Divide Proxy-Authentication [virus checked]
Hi list, I can proxy [EMAIL PROTECTED] to [EMAIL PROTECTED] and [EMAIL PROTECTED] to [EMAIL PROTECTED] But is there a way to only authenticate the user there and deliver some other stuff (vlan, etc) from the local database? Thanks and greetings from Germany Norbert - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Certificate extensions
Hi,

I have a question regarding the following line in the CA.all script:

openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem

Does the use of the switch "-extensions" here (implying extended key usage) override some other key usages of the key? I ask this because when I print out the purpose of the certificate generated by the CA.all script, it does not show the key usages such as Digital Signature etc. and only shows TLS Web Server authentication. Whereas when I take the -extensions part out, I get a whole list of key usages.

Thanks,
Bilal
problem authenticating to passwd/shadow files
I am using freeradius (or trying) to authenticate my poptop (pptpd) clients. The configuration is as follows:

fedora core 2
freeradius 1.0.1
pptpd-1.2.1-1 and pppd 2.4.3 (compiled with radius plugin)

I can use ntradping to authenticate just fine, but when my client tries it fails. There appears, from the debug logs, to be a problem in the encryption of the client mschapv2 and of radiusd.conf which says mschap but that it can handle mschapv2.

scenario 1. When I do not have the radius plugin in my options.pptpd file, I can authenticate to the chap-secrets file (i.e. not using radius, my pptpd config works).

scenario 2. When I do have the radius plugin in the options.pptpd file, but turn off pap/chap/mschap req's in the same file, I can authenticate to radius.

scenario 3. When I have the radius plugin in the options.pptpd file, refuse pap/chap/mschap, require mschapv2 and mppe-128, authentication fails, with the following error from debug.

++
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
++

Before I attach a bunch of log files and config files I would like to know

1. if I am combining things that would prefer not to go together (i.e. this won't work!) or
2. if there is a drop in config that someone can point me towards (no reason to recreate the wheel).

Any help would be greatly appreciated!

cb
D-Link DWL-2700AP Enterprise Access Point
I have two questions:

1. I have recently completed a freeradius install and tested it using NTradping. Everything looks good. My access point is a D-Link DWL-2700AP outdoor access point. It supports (among other things) WPA-RADIUS and 802.1x. The AP is configured to use 802.1x on port 1812 for auth and 1813 for acctg. When I do a test with NTradping I can watch the requests come in. When I try to connect to AP I don't see any auth requests on the server. D-Link says the device is fully radius compliant. In the clients.conf I have the NAS configured as a type other since D-Link isn't in the list with the other vendors. I would like to know at least where I can get started troubleshooting the issue. Is there a Windows software utility that will let me read the info coming out of the NAS to see what it is sending? If more info is needed let me know so that I can forward it to the list.

2. This is possibly a dumb question. I apologize in advance if it is. We want to control upload and download bandwidth with the radius box. In order to do this does the radius server need to physically be connected between the NAS and internet router?

Gene
RE: setting User-Name to 'modified' mac address(continued)
Alan,

"" Perl supports "\w" in regular expressions. Posix expressions (which the libraries from your system the server uses) do not support "\w".""

How do I tell which 'libraries' are being used, hence the supported regex syntax/capabilities?

Thanks,

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Guevarra
Sent: Monday, October 18, 2004 4:31 PM
To: [EMAIL PROTECTED]
Subject: RE: setting User-Name to 'modified' mac address

Ok, Posix expressions are supported here, then shouldn't putting parentheses around the hex characters give me groups %{1}...%{6}?

I do this

DEFAULT Calling-Station-Id =~ "([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-
([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])"
        User-Name := `%{1}%{2}%{3}%{4}%{5}%{6}`

Instead of getting a mac address with no '-' I get a long weird combination of hex and '-'. I mapped out the ${x} groups and they are not what I expect, for example:

11-c0-4f-40-47-b4 becomes groups

%{1} = 11
%{2} = c0-4f
%{3} = 4f-40-47
%{4} = 40-47-b4
%{5} = 47-b4
%{6} = b4

Is my regex wrong or what?

Thanks,

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, October 18, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: setting User-Name to 'modified' mac address

Jose Guevarra <[EMAIL PROTECTED]> wrote:
> In my hints file i have
>
> DEFAULT Calling-Station-Id =~ "(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)"
>         User-Name := `%{0}`
>
> This should set the User Name to the hex characters in the mac address
> or 'something' at least

Or something... And if you're going to use %{0}, you don't need regular expressions. Just use "%{Calling-Station-Id}"

> However, in debug mode I can see that User-Name is not modified.
>
> In perl i can use the regex below and it seems to work

Perl supports "\w" in regular expressions. Posix expressions (which the libraries from your system the server uses) do not support "\w".

Alan DeKok.
RE: setting User-Name to 'modified' mac address
Ok, Posix expressions are supported here, then shouldn't putting parentheses around the hex characters give me groups %{1}...%{6}?

I do this

DEFAULT Calling-Station-Id =~ "([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-
([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])"
        User-Name := `%{1}%{2}%{3}%{4}%{5}%{6}`

Instead of getting a mac address with no '-' I get a long weird combination of hex and '-'. I mapped out the ${x} groups and they are not what I expect, for example:

11-c0-4f-40-47-b4 becomes groups

%{1} = 11
%{2} = c0-4f
%{3} = 4f-40-47
%{4} = 40-47-b4
%{5} = 47-b4
%{6} = b4

Is my regex wrong or what?

Thanks,

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, October 18, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: setting User-Name to 'modified' mac address

Jose Guevarra <[EMAIL PROTECTED]> wrote:
> In my hints file i have
>
> DEFAULT Calling-Station-Id =~ "(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)"
>         User-Name := `%{0}`
>
> This should set the User Name to the hex characters in the mac address
> or 'something' at least

Or something... And if you're going to use %{0}, you don't need regular expressions. Just use "%{Calling-Station-Id}"

> However, in debug mode I can see that User-Name is not modified.
>
> In perl i can use the regex below and it seems to work

Perl supports "\w" in regular expressions. Posix expressions (which the libraries from your system the server uses) do not support "\w".

Alan DeKok.
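
Added example (not part of the thread and not FreeRADIUS code): the bracket-expression pattern from the message above, run through the POSIX regcomp()/regexec() interface in C and turned into a separator-free User-Name. The ^ and $ anchors, REG_EXTENDED, and the function names are assumptions of this example. The "faulty" mode is also an assumption: using rm_eo as the copy length instead of rm_eo - rm_so yields exactly the group values listed in the message, which is an inference from those values, not a statement about the server's source.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NGROUPS 6
/* One hex octet, written with POSIX bracket expressions (no Perl-style \w). */
#define HH "([a-fA-F0-9][a-fA-F0-9])"

/* Anchored so that input with leading or trailing junk does not match at all. */
static const char MAC_ERE[] = "^" HH "-" HH "-" HH "-" HH "-" HH "-" HH "$";

/* Match csid against MAC_ERE; fill m[0..NGROUPS]. Returns 0 on match. */
static int match_mac(const char *csid, regmatch_t m[NGROUPS + 1])
{
    regex_t re;
    int rc;

    if (regcomp(&re, MAC_ERE, REG_EXTENDED) != 0)   /* assumption: ERE syntax */
        return -1;
    rc = regexec(&re, csid, NGROUPS + 1, m, 0);
    regfree(&re);
    return rc == 0 ? 0 : -1;
}

/*
 * Return capture group n (1..6) of csid, or NULL if csid is not a MAC.
 * faulty == 0: copy rm_eo - rm_so bytes (correct).
 * faulty != 0: copy rm_eo bytes (hypothetical length bug, see lead-in).
 */
const char *group_for(const char *csid, int n, int faulty)
{
    static char buf[64];
    regmatch_t m[NGROUPS + 1];
    size_t start, len, avail;

    if (n < 1 || n > NGROUPS || match_mac(csid, m) != 0)
        return NULL;
    start = (size_t)m[n].rm_so;
    len = faulty ? (size_t)m[n].rm_eo : (size_t)(m[n].rm_eo - m[n].rm_so);
    avail = strlen(csid) - start;          /* never read past the subject */
    if (len > avail)
        len = avail;
    if (len >= sizeof(buf))
        len = sizeof(buf) - 1;
    memcpy(buf, csid + start, len);
    buf[len] = '\0';
    return buf;
}

/* Return the twelve hex digits of csid without separators, or NULL. */
const char *username_for(const char *csid)
{
    static char out[2 * NGROUPS + 1];
    regmatch_t m[NGROUPS + 1];
    size_t pos = 0;
    int i;

    if (match_mac(csid, m) != 0)
        return NULL;
    for (i = 1; i <= NGROUPS; i++) {
        memcpy(out + pos, csid + m[i].rm_so, 2);   /* each group is 2 chars */
        pos += 2;
    }
    out[pos] = '\0';
    return out;
}

int main(void)
{
    const char *csid = "11-c0-4f-40-47-b4";   /* value quoted in the message */
    const char *u = username_for(csid);
    int i;

    printf("User-Name: %s\n", u ? u : "(no match)");
    for (i = 1; i <= NGROUPS; i++) {
        const char *g = group_for(csid, i, 1);
        printf("faulty %%{%d} = %s\n", i, g ? g : "(no match)");
    }
    return 0;
}
```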
Re: PEAP with client certificates
Khurram Jahangir <[EMAIL PROTECTED]> wrote:
> You mean that EAP-TLS inside of EAP-PEAP is not
> possible at all and is wrong or it is correct and
> freeradius might support this in future.

FreeRADIUS does not support this. It may in the future, if someone supplies a patch.

Alan DeKok.
Re: more info, radtest/NTRadPing users/passwd
Alan DeKok wrote:
> Paul <[EMAIL PROTECTED]> wrote:
> > Well, that seems to indicate that radtest is not sending the password in
> > the form of CHAP. As a result, it looks like the server is trying to
> > use /etc/passwd to validate a user that is actually in raddb/users.
>
> So edit raddb/users to set "Auth-Type := Local", or "Auth-Type := PAP" for that user.

Thanks! "Auth-Type := Local" made it work consistently. "Auth-Type := PAP" didn't work for me at all.

Now to see if everything works with an XP client. The only options in XP are MSCHAPv2 and certs. I guess that's another mini-adventure for me. ^_^
Re: PEAP with client certificates
Hi Again,

Correct me if I misunderstood you. You mean that EAP-TLS inside of EAP-PEAP is not possible at all and is wrong or it is correct and freeradius might support this in future.

Regards
Khurram

--- Alan DeKok <[EMAIL PROTECTED]> wrote:
> Khurram Jahangir <[EMAIL PROTECTED]> wrote:
> > I think the problem lies in the following part of the
> > Radiusd log
> >
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 6
> > rlm_eap: Request found, released from the list
> > rlm_eap: EAP NAK
> > rlm_eap: EAP-NAK asked for EAP-Type/tls
> > rlm_eap: Unable to tunnel TLS inside of TLS
>
> So... you're trying to use EAP-TLS inside of EAP-PEAP. As the error
> message says, you can't do that.
>
> Alan DeKok.
Re: PEAP with client certificates
Khurram Jahangir <[EMAIL PROTECTED]> wrote:
> I think the problem lies in the following part of the
> Radiusd log
>
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 6
> rlm_eap: Request found, released from the list
> rlm_eap: EAP NAK
> rlm_eap: EAP-NAK asked for EAP-Type/tls
> rlm_eap: Unable to tunnel TLS inside of TLS

So... you're trying to use EAP-TLS inside of EAP-PEAP. As the error message says, you can't do that.

Alan DeKok.
Re: Possible bug with redundant code in accounting module
Rick Macdougall <[EMAIL PROTECTED]> wrote:
> In our configuration and testing we came across one small bug in the
> accounting module.
>
> accounting {
>     detail          # always log to detail, stopping if it fails
>     redundant {
>         sql1        # try module sql1
>         sql2        # if that's down, try module sql2
>         handled     # otherwise drop the request as
>                     # it's been "handled" by the "always"
>                     # module (see doc/rlm_always)
>     }
> }
>
> Does not work, it logs to both servers.

Hmm... that's odd. It should only do so if the first returns fail.

> group {
>     sql1 {
>         fail = 1
>         notfound = 2
...
> Does work correctly, only logging to the second server when the first
> server is down or otherwise has an error.

I don't see why, the "accounting" function in rlm_sql *never* returns "notfound".

Alan DeKok.
Re: UDPFROMTO and Proxy Problem
"Raimund Sacherer" <[EMAIL PROTECTED]> wrote:
> There were two problems with proxying, first, i listen to 2 ip
> addresses, if those were on different interfaces (eth0/eth1) it is not
> working, the problem is, the packet is sent to the roamingpartner, but
> the response is not recognized by freeradius (where a local test with
> netcat is recognized), but i can see it clearly with tcpdump.
...

Please submit the patch to bugs.freeradius.org. That way it won't get forgotten.

Alan DeKok.
Re: Newbie question SQL-freeradius testing tools
Dirk Enrique Seiffert - CaribeNet <[EMAIL PROTECTED]> wrote:
> > It's included with the server. www.freeradius.org says so.
> But www.freeradius.org is not the bible:

Huh? www.freeradius.org is the DEFINITIVE place to find FreeRADIUS. We include dialup_admin in our releases. If Suse doesn't, that's their issue.

> At least my distribution (SuSE) includes freeradius, but no dialup
> admin. So why should there be a link?

Ask Suse. www.freeradius.org makes it clear that dialup_admin is included with the server.

> You might want to add some FAQs:
>
> Freeside and SQL:
> 1) Where can I find Dialup Admin?
>
> The server comes with a PHP-based web user administration tool, called
> dialupadmin. You also can download dialupadmin on
> http://sourceforge.net/projects/dialup-admin/

No. dialup_admin is included with the server. That sourceforge page is no longer active.

> 2) Where can I find documentation on HowTo setup MySQL Accounting with
> freeradius?

The server comes with documentation on how to do this.

> If you think these questions are exotic or covered already: Read the Mailing
> List Archives and the FAQ, ... but read it.

I've read it. My conclusion is that for most people, the documentation which comes with the server answers these questions. For others, it doesn't. For a small number of people, no amount of documentation is good enough.

Alan DeKok.
Re: setting User-Name to 'modified' mac address
Jose Guevarra <[EMAIL PROTECTED]> wrote:
> In my hints file i have
>
> DEFAULT Calling-Station-Id =~ "(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)"
>         User-Name := `%{0}`
>
> This should set the User Name to the hex characters in the mac address
> or 'something' at least

Or something... And if you're going to use %{0}, you don't need regular expressions. Just use "%{Calling-Station-Id}"

> However, in debug mode I can see that User-Name is not modified.
>
> In perl i can use the regex below and it seems to work

Perl supports "\w" in regular expressions. Posix expressions (which the libraries from your system the server uses) do not support "\w".

Alan DeKok.
Re: setting User-Name to 'modified' mac address
Hmmm,

I've been trying to use regex to get the 12 hex characters in the Calling-Station-Id but, I must be doing something wrong.

In my hints file I have

DEFAULT Calling-Station-Id =~ "(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)"
        User-Name := `%{0}`

This should set the User Name to the hex characters in the mac address or 'something' at least.

However, in debug mode I can see that User-Name is not modified.

In perl I can use the regex below and it seems to work

PERL
-=-=-=-=-==-==-=-=-=-=-==-=-
my $string = '23-00-ab-fa-ee-23';
if( $string =~ /(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)/ ) {
    print $1,$2,$3,$4,$5,$6;
}
-=-=-=-=-==-==-=-=-=-=-==-=-

What am I doing wrong? How do I fix it?

Thanks,

On Fri, 2004-10-15 at 09:03, Alan DeKok wrote:
> Jose Guevarra <[EMAIL PROTECTED]> wrote:
> > I have freeradius authenticating mac addresses listed in a MySQL
> > database. It works! But, the mac address passed by the client(hp 2650)
> > is in the form 00-00-00-00-00-00. I set the 'user name' to the 'calling
> > station id' in the 'hints' file like so
> >
> > User-Name := "%i"
> >
> > Is it possible to filter out the "-" or ":" or put it into any format I
> > like?
>
> Yes. Use regular expressions. See doc/variables.txt
>
> Alan DeKok.
Re: FW: Installing freeRadius on RH Linux 9.0
Hi,

> I did post the errors. Below is the message I sent on 10/15/2004.

Just wanted to point out that you did post the errors of "make install" (or maybe a second call to make), which was not helpful at all in diagnosing the error. The errors generated by "make" (or even of the first run of it) would have been needed...

> Two extremely
> helpful members of the Linux community contacted me off-list and we compared
> their Linux installations with mine and found I was missing the mysql-devel
> package.

That's a slightly harder way of doing things...

Regards,

Stefan
Re: Radius accounting issue
"Russell Premont" <[EMAIL PROTECTED]> wrote:
> Then I see the following:
>
> rad_recv: Accounting-Request packet from host 192.168.1.14:1027, id=176,
> length=210
> Ignoring request from unknown home server 192.168.1.14:1027

Why do you have the client sending packets to port 1027? The debug log of the server, and /etc/services, shows that accounting packets should be sent to port 1646.

> What do I need to do to get accounting to start working?

What RADIUS client are you using?

Alan DeKok.
Re: more info, radtest/NTRadPing users/passwd
Paul <[EMAIL PROTECTED]> wrote:
> Well, that seems to indicate that radtest is not sending the password in
> the form of CHAP. As a result, it looks like the server is trying to
> use /etc/passwd to validate a user that is actually in raddb/users.

So edit raddb/users to set "Auth-Type := Local", or "Auth-Type := PAP" for that user.

> So, is radtest incapable of sending a proper CHAP password, or am I
> doing something wrong? (This test is successful using NTRadPing.)

radtest is just a shell script wrapper around radclient. radtest can't send a CHAP password, because it takes the password you give it, and puts it into a "User-Password" attribute. Edit the script to see.

radclient can send a CHAP-Password. Just put the clear-text password into the CHAP-Password attribute, and radtest will do the right thing before sending the RADIUS packet.

Alan DeKok.
Radius accounting issue
I cannot get Radius accounting to work. I am running Freeradius 0.9.3 on Solaris 9. Authentication works fine. When I start radius in debug mode I see processing the config file with no errors and listening on the proper ports that I have set in the /etc/services file.

/etc/services excerpt

radius          1645/udp        radius          #radius
radius-acct     1646/udp        radius-acct     #radius accounting
radius-proxy    1649/udp        radius-proxy    #radius proxy

radiusd.conf excerpt

Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on 1647/udp.
Ready to process requests.

Then I see the following:

rad_recv: Accounting-Request packet from host 192.168.1.14:1027, id=176, length=210
Ignoring request from unknown home server 192.168.1.14:1027
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.1.14:1027, id=177, length=241
Ignoring request from unknown home server 192.168.1.14:1027
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.1.14:1027, id=178, length=239
Ignoring request from unknown home server 192.168.1.14:1027
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.1.14:1027, id=179, length=211
Ignoring request from unknown home server 192.168.1.14:1027

What do I need to do to get accounting to start working?
Re: more info, radtest/NTRadPing users/passwd
Alan DeKok wrote:
> Paul <[EMAIL PROTECTED]> wrote:
> > rad_check_password: Found Auth-Type System
> > auth: type "System"
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 2
> > modcall[authenticate]: module "unix" returns notfound for request 2
>
> Ok... what part of that message is not clear?

Thanks for replying.

Well, that seems to indicate that radtest is not sending the password in the form of CHAP. As a result, it looks like the server is trying to use /etc/passwd to validate a user that is actually in raddb/users.

So, is radtest incapable of sending a proper CHAP password, or am I doing something wrong? (This test is successful using NTRadPing.)

Output from radiusd -X using NTRadPing:

rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 14
rlm_chap: login attempt by "kiko" with CHAP password
rlm_chap: Using clear text password testing for user kiko authentication.
rlm_chap: chap user kiko authenticated succesfully

Output from radiusd -X using radtest:

rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
modcall[authenticate]: module "unix" returns notfound for request 15
modcall: group authenticate returns notfound for request 15
auth: Failed to validate the user.
Re: more info, radtest/NTRadPing users/passwd
Paul <[EMAIL PROTECTED]> wrote:
> rad_check_password: Found Auth-Type System
> auth: type "System"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 2
> modcall[authenticate]: module "unix" returns notfound for request 2

Ok... what part of that message is not clear?

Alan DeKok.
Re: radtest/NTRadPing users/passwd
Paul <[EMAIL PROTECTED]> wrote:
> A failed test against a username in raddb/users looks like this:
> radtest -d /usr/local/etc/raddb/ kiko testing 127.0.0.1 10 testing123
...

Why are you looking at the output from radclient when the README, FAQ, "man" pages, and other places say to run the server in debugging mode and to read its output?

Alan DeKok.
Re: Problems configuring on Solaris
Hennie Rautenbach <[EMAIL PROTECTED]> wrote:
> I have "grepped" the errors from the config.log file:
>
> configure:7947: error: dereferencing pointer to incomplete type

Those errors are part of the "configure" process, as it tries to figure out what to do. Since the "configure" process didn't stop with an error, those lines in "config.log" should be ignored.

> There are a number of warnings during configure and a "make"
> also bombs.

So... what warnings are there during configure? What goes wrong during the "make" process?

Alan DeKok.
Re: Restricting VPN User
"Mahesh S Kudva" <[EMAIL PROTECTED]> wrote:
> I have a VPN Server which redirects all the authentication to
> freeRADIUS1.0.1. My question is how do I restrict the VPN User to a
> particular host in the network
...

For what?

> depriving him of all the resources and hosts in the network. In
> short I want to restrict the VPN user to One and Only One Network
> Server.?

I'm not sure what you mean by a "network server". I think if you give the user a private IP, and then tell your VPN not to route that IP, that might work...

Alan DeKok.
Re: EAP TLS login fails after creation of new certs
"Beekmann (EXT), Lars" <[EMAIL PROTECTED]> wrote:
> Now I tried to write a script for creating the Certs myself - without
> obvious problems.
>
> But after I installed the Certs on the Radius Server and the Windows XP
> Client, the Client doesn't Login anymore.

Run the server in debugging mode to see what's going wrong, and why.

> Can anyone tell me what I've done wrong with the Certs?!

Why are you writing your own script? Just edit the CA.certs file to have your own information, and then use the script to create new certificates.

Alan DeKok.
RE: [ Tagged - SPAM ? ] Restricting VPN User
The group policy on my VPN server dictates the accessible networks. I have several setups that only allow one specific IP address with a 255.255.255.255 subnet.

Brent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mahesh S Kudva
Sent: Monday, October 18, 2004 2:14 AM
To: [EMAIL PROTECTED]
Subject: [ Tagged - SPAM ? ] Restricting VPN User
Importance: Low

Hi All

I have a VPN Server which redirects all the authentication to freeRADIUS1.0.1. My question is how do I restrict the VPN User to a particular host in the network depriving him of all the resources and hosts in the network. In short I want to restrict the VPN user to One and Only One Network Server.?

Thanks in advance..

Regards & Thanks

Mahesh S Kudva
Robosoft Technologies
System Administration Department
Phone: 0820-2535458 Extn: 205, 244
http://www.robosoftin.com
Re: Restricting VPN User
Dear All

The setup is straight. I just want to restrict one server of my internal network to the VPN user. Web port in the application port, but I need the users to be able to access the entire server.

Regards & Thanks

Mahesh S Kudva

-----Original Message-----

cheers,

Can u plz give more details about u r setup reason u want to restrict one server but can u tell me what ports wise so i will get more idea give most of thing specific. like Vpn user is connected and user may be used intranet / File server so please specify what u want to do exact.

why i m asking reason u can use some radius attribute to used for u can block ports..

On Mon, 18 Oct 2004 12:44:10 +0530, Mahesh S Kudva <[EMAIL PROTECTED]> wrote:
> Hi All
>
> I have a VPN Server which redirects all the authentication to
> freeRADIUS1.0.1. My question is how do I restrict the VPN User to a
> particular host in the network depriving him of all the resources and
> hosts in the network. In short I want to restrict the VPN user to One and
> Only One Network Server.?
>
> Thanks in advance..
>
> Regards & Thanks
>
> Mahesh S Kudva
> Robosoft Technologies
> System Administration Department
> Phone: 0820-2535458 Extn: 205, 244
> http://www.robosoftin.com

--
Regards
Vipul Ramani
radiusd seg faulting
Hello,

Somehow I have been able to get radiusd to seg fault. I am not sure exactly what to provide - so if there is something someone needs to further diagnose, let me know.

Details of the issue:

If I authenticate 1 time, access-accept. Same for time #2. Third time is not so good - it seg-faults the daemon. I am not sure if this is an issue with requesting kerb tickets too quickly or not. When I looked at the strace output there was no indication of this being the problem as it failed at the opening/writing to a log file.

I have an strace file which details out the issue to a point. Compressed it is ~60k but it de-compresses to ~13meg. For the sake of not sending this to people who do not want it, I will only provide it to those who ask ( and not send it to the list of course ... )

Here are the Details of my configuration:
( the following are just the things I have messed with which apply to the configuration ... If the full configs are desired, let me know )

authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. # Auth-Type PAP { # pap # } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. # Auth-Type CHAP { # chap # } # # MSCHAP authentication. # Auth-Type MS-CHAP { # mschap # } # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line. # digest # # Pluggable Authentication Modules. # # un-comment to re-enable # - bilsch #pam # # krb5 / kerberos # krb5 # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # #unix # Uncomment it if you want to use ldap for authentication # Auth-Type LDAP { # ldap # } # # Allow EAP authentication. # eap }

( more modules are configured - they should have no bearing as best I can tell )

modules {
    krb5 {
        service_principal = SITE.NET
    }
}

( changed my ip's and realm for security )

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 default = SYSLOG
 kdc = FILE:/var/log/krb5kdc.log
 kdc = SYSLOG
 admin_server = FILE:/var/log/kadmind.log
 admin_server = SYSLOG

[libdefaults]
 ticket_lifetime = 24000
 default_realm = SITE.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 SITE.NET = {
  kdc = 1.2.3.20:88
  admin_server = 1.2.3.20
 }

[domain_realm]
 .telsource.net = SITE.NET
 telsource.net = SITE.NET

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = true
  ticket_lifetime = 86500
  #renew_lifetime = 36000
  renew_lifetime = 86500
  forwardable = true
  krb4_convert = false
  addressless = true
 }
RE: Installing freeRadius on RH Linux 9.0
Yes, and you received a response telling you that mysql_devel was missing: You need to get your lies straightened out.

Gene .. I had the same type errors until I made sure the mysql_devel RPM was installed .. Even then my make process completed with messages such as

sql_mysql.o
sql_mysql.c:39:20: errmsg.h: No such file or directory
sql_mysql.c:40:19: mysql.h: No such file or directory
sql_mysql.c:47: parse error before "MYSQL"
sql_mysql.c:47: warning: no semicolon at end of struct or union
sql_mysql.c:48: warning: type defaults to `int' in declaration of sock'
sql_mysql.c:48: warning: data definition has no type or storage class
sql_mysql.c:49: parse error before '*' token
sql_mysql.c:49: warning: type defaults to `int' in declaration of result'
sql_mysql.c:49: warning: data definition has no type or storage class
sql_mysql.c:51: parse error before '}' token
sql_mysql.c:51: warning: type defaults to `int' in declaration of `rlm_sql_mysql_sock'
sql_mysql.c:51: warning: data definition has no type or storage class
sql_mysql.c: In function `sql_init_socket':

My testing looks to be working but I am just not getting the other .conf files tailored.

Brent Berry

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, October 15, 2004 3:04 PM
To: [EMAIL PROTECTED]
Subject: Re: Installing freeRadius on RH Linux 9.0

"Gene Rouse" <[EMAIL PROTECTED]> wrote:
> Below I have included the error messages. I get.
>
> gmake[11]: Entering directory
> `/root/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
> [ "xrlm_sql_mysql" = "x" ] || /root/freeradius-1.0.1/libtool --mode=install
> /root/freeradius-1.0.1/install-sh -c -c rlm_sql_mysql.la
> /usr/local/lib/rlm_sql_mysql.la
> libtool: install: `rlm_sql_mysql.la' is not a valid libtool archive

Did the "make" process succeed?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gene Rouse
Sent: Monday, October 18, 2004 12:58 AM
To: [EMAIL PROTECTED]
Subject: FW: Installing freeRadius on RH Linux 9.0

I did post the errors. Below is the message I sent on 10/15/2004.

It's a non-issue now, because I found out what the problem was. Two extremely helpful members of the Linux community contacted me off-list and we compared their Linux installations with mine and found I was missing the mysql-devel package. Once installed it went great. I now have not one but two functional freeRADIUS boxes.

Just so everyone knows, I am a MS MCSE and this is a major departure from what I've spent the last 20 years using. I'm not just running Linux on the server side. It's on every box in our office. I'm not saying I'm abandoning Windows. This particular solution called for something a little more secure, less prone to virus attacks and a heck of a lot cheaper. My total software cost for this WISP is $3000.00 which is for the billing software and its options. Considering I'm used to a point and click world, I don't think I'm doing too bad.

Thanks Paul and Bruce,
Gene

> -Original Message-
> From: Gene Rouse [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 15, 2004 3:32 PM
> To: '[EMAIL PROTECTED]'
> Subject: Installing freeRadius on RH Linux 9.0
>
> Below I have included the error messages. I get.
>
> gmake[11]: Entering directory `/root/freeradius-
> 1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
> [ "xrlm_sql_mysql" = "x" ] || /root/freeradius-1.0.1/libtool --
> mode=install /root/freeradius-1.0.1/install-sh -c -c rlm_sql_mysql.la
> /usr/local/lib/rlm_sql_mysql.la
> libtool: install: `rlm_sql_mysql.la' is not a valid libtool archive
> Try `libtool --help --mode=install' for more information.
> gmake[11]: *** [install] Error 1
> gmake[11]: Leaving directory `/root/freeradius-
> 1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
> gmake[10]: *** [common] Error 1
> gmake[10]: Leaving directory `/root/freeradius-
> 1.0.1/src/modules/rlm_sql/driv
more info, radtest/NTRadPing users/passwd
Running "radiusd -X" produces the following during a failed radtest test:

rad_recv: Access-Request packet from host 127.0.0.1:32782, id=58, length=55
    User-Name = "mao"
    User-Password = "testing"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 10
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "mao", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 2
users: Matched DEFAULT at 152
users: Matched mao at 216
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns ok for request 2
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
modcall[authenticate]: module "unix" returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 58 to 127.0.0.1:32782
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 58 with timestamp 4173c4cc
Nothing to do. Sleeping until we see a request.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radtest/NTRadPing users/passwd
Please help me make sense of inconsistent results.

Using either radtest (local) or NTRadPing (remote) the tests are successful if I login as a user in /etc/passwd. In NTRadPing I must make sure CHAP is *not* selected.

Using NTRadPing with CHAP selected I can login as a user in raddb/users. If I use radtest for the same test, the test fails.

I'm guessing that this is a PAP vs. CHAP issue, but I'm not sure, and I'm not sure what to do about the problem.

I added these entries to the bottom of the raddb/users file:

mao     User-Password == "testing"
kiko    Auth-Type = Local, Password = "testing"

The only other change from defaults is this entry in raddb/clients.conf:

client 192.168.0.1 {
    secret = testing123
    shortname = kiko
}

A failed test against a username in raddb/users looks like this:

radtest -d /usr/local/etc/raddb/ kiko testing 127.0.0.1 10 testing123
Sending Access-Request of id 181 to 127.0.0.1:1812
    User-Name = "kiko"
    User-Password = "testing"
    NAS-IP-Address = cooler
    NAS-Port = 10
Re-sending Access-Request of id 181 to 127.0.0.1:1812
    User-Name = "kiko"
    User-Password = "\026\262\336\000\274\353#k|W\034a\272\270$\r"
    NAS-IP-Address = cooler
    NAS-Port = 10
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=181, length=20

A successful test against a user in /etc/passwd looks like this:

radtest -d /usr/local/etc/raddb/ paul changed 127.0.0.1 10 testing123
Sending Access-Request of id 193 to 127.0.0.1:1812
    User-Name = "paul"
    User-Password = "changed"
    NAS-IP-Address = cooler
    NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=193, length=20

Any feedback would be appreciated, even if you only direct me to the relevant reading material. ^_^

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
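Background for the PAP-versus-CHAP question in the post above, as an added example that is not part of the original message and is not FreeRADIUS code: it implements the User-Password hiding of RFC 2865 section 5.2 and the CHAP-Password of section 5.3, and shows which kind of password store each one can be checked against. The secret and password are the test values from the post; the authenticator, challenge, CHAP ID, salt and the SHA-256 stand-in for a crypt(3) entry are constructed assumptions.

```python
"""PAP vs CHAP in RADIUS (RFC 2865 sections 5.2 and 5.3). Added illustration."""
import hashlib
import hmac


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: hide User-Password with the shared secret (RFC 2865 5.2)."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-octet authenticator and a 1..128 octet password")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same XOR chain gives the cleartext back."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: CHAP ID octet + MD5(ID + password + challenge) (RFC 2865 5.3)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def chap_check(attr: bytes, challenge: bytes, candidate: bytes) -> bool:
    """Server side: recompute the response from a password it already holds."""
    return hmac.compare_digest(attr, chap_password(attr[0], candidate, challenge))


def hashed_store_check(cleartext: bytes, salt: bytes, stored: bytes) -> bool:
    """Stand-in for a system password entry: only a one-way hash is stored."""
    return hmac.compare_digest(hashlib.sha256(salt + cleartext).digest(), stored)


# Values from the post (secret, password) and constructed protocol fields.
SECRET = b"testing123"
PASSWORD = b"testing"
AUTHENTICATOR = bytes(range(16))       # constructed Request Authenticator
CHALLENGE = bytes(range(16, 32))       # constructed CHAP challenge
SALT = b"constructed-salt"


def demo() -> dict:
    stored_hash = hashlib.sha256(SALT + PASSWORD).digest()
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    recovered = pap_recover(hidden, SECRET, AUTHENTICATOR)
    attr = chap_password(7, PASSWORD, CHALLENGE)
    return {
        # PAP: matching secrets return the cleartext, a mismatch returns garbage.
        "pap_same_secret": recovered == PASSWORD,
        "pap_wrong_secret": pap_recover(hidden, b"other-secret", AUTHENTICATOR) == PASSWORD,
        # PAP cleartext can be re-hashed and compared with a hash-only store.
        "pap_hashed_store": hashed_store_check(recovered, SALT, stored_hash),
        # CHAP verifies only when the server already holds the cleartext.
        "chap_cleartext_store": chap_check(attr, CHALLENGE, PASSWORD),
        "chap_hashed_store": chap_check(attr, CHALLENGE, stored_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```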
PEAP
Hi,

I tried to get freeradius to work with PEAP. I got LEAP working but I want to use PEAP because it is more secure. It seems I have some problems with the certs. I tried it with the demo certs included in the tar.gz and also with the certs made with the cert.sh in the scripts dir. I installed the cacert.pem on the client PC (it is w2k sp4 with a cisco Aironet card). The access point is a Cisco 1231.

I attached a text file with the debugging information.

Mon Oct 18 16:19:39 2004 : Info: Starting - reading configuration files ...
Mon Oct 18 16:19:39 2004 : Debug: reread_config: reading radiusd.conf
Mon Oct 18 16:19:39 2004 : Debug: Config: including file: /usr/local/etc/raddb/clients.conf
Mon Oct 18 16:19:39 2004 : Debug: Config: including file: /usr/local/etc/raddb/snmp.conf
Mon Oct 18 16:19:39 2004 : Debug: Config: including file: /usr/local/etc/raddb/eap.conf
Mon Oct 18 16:19:39 2004 : Debug: main: prefix = "/usr"
Mon Oct 18 16:19:39 2004 : Debug: main: localstatedir = "/var"
Mon Oct 18 16:19:39 2004 : Debug: main: logdir = "/var/log/radius"
Mon Oct 18 16:19:39 2004 : Debug: main: libdir = "/usr/lib"
Mon Oct 18 16:19:39 2004 : Debug: main: radacctdir = "/var/log/radius/radacct"
Mon Oct 18 16:19:39 2004 : Debug: main: hostname_lookups = no
Mon Oct 18 16:19:39 2004 : Debug: main: max_request_time = 30
Mon Oct 18 16:19:39 2004 : Debug: main: cleanup_delay = 5
Mon Oct 18 16:19:39 2004 : Debug: main: max_requests = 1024
Mon Oct 18 16:19:39 2004 : Debug: main: delete_blocked_requests = 0
Mon Oct 18 16:19:39 2004 : Debug: main: port = 0
Mon Oct 18 16:19:39 2004 : Debug: main: allow_core_dumps = no
Mon Oct 18 16:19:39 2004 : Debug: main: log_stripped_names = no
Mon Oct 18 16:19:39 2004 : Debug: main: log_file = "/var/log/radius/radius.log"
Mon Oct 18 16:19:39 2004 : Debug: main: log_destination = "files"
Mon Oct 18 16:19:39 2004 : Debug: main: log_auth = no
Mon Oct 18 16:19:39 2004 : Debug: main: log_auth_badpass = no
Mon Oct 18 16:19:39 2004 : Debug: main: log_auth_goodpass = no
Mon Oct 18 16:19:39 2004 : Debug: main: pidfile = "/var/run/radiusd/radiusd.pid"
Mon Oct 18 16:19:39 2004 : Debug: main: user = "radiusd"
Mon Oct 18 16:19:39 2004 : Debug: main: group = "radiusd"
Mon Oct 18 16:19:39 2004 : Debug: main: usercollide = no
Mon Oct 18 16:19:39 2004 : Debug: main: lower_user = "no"
Mon Oct 18 16:19:39 2004 : Debug: main: lower_pass = "no"
Mon Oct 18 16:19:39 2004 : Debug: main: nospace_user = "no"
Mon Oct 18 16:19:39 2004 : Debug: main: nospace_pass = "no"
Mon Oct 18 16:19:39 2004 : Debug: main: checkrad = "/usr/sbin/checkrad"
Mon Oct 18 16:19:39 2004 : Debug: main: debug_level = 0
Mon Oct 18 16:19:39 2004 : Debug: main: proxy_requests = no
Mon Oct 18 16:19:39 2004 : Debug: security: max_attributes = 200
Mon Oct 18 16:19:39 2004 : Debug: security: reject_delay = 1
Mon Oct 18 16:19:39 2004 : Debug: security: status_server = no
Mon Oct 18 16:19:39 2004 : Debug: read_config_files: reading dictionary
Mon Oct 18 16:19:39 2004 : Debug: read_config_files: reading naslist
Mon Oct 18 16:19:39 2004 : Info: Using deprecated naslist file. Support for this will go away soon.
Mon Oct 18 16:19:39 2004 : Debug: read_config_files: reading clients
Mon Oct 18 16:19:39 2004 : Debug: read_config_files: reading realms
Mon Oct 18 16:19:39 2004 : Debug: radiusd: entering modules setup
Mon Oct 18 16:19:39 2004 : Debug: Module: Library search path is /usr/lib
Mon Oct 18 16:19:39 2004 : Debug: Module: Loaded exec
Mon Oct 18 16:19:39 2004 : Debug: exec: wait = yes
Mon Oct 18 16:19:39 2004 : Debug: exec: program = "(null)"
Mon Oct 18 16:19:39 2004 : Debug: exec: input_pairs = "request"
Mon Oct 18 16:19:39 2004 : Debug: exec: output_pairs = "(null)"
Mon Oct 18 16:19:39 2004 : Debug: exec: packet_type = "(null)"
Mon Oct 18 16:19:39 2004 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Mon Oct 18 16:19:39 2004 : Debug: Module: Instantiated exec (exec)
Mon Oct 18 16:19:39 2004 : Debug: Module: Loaded expr
Mon Oct 18 16:19:39 2004 : Debug: Module: Instantiated expr (expr)
Mon Oct 18 16:19:39 2004 : Debug: Module: Loaded PAP
Mon Oct 18 16:19:39 2004 : Debug: pap: encryption_scheme = "crypt"
Mon Oct 18 16:19:39 2004 : Debug: Module: Instantiated pap (pap)
Mon Oct 18 16:19:39 2004 : Debug: Module: Loaded CHAP
Mon Oct 18 16:19:39 2004 : Debug: Module: Instantiated chap (chap)
Mon Oct 18 16:19:39 2004 : Debug: Module: Loaded MS-CHAP
Mon Oct 18 16:19:39 2004 : Debug: mschap: use_mppe = yes
Mon Oct 18 16:19:39 2004 : Debug: mschap: require_encryption = no
Mon Oct 1
Re: user lost connectivity
Kyriaki, your help will be greatly appreciated!

Edgars

Kyriaki Gali wrote:

yes i think it will work. see sql.conf if you can do something like that. i don't think to have any problem if i'll try it i'll tell you.

Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel & Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]

- Original Message -
From: "Edgars" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 18, 2004 11:32 AM
Subject: Re: user lost connectivity

i know that my nas is sending Lost_Carrier as Acct-Terminate-Cause value. So in some way i should put that stoptime in the radacct table manually when this happens. Maybe some trigger on accounting_update_query?

Edgars

Kyriaki Gali wrote:

yes i know it is a problem and i don't know if we can do something else. I have the same problem also so if you find anything please let me know.

regards,

Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel & Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]

- Original Message -
From: "Edgars" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 15, 2004 1:39 PM
Subject: [Fwd: Re: user lost connectivity]

i already have such a field in radacct and it's staying to NULL value if this happens.

Edgars

Kyriaki Gali wrote:

This is a problem i don't know if there is a way to fix this but I suggest in radacct table to insert a field to get the disconnect cause, so if you haven't AcctStopTime you will know why. Or check for how long your cdr is without an AcctStopTime.

Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel & Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]

- Original Message -
From: "Edgars" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 15, 2004 1:15 PM
Subject: user lost connectivity

Hello,

is there anyway how to write acctstoptime when the user is losing connectivity with his NAS? After this happens the user is prompted to login again but the previous acctstoptime stays blank.

Edgars

--
Edgars

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problems configuring on Solaris
Hi there folks,

I am trying to build freeradius-1.0.1 on a Sun running Solaris 9 using gcc-3.3.2 ! There are a number of warnings during configure and a "make" also bombs. I have "grepped" the errors from the config.log file:

configure:7947: error: dereferencing pointer to incomplete type
configure:8545: error: too many arguments to function `gethostbyaddr_r'
configure:8639: error: too many arguments to function `gethostbyname_r'
configure:8731: error: too many arguments to function `ctime_r'

I'd be happy to post more detail, or the entire log if need be. Any suggestions on how to get past the above errors ?

Kind regards,
Hennie Rautenbach
Who can help me with a slight re-write of user_edit.php3 ?
Hi everyone! For the setup we have here I am in need of a slight re-write of user_edit.php3, but unfortunately I don't possess adequate knowledge of PHP yet to do so... :-/ The page now shows in a drop-down the group(s) a user is a member of. What we need here is a drop-down that shows all groups, with the group(s) high-lighted of which the user is a member. This makes it a lot easier for the admin to change membership group(s) of a user. Who has enough knowledge of PHP to assist me with this? Actually I think there will be more people interested in a script like this one, so if you can assist with this, you'll probably make many people happy! ;-) Regards, Evert Meulie - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: user lost connectivity
yes i think it will work. see sql.conf if you can do something like that. i don't think to have any problem if i'll try it i'll tell you.

Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel & Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]

- Original Message -
From: "Edgars" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 18, 2004 11:32 AM
Subject: Re: user lost connectivity

> i know that my nas is sending Lost_Carrier as Acct-Terminate-Cause
> value. So in some way i should put that stoptime in the radacct table
> manually when this happens. Maybe some trigger on accounting_update_query?
>
> Edgars
>
> Kyriaki Gali wrote:
>
> >yes i know it is a problem and i don't know if we can do something else. I
> >have the same problem also
> >so if you find anything please let me know.
> >
> >regards,
> >
> >Kyriaki Gali,
> >IT Applications Specialist
> >Kinetix Tele.com Support Center,
> >Tel & Fax: +30 2310 256140
> >GSM: +30 6947 723737
> >http://www.kinetix.gr
> >e-mail: [EMAIL PROTECTED]
> >- Original Message -
> >From: "Edgars" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Friday, October 15, 2004 1:39 PM
> >Subject: [Fwd: Re: user lost connectivity]
> >
> >>i already have such a field in radacct and it's staying to NULL value if
> >>this happens.
> >>
> >>Edgars
> >>
> >>Kyriaki Gali wrote:
> >>
> >>>This is a problem i don't know if there is a way to fix this but
> >>>I suggest in radacct table to insert a field to get the disconnect cause, so
> >>>if you haven't AcctStopTime you will know why. Or check for how long your
> >>>cdr is without an AcctStopTime.
> >>>
> >>>Kyriaki Gali,
> >>>IT Applications Specialist
> >>>Kinetix Tele.com Support Center,
> >>>Tel & Fax: +30 2310 256140
> >>>GSM: +30 6947 723737
> >>>http://www.kinetix.gr
> >>>e-mail: [EMAIL PROTECTED]
> >>>- Original Message -
> >>>From: "Edgars" <[EMAIL PROTECTED]>
> >>>To: <[EMAIL PROTECTED]>
> >>>Sent: Friday, October 15, 2004 1:15 PM
> >>>Subject: user lost connectivity
> >>>
> >>>>Hello,
> >>>>
> >>>>is there anyway how to write acctstoptime when the user is losing
> >>>>connectivity with his NAS? After this happens the user is prompted to
> >>>>login again but the previous acctstoptime stays blank.
> >>>>
> >>>>Edgars
> >>
> >>--
> >>Edgars

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Restricting VPN User
cheers,

Can u plz give more details about u r setup reason u want to restrict one server but can u tell me what ports wise so i will get more idea give most of thing specific. like Vpn user is connected and user may be used intranet / File server so please specify what u want to do exactly.

why i m asking reason u can use some radius attribute to used for u can block ports..

On Mon, 18 Oct 2004 12:44:10 +0530, Mahesh S Kudva <[EMAIL PROTECTED]> wrote:
> Hi All
>
> I have a VPN Server which redirects all the authentication to
> freeRADIUS1.0.1. My question is how do I restrict the VPN User to a
> particular host in the network depriving him of all the resources and
> hosts in the network. In short I want to restrict the VPN user to One and
> Only One Network Server.?
>
> Thanks in advance..
>
> Regards & Thanks
>
> Mahesh S Kudva
> Robosoft Technologies
> System Administration Department
> Phone: 0820-2535458 Extn: 205, 244
> http://www.robosoftin.com
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Regards
Vipul Ramani
[EMAIL PROTECTED]
[EMAIL PROTECTED]
~We Know HoW NeTWoRkS ~~~

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with PEAP auth using xp clients
>> So you're still getting the core dump. Let me guess... you have two versions of OpenSSL installed, and you built the server without using "--disable-shared".
>> Fix one of those two problems, and it will work.
>> Alan DeKok.

I am still getting the same dump, I have used --disable-shared while building the radius server. Please find below the gdb output, would appreciate your comments:

auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076225856 (LWP 17733)]
0x401420d7 in BIO_read () from /lib/libcrypto.so.0.9.7
(gdb) bt
#0 0x401420d7 in BIO_read () from /lib/libcrypto.so.0.9.7
#1 0x40290ffe in tls_handshake_send (ssn=0x40290798) at tls.c:230
#2 0x40295852 in eappeap_authenticate (arg=0x8194920, handler=0x819e4f8) at rlm_eap_peap.c:192
#3 0x4027b46d in eaptype_call (atype=0x8174b70, handler=0x819e4f8) at eap.c:170
#4 0x4027b5ce in eaptype_select (inst=0x81571b0, handler=0x819e4f8) at eap.c:353
#5 0x4027ab80 in eap_authenticate (instance=0x81571b0, request=0x81c1d80) at rlm_eap.c:289
#6 0x0805423c in call_modsingle (component=0, sp=0x8156730, request=0x81c1d80, default_result=0) at modcall.c:226
#7 0x080543a2 in modcall (component=0, c=0x8156730, request=0x81c1d80) at modcall.c:353
#8 0x0805432d in call_modgroup (component=0, g=0x57e58955, request=0x81c1d80, default_result=0) at modcall.c:261
#9 0x08054419 in modcall (component=0, c=0x8197120, request=0x81c1d80) at modcall.c:344
#10 0x08053f17 in module_authenticate (auth_type=6, request=0x81c1d80) at modules.c:907
#11 0x0805129c in rad_check_password (request=0x81c1d80) at auth.c:324
#12 0x080516af in rad_authenticate (request=0x81c1d80) at auth.c:586
#13 0x0804d17d in rad_respond (request=0x81c1d80, fun=0x80515c8 ) at radiusd.c:1555
---Type <return> to continue, or q <return> to quit---
#14 0x0804cd85 in main (argc=2, argv=0x81c1d80) at radiusd.c:1327
#15 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: user lost connectivity
i know that my nas is sending Lost_Carrier as Acct-Terminate-Cause value. So in some way i should put that stoptime in the radacct table manually when this happens. Maybe some trigger on accounting_update_query?

Edgars

Kyriaki Gali wrote:

yes i know it is a problem and i don't know if we can do something else. I have the same problem also so if you find anything please let me know.

regards,

Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel & Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]

- Original Message -
From: "Edgars" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 15, 2004 1:39 PM
Subject: [Fwd: Re: user lost connectivity]

i already have such a field in radacct and it's staying to NULL value if this happens.

Edgars

Kyriaki Gali wrote:

This is a problem i don't know if there is a way to fix this but I suggest in radacct table to insert a field to get the disconnect cause, so if you haven't AcctStopTime you will know why. Or check for how long your cdr is without an AcctStopTime.

Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel & Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]

- Original Message -
From: "Edgars" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 15, 2004 1:15 PM
Subject: user lost connectivity

Hello,

is there anyway how to write acctstoptime when the user is losing connectivity with his NAS? After this happens the user is prompted to login again but the previous acctstoptime stays blank.

Edgars

--
Edgars

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
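One way to act on the suggestion in this thread to check how long a record has been without an AcctStopTime, as an added example that is not from the thread and is not FreeRADIUS code: it reports open radacct rows that are either superseded by a later login of the same user on the same NAS or open longer than a limit, and closes only the superseded ones. Assumptions: SQLite stands in for the real database, column names follow the stock radacct schema, the rows and the 24-hour limit are constructed, and "Stale-Session" is a hypothetical marker value.

```python
"""Find and close radacct sessions that never received a Stop record."""
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

SCHEMA = """
CREATE TABLE radacct (
    RadAcctId          INTEGER PRIMARY KEY,
    UserName           TEXT NOT NULL,
    NASIPAddress       TEXT NOT NULL,
    AcctStartTime      TEXT NOT NULL,
    AcctStopTime       TEXT,      -- stays NULL when no Stop record arrives
    AcctTerminateCause TEXT
)"""

# Constructed sample rows (documentation address range, made-up users).
ROWS = [
    (1, "alice", "192.0.2.10", "2004-10-15 09:00:00", None, None),
    (2, "alice", "192.0.2.10", "2004-10-15 13:10:00", "2004-10-15 14:00:00", "User-Request"),
    (3, "bob", "192.0.2.10", "2004-10-16 08:00:00", None, None),
    (4, "carol", "192.0.2.10", "2004-10-18 11:30:00", None, None),
]

# Every open session, plus the start of the same user's next session on that NAS.
OPEN_SESSIONS = """
SELECT a.RadAcctId, a.UserName, a.AcctStartTime,
       (SELECT MIN(b.AcctStartTime) FROM radacct b
         WHERE b.UserName = a.UserName
           AND b.NASIPAddress = a.NASIPAddress
           AND b.AcctStartTime > a.AcctStartTime) AS NextStart
  FROM radacct a
 WHERE a.AcctStopTime IS NULL
 ORDER BY a.RadAcctId"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def find_stale(conn, now, max_open=timedelta(hours=24)):
    """Return (id, user, reason, next_start) for sessions that look abandoned."""
    stale = []
    for rid, user, start, next_start in conn.execute(OPEN_SESSIONS):
        if next_start is not None:
            # The user logged in again, so the old session must have ended.
            stale.append((rid, user, "superseded", next_start))
        elif now - datetime.strptime(start, FMT) > max_open:
            # No later login: only report it, the user may still be online.
            stale.append((rid, user, "overdue", None))
    return stale


def close_superseded(conn, stale) -> int:
    """Close superseded sessions; the next login time is an upper bound."""
    closed = 0
    for rid, _user, reason, next_start in stale:
        if reason != "superseded":
            continue
        cur = conn.execute(
            "UPDATE radacct SET AcctStopTime = ?, AcctTerminateCause = ? "
            "WHERE RadAcctId = ? AND AcctStopTime IS NULL",
            (next_start, "Stale-Session", rid),
        )
        closed += cur.rowcount
    conn.commit()
    return closed


if __name__ == "__main__":
    db = make_db()
    report = find_stale(db, datetime(2004, 10, 18, 12, 0, 0))
    print(report)
    print("closed:", close_superseded(db, report))
```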
Restricting VPN User
Hi All I have a VPN Server which redirects all the authentication to freeRADIUS1.0.1. My question is how do I restrict the VPN User to a particular host in the network depriving him of all the resources and hosts in the network. In short I want to restrict the VPN user to One and Only One Network Server.? Thanks in advance.. Regards & Thanks Mahesh S Kudva Robosoft Technologies System Administration Department Phone: 0820-2535458 Extn: 205, 244 http://www.robosoftin.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html