Realm-based Relaying

2004-11-17 Thread jesk
Hello again,
I have a question about relaying accounting data. We have a customer who
wants to have all accounting data related to his realm.
Is there a way to relay the accounting data of his realm to his
RADIUS server? I thought about creating a separate detail logfile and then
setting up a separate radrelay which works on that file and relays the data
to him. Are there other kinds of solution for this scenario? If not,
how can I create a separate logfile with only his realm-related data in it?

Thanks for any hints!
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


help groups and LDAP

2004-11-17 Thread LALOT Dominique
Hello all,
I've spent quite a long time trying to understand how freeradius works
and trying to get everything I want working.
I have been using OpenLDAP since 2001 and I have no problems understanding LDAP,
as I have written many programs around LDAP. In fact I don't understand how
groups work under radius.

My aim: I would like to distribute different IP pools to users.
The best for me: in the user's DN we already have an attribute for a
laboratory, i.e. u2labo.
I would like to say:
1. authenticate the user in LDAP (works ok)
2. get the attribute u2labo
3. use that value to get the IP range (somewhere, even outside LDAP
(users)) to distribute the IP.

I've tried many configurations without success. The debugging of LDAP
shows me just a successful bind, without a search for groups. I tried to
add the radiusprofile objectclass without success. So what is the meaning
of groups in radius?
Can we say:
user fred  attributes XXX member of group test
group test the rest of attributes.

Could you give me the minimum to set in the conf files to get it working?
Thanks
Dom
--
Dominique LALOT 
Systems and Network Engineer, CISCAM Network Unit
Université de la Méditerranée http://annuaire.univ-mrs.fr/showuser.php?uid=lalot



problem with freeradius - ldap - peap

2004-11-17 Thread Pål Hjelmeseth Myklebust
I have a problem I can't seem to figure out, so I wondered if any of you
have a suggestion. It looks like everything is working as intended: the
LDAP finds the account and authorizes the client, but then it sends
Access-Reject.

[EMAIL PROTECTED] log]# /usr/sbin/radiusd -x -A
Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
Module: Instantiated detail (auth_log)
Module: Loaded LDAP
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS 
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x97ac438
Module: Instantiated ldap (ldap)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type tls
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Initializing the thread pool...
Listening on authentication *:1645
Listening on accounting *:1646
Listening on proxy *:1647
Ready to process requests.
rad_recv: Access-Request packet from host 158.36.80.3:1645, id=33, length=125
User-Name = pmyklebu
Framed-MTU = 1400
Called-Station-Id = 0040.96a0.1b31
Calling-Station-Id = 000e.3526.4533
Message-Authenticator = 0xaf9422f5561d549ae6f7be33b6c134ef
EAP-Message = 0x0202000d01706d796b6c656275
NAS-Port-Type = Virtual
NAS-Port = 339
NAS-IP-Address = 158.36.80.3
NAS-Identifier = ap01
rlm_ldap: - authorize
rlm_ldap: performing user authorization for pmyklebu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to ldap.mf.no:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=mf,dc=no/MF1d4p to 

Re: acct_users - Exec-Program not working

2004-11-17 Thread Evert Meulie
I seem to have the same problem here, also with version 1.0.1 (haven't 
tried it with  1.0 though...)

Regards,
   Evert
Mike O'Connor wrote:
Hi All
I have been using freeradius 0.9.3 for a long time and the acct_users
file below has always worked well (I did have a problem where it would
just stop running the script sometimes).

I upgraded to 1.0.1 because I was having trouble with the ippool code
not sending a Framed-IP-Address every time. (This seems to be fixed in
this version.)

But now I have a problem where my script never gets run, even though
the log below shows it being run. All the file permissions are set with
ownership by the freeradius user.

Any ideas would be great.
Thanks
Mike

--- acct_users ---
#
# $Id: acct_users,v 1.3.4.1 2003/08/26 17:41:48 phampson Exp $
#
# This is like the 'users' file, but it is processed only for
# accounting packets.
#
DEFAULT Acct-Status-Type == Start
 Exec-Program = /usr/sbin/set_filter.php
# Exec-Program = /usr/bin/php4 -q /usr/sbin/set_filter.php
#
DEFAULT Acct-Status-Type == Stop
 Exec-Program = /usr/sbin/set_filter.php
#
#DEFAULT Acct-Status-Type == Alive
#  Exec-Program = printenv > /tmp/alive-env.dump
#
#  For information on how the attributes from the request are passed
#  to the program, see 'doc/variables.txt'
#
-- Exec-Program Running (maybe) ---
rlm_sql (sql): Reserving sql socket id: 10
rlm_sql_postgresql: query: UPDATE radacct SET AcctStopTime = (now() -
'0'::interval), AcctSessionTime = '701', AcctInputOctets =
(('0'::bigint << 32) + '183922'::bigint), AcctOutputOctets =
(('0'::bigint << 32) + '755249'::bigint), AcctTerminateCause =
'User-Request', AcctStopDelay = '0', FramedIPAddress =
NULLIF('202.xx.xx.xx', '')::inet, ConnectInfo_stop = '' WHERE
AcctSessionId = '001E64D7' AND UserName = 'gcrispin' AND NASIPAddress
= '202.xx.xx.xx' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: affected rows = 1
rlm_sql (sql): Released sql socket id: 10
rlm_ippool: Searching for an entry for nas/port: 202.xx.xx.xx/152
rlm_ippool: Deallocated entry for ip/port: 202.xx.xx.xx/152
rlm_ippool: num: 0
Exec-Program: /usr/sbin/set_filter.php
Sending Accounting-Response of id 110 to 202.xx.xx.xx:39753

-- Exec-Program Running with -xx --
radius_xlat:  '/tmp/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 31
rlm_sql_postgresql: query: UPDATE radacct SET AcctStopTime = (now() -
'0'::interval), AcctSessionTime = '48', AcctInputOctets =
(('0'::bigint << 32) + '16176'::bigint), AcctOutputOctets =
(('0'::bigint << 32) + '45690'::bigint), AcctTerminateCause =
'User-Request', AcctStopDelay = '0', FramedIPAddress =
NULLIF('202.xx.xx.xx', '')::inet, ConnectInfo_stop = '' WHERE
AcctSessionId = '001E651E' AND UserName = 'matt' AND NASIPAddress =
'202.xx.xx.xx' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: affected rows = 1
rlm_sql (sql): Released sql socket id: 31
 modcall[accounting]: module sql returns ok for request 0
rlm_ippool: Searching for an entry for nas/port: 202.xx.xx.xx/308
rlm_ippool: Deallocated entry for ip/port: 202.xx.xx.xx/308
rlm_ippool: num: 0
 modcall[accounting]: module main_pool returns ok for request 0
modcall: group accounting returns ok for request 0
radius_xlat:  '/usr/sbin/set_filter.php'
Exec-Program: /usr/sbin/set_filter.php
Sending Accounting-Response of id 116 to 202.xx.xx.xx:39753



Daily/Monthly limit

2004-11-17 Thread Samareanu Florin
Is there any way to get rid of those values? My users have unlimited
access and it is disturbing to see that they have exceeded the values.
Current values are: 4 hours daily and 20 hours weekly.
Thank you



RE: Secure TLS connection between Freeradius and Openldap

2004-11-17 Thread Konstantin KABASSANOV
Well, finally I succeeded in doing what I wanted... The reason for the failure
was quite stupid: in the radiusd.conf file, I had put the LDAP server address
in IPv4 dotted form. Of course, freeradius does not try to resolve
it, and of course the address obtained from the LDAP server certificate
does not match...

Thanks all who tried to help me.

Konstantin

-Original Message-
From: Konstantin KABASSANOV [mailto:[EMAIL PROTECTED]
Sent: Tuesday 16 November 2004 15:46
To: '[EMAIL PROTECTED]'
Subject: Secure TLS connection between Freeradius and Openldap

Hello,

I'm trying to establish a secure TLS connection between a Freeradius and
an Openldap server.

The openssl s_client -connect command successfully establishes a
connection to the openldap server on the mentioned port with the
following certificates, but when trying to bind from freeradius I get the
following error message:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.0.3.2:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/openssl/certs/root.pem
rlm_ldap: setting TLS CACert File to /etc/openssl/certs/
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: setting TLS Cert File to /etc/openssl/certs/cert.pem
rlm_ldap: setting TLS Key File to /etc/openssl/certs/key.pem
rlm_ldap: setting TLS Key File to /etc/openssl/certs/random
rlm_ldap: bind as cn=Manager,dc=MYDOMAIN,dc=COM/password to 10.0.3.2:636
rlm_ldap: cn=Manager,dc=MYDOMAIN,dc=COM bind to 10.0.3.2:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed

Of course if I don't set the tls mode, the connection is ok.

Any hints?


Thanks.

Konstantin

_

Konstantin K. KABASSANOV

LIP6/CNRS
8, rue du Capitaine Scott
75015 Paris, France

Phone: +33 (0) 1 44 27 71 26
Fax:   +33 (0) 1 44 27 74 95

E-mail: [EMAIL PROTECTED]
Web: http://www.kabassanov.com
_
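Added example (not rlm_ldap, OpenLDAP or the author's code) illustrating the mismatch Konstantin found: a certificate issued to a DNS name never matches when the client connected to an IP literal, so the only ways through are to connect by the name in the certificate or to issue a certificate that also carries the IP address. The certificate dicts below are constructed to mimic the shape Python's `ssl.SSLSocket.getpeercert()` returns; `reference_id_matches` and `_dns_match` are this example's own functions.

```python
"""Name checking of a server certificate against the reference the client
connected to.  Added example; the certificates are constructed, and the rules
follow the usual RFC 6125 / RFC 2818 practice: a DNS name matches a SAN
dNSName (wildcard only in the left-most label), an IP literal matches only a
SAN iPAddress, and the subject CN is consulted only when no dNSName exists."""
import ipaddress


def _dns_match(pattern, hostname):
    """Case-insensitive label comparison with single-label wildcard support."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # "*.example.com" covers "ldap.example.com" but never "example.com"
        # itself nor a deeper "a.b.example.com"; refuse "*.com"-style patterns.
        return len(h_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def reference_id_matches(cert, reference):
    """True when `reference` (hostname or IP literal used to connect) is covered
    by the certificate.  Connecting to 10.0.3.2 against a certificate issued to
    ldap.example.com is exactly the case that returns False."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is never compared with dNSName or CN entries.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if not dns_names:
        # Legacy fallback: CN is only considered when the SAN carries no dNSName.
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, reference) for p in dns_names)


# Constructed certificates, shaped like ssl.SSLSocket.getpeercert() output.
LDAP_CERT_DNS_ONLY = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}
LDAP_CERT_WITH_IP = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("IP Address", "10.0.3.2")),
}
LEGACY_CN_ONLY_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
}


if __name__ == "__main__":
    for cert_name, cert in (("dns-only", LDAP_CERT_DNS_ONLY), ("with-ip", LDAP_CERT_WITH_IP)):
        for ref in ("ldap.example.com", "10.0.3.2"):
            print("%-8s connect to %-18s -> %s" % (cert_name, ref, reference_id_matches(cert, ref)))
```

One caveat a practitioner would check in the quoted configuration: the debug output shows "setting TLS Require Cert to never", which in OpenLDAP terms means the server certificate is neither requested nor checked, so this name comparison would not run at all; using the hostname the certificate was issued to (as the author did) together with a require-cert setting of demand is what makes the check above actually protect the bind credentials in transit.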


IMPORTANT! If you have tried to reply to this mail and you received a
stupid message, announcing that the mail had been rejected as spam,
please, resend your reply to the address above.

The certificate used to sign this e-mail can be verified at:
http://igc.services.cnrs.fr/CNRS-Standard/recherche.html

Too much is never enough. ( Me ;) )



smime.p7s
Description: S/MIME cryptographic signature


rlm_python with cx_Oracle

2004-11-17 Thread Nick 'TARANTUL' Novikov
Hello!
I have some trouble importing the cx_Oracle python module. After adding
the import line I see this in debug:

Module: Loaded python
python: mod_instantiate = freeradius
python: func_instantiate = instantiate
python: mod_authorize = freeradius
python: func_authorize = authorize
python: mod_authenticate = (null)
python: func_authenticate = (null)
python: mod_preacct = freeradius
python: func_preacct = preacct
python: mod_accounting = freeradius
python: func_accounting = accounting
python: mod_checksimul = (null)
python: func_checksimul = (null)
python: mod_detach = freeradius
python: func_detach = detach
exceptions.ImportError: /usr/lib/python2.3/site-packages/cx_Oracle.so: 
undefined symbol: PyExc_RuntimeError
Failed to import python module freeradius
radiusd.conf[1502]: python: Module instantiation failed.

How can I fix this problem?
--
TARANTUL


strip domain

2004-11-17 Thread Samareanu Florin
Any idea how I can strip the domain?
My Win98 box sends the username as DOMAIN\\USERNAME


Re: Proxied EAP authentication

2004-11-17 Thread jh vg
My thesis is the implementation of a proposed framework for lightweight
WLAN roaming. So we are trying to reduce the number of messages so as to
provide faster roaming. They have given me a diagram with the exchange of
messages which I must implement. The diagram is like the one in the RFCs (which
describe authentication with EAP), but some messages are passed to the home
server from the foreign server (proxy) and are identical to those that are
passed from the access point to the proxy server (in the normal procedure). In this
diagram there aren't any State or Proxy-State attributes. It's possible that I
may have to modify the procedure of the RADIUS protocol, but I am not sure if
the protocol can work without the exchange of the State and Proxy-State
attributes. As far as I have seen, these 2 attributes don't affect the EAP protocol.
Is that correct?
Thanks

From: Alan DeKok <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Proxied EAP authentication
Date: Tue, 16 Nov 2004 17:25:06 -0500

jh vg <[EMAIL PROTECTED]> wrote:
> I am working on my university thesis using Freeradius. It's about WLAN
> Roaming.
> We want to reduce the messages that are sent during an EAP
> authentication between the foreign and home server (so we use a proxy).

  I'm not sure that's possible.

> No matter how I have searched I cannot find an RFC describing the
> sequence of messages between 2 servers (I looked at RFC 3579, 3580
> and generally all RFCs in radius docs).

  T2a RADIUS server which passes requests to a RADIUS client.

                    proxy
           +-------------------------+
  client | server           client | server
           +-------------------------+

  A proxy acts like a server to its clients, and as a client to its
servers.  There is no extra document needed because the documents
already describe how clients and servers interact.

> So the question is, are there any RFCs describing the procedure? I would
> also like to know if I can alter the freeradius source code so as to cut some
> attributes it sends. These attributes are probably State and
> Proxy-State.

  Uh... why?  Those attributes have very well-defined meanings.
They're needed.  If you don't have them, EAP & RADIUS stop working.
Read the RFCs to see why.

  Perhaps you could say WHY you're trying to reduce the messages.  Is
it the number of messages?  The size?

  I don't think you'll be able to reduce either unless you define your
own version of EAP & RADIUS.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
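The exchange Alan describes above (a proxy is a server to its clients and a client to its servers) and the job of Proxy-State, worked through as an added example that is not part of the original thread and not FreeRADIUS code: a NAS, a proxy and a home server exchange RFC 2865 packets in-process. The shared secrets, identifiers, accepted user and the toy home-server policy are constructed; EAP-Message and Message-Authenticator handling (RFC 3579) is deliberately left out so the framing stays readable.

```python
"""Minimal NAS -> proxy -> home-server RADIUS exchange in RFC 2865 framing.

Added example, not FreeRADIUS code.  The proxy appends its own Proxy-State,
the home server must echo every Proxy-State back unchanged, and the proxy uses
that echo to match the reply to the pending request before stripping it and
re-signing the reply for the NAS.  Secrets and identities are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2            # RFC 2865 packet codes
USER_NAME, STATE, PROXY_STATE = 1, 24, 33       # RFC 2865 attribute types


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse the attribute area, rejecting truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def response_auth(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def home_server(pkt, secret):
    """Toy home server: accepts everyone, echoes all Proxy-State attributes in order."""
    code, ident, req_auth, attrs = parse(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected code")
    reply_attrs = [(STATE, b"home-session-1")] + [a for a in attrs if a[0] == PROXY_STATE]
    auth = response_auth(ACCESS_ACCEPT, ident, reply_attrs, req_auth, secret)
    return build(ACCESS_ACCEPT, ident, auth, reply_attrs)


def proxy(pkt, nas_secret, home_secret, forward):
    """Tag the request with our Proxy-State, forward it, check the reply's
    Response Authenticator, strip our tag, and re-sign the reply for the NAS."""
    code, nas_ident, nas_auth, attrs = parse(pkt)
    tag = os.urandom(8)                      # opaque value only this proxy understands
    fwd_ident, fwd_auth = (nas_ident + 1) % 256, os.urandom(16)
    reply = forward(build(code, fwd_ident, fwd_auth, attrs + [(PROXY_STATE, tag)]), home_secret)
    rcode, rident, rauth, rattrs = parse(reply)
    if rident != fwd_ident or rauth != response_auth(rcode, rident, rattrs, fwd_auth, home_secret):
        raise ValueError("reply failed the Response Authenticator check")
    if not rattrs or rattrs[-1] != (PROXY_STATE, tag):   # ours must be the last one echoed
        raise ValueError("reply does not carry our Proxy-State")
    nas_attrs = rattrs[:-1]
    return build(rcode, nas_ident, response_auth(rcode, nas_ident, nas_attrs, nas_auth, nas_secret), nas_attrs)


def run_exchange(tamper=False):
    """Run the three-party exchange; with tamper=True one byte of the home
    server's reply is flipped in transit so the proxy's check must fail."""
    nas_secret, home_secret = b"nas-proxy-secret", b"proxy-home-secret"   # constructed
    req_auth = os.urandom(16)
    request = build(ACCESS_REQUEST, 7, req_auth, [(USER_NAME, b"alice@example.org")])

    def forward(p, s):
        r = home_server(p, s)
        return r[:-1] + bytes([r[-1] ^ 0x01]) if tamper else r

    try:
        reply = proxy(request, nas_secret, home_secret, forward)
    except ValueError as exc:
        return {"accepted": False, "error": str(exc)}
    code, ident, auth, attrs = parse(reply)
    verified = ident == 7 and auth == response_auth(code, ident, attrs, req_auth, nas_secret)
    return {"accepted": verified and code == ACCESS_ACCEPT,
            "state_present": any(t == STATE for t, _ in attrs),
            "proxy_state_leaked": any(t == PROXY_STATE for t, _ in attrs)}
```

`run_exchange()` yields an accepted reply in which the home server's State survives to the NAS while the proxy's Proxy-State does not; `run_exchange(tamper=True)` shows the proxy discarding a reply whose Response Authenticator no longer matches. The proxy checks that the echoed Proxy-State is the last one and removes only its own, which is the behaviour RFC 2865 section 5.33 asks of proxies, so dropping the attribute on either side breaks the request/reply pairing on which the whole relay depends.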


rlm_eap runtime link failure on FreeRADIUS 1.0.1 under Cygwin

2004-11-17 Thread Mark Pollard
Please confirm that this is possible!

I've been able to configure, make and install the product with little to
no problem.  However, execution aborts when rlm_eap is loaded:

...
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
radiusd.conf[9] Failed to link to module 'rlm_eap': unknown error

Line 9 (of eap.conf) is where the eap module is loaded:

...
   eap {
...

I configured FR to build with static libraries:

  $ ./configure --without-snmp --disable-shared --enable-static

As you'll see below, everything is linked with '-dlpreopen'.
radiusd.exe is 1251KB making me think that everything did in fact
statically link.

Have you run into this problem?  Thank you for any time you put into
responding.

Regards,

Mark
--
/usr/tmp/freeradius-1.0.1/libtool --mode=link gcc -export-dynamic -dlopen self \
  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall \
  -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align \
  -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes \
  -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef \
  -I../include -DHOSTINFO=\\ -DRADIUSD_VERSION=\1.0.1\ -L../lib -o radiusd \
  radiusd.o files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o \
  exec.o auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o \
  threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o -lcrypt \
  -dlpreopen ../modules/rlm_acct_unique/rlm_acct_unique.la \
  -dlpreopen ../modules/rlm_always/rlm_always.la \
  -dlpreopen ../modules/rlm_attr_filter/rlm_attr_filter.la \
  -dlpreopen ../modules/rlm_attr_rewrite/rlm_attr_rewrite.la \
  -dlpreopen ../modules/rlm_chap/rlm_chap.la \
  -dlpreopen ../modules/rlm_counter/rlm_counter.la \
  -dlpreopen ../modules/rlm_dbm/rlm_dbm.la \
  -dlpreopen ../modules/rlm_detail/rlm_detail.la \
  -dlpreopen ../modules/rlm_digest/rlm_digest.la \
  -dlpreopen ../modules/rlm_eap/rlm_eap.la \
  -dlpreopen ../modules/rlm_exec/rlm_exec.la \
  -dlpreopen ../modules/rlm_expr/rlm_expr.la \
  -dlpreopen ../modules/rlm_fastusers/rlm_fastusers.la \
  -dlpreopen ../modules/rlm_files/rlm_files.la \
  -dlpreopen ../modules/rlm_ippool/rlm_ippool.la \
  -dlpreopen ../modules/rlm_mschap/rlm_mschap.la \
  -dlpreopen ../modules/rlm_ns_mta_md5/rlm_ns_mta_md5.la \
  -dlpreopen ../modules/rlm_pap/rlm_pap.la \
  -dlpreopen ../modules/rlm_passwd/rlm_passwd.la \
  -dlpreopen ../modules/rlm_preprocess/rlm_preprocess.la \
  -dlpreopen ../modules/rlm_radutmp/rlm_radutmp.la \
  -dlpreopen ../modules/rlm_realm/rlm_realm.la \
  -dlpreopen ../modules/rlm_sql/rlm_sql.la \
  -dlpreopen ../modules/rlm_unix/rlm_unix.la \
  -dlpreopen ../modules/rlm_x99_token/rlm_x99_token.la \
  -dlpreopen ../modules/rlm_checkval/rlm_checkval.la \
  -dlpreopen ../modules/rlm_eap/types/rlm_eap_md5/rlm_eap_md5.la \
  -dlpreopen ../modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.la \
  -dlpreopen ../modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.la \
  -dlpreopen ../modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.la \
  -dlpreopen ../modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.la \
  -dlpreopen ../modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.la \
  -dlpreopen ../modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.la \
  -dlpreopen ../modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.la \
  -lpthread -lcrypto -lssl -lradius \
  /usr/tmp/freeradius-1.0.1/libltdl/libltdl.la -lcrypt
rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
creating .libs/radiusdS.c
generating symbol list for `radiusd.exe'
extracting global C symbols from `radiusd.o'
extracting global C symbols from `files.o'
extracting global C symbols from `util.o'
extracting global C symbols from `acct.o'
extracting global C symbols from `nas.o'
extracting global C symbols from `log.o'
extracting global C symbols from `valuepair.o'
extracting global C symbols from `version.o'
extracting global C symbols from `proxy.o'
extracting global C symbols from `exec.o'
extracting global C symbols from `auth.o'
extracting global C symbols from `timestr.o'
extracting global C symbols from `conffile.o'
extracting global C symbols from `modules.o'
extracting global C symbols from `modcall.o'
extracting global C symbols from `session.o'
extracting global C symbols from `xlat.o'
extracting global C symbols from `threads.o'
extracting global C symbols from `smux.o'
extracting global C symbols from `radius_snmp.o'
extracting global C symbols from `client.o'
extracting global C symbols from `request_list.o'
extracting global C symbols from `mainconfig.o'
extracting global C symbols from `../modules/rlm_acct_unique/.libs/rlm_acct_unique.a'
extracting global C symbols from `../modules/rlm_always/.libs/rlm_always.a'
extracting global C symbols from `../modules/rlm_attr_filter/.libs/rlm_attr_filter.a'
extracting global C symbols from `../modules/rlm_attr_rewrite/.libs/rlm_attr_rew

RE: Proxied EAP authentication

2004-11-17 Thread Guy Davies
It is possible to reduce the number of messages for reauthentication by
implementing what is variously known as Fast Roaming, Fast
Reauthentication and Session Resumption.  This doesn't have any impact
on the initial authentication exchange.  However, once both parties
(supplicant and authenticator) know the master password, then the fact
that each party knows the master password is considered sufficient to
authenticate the supplicant and authenticator to each other.  Generally,
this is only applied for a fixed period/fixed number of
reauthentications before a complete reauthentication involving the
RADIUS server is required.

IIUC, FreeRADIUS implements this in the EAP-TLS module that is used by
EAP-TTLS and PEAP so probably Session Resumption will be supported in
those EAP types at the minimum.

Regards,

Guy




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
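The policy in Guy's first paragraph (resume from cached keying material for a fixed period and a fixed number of times, with both sides proving they hold the secret, then force a full RADIUS-backed authentication), as an added example rather than FreeRADIUS's rlm_eap_tls implementation. The `ResumptionCache`, `fast_reauth` and the HMAC-based mutual proof are this example's own constructions, as are the lifetime, the counter and every secret.

```python
"""Session-resumption bookkeeping on the authenticator side.

Added example, not FreeRADIUS code.  A full authentication stores the master
secret under a fresh opaque session id; a later reauthentication is one round
trip in which each side proves possession of that secret with an HMAC over
both nonces.  Entries stop being resumable after a lifetime or after a fixed
number of uses, forcing a complete reauthentication."""
import hashlib
import hmac
import os
import time


class ResumptionCache:
    def __init__(self, lifetime_s, max_resumptions):
        self.lifetime_s = lifetime_s
        self.max_resumptions = max_resumptions
        self._entries = {}          # session_id -> {"secret", "created", "used"}

    def store(self, master_secret, now=None):
        """Call after a full authentication; returns the id handed to the supplicant."""
        sid = os.urandom(16)
        created = time.time() if now is None else now
        self._entries[sid] = {"secret": master_secret, "created": created, "used": 0}
        return sid

    def lookup(self, sid, now=None):
        """Return the master secret while the entry is resumable, else None.
        Expired or exhausted entries are dropped so the next attempt must be a full reauth."""
        now = time.time() if now is None else now
        entry = self._entries.get(sid)
        if entry is None:
            return None
        if now - entry["created"] > self.lifetime_s or entry["used"] >= self.max_resumptions:
            del self._entries[sid]
            return None
        entry["used"] += 1
        return entry["secret"]


def _prf(secret, label, nonce_a, nonce_b):
    return hmac.new(secret, label + nonce_a + nonce_b, hashlib.sha256).digest()


def fast_reauth(cache, sid, supplicant_secret, now=None):
    """One round trip: authenticator challenge, supplicant proof over both nonces,
    authenticator verification and its own proof back.  Returns
    (resumed, supplicant_accepts_authenticator)."""
    secret = cache.lookup(sid, now)
    if secret is None:
        return False, False                      # policy says: full reauthentication
    nonce_a, nonce_s = os.urandom(16), os.urandom(16)
    supplicant_proof = _prf(supplicant_secret, b"supplicant", nonce_a, nonce_s)
    if not hmac.compare_digest(supplicant_proof, _prf(secret, b"supplicant", nonce_a, nonce_s)):
        return False, False                      # peer does not hold the secret
    authenticator_proof = _prf(secret, b"authenticator", nonce_s, nonce_a)
    expected = _prf(supplicant_secret, b"authenticator", nonce_s, nonce_a)
    return True, hmac.compare_digest(authenticator_proof, expected)


def simulate(lifetime_s=3600, max_resumptions=2):
    """Drive the policy through its edge cases; returns the resumed/not sequence."""
    cache = ResumptionCache(lifetime_s, max_resumptions)
    master = os.urandom(32)
    sid = cache.store(master, now=0)
    outcomes = [fast_reauth(cache, sid, master, now=t)[0] for t in (10, 20, 30)]
    sid = cache.store(master, now=100)               # a full reauth issues a fresh id
    outcomes.append(fast_reauth(cache, sid, master, now=100 + lifetime_s + 1)[0])
    sid = cache.store(master, now=200)
    outcomes.append(fast_reauth(cache, sid, os.urandom(32), now=210)[0])   # wrong secret
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The third attempt in `simulate()` fails because the counter is exhausted, the fourth because the lifetime has passed, and the fifth because the peer cannot produce the proof; all three end the same way, with the RADIUS server back in the loop for a full exchange, which is the bound Guy describes on how long a resumed session may be trusted.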


eap-tls auth: access accept is sent but xp client keeps resending access-req

2004-11-17 Thread Lara Adianto
Hi list,

I have a strange problem with EAP/TLS authentication.

I have done the setup with the guide from Ken Roser's howto provided on the freeradius site:
- The client is XP, wireless card: linksys WPC54G
- The freeradius server is installed on linux
- The access point is a linksys WRT54G
- The certificates (with enhanced key usage for server and client authentication) for server and client are generated using openssl installed on the freeradius server

The log file of freeradius shows that the authentication is successful, with access-accept being sent. I use tcpdump to confirm that access-accept is indeed sent and received by the access point. However, after about 1 minute, the client resends an access-request. And this keeps repeating... and the client seems to fail the authentication, though the radius server keeps sending access-accept:


Sending Access-Accept of id 23 to 192.168.168.60:1232
MS-MPPE-Recv-Key = 0xeb0e81327b50c60eb6bd54a9a02da65bcc87136bfdf0d0708f9be01db4078473
MS-MPPE-Send-Key = 0xb01787160d97e7cf0ac614e56479ee7870a6068f142a2279b71e5d3894225f72
EAP-Message = 0x03150004
Message-Authenticator = 0x

No session-timeout attribute is sent though, unlike in Ken Roser's log file. Could this be a problem?

The eapol.log shows: [1648] 15:45:13:583: ElWriteCompletionRoutine sent out 0 bytes with error -1073741823, but I'm not quite sure what it means.

The only error log I can suspect from the event viewer is this:

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 17-Nov-04
Time: 7:50:04 PM
User: N/A
Computer: LAR4S
Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Can anyone help me? Please? I really need to solve this ASAP...

Thank you,
Lara

eapol.log:
[2952] 15:45:09:848: ElMediaEventsHandler entered -- EventType=6
[2952] 15:45:09:868: ElMediaEventsHandler: Calling ElMediaSenseCallback
[2952] 15:45:09:868: ElMediaSenseCallback: Entered
[2952] 15:45:09:868: ElMediaSenseCallbackWorker: For interface (Wireless-G Notebook Adapter with SpeedBooster), GUID ({CCB5C4C2-79EB-4414-A58B-6382051C13F6}), length of block = 90
[2952] 15:45:09:868: ElMediaSenseCallbackWorker: Callback for sense disconnect
[2952] 15:45:09:868: FSMDisconnected entered for port Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport
[2952] 15:45:09:868: Setting state DISCONNECTED for port Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport
[2952] 15:45:09:868: FSMDisconnected completed for port Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport
[2952] 15:45:09:868: ElMediaSenseCallbackWorker: Port marked disconnected Wireless-G Notebook Adapter with SpeedBooster
[2952] 15:45:09:868: ElMediaSenseCallbackWorker: processed, RetCode = 0
[1648] 15:45:13:583: ElMediaEventsHandler entered -- EventType=7
[1648] 15:45:13:583: ElMediaEventsHandler: Calling ElZeroConfigEvent
[1648] 15:45:13:583: ElGetInterfaceParams: SsidLength=7, Found EapTypeId=13, SSIDLen=7
[1648] 15:45:13:583: ElEnumAndOpenInterfaces: DeviceDesc = , GUID = {CCB5C4C2-79EB-4414-A58B-6382051C13F6}
[1648] 15:45:13:583: ElNdisuioEnumerateInterfaces: Opening handle
[1648] 15:45:13:583: NdisuioEnumerateInterfaces: NDISUIO bound to: (0) \DEVICE\{1A918A7C-F63C-4EF3-B6AD-12C1DFC6A4A1} - Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
[1648] 15:45:13:583: NdisuioEnumerateInterfaces: NDISUIO bound to: (1) \DEVICE\{CCB5C4C2-79EB-4414-A58B-6382051C13F6} - Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport
[1648] 15:45:13:583: ElNdisuioEnumerateInterfaces: DeviceIoControl IOCTL_NDISUIO_QUERY_BINDING has no more entries
[1648] 15:45:13:583: Device: \DEVICE\{1A918A7C-F63C-4EF3-B6AD-12C1DFC6A4A1}
[1648] 15:45:13:583: Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
[1648] 15:45:13:583: Device: \DEVICE\{CCB5C4C2-79EB-4414-A58B-6382051C13F6}
[1648] 15:45:13:583: Description: Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport
[1648] 15:45:13:583: ElEnumAndOpenInterfaces: Found interface after enumeration \DEVICE\{CCB5C4C2-79EB-4414-A58B-6382051C13F6}
[1648] 15:45:13:583: ElEnumAndOpenInterfaces: Found PCB already existing for interface
[1648] 15:45:13:583: ElCreatePort: Entered for Handle=(0D8C), GUID=({CCB5C4C2-79EB-4414-A58B-6382051C13F6}), Name=(Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport), ZCId=(1150), UserData=(033B961C) Notification=4
[1648] 15:45:13:583: ElGetInterfaceNdisStatistics: pwszDeviceInterfaceName = (\Device\{CCB5C4C2-79EB-4414-A58B-6382051C13F6})
[1648] 15:45:13:583: ElCreatePort: PCB found for {CCB5C4C2-79EB-4414-A58B-6382051C13F6}
[1648] 15:45:13:583: ElReStartPort: Entered:

debian with freeradius and securid PAM Module

2004-11-17 Thread Markus.Wintruff
Hello,

I want to use SecurID with FreeRADIUS on my Debian.
I have chosen and installed the pam_securid.so module from RSA and set up PAM 
and FreeRADIUS.

If I run a radtest, every time I get the following errors in syslog:
Nov 17 14:31:49 abrakadabra freeradius: PAM unable to 
dlopen(/lib/security/pam_securid.so)
Nov 17 14:31:49 abrakadabra freeradius: PAM [dlerror: 
/lib/security/pam_securid.so: undefined symbol: pam_get_item]
Nov 17 14:31:49 abrakadabra freeradius: PAM adding faulty module: 
/lib/security/pam_securid.so

When I use the module with ssh it works quite well.

Has anybody got some ideas? Is there anybody who is using SecurID with FreeRADIUS?

Regards

Markus Wintruff

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: problem with freeradius - ldap - peap

2004-11-17 Thread Alan DeKok
Pål Hjelmeseth Myklebust [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] log]# /usr/sbin/radiusd -x -A

  Please run the server as /usr/sbin/radiusd -X.  You will get MUCH
more debugging information, which will help you solve your problem.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: strip domain

2004-11-17 Thread Alan DeKok
Samareanu Florin [EMAIL PROTECTED] wrote:
 any idea how I can strip the domain?
 my win98 box sends the username as DOMAIN\\USERNAME

  Read radiusd.conf.  Look for the word ntdomain, and the realms module.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
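An added example for the exchange above (mine, not rlm_realm code): what a `realm` instance in FreeRADIUS 1.x does with a `DOMAIN\user` or `user@realm` name. The two instances modelled are the `ntdomain` one the reply points at (`format = prefix`, `delimiter = "\\"`) and the stock `suffix` one (`format = suffix`, `delimiter = "@"`); the realm table, the request dicts and the return-code strings are constructed for the example. The point a practitioner needs: the name is only stripped when the realm is one the server knows, otherwise the request is left alone and later modules keep seeing `DOMAIN\user`, which is why the LDAP or SQL lookup then fails.

```python
"""Added example, not FreeRADIUS code: one 'realm' module instance, as configured in
radiusd.conf for FreeRADIUS 1.x, applied to a request.  Split User-Name on the delimiter,
look the realm up, and strip only if the realm is known."""

# Constructed realm table: realm name -> where it authenticates.  In 1.x this lives in
# proxy.conf: authhost = LOCAL means "handle it here", anything else is a proxy target.
REALMS = {
    "CORP": "LOCAL",
    "example.com": "LOCAL",
    "partner.net": "radius.partner.net",
}

# The two instances from the reply; format and delimiter are the real radiusd.conf options:
#   realm ntdomain { format = prefix  delimiter = "\\" }   handles DOMAIN\user
#   realm suffix   { format = suffix  delimiter = "@"  }   handles user@realm
INSTANCES = {
    "ntdomain": ("prefix", "\\"),
    "suffix": ("suffix", "@"),
}


def split_realm(user_name, fmt, delimiter):
    """Return (user, realm); realm is None when the delimiter is absent."""
    if delimiter not in user_name:
        return user_name, None
    if fmt == "prefix":
        realm, _, user = user_name.partition(delimiter)    # split at the first delimiter
    else:
        user, _, realm = user_name.rpartition(delimiter)   # split at the last delimiter
    return user, realm


def realm_instance(name, request, realms=REALMS):
    """Run one instance over a request (dict attribute -> value).  Returns (rcode, request).
    The rcode strings are illustrative; only the attribute changes mirror rlm_realm."""
    fmt, delimiter = INSTANCES[name]
    req = dict(request)
    user, realm = split_realm(req["User-Name"], fmt, delimiter)
    if realm is None:
        return "noop", req          # nothing to split ("No '@' in User-Name" in the debug log)
    target = realms.get(realm)
    if target is None:
        return "noop", req          # "No such realm": name stays intact, fail closed downstream
    req["Stripped-User-Name"] = user   # later modules use %{Stripped-User-Name:-%{User-Name}}
    req["Realm"] = realm
    if target != "LOCAL":
        req["Proxy-To-Realm"] = realm  # hand the request to the proxy code
    return "updated", req


def authorize(request, order=("ntdomain", "suffix")):
    """Simplification of the authorize{} list: run the instances in order and stop at the
    first one that recognises a realm."""
    for name in order:
        rcode, request = realm_instance(name, request)
        if rcode != "noop":
            break
    return request


if __name__ == "__main__":
    for name in ("CORP\\alice", "bob@partner.net", "OTHER\\carol", "dave"):
        print(name, "->", authorize({"User-Name": name}))
```

Note the fail-closed behaviour on an unknown realm: `OTHER\carol` is not stripped to `carol`, so a client sending an arbitrary domain prefix cannot be mapped onto a local account by accident. If a Windows client may also send a bare user name, make sure the local realm name really is in the table, otherwise the same person is two different identities to your `users` file, LDAP or SQL.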


Re: Server is being hit by requests as old as one week..... how to stop?

2004-11-17 Thread Alan DeKok
Prabhdeep [EMAIL PROTECTED] wrote:
 It seems that by solving this problem we had taken on
 a bigger problem. Because server is now returning
 error for any duplicate accounting record,

  There are no error accounting packets.  The server just doesn't
respond.

 clients are
 submitting the request again and again  we are
 being hit by requests as old as one week.

  That's dumb.

 I guess, my question is that if there is any way to
 stop this requests. 

  Reboot the client, or configure the server to respond to duplicate
accounting requests.  Use doc/configurable_failover to tell the
server if SQL returns a problem, just respond always OK.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Bandwidth management Cisco

2004-11-17 Thread EROS
Hi,

I would like to set up a max bandwidth over my cisco 1200AP (ios v12). 
My question is : what attribute I should use in radius to set the max
download and upload for the client ?

thx

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan
DeKok
Sent: Wednesday, 17 November 2004 15:17
To: [EMAIL PROTECTED]
Subject: Re: problem with freeradius - ldap - peap 


Pål Hjelmeseth Myklebust [EMAIL PROTECTED]
wrote:
 [EMAIL PROTECTED] log]# /usr/sbin/radiusd -x -A

  Please run the server as /usr/sbin/radiusd -X.  You will get MUCH
more debugging information, which will help you solve your problem.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Daily/Monthly limit

2004-11-17 Thread Alan DeKok
Samareanu Florin [EMAIL PROTECTED] wrote:
 is there any way to get rid of those values ? my users have unlimited 
 access and it is disturbing to see that they overpassed the values?
 current values are: 4 hours daily and 20 hours weekly

  Those values aren't configured in the default installation of
FreeRADIUS.  If your system has them, it's because you added them.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Tcpdump Attribute Question

2004-11-17 Thread Dustin Doris
It means it's being truncated.  Try adjusting the snaplen.  You should be
able to do -s 0 to make sure you capture the entire packet or you can
specify a length such as -s 1024.  Do a man tcpdump and search for
snaplen.

ie: tcpdump -i fxp0 -s 0 udp port 1812

-Dusty Doris

On Tue, 16 Nov 2004, jesk wrote:

 I have a question to tcpdumping FreeRADIUS.
 in some auth-replies some attributes are missing, and instead of them I
 can see the following at the end of the tcpdump line:
 [|radius]

 what does this exactly mean?

 f.e.:
 ---
 12:58:05.215548 x.x.x.x.1645 > x.x.x.x.1645:  rad-access-accept 217 [id 14]
 Attr[  Framed_ipaddr{10.10.10.10} [|radius]
 ---

 normally I can see a lot more output:
 ---
 13:14:56.867709 x.x.x.x.1645 > x.x.x.x.1645:  rad-access-accept 38 [id 37]
 Attr[  Framed_ipaddr{11.1.1.11} Framed_proto{PPP} Service_type{Framed} ]
 ---

 does somebody have an idea?



 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
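An added example for the thread above (mine, not tcpdump or FreeRADIUS code): a small decoder that walks a RADIUS reply the way tcpdump's printer does and reproduces the `[|radius]` marker. Older tcpdump releases default to a 68-byte snaplen; after 14 bytes of Ethernet, 20 of IP and 8 of UDP that leaves 26 bytes of RADIUS, which is the 20-byte header plus exactly one 6-byte attribute, matching the single `Framed_ipaddr` in the first capture quoted above. The 38-byte Access-Accept is constructed here with the three attributes from the second capture, and its authenticator is zeroed because nothing verifies it.

```python
"""Added example, not tcpdump or FreeRADIUS code.  Decode a RADIUS reply from a capture
buffer and report truncation the way tcpdump does with [|radius]."""
import struct

CODES = {2: "rad-access-accept", 3: "rad-access-reject", 11: "rad-access-challenge"}
ATTRS = {6: "Service_type", 7: "Framed_proto", 8: "Framed_ipaddr"}   # tcpdump-style names


def build_reply(code, ident, avps):
    """Serialize: code, id, length, 16-byte authenticator (zeroed here), then TLV attributes."""
    body = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def sample_accept():
    """Constructed 38-byte Access-Accept like the one in the thread:
    Framed-IP-Address 11.1.1.11, Framed-Protocol = PPP (1), Service-Type = Framed (2)."""
    return build_reply(2, 37, [(8, bytes([11, 1, 1, 11])),
                               (7, bytes([0, 0, 0, 1])),
                               (6, bytes([0, 0, 0, 2]))])


def decode(capture):
    """Walk whatever attributes survive in 'capture'.  'truncated' is set when the header's
    Length claims more bytes than were captured, or when an attribute runs past the captured
    end; that is the condition tcpdump reports as [|radius]."""
    if len(capture) < 20:
        return {"code": None, "id": None, "length": None, "attrs": [], "truncated": True}
    code, ident, length = struct.unpack("!BBH", capture[:4])
    attrs, pos = [], 20
    end = min(length, len(capture))
    truncated = len(capture) < length
    while pos + 2 <= end:
        t, l = capture[pos], capture[pos + 1]
        if l < 2 or pos + l > end:      # attribute cut off by the snaplen (or a malformed length)
            truncated = True
            break
        attrs.append((ATTRS.get(t, "Attr_%d" % t), capture[pos + 2:pos + l]))
        pos += l
    return {"code": CODES.get(code, "code-%d" % code), "id": ident, "length": length,
            "attrs": attrs, "truncated": truncated}


def _fmt(name, raw):
    if name == "Framed_ipaddr" and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    if len(raw) == 4:
        return str(struct.unpack("!I", raw)[0])
    return raw.hex()


def render(d):
    """One line in the spirit of the tcpdump output quoted in the thread."""
    body = " ".join("%s{%s}" % (n, _fmt(n, v)) for n, v in d["attrs"])
    tail = "[|radius]" if d["truncated"] else "]"
    return "%s %d [id %d] Attr[ %s %s" % (d["code"], d["length"], d["id"], body, tail)


if __name__ == "__main__":
    pkt = sample_accept()
    print(render(decode(pkt)))        # full capture: three attributes, closed with ]
    print(render(decode(pkt[:26])))   # 68-byte snaplen: header plus one attribute, then [|radius]
```

The decoder is deliberately strict about the attribute Length byte: a value below 2 or one that runs past the buffer stops the walk instead of reading out of bounds, which is the same check a RADIUS server has to make on untrusted packets, not only a capture-display concern.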


Re: Proxied EAP authentication

2004-11-17 Thread Alan DeKok
jh vg [EMAIL PROTECTED] wrote:
 My thesis is the implementation of a proposed framework for lightweight 
 WLAN roaming. So we are trying to reduce the number of messages so as to 
 provide faster roaming. They have given me a diagram with the exchange of 
 messages which I must implement.

  Are you implementing an existing protocol?  If so, you must follow
the protocol spec, in order to be inter-operable with other
implementations.  This means that you must implement the number, and
order of messages as defined in the spec.

  The end result is that you can't reduce the number of messages.

 The diagram is like the one in the RFCs (which describes authentication
 with EAP) but some messages are passed to the home server from the foreign
 server (proxy) and are identical to those that are passed from the
 access point to the proxy server (in the normal procedure).

  Yes, that's called proxying.

 In this diagram there arent any State or Proxy-State attributes.

  Then the diagram is wrong.  End of story.

 It's possible that I may have to modify the procedure of the radius
 protocol, but I am not sure if the protocol can work without the
 exchange of State and Proxy-State attributes.

  It can't.

 As far as I have seen these 2 attributes don't affect the EAP protocol. Is
 that correct?

  If you're doing proxying, you're required to use Proxy-State.

  If you're using EAP, you're required to use State.

  The diagram is wrong.  What you are trying to do is impossible.
It's impossible because if you remove State & Proxy-State, then what
you're trying to do won't work.

  I suggest finding out why the diagram is wrong, and who created it.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
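An added example for the exchange above (mine, not FreeRADIUS code): a toy model of one EAP conversation running access point, visited proxy, home server, to show what State and Proxy-State each do and what breaks without them. Attribute lists stand in for wire packets, `EAP-Message` is a small tuple rather than a real EAP packet, the three-round EAP method and the proxy tags are invented for the example, and nothing here is signed or encrypted. The two behaviours it exercises are the ones the reply insists on: the NAS must copy `State` from each Access-Challenge into the next Access-Request, and each proxy must add its own `Proxy-State` and remove exactly that one from the reply.

```python
"""Added example, not FreeRADIUS code: State and Proxy-State in a proxied EAP exchange."""
import os
from dataclasses import dataclass, field


@dataclass
class Packet:
    code: str                                   # Access-Request / -Challenge / -Accept / -Reject
    avps: list = field(default_factory=list)    # (name, value) pairs in wire order

    def values(self, name):
        return [v for n, v in self.avps if n == name]


class HomeServer:
    """Multi-round EAP.  State (RFC 2865 s5.24) is the only thing that ties an Access-Request
    carrying an EAP Response to the conversation that issued the matching Challenge."""
    ROUNDS = 3                                  # invented method length

    def __init__(self):
        self.sessions = {}                      # State value -> rounds completed

    def handle(self, req):
        echo = [(n, v) for n, v in req.avps if n == "Proxy-State"]   # MUST be copied back unmodified
        eap = req.values("EAP-Message")[0]
        if eap[0] == "Identity":                # round 1 opens a conversation
            st = os.urandom(16)
            self.sessions[st] = 1
            return Packet("Access-Challenge", [("EAP-Message", ("Request", 1)), ("State", st)] + echo)
        st = next(iter(req.values("State")), None)
        if st not in self.sessions:             # mid-conversation packet with no usable State
            return Packet("Access-Reject", echo)
        self.sessions[st] += 1
        if self.sessions[st] >= self.ROUNDS:
            del self.sessions[st]
            return Packet("Access-Accept", [("EAP-Message", ("Success", 0))] + echo)
        return Packet("Access-Challenge",
                      [("EAP-Message", ("Request", self.sessions[st])), ("State", st)] + echo)


class Proxy:
    """Forwards upstream, appending its own Proxy-State (RFC 2865 s5.33) so the reply can be
    matched back to the request, then removes exactly that one attribute before replying."""

    def __init__(self, upstream, tag):
        self.upstream, self.tag, self.seq = upstream, tag, 0

    def handle(self, req):
        self.seq += 1
        mine = b"%s:%d" % (self.tag, self.seq)
        resp = self.upstream.handle(Packet(req.code, list(req.avps) + [("Proxy-State", mine)]))
        ps = resp.values("Proxy-State")
        if not ps or ps[-1] != mine:
            raise RuntimeError("reply lacks our Proxy-State; it cannot be matched to a request")
        kept = list(resp.avps)
        del kept[len(kept) - 1 - kept[::-1].index(("Proxy-State", mine))]   # strip ours, keep earlier ones
        return Packet(resp.code, kept)


def run_exchange(server, echo_state=True):
    """Play the access point's side.  Returns (final code, Proxy-State attributes that leaked to the NAS)."""
    reply = server.handle(Packet("Access-Request", [("User-Name", "jh"), ("EAP-Message", ("Identity", 0))]))
    leaked, n = len(reply.values("Proxy-State")), 1
    while reply.code == "Access-Challenge":
        avps = [("User-Name", "jh"), ("EAP-Message", ("Response", n))]
        if echo_state:                          # RFC 2865 s5.24: State goes back unmodified
            avps += [("State", s) for s in reply.values("State")]
        reply = server.handle(Packet("Access-Request", avps))
        leaked += len(reply.values("Proxy-State"))
        n += 1
    return reply.code, leaked


if __name__ == "__main__":
    chain = Proxy(Proxy(HomeServer(), b"home-side"), b"visited")   # two proxies in a row
    print(run_exchange(chain))                                      # ('Access-Accept', 0)
    print(run_exchange(Proxy(HomeServer(), b"visited"), echo_state=False))   # ('Access-Reject', 0)
```

Dropping State is not a message saving: the second Access-Request still has to be sent, the home server just cannot place it and rejects it. Dropping Proxy-State does not save a message either; it removes the proxy's only standards-defined way to pair a reply with the request it forwarded, which is why the `Proxy` above refuses to continue when its tag is missing from the reply.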


Re: Proxied EAP authentication

2004-11-17 Thread Alan DeKok
Guy Davies [EMAIL PROTECTED] wrote:
 IIUC, FreeRADIUS implements this in the EAP-TLS module that is used by
 EAP-TTLS and PEAP so probably Session Resumption will be supported in
 those EAP types at the minimum.

  FreeRADIUS doesn't implement fast reconnect for session resumption.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap-tls auth: access accept is sent but xp client keeps resending access-req

2004-11-17 Thread Alan DeKok
Lara Adianto [EMAIL PROTECTED] wrote:
 
 The log file of freeradius shows that the authentication is
 successful, with access-accept being sent. I use tcpdump to confirm
 that access-accept is indeed sent and received by the
 access-point. However, after about 1 minute, the client will resend
 an access-request. And this keeps repeating...

  Ok...

 The only error log I can suspect from event viewer is this:
...
 Automatic certificate enrollment for local system failed to contact the 
 active directory (0x8007054b).  The specified domain either does not exist or 
 could not be contacted.
   Enrollment will not be performed.
 For more information, see Help and Support Center at 
 http://go.microsoft.com/fwlink/events.asp.

  That looks like the problem to me.  Fix that, and the machine should
stay on the network.

  And no, there's nothing you can do to FreeRADIUS to fix that problem.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: debian with freeradius and securid PAM Module

2004-11-17 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I want to use SecurID with FreeRADIUS on my Debian.
 I have chosen and installed the pam_securid.so module from RSA and set
 up PAM and FreeRADIUS.

  PAM may have memory leaks.  If at all possible, I would suggest
using a command-line tool from SecurID to do the authentication.

 if a make a radtest everytime a get the following errors in syslog:
 Nov 17 14:31:49 abrakadabra freeradius: PAM unable to
 dlopen(/lib/security/pam_securid.so)

  It's probably not in the default library path.  See /etc/ld.so.conf,
or edit radiusd.conf, and add ':/lib/security' to the end of the
'libdir' directive.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: problem with freeradius - ldap - peap

2004-11-17 Thread Michael Griego
For some reason, you have the LDAP module set up to pull an MD5-hashed
password from your LDAP tree and add it as the NT-Password attribute. 
This won't work.  In order to use PEAP, you have to have either a
clear-text password or an NT-hashed password.

--Mike



On Wed, 2004-11-17 at 03:44, Pål Hjelmeseth Myklebust wrote:
 I have a problem I can't seem to figure out, so I wondered if any of you 
 have a suggestion. It looks like everything is working as intended: the 
 ldap finds the account and authorizes the client, but then it sends 
 Access-Reject.
 
 [EMAIL PROTECTED] log]# /usr/sbin/radiusd -x -A
 Starting - reading configuration files ...
 Using deprecated naslist file.  Support for this will go away soon.
 Module: Loaded exec
 rlm_exec: Wait=yes but no output defined. Did you mean output=none?
 Module: Instantiated exec (exec)
 Module: Loaded expr
 Module: Instantiated expr (expr)
 Module: Loaded MS-CHAP
 Module: Instantiated mschap (mschap)
 Module: Loaded System
 Module: Instantiated unix (unix)
 Module: Loaded preprocess
 Module: Instantiated preprocess (preprocess)
 Module: Loaded detail
 Module: Instantiated detail (auth_log)
 Module: Loaded LDAP
 rlm_ldap: Registering ldap_groupcmp for Ldap-Group
 rlm_ldap: Registering ldap_xlat with xlat_name ldap
 rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
 rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
 rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
 rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
 rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
 rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
 rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
 rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
 rlm_ldap: LDAP userPassword mapped to RADIUS NT-Password
 rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
 rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
 rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
 rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
 rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
 rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
 rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
 rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
 rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
 rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
 rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
 rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
 rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
 rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
 rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
 rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
 rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
 rlm_ldap: LDAP radiusClass mapped to RADIUS Class
 rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
 rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
 rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
 rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
 rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
 rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
 rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS 
 Framed-AppleTalk-Link
 rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS 
 Framed-AppleTalk-Network
 rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS 
 Framed-AppleTalk-Zone
 rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
 rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
 conns: 0x97ac438
 Module: Instantiated ldap (ldap)
 Module: Loaded realm
 Module: Instantiated realm (suffix)
 Module: Loaded files
 Module: Instantiated files (files)
 Module: Loaded Acct-Unique-Session-Id
 Module: Instantiated acct_unique (acct_unique)
 Module: Instantiated detail (detail)
 Module: Loaded radutmp
 Module: Instantiated radutmp (radutmp)
 Module: Loaded eap
 rlm_eap: Loaded and initialized type md5
 rlm_eap: Loaded and initialized type leap
 rlm_eap: Loaded and initialized type gtc
 rlm_eap: Loaded and initialized type tls
 rlm_eap: Loaded and initialized type peap
 rlm_eap: Loaded and initialized type mschapv2
 Module: Instantiated eap (eap)
 Initializing the thread pool...
 Listening on authentication *:1645
 Listening on accounting *:1646
 Listening on proxy *:1647
 Ready to process requests.
 rad_recv: Access-Request packet from host 158.36.80.3:1645, id=33, length=125
  User-Name = pmyklebu
  Framed-MTU = 1400
  Called-Station-Id = 0040.96a0.1b31
  Calling-Station-Id = 000e.3526.4533
  Message-Authenticator = 0xaf9422f5561d549ae6f7be33b6c134ef
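An added example for Michael's point above (mine, not FreeRADIUS code). The debug output shows `LDAP userPassword mapped to RADIUS NT-Password`, so an `{MD5}` digest from `userPassword` is handed to rlm_mschap as if it were an NT hash; MS-CHAPv2 inside PEAP needs MD4 over the UTF-16LE password, which no MD5 or SSHA digest can be turned into. The code computes the real NT hash and shows which constructed LDAP entries can supply it. MD4 is written out in full because the `hashlib` MD4 is disabled on many current OpenSSL builds; the LDAP entries and the `{MD5}` value are constructed test data.

```python
"""Added example, not FreeRADIUS code: NT-Password = MD4(UTF-16LE(password)), and which LDAP
password forms can provide it for PEAP/MS-CHAPv2."""
import struct

_M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0,
         [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                # rotate the working variables so one expression serves all four positions
                a, b, c, d = d, _rotl((a + f(b, c, d) + x[j] + k) & _M, shifts[i % 4]), b, c
        h = [(v + w) & _M for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash that MS-CHAPv2's NT-Response is derived from."""
    return md4(password.encode("utf-16-le"))


def mschap_material(entry: dict):
    """What a constructed LDAP entry can contribute to MS-CHAPv2 inside PEAP.
    Returns ("NT-Password", 16 bytes) or None when the entry cannot support it."""
    nt = entry.get("sambaNTPassword")
    if nt:
        return "NT-Password", bytes.fromhex(nt)          # already the NT hash (32 hex chars)
    pw = entry.get("userPassword")
    if pw is None or pw.startswith("{"):                  # {MD5}/{SSHA}/{CRYPT}: a one-way digest
        return None                                      # of the text, not convertible to MD4
    return "NT-Password", nt_hash(pw)                     # cleartext: the server hashes it itself


if __name__ == "__main__":
    print(nt_hash("password").hex())                      # 8846f7eaee8fb117ad06bdd830b7586c
    print(mschap_material({"userPassword": "{MD5}X03MO1qnZdYdgyfeuILPmQ=="}))   # None
```

The practical fix is therefore in the directory, not in the server: store either a cleartext `userPassword` that the server may read, or a Samba-style NT hash attribute, and point the `NT-Password` line of `ldap.attrmap` at that attribute rather than at `userPassword`. Storing the NT hash is storing a password-equivalent, so the bind DN that FreeRADIUS uses should be the only one allowed to read it.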
 

Re: Daily/Monthly limit

2004-11-17 Thread Samareanu Florin

--__--__--
Message: 7
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Daily/Monthly limit 
Date: Wed, 17 Nov 2004 09:28:43 -0500
Reply-To: [EMAIL PROTECTED]

Samareanu Florin [EMAIL PROTECTED] wrote:
 

is there any way to get rid of those values ? my users have unlimited 
access and it is disturbing to see that they overpassed the values?
current values are: 4 hours daily and 20 hours weekly
   

 Those values aren't configured in the default installation of
FreeRADIUS.  If your system has them, it's because you added them.
 

I got them after I imported the SQL scripts from dialup admin shipped with freeradius. Where can I edit those values?
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Daily/Monthly limit

2004-11-17 Thread Samareanu Florin
Where are those values located in the MySQL db?
Is it safe to delete them?
Samareanu Florin wrote:

--__--__--
Message: 7
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Daily/Monthly limit Date: Wed, 17 Nov 2004 09:28:43 -0500
Reply-To: [EMAIL PROTECTED]
Samareanu Florin [EMAIL PROTECTED] wrote:
 

is there any way to get rid of those values ? my users have 
unlimited access and it is disturbing to see that they overpassed 
the values?
current values are: 4 hours daily and 20 hours weekly
  

 Those values aren't configured in the default installation of
FreeRADIUS.  If your system has them, it's because you added them.
 

I got them after I imported the SQL scripts from dialup admin shipped 
with freeradius. Where can I edit those values?
 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Daily/Monthly limit

2004-11-17 Thread Kostas Kalevras
On Wed, 17 Nov 2004, Samareanu Florin wrote:
Where are those values located in the MySQL db?
Is it safe to delete them?
Samareanu Florin wrote:
See the end of conf/admin.conf in dialupadmin.


--__--__--
Message: 7
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Daily/Monthly limit Date: Wed, 17 Nov 2004 09:28:43 -0500
Reply-To: [EMAIL PROTECTED]
Samareanu Florin [EMAIL PROTECTED] wrote:
is there any way to get rid of those values ? my users have unlimited 
access and it is disturbing to see that they overpassed the values?
current values are: 4 hours daily and 20 hours weekly


 Those values aren't configured in the default installation of
FreeRADIUS.  If your system has them, it's because you added them.
I got them after I imported the SQL scripts from dialup admin shipped with 
freeradius. Where can I edit those values?



- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: help groups and LDAP

2004-11-17 Thread Dustin Doris
 Hello all,

 I've spent quite a long time trying to understand how freeradius works
 and trying to get everything I want working.
 I am using Openldap since 2001 and I've no problems to understand LDAP
 as I wrote many programs around LDAP. In fact I don't understand how
 groups are working under radius.

 My aim: I would like to distribute different IP pool for users.

 The best for me: In the users DN, we already have an attribute for a
 laboratory, ie u2labo
 I would like to say:
 1. authenticate the user in ldap (works ok)
 2. Get the attribute u2labo
 3 use that value to get the ip range (somewhere even outside ldap
 (users)) to distribute the IP.

 I've tried many configurations without success. The debugging of ldap
 show me just bind successfull without search for  groups. I tried to
 add  radiusprofile Objectclass without success. So what  is the meaning
 of groups in radius?.
 can we say:
 user fred  attributes XXX member of group test
 group test the rest of attributes.

 Could you give me the minimum to set in conf files to get it working?

 Thanks

 Dom


You can modify the groupname attribute to be the lab attribute and then
use that to hand out the pools.

So in radiusd.conf in the ldap section, change groupname_attribute to
groupname_attribute = laboratory (or whatever that attribute name is)

Then you create an ippool config for each lab.  Say you have one called
u2labo and one called u3labo.

ippool u2labo {
  configure this...
}

ippool u3labo {
  configure this...
}

Then in the users file, you add something like this

DEFAULT	Ldap-Group == "u2labo", Pool-Name := "u2labo"
	Fall-Through = no

DEFAULT	Ldap-Group == "u3labo", Pool-Name := "u3labo"
	Fall-Through = no


I think that should do it.

-Dusty Doris

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[FreeRadius] rlm_postgresql cannot link driver

2004-11-17 Thread Apu islam
Hello Gang,

I just installed the 1.01 on my Red Hat, but I am having
problems with the pgsql-voip module. I did what the
doc says, but ended up with this error:

rlm_sql (pgsql-voip): Could not link driver
rlm_sql_postgresql: file not found
rlm_sql (pgsql-voip): Make sure it (and all its
dependent libraries!) are in the search path of your
system's ld.
radiusd.conf[9]: pgsql-voip: Module instantiation
failed.

can someone shed some light?

-apu



__ 
Do you Yahoo!? 
Meet the all-new My Yahoo! - Try it today! 
http://my.yahoo.com 
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_python for client/nas list

2004-11-17 Thread James Sapara
Hello,
I'd like to move client.conf to something that works through rlm_python. 
Looking at rlm_sql, this appears possible. I'm willing to update 
rlm_python to support this, but I can't seem to find how it binds this 
functionality in rlm_sql. Anyone ever try this more?

James
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: help groups and LDAP

2004-11-17 Thread LALOT Dominique

Thanks,

I have to leave, but the quick and last test I did with your advice
gave me bad results. See you tomorrow.
Using radtest, I don't get any IP, and there is very little doc about
ippool and the way it works.

I suppose that the NAS is completely relying on radius for IP delivery.
I'm wondering what happens in case of a failure of the main radius
server.

Dom

Dustin Doris wrote:

Hello all,

I've spent quite a long time trying to understand how freeradius works
and trying to get everything I want working.
I am using Openldap since 2001 and I've no problems to understand LDAP
as I wrote many programs around LDAP. In fact I don't understand how
groups are working under radius.

My aim: I would like to distribute different IP pool for users.

The best for me: In the users DN, we already have an attribute for a
laboratory, ie u2labo
I would like to say:
1. authenticate the user in ldap (works ok)
2. Get the attribute u2labo
3 use that value to get the ip range (somewhere even outside ldap
(users)) to distribute the IP.

I've tried many configurations without success. The debugging of ldap
show me just bind successfull without search for  groups. I tried to
add  radiusprofile Objectclass without success. So what  is the meaning
of groups in radius?.
can we say:
user fred  attributes XXX member of group test
group test the rest of attributes.

Could you give me the minimum to set in conf files to get it working?

Thanks

Dom


You can modify the groupname attribute to be the lab attribute and then
use that to hand out the pools.

So in radiusd.conf in the ldap section, change groupname_attribute to
groupname_attribute = laboratory (or whatever that attribute name is)

Then you create an ippool config for each lab.  Say you have one called
u2labo and one called u3labo.

ippool u2labo {
  configure this...
}

ippool u3labo {
  configure this...
}

Then in the users file, you add something like this

DEFAULT	Ldap-Group == u2labo, Pool-Name := "u2labo"
	Fall-Through = no

DEFAULT Ldap-Group == u3labo, Pool-Name := "u3labo"
	Fall-Through = no


I think that should do it.

-Dusty Doris

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




-- 
Dominique LALOT 
Network Systems Engineer, CISCAM Pole Réseau
Université de la Méditerranée http://annuaire.univ-mrs.fr/showuser.php?uid=lalot




Re: help groups and LDAP

2004-11-17 Thread Dustin Doris
You'll still need to configure the ippool modules and include those in the
accounting section and post-auth section.  Forgot to include that in the
last email.  A radiusd -X will show you exactly what is going on.  If it
doesn't work, please post that to the list with all output.

ie:

accounting {
 ...
 u2labo
 u3labo
 ...
}

post_auth {
 ...
 u2labo
 u3labo
 ...
}

On Wed, 17 Nov 2004, LALOT Dominique wrote:

 Thanks,

 I have to leave, but the quick and last test I did with your advice,
 gave me bad results. See tomorrow..
 Using radtest, I don't get any IP, and there is very little doc about
 ippool and the way it works.

 I suppose that the NAS is completely relying on radius for IP delivery.
 I'm wondering what happen in case of the failure of the main radius server.

 Dom

 Dustin Doris wrote:

 Hello all,
 
 I've spent quite a long time trying to understand how freeradius works
 and trying to get everything I want working.
 I am using Openldap since 2001 and I've no problems to understand LDAP
 as I wrote many programs around LDAP. In fact I don't understand how
 groups are working under radius.
 
 My aim: I would like to distribute different IP pool for users.
 
 The best for me: In the users DN, we already have an attribute for a
 laboratory, ie u2labo
 I would like to say:
 1. authenticate the user in ldap (works ok)
 2. Get the attribute u2labo
 3 use that value to get the ip range (somewhere even outside ldap
 (users)) to distribute the IP.
 
 I've tried many configurations without success. The debugging of ldap
 show me just bind successfull without search for  groups. I tried to
 add  radiusprofile Objectclass without success. So what  is the meaning
 of groups in radius?.
 can we say:
 user fred  attributes XXX member of group test
 group test the rest of attributes.
 
 Could you give me the minimum to set in conf files to get it working?
 
 Thanks
 
 Dom
 
 
 
 
 You can modify the groupname attribute to be the lab attribute and then
 use that to hand out the pools.
 
 So in radiusd.conf in the ldap section, change groupname_attribute to
 groupname_attribute = laboratory (or whatever that attribute name is)
 
 Then you create an ippool config for each lab.  Say you have one called
 u2labo and one called u3labo.
 
 ippool u2labo {
   configure this...
 }
 
 ippool u3labo {
   configure this...
 }
 
 Then in the users file, you add something like this
 
 DEFAULT  Ldap-Group == u2labo, Pool-Name := u2labo
  Fall-Through = no
 
 DEFAULT Ldap-Group == u3labo, Pool-Name := u3labo
  Fall-Through = no
 
 
 I think that should do it.
 
 -Dusty Doris
 
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 
 
 
 

 --
 Dominique LALOT
 Network Systems Engineer, CISCAM Pole Réseau
 Université de la Méditerranée 
 http://annuaire.univ-mrs.fr/showuser.php?uid=lalot



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Daily/Monthly limit

2004-11-17 Thread Samareanu Florin
The final problem: in the dialup admin web page I press show groups, 
choose one group name (static in my case), select one user from Group 
Members and press the Administer Selected User button. Nothing happens; 
the page gets refreshed and I am returned to the Group static administration 
index.
Where is the problem?

Message: 8
Date: Wed, 17 Nov 2004 17:00:18 +0200 (EET)
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Daily/Monthly limit
Reply-To: [EMAIL PROTECTED]
On Wed, 17 Nov 2004, Samareanu Florin wrote:
 

where are those values located in the mysql db?
is it safe to delete them?
Samareanu Florin wrote:
   

See at the end of conf/admin.conf in dialupadmin
 

-- __--__-- 

Message: 7
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Daily/Monthly limit Date: Wed, 17 Nov 2004 09:28:43 -0500
Reply-To: [EMAIL PROTECTED]
Samareanu Florin [EMAIL PROTECTED] wrote:
   

is there any way to get rid of those values ? my users have unlimited 
access and it is disturbing to see that they overpassed the values?
current values are: 4 hours daily and 20 hours weekly

 

Those values aren't configured in the default installation of
FreeRADIUS.  If your system has them, it's because you added them.
I got them after I imported the SQL scripts from dialup admin shipped with 
freeradius. Where can I edit those values?

   

 

- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

   

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
 


 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Patch for 0.8.1 supporting IPv6

2004-11-17 Thread Shawn
Hi, everyone

Could any one tell me how to find the patch for 0.8.1 supporting IPv6?

I've looked it up on google but didn't find any useful results about it...

Thank you very much!

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Low cost APs that support EAP/TLS Freeradius??

2004-11-17 Thread Joe Matuscak
On Tue, 16 Nov 2004, David Mitton wrote:

 I am interested in an AP that can do 802.1x (authenticator without being a 
 server) that's a bit cheaper than that.  I'd also like a firewall/NAT 
 router functions, you know, the typical Cable/DSL/router configuration.
 
 Suggestions?
 
 A Linksys WRT54GS with Sveasoft looks like a bargain functionally.
 Amazon.com has the WRT54GS for $81.99 - $10 Rebate.

Anyone try a Buffalo AirStation G54 WLA-G54C?? It claims 802.1x, WPA, TKIP 
support and is about $80. It looks like a version with a built in 4 port 
ethernet switch is around $100.


Joe Matuscak
Rohrer Corporation
717 Seville Road
Wadsworth, Ohio 44281
(330)335-1541
[EMAIL PROTECTED]



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Patch for 0.8.1 supporting IPv6

2004-11-17 Thread Alan DeKok
Shawn [EMAIL PROTECTED] wrote:
 Could any one tell me how to find the patch for 0.8.1 supporting IPv6?

  There is no such patch, and there will never be a patch.

  1.0.1 supports IPv6 attributes in RADIUS, but not listening on an
IPv6 socket.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


unsubscribe

2004-11-17 Thread Yi Zheng

unsubscribe

2004-11-17 Thread Brian Kellogg



can radius pass a binary file

2004-11-17 Thread Marco C. Coelho
Using freeradius 1.0.1
I need to be able to pass a binary or text file to be parsed at the 
other end.  Are there any suggestions?

Marco
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Low cost APs that support EAP/TLS Freeradius??

2004-11-17 Thread David Mitton
On 11/16/2004 09:27 PM, Paul wrote:
David Mitton wrote:
A Linksys WRT54GS with Sveasoft looks like a bargain functionally.
Amazon.com has the WRT54GS for $81.99 - $10 Rebate.
Yeah, that's a good price.  I use the WRT54GS with the tinyPEAP embedded 
RADIUS server.  The firmware is based on Sveasoft's version 4.0, because 
it's freely available I guess.  Works for me.

I paid under $76 after $10 rebate and $10 gift card at Staples.
(Staples has a great return policy, just in case.)
The Amazon deal is nice because it's tax free with free shipping.  Free 
shipping can be as quick as regular shipping.
Dumb question time:
- where do you store the users?  in flash?
  is there a virtual disk system?
- Who did tinyPEAP?
Dave. 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Huntgroup problem in FreeRadius 1.0.1 at FreeBSD5.3Rel.

2004-11-17 Thread Masaru Yoshihama
Hi All

I still have a problem with huntgroups in FreeRADIUS 1.0.1 and have
investigated it a little.

First, I added an 'auth_log' setting in the authorize section of the 'radiusd.conf'
file to collect more information.

Second, I checked the current user information on our MySQL server using the
SQL query described in sql.conf.

|SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,
|radgroupcheck.Value,radgroupcheck.op FROM  radgroupcheck,usergroup WHERE
|usergroup.Username='test1' AND usergroup.GroupName = radgroupcheck.GroupName
|ORDER BY radgroupcheck.id;
|+----+-----------+----------------+---------+----+
|| id | GroupName | Attribute      | Value   | op |
|+----+-----------+----------------+---------+----+
||  2 | dynamic   | Huntgroup-Name | dynamic | == |
|+----+-----------+----------------+---------+----+

|mysql> select * from radcheck where UserName='test1';
|+----+----------+-----------+----+-------+
|| id | UserName | Attribute | op | Value |
|+----+----------+-----------+----+-------+
||  1 | test1    | Password  | == | pass1 |
|+----+----------+-----------+----+-------+
|1 row in set (0.00 sec)


# /usr/local/etc/raddb/huntgroups

static  NAS-IP-Address == 127.0.0.1
dynamic NAS-IP-Address == 127.0.0.1


Finally, I started FreeRADIUS in debug mode (-sxxf) and sent a query.
(But it was rejected.)

|svr3# /usr/local/bin/radtest test1 pass1 localhost 0 secret ppp 127.0.0.1
|Sending Access-Request of id 243 to 127.0.0.1:1645
|User-Name = test1
|User-Password = pass1
|NAS-IP-Address = 127.0.0.1
|NAS-Port = 0
|Framed-Protocol = PPP
|rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=243, length=20

The auth-detail file says radius treats user 'test1' as Group=static.
(It should actually be 'dynamic'.)

|Packet-Type = Access-Request
|Thu Nov 18 11:52:22 2004
|User-Name = test1
|User-Password = pass1
|NAS-IP-Address = 127.0.0.1
|NAS-Port = 0
|Framed-Protocol = PPP
|Service-Type = Framed-User
|Client-IP-Address = 127.0.0.1
|Huntgroup-Name = static

Below is the radius detail log. I hope someone can kindly help.

---
rad_recv: Access-Request packet from host 127.0.0.1:54456, id=239, length=65
User-Name = test1
User-Password = pass1
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = test1, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
radius_xlat:  '/var/log/radacct/auth-detail-20041118'
rlm_detail: /var/log/radacct/auth-detail-%Y%m%d expands to 
/var/log/radacct/auth-detail-20041118
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module attr_filter returns noop for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
users: Matched DEFAULT at 12
users: Matched DEFAULT at 18
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  'masaru1'
rlm_sql (sql): sql_set_user escaped user -- 'test1'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'test1' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test1' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'test1' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'test1' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [test1]
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns notfound for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
auth: Failed to validate the user.
  Processing the post-auth section of radiusd.conf
modcall: entering group Post-Auth-Type for request 0
radius_xlat:  '/var/log/radacct/reply-detail-20041118'
---
(end)


On Mon, 15 Nov 2004 23:10:21 +0900
Masaru Yoshihama [EMAIL PROTECTED] wrote:

 Hi All,
 
 I have been to use FreeRadius 0.9.1 while a year and 

Re: General question on Radius/802.1x

2004-11-17 Thread David Mitton
On 11/17/2004 11:01 AM, Andrea G. Forte wrote:
> Hi all,
> I am new to WPA/802.11i and I have a few doubts. I hope you can help me.
> What is not clear to me is how often a supplicant needs to authenticate to
> the server...is it every time the supplicant performs an L2 handoff?
The supplicant needs to authenticate anytime it wishes to get L2 
access.  It is an extension of the Authenticate & Associate MAC processes.

> It
> seems like if the supplicant does not authenticate it does not get an IP
> address, so I would think that authentication would happen only when the
> supplicant performs L3 and not L2 handoff. Am I right?
No. 802.1x authentication is L2 access, and has nothing to do with IP 
addressing.   If a station moves to another AP, it must become 
authenticated (somehow) at that AP.  Either by another AAA exchange, or a 
back-end protocol between APs and maybe a AAA server (see 802.11f) or a 
central controller (see CAPWAP).
Making authentication work quickly across handoffs is a current working 
effort in several groups.
Obviously, IP topology becomes a configuration issue, but not an 
authentication problem, per se.

> Another doubt I have is: if I am a malicious user and set a static IP
> address and know the key, am I able to use the network or am I blocked
> somehow by the authenticator? How does the authenticator know if it has to
> block my ports or not when I connect to the AP?
Your port is blocked (by your MAC address and MAC state) at the AP until 
you pass authentication.  IP has nothing to do with it.  I'm not sure what 
key you know, but session keys are derived dynamically from the 
master key.  In fact you must know your key, as it's not exchanged over 
the network. It could be your account password, or a machine 
certificate.  What's different from WEP is the master key is unique per 
user, and the derived session key is unique for every authentication instance.


> Your help is very much appreciated. Thank you.
> Andrea Forte
Good luck,
Dave. 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Just getting started

2004-11-17 Thread Dallas Graves
Ok, so I have looked all over the web but can't
really find any good how-to articles on freeradius
when it comes to setting up a dial-up server.
Anyone have any links or even a book that might help?


Re: Just getting started

2004-11-17 Thread Paul Hampson
On Thu, Nov 18, 2004 at 12:17:28AM -0600, Dallas Graves wrote:
> Ok, so I have looked all over the web but can't really find any good
> how-to articles on freeradius when it comes to setting up a dial-up
> server.  Anyone have any links or even a book that might help?

If you're looking at setting up a computer to answer modems for dial-in
use, you'll find the documentation for _that_ will usually tell you
where to use FreeRADIUS. RADIUS is a back-end protocol so it's rarely
documented in a HOWTO in its own regard.

-- 
Paul TBBle Hampson, on an alternate email client.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: General question on Radius/802.1x

2004-11-17 Thread Andrea G. Forte

> On 11/17/2004 11:01 AM, Andrea G. Forte wrote:
>> Hi all,
>> I am new to WPA/802.11i and I have a few doubts. I hope you can help me.
>> What is not clear to me is how often a supplicant needs to authenticate to
>> the server...is it every time the supplicant performs an L2 handoff?
> The supplicant needs to authenticate anytime it wishes to get L2 access. 
> It is an extension of the Authenticate & Associate MAC processes.

Why is the authentication done every single time an L2 handoff occurs? Usually 
for 802.11b, I can cover a building floor with about two or three APs, and for 
802.11a each AP covers an even smaller area. This means that I will have to 
authenticate even if I move from one room to another (exaggeration!).
This to me sounds like an unnecessary overhead.

>> Another doubt I have is: if I am a malicious user and set a static IP
>> address and know the key, am I able to use the network or am I blocked
>> somehow by the authenticator? How does the authenticator know if it has to
>> block my ports or not when I connect to the AP?
> Your port is blocked (by your MAC address and MAC state) at the AP until 
> you pass authentication.  IP has nothing to do with it.  I'm not sure what 
> key you know, but session keys are derived dynamically from the 
> master key.  In fact you must know your key, as it's not exchanged over 
> the network. It could be your account password, or a machine certificate. 
> What's different from WEP is the master key is unique per user, and the 
> derived session key is unique for every authentication instance.


How is my port blocked?
Also, if I return to an AP I previously authenticated with, does this AP 
have some sort of allowed MAC list, without having me start the whole 
authentication process over (i.e. with exchange of certificates, etc.) 
for a second time?

> Good luck,
> Dave.
Thank you Dave for your precious help.
Andrea


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: General question on Radius/802.1x

2004-11-17 Thread David Mitton
On 11/18/2004 12:20 AM, Andrea G. Forte wrote:

>> On 11/17/2004 11:01 AM, Andrea G. Forte wrote:
>>> Hi all,
>>> I am new to WPA/802.11i and I have a few doubts. I hope you can help me.
>>> What is not clear to me is how often a supplicant needs to authenticate to
>>> the server...is it every time the supplicant performs an L2 handoff?
>> The supplicant needs to authenticate anytime it wishes to get L2 access. 
>> It is an extension of the Authenticate & Associate MAC processes.
> Why is the authentication done every single time an L2 handoff occurs? 
> Usually for 802.11b, I can cover a building floor with about two or three 
> APs, and for 802.11a each AP covers an even smaller area. This means that
> I will have to authenticate even if I move from one room to another 
> (exaggeration!).
> This to me sounds like an unnecessary overhead.
There is a fundamental authentication/security problem you are glossing 
over:
How does the AP you roam to know who you are?
How does one AP know you authenticated against another?
How does the new AP know the session key you were using with the prior one?
If it doesn't, how does it make a new one?
How does that AP trust the other AP?
How does it know you are really the same station?
  and not some hacker spoofing the same MAC address?
Answer those questions thoroughly and you will be on the way to solving the 
roaming problem.


>>> Another doubt I have is: if I am a malicious user and set a static IP
>>> address and know the key, am I able to use the network or am I blocked
>>> somehow by the authenticator? How does the authenticator know if it has to
>>> block my ports or not when I connect to the AP?
>> Your port is blocked (by your MAC address and MAC state) at the AP until 
>> you pass authentication.  IP has nothing to do with it.  I'm not sure 
>> what key you know, but session keys are derived dynamically from 
>> the master key.  In fact you must know your key, as it's not exchanged 
>> over the network. It could be your account password, or a machine 
>> certificate. What's different from WEP is the master key is unique per 
>> user, and the derived session key is unique for every authentication instance.

> How is my port blocked?
Until you pass authentication, only EAPOL data frames will be processed; 
all other data frames will be discarded.  This is what the 802.11i and 802.1x 
standards describe.  It's part of the operation of an AP that adheres to 
those standards.

> Also, if I return to an AP I previously authenticated with, does this AP 
> have some sort of allowed MAC list, without having me start the whole 
> authentication process over (i.e. with exchange of certificates, etc.) 
> for a second time?
It might.  There is a Re-Associate control frame that can be 
used.  However, there is still the problem of proving you are who you say 
you are.   I've forgotten how much of that process is settled.

Dave. 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
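The controlled-port behaviour Dave describes (EAPOL frames are processed, everything else is discarded until the station is authorized at that particular AP, regardless of any IP address it has configured) as a toy Python model. This is an added example, not code from the thread or from FreeRADIUS; the per-AP state table keyed by station MAC, the MAC and IP values, and the assumption that an AP starts with no state for a roaming station are all constructed for the illustration.

```python
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E   # 802.1X EAP over LAN
IPV4_ETHERTYPE = 0x0800


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: str = ""


@dataclass
class AccessPoint:
    """Toy authenticator: one controlled-port state per station MAC (assumed model)."""
    name: str
    # missing/False = port unauthorized (blocked), True = authorized
    port_state: dict = field(default_factory=dict)

    def receive(self, frame: Frame) -> str:
        """Classify a received frame: 'eapol' (handed to the authenticator),
        'forward' (port open for this MAC) or 'drop' (port still blocked)."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            return "eapol"                      # always accepted, even pre-auth
        if self.port_state.get(frame.src_mac, False):
            return "forward"
        return "drop"                           # the IP payload plays no role

    def authenticator_result(self, mac: str, success: bool) -> None:
        """Open or close the controlled port once the AAA exchange has finished."""
        self.port_state[mac] = success


def roam_scenario() -> list:
    """Station with a static IP authenticates at ap1, then hands off to ap2.
    MAC and IP values are constructed for the example."""
    ap1, ap2 = AccessPoint("ap1"), AccessPoint("ap2")
    sta = "00:11:22:33:44:55"
    ip_frame = Frame(sta, IPV4_ETHERTYPE, "src=10.0.0.5 (static IP)")
    seen = []
    seen.append(ap1.receive(ip_frame))                            # blocked
    seen.append(ap1.receive(Frame(sta, EAPOL_ETHERTYPE, "EAP")))  # let through
    ap1.authenticator_result(sta, True)   # e.g. RADIUS Access-Accept relayed by ap1
    seen.append(ap1.receive(ip_frame))                            # now forwarded
    # L2 handoff: ap2 holds no state for this MAC, so its port is blocked again
    seen.append(ap2.receive(ip_frame))
    seen.append(ap2.receive(Frame(sta, EAPOL_ETHERTYPE, "EAP")))  # must re-authenticate
    return seen


if __name__ == "__main__":
    print(roam_scenario())
```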


PATCH: regular expression matching of realms.

2004-11-17 Thread Rok Papez
Hello!

==
Regular expression matching in proxy.conf
enables very flexible and intuitive realm
proxying. It can reduce the number of
realm entries:

realm company2.com {
  regexp  = ^.*\.company2\.com$
  type= radius
  authhost= rad.company2.com
  accthost= rad.company2.com
}

==
I'm operating a TLD radius server and delegating
certain RADIUS realms to sub-node RADIUS servers.
We have built a sort of RADIUS tree structure.

For example (radiator config):
<Handler Realm=/^subX\.tld$|^.*\.subX\.tld$/>
<AuthBy RADIUS>
 [...]
</AuthBy>
</Handler>

The subX.org.tld are usually freeradius servers, that
define a subX.tld and a few subsub1.subX.tld,
subsub2.subX.tld, subsub3.subX.tld.

This can be dangerous, because I delegate all *.subX.tld
to the organisation and they delegate DEFAULT to me.
So for a non-existent subsub4.subX.tld we create a RADIUS
loop :.

I could:
- delegate realms strictly (too much administration on my part and
too restrictive for subX operators)
- implement split horizon in the TLD server (I might do this,
but I prefer to enhance free software)
- implement regexp realm matching in freeradius (this is this
patch)

==
proxy.conf:

# Local realms
realm subsub1.orgX.tld {
}
realm subsub2.orgX.tld {
}
realm subsub3.orgX.tld {
}
realm NULL {
}

# this realm is matched by:
#*.orgX.tld
#blackhole.orgX.tld
# blackhole is handled locally (denied)
realm blackhole.orgX.tld {
regex   = ^.*\.orgX\.tld$
}

realm DEFAULT {
type= radius
authhost= radius.tld:1812
accthost= radius.tld:1813
secret  = blah
nostrip
}
==
users:
DEFAULT Realm == blackhole.orgX.tld, Auth-Type := Reject

==
This patch is based on this regex patch:
http://projects.nuschkys.net/patches/

I've cleaned it up a bit and did some testing.
It seems to work fine and not add overhead if
no regex is used. It also makes realm proxying
in freeradius very flexible and intuitive.

Appreciate any review :).

==
diff -ur freeradius-1.0.1/raddb/proxy.conf 
freeradius-1.0.1-rlm_regexp/raddb/proxy.conf
--- freeradius-1.0.1/raddb/proxy.conf   2004-02-26 17:16:32.0 +0100
+++ freeradius-1.0.1-rlm_regexp/raddb/proxy.conf2004-11-17 
14:47:41.0 +0100
@@ -136,6 +136,22 @@
 #  secret  = testing123
 #}
 
+#  A realm containing a regular expression, matching anything like
+#  [EMAIL PROTECTED] as well as [EMAIL PROTECTED]. All 
+#  requests with this realm will be handled locally.
+#
+#  Please note that the regular expressions must be POSIX compatible
+#  and will be matched case insensitive.
+#  Additionally, the regexp should be the same on all servers of
+#  a fail-over and round-robin realm.
+# 
+#realm company2.com {
+#  regexp  = ^.*\.company2\.com$
+#  type= radius
+#  authhost= rad.company2.com
+#  accthost= rad.company2.com
+#}
+
 #  A realm entry with an optional fail-over realm.  A request from
 #  [EMAIL PROTECTED] will be sent to radius.isp2.com as [EMAIL PROTECTED],
 #  because the 'nostrip' directive is specified for this realm.
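Review bot: the comment contradicts its own example: it says "All requests with this realm will be handled locally", yet the realm sets `type = radius` with `authhost`/`accthost`, which proxies them. The pattern `^.*\.company2\.com$` also does not match the bare realm `company2.com` (it requires a dot before `company2`), so a user at exactly company2.com would not hit this entry; either say so or use `^(.*\.)?company2\.com$`. The key is spelled `regexp` here but `regex` in the proxy.conf quoted in the mail body; settle on one. The comment should further state how a regexp realm is ordered relative to exact realm entries that it also matches, because the mail body's setup relies on `subsub1.orgX.tld` winning over `^.*\.orgX\.tld$`; if that order is not guaranteed, the blackhole realm would swallow legitimately delegated realms.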
diff -ur freeradius-1.0.1/src/include/radiusd.h 
freeradius-1.0.1-rlm_regexp/src/include/radiusd.h
--- freeradius-1.0.1/src/include/radiusd.h  2004-09-09 16:31:06.0 
+0200
+++ freeradius-1.0.1-rlm_regexp/src/include/radiusd.h   2004-11-17 
14:47:41.0 +0100
@@ -35,6 +35,10 @@
 #include arpa/inet.h
 #endif
 
+#ifdef HAVE_REGEX_H
+#include regex.h
+#endif
+
 #include missing.h
 
 #define NO_SUCH_CHILD_PID (child_pid_t) (0)
@@ -139,6 +143,10 @@
int acct_active;
time_t  acct_wakeup;
int ldflag;
+#ifdef HAVE_REGEX_H
+   regex_t *regex;
+#endif
+
struct _realm   *next;
 } REALM;
 
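Review bot: making a member of `REALM` conditional on `HAVE_REGEX_H` changes the struct layout with the build configuration, so any module compiled against a different config.h will read `next` at the wrong offset. Prefer an unconditional `void *regex` (or a `regex_t *` behind a typedef) so the layout is fixed, and make sure every place that allocates a REALM sets the new member to NULL, since the cleanup in files.c tests it against NULL before freeing.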
@@ -328,6 +336,7 @@
 void   clients_free(RADCLIENT *cl);
 
 /* files.c */
+intrealm_find_cmp(const REALM *rlm, const char *realm);
 REALM  *realm_find(const char *, int);
 REALM  *realm_findbyaddr(uint32_t ipno, int port);
 void   realm_free(REALM *cl);
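Review bot: `realm_find_cmp` returns `int` and is named like strcmp, so callers will assume 0 means a match; add a comment next to the prototype stating the return convention (0 on match and non-zero otherwise, or true on match) and whether the comparison is case-insensitive on both the exact-name and the regexp path, since the proxy.conf comment promises case-insensitive regexp matching.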
diff -ur freeradius-1.0.1/src/main/files.c 
freeradius-1.0.1-rlm_regexp/src/main/files.c
--- freeradius-1.0.1/src/main/files.c   2004-04-06 22:43:49.0 +0200
+++ freeradius-1.0.1-rlm_regexp/src/main/files.c2004-11-17 
14:47:41.0 +0100
@@ -33,6 +33,10 @@
 #  include netinet/in.h
 #endif
 
+#ifdef HAVE_REGEX_H
+#  include regex.h
+#endif
+
 #include stdlib.h
 #include string.h
 #include netdb.h
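Review bot: this guarded `#include regex.h` duplicates the one this patch adds to radiusd.h under the same `HAVE_REGEX_H` guard; if files.c includes radiusd.h, drop one of the two so the guard has a single home.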
@@ -314,6 +318,12 @@
 
while(cl) {
next = cl-next;
+#ifdef HAVE_REGEX_H
+   if (cl-regex != NULL) {
+
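Review bot: the hunk is cut off after `if (cl-regex != NULL) {` (the `->` is lost in the mail rendering) in this posting, so the cleanup cannot be checked; because the member is a pointer to a compiled pattern, the body needs `regfree()` on it followed by `free()`, and should set it to NULL, otherwise the regex_t's internal buffers leak every time the realm list is rebuilt.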