ippool
Hi All,

I have successfully configured freeradius using ippool, but only for one NAS. How can I configure freeradius so that it assigns a different ippool to each NAS?

Thanks.

--
Muhammad Rully Sumbayak
PT. Media Antar Nusa
(no subject)
I want to know how to use accounting and billing for the freeradius EAP-TLS thing. I've already installed it.

srinivasan.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Using EAP-TTLS with LDAP
I'm trying to get EAP-TTLS working on an Avaya WPA WLAN network, using LDAP as the user/password database. I'm running FreeRadius version 1.0.0.

An older version of the doc/rlm_eap documentation seems to imply that you can use both EAP and LDAP, but newer documentation states that because the LDAP module requires the "User-Password" attribute, EAP won't work when LDAP is on.

Is it possible to accomplish what I'm trying to do? I want to use TTLS as the tunnel transport for the EAP stuff, but have FreeRadius send the client username/password to the back-end LDAP server for authorization and authentication.

Any help is greatly appreciated!

Regards,
--
David Sotnick
Pixar Animation Studios
Emeryville, CA
complexed conf failover?
Hi

If I want to do something like

  1) ldapsearch for a-table
  1-1) if the user exists in a-table, do pap or chap
  2) if any of the above fails, ldapsearch for b-table
  2-1) if the user exists in b-table, do chap or pap
  3) if any of the above fails, ldapsearch for c-table
  3-1) if the user exists in c-table, do chap or pap

Is this possible? I think if 1-1) fails it cannot reach 2), and if 2-1) fails it cannot reach 3). Am I wrong? If this is possible, how should I configure this in radiusd.conf?

Thanks,
Kevin
Re: Setting Up a Freeradius server
At least it works! :-)

Ciao,
Marco
Re: hi all
just squid would be enough.

jassim El-mansori wrote:
> hi
> i have a doubt about using freeradius. actually i have this model:
> (win2k)-(RH9+radius)(Internet)
> I'm wondering if radius, implementing freeradius, will be enough. I'm using freeradius as an authentication point that forces users to login against it, and once he is allowed he can get the Internet. I'm not sure, but i think i need to make use of squid or something similar.
> any advice please
> thanks in advance
hi all
hi

i have a doubt about using freeradius. actually i have this model:

(win2k)-(RH9+radius)(Internet)

I'm wondering if radius, implementing freeradius, will be enough. I'm using freeradius as an authentication point that forces users to login against it, and once he is allowed he can get the Internet. I'm not sure, but i think i need to make use of squid or something similar.

any advice please

thanks in advance
Re: how to exclude default attributes from a reject packet
kevin J wrote:
> Thor, can you show me your auth.pl?

It's a perl script. This is the reject subroutine, which can be called anywhere in the script to reject the user with a message:

    sub auth_reject {
        my ($message) = @_;
        print LOG "Rejecting login: $message\n";
        print "Reply-Message := \"$message\"\n";
        print LOG "\n";
        close LOG;
        exit 1;
    }

As for accepting the user, the script collects attributes in a hash and then finishes with:

    foreach (keys %attr) {
        $output .= "$_ := $attr{$_},\n";
    }
    print $output;
    exit 0;

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
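Added example, not Thor's auth.pl: a skeleton of the same Exec-Program-Wait convention in Python, so the accept/reject contract is visible end to end. It relies on rlm_exec passing request attributes as environment variables (attribute name upper-cased, '-' replaced by '_', e.g. USER_NAME), parsing the program's stdout as reply attribute pairs, and treating exit status 0 as accept and any other status as reject; the POLICY table is a constructed stand-in for the database lookup.

```python
#!/usr/bin/env python3
"""Skeleton Exec-Program-Wait authorization script (constructed example).

FreeRADIUS' rlm_exec exports request attributes to the child as environment
variables (User-Name -> USER_NAME), reads the child's stdout as reply
attribute pairs, and accepts on exit status 0, rejecting on anything else.
"""
import os
import sys

REJECT_MESSAGE = "Invalid Account"

# Constructed sample policy: accounts that may log in and the reply
# attributes each one should receive. A real script would query a database.
POLICY = {
    "alice": {"Framed-IP-Address": "10.1.2.3", "Session-Timeout": 3600},
}


def render_value(value):
    """Integers go out bare; strings are double-quoted, with the two
    characters that would otherwise break the pair parser escaped."""
    if isinstance(value, int):
        return str(value)
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def format_pairs(attrs):
    """Build the block FreeRADIUS parses from stdout: one 'Attr := value'
    per line, comma-separated as in the users file."""
    lines = [f"{name} := {render_value(value)}" for name, value in attrs.items()]
    return ",\n".join(lines) + "\n"


def decide(env):
    """Return (exit_status, stdout_text) for the request described by env.
    A reject carries only a Reply-Message, so no accept-side attributes
    (addresses, timeouts) leak into an Access-Reject."""
    user = env.get("USER_NAME", "")
    if user not in POLICY:
        return 1, format_pairs({"Reply-Message": REJECT_MESSAGE})
    return 0, format_pairs(POLICY[user])


if __name__ == "__main__":
    status, output = decide(os.environ)
    sys.stdout.write(output)
    sys.exit(status)
```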
Re: FW: Hints file "Strip-User-Name == No" problem. Is there an explanation for this?
"David Mifsud" <[EMAIL PROTECTED]> wrote:
> We are currently setting up freeradius-1.0.0 on fedora core 2 to
> act as a proxy server.
> We found a problem with the hints file. The basic Hints file syntax that
> used to work on a previous version of freeradius (on freeradius 0.8.1 it
> worked fine) was :-

That's weird. The code was touched in 1.0.0, but the intent wasn't to break anything.

> What was happening was that the Strip-User-Name == No was not being
> processed correctly and the default value of "Yes" was being used which
> results in proxying not functioning
> Setting to "N" fixed the problem. I discovered this by trial and error.

That would explain why some people are having issues with hints in 1.0.0. I'll take a look. In the mean time, please submit a bug report to bugs.freeradius.org.

Alan DeKok.
Re: Process huntgroups during pre-accounting
"Mitchell, Michael" <[EMAIL PROTECTED]> wrote:
> Is there a reason that the preprocess module doesn't do any huntgroup
> processing during the pre-accounting stage of a request?

Not really.

> I need to do some accounting processing based on huntgroup, and if there
> is no particular reason for not doing it, I will most likely make a
> local modification to get the preprocess module to add the
> Huntgroup-Name attribute to the incoming accounting request, as per
> access requests.

Sure, submit a patch.

Alan DeKok.
Re: how to exclude default attributes from a reject packet
Alan DeKok wrote:
> kevin J <[EMAIL PROTECTED]> wrote:
>> I am resending this because I still don't know how to configure two
>> different DEFAULT lists for accept and reject.
>
> As my original message said, the "users" file isn't really designed to do that.
>
>> When I add "DEFAULT Auth-Type == Reject" on the top of DEFAULT lists, it just fails everything.
>
> Exactly. I suggest using Perl to edit the reply attributes.

Could you give me an example?

Kevin
Re: Radius deployment question
At the database level you can create a database user and GRANT them rights on the users table. That would, however, allow them to mess with users of other external customers. If you tag VPN users so you can identify to whom the user belongs, you can use an application which authenticates the customer and allows control only over customers tagged appropriately. Another possibility I suppose would be a per-customer schema over which they have rights, but other customers' users are in their own respective schemas and unaffected. This would require adjustments on the user auth side; you'd need to add explicit schema support.

On Wed, 25 Aug 2004, Maqbool Hashim wrote:
> I'd like to know if it is possible to allow external customers limited
> access to add users to our RADIUS configuration. We manage many
> firewalls for different customers. VPN users on the firewalls can be
> authenticated via our Freeradius server. So when another VPN needs to
> be setup on the firewall, we add a user into the users file or the SQL
> table. Is it possible for us to allow customers to be able to add
> users to the SQL table, without these users being authenticated for all
> of the other customers' firewalls?
>
> So we want customer A to be able to add users which are to be
> authenticated on Firewall A without these users being able to be
> authenticated on Firewalls B, C and D.
>
> Is this possible? I know this will involve realms, but how can we get
> the customer to update the RADIUS configuration without giving them too
> much access to the RADIUS files?
>
> Has anyone got a similar setup or know how this can be achieved?
>
> Regards
>
> Maqbool
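Added example, not part of the thread: the "tag the VPN users so you can identify to whom they belong" idea above, applied to the FreeRADIUS SQL tables so that a user provisioned by customer A is only ever matched for requests arriving from customer A's firewall. It runs against an in-memory SQLite copy of radcheck and nas; the extra customer column, the scoped check query and the sample data are assumptions, not stock FreeRADIUS schema.

```python
"""Per-customer scoping of RADIUS users (constructed example).

Both the nas table (which firewall a request comes from) and radcheck (who
provisioned a user) carry a customer tag, and the check query joins on it, so
a user only exists for the firewalls of the customer that created it.
"""
import sqlite3

SCHEMA = """
CREATE TABLE nas (
    nasname   TEXT PRIMARY KEY,   -- address the request comes from
    shortname TEXT NOT NULL,
    secret    TEXT NOT NULL,
    customer  TEXT NOT NULL       -- added: customer that owns this firewall
);
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL,
    customer  TEXT NOT NULL       -- added: customer that provisioned the user
);
"""

# Scoped replacement for the stock authorize_check_query. In sql.conf the two
# parameters would be %{SQL-User-Name} and %{Client-IP-Address}; the packet
# source address is preferable to NAS-IP-Address, which is whatever value the
# NAS chose to put in the request.
AUTHORIZE_CHECK_QUERY = """
SELECT radcheck.id, radcheck.username, radcheck.attribute, radcheck.value, radcheck.op
  FROM radcheck
  JOIN nas ON nas.customer = radcheck.customer
 WHERE radcheck.username = ? AND nas.nasname = ?
 ORDER BY radcheck.id
"""


def add_user_as_customer(db, customer, username, password):
    """The only write a customer's provisioning account needs. The tag comes
    from the authenticated customer identity, never from the submitted row, so
    a customer cannot file a user under someone else's firewalls."""
    db.execute(
        "INSERT INTO radcheck (username, attribute, op, value, customer) "
        "VALUES (?, ?, ?, ?, ?)",
        (username, "User-Password", ":=", password, customer),
    )


def build_db():
    """In-memory database with constructed data: two customers, one firewall each."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO nas VALUES (?, ?, ?, ?)", [
        ("192.0.2.10", "fw-a", "secret-a", "customer_a"),
        ("192.0.2.20", "fw-b", "secret-b", "customer_b"),
    ])
    add_user_as_customer(db, "customer_a", "alice", "alice-pw")
    add_user_as_customer(db, "customer_b", "bob", "bob-pw")
    return db


def check_items(db, username, client_ip):
    """Check items the server would load for this user on this NAS; an empty
    list means the user does not exist as far as that firewall is concerned."""
    rows = db.execute(AUTHORIZE_CHECK_QUERY, (username, client_ip)).fetchall()
    return [(attribute, op, value) for _id, _user, attribute, value, op in rows]


if __name__ == "__main__":
    db = build_db()
    print("alice @ fw-a:", check_items(db, "alice", "192.0.2.10"))
    print("alice @ fw-b:", check_items(db, "alice", "192.0.2.20"))
```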
Re: how to exclude default attributes from a reject packet
Thanks Alan and Thor,

Thor, can you show me your auth.pl?

Kevin

Thor Spruyt wrote:
> kevin J wrote:
>> I am resending this because I still don't know how to configure two different DEFAULT lists for accept and reject. When I add "DEFAULT Auth-Type == Reject" on the top of DEFAULT lists, it just fails everything.
>
> I have a radius server that gets the user's password from a postgresql database. If it's a valid user, then an external script is executed which can either accept or reject the user with whatever attributes. If it's not a valid user, then a reject is sent with a specific Reply-Message.
>
> I only configured this in the users file:
>
>     DEFAULT Auth-Type := Reject
>             Reply-Message = "Invalid Account",
>             Fall-Through = Yes
>
>     DEFAULT Auth-Type := Local
>             Exec-Program-Wait = "/opt/radius1/bin/auth.pl"
Re: Radius deployment question
Maqbool Hashim <[EMAIL PROTECTED]> wrote:
> I'd like to know if it is possible to allow external customers limited
> access to add users to our RADIUS configuration.

Yes, but it's probably a bad idea.

> Is this possible? I know this will involve realms, but how can we get
> the customer to update the RADIUS configuration without giving them too
> much access to the RADIUS files?

You would be better off having the customers manage their own RADIUS servers, and having you just proxy to those servers.

If the customers don't want to manage their own servers, you can still have a server locally, per-customer. That way, you can give each customer limited access to the SQL database, and be guaranteed that they can't affect other customers. Put a proxying server in front of these other servers, and proxy based on realms.

Alan DeKok.
Re: how to exclude default attributes from a reject packet
kevin J wrote:
> I am resending this because I still don't know how to configure two
> different DEFAULT lists for accept and reject. When I add "DEFAULT Auth-Type == Reject"
> on the top of DEFAULT lists, it just fails everything.

I have a radius server that gets the user's password from a postgresql database. If it's a valid user, then an external script is executed which can either accept or reject the user with whatever attributes. If it's not a valid user, then a reject is sent with a specific Reply-Message.

I only configured this in the users file:

    DEFAULT Auth-Type := Reject
            Reply-Message = "Invalid Account",
            Fall-Through = Yes

    DEFAULT Auth-Type := Local
            Exec-Program-Wait = "/opt/radius1/bin/auth.pl"

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Re: how to exclude default attributes from a reject packet
kevin J <[EMAIL PROTECTED]> wrote:
> I am resending this because I still don't know how to configure two
> different DEFAULT lists for accept and reject.

As my original message said, the "users" file isn't really designed to do that.

> When I add "DEFAULT Auth-Type == Reject" on the top of DEFAULT
> lists, it just fails everything.

Exactly. I suggest using Perl to edit the reply attributes.

Alan DeKok.
Radius deployment question
I'd like to know if it is possible to allow external customers limited access to add users to our RADIUS configuration. We manage many firewalls for different customers. VPN users on the firewalls can be authenticated via our Freeradius server. So when another VPN needs to be setup on the firewall, we add a user into the users file or the SQL table. Is it possible for us to allow customers to be able to add users to the SQL table, without these users being authenticated for all of the other customers' firewalls?

So we want customer A to be able to add users which are to be authenticated on Firewall A without these users being able to be authenticated on Firewalls B, C and D.

Is this possible? I know this will involve realms, but how can we get the customer to update the RADIUS configuration without giving them too much access to the RADIUS files?

Has anyone got a similar setup or know how this can be achieved?

Regards

Maqbool
Re: how to exclude default attributes from a reject packet
I am resending this because I still don't know how to configure two different DEFAULT lists for accept and reject. When I add "DEFAULT Auth-Type == Reject" on the top of DEFAULT lists, it just fails everything.

Kevin

Kevin J wrote:
> Alan DeKok wrote:
>> kevin J <[EMAIL PROTECTED]> wrote:
>>> I just found that all reject packets include DEFAULT attributes as well. If I don't want to include these DEFAULT attributes in a reject packet, what do I need to do? I tried the following but I don't think this is correct.
>>
>> It's a little difficult to remove attributes from a packet. Perhaps what the server should do is to maintain *two* lists of attributes, one for an Access-Accept, and another for Access-Reject. Alternately, it could "wipe out" all of the attributes in the reply, as soon as it sees a reject.
>
> Could you explain how to make two different lists for accept and reject? Thanks for your help.
>
> Kevin
>
> The problem is that the "users" file isn't really designed to do that kind of thing. To do it properly, we'll probably need a new configuration file, with a more complicated language.
>
> Alan DeKok.
Re: PEAP + per session WEP
On Wed, 2004-08-25 at 11:52, Alan DeKok wrote:
> Artur Hecker <[EMAIL PROTECTED]> wrote:
>>> the values in MS-MPPE-Recv-Key and MS-MPPE-Send-Key change in every PEAP
>>> request...
>>
>> what do you mean by this statement? these attributes are only present in
>> the Access-Accept message sent by the radius server to the NAS.
>
> He means that at the end of every PEAP session, the keys are unique.

Yeah, actually, after I sent the message, I realized that it should be: the values in MS-MPPE-Recv-Key and MS-MPPE-Send-Key change in every successful PEAP request...

Ok, now everything is fully understood, and now I have a running setup with Proxim cards + Foundry IronPoint 200 + Freeradius 1.0.0 + Postgresql... thanks!

regards,
ivan

> Alan DeKok.
Re: PEAP + per session WEP
ok, whatever a PEAP request means in the original mail :-)

it would be crazy to constantly deliver the same value, what would it be good for? that's why it's called "dynamic WEP"...

ciao
artur

Alan DeKok wrote:
> Artur Hecker <[EMAIL PROTECTED]> wrote:
>>> the values in MS-MPPE-Recv-Key and MS-MPPE-Send-Key change in every PEAP
>>> request...
>>
>> what do you mean by this statement? these attributes are only present in
>> the Access-Accept message sent by the radius server to the NAS.
>
> He means that at the end of every PEAP session, the keys are unique. They're supposed to be.
>
> Alan DeKok.
Re: PEAP + per session WEP
Artur Hecker <[EMAIL PROTECTED]> wrote:
>> the values in MS-MPPE-Recv-Key and MS-MPPE-Send-Key change in every PEAP
>> request...
>
> what do you mean by this statement? these attributes are only present in
> the Access-Accept message sent by the radius server to the NAS.

He means that at the end of every PEAP session, the keys are unique. They're supposed to be.

Alan DeKok.
Re: PEAP + per session WEP
hi

> When you say "freeradius delivers the necessary keying data", do you mean these two following keys?
>
> MS-MPPE-Recv-Key = 0xc0eb6159c1ccc924b524d39c21f3c41588c60dd41945a1480b9119ef809c3060
> MS-MPPE-Send-Key = 0xd9e5ca0d05d2430c4e8abea402d47d742bf80ff361945a76f0d0b14e6b84a656

that's exact.

> the values in MS-MPPE-Recv-Key and MS-MPPE-Send-Key change in every PEAP request...

what do you mean by this statement? these attributes are only present in the Access-Accept message sent by the radius server to the NAS.

ciao
artur

>> it's a function of your access point. freeradius delivers the necessary keying data. your access point (authenticator) has to use it to produce the wep keys. similarly, your wireless client (supplicant) produces its keying data and the both latter can negotiate the wep keys together. thus, _both_ link partners have to support the dynamic wep keying and be compatible in this regard.
>>
>> under ms-windows you say "the key is delivered by the network" or something like this in the wireless network settings.
>>
>> ciao
>> artur
>>
>> Ivan Hernández Serrano wrote:
>>> Hi, I am using freeradius 1.0.0, at this moment it uses PEAP and everything goes fine. Now, I would like to generate a dynamic WEP key per client, but I have no clue how to do it, I has been searching in the mail archives, and in the docs without any results. I will appreciate if anyone can either give me a hint or give me the location of some references.
Re: PEAP + per session WEP
When you say "freeradius delivers the necessary keying data", do you mean these two following keys?

MS-MPPE-Recv-Key = 0xc0eb6159c1ccc924b524d39c21f3c41588c60dd41945a1480b9119ef809c3060
MS-MPPE-Send-Key = 0xd9e5ca0d05d2430c4e8abea402d47d742bf80ff361945a76f0d0b14e6b84a656

the values in MS-MPPE-Recv-Key and MS-MPPE-Send-Key change in every PEAP request...

ivan

On Wed, 2004-08-25 at 03:41, Artur Hecker wrote:
> it's a function of your access point. freeradius delivers the necessary
> keying data. your access point (authenticator) has to use it to produce
> the wep keys. similarly, your wireless client (supplicant) produces its
> keying data and the both latter can negotiate the wep keys together.
> thus, _both_ link partners have to support the dynamic wep keying and be
> compatible in this regard.
>
> under ms-windows you say "the key is delivered by the network" or
> something like this in the wireless network settings.
>
> ciao
> artur
>
> Ivan Hernández Serrano wrote:
>> Hi, I am using freeradius 1.0.0, at this moment it uses PEAP and
>> everything goes fine. Now, I would like to generate a dynamic WEP key
>> per client, but I have no clue how to do it, I has been searching in the
>> mail archives, and in the docs without any results. I will appreciate if
>> anyone can either give me a hint or give me the location of some
>> references.
>>
>> Thanks in advance,
>> ivan
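Added example, not part of the thread, going one step past it: the two hex values quoted in this message are the plaintext keying material as the server logs it; on the wire each MS-MPPE-*-Key attribute is encrypted under the RADIUS shared secret as specified in RFC 2548 section 2.4.2, and the access point unwraps it with the Request Authenticator of its own Access-Request. The block below implements that wrap and unwrap and round-trips the quoted Recv-Key; the shared secret, Request Authenticator and salt are constructed values.

```python
"""MS-MPPE-Send-Key / MS-MPPE-Recv-Key transport encoding (RFC 2548 2.4.2).

Constructed example. The attribute value is Salt || C, where
  P  = len(key) || key || zero padding to a multiple of 16 octets
  b1 = MD5(S || R || Salt),   c1 = p1 xor b1
  bi = MD5(S || c(i-1)),      ci = pi xor bi
with S the shared secret and R the 16-octet Request Authenticator.
"""
import hashlib
import os

# Plaintext value quoted in the thread (32 octets of keying material).
RECV_KEY_HEX = "c0eb6159c1ccc924b524d39c21f3c41588c60dd41945a1480b9119ef809c3060"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_wrap(secret: bytes, authenticator: bytes, key: bytes, salt: bytes) -> bytes:
    """Encrypt key as the RADIUS server does before placing it in the Access-Accept."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first set")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    prev = authenticator + salt           # feeds b1 = MD5(S || R || Salt)
    out = bytearray()
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                      # chaining: bi = MD5(S || c(i-1))
    return salt + bytes(out)


def mppe_unwrap(secret: bytes, authenticator: bytes, value: bytes) -> bytes:
    """Inverse of mppe_wrap as performed by the NAS. Malformed length or
    padding is rejected, so a wrong shared secret or a modified attribute is
    noticed instead of silently yielding garbage keying material."""
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MPPE key attribute")
    prev = authenticator + salt
    plain = bytearray()
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    length = plain[0]
    if length == 0 or length > len(plain) - 1 or any(plain[1 + length:]):
        raise ValueError("bad key length or padding: wrong shared secret?")
    return bytes(plain[1:1 + length])


def new_salt() -> bytes:
    """Fresh 2-octet salt with the high bit set, unique per key in a packet."""
    return bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", bytes(range(16))
    wrapped = mppe_wrap(secret, ra, bytes.fromhex(RECV_KEY_HEX), new_salt())
    print("on-the-wire value:", wrapped.hex())
    print("round trip ok:", mppe_unwrap(secret, ra, wrapped).hex() == RECV_KEY_HEX)
```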
Re: question about logging facilities
Anders Karlsson <[EMAIL PROTECTED]> wrote:
> I'm wondering if there's a way to log all the "error" logs ( like failed
> logins and so on ) into a mysql table instead of the standard radius
> logfile ?

Not at this time. As always, patches are welcome.

Alan DeKok.
Re: How set different reply for same user/pass request, coming from different computers,
jeff x <[EMAIL PROTECTED]> wrote:
> If different computer send the same request(same
> user/pass) to the radius server, I would like it to
> reply differently.

Ok...

> Is it possible using the shortname, or anything else?

Client-IP-Address

Alan DeKok.
Re: Setting Up a Freeradius server
[EMAIL PROTECTED] wrote:
> Using XP supplicant I install cert-clt.p12 and root.der on the client, and
> trying to use Odyssey as client. But the authentication never goes on. In fact
> the EAP conversation does not start, in spite of a request being received by the server.

So... run the server in debugging mode to see why.

If you don't understand debugging mode, mail the results to the list, as suggested in the FAQ, README, and multiple other places.

Alan DeKok.
Re: Segmentation Fault
SPROUSE Troy F <[EMAIL PROTECTED]> wrote:
> Okay, this may be a configuration problem but I cannot seem to find it.
> When I run radiusd in debug mode, I get a segmentation fault. Please see
> below.

Ok... try this:

    $ gdb /usr/local/sbin/radiusd
    ...
    (gdb) set args -X
    (gdb) run
    ...
    (gdb) bt

and mail it to the list.

Alan DeKok.
RE: Segmentation Fault
What version of freeradius are you using? I am using freeradius 1.0.0 on FreeBSD 4.10 with MySQL 4.0.20 and I get the following debug output on startup (see segfault at the bottom):

    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/adm/freeradius/etc/raddb/clients.conf
    Config: including file: /usr/local/adm/freeradius/etc/raddb/snmp.conf
    Config: including file: /usr/local/adm/freeradius/etc/raddb/sql.conf
     main: prefix = "/usr/local/adm/freeradius"
     main: localstatedir = "/usr/local/adm/freeradius/var"
     main: logdir = "/usr/local/adm/freeradius/var/log/radius"
     main: libdir = "/usr/local/adm/freeradius/lib"
     main: radacctdir = "/usr/local/adm/freeradius/radacct"
     main: hostname_lookups = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 1645
     main: allow_core_dumps = no
     main: log_stripped_names = yes
     main: log_file = "/usr/local/adm/freeradius/var/log/radius/radius.log"
     main: log_auth = no
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = "/usr/local/adm/freeradius/var/run/radiusd/radiusd.pid"
     main: bind_address = 192.168.10.3 IP address [192.168.10.3]
     main: user = "(null)"
     main: group = "(null)"
     main: usercollide = no
     main: lower_user = "after"
     main: lower_pass = "no"
     main: nospace_user = "after"
     main: nospace_pass = "after"
     main: checkrad = "/usr/local/adm/freeradius/sbin/checkrad"
     main: proxy_requests = no
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = no
     main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    Using deprecated realms file. Support for this will go away soon.
    radiusd: entering modules setup
    Module: Library search path is /usr/local/adm/freeradius/lib
    Module: Loaded System
     unix: cache = no
     unix: passwd = "(null)"
     unix: shadow = "(null)"
     unix: group = "(null)"
     unix: radwtmp = "/usr/local/adm/freeradius/var/log/radius/radwtmp"
     unix: usegroup = no
     unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded PAP
     pap: encryption_scheme = "crypt"
    Module: Instantiated pap (pap)
    Module: Loaded preprocess
     preprocess: huntgroups = "/usr/local/adm/freeradius/etc/raddb/huntgroups"
     preprocess: hints = "/usr/local/adm/freeradius/etc/raddb/hints"
     preprocess: with_ascend_hack = no
     preprocess: ascend_channels_per_line = 23
     preprocess: with_ntdomain_hack = yes
     preprocess: with_specialix_jetstream_hack = no
     preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
     realm: format = "suffix"
     realm: delimiter = "@"
     realm: ignore_default = no
     realm: ignore_null = no
    Module: Instantiated realm (suffix)
    Module: Loaded SQL
     sql: driver = "rlm_sql_mysql"
     sql: server = "localhost"
     sql: port = ""
     sql: login = "freeradius"
     sql: password = "pw"
     sql: radius_db = "freeradius"
     sql: acct_table = "radacct"
     sql: acct_table2 = "radacct"
     sql: authcheck_table = "radcheck"
     sql: authreply_table = "radreply"
     sql: groupcheck_table = "radgroupcheck"
     sql: groupreply_table = "radgroupreply"
     sql: usergroup_table = "usergroup"
     sql: nas_table = "nas"
     sql: dict_table = "dictionary"
     sql: sqltrace = no
     sql: sqltracefile = "/usr/local/adm/freeradius/var/log/radius/sqltrace.sql"
     sql: readclients = no
     sql: deletestalesessions = yes
     sql: num_sql_socks = 20
     sql: sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}"
     sql: default_user_profile = ""
     sql: query_on_not_found = no
     sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
     sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
     sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
     sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
     sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = %{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
     sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}
Segmentation Fault
Okay, this may be a configuration problem but I cannot seem to find it. When I run radiusd in debug mode, I get a segmentation fault. Please see below.

    [EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
     main: prefix = "/usr/local"
     main: localstatedir = "/usr/local/var"
     main: logdir = "/usr/local/var/log/radius"
     main: libdir = "/usr/local/lib"
     main: radacctdir = "/usr/local/var/log/radius/radacct"
     main: hostname_lookups = no
     main: max_request_time = 10
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = yes
     main: log_file = "/usr/local/var/log/radius/radius.log"
     main: log_auth = yes
     main: log_auth_badpass = yes
     main: log_auth_goodpass = yes
     main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
     main: user = "(null)"
     main: group = "(null)"
     main: usercollide = no
     main: lower_user = "no"
     main: lower_pass = "no"
     main: nospace_user = "no"
     main: nospace_pass = "no"
     main: checkrad = "/usr/local/sbin/checkrad"
     main: proxy_requests = yes
     proxy: retry_delay = 3
     proxy: retry_count = 2
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     proxy: post_proxy_authorize = yes
     proxy: wake_all_if_all_dead = no
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = yes
     main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded preprocess
     preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
     preprocess: hints = "/usr/local/etc/raddb/hints"
     preprocess: with_ascend_hack = no
     preprocess: ascend_channels_per_line = 23
     preprocess: with_ntdomain_hack = no
     preprocess: with_specialix_jetstream_hack = no
     preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded detail
     detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
     detail: detailperm = 384
     detail: dirperm = 493
     detail: locking = no
    Module: Instantiated detail (auth_log)
    Module: Loaded realm
     realm: format = "suffix"
     realm: delimiter = "@"
     realm: ignore_default = no
     realm: ignore_null = no
    Module: Instantiated realm (suffix)
    Module: Loaded Acct-Unique-Session-Id
     acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded files
     files: usersfile = "/usr/local/etc/raddb/users"
     files: acctusersfile = "/usr/local/etc/raddb/acct_users"
     files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
     files: compat = "no"
    Module: Instantiated files (files)
     detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
     detail: detailperm = 384
     detail: dirperm = 493
     detail: locking = no
    Module: Instantiated detail (detail)
    Module: Loaded radutmp
     radutmp: filename = "/usr/local/var/log/radius/radutmp"
     radutmp: username = "%{User-Name}"
     radutmp: case_sensitive = no
     radutmp: check_with_nas = yes
     radutmp: perm = 384
     radutmp: callerid = yes
    Module: Instantiated radutmp (radutmp)
    Segmentation fault

I have played with the configuration file for a while to correct this. Any help would be appreciated.

Thank you,
Troy
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> I'm still not seeing it.

If it's listed in the "authorize" section, it will be printed out in debugging mode. Are you willing to provide debug logs?

> Let's start over. What is the best way of authenticating users to an
> NT domain over PEAP? Am I even on the right track?

ntlm_auth. It works, and other people have gotten it to work. The issue now becomes poking your configuration so that it works.

Alan DeKok.
How set different reply for same user/pass request, coming from different computers,
Hi,

Here is my problem: If different computers send the same request (same user/pass) to the radius server, I would like it to reply differently. More precisely, I'd like to assign an IP to a specified group, so if the request came from a computer of one group or another one, the radius server would reply with the appropriate message.

Is it possible using the shortname, or anything else?

Thanks for your useful help.

bye,
Setting Up a Freeradius server
Subject: Setting Up a Freeradius Server
Date: Wednesday 25 August 2004 16:17
From: Marco Garro <[EMAIL PROTECTED]>
To: FreeRadius <[EMAIL PROTECTED]>

Hi all, i'm new to the freeradius world. I'm trying to set up a FreeRadius server because I need eap-tls authentication in my WLAN. I'm using a BUFFALO WBR-G54 AP that supports Radius Auth.

I built my freeradius server like so. First I built openssl 0.9.7-stable-SNAP-20040819:

    ./config shared --prefix=/usr/local/openssl
    make
    make install

and then I built FreeRadius:

    ./configure --with-openssl-include=/usr/local/openssl/include \
                --with-openssl-libraries=/usr/local/openssl/lib \
                --prefix=/usr/local/radius
    make
    make install

Having done this, I produced my certificates using script/CA.all.

Now I should configure freeradius. I edit eap.conf to tell freeradius where the certificates are:

    eap {
        default_eap_type = tls
        ...
        tls {
            private_key_password = whatever
            private_key_file = /usr/local/radius/etc/1x/cert-srv.pem
            certificate_file = /usr/local/radius/etc/1x/cert-srv.pem
            CA_file = /usr/local/radius/etc/1x/root.pem
            dh_file = /usr/local/radius/etc/1x/dh
            random_file = /usr/local/radius/etc/1x/random
            fragment_size = 1024
            include_length = yes
        }
    }

I create the dh and random files like so:

    date > dh; date > random

At this point, following a web document by Raymond McKay, I write a wrapper for radiusd:

    #!/bin/sh -x
    LD_LIBRARY_PATH=/usr/local/openssl/lib
    LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
    export LD_LIBRARY_PATH LD_PRELOAD
    /usr/local/radius/sbin/radiusd "$@"

Using the XP supplicant I install cert-clt.p12 and root.der on the client, and try to use Odyssey as client. But the authentication never goes on. In fact the EAP conversation does not start, in spite of a request being received by the server.

I need help. Please help me.

Bye,
Marco GARRO
http://www.garro.biz/
client data for auth. are not taken from PostgreSQL
Still the subject is the problem for me. Maybe there is already some doc ready to understand where to put what to get this to work? I put readclients=yes and the nas_table parameter respectively in radiusd.conf and postgresql.conf. The table structure also seems to be correct. But when connecting, the client which is in this table is named as 'unknown client'. The same in debugging mode.

Edgars
Re: WG: mod_auth_radius: error - no user file?
"Stephan Pfeiffer" <[EMAIL PROTECTED]> wrote:
> If I connect now to the server it asks me for user and password, but
> after pressing enter I get the default error page. The apache2 log writes:
>
> configuration error: couldn't check user. no user file?: /index.shtml

You haven't told Apache *when* to use the module. Keep reading the documentation that comes with the module. It includes examples of controlling directory access, by using the module's directives.

Alan DeKok.
Re: Simultaneous-Use recovery after NAS crash
Fritz,

Look at checkrad. It's mentioned several times in doc/Simultaneous-Use.

- Kevin

On Wednesday 25 August 2004 07:54, Fritz Reichmann wrote:
> Hello,
>
> I have set up FreeRADIUS to authenticate against LDAP and with a
> Simultaneous-Use:=1 check item. That works just fine: access is rejected if
> I send an accounting-start packet for an LDAP-entered user first, and
> granted again if I send the appropriate accounting-stop.
>
> However, FreeRADIUS stores information about the users being logged in
> in its own database. If the NAS crashes silently without sending
> accounting-stop packets for the users currently logged on, then these users
> cannot log in after NAS recovery because FreeRADIUS still believes they
> are already logged in.
>
> How can I make sure that FreeRADIUS senses the fact that the users are not
> logged in anymore, even though an Accounting-Stop was never sent? Can I use
> interim accounting with an appropriate timeout?
>
> I could not find it on the web, so either I am blind or it's not in the FAQ
> yet ...
>
> Fritz
WG: mod_auth_radius: error - no user file?
[EMAIL PROTECTED],

I've downloaded and compiled "mod_auth_radius-2.0.c" as described here http://www.freeradius.org/mod_auth_radius/ with "apxs -i -a -c mod_auth_radius.c". All finished, and httpd.conf has my entries:

<>
LoadModule radius_auth_module modules/mod_auth_radius-2.0.so
..
AddRadiusAuth m.y.i.p:1812 testsecret 5:3
<.>

and apachectl configtest reports all ok. If I connect now to the server it asks me for user and password, but after pressing enter I get the default error page. The apache2 log writes:

configuration error: couldn't check user. no user file?: /index.shtml

and on the radius server I can't see any request. What's wrong?

Info:
* apache 2.0.50
* latest mod_auth_radius module
* debian 3.0 with kernel 2.2.20

regards...
Re: Send back attribute values with response
Manjunath M Prabhu <[EMAIL PROTECTED]> wrote:
> I want to access this AcctSessionTime on my NAS box.
> Preferably I would want this attribute to be sent with the accounting
> response.

Accounting responses don't contain any attributes. See the RFCs.

> Can someone tell me how we can send back attributes from the radserver to
> the radclient??

First, I would check that the RADIUS client *can* understand attributes in the accounting response. If it can't, there's no point in adding the attributes to that packet.

Second, sending the accounting session time back to the NAS is pointless. If the NAS can't keep track of the session time, it's severely broken.

Alan DeKok.
Re: invalid signature
oulaika abdelfattah <[EMAIL PROTECTED]> wrote:
> and I make one user in the users file:
> "mobile" Auth-Type := EAP
> "test" Auth-Type := Local, User-Password =="test"
>
> but when I try to connect as user "test" I have this
> message: invalid signature
>
> what can I do

Post debug logs to the list, and describe which client you're using. Without that information, your message is essentially "stuff went wrong, how do I fix it?" There is no meaningful answer possible to such a question.

Alan DeKok.
Re: mschap2 with encryption problem
Edgars <[EMAIL PROTECTED]> wrote:
> When the user is connecting using mschapv2 without encryption everything
> is fine but as soon as the encryption is enabled the following errors appear
> in the logs:
>
> Wed Aug 25 10:06:05 2004 : Error: No memory

If the server is running out of memory, that's completely independent of MS-CHAP. Add more memory to the machine.

Alan DeKok.
Cable modems
Thanks everyone for your responses to my questions, and thanks to Greg for the valuable links he provided. After some more research I decided that I would use mpthrill as I don't have the time for extensive development.

Also, I apologize to the list for the digital sig... I forgot to turn it off.

Regards
Doug Lewis, IT Manager
S&T Telephone
WWW.ST-TEL.NET
sqlcounter related problem
I followed the steps written in the rlm_sqlcounter doc file (using FreeRADIUS 1.0.0 with PostgreSQL). I inserted in the radreply table an entry which gives some user a total session time of 60s. But in the logs I received such an error:

Error: rlm_sql: unknown attribute Max-All-Session
Wed Aug 25 16:06:07 2004 : Error: rlm_sql (sql): Error getting data from database

What should I do in this case? Please advise!

Edgars
Send back attribute values with response
Hi all,

I am using freeradius-1.0. I connect to the RADIUS server from my NAS, which has a radclient. I begin with an accounting start request. With the accounting stop request the AcctStopTime and AcctSessionTime are updated in MySQL and the response is sent back to my NAS. I want to access this AcctSessionTime on my NAS box. Preferably I would want this attribute to be sent with the accounting response. Can someone tell me how we can send back attributes from the radserver to the radclient??

thanks a lot,
regards,
manjunath
Simultaneous-Use recovery after NAS crash
Hello,

I have set up FreeRADIUS to authenticate against LDAP and with a Simultaneous-Use:=1 check item. That works just fine: access is rejected if I send an accounting-start packet for an LDAP-entered user first, and granted again if I send the appropriate accounting-stop.

However, FreeRADIUS stores information about the users being logged in in its own database. If the NAS crashes silently without sending accounting-stop packets for the users currently logged on, then these users cannot log in after NAS recovery because FreeRADIUS still believes they are already logged in.

How can I make sure that FreeRADIUS senses the fact that the users are not logged in anymore, even though an Accounting-Stop was never sent? Can I use interim accounting with an appropriate timeout?

I could not find it on the web, so either I am blind or it's not in the FAQ yet ...

Fritz
invalid signature
I have installed freeradius 1.0.0.0 and configured my localhost as a client (just to test):

client 127.0.0.1 {
	secret = test
	shortname = localhost
}

and I made one user in the users file:

"mobile" Auth-Type := EAP
"test" Auth-Type := Local, User-Password =="test"

but when I try to connect as user "test" I have this message: invalid signature

What can I do?
Re: raddb/users, having OR conditions
> I'm sorry if this is a basic question here. I just set up freeradius,
> using it to authenticate to network devices (instead of local auth). I got
> it up almost fine. In my raddb/users file, I have the following:
>
> test Auth-Type := Local, User-Password == "test", Simultaneous-Use := 10, Calling-Station-Id == "10.19.5.1"
>         Service-Type = Login,
>         cisco-avpair="shell:priv-lvl=15"
>
> I understand that in the first line I can set up conditions, separated
> by commas, which all have to be true to permit login. How can I set up
> an OR condition? I'm thinking about letting more IPs in via radius,
> not only allowing login from ip 10.19.5.1.

You can use regular expressions. The =~ operator indicates this. For example:

test Auth-Type := Local, User-Password == "test", Simultaneous-Use := 10, Calling-Station-Id =~ "(10.19.5.1|10.19.5.2)"
        Service-Type = Login,
        cisco-avpair="shell:priv-lvl=15"

Hope that helps,
Keith Yoder
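As an added example (not part of Keith's reply or of FreeRADIUS itself), the following Python models how a users-file check item compares `==` and an unanchored `=~` pattern against the Calling-Station-Id a NAS sends. It shows that the regex exactly as written above also admits look-alike addresses, because an unescaped dot matches any character and the pattern is not anchored; the stricter pattern and the sample station values are constructed for this illustration.

```python
import re

# Constructed model of the two users-file check-item operators in question:
#   '=='  exact string comparison of the attribute value
#   '=~'  regular-expression search over the attribute value (unanchored,
#         which is how FreeRADIUS evaluates =~ patterns)
def check_item_matches(operator: str, pattern: str, value: str) -> bool:
    """Return True if a single check item is satisfied by the request value."""
    if operator == "==":
        return value == pattern
    if operator == "=~":
        return re.search(pattern, value) is not None
    raise ValueError(f"unsupported operator {operator!r}")

# The pattern from the reply above, exactly as written: '.' is a regex
# wildcard and nothing anchors the match to the whole attribute value.
LOOSE = r"(10.19.5.1|10.19.5.2)"

# Hypothetical tightened pattern: dots escaped, match anchored at both ends,
# so only the two literal hosts satisfy the check item.
STRICT = r"^(10\.19\.5\.1|10\.19\.5\.2)$"

def allowed_stations(pattern: str, candidates) -> list:
    """List which Calling-Station-Id values a '=~ pattern' item would accept."""
    return [c for c in candidates if check_item_matches("=~", pattern, c)]

# Constructed sample Calling-Station-Id values, including addresses that
# merely contain the intended ones as a substring.
SAMPLE_STATIONS = [
    "10.19.5.1",    # intended
    "10.19.5.2",    # intended
    "10.19.5.10",   # contains "10.19.5.1" as a prefix
    "10.19.5.11",   # same
    "110.19.5.1",   # contains "10.19.5.1" after a leading digit
    "10.19.5.3",    # neither pattern should admit this one
]

if __name__ == "__main__":
    print("loose :", allowed_stations(LOOSE, SAMPLE_STATIONS))
    print("strict:", allowed_stations(STRICT, SAMPLE_STATIONS))
```

The loose pattern accepts five of the six constructed values, the anchored one only the two intended hosts; the same escaping and anchoring applies whenever `=~` is used as an authorization condition rather than a convenience match.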
question about logging facilities
Hi,

I'm wondering if there's a way to log all the "error" logs (like failed logins and so on) into a mysql table instead of the standard radius logfile? I have googled around a bit, but haven't found anything useful yet :(

Cheers
Anders
Re: raddb/users, having OR conditions
On Mon, Aug 23, 2004 at 10:15:00PM +0200, Adam KOSA wrote:

I had asked the same question months ago and I was told that it is not possible...

> Hi List
>
> I'm sorry if this is a basic question here. I just set up freeradius,
> using it to authenticate to network devices (instead of local auth). I got
> it up almost fine. In my raddb/users file, I have the following:
>
> test Auth-Type := Local, User-Password == "test", Simultaneous-Use :=
> 10, Calling-Station-Id == "10.19.5.1"
>         Service-Type = Login,
>         cisco-avpair="shell:priv-lvl=15"
>
> I understand that in the first line I can set up conditions, separated
> by commas, which all have to be true to permit login. How can I set up
> an OR condition? I'm thinking about letting more IPs in via radius,
> not only allowing login from ip 10.19.5.1.
>
> Currently I duplicated the "test" user and the second entry has another
> IP - this way I can login from both IPs. But I don't like that I had
> to duplicate the password, and every setting. But being new to
> freeradius I know no more ways.
>
> I'd be grateful if one could describe a solution.
>
> Thanks
> Adam

-- 
Kostas Zorbadelos
Currently at: Otenet IT Department
Re: Problem compiling freeradius-1.0.0
Hi,

> When I try to compile freeradius, it shows:
(snipp)
> Somebody can help me?

If you provide some more information (e.g. what system are you compiling on? Which openssl version are you using?) somebody _might_ be able to help.

Stefan
Feature request/possible anyway?
Hiya

Having a real good go at optimising our radius servers these last few days :)

I have a requirement where for a request from a particular pool of NASes I need to return 3 entries identical every time, and the 4th entry needs to be one from a list of 10, chosen randomly (or in sequence), as long as typically a different one is returned each time.

At present I am achieving this by "ORDER BY rand()" in the SQL, but as there is only one set of return data typically I was wondering if it is possible to do this in the users file on the DEFAULT for the group? And if not, could I request it as a feature please? Not sure how it would be implemented but I would imagine a syntax of something like:

attribute-name = rand[value1;value2;value3;value4]

or something similar.

-- 
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk/)
Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
Re: PEAP + per session WEP
It's a function of your access point. FreeRADIUS delivers the necessary keying data. Your access point (authenticator) has to use it to produce the WEP keys. Similarly, your wireless client (supplicant) produces its keying data, and the two of them can negotiate the WEP keys together. Thus, _both_ link partners have to support dynamic WEP keying and be compatible in this regard. Under MS Windows you say "the key is delivered by the network" or something like this in the wireless network settings.

ciao
artur

Ivan Hernández Serrano wrote:
> Hi,
>
> I am using freeradius 1.0.0; at this moment it uses PEAP and everything goes fine. Now, I would like to generate a dynamic WEP key per client, but I have no clue how to do it. I have been searching in the mail archives and in the docs without any results.
>
> I will appreciate if anyone can either give me a hint or give me the location of some references.
>
> Thanks in advance,
> ivan
Re: mschap2 with encryption problem
Yes, mschap is enabled. When the user is connecting using mschapv2 without encryption everything is fine but as soon as the encryption is enabled the following errors appear in the logs:

Wed Aug 25 10:06:05 2004 : Error: No memory
Wed Aug 25 10:06:05 2004 : Auth: Login OK: [uldis/]
Wed Aug 25 10:06:05 2004 : Error: rlm_sql: Stop packet with zero session length.

Any ideas?

Edgars

Thor Spruyt wrote:
> Edgars wrote:
> > I have problems when using a PPTP connection (mschap2 with encryption). Are there any special settings to set in the clients.conf file because the user side can't connect to the NAS? With PAP everything works perfectly. Currently in client.conf I have the following:
> >
> > client 10.5.8.103 {
> > 	secret = xxx
> > 	shortname = pptp_test
> > }
> >
> > What should I add here to make mschap2 with encryption work? Thank you anyway!
>
> Nothing. This is only used to identify the NAS. You need to check in radiusd.conf that the mschap module is used.