Extracting attributes from Cisco-AVPair

2004-08-23 Thread Evans Chisanga
Hi, I'm a radius newbie having difficulty extracting the Calling-Station-Id
from this attribute coming from the user request: 

Cisco-AVPair = h323-ivr-out=terminal-alias:1234,joe;

How can I extract the 1234 from this attribute into a Calling-Station-Id
variable? 

Any help will be most appreciated.

Evans




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


manage more ip pools with mysql tables

2004-08-23 Thread Simone Giovanardi
Thanks to Doris.

How can I modify the SQL tables to enable the ippools function with only a connection to the MySQL
db and the radiusd.conf file?

Thanks a lot

  -----Original Message-----
 From:     Simone Giovanardi
 Sent:     Friday, 20 August 2004 16:21
 To:       '[EMAIL PROTECTED]'
 Subject:  manage more ip pools

 Is it possible to manage more than one ippool in radiusd.conf?

 I've tried to make this but it doesn't work properly.

 Is there an example of radiusd.conf and users file to consult?

 Thanks a lot
 



Acct-Unique-Session-ID length

2004-08-23 Thread ROY
hi,

how can Acct-Unique-Session-ID length be increased to 16 bytes?
i'm no C guru, but, from rlm_acct_unique, seems like there's just room
for 8 bytes.

thanks in advance,

roy




FreeRadius EAP/TLS - Revoke a Certificate

2004-08-23 Thread DonLemmi

Hi everyone,

i'm trying to lay out a wireless LAN with EAP/TLS
Certificate-Authentication. For this purpose i use a Gentoo-Box with
FreeRADIUS Version 0.9.3 and OpenSSL 0.9.7d. The Authentication works
so far. My question now is, if it is possible to lock out a single
given, valid (not expired) certificate? Scenario would be that a
Notebook has been stolen so the User-Certificate on that Notebook
should be marked invalid while the User himself would get a new
Certificate. In this case, a simple Username-based lockout does not
work.
I looked for some docs on FreeRADIUS CRL - maybe a howto or similar, but
did not find any. Does this mean it is not possible?
Thank you in advance for your help.

Best regards,
Hendrik



Re: Extracting attributes from Cisco-AVPair

2004-08-23 Thread Alan DeKok
Evans Chisanga [EMAIL PROTECTED] wrote:
> Cisco-AVPair = h323-ivr-out=terminal-alias:1234,joe;
>
> How can I extract the 1234 from this attribute into a Calling-Station-Id
> variable?

  Regular expressions.

DEFAULT   Cisco-AVPair =~ "^.*alias:([0-9]+"
          Reply-Message = "Caller-ID is %{1}"

  Alan DeKok.



Re: Acct-Unique-Session-ID length

2004-08-23 Thread Alan DeKok
ROY [EMAIL PROTECTED] wrote:
> how can Acct-Unique-Session-ID length be increased to 16 bytes?
> i'm no C guru, but, from rlm_acct_unique, seems like there's just room
> for 8 bytes.

  There's room for lots more.  Just edit the module to print more
bytes to the buffer.

  Alan DeKok.




dialup-admin: bug or feature?

2004-08-23 Thread Muenz, Michael
Dear List,

I've played around with dialup-admin and now I've got some Q's:

When I create a new user like [EMAIL PROTECTED] the user
cannot be edited cause of the #. Is there a workaround?
I can find the user with edit user, and when I click 
DELETE it says: Are you sure you want to delete user user1
Yes shows me: User user1 deleted successfully
But the created user is in the DB. I'm sure that will all
work correctly when it accepts the #.

Second one must be a bug:
When I create a new group it says created successfully,
but when I want to add a new user I cannot select any
group. I can only do that when I add a user initially
when creating the group.
Any hints?

Thanks,

Michael






Re: FreeRadius EAP/TLS - Revoke a Certificate

2004-08-23 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I looked for some docs on FreeRADIUS CRL - maybe a howto or similar, but
> did not find any. Does this mean it is not possible?

  See raddb/eap.conf.  Look for crl

  Alan DeKok.



Re: Compile problem - cannot find -lz

2004-08-23 Thread Alan DeKok
SPROUSE Troy F [EMAIL PROTECTED] wrote:
> OK, I have fixed my problem that started this thread below by installing
> zlib-devel but now I am getting the following while running 'make'.
>
> Making static dynamic in rlm_x99_token...

  If you're not using rlm_x99_token, just delete the directory.

  Alan DeKok.



Re: PAP not working with ldap

2004-08-23 Thread Grant, Alastair Ian

Quoting kevin J [EMAIL PROTECTED]:

> Thanks Alastair,
>
> But, I just want to do ldap-authorize and pap-authenticate.  So, I
> uncommented only ldap in authorize
> and uncommented only pap in authenticate.  I am using clear-txt so I put
> {clear} in module def.

What I do for authentication is have LDAP do a bind to the directory with the user-name
and password.  I guess what you want though is to have the authorize get the password
from the directory and then have PAP authenticate this password against the user's
credentials.  This could be done by adding the user-password as a check item.  That
way, the item will be retrieved from the directory and checked against the value passed
from the supplicant.  To do this, uncomment passwordAttribute in the ldap section and
set its value to the name of the user password attribute (typically User-Password) in
the directory.

I am not too sure of what settings you will need in authorize and authenticate since I
never had a chance to test this method (we use encrypted passwords) but I would guess
you would need ldap in authorize and nothing in authenticate (if you can leave that
block empty).  Just play around with it.

Hopefully this is a bit more of what you want.  Let me know how it works out for you.

-Al
 
> It looks like that pap is not found for auth-type.
> :
>   rad_check_password:  Found Auth-Type LDAP
> auth: type LDAP
>   ERROR: Unknown value specified for Auth-Type.  Cannot perform
> requested action.
> auth: Failed to validate the user.
>
> I guess this is authorize issue and chap or eap can work because they
> have authorize function.  I guess radius does not run a module in
> authenticate if it is not identified in authorize.  Give me an advice
> if I am wrong.
>
> Thanks,
> Kevin
>
> Alastair Grant wrote:
>
> Kevin,
>  I have it working.  Well I use EAP-TTLS to create a secure tunnel between
> RADIUS and my supplicant first but then I send the data from supplicant to
> Radius via PAP and do LDAP authentication.  In this case it is alfa-ariss on
> Windows 2000.  I am at home and won't be back at the office until monday but
> I'll do my best to explain my set up.
> RADIUS:
>   my default_eap_type in the eap module is TTLS
>   in my authorize section I have preprocess, eap and ldap uncommented.
> Everything else is commented out.
>   in my authenticate section I have the LDAP block and eap uncommented.
> Everything else is commented out even the PAP stuff.
> Supplicant
>   I use an anonymous outer identity
>   My inner authentication method is PAP.
>
> Basically this allows the client to send a clear text password to the
> server (even though it is encrypted in the tunnel) and the server can then
> use this clear text password to do an LDAP bind for authentication.
>
> This might not seem very clear but I am doing it all from memory.  If
> this is at all what you are trying to do, send me an email monday and I'll
> send you some documentation I have on the actual setup.  Good luck.
>
> -Al
>
> ----- Original Message -----
> From: kevin J [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Thursday, August 19, 2004 5:50 PM
> Subject: Re: PAP not working with ldap
>
> kevin J wrote:
>
> Alan DeKok wrote:
>
> kevin J [EMAIL PROTECTED] wrote:
>
> Is it true?  So, PAP and some other module can't work with
> ldap-authorize???
>
>  No.
>
> CHAP worked but PAP did not work.
> What configuration should I check?  RADIUS did not bring PAP but tried
> LDAP for authentication.
>
> Kevin
>
> I am still having this problem.  Anybody who had worked for PAP with LDAP?
>
> Kevin



more ippools in the same groups

2004-08-23 Thread Simone Giovanardi
Is it possible to manage several different small ippools for the same user groups using a
MySQL database?

I need this because I want to manage the (few) available IPs more efficiently.

Thanks a lot



Re: Acct-Unique-Session-ID length

2004-08-23 Thread ROY

>   There's room for lots more.  Just edit the module to print more
> bytes to the buffer.
>
>   Alan DeKok.

done. once again, thanks alan for pointing it out.

used up 16 elements of md5_buf[0..15]. 

i hope nothing bad comes with the new mod.

-roy





Re: more ippools in the same groups

2004-08-23 Thread Dana Hudes
Sure, you can have as many IP pools as you want.
Remember that the rest of your network has to have a route to the
particular NAS for a particular IP address range.




attribute correct execution

2004-08-23 Thread Edgars
Hi all!
For example, I have such a situation. I have a NAS, and one PPTP client
which is connecting to this NAS.
I'm giving attributes to this client using freeradius+postgresql
radreply table.
I want to give this NAS client, for example, a total session timeout of
30min (after this time the radius server should reject requests for this user).
So here is the problem which I still can't solve - after each 30min the
client is being disconnected and the next second again it's connected
for 30min.

So how do I tell the radius server that the timeout has completely run out and it
should not reauthenticate the user?

Edgars


Re: Extracting attributes from Cisco-AVPair

2004-08-23 Thread Evans Chisanga
Cheers Alan!

Evans



subscribe

2004-08-23 Thread Yyc
subscribe







Re: Extracting attributes from Cisco-AVPair

2004-08-23 Thread Alan DeKok
Evans Chisanga [EMAIL PROTECTED] wrote:
> Cheers Alan!

  Thanks.  One typo:

  DEFAULT   Cisco-AVPair =~ "^.*alias:([0-9]+"
            Reply-Message = "Caller-ID is %{1}"

  That should be ..."([0-9]+)"

  The %{1} comes from the grouping of round brackets.  See
doc/variables.text

  Alan DeKok.


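Alan's users entry relies on the regex check item storing its capture groups so that %{1} can be expanded in the reply. The following Python model of that mechanism is an added example, not FreeRADIUS code: it evaluates == and =~ check items against a constructed request, expands %{N} in reply items, and shows that the pattern with the missing ')' does not even compile.

```python
import re

# Constructed request, using the Cisco-AVPair value quoted in the thread.
REQUEST = {
    "User-Name": "joe",
    "Cisco-AVPair": "h323-ivr-out=terminal-alias:1234,joe;",
}

# Check items from the corrected users entry: (attribute, operator, value).
CHECK_ITEMS = [("Cisco-AVPair", "=~", r"^.*alias:([0-9]+)")]

# Reply items; %{1} refers to the first capture group of the =~ match.
REPLY_ITEMS = [("Reply-Message", "Caller-ID is %{1}")]

# The entry as first posted, with the closing ')' missing.
TYPO_PATTERN = r"^.*alias:([0-9]+"


def pattern_is_valid(pattern):
    """True if the regex compiles.  An unbalanced '(' is a compile error,
    so an entry written that way can never match anything."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def match_check_items(request, check_items):
    """Evaluate every check item; return the capture groups (dict N -> text)
    if all items match, otherwise None.  '==' is a literal string compare,
    '=~' is a regex search whose groups become %{1}, %{2}, ... for replies."""
    groups = {}
    for attr, op, value in check_items:
        actual = request.get(attr)
        if actual is None:
            return None
        if op == "==":
            if actual != value:
                return None
        elif op == "=~":
            if not pattern_is_valid(value):
                return None
            m = re.search(value, actual)
            if m is None:
                return None
            groups = {i: g or "" for i, g in enumerate(m.groups(), start=1)}
        else:
            raise ValueError("unsupported operator: " + op)
    return groups


_GROUP_REF = re.compile(r"%\{(\d)\}")


def expand(template, groups):
    """Expand %{N}; a group that does not exist expands to an empty string."""
    return _GROUP_REF.sub(lambda m: groups.get(int(m.group(1)), ""), template)


def build_reply(request, check_items=CHECK_ITEMS, reply_items=REPLY_ITEMS):
    """Return the reply attributes for a matching entry, or None when the
    entry does not match (the server would fall through to the next entry)."""
    groups = match_check_items(request, check_items)
    if groups is None:
        return None
    return {attr: expand(tmpl, groups) for attr, tmpl in reply_items}
```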


Re: attribute correct execution

2004-08-23 Thread Alan DeKok
Edgars [EMAIL PROTECTED] wrote:
> I want to give this NAS client, for example, a total session timeout of
> 30min (after this time the radius server should reject requests for this user).

  See rlm_sqlcounter.  It uses fields in SQL to enforce time limits.

  Alan DeKok.

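To show what rlm_sqlcounter does that a plain Session-Timeout reply does not, here is an added Python/sqlite3 model (not the module's code): it sums AcctSessionTime from a constructed radacct table, rejects once the total reaches the Max-All-Session limit, and otherwise replies with the remaining seconds as Session-Timeout, so a user who has used 30 minutes in total is rejected on reconnect. Table and column names follow the FreeRADIUS SQL schema; the reset period is assumed to be "never".

```python
import sqlite3

MAX_ALL_SESSION = 30 * 60  # the 30-minute total limit from the question


def open_radacct():
    """Create an in-memory radacct table with constructed accounting rows.
    Only the columns the counter needs are modelled."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, "
        "AcctSessionTime INTEGER)"
    )
    conn.executemany(
        "INSERT INTO radacct VALUES (?, ?, ?)",
        [
            ("edgars", 1000, 1200),  # 20 min
            ("edgars", 3000, 600),   # 10 min; total is now 30 min
            ("other", 1000, 60),
        ],
    )
    return conn


def counter_query(conn, username, reset_start=0):
    """The counter: seconds used since the last reset (reset=never -> 0)."""
    row = conn.execute(
        "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct "
        "WHERE UserName = ? AND AcctStartTime >= ?",
        (username, reset_start),
    ).fetchone()
    return int(row[0])


def sqlcounter_authorize(conn, username, limit=MAX_ALL_SESSION,
                         existing_timeout=None, reset_start=0):
    """Model of rlm_sqlcounter in authorize: compare the counter to the
    check item and either reject or set Session-Timeout to the remainder,
    never raising an existing, smaller Session-Timeout."""
    used = counter_query(conn, username, reset_start)
    if used >= limit:
        return {"result": "reject"}
    remaining = limit - used
    if existing_timeout is not None:
        remaining = min(remaining, existing_timeout)
    return {"result": "ok", "Session-Timeout": remaining}
```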


Re: Acct-Unique-Session-ID length

2004-08-23 Thread ROY
>   Nope.  It was made 8 bytes only because some systems don't like
> session Id's of more than 8 bytes.  If your system is fine with 16,
> don't worry about it.

Seems to be running fine on simulated setup. I needed the extra bits to
have (as they say) a hopefully unique column on my accounting table.

But then again, many thanks.

Roy




RE: Acct-Unique-Session-ID length

2004-08-23 Thread JLee
I am looking for software packages that help to monitor CPU usage, memory,
etc., on Radius boxes.  Any software out there that can do this?

Thanks

Jerry Lee





Re: when is group_membership_query used ?

2004-08-23 Thread Alan DeKok
MINODIER David RD-RESA-LAN [EMAIL PROTECTED] wrote:
> could someone tell me when the group_membership_query is called ?

  For the SQL-Group attribute.  And no, I don't think it's documented
anywhere.

> DEFAULT   Group == "GroupA"
>           Auth-Type = EAP

That should be:

DEFAULT SQL-Group == "GroupA", Auth-Type := EAP

> Congrats to all the developers who made the v1.0.0 !

  Thanks.

  Alan DeKok.



RE: Acct-Unique-Session-ID length

2004-08-23 Thread David
> I am looking for software packages that help to monitor CPU usage, memory,
> etc., on Radius boxes.  Any software out there that can do this?

I have been using Nagios and Cacti with good results.  You will need
to have snmp support installed.  I have used BigBrother and MRTG in
the past, which work well.




Re: Acct-Unique-Session-ID length

2004-08-23 Thread Richard Greasley
Definitely not within the scope of this list.
However, you can use Cacti to monitor your machine.

Regards,
Richardg;


dictionary.propel

2004-08-23 Thread David
Hi,

I noticed that FreeRadius 1.0.0 included dictionary.propel. Nice surprise.

Just an FYI, with the release of Propel's latest server software they
have added yet another VSA.

ATTRIBUTE Propel-Content-Filter-ID 6 integer

Not a big deal, but if time permits you may want to add it to
dictionary.propel.

Thanks,

Dave




Re: Acct-Unique-Session-ID length

2004-08-23 Thread Alan DeKok
ROY [EMAIL PROTECTED] wrote:
> Seems to be running fine on simulated setup. I needed the extra bits to
> have (as they say) a hopefully unique column on my accounting table.

  I don't see why you need the extra bits.  The purpose of the
attribute is to create an 8-octet unique session Id.  Adding another 8
octets shouldn't make much difference.

  Alan DeKok.


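As an added illustration of Alan's point (a Python model, not the rlm_acct_unique source): the module hashes its configured key attributes with MD5 and prints a prefix of the digest as hex, so the 8-byte and 16-byte variants differ only in how much of the same digest is kept, and the birthday bound shows how far 64 bits already go. The key list is assumed to be the default from radiusd.conf, the packet is constructed, and the real module hashes the attributes' encoded values where this model joins their string forms.

```python
import hashlib
import math

# Assumed default key list from the acct_unique stanza in radiusd.conf.
DEFAULT_KEY = ["User-Name", "Acct-Session-Id", "NAS-IP-Address",
               "Client-IP-Address", "NAS-Port"]

# Constructed accounting packet.
PACKET = {
    "User-Name": "roy",
    "Acct-Session-Id": "0000001A",
    "NAS-IP-Address": "192.0.2.10",
    "Client-IP-Address": "192.0.2.10",
    "NAS-Port": 7,
}


def acct_unique_session_id(packet, nbytes=8, key=DEFAULT_KEY):
    """MD5 over the key attributes, then the first `nbytes` digest bytes in
    hex.  nbytes=8 is the stock module (16 hex chars); nbytes=16 keeps the
    whole digest, as in Roy's modification.  A key attribute missing from
    the packet contributes an empty string (an assumption of this model)."""
    if not 1 <= nbytes <= 16:
        raise ValueError("an MD5 digest is 16 bytes")
    material = "\x00".join(str(packet.get(a, "")) for a in key).encode()
    return hashlib.md5(material).digest()[:nbytes].hex()


def collision_probability(sessions, nbytes):
    """Birthday-bound estimate that at least two of `sessions` ids collide
    when each is nbytes*8 random-looking bits: 1 - exp(-n^2 / 2^(bits+1))."""
    bits = 8 * nbytes
    return 1.0 - math.exp(-(sessions ** 2) / 2.0 ** (bits + 1))
```

With a billion sessions the 8-byte id has roughly a 2.7% chance of any collision ever, which is why Alan says the extra 8 octets make little difference for a session identifier.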


Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
I am trying to set up 802.1x on our network and I would like the users
to be able to use their current Active Directory credentials.

I need the AD domain to be stripped from the username so that I can feed
it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
server.

Here is part of my config file.

modules {
    realm ntdomain {
        format = "prefix"
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }

    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = yes
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/certs/cert-srv.pem
            certificate_file = ${raddbdir}/certs/cert-srv.pem
            CA_file = ${raddbdir}/certs/demoCA/cacert.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
            fragment_size = 1024
            include_length = yes
        }
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }

    mschap {
        authtype = MS-CHAP
        with_ntdomain_hack = no
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MI --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
}

authorize {
    preprocess
    ntdomain
    eap
    files
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

From the debug output:
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
--username= --challenge=3d66c96d9aa150e6
--nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1

If I try ntlm_auth manually, it works fine:
[EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI /
--username=chand
password: 
NT_STATUS_OK: Success (0x0)

Has anyone successfully used freeradius to authenticate against Active
Directory (Windows 2003)?

Chris Hand 
Network Engineer
[EMAIL PROTECTED]






Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Paul Bender
Did you cut and paste or type the lines from your config file? According
to the config file ntlm_auth has the argument '--challence', but the
debug output has the argument '--challenge'.



RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
I retyped the config. That is a typo. It should be '--challenge'.

-Chris


raddb/users, having OR conditions

2004-08-23 Thread Adam KOSA
Hi List

I'm sorry if this is a basic question here.  I just set up freeradius,
using it to authenticate to network devices (instead of local auth).  I got
it up almost fine.  In my raddb/users file, I have the following:

test    Auth-Type := Local, User-Password == "test", Simultaneous-Use := 10, Calling-Station-Id == "10.19.5.1"
        Service-Type = Login,
        cisco-avpair = "shell:priv-lvl=15"

I understand that in the first line I can set up conditions, separated
by commas, which all have to be true to permit login.  How can I set up
an OR condition?  I'm thinking about letting more IPs in via radius,
not only allowing login from IP 10.19.5.1.

Currently I duplicated the test user and the second entry has another
IP - this way I can log in from both IPs.  But I don't like that I had
to duplicate the password and every setting.  But being new to
freeradius I know no other ways.

I'd be grateful if someone could describe a solution.

Thanks
Adam





Normal one-time password at the same time

2004-08-23 Thread Thor Spruyt
Hi,

I currently have my users' passwords stored in a postgresql database.
For each user there's a record in radcheck with the User-Password attribute.

I would like to implement OTP (one-time password) and I tried to add a
second record with the User-Password attribute for each user in radcheck.
It seems that FreeRadius only allows the user if he enters the password from
the record with the highest id.

Are there any possibilities to do such a thing for OTPs, so that the user can
either login with his real password or with his OTP?

--
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65




Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
> --username= --challenge=3d66c96d9aa150e6
> --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)

  Where's the username?

  Alan DeKok.



Dialup Admin Find

2004-08-23 Thread Cris Boisvert
Dialup Admin is working great... I noticed though when you try to search you
can only search by full name, dept, or radius attribute.

Is there a way to add USERNAME as a searchable option...

This is what is in the php currently
<?php
echo <<<EOM
<select name="search_IN" editable onChange="this.form.submit();">
<option $selected[name] value="name">User Full Name
<option $selected[ou] value="ou">User Department
<option $selected[radius] value="radius">User Radius Attribute
EOM;
?>

I tried adding this line
<option $selected[username] value="username">Username

It shows in the form although it doesn't work still

I suspect someone already thought of this so I figured I'd ask..

Thanx
Cris




RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Exactly... The username is not getting fed into ntlm_auth. It seems that
the stripping of the domain from the username is not working. If I use 
--username=%{User-Name}, then it feeds 'MI\\chand' to ntlm_auth.

-Chris Hand



Re: Dialup Admin Find

2004-08-23 Thread Nick Hall
On Mon, 23 Aug 2004 16:31:11 -0400, Cris Boisvert [EMAIL PROTECTED] wrote:
> Dialup Admin is working great... I noticed though when you try to search you
> can only search by full name, dept, or radius attribute.
>
> Is there a way to add USERNAME as a searchable option...

Looks like Dialup Admin in 1.0.0 has this feature already.



RE: Dialup Admin Find

2004-08-23 Thread Cris Boisvert
Actually I'm running the dialup_admin that came with the Freeradius 1.0 ..
It's not there .. unless I got an early version?





Redundant SQL authorize not working

2004-08-23 Thread James Doherty
I've sent this a couple times until I figured out my outgoing email
address wasn't what I signed up with...

Anyway...

I'm attempting to set up redundant authorization using postgres database
back end and I'm running into a bit of a jam with it

I setup the following lines in radiusd.conf (after adding in the include
statements)

redundant {
        sql1
        sql2
}
I also set this, just to make it timeout faster while testing:
max_request_time = 6

And I can see the successful connect in the log  and everything works as
expected... until I shutdown the 1st database.

Then when I make a request (using radclient) I see this:
bash-2.05# /usr/local/bin/radclient -f /usr/local/bin/test xxx.xxx.xxx.xxx auth yak1234567
radclient: no response from server for ID 60

radiusd.log:

Wed Aug 18 15:46:03 2004 : Error: Discarding duplicate request from client test:32971 - ID: 60 due to unfinished request 72
Wed Aug 18 15:46:06 2004 : Error: Discarding duplicate request from client test:32971 - ID: 60 due to unfinished request 72
Wed Aug 18 15:46:09 2004 : Error: Discarding duplicate request from client test:32971 - ID: 60 due to unfinished request 72
Wed Aug 18 15:46:09 2004 : Error: WARNING: Unresponsive child (id 4) for request 72
Wed Aug 18 15:46:12 2004 : Error: Discarding duplicate request from client test:32971 - ID: 60 due to unfinished request 72
Wed Aug 18 15:46:15 2004 : Error: Discarding duplicate request from client test:32971 - ID: 60 due to unfinished request 72

It seems that radiusd isn't marking the attempt at an sql query as a
failure and trying the 2nd sql. Now, if I restart the radius server with
the 1st database being down I see it notice that it can't connect to the
1st database and the redundancy works as expected.

Here's my version:
bash-2.05#  /usr/local/sbin/radiusd -v
radiusd: FreeRADIUS Version 1.0.0-pre3, for host x, built on Aug 10
2004 at 15:27:49

If I run the server in "do not spawn child processes" mode, everything
works, but I'd imagine the throughput is limited:

/usr/local/sbin/radiusd -s > /var/log/radius/radius.log 2>&1 &

Any ideas on what the problem is?

James

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
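As an added illustration (not part of James's post, nor FreeRADIUS code), a small check that flags requests stuck behind a backend from radiusd.log lines of the shape quoted above; the sample lines are constructed from that quote, and the log format is assumed to be the one the post shows:

```python
import re
from collections import defaultdict

# Constructed sample of radiusd.log lines, modelled on the ones quoted in
# the post above (timestamps and ids copied from the post).
SAMPLE_LOG = """\
Wed Aug 18 15:46:03 2004 : Error: Discarding duplicate request from client test:32971 - ID: 60 due to unfinished request 72
Wed Aug 18 15:46:06 2004 : Error: Discarding duplicate request from client test:32971 - ID: 60 due to unfinished request 72
Wed Aug 18 15:46:09 2004 : Error: Discarding duplicate request from client test:32971 - ID: 60 due to unfinished request 72
Wed Aug 18 15:46:09 2004 : Error: WARNING: Unresponsive child (id 4) for request 72
Wed Aug 18 15:46:12 2004 : Error: Discarding duplicate request from client test:32971 - ID: 60 due to unfinished request 72
Wed Aug 18 15:46:15 2004 : Error: Discarding duplicate request from client test:32971 - ID: 60 due to unfinished request 72
"""

DUP_RE = re.compile(
    r"Discarding duplicate request from client (?P<client>\S+) - ID: (?P<pid>\d+) "
    r"due to unfinished request (?P<req>\d+)"
)
HANG_RE = re.compile(r"Unresponsive child \(id (?P<child>\d+)\) for request (?P<req>\d+)")

def stalled_requests(log_text, retransmit_threshold=3):
    """Return {request_number: info} for requests stuck behind a backend.

    Reported when the client retransmitted it >= threshold times or the
    server logged an unresponsive child for it, the two symptoms above."""
    retransmits = defaultdict(int)   # unfinished request number -> dup count
    clients = {}                     # request number -> (client, packet ID)
    hung = {}                        # request number -> unresponsive child id
    for line in log_text.splitlines():
        m = DUP_RE.search(line)
        if m:
            req = int(m.group("req"))
            retransmits[req] += 1
            clients[req] = (m.group("client"), int(m.group("pid")))
            continue
        m = HANG_RE.search(line)
        if m:
            hung[int(m.group("req"))] = int(m.group("child"))
    report = {}
    for req in set(retransmits) | set(hung):
        if retransmits[req] >= retransmit_threshold or req in hung:
            report[req] = {
                "retransmits": retransmits[req],
                "client": clients.get(req),
                "unresponsive_child": hung.get(req),
            }
    return report
```

A request that keeps collecting duplicates while a child is marked unresponsive is the signature of a module blocking on a dead backend rather than failing over, which is exactly what the post describes.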


Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
 Exactly... The username is not getting fed into ntlm_auth. It seems that
 the stripping of the domain from the username is not working.

  Are you using the ntdomain realm, as given in radiusd.conf?

  Are you running it in debugging mode, to see that the ntdomain
realm is working?

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Yes, I am using the ntdomain realm. However, I do not see it show up in
the debugging output. Do I need to do anything other than list
ntdomain in the 'authorize' section to make freeradius use it?

Chris Hand




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Acct-Unique-Session-ID length

2004-08-23 Thread ROY
   I don't see why you need the extra bits.  The purpose of the
 attribute is to create an 8-octet unique session Id.  Adding another 8
 octets shouldn't make much difference.
 
   Alan DeKok.

I see your point that it shouldn't make such a big difference. 8 octets
shouldn't be a problem, though I'm just trying to keep the chances of
having dups down to a minimum, as I'm hitting ~30k-60k records/hr/server.

Thanks Alan!

Roy


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
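An added worked estimate, not from the thread or from rlm_acct_unique, of how likely a duplicate is at Roy's rates for an 8-octet versus a 16-octet id, modelling the hash output as uniformly random so the birthday bound applies; the rates and the one-year window are the only inputs, the latter an assumption:

```python
import math

def collision_probability(bits, n):
    """Birthday-bound probability that at least two of n random ids collide.

    p = 1 - exp(-n(n-1) / (2 * 2**bits)); expm1 keeps tiny values (the
    128-bit case) from rounding to zero.
    """
    if n < 2:
        return 0.0
    exponent = -(n * (n - 1)) / (2.0 * 2.0 ** bits)
    return -math.expm1(exponent)

def sessions_for_probability(bits, p):
    """Inverse: number of ids issued before the collision risk reaches p."""
    return int(math.sqrt(-2.0 * 2.0 ** bits * math.log1p(-p)))

def yearly_collision_risk(bits, sessions_per_hour):
    """Risk of any duplicate among one server's sessions over a year
    (assumed retention window; the hourly rates are Roy's figures)."""
    return collision_probability(bits, sessions_per_hour * 24 * 365)

if __name__ == "__main__":
    for rate in (30_000, 60_000):      # records/hr/server, from the post
        for bits in (64, 128):         # 8-octet default vs 16-octet id
            print(f"{rate:>6}/hr, {bits:>3}-bit id: "
                  f"p(dup in a year) = {yearly_collision_risk(bits, rate):.3g}")
```

At 60k/hr the 8-octet id carries well under a 1% chance of any duplicate in a year, and the 16-octet id drives that to around 1e-22, which is the quantitative form of Alan's point.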


RE : when is group_membership_query used ?

2004-08-23 Thread MINODIER David RD-RESA-LAN
Yes, it does work! So many thanks, Alan.
David.


   For the SQL-Group attribute.  And no, I don't think it's 
 documented anywhere.
 
  DEFAULT Group == GroupA
  Auth-Type = EAP
 
 That should be:
 
 DEFAULT   SQL-Group == GroupA, Auth-Type := EAP
 
  Congrats to all the developers who made the v1.0.0!
 
   Thanks.
 
   Alan DeKok.
 
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html