How to authenticate Mac users

2004-12-23 Thread Amit Gupta
Hi,

I wish to authenticate user laptops (coming in our network) by Radius server on 
basis of MAC addresses. I am using SQL authentication and accounting. How can I 
achieve it?
Please help.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


one day accounts

2004-12-23 Thread Carl Peterson
I am currently using freeradius as the authentication method for a chilli 
hotspot.  I use a Max-All-Session attribute to give prepaid users X amount of 
discontinuous time.  One of the users of some software I wrote to create and 
monitor prepaid cards would like a daily card feature that will give a user 
24 hours of continuous access from first use.  Is there already an attribute 
for this or an easy way to enable this feature?

Carl Peterson



Compile trouble on RH AS 2.1

2004-12-23 Thread Bruce Garlock
I am trying to compile freeradius 1.0.1 on RH AS 2.1, and it seems to 
die out with make on something to do with unixodbc:

Making static in rlm_sql_unixodbc...
gmake[10]: Entering directory 
`/usr/src/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_unixodbc'
gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 
-I../.. -I../../../../include  -c sql_unixodbc.c -o sql_unixodbc.o
sql_unixodbc.c: In function `sql_init_socket':
sql_unixodbc.c:69: `SQL_NULL_HANDLE' undeclared (first use in this function)
sql_unixodbc.c:69: (Each undeclared identifier is reported only once
sql_unixodbc.c:69: for each function it appears in.)
sql_unixodbc.c:75: `SQL_ATTR_ODBC_VERSION' undeclared (first use in this 
function)
sql_unixodbc.c:75: `SQL_OV_ODBC3' undeclared (first use in this function)
gmake[10]: *** [sql_unixodbc.o] Error 1
gmake[10]: Leaving directory 
`/usr/src/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_unixodbc'
gmake[9]: *** [common] Error 1
gmake[9]: Leaving directory 
`/usr/src/freeradius-1.0.1/src/modules/rlm_sql/drivers'
gmake[8]: *** [static] Error 2
gmake[8]: Leaving directory 
`/usr/src/freeradius-1.0.1/src/modules/rlm_sql/drivers'
gmake[7]: *** [common] Error 1
gmake[7]: Leaving directory `/usr/src/freeradius-1.0.1/src/modules/rlm_sql'
gmake[6]: *** [static] Error 2
gmake[6]: Leaving directory `/usr/src/freeradius-1.0.1/src/modules/rlm_sql'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory `/usr/src/freeradius-1.0.1/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/usr/src/freeradius-1.0.1/src/modules'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/usr/src/freeradius-1.0.1/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/src/freeradius-1.0.1/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/usr/src/freeradius-1.0.1'
make: *** [all] Error 2
[EMAIL PROTECTED] freeradius-1.0.1]#

I have searched the email list archives, and cannot seem to find 
anything regarding this issue.  I would think someone out there must 
have got freeradius compiled and working on RedHat AS 2.1

Thanks for any help,
Bruce


Re: Server crashes at high load situations

2004-12-23 Thread Alan DeKok
Stephan Jaeger <[EMAIL PROTECTED]> wrote:
> I'm still experiencing server crashes under some high load situations.
> 
> "Error: Assertion failed in threads.c, line 285"

  What's probably happening is that the server is CPU starved, and the
request is being deleted after "cleanup_delay", even though the server
hasn't processed it yet.

  The solution is to re-write some of the code for handling requests
&& timeouts.  I've been looking at it recently, and have decided that
it could use some updates for other issues, and now this, too.

  Alan DeKok.




Re: Authorizing user to assign a particular VLAN

2004-12-23 Thread Zoltan A. Ori
On Thursday 23 December 2004 12:41, Cool Man wrote:
> Hi all,
>
> I have successfully setup freeradius (version 1.0.1) authentication. Now at
> the second step I want to limit the user activities in my network. In other
> words I want to authorize the users. Depending upon their authorization
> level I want to assign them a different VLAN.
>
> Now my question is how can I define the authorization levels in Freeradius
> server. Moreover, how can I establish which Authorization level will be
> assigned to  which VLAN.

How you define authorization levels is determined by you and the users 
database you have to work with. The method for assigning a VLAN is dependent 
on how you have defined the levels, your NAS configuration and what the NAS 
will accept from RADIUS (ie, Tunnel-Type, Filter-ID, etc). You will want to 
read up on "users", possibly "huntgroups" and other docs, and the manual for 
your NAS then decide what is appropriate for your situation.

Zoltan Ori






Re: Authorization Process?

2004-12-23 Thread Alan DeKok
"Chris Wolf" <[EMAIL PROTECTED]> wrote:
> I was wondering where at in the code are the value pairs entered into the
> packet.  E.G.  If I send a packet where the User-Name is "blah" and the
> Calling-Station-Id is "blah2", when can I first use the method pairfind(vp,
> paired) to find the valuepair.  Any help would be great.

  The VALUE_PAIR's exist when a module is called.

  If you're trying to look at them from outside of a module, I would
have to ask "Why?"

  Alan DeKok.



Re: EAP/TLS, EAP-TTLS with LDAP

2004-12-23 Thread Alan DeKok
Tomasz Wolniewicz <[EMAIL PROTECTED]> wrote:
>   could you be a LITTLE bit more specific about that? It's Christmas :).
> How can I tell define conditions which will notice that it is the EAP-TTLS
> case and not EAP/TLS? Perhaps there is no way, as at the beginning it is
> simply an EAP message, so the server has no way of telling which way to go?

  The "FreeRADIUS-Proxied-To" attribute is added to the session inside
of the tunnel.  See debugging mode for examples, it *will* print this
out.

  In the "users" file, you can put:

DEFAULT  FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := ldap

  and it will call the LDAP module only inside of the tunnel.

  You will also have to set up an Autz-Type block in the "authorize"
section.  See doc/Autz-Type.

  Alan DeKok.
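
The two pieces described above, shown together as an added example that is not part of the original message. The module list in "authorize" (preprocess, eap, files) and an "ldap" instance already defined under "modules" are assumptions about a typical FreeRADIUS 1.0.x radiusd.conf; only the DEFAULT line comes from the message.

```conf
# ---- radiusd.conf (assumed FreeRADIUS 1.0.x layout) ----
authorize {
	preprocess
	eap
	files		# reads "users"; this is where Autz-Type gets set

	# Note: no bare "ldap" entry at this level. A bare entry would
	# run for every request, including the outer EAP-TTLS request
	# and plain EAP-TLS.

	# Runs only when a "users" entry has set Autz-Type := ldap
	Autz-Type ldap {
		ldap
	}
}

# ---- users ----
# FreeRADIUS-Proxied-To is only present on the request generated from
# inside the TTLS tunnel, so this entry does not match the outer
# request. EAP-TLS carries no tunnelled request, so it never matches.
DEFAULT  FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := ldap
```

Running the server in debugging mode shows whether FreeRADIUS-Proxied-To is present on a given request and whether the Autz-Type block was entered.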




Re: session timeout?

2004-12-23 Thread Alan DeKok
Sven Juergensen <[EMAIL PROTECTED]> wrote:
> could someone enlighten me about how exactly
> the Session-Timeout value within the users
> file works?

  If you see the Session-Timeout in the Access-Accept, then the NAS
should use it.  If the NAS doesn't obey Session-Timeout, then there's
little you can do on the RADIUS server to fix the NAS.

  Try setting the Session-Timeout to something like an hour or two.
Some NASes silently ignore small values of Session-Timeout.

  Alan DeKok.



Re: that is what i had done

2004-12-23 Thread Alan DeKok
zack musa <[EMAIL PROTECTED]> wrote:
> OK... it seems that I'm not good at explaining this..

  Your explanation was clear.  The response to your explanation was
also clear.

>  realm 200.200.230.136 {
> type= radius
> authhost= radius.200.200.230.136:1812
> accthost= radius.200.200.230.136:1813
> secret  = amin
>  }
> 
> Is the IP of the authhost and the accthost the IP
> of the REMOTE SERVER? Correct me please..

  "radius.200.200.230.136" is not a DNS name or an IP address.

  Use an IP address or a DNS name.

  Alan DeKok.




Re: Freeradius 1.0.1 build problems on RH9

2004-12-23 Thread L.C. (Laurentiu C. Badea)
Install zlib-devel.

If you are building vanilla 1.0.1 you should instead rebuild it from Fedora 3 
src rpm. Just download freeradius-1.0.1-1.src.rpm and

rpmbuild --rebuild freeradius-1.0.1-1.src.rpm

--
L.C. (Laurentiu C. Badea)

[EMAIL PROTECTED] wrote:
> I am attempting to build FR 1.0.1 on a RH9 system and receive the 
> following error:
>
> /usr/bin/ld: cannot find -lz



Re: Freeradius 1.0.1 build problems on RH9

2004-12-23 Thread Pete Conkin
- Original Message - 
From: <[EMAIL PROTECTED]>


> I am attempting to build FR 1.0.1 on a RH9 system and receive the 
> following error:
> 
> -lmysqlclient -lz -lcrypt -lnsl -lm  -Wl,-soname 
> -Wl,rlm_sql_mysql-1.0.1.so -o .libs/rlm_sql_mysql-1.0.1.so
> /usr/bin/ld: cannot find -lz

  Looks like you need zlib-devel package.

  Pete



Freeradius 1.0.1 build problems on RH9

2004-12-23 Thread bdehn
I am attempting to build FR 1.0.1 on a RH9 system and receive the 
following error:

/usr/bin/libtool --mode=link gcc -release 1.0.1 \
-module -export-dynamic  -O2 -g -march=i386 -mcpu=i686 -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -g 
-Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef  -I../.. 
-I../../../../include \
-I'/usr/include/mysql' -I/usr/src/redhat/BUILD/freeradius-1.0.1/libltdl -o 
rlm_sql_mysql.la -rpath /usr/lib sql_mysql.lo -L'/usr/lib/mysql' 
-lmysqlclient -lz -lcrypt -lnsl -lm
rm -fr .libs/rlm_sql_mysql.la .libs/rlm_sql_mysql.* 
.libs/rlm_sql_mysql-1.0.1.*
i386-redhat-linux-gcc -shared  sql_mysql.lo  -L/usr/lib/mysql 
-lmysqlclient -lz -lcrypt -lnsl -lm  -Wl,-soname 
-Wl,rlm_sql_mysql-1.0.1.so -o .libs/rlm_sql_mysql-1.0.1.so
/usr/bin/ld: cannot find -lz
collect2: ld returned 1 exit status
gmake[10]: *** [rlm_sql_mysql.la] Error 1
gmake[10]: Leaving directory 
`/usr/src/redhat/BUILD/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
gmake[9]: *** [common] Error 1
gmake[9]: Leaving directory 
`/usr/src/redhat/BUILD/freeradius-1.0.1/src/modules/rlm_sql/drivers'
gmake[8]: *** [dynamic] Error 2
gmake[8]: Leaving directory 
`/usr/src/redhat/BUILD/freeradius-1.0.1/src/modules/rlm_sql/drivers'
gmake[7]: *** [common] Error 1
gmake[7]: Leaving directory 
`/usr/src/redhat/BUILD/freeradius-1.0.1/src/modules/rlm_sql'
gmake[6]: *** [dynamic] Error 2
gmake[6]: Leaving directory 
`/usr/src/redhat/BUILD/freeradius-1.0.1/src/modules/rlm_sql'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory 
`/usr/src/redhat/BUILD/freeradius-1.0.1/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory 
`/usr/src/redhat/BUILD/freeradius-1.0.1/src/modules'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.0.1/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.0.1/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.0.1'
make: *** [all] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.84027 (%build)

I believe I have all devel packages installed. Can anyone provide me with 
any clues as to what I am doing wrong? I have built the same FR version on 
RH 7.3 and things went smoothly. Any help would be greatly appreciated!!

Thank you in advance.

Bob Dehn



Authorizing user to assign a particular VLAN

2004-12-23 Thread Cool Man
Hi all, 
 
I have successfully setup freeradius (version 1.0.1) authentication. Now at the second step I want to limit the user activities in my network. In other words I want to authorize the users. Depending upon their authorization level I want to assign them a different VLAN. 
 
Now my question is how can I define the authorization levels in Freeradius server. Moreover, how can I establish which Authorization level will be assigned to  which VLAN.
 
Best Regards,
Raza.
 

Re: CHAP and PAP

2004-12-23 Thread neeraj kharbanda
Hi,
Yes, CHAP and PAP are authentication protocols, to make
sure that the password is not sniffed by a
sniffer. Whereas the calling number is used to prevent
the account being misused, as the calling station is
unique (phone number or MAC address).

--- prabhan <[EMAIL PROTECTED]> wrote:

> Hello,
>  What is CHAP and PAP ?
>  I know that they are mechanisms to authenticate
> users.
> Since there are several ways of authenticating ...
> For eg. Calling
> number authentication , called number authentication
> (as used in terms
> of a VOIP gateway),
> how to take a decision on which authentication
> scheme to be applied ?
> 
> Thanks,
>  Prabha N
> 
> 
> 
> 






Re: mysql seg fault

2004-12-23 Thread Mathias Röhl
Am Mi, den 22.12.2004 schrieb Mathias Röhl um 14:51:
Hi
> Hi
> 
after rebuilding openssl and fr from the sources now the radiusd -X has
no error, I don't know exactly why but it works

have a few fine days and all the best for 2005...

regards

[EMAIL PROTECTED]

-- 
TANK!!! I need an exit!! FAAAST!!!





Authorization Process?

2004-12-23 Thread Chris Wolf








I was wondering where at in the code are the value pairs
entered into the packet.  E.G.  If I send a packet where the User-Name is “blah”
and the Calling-Station-Id is “blah2”, when can I first use the
method pairfind(vp, paired) to find the valuepair.  Any help would be great.

 

Thanks,

 

Chris








Post authorization status = FAIL

2004-12-23 Thread Nagesh Boyina
Hi,

I am not able to telnet to cisco router using cisco av pairs. I am getting
message like Access Accept in radius debug, but I am not able to login
with privilege levels.
I am using Mysql db. Pls help him out to configure AV pairs syntax in
mysql db

Can anyone help me.

thanks in advance

Nagesh




Server crashes at high load situations

2004-12-23 Thread Stephan Jaeger
Hi,

I'm still experiencing server crashes under some high load situations.

"Error: Assertion failed in threads.c, line 285"

bt:

Program received signal SIGABRT, Aborted.
[Switching to Thread 1077318912 (LWP 29184)]
0x40254ed9 in raise () from /lib/tls/libc.so.6
(gdb) bt
#0  0x40254ed9 in raise () from /lib/tls/libc.so.6
#1  0x40362fcc in ?? () from /lib/tls/libc.so.6
#2  0x40065520 in PADDING ()
from /radius/daemon/freeradius-snapshot-20041223/lib/libradius-1.1.0-pre0.so
#3  0x40256771 in abort () from /lib/tls/libc.so.6
#4  0x in ?? ()
#5  0x0020 in ?? ()
#6  0x in ?? ()
#7  0x in ?? ()
#8  0x in ?? ()
#9  0x in ?? ()
#10 0x in ?? ()
#11 0x in ?? ()
#12 0x in ?? ()
#13 0x in ?? ()
#14 0x in ?? ()
#15 0x in ?? ()
#16 0x in ?? ()
#17 0x in ?? ()
#18 0x in ?? ()
#19 0x in ?? ()
#20 0x in ?? ()
#21 0x in ?? ()
#22 0x in ?? ()
#23 0x in ?? ()
#24 0x in ?? ()
#25 0x in ?? ()
#26 0x in ?? ()
#27 0x in ?? ()
#28 0x in ?? ()
#29 0x in ?? ()
#30 0x in ?? ()
#31 0x in ?? ()
#32 0x in ?? ()
#33 0x in ?? ()
#34 0x in ?? ()
#35 0x in ?? ()
#36 0x in ?? ()
#37 0x in ?? ()
#38 0x0001 in ?? ()
#39 0x0010 in ?? ()
#40 0xbfffe1b4 in ?? ()
#41 0x40016c00 in ?? () from /lib/ld-linux.so.2
#42 0x40016fd4 in ?? ()
#43 0xbfffe240 in ?? ()
#44 0xbfffe208 in ?? ()
#45 0x in ?? ()
#46 0x45e0 in ?? () from /lib/ld-linux.so.2
#47 0x40016c00 in ?? () from /lib/ld-linux.so.2
#48 0x0626 in ?? ()
#49 0x40016e38 in _r_debug ()
#50 0xbfffe1f0 in ?? ()
#51 0x4000ba16 in _dl_map_object_deps () from /lib/ld-linux.so.2
#52 0x0805c2dc in proxy_cmp (one=0xd6, two=0xbfffe2c0) at
request_list.c:214
#53 0x400628b3 in rbtree_find (tree=0x816b838, Data=0xbfffe2c0) at
rbtree.c:448
#54 0x0805ce40 in rl_find_proxy (packet=0x6) at request_list.c:885
#55 0x0804ca54 in proxy_ok (packet=0x4e3e58a0) at radiusd.c:478
#56 0x0804cd08 in request_ok (packet=0x4e3e58a0, secret=0x0,
listener=0x0) at radiusd.c:600
#57 0x0804d552 in main (argc=4, argv=0x0) at radiusd.c:1294

Regards

Stephan Jaeger




Authentication and accounting request details

2004-12-23 Thread prabhan
Hello,
 I am using freeradius 1.0.1 to authenticate users for a voip gateway.

Suppose voip gateway A wants to make a call to voip gateway B.
In order to authenticate A,the calling number,the details of user A has
to be listed in the users file.
Similarly if user B , the called number also needs to be authenticated ,
then user B details also need to be in the users file.

1. What authentication mechanism needs to be used ?
2. Can B also get authenticated at the local end, before even sending
setup message to B ?
3. If the above application is for prepaid / postpaid then how is the
credit amount left or the call duration details obtained from the radius
server ? Is there any specific attribute that has to be sent either in
access request or accounting request due to which the radius server
would get an indication to send the details in the respective response
packets ?
4. If radius server is used just to authenticate the calling number and
is not bothered to know about the credit amount and the duration, then
the radius server should not send any such details in the response
packets.
5. Is there any configuration to be done in the radius server so that it
could manage the users accounting details for billing or prepaid or post
paid authentication ?

Thanks,
Prabha N












Re: Radius server + Billing server

2004-12-23 Thread Josh Howlett

--On Thursday, December 23, 2004 12:49:30 +0530 prabhan 
<[EMAIL PROTECTED]> wrote:

> Hello,
>  What is the protocol for communication between Radius server and
> Billing server ?
> How does Radius server get details from Billing server ?
> Thanks,
> Prabha N

--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]



CHAP and PAP

2004-12-23 Thread prabhan
Hello,
 What is CHAP and PAP ?
 I know that they are mechanisms to authenticate users.
Since there are several ways of authenticating ... For eg. Calling
number authentication , called number authentication (as used in terms
of a VOIP gateway),
how to take a decision on which authentication scheme to be applied ?

Thanks,
 Prabha N





Radius server + Billing server

2004-12-23 Thread prabhan
Hello,
 What is the protocol for communication between Radius server and
Billing server ?
How does Radius server get details from Billing server ?

Thanks,
Prabha N





Re: EAP/TLS, EAP-TTLS with LDAP

2004-12-23 Thread Tomasz Wolniewicz
Alan,
  could you be a LITTLE bit more specific about that? It's Christmas :).
How can I tell define conditions which will notice that it is the EAP-TTLS
case and not EAP/TLS? Perhaps there is no way, as at the beginning it is
simply an EAP message, so the server has no way of telling which way to go?

Tomasz

On Wed, Dec 22, 2004 at 11:14:31AM -0500, Alan DeKok wrote:
> Tomasz Wolniewicz <[EMAIL PROTECTED]> wrote:
> > Does someone have an idea how to switch off LDAP for processing of the
> > outer part of the EAP-TTLS message?
> 
>   Put ldap into an Atz-Type block, and configure the server to call
> the block only in the conditions you want it to be called.
> 
>   Alan DeKok.
> 
> 

-- 
Tomasz Wolniewicz
   [EMAIL PROTECTED]   http://www.uni.torun.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun   pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850   tel kom.: +48-693-032-576
