Re: [radius] Re: Dialup admin FAQ and question for Kostas
- Original Message -
From: Stuart Harris [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Sunday, January 02, 2005 10:07 AM
Subject: RE: [radius] Re: Dialup admin FAQ and question for Kostas

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Marino
Sent: 02 January 2005 15:03
To: freeradius-users@lists.freeradius.org
Subject: Re: [radius] Re: Dialup admin FAQ and question for Kostas

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Sunday, January 02, 2005 6:50 AM
Subject: [radius] Re: Dialup admin FAQ and question for Kostas

On Sun, 2 Jan 2005, Nick Marino wrote:

Where is the latest version of the dialup admin faq located?

cvs:dialup_admin/doc

And what would cause the Find User function to only return 10 in the list no matter what you set MAX RESULTS for in the form?

You're probably using spaces in the max results number. If the number is not numeric, it will be set automatically to 10. It works just fine here.

Nope, no spaces in the max result. Apparently it is failing this test in find.php3 in the lib folder:

    $link = @da_sql_pconnect($config);
    if ($link){
        $search = da_sql_escape_string($search);
        if (!is_int($max_results))
            $max_results = 10;

What makes $link true?

This is a guess, but when da_sql_pconnect is being called because of the @ it's not throwing out its error, thus causing da_sql_pconnect to return false, making $link false :) It's probably not the best idea to use is_int on a numeric response to a hidden call either..

Yeah, Kostas posted that I was using an old version and the newest version used is_numeric. If that's the case then an old version is being distributed with FR 1.0.1, because that is all I have downloaded and that's what I got.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Saving missed accounting records.
Alan DeKok wrote:

Thor Spruyt [EMAIL PROTECTED] wrote:

It's a pity, but radrelay can't be used for proxied packets. Reason is that if the packets are relayed to the backup server, the backup doesn't know it has already been proxied and will thus proxy it again. The homeserver should only receive the packet once of course!

Can you suggest a fix?

Well... I've given it some thinking and guess what...

Suppose you have a realm with 2 homeservers for redundancy:

    realm NULL {
        type     = radius
        authhost = 10.10.10.10:1812
        accthost = 10.10.10.10:1813
        secret   = testing123
    }

    realm NULL {
        type     = radius
        authhost = 20.20.20.20:1812
        accthost = 20.20.20.20:1813
        secret   = testing123
    }

Suppose the primary server receives an acct packet, and proxies it to 20.20.20.20:1813. Then Freeradius-Proxied-To = 20.20.20.20 will be added in the detail file and relayed to the backup server. Then the backup server will compare 20.20.20.20 with 10.10.10.10 and will again proxy the packet to the homeserver (10.10.10.10).

Suggested solution 1: let the primary server add multiple Freeradius-Proxied-To attributes (one for each server configured for that realm)

Suggested solution 2: let the backup server check the Freeradius-Proxied-To attribute against all servers configured for that realm

Suggested solution 3: add a Freeradius-Proxied-Realm attribute, which the backup server could check against

--
Regards,
Thor Spruyt

What if you just set it up so that it only proxied the auth to the home server and stored the accounting locally? Then you use radrelay to send all accounting packets over?

    realm NULL {
        type     = radius
        authhost = 20.20.20.20:1812
        accthost = LOCAL
        secret   = testing123
    }

That could work, couldn't it?

-Dusty Doris
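The re-proxy behaviour described in this thread, next to "suggested solution 2", as a simplified model added here (not FreeRADIUS code and not code from any of the posters). The record layout and all function names are assumptions made for illustration; only the realm addresses and the Freeradius-Proxied-To attribute name come from the messages above.

```python
# Simplified model of the accounting re-proxy decision discussed in the thread.
# Data layout and function names are assumptions, not FreeRADIUS internals.

REALMS = {
    # realm NULL with two home servers, in the order of the quoted config
    "NULL": ["10.10.10.10", "20.20.20.20"],
}

PROXIED_TO = "Freeradius-Proxied-To"


def relay_record(chosen_home):
    """Detail-file record the primary writes after proxying to chosen_home."""
    return {"Realm": "NULL", PROXIED_TO: [chosen_home]}


def backup_reproxies_current(record, realms=REALMS):
    """Described behaviour: compare only against the backup's own first choice."""
    first_choice = realms[record["Realm"]][0]
    return first_choice not in record.get(PROXIED_TO, [])


def backup_reproxies_solution2(record, realms=REALMS):
    """Suggested solution 2: compare against every home server of the realm."""
    already = set(record.get(PROXIED_TO, []))
    return already.isdisjoint(realms[record["Realm"]])


def home_server_copies(chosen_home, decide):
    """Count copies of one accounting packet delivered to the realm's home servers."""
    copies = 1                      # the primary's own proxied packet
    if decide(relay_record(chosen_home)):
        copies += 1                 # backup proxies the relayed record again
    return copies


if __name__ == "__main__":
    for name, decide in [("current", backup_reproxies_current),
                         ("solution 2", backup_reproxies_solution2)]:
        for home in REALMS["NULL"]:
            print(name, home, home_server_copies(home, decide))
```

A record that carries no Freeradius-Proxied-To at all is still proxied under both checks, so accounting that the primary never managed to forward is not lost.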
Re: How to add attribute in post-proxy?
Pasi Kärkkäinen wrote:

I need to add Post-Proxy-Type based on realm of the proxied request. I can't figure out how to express this with the sql tables:

    DEFAULT Realm == foo.net, Post-Proxy-Type := post.proxy.foo

There's no Realm field in the sql..

I don't understand why you absolutely want to manage the settings for the realm in a SQL database. (although it is possible)

The home server does SQL requests because it authenticates the users and stores accounting tickets, but the proxy usually doesn't do SQL at all. Unless you have many realms and they often change and you can't afford to add/remove a realm from your configuration without restarting radiusd, your proxy doesn't need to do SQL requests.

Moreover, querying the SQL server for each request costs a big performance penalty, therefore you should put the Post-Proxy-Type in the users file unless you have good reasons.

If you really want to add the Post-Proxy-Type attribute from a database, below is the main idea of how to do this. (I didn't test it and perhaps you'll need some minor changes)

You change UserName by Realm in the SQL schema.

    CREATE TABLE radcheck (
      id int(11) unsigned NOT NULL auto_increment,
      Realm varchar(64) NOT NULL default '',
      Attribute varchar(32) NOT NULL default '',
      op char(2) NOT NULL DEFAULT '==',
      Value varchar(253) NOT NULL default '',
      PRIMARY KEY (id),
      KEY Realm (Realm(32))
    ) ;

Then you insert the Post-Proxy-Type definition in the radcheck table:

    INSERT INTO radcheck (Realm,Attribute,op,Value)
      VALUES ('foo.net', 'Post-Proxy-Type', '=', 'post.proxy.foo');
    INSERT INTO radcheck (Realm,Attribute,op,Value)
      VALUES ('bar.com', 'Post-Proxy-Type', '=', 'post.proxy.bar');

Finally you write the adequate query in sql.conf. (and comment other auth queries)

    authorize_check_query = SELECT id,Realm,Attribute,Value,op FROM radcheck WHERE Realm = '%{Realm}'

Could I use rlm_attr_filter to add Post-Proxy-Type? rlm_attr_filter is processed for the proxy replies and you can match realms there.. so it seems like a right place to do this.. I'll try this and see what happens.

You can't add a check item with this module, so there is no way you can set Post-Proxy-Type there. However, perhaps you can try to add the Pool-Name attribute in the attrsfile:

    foo.net
        Pool-Name := foo_ippool,
        Fall-Through = Yes

    bar.com
        Pool-Name := bar_ippool,
        Fall-Through = Yes

    DEFAULT
        Put here all other attributes you need
        otherwise they'll be removed from the packet

This is an alternate approach. It may work, too. And finally you will get not one, but two solutions to set up your FreeRADIUS proxy!

--
Nicolas Baradakis
Re: Can I use just Password for RADIUS authentication?
Why not try different usernames with the same password?
Block users based on mac address using External Exec program
Hi,

I had set up Freeradius on FC2 and it's working fine. I want to block the users based on MAC address. Is it possible to do external verification of the UserName and MAC address of a particular user using Exec in the Radius configuration? Please can anybody suggest an example of doing the above task.

Thanks in advance,
Phani Kumar
IIIT-Hyd
EAP
Hello All,

I'm new to FreeRADIUS and I want to configure it to enable EAP authentication. Can someone tell me how?

Thanks,
Jacques VUVANT
md5-hash stored passwords
I use freeradius for EAP-MD5 in a wired LAN. I know that the client (supplicant) sends a hash (is it an md5 hash???) to the RADIUS server. The RADIUS server has the plaintext password so it can perform the same hash to determine that the password is correct.

Now I want to store the passwords as an md5 hash in the users file. Is it possible to authenticate against an md5-hash database? How can I tell the RADIUS server that the password is already an MD5 hash?