Re: [radius] Re: Dialup admin FAQ and question for Kostas

2005-01-02 Thread Nick Marino
- Original Message - 
From: Stuart Harris [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Sunday, January 02, 2005 10:07 AM
Subject: RE: [radius] Re: Dialup admin FAQ and question for Kostas



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Nick Marino
Sent: 02 January 2005 15:03
To: freeradius-users@lists.freeradius.org
Subject: Re: [radius] Re: Dialup admin FAQ and question for Kostas
- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Sunday, January 02, 2005 6:50 AM
Subject: [radius] Re: Dialup admin FAQ and question for Kostas
 On Sun, 2 Jan 2005, Nick Marino wrote:

 Where is the latest version of the dialup admin faq located?

 cvs:dialup_admin/doc


 And what would cause the Find User function to only return 10 in the list
 no matter what you set MAX RESULTS for in the form?

 You're probably using spaces in the max results number. If the number is
 not numeric, it will be set automatically to 10. It works just fine here.

Nope, no spaces in the max result.
Apparently it is failing this test in find.php3 in the lib folder:
$link = @da_sql_pconnect($config);
if ($link){
 $search = da_sql_escape_string($search);
 if (!is_int($max_results))
  $max_results = 10;
What makes $link true?

This is a guess, but when da_sql_pconnect is being called, because of the @
it's not throwing out its error, thus causing da_sql_pconnect to return
false, making $link false :)
It's probably not the best idea to use is_int on a numeric response to a
hidden call either..

Yeah, Kostas posted that I was using an old version and the newest version
used is_numeric. If that's the case then an old version is being distributed
with FR 1.0.1, because that is all I have downloaded and that's what I got.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Saving missed accounting records.

2005-01-02 Thread Dustin Doris

 Alan DeKok wrote:
  Thor Spruyt [EMAIL PROTECTED] wrote:
  It's a pity, but radrelay can't be used for proxied packets.
  Reason is that if the packets are relayed to the backup server, the
  backup doesn't know it has already been proxied and will thus proxy
  it again. The homeserver should only receive the packet once of
  course!
 
   Can you suggest a fix?

 Well... I've given it some thinking and guess what...

 Suppose you have a realm with 2 homeservers for redundancy:
 realm NULL {
     type     = radius
     authhost = 10.10.10.10:1812
     accthost = 10.10.10.10:1813
     secret   = testing123
 }
 realm NULL {
     type     = radius
     authhost = 20.20.20.20:1812
     accthost = 20.20.20.20:1813
     secret   = testing123
 }

 Suppose the primary server receives an acct packet and proxies it to
 20.20.20.20:1813
 Then Freeradius-Proxied-To = 20.20.20.20 will be added in the detail file
 and relayed to the backup server.
 Then the backup server will compare 20.20.20.20 with 10.10.10.10 and will
 again proxy the packet to the homeserver (10.10.10.10).

 Suggested solution 1: let the primary server add multiple
 Freeradius-Proxied-To attributes (one for each server configured for that
 realm)
 Suggested solution 2: let the backup server check the Freeradius-Proxied-To
 attribute against all servers configured for that realm
 Suggested solution 3: add a Freeradius-Proxied-Realm attribute, which the
 backup server could check against

 --
 Regards,

 Thor Spruyt


What if you just set it up so that it only proxied the auth to the home
server and stored the accounting locally?  Then you use radrelay to send
all accounting packets over?

realm NULL {
    type     = radius
    authhost = 20.20.20.20:1812
    accthost = LOCAL
    secret   = testing123
}

That could work, couldn't it?

-Dusty Doris
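
The re-proxy problem from the quoted text and Thor's suggested solution 2, modelled as an added example (not part of the thread and not FreeRADIUS code). The function names and the two sample records are constructed for illustration; the addresses and the Freeradius-Proxied-To attribute are the ones used in the message above.

```python
# Added illustration: a toy model of the backup server's relay decision,
# not FreeRADIUS code. Addresses come from the realm blocks quoted above.
REALM_HOME_SERVERS = {"NULL": ["10.10.10.10", "20.20.20.20"]}


def naive_should_proxy(record, backup_choice):
    """Behaviour described in the thread: compare Freeradius-Proxied-To
    with the single home server the backup itself would pick."""
    return record.get("Freeradius-Proxied-To") != backup_choice


def realm_wide_should_proxy(record, backup_choice=None):
    """Suggested solution 2: skip proxying when Freeradius-Proxied-To
    names any home server configured for the record's realm."""
    proxied_to = record.get("Freeradius-Proxied-To")
    if proxied_to is None:  # never proxied, so the backup must forward it
        return True
    return proxied_to not in REALM_HOME_SERVERS.get(record["Realm"], [])


def copies_at_home_servers(record, backup_choice, should_proxy):
    """Copies of one accounting record that reach the realm's home servers:
    one if the primary already proxied it, plus one if the backup proxies."""
    copies = 1 if record.get("Freeradius-Proxied-To") else 0
    if should_proxy(record, backup_choice):
        copies += 1
    return copies


# Constructed detail-file entries as radrelay would hand them to the backup.
RELAYED = {"Acct-Session-Id": "constructed-0001", "Realm": "NULL",
           "Freeradius-Proxied-To": "20.20.20.20"}
LOCAL_ONLY = {"Acct-Session-Id": "constructed-0002", "Realm": "NULL"}

if __name__ == "__main__":
    for name, check in (("naive", naive_should_proxy),
                        ("realm-wide", realm_wide_should_proxy)):
        print(name,
              copies_at_home_servers(RELAYED, "10.10.10.10", check),
              copies_at_home_servers(LOCAL_ONLY, "10.10.10.10", check))
```

With the naive comparison the already-proxied record is delivered twice; with the realm-wide comparison every record is delivered exactly once.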



Re: How to add attribute in post-proxy?

2005-01-02 Thread Nicolas Baradakis
Pasi Kärkkäinen wrote:

 I need to add Post-Proxy-Type based on realm of the proxied
 request.

 I can't figure out how to express this with the sql tables:
 DEFAULT Realm == foo.net, Post-Proxy-Type := post.proxy.foo

 There's no Realm field in the sql..

I don't understand why you absolutely want to manage the settings for
the realm in a SQL database. (although it is possible) The home server
does SQL requests because it authenticates the users and stores
accounting tickets, but the proxy usually doesn't do SQL at all.

Unless you have many realms and they often change and you can't afford
to add/remove a realm from your configuration without restarting
radiusd, your proxy doesn't need to do SQL requests. Moreover,
querying the SQL server for each request costs a big performance
penalty, therefore you should put the Post-Proxy-Type in the users
file unless you have good reasons.

If you really want to add the Post-Proxy-Type attribute from a
database, below is the main idea of how to do this. (I didn't test
it and perhaps you'll need some minor changes)

You replace UserName with Realm in the SQL schema.

CREATE TABLE radcheck (
  id int(11) unsigned NOT NULL auto_increment,
  Realm varchar(64) NOT NULL default '',
  Attribute varchar(32)  NOT NULL default '',
  op char(2) NOT NULL DEFAULT '==',
  Value varchar(253) NOT NULL default '',
  PRIMARY KEY  (id),
  KEY Realm (Realm(32))
) ;

Then you insert the Post-Proxy-Type definition in the radcheck table:

INSERT INTO radcheck (Realm,Attribute,op,Value) VALUES ('foo.net', 
'Post-Proxy-Type', '=', 'post.proxy.foo');
INSERT INTO radcheck (Realm,Attribute,op,Value) VALUES ('bar.com', 
'Post-Proxy-Type', '=', 'post.proxy.bar');

Finally you write the adequate query in sql.conf. (and comment other
auth queries)

authorize_check_query = SELECT id,Realm,Attribute,Value,op FROM radcheck WHERE Realm = '%{Realm}'

 Could I use rlm_attr_filter to add Post-Proxy-Type? rlm_attr_filter is
 processed for the proxy replies and you can match realms there.. so it
 seems like a right place to do this.. I'll try this and see what happens.

You can't add a check item with this module, so there is no way you
can set Post-Proxy-Type there. However, perhaps you can try to add the
Pool-Name attribute in the attrsfile:

foo.net
	Pool-Name := foo_ippool,
	Fall-Through = Yes

bar.com
	Pool-Name := bar_ippool,
	Fall-Through = Yes

DEFAULT
	Put here all other attributes you need otherwise they'll
	be removed from the packet

This is an alternate approach. It may work, too. And finally you will
get not one, but two solutions to set up your FreeRADIUS proxy!

-- 
Nicolas Baradakis



Re: Can I use just Password for RADIUS authentication?

2005-01-02 Thread Toby Liu
Why not try different usernames with the same password?




Block users based on mac address using External Exec program

2005-01-02 Thread pkumar

Hi,
   I have set up FreeRADIUS on FC2 and it's working fine.
I want to block users based on MAC address.

Is it possible to do external verification of the UserName and MAC address
of a particular user using Exec in the RADIUS configuration?

Please can anybody suggest an example of doing the above task.

Thanks in advance
Phani Kumar
IIIT-Hyd




EAP

2005-01-02 Thread Jacques VUVANT



Hello All

I'm new to FreeRADIUS and I want to configure it to
enable EAP authentication. Can someone tell me how?

Thanks

Jacques VUVANT


md5-hash stored passwords

2005-01-02 Thread ole.adam
I use FreeRADIUS for EAP-MD5 in a wired LAN. I know that the client (supplicant) sends a hash (is it an MD5 hash???) to the RADIUS server. The RADIUS server has the plaintext password so it can perform the same hash to determine that the password is correct. Now I want to store the passwords as an MD5 hash in the users file. Is it possible to authenticate against an MD5-hash database? How can I tell the RADIUS server that the password is already an MD5 hash??
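
The EAP-MD5 check described in the post above, as an added example (not part of the original message and not FreeRADIUS code): the response is an MD5 over the identifier, the shared secret and the server's challenge, so the server has to hold the same secret the supplicant hashed. The function names, the fixed challenge and the sample password are constructed for illustration.

```python
import hashlib
import hmac


def eap_md5_response(identifier, secret, challenge):
    """CHAP-style digest used by EAP-MD5 (RFC 3748 section 5.4, RFC 1994):
    MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_accepts(identifier, challenge, response, stored_secret):
    """Recompute the digest from whatever the server has stored and
    compare it with the supplicant's response in constant time."""
    expected = eap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(password, stored_secret, identifier=7,
                 challenge=bytes(range(16))):
    """One round: the supplicant hashes its cleartext password, the server
    checks the response against its stored value. The fixed identifier and
    challenge are constructed so the result is reproducible; a real server
    picks a fresh random challenge per request."""
    response = eap_md5_response(identifier, password, challenge)
    return server_accepts(identifier, challenge, response, stored_secret)


PASSWORD = b"constructed-password"              # sample value, not real
STORED_MD5 = hashlib.md5(PASSWORD).digest()     # what an MD5-hashed store holds

if __name__ == "__main__":
    print("server stores cleartext:", run_exchange(PASSWORD, PASSWORD))
    print("server stores MD5 hash: ", run_exchange(PASSWORD, STORED_MD5))
```

The second exchange is rejected because MD5(password) is a different input to the digest than the cleartext the supplicant used.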

