Howto for EAP-TTLS/PEAP?
Hi,

I want to set up EAP-TTLS/PEAP for my wlan. I can find lots of howtos for setting up EAP-TLS with freeradius. But is there any howto for EAP-TTLS or PEAP?

-- 
Regards
Christoph

Christoph Litauer [EMAIL PROTECTED]
Uni Koblenz, Rechenzentrum, http://www.uni-koblenz.de/~litauer
Postfach 201602, 56016 Koblenz
Fon: +49 261 287-1311, Fax: -100 1311
PGP-Key: http://www.uni-koblenz.de/~litauer/public-key.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Ntlm_auth how-to
Does this mean I don't have to edit the config files for winbindd and nmbd?

The freeradius server is not on the same subnet as the domain controller (NT4), and neither are my clients, and the clients locate the domain controller via WINS. Don't I need to configure the freeradius server with WINS too, then?

Thanks,
Øystein Gåsdal

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: 1 October 2004 16:38
To: [EMAIL PROTECTED]
Subject: Re: Ntlm_auth how-to

Øystein Gåsdal [EMAIL PROTECTED] wrote:
> Anybody got a step by step guide how to set up freeradius to work with authentication against a nt-domain?

  raddb/radiusd.conf, see ntlm_auth.

  Or, if your users are only using PAP passwords, not MS-CHAP, see rlm_smb, and experimental.conf. It should take only a few minutes to set up rlm_smb, it's pretty simple.

> It seems to me that it should be enough just to un-comment a few lines in radiusd.conf, and provide the domain name, but how does the freeradius server know *where* to find the domain, for example?

  It's often in the User-Name attribute.

> I will provide debug logs and everything if anyone is willing to help (or maybe anyone has already written a guide for this? :)

  There are very few guides for the server. Most configuration is documented in the configuration files, leaving the administrator to figure it out for himself.

  Alan DeKok.
Digest auth against LDAP
Hi Freeradius Users,

I want digest auths to be validated against an LDAP database and I get the error:

rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
modcall[authenticate]: module ldap returns invalid for request 2
modcall: group Auth-Type returns invalid for request 2
auth: Failed to validate the user.

When testing the ldap module with

radtest user password localhost 1 sharedsecret

everything works fine. I get

rad_check_password: Found Auth-Type LDAP
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 3
rlm_ldap: - authenticate
rlm_ldap: login attempt by username with password xx
radius_xlat: '(cn=username)'
radius_xlat: 'dc=yy,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=yy,dc=de, with filter (cn=user)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: CN=username,OU=User,DC=user,DC=de
rlm_ldap: (re)connect to ldap:389, authentication 1
rlm_ldap: bind as CN=username,OU=User,DC=yy,DC=de/xx to ldap:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user username authenticated succesfully
modcall[authenticate]: module ldap returns ok for request 3
modcall: group Auth-Type returns ok for request 3
Sending Access-Accept of id 242 to 127.0.0.1:32823
Finished request 3

Is there a problem of translating the digest password into an LDAP password or something like that? I really don't understand what's going on :(

Jan Jankowski
**SPAM** user auth with cisco 350 ap
hi all,

I would like to know if it is possible, using a cisco ap350, to authenticate a user by radius using a login and password. I've tried to use mac authentication and I haven't any problem, but I have trouble using a simple authentication with login and passwd.

Can anyone help me?

regards,
gio
Re: Kill online user
Hello,

RouterOS will have such a feature that you can kick a user off from the radius server while he is online.

Edgars

Nurul Faizal Bin M.Shukeri wrote:
> Hi again,
> How am I going to kill online users other than radkill, may be ucd-snmp. Anyone can help me..
>
> Nurul Faizal Bin M.Shukeri
> Pusat Komputer, Universiti Sains Malaysia.
Exec-Program help
Hi all,

I have a problem using Exec-Program. I've put the line in the radreply table

(4,'test1','Exec-Program',':=','/path/script')

but the script was not executed. Can anybody tell me why?

script:

#!/bin/bash
ps aux | grep radiusd > result

When I executed the script from the shell (Linux) it works but nothing happens when it is called from radiusd. And radiusd tells the following when run in debug mode:

radius_xlat: '/path/script'
Exec-Program: /path/script

Thanks in advance.
Ivo Petrov
Re: Exec-Program and iproute2
On Sun, Oct 03, 2004 at 02:22:17AM -0700, Ivo Petrov wrote:
> Hi all,
> I'm trying to shape ppp+ interfaces after successful authentication using Exec-Program. radiusd runs as root, in mysql radreply table the last row for the user contains: Exec-Program = '/etc/ppp/shd %f'. Freeradius version is 1.0.1, MySQL 4.0.21, Slackware 10, pptpd 1.2.1, iproute2 (ip, tc). When user connects to the pptpd everything is OK, link goes up, but the ppp interface is not shaped. If I run shaping script outside the radius it works. In radius.log the stage of executing the script is noted with correctly transferred value of attribute %f, script is owned by root (same as radiusd), there isn't an error of any kind, but this automation doesn't work.

radiusd may be owned by root, but FreeRADIUS may be set to drop permissions. I'd suggest a wrapper script that logs calls so you can see what's happening or not happening.

> Can anyone tell me where could the mistake or my misunderstanding in implementing Exec-Program attribute.

-- 
Paul "TBBle" Hampson, on an alternate email client.
Re: Exec-Program help
Hello,

see what's written in logs. Try Exec-Program-Wait instead.

Edgars

Ivo Petrov wrote:
> Hi all,
> I have a problem using Exec-Program. I've put the line in the radreply table
> (4,'test1','Exec-Program',':=','/path/script')
> but the script was not executed. Can anybody tell me why?
>
> script:
> #!/bin/bash
> ps aux | grep radiusd > result
>
> When I executed the script from the shell (Linux) it works but nothing happens when it is called from radiusd. And radiusd tells the following when run in debug mode:
> radius_xlat: '/path/script'
> Exec-Program: /path/script
>
> Thanks in advance.
> Ivo Petrov
Re: Exec-Program help
On Mon, Oct 04, 2004 at 02:20:49AM -0700, Ivo Petrov wrote:
> I have a problem using Exec-Program. I've put the line in the radreply table
> (4,'test1','Exec-Program',':=','/path/script')
> but the script was not executed. Can anybody tell me why?
>
> script:
> #!/bin/bash
> ps aux | grep radiusd > result
>
> When I executed the script from the shell (Linux) it works but nothing happens when it is called from radiusd.

Are you sure it didn't run... Try redirecting to an absolute path rather than relative... Somewhere the user FreeRADIUS is running as has permission to use.

-- 
Paul "TBBle" Hampson, on an alternate email client.
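Paul's wrapper-script suggestion and absolute-path advice, together with Edgars' pointer to Exec-Program-Wait, as an added example that is not code from the thread or from FreeRADIUS: a wrapper that records the identity radiusd actually runs the script as, the working directory a relative redirect such as `> result` would land in, the arguments and PATH, and then the real script's exit status. The log path /var/log/radius/exec-wrapper.log and the wrapped script path /etc/ppp/shd are assumptions (the latter is the shaping script named in the thread).

```python
#!/usr/bin/env python3
"""Logging wrapper for a FreeRADIUS Exec-Program / Exec-Program-Wait script.

Added example, not code from the thread or from FreeRADIUS. Point the
attribute at this wrapper instead of the real script, e.g.
    Exec-Program-Wait := '/usr/local/bin/exec-wrapper.py %f'
The wrapper logs who radiusd really runs the script as (after any privilege
drop), the cwd, arguments and PATH, runs the real script with the same
arguments, and logs its exit status. Nothing is written to stdout, because
Exec-Program-Wait parses stdout as reply attributes.
"""
import datetime
import os
import shlex
import subprocess
import sys

LOG_PATH = "/var/log/radius/exec-wrapper.log"  # assumption: must be writable by the radiusd user
REAL_SCRIPT = "/etc/ppp/shd"                   # assumption: the shaping script from the thread


def describe_call(argv, environ, cwd, uid, gid):
    """One log line with the facts a silently failing Exec-Program usually hinges on:
    effective uid/gid, cwd (where a relative redirect would land), PATH and the
    arguments radiusd expanded from the attribute value (%f etc.)."""
    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f"{stamp} euid={uid} egid={gid} cwd={cwd} "
        f"path={environ.get('PATH', '<unset>')} "
        f"args={shlex.join(argv) if argv else '<none>'}"
    )


def append_log(line, log_path=LOG_PATH):
    """Append to the absolute log path. On failure report to stderr (which
    radiusd -X shows) and return False so the caller knows the record was lost:
    an unwritable log is itself evidence of a permission problem."""
    try:
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
        return True
    except OSError as exc:
        print(f"exec-wrapper: cannot write {log_path}: {exc}", file=sys.stderr)
        return False


def run_real_script(argv, real_script=REAL_SCRIPT):
    """Run the wrapped script with radiusd's arguments and return its exit status;
    127 if it could not be started at all (the shell's convention)."""
    try:
        return subprocess.call([real_script, *argv])
    except OSError as exc:
        print(f"exec-wrapper: cannot run {real_script}: {exc}", file=sys.stderr)
        return 127


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    append_log("CALL " + describe_call(argv, os.environ, os.getcwd(),
                                       os.geteuid(), os.getegid()))
    status = run_real_script(argv)
    append_log(f"EXIT status={status} args={shlex.join(argv) if argv else '<none>'}")
    return status


if __name__ == "__main__":
    sys.exit(main())
```

If the CALL line never appears, radiusd did not start the wrapper; if it appears with an unexpected euid or cwd, that is the permission or path problem the thread circles around.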
Re: dialup_admin - RADIUS Clients. Nothing showing...?
Kostas Kalevras wrote:
> On Mon, 13 Sep 2004, Evert Meulie wrote:
>> Hi everyone!
>> When I go into dialup_admin and then click on RADIUS clients, no clients are showing, even though I know that one/more clients are active. How do I fix this...?
>
> Enable sql_debug. Also do you have clients configured in sql or in the clients.conf? The RADIUS Client page will work with sql based client info.

Which table is being used for this data?

Regards,
Evert
Re: dialup_admin - RADIUS Clients. Nothing showing...?
On Mon, 4 Oct 2004, Evert Meulie wrote:
> Kostas Kalevras wrote:
>> On Mon, 13 Sep 2004, Evert Meulie wrote:
>>> Hi everyone!
>>> When I go into dialup_admin and then click on RADIUS clients, no clients are showing, even though I know that one/more clients are active. How do I fix this...?
>>
>> Enable sql_debug. Also do you have clients configured in sql or in the clients.conf? The RADIUS Client page will work with sql based client info.
>
> Which table is being used for this data?

The nas table. It can be configured from the sql_nas_table directive.

> Regards,
> Evert

-- 
Kostas Kalevras Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Define Vendor-Specific Attribute in MYSql freeradius with vendor dictionaries how?
Hi Alan DeKok,

10x for the help. I was just wondering about the vendor dictionaries you told about; I will be glad if you can be more specific.

10x again
Elad
Re: Digest auth against LDAP
On Mon, 4 Oct 2004, Jankowski, Jan wrote:
> Hi Freeradius Users,
> I want digest auths to be validated against an LDAP database and I get the error:
>
> rlm_ldap: - authenticate
> rlm_ldap: Attribute User-Password is required for authentication.
> modcall[authenticate]: module ldap returns invalid for request 2
> modcall: group Auth-Type returns invalid for request 2
> auth: Failed to validate the user.

You don't use ldap for authentication, but digest. Put that module in the authenticate section. Just configure the ldap module to extract the user password during authorization to be used by the digest module (I would also suggest placing the digest module before ldap in the authorize section).

> When testing the ldap module with
> radtest user password localhost 1 sharedsecret
> everything works fine. I get
>
> rad_check_password: Found Auth-Type LDAP
> auth: type LDAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 3
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by username with password xx
> radius_xlat: '(cn=username)'
> radius_xlat: 'dc=yy,dc=de'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=yy,dc=de, with filter (cn=user)
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: user DN: CN=username,OU=User,DC=user,DC=de
> rlm_ldap: (re)connect to ldap:389, authentication 1
> rlm_ldap: bind as CN=username,OU=User,DC=yy,DC=de/xx to ldap:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user username authenticated succesfully
> modcall[authenticate]: module ldap returns ok for request 3
> modcall: group Auth-Type returns ok for request 3
> Sending Access-Accept of id 242 to 127.0.0.1:32823
> Finished request 3
>
> Is there a problem of translating the digest password into an LDAP password or something like that? I really don't understand what's going on :(
>
> Jan Jankowski

-- 
Kostas Kalevras Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: RE : radgroupreply
On Sun, 3 Oct 2004, EROS wrote:
> I'm still trying to make the radgroupreply work but it doesn't want. Does somebody have it working (which freeradius version...) and how do I do to succeed? thx
>
> modcall: entering group redundant for request 0
> radius_xlat: 'test001'
> rlm_sql (sql1): sql_set_user escaped user -- 'test001'
> rlm_sql (sql1): Reserving sql socket id: 3
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test001' ORDER BY id'
> rlm_sql (sql1): User found in radcheck table
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test001' ORDER BY id'
> rlm_sql (sql1): Released sql socket id: 3

The group queries don't seem to be called at all. What do you have in your sql.conf?

-- 
Kostas Kalevras Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: dialup_admin - RADIUS Clients. Nothing showing...?
Kostas Kalevras wrote:
> On Mon, 4 Oct 2004, Evert Meulie wrote:
>> Kostas Kalevras wrote:
>>> On Mon, 13 Sep 2004, Evert Meulie wrote:
>>>> Hi everyone!
>>>> When I go into dialup_admin and then click on RADIUS clients, no clients are showing, even though I know that one/more clients are active. How do I fix this...?
>>>
>>> Enable sql_debug. Also do you have clients configured in sql or in the clients.conf? The RADIUS Client page will work with sql based client info.
>>
>> Which table is being used for this data?
>
> The nas table. It can be configured from the sql_nas_table directive.

OK. Thanks for all the quick help! :) One more question though... What is the correct format for the nas-table? :-)

Regards,
Evert
Re: Installation problem in Solaris 2.6 error: AF_INET undeclared
Hi, thanks for the answer. Which config.h file? The find command shows me 13 config.h files:

bash-3.00# find . -name config.h -print
./libltdl/config.h
./src/modules/rlm_attr_rewrite/config.h
./src/modules/rlm_checkval/config.h
./src/modules/rlm_counter/config.h
./src/modules/rlm_eap/types/rlm_eap_peap/config.h
./src/modules/rlm_eap/types/rlm_eap_sim/config.h
./src/modules/rlm_eap/types/rlm_eap_tls/config.h
./src/modules/rlm_eap/types/rlm_eap_ttls/config.h
./src/modules/rlm_ippool/config.h
./src/modules/rlm_pam/config.h
./src/modules/rlm_radutmp/config.h
./src/modules/rlm_sql/drivers/rlm_sql_mysql/config.h
./src/modules/rlm_unix/config.h

Also ./configure shows this:

checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking for regex.h... (cached) yes
creating ./config.status
creating Makefile
creating config.h
config.h is unchanged

Thanks in advance.
HC

Hernan Cortez [EMAIL PROTECTED], 01-10-2004 23:26
To: [EMAIL PROTECTED]
Subject: Installation problem in Solaris 2.6 error: AF_INET undeclared

> Hi, i'm trying to install freeradius v1.0.1 in solaris 2.6, however when i try to compile it shows the following errors:
>
> misc.c:355: error: `AF_INET6' undeclared (first use in this function)
> misc.c:355: error: (Each undeclared identifier is reported only once
> misc.c:355: error: for each function it appears in.)
>
> I see this message in a previous post, however I can't find the solution. Could anybody help me?
>
> Thanks,
> Hernán Cortez
Re: Installation problem in Solaris 2.6 error: AF_INET undeclared
Sorry, i didn't post the answer in the last reply.

Hi, thanks for the answer. Which config.h file? The find command shows me 13 config.h files:

bash-3.00# find . -name config.h -print
./libltdl/config.h
./src/modules/rlm_attr_rewrite/config.h
./src/modules/rlm_checkval/config.h
./src/modules/rlm_counter/config.h
./src/modules/rlm_eap/types/rlm_eap_peap/config.h
./src/modules/rlm_eap/types/rlm_eap_sim/config.h
./src/modules/rlm_eap/types/rlm_eap_tls/config.h
./src/modules/rlm_eap/types/rlm_eap_ttls/config.h
./src/modules/rlm_ippool/config.h
./src/modules/rlm_pam/config.h
./src/modules/rlm_radutmp/config.h
./src/modules/rlm_sql/drivers/rlm_sql_mysql/config.h
./src/modules/rlm_unix/config.h

Also ./configure shows this:

checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking for regex.h... (cached) yes
creating ./config.status
creating Makefile
creating config.h
config.h is unchanged

Thanks in advance.
HC

[EMAIL PROTECTED], 02-10-2004 09:55
To: [EMAIL PROTECTED]
Subject: Re: Installation problem in Solaris 2.6 error: AF_INET undeclared

> Hi,
>
>> Hi, i'm trying to install freeradius v1.0.1 in solaris 2.6, however when i try to compile it shows the following errors:
>>
>> misc.c:355: error: `AF_INET6' undeclared (first use in this function)
>> misc.c:355: error: (Each undeclared identifier is reported only once
>> misc.c:355: error: for each function it appears in.)
>
> What I have been doing is manually undefining HAVE_INET_PTON and HAVE_INET_NTOP in the configure-generated config.h after running configure.
>
> The proper fix probably would be to replace the check for the availability of inet_pton by testing compilation of a dummy main involving both inet_pton and AF_INET6 (and similar for inet_ntop), however, since I don't have AF_INET6, I can't really test if the trivial modification that I'd do locally does break compilation on systems which do support IPv6 (e.g. thanks to a typing error on my part), so I can't submit a patch...
>
> HTH,
> Stefan
eap/tls question
We are using freeradius 1.0.1 for eap/tls authentication with no problems so far. One of our customers has a pki infrastructure, where some employees have the same name and therefore the same CN in their certificate. To distinguish between them, we would like to use the certificate's subject, which is unique, and which in principle is available during negotiation, as can be seen in ./src/modules/rlm_eap/types/rlm_eap_tls/cb.c.

My question is: Would it be possible to introduce a configuration parameter check_cert_subject similar to check_cert_cn, which checks the subject instead of the CN? The CN seems to be transmitted as User-Name in the beginning of the communication process, where the certificate's subject is hidden somewhere deep in EAP messages and transmitted at a later point of the communication (too late??)

If yes: What would be the best way to implement this functionality?

Thanks
Norbert Wegener
Re: CHAP+MS-CHAP+freeRADIUS
Mahesh S Kudva [EMAIL PROTECTED] wrote:
> I did the same:
>
> username Auth-Type:= CHAP, CHAP-Password == test
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP
>
> But still the server rejects the user.

  sigh

  Configure a CLEAR-TEXT password for the user, using the User-Password attribute. DO NOT set Auth-Type. The server will figure it out.

  Alan DeKok.
Re: Howto for EAP-TTLS/PEAP?
Christoph Litauer [EMAIL PROTECTED] wrote:
> I want to set up EAP-TTLS/PEAP for my wlan. I can find lots of howtos for setting up EAP-TLS with freeradius. But is there any howto for EAP-TTLS or PEAP?

  Nope. Configure EAP-TLS, and then the ttls{} and peap{} subsections of the eap{} configuration. Configure a user clear-text password. If EAP-TLS works, then EAP-TTLS will work.

  There's no HOWTO for TTLS or PEAP because 99.9% of the work of setting them up is getting EAP-TLS to work.

  Alan DeKok.
Re: Ntlm_auth how-to
Øystein Gåsdal [EMAIL PROTECTED] wrote:
> Does this mean I don't have to edit the config files for winbindd and nmbd?

  I have no idea.

> The freeradius server is not on the same subnet as the domain controller (NT4), and neither are my clients, and the clients locate the domain controller via WINS.

  So? Can the machine running FreeRADIUS send packets to the domain controller?

  Get ntlm_auth working on the command line, by hand, from the machine running FreeRADIUS. Once that works, it will work in FreeRADIUS, too.

> Don't I need to configure the freeradius server with WINS too, then?

  No.

  Alan DeKok.
Re: Digest auth against LDAP
Jankowski, Jan [EMAIL PROTECTED] wrote:
> Is there a problem of translating the digest password into an LDAP password or something like that? I really don't understand what's going on :(

  The default configuration for the digest module in the server is commented out, but correct. Uncomment it, and configure a clear-text password for the user in LDAP. It will work.

  Alan DeKok.
Re: **SPAM** user auth with cisco 350 ap
Giovanni Torrisi [EMAIL PROTECTED] wrote:
> i would know if is it possible using cisco ap350 to authenticate a user by radius using a login and password

  Using EAP, yes.

  Alan DeKok.
Re: Freeradius, Cisco Catalyst 2950, Windows Domain
M.Cerqui - PUBLISHERIA [EMAIL PROTECTED] wrote:
> 1. How do I have to configure the Windows XP Client? I found out, that the only setup that tries to authenticate before the users logs in is PEAP with "Authenticate as computer when information is available". Is that correct?

  Yes.

> Is there a possibility to send user name and password of the user before the domain login?

  That will happen automatically when you use PEAP.

> 2. How do I configure the FreeRadius server? I tried it with PEAP and host/myhostname.mydomain.com but I got an error (see below). Who do I have to specify the password for this?
> ...
> rlm_eap_peap: Had sent TLV failure, rejecting.

  sigh

  If you're only going to read the last few lines of the debug log, then there's no point in running the server in debugging mode.

  Please either read, or post, the rest of the debug log. It WILL tell you what's going wrong, and why.

  Alan DeKok.
Re: Define Vendor-Specific Attribute in MYSql freeradius with vendor dictionaries how?
Elad Kugman [EMAIL PROTECTED] wrote:
> I just wondering about the vendor dictionaries you told about i will be glad if you can be more specific .

  About what? You haven't said what you want to do.

  Read your NAS documentation to see what vendor attributes it expects. Read through the vendor dictionaries to see if those attributes are defined in FreeRADIUS. Then, use those attributes just like any other attributes.

  Alan DeKok.
Re: eap/tls question
On Mon, 4 Oct 2004, Norbert Wegener wrote:
> We are using freeradius 1.0.1 for eap/tls authentication with no problems so far. One of our customers has a pki infrastructure, where some employees have the same name and therefore the same CN in their certificate. To distinguish between them, we would like to use the certificate's subject, which is unique, and which in principle is available during negotiation, as can be seen in ./src/modules/rlm_eap/types/rlm_eap_tls/cb.c.
>
> My question is: Would it be possible to introduce a configuration parameter check_cert_subject similar to check_cert_cn, which checks the subject instead of the CN?

As far as i know, there's no CN in a certificate, just the Subject Name. So you can use the check_cert_cn to check exactly that.

> The CN seems to be transmitted as User-Name in the beginning of the communication process, where the certificate's subject is hidden somewhere deep in EAP messages and transmitted at a later point of the communication (too late??)

No. A User-Name attribute is transmitted along with the EAP TLS data but that has nothing to do with the certificate.

> If yes: What would be the best way to implement this functionality?
>
> Thanks
> Norbert Wegener

-- 
Kostas Kalevras Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Freeradius, Cisco Catalyst 2950, Windows Domain
" That will happen automatically when you use PEAP. ..." Are you sure with this? The catalyst and Freeradius don't even move a bit before a successful windows login if I only use this "use user information from windows login" option. Only when I activate "Authenticate as computer when information is available" the Freeradius Server "does something" before a successful login. Thanks Marco Alan DeKok wrote: "M.Cerqui - PUBLISHERIA" [EMAIL PROTECTED] wrote: 1. How do I have to configure the Windows XP Client? I found out, that the only setup that tries to authenticate before the users logs in is PEAP with "Authenticate as computer when information is available". Is that correct? Yes. Is there a possibility to send user name and password of the user before the domain login? That will happen automatically when you use PEAP. 2.How do I configure the FreeRadius server? I tried it with PEAP and host/myhostname.mydomain.com but I got an error (see below). Who do I have to specify the password for this? ... rlm_eap_peap: Had sent TLV failure, rejecting. sigh If you're only going to read the last few lines of the debug log, then there's no point in running the server in debugging mode. Please either read, or post, the rest of the debug log. It WILL tell you what's going wrong, and why. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius tls/peap XP
Hi everybody,

I just followed the howto http://dslrcs.clanspace.com/forum/remark,9286052 + the EAPTLS howto, using the same hw as the document: AP ZyAIR B1000v2, PCMCIA XP ZyAIR G-100. I don't see any log between the AP and Freeradius... The certificates were installed on XP like a charm but still I don't understand how to make something appear in the log:

Cesare

~ # radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = /usr/local/radius
 main: localstatedir = /usr/local/radius/var
 main: logdir = /usr/local/radius/var/log/radius
 main: libdir = /usr/local/radius/lib
 main: radacctdir = /usr/local/radius/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/radius/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/radius/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/radius/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/radius/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /prove/SSL2/cert-srv.pem
 tls: certificate_file = /prove/SSL2/cert-srv.pem
 tls: CA_file = /prove/SSL2/demoCA/cacert.pem
 tls: private_key_password = porcozio
 tls: dh_file = /prove/SSL2/dh
 tls: random_file = /prove/SSL2/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/radius/etc/raddb/huntgroups
 preprocess: hints = /usr/local/radius/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
 realm: format =
Re: eap-ttls on OS X
Philip Ershler [EMAIL PROTECTED] wrote:
> OK, so here is where I'm confused. Andreas Wolf put together a binary distribution of freeradius with a module for osxauth.

  Ah, OK.

> He made the statement that if one sets auth_type to system, the server would figure out which module to call.

  I'm suspicious it may not work. Try setting Auth-Type = osxauth. If the server accepts that, it should work.

  Alan DeKok.
No memory error
Hello,

I'm finding such errors in the logs. But I know that there is 40MB free memory on the radius server, so how could it be explained?

Mon Oct 4 17:02:58 2004 : Error: No memory
Mon Oct 4 17:02:58 2004 : Auth: Login OK: [edgars/no User-Password attribute] (from client Test port 46 cli 1.1.1.2)
Mon Oct 4 17:04:05 2004 : Error: No memory
Mon Oct 4 17:04:05 2004 : Auth: Login OK: [edgars/no User-Password attribute] (from client Test port 47 cli 1.1.1.2)

Thanks!
Edgars
Re: CHAP+MS-CHAP+freeRADIUS
Isn't it a security problem (clear text password) to permit CHAP? On Monday 4 October 2004 09:18, Alan DeKok wrote: Mahesh S Kudva [EMAIL PROTECTED] wrote: I did the same: username Auth-Type:= CHAP, CHAP-Password == test Service-Type = Framed-User, Framed-Protocol = PPP But still the server rejects the user. sigh Configure a CLEAR-TEXT password for the user, using the User-Password attribute. DO NOT set Auth-Type. The server will figure it out. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius, Cisco Catalyst 2950, Windows Domain
M.Cerqui - PUBLISHERIA [EMAIL PROTECTED] wrote: Are you sure with this? If configured correctly, yes. The catalyst and Freeradius don't even move a bit before a successful windows login if I only use this use user information from windows login option. So you've configured the AP windows machine to NOT use FreeRADIUS for authentication. Only when I activate Authenticate as computer when information is available the Freeradius Server does something before a successful login. Since you're not going to post the debug log to explain what does something means, even after you were asked to post it, I really help you. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP+MS-CHAP+freeRADIUS
Luis Daniel Lucio Quiroz wrote: Isn't it a security problem (clear text password) to permit CHAP? Depending on your configuration, it may be one. Essentially, there are two possible points of attack:
- the network: Try to intercept the password during transfer.
- the configuration files: Try to read/modify user passwords.
Now you can use either PAP (transfer clear-text password and compare its hash value with the hash value stored on the server) - safe against stealing passwords from the server (only the hash value is stored), but risky if your network is not secure. Or you can use CHAP (get a challenge, encrypt the challenge using your password as encryption key; the server needs to know the correct encryption key to verify the correctness of the client's encryption) - safe against snooping on the network, but the password is stored on the server. From my point of view, if you can steal passwords from the server, you likely can steal the information needed to send false accept packets as well, i.e. if an attacker can get to the CHAP passwords, your security is compromised anyway and there (usually) is more interesting stuff for the attacker than stealing passwords. OTOH, network sniffing is easily done, so PAP really isn't a good alternative, even though it's not quite as dumb as my description makes it sound (it's not really clear text, it's encrypted using the shared RADIUS secret, but there you can try dictionary attacks and it's stored on both client and server in clear text, so if you think CHAP is a problem, then PAP is no better than a clear-text password transfer). Regards, Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
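Stefan's PAP/CHAP comparison, as an added example that is not part of the original post or of FreeRADIUS: a minimal Python implementation of RFC 2865 User-Password hiding (PAP) and CHAP-Password verification, showing that the PAP form is recoverable by anyone holding the shared secret, and that CHAP verification needs the clear-text password on the server. The shared secret, Request Authenticator and passwords are constructed sample values.

```python
import hashlib
import hmac

# Added example (not from the mailing-list post or FreeRADIUS): the two RADIUS
# password mechanisms compared above, as a client and server would process them.


def _pad16(data: bytes) -> bytes:
    """Pad to a multiple of 16 bytes with NULs; an empty password becomes 16 NULs."""
    padding = -len(data) % 16
    if not data:
        padding = 16
    return data + b"\x00" * padding


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP, RFC 2865 section 5.2: each 16-byte block of the padded password is XORed
    with MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator. The only key is the shared secret, so this is obfuscation keyed
    on the secret, not a one-way hash."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = _pad16(password)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does on receipt. Anyone holding the shared secret can
    do the same, which is why the secret's strength matters for PAP."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    # Strip the NUL padding (passwords with trailing NUL bytes are therefore not representable).
    return bytes(out).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password as the client builds it (RFC 2865 section 5.3):
    one byte CHAP Ident followed by MD5(Ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """CHAP verification on the server. It must recompute the MD5 over the clear-text
    password, so a user store holding only password hashes cannot serve CHAP."""
    if len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + stored_cleartext + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


if __name__ == "__main__":
    secret = b"testing123"            # constructed shared secret
    authenticator = bytes(range(16))  # constructed Request Authenticator (random in practice)
    hidden = hide_user_password(b"correct horse", secret, authenticator)
    print("PAP round trip:", unhide_user_password(hidden, secret, authenticator))
    resp = chap_response(1, b"correct horse", authenticator)
    print("CHAP ok:", chap_verify(resp, authenticator, b"correct horse"),
          "wrong password:", chap_verify(resp, authenticator, b"wrong"))
```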
Re: Installation problem in Solaris 2.6 error: AF_INET undeclared
Hernan Cortez wrote: Hi, thanks for the answer. Which config.h file? The find command shows me 13 config.h files: Sorry, I should have mentioned I was working from memory, without access to the sources at that moment - and of course I got the name wrong: The file I modified is src/include/autoconf.h After my modification, the relevant lines look like this: /* Define if you have the inet_ntop function. */ #undef HAVE_INET_NTOP /* Define if you have the inet_pton function. */ #undef HAVE_INET_PTON HTH, Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP+MS-CHAP+freeRADIUS
I rather prefer PAP; you only put at risk one account, not everybody. On Monday 4 October 2004 10:59, [EMAIL PROTECTED] wrote: Luis Daniel Lucio Quiroz wrote: Isn't it a security problem (clear text password) to permit CHAP? Depending on your configuration, it may be one. Essentially, there are two possible points of attack:
- the network: Try to intercept the password during transfer.
- the configuration files: Try to read/modify user passwords.
Now you can use either PAP (transfer clear-text password and compare its hash value with the hash value stored on the server) - safe against stealing passwords from the server (only the hash value is stored), but risky if your network is not secure. Or you can use CHAP (get a challenge, encrypt the challenge using your password as encryption key; the server needs to know the correct encryption key to verify the correctness of the client's encryption) - safe against snooping on the network, but the password is stored on the server. From my point of view, if you can steal passwords from the server, you likely can steal the information needed to send false accept packets as well, i.e. if an attacker can get to the CHAP passwords, your security is compromised anyway and there (usually) is more interesting stuff for the attacker than stealing passwords. OTOH, network sniffing is easily done, so PAP really isn't a good alternative, even though it's not quite as dumb as my description makes it sound (it's not really clear text, it's encrypted using the shared RADIUS secret, but there you can try dictionary attacks and it's stored on both client and server in clear text, so if you think CHAP is a problem, then PAP is no better than a clear-text password transfer). Regards, Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radclient disconnect
I've been trying to find out how to disconnect a currently logged-in user; radclient has a disconnect option, and I wonder if anyone on the list has managed to get it to work. The NAS is a Cisco AS5300. Thanks Armando Leal. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius, Cisco Catalyst 2950, Windows Domain
Sorry for my bad english... the problem is that I can't post any debug information because there isn't any. I start freeradius -X and turn debug radius on my catalyst on, but with the following windows xp configuration nothing occurs on the server and switch until I have logged in and the desktop is loaded. My Windows XP SP2 configuration: My Network Places / Ethernet Network Connection / Properties / Authentication:
Enable IEEE 802.1x authentication for this network - SELECTED
Authenticate as computer when computer information is available - NOT SELECTED
Authenticate as guest when user or computer information is unavailable - NOT SELECTED
EAP type: Protected EAP (PEAP) - Properties
Validate server certificate - NOT SELECTED
Enable Fast Reconnect - NOT SELECTED
Select Authentication Method: Secured password (EAP-MSCHAP v2) - Properties
Automatically use my Windows logon name and password (and domain if any) - SELECTED
Thanks for your help Marco -Original Message- From: Alan DeKok [mailto:[EMAIL PROTECTED] Sent: Monday, 4 October 2004 17:52 To: [EMAIL PROTECTED] Subject: Re: Freeradius, Cisco Catalyst 2950, Windows Domain M.Cerqui - PUBLISHERIA [EMAIL PROTECTED] wrote: Are you sure with this? If configured correctly, yes. The catalyst and Freeradius don't even move a bit before a successful windows login if I only use this use user information from windows login option. So you've configured the AP windows machine to NOT use FreeRADIUS for authentication. Only when I activate Authenticate as computer when information is available the Freeradius Server does something before a successful login. Since you're not going to post the debug log to explain what does something means, even after you were asked to post it, I really help you. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radclient disconnect
[EMAIL PROTECTED] wrote: I've been trying to find out how to disconnect a currently logged-in user; radclient has a disconnect option, and I wonder if anyone on the list has managed to get it to work. The NAS is a Cisco AS5300 Check the NAS documentation to see if it accepts disconnect packets, and what it expects to see in a disconnect packet. Then, create a packet and use radclient to send it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius, Cisco Catalyst 2950, Windows Domain
M.Cerqui - PUBLISHERIA [EMAIL PROTECTED] wrote: Sorry for my bad english... the problem is, that I can't post any debug information because there isn't any. I start freeradius -X and turn debug radius on my catalyst on, but with the following windows xp configuration nothing occurs on the server and switch until I have logged in and the desktop is loaded. If the windows box is accessing the network via wireless, without FreeRADIUS being involved, then you haven't configured the AP to require authentication. Fix that. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius + LDAP
Christopher Price [EMAIL PROTECTED] wrote: I am running freeradius 1.0.0 and I am attempting to configure an LDAP backend DB to authenticate Windows users. The Windows users are using PEAP with MSCHAPv2. Earlier I got the LDAP authentication working with clear passwords, but now that the passwords are being hashed. Which passwords are being hashed? Are the passwords in LDAP hashed, or clear-text? I know that LDAP stores cleartext passwords, Are you sure? If it did, then MS-CHAP would work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius, Cisco Catalyst 2950, Windows Domain
No wireless, wired environment! Authentication is required because the port goes into unauthenticated state and I haven't got any network access. [EMAIL PROTECTED] said... -Original Message- From: Alan DeKok [mailto:[EMAIL PROTECTED] Sent: Monday, 4 October 2004 21:07 To: [EMAIL PROTECTED] Subject: Re: Freeradius, Cisco Catalyst 2950, Windows Domain M.Cerqui - PUBLISHERIA [EMAIL PROTECTED] wrote: Sorry for my bad english... the problem is that I can't post any debug information because there isn't any. I start freeradius -X and turn debug radius on my catalyst on, but with the following windows xp configuration nothing occurs on the server and switch until I have logged in and the desktop is loaded. If the windows box is accessing the network via wireless, without FreeRADIUS being involved, then you haven't configured the AP to require authentication. Fix that. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
MYSQL Accounting Table Size?
My Mysql database is about 50 megs right now.. because of the accounting table. How large do most people let it get before rolling it? I guess other people will just roll it on a Time/Date basis in cron.. But what if I want to keep it for a year so I can pull stats out of it? Can it get to a couple of gig without problems? What is everyone else doing? Thanx Cris --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.768 / Virus Database: 515 - Release Date: 9/22/2004 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius + LDAP
Well, I had the LDAP auth working when I passed a cleartext password, so I assumed that they were stored in the clear. (I am not the administrator of the eDirectory server that I am authenticating against) I attempted to use the Microsoft built-in 802.1x client in conjunction with my wireless system, but it is not working when I use this method. The Windows clients are using PEAP-MSCHAPv2 and the authentication works if I use a local database on the freeradius server. As soon as I switch to a LDAP DB the authentication fails saying rlm_ldap: search failed. [EMAIL PROTECTED] 10/04 2:08 pm Christopher Price [EMAIL PROTECTED] wrote: I am running freeradius 1.0.0 and I am attempting to configure an LDAP backend DB to authenticate Windows users. The Windows users are using PEAP with MSCHAPv2. Earlier I got the LDAP authentication working with clear passwords, but now that the passwords are being hashed. Which passwords are being hashed? Are the passwords in LDAP hashed, or clear-text? I know that LDAP stores cleartext passwords, Are you sure? If it did, then MS-CHAP would work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius + LDAP
Christopher Price [EMAIL PROTECTED] wrote: Well, I had the LDAP auth working when I passed a cleartext password, so I assumed that they were stored in the clear. No. Read the debug log to see what kind of passwords are read from LDAP. I attempted to use the Microsoft built-in 802.1x client in conjunction with my wireless system, but it is not working when I use this method. Well, yes. The Windows clients are using PEAP-MSCHAPv2 and the authentication works if I use a local database on the freeradius server. As soon as I switch to a LDAP DB the authentication fails saying rlm_ldap: search failed. And the real debug log is... ? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MYSQL Accounting Table Size?
cris boisvert wrote: My Mysql database is about 50 megs right now.. because of the accounting table. How large do most people let it get before rolling it? My radacct table is over 500 MB / 1.3 million records right now. For now I'm just letting it grow. Make sure you have plenty of RAM though. If not, the database will become slow to query / insert and radius will stop dropping packets. Keith Yoder - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MYSQL Accounting Table Size?
I got 4 gigs of ram.. I hope it's enough.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Yoder Sent: Monday, October 04, 2004 3:52 PM To: [EMAIL PROTECTED] Subject: Re: MYSQL Accounting Table Size? cris boisvert wrote: My Mysql database is about 50 megs right now.. because of the accounting table. How large do most people let it get before rolling it? My radacct table is over 500 MB / 1.3 million records right now. For now I'm just letting it grow. Make sure you have plenty of RAM though. If not, the database will become slow to query / insert and radius will stop dropping packets. Keith Yoder - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MYSQL Accounting Table Size?
cris boisvert wrote: I got 4 gigs of ram.. I hope it's enough.. I've only got 1 so you should be fine. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MYSQL Accounting Table Size?
On Mon, 4 Oct 2004, cris boisvert wrote: My Mysql database is about 50 megs right now.. because of the accounting table. How large do most people let it get before rolling it? I guess other people will just roll it on a Time/Date basis in cron.. But what if I want to keep it for a year so I can pull stats out of it? Can it get to a couple of gig without problems? What is everyone else doing? I've got a 2.4GB innodb file with no problems. Though I would strongly recommend against maintaining full accounting for a year on your main radacct table. You could move old accounting (a few months old) to a different radacct table if you want, or you could just keep aggregated accounting on a different table for statistical purposes. The reason is that the larger your table, the more your indexes won't work correctly (a lot of rows for the same username, sessionid etc). -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : RE : radgroupreply
Hi, thanks for your help. I've commented out the sql { } lines, because it doesn't want to work with them. I have this line in my radiusd.conf:

sql sql1 {
	$INCLUDE ${confdir}/sql_local.conf
}

If I don't comment out the sql { } line in sql_local.conf, the debug tells me that it doesn't know the rlm_sql_sql1 driver. So now the sql_local.conf:

#
#  Configuration for the SQL module, when using MySQL.
#
#  The database schema is available at:
#
#       src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
#
#  If you are using PostgreSQL, please use 'postgresql.conf', instead.
#  If you are using Oracle, please use 'oracle.conf', instead.
#  If you are using MS-SQL, please use 'mssql.conf', instead.
#
#  $Id: sql.conf,v 1.41.2.1 2004/06/10 00:45:01 phampson Exp $
#
#sql {

	# Database type
	# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
	# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
	driver = rlm_sql_mysql

	# Connect info
	server = localhost
	login = X
	password = YY

	# Database table configuration
	radius_db = freeradius

	# If you want both stop and start records logged to the
	# same SQL table, leave this as is.  If you want them in
	# different tables, put the start table in acct_table1
	# and stop table in acct_table2
	acct_table1 = radacct
	acct_table2 = radacct

	# Allow for storing data after authentication
	postauth_table = radpostauth

	authcheck_table = radcheck
	authreply_table = radreply

	groupcheck_table = radgroupcheck
	groupreply_table = radgroupreply

	usergroup_table = usergroup

	# Remove stale session if checkrad does not see a double login
	deletestalesessions = yes

	# Print all SQL statements when in debug mode (-x)
	sqltrace = no
	sqltracefile = ${logdir}/sqltrace.sql

	# number of sql connections to make to server
	num_sql_socks = 5

	# number of seconds to dely retrying on a failed database
	# connection (per_socket)
	connect_failure_retry_delay = 60

	# Safe characters list for sql queries. Everything else is replaced
	# with their mime-encoded equivalents.
	# The default list should be ok
	#safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /

	###
	# Query config: Username
	###
	# This is the username that will get substituted, escaped, and added
	# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
	# everywhere a username substitution is needed so you you can be sure
	# the username passed from the client is escaped properly.
	#
	# Uncomment the next line, if you want the sql_user_name to mean:
	#
	#    Use Stripped-User-Name, if it's there.
	#    Else use User-Name, if it's there,
	#    Else use hard-coded string DEFAULT as the user name.
	#sql_user_name = %{Stripped-User-Name:-%{User-Name:-DEFAULT}}
	#
	sql_user_name = %{User-Name}

	###
	# Default profile
	###
	# This is the default profile. It is found in SQL by group membership.
	# That means that this profile must be a member of at least one group
	# which will contain the corresponding check and reply items.
	# This profile will be queried in the authorize section for every user.
	# The point is to assign all users a default profile without having to
	# manually add each one to a group that will contain the profile.
	# The SQL module will also honor the User-Profile attribute. This
	# attribute can be set anywhere in the authorize section (ie the users
	# file). It is found exactly as the default profile is found.
	# If it is set then it will *overwrite* the default profile setting.
	# The idea is to select profiles based on checks on the incoming packets,
	# not on user group membership. For example:
	# -- users file --
	# DEFAULT Service-Type == Outbound-User, User-Profile := outbound
	# DEFAULT Service-Type == Framed-User, User-Profile := framed
	#
	# By default the default_user_profile is not set
	#
	#default_user_profile = DEFAULT

	#
	# Determines if we will query the default_user_profile or the User-Profile
	# if the user is not found. If the profile is found then we consider the user
	# found. By default this
Re: Radclient disconnect
On 4 Oct 2004 at 15:05, Alan DeKok wrote: I am trying something like ./radclient -s 192.168.1.1 disconnect secret User-Name=username and on the NAS: aaa pod server server-key secret but radclient hangs, and I did a debug aaa pod on the NAS but no request is being sent. Have you managed to get it to work? It just hangs there.. [EMAIL PROTECTED] wrote: I've been trying to find out how to disconnect a currently logged-in user; radclient has a disconnect option, and I wonder if anyone on the list has managed to get it to work. The NAS is a Cisco AS5300 Check the NAS documentation to see if it accepts disconnect packets, and what it expects to see in a disconnect packet. Then, create a packet and use radclient to send it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
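The disconnect packet Alan describes, as an added example that is not part of the original posts, of radclient or of FreeRADIUS: it builds an RFC 3576 Disconnect-Request the way a client would, checks it the way the NAS must before dropping a session (recomputing the Request Authenticator with the shared secret), and validates the Disconnect-ACK that comes back. The shared secret, identifier, user name and session id are constructed sample values, and nothing is sent on the network.

```python
import hashlib
import hmac
import struct

# Added example (not radclient or FreeRADIUS code): RFC 3576 Disconnect-Request
# and Disconnect-ACK/NAK, built and verified without any network I/O.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID = 1, 44
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length covers the header)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(attrs: bytes) -> dict:
    """Split the attribute area into {type: value}; rejects malformed lengths."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        out[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return out


def build_disconnect_request(ident: int, secret: bytes, attrs: bytes) -> bytes:
    """Request Authenticator (RFC 3576 section 2.3) =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, HEADER_LEN + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAS-side check before honouring a Disconnect-Request: only a sender holding
    the shared secret can produce a valid Request Authenticator."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Disconnect-ACK/NAK: Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    auth = hashlib.md5(header + request[4:HEADER_LEN] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check that the ACK/NAK answers our request and was made with our secret."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN]
                           + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"secret"  # constructed; the poster's placeholder word for the shared key
    attrs = encode_attr(ATTR_USER_NAME, b"username") + encode_attr(ATTR_ACCT_SESSION_ID, b"00000123")
    req = build_disconnect_request(5, secret, attrs)  # identifier 5 is a constructed value
    print("NAS accepts request:", verify_request(req, secret), parse_attrs(req[HEADER_LEN:]))
    ack = build_response(DISCONNECT_ACK, req, secret)
    print("client accepts ACK:", verify_response(ack, req, secret))
```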