RE: How to add a field to the reply that contains data from the request?

2004-12-04 Thread David Luyens
Could you share your config with us?

-Original message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Peter T. Breuer
Sent: Saturday 4 December 2004 4:38
To: [EMAIL PROTECTED]
Subject: Re: How to add a field to the reply that contains data from the
request?

"Thus spake Alan DeKok:"
> "Peter T. Breuer" <[EMAIL PROTECTED]> wrote:
> > I don't presently know where all this stuff should go, since I have
> > only been using the server for 30 mins, and am pleased to be able to
> > get it to work and respond! (I tried gnu-radius and gave up in horror).
> 
>   Any particular reason why?

The configuration was relatively painful! I actually liked freeradius's
config.  I had great trouble with gnu-radius. It may be the emacs/vi
users divide.

> > >If  the  request packet contains the attributes Service-Type and
> > >Framed-Protocol, with  the  given  values,
> > 
> > WHAT "given values"? Only one of them has a "given value" in the
> > example above. Framed-Protocol.
> 
>   I'm not sure why you would think that.

Because the other is in capital letters, called PPP, and does not begin
with an "x" or contain a "-", all things which would indicate
variables. It looks like a constant. PPP. If it is a variable, then it
does not look like one. It's the name of a well known protocol.

That's why I think that.

OTOH you have things that are obviously field names, because they
contain "-". Field names have been used forever as variables. They
are pointers to a value - i.e., variables. When you read
"Colour-Spectrum" you do not expect it to mean the string "Colour-Spectrum",
but instead a vector of real numbers.

> > Yecch. I hate bad writing. It's annoying.
> 
>   As always, patches are welcome.

Well, I'll do my best.

> > Etc. Unfortunately, failure to define Value ... the only hint that one
> > may use field names as Values is in the examples section.
> 
>   The values are up to you.  The type of value which is permitted is
> defined in the RADIUS RFC's, as each attribute is given a type.  See:
> 
>   http://www.freeradius.org/rfc/attributes.html

Sorry - failed writing. Reference out of immediate context. Use of term
before definition, etc. 

In technical writing one must define every special technical usage
("jargon") immediately before its first use.

In this case, now I have a little experience, I GUESS:

  Values on the rhs of an = may be either constants (strings in quotes)
  or variables (names which have been introduced before that point on
  the rhs of an ==).

  Values on the rhs of an ==  may be either constants (...) or
  variables (names which have NOT been introduced before that point
  on the rhs of an == or appeared in an = ...).

However, all my experiments failed to confirm that. What I finally had
success with was


 foo   bar =~ "^(.+)"
   gum = `%{0}`


Yay! Found in doc/variables.* !


>   The "field names" you're talking about are also defined in the
> RFC's.

Tough - if I have to read the rfc why should I read your manual page?
You can jolly well define what you are talking about! Writing is about
putting yourself in the shoes of your reader and guiding them to a
semantic understanding that matches yours. Anything else is arrogance -
i.e. a failure to take into account the other person.


> So "Framed-Protocol = PPP" is referencing two things:
> attribute, and value, both defined in the RFC's.
  ^ "variable" (not value).
   ^ respectively.

If you are going to start using the term "value" to mean a "variable",
then you are going to confuse everyone else in the world. Please stop
this private little joke now.

The proper linguistic name for the rhs of your "=" sign is a "term",
not surprisingly! You seem to allow terms that are either constants
(you may call THOSE "values"!) or variables.

Well, that the RHS _is_ a variable is not clear to me - what makes it so?
The lexical structure of the name (all caps? No "-"?)? Or the fact that
it has not yet appeared before on the rhs of a =? Or of a ==? Which?

>   Things like the proper value for IP addresses, or user names, aren't
> defined in any of the documentation, because they're up to you to
> determine.

You are using the word "value" in some way that I have never seen used
before.  I think you mean that the values taken by your variables may be
anything more or less, and you have set no restrictions beyond something
like "it's a string of no more than 256 chars".  Yes.  Well?

Why is that statement of interest?


> > No, I got the same response, but I really have no indication of what
> > reply is going out or if my new users entry matched anything. How does
> > one turn on some sort of debugging of the OUTGOING data?
> 
> $ radiusd -X

It doesn't show the reply. All that shows up is:

  auth: type Local
  auth: user supplied User-Password matches local User-Password
  Login OK: [ptb/cacsd1] (from client localhost port 0)
  Sending Access-Accept of id 10 to 1.

Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Peter T. Breuer
"Thus spake David Luyens:"
> Could you share your config with us?

I'm sure I could - but please note that I would be very grateful if you
did NOT quote a 200 line mail of mine (or someone else's) without
commenting on a word of it!  What was the point of attaching the stuff
below (apart from browning me off, showing your subtle disdain for what
had been written, etc?  :( )?

The above 6 words of yours are sufficient and complete in themselves,
surely!  Don't you trust them?


> -Original message-
> "Thus spake Alan DeKok:"
> > "Peter T. Breuer" <[EMAIL PROTECTED]> wrote:
> > > get it to work and respond! (I tried gnu-radius and gave up in horror).
> > 
> >   Any particular reason why?
> 
> The configuration was relatively painful! I actually liked freeradius's
> config.  I had great trouble with gnu-radius. It may be the emacs/vi
> users divide.

I recall now that gnu-radius didn't tell me HOW to configure it. While
freeradius nicely put a radiusd.conf file in an etc/raddb directory,
gnu-radius didn't - I had to trace it to see what it was looking for
(etc/raddb/config, if I recall), and then there was nothing anywhere in
the source called *conf* to try and construct a working example from!

The only thing I could see that looked likely was
examples/config.syntax.  And that says up top:

  ## -*- radconf -*-
  ## This file is intended to be an explanation on configuration syntax
  ## issues. It cannot possibly be used as a configuration file.


Nevertheless, I used it quite happily. The only thing was that it
complained about this line in the example:

 # DBM handling. Can be one of
 #   no  -   Never to use DBM database
 #   yes -   Use only DBM database and ignore users
 usedbm no;
 ^^

saying that the syntax was illegal. Shrug. Also it seemed to be
connected with something called guile, which I didn't really want to
get closer than a bargepole to. There was a whole section devoted to it.

Here's my search for config info:

  src/radius-1.3% find . -name \*conf\*
  ./doc/man/config.so.in
  ./doc/man/config.so
  ./doc/texinfo/config.texi
  ./doc/texinfo/configure.texi
  ./intl/config.charset
  ./raddb/client.conf.in
  ./raddb/config.in
  ./raddb/client.conf
  ./raddb/config
  ./tests/raddb/client.conf.in
  ./tests/raddb/config.in
  ./tests/proxy/client.conf.in
  ./tests/proxy/config.in
  ./tests/atconfig
  ./configure.ac
  ./config.h.in
  ./configure
  ./scripts/config.guess
  ./scripts/config.rpath
  ./scripts/config.sub
  ./scripts/config-conv
  ./scripts/config-conv.awk
  ./radiusd/config.c
  ./radiusd/config.y
  ./radiusd/.deps/config.Po
  ./radiusd/config.o
  ./elisp/radconf-mode.el
  ./db/config.m4
  ./examples/config.syntax
  ./examples/pam.conf
  ./contrib/radsend/paquetes.conf
  ./configure.lineno
  ./config.log
  ./config.status
  ./config.h


Then gnu-radius seemed to somehow pick up the dictionary definitions
from freeradius, possibly through some shared config file. It looked
like gnu-radius perhaps uses all the config file names that are
"deprecated" (but still exist) in freeradius. Anyway, it didn't like
any of freeradius' dictionary file syntax, having gone to the trouble
of finding and understanding the pointers to them! What *is* a
dictionary file, anyway?

All in all, a thoroughly nasty experience of incomprehension and
guesswork followed by refuted hypotheses. It took me about an hour of
struggle before I hit "make uninstall".

Freeradius, OTOH, conformed to preexisting biases and convictions about
how configuration should be done quite nicely. All that I have a
problem with is the incomplete writing in the radiusd.conf file (which,
however, I *LIKE*, and I like the writing there is! It's simply
incomplete).

Peter

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Peter T. Breuer
"Thus spake David Luyens:"
> Could you share your config with us?

Here is radiusd.conf. I have stripped every line that begins with " *#",
and every empty line.



 ---

prefix = /usr/home/ptb
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = yes
nospace_pass = yes
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 60
passwd = /etc/passwd
group = /etc/group
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP

use_mppe = no
with_ntdomain_hack = no
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}   
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
}
$INCLUDE  ${confdir}/sql.conf

radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
a

Re: Using external program for authentication

2004-12-04 Thread Nick 'TARANTUL' Novikov
Alan DeKok wrote:
> > But in this case freeradius will fork process on every request.
>
>   Yes.

It's not good, fork is very slow.
Can freeradius fork the external script at startup and send attributes to
it through a pipe without forking? (as in openradius)

--
TARANTUL


Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Alan DeKok
"Peter T. Breuer" <[EMAIL PROTECTED]> wrote:
> Because the other is in capital letters, called PPP, and does not begin
> with an "x" or contain a "-", all things which would indicate
> variables. It looks like a constant. PPP. If it is a variable, then it
> does not look like one. It's the name of a well known protocol.

  Ah.  That's why you're confused.  You're thinking "value ==
variable", when you should be thinking "attribute name = name of
variable, and values is the value of the variable."

  I can honestly say in nearly a decade of RADIUS work, this is the
first time I've seen someone make that confusion.

> OTOH you have things that are obviously field names, because they
> contain "-".

  Your assumptions are incorrect.  The "-" character is just another
character, and has no special meaning of "field name".  I have no idea
why you think it means a field name, but it doesn't mean that in
RADIUS.

> Field names have been used forever as variables. They
> are pointers to a value - i.e., variables. When you read
> "Colour-Spectrum" you do not expect it to mean the string "Colour-Spectrum",
> but instead a vector of real numbers.

  Your expectations are wrong.  Please correct them.

> In this case, now I have a little experience, I GUESS:
> 
>   Values on the rhs of an = may be either constants (strings in quotes)
>   or variables (names which have been introduced before that point on
>   the rhs of an ==).

  Your guess is wrong.  The values on the RHS are not variables, and
cannot be variables.  They are *values*.  They may be pre-defined
names, numbers, fixed strings, or references to variables.  But they
are NOT variables in and of themselves.

> However, all my experiments failed to confirm that.

  Because it's not true.

> What I finally had success with was
> 
> 
>  foo   bar =~ "^(.+)"
>    gum = `%{0}`

  Exactly.  The string in "gum" is a reference to a variable.  It is
not itself a variable.  "gum" is the name of a variable.

  Have you *ever* done any programming?  I have no idea why you would
make this elementary mistake.

> Tough - if I have to read the rfc why should I read your manual page?

  You're obviously confused about the difference between a
specification and an implementation.  The RFC's are the specification
of RADIUS, they define attribute names and values.  The FreeRADIUS
manuals describe one implementation of RADIUS, they reference the
RFC's.

  Are you really telling me that you expect us to copy all of the
RFC's into the FreeRADIUS manuals, and that you refuse to read the
RFC's because they're not in the FreeRADIUS manuals?  That's nonsense.

  It's a ridiculous attitude, and doubly so because the "doc"
directory in FreeRADIUS contains the RFC's.

> You can jolly well define what you are talking about! Writing is about
> putting yourself in the shoes of your reader and guiding them to a
> semantic understanding that matches yours. Anything else is arrogance -
> i.e. a failure to take into account the other person.

  The documentation in FreeRADIUS assumes that the reader is willing
to read the documentation and the RFC's.  It doesn't try to refute
every readers pre-defined notions about "field names", because that
would involve writing infinite amounts of documentation.

> > So "Framed-Protocol = PPP" is referencing two things:
> > attribute, and value, both defined in the RFC's.
>   ^ "variable" (not value).
>    ^ respectively.

  Read the RFC's.  The correct term is "value".  If you don't like it,
or you're unwilling to read the RFC's, I suggest you learn to deal
with the world not matching your expectations.
 
> If you are going to start using the term "value" to mean a "variable",
> then you are going to confuse everyone else in the world. Please stop
> this private little joke now.

  In almost a decade of working with RADIUS, you are the first person
to be confused about the difference between "value" and "variable".

> The proper linguistic name for the rhs of your "=" sign is a "term",
> not surprisingly! You seem to allow terms that are either constants
> (you may call THOSE "values"!) or variables.

  Well thank you ever so much for permission to call constants "values".

  But your assertion that the RHS can be a variable is simply wrong.

> > $ radiusd -X
> 
> It doesn't show the reply. All that shows up is:
> 
>   auth: type Local
>   auth: user supplied User-Password matches local User-Password
>   Login OK: [ptb/cacsd1] (from client localhost port 0)
>   Sending Access-Accept of id 10 to 1.2.3.4:4196
>   Finished request 0

  It's showing the reply.  If you don't understand what the reply is,
that's your problem.

> Now - I eventually managed to find out that was because there
> was NO (extra?) reply data going back.

  So you don't know that RADIUS is composed of packets containing
attributes.  You call it "extra" reply data.

  Geez, no wonder you're confused.  You're unwilling to read the
existing d
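
Alan's reply above rests on two points: a RADIUS reply is a packet of attributes (RFC 2865), and "Framed-Protocol = PPP" names an attribute and a dictionary-defined value, not a variable. The example below is mine, added here, and is not code from the thread or from FreeRADIUS: it encodes and decodes such packets with a stand-in dictionary, applies one hypothetical users-file style entry that copies a regex capture from the request into the reply the way the thread's `%{0}` reference does, and recomputes the Response Authenticator that a NAS must check before trusting an Access-Accept. The shared secret, the fixed Request Authenticator and the sample request are constructed.

```python
import hashlib
import hmac
import re
import struct

# Stand-in dictionary: a few RFC 2865 attributes, name -> (type, kind).
ATTRS = {"User-Name": (1, "string"), "Framed-Protocol": (7, "integer"),
         "Reply-Message": (18, "string"), "Calling-Station-Id": (31, "string")}
TYPE_TO_NAME = {t: n for n, (t, _) in ATTRS.items()}
# Named values: PPP is the dictionary name for Framed-Protocol integer 1, so
# "Framed-Protocol = PPP" is an attribute name plus a value, not a variable.
VALUES = {"Framed-Protocol": {"PPP": 1, "SLIP": 2}}
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# Hypothetical users-file style entry: a regex check item plus reply items that
# reference the captures as %{0} (whole match) .. %{8}, as in the thread.
USERS_ENTRY = {"check": ("Calling-Station-Id", r"^(\d+)$"),
               "reply": [("Reply-Message", "cli=%{1}"), ("Framed-Protocol", "PPP")]}

def encode_attr(name, value):
    """One Type-Length-Value attribute (RFC 2865 section 5)."""
    typ, kind = ATTRS[name]
    if kind == "integer":
        if isinstance(value, str):          # dictionary-named value such as PPP
            value = VALUES[name][value]
        data = struct.pack("!I", value)
    else:
        data = value.encode("utf-8")
    if len(data) > 253:
        raise ValueError("attribute value too long for one TLV")
    return struct.pack("!BB", typ, len(data) + 2) + data

def decode_attrs(blob):
    """Walk the TLV list, refusing lengths that would run past the packet."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        typ, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute length")
        data = blob[pos + 2:pos + length]
        name = TYPE_TO_NAME.get(typ, "Attr-%d" % typ)
        kind = ATTRS.get(name, (typ, "octets"))[1]
        if kind == "integer":
            if len(data) != 4:
                raise ValueError("integer attribute must be 4 bytes")
            number = struct.unpack("!I", data)[0]
            value = {v: k for k, v in VALUES.get(name, {}).items()}.get(number, number)
        else:
            value = data.decode("utf-8", "replace") if kind == "string" else data
        out.append((name, value))
        pos += length
    return out

def parse(packet):
    """Split a packet into code, identifier, authenticator and attribute list."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet size")
    return code, ident, packet[4:20], decode_attrs(packet[20:])

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def build_reply(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret);
    with no attributes the reply is still a complete 20 byte packet."""
    raw = build_packet(code, ident, request_auth, attrs)
    auth = hashlib.md5(raw[:4] + request_auth + raw[20:] + secret).digest()
    return raw[:4] + auth + raw[20:]

def verify_reply(reply, request_auth, secret):
    """A NAS recomputes the Response Authenticator before trusting an Accept."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)

def apply_entry(request_attrs, entry):
    """Regex-match the check item against the request; on success expand %{N}
    in string reply items from the captures. None means the entry did not match."""
    name, pattern = entry["check"]
    m = re.match(pattern, str(dict(request_attrs).get(name, "")))
    if not m:
        return None
    def capture(g):
        n = int(g.group(1))
        return (m.group(n) or "") if n <= (m.lastindex or 0) else ""
    return [(a, re.sub(r"%\{(\d)\}", capture, v) if ATTRS[a][1] == "string" else v)
            for a, v in entry["reply"]]

def demo(secret=b"testing123"):
    """Constructed round trip: request in, users entry applied, reply out."""
    request_auth = bytes(range(16))     # constructed; a real NAS sends random bytes
    request = build_packet(ACCESS_REQUEST, 10, request_auth,
                           [("User-Name", "ptb"), ("Calling-Station-Id", "2122852879")])
    _, ident, auth, req_attrs = parse(request)
    reply_attrs = apply_entry(req_attrs, USERS_ENTRY) or []
    reply = build_reply(ACCESS_ACCEPT, ident, auth, reply_attrs, secret)
    return reply, parse(reply)[3]
```

An Access-Accept with no attributes decodes to an empty list but still carries a valid Response Authenticator, which is the "Sending Access-Accept ... with nothing after it" case from the debug output above.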

Re: Using external program for authentication

2004-12-04 Thread Alan DeKok
Nick 'TARANTUL' Novikov <[EMAIL PROTECTED]> wrote:
> It's not good, fork is very slow.

  Yes.

> Can freeradius fork the external script at startup and send attributes to
> it through a pipe without forking? (as in openradius)

  No.

  Feel free to write a module which implements that, though.

  Alan DeKok.



WRT54G and Freeradius

2004-12-04 Thread Panagiotis Mavros
Hi
I want to configure freeradius and a Linksys WRT54G. I want EAP-MD5
authentication but as far as I have seen this AP has WPA
authentication (WPA/Radius). It seems to me very strange that I cannot use EAP,
so do I miss something? Can I use freeradius with WPA-AES or WPA_TKIP?
Thanks



Re: How to proxy authentication requests to simple radius?

2004-12-04 Thread Stefan . Neis
Alan DeKok wrote:
>
> [EMAIL PROTECTED] wrote:
> > Otherwise, it should theoretically be possible to "translate"
> > PEAP-MSCHAPv2 to plain MSCHAPv2 and use that for
> > communication with your "simple radius" server - however,
> > that still requires writing suitable code
>
>   In eap.conf, peap{} subsection, set
>
>  proxy_tunneled_request_as_eap = no
>
>   and the server will proxy the inner tunnel EAP-MSCHAPv2 as normal
> MS-CHAPv2.
>
>   It's not widely tested, which is why it's not documented as working.

Is it available in 1.0.x or CVS only?

> > I'm currently working at "translating" EAP-MD5 to CHAP).
>
>   Follow the magic code above.  A patch would be welcome.

It will take some time as I'm just spending the time on it I manage to
"steal" elsewhere, but if you're patient, I will submit a patch.

Thanks for the hint about the "magic code", that will certainly simplify
things for me. :-)

Regards,
Stefan






Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Peter T. Breuer
"Thus spake Alan DeKok:"
> "Peter T. Breuer" <[EMAIL PROTECTED]> wrote:
> > Because the other is in capital letters, called PPP, and does not begin
> > with an "x" or contain a "-", all things which would indicate
> > variables. It looks like a constant. PPP. If it is a variable, then it
> > does not look like one. It's the name of a well known protocol.
> 
>   Ah.  That's why you're confused.  You're thinking "value ==
> variable", when you should be thinking "attribute name = name of

No I am not. I am thinking 

  x = 1

where x is "Whatever-It-Is" and 1 is "PPP", in this case.

> variable, and values is the value of the variable."

I have no idea why you think that is not what I am thinking of! It is
perfectly simple: PPP is written in all caps. That makes it a literal
constant in almost all languages known to mankind. What's more, it IS a
literal constant! PPP IS the name of a well known protocol. You would
get the same instinctive response out of me if you wrote


  Person = PETER

!!

>   I can honestly say in nearly a decade of RADIUS work, this is the
> first time I've seen someone make that confusion.

What confusion?  I really don't see why you don't see it ..  You write
something that looks like "x = 1" and now ask me to believe that "1" is a
variable?

> > OTOH you have things that are obviously field names, because they
> > contain "-".
> 
>   Your assumptions are incorrect.  The "-" character is just another

I am not assuming anything, I am _telling_ you that about the only place
anyone uses - signs in identifiers is in cobol and jcl record field
names, and other languages which share portions of the same evolutionary
history.

> character, and has no special meaning of "field name". 

Oh yes it does. I'm afraid the rest of the universe disagrees with you!
We use conventions for a reason, no?


> I have no idea
> why you think it means a field name, but it doesn't mean that in
> RADIUS.

Will you PLEASE step outside of the tiny universe you have built for
yourself, in which some things are upside down, and instead COMMUNICATE?
Communication involves using a standard language, with standard
semantics.  If you don't use it, YOU are in the wrong, not the
rest of the universe.

To the rest of the universe, Foo-Bar-Gum is a field name, and I see no
reason to suppose from what you say that that is not its semantics here!
Field name is a perfectly good name for it!  What else are you
suggesting it is?  Does it not appear in the records that are sent to
and fro by the protocol?  Does it not bind a value at runtime?  Well,
then it is a field name.


> > Field names have been used forever as variables. They
> > are pointers to a value - i.e., variables. When you read
> > "Colour-Spectrum" you do not expect it to mean the string "Colour-Spectrum",
> > but instead a vector of real numbers.
> 
>   Your expectations are wrong.  Please correct them.

I don't know what you mean. But ONE of us is the author of several
languages, and the other is not.


> > In this case, now I have a little experience, I GUESS:
> > 
> >   Values on the rhs of an = may be either constants (strings in quotes)
> >   or variables (names which have been introduced before that point on
> >   the rhs of an ==).
> 
>   Your guess is wrong.  The values on the RHS are not variables, and
> cannot be variables.  They are *values*.

Will you please stop using that word? They are TERMs! Just as they have
always been in computing languages. Your terms may be either literal
constants or variables, it appears. That's fine. Now please stop
calling them "values"! That you don't define what you mean by "value"
is part of the trouble! It's a meaningless word as you use it. To the
rest of the universe, a value is what you find as an element of a
domain. The domain of real numbers has values that are real numbers. A
variable that ranges across the domain of reals will have value that is
a real number, etc.

I suspect that your computational domain is "strings". I suspect that
the TERMS on the right hand side of your = signs may be either literal
constants with VALUE a string, or VARIABLES with VALUE a string. Or
compound terms.

There's no need for mystery! It just takes a simple yes or no from you.

But if you were to explain yourself clearly then you would save other
people hours of time.

> They may be pre-defined
> names, numbers, fixed strings, or references to variables.  But they
> are NOT variables in and of themselves.

And nobody said they were. Unless you want to redefine "is"! Because A
IS a B does not imply that B IS an A! That PPP is a variable does not
imply that whatever is on the rhs of an == must be a variable, just as
I said, as you can read above.


> > However, all my experiments failed to confirm that.
> 
>   Because it's not true.

It is true, according to what the docs seem to say and other participants
in this thread.  Are you suggesting that PPP is instead a constant (as I
believed)?  Not that I am interested, bu

Re: WRT54G and Freeradius

2004-12-04 Thread Zoltan A. Ori
On Saturday 04 December 2004 13:19, Panagiotis Mavros wrote:
> Hi
> i want to configure freeradius and Linksys WRT54G . I want EAP-MD5
> authentication but as fas as i have seen this AP has WPA
> authentication(WPA/Radius). 

EAP-MD5 is not offered for wireless ports on any equipment of which I am 
aware. Your supplicant will probably not give you the option either. You may 
use it for wired ports, though probably not on your Linksys.

>It seems to me very strange that i cannt use
> EAP so do i miss something? Can i use freeradius with WPA-AES or WPA_TKIP?

Yes, you've missed something. Read the documentation of the AP and freeradius. 
Freeradius works fine for this and will most likely work immediately upon 
install after only some very small configuration.

Whether you use WPA AES or TKIP is between your AP and supplicant. Radius 
doesn't care about that.

Zoltan Ori




Authentication Problem

2004-12-04 Thread Rafael Gómez



Every time a user tries to connect the answer is the following:

rad_recv: Access-Request packet from host 209.127.82.2:1645, id=189, length=94
        NAS-IP-Address = 209.127.82.2
        NAS-Port = 40
        NAS-Port-Type = Virtual
        User-Name = "rgomez"
        Called-Station-Id = "9933"
        Calling-Station-Id = "2122852879"
        User-Password = "zqn58ifm"
        Service-Type = Framed-User
        Framed-Protocol = PPP
rlm_eap: EAP-Message not found
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'rgomez' ORDER BY id
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'rgomez' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'rgomez' ORDER BY id
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'rgomez' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
Login OK: [rgomez/zqn58ifm] (from client cantv port 40 cli 2122852879)
Sending Access-Accept of id 189 to 209.127.82.2:1645
        Framed-Protocol := PPP
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP
        Idle-Timeout = 62000
 
As you can see there is not an accounting answer. In the user's computer the access is denied; I don't
know why. I tested the radius server with radtest locally and ntradping remotely.
Both of them work well. The problem is when I try to dial and authenticate via
that server. I installed another server and I have the same.

Anyone who can help?

Thanks in advance

Rafael Gomez
CCOM Venezuela
[EMAIL PROTECTED]
tel: 58-212-286.06.63  fax: 58-212-286.17.19



Re: WRT54G and Freeradius

2004-12-04 Thread Panagiotis Mavros

> Yes, you've missed something. Read the documentation of the AP and
> freeradius.
> Freeradius works fine for this and will most likely work immediately upon
> install after only some very small configuration.
> Whether you use WPA AES or TKIP is between your AP and supplicant. Radius
> doesn't care about that.

AP and freeradius use EAP over Radius when I configure the AP to use
WPA-Radius authentication? I don't get it.
I have Windows XP as client, WRT54G as AP and freeradius as AAA server. I
want to use 802.1X authentication with EAP. The AP gives me WPA-Radius with
TKIP or AES. The XP client supports WPA. What about freeradius? What
authentication scheme must I use in the radius conf? EAP?
Sorry to bother you but I am very confused.



Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Alan DeKok
"Peter T. Breuer" <[EMAIL PROTECTED]> wrote:
> I am not assuming anything, I am _telling_ you that about the only place
> anyone uses - signs in identifiers is in cobol and jcl record field
> names, and other languages which share portions of the same evolutionary
> history.

  RADIUS isn't a language.  It's a protocol.

> I don't know know what you mean. But ONE of us is the author of several
> languages, and the other is not.

  One of us knows something about RADIUS.  The other does not.

  I don't care what Cobol or JCL does.  They're not RADIUS.

> I expect variable names in lower case, always - "ppp" would be a
> variable.

  Your expectations are wrong.  In many computer languages, upper-case
words are perfectly valid variable names.  Lower-case words are
perfectly valid constants.

> You are supplying the implementation, therefore we need to know how
> to deal with your tool, not how to deal with the RFC.

  The RFC's define the terms under discussion.  If you do not
understand the terms under discussion, you will not understand
FreeRADIUS.  The FreeRADIUS documentation does not re-define the terms
under discussion, because it can simply reference the RFC's.

> No - I am expecting you to behave less like a hot headed obstinate dummy
> and more like the intelligent human being that I expect and fully
> believe that you are.  If *I* say that your documentation is
> incomprehensible in parts, it *is*.

  Perhaps you missed my point where I said you were the only person
I've come across who's had this particular problem.

> I have no idea what it contains, since I have not looked. Are you
> seriously suggesting that I should take some hours (well minutes)
> out of my life to make up for the lack of explanation in your docs?

  If you are not willing to read the RFC's to learn the concepts
implemented in FreeRADIUS, you will never succeed in configuring it to
do anything.

> I am not confused, thank you, you are. And the reason is probably that
> you have been working with radius for a decade.

  I can believe you, or I can believe the RADIUS specification.

  The RADIUS specification describes RADIUS.  If you don't like it,
complain to the authors of the RFC's.  But the terms defined in the
specifications are the terms everyone uses when discussing RADIUS.
Your opinions in the matter are less than relevant.

> My experiment seems to show that the rhs of a = sign is a constant,
> which has a value of course, when it is interpreted by radius.  But
> your examples in the docs seem to show the opposite.

  You are confused as to what the docs say.  You are interpreting them
in the most imaginative possible way.  No amount of documentation can
fix that particular problem.

> >   It's showing the reply.  If you don't understand what the reply is,
> > that's your problem.
> 
> Then why is it showing a different reply below?
> 
> Because it is NOT saying "I sent no response" here! It should.

  When you don't get mail, does the post office send you a letter
saying "you didn't get mail today?"

  Please stop trying to change the RADIUS specification.  You can't.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WRT54G and Freeradius

2004-12-04 Thread Zoltan A. Ori
On Saturday 04 December 2004 14:33, Panagiotis Mavros wrote:

> AP and freeradius use EAP over Radius when I configure the AP to use
> WPA-Radius authentication? I don't get it.

Check the documentation on the AP to be sure, but that's usually the way it 
is.

> I have Windows XP as client, WRT54G as AP and freeradius as AAA server. I
> want to use 8021X authentication with EAP. The AP gives me WPA-Radius with
> TKIP or AES. XP client supports WPA. What about freeradius? What
> authentication scheme must I use in radius conf? EAP?
> Sorry to bother you but I am very confused
>
You will use EAP-TLS, MSCHAP, PEAP and MSCHAPv2 in the radiusd.conf, WPA TKIP (or AES) on the AP, and WPA TKIP (or AES) along with PEAP and MSCHAPv2 on the XP supplicant.

This link is on freeradius.org. It explains it much better than I am able. The supplicant is Linux but everything works the same.

http://tldp.org/HOWTO/8021X-HOWTO/index.html

Regards,
Zoltan




Re: Still problems with usernames containing "%" ?

2004-12-04 Thread Gerald Krause
Alan DeKok wrote:
Gerald Krause <[EMAIL PROTECTED]> wrote:
Are there still problems in v1.0.1, when using usernames like "user1%test":

  I've put a fix into CVS, and will also put it into 1.0.2.
  It's not *perfect*, but it will now avoid 99.999% of the cases
people care about.
Ok, I'll try it. Thx Alan!
--
Gerald


Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Stefan . Neis
Hi,

> > character, and has no special meaning of "field name".
>
> Oh yes it does. I'm afraid the rest of the universe disagrees with you!
> We use conventions for a reasonm, no?

Right. Notice however, that there are many different and sometimes contradicting
conventions. Would you agree that it is perfectly reasonable for a RADIUS
implementation (and its documentation) to use the conventions that are detailed in
the RADIUS RFC and not some other arbitrary set of conventions?

> Will you PLEASE step outside of the tiny universe you have built for
> youself, in which some things are upside down, and instead COMMUNICATE?

That's what he is trying to do. However, you refuse to have a look at the
about fifty pages which exactly define the conventions to be used when talking
about RADIUS (namely the RFC). Yes, personally I also found the terminology
somewhat confusing initially, but it will certainly start to be much more confusing
if every implementor (or even every user) starts to insist on its own conventions.
That's a guaranteed way to make communication impossible.

> Communication involves using a standard language, with standard
> semantics.  If you don't don't use it, YOU are in the wrong, not the
> rest of the universe.

Sorry, in that case, it's YOU who is trying to use a private language unrelated
to RADIUS. The rest of the universe, when talking about RADIUS, is using the words
defined in the RADIUS RFC. You're making up your own ones based on your "superior
intuition". Sorry, but I feel like you're trying to use PASCAL syntax and complaining
about a C compiler rejecting stuff as invalid.

> To the rest of the universe, Foo-Bar-Gum is a field name, and I see no
> reason to suppose from what you say that that is not its semantics here!

RADIUS (i.e. the RFC) defines dozens, probably even hundreds of values which do
look like this. PPP, Framed-User, Session-Timeout, etc., all those are so called
values. And e.g. User-Name, Framed-IP-Address, NAS-Port are so called attributes.
And the only way to find out which one is which one is to either know everything
relevant for you by heart, or to look it up in the so called dictionaries.
Yes, all this is "ugly", but it also is _very_ flexible, which obviously was a
key point to the people who invented the RADIUS protocol and wrote the RFC.

> Field name is a perfectly good name for it!

Except that no one uses it when talking about RADIUS. There are "attributes" and
"values", nothing else.

> I don't know know what you mean. But ONE of us is the author of several
> languages, and the other is not.

That probably explains why you're trying to insist on using your own language
in a context where everybody else is using the language described in the
RADIUS RFC.

> >   Your guess is wrong.  The values on the RHS are not variables, and
> > cannot be variables.  They are *values*.
>
> Will you please stop using that word? They are TERMs!

Will YOU please accept that in RADIUS, the things on the right hand side are
called values and nothing else? That's how the inventors of the protocol chose
to name those things. Would you tell my parents (and everybody else) to please
not call me Stefan because all male kids should be named Peter? I guess not...

> That you don't define what you mean by "value"
> is part of the trouble!

Could you please have a look at the simple introduction to "the RADIUS language",
i.e. the RFC? It's going through dozens of pages and samples to define the meaning
of "attribute" and "value".

> It's a meaningless word as you use it.

It's well defined in the context of RADIUS (contrary to "TERM","Field name" and
various other words you mentioned which you left completely unclear).

> To the rest of the universe, a value is what you find as an element of a
> domain. The domain of real numbers has values that are real numbers.

Exactly. And e.g. the RADIUS attribute Service-Type has values that are in
{ Login-User, Framed-User, Dialback-Login-User, Dialback-Framed-User,
  Dialout-Framed-User, Outbound-User, Shell-User}.
I might have missed other possible values. Do you see, how the term value
is completely justified?

> I suspect that your computational domain is "strings".

No, it's rather "elements defined in the dictionary".

> I suspect that
> the TERMS on the right hand side of your = signs may be either literal
> constants with VALUE a string, or VARIABLES with VALUE a string. Or
> compound terms.
>
> There's no need for mystery! It just takes a simple yes or no from you.

Sorry, I'm lost in your wording and can't answer the question. :-(

> It is true, according to what the docs seem to say and other participants
> in this thread.  Are you suggesting that PPP is instead a constant (as I
> believed)?

Yes. It's a value. If it helps to clarify things, on the byte level, "PPP" is
represented by a 32-bit-integer with value 0x0001 (in network byte order).

> Not that I am interested, but here is what your docs say:
>
>
>  DEFA

Re: WRT54G and Freeradius

2004-12-04 Thread Justin Guidroz
I have had success with EAP-TLS and EAP-TTLS with a Linksys WRT54G and
Mac OS X Server backend and Mac OS X client.

For the WRT54G, set it to WPA-Radius, and put in your radius server IP
along with passphrase.  On your radius server, add an entry in the
clients.conf file for your router with ip and the secret you put in
the router.  This will let your AP talk to the Radius server.  In
radiusd.conf, just set up what type of EAP authentication you want to
use.  It's very well documented.


On Sat, 4 Dec 2004 15:21:59 -0500, Zoltan A. Ori <[EMAIL PROTECTED]> wrote:
> On Saturday 04 December 2004 14:33, Panagiotis Mavros wrote:
> 
> > AP and freeradius use EAP over Radius when I configure the AP to use
> > WPA-Radius authentication? I don't get it.
> 
> Check the documentation on the AP to be sure, but that's usually the way it
> is.
> 
> > I have Windows XP as client, WRT54G as AP and freeradius as AAA server. I
> > want to use 8021X authentication with EAP. The AP gives me WPA-Radius with
> > TKIP or AES. XP client supports WPA. What about freeradius? What
> > authentication scheme must I use in radius conf? EAP?
> > Sorry to bother you but I am very confused
> >
> You will use EAP-TLS, MSCHAP, PEAP and MSCHAPv2 in the radiusd.conf, WPA TKIP
> (or AES) on the AP, and WPA TKIP (or AES) along with PEAP and MSCHAPv2 on the
> XP supplicant.
> 
> This link is on freeradius.org. It explains it much better than I am able. The
> supplicant is linux but everything works the same.
> 
> http://tldp.org/HOWTO/8021X-HOWTO/index.html
> 
> Regards,
> Zoltan
> 


-- 
Justin Guidroz



Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Peter T. Breuer
"Also sprach [EMAIL PROTECTED]:"
> Right. Notice however, that there are many different and sometimes contradicting
> conventions. Would you agree that it is perfectly reasonable for a RADIUS
> implementation (and its documentation) to use the conventions that are detailed in
> the RADIUS RFC and not some other arbitrary set of conventions?

If those are in contradiction with the normal usage of the word in
question in the rest of the intellectual universe, no, most definitely
and absolutely not.  You should resist and oppose the use of speech
that is at variance with normal understanding (or find out next time
that you receive a government letter that by "date of reception" they
mean the date THEY sent it, not the date you received it ...).

But is it the case?

I don't know it is, and I really don't plan on reading the rfc to find
out. I haven't been able to make much sense of what has been said in
the thread so far, as it seems wildly inconsistent.  Oh, OK, I'll read
just a little ... mmmmmma. You have included 32 rfc's!

Are you kidding?

Hmmm ... 2058 might be it.


Well, as everyone could have guessed, they talk about "fields".

   A summary of the RADIUS data format is shown below.  The fields
   are transmitted from left to right.


They then switch to calling them "attributes", for no good reason.

 Many Attributes may have multiple instances, in such a case the

I presume that is because attributes are what is called "variable type"
fields. That is, the kind is designated by a code at the start of the
field. However, it is undefined. The very first use of the word
"attribute" in the file is:

 All transactions are comprised of variable length Attribute-
 Length-Value 3-tuples.  New attribute values can be added without
 disturbing existing implementations of the protocol.

So there is right there a use of an undefined term. Fail.

The second use of the word is:

Once the client has obtained such information, it may choose to
authenticate using RADIUS.  To do so, the client creates an "Access-
Request" containing such Attributes as the user's name, the user's
password, ...

So again, use without definition. This is very poorly written.

I particularly like this one (at end of 4.3):

   Attributes

 The Attribute field is variable in length, and contains a list
 of zero or more Attributes.

!!! Yeah. Are they trying to make a pastiche comedy sketch takeoff of
themselves?

What they MEAN is that there is a contiguous (trailing) area of a packet 
called the AttributeS (note the S) "field". And unsurprisingly it
contains a contiguous sequence of areas each of which they describe as
"an Attribute".  The number of those is not fixed from packet to packet,
and I presume there are as many in each packet as will fit in the length
stated via the contents of a certain fixed earlier field of the packet.

Hic.

Doesn't it make a difference when somebody writes properly?

I still don't know the on-the-wire format of "an Attribute", though!
Aha ...

 A summary of the Attribute format is shown below

About time! Page 17!

A one-byte type field. So there are only certain fixed field-names?
Up to 256 of them. Only 63 are defined. There's a 1-byte length
following the type, so the field can be a string of up to 256 chars
(well, 253, I suppose). Well, it appears the values in the "Attributes"
can come from a union type of strings (yes, 253), ip addresses, 32 bit
ints, and time. They don't say if the int is signed, or indeed
how its bits are ordered within a byte.
   
So indeed, I was right, you do have "field names". They are precisely
the ones I thought they were:

  1  User-Name
  2  User-Password
  3  CHAP-Password
  4  NAS-IP-Address
  5  NAS-Port
  ...
 

So I guess you can have variables that simply have any name except
those, if you have variables. Do you?

Gawd ... then there is an extremely boring listing of the packet layout
of each of the kinds of field!


Let me skip.

Uhhh .. I think it stops around page 58.


Now I still don't know anything about your use of the words value and
variable and so on, or what you have in your little language, but I can
tell you that what I saw in the RFC was entirely standard and had
NOTHING WHATSOEVER TO DO with your language, except for the one point:
that you seem to have preserved the field names ("attribute type" names)
used in the RFC in your language.

That's all, and you didn't have to.

Anyway, I can say that their usages are fairly normal. The rfc is about
normal for an rfc - it's fairly badly written, but that is the norm for
such things. 


Now I still don't know what your terminology is or where it comes from,
and I am not going to read the other 31 rfcs to find out. You can
describe your configuration language.

Why should *I* do this work for you?


Do you want me to look for uses of the word "value" in the rfc?


>

Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Peter T. Breuer
"Also sprach Alan DeKok:"
> > Then why is it showing a different reply below?
> > 
> > Because it is NOT saying "I sent no response" here! It should.
> 
>   When you don't get mail, does the post office send you a letter
> saying "you didn't get mail today?"

If I ask them to tell me when I get a reply, yes, I DO expect them to
say "you did not get a reply". 

Or in this case - "you sent out a reply with no attribute fields in
it" (which is what I presume happened).

>   Please stop trying to change the RADIUS specification.  You can't.

I'm not. Please stop trying to use a very inappropriate excuse that
does you no favours.

Peter



Problem with FreeRadius

2004-12-04 Thread Carl
When starting radius, I get the following... any ideas?
radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = yes
unix: passwd = "/etc/passwd"
unix: shadow = "/etc/shadow"
unix: group = "/etc/group"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
HASH:  Reinitializing hash structures and lists for caching...
 HASH:  user root found in hashtable bucket 11726
 HASH:  user bin found in hashtable bucket 86651
 HASH:  user daemon found in hashtable bucket 11668
 HASH:  user adm found in hashtable bucket 26466
 HASH:  user lp found in hashtable bucket 54068
 HASH:  user sync found in hashtable bucket 42895
 HASH:  user shutdown found in hashtable bucket 71746
 HASH:  user halt found in hashtable bucket 7481
 HASH:  user mail found in hashtable bucket 79471
 HASH:  user news found in hashtable bucket 5375
 HASH:  user uucp found in hashtable bucket 38541
 HASH:  user operator found in hashtable bucket 21748
 HASH:  user games found in hashtable bucket 47657
 HASH:  user gopher found in hashtable bucket 47357
 HASH:  user ftp found in hashtable bucket 56226
 HASH:  user nobody found in hashtable bucket 99723
 HASH:  user rpm found in hashtable bucket 72383
 HASH:  user vcsa found in hashtable bucket 25959
 HASH:  user nscd found in hashtable bucket 36306
 HASH:  user sshd found in hashtable bucket 71560
 HASH:  user rpc found in hashtable bucket 72373
 HASH:  user rpcuser found in hashtable bucket 552
 HASH:  user nfsnobody found in hashtable bucket 51830
 HASH:  user pcap found in hashtable bucket 55326
 HASH:  user mailnull found in hashtable bucket 78086
 HASH:  user smmsp found in hashtable bucket 13600
 HASH:  user apache found in hashtable bucket 26582
 HASH:  user squid found in hashtable bucket 62826
 HASH:  user webalizer found in hashtable bucket 3037
 HASH:  user dbus found in hashtable bucket 68880
 HASH:  user xfs found in hashtable bucket 17213
 HASH:  user ntp found in hashtable bucket 21418
 HASH:  user gdm found in hashtable bucket 50360
 HASH:  user carl found in hashtable bucket 91900
 HASH:  user engt found in hashtable bucket 38574
 HASH:  user mailman found in hashtable bucket 53563
 HASH:  user www found in hashtable bucket 30987
 HASH:  user radiusd found in hashtable bucket 55046
HASH:  Stored 38 entries from /etc/passwd
HASH:  Stored 46 entries from /etc/group
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange 

RE: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Anson Rinesmith
>Well, as everyone could have guessed, they talk about "fields".

>   A summary of the RADIUS data format is shown below.  The fields
>   are transmitted from left to right.


>They then switch to calling them "attributes", for no good reason.

If you were REALLY comprehending the document, then you would have realized
that fields are used to describe parts of an attribute. This is even under
the description of ATTRIBUTES!
ATTRIBUTE 5.1 USERNAME has 3 fields - Type, Length and String
Description

 This Attribute indicates the name of the user to be authenticated.
 It is only used in Access-Request packets.

   A summary of the User-Name Attribute format is shown below.  The
   fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Type

 1 for User-Name.

   Length

 >= 3

   String

 The String field is one or more octets.  The NAS may limit the
 maximum length of the User-Name but the ability to handle at least
 63 octets is recommended.


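The wire format the last few posts argue over (Stefan's "PPP is a 32-bit integer with value 1 in network byte order", Peter's one-byte type, one-byte length and at most 253 octets of data, and the User-Name layout quoted above) as an added example in Python. This is illustration code, not FreeRADIUS's own, and the dictionary and named values are a small hand-written subset of the RFC 2865 tables; the attribute list in `demo()` is constructed for the example.

```python
"""Encode and decode RADIUS attributes as RFC 2865 Type-Length-Value triples.

Added illustration code (not part of FreeRADIUS).  The dictionary below is a
hand-picked subset of the RFC 2865 attribute and value tables.
"""
import ipaddress
import struct

# attribute code -> (name, data type); subset of the RFC 2865 table
ATTRIBUTES = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    6: ("Service-Type", "integer"),
    7: ("Framed-Protocol", "integer"),
    27: ("Session-Timeout", "integer"),
}
NAME_TO_CODE = {name: code for code, (name, _) in ATTRIBUTES.items()}

# Named values of integer attributes.  "PPP" is a value, not a variable: it
# stands for the 32-bit integer 1 inside the Framed-Protocol attribute.
VALUES = {
    "Framed-Protocol": {"PPP": 1, "SLIP": 2},
    "Service-Type": {"Login-User": 1, "Framed-User": 2, "Outbound-User": 5},
}
VALUE_NAMES = {attr: {num: name for name, num in table.items()}
               for attr, table in VALUES.items()}

# Length is one octet and counts the Type and Length octets too, so the
# data part of one attribute can be at most 253 octets.
MAX_DATA = 253


def encode_attribute(name, value):
    """Return the Type, Length and data octets for one attribute."""
    code = NAME_TO_CODE[name]
    kind = ATTRIBUTES[code][1]
    if kind == "string":
        data = value.encode("utf-8")
    elif kind == "ipaddr":
        data = ipaddress.IPv4Address(value).packed
    elif kind == "integer":
        if isinstance(value, str):          # named value from the dictionary
            value = VALUES[name][value]
        data = struct.pack("!I", value)     # 32-bit, network byte order
    else:
        raise ValueError("unsupported type %r" % kind)
    if len(data) > MAX_DATA:
        raise ValueError("%s: %d octets of data, RFC 2865 allows %d"
                         % (name, len(data), MAX_DATA))
    return struct.pack("!BB", code, len(data) + 2) + data


def decode_attributes(buf):
    """Walk the Attributes area of a packet and return (name, value) pairs.

    Every Length is checked against the octets actually present, so a
    forged or truncated Length cannot make the parser read past the buffer.
    """
    pairs = []
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 2:
            raise ValueError("truncated attribute header at offset %d" % offset)
        code, length = struct.unpack_from("!BB", buf, offset)
        if length < 2 or offset + length > len(buf):
            raise ValueError("bad Length %d at offset %d" % (length, offset))
        data = buf[offset + 2:offset + length]
        offset += length
        name, kind = ATTRIBUTES.get(code, ("Attr-%d" % code, "octets"))
        if kind == "string":
            value = data.decode("utf-8", "replace")
        elif kind == "ipaddr" and len(data) == 4:
            value = str(ipaddress.IPv4Address(bytes(data)))
        elif kind == "integer" and len(data) == 4:
            number = struct.unpack("!I", data)[0]
            value = VALUE_NAMES.get(name, {}).get(number, number)
        else:
            value = data.hex()              # unknown type or odd size: raw octets
        pairs.append((name, value))
    return pairs


def demo():
    """Build the attribute list of a small (constructed) Access-Request and decode it."""
    wire = b"".join([
        encode_attribute("User-Name", "peter"),
        encode_attribute("Service-Type", "Framed-User"),
        encode_attribute("Framed-Protocol", "PPP"),
        encode_attribute("NAS-IP-Address", "192.0.2.10"),
    ])
    return wire, decode_attributes(wire)


if __name__ == "__main__":
    wire, pairs = demo()
    print(wire.hex())
    for name, value in pairs:
        print("%s = %s" % (name, value))
```

Running it prints the hex of the four attributes and decodes them back to `Framed-Protocol = PPP` and friends; the Length check in `decode_attributes` is the part a server must never skip, since the Length octet comes from the network.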


RE: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Anson Rinesmith

>I particularly like this one (at end of 4.3):

>   Attributes

> The Attribute field is variable in length, and contains a list
> of zero or more Attributes.

>!!! Yeah. Are they trying to make a pastiche comedy sketch takeoff of
>themselves?

Section 4 is clearly describing PACKETS, a packet has fields. A field in a
packet that is transmitted can be an ATTRIBUTE. True, it is a recursive
definition, but this is not a difficult concept. Like an element in an ARRAY
containing an ARRAY that has elements. Did you actually read the whole RFC,
or just search for the word field and attribute, and go from there?




Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Peter T. Breuer
"Also sprach Anson Rinesmith:"
> >Well, as everyone could have guessed, they talk about "fields".
> 
> >   A summary of the RADIUS data format is shown below.  The fields
> >   are transmitted from left to right.
> 
> 
> >They then switch to calling them "attributes", for no good reason.
> 
> If you were REALLY comprehending the document, then you would have realized
> that fields are used to describe parts of an attribute. This is even under

Thanks, but I know what fields are.  Yes, they "are" parts of an
attribute too.  Just as cows are animals.  But that does not make
animals into cows.

"Fields" are areas of a record. Since attributes are implemented as a
variable type value, that value needs to have space for two things:

   1) a type designator ("int", "char", "string253", etc.), that
      specifies how the data area should be interpreted
   2) a datum.

So you can see that attributes are values that themselves are records
with two fields in them. Nevertheless, they (attributes) are (comprise)
fields in a record - the packet sent in the protocol.

What is the problem? You can have a record with fields that hold complex
values. Those complex values are records with two fields in them - they
hold a real value and an imaginary value, respectively.  Nobody is
confused by the idea that a field has fields.  That does not make that
field stop being a field!

So what are you shouting about?

My point was only that they started talking about "attributes" without 
defining what they meant by the term. I presume they meant "named
field of a record", from what I saw they had been talking about until
then.  But perhaps they meant something else.  Whatever they meant, they
did not say.

> the description of ATTRIBUTES!

Please - do not mistake your problems for mine!

Peter



Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Peter T. Breuer
"Also sprach Anson Rinesmith:"
> 
> >I particularly like this one (at end of 4.3):
> 
> >   Attributes
> 
> > The Attribute field is variable in length, and contains a list
> > of zero or more Attributes.
> 
> >!!! Yeah. Are they trying to make a pastiche comedy sketch takeoff of
> >themselves?
> 
> Section 4 is clearly describing PACKETS, a packet has fields. A field in a
> packet that is transmitted can be an ATTRIBUTE. True, it is a recursive
> definition, but this is not a difficult concept. Like an element in an ARRAY

No it is not a recursive definition.  They, like you, have confused
themselves between Attribute without an s and Attributes with an s.
Read more carefully.  They have written it wrongly.  They MEANT to
write:

  Attributes

The "Attributes" field is variable in length, and contains a list
of zero or more "Attribute" fields.

See the difference?  I won't explain it again.

> containing and ARRAY that has elements. Did you actually read the whole RFC,
> or just search for the word field and attribute, and go from there?

I actually read the whole rfc, unlike some people. But I don't see why
you should think I should!

Peter



Re: Problem with FreeRadius

2004-12-04 Thread Jason Lixfeld
Yes, -X is telling you that TLS is configured incorrectly.  Read the 
documentation on TLS and you will find out exactly where your problem 
is.

On Dec 4, 2004, at 7:52 PM, Carl wrote:
tls: certificate_file = "(null)"
...
...
...
rlm_eap_tls: Error reading certificate file

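As an added illustration of what Jason means by -X telling you where the problem is, here is a small Python triage script (not FreeRADIUS code) that reads `radiusd -X` startup output, collects the `module: key = value` lines into a table and reports unset TLS settings together with `rlm_*` error lines. The sample output is constructed from lines in Carl's post and Jason's reply; the `private_key_file` and `CA_file` lines are assumed (they are the FreeRADIUS 1.x eap.conf setting names) and do not appear on this page.

```python
"""Triage radiusd -X startup output: find unset TLS settings and module errors.

Added illustration code, not part of FreeRADIUS.  SAMPLE_DEBUG is constructed
from lines in Carl's post and Jason's reply; the private_key_file and CA_file
lines are assumed (FreeRADIUS 1.x eap.conf names) and are not on this page.
"""
import re

# "module: key = value" lines printed while radiusd reads its configuration
SETTING_RE = re.compile(
    r"^\s*(?P<module>[A-Za-z_]+):\s+(?P<key>[A-Za-z_]+)\s*=\s*(?P<value>.*?)\s*$")
# "rlm_<module>: message" lines printed by modules while they are instantiated
MODULE_MSG_RE = re.compile(r"^(?P<module>rlm_[A-Za-z_]+):\s+(?P<msg>.*)$")

# TLS settings that EAP-TLS, PEAP and TTLS cannot work without
REQUIRED_TLS_SETTINGS = ("private_key_file", "certificate_file", "CA_file")

# constructed sample: Carl's output, the lines Jason quoted, two assumed lines
SAMPLE_DEBUG = """\
Starting - reading configuration files ...
Module: Loaded exec
exec: wait = yes
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Loaded eap
eap: default_eap_type = "peap"
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: private_key_file = "(null)"
tls: certificate_file = "(null)"
tls: CA_file = "(null)"
rlm_eap_tls: Error reading certificate file
"""


def parse_debug_output(text):
    """Return ({(module, key): value}, [(module, error message)])."""
    settings = {}
    errors = []
    for line in text.splitlines():
        m = MODULE_MSG_RE.match(line)
        if m:
            # module chatter; keep only lines that announce an error
            if m.group("msg").lower().startswith("error"):
                errors.append((m.group("module"), m.group("msg")))
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[(m.group("module"), m.group("key"))] = m.group("value").strip('"')
    return settings, errors


def find_tls_problems(settings, errors):
    """List the TLS settings left unset and the EAP-TLS errors that followed."""
    problems = []
    for key in REQUIRED_TLS_SETTINGS:
        # "(null)" is how -X prints a setting that was never given a value
        if settings.get(("tls", key)) in (None, "", "(null)"):
            problems.append("tls: %s is unset" % key)
    for module, msg in errors:
        if module == "rlm_eap_tls":
            problems.append("%s: %s" % (module, msg))
    return problems


if __name__ == "__main__":
    parsed_settings, parsed_errors = parse_debug_output(SAMPLE_DEBUG)
    for problem in find_tls_problems(parsed_settings, parsed_errors):
        print(problem)
```

On the sample it reports the three unset `tls:` settings and the `rlm_eap_tls` error, which is exactly the chain Jason points to: the certificate paths were never set, so the module could not read a certificate file.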


Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Michael Griego
Peter,

All I have to say is that your attitude normally determines the response
you get.  You came in here telling many people who have worked with
RADIUS for a long time how the specs are wrong and how you are much
better than they.  This is a fatally flawed approach when trying to
learn something.  Now you are simply arguing semantics with people in an
attempt to save face.  RADIUS is truly not a complicated protocol.  Why
are you arguing over things that truly don't matter in the grand
scheme?  You started out by making assumptions based on previous
experience that were not correct.  You then attempted to blast RADIUS
when your assumptions turned out to be incorrect.  Poor etiquette.

Based on your original message, you still have a lot of reading and
understanding to do before making any more posts to this list.  I would
imagine that you have already taken a look at the users file and the
"man 5 users" page, however assumptions are what got you in the position
you are in now.  So, start there, attempt to understand what it is
you're dealing with, and come back to us when you have something more
intelligent to contribute or ask.

--Mike



On Sat, 2004-12-04 at 19:41, Peter T. Breuer wrote:
> "Also sprach Anson Rinesmith:"
> > 
> > >I particularly like this one (at end of 4.3):
> > 
> > >   Attributes
> > 
> > > The Attribute field is variable in length, and contains a list
> > > of zero or more Attributes.
> > 
> > >!!! Yeah. Are they trying to make a pastiche comedy sketch takeoff of
> > >themselves?
> > 
> > Section 4 is clearly describing PACKETS, a packet has fields. A field in a
> > packet that is transmitted can be an ATTRIBUTE. True, it is a recursive
> > definition, but this is not a difficult concept. Like an element in an ARRAY
> 
> No it is not a recursive definition.  They, like you, have confused
> themselves between Attribute without an s and Attributes with an s.
> Read more carefully.  They have written it wrongly.  They MEANT to
> write:
> 
>   Attributes
> 
> The "Attributes" field is variable in length, and contains a list
> of zero or more "Attribute" fields.
> 
> See the difference?  I won't explain it again.
> 
> > containing and ARRAY that has elements. Did you actually read the whole RFC,
> > or just search for the word field and attribute, and go from there?
> 
> I actually read the whole rfc, unlike some people. But I don't see why
> you should think I should!
> 
> Peter




Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Peter T. Breuer
"Also sprach Michael Griego:"
> All I have to say is that your attitude normally determines the response
> you get.  You came in here telling many people who have worked with
> RADIUS for a long time how the specs are wrong and how you are much

No I haven't. I'm sure radius is fine. OTOH I'm quite sure the rfc is
probably a load of badly written rubbish, because they normally are.
So? Is there something new? Have you read a rfc lately? I certainly
haven't! ;)

As to telling people? I am giving them the benefit of my judgement and
appraisal.  I've pointed out the things that are wrong.  Now you get to
act on it.  That's cool. Go with it.

> better than they.  This is a fatally flawed approach when trying to
> learn something.

I'm not trying to learn anything! I would hope I never do. I hate
learning anything. I avoid learning anything at all! I do it far too
easily, thank you. I have to work hard to avoid it.

That's the point - I am not YOUR slave. I don't do what YOU want me to
do. If you want ME to use YOUR tool then YOU must persuade ME to. And
you do that by doing what *I* want, not the other way round.

Got it?

It's a market.  You've got competition.  I could have used gnu-radius.
I could have used others.  There has to be something about what YOU have
that persuades me to use yours.

As it is, I think it's a fine implementation. At least the config is
good and comprehensible. Beats gnu-radius there!

The weakness is clearly that it's been written by people who apparently
don't know any computer science (is that true?), and who also aren't
used to writing for others.  That said, they've written WELL.  They're
just handicapped in their otherwise good and thoughtful writing by their
own lack of abstract knowledge of what they're doing, so they can't
explain themselves properly. That's clearly the fault, as far as I can
make out.

It's like watching some of those pop-artists who can make up songs but
can't explain what they're doing.  A musician comes along and says, oh,
that's counterpoint, or something.  Pling.  Explanation. The concepts
are lacking.

Now, I've been kind enough to point out to you where the problems in
the docs are. There's no need to go off the deep end - you just have to
fix them. You say thanks, because fixing it lowers the market resistance
to your tool, and enables you to make further inroads against your
competitors.

If I were to guess at causes, I would say it looks as though the authors
didn't have the linguistic concepts in their heads with which to explain
them.  In particular, My Pet Theory, which is what it is, is that the
authors don't understand the difference between syntax and semantics, so
they keep saying VALUE when they mean TERM.

Result, confusion.

You try explaining grammar to a person who doesn't know that they are
speaking a language. There is a difference between a THING and the NAME
of a thing. Check out your Lewis Carroll.

Does that bring it home?

No? Then go "learn about it".


> Now you are simply arguing semantics with people in an

No, I'm not.  They are.  I _am_ a linguistic semanticist, as you would
find if you looked me up.  I can't argue about it - I simply say what is
right.

> attempt to save face.  RADIUS is truly not a complicated protocol.  Why

Sure - it looks easy. One packet in, one packet out, as far as I recall
(and I only glanced at it). What has that got to do with anything?
That's not in my competence to talk about and I've not commented on it.
Nor do I care about it.


> are you arguing over things that truly don't matter in the grand

Because they ARE what matters.  What I am interested in is the language
used to describe the simple (one-action, repeated) state machine that
you construct from the description.  That's what *I* interface with.

I give orders to freeradius. Freeradius understands and does what I
mean. To do so, it constructs a state machine and runs it, thus
implementing a protocol in conformance with the radius spec. Fine.
Freeradius concerns itself with radius.  I concern myself with the
language needed to talk to freeradius.  That's the idea.

It doesn't take much to get it right. People have been doing this for
nigh on 50 years now folks.  Write the language in accordance with what
people expect.

> scheme?  You started out by making assumptions based on previous
> experience that were not correct.

No, I have not! Where do you get this from? I am telling you what my
expectations are, and my expectations ARE correct, by definition. Just
as my expectation that the steering wheel on a car turns the car right
when you turn the wheel right are correct. Yes, there are vehicles
where it works the other way round. They're wrong.


> You then attempted to blast RADIUS
> when your assumptions turned out to be incorrect.  Poor etiquette.

No, I have not!  Will you stop this senseless insulting behaviour?
Thank you!

> Based on your original message, you still have a lot of reading and
> understanding to do before making any m

RE: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Mitchell, Michael
When you're given a gift for FREE do you give it back complaining that
the shade of red is not quite what you wanted?

Perhaps if you're not happy with freeRADIUS you should go PAY for
something you like better. Then you can make demands of the people that
provide the product to "fix" it. After all, that's their job. But when
you're using a product that many people, especially Alan, have spent
endless hours OF THEIR OWN TIME improving, enhancing, and most
importantly supporting via this list, maybe you could spend a little
more time appreciating their efforts, and attempting to understand what
is given to you, rather than demanding things to be fixed because YOU
deem them to be wrong. Unfortunately for you, this may involve doing a
little of the work yourself... Most other people that come to this list
don't seem to mind...
 

> I _am_ a lingusitic semanticist,

I'd call you something else, but that would be poor list etiquette.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Peter T. Breuer
"Also sprach Mitchell, Michael:"
> When you're given a gift for FREE do you give it back complaining that
> the shade of red is not quite what you wanted?

Nobody gave me a gift - I was kind enough to evaluate your product.  I
didn't have to.  It took time to do so.  If I were paying you for it I
would insist on better explanation of the configuration language.  As it
is, I am kind enough to point out where the explanations you give are
lacking, /because/ I like the tool.  It's nicely coded, and it does the
right thing on installation, and the config files are well commented.  I
didn't bother writing to the gnu-radius people and telling them that
their mess was so bad that after wasting an hour on it I uninstalled it.

Do you always treat people who are nice enough to beta test your
product this way?

You get the benefit of my knowledge and capabilities for free. I've
pointed out to you what is the matter with the docs and where. I can't
be more specific. I've suggested how to improve them, even writing
sentences for you at times.

> Perhaps if you're not happy with freeRADIUS you should go PAY for
> something you like better.

Why should I? I'm not interested! It's in _your_ interest to listen to
what is said to you!

Do you really not get it?

You don't have to listen. Fine. Go "la la la la I can't hear you".

I tried.

> > I _am_ a lingusitic semanticist,
> 
> I'd call you something else, but that would be poor list etiquette.

No, it would be very rude, just like you are being. 

Peter



RE: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Anson Rinesmith
If you feel so strongly about changes needing to be made, then why not make
an official comment to the RFC and try to make things better? An RFC is, by
the way, a Request For Clarification.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter T.
Breuer
Sent: Saturday, December 04, 2004 9:17 PM
To: [EMAIL PROTECTED]
Subject: Re: How to add a field to the reply that contains data from the
request?

"Also sprach Michael Griego:"
> All I have to say is that your attitude normally determines the response
> you get.  You came in here telling many people who have worked with
> RADIUS for a long time how the specs are wrong and how you are much

No I haven't. I'm sure radius is fine. OTOH I'm quite sure the rfc is
probably a load of badly written rubbish, because they normally are.
So? Is there something new? Have you read a rfc lately? I certainly
haven't! ;)

As to telling people? I am giving them the benefit of my judgement and
appraisal.  I've pointed out the things that are wrong.  Now you get to
act on it.  That's cool. Go with it.

> better than they.  This is a fatally flawed approach when trying to
> learn something.

I'm not trying to learn anything! I would hope I never do. I hate
learning anything. I avoid learning anything at all! I do it far too
easily, thank you. I have to work hard to avoid it.

That's the point - I am not YOUR slave. I don't do what YOU want me to
do. If you want ME to use YOUR tool then YOU must persuade ME to. And
you do that by doing what *I* want, not the other way round.

Got it?

It's a market.  You've got competition.  I could have used gnu-radius.
I could have used others.  There has to be something about what YOU have
that persuades me to use yours.

As it is, I think it's a fine implementation. At least the config is
good and comprehensible. Beats gnu-radius there!

The weakness is clearly that it's been written by people who apparently
don't know any computer science (is that true?), and who also aren't
used to writing for others.  That said, they've written WELL.  They're
just handicapped in their otherwise good and thoughtful writing by their
own lack of abstract knowledge of what they're doing, so they can't
explain themselves properly. That's clearly the fault, as far as I can
make out.

It's like watching some of those pop-artists who can make up songs but
can't explain what they're doing.  A musician comes along and says, oh,
that's counterpoint, or something.  Pling.  Explanation. The concepts
are lacking.

Now, I've been kind enough to point out to you where the problems in
the docs are. There's no need to go off the deep end - you just have to
fix them. You say thanks, because fixing it lowers the market resistance
to your tool, and enables you to make further inroads against your
competitors.

If I were to guess at causes, I would say it looks as though the authors
didn't have the linguistic concepts in their heads with which to explain
them.  In particular, My Pet Theory, which is what it is, is that the
authors don't understand the difference between syntax and semantics, so
they keep saying VALUE when they mean TERM.

Result, confusion.

You try explaining grammar to a person who doesn't know that they are
speaking a language. There is a difference between a THING and the NAME
of a thing. Check out your Lewis Carroll.

Does that bring it home?

No? Then go "learn about it".


> Now you are simply arguing semantics with people in an

No, I'm not.  They are.  I _am_ a linguistic semanticist, as you would
find if you looked me up.  I can't argue about it - I simply say what is
right.

> attempt to save face.  RADIUS is truly not a complicated protocol.  Why

Sure - it looks easy. One packet in, one packet out, as far as I recall
(and I only glanced at it). What has that got to do with anything?
That's not in my competence to talk about and I've not commented on it.
Nor do I care about it.


> are you arguing over things that truly don't matter in the grand

Because they ARE what matters.  What I am interested in is the language
used to describe the simple (one-action, repeated) state machine that
you construct from the description.  That's what *I* interface with.

I give orders to freeradius. Freeradius understands and does what I
mean. To do so, it constructs a state machine and runs it, thus
implementing a protocol in conformance with the radius spec. Fine.
Freeradius concerns itself with radius.  I concern myself with the
language needed to talk to freeradius.  That's the idea.

It doesn't take much to get it right. People have been doing this for
nigh on 50 years now folks.  Write the language in accordance with what
people expect.

> scheme?  You started out by making assumptions based on previous
> experience that were not correct.

No, I have not! Where do you get this from? I am telling you what my
expectations are, and my expectations ARE correct, by definition. Just
as my expectation that the steering wheel on

Re: How to add a field to the reply that contains data from the request?

2004-12-04 Thread Michael Griego
On Sat, 2004-12-04 at 21:16, Peter T. Breuer wrote:
> No I haven't. I'm sure radius is fine. OTOH I'm quite sure the rfc is
> probably a load of badly written rubbish, because they normally are.
> So? Is there something new? Have you read a rfc lately? I certainly
> haven't! ;)

Yes, I have.  As such, you'd do well to lay off trying to tell me what
is and isn't when it comes to RFCs.



> As to telling people? I am giving them the benefit of my judgement and
> appraisal.  I've pointed out the things that are wrong.  Now you get to
> act on it.  That's cool. Go with it.


You cannot point out that things are wrong until you understand those
things.  You don't, therefore you are unable to make any sort of
intelligent argument.  So stop trying.



> I'm not trying to learn anything! I would hope I never do. I hate
> learning anything. I avoid learning anything at all! I do it far too
> easily, thank you. I have to work hard to avoid it.


Which is exactly why you should run away from free software.  Run far
away.  Free software normally requires you to actually learn something
about what you're trying to use it for.  Most people who use free
software want to learn something anyway.  You have just said you do
not.  Therefore, do yourself and everyone on this list a favor and stay
away from it.



> That's the point - I am not YOUR slave. I don't do what YOU want me to
> do. If you want ME to use YOUR tool then YOU must persuade ME to. And
> you do that by doing what *I* want, not the other way round.
> 
> Got it?


Yes, I absolutely get that you *don't* get it.  I am not YOUR slave.  I
use the software because it works well for me.  I make it better to
suit *my* needs.  As such, it is honestly no skin off my back whether
or not you find the product useful.  I try to be wary of others' needs as
well so that others can make use of any modifications I make.  I freely
give of my time because I enjoy it, not because you tell me to.



> It's a market.  You've got competition.  I could have used gnu-radius.
> I could have used others.  There has to be something about what YOU have
> that persuades me to use yours.


It seems to me that there already was something.  You said so yourself
that you found the configuration of FreeRADIUS to be much easier than
that of GNU-RADIUS.  However, as I commented above, I don't really care
if you use it or not.  What I do know is that it's damn good software and
that I have a much greater degree of flexibility with this package than
I would have with most others.  The tradeoff is that I have to actually
know something.  I, unlike you, actually enjoy learning new things.  It
keeps the mind young and fresh.  It also means that if something breaks,
I actually know how to fix it instead of having to pay someone a great
amount of money to do it for me.  I like that.  You may not.  That's the
tradeoff involved.


> Now, I've been kind enough to point out to you where the problems in
> the docs are. There's no need to go off the deep end - you just have to
> fix them. You say thanks, because fixing it lowers the market resistance
> to your tool, and enables you to make further inroads against your
> competitors.


Oh, I'm forever in your debt.  Oh wait, screw that.  I'm not going to
say "thanks" for you pointing something out that I didn't think was a
problem before.  What I will say is...  If you think there's a problem,
then you fix it.  You can then contribute to making it better.  I have
already contributed to making it better, and I didn't seem to have any
problem with the documentation.



> You try explaining grammar to a person who doesn't know that they are
> speaking a language. There is a difference between a THING and the NAME
> of a thing. Check out your Lewis Carroll.
> 
> Does that bring it home?
> 
> No? Then go "learn about it".


I am quite familiar with the grammatical constructs of the English
language and how to properly convey a thought.  Learning is something I
do every day.  You seem to be afraid of it.



> No, I'm not.  They are.  I _am_ a lingusitic semanticist, as you would
> find if you looked me up.  I can't argue about it - I simply say what is
> right.


You say what you *think* is right.  And you need to learn how to spell.


> Sure - it looks easy. One packet in, one packet out, as far as I recall
> (and I only glanced at it). What has that got to do with anything?
> That's not in my competence to talk about and I've not commented on it.
> Nor do I care about it.


Then stop trying to tell experts how things should be done.


> Because they ARE what matters.  What I am interested in is the language
> used to describe the simple (one-action, repeated) state machine that
> you construct from the description.  That's what *I* interface with.


Yeesh.  They are what matters to YOU.  The rest of us seem to have
gotten the picture.  You're so wrapped up in the semantics that you
can't figure out the big picture.  You can't see the forest for the
trees.


> No, I have