For persons who have made primary and secondary freeradius with proxy radius
Hello,

I have done this:

Proxy freeradius --> Primary Freeradius
                 | --> Secondary Freeradius

I want to put the primary radius and the proxy freeradius on the same PC. Is it possible? If yes, how can I do that, please?

My first idea was to run two freeradius services on the same PC, but I don't know how I can do that.

Thank you,
Nans

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Copy Request Attribute Values to Reply using MySQL DB
All,

I read the HowTos on http://www.frontios.com/freeradius.html and the FAQ, but couldn't find any information on how to put Request Attributes/Values into the Reply, using MySQL instead of the users file. Is there an example to read?

Thanks.

Stefan

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Stefan
> Sent: Monday, January 17, 2005 3:59 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Copy Request Attribute Values to Reply using MySQL DB
>
> Gurus,
>
> In the users file, I can have the following line to copy the
> framed-ip-address from the request into the reply:
>
> Framed-IP-Address == `%{Request:Framed-IP-Address}`
>
> Doing this with MySQL as user data base, Freeradius always puts a
> framed-ip-address of 255.255.255.255 into the reply.
>
> What will be the exact notation of the reply attributes value for this
> purpose?
>
> Thank you.
>
> Stefan
pix and radius authentication
Hello list,

I want to set up a PIX 525 with Cisco PIX Firewall Version 6.3(4) to authenticate VPN users against a freebsd-radius. This step already works fine, the users get authenticated.

Now we want to give the user an IP address via radius, but this doesn't work. At this moment I can only log in via vpn-client if I have a local IP pool configured on the PIX. The

Framed-IP-Address = "10.106.4.5"

entry in the radius-users file doesn't work. Does somebody have a solution for this problem, or isn't it possible?

We also want to send an access-list to the user via radius... But in this case I don't have any idea how to solve the problem.

Thank you very much
Volker Lieder
is it possible to run two freeradius services at the same time ?
Hello,

I want to run two freeradius daemons (services) on the same PC, so that one plays the proxy freeradius and the second plays the primary freeradius. Is it possible? If yes, how?

Thanks
Problems using Freeradius with PEAP authentication (fwd)
Hi.

I'm a student at the Polytechnic Institute of Tomar, and I am working on a project with PEAP authentication over 802.11b wireless LANs. One of my scenarios for testing the authentication results in an error reported by the RADIUS server (in this case FreeRadius 1.0.1). I don't know how to resolve this problem. The problem returned by the debug mode of freeradius was:

radiusd: relocation error: /usr/local/lib/rlm_eap_tls-1.0.1.so: undefined symbol: SSL_set_msg_callback

In the log files I see the packets received by freeradius, and the debug mode shows the same information (when it receives the packet from the NAS), but when the server receives this packet it doesn't respond to the NAS and reports the error mentioned above.

The scenario used in this situation was:

[Diagram: Supplicant (WinXPPro 1sp) -- wireless -- NAS (Access Point) -- 192.168.2.0/24 -- RADIUS Server (FreeRadius) and Network Resources]

In this scenario the supplicant must gain authorization from the radius server to access the resources of the network (192.168.2.0/24), like the http server, dhcp, etc. I'm using the WinXP supplicant to use PEAP in this authorization. The radius server and the NAS (AP) are in the same network as the resources (192.168.2.0/24).

I thank you for any help you could provide. You can see the confs used in this scenario below.
-- Attachments --

The conf files used in this scenario were:

<--radiusd.conf->

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = clear
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = yes
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/certs/cert-srv.pem
            certificate_file = ${raddbdir}/certs/cert-srv.pem
            CA_file = ${raddbdir}/certs/demoCA/cacert.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
            fragment_size = 1024
            include_length = yes
        }
        ttls {
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
        }
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
    }
    realm suffix {
        format = suffix
        delimiter = "@"
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/detail
        detailperm = 0600
    }
    detail auth_log {
        detailfile = ${radacctdir}/auth-detail
        detailperm = 0600
    }
    detail reply_log {
        detailfile = ${radacctdir}/reply-detail
        detailperm = 0600
    }
    detail pre_proxy_log {
        detailfile = ${radacctdir}/pre-proxy-detail
    }
    detai
Proxy reply and attr_filter
Hi,

I am trying to assign different VLANs based on realms. I use rlm_attr_filter and the attrs file to accomplish this. I have done the following setting in the attrs file:

labtest.de
    Tunnel-Type:1 := VLAN
    Tunnel-Medium-Type:1 := IEEE-802
    Tunnel-Private-Group-Id:1 := "labtest"

It works perfectly and I receive an access accept from the radius server, with the following message sent to my NAS:

rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 22 to 129.69.1.50:1812
    Tunnel-Type:1 := VLAN
    Tunnel-Medium-Type:1 := IEEE-802
    Tunnel-Private-Group-Id:1 := "labtest"

but the NAS, which is a Cisco Catalyst 2970 switch, doesn't open the port. Additionally, it doesn't understand the Tunnel attributes.

But when I try for a local user defined in the users file:

testuser User-Password == "test"
    Tunnel-Type:1 = VLAN,
    Tunnel-Medium-Type:1 = IEEE-802,
    Tunnel-Private-Group-Id:1 = labtest

I see this message in radius debug mode:

Sending Access-Accept of id 29 to 129.69.1.50:1812
    Tunnel-Type:1 = VLAN
    Tunnel-Medium-Type:1 = IEEE-802
    Tunnel-Private-Group-Id:1 = "labtest"
    MS-MPPE-Recv-Key = 0x82d2b417e4803da1402b6b6e09ea33d9a17e7831ab9f4e72168f71e35948c625
    MS-MPPE-Send-Key = 0x0f4e0d86d24e2ae90704293d7f1d4e780e5d7fd506339548117e239582d2e91f
    EAP-Message = 0x03060004
    Message-Authenticator = 0x
    User-Name = "testuser"

Now the only difference I see when the Tunnel attributes are passed to the NAS is the operators: ":=" for the realm and "=" for the local user.

Can anybody suggest what is wrong with my settings to make attr_filter work fine with post proxy, or whether I have done something wrong in my settings? I will be very thankful.

Regards,
Raza.
exclude certain IP address in the IP Pool
Hi,

I'm wondering whether we can exclude certain IP addresses from an IP POOL to be assigned to the client? For example, the ippool in radiusd.conf has been defined as follows:

range-start = 192.168.167.90
range-stop = 192.168.167.100

This means that an IP address between 192.168.167.90 and 192.168.167.100 can be assigned to a client. However, we wish to exclude IP address 192.168.167.94. Can we do so?

Thank you,
lara

Life, you see, is never as good or as bad as one thinks
- Guy de Maupassant -
rlm_expr error
Has someone figured this error out?

radiusd.conf[1191] Failed to link to module 'rlm_expr': /usr/local/lib/rlm_expr.a: invalid ELF header

After commenting out that expr module in radiusd.conf, I got the following:

ERROR: Cannot find a configuration entry for module "expr".

Any suggestions on this?

Edgars
Re: how to create certificate for winxpsp2
Look at http://campuswide.cofc.edu/PEAP%20with%20Windows%20XP%20Service%20Pack%202.pdf
Re: Dynamic IP addres on EAP/TLS session
Yes.

On Tue, 18 Jan 2005 12:14:17 +1100, Paul Hampson <[EMAIL PROTECTED]> wrote:
> On Mon, Jan 17, 2005 at 09:49:48AM -0600, Justin Guidroz wrote:
> > I'm running Freeradius on the same server that also serves as my LDAP
> > server, DHCP server, and DNS server, and I have had no problems
> > getting DHCP addresses using EAP-TTLS or EAP-TLS.
>
> Does the EAP gateway thingy relay DHCP requests to your FreeRADIUS
> box?
>
> --
> Paul "TBBle" Hampson, on an alternate email client.

--
Justin Guidroz
poptop +freeradius+ passwd
Hi,

I would like to authenticate poptop users in /etc/passwd... is it possible?

[]'s
Bruno Ricci
more radwtmp troubles
Hi Everyone,

I'm still struggling with radwtmp. I wouldn't worry so much about it but it's critical for my business. Hopefully someone has seen this before, as Googling isn't being real productive.

On Redhat ES 3, Freeradius 1.0.1 is producing the radwtmp file, but as best I can tell, isn't putting it in a format that neither last nor radlast can view. If I do a radlast -o -f radwtmp the output looks like this:

[EMAIL PROTECTED] radius]# radlast -o -f radwtmp |more
ialup* Wed Apr 5 07:58 still logged in
-dialup * Mon Dec 4 18:05 - 07:58 (-243+-11:-7
alup * Sun Jan 11 17:08 - 18:05 (-768+-23:-2
alup * Sun Jan 11 17:08 - 17:08 (00:00)
alup * Sun Jan 11 17:08 - 17:08 (00:00)
alup * Sun Jan 11 17:08 - 17:08 (00:00)
alup * Sun Jan 11 17:08 - 17:08 (00:00)
alup * Sun Jan 11 17:08 - 17:08 (00:00)
etc.

The output is the same for last and radlast. If I do not put the -o on the command line, the output is empty.

Other than this one issue, it's working great. I'd really appreciate it if someone is able to help me with this. I can post or email radiusd.conf or users, or whatever files may be helpful.

Thanks a ton in advance,
Sam

--
Sam Morris, Owner
Loganet Internet Service
Logan IA, United States of America
712-644-3578
Re: is it possible to run two freeradius services at the same time ?
I would think so. You'll need them to have different installation directories. And of course they need to be configured to use different ports. One should use 1812, the other 1645 (I think).

On Jan 18, 2005, at 7:04 AM, Nans Delrieu wrote:

> hello,
> i want to run two daemon (service) freeradius on the same pc in order to
> have one who plays proxy freeradius and the second who plays primary
> freeradius ?
> is it possible ? if yes , how ?
> thanks
Re: Proxy reply and attr_filter
Hi,

I have figured out what the real problem was. Actually attr_filter does not consider all the other a/v pairs from the proxy request and just builds a new proxy reply containing only the tunnel attributes I have set in the attrs file.

Now the question arises whether it is possible to let attr_filter add the required a/v pairs while keeping the a/v pairs that came in the proxy reply (meaning just the addition of the Tunnel a/v pairs to the proxy reply). If possible, how?

Regards,
Raza.

Cool Man <[EMAIL PROTECTED]> wrote:

> Hi,
> I am trying to assign different VLANs based on realms.
> I use rlm_attr_filter and attrs file to accomplish
> this. I have done the following setting in attrs file
>
> labtest.de
> Tunnel-Type:1 := VLAN
> Tunnel-Medium-Type:1 := IEEE-802
> Tunnel-Private-Group-Id:1 := "labtest"
>
> it works perfectly and I receive access accept from
> radius server
> with following message sent to my NAS
>
> rad_check_password: Auth-Type = Accept, accepting the
> user
> Sending Access-Accept of id 22 to 129.69.1.50:1812
> Tunnel-Type:1 := VLAN
> Tunnel-Medium-Type:1 := IEEE-802
> Tunnel-Private-Group-Id:1 := "labtest"
>
> but the NAS which is cisco Catalyst 2970 switch
> doesn't open the port. Additionally It doesn't
> understand the Tunnel attributes.
>
> But when I try for a local user defined in users file
>
> testuser User-Password =="test"
> Tunnel-Type:1 = VLAN,
> Tunnel-Medium-Type:1 =IEEE-802,
> Tunnel-Private-Group-Id:1 = labtest
>
> I see this message in radius debug mode
>
> Sending Access-Accept of id 29 to 129.69.1.50:1812
> Tunnel-Type:1 = VLAN
> Tunnel-Medium-Type:1 = IEEE-802
> Tunnel-Private-Group-Id:1 = "labtest"
> MS-MPPE-Recv-Key =
> 0x82d2b417e4803da1402b6b6e09ea33d9a17e7831ab9f4e72168f71e35948c625
> MS-MPPE-Send-Key =
> 0x0f4e0d86d24e2ae90704293d7f1d4e780e5d7fd506339548117e239582d2e91f
> EAP-Message = 0x03060004
> Message-Authenticator =
> 0x
> User-Name = "testuser"
>
> now the only difference I see when Tunnel attributes
> are passed to NAS is the operators ":=" for realm and
> "=" for local user.
>
> Can any body suggest that what is wrong with my
> settings to make attr_filter work fine with post proxy
> or I have done something wrong in my settings.
> I will be very thankful.
>
> Regards,
> Raza.
Re: Problems using Freeradius with PEAP authentication (fwd)
Paulo Alexandre Caceres Ferreira <[EMAIL PROTECTED]> wrote:
> radiusd: relocation error: /usr/local/lib/rlm_eap_tls-1.0.1.so: undefined
> symbol: SSL_set_msg_callback

You are using an old version of OpenSSL. Use a newer version.

Alan DeKok.
Re: exclude certain IP address in the IP Pool
Lara Adianto <[EMAIL PROTECTED]> wrote:
> I'm wondering whether we can exclude certain IP
> addresses from an IP POOL to be assigned to the client

No, sorry.

Alan DeKok.
Re: Login-Time Attribute
Lara Adianto <[EMAIL PROTECTED]> wrote:
> Does it mean FreeRadius read the Login-Time attribute in users file,
> then calculate the time left based on current time and set the value
> in the session-timeout attribute ?

Yes, that's what the text says.

> If that's the case what happens if the users file contains both
> login-time attribute and session-timeout attribute ?

The smaller value is used.

> I read somewhere that login-time is an RFC defined attribute...which
> RFC defines it ? I can't find any info on the net

It's not an RFC attribute.

Alan DeKok.
ascend-data-filter info not returned with radtest?
I'm attempting to do a global dial-up solution and they're requiring me to use the ascend-data-filter to open up outbound port 25. Simple enough.

I've configured my users file to include the attributes they provided and it seems to be accepting the data. However when I query the radius with radtest it returns odd results. In my users file I have four ADF lines, but only three are returned after the query. Also, some of the lines that are returned contain a trailing 0. I'm new to this "abinary" type so I'm not sure if this is expected behaviour or not.

-- users --

bakers User-Password = "passwd"
    Fall-Through = Yes

DEFAULT
    X-Ascend-Data-Filter += "ip in forward tcp est",
    X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
    X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
    X-Ascend-Data-Filter += "ip in forward",
    Simultaneous-Use = 1,
    Session-Timeout = 28800,
    Idle-Timeout = 3600,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Propel-Accelerate = 0,
    Framed-MTU = 576

-- radtest output --
[EMAIL PROTECTED] ~]# !radte
radtest bakers scottb localhost 10 localhost
Sending Access-Request of id 128 to 127.0.0.1:1812
    User-Name = "bakers"
    User-Password = "scottb"
    NAS-IP-Address = snikt
    NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=128, length=170
    X-Ascend-Data-Filter = "ip in forward tcp est"
    X-Ascend-Data-Filter = "ip in forward dstip 65.182.224.0/26 0"
    X-Ascend-Data-Filter = "ip in forward 0"
    Session-Timeout = 28800
    Idle-Timeout = 3600
    Framed-Compression = Van-Jacobson-TCP-IP
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Propel-Accelerate = 0
    Framed-MTU = 576

--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253
Custom attributes in dictionary...
This one is a bit above my head. I'm trying to set up acceleration and our vendor has advised that I need to do the following...

"your radius must be setup with the custom authentication reply. Defining this attribute in your dictionary may vary depending on your radius software. The attribute is:

VENDORATTR 7000 Slipstream-Auth 1 string

The value must be set as true"

How would I set that up in Freeradius... would I create a dictionary.slipstream containing the following???

VENDOR          slipstream      7000
BEGIN-VENDOR    slipstream
ATTRIBUTE       Slipstream-Auth 1       string
END-VENDOR      slipstream

then add a "Slipstream-Auth = false" in the main "default" section of users so it is off by default, and then turn it on thusly in the users file for the users in the slipstream group?

DEFAULT Group == "slipstream"
    Slipstream-Auth = true,
    Fall-Through = 1

Thanks much for any pointers!

Cheers,
> Mike <
802.1x+wet11+ethertype Unknown
Hi!

I have configured my wlan in this way:

ethernet card --> access point client --> Authenticator --> Freeradius Server 1.0.0-1

I am trying to validate with EAP-TLS, but the requests never reach the server. When I sniff on the client side (Windows 2000) with windump, I have the following:

15:46:50.969958 00:02:6f:22:17:da > 00:11:11:12:b4:41, ethertype Unknown (0x888e), length 60:
    0x: 0100 0005 011e 0005 0100
    0x0010:
    0x0020: ..
15:47:20.969826 00:02:6f:22:17:da > 00:11:11:12:b4:41, ethertype Unknown (0x888e), length 60:
    0x: 0100 0005 011f 0005 0100
    0x0010:
    0x0020: ..
15:47:20.970572 00:02:6f:22:17:da > 00:11:11:12:b4:41, ethertype Unknown (0x888e), length 60:
    0x: 0100 0005 011f 0005 0100
    0x0010:
    0x0020: ..
15:47:20.980317 00:11:11:12:b4:41 > 01:80:c2:00:00:03, ethertype Unknown (0x888e), length 37:
    0x: 0100 0013 021f 0013 0143 6c69 656e 7465 .Cliente
    0x0010: 2057 6879 4e6f 74.WhyNot
15:47:20.980333 00:11:11:12:b4:41 > 01:80:c2:00:00:03, ethertype Unknown (0x888e), length 37:
    0x: 0100 0013 021f 0013 0143 6c69 656e 7465 .Cliente
    0x0010: 2057 6879 4e6f 74.WhyNot
15:47:20.981143 00:11:11:12:b4:41 > 01:80:c2:00:00:03, ethertype Unknown (0x888e), length 37:
    0x: 0100 0013 021f 0013 0143 6c69 656e 7465 .Cliente
    0x0010: 2057 6879 4e6f 74.WhyNot
15:47:20.981150 00:11:11:12:b4:41 > 01:80:c2:00:00:03, ethertype Unknown (0x888e), length 37:
    0x: 0100 0013 021f 0013 0143 6c69 656e 7465 .Cliente
    0x0010: 2057 6879 4e6f 74.WhyNot

Some clarifications:

00:11:11:12:b4:41 is my ethernet card
00:02:6f:22:17:da is the access point (Senao)
The access point client is a LinkSys Wet11
Cliente WhyNot is the name of the client on the certificate

Do you have any idea of what's going on?

Thanks!
Victoria
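Decoding the 0x888e frames from the capture in this post, as an added example that is not part of the original message: ethertype 0x888e is EAPOL (IEEE 802.1X), and the visible payload bytes are an EAP-Request/Identity from the access point and an EAP-Response/Identity from the client. The frames are rebuilt from the hex words and MAC addresses shown in the post; the zero padding of the 60-byte frames is an assumption, and all function names are illustrative.

```python
import struct

EAPOL_ETHERTYPE = 0x888E              # IEEE 802.1X, printed as "Unknown" by this windump
PAE_GROUP_ADDR = "01:80:c2:00:00:03"  # 802.1X PAE group address used by the supplicant

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_eap(body: bytes) -> dict:
    """Parse the EAP packet carried in an EAPOL EAP-Packet body."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field does not fit the EAPOL body")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # only Request/Response carry a Type
        eap["type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        if body[4] == 1:                        # Identity: type-data is the name
            eap["identity"] = body[5:length].decode("utf-8", "replace")
    return eap


def parse_frame(frame: bytes) -> dict:
    """Parse Ethernet + EAPOL headers; bytes past the EAPOL length are padding."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    return {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "version": version,
            "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
            "eap": parse_eap(body) if ptype == 0 else None}


def summarize(frames) -> dict:
    """Report which EAP types were seen and whether the exchange got past Identity."""
    methods, identities, finished = set(), [], False
    for raw in frames:
        eap = parse_frame(raw)["eap"]
        if eap is None:
            continue
        if eap["code"] in ("Success", "Failure"):
            finished = True
        if "type" in eap:
            methods.add(eap["type"])
        if eap["code"] == "Response" and eap.get("identity"):
            identities.append(eap["identity"])
    return {"methods": sorted(methods), "identities": identities,
            "stalled_at_identity": methods <= {"Identity"} and not finished}


def build(src: str, dst: str, eapol_hex: str, pad_to: int = 0) -> bytes:
    """Rebuild a frame from the MACs and hex words in the post (constructed input)."""
    frame = (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
             + struct.pack("!H", EAPOL_ETHERTYPE) + bytes.fromhex(eapol_hex))
    return frame.ljust(pad_to, b"\x00")         # assumed zero padding to 60 bytes


AP, SUPPLICANT = "00:02:6f:22:17:da", "00:11:11:12:b4:41"
CAPTURE = [
    build(AP, SUPPLICANT, "0100 0005 011e 0005 0100", pad_to=60),
    build(AP, SUPPLICANT, "0100 0005 011f 0005 0100", pad_to=60),
    build(SUPPLICANT, PAE_GROUP_ADDR,
          "0100 0013 021f 0013 0143 6c69 656e 7465 2057 6879 4e6f 74"),
]

if __name__ == "__main__":
    for raw in CAPTURE:
        print(parse_frame(raw))
    print(summarize(CAPTURE))
```

The summary shows only Identity packets and no EAP-TLS (type 13) request, which is consistent with the poster's statement that the requests never reach the server.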
Re: ascend-data-filter info not returned with radtest?
On Tue, 18 Jan 2005, Scott Baker wrote:

> I'm attempting to do a global dial-up solution and they're requiring me to
> use the ascend-data-filter to open up outbound port 25. Simple enough.
>
> I've configured my users file to include the attributes they provided and
> it seems to be accepting the data. However when I query the radius with
> radtest it returns odd results. In my users file I have four ADF lines, but
> only three are returned after the query. Also, some of the lines that are
> returned contain a trailing 0. I'm new to this "abinary" type so I'm not
> sure if this is expected behaviour or not.
>
> -- users --
>
> bakers User-Password = "passwd"
>     Fall-Through = Yes
>
> DEFAULT
>     X-Ascend-Data-Filter += "ip in forward tcp est",
>     X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
>     X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
>     X-Ascend-Data-Filter += "ip in forward",
>     Simultaneous-Use = 1,
>     Session-Timeout = 28800,
>     Idle-Timeout = 3600,
>     Framed-Compression = Van-Jacobson-TCP-IP,
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>     Propel-Accelerate = 0,
>     Framed-MTU = 576
>
> -- radtest output --
> [EMAIL PROTECTED] ~]# !radte
> radtest bakers scottb localhost 10 localhost
> Sending Access-Request of id 128 to 127.0.0.1:1812
>     User-Name = "bakers"
>     User-Password = "scottb"
>     NAS-IP-Address = snikt
>     NAS-Port = 10
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=128, length=170
>     X-Ascend-Data-Filter = "ip in forward tcp est"
>     X-Ascend-Data-Filter = "ip in forward dstip 65.182.224.0/26 0"
>     X-Ascend-Data-Filter = "ip in forward 0"
>     Session-Timeout = 28800
>     Idle-Timeout = 3600
>     Framed-Compression = Van-Jacobson-TCP-IP
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Propel-Accelerate = 0
>     Framed-MTU = 576

Have you tried running freeradius in debug mode to see what the server is spitting out as well? Is it possible that a few of the attributes you are trying to send are not defined in the dictionary file and the radius server is ignoring those statements?

-j
Expiration pb
Hi all,

I've well read the doc/rlm_expiration and I applied it but it doesn't work anymore...

So why could I solve it ?

I tried all of those syntaxes :

Expiration := 2004-01-01
Expiration := 01-01-2004
Expiration := 1 Jan 2004
Expiration := 1 January 2004

Anyone ? Any idea ?
Re: Expiration pb
On Tue, 18 Jan 2005, EROS wrote:

> Hi all,
>
> I've well read the doc/rlm_expiration and I applied it but it doesn't
> work anymore...
>
> So why could I solve it ?
>
> I tried all of those syntaxes :
>
> Expiration := 2004-01-01
> Expiration := 01-01-2004
> Expiration := 1 Jan 2004
> Expiration := 1 January 2004

You don't use double quotes. Try

Expiration := "1 Jan 2004"

also run the server in debug mode to see exactly what happens.

> Anyone ? Any idea ?

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Custom attributes in dictionary...
"Mike Cisar" <[EMAIL PROTECTED]> wrote:
> How would I set that up in Freeradius... would I create a
> dictionary.slipstream containing the following???
>
> VENDOR          slipstream      7000
> BEGIN-VENDOR    slipstream
> ATTRIBUTE       Slipstream-Auth 1       string
> END-VENDOR      slipstream

Pretty much, yes.

> then add a "Slipstream-Auth = false" in the main "default" section of users
> so it is off by default, and then turn it on thusly in the users file for
> the users in the slipstream group?
>
> DEFAULT Group == "slipstream"
>     Slipstream-Auth = true,
>     Fall-Through = 1

You have to define what "true" is. Or, just do "Slipstream-Auth = 1"

Alan DeKok.
Re: ascend-data-filter info not returned with radtest?
It's only one attribute "X-Ascend-Data-Filter" and it's defined just fine. I turned on debugging mode and this is what I get. It doesn't really tell me what I didn't already know. There has to be some configuration error in my users file? I'm just not sure where to start looking.

**
rad_recv: Access-Request packet from host 127.0.0.1:41445, id=13, length=58
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
    User-Name = "bakers"
    User-Password = "scottb"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 10
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "bakers", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched bakers at 1
users: Matched DEFAULT at 4
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 13 to 127.0.0.1:41445
    X-Ascend-Data-Filter += "ip in forward tcp est"
    X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26 0"
    X-Ascend-Data-Filter += "ip in forward 0"
    Session-Timeout = 28800
    Idle-Timeout = 3600
    Framed-Compression = Van-Jacobson-TCP-IP
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Propel-Accelerate = 0
    Framed-MTU = 576
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request

James Feger wrote:

> On Tue, 18 Jan 2005, Scott Baker wrote:
>
> > I'm attempting to do a global dial-up solution and they're requiring
> > me to use the ascend-data-filter to open up outbound port 25. Simple
> > enough.
> >
> > I've configured my users file to include the attributes they provided
> > and it seems to be accepting the data. However when I query the radius
> > with radtest it returns odd results. In my users file I have four ADF
> > lines, but only three are returned after the query. Also, some of the
> > lines that are returned contain a trailing 0. I'm new to this
> > "abinary" type so I'm not sure if this is expected behaviour or not.
> >
> > -- users --
> >
> > bakers User-Password = "passwd"
> >     Fall-Through = Yes
> >
> > DEFAULT
> >     X-Ascend-Data-Filter += "ip in forward tcp est",
> >     X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
> >     X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
> >     X-Ascend-Data-Filter += "ip in forward",
> >     Simultaneous-Use = 1,
> >     Session-Timeout = 28800,
> >     Idle-Timeout = 3600,
> >     Framed-Compression = Van-Jacobson-TCP-IP,
> >     Service-Type = Framed-User,
> >     Framed-Protocol = PPP,
> >     Propel-Accelerate = 0,
> >     Framed-MTU = 576
> >
> > -- radtest output --
> > [EMAIL PROTECTED] ~]# !radte
> > radtest bakers scottb localhost 10 localhost
> > Sending Access-Request of id 128 to 127.0.0.1:1812
> >     User-Name = "bakers"
> >     User-Password = "scottb"
> >     NAS-IP-Address = snikt
> >     NAS-Port = 10
> > rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=128,
> > length=170
> >     X-Ascend-Data-Filter = "ip in forward tcp est"
> >     X-Ascend-Data-Filter = "ip in forward dstip 65.182.224.0/26 0"
> >     X-Ascend-Data-Filter = "ip in forward 0"
> >     Session-Timeout = 28800
> >     Idle-Timeout = 3600
> >     Framed-Compression = Van-Jacobson-TCP-IP
> >     Service-Type = Framed-User
> >     Framed-Protocol = PPP
> >     Propel-Accelerate = 0
> >     Framed-MTU = 576
>
> Have you tried running freeradius in debug mode to see what the server is
> spitting out as well? Is it possible that a few of the attributes you are
> trying to send are not defined in the dictionary file and the radius
> server is ignoring those statements?
>
> -j

--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253
RE: ascend-data-filter info not returned with radtest?
You need a space in the destination port value line.

i.e.

>>X-Ascend-Data-Filter += "ip in forward tcp est",
>>X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
>>X-Ascend-Data-Filter += "ip in drop tcp dstport = 25",
>>X-Ascend-Data-Filter += "ip in forward",

instead of...

>>X-Ascend-Data-Filter += "ip in forward tcp est",
>>X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
>>X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
>>X-Ascend-Data-Filter += "ip in forward",

Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott Baker
Sent: Tuesday, January 18, 2005 4:21 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: ascend-data-filter info not returned with radtest?

It's only one attribute "X-Ascend-Data-Filter" and it's defined just fine. I turned on debugging mode and this is what I get. It doesn't really tell me what I didn't already know. There has to be some configuration error in my users file? I'm just not sure where to start looking.

**
rad_recv: Access-Request packet from host 127.0.0.1:41445, id=13, length=58
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
    User-Name = "bakers"
    User-Password = "scottb"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 10
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "bakers", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched bakers at 1
users: Matched DEFAULT at 4
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 13 to 127.0.0.1:41445
    X-Ascend-Data-Filter += "ip in forward tcp est"
    X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26 0"
    X-Ascend-Data-Filter += "ip in forward 0"
    Session-Timeout = 28800
    Idle-Timeout = 3600
    Framed-Compression = Van-Jacobson-TCP-IP
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Propel-Accelerate = 0
    Framed-MTU = 576
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request

James Feger wrote:

> On Tue, 18 Jan 2005, Scott Baker wrote:
>
>> I'm attempting to do a global dial-up solution and they're requiring
>> me to use the ascend-data-filter to open up outbound port 25. Simple
>> enough.
>>
>> I've configured my users file to include the attributes they provided
>> and it seems to be accepting the data. However when I query the radius
>> with radtest it returns odd results. In my users file I have four ADF
>> lines, but only three are returned after the query. Also, some of the
>> lines that are returned contain a trailing 0. I'm new to this
>> "abinary" type so I'm not sure if this is expected behaviour or not.
>>
>> -- users --
>>
>> bakers User-Password = "passwd"
>>Fall-Through = Yes
>>
>> DEFAULT
>>X-Ascend-Data-Filter += "ip in forward tcp est",
>>X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
>>X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
>>X-Ascend-Data-Filter += "ip in forward",
>>Simultaneous-Use = 1,
>>Session-Timeout = 28800,
>>Idle-Timeout = 3600,
>>Framed-Compression = Van-Jacobson-TCP-IP,
>>Service-Type = Framed-User,
>>Framed-Protocol = PPP,
>>Propel-Accelerate = 0,
>>Framed-MTU = 576
>>
>> -- radtest output --
>> [EMAIL PROTECTED] ~]# !radte
>> radtest bakers scottb localhost 10 localhost
>> Sending Access-Request of id 128 to 127.0.0.1:1812
>>User-Name = "bakers"
>>User-Password = "scottb"
>>NAS-IP-Address = snikt
>>NAS-Port = 10
>> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=128,
>> length=170
>>X-Ascend-Data-Filter = "ip in forward tcp est"
>>X-Ascend-Data-Filter = "ip in forward dstip 65.182.224.0/26 0"
>>X-Ascend-Data-Filter = "ip in forward 0"
>>Session-Timeout = 28800
>>Idle-Timeout = 3600
>>Framed-Compression = Van-Jacobson-TCP-IP
>>Service-Type = Framed-User
>>
RE : Expiration pb
Yep I have tried this with and without "" and this is the same

In debug mode I don't see some expiration lines in log

I've compiled freeradius with experimental modules...

Is this something to do in some *.conf files ?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Kostas Kalevras
Sent: Tuesday, 18 January 2005 21:16
To: freeradius-users@lists.freeradius.org
Subject: Re: Expiration pb

On Tue, 18 Jan 2005, EROS wrote:

> Hi all,
>
> I've well read the doc/rlm_expiration and I applied it but it doesn't
> work anymore...
>
> So why could I solve it ?
>
> I tried all of those syntaxes :
>
> Expiration := 2004-01-01
> Expiration := 01-01-2004
> Expiration := 1 Jan 2004
> Expiration := 1 January 2004

You don't use double quotes. Try

Expiration := "1 Jan 2004"

also run the server in debug mode to see exactly what happens.

> Anyone ? Any idea ?

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: ascend-data-filter info not returned with radtest?
Excellent! It's returning all the data I expected now! I'm still getting that trailing 0 on the "ip in forward dstip" and "ip in forward."

Is that normal? Some fluke in radtest?

-
[EMAIL PROTECTED] ~]$ radtest bakers scottb localhost 10 localhost
Sending Access-Request of id 93 to 127.0.0.1:1812
        User-Name = "bakers"
        User-Password = "scottb"
        NAS-IP-Address = snikt
        NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=93, length=204
        X-Ascend-Data-Filter = "ip in forward tcp est"
        X-Ascend-Data-Filter = "ip in forward dstip 65.182.224.0/26 0"
        X-Ascend-Data-Filter = "ip in drop tcp dstport = 25"
        X-Ascend-Data-Filter = "ip in forward 0"
        Session-Timeout = 28800
        Idle-Timeout = 3600
        Framed-Compression = Van-Jacobson-TCP-IP
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Propel-Accelerate = 0
        Framed-MTU = 576

Brian Fennimore wrote:
> You need a space in the destination port value line.
>
> i.e.
>
> X-Ascend-Data-Filter += "ip in forward tcp est",
> X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
> X-Ascend-Data-Filter += "ip in drop tcp dstport = 25",
> X-Ascend-Data-Filter += "ip in forward",
>
> instead of...
>
> X-Ascend-Data-Filter += "ip in forward tcp est",
> X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
> X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
> X-Ascend-Data-Filter += "ip in forward",
>
> Brian
Acct-Status-Type = 15
hello,

I have a NAS which sends an accounting request with Acct-Status-Type = 15 and the sql module says:
"rlm_sql (sql): Unsupported Acct-Status-Type = 15"

is it possible to send this type of requests to the sql server ?

thanks
Razvan Radu
radtest only works from localhost
I am having problems authenticating to my freeradius server remotely. Here is my current configuration:

SuSE 9.1 default rpm-based install and then an upgrade through YOU to freeradius-0.9.3-106.6

Files modified:

/etc/raddb/radiusd.conf:
Around line 720:
        ldap {
#               server = "ldap.your.domain"
                server = "127.0.0.1"
#               identity = "cn=admin,o=My Org,c=UA"
#               password = mypass
#               basedn = "o=My Org,c=UA"
                basedn = "ou=Users,dc=mydomain,dc=com"
#               filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                filter = "(objectClass=posixAccount)(uid=%u)"

In the authorize section around line 1448 uncommented:
        ldap

Around line 1511 uncommented:
        Auth-Type LDAP {
                ldap
        }

/etc/raddb/users:
Around line 152:
#DEFAULT Auth-Type = System
DEFAULT Auth-Type = LDAP

The server is on 192.168.0.2 and my external client is on 192.168.0.3. All system-based firewalls are shutdown.

Client is SuSE 9.2 with these packages:
freeradius-1.0.0-5
radiusclient-0.3.2-142

The /etc/raddb/clients.conf is (with comments removed):

client 127.0.0.1 {
        secret = test
        shortname = localhost
        nastype = other
}
client 192.168.0.2 {
        secret = test
        shortname = mail
        nastype = other
}
client 192.168.0.3 {
        secret = test
        shortname = suse
        nastype = other
}

The 192.168.0.3 entry was created with vi by utilizing 5yy and then a p so there are no hidden characters in the secret line.

When running radtest from the server itself the following commands succeed:

radtest myuser secret localhost:1812 10 test
radtest myuser secret 127.0.0.1:1812 10 test
radtest myuser secret 192.168.0.2:1812 10 test

When running radtest from the 192.168.0.3 client the following command fails:

radtest myuser secret 192.168.0.2 10 test

Here are the obvious errors:

From the server:

Ready to process requests.
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.3:1024, id=244, length=61
        User-Name = "myuser"
        User-Password = "A\317\324\013\367G\325Rbf\342'?n~\246"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "myuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myuser
radius_xlat: '(objectClass=posixAccount)(uid=myuser)'
radius_xlat: 'ou=Users,dc=mydomain,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as / to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Users,dc=mydomain,dc=com, with filter (objectClass=posixAccount)(uid=myuser)
rlm_ldap: checking if remote access for myuser is allowed by dialupAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user myuser authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myuser" with password "Aï?ïïbfï?n~"
rlm_ldap: user DN: uid=myuser,ou=Users,dc=mydomain,dc=com
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=myuser,ou=Users,dc=mydomain,dc=com/Aï?ïïbfï?n~ to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
  modcall[authenticate]: module "ldap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 244 to 192.168.221.125:1024
Waking up in 4 seconds...

From the client:

Sending Access-Request of id 244 to 192.168.0.2:1812
        User-Name = "myuser"
        User-Password = "secret"
        N
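The server log above warns about unprintable characters in the password and points at the shared secret. As an added illustration (not code from this thread or from FreeRADIUS), the following implements the User-Password hiding of RFC 2865 section 5.2 and shows that decoding with a different secret produces bytes of the kind seen in that log; the request authenticator, the mismatched secret and the printable-character heuristic are constructed for the example.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator instead."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream, derived from the server's copy of the secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def is_printable(data: bytes) -> bool:
    # Assumed heuristic for this example: printable ASCII only.
    return all(32 <= b < 127 for b in data)


# Constructed sample values: a fixed 16-byte Request Authenticator, the
# client secret "test" and password "secret" as used in the radtest calls.
AUTHENTICATOR = bytes(range(16))
HIDDEN = hide_password(b"secret", b"test", AUTHENTICATOR)

if __name__ == "__main__":
    for server_secret in (b"test", b"testing123"):
        clear = reveal_password(HIDDEN, server_secret, AUTHENTICATOR)
        print(server_secret, "->", clear, "printable" if is_printable(clear) else "UNPRINTABLE")
```

The server cannot tell a wrong secret from a wrong password cryptographically; all it sees is the decoded bytes, which is why the warning is phrased as a hint.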
Re: Autz-Type, auth without passwords
On Mon, 17 Jan 2005, Robert Tarrall wrote:

> HOWEVER - we're now accepting everyone, even when the authorize module
> returns notfound. That's not what we want.
>
> From radiusd.conf:
>
> authorize {
>         preprocess
>         suffix
>         autztype ecentralldap {
>                 ecentralldap
>         }
>         autztype exampleldap {
>                 exampleldap
>         }
>         files
> }
> authenticate {
> }
>
> From users:
>
> DEFAULT Realm == "ecentral.com", Autz-Type := ecentralldap, Auth-Type := Accept
>         Fall-Through = Yes
>
> DEFAULT Realm == "example.com", Autz-Type := exampleldap, Auth-Type := Accept
>         Fall-Through = Yes
>
> And from the log:
>
> modcall[authorize]: module "ecentralldap" returns notfound
> modcall: group autztype returns notfound
> rad_check_password: Found Auth-Type Accept
> rad_check_password: Auth-Type = Accept, accepting the user
>
> Is there a way to ensure that Auth-Type is set to 'Accept' ONLY if
> authorize returns 'ok'? Or some other way of accomplishing what I'm
> after?

In recent freeradius versions you can use:

autztype ecentralldap {
        ecentralldap {
                notfound = reject
        }
}

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Simple script to check user authentication from a script.
Many times I wanted a simple script to check a user's password or to see if a radius server is working. The output of radclient and radtest needs to be parsed to figure out what you want to know. The script I put together provides output on stdout for simple command line use, and also uses exit codes so it can easily be used in shell scripts.

---radauth---
#!/bin/sh
#
# radauth
#
# Created by Guy Fraser on Jan 18 2005.
#
# This program is a quick and simple tool used to verify the
# authentication of a user on a radius server.
#
# This program requires four options ;
#  1) radius server
#  2) radius secret for the sending machine and radius server
#  3) username with realm if required
#  4) password
#
# There are three possible responses ;
#  1) If all options are present and correct :
#     "yes" sent to stdout and exit status is 0 {true}.
#  2) If all options are present but something is incorrect :
#     "no" is sent to stdout and exit status is 1 {false}.
#  3) If all options are not present :
#     Usage message is displayed.
#
# Note: the secret and the password are passed as command line
# arguments, so they are visible in the process list while this runs.
#

PREFIX=/usr/local
EXEC_PREFIX=${PREFIX}
BINDIR=${EXEC_PREFIX}/bin

ECHO=/bin/echo
RADCLIENT=$BINDIR/radclient
AWK=/usr/bin/awk
TEST=/bin/test

usage () {
    $ECHO "" >&2
    $ECHO "Authenticate a user on an authorized radius server." >&2
    $ECHO "" >&2
    $ECHO "Usage:" >&2
    $ECHO "radauth radius-server[:port] secret user passwd" >&2
    $ECHO "" >&2
    exit 1
}

if [ $# -ne 4 ]
then
    usage
fi

SERVER=$1
SECRET=$2
UNAME=$3
PASS=$4

# Send one Access-Request with radclient and read the count from the
# "Total approved auths" line of its summary (-s) output.
RES=`$ECHO "User-Name=\"$UNAME\",User-Password=\"$PASS\"" \
    | $RADCLIENT -q -s "$SERVER" auth "$SECRET" 2>&1 \
    | $AWK '/Total approved auths/ {print $4}'`

# RES is quoted so that an empty result (no summary line) is a clean "no".
if $TEST "$RES" = 1 2>/dev/null
then {
    $ECHO yes
    exit 0
}
else {
    $ECHO no
    exit 1
}
fi
---radauth---

Command line use :
--
--everything correct--
$ radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilma
yes

--password is wrong--
$ radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilm
no

--secret is wrong--
$ radauth 127.0.0.1 testing12 [EMAIL PROTECTED] wilma
no

Shell script use :
--
--everything correct--
$ if radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilma \
    >/dev/null 2>&1
  then
    echo Bonus
  else
    echo Busted
  fi
--output--
Bonus

--password is wrong--
$ if radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilm \
    >/dev/null 2>&1
  then
    echo Bonus
  else
    echo Busted
  fi
--output--
Busted

--secret is wrong--
$ if radauth 127.0.0.1 testing12 [EMAIL PROTECTED] wilma \
    >/dev/null 2>&1
  then
    echo Bonus
  else
    echo Busted
  fi
--output--
Busted
---

Feel free to use this or add it to the CVS tree.

Have a nice day
Re: exclude certain IP address in the IP Pool
On Tue, 18 Jan 2005, Lara Adianto wrote:

> Hi,
>
> I'm wondering whether we can exclude certain IP addresses from an IP
> POOL to be assigned to the client ?
> for example, the ippool in radiusd.conf has been defined as following:
> range-start = 192.168.167.90
> range-stop = 192.168.167.100
> This means that IP address between 192.168.167.90 to 192.168.167.100
> can be assigned to a client.
> However, we wish to exclude IP address 192.168.167.94. Can we do so ?

Not really. Patches are welcome

> Thank you,
> lara
>
> =
> Life, you see, is never as good or as bad as one thinks
> - Guy de Maupassant -

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: ascend-data-filter info not returned with radtest?
Scott Baker <[EMAIL PROTECTED]> wrote:
> Excellent! It's returning all the data I expected now! I'm still
> getting that trailing 0 on the "ip in forward dstip" and "ip in
> forward."
>
> Is that normal? Some fluke in radtest?

It's an artifact of printing. It doesn't affect anything.

Alan DeKok.
Re: Acct-Status-Type = 15
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> I have a NAS which sends an accounting request with Acct-Status-Type =
> 15 and the sql module says:
> "rlm_sql (sql): Unsupported Acct-Status-Type = 15"
>
> is it possible to send this type of requests to the sql server ?

It would appear not. What do you want done with those requests?

Alan DeKok.
Re: ascend-data-filter info not returned with radtest?
Excellent. I think I'm good then! Thanks for all the help everyone.

Alan DeKok wrote:
> Scott Baker <[EMAIL PROTECTED]> wrote:
>
>> Excellent! It's returning all the data I expected now! I'm still
>> getting that trailing 0 on the "ip in forward dstip" and "ip in
>> forward."
>>
>> Is that normal? Some fluke in radtest?
>
> It's an artifact of printing. It doesn't affect anything.
>
> Alan DeKok.

--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253
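The fix from this thread, turned into a check (an added example, not code from the thread or from FreeRADIUS): it flags port comparisons written without spaces and lists configured filters that are missing from a radtest reply. In the thread's case the rule that goes missing is the only drop rule, so the filter set returned to the NAS contains forward rules only. Checking srcport and the other comparison operators, and treating a trailing " 0" in radtest output as the printing artifact described above, are assumptions of this example.

```python
import re
from collections import Counter

ADF_RE = re.compile(r'X-Ascend-Data-Filter\s*\+?=\s*"([^"]*)"')
# Generalisation beyond the thread's dstport=25 case (assumption): srcport
# and the other comparison operators are expected to need the same spacing.
PORT_RE = re.compile(r'\b(dstport|srcport)\s*(!=|[<=>])\s*(\S+)')

# Taken from the thread: the users entry as first posted ...
USERS_BEFORE = '''
DEFAULT
    X-Ascend-Data-Filter += "ip in forward tcp est",
    X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
    X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
    X-Ascend-Data-Filter += "ip in forward",
    Session-Timeout = 28800
'''
# ... and the filters radtest printed for it.
REPLY_BEFORE = '''
    X-Ascend-Data-Filter = "ip in forward tcp est"
    X-Ascend-Data-Filter = "ip in forward dstip 65.182.224.0/26 0"
    X-Ascend-Data-Filter = "ip in forward 0"
'''


def adf_values(text):
    """Every X-Ascend-Data-Filter value in users-file or radtest text,
    with runs of whitespace collapsed."""
    return [" ".join(v.split()) for v in ADF_RE.findall(text)]


def lint_filters(users_text):
    """Return (filter, found, wanted) for each port comparison that is not
    written with spaces around the operator, e.g. 'dstport = 25'."""
    findings = []
    for value in adf_values(users_text):
        for m in PORT_RE.finditer(value):
            wanted = f"{m.group(1)} {m.group(2)} {m.group(3)}"
            if m.group(0) != wanted:
                findings.append((value, m.group(0), wanted))
    return findings


def dropped_filters(users_text, reply_text):
    """Filters configured in the users file but absent from the reply."""
    def strip_artifact(value):
        # Assumption: a trailing " 0" is only how the value is printed.
        return value[:-2] if value.endswith(" 0") else value

    sent = Counter(strip_artifact(v) for v in adf_values(reply_text))
    return list((Counter(adf_values(users_text)) - sent).elements())


if __name__ == "__main__":
    for value, found, wanted in lint_filters(USERS_BEFORE):
        print(f'lint: "{value}": write "{wanted}" instead of "{found}"')
    for value in dropped_filters(USERS_BEFORE, REPLY_BEFORE):
        print(f'missing from reply: "{value}"')
```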