Realmbased Relaying
Hello again, I have a question about relaying accounting data. We have a customer who wants to have all accounting data related to his realm. Is there a way to relay the accounting data of his realm to his RADIUS server? I thought about creating a separate detail logfile and then setting up a separate radrelay which works on that file and relays the data to him. Are there other kinds of solution for this scenario? If not, how can I create a separate logfile with only his realm-related data in it? Thanks for any hints! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
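The per-realm detail file the poster asks about, as an added example that is not part of the original post or of FreeRADIUS itself: it splits a "detail" accounting file into records, keeps only those whose User-Name falls in one realm, and renders them back in detail syntax so a separate radrelay can consume the result. It assumes the detail layout of a timestamp line, tab-indented "Attribute = value" lines and a blank line between records; the sample file, user names and session ids are constructed. It goes a little beyond the post by also recognising the DOMAIN\user form of a realm.

```python
# Added example (not from the original post): split a FreeRADIUS "detail"
# accounting file into records and keep only those whose User-Name belongs
# to one realm, so they can be written to a per-customer file for radrelay.
# Assumptions: the detail format of one timestamp line, tab-indented
# "Attribute = value" lines, and a blank line between records; the sample
# below is constructed for this example.
import re
from typing import Dict, List

SAMPLE_DETAIL = """\
Wed Nov 17 14:31:49 2004
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001A"
\tUser-Name = "alice@customer.example"
\tNAS-IP-Address = 192.0.2.10
\tTimestamp = 1100700709

Wed Nov 17 14:32:02 2004
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001B"
\tUser-Name = "bob@other.example"
\tNAS-IP-Address = 192.0.2.10
\tTimestamp = 1100700722

Wed Nov 17 14:40:11 2004
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000001A"
\tUser-Name = "alice@customer.example"
\tAcct-Session-Time = 502
\tTimestamp = 1100701211
"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')

def parse_detail(text: str) -> List[Dict[str, str]]:
    """Return one dict per record; values are kept verbatim (quotes included)."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes a record
            if current:
                records.append(current)
            current = None
            continue
        m = ATTR_RE.match(line)
        if m is None:                        # unindented line: the record's timestamp
            current = {'_timestamp': line.strip()}
            continue
        if current is None:                  # tolerate a record with no timestamp line
            current = {'_timestamp': ''}
        current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records

def realm_of(user_name: str) -> str:
    """Realm of user@realm or DOMAIN\\user; '' when the name carries none."""
    name = user_name.strip('"')
    if '@' in name:
        return name.rsplit('@', 1)[1].lower()
    if '\\' in name:
        return name.split('\\', 1)[0].lower()
    return ''

def records_for_realm(text: str, realm: str) -> List[Dict[str, str]]:
    """Only the records whose User-Name is in `realm` (case-insensitive)."""
    want = realm.lower()
    return [r for r in parse_detail(text) if realm_of(r.get('User-Name', '')) == want]

def format_record(rec: Dict[str, str]) -> str:
    """Render a record back in detail syntax, ready to append to the relay file."""
    lines = [rec['_timestamp']] + [f'\t{k} = {v}' for k, v in rec.items() if k != '_timestamp']
    return '\n'.join(lines) + '\n\n'

def relay_file_for_realm(text: str, realm: str) -> str:
    """Content of a per-realm detail file that a separate radrelay can consume."""
    return ''.join(format_record(r) for r in records_for_realm(text, realm))

if __name__ == '__main__':
    print(relay_file_for_realm(SAMPLE_DETAIL, 'customer.example'), end='')
```

Records are rendered back unchanged (values keep their quoting), so the per-realm file stays a valid detail file; the only record the customer never sees is one whose User-Name carries no realm at all.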
help groups and LDAP
Hello all, I've spent quite a long time trying to understand how freeradius works and trying to get everything I want working. I have been using OpenLDAP since 2001 and I've no problem understanding LDAP, as I wrote many programs around LDAP. In fact I don't understand how groups are working under radius. My aim: I would like to distribute different IP pools to users. The best for me: in the users' DN, we already have an attribute for a laboratory, i.e. u2labo. I would like to say: 1. authenticate the user in ldap (works ok) 2. get the attribute u2labo 3. use that value to get the IP range (somewhere, even outside ldap (users)) to distribute the IP. I've tried many configurations without success. The debugging of ldap shows me just bind successful without a search for groups. I tried to add the radiusprofile objectClass without success. So what is the meaning of groups in radius? Can we say: user fred attributes XXX member of group test group test the rest of attributes. Could you give me the minimum to set in conf files to get it working? Thanks Dom -- Dominique LALOT Ingénieur Système Réseau CISCAM Pole Réseau Université de la Méditerranée http://annuaire.univ-mrs.fr/showuser.php?uid=lalot
problem with freeradius - ldap - peap
I have a problem I can't seem to figure out, so I wondered if any of you have a suggestion. It looks like everything is working as intended: the LDAP finds the account and authorizes the client, but then it sends Access-Reject. [EMAIL PROTECTED] log]# /usr/sbin/radiusd -x -A Starting - reading configuration files ... Using deprecated naslist file. Support for this will go away soon. Module: Loaded exec rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded MS-CHAP Module: Instantiated mschap (mschap) Module: Loaded System Module: Instantiated unix (unix) Module: Loaded preprocess Module: Instantiated preprocess (preprocess) Module: Loaded detail Module: Instantiated detail (auth_log) Module: Loaded LDAP rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP 
radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x97ac438 Module: Instantiated ldap (ldap) Module: Loaded realm Module: Instantiated realm (suffix) Module: Loaded files Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id Module: Instantiated acct_unique (acct_unique) Module: Instantiated detail (detail) Module: Loaded radutmp Module: Instantiated radutmp (radutmp) Module: Loaded eap rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap rlm_eap: Loaded and initialized type gtc rlm_eap: Loaded and initialized 
type tls rlm_eap: Loaded and initialized type peap rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Initializing the thread pool... Listening on authentication *:1645 Listening on accounting *:1646 Listening on proxy *:1647 Ready to process requests. rad_recv: Access-Request packet from host 158.36.80.3:1645, id=33, length=125 User-Name = pmyklebu Framed-MTU = 1400 Called-Station-Id = 0040.96a0.1b31 Calling-Station-Id = 000e.3526.4533 Message-Authenticator = 0xaf9422f5561d549ae6f7be33b6c134ef EAP-Message = 0x0202000d01706d796b6c656275 NAS-Port-Type = Virtual NAS-Port = 339 NAS-IP-Address = 158.36.80.3 NAS-Identifier = ap01 rlm_ldap: - authorize rlm_ldap: performing user authorization for pmyklebu rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to ldap.mf.no:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=mf,dc=no/MF1d4p to
Re: acct_users - Exec-Program not working
I seem to have the same problem here, also with version 1.0.1 (haven't tried it with 1.0 though...) Regards, Evert

Mike O'Connor wrote: Hi All I have been using freeradius 0.9.3 for a long time and the acct_users file below has always worked well (did have a problem where it would just stop running the script sometimes). I upgraded to 1.0.1 because I was having trouble with the ippool code not sending a Framed-IP-Address every time. (This seems to be fixed in this version.) But now I'm having a problem where my script never gets run, even though the log below shows it being run. All the file permissions are set with ownership by the freeradius user. Any ideas would be great. Thanks Mike

acct_users ---
#
# $Id: acct_users,v 1.3.4.1 2003/08/26 17:41:48 phampson Exp $
#
# This is like the 'users' file, but it is processed only for
# accounting packets.
#
DEFAULT Acct-Status-Type == Start
	Exec-Program = /usr/sbin/set_filter.php
#	Exec-Program = /usr/bin/php4 -q /usr/sbin/set_filter.php
#
DEFAULT Acct-Status-Type == Stop
	Exec-Program = /usr/sbin/set_filter.php
#
#DEFAULT Acct-Status-Type == Alive
#	Exec-Program = printenv /tmp/alive-env.dump
#
# For information on how the attributes from the request are passed
# to the program, see 'doc/variables.txt'
#
--

Exec-Program Running (maybe) ---
rlm_sql (sql): Reserving sql socket id: 10 rlm_sql_postgresql: query: UPDATE radacct SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '701', AcctInputOctets = (('0'::bigint << 32) + '183922'::bigint), AcctOutputOctets = (('0'::bigint << 32) + '755249'::bigint), AcctTerminateCause = 'User-Request', AcctStopDelay = '0', FramedIPAddress = NULLIF('202.xx.xx.xx', '')::inet, ConnectInfo_stop = '' WHERE AcctSessionId = '001E64D7' AND UserName = 'gcrispin' AND NASIPAddress = '202.xx.xx.xx' AND AcctStopTime IS NULL rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: affected rows = 1 rlm_sql (sql): Released sql socket id: 10 rlm_ippool: Searching for an entry for nas/port: 202.xx.xx.xx/152 rlm_ippool: Deallocated entry for ip/port: 202.xx.xx.xx/152 rlm_ippool: num: 0 Exec-Program: /usr/sbin/set_filter.php Sending Accounting-Response of id 110 to 202.xx.xx.xx:39753

Exec-Program Running with -xx --
radius_xlat: '/tmp/sqltrace.sql' rlm_sql (sql): Reserving sql socket id: 31 rlm_sql_postgresql: query: UPDATE radacct SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '48', AcctInputOctets = (('0'::bigint << 32) + '16176'::bigint), AcctOutputOctets = (('0'::bigint << 32) + '45690'::bigint), AcctTerminateCause = 'User-Request', AcctStopDelay = '0', FramedIPAddress = NULLIF('202.xx.xx.xx', '')::inet, ConnectInfo_stop = '' WHERE AcctSessionId = '001E651E' AND UserName = 'matt' AND NASIPAddress = '202.xx.xx.xx' AND AcctStopTime IS NULL rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: affected rows = 1 rlm_sql (sql): Released sql socket id: 31 modcall[accounting]: module sql returns ok for request 0 rlm_ippool: Searching for an entry for nas/port: 202.xx.xx.xx/308 rlm_ippool: Deallocated entry for ip/port: 202.xx.xx.xx/308 rlm_ippool: num: 0 modcall[accounting]: module main_pool returns ok for request 0 modcall: group accounting returns ok for request 0 radius_xlat: '/usr/sbin/set_filter.php' Exec-Program: /usr/sbin/set_filter.php Sending Accounting-Response of id 116 to 202.xx.xx.xx:39753
Daily/Monthly limit
Is there any way to get rid of those values? My users have unlimited access and it is disturbing to see that they exceeded the values. Current values are: 4 hours daily and 20 hours weekly. Thank You
RE: Secure TLS connection between Freeradius and Openldap
Well, finally I succeeded in doing what I want... The reason for the failure was too stupid: in the radiusd.conf file, I had put the LDAP server address in IPv4 dotted address form. Of course, freeradius does not try to resolve it, and of course the address obtained from the LDAP server certificate does not match... Thanks to all who tried to help me. Konstantin -Original Message- From: Konstantin KABASSANOV [mailto:[EMAIL PROTECTED] Sent: Tuesday 16 November 2004 15:46 To: '[EMAIL PROTECTED]' Subject: Secure TLS connection between Freeradius and Openldap Hello, I'm trying to establish a secure TLS connection between a Freeradius and an Openldap server. The openssl s_client -connect command successfully establishes a connection to the openldap server on the mentioned port with the following certificates, but when trying to bind from freeradius I get the following error message: rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.3.2:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/openssl/certs/root.pem rlm_ldap: setting TLS CACert File to /etc/openssl/certs/ rlm_ldap: setting TLS Require Cert to never rlm_ldap: setting TLS Cert File to /etc/openssl/certs/cert.pem rlm_ldap: setting TLS Key File to /etc/openssl/certs/key.pem rlm_ldap: setting TLS Key File to /etc/openssl/certs/random rlm_ldap: bind as cn=Manager,dc=MYDOMAIN,dc=COM/password to 10.0.3.2:636 rlm_ldap: cn=Manager,dc=MYDOMAIN,dc=COM bind to 10.0.3.2:636 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed Of course if I don't set the tls mode, the connection is ok. Any hints? Thanks. Konstantin _ Konstantin K. KABASSANOV LIP6/CNRS 8, rue du Capitaine Scott 75015 Paris, France Phone: +33 (0) 1 44 27 71 26 Fax: +33 (0) 1 44 27 74 95 E-mail: [EMAIL PROTECTED] Web: http://www.kabassanov.com _ IMPORTANT!
If you have tried to reply to this mail and you received a stupid message, announcing that the mail had been rejected as spam, please, resend your reply to the address above. The certificate used to sign this e-mail can be verified at: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html Too much is never enough. ( Me ;) )
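The mismatch Konstantin ran into, as an added example that is not part of the thread or of rlm_ldap: a host name check in the style of TLS clients, run against constructed certificate dictionaries shaped like what Python's `ssl.SSLSocket.getpeercert()` returns. It shows that a server configured by IP literal only verifies when the certificate carries a matching IP Address SAN; a certificate that names only the host never matches `10.0.3.2`, however valid it is. The certificate contents, host names and IP are assumptions for the demonstration.

```python
# Added example (not part of the original thread): why an LDAP server configured
# by IP literal fails certificate verification when the certificate only names
# the host. The certificate dicts are constructed and mirror the shape returned
# by ssl.SSLSocket.getpeercert(); the names and the IP are assumptions.
import ipaddress

def _dns_label_match(pattern: str, host: str) -> bool:
    """Match a DNS name against a certificate name, allowing one leftmost '*' label."""
    pattern, host = pattern.lower().rstrip('.'), host.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split('.'), host.split('.')
    # Only "*.example.org" style wildcards: never a bare "*", never "a.*.b",
    # and the wildcard covers exactly one label.
    if len(p_labels) < 3 or p_labels[0] != '*' or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert: dict, host: str) -> bool:
    """True if `host` (DNS name or IP literal) is named by the certificate."""
    sans = cert.get('subjectAltName', ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must equal an "IP Address" SAN; CN and DNS entries are
        # never consulted for it, which is the check the poster tripped over.
        return any(kind == 'IP Address' and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == 'DNS']
    if not dns_names:
        # Fall back to the subject CN only when the cert has no DNS SANs at all.
        for rdn in cert.get('subject', ()):
            for key, val in rdn:
                if key == 'commonName':
                    dns_names.append(val)
    return any(_dns_label_match(n, host) for n in dns_names)

# Constructed sample certificates for the demonstration.
CERT_HOST_ONLY = {
    'subject': ((('commonName', 'ldap.example.org'),),),
    'subjectAltName': (('DNS', 'ldap.example.org'),),
}
CERT_WITH_IP = {
    'subject': ((('commonName', 'ldap.example.org'),),),
    'subjectAltName': (('DNS', 'ldap.example.org'), ('IP Address', '10.0.3.2')),
}

def explain(cert: dict, host: str) -> str:
    """One-line verdict for a (certificate, configured server) pair."""
    verdict = 'matches' if cert_matches_host(cert, host) else 'does NOT match'
    return f'{host}: {verdict} certificate'

if __name__ == '__main__':
    for h in ('10.0.3.2', 'ldap.example.org'):
        print(explain(CERT_HOST_ONLY, h))
    print(explain(CERT_WITH_IP, '10.0.3.2'))
```

The two remedies are the ones the thread implies: configure the server by the name the certificate carries, or reissue the certificate with an IP Address SAN. Setting "TLS Require Cert" to never, as the quoted log shows, disables the check altogether and with it the protection TLS was meant to add.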
rlm_python with cx_Oracle
Hello! I have some trouble importing the cx_Oracle python module. After adding the import string, I see this in debug: Module: Loaded python python: mod_instantiate = freeradius python: func_instantiate = instantiate python: mod_authorize = freeradius python: func_authorize = authorize python: mod_authenticate = (null) python: func_authenticate = (null) python: mod_preacct = freeradius python: func_preacct = preacct python: mod_accounting = freeradius python: func_accounting = accounting python: mod_checksimul = (null) python: func_checksimul = (null) python: mod_detach = freeradius python: func_detach = detach exceptions.ImportError: /usr/lib/python2.3/site-packages/cx_Oracle.so: undefined symbol: PyExc_RuntimeError Failed to import python module freeradius radiusd.conf[1502]: python: Module instantiation failed. How can I fix this problem? -- TARANTUL
strip domain
Any idea how I can strip the domain? My Win98 box sends the username as DOMAIN\\USERNAME
Re: Proxied EAP authentication
My thesis is the implementation of a proposed framework for lightweight WLAN roaming. So we are trying to reduce the number of messages so as to provide faster roaming. They have given me a diagram with the exchange of messages which I must implement. The diagram is like the one in the RFCs (which describes authentication with EAP), but some messages are passed to the home server from the foreign server (proxy) and are identical to those that are passed from the access point to the proxy server (in the normal procedure). In this diagram there aren't any State or Proxy-State attributes. It's possible that I may have to modify the procedure of the radius protocol, but I am not sure if the protocol can work without the exchange of State and Proxy-State attributes. As far as I have seen, these 2 attributes don't affect the EAP protocol. Is that correct? Thanks From: Alan DeKok [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Proxied EAP authentication Date: Tue, 16 Nov 2004 17:25:06 -0500 jh vg [EMAIL PROTECTED] wrote: I am working on my university thesis using Freeradius. It's about WLAN Roaming. We want to reduce the messages that are sent during an EAP authentication between the foreign and home server (so we use a proxy). I'm not sure that's possible. No matter how I have searched, I can't find an RFC describing the sequence of messages between 2 servers (I looked at RFC 3579, 3580 and generally all RFCs in the radius docs). T2a RADIUS server which passes requests to a RADIUS client. proxy +---+ client | server client | server +---+ A proxy acts like a server to its clients, and as a client to its servers. There is no extra document needed because the documents already describe how clients and servers interact. So the question is: are there any RFCs describing the procedure? I would also like to know if I can alter the freeradius source code so as to cut some attributes it sends. These attributes are probably State and Proxy-State. Uh... why? Those attributes have very well-defined meanings.
They're needed. If you don't have them, EAP RADIUS stops working. Read the RFCs to see why. Perhaps you could say WHY you're trying to reduce the messages. Is it the number of messages? The size? I don't think you'll be able to reduce either unless you define your own version of EAP RADIUS. Alan DeKok.
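Why the two attributes Alan calls "needed" cannot simply be dropped, as an added example that is not part of the thread and not FreeRADIUS code: a dict-level model of one EAP round trip through two proxies (foreign server, broker, home server) following the RFC 2865 rules for Proxy-State (section 5.33: each proxy appends its own, the home server echoes them all unmodified, each proxy strips only its own on the way back) and for State (section 5.24: the NAS must echo it in the next Access-Request of the same conversation). The packets are plain dicts rather than wire-format RADIUS, and the tags, session ids and EAP payloads are constructed.

```python
# Added example (not from the thread): how Proxy-State lets each RADIUS proxy
# match a home server's reply to the request it forwarded, and how State ties
# the next Access-Request to the EAP conversation (RFC 2865 sections 5.24 and
# 5.33). Packets are plain dicts, not wire-format RADIUS; the proxy tags,
# session id and EAP payloads are constructed for the demonstration.

def proxy_forward(request: dict, proxy_tag: bytes) -> dict:
    """Proxy -> next hop: copy the request and append this proxy's own Proxy-State."""
    fwd = {k: (list(v) if isinstance(v, list) else v) for k, v in request.items()}
    # Appended after any Proxy-State already present; earlier hops' tags are untouched.
    fwd.setdefault('Proxy-State', []).append(proxy_tag)
    return fwd

def home_server_reply(request: dict, code: str, extra: dict) -> dict:
    """Home server: every Proxy-State received is echoed unmodified and in order."""
    reply = {'Code': code, **extra}
    if 'Proxy-State' in request:
        reply['Proxy-State'] = list(request['Proxy-State'])
    return reply

def proxy_return(reply: dict, proxy_tag: bytes) -> dict:
    """Proxy -> previous hop: strip only the Proxy-State this proxy added (the last one)."""
    states = list(reply.get('Proxy-State', []))
    if not states or states[-1] != proxy_tag:
        # Without our own tag the reply cannot be matched to an outstanding request.
        raise ValueError("reply does not carry this proxy's Proxy-State; discard it")
    states.pop()
    out = {k: v for k, v in reply.items() if k != 'Proxy-State'}
    if states:
        out['Proxy-State'] = states
    return out

def nas_continue(challenge: dict, eap_response: bytes, user_name: str) -> dict:
    """NAS: the next Access-Request echoes the State from the Access-Challenge."""
    return {'Code': 'Access-Request', 'User-Name': user_name,
            'EAP-Message': eap_response, 'State': challenge['State']}

def two_hop_eap_exchange():
    """NAS -> foreign proxy -> broker proxy -> home server, back again, then the next round."""
    req = {'Code': 'Access-Request', 'User-Name': 'alice@home.example',
           'EAP-Message': b'\x02\x01\x00\x0a\x01alice'}          # EAP-Response/Identity
    t1, t2 = b'foreign:req7', b'broker:req99'                    # constructed tags
    at_broker = proxy_forward(req, t1)
    at_home = proxy_forward(at_broker, t2)
    reply = home_server_reply(at_home, 'Access-Challenge',
                              {'EAP-Message': b'\x01\x02\x00\x06\x0d\x20',  # EAP-Request, TLS start
                               'State': b'home-session-7'})
    back_at_foreign = proxy_return(reply, t2)   # broker removes its tag
    to_nas = proxy_return(back_at_foreign, t1)  # foreign removes its tag
    next_req = nas_continue(to_nas, b'\x02\x02\x00\x06\x0d\x00', req['User-Name'])
    return at_home, to_nas, next_req

if __name__ == '__main__':
    at_home, to_nas, next_req = two_hop_eap_exchange()
    print('home server saw Proxy-State:', at_home['Proxy-State'])
    print('NAS received:', to_nas)
    print('NAS next request carries State:', next_req['State'])
```

The model also shows the failure Alan alludes to: `proxy_return` refuses a reply whose last Proxy-State is not its own, because a proxy that removed the attribute would have no way to tell which of its outstanding requests the reply answers, and a home server that lost State between rounds could not continue the EAP conversation.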
rlm_eap runtime link failure on FreeRADIUS 1.0.1 under Cygwin
Please confirm that this is possible! I've been able to configure, make and install the product with little to no problem. However, execution aborts when rlm_eap is loaded: ... Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = (null) unix: group = (null) unix: radwtmp = /usr/local/var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) radiusd.conf[9] Failed to link to module 'rlm_eap': unknown error Line 9 (of eap.conf) is where the eap module is loaded: ... eap { ... I configured FR to build with static libraries: $ ./configure --without-snmp --disable-shared --enable-static As you'll see below, everything is linked with '-dlpreopen'. radiusd.exe is 1251KB making me think that everything did in fact statically link. Have you run into this problem? Thank you for any time you put into responding. Regards, Mark --

/usr/tmp/freeradius-1.0.1/libtool --mode=link gcc -export-dynamic -dlopen self \ -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../include -DHOSTINFO=\\ -DRADIUSD_VERSION=\1.0.1\ -L../lib -o radiusd \ radiusd.o files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o -lcrypt -dlpreopen ../modules/rlm_acct_unique/rlm_acct_unique.la -dlpreopen ../modules/rlm_always/rlm_always.la -dlpreopen ../modules/rlm_attr_filter/rlm_attr_filter.la -dlpreopen ../modules/rlm_attr_rewrite/rlm_attr_rewrite.la -dlpreopen ../modules/rlm_chap/rlm_chap.la -dlpreopen ../modules/rlm_counter/rlm_counter.la -dlpreopen ../modules/rlm_dbm/rlm_dbm.la -dlpreopen ../modules/rlm_detail/rlm_detail.la -dlpreopen ../modules/rlm_digest/rlm_digest.la -dlpreopen ../modules/rlm_eap/rlm_eap.la -dlpreopen ../modules/rlm_exec/rlm_exec.la -dlpreopen ../modules/rlm_expr/rlm_expr.la -dlpreopen ../modules/rlm_fastusers/rlm_fastusers.la -dlpreopen ../modules/rlm_files/rlm_files.la -dlpreopen ../modules/rlm_ippool/rlm_ippool.la -dlpreopen ../modules/rlm_mschap/rlm_mschap.la -dlpreopen ../modules/rlm_ns_mta_md5/rlm_ns_mta_md5.la -dlpreopen ../modules/rlm_pap/rlm_pap.la -dlpreopen ../modules/rlm_passwd/rlm_passwd.la -dlpreopen ../modules/rlm_preprocess/rlm_preprocess.la -dlpreopen ../modules/rlm_radutmp/rlm_radutmp.la -dlpreopen ../modules/rlm_realm/rlm_realm.la -dlpreopen ../modules/rlm_sql/rlm_sql.la -dlpreopen ../modules/rlm_unix/rlm_unix.la -dlpreopen ../modules/rlm_x99_token/rlm_x99_token.la -dlpreopen ../modules/rlm_checkval/rlm_checkval.la -dlpreopen ../modules/rlm_eap/types/rlm_eap_md5/rlm_eap_md5.la -dlpreopen ../modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.la -dlpreopen ../modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.la -dlpreopen ../modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.la -dlpreopen ../modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.la -dlpreopen ../modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.la -dlpreopen ../modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.la -dlpreopen ../modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.la -lpthread -lcrypto -lssl -lradius \ /usr/tmp/freeradius-1.0.1/libltdl/libltdl.la -lcrypt

rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT creating .libs/radiusdS.c generating symbol list for `radiusd.exe' extracting global C symbols from `radiusd.o' extracting global C symbols from `files.o' extracting global C symbols from `util.o' extracting global C symbols from `acct.o' extracting global C symbols from `nas.o' extracting global C symbols from `log.o' extracting global C symbols from `valuepair.o' extracting global C symbols from `version.o' extracting global C symbols from `proxy.o' extracting global C symbols from `exec.o' extracting global C symbols from `auth.o' extracting global C symbols from `timestr.o' extracting global C symbols from `conffile.o' extracting global C symbols from `modules.o' extracting global C symbols from `modcall.o' extracting global C symbols from `session.o' extracting global C symbols from `xlat.o' extracting global C symbols from `threads.o' extracting global C symbols from `smux.o' extracting global C symbols from `radius_snmp.o' extracting global C symbols from `client.o' extracting global C symbols from `request_list.o' extracting global C symbols from `mainconfig.o' extracting global C symbols from `../modules/rlm_acct_unique/.libs/rlm_acct_unique.a' extracting global C symbols from `../modules/rlm_always/.libs/rlm_always.a' extracting global C symbols from `../modules/rlm_attr_filter/.libs/rlm_attr_filter.a' extracting global C symbols from `../modules/rlm_attr_rewrite/.libs/rlm_attr_rew
RE: Proxied EAP authentication
It is possible to reduce the number of messages for reauthentication by implementing what is variously known as Fast Roaming, Fast Reauthentication and Session Resumption. This doesn't have any impact on the initial authentication exchange. However, once both parties (supplicant and authenticator) know the master password, then the fact that each party knows the master password is considered sufficient to authenticate the supplicant and authenticator to each other. Generally, this is only applied for a fixed period/fixed number of reauthentications before a complete reauthentication involving the RADIUS server is required. IIUC, FreeRADIUS implements this in the EAP-TLS module that is used by EAP-TTLS and PEAP so probably Session Resumption will be supported in those EAP types at the minimum. Regards, Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jh vg Sent: 17 November 2004 11:40 To: [EMAIL PROTECTED] Subject: Re: Proxied EAP authentication
eap-tls auth: access accept is sent but xp client keeps resending access-req
Hi list, I have a strange problem with EAP/TLS authentication. I have done the setup with the guide from Ken Roser's howto provided on the freeradius site: - The client is XP, wireless card: Linksys WPC54G - The freeradius server is installed on Linux - The access point is a Linksys WRT54G - The certificates (with enhanced key usage for server and client authentication) for server and client are generated using openssl installed on the freeradius server. The log file of freeradius shows that the authentication is successful, with access-accept being sent. I use tcpdump to confirm that access-accept is indeed sent and received by the access point. However, after about 1 minute, the client will resend an access-request. And this keeps repeating... and the client seems to fail the authentication though the radius server keeps sending access-accept: Sending Access-Accept of id 23 to 192.168.168.60:1232 MS-MPPE-Recv-Key = 0xeb0e81327b50c60eb6bd54a9a02da65bcc87136bfdf0d0708f9be01db4078473 MS-MPPE-Send-Key = 0xb01787160d97e7cf0ac614e56479ee7870a6068f142a2279b71e5d3894225f72 EAP-Message = 0x03150004 Message-Authenticator = 0x No session-timeout attribute is sent though, like in Ken Roser's log file. Could this be a problem? The eapol.log shows: [1648] 15:45:13:583: ElWriteCompletionRoutine sent out 0 bytes with error -1073741823, but I'm not quite sure what it means. The only error log I can suspect from the event viewer is this: Event Type: Error Event Source: AutoEnrollment Event Category: None Event ID: 15 Date: 17-Nov-04 Time: 7:50:04 PM User: N/A Computer: LAR4S Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Can anyone help me? Please? I really need to solve this ASAP...
Thank you, Lara eapol.log: [2952] 15:45:09:848: ElMediaEventsHandler entered -- EventType=6[2952] 15:45:09:868: ElMediaEventsHandler: Calling ElMediaSenseCallback [2952] 15:45:09:868: ElMediaSenseCallback: Entered[2952] 15:45:09:868: ElMediaSenseCallbackWorker: For interface (Wireless-G Notebook Adapter with SpeedBooster), GUID ({CCB5C4C2-79EB-4414-A58B-6382051C13F6}), length of block = 90[2952] 15:45:09:868: ElMediaSenseCallbackWorker: Callback for sense disconnect[2952] 15:45:09:868: FSMDisconnected entered for port Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport[2952] 15:45:09:868: Setting state DISCONNECTED for port Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport[2952] 15:45:09:868: FSMDisconnected completed for port Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport[2952] 15:45:09:868: ElMediaSenseCallbackWorker: Port marked disconnected Wireless-G Notebook Adapter with SpeedBooster[2952] 15:45:09:868: ElMediaSenseCallbackWorker: processed, RetCode = 0[1648] 15:45:13:583: ElMediaEventsHandler entered -- EventType=7[1648] 15:45:13:583: ElMediaEventsHandler: Calling ElZeroConfigEvent [1648] 15:45:13:583: ElGetInterfaceParams: SsidLength=7, Found EapTypeId=13, SSIDLen=7[1648] 15:45:13:583: ElEnumAndOpenInterfaces: DeviceDesc = , GUID = {CCB5C4C2-79EB-4414-A58B-6382051C13F6}[1648] 15:45:13:583: ElNdisuioEnumerateInterfaces: Opening handle[1648] 15:45:13:583: NdisuioEnumerateInterfaces: NDISUIO bound to: (0) \DEVICE\{1A918A7C-F63C-4EF3-B6AD-12C1DFC6A4A1} - Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport [1648] 15:45:13:583: NdisuioEnumerateInterfaces: NDISUIO bound to: (1) \DEVICE\{CCB5C4C2-79EB-4414-A58B-6382051C13F6} - Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport [1648] 15:45:13:583: ElNdisuioEnumerateInterfaces: DeviceIoControl IOCTL_NDISUIO_QUERY_BINDING has no more entries[1648] 15:45:13:583: Device: 
\DEVICE\{1A918A7C-F63C-4EF3-B6AD-12C1DFC6A4A1}[1648] 15:45:13:583: Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport[1648] 15:45:13:583: Device: \DEVICE\{CCB5C4C2-79EB-4414-A58B-6382051C13F6}[1648] 15:45:13:583: Description: Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport[1648] 15:45:13:583: ElEnumAndOpenInterfaces: Found interface after enumeration \DEVICE\{CCB5C4C2-79EB-4414-A58B-6382051C13F6}[1648] 15:45:13:583: ElEnumAndOpenInterfaces: Found PCB already existing for interface[1648] 15:45:13:583: ElCreatePort: Entered for Handle=(0D8C), GUID=({CCB5C4C2-79EB-4414-A58B-6382051C13F6}), Name=(Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport), ZCId=(1150), UserData=(033B961C) Notification=4[1648] 15:45:13:583: ElGetInterfaceNdisStatistics: pwszDeviceInterfaceName = (\Device\{CCB5C4C2-79EB-4414-A58B-6382051C13F6})[1648] 15:45:13:583: ElCreatePort: PCB found for {CCB5C4C2-79EB-4414-A58B-6382051C13F6}[1648] 15:45:13:583: ElReStartPort: Entered:
debian with freeradius and securid PAM Module
Hello, I want to use SecurID with freeradius on my Debian. I have chosen and installed the pam_securid.so module from RSA and set up PAM and freeradius. If I make a radtest, every time I get the following errors in syslog: Nov 17 14:31:49 abrakadabra freeradius: PAM unable to dlopen(/lib/security/pam_securid.so) Nov 17 14:31:49 abrakadabra freeradius: PAM [dlerror: /lib/security/pam_securid.so: undefined symbol: pam_get_item] Nov 17 14:31:49 abrakadabra freeradius: PAM adding faulty module: /lib/security/pam_securid.so When I use the module with ssh it works quite well. Has anybody some ideas? Is there anybody who is using SecurID with freeradius? Regards Markus Wintruff
Re: problem with freeradius - ldap - peap
Pål Hjelmeseth Myklebust wrote:
> [EMAIL PROTECTED] log]# /usr/sbin/radiusd -x -A

Please run the server as /usr/sbin/radiusd -X. You will get MUCH more debugging information, which will help you solve your problem.

Alan DeKok.
Re: strip domain
Samareanu Florin wrote:
> any idea how i can strip the domain? my win98 box sends the username as DOMAIN\\USERNAME

Read radiusd.conf. Look for the word ntdomain, and the realms module.

Alan DeKok.
Re: Server is being hit by requests as old as one week..... how to stop?
Prabhdeep wrote:
> It seems that by solving this problem we had taken on a bigger problem. Because server is now returning error for any duplicate accounting record,

There are no error accounting packets. The server just doesn't respond.

> clients are submitting the request again and again we are being hit by requests as old as one week.

That's dumb.

> I guess, my question is that if there is any way to stop these requests.

Reboot the client, or configure the server to respond to duplicate accounting requests. Use doc/configurable_failover to tell the server if SQL returns a problem, just respond always OK.

Alan DeKok.
Bandwidth management Cisco
Hi,

I would like to set up a max bandwidth over my Cisco 1200 AP (IOS v12). My question is: what attribute should I use in RADIUS to set the max download and upload for the client?

thx

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok
Sent: Wednesday, 17 November 2004 15:17
To: [EMAIL PROTECTED]
Subject: Re: problem with freeradius - ldap - peap

> Pål Hjelmeseth Myklebust wrote:
> > [EMAIL PROTECTED] log]# /usr/sbin/radiusd -x -A
>
> Please run the server as /usr/sbin/radiusd -X. You will get MUCH more debugging information, which will help you solve your problem.
>
> Alan DeKok.
Re: Daily/Monthly limit
Samareanu Florin wrote:
> is there any way to get rid of those values ? my users have unlimited access and it is disturbing to see that they overpassed the values? current values are: 4 hours daily and 20 hours weekly

Those values aren't configured in the default installation of FreeRADIUS. If your system has them, it's because you added them.

Alan DeKok.
Re: Tcpdump Attribute Question
It means it's being truncated. Try adjusting the snaplen. You should be able to do -s 0 to make sure you capture the entire packet, or you can specify a length such as -s 1024. Do a man tcpdump and search for snaplen. ie:

tcpdump -i fxp0 -s 0 udp port 1812

-Dusty Doris

On Tue, 16 Nov 2004, jesk wrote:
> I have a question to tcpdumping FreeRADIUS. in some auth-replies there are some attributes missing, but instead of them i can see at the end of a tcpdump line the following: [|radius] what does this exactly mean? f.e.:
> ---
> 12:58:05.215548 x.x.x.x.1645 > x.x.x.x.1645: rad-access-accept 217 [id 14] Attr[ Framed_ipaddr{10.10.10.10} [|radius]
> ---
> normally i can see a lot more output:
> ---
> 13:14:56.867709 x.x.x.x.1645 > x.x.x.x.1645: rad-access-accept 38 [id 37] Attr[ Framed_ipaddr{11.1.1.11} Framed_proto{PPP} Service_type{Framed} ]
> ---
> does somebody have an idea?
Re: Proxied EAP authentication
jh vg wrote:
> My thesis is the implementation for a proposed framework of lightweight WLAN Roaming. So we are trying to reduce the number of messages so as to provide faster roaming. They have given me a diagram with the exchange of messages which i must implement.

Are you implementing an existing protocol? If so, you must follow the protocol spec, in order to be inter-operable with other implementations. This means that you must implement the number, and order of messages as defined in the spec. The end result is that you can't reduce the number of messages.

> The diagram is like the one in RFCs (which describes authentication with EAP) but some messages are passed to home server from foreign server (proxy) and are identical with those that are passed from access point to proxy server (in normal procedure).

Yes, that's called proxying.

> In this diagram there aren't any State or Proxy-State attributes.

Then the diagram is wrong. End of story.

> It's possible that i may have to modify the procedure of the radius protocol, but i am not sure if the protocol can work without the exchange of State and Proxy-State attributes.

It can't.

> As far as i have seen these 2 attributes don't affect the EAP protocol. Is that correct?

If you're doing proxying, you're required to use Proxy-State. If you're using EAP, you're required to use State. The diagram is wrong. What you are trying to do is impossible. It's impossible because if you remove State and Proxy-State, then what you're trying to do won't work. I suggest finding out why the diagram is wrong, and who created it.

Alan DeKok.
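As an added illustration of why both attributes are mandatory (example code written for this note, not from the thread or from FreeRADIUS): a minimal model of the NAS, a proxy and a home server exchanging attributes only. The proxy appends a Proxy-State that the home server must echo unchanged so the proxy can route the reply back; the home server issues State in its Access-Challenge and the NAS must return it in the next Access-Request so the server can find the EAP conversation. Authenticators, Message-Authenticator and the EAP payloads are left out, which is a simplification assumed here.

```python
import os

STATE, PROXY_STATE, EAP_MESSAGE = 24, 33, 79   # attribute types from RFC 2865 / RFC 2869


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = bytearray()
    for t, v in attrs:
        if not 0 < len(v) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def decode_attrs(data):
    """Inverse of encode_attrs; rejects truncated or undersized attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def values(attrs, t):
    return [v for at, v in attrs if at == t]


class HomeServer:
    """An EAP conversation is found only through the State attribute the server issued."""

    def __init__(self):
        self.conversations = set()

    def handle(self, packet):
        attrs = decode_attrs(packet)
        echo = [(PROXY_STATE, v) for v in values(attrs, PROXY_STATE)]   # must be echoed unchanged
        states = values(attrs, STATE)
        if not states:
            token = os.urandom(8)              # no State: a brand-new conversation, start with a challenge
            self.conversations.add(token)
            return "Access-Challenge", encode_attrs([(STATE, token)] + echo)
        if states[0] in self.conversations:
            self.conversations.discard(states[0])
            return "Access-Accept", encode_attrs(echo)
        return "Access-Reject", encode_attrs(echo)   # State we never issued


class ServerThatDropsProxyState(HomeServer):
    """Models the diagram's omission: the reply carries no Proxy-State."""

    def handle(self, packet):
        code, reply = super().handle(packet)
        return code, encode_attrs([a for a in decode_attrs(reply) if a[0] != PROXY_STATE])


class Proxy:
    """Adds its own Proxy-State on the way out and needs the echoed copy to route the reply."""

    def __init__(self, home):
        self.home, self.pending = home, {}

    def forward(self, packet, nas):
        tag = os.urandom(4)
        self.pending[tag] = nas
        code, reply = self.home.handle(packet + encode_attrs([(PROXY_STATE, tag)]))
        attrs = decode_attrs(reply)
        mine = values(attrs, PROXY_STATE)
        if not mine or mine[-1] not in self.pending:
            raise RuntimeError("reply without our Proxy-State: cannot route it back to the NAS")
        nas_back = self.pending.pop(mine[-1])
        stripped = [a for a in attrs if a != (PROXY_STATE, mine[-1])]   # remove our own copy
        return nas_back, code, encode_attrs(stripped)


def run_conversation(keep_state):
    """NAS view: EAP round 1, then round 2 with (or without) the State echoed. Returns the final code."""
    proxy = Proxy(HomeServer())
    identity = encode_attrs([(EAP_MESSAGE, b"\x02\x01\x00\x05\x01")])     # EAP-Response/Identity (constructed)
    nas, code, reply = proxy.forward(identity, "nas1")
    assert code == "Access-Challenge" and nas == "nas1"
    nxt = [(EAP_MESSAGE, b"\x02\x02\x00\x06\x04\x00")]                     # next EAP response (constructed)
    if keep_state:
        nxt += [(STATE, s) for s in values(decode_attrs(reply), STATE)]
    nas, code, reply = proxy.forward(encode_attrs(nxt), "nas1")
    assert not values(decode_attrs(reply), PROXY_STATE)                   # proxy stripped its own tag
    return code


def proxy_can_route(server):
    try:
        Proxy(server).forward(encode_attrs([(EAP_MESSAGE, b"\x02\x01\x00\x05\x01")]), "nas1")
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    print("with State:", run_conversation(True))       # Access-Accept
    print("without State:", run_conversation(False))   # Access-Challenge again, never completes
    print("proxy can route, Proxy-State echoed:", proxy_can_route(HomeServer()))
    print("proxy can route, Proxy-State dropped:", proxy_can_route(ServerThatDropsProxyState()))
```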
Re: Proxied EAP authentication
Guy Davies wrote:
> IIUC, FreeRADIUS implements this in the EAP-TLS module that is used by EAP-TTLS and PEAP so probably Session Resumption will be supported in those EAP types at the minimum.

FreeRADIUS doesn't implement fast reconnect for session resumption.

Alan DeKok.
Re: eap-tls auth: access accept is sent but xp client keeps resending access-req
Lara Adianto wrote:
> The log file of freeradius shows that the authentication is successful, with access-accept being sent. I use tcpdump to confirm that access-accept is indeed sent and received by the access-point. However, after about 1 minute, the client will resend an access-request. And this keeps repeating...

Ok...

> The only error log I can suspect from event viewer is this:
> ...
> Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

That looks like the problem to me. Fix that, and the machine should stay on the network. And no, there's nothing you can do to FreeRADIUS to fix that problem.

Alan DeKok.
Re: debian with freeradius and securid PAM Module
[EMAIL PROTECTED] wrote:
> I want to use SecurID with FreeRADIUS on my Debian. I have chosen and installed the pam_securid.so module from RSA and set up PAM and FreeRADIUS.

PAM may have memory leaks. If at all possible, I would suggest using a command-line tool from SecurID to do the authentication.

> If I run a radtest, every time I get the following errors in syslog:
> Nov 17 14:31:49 abrakadabra freeradius: PAM unable to dlopen(/lib/security/pam_securid.so)

It's probably not in the default library path. See /etc/ld.so.conf, or edit radiusd.conf, and add ':/lib/security' to the end of the 'libdir' directive.

Alan DeKok.
Re: problem with freeradius - ldap - peap
For some reason, you have the LDAP module set up to pull an MD5-hashed password from your LDAP tree and add it as the NT-Password attribute. This won't work. In order to use PEAP, you have to have either a clear-text password or an NT-hashed password.

--Mike

On Wed, 2004-11-17 at 03:44, Pål Hjelmeseth Myklebust wrote:
> I have a problem i can't seem to figure out, so i wondered if any of you have a suggestion. It looks like everything is working as intended, the ldap finds the account and authorizes the client, but then it sends Access-Reject.
>
> [EMAIL PROTECTED] log]# /usr/sbin/radiusd -x -A
> Starting - reading configuration files ...
> Using deprecated naslist file. Support for this will go away soon.
> ...
> rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
> rlm_ldap: LDAP userPassword mapped to RADIUS NT-Password
> rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> ...
> Ready to process requests.
> rad_recv: Access-Request packet from host 158.36.80.3:1645, id=33, length=125
>         User-Name = pmyklebu
>         Framed-MTU = 1400
>         Called-Station-Id = 0040.96a0.1b31
>         Calling-Station-Id = 000e.3526.4533
>         Message-Authenticator = 0xaf9422f5561d549ae6f7be33b6c134ef
Re: Daily/Monthly limit
> Message: 7
> From: Alan DeKok [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Daily/Monthly limit
> Date: Wed, 17 Nov 2004 09:28:43 -0500
> Reply-To: [EMAIL PROTECTED]
>
> Samareanu Florin wrote:
> > is there any way to get rid of those values ? my users have unlimited access and it is disturbing to see that they overpassed the values? current values are: 4 hours daily and 20 hours weekly
>
> Those values aren't configured in the default installation of FreeRADIUS. If your system has them, it's because you added them.

i got them after i imported the sql scripts from dialup admin shipped with freeradius. where can i edit those values?
Re: Daily/Monthly limit
where are those values located in the mysql db? is it safe to delete them?

Samareanu Florin wrote:
> i got them after i imported the sql scripts from dialup admin shipped with freeradius. where can i edit those values?
Re: Daily/Monthly limit
On Wed, 17 Nov 2004, Samareanu Florin wrote:
> where are those values located in the mysql db? is it safe to delete them?

See at the end of conf/admin.conf in dialupadmin

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: help groups and LDAP
You can modify the groupname attribute to be the lab attribute and then use that to hand out the pools. So in radiusd.conf in the ldap section, change groupname_attribute to

groupname_attribute = laboratory

(or whatever that attribute name is)

Then you create an ippool config for each lab. Say you have one called u2labo and one called u3labo.

ippool u2labo {
        configure this...
}
ippool u3labo {
        configure this...
}

Then in the users file, you add something like this

DEFAULT Ldap-Group == u2labo, Pool-Name := "u2labo"
        Fall-Through = no
DEFAULT Ldap-Group == u3labo, Pool-Name := "u3labo"
        Fall-Through = no

I think that should do it.

-Dusty Doris
[FreeRadius] rlm_postgresql cannot link driver
Hello Gang,

I just installed the 1.01 on my Red Hat, but am having problems with the pgsql-voip module. I did what the doc says, but ended up with this error:

rlm_sql (pgsql-voip): Could not link driver rlm_sql_postgresql: file not found
rlm_sql (pgsql-voip): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
radiusd.conf[9]: pgsql-voip: Module instantiation failed.

can someone shed some light?

-apu
rlm_python for client/nas list
Hello,

I'd like to move clients.conf to something that works through rlm_python. Looking at rlm_sql, this appears possible. I'm willing to update rlm_python to support this, but I can't seem to find how it binds this functionality in rlm_sql. Anyone ever try this?

James
Re: help groups and LDAP
Thanks, I have to leave, but the quick and last test I did with your advice gave me bad results. See tomorrow..

Using radtest, I don't get any IP, and there is very little doc about ippool and the way it works. I suppose that the NAS is completely relying on radius for IP delivery. I'm wondering what happens in case of the failure of the main radius server.

Dom

Dustin Doris wrote:
> You can modify the groupname attribute to be the lab attribute and then use that to hand out the pools. So in radiusd.conf in the ldap section, change groupname_attribute to
>
> groupname_attribute = laboratory
>
> (or whatever that attribute name is)
>
> Then you create an ippool config for each lab. Say you have one called u2labo and one called u3labo.
>
> ippool u2labo {
>         configure this...
> }
> ippool u3labo {
>         configure this...
> }
>
> Then in the users file, you add something like this
>
> DEFAULT Ldap-Group == u2labo, Pool-Name := "u2labo"
>         Fall-Through = no
> DEFAULT Ldap-Group == u3labo, Pool-Name := "u3labo"
>         Fall-Through = no
>
> I think that should do it.
>
> -Dusty Doris

--
Dominique LALOT
Systems and Network Engineer, CISCAM Pole Réseau, Université de la Méditerranée
http://annuaire.univ-mrs.fr/showuser.php?uid=lalot
Re: help groups and LDAP
You'll still need to configure the ippool modules and include those in the accounting section and post-auth section. Forgot to include that in the last email. A radiusd -X will show you exactly what is going on. If it doesn't work, please post that to the list with all output. ie:

accounting {
        ...
        u2labo
        u3labo
        ...
}

post-auth {
        ...
        u2labo
        u3labo
        ...
}

On Wed, 17 Nov 2004, LALOT Dominique wrote:
> Thanks, I have to leave, but the quick and last test I did with your advice gave me bad results. See tomorrow..
>
> Using radtest, I don't get any IP, and there is very little doc about ippool and the way it works. I suppose that the NAS is completely relying on radius for IP delivery. I'm wondering what happens in case of the failure of the main radius server.
>
> Dom
>
> --
> Dominique LALOT
> Systems and Network Engineer, CISCAM Pole Réseau, Université de la Méditerranée
> http://annuaire.univ-mrs.fr/showuser.php?uid=lalot
Re: Daily/Monthly limit
The final problem: in the dialup admin web page i press show groups, i choose one group name (static in my case), select one user from Group Members and press the Administer Selected User button. Nothing happens, the page gets refreshed and i am returned to Group static administration index. Where is the problem?

> Message: 8
> Date: Wed, 17 Nov 2004 17:00:18 +0200 (EET)
> From: Kostas Kalevras [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Daily/Monthly limit
> Reply-To: [EMAIL PROTECTED]
>
> On Wed, 17 Nov 2004, Samareanu Florin wrote:
> > where are those values located in the mysql db? is it safe to delete them?
>
> See at the end of conf/admin.conf in dialupadmin
>
> --
> Kostas Kalevras
> Network Operations Center
> [EMAIL PROTECTED]
> National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
Patch for 0.8.1 supporting IPv6
Hi, everyone

Could anyone tell me how to find the patch for 0.8.1 supporting IPv6? I've looked it up on Google but didn't find any useful results about it...

Thank you very much!
Re: Low cost APs that support EAP/TLS Freeradius??
On Tue, 16 Nov 2004, David Mitton wrote:
> I am interested in an AP that can do 802.1x (authenticator without being a server) that's a bit cheaper than that. I'd also like firewall/NAT router functions, you know, the typical Cable/DSL/router configuration. Suggestions?
>
> A Linksys WRT54GS with Sveasoft looks like a bargain functionally. Amazon.com has the WRT54GS for $81.99 - $10 Rebate.

Anyone try a Buffalo AirStation G54 WLA-G54C?? It claims 802.1x, WPA, TKIP support and is about $80. It looks like a version with a built-in 4 port ethernet switch is around $100.

Joe Matuscak
Rohrer Corporation
717 Seville Road
Wadsworth, Ohio 44281
(330)335-1541
[EMAIL PROTECTED]
Re: Patch for 0.8.1 supporting IPv6
Shawn wrote:
> Could anyone tell me how to find the patch for 0.8.1 supporting IPv6?

There is no such patch, and there will never be a patch. 1.0.1 supports IPv6 attributes in RADIUS, but not listening on an IPv6 socket.

Alan DeKok.
can radius pass a binary file
Using freeradius 1.0.1, I need to be able to pass a binary or text file to be parsed at the other end. Are there any suggestions?

Marco
Re: Low cost APs that support EAP/TLS Freeradius??
On 11/16/2004 09:27 PM, Paul wrote:
> David Mitton wrote:
> > A Linksys WRT54GS with Sveasoft looks like a bargain functionally. Amazon.com has the WRT54GS for $81.99 - $10 Rebate.
>
> Yeah, that's a good price. I use the WRT54GS with the tinyPEAP embedded RADIUS server. The firmware is based on Sveasoft's version 4.0, because it's freely available I guess. Works for me. I paid under $76 after $10 rebate and $10 gift card at Staples. (Staples has a great return policy, just in case.)

The Amazon deal is nice because it's tax free with free shipping. Free shipping can be as quick as regular shipping.

Dumb question time:
- where do you store the users? in flash? is there a virtual disk system?
- Who did tinyPEAP?

Dave.
Re: Huntgroup problem in FreeRadius 1.0.1 at FreeBSD5.3Rel.
Hi All

I still have a problem with huntgroups in FreeRADIUS 1.0.1 and investigated it a little.

In the 1st, I added an 'auth_log' setting at the authorize section in the 'radiusd.conf' file to collect more information.

In the 2nd, I checked the current user information at our MySQL server by using the SQL query described in sql.conf.

    SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,
    radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
    usergroup.Username='test1' AND usergroup.GroupName = radgroupcheck.GroupName
    ORDER BY radgroupcheck.id;
    +----+-----------+----------------+---------+----+
    | id | GroupName | Attribute      | Value   | op |
    +----+-----------+----------------+---------+----+
    |  2 | dynamic   | Huntgroup-Name | dynamic | == |
    +----+-----------+----------------+---------+----+

    mysql> select * from radcheck where UserName='test1';
    +----+----------+-----------+----+-------+
    | id | UserName | Attribute | op | Value |
    +----+----------+-----------+----+-------+
    |  1 | test1    | Password  | == | pass1 |
    +----+----------+-----------+----+-------+
    1 row in set (0.00 sec)

    # /usr/local/etc/raddb/huntgroups
    static   NAS-IP-Address == 127.0.0.1
    dynamic  NAS-IP-Address == 127.0.0.1

In the last, I started FreeRADIUS in debug mode (-sxxf) and queried. (But rejected)

    svr3# /usr/local/bin/radtest test1 pass1 localhost 0 secret ppp 127.0.0.1
    Sending Access-Request of id 243 to 127.0.0.1:1645
            User-Name = test1
            User-Password = pass1
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 0
            Framed-Protocol = PPP
    rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=243, length=20

The auth-detail file says radius treats user 'test1' as Group=static. (Actually, 'dynamic')

    Packet-Type = Access-Request
    Thu Nov 18 11:52:22 2004
            User-Name = test1
            User-Password = pass1
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 0
            Framed-Protocol = PPP
            Service-Type = Framed-User
            Client-IP-Address = 127.0.0.1
            Huntgroup-Name = static

Below is the radius detail log. I hope for someone's kind help.

---
rad_recv: Access-Request packet from host 127.0.0.1:54456, id=239, length=65
        User-Name = test1
        User-Password = pass1
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
    rlm_realm: No '@' in User-Name = test1, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  radius_xlat: '/var/log/radacct/auth-detail-20041118'
  rlm_detail: /var/log/radacct/auth-detail-%Y%m%d expands to /var/log/radacct/auth-detail-20041118
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module attr_filter returns noop for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    users: Matched DEFAULT at 12
    users: Matched DEFAULT at 18
  modcall[authorize]: module files returns ok for request 0
  radius_xlat: 'masaru1'
  rlm_sql (sql): sql_set_user escaped user -- 'test1'
  radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test1' ORDER BY id'
  rlm_sql (sql): Reserving sql socket id: 4
  radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test1' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
  radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test1' ORDER BY id'
  radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test1' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
  rlm_sql (sql): No matching entry in the database for request from user [test1]
  rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns notfound for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type Local
auth: type Local
auth: No password configured for the user
auth: Failed to validate the user.
  Processing the post-auth section of radiusd.conf
modcall: entering group Post-Auth-Type for request 0
  radius_xlat: '/var/log/radacct/reply-detail-20041118'
--- (end)

On Mon, 15 Nov 2004 23:10:21 +0900 Masaru Yoshihama wrote:
> Hi All, I have been to use FreeRadius 0.9.1 while a year and
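As an added example (written for this note, not FreeRADIUS code), a small model of the two check-item matchers that both the LDAP/ippool recipe above (groupname_attribute, users-file DEFAULT entries with Pool-Name and Fall-Through) and this huntgroup problem depend on: the huntgroups file is walked top to bottom and the first entry whose check items match names the huntgroup (the behaviour assumed in this model; the posted auth-detail log, Huntgroup-Name = static, is consistent with it), and the users file adds each matching entry's items and stops unless Fall-Through = yes. Ldap-Group is modelled as an attribute already present on the request, which is an assumption here (in FreeRADIUS the ldap module evaluates it); HUNTGROUPS_DISTINCT is a constructed variant, not the poster's file.

```python
import re

CHECK_RE = re.compile(r'^([\w-]+)\s*(==|:=|!=|=)\s*"?(.*?)"?$')


def parse_check_items(text):
    """'Attr op Value, Attr op Value' -> [(attr, op, value)]; quotes around values are dropped."""
    items = []
    for part in text.split(","):
        part = part.strip()
        if part:
            m = CHECK_RE.match(part)
            if not m:
                raise ValueError("bad item: " + part)
            items.append(m.groups())
    return items


def check_matches(request, items):
    """Comparison items (==, !=) are tested against the request's attribute lists;
    assignment items (:=, =) are config items and never fail a match."""
    for attr, op, value in items:
        present = value in request.get(attr, [])
        if (op == "==" and not present) or (op == "!=" and present):
            return False
    return True


def huntgroup_name(request, huntgroups_text):
    """Model of rlm_preprocess: the first huntgroups entry whose check items match names the group."""
    for line in huntgroups_text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line or line[0].isspace():
            continue
        name, checks = (line.split(None, 1) + [""])[:2]
        if check_matches(request, parse_check_items(checks)):
            return name
    return None


def parse_users(text):
    """users file: an unindented 'name check-items' line, then indented reply-item lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1][2].extend(parse_check_items(line))
        else:
            name, checks = (line.split(None, 1) + [""])[:2]
            entries.append((name, parse_check_items(checks), []))
    return entries


def users_lookup(request, users_text):
    """Model of rlm_files: returns (config items, reply items) of the matching entries."""
    config, reply = {}, {}
    for name, checks, replies in parse_users(users_text):
        if name != "DEFAULT" and name not in request.get("User-Name", []):
            continue
        if not check_matches(request, checks):
            continue
        for attr, op, value in checks:
            if op == ":=" or (op == "=" and attr not in config):
                config[attr] = value
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply[attr] = value
        if not fall_through:
            break
    return config, reply


# The huntgroups file exactly as posted: both entries match the same NAS.
HUNTGROUPS = """\
static   NAS-IP-Address == 127.0.0.1
dynamic  NAS-IP-Address == 127.0.0.1
"""

# Constructed variant (not the poster's file): distinct check items per huntgroup.
HUNTGROUPS_DISTINCT = """\
static   NAS-IP-Address == 10.0.0.1
dynamic  NAS-IP-Address == 127.0.0.1
"""

# The users-file entries from the LDAP/ippool recipe.
USERS = """\
DEFAULT Ldap-Group == u2labo, Pool-Name := "u2labo"
        Fall-Through = no
DEFAULT Ldap-Group == u3labo, Pool-Name := "u3labo"
        Fall-Through = no
"""


def posted_request():
    """The radtest request from the post: test1 from NAS 127.0.0.1, port 0."""
    return {"User-Name": ["test1"], "NAS-IP-Address": ["127.0.0.1"], "NAS-Port": ["0"]}


if __name__ == "__main__":
    print("posted file:", huntgroup_name(posted_request(), HUNTGROUPS))            # static
    print("distinct file:", huntgroup_name(posted_request(), HUNTGROUPS_DISTINCT))  # dynamic
    lab = {"User-Name": ["fred"], "Ldap-Group": ["u3labo"]}
    print("pool for fred:", users_lookup(lab, USERS)[0].get("Pool-Name"))          # u3labo
```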
Re: General question on Radius/802.1x
On 11/17/2004 11:01 AM, Andrea G. Forte wrote:
> Hi all,
> I am new to WPA/802.11i and I have a few doubts. I hope you can help me.
> What is not clear to me is how often a supplicant needs to authenticate to the server... is it every time the supplicant performs an L2 handoff?

The supplicant needs to authenticate anytime it wishes to get L2 access. It is an extension of the Authenticate Associate MAC processes.

> It seems like if the supplicant does not authenticate it does not get an IP address, so I would think that authentication would happen only when the supplicant performs L3 and not L2 handoff. Am I right?

No. 802.1x authentication is L2 access, and has nothing to do with IP addressing. If a station moves to another AP, it must become authenticated (somehow) at that AP. Either by another AAA exchange, or a back-end protocol between APs and maybe a AAA server (see 802.11f) or a central controller (see CAPWAP). Making authentication work quickly across handoffs is a current working effort in several groups. Obviously, IP topology becomes a configuration issue, but not an authentication problem, per se.

> Another doubt I have is: if I am a malicious user and set a static IP address and know the key, am I able to use the network or am I blocked somehow by the authenticator? How does the authenticator know if it has to block my ports or not when I connect to the AP?

Your port is blocked (by your MAC address and MAC state) at the AP until you pass authentication. IP has nothing to do with it. I'm not sure what key you know, but session keys are derived dynamically from the master key. In fact you must know your key, as it's not exchanged over the network. It could be your account password, or a machine certificate. What's different from WEP is the master key is unique per user, and the derived session key is unique for every authentication instance.

> Your help is very much appreciated.
> Thank you.
> Andrea Forte

Good luck,
Dave.
Just getting started
Ok, so I have looked all over the web but can't really find any good how-to articles on freeradius when it comes to setting up a dial-up server. Anyone have any links or even a book that might help?
Re: Just getting started
On Thu, Nov 18, 2004 at 12:17:28AM -0600, Dallas Graves wrote:
> Ok, so I have looked all over the web but can't really find any good how-to articles on freeradius when it comes to setting up a dial-up server. Anyone have any links or even a book that might help?

If you're looking at setting a computer to answer modems for dial-in use, you'll find the documentation for _that_ will usually tell you where to use FreeRADIUS. RADIUS is a back-end protocol so it's rarely documented in a HOWTO in its own regard.

-- 
Paul TBBle Hampson, on an alternate email client.
Re: General question on Radius/802.1x
> On 11/17/2004 11:01 AM, Andrea G. Forte wrote:
>> Hi all,
>> I am new to WPA/802.11i and I have a few doubts. I hope you can help me.
>> What is not clear to me is how often a supplicant needs to authenticate to the server... is it every time the supplicant performs an L2 handoff?
>
> The supplicant needs to authenticate anytime it wishes to get L2 access. It is an extension of the Authenticate Associate MAC processes.

Why is the authentication done every single time an L2 handoff occurs? Usually for 802.11b, I can cover a building floor with about two or three APs, and for 802.11a each AP covers an even smaller area. This means that I will have to authenticate even if I move from one room to another (exaggeration!). This to me sounds like an unnecessary overhead.

>> Another doubt I have is: if I am a malicious user and set a static IP address and know the key, am I able to use the network or am I blocked somehow by the authenticator? How does the authenticator know if it has to block my ports or not when I connect to the AP?
>
> Your port is blocked (by your MAC address and MAC state) at the AP until you pass authentication. IP has nothing to do with it. I'm not sure what key you know, but session keys are derived dynamically from the master key. In fact you must know your key, as it's not exchanged over the network. It could be your account password, or a machine certificate. What's different from WEP is the master key is unique per user, and the derived session key is unique for every authentication instance.

How is my port blocked? Also, if I return to an AP I previously authenticated with, does this AP have some sort of allowed MAC list without having me start the whole authentication process over (i.e. with exchange of certificates, etc.) for a second time?

> Good luck,
> Dave.

Thank you Dave for your precious help.
Andrea
Re: General question on Radius/802.1x
On 11/18/2004 12:20 AM, Andrea G. Forte wrote:
>> On 11/17/2004 11:01 AM, Andrea G. Forte wrote:
>>> Hi all,
>>> I am new to WPA/802.11i and I have a few doubts. I hope you can help me.
>>> What is not clear to me is how often a supplicant needs to authenticate to the server... is it every time the supplicant performs an L2 handoff?
>>
>> The supplicant needs to authenticate anytime it wishes to get L2 access. It is an extension of the Authenticate Associate MAC processes.
>
> Why is the authentication done every single time an L2 handoff occurs? Usually for 802.11b, I can cover a building floor with about two or three APs, and for 802.11a each AP covers an even smaller area. This means that I will have to authenticate even if I move from one room to another (exaggeration!). This to me sounds like an unnecessary overhead.

There is a fundamental authentication/security problem you are glossing over: How does the AP you roam to know who you are? How does one AP know you authenticated against another? How does the new AP know the session key you were using with the prior one? If it doesn't, how to make a new one? How does that AP trust the other AP? How does it know you are really the same station, and not some hacker spoofing the same MAC address? Answer those questions thoroughly and you will be on the way to solving the roaming problem.

>>> Another doubt I have is: if I am a malicious user and set a static IP address and know the key, am I able to use the network or am I blocked somehow by the authenticator? How does the authenticator know if it has to block my ports or not when I connect to the AP?
>>
>> Your port is blocked (by your MAC address and MAC state) at the AP until you pass authentication. IP has nothing to do with it. I'm not sure what key you know, but session keys are derived dynamically from the master key. In fact you must know your key, as it's not exchanged over the network. It could be your account password, or a machine certificate. What's different from WEP is the master key is unique per user, and the derived session key is unique for every authentication instance.
>
> How is my port blocked?

Until you pass authentication, only EAPOL data frames will be processed; all other data frames will be discarded. This is what the 802.11i and 802.1x standards describe. It's part of the operation of an AP that adheres to those standards.

> Also, if I return to an AP I previously authenticated with, does this AP have some sort of allowed MAC list without having me start the whole authentication process over (i.e. with exchange of certificates, etc.) for a second time?

It might. There is a Re-Associate control frame that can be used. However, there is still the problem of proving you are whom you say you are. I've forgotten how much of that process is settled.

Dave.
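The port-blocking behaviour Dave describes above, as an added example that is not part of the thread: a small C model of the 802.1X authenticator's controlled port. EAPOL frames (EtherType 0x888E, the real value) are always handed to the authenticator; every other frame is forwarded only once the source MAC has been moved to the AUTHORIZED state by a successful EAP exchange. The decision never inspects the payload, which is why a hand-configured static IP address changes nothing. All MAC addresses, frames and function names below are constructed for the example.

```c
/* Added example: a model of the IEEE 802.1X controlled/uncontrolled port on an
 * access point. Not code from the mailing-list post. Frames are classified by
 * EtherType only; station state is keyed by source MAC address. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN     14
#define ETHERTYPE_IP    0x0800
#define ETHERTYPE_VLAN  0x8100
#define ETHERTYPE_EAPOL 0x888E   /* EAP over LAN, IEEE 802.1X */
#define MAX_STATIONS    16

enum port_state { PORT_UNAUTHORIZED = 0, PORT_AUTHORIZED = 1 };
enum verdict     { DROP = 0, FORWARD = 1, TO_AUTHENTICATOR = 2 };

struct station { uint8_t mac[6]; enum port_state state; int used; };
static struct station stations[MAX_STATIONS];   /* per-MAC port state table */

/* Find the state entry for a MAC; optionally create one (starts UNAUTHORIZED). */
static struct station *station_lookup(const uint8_t mac[6], int create)
{
    for (int i = 0; i < MAX_STATIONS; i++)
        if (stations[i].used && memcmp(stations[i].mac, mac, 6) == 0)
            return &stations[i];
    if (!create) return NULL;
    for (int i = 0; i < MAX_STATIONS; i++)
        if (!stations[i].used) {
            memcpy(stations[i].mac, mac, 6);
            stations[i].state = PORT_UNAUTHORIZED;
            stations[i].used = 1;
            return &stations[i];
        }
    return NULL;   /* table full: station stays blocked */
}

/* Called by the authenticator: AUTHORIZED after EAP-Success from the RADIUS
 * server, UNAUTHORIZED on logoff, timeout or failed re-authentication. */
int port_set_state(const uint8_t mac[6], enum port_state st)
{
    struct station *s = station_lookup(mac, 1);
    if (s == NULL) return -1;
    s->state = st;
    return 0;
}

/* Payload EtherType, stepping over one 802.1Q tag if present; -1 on a runt frame. */
static int frame_ethertype(const uint8_t *frame, size_t len, uint16_t *type)
{
    size_t off = 12;
    if (len < ETH_HDR_LEN) return -1;
    uint16_t t = (uint16_t)(frame[off] << 8 | frame[off + 1]);
    if (t == ETHERTYPE_VLAN) {
        if (len < ETH_HDR_LEN + 4) return -1;
        off += 4;
        t = (uint16_t)(frame[off] << 8 | frame[off + 1]);
    }
    *type = t;
    return 0;
}

/* The controlled-port decision. EAPOL always reaches the authenticator (the
 * "uncontrolled port"); anything else passes only from an AUTHORIZED MAC.
 * IP headers are never examined, so a static IP address gains nothing. */
enum verdict filter_frame(const uint8_t *frame, size_t len)
{
    uint16_t type;
    if (frame_ethertype(frame, len, &type) != 0) return DROP;
    if (type == ETHERTYPE_EAPOL) return TO_AUTHENTICATOR;
    const struct station *s = station_lookup(frame + 6, 0);
    if (s == NULL || s->state != PORT_AUTHORIZED) return DROP;
    return FORWARD;
}

/* Build a constructed Ethernet frame (dst, src, type, payload); returns its length. */
size_t build_frame(uint8_t *buf, size_t cap, const uint8_t dst[6], const uint8_t src[6],
                   uint16_t type, const uint8_t *payload, size_t plen)
{
    if (cap < ETH_HDR_LEN + plen) return 0;
    memcpy(buf, dst, 6);
    memcpy(buf + 6, src, 6);
    buf[12] = (uint8_t)(type >> 8);
    buf[13] = (uint8_t)(type & 0xff);
    memcpy(buf + ETH_HDR_LEN, payload, plen);
    return ETH_HDR_LEN + plen;
}

int main(void)
{
    static const uint8_t ap[6]  = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};   /* constructed */
    static const uint8_t sta[6] = {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};   /* constructed */
    static const uint8_t ipv4[20] = {0x45, 0, 0, 20, 0, 0, 0, 0, 64, 1, 0, 0,
                                     10, 0, 0, 99, 10, 0, 0, 1};          /* static 10.0.0.99 */
    static const uint8_t eapol_start[4] = {0x01, 0x01, 0x00, 0x00};
    uint8_t f[64];
    size_t n;

    n = build_frame(f, sizeof f, ap, sta, ETHERTYPE_IP, ipv4, sizeof ipv4);
    printf("IP before auth: %d (0 = drop)\n", filter_frame(f, n));
    n = build_frame(f, sizeof f, ap, sta, ETHERTYPE_EAPOL, eapol_start, sizeof eapol_start);
    printf("EAPOL-Start:    %d (2 = to authenticator)\n", filter_frame(f, n));
    port_set_state(sta, PORT_AUTHORIZED);   /* EAP-Success relayed from RADIUS */
    n = build_frame(f, sizeof f, ap, sta, ETHERTYPE_IP, ipv4, sizeof ipv4);
    printf("IP after auth:  %d (1 = forward)\n", filter_frame(f, n));
    return 0;
}
```

The same table is what the second question in the thread touches: a station that returns to this AP is only forwarded while its entry is still AUTHORIZED, so whether re-authentication is needed depends on whether the AP kept that state, not on any MAC allow-list.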
PATCH: regular expression matching of realms.
Hello!

==
Regular expression matching in proxy.conf enables very flexible and intuitive realm proxying. It can reduce the number of realm entries:

    realm company2.com {
        regexp = ^.*\.company2\.com$
        type = radius
        authhost = rad.company2.com
        accthost = rad.company2.com
    }

==
I'm operating a TLD radius server and delegating certain RADIUS realms to sub-node RADIUS servers. We have built a sort of RADIUS tree structure. For example (radiator config):

    <Handler Realm=/^subX\.tld$|^.*\.subX\.tld$/>
        <AuthBy RADIUS>
        [...]
        </AuthBy>
    </Handler>

The subX.org.tld are usually freeradius servers, that define a subX.tld and a few subsub1.subX.tld, subsub2.subX.tld, subsub3.subX.tld. This can be dangerous, because I delegate all *.subX.tld to the organisation and they delegate DEFAULT to me. So for a non-existent subsub4.subX.tld we create a RADIUS loop. I could:

- delegate realms strictly (too much administration on my part and too restrictive for subX operators)
- implement split horizon in the TLD server (I might do this, but I prefer to enhance free software)
- implement regexp realm matching in freeradius (this is this patch)

==
proxy.conf:

    # Local realms
    realm subsub1.orgX.tld {
    }
    realm subsub2.orgX.tld {
    }
    realm subsub3.orgX.tld {
    }
    realm NULL {
    }

    # this realm is matched by:
    #   *.orgX.tld
    #   blackhole.orgX.tld
    # blackhole is handled locally (denied)
    realm blackhole.orgX.tld {
        regex = ^.*\.orgX\.tld$
    }

    realm DEFAULT {
        type = radius
        authhost = radius.tld:1812
        accthost = radius.tld:1813
        secret = blah
        nostrip
    }

==
users:

    DEFAULT Realm == blackhole.orgX.tld, Auth-Type := Reject

==
This patch is based on this regex patch: http://projects.nuschkys.net/patches/

I've cleaned it up a bit and did some testing. It seems to work fine and not add overhead if no regex is used. It also makes realm proxying in freeradius very flexible and intuitive. Appreciate any review :).
== diff -ur freeradius-1.0.1/raddb/proxy.conf freeradius-1.0.1-rlm_regexp/raddb/proxy.conf --- freeradius-1.0.1/raddb/proxy.conf 2004-02-26 17:16:32.0 +0100 +++ freeradius-1.0.1-rlm_regexp/raddb/proxy.conf2004-11-17 14:47:41.0 +0100 @@ -136,6 +136,22 @@ # secret = testing123 #} +# A realm containing a regular expression, matching anything like +# [EMAIL PROTECTED] as well as [EMAIL PROTECTED]. All +# requests with this realm will be handled locally. +# +# Please note that the regular expressions must be POSIX compatible +# and will be matched case insensitive. +# Additionally, the regexp should be the same on all servers of +# a fail-over and round-robin realm. +# +#realm company2.com { +# regexp = ^.*\.company2\.com$ +# type= radius +# authhost= rad.company2.com +# accthost= rad.company2.com +#} + # A realm entry with an optional fail-over realm. A request from # [EMAIL PROTECTED] will be sent to radius.isp2.com as [EMAIL PROTECTED], # because the 'nostrip' directive is specified for this realm. diff -ur freeradius-1.0.1/src/include/radiusd.h freeradius-1.0.1-rlm_regexp/src/include/radiusd.h --- freeradius-1.0.1/src/include/radiusd.h 2004-09-09 16:31:06.0 +0200 +++ freeradius-1.0.1-rlm_regexp/src/include/radiusd.h 2004-11-17 14:47:41.0 +0100 @@ -35,6 +35,10 @@ #include arpa/inet.h #endif +#ifdef HAVE_REGEX_H +#include regex.h +#endif + #include missing.h #define NO_SUCH_CHILD_PID (child_pid_t) (0) @@ -139,6 +143,10 @@ int acct_active; time_t acct_wakeup; int ldflag; +#ifdef HAVE_REGEX_H + regex_t *regex; +#endif + struct _realm *next; } REALM; 
@@ -328,6 +336,7 @@ void clients_free(RADCLIENT *cl); /* files.c */ +intrealm_find_cmp(const REALM *rlm, const char *realm); REALM *realm_find(const char *, int); REALM *realm_findbyaddr(uint32_t ipno, int port); void realm_free(REALM *cl); diff -ur freeradius-1.0.1/src/main/files.c freeradius-1.0.1-rlm_regexp/src/main/files.c --- freeradius-1.0.1/src/main/files.c 2004-04-06 22:43:49.0 +0200 +++ freeradius-1.0.1-rlm_regexp/src/main/files.c2004-11-17 14:47:41.0 +0100 @@ -33,6 +33,10 @@ # include netinet/in.h #endif +#ifdef HAVE_REGEX_H +# include regex.h +#endif + #include stdlib.h #include string.h #include netdb.h @@ -314,6 +318,12 @@ while(cl) { next = cl-next; +#ifdef HAVE_REGEX_H + if (cl-regex != NULL) { +
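Review bot: the comment and the example disagree in the proxy.conf hunk. The text says "All requests with this realm will be handled locally", but the example directly below sets `type = radius` with `authhost = rad.company2.com`, which proxies them; fix one or the other. The example also spells the key `regexp`, while the proxy.conf in the cover mail uses `regex`; pick one spelling and state which one files.c accepts, so an operator who writes the other does not get a realm that behaves differently from what the comment promises.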
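Review bot: in the radiusd.h REALM hunk, `regex_t *regex` is added under `#ifdef HAVE_REGEX_H`, so the size and layout of REALM now depend on the build configuration; any module built with a different HAVE_REGEX_H setting than the server will read the wrong offsets for `next` and the fields after it. Consider storing the pointer unconditionally (as `void *` when regex.h is absent) so the struct is stable, and add a comment stating that `regex` is NULL for realms without a pattern, since the files.c cleanup loop depends on exactly that test.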
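Review bot: the new `int realm_find_cmp(const REALM *rlm, const char *realm);` prototype in the files.c section of radiusd.h has no comment, and nothing in the patch says what happens when an exact realm and a regex realm both match. The proxy.conf in the cover mail relies on `subsub1.orgX.tld` (exact) winning over `blackhole.orgX.tld` (regex `^.*\.orgX\.tld$`), which only holds if lookup is first-match in configuration order; document that rule above the prototype, or make exact matches take precedence regardless of order, otherwise reordering proxy.conf sends local users to the Reject realm.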
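Review bot: the files.c cleanup hunk (`if (cl-regex != NULL) {`) is cut off here, but whatever follows needs both `regfree()` on the compiled pattern and `free()` of the heap `regex_t` the pointer refers to, before `cl` itself is released. On the compile side, the proxy.conf comment promises case-insensitive matching and the cover mail's pattern `^subX\.tld$|^.*\.subX\.tld$` uses alternation, so `regcomp()` must be called with `REG_EXTENDED | REG_ICASE | REG_NOSUB`; a `regcomp()` failure should be reported via `regerror()` and the realm rejected rather than left with a non-NULL but unusable `regex`.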
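The realm layout in the cover mail (exact local sub-realms first, a regex blackhole catching the rest of *.orgX.tld, DEFAULT proxied back to the TLD server) as an added, stand-alone C model; this is not the patch's code and the function names are my own. It assumes first-match lookup in configuration order with DEFAULT consulted last, and compiles patterns with `REG_EXTENDED | REG_ICASE | REG_NOSUB` so that alternation and case-insensitive matching work as the proxy.conf comment promises. It also shows the failure mode the cover mail is guarding against: a non-existent `subsub4.orgX.tld` is caught locally by the blackhole realm instead of falling through to DEFAULT and bouncing back to the TLD server.

```c
/* Added example: first-match realm lookup with optional POSIX regular
 * expressions, modelled on the cover mail's proxy.conf. Not the patch's code. */
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_REALMS 16

struct realm {
    const char *name;      /* realm name, or "DEFAULT" */
    const char *pattern;   /* NULL for exact-match realms */
    regex_t     re;        /* compiled pattern, valid when has_re != 0 */
    int         has_re;
    const char *authhost;  /* NULL means handled locally */
};

static struct realm realms[MAX_REALMS];
static int nrealms;

/* Append a realm in configuration order. Returns 0, or -1 with the regcomp
 * message on stderr, so a bad pattern never silently becomes a realm entry. */
int realm_add(const char *name, const char *pattern, const char *authhost)
{
    if (nrealms >= MAX_REALMS) return -1;
    struct realm *r = &realms[nrealms];
    memset(r, 0, sizeof *r);
    r->name = name;
    r->pattern = pattern;
    r->authhost = authhost;
    if (pattern != NULL) {
        int rc = regcomp(&r->re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB);
        if (rc != 0) {
            char msg[128];
            regerror(rc, &r->re, msg, sizeof msg);
            fprintf(stderr, "realm %s: bad regex '%s': %s\n", name, pattern, msg);
            return -1;
        }
        r->has_re = 1;
    }
    nrealms++;
    return 0;
}

/* Does this entry match the realm string? Exact names compare case-insensitively,
 * patterns go through regexec(). */
static int realm_cmp(const struct realm *r, const char *realm)
{
    if (r->has_re) return regexec(&r->re, realm, 0, NULL, 0) == 0;
    return strcasecmp(r->name, realm) == 0;
}

/* First match in configuration order wins; DEFAULT is the fallback. */
const struct realm *realm_find(const char *realm)
{
    const struct realm *dflt = NULL;
    for (int i = 0; i < nrealms; i++) {
        if (strcmp(realms[i].name, "DEFAULT") == 0) { dflt = &realms[i]; continue; }
        if (realm_cmp(&realms[i], realm)) return &realms[i];
    }
    return dflt;
}

/* Name of the realm entry that handles a User-Name; no '@' means realm NULL. */
const char *realm_handler(const char *username)
{
    const char *at = strrchr(username, '@');
    const struct realm *r = realm_find(at ? at + 1 : "NULL");
    return r ? r->name : NULL;
}

/* Release compiled patterns; a realm without a pattern has nothing to free. */
void realm_free_all(void)
{
    for (int i = 0; i < nrealms; i++)
        if (realms[i].has_re) regfree(&realms[i].re);
    nrealms = 0;
}

/* The cover mail's proxy.conf, in its order. Returns 0 on success. */
int load_example_config(void)
{
    realm_free_all();
    return realm_add("subsub1.orgX.tld", NULL, NULL)
        || realm_add("subsub2.orgX.tld", NULL, NULL)
        || realm_add("subsub3.orgX.tld", NULL, NULL)
        || realm_add("NULL", NULL, NULL)
        || realm_add("blackhole.orgX.tld", "^.*\\.orgX\\.tld$", NULL)   /* regex realm */
        || realm_add("DEFAULT", NULL, "radius.tld");
}

int main(void)
{
    static const char *users[] = {"alice@subsub1.orgX.tld", "eve@subsub4.orgX.tld",
                                  "dave@other.tld", "local"};   /* constructed */
    if (load_example_config() != 0) return 1;
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-24s -> %s\n", users[i], realm_handler(users[i]));
    realm_free_all();
    return 0;
}
```

Because exact entries precede the blackhole entry, `subsub1.orgX.tld` is handled by its own realm even though the pattern also matches it; move the blackhole entry above them and every local user is rejected, which is the precedence point worth documenting in the patch.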