMAIL PROTECTED] wrote:
> does anybody know why freeradius opens a Port 1814(tdp-suite)?

I might be wrong, but I think it's as follows:

When you have realms configured to be proxied to other radius servers, your
radius server will be the "client" and the other radius servers will be the
"servers".
Port 1814 is thus the source port freeradius uses as a client to send
packets to the servers it proxies to.

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65




Re: Freeradius v1.0 under Fedora Core 2

2004-08-18 Thread Paul Bender
Øystein Gåsdal wrote:
> Anyone tried this?
> Last time I installed was on a RedHat v7.2 installation, and the files
> installed themselves nicely in /usr/local/etc/raddb, but when I try the
> same thing on Fedora Core 2, that dir is empty. 
> 
> And when I run updatedb, and write locate radiusd.conf, the only file I find
> is in the installdir. So it seems to me it is not installed at all.
> But it's very possible I'm doing something wrong, since this whole linux /
> freeradius thing is new ground to me :)
> Any tips?

I suggest that you download, rebuild and install the FreeRADIUS 1.0.0 
source RPM from Fedora Core development. 
I am running it on Fedora Core 2 without any problems.



Re: Freeradius v1.0 under Fedora Core 2

2004-08-18 Thread Graeme Hinchliffe
On Wed, 2004-08-18 at 14:49, Øystein Gåsdal wrote:
> Last time I installed was on a RedHat v7.2 installation, and the files
> installed themselves nicely in /usr/local/etc/raddb, but when I try the
> same thing on Fedora Core 2, that dir is empty. 
> 
> And when I run updatedb, and write locate radiusd.conf, the only file I find
> is in the installdir. So it seems to me it is not installed at all.

/etc/freeradius ?

where it appears on Debian, and makes sense to me.

no idea why updatedb wouldn't find it.. does the freeradius daemon start
up?  if you run freeradius -X does the startup tell you where it is
getting its config from?

(you did do the install as root, yeah?)

hope that's of some help.

-- 
-
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk/)

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005





Re: SQL STOP with no START

2004-08-18 Thread Simon Bryden
> hi,
>
> maybe because accounting_stop_query is set to an 'UPDATE' statement and
> not an 'INSERT' statement.
>
> roy
>

No - with no START message, the accounting_stop_query_alt is used instead of 
the accounting_stop_query, which does an INSERT.
Regards,
Simon.
---

> On Wed, 2004-08-18 at 21:46, Simon Bryden wrote:
> > Does anyone know why the default sql.conf file with freeradius 1.0
> > doesn't write the value of Client-IP-Address to the database in the case
> > where a STOP is received with no START (i.e. using
> > accounting_stop_query_alt)?
> >
> > I am about to change this behaviour, since I need to know the
> > Client-IP-Address, but wanted to check if this might be omitted for a
> > good reason.
> >
> > Thanks,
> > Simon.
> > ---
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius v1.0 under Fedora Core 2

2004-08-18 Thread Simon Bryden
> Last time I installed was on a RedHat v7.2 installation, and the files
> installed themselves nicely in /usr/local/etc/raddb, but when I try the
> same thing on Fedora Core 2, that dir is empty.
>
Most dists put the config files in /usr/etc

The easiest way to find them is to look for the executables (e.g. "which 
radclient"), then the prefix will usually be the same.

e.g. if "which radclient" returns "/usr/bin/radclient" then the prefix is 
"/usr" and you will normally find your config files in "/usr/etc/raddb"

Simon.
---

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL STOP with no START

2004-08-18 Thread ROY
hi,

maybe because accounting_stop_query is set to an 'UPDATE' statement and
not an 'INSERT' statement.

roy

On Wed, 2004-08-18 at 21:46, Simon Bryden wrote:
> Does anyone know why the default sql.conf file with freeradius 1.0 doesn't 
> write the value of Client-IP-Address to the database in the case where a 
> STOP is received with no START (i.e. using accounting_stop_query_alt)?
> 
> I am about to change this behaviour, since I need to know the 
> Client-IP-Address, but wanted to check if this might be omitted for a good 
> reason.
> 
> Thanks,
> Simon.
> ---
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: "how to authenticate IE from freeradius"

2004-08-18 Thread Jeff Green
 
Hi,


Simon's correct, you need a firewall to control access to the resource
(in this case the internet). You can then configure the firewall to use
a RADIUS server for authentication/authorisation.

I know the Cisco PIX range supports this ("cut-through proxy"), I'm sure
other firewalls do something similar.


Regards,


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Simon
Bryden
Sent: 18 August 2004 14:43
To: [EMAIL PROTECTED]; jassim El-mansori
Subject: Re: "how to authenticate IE from freeradius"

The problem is not pointing IE to freeradius, the problem is controlling
the access. You need to find a solution to this first, then point *that*
to freeradius.

Simon.
---

On Wednesday 18 August 2004 14:36, jassim El-mansori wrote:
> hello
> I'm looking for a way to point the IE on WIN2000 to freeradius, so the 
> user can seek authentication, and then radius allows him in to 
> browse the internet. Thank you all
>
>
>
> __
> Do you Yahoo!?
> Yahoo! Mail - 50x more storage than other providers!
> http://promotions.yahoo.com/new_mail
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
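The exchange Jeff and Simon describe, between the enforcement point (the firewall or gateway in front of the user, acting as RADIUS client) and the RADIUS server, as an added example that is not part of this thread and not FreeRADIUS code: the client sends an Access-Request with the User-Password hidden as RFC 2865 section 5.2 specifies, the server recovers and checks it and answers with an Access-Accept or Access-Reject, and the client acts on the reply only after verifying the Response Authenticator. The shared secret `testing123`, the user `jassim`, the NAS address 10.10.11.14 and the in-memory user table are constructed for the example.

```python
# Added example, not FreeRADIUS code: the shared secret, user table and NAS address are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

def _password_xor(data, secret, request_auth, decrypt):
    # RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous ciphertext
    # block); the first "previous block" is the Request Authenticator.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decrypt else result
    return out

def hide_password(password, secret, request_auth):
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_xor(padded, secret, request_auth, decrypt=False)

def reveal_password(hidden, secret, request_auth):
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    # NUL padding is stripped, so a password ending in NUL is not representable.
    return _password_xor(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    # TLV walk with the bounds checks a server must do before trusting a datagram.
    attrs, i = [], 0
    while i < len(data):
        alen = data[i + 1] if i + 1 < len(data) else 0
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + alen]))
        i += alen
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body

def parse_packet(raw):
    if len(raw) < HEADER.size:
        raise ValueError("short packet")
    code, ident, length, auth = HEADER.unpack_from(raw)
    if length < HEADER.size or length > len(raw):
        raise ValueError("Length field inconsistent with datagram")
    return code, ident, auth, decode_attrs(raw[HEADER.size:length])

def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()

def access_request(user, password, secret, nas_ip, ident):
    request_auth = os.urandom(16)  # fresh per request; it keys the password hiding
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(raw, secret, users):
    # Server: recover the password, compare in constant time, sign the reply.
    code, ident, request_auth, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    got = dict(attrs)
    expected = users.get(got.get(USER_NAME))
    try:
        supplied = reveal_password(got[USER_PASSWORD], secret, request_auth)
    except (KeyError, ValueError):
        supplied = None
    ok = expected is not None and supplied is not None and hmac.compare_digest(supplied, expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [(SERVICE_TYPE, b"\x00\x00\x00\x01")] if ok else []  # Service-Type = Login
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)

def client_verify_reply(raw, request_auth, ident, secret):
    # Client: act on a reply only if its Response Authenticator verifies, else it may be spoofed.
    code, reply_ident, auth, attrs = parse_packet(raw)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if reply_ident != ident or not hmac.compare_digest(expected, auth):
        raise ValueError("reply does not match request (wrong secret, forged, or stale)")
    return code, attrs

def run_exchange(user, password, users, client_secret, server_secret, ident=7):
    # Whole round trip; None means the client discarded an unauthenticated reply.
    request, request_auth = access_request(user, password, client_secret, "10.10.11.14", ident)
    reply = server_handle(request, server_secret, users)
    try:
        return client_verify_reply(reply, request_auth, ident, client_secret)[0]
    except ValueError:
        return None
```

The point the firewall side must get right is in `client_verify_reply`: nothing is opened until the Response Authenticator checks out, because an Access-Accept is only as trustworthy as the shared secret. That same secret is all that protects the hidden password on the wire, so the RADIUS leg belongs on a management network, not on the segment the unauthenticated user is sitting on.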


Freeradius v1.0 under Fedora Core 2

2004-08-18 Thread Øystein Gåsdal
Anyone tried this?

Last time I installed was on a RedHat v7.2 installation, and the files
installed themselves nicely in /usr/local/etc/raddb, but when I try the
same thing on Fedora Core 2, that dir is empty. 

And when I run updatedb, and write locate radiusd.conf, the only file I find
is in the installdir. So it seems to me it is not installed at all.

But it's very possible i'm doing something wrong, since this whole linux /
freeradius thing is new ground to me :)

Any tips?

Thanks,
Øystein Gåsdal
Norway
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


SQL STOP with no START

2004-08-18 Thread Simon Bryden
Does anyone know why the default sql.conf file with freeradius 1.0 doesn't 
write the value of Client-IP-Address to the database in the case where a 
STOP is received with no START (i.e. using accounting_stop_query_alt)?

I am about to change this behaviour, since I need to know the 
Client-IP-Address, but wanted to check if this might be omitted for a good 
reason.

Thanks,
Simon.
---

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: "how to authenticate IE from freeradius"

2004-08-18 Thread Simon Bryden
The problem is not pointing IE to freeradius, the problem is controlling the 
access. You need to find a solution to this first, then point *that* to 
freeradius.

Simon.
---

On Wednesday 18 August 2004 14:36, jassim El-mansori wrote:
> hello
> I'm looking for a way to point the IE on WIN2000 to
> freeradius, so the user can seek authentication, and
> then radius allows him in to browse the internet
> thank you all
>
>
>
> __
> Do you Yahoo!?
> Yahoo! Mail - 50x more storage than other providers!
> http://promotions.yahoo.com/new_mail
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Creating Groups

2004-08-18 Thread Ryan Moreton
Hi all,

I want to create a group with a Cisco AV Pair privilege level of seven and
another group with a privilege level of 15 within the users file.

I want the same users to be included in both groups and determine the
privilege level by the huntgroup file depending on the IP address of the NAS
server.

I've created a superuser login, which works fine, but it doesn't recognise
any user in the groups I've created. Can somebody tell me what I've done
wrong?

Many thanks in advance!

Ryan

Users File
DEFAULT Group == "Read-Access"
        Cisco-AVPair == 'shell:priv-lvl=7',
        User-Name = user1,
        User-Name = user2

DEFAULT Group == "Full-Access"
        Cisco-AVPair == 'shell:priv-lvl=15',
        User-Name = user1,
        User-Name = user2

user1   Auth-Type := Local, User-Password == "user1"
        Service-Type = Framed-User,
        Framed-Protocol = None

user2   Auth-Type := Local, User-Password == "user2"
        Service-Type = Framed-User,
        Framed-Protocol = None

superuser   Auth-Type := Local, User-Password == "superuser"
        Service-Type = Framed-User,
        Cisco-AVPair = 'shell:priv-lvl=15',
        Framed-Protocol = None

Huntgroup File
test1   NAS-IP-Address == 10.10.11.14
        User-Name = superuser,
        Group = Read-Access

test2   NAS-IP-Address == 10.10.11.15
        User-Name = superuser,
        Group = Full-Access




 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
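A users/huntgroups layout that does what Ryan asks for, as an added example that is neither from his post nor from the FreeRADIUS distribution. It assumes the two NAS addresses and the user names from his post and relies on two points of the users-file format: `Group` is a check item for Unix group membership (not a huntgroup), and a `User-Name = ...` line under an entry is a reply item, so it never restricts who matches. The huntgroups file names each NAS, the per-user entries check the password and fall through, and DEFAULT entries keyed on `Huntgroup-Name` then add the privilege level. `Service-Type = NAS-Prompt-User` is used here because the target is an exec (shell) login; Framed-User is the value for framed sessions such as PPP.

```text
# /etc/raddb/huntgroups (assumed path): one name per NAS
Read-Access   NAS-IP-Address == 10.10.11.14
Full-Access   NAS-IP-Address == 10.10.11.15

# /etc/raddb/users: per-user entries first, each falling through to the
# huntgroup-keyed DEFAULT entries below
user1   Auth-Type := Local, User-Password == "user1"
        Service-Type = NAS-Prompt-User,
        Fall-Through = Yes

user2   Auth-Type := Local, User-Password == "user2"
        Service-Type = NAS-Prompt-User,
        Fall-Through = Yes

# superuser gets level 15 everywhere; no Fall-Through, so the DEFAULTs
# below never add a second Cisco-AVPair
superuser   Auth-Type := Local, User-Password == "superuser"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# Huntgroup-Name is set by the preprocess module from the huntgroups file.
# These entries carry no password check, so they must stay after the user
# entries; an unlisted user never picks up an Auth-Type and is rejected.
DEFAULT Huntgroup-Name == "Read-Access"
        Cisco-AVPair = "shell:priv-lvl=7"

DEFAULT Huntgroup-Name == "Full-Access"
        Cisco-AVPair = "shell:priv-lvl=15"
```

Two things to check after making this change: run `radiusd -X` and confirm that a request from 10.10.11.14 shows both the user entry and the Read-Access DEFAULT matching; and note that a request from a NAS in neither huntgroup falls through without any Cisco-AVPair, so the router applies its own default privilege level rather than denying the login.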


RE: 30Day Limit

2004-08-18 Thread Dustin Doris
On Tue, 17 Aug 2004, Charles J. Boening wrote:

> That would give a user 30 days total.  They could take 6 months to use
> it right?

Oh ya, you are right.  The suggestion I gave would give 30 days total
but it could take forever to expire.

>
> If you're issuing a scratch type ticket I'm assuming it has a username
> and password on it.  So you should already have those users in your
> database.  If your accounting is working right, you could run a nightly
> query to see what accounts don't have an expiration and then if those
> accounts have ever logged in.  If they've logged in and don't have an
> expiration, set the expiration for 30 days from the initial login.
>
>
> Charlie
>
>
>
> -Original Message-
> From: Dustin Doris [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 17, 2004 6:25 AM
> To: [EMAIL PROTECTED]
> Subject: Re: 30Day Limit
>
> Check out the rlm_sqlcounter module.  Read doc/rlm_sqlcounter.  In your
> sqlcounter.conf file you can use something like this.
>
> sqlcounter poolofminutes {
> counter-name = Max-All-Session-Time
> check-name = Max-All-Session
> sqlmod-inst = sql
> key = User-Name
> reset = never
> query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE
> UserName='%{%k}'"
> }
>
> Then in your sql table, you'll add something like this for say user bob
>
> insert into radcheck set UserName = 'bob', Attribute =
> 'Max-All-Session-Time', Value = '2592000', op = ':=';
>
> This will insert the Max-All-Session-Time of 2592000 seconds
> (30*24*60*60).
>
>
> Hope that helps,
>
> -Dusty Doris
>
> On Tue, 17 Aug 2004, sarky wrote:
>
> > Hi all
> >
> > I am using Mysql to do the restrictions.
> >
> > I want to do something like this:
> > When a user logs in for the first time it will give a restriction of
> > 30days access time, i.e: logged on: 1st Jan 2004 then it expires 30th
> > Jan 2004
> >
> > Thank you
> >
> > Sarky
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
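Dustin's total-time counter and Charlie's nightly expiration, carried through as an added example that is not part of this thread and not FreeRADIUS code: an in-memory SQLite stand-in for the radcheck and radacct tables, the counter query run against it, the accept/reject decision sqlcounter makes from the result (with the remaining time that would go out as Session-Timeout), and a nightly job that stamps an Expiration check item 30 days after the first login. The users bob, alice and carol, their sessions, and the `%b %d %Y %H:%M` date format used for Expiration are assumptions made for the example.

```python
# Added example, not FreeRADIUS code: an in-memory SQLite stand-in for radcheck/radacct.
# Column names follow the FreeRADIUS SQL schema; the Expiration date format is an assumption.
import sqlite3
from datetime import datetime, timedelta

EXPIRATION_FMT = "%b %d %Y %H:%M"  # assumed form of the Expiration check item value

SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT NOT NULL,
                       Attribute TEXT NOT NULL, op TEXT NOT NULL, Value TEXT NOT NULL);
CREATE TABLE radacct  (RadAcctId INTEGER PRIMARY KEY, UserName TEXT NOT NULL,
                       AcctStartTime TEXT NOT NULL, AcctStopTime TEXT, AcctSessionTime INTEGER);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def provision(db, user, password, max_all_session):
    # The radcheck rows Dustin describes: a password and a Max-All-Session-Time per user.
    db.executemany("INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
                   [(user, "User-Password", "==", password),
                    (user, "Max-All-Session-Time", ":=", str(max_all_session))])

def record_session(db, user, start, seconds):
    stop = start + timedelta(seconds=seconds)
    db.execute("INSERT INTO radacct (UserName, AcctStartTime, AcctStopTime, AcctSessionTime)"
               " VALUES (?, ?, ?, ?)", (user, start.isoformat(" "), stop.isoformat(" "), seconds))

def used_seconds(db, user):
    # Dustin's counter query, with the user name bound as a parameter rather than
    # spliced into the SQL text.
    row = db.execute("SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?",
                     (user,)).fetchone()
    return int(row[0])

def pool_check(db, user):
    """What sqlcounter decides at authorize time: ("reject", 0) when the pool is
    used up, ("accept", seconds_left) otherwise, ("accept", None) with no limit set."""
    row = db.execute("SELECT Value FROM radcheck WHERE UserName = ? AND Attribute = 'Max-All-Session-Time'",
                     (user,)).fetchone()
    if row is None:
        return ("accept", None)
    limit, used = int(row[0]), used_seconds(db, user)
    if used >= limit:
        return ("reject", 0)
    return ("accept", limit - used)  # sqlcounter sends this as Session-Timeout

def nightly_expire(db, window=timedelta(days=30)):
    # Charlie's nightly job: users with accounting rows but no Expiration check item
    # get Expiration := first login + window. Returns how many rows were added.
    rows = db.execute("""
        SELECT a.UserName, MIN(a.AcctStartTime) FROM radacct a
        WHERE NOT EXISTS (SELECT 1 FROM radcheck c
                          WHERE c.UserName = a.UserName AND c.Attribute = 'Expiration')
        GROUP BY a.UserName""").fetchall()
    for user, first_login in rows:
        expires = datetime.fromisoformat(first_login) + window
        db.execute("INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?, 'Expiration', ':=', ?)",
                   (user, expires.strftime(EXPIRATION_FMT)))
    return len(rows)

def expiration_of(db, user):
    row = db.execute("SELECT Value FROM radcheck WHERE UserName = ? AND Attribute = 'Expiration'",
                     (user,)).fetchone()
    return None if row is None else datetime.strptime(row[0], EXPIRATION_FMT)

def is_expired(db, user, now):
    expires = expiration_of(db, user)
    return expires is not None and now >= expires

def demo():
    # Constructed data: bob burns his whole 30-day pool, alice uses one hour, carol has no limit.
    db = open_db()
    month = 30 * 24 * 60 * 60
    for user in ("bob", "alice"):
        provision(db, user, "pw-" + user, month)
    record_session(db, "bob", datetime(2004, 1, 1, 0, 0), 3600)
    record_session(db, "bob", datetime(2004, 1, 2, 0, 0), month - 3600)
    record_session(db, "alice", datetime(2004, 1, 5, 12, 0), 3600)
    results = {name: pool_check(db, name) for name in ("bob", "alice", "carol")}
    results["first_run"] = nightly_expire(db)
    results["second_run"] = nightly_expire(db)  # idempotent: nothing left to stamp
    results["bob_expires"] = expiration_of(db, "bob")
    results["alice_expired_feb"] = is_expired(db, "alice", datetime(2004, 2, 10))
    results["alice_expired_jan"] = is_expired(db, "alice", datetime(2004, 1, 20))
    return results
```

The two checks are independent: the time pool cuts bob off as soon as his summed AcctSessionTime reaches the limit, while the calendar expiration cuts alice off 30 days after her first login even though she has used one hour. The counter query here binds the user name as a parameter; the `%{%k}` expansion in the module config splices it into the query text, which is worth checking for escaping in the version you run.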


RE: freeradius port 1814

2004-08-18 Thread Markus.Wintruff
Thanks, that's it ;-)

Markus Wintruff
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graeme Hinchliffe
Sent: Wednesday, 18 August 2004 14:52
To: FreeRADIUS list
Subject: Re: freeradius port 1814


On Wed, 2004-08-18 at 13:41, [EMAIL PROTECTED] wrote:
> Hello,
> 
> does anybody know why freeradius opens port 1814 (tdp-suite)?

proxy

1812 - RADIUS
1813 - RADACCT
1814 - ProxyRADIUS

I would believe

-- 
-
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk/)

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius port 1814

2004-08-18 Thread Graeme Hinchliffe
On Wed, 2004-08-18 at 13:41, [EMAIL PROTECTED] wrote:
> Hello,
> 
> does anybody know why freeradius opens port 1814 (tdp-suite)?

proxy

1812 - RADIUS
1813 - RADACCT
1814 - ProxyRADIUS

I would believe

-- 
-
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk/)

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius port 1814

2004-08-18 Thread Markus.Wintruff
Hello,

does anybody know why freeradius opens port 1814 (tdp-suite)?

Markus

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: solved Re: compile issues on solaris 7

2004-08-18 Thread Holger Steppke
Hi Mike,

I ran into the same issue. How did you change it?
Well, I could just ignore the stuff in line 355 (inet_ntop with AF_INET6),
but I don't think this is smart.

Bye
Holger


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Mike
> Sent: Wednesday, July 28, 2004 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: solved Re: compile issues on solaris 7
> 
> 
> Solved.  I changed the ifdef line in misc.c 
> 
> Mike
> 
> --- Mike <[EMAIL PROTECTED]> wrote:
> 
> > I am using solaris 7 with gcc.  When I try to
> > compile
> > it dies at line 381 in misc.c.  I have the 1.0.0
> > pre3
> > source code and here is my error message
> > 
> > gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS 
> -DOPENSSL_NO_KRB5 
> > -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS -I../include  
> > -DHMAC_SHA1_DATA_PROBLEMS -c misc.c -o misc.o
> > misc.c: In function `ipv6_ntoa':
> > misc.c:355: warning: implicit declaration of
> > function
> > `inet_ntop'
> > misc.c:355: error: `AF_INET6' undeclared (first use
> > in
> > this function)
> > misc.c:355: error: (Each undeclared identifier is
> > reported only once
> > misc.c:355: error: for each function it appears in.)
> > misc.c:355: warning: return makes pointer from
> > integer
> > without a cast
> > misc.c: In function `ipv6_addr':
> > misc.c:381: error: `AF_INET6' undeclared (first use
> > in
> > this function)
> > make[4]: *** [misc.o] Error 1
> > make[4]: Leaving directory
> > `/network/tmp/freeradius-1.0.0-pre3/src/lib'
> > make[3]: *** [common] Error 1
> > make[3]: Leaving directory
> > `/network/tmp/freeradius-1.0.0-pre3/src'
> > make[2]: *** [all] Error 2
> > make[2]: Leaving directory
> > `/network/tmp/freeradius-1.0.0-pre3/src'
> > make[1]: *** [common] Error 1
> > make[1]: Leaving directory
> > `/network/tmp/freeradius-1.0.0-pre3'
> > make: *** [all] Error 2
> > bash-2.05# 
> > 
> > Mike
> > 
> > 
> > 
> > 
> > __
> > Do you Yahoo!?
> > Yahoo! Mail - 50x more storage than other providers! 
> > http://promotions.yahoo.com/new_mail
> > 
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > 
> 
> 
> 
>   
>   
> __
> Do you Yahoo!?
> New and Improved Yahoo! Mail - 100MB free storage!
> http://promotions.yahoo.com/new_mail 
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
> 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


"how to authenticate IE from freeradius"

2004-08-18 Thread jassim El-mansori
hello
I'm looking for a way to point the IE on WIN2000 to
freeradius, so the user can seek authentication, and
then radius allows him in to browse the internet
thank you all



__
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


hi all

2004-08-18 Thread jassim El-mansori
hi all
 
the task that is doing my head in
is how to authenticate IE from freeradius...
please advise on this in more detail asap
thank you all



__
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.
http://promotions.yahoo.com/new_mail

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html