For persons who have made primary and secondary freeradius with proxy radius

2005-01-18 Thread Nans Delrieu
Hello,

I have done this:


Proxy freeradius --> Primary Freeradius
                 |
                 --> Secondary Freeradius

I want to put the primary radius and the proxy freeradius on the same PC.
Is it possible?

If yes, how can I do that, please?

My first idea was to run two freeradius services on the same PC, but I
don't know how I can do that.

thank you

Nans


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Copy Request Attribute Values to Reply using MySQL DB

2005-01-18 Thread Stefan
All,

I read the HowTos on http://www.frontios.com/freeradius.html and the FAQ,
but couldn't find any information on how to put Request Attributes/Values
into the Reply using MySQL instead of the users file.

Is there an example to read?



Thanks.
Stefan
 


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Stefan
> Sent: Monday, January 17, 2005 3:59 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Copy Request Attribute Values to Reply using MySQL DB
> 
> 
> Gurus,
> 
> In the users file, I can have the following line to copy the
> framed-ip-address from the request into the reply:
> 
> Framed-IP-Address == `%{Request:Framed-IP-Address}`
> 
> Doing this with MySQL as user data base, Freeradius always puts a
> framed-ip-address of 255.255.255.255 into the reply.
> 
> What will be the exact notation of the reply attributes value for this
> purpose?
> 
> Thank you.
> 
> 
> 
> Stefan
> 
> 




pix and radius authentication

2005-01-18 Thread Volker Lieder
Hello list,
I want to set up a PIX 525 with Cisco PIX Firewall Version 6.3(4) to
authenticate VPN users against a FreeBSD radius.
This step already works fine; the users get authenticated.
Now we want to give the user an IP address via radius, but this doesn't
work.
At this moment I can only log in via the VPN client if I have a local IP
pool configured on the PIX.
The Framed-IP-Address = "10.106.4.5" entry in the radius users file
doesn't work.
Has somebody a solution for this problem, or isn't it possible?
Also we want to send an access-list to the user via radius...
But in this case I don't have any idea how to solve the problem.

Thank you very much
Volker Lieder


is it possible to run two freeradius services at the same time ?

2005-01-18 Thread Nans Delrieu
Hello, I want to run two freeradius daemons (services) on the same PC, in
order to have one that plays the proxy freeradius and a second that plays
the primary freeradius.
Is it possible?
If yes, how?

thanks



Problems using Freeradius whith PEAP authentication (fwd)

2005-01-18 Thread Paulo Alexandre Caceres Ferreira
Hi.
I'm a student of the Polytechnic Institute of Tomar, and I am
working on a project with PEAP authentication over 802.11b wireless
LANs. One of my scenarios to test the authentication results in an error
reported by the RADIUS server (in this case FreeRadius 1.0.1). I don't
know how to resolve this problem. The problem returned by the debug mode of
freeradius was:

radiusd: relocation error: /usr/local/lib/rlm_eap_tls-1.0.1.so: undefined 
symbol: SSL_set_msg_callback

In the log files I see the packets received by freeradius, and the
debug mode shows the same information (when it receives the packet from the
NAS), but when the server receives this packet it doesn't respond to the NAS
and reports the error mentioned above.

The scenario used in this situation was:

   Supplicant       wireless        NAS           192.168.2.0/24      RADIUS Server
(WinXP Pro SP1)  )))))))))))))  (Access Point) ----------+-----------  (FreeRadius)
                                                         |
                                                 ( Network Resources )

In this scenario the supplicant must gain authorization from the radius 
server to access the resources of the network (192.168.2.0/24) like the http server, 
dhcp, etc. I'm using the WinXP supplicant to use PEAP in this 
authorization. The radius server and the NAS (AP) are in the same network 
as the resources (192.168.2.0/24).

I thank you for any help you could provide. You can see the confs used in 
this scenario below.

-- Attachments ---  

My conf files used in this scenario were:

<--radiusd.conf->

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	pap {
		encryption_scheme = clear
	}
	chap {
		authtype = CHAP
	}
	pam {
		pam_auth = radiusd
	}
	eap {
		default_eap_type = peap
		timer_expire = 60
		ignore_unknown_eap_types = yes
		tls {
			private_key_password = whatever
			private_key_file = ${raddbdir}/certs/cert-srv.pem
			certificate_file = ${raddbdir}/certs/cert-srv.pem
			CA_file = ${raddbdir}/certs/demoCA/cacert.pem
			dh_file = ${raddbdir}/certs/dh
			random_file = ${raddbdir}/certs/random
			fragment_size = 1024
			include_length = yes
		}
		ttls {
			copy_request_to_tunnel = yes
			use_tunneled_reply = yes
		}
		peap {
			default_eap_type = mschapv2
		}
		mschapv2 {
		}
	}
	mschap {
		authtype = MS-CHAP
		use_mppe = yes
	}
	realm suffix {
		format = suffix
		delimiter = "@"
	}
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		compat = no
	}
	detail {
		detailfile = ${radacctdir}/detail
		detailperm = 0600
	}
	detail auth_log {
		detailfile = ${radacctdir}/auth-detail
		detailperm = 0600
	}
	detail reply_log {
		detailfile = ${radacctdir}/reply-detail
		detailperm = 0600
	}
	detail pre_proxy_log {
		detailfile = ${radacctdir}/pre-proxy-detail
	}
	detai

Proxy reply and attr_filter

2005-01-18 Thread Cool Man
Hi, 

I am trying to assign different VLANs based on realms.
I use rlm_attr_filter and the attrs file to accomplish
this. 

I have done the following setting in attrs file 

labtest.de

Tunnel-Type:1 := VLAN
Tunnel-Medium-Type:1 := IEEE-802
Tunnel-Private-Group-Id:1 := "labtest"

it works perfectly and I receive access accept from
radius server
with following message sent to my NAS 

rad_check_password: Auth-Type = Accept, accepting the
user
Sending Access-Accept of id 22 to 129.69.1.50:1812
Tunnel-Type:1 := VLAN
Tunnel-Medium-Type:1 := IEEE-802
Tunnel-Private-Group-Id:1 := "labtest"

but the NAS which is cisco Catalyst 2970 switch
doesn't open the port. Additionally It doesn't
understand the Tunnel attributes. 

But when I try for a local user defined in users file

testuser User-Password == "test"
         Tunnel-Type:1 = VLAN,
         Tunnel-Medium-Type:1 = IEEE-802,
         Tunnel-Private-Group-Id:1 = labtest


I see this message in radius debug mode

Sending Access-Accept of id 29 to 129.69.1.50:1812
Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 = "labtest"
MS-MPPE-Recv-Key =
0x82d2b417e4803da1402b6b6e09ea33d9a17e7831ab9f4e72168f71e35948c625
MS-MPPE-Send-Key =
0x0f4e0d86d24e2ae90704293d7f1d4e780e5d7fd506339548117e239582d2e91f
EAP-Message = 0x03060004
Message-Authenticator =
0x
User-Name = "testuser"


Now the only difference I see when the Tunnel attributes
are passed to the NAS is the operators: ":=" for the realm and
"=" for the local user. 

Can anybody suggest what is wrong with my
settings to make attr_filter work fine with post-proxy,
or have I done something wrong in my settings?

I will be very thankful.

Regards,
Raza.





exclude certain IP address in the IP Pool

2005-01-18 Thread Lara Adianto
Hi,

I'm wondering whether we can exclude certain IP
addresses from an IP POOL to be assigned to the client
?

for example, the ippool in radiusd.conf has been
defined as following:
range-start = 192.168.167.90
range-stop = 192.168.167.100

This means that IP address between 192.168.167.90 to
192.168.167.100 can be assigned to a client. However,
we wish to exclude IP address 192.168.167.94.

Can we do so ?

Thank you,
lara

=

Life, you see, is never as good or as bad as one thinks.
- Guy de Maupassant -






rlm_expr error

2005-01-18 Thread Edgars
Has someone figured this error out?
radiusd.conf[1191] Failed to link to module 'rlm_expr': 
/usr/local/lib/rlm_expr.a: invalid ELF header

After commenting that expr module in the radiusd.conf, got the following:
ERROR: Cannot find a configuration entry for module "expr".
Any suggestions on this?
Edgars


Re: how to create certificate for winxpsp2

2005-01-18 Thread vmalik
Look at
http://campuswide.cofc.edu/PEAP%20with%20Windows%20XP%20Service%20Pack%202.pdf







Re: Dynamic IP addres on EAP/TLS session

2005-01-18 Thread Justin Guidroz
Yes.


On Tue, 18 Jan 2005 12:14:17 +1100, Paul Hampson <[EMAIL PROTECTED]> wrote:
> On Mon, Jan 17, 2005 at 09:49:48AM -0600, Justin Guidroz wrote:
> > I'm running Freeradius on the same server that also serves as my LDAP
> > server, DHCP server, and DNS server, and I have had no problems
> > getting DHCP addresses using EAP-TTLS or EAP-TLS.
> 
> Does the EAP gateway thingy relay DHCP requests to your FreeRADIUS
> box?
> 
> --
> Paul "TBBle" Hampson, on an alternate email client.
> 


-- 
Justin Guidroz



poptop +freeradius+ passwd

2005-01-18 Thread Bruno Ricci
Hi,
I would like to authenticate poptop users in /etc/passwd. Is it 
possible?

[]'s
Bruno Ricci


more radwtmp troubles

2005-01-18 Thread Sam
Hi Everyone

I'm still struggling with radwtmp. I wouldn't worry so much about it but 
it's critical for my business. Hopefully someone has seen this before, as 
Googling isn't being real productive.

On Redhat ES 3, Freeradius 1.0.1 is producing the radwtmp file, but as
best I can tell, isn't putting it in a format that either last or
radlast can view. If I do a radlast -o -f radwtmp the output looks like
this:

[EMAIL PROTECTED] radius]# radlast -o -f radwtmp |more
ialup* Wed Apr  5 07:58   still logged in
-dialup  * Mon Dec  4 18:05 - 07:58 
(-243+-11:-7
alup * Sun Jan 11 17:08 - 18:05 
(-768+-23:-2
alup * Sun Jan 11 17:08 - 17:08  (00:00)
alup * Sun Jan 11 17:08 - 17:08  (00:00)
alup * Sun Jan 11 17:08 - 17:08  (00:00)
alup * Sun Jan 11 17:08 - 17:08  (00:00)
alup * Sun Jan 11 17:08 - 17:08  (00:00)

etc. The output is the same for last and radlast. If I do not put the -o 
on the command line, the output is empty.

Other than this one issue, it's working great. I'd really appreciate it if 
someone is able to help me with this. I can post or email radiusd.conf or 
users, or whatever files may be helpful. 

Thanks a ton in advance,
Sam



 -- 
Sam Morris, Owner
Loganet Internet Service
Logan IA, United States of America
712-644-3578




Re: is it possible to run two freeradius services at the same time ?

2005-01-18 Thread Chris Riley
I would think so. You'll need them to have different installation 
directories. And of course they need to be configured to use different 
ports. One should use 1812, the other 1645 (I think).



Re: Proxy reply and attr_filter

2005-01-18 Thread Cool Man
Hi, 
 
I have figured out what the real problem was. Actually, attr_filter does not consider all the other a/v pairs from the proxy request and just builds a new proxy reply containing only the tunnel attributes I have set in the attrs file.

Now the question arises whether it is possible to let attr_filter add the required a/v pairs while keeping the a/v pairs that came in the proxy reply (meaning just the addition of the Tunnel a/v pairs to the proxy reply).

If possible, how?

Regards,
Raza.

Re: Problems using Freeradius whith PEAP authentication (fwd)

2005-01-18 Thread Alan DeKok
Paulo Alexandre Caceres Ferreira <[EMAIL PROTECTED]> wrote:
> radiusd: relocation error: /usr/local/lib/rlm_eap_tls-1.0.1.so: undefined 
> symbol: SSL_set_msg_callback

  You are using an old version of OpenSSL.  Use a newer version.

  Alan DeKok.



Re: exclude certain IP address in the IP Pool

2005-01-18 Thread Alan DeKok
Lara Adianto <[EMAIL PROTECTED]> wrote:
> I'm wondering whether we can exclude certain IP
> addresses from an IP POOL to be assigned to the client

  No, sorry.

  Alan DeKok.



Re: Login-Time Attribute

2005-01-18 Thread Alan DeKok
Lara Adianto <[EMAIL PROTECTED]> wrote:

> Does it mean FreeRadius read the Login-Time attribute in users file,
> then calculate the time left based on current time and set the value
> in the session-timeout attribute ?

  Yes, that's what the text says.

> If that's the case what happens if the users file contains both
> login-time attribute and session-timeout attribute ?

  The smaller value is used.

> I read somewhere that login-time is an RFC defined attribute...which
> RFC defines it ? I can't find any info on the net

  It's not an RFC attribute.

  Alan DeKok.



ascend-data-filter info not returned with radtest?

2005-01-18 Thread Scott Baker
I'm attempting to do a global dial-up solution and they're requiring 
me to use the ascend-data-filter to open up outbound port 25. Simple 
enough.

I've configured my users file to include the attributes they 
provided and it seems to be accepting the data. However when I query 
the radius with radtest it returns odd results. In my users file I 
have four ADF lines, but only three are returned after the query. 
Also, some of the lines that are returned contain a trailing 0. I'm 
new to this "abinary" type so I'm not sure if this is expected 
behaviour or not.

-- users --
bakers  User-Password = "passwd"
        Fall-Through = Yes
DEFAULT
        X-Ascend-Data-Filter += "ip in forward tcp est",
        X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
        X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
        X-Ascend-Data-Filter += "ip in forward",
        Simultaneous-Use = 1,
        Session-Timeout = 28800,
        Idle-Timeout = 3600,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Propel-Accelerate = 0,
        Framed-MTU = 576
-- radtest output --
[EMAIL PROTECTED] ~]# !radte
radtest bakers scottb localhost 10 localhost
Sending Access-Request of id 128 to 127.0.0.1:1812
        User-Name = "bakers"
        User-Password = "scottb"
        NAS-IP-Address = snikt
        NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=128, length=170
        X-Ascend-Data-Filter = "ip in forward tcp est"
        X-Ascend-Data-Filter = "ip in forward dstip 65.182.224.0/26 0"
        X-Ascend-Data-Filter = "ip in forward 0"
        Session-Timeout = 28800
        Idle-Timeout = 3600
        Framed-Compression = Van-Jacobson-TCP-IP
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Propel-Accelerate = 0
        Framed-MTU = 576

--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253


Custom attributes in dictionary...

2005-01-18 Thread Mike Cisar
This one is a bit above my head. I'm trying to set up acceleration, and our
vendor has advised that I need to do the following... 

"your radius must be setup with the custom authentication reply. Defining
this attribute in your dictionary may vary depending on your radius
software. The attribute is: VENDORATTR 7000 Slipstream-Auth 1 string
The value must be set as true"

How would I set that up in Freeradius... would I create a
dictionary.slipstream containing the following???

VENDOR          slipstream      7000
BEGIN-VENDOR    slipstream
ATTRIBUTE       Slipstream-Auth 1       string
END-VENDOR      slipstream

then add a "Slipstream-Auth = false" in the main "default" section of users
so it is off by default, and then turn it on thusly in the users file for
the users in the slipstream group?

DEFAULT Group == "slipstream"
Slipstream-Auth = true,
Fall-Through = 1

Thanks much for any pointers!

Cheers,
> Mike <




802.1x+wet11+ethertype Unknown

2005-01-18 Thread vmalik
Hi! I have configured my wlan in this way:

ethernet card- - >access point client - - > Authenticator - - > Freeradius
Server 1.0.0-1

I am trying to validate with EAP-TLS, but the requests never reach the
server.
When I sniff on the client side(Windows 2000) with windump, I have the
following:

15:46:50.969958 00:02:6f:22:17:da > 00:11:11:12:b4:41, ethertype Unknown
(0x888e), length 60:
0x:  0100 0005 011e 0005 0100     
0x0010:           
0x0020:           ..
15:47:20.969826 00:02:6f:22:17:da > 00:11:11:12:b4:41, ethertype Unknown
(0x888e), length 60:
0x:  0100 0005 011f 0005 0100     
0x0010:           
0x0020:           ..
15:47:20.970572 00:02:6f:22:17:da > 00:11:11:12:b4:41, ethertype Unknown
(0x888e), length 60:
0x:  0100 0005 011f 0005 0100     
0x0010:           
0x0020:           ..
15:47:20.980317 00:11:11:12:b4:41 > 01:80:c2:00:00:03, ethertype Unknown
(0x888e), length 37:
0x:  0100 0013 021f 0013 0143 6c69 656e 7465  .Cliente
0x0010:  2057 6879 4e6f 74.WhyNot
15:47:20.980333 00:11:11:12:b4:41 > 01:80:c2:00:00:03, ethertype Unknown
(0x888e), length 37:
0x:  0100 0013 021f 0013 0143 6c69 656e 7465  .Cliente
0x0010:  2057 6879 4e6f 74.WhyNot
15:47:20.981143 00:11:11:12:b4:41 > 01:80:c2:00:00:03, ethertype Unknown
(0x888e), length 37:
0x:  0100 0013 021f 0013 0143 6c69 656e 7465  .Cliente
0x0010:  2057 6879 4e6f 74.WhyNot
15:47:20.981150 00:11:11:12:b4:41 > 01:80:c2:00:00:03, ethertype Unknown
(0x888e), length 37:
0x:  0100 0013 021f 0013 0143 6c69 656e 7465  .Cliente
0x0010:  2057 6879 4e6f 74.WhyNot

Some clarifications:
00:11:11:12:b4:41 is my ethernet card
00:02:6f:22:17:da is the access point (Senao)
The access Point Client is a LinkSys Wet11
Cliente WhyNot is the name of the client on the certificate

Do you have any idea of what's going on?
Thanks!
Victoria




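As an added example (not code from the post above or from FreeRADIUS), the following Python decodes the frames in the windump dump: the EAPOL header first, then the EAP header and the Identity data it carries. The two byte strings are constructed from the hex lines in the post (everything after the 0x888e ethertype, without the zero padding that fills the 60-byte frame); the type tables are the IEEE 802.1X and RFC 3748 values.

```python
"""Decode the EAPOL frames from the windump capture in the post above.

Added example, not part of the original post or of any FreeRADIUS code.
The two byte strings are constructed from the hex dump in the post: the
bytes that follow the Ethernet header (ethertype 0x888e), with the
padding that fills the 60-byte frame left off.
"""
import struct

# IEEE 802.1X EAPOL packet types
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
# RFC 3748 EAP codes and the EAP types relevant to this thread
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}

# Constructed from the capture: AP -> client, then client -> PAE group address
AP_FRAME = bytes.fromhex("0100" "0005" "011e" "0005" "01")
CLIENT_FRAME = bytes.fromhex("0100" "0013" "021f" "0013" "01"
                             "436c69656e746520" "5768794e6f74")


def decode_eapol(payload: bytes) -> dict:
    """Parse an EAPOL header and, for EAP-Packet frames, the EAP header.

    Raises ValueError on truncated or inconsistent lengths instead of
    guessing, which is what a capture-analysis script should do.
    """
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError(f"EAPOL length {body_len} exceeds captured bytes")
    info = {"eapol_version": version,
            "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:        # EAPOL-Start / Logoff / Key carry no EAP header
        return info
    if body_len < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != body_len:
        raise ValueError(f"EAP length {eap_len} != EAPOL length {body_len}")
    info.update({"eap_code": EAP_CODES.get(code, f"unknown({code})"),
                 "eap_id": ident, "eap_length": eap_len})
    # Request and Response packets carry a type byte; Success/Failure do not
    if code in (1, 2) and eap_len >= 5:
        eap_type = body[4]
        info["eap_type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:  # Identity: the rest of the packet is the identity string
            info["identity"] = body[5:eap_len].decode("ascii", errors="replace")
    return info


if __name__ == "__main__":
    for label, frame in (("AP -> client", AP_FRAME), ("client -> PAE group", CLIENT_FRAME)):
        print(label, decode_eapol(frame))
```

Run as a script it prints an EAP-Request/Identity (id 0x1e) from the access point and an EAP-Response/Identity (id 0x1f) carrying "Cliente WhyNot" from the card, which is the exchange the dump shows stopping at the client side.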


Re: ascend-data-filter info not returned with radtest?

2005-01-18 Thread James Feger
Have you tried running freeradius in debug mode to see what the server is 
spitting out as well?  Is it possible that a few of the attributes you are 
trying to send are not defined in the dictionary file and the radius 
server is ignoring those statements?

-j


Expiration pb

2005-01-18 Thread EROS
Hi all,

I've read doc/rlm_expiration well and I applied it, but it doesn't
work anymore...

So how could I solve it?

I tried all of those syntaxes :

Expiration := 2004-01-01
Expiration := 01-01-2004
Expiration := 1 Jan 2004
Expiration := 1 January 2004


Anyone ? Any idea ?




Re: Expiration pb

2005-01-18 Thread Kostas Kalevras
On Tue, 18 Jan 2005, EROS wrote:
> I've well read the doc/rlm_expiration and I applied it but it doesn't
> work anymore...
> So why could I solve it ?
> I tried all of those syntaxes :
> Expiration := 2004-01-01
> Expiration := 01-01-2004
> Expiration := 1 Jan 2004
> Expiration := 1 January 2004

You don't use double quotes. Try
Expiration := "1 Jan 2004"
also run the server in debug mode to see exactly what happens.
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
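An added example, not code from the thread or from FreeRADIUS: a small parser for users-file attribute pairs that applies the point in Kostas's reply. An unquoted value ends at the first space, so `Expiration := 1 Jan 2004` leaves "Jan 2004" unparsed, while the double-quoted form is one value. The date formats accepted by `check_expiration` are this script's own choice, limited to the two quoted forms the thread discusses.

```python
"""Parse users-file attribute pairs the way the server's tokenizer does.

Added example, not FreeRADIUS code. A value is either a double-quoted
string or one bare word; anything after it is reported as 'trailing'.
The accepted date formats are the script's own, covering the two forms
the thread shows in quotes ("1 Jan 2004", "1 January 2004").
"""
import re
from datetime import datetime

# Longest operators first so ":=" and "==" are matched before "="
OPERATORS = sorted(("==", ":=", "+=", "!=", ">=", "<=", "=~", "!~", "=*", "!*",
                    ">", "<", "="), key=len, reverse=True)
ATTR_RE = re.compile(r"([A-Za-z0-9_.:-]+)\s*")
DATE_FORMATS = ("%d %b %Y", "%d %B %Y")


def parse_pair(line):
    """Split 'Attribute op value[, ...]' into its parts."""
    line = line.strip().rstrip(",").rstrip()
    m = ATTR_RE.match(line)
    if not m:
        raise ValueError(f"no attribute name in {line!r}")
    attr, rest = m.group(1), line[m.end():]
    op = next((o for o in OPERATORS if rest.startswith(o)), None)
    if op is None:
        raise ValueError(f"no operator after {attr!r}")
    rest = rest[len(op):].lstrip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            raise ValueError("unterminated quoted value")
        value, quoted, rest = rest[1:end], True, rest[end + 1:]
    else:
        head = rest.split(None, 1)            # bare word: stops at whitespace
        value, quoted = (head[0] if head else ""), False
        rest = head[1] if len(head) > 1 else ""
    return {"attr": attr, "op": op, "value": value, "quoted": quoted,
            "trailing": rest.strip()}


def check_expiration(line):
    """Return (ok, message) for an Expiration pair."""
    try:
        pair = parse_pair(line)
    except ValueError as exc:
        return False, str(exc)
    if pair["attr"] != "Expiration":
        return False, f"not an Expiration pair: {pair['attr']}"
    if pair["trailing"]:
        return False, (f"value {pair['value']!r} is followed by {pair['trailing']!r}; "
                       "a value containing spaces must be double-quoted")
    for fmt in DATE_FORMATS:
        try:
            when = datetime.strptime(pair["value"], fmt)
            return True, f"expires {when:%Y-%m-%d}"
        except ValueError:
            continue
    return False, f"date {pair['value']!r} not in a format this script recognises"


if __name__ == "__main__":
    for sample in ('Expiration := 1 Jan 2004', 'Expiration := "1 Jan 2004"',
                   'Expiration := "1 January 2004"'):
        print(f"{sample:35} -> {check_expiration(sample)}")
```

The parser is deliberately strict about trailing text rather than silently taking the first word, because a users-file line that parses to `Expiration := 1` is exactly the kind of entry that looks applied while doing nothing useful.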


Re: Custom attributes in dictionary...

2005-01-18 Thread Alan DeKok
"Mike Cisar" <[EMAIL PROTECTED]> wrote:
> How would I set that up in Freeradius... would I create a
> dictionary.slipstream containing the following???
> 
> VENDOR          slipstream      7000
> BEGIN-VENDOR    slipstream
> ATTRIBUTE       Slipstream-Auth 1       string
> END-VENDOR      slipstream

  Pretty much, yes.

> then add a "Slipstream-Auth = false" in the main "default" section of users
> so it is off by default, and then turn it on thusly in the users file for
> the users in the slipstream group?
> 
> DEFAULT Group == "slipstream"
> Slipstream-Auth = true,
> Fall-Through = 1

  You have to define what "true" is.  Or, just do "Slipstream-Auth = 1"

  Alan DeKok.


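An added example, not code from the thread or from FreeRADIUS: it parses the four-line dictionary Mike posted (column whitespace restored), encodes Slipstream-Auth as an RFC 2865 Vendor-Specific attribute (attribute 26) for both the "true" string and the value 1 that Alan mentions, and decodes the bytes back. The dictionary grammar it handles is only the subset those four lines use; the 247-byte payload limit follows from the 255-byte maximum attribute length.

```python
"""Parse the vendor dictionary from this thread and build the VSA on the wire.

Added example, not FreeRADIUS code. The dictionary text is the one posted
in the thread with column whitespace restored; encoding follows RFC 2865
section 5.26: 26 | length | vendor-id (4) | vendor-type | vendor-length | data.
"""
import struct

DICTIONARY_TEXT = """\
VENDOR          slipstream      7000
BEGIN-VENDOR    slipstream
ATTRIBUTE       Slipstream-Auth 1       string
END-VENDOR      slipstream
"""

VENDOR_SPECIFIC = 26   # RFC 2865 attribute number


def parse_dictionary(text):
    """Return (vendors, attrs): name -> id, and name -> (vendor_id, number, type)."""
    vendors, attrs, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # dictionaries allow # comments
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].upper()
        if keyword == "VENDOR" and len(parts) == 3:
            vendors[parts[1]] = int(parts[2])
        elif keyword == "BEGIN-VENDOR" and len(parts) == 2:
            if parts[1] not in vendors:
                raise ValueError(f"BEGIN-VENDOR for undefined vendor {parts[1]!r}")
            current = vendors[parts[1]]
        elif keyword == "END-VENDOR":
            current = None
        elif keyword == "ATTRIBUTE" and len(parts) >= 4:
            attrs[parts[1]] = (current, int(parts[2]), parts[3])
        else:
            raise ValueError(f"cannot parse dictionary line: {raw!r}")
    return vendors, attrs


def encode_vsa(attrs, name, value):
    """Encode name=value as a Vendor-Specific attribute."""
    vendor_id, number, attr_type = attrs[name]
    if vendor_id is None:
        raise ValueError(f"{name} is not inside a BEGIN-VENDOR block")
    if attr_type == "string":
        data = str(value).encode("utf-8")
    elif attr_type == "integer":
        data = struct.pack("!I", int(value))
    else:
        raise ValueError(f"unsupported type {attr_type!r}")
    if len(data) > 247:   # 255 max attribute length minus the 8 header bytes
        raise ValueError("value too long for a single VSA")
    vendor_data = bytes([number, 2 + len(data)]) + data
    return (bytes([VENDOR_SPECIFIC, 6 + len(vendor_data)])
            + struct.pack("!I", vendor_id) + vendor_data)


def decode_vsa(attrs, raw):
    """Reverse of encode_vsa: return (attribute name, decoded value)."""
    if len(raw) < 8 or raw[0] != VENDOR_SPECIFIC or raw[1] != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", raw[2:6])[0]
    number, vlen = raw[6], raw[7]
    if vlen != len(raw) - 6:
        raise ValueError("vendor length does not match attribute length")
    data = raw[8:8 + vlen - 2]
    for name, (vid, num, attr_type) in attrs.items():
        if (vid, num) == (vendor_id, number):
            if attr_type == "string":
                return name, data.decode("utf-8")
            return name, struct.unpack("!I", data)[0]
    raise KeyError(f"vendor {vendor_id} attribute {number} not in dictionary")


VENDORS, ATTRS = parse_dictionary(DICTIONARY_TEXT)

if __name__ == "__main__":
    for value in ("true", 1):
        wire = encode_vsa(ATTRS, "Slipstream-Auth", value)
        print(value, wire.hex(), decode_vsa(ATTRS, wire))
```

Because the dictionary declares the attribute as `string`, both `Slipstream-Auth = true` and `Slipstream-Auth = 1` go on the wire as text (0x74727565 and 0x31), which is why the vendor's "must be set as true" advice depends on what their gateway compares the string against.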


Re: ascend-data-filter info not returned with radtest?

2005-01-18 Thread Scott Baker
It's only one attribute "X-Ascend-Data-Filter" and it's defined just 
fine. I turned on debugging mode and this is what I get. It doesn't 
really tell me what I didn't already know. There has to be some 
configuration error in my users file? I'm just not sure where to 
start looking.

**
rad_recv: Access-Request packet from host 127.0.0.1:41445, id=13, length=58
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
        User-Name = "bakers"
        User-Password = "scottb"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "bakers", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched bakers at 1
    users: Matched DEFAULT at 4
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 13 to 127.0.0.1:41445
        X-Ascend-Data-Filter += "ip in forward tcp est"
        X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26 0"
        X-Ascend-Data-Filter += "ip in forward 0"
        Session-Timeout = 28800
        Idle-Timeout = 3600
        Framed-Compression = Van-Jacobson-TCP-IP
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Propel-Accelerate = 0
        Framed-MTU = 576
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request


--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253


RE: ascend-data-filter info not returned with radtest?

2005-01-18 Thread Brian Fennimore
You need a space in the destination port value line.

i.e.

>>X-Ascend-Data-Filter += "ip in forward tcp est",
>>X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
>>X-Ascend-Data-Filter += "ip in drop tcp dstport = 25",
>>X-Ascend-Data-Filter += "ip in forward",


instead of...

>>X-Ascend-Data-Filter += "ip in forward tcp est",
>>X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
>>X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
>>X-Ascend-Data-Filter += "ip in forward",



Brian



James Feger wrote:
> On Tue, 18 Jan 2005, Scott Baker wrote:
>
>> I'm attempting to do a global dial-up solution and they're requiring
>> me to use the ascend-data-filter to open up outbound port 25. Simple
>> enough.
>>
>> I've configured my users file to include the attributes they provided
>> and it seems to be accepting the data. However when I query the radius
>> with radtest it returns odd results. In my users file I have four ADF
>> lines, but only three are returned after the query. Also, some of the
>> lines that are returned contain a trailing 0. I'm new to this
>> "abinary" type so I'm not sure if this is expected behaviour or not.
>>
>> -- users --
>>
>> bakers  User-Password = "passwd"
>>Fall-Through = Yes
>>
>> DEFAULT
>>X-Ascend-Data-Filter += "ip in forward tcp est",
>>X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
>>X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
>>X-Ascend-Data-Filter += "ip in forward",
>>Simultaneous-Use = 1,
>>Session-Timeout = 28800,
>>Idle-Timeout = 3600,
>>Framed-Compression = Van-Jacobson-TCP-IP,
>>Service-Type = Framed-User,
>>Framed-Protocol = PPP,
>>Propel-Accelerate = 0,
>>Framed-MTU = 576
>>
>> -- radtest output --
>> [EMAIL PROTECTED] ~]# !radte
>> radtest bakers scottb localhost 10 localhost
>> Sending Access-Request of id 128 to 127.0.0.1:1812
>>User-Name = "bakers"
>>User-Password = "scottb"
>>NAS-IP-Address = snikt
>>NAS-Port = 10
>> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=128,
>> length=170
>>X-Ascend-Data-Filter = "ip in forward tcp est"
>>X-Ascend-Data-Filter = "ip in forward dstip 65.182.224.0/26 0"
>>X-Ascend-Data-Filter = "ip in forward 0"
>>Session-Timeout = 28800
>>Idle-Timeout = 3600
>>Framed-Compression = Van-Jacobson-TCP-IP
>>Service-Type = Framed-User
>>  
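
An added example, not code from this thread or from FreeRADIUS: a small Python lint for the text form of X-Ascend-Data-Filter rules, modelled on the rules posted above. FreeRADIUS splits each rule on whitespace, so "dstport=25" arrives as one unknown token and that rule is discarded rather than applied; the worrying part is that the three rules which did survive were all "forward" rules, so the filter handed to the NAS was more permissive than the one written in the users file. The lint reports the bad token and flags that a written "drop" rule did not survive. The grammar it accepts (ip, in/out, forward/drop, optional dstip/srcip with a prefix, a protocol, dstport/srcport followed by a separate comparison operator and port, est) is my reading of the examples in this thread, not FreeRADIUS's own abinary parser; the function names parse_rule and lint_filter are mine.

```python
"""Lint the text form of X-Ascend-Data-Filter rules.

Added example; the accepted grammar is an assumption based on the rules
posted in this thread, not the FreeRADIUS abinary parser itself.
"""
import ipaddress

DIRECTIONS = {"in", "out"}
ACTIONS = {"forward", "drop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ospf"}
COMPARISONS = {"<", "=", ">", "!="}


def parse_rule(text):
    """Return (rule_dict, None) on success or (None, error_message).

    Tokens are split on whitespace, as in the users-file examples above,
    which is why 'dstport=25' fails while 'dstport = 25' parses.
    """
    tokens = text.split()
    if len(tokens) < 3 or tokens[0] != "ip":
        return None, "rule must start with 'ip <in|out> <forward|drop>'"
    direction, action = tokens[1], tokens[2]
    if direction not in DIRECTIONS:
        return None, "unknown direction %r" % direction
    if action not in ACTIONS:
        return None, "unknown action %r" % action
    rule = {"direction": direction, "action": action}
    i = 3
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("dstip", "srcip"):
            if i + 1 >= len(tokens):
                return None, "%s needs an address" % tok
            try:
                rule[tok] = ipaddress.ip_network(tokens[i + 1], strict=False)
            except ValueError:
                return None, "bad address %r after %s" % (tokens[i + 1], tok)
            i += 2
        elif tok in ("dstport", "srcport"):
            # operator and port must be separate tokens: 'dstport = 25'
            if i + 2 >= len(tokens) or tokens[i + 1] not in COMPARISONS:
                return None, "%s needs '<cmp> <port>' (e.g. 'dstport = 25')" % tok
            if not tokens[i + 2].isdigit() or not 0 < int(tokens[i + 2]) < 65536:
                return None, "bad port %r" % tokens[i + 2]
            rule[tok] = (tokens[i + 1], int(tokens[i + 2]))
            i += 3
        elif tok in PROTOCOLS or tok.isdigit():
            rule["proto"] = tok
            i += 1
        elif tok == "est":
            rule["established"] = True
            i += 1
        else:
            return None, "unknown token %r (missing whitespace?)" % tok
    return rule, None


def lint_filter(rules):
    """Parse a list of rule strings; return (parsed_rules, errors).

    The server in this thread silently dropped the unparseable rule, so we
    also report when a written 'drop' rule did not survive parsing: the
    remaining filter then permits traffic the administrator meant to block.
    """
    parsed, errors = [], []
    for text in rules:
        rule, err = parse_rule(text)
        if err:
            errors.append("%s: %s" % (text, err))
        else:
            parsed.append(rule)
    wrote_drop = any("drop" in text.split() for text in rules)
    kept_drop = any(r["action"] == "drop" for r in parsed)
    if wrote_drop and not kept_drop:
        errors.append("every 'drop' rule was discarded; the filter is "
                      "more permissive than written")
    return parsed, errors


if __name__ == "__main__":
    # The four rules from the users file above, before and after Brian's fix.
    broken = ["ip in forward tcp est",
              "ip in forward dstip 65.182.224.0/26",
              "ip in drop tcp dstport=25",
              "ip in forward"]
    fixed = list(broken)
    fixed[2] = "ip in drop tcp dstport = 25"
    for label, rules in (("broken", broken), ("fixed", fixed)):
        kept, problems = lint_filter(rules)
        print("%s: %d of %d rules parsed" % (label, len(kept), len(rules)))
        for p in problems:
            print("  " + p)
```

Run it against the DEFAULT entry before editing the users file; the "broken" list yields three parsed rules and two errors, the "fixed" list four rules and no errors.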

RE : Expiration pb

2005-01-18 Thread EROS
Yep, I have tried this with and without "" and it is the same.

In debug mode I don't see any expiration lines in the log.
I've compiled freeradius with experimental modules...

Is this something to do in some *.conf files?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Kostas Kalevras
Sent: Tuesday, 18 January 2005 21:16
To: freeradius-users@lists.freeradius.org
Subject: Re: Expiration pb


On Tue, 18 Jan 2005, EROS wrote:

> Hi all,
>
> I've read doc/rlm_expiration well and applied it, but it doesn't
> work anymore...
>
> So how could I solve it?
>
> I tried all of those syntaxes :
>
> Expiration := 2004-01-01
> Expiration := 01-01-2004
> Expiration := 1 Jan 2004
> Expiration := 1 January 2004

You don't use double quotes. Try
Expiration := "1 Jan 2004"

also run the server in debug mode to see exactly what happens.

>
>
> Anyone ? Any idea ?
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: ascend-data-filter info not returned with radtest?

2005-01-18 Thread Scott Baker
Excellent! It's returning all the data I expected now! I'm still 
getting that trailing 0 on the "ip in forward dstip" and "ip in 
forward."

Is that normal? Some fluke in radtest?
-
[EMAIL PROTECTED] ~]$ radtest bakers scottb localhost 10 localhost
Sending Access-Request of id 93 to 127.0.0.1:1812
User-Name = "bakers"
User-Password = "scottb"
NAS-IP-Address = snikt
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=93, 
length=204
X-Ascend-Data-Filter = "ip in forward tcp est"
X-Ascend-Data-Filter = "ip in forward dstip 65.182.224.0/26 0"
X-Ascend-Data-Filter = "ip in drop tcp dstport = 25"
X-Ascend-Data-Filter = "ip in forward 0"
Session-Timeout = 28800
Idle-Timeout = 3600
Framed-Compression = Van-Jacobson-TCP-IP
Service-Type = Framed-User
Framed-Protocol = PPP
Propel-Accelerate = 0
Framed-MTU = 576


Acct-Status-Type = 15

2005-01-18 Thread [EMAIL PROTECTED]
hello,
I have a NAS which sends an accounting request with Acct-Status-Type = 
15 and the sql module says:
"rlm_sql (sql): Unsupported Acct-Status-Type = 15"

is it possible to send this type of requests to the sql server ?
thanks
Razvan Radu



radtest only works from localhost

2005-01-18 Thread energy
I am having problems authenticating to my freeradius server remotely. Here is 
my current configuration:

SuSE 9.1 default rpm-based install and then an upgrade through YOU to 
freeradius-0.9.3-106.6

Files modified:
/etc/raddb/radiusd.conf:
Around line 720:
ldap {
# server = "ldap.your.domain"
server = "127.0.0.1"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
# basedn = "o=My Org,c=UA"
basedn = "ou=Users,dc=mydomain,dc=com"
   #  filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
filter = "(objectClass=posixAccount)(uid=%u)"

In the authorize section around line 1448 uncommented:
ldap

Around line 1511 uncommented:
Auth-Type LDAP {
ldap
}

/etc/raddb/users:
Around line 152:
#DEFAULTAuth-Type = System
DEFAULT Auth-Type = LDAP

The server is on 192.168.0.2 and my external client is on 192.168.0.3. All 
system-based firewalls are shutdown. Client is SuSE 9.2 with these packages:
freeradius-1.0.0-5
radiusclient-0.3.2-142

The /etc/raddb/clients.conf is (with comments removed):
client 127.0.0.1 {
secret  = test
shortname   = localhost
nastype = other
}

client 192.168.0.2 {
secret  =   test
shortname = mail
nastype = other
}

client 192.168.0.3 {
secret  =   test
shortname = suse
nastype = other
}

The 192.168.0.3 entry was created with vi by utilizing 5yy and then a p so 
there are no hidden characters in the secret line.

When running radtest from the server itself the following commands succeed:
radtest myuser secret localhost:1812 10 test
radtest myuser secret 127.0.0.1:1812 10 test
radtest myuser secret 192.168.0.2:1812 10 test

When running radtest from the 192.168.0.3 client the following command fails:
radtest myuser secret 192.168.0.2 10 test


Here are the obvious errors:


From the server:
Ready to process requests.
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/
udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.3:1024, id=244, length=61
User-Name = "myuser"
User-Password = "A\317\324\013\367G\325Rbf\342'?n~\246"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "myuser", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myuser
radius_xlat:  '(objectClass=posixAccount)(uid=myuser)'
radius_xlat:  'ou=Users,dc=mydomain,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as / to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Users,dc=mydomain,dc=com, with filter 
(objectClass=posixAccount)(uid=myuser)
rlm_ldap: checking if remote access for myuser is allowed by dialupAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user myuser authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myuser" with password "Aï?ïïbfï?n~"
rlm_ldap: user DN: uid=myuser,ou=Users,dc=mydomain,dc=com
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=myuser,ou=Users,dc=mydomain,dc=com/Aï?ïïbfï?n~ to 
127.0.0.1:389
rlm_ldap: waiting for bind result ...
  modcall[authenticate]: module "ldap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ?  Double-check the shared 
secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 244 to 192.168.221.125:1024
Waking up in 4 seconds...

From the client:
Sending Access-Request of id 244 to 192.168.0.2:1812
User-Name = "myuser"
User-Password = "secret"
N
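
An added example, not part of the post above and not FreeRADIUS code: the "Unprintable characters in the password" warning is the server saying that the shared secret it used to unhide User-Password is not the one the client used to hide it. RFC 2865 section 5.2 hides the password by XORing each 16-byte block of the null-padded password with MD5(secret + Request-Authenticator) for the first block and MD5(secret + previous ciphertext block) for the rest, so unhiding with the wrong secret yields random bytes, exactly what the debug output shows. The Python below implements the hiding and unhiding and a printable-bytes check like the server's; the authenticator is generated for the demonstration and the secrets "test" and "wrong" are placeholders, as are the function names.

```python
"""RFC 2865 section 5.2 User-Password hiding, and the secret-mismatch check.

Added example, not part of the post or of FreeRADIUS. The authenticator
and the secrets used in demo() are constructed for the demonstration.
"""
import hashlib
import os


def hide_password(password, secret, authenticator):
    """Hide a cleartext password as the NAS does when building the request."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    pw = password.encode()
    padded = pw + b"\0" * (-len(pw) % 16)
    if not padded:
        padded = b"\0" * 16  # an empty password still occupies one block
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        # b(n) = MD5(secret + c(n-1)); c(0) is the Request-Authenticator
        key = hashlib.md5(secret.encode() + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Reverse hide_password with the secret the server has for this client."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block  # chaining uses the ciphertext, so no secret is needed here
    return out.rstrip(b"\0")


def looks_like_secret_mismatch(cleartext):
    """Mirror the server's heuristic: a recovered password containing
    non-printable bytes almost always means the two sides disagree on
    the shared secret (the chance that 16 random bytes are all printable
    ASCII is about one in ten million)."""
    return any(b < 0x20 or b > 0x7e for b in cleartext)


def demo():
    """Return (password recovered with the right secret,
               mismatch verdict for the wrong secret)."""
    authenticator = os.urandom(16)  # the NAS picks a fresh one per request
    hidden = hide_password("secret", "test", authenticator)
    good = unhide_password(hidden, "test", authenticator)
    bad = unhide_password(hidden, "wrong", authenticator)
    return good, looks_like_secret_mismatch(bad)


if __name__ == "__main__":
    recovered, mismatch = demo()
    print("right secret ->", recovered)
    print("wrong secret -> mismatch suspected:", mismatch)
```

When the warning appears, compare the secret in the matching clients.conf entry with what the client actually sends; in the post above radtest takes the secret as its last argument and the server matches the client entry by the source address it sees, so a NAT or a second interface between the two hosts selects a different entry than the one you edited.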

Re: Autz-Type, auth without passwords

2005-01-18 Thread Kostas Kalevras
On Mon, 17 Jan 2005, Robert Tarrall wrote:

> HOWEVER - we're now accepting everyone, even when the authorize
> module returns notfound.  That's not what we want.
>
> From radiusd.conf:
> authorize {
>    preprocess
>    suffix
>    autztype ecentralldap {
>    ecentralldap
>    }
>    autztype exampleldap {
>    exampleldap
>    }
>    files
> }
> authenticate {
> }
>
> From users:
> DEFAULT Realm == "ecentral.com", Autz-Type := ecentralldap, Auth-Type := Accept
>    Fall-Through = Yes
> DEFAULT Realm == "example.com", Autz-Type := exampleldap, Auth-Type := Accept
>    Fall-Through = Yes
>
> And from the log:
>  modcall[authorize]: module "ecentralldap" returns notfound
>  modcall: group autztype returns notfound
>  rad_check_password:  Found Auth-Type Accept
>  rad_check_password: Auth-Type = Accept, accepting the user
>
> Is there a way to ensure that Auth-Type is set to 'Accept' ONLY if
> authorize returns 'ok'?  Or some other way of accomplishing what I'm
> after?

In recent freeradius versions you can use:
autztype ecentralldap {
ecentralldap{
notfound = reject
}
}


Simple script to check user authentication from a script.

2005-01-18 Thread Guy Fraser
Many times I have wanted a simple script to check a user's 
password or to see if a radius server is working.

The output of radclient and radtest needs to be parsed to 
figure out what you want to know.

The script I put together provides output on stdout 
for simple command line use, and also uses exit codes 
so it can easily be used in shell scripts.

---radauth---
#!/bin/sh
#
# radauth
# 
# Created by Guy Fraser on Jan 18 2005.
#
# This program is a quick and simple tool used to verify the 
# authentication of a user on a radius server. 
#
# This program requires four options:
# 1) radius server
# 2) radius secret shared by the sending machine and the radius server
# 3) username with realm if required
# 4) password
#
# There are three possible responses:
# 1) If all options are present and correct:
#   "yes" is sent to stdout and the exit status is 0 {true}.
# 2) If all options are present but something is incorrect:
#   "no" is sent to stdout and the exit status is 1 {false}.
# 3) If all options are not present:
#   A usage message is displayed and the exit status is 1.
#
# Note: the secret and the password are passed on the command line,
# so other users of the machine can see them in the process list.
#

PREFIX=/usr/local
EXEC_PREFIX=${PREFIX}
BINDIR=${EXEC_PREFIX}/bin

ECHO=/bin/echo
RADCLIENT=$BINDIR/radclient
AWK=/usr/bin/awk
TEST=/bin/test

usage () {
$ECHO "" >&2
$ECHO "Authenticate a user on an authorized radius server." >&2
$ECHO "" >&2
$ECHO "Usage:" >&2
$ECHO "radauth radius-server[:port] secret user passwd" >&2
$ECHO "" >&2
exit 1
}

if [ $# -ne 4 ]
then
usage
fi

SERVER=$1
SECRET=$2
UNAME=$3
PASS=$4

# radclient -s prints a summary line "Total approved auths: N";
# pick out N. It is empty when radclient could not talk to the server,
# and 0 when the server rejected the user or the secret did not match.
RES=`$ECHO "User-Name=\"$UNAME\",User-Password=\"$PASS\"" \
| $RADCLIENT -q -s "$SERVER" auth "$SECRET" 2>&1 \
| $AWK '/Total approved auths/ {print $4}'`

# Quoting $RES keeps the test well-formed when radclient printed nothing.
if $TEST "$RES" = 1
 then {
  $ECHO yes
  exit 0
 } else {
  $ECHO no
  exit 1
 }
fi

---radauth---


Command line use :
--
--everything correct--
$ radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilma
yes
--password is wrong--
$ radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilm
no
--secret is wrong--
$ radauth 127.0.0.1 testing12 [EMAIL PROTECTED] wilma
no


Shell script use :
--

--everything correct--
$ if radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilma \
>/dev/null 2>&1
then echo Bonus
else echo Busted
fi
--output--
Bonus

--password is wrong--
$ if radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilm \
>/dev/null 2>&1
then echo Bonus
else echo Busted
fi
--output--
Busted

--secret is wrong--
$ if radauth 127.0.0.1 testing12 [EMAIL PROTECTED] wilma \
>/dev/null 2>&1
then echo Bonus
else echo Busted
fi
--output--
Busted

---

Feel free to use this or add it to the CVS tree.

Have a nice day





Re: exclude certain IP address in the IP Pool

2005-01-18 Thread Kostas Kalevras
On Tue, 18 Jan 2005, Lara Adianto wrote:

> Hi,
> I'm wondering whether we can exclude certain IP addresses from an IP
> POOL to be assigned to the client?
> For example, the ippool in radiusd.conf has been defined as follows:
> range-start = 192.168.167.90
> range-stop = 192.168.167.100
> This means that IP addresses between 192.168.167.90 and 192.168.167.100
> can be assigned to a client. However, we wish to exclude IP address
> 192.168.167.94.
> Can we do so?

Not really. Patches are welcome.

> Thank you,
> lara
> =====
>
> Life, you see, is never as good or as bad as one thinks.
>    - Guy de Maupassant -


Re: ascend-data-filter info not returned with radtest?

2005-01-18 Thread Alan DeKok
Scott Baker <[EMAIL PROTECTED]> wrote:
> Excellent! It's returning all the data I expected now! I'm still 
> getting that trailing 0 on the "ip in forward dstip" and "ip in 
> forward."
> 
> Is that normal? Some fluke in radtest?

  It's an artifact of printing.  It doesn't affect anything.

  Alan DeKok.



Re: Acct-Status-Type = 15

2005-01-18 Thread Alan DeKok
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> I have a NAS which sends an accounting request with Acct-Status-Type = 
> 15 and the sql module says:
> "rlm_sql (sql): Unsupported Acct-Status-Type = 15"
> 
> is it possible to send this type of requests to the sql server ?

  It would appear not.

  What do you want done with those requests?

  Alan DeKok.



Re: ascend-data-filter info not returned with radtest?

2005-01-18 Thread Scott Baker
Excellent. I think I'm good then! Thanks for all the help everyone.