RE: RE: Install problems on Solaris 8
[EMAIL PROTECTED] wrote:

> The problem seems to be, again, that even if one adds
> --with-ltdl-lib=/opt/csw/share/libtool/libltdl
> --with-ltdl-include=/opt/csw/share/libtool/libltdl
> "make" does not seem to care about it.

I've found this to be the case with several (if not all) of the --with-BLAH-lib and --with-BLAH-include options.

What I've found today is that in the configure script, where it reads the --with options (around line ~560), if I remove the with_ part of the resulting variable, it does a little better.

-eval "with_${ac_package}='$ac_optarg'" ;;
+eval "${ac_package}='$ac_optarg'" ;;

Not sure if this is an overall solution though, or what else it might break. Still investigating, but Solaris seems to have definite trouble with this. Making this change certainly helped configure find ucd-snmp on my system though...

What I wonder is whether others haven't noticed this because they have all their software installed in the default locations (e.g. "/usr/local"), which is generally explicitly specified during the configure test steps...

Please let me know if you find out anything more...

Regards,
Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
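Review bot: the -eval/+eval change drops the `with_` prefix from the variable every `--with-*` option is stored in, so any later check in the generated configure script of the standard `with_<package>` variable (which is how each option handler tests whether its option was given) no longer sees the option; if it helps for one option it is because the bare name happens to match a variable that handler reads later, not because the option parsing was at fault. Given that the same options are reported elsewhere in this thread to be accepted by configure but missing from the rlm_ldap Makefile, the value is more likely being lost between configure and Make.inc, so compare the option's value in config.log against what lands in Make.inc before keeping this change.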
WG: RE: Install problems on Solaris 8
Thank you. Good point. Anyway, editing is necessary.

Looking more into Make.inc I found a few strange things: freeradius 1.0.1 compiles fine, but pre1.0.2 does not. Especially those libs (libltdl and such) are defined differently in pre1.0.2 compared to 1.0.1 ... and again the only way out seems to be to edit the Makefile. Any suggestions? ... so far I only know the path to libltdl is wrong but have not found a "once for all" working solution.

The problem seems to be, again, that even if one adds
> --with-ltdl-lib=/opt/csw/share/libtool/libltdl
> --with-ltdl-include=/opt/csw/share/libtool/libltdl
"make" does not seem to care about it.

Matthias Rumitz
TC Unix / Networks

ADIVA Computertechnologie GmbH
Norsk-Data-Str. 1
D-61352 Bad Homburg v.d.H.
Fon: +49(0) 61 72 / 48 61 - 0
Fax: +49(0) 61 72 / 48 61 - 700
Web: http://www.adiva.de
eMail: [EMAIL PROTECTED]

This e-mail message may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail.

- Original message -
From: "Mitchell, Michael J" <[EMAIL PROTECTED]>
Date: Tuesday, February 1, 2005 11:38 pm
Subject: RE: Install problems on Solaris 8

> You shouldn't have to edit rlm_ldap.c to get it to compile. The
> problem I had (Solaris 9) was that the configure script did not
> add the path to the ldap headers in the rlm_ldap Makefile, even
> though I had specified --with-rlm-ldap-include-dir=blah to the
> configure script.
>
> If you add the relevant -I and -L flags to the rlm_ldap Makefile,
> it should compile...
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Wednesday, 2 February 2005 6:05 AM
> > To: freeradius-users@lists.freeradius.org
> > Subject: WG: Install problems on Solaris 8
> >
> > somehow two lines did not make it into the doc:
> > ./configure.sh
> > should contain two more entries:
> > --with-ltdl-lib=/opt/csw/share/libtool/libltdl
> > --with-ltdl-include=/opt/csw/share/libtool/libltdl
> >
> > or wherever "find / -name ltdl.*" finds the ".h" file.
> >
> > Matthias Rumitz
> > TC Unix / Networks
> >
> > ADIVA Computertechnologie GmbH
> > Norsk-Data-Str. 1
> > D-61352 Bad Homburg v.d.H.
> > Fon: +49(0) 61 72 / 48 61 - 0
> > Fax: +49(0) 61 72 / 48 61 - 700
> > Web: http://www.adiva.de eMail: [EMAIL PROTECTED]
> >
> > This e-mail message may contain confidential and/or privileged
> > information.
> > If you are not the intended recipient (or have received this
> > e-mail in error) please notify the sender immediately and
> > destroy this e-mail.
> >
> > - Original message -
> > From: <[EMAIL PROTECTED]>
> > Date: Tuesday, February 1, 2005 5:51 pm
> > Subject: WG: Install problems on Solaris 8
> >
> > > Do you know how to compile pre 1.0.2? (I really do have problems!)
> > > Here is how to get 1.0.0 and 1.0.1 to work on Sol 8 / 9.
> > >
> > > Requirements:
> > > gcc, gdbm, gmake, libiconv, openssh, openssl, tcp_wrappers, zlib
> > > pkg_get (for openldap)
> > > /etc/profile or /.profile
> > > PATH=/opt/csw/bin:$PATH
> > > PATH=$PATH:/usr/local/bin:/usr/ccs/bin:/usr/sfw/bin:/usr/openwin/bin
> > > LD_LIBRARY_PATH=/opt/csw/lib:$LD_LIBRARY_PATH:/opt/csw/lib/sasl2
> > > LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib:/usr/local/lib:/usr/local/ssl/lib
> > > LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/openwin/lib
> > > MANPATH=/usr/man:/usr/local/man
> > > export PATH LD_LIBRARY_PATH MANPATH
> > >
> > > Blastwave:
> > > pkg-get
> > > pkgadd -d pkg_get.pkg
> > > If not Solaris9 (/usr/sfw/bin):
> > > wget-i386.bin / wget-sparc.bin
> > > chmod 0755 wget
> > > $PATH: wget, gzip, /opt/csw/bin
> > > URL in /opt/csw/etc/pkg-get.conf
> > >
> > > GPG:
> > > pkg-get install textutils (extra install)
> > > pkg-get install gnupg
> > > gnupg installs: bdb4, bzip2, common, expat, gettext, gsed
> > >                 libiconv, libtool, openldap, openssl,
> > >                 sasl, textutils, zlib
> > >
> > > Key for GPG:
> > > wget http://www.blastwave.org/mirrors.html
> > > gpg --import mirrors.html
> > > pkg-get -U (now without errors)
> > > pkg-get -c (list, see gnupg)
> > >
> > > OpenLDAP:
> > > pkg-get install openldap-2.1.22 (see above, should be installed already)
> > >
> > > Perl:
> > > pkg-get install perl
> > >
> > > LDAP Fix:
> > > ./src
RE: configure script nightmare with ucd-snmp
Ahh brilliant! Didn't find that in my searches! Thanks Kevin!

> This is probably what you're looking for:
> http://lists.freeradius.org/archives/freeradius-users/2004/10/frm00210.html
>
> Kevin Bonner
Re: configure script nightmare with ucd-snmp
On Tuesday 01 February 2005 17:28, Mitchell, Michael J wrote:
> > FreeRADIUS 1.1.0 supports net-snmp in ucd-compatibility mode.
> > If you want to patch 1.0.1 to also support this, I've got
> > patches in the Debian release of FreeRADIUS 1.0.1 which I
> > could split out if you like.
> > I don't recall if they made it into 1.0.2 though.
>
> ooo, if you could easily dig those patches out that would be fantastic!
>
> Thanks again for your help,
> Mike

This is probably what you're looking for:
http://lists.freeradius.org/archives/freeradius-users/2004/10/frm00210.html

Kevin Bonner
Re: Anyone tried using MaxDB?
On Tue, 01 Feb 2005 23:15:01 +0100, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Jorge Cuevas wrote:
> > Has anyone tried to use MaxDB with freeradius?

There was another post from a few days ago mentioning that MaxDB works as-is without any need to change anything. Just recompile after MaxDB is installed.

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: More complex "or" logic within check-attribute processing
Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > It is easy to check multiple values for the same attribute type (e.g.
> > using regexps with "=~") but how can I check if a certain
> > check-attribute has a certain value and then ignore the remaining
> > check-attributes?
> >
> > I've read processing_users_file and thought about using hints and/or
> > huntgroups but this seems not to be the right way.
>
> In the CVS snapshot, rlm_policy. There's a "man" page.

Nice feature - this is very useful in many environments, I would say!

--
Gerald
RE: Install problems on Solaris 8
You shouldn't have to edit rlm_ldap.c to get it to compile. The problem I had (Solaris 9) was that the configure script did not add the path to the ldap headers in the rlm_ldap Makefile, even though I had specified --with-rlm-ldap-include-dir=blah to the configure script.

If you add the relevant -I and -L flags to the rlm_ldap Makefile, it should compile...

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, 2 February 2005 6:05 AM
> To: freeradius-users@lists.freeradius.org
> Subject: WG: Install problems on Solaris 8
>
> somehow two lines did not make it into the doc:
> ./configure.sh
> should contain two more entries:
> --with-ltdl-lib=/opt/csw/share/libtool/libltdl
> --with-ltdl-include=/opt/csw/share/libtool/libltdl
>
> or wherever "find / -name ltdl.*" finds the ".h" file.
>
> Matthias Rumitz
> TC Unix / Networks
>
> ADIVA Computertechnologie GmbH
> Norsk-Data-Str. 1
> D-61352 Bad Homburg v.d.H.
> Fon: +49(0) 61 72 / 48 61 - 0
> Fax: +49(0) 61 72 / 48 61 - 700
> Web: http://www.adiva.de eMail: [EMAIL PROTECTED]
>
> This e-mail message may contain confidential and/or privileged
> information.
> If you are not the intended recipient (or have received this
> e-mail in error) please notify the sender immediately and
> destroy this e-mail.
>
> - Original message -
> From: <[EMAIL PROTECTED]>
> Date: Tuesday, February 1, 2005 5:51 pm
> Subject: WG: Install problems on Solaris 8
>
> > Do you know how to compile pre 1.0.2? (I really do have problems!)
> > Here is how to get 1.0.0 and 1.0.1 to work on Sol 8 / 9.
> >
> > Requirements:
> > gcc, gdbm, gmake, libiconv, openssh, openssl, tcp_wrappers, zlib
> > pkg_get (for openldap)
> > /etc/profile or /.profile
> > PATH=/opt/csw/bin:$PATH
> > PATH=$PATH:/usr/local/bin:/usr/ccs/bin:/usr/sfw/bin:/usr/openwin/bin
> > LD_LIBRARY_PATH=/opt/csw/lib:$LD_LIBRARY_PATH:/opt/csw/lib/sasl2
> > LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib:/usr/local/lib:/usr/local/ssl/lib
> > LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/openwin/lib
> > MANPATH=/usr/man:/usr/local/man
> > export PATH LD_LIBRARY_PATH MANPATH
> >
> > Blastwave:
> > pkg-get
> > pkgadd -d pkg_get.pkg
> > If not Solaris9 (/usr/sfw/bin):
> > wget-i386.bin / wget-sparc.bin
> > chmod 0755 wget
> > $PATH: wget, gzip, /opt/csw/bin
> > URL in /opt/csw/etc/pkg-get.conf
> >
> > GPG:
> > pkg-get install textutils (extra install)
> > pkg-get install gnupg
> > gnupg installs: bdb4, bzip2, common, expat, gettext, gsed
> >                 libiconv, libtool, openldap, openssl,
> >                 sasl, textutils, zlib
> >
> > Key for GPG:
> > wget http://www.blastwave.org/mirrors.html
> > gpg --import mirrors.html
> > pkg-get -U (now without errors)
> > pkg-get -c (list, see gnupg)
> >
> > OpenLDAP:
> > pkg-get install openldap-2.1.22 (see above, should be installed already)
> >
> > Perl:
> > pkg-get install perl
> >
> > LDAP Fix:
> > ./src/modules/rlm_ldap/rlm_ldap.c
> > below #define TIMELIMIT 5
> > /* Adjustments for OpenLDAP */
> > #define LDAP_OPT_SUCCESS            0
> > #define LDAP_OPT_DEBUG_LEVEL        0x5001  /* debug level */
> > #define LDAP_OPT_NETWORK_TIMEOUT    0x5005  /* socket level timeout */
> > #define LDAP_OPT_X_TLS              0x6000
> > #define LDAP_OPT_X_TLS_CACERTFILE   0x6002
> > #define LDAP_OPT_X_TLS_CACERTDIR    0x6003
> > #define LDAP_OPT_X_TLS_CERTFILE     0x6004
> > #define LDAP_OPT_X_TLS_KEYFILE      0x6005
> > #define LDAP_OPT_X_TLS_RANDOM_FILE  0x6009
> > #define LDAP_OPT_X_TLS_HARD         1
> >
> > LTDL Fix:
> > ./src/modules/rlm_sql/rlm_sql.h
> > ./src/include/modpriv.h
> >
> > LibTool: copied created libtool from 1.0.1 to 1.0.2s:
> > ./libltdl: make seems ok
> > ./ make breaks at rlm_eap
> >
> > Alan DeKok wrote in response to [EMAIL PROTECTED]:
> > There are known problems with 1.0.1 on Solaris.
> > $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
> >
> > $ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r release_1_0 radiusd
> > OR: ftp cvs.freeradius.org anonymous email mget pub/radius/CVS.../*
> > Might work, but does not compile, yet!
> >
> > Compiling:
> > freeradius: cd ./libltdl: ./configure --enable-ltdl-install
> > freeradius: cd ./libltdl: make (produces errors, cause unclear)
> > freeradius: cd ./src: CONFIGURE not necessary (?)
> > freeradius: cd ./src: make
> > freeradius: ./configure.sh
> > # cd ./libltdl
> > # ./configure --enable-ltdl-install
> > # make
> > # cd ../src
> > # make
> > # cd ..
> > ./con
Re: More complex "or" logic within check-attribute processing
Chris Parker wrote:
> On Feb 1, 2005, at 3:58 PM, [EMAIL PROTECTED] wrote:
> > What is the best way to accomplish something like that: (I hope this pseudocode is understandable)
> >
> > If Username == "bob" and Password == "test" and
> >    ( Calling-Station-Id == "123" or NAS-IP-Address == "1.2.3.4" or Another-Check-Attribute == "foo" )
> > Then
> >    Reply-Value = foo ...
> > Else
> >    Reject
>
> 4 Entries in the users file.
>
> bob     Password == "test", Calling-Station-Id == "123"
>         Reply-Items = blah, ..., Fall-Through = no
> bob     Password == "test", NAS-IP-Address == "1.2.3.4"
>         Reply-Items = blah, ..., Fall-Through = no
> bob     Password == "test", Another-Check-Attribute == "foo"
>         Reply-Items = blah, ..., Fall-Through = no
> DEFAULT Auth-Type := Reject

Ah, ok. This makes sense when using a users file. At the moment I use SQL authentication, but because of the missing DEFAULT-record feature I have had the migration to a flat users file in mind for a long time. This is the last kick to get on with it.

Thx Chris!

--
Gerald
RE: configure script nightmare with ucd-snmp
Thanks for the reply Paul!

> The (undocumented, as it happens) --with-snmp-include-dir and
> --with-snmp-lib-dir options should be able to take care of
> having built ucd-snmp in your home directory.

Yep, I tried them... sadly, they don't seem to work for me. I had the same problem with the LDAP module. I'll have to investigate this further when I have more time to find out why our system doesn't seem to like these. For now I added appropriate lines to set the appropriate variables at the top of the configure script.

> However, it doesn't (currently) try libkstat or libscrypto...
> I guess it wouldn't be hard to add another iteration to
> aclocal.m4 to try with libcrypto _and_ libkstat. Is libscrypto
> a typo? I assume you meant libsnmp unless your ucd-snmp

Oops, yep, libscrypto was a typo. Should have been libcrypto.

> Let us know if this works, since it looks like a fairly safe
> change which could make 1.0.2 if you're quick. ^_^

Thanks for the suggestions, I've been using config.log to work out why and where it's failing. Just don't know enough about configure scripts, etc. to know how to fix it properly :) I'll try your suggestions and report back how it goes.

> FreeRADIUS 1.1.0 supports net-snmp in ucd-compatibility mode.
> If you want to patch 1.0.1 to also support this, I've got
> patches in the Debian release of FreeRADIUS 1.0.1 which I
> could split out if you like.
> I don't recall if they made it into 1.0.2 though.

ooo, if you could easily dig those patches out that would be fantastic!

Thanks again for your help,
Mike
Re: Testing and/or monitoring freeradius with PEAP
Bob McCormick <[EMAIL PROTECTED]> wrote:
> I'd love to know that myself. It was my understanding also that
> radeapclient could only do EAP-MD5. I'd desperately love to find a
> command line peap or EAP-TTLS client.

The closest thing is xsupplicant. It should be *possible* to hack it to turn it into a command-line client, but I don't know how much work it is.

Alan DeKok.
Re: More complex "or" logic within check-attribute processing
[EMAIL PROTECTED] wrote:
> It is easy to check multiple values for the same attribute type (e.g.
> using regexps with "=~") but how can I check if a certain
> check-attribute has a certain value and then ignore the remaining
> check-attributes?
>
> I've read processing_users_file and thought about using hints and/or
> huntgroups but this seems not to be the right way.

In the CVS snapshot, rlm_policy. There's a "man" page.

Alan DeKok.
RADIUS+TLS
I have a problem with RADIUS+TLS to access LDAP+TLS. Could someone help me? My test with ldapsearch+tls to access the ldap server+tls is OKAY but the RADIUS+TLS is not okay.

Look at my config in radius:

ldap {
        server = "teste.com"
        identity = "cn=root,dc=com"
        password = teste
        basedn = "ou=users,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        password_attribute = userPassword
        dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
        ldap_cache_timeout = 320
        ldap_cache_size = 0
        ldap_connections_number = 10
        timeout = 3
        timelimit = 5
        net_timeout = 1
        compare_check_items = no
        port = 636
        start_tls = no
        tls_mode = no
        tls_cacertfile = /usr/var/openldap-data/cacert.pem
        tls_certfile = /usr/var/opendalp-data/ldap.client.pem
        tls_keyfile = /usr/var/openldap-data/ldap.client.key.pem
        tls_require_cert = "demand"
}

---

Look at my debug:

        User-Name = "digo"
        CHAP-Password = 0x35a7441d3124adc1718fe869aa81b073e3
        NAS-IP-Address = x.y.z.5
        NAS-Identifier = "UFRJGK"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        CHAP-Challenge = 0x41fd554e
        Framed-IP-Address = x.y.z.8
        Cisco-AVPair = "h323-ivr-out=terminal-alias:"
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anderson
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to xxx.com:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/var/openldap-data/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: setting TLS Cert File to /usr/var/opendalp-data/ldap.client.pem
rlm_ldap: setting TLS Key File to /usr/var/openldap-data/ldap.client.key.pem
rlm_ldap: bind as cn=root,dc=com/xxx.com:636
rlm_ldap: cn=root,dc=com bind to xxx.com:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

---
Re: Anyone tried using MaxDB?
Jorge Cuevas wrote:
> Has anyone tried to use MaxDB with freeradius?

On an older box I have mysql-max-3.23.53a + freeradius up and running and I cannot remember that I had to change anything to get this working.

--
Gerald
Re: Testing and/or monitoring freeradius with PEAP
I'd love to know that myself. It was my understanding also that radeapclient could only do EAP-MD5. I'd desperately love to find a command line peap or EAP-TTLS client.

On Tue, 25 Jan 2005 15:06:33 +0100 (CET), [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Ron Wahler wrote:
> > There is a test tool to send an eap request to the
> > radius Server with a test user.
> > You could send a test authentication
> > off every so often with a script to monitor its status.
>
> Is that "radeapclient" you're referring to?
> Well, I understood how to make it send an EAP-MD5
> request ...
>
> > I've got freeradius setup to authenticate wireless
> > clients with
> > PEAP/MSCHAP (to an Active Directory backend) and now I'm
> > looking for a
> > way to test/monitor the radius server.
>
> ... but how would you get it to do PEAP/something or
> EAP-TTLS/something?
>
> Regards,
> Stefan
check-radiusd-config problem in freeradius-1.0.0 and 1.0.1
freeradius users,

We noticed that as of freeradius-1.0.0, and again in 1.0.1, the check-radiusd-config script is broken. This is because it used the "-p" option of radiusd, which is deprecated and ignored as of freeradius-1.0.0. If you ran check-radiusd-config while radiusd is running (which is the only useful time to run it, otherwise you might as well just attempt to start radiusd), it would report this error:

Ignoring deprecated command-line option -p
Starting - reading configuration files ...
[...]
There appears to be another RADIUS server running on the authentication port 1812

I've attached a modified check-radiusd-config script which fixes this problem and also a diff file suitable for use with patch(1). This patched check-radiusd-config will report the following if it doesn't find errors:

Killed
Radius server configuration looks OK.

Dave

P.S. You can also find these files and an explanation of the change here:
http://net.doit.wisc.edu/~plonka/radiusd/

* check-radiusd-config
  check-radiusd-config_port_fix.diff

This is a replacement and patch for the check-radiusd-config script supplied with freeradius-1.0.0 and freeradius-1.0.1. In freeradius-1.0.0, radiusd's "-p" option (to specify the port number) was removed (or rather ignored) in favor of the "port" configuration directive in radiusd.conf. This broke the check-radiusd-config script which used the "-p" option to temporarily run radiusd on port 32768. This patched version copies the radiusd.conf and therein uses the "port" configuration directive to specify port 32768.

--
[EMAIL PROTECTED]  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI

#! /bin/ksh
#
#  Check the RADIUS server configuration files.
#
#  If everything is OK, this script exits without an error.
#
#  If there was an error parsing the configuration files, this script
#  prints the errors to the screen, and exits with an error.
#
#  This process presumes, of course, that there weren't any DNS
#  problems causing the server to wait forever on startup.
#
#  AUTHOR: Alan DeKok <[EMAIL PROTECTED]>
#          Wed Apr 12 15:21:51 EDT 2000
#
# Used the "port" configuration item in radiusd.conf rather than radiusd's
# "-p" option, which is no longer supported as of freeradius-1.0.0.
# Without apologies, this script requires ksh and perl.  It is a hack on
# a hack, and not worth more effort since a proper configuration file
# checking option for radiusd (such as "-C") would probably be the best
# solution.
# - Dave Plonka , Feb 1, 2005

prefix=/usr/local
exec_prefix=${prefix}
sbindir=${exec_prefix}/sbin
sysconfdir=${prefix}/etc
raddbdir=${sysconfdir}/raddb

if [ "$1" = "-h" ]; then
  echo
  echo Usage: check-radiusd-config
  echo
  echo Checks the radius daemon server configuration for errors.
  exit 0
fi

#
#  Run the server as a background process, picking a high port
#  that (we hope) no one else is using.
#
script=${0##*/}
tmpraddir=/tmp/.${script?}.$$
trap "rm -rf ${tmpraddir?}" EXIT
trap "rm -rf ${tmpraddir?}; exit 1" INT

# duplicate raddbdir to a temporary working directory:
if mkdir ${tmpraddir?} && \
   cp -rp ${raddbdir?} ${tmpraddir?} && \
   cd ${tmpraddir?}
then
   :
else
   exit 1
fi

# since radiusd's "-p" option is no longer supported as of freeradius-1.0.0,
# edit lines that look like "port = n" to test radiusd on port 32768 instead:
perl -pi -e 's/(port\s*=\s*)\d+/${1}32768/' ${raddbdir##*/}/radiusd.conf

$sbindir/radiusd -X -d ${tmpraddir?}/${raddbdir##*/} > startup.log 2>&1 &

#
#  Remember what its process ID was.
#
RADIUSD_PID=$!

#
#  The server will run in the background until it's killed, so
#  we need another background job to kill it, after it's read
#  the configuration files, and is (possibly) running in debug mode.
#
(sleep 2 && kill -9 $RADIUSD_PID) > /dev/null 2>&1 &

#
#  Wait for it to exit with an error (1), or from being killed (137)
#
wait $RADIUSD_PID
RADIUSD_STATUS=$?

#
#  If the server died with an error, then show the startup error log.
#
if test "$RADIUSD_STATUS" = "1"; then
  cat startup.log
  exit 1
fi

echo Radius server configuration looks OK.
exit 0

--- check-radiusd-config2004-08-16 15:05:28-05 1.1 +++ check-radiusd-config2005-02-01 10:15:37-06 1.2 @@ -1,4 +1,4 @@ -#!/bin/sh +#! /bin/ksh # # Check the RADIUS server configuration files. # @@ -13,6 +13,13 @@ # AUTHOR: Alan DeKok <[EMAIL PROTECTED]> # Wed Apr 12 15:21:51 EDT 2000 # +# Used the "port" configuration item in radiusd.conf rather than radiusd's +# "-p" option, which is no longer supported as of freeradius-1.0.0. +# Without apologies, this script requires ksh and perl. It is a hack on +# a hack, and not worth more effort since a proper configuration file +# checking option for radiusd (such as "-C") would probably be the best +# solution. +# - Dave Plonka , Feb 1, 2005 prefix=/usr/local exec_prefix=${prefix} @@ -32,10 +39,28 @@ # Run
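Review bot: the first hunk switches the interpreter from /bin/sh to /bin/ksh, but nothing in the rewritten script actually needs ksh: `${0##*/}`, `${var?}`, `trap ... EXIT` and the `if cmd && cmd; then :; else ...; fi` form are all POSIX sh, so the original `#!/bin/sh` line could stay and the "requires ksh" sentence added in the second hunk's comment block could be reduced to the perl dependency, keeping the script usable on hosts without ksh.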
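Review bot: in the third hunk (cut off on this page; its body is the script posted above) the working copy is created at the predictable path /tmp/.check-radiusd-config.$$ with a plain `mkdir` under the caller's umask, and `cp -rp` then places a complete copy of the server's configuration directory there for the duration of the test; use `mktemp -d` (or at least `mkdir -m 0700`) so another local user can neither pre-create that path nor read the copy. The `perl -pi -e 's/(port\s*=\s*)\d+/${1}32768/'` substitution also rewrites every `port = n` line in radiusd.conf rather than only the listener's; module stanzas in that file carry their own port lines (an ldap section with `port = 636` appears elsewhere in this thread), so the copied config is tested with a different module port than production uses. Restricting the substitution to the top-level, unindented `port` line would keep the test faithful to the real configuration.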
Re: More complex "or" logic within check-attribute processing
On Feb 1, 2005, at 3:58 PM, [EMAIL PROTECTED] wrote:
> What is the best way to accomplish something like that: (I hope this pseudocode is understandable)
>
> If Username == "bob" and Password == "test" and
>    ( Calling-Station-Id == "123" or NAS-IP-Address == "1.2.3.4" or Another-Check-Attribute == "foo" )
> Then
>    Reply-Value = foo ...
> Else
>    Reject

4 Entries in the users file.

bob     Password == "test", Calling-Station-Id == "123"
        Reply-Items = blah, ..., Fall-Through = no
bob     Password == "test", NAS-IP-Address == "1.2.3.4"
        Reply-Items = blah, ..., Fall-Through = no
bob     Password == "test", Another-Check-Attribute == "foo"
        Reply-Items = blah, ..., Fall-Through = no
DEFAULT Auth-Type := Reject

-Chris

--
Chris Parker
Director, Engineering
StarNet A Service of US LEC
(888)212-0099 Fax (847)963-1302
Wholesale Internet Services http://www.megapop.net
VoiceEclipse, The Fresh Alternative http://www.voiceeclipse.com

NOTICE: Message is sent IN CONFIDENCE to addressees. It may contain information that is privileged, proprietary or confidential.
More complex "or" logic within check-attribute processing
What is the best way to accomplish something like that: (I hope this pseudocode is understandable)

If Username == "bob" and Password == "test" and
   ( Calling-Station-Id == "123" or NAS-IP-Address == "1.2.3.4" or Another-Check-Attribute == "foo" )
Then
   Reply-Value = foo ...
Else
   Reject

It is easy to check multiple values for the same attribute type (e.g. using regexps with "=~") but how can I check if a certain check-attribute has a certain value and then ignore the remaining check-attributes?

I've read processing_users_file and thought about using hints and/or huntgroups but this seems not to be the right way.

Maybe someone can adjust my brain a little bit :).

--
Gerald
RE: Huntgroup "GROUP"?
Does this mean...
the client ip has to be 1.2.3.4, if not reject
Or if the client ip is this, reject?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, January 31, 2005 5:14 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Huntgroup "GROUP"?

"Cris Boisvert" <[EMAIL PROTECTED]> wrote:
> Is there a way to do that to keep users from authenticating from other nas's
> Other than adding all the users to the appropriate huntgroup?

user    Client-IP-Address != 1.2.3.4, Auth-Type := Reject
        ...

For multiple NASes, the huntgroups are the simplest way (for now).

Alan DeKok.
Re: Acct-??put-Gigawords
On Feb 1, 2005, at 2:08 PM, Steve Cole wrote:
> It appears that Acct-Output-Gigawords and Acct-Input-Gigawords still don't exist in MySQL and other drivers in Freeradius. Is this accurate? Has anyone got any recommendations for a radius server that supports these without using PostgreSQL (very difficult for me at present)? Really, no 1999->present server should be without this capability and it severely limits the usefulness of freeradius. :(

Any attribute that is defined in the dictionaries can be used in any module. Simply edit your sql table definitions, and update your sql.conf file to include your updated query with the additional attributes and columns. They are not hardcoded in the modules.

-Chris

--
Chris Parker
Director, Engineering
StarNet - A US LEC Company
Wholesale Internet http://www.megapop.net
(847) 963-0116 x321
VoiceEclipse, The Fresh Alternative http://www.voiceeclipse.com
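One way to carry out Chris's suggestion for MySQL, as an added example that is not FreeRADIUS' own schema or sql.conf. It assumes the stock 1.0 MySQL layout (a radacct table with AcctInputOctets and AcctOutputOctets as BIGINT) and the %{Attribute} expansion syntax the shipped accounting queries use; the two Gigawords column names and the trimmed accounting-stop query are this example's own choices, and the real accounting_stop_query in sql.conf sets more columns than shown here.

```sql
-- Added example, not the project's own schema or sql.conf.
-- Assumed: stock FreeRADIUS 1.0 MySQL schema (radacct, BIGINT octet columns)
-- and the %{Attr} / %{Attr:-default} expansions used by the shipped queries.

-- 1. Columns for the high 32 bits. RFC 2869 defines Acct-Input-Gigawords and
--    Acct-Output-Gigawords as the number of times the 32-bit octet counters
--    wrapped, so each needs a 32-bit unsigned column of its own.
ALTER TABLE radacct
    ADD COLUMN AcctInputGigawords  INT UNSIGNED NOT NULL DEFAULT 0 AFTER AcctInputOctets,
    ADD COLUMN AcctOutputGigawords INT UNSIGNED NOT NULL DEFAULT 0 AFTER AcctOutputOctets;

-- 2. Store both halves on Accounting-Stop. In sql.conf this is the body of
--    accounting_stop_query; the :-0 default keeps the UPDATE valid for a NAS
--    that never sends the Gigawords attributes.
UPDATE radacct SET
    AcctStopTime        = '%S',
    AcctSessionTime     = '%{Acct-Session-Time}',
    AcctInputOctets     = '%{Acct-Input-Octets:-0}',
    AcctInputGigawords  = '%{Acct-Input-Gigawords:-0}',
    AcctOutputOctets    = '%{Acct-Output-Octets:-0}',
    AcctOutputGigawords = '%{Acct-Output-Gigawords:-0}',
    AcctTerminateCause  = '%{Acct-Terminate-Cause}'
WHERE AcctSessionId = '%{Acct-Session-Id}'
  AND UserName      = '%{SQL-User-Name}'
  AND NASIPAddress  = '%{NAS-IP-Address}';

-- 3. Real byte counts are Gigawords * 2^32 + Octets. The multiplication is
--    done in BIGINT, so a session that moved more than 4 GiB no longer
--    reports only the low 32 bits when you bill or audit from this table.
SELECT UserName,
       AcctSessionId,
       AcctInputGigawords  * 4294967296 + AcctInputOctets  AS InputBytes,
       AcctOutputGigawords * 4294967296 + AcctOutputOctets AS OutputBytes
FROM radacct
WHERE AcctStopTime IS NOT NULL
ORDER BY OutputBytes DESC
LIMIT 10;
```

Run step 1 once against the accounting database, put the step 2 statement (with the other columns your sql.conf already sets) into accounting_stop_query, and use the step 3 expression wherever octet totals are summed; the same column pair can be added to the accounting_update_query for interim updates in the same way.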
Strange script issues
Hi all,

I am having a strange issue after upgrading my radius servers from 0.9.3 to 1.0.1. I am running on Redhat and as such have the following init.d script:

-----
#!/bin/sh
#
# radiusd	Start the radius daemon.
#
#	This program is free software; you can redistribute it and/or modify
#	it under the terms of the GNU General Public License as published by
#	the Free Software Foundation; either version 2 of the License, or
#	(at your option) any later version.
#
#	This program is distributed in the hope that it will be useful,
#	but WITHOUT ANY WARRANTY; without even the implied warranty of
#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#	GNU General Public License for more details.
#
#	You should have received a copy of the GNU General Public License
#	along with this program; if not, write to the Free Software
#	Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
#	Copyright (C) 2001-2002 The FreeRADIUS Project   http://www.freeradius.org

prefix=/usr/local
exec_prefix=${prefix}
sbindir=${exec_prefix}/sbin
localstatedir=${prefix}/var
logdir=/usr/local/var/log/radius2
rundir=${localstatedir}/run/radiusd
sysconfdir=${prefix}/etc

RADIUSD=$sbindir/radiusd2
RADDBDIR=/usr/local/etc/raddb2
DESC="FreeRADIUS"

#
#  See 'man radiusd' for details on command-line options.
#
ARGS="-d /usr/local/etc/raddb2 -p 1822 -A -y"

test -f $RADIUSD || exit 0
test -f $RADDBDIR/radiusd.conf || exit 0

case "$1" in
  start)
	echo -n "Starting $DESC:"
	$RADIUSD $ARGS
	echo "radiusd2"
	;;
  stop)
	[ -z "$2" ] && echo -n "Stopping $DESC: "
	[ -f $rundir/radiusd2.pid ] && kill -TERM `cat $rundir/radiusd2.pid`
	[ -z "$2" ] && echo "radiusd2."
	;;
  reload|force-reload)
	echo "Reloading $DESC configuration files."
	[ -f $rundir/radiusd2.pid ] && kill -HUP `cat $rundir/radiusd2.pid`
	;;
  restart)
	sh $0 stop quiet
	sleep 3
	sh $0 start
	;;
  *)
	echo "Usage: $0 {start|stop|reload|restart}"
	exit 1
esac

exit 0
-----

The issue is that this script no longer works as it did in the past. When running the script I get the following errors in the log:

Tue Feb  1 13:36:03 2005 : Error: Errors reading dictionary: dict_init: /usr/local/share/freeradius/dictionary.3gpp[29]: invalid type "ipv6addr"
Tue Feb  1 13:36:03 2005 : Error: Errors reading /usr/local/var/log/radius2/radiusd.conf: For more information, please read the tail end of /usr/local/var/log/radius2/radius.log

If I run the radius server from the bash prompt with the following, everything works as expected:

radiusd -d /usr/local/etc/raddb2 -p 1822 -A -y

What am I missing?

Mark Capelle
Acct-??put-Gigawords
It appears that Acct-Output-Gigawords and Acct-Input-Gigawords still don't exist in MySQL and other drivers in Freeradius. Is this accurate? Has anyone got any recommendations for a radius server that supports these without using PostgreSQL (very difficult for me at present)? Really, no 1999->present server should be without this capability and it severely limits the usefulness of freeradius. :(
WG: Install problems on Solaris 8
Somehow two lines did not make it into the doc: ./configure.sh should contain two more entries:

--with-ltdl-lib=/opt/csw/share/libtool/libltdl
--with-ltdl-include=/opt/csw/share/libtool/libltdl

or wherever "find / -name ltdl.*" finds the ".h" file.

Matthias Rumitz
TC Unix / Netzwerke
ADIVA Computertechnologie GmbH
Norsk-Data-Str. 1
D-61352 Bad Homburg v.d.H.
Fon: +49(0) 61 72 / 48 61 - 0
Fax: +49(0) 61 72 / 48 61 - 700
Web: http://www.adiva.de
eMail: [EMAIL PROTECTED]

- Original Message -
From: <[EMAIL PROTECTED]>
Date: Tuesday, February 1, 2005 5:51 pm
Subject: WG: Install problems on Solaris 8

> Do you know how to compile pre 1.0.2? (I really do have problems!)
> Here is how to get 1.0.0 and 1.0.1 to work on Sol 8 / 9.
>
> Requirements:
> gcc, gdbm, gmake, libiconv, openssh, openssl, tcp_wrappers, zlib
> pkg_get (for openldap)
>
> /etc/profile or /.profile
> PATH=/opt/csw/bin:$PATH
> PATH=$PATH:/usr/local/bin:/usr/ccs/bin:/usr/sfw/bin:/usr/openwin/bin
> LD_LIBRARY_PATH=/opt/csw/lib:$LD_LIBRARY_PATH:/opt/csw/lib/sasl2
> LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib:/usr/local/lib:/usr/local/ssl/lib
> LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/openwin/lib
> MANPATH=/usr/man:/usr/local/man
> export PATH LD_LIBRARY_PATH MANPATH
>
> Blastwave:
> pkg-get
> pkgadd -d pkg_get.pkg
> If not Solaris9 (/usr/sfw/bin):
> wget-i386.bin / wget-sparc.bin
> chmod 0755 wget
> $PATH: wget, gzip, /opt/csw/bin
> URL in /opt/csw/etc/pkg-get.conf
>
> GPG:
> pkg-get install textutils (extra install)
> pkg-get install gnupg
> gnupg installs: bdb4, bzip2, common, expat, gettext, gsed
> libiconv, libtool, openldap, openssl,
> sasl, textutils, zlib
>
> Key for GPG:
> wget http://www.blastwave.org/mirrors.html
> gpg --import mirrors.html
> pkg-get -U (now without errors)
> pkg-get -c (list, see gnupg)
>
> OpenLDAP:
> pkg-get install openldap-2.1.22 (see above, should be installed already)
>
> Perl:
> pkg-get install perl
>
> LDAP Fix:
> ./src/modules/rlm_ldap/rlm_ldap.c
> below #define TIMELIMIT 5
> /* adjustments for OpenLDAP */
> #define LDAP_OPT_SUCCESS 0
> #define LDAP_OPT_DEBUG_LEVEL 0x5001 /* debug level */
> #define LDAP_OPT_NETWORK_TIMEOUT 0x5005 /* socket level timeout */
> #define LDAP_OPT_X_TLS 0x6000
> #define LDAP_OPT_X_TLS_CACERTFILE 0x6002
> #define LDAP_OPT_X_TLS_CACERTDIR 0x6003
> #define LDAP_OPT_X_TLS_CERTFILE 0x6004
> #define LDAP_OPT_X_TLS_KEYFILE 0x6005
> #define LDAP_OPT_X_TLS_RANDOM_FILE 0x6009
> #define LDAP_OPT_X_TLS_HARD 1
>
> LTDL Fix:
> ./src/modules/rlm_sql/rlm_sql.h
> ./src/include/modpriv.h
>
> LibTool: copied created libtool from 1.0.1 to 1.0.2s:
> ./libltdl: make seems ok
> ./ make breaks at rlm_eap
>
> Alan DeKok wrote in response to [EMAIL PROTECTED]:
> There are known problems with 1.0.1 on Solaris.
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r release_1_0 radiusd
> OR: ftp cvs.freeradius.org anonymous email mget pub/radius/CVS.../*
> Might work, but does not compile, yet!
>
> Compiling:
> freeradius: cd ./libltdl: ./configure --enable-ltdl-install
> freeradius: cd ./libltdl: make (produces errors, cause unclear)
> freeradius: cd ./src: CONFIGURE not necessary (?)
> freeradius: cd ./src: make
> freeradius: ./configure.sh
> # cd ./libltdl
> # ./configure --enable-ltdl-install
> # make
> # cd ../src
> # make
> # cd ..
> ./configure \
> --without-rlm_krb5 \
> --without-rlm_sql_iodbc --without-rlm_sql_mysql \
> --without-rlm_sql_postgresql \
> --without-rlm_sql_oracle --without-rlm_sql_unixodbc \
> --with-include-dir=/opt/csw/include \
> --with-rlm-sql-include-dir=/opt/csw/include \
> --with-rlm-ldap-include-dir=/opt/csw/include \
> --with-openssl-includes=/usr/local/ssl/include \
> --with-openssl-libraries=/usr/local/ssl/lib > ../conf
Anyone tried using MaxDB?
Has anyone tried to use MaxDB with freeradius? Are the MySQL drivers the same?

Thanks,
-- Jorge
fastuser module
If I am using the fastusers module and I place a new user record in the users_fast file, do I need to execute a SIGHUP in order for the radiusd process to load the modified file? I saw that there was a reload parameter in the fastusers section of the radiusd.conf file.

Chris Price
Information Facilities Technician
Olivet Nazarene University
[EMAIL PROTECTED]
(815)928-5523
Re: CVS 1.0.2 PEAP MSCHAPv2
[EMAIL PROTECTED] wrote:
> We have been unsuccessful in integrating a wireless environment utilizing a
> Windows XP SP2 supplicant, a Cisco 1100 AP, and a freeradius server running
> on Solaris 2.8. Specifically, we have been testing the developmental
> version 1.0.2 after using the CVS snapshot suggested by Alan.

That *should* solve MD4 related problems in 1.0.1.

> The expectation of running the developmental 1.0.2 build was to
> correct the errors we experienced. Is there any way we can assist
> debugging this error efficiently?

Try logging in as a simple user *without* a domain name. If that works, then the problem is the domain name.

The issue is that MSCHAP depends on the "username". For XP, it sends "DOMAIN\username" in the User-Name attribute. The MSCHAP module uses the whole User-Name to calculate MSCHAP data, and decides that the data doesn't match what you sent, so you can't log in.

> rlm_mschap: NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?

Try this suggestion. The rlm_mschap module has the "with_ntdomain_hack" configuration entry for precisely this situation.

Alan DeKok.
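The mismatch Alan describes, as an added example that is not part of the original thread: RFC 2759 computes the MS-CHAPv2 challenge hash over the bare user name, so a server that hashes the full "DOMAIN\username" taken from User-Name derives a different 8-byte challenge than the supplicant did, and the NT-Response can never verify. The 16-byte challenges are constructed values; the user name is the one quoted from the rlm_mschap log later in this thread, and `strip_nt_domain` mirrors what with_ntdomain_hack does (this is an illustration, not rlm_mschap's own code).

```python
import hashlib

# Constructed sample challenges (not from the thread): MS-CHAPv2 carries a
# 16-byte peer challenge and a 16-byte authenticator challenge.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))

# User-Name as a Windows XP supplicant sends it (value taken from the
# rlm_mschap log lines quoted later in this thread).
WIRE_USER_NAME = "EI2F-ENDL1\\Tech_Support"


def strip_nt_domain(user_name: str) -> str:
    """Remove a prepended 'DOMAIN\\' from a User-Name, which is what
    rlm_mschap's with_ntdomain_hack does before computing MS-CHAP data."""
    _domain, sep, user = user_name.rpartition("\\")
    return user if sep else user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the first 8 bytes of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName). The RFC
    requires UserName *without* any prepended domain name."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges must be 16 bytes each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(auth_challenge)
    sha.update(user_name.encode("utf-8"))
    return sha.digest()[:8]


def supplicant_challenge(user_name: str) -> bytes:
    """The 8-byte challenge the Windows supplicant feeds into its NT-Response:
    it uses the bare account name even though it sends DOMAIN\\user on the wire."""
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, strip_nt_domain(user_name))


def server_challenge(user_name_attr: str, with_ntdomain_hack: bool) -> bytes:
    """The 8-byte challenge the server derives from the received User-Name,
    with or without the domain-stripping hack enabled."""
    name = strip_nt_domain(user_name_attr) if with_ntdomain_hack else user_name_attr
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name)


def responses_can_match(user_name_attr: str, with_ntdomain_hack: bool) -> bool:
    """True when both sides derive the same challenge. If they differ, the DES
    responses computed from it differ too, and rlm_mschap logs
    'MS-CHAP2-Response is incorrect' no matter how correct the password is."""
    return server_challenge(user_name_attr, with_ntdomain_hack) == supplicant_challenge(user_name_attr)


if __name__ == "__main__":
    for hack in (False, True):
        print(f"with_ntdomain_hack={'yes' if hack else 'no'}: "
              f"challenges match = {responses_can_match(WIRE_USER_NAME, hack)}")
```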
Re: Freeradius crashing
"Craig Spiers" <[EMAIL PROTECTED]> wrote:
> 0x400ec3e1 in sql_userparse (first_pair=0xbfffc83c, row=0x818ae48,
> querymode=1) at sql.c:370
>
> 370 if (((row[3][0] == '\'') ||

That's bad. I assume that row[3] is NULL. This says to me that the schema you're using is not the schema the SQL module expects.

Also, the module *shouldn't* die, but that's another story.

Alan DeKok.
Re: Access request with no User-Name
Alexander Serkin <[EMAIL PROTECTED]> wrote:
> I need to build a username from CLID + some realm before authentication.
> I.e. if no username - add attribute
> User-Name = "[EMAIL PROTECTED]"
> to the request and authenticate it then.
>
> Please point me out to the appropriate module if it's possible.

If you use the CVS snapshot, then rlm_policy can help you.

Alan DeKok.
Re: Does freeradius support IAPP ?
Madhu Dubey <[EMAIL PROTECTED]> wrote:
> Is IAPP (AP registration in ESS etc.) really supported in Freeradius ?

No. As always, patches are welcome.

Alan DeKok.
Re: Setup apache2 with pam_radius_auth on Debian
Rizwan Khan wrote:
> A user gets authenticated for the first time (just once)
> and then the
> Auth_info(Cookie) is passed on to other files accessed
> under the same
> directory/subdir's as long as the session remains (i.e. browser
> window is
> closed)
>
> I hope your question was answered!!!

Yes, many thanks.

Stefan
WG: Install problems on Solaris 8
Do you know how to compile pre 1.0.2? (I really do have problems!)

Here is how to get 1.0.0 and 1.0.1 to work on Sol 8 / 9.

Requirements:
gcc, gdbm, gmake, libiconv, openssh, openssl, tcp_wrappers, zlib
pkg_get (for openldap)

/etc/profile or /.profile
PATH=/opt/csw/bin:$PATH
PATH=$PATH:/usr/local/bin:/usr/ccs/bin:/usr/sfw/bin:/usr/openwin/bin
LD_LIBRARY_PATH=/opt/csw/lib:$LD_LIBRARY_PATH:/opt/csw/lib/sasl2
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib:/usr/local/lib:/usr/local/ssl/lib
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/openwin/lib
MANPATH=/usr/man:/usr/local/man
export PATH LD_LIBRARY_PATH MANPATH

Blastwave:
pkg-get
pkgadd -d pkg_get.pkg
If not Solaris9 (/usr/sfw/bin):
wget-i386.bin / wget-sparc.bin
chmod 0755 wget
$PATH: wget, gzip, /opt/csw/bin
URL in /opt/csw/etc/pkg-get.conf

GPG:
pkg-get install textutils (extra install)
pkg-get install gnupg
gnupg installs: bdb4, bzip2, common, expat, gettext, gsed
libiconv, libtool, openldap, openssl,
sasl, textutils, zlib

Key for GPG:
wget http://www.blastwave.org/mirrors.html
gpg --import mirrors.html
pkg-get -U (now without errors)
pkg-get -c (list, see gnupg)

OpenLDAP:
pkg-get install openldap-2.1.22 (see above, should be installed already)

Perl:
pkg-get install perl

LDAP Fix:
./src/modules/rlm_ldap/rlm_ldap.c
below #define TIMELIMIT 5
/* adjustments for OpenLDAP */
#define LDAP_OPT_SUCCESS 0
#define LDAP_OPT_DEBUG_LEVEL 0x5001 /* debug level */
#define LDAP_OPT_NETWORK_TIMEOUT 0x5005 /* socket level timeout */
#define LDAP_OPT_X_TLS 0x6000
#define LDAP_OPT_X_TLS_CACERTFILE 0x6002
#define LDAP_OPT_X_TLS_CACERTDIR 0x6003
#define LDAP_OPT_X_TLS_CERTFILE 0x6004
#define LDAP_OPT_X_TLS_KEYFILE 0x6005
#define LDAP_OPT_X_TLS_RANDOM_FILE 0x6009
#define LDAP_OPT_X_TLS_HARD 1

LTDL Fix:
./src/modules/rlm_sql/rlm_sql.h
./src/include/modpriv.h

LibTool: copied created libtool from 1.0.1 to 1.0.2s:
./libltdl: make seems ok
./ make breaks at rlm_eap

Alan DeKok wrote in response to [EMAIL PROTECTED]:
There are known problems with 1.0.1 on Solaris.
$ cvs -d :pserver:[EMAIL PROTECTED]:/source login
$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r release_1_0 radiusd
OR: ftp cvs.freeradius.org anonymous email mget pub/radius/CVS.../*
Might work, but does not compile, yet!

Compiling:
freeradius: cd ./libltdl: ./configure --enable-ltdl-install
freeradius: cd ./libltdl: make (produces errors, cause unclear)
freeradius: cd ./src: CONFIGURE not necessary (?)
freeradius: cd ./src: make
freeradius: ./configure.sh
# cd ./libltdl
# ./configure --enable-ltdl-install
# make
# cd ../src
# make
# cd ..
./configure \
--without-rlm_krb5 \
--without-rlm_sql_iodbc --without-rlm_sql_mysql \
--without-rlm_sql_postgresql \
--without-rlm_sql_oracle --without-rlm_sql_unixodbc \
--with-include-dir=/opt/csw/include \
--with-rlm-sql-include-dir=/opt/csw/include \
--with-rlm-ldap-include-dir=/opt/csw/include \
--with-openssl-includes=/usr/local/ssl/include \
--with-openssl-libraries=/usr/local/ssl/lib > ../config.050118.log
#
# Without LDAP support:
#
# ./configure --without-rlm_ldap \
# --with-openssl-includes=/usr/local/ssl/include \
# --with-openssl-libraries=/usr/local/ssl/lib > config.041203.log
freeradius: make
freeradius: make install
freeradius: vi /usr/local/ssl/misc/CA.pl: #!/opt/csw/bin/perl
freeradius: vi scripts/certs.sh (enter a random string, no " !)
freeradius: scripts/certs.sh (fix syntax error)
freeradius: scripts/CA.certs: PASSWORD = eap.conf (see next line)
/usr/local/etc/raddb/eap.conf: private_key_password

Add user: /usr/local/etc/raddb/users
Configure server: /usr/local/etc/raddb/radiusd.conf
/usr/local/etc/raddb/clients.conf
Configure proxy: /usr/local/etc/raddb/proxy.conf

Start freeradius in debug mode:
/usr/local/sbin/radiusd -sfxxyz -l stdout
/usr/local/sbin/radiusd -X

Test freeradius:
/usr/local/bin/radtest bob bob localhost 0 testing123

After changes: freeradius CTRL-C and restart

MS-Chapv2: EAP-TLS requires certificates
path to openssl and CA.pl
Certificates: /usr/local/radius/certs.sh
cp -r /usr/local/radius/certs /etc/raddb/

Cisco Setup: Express
Re: Setup apache2 with pam_radius_auth on Debian
> Does the setup via PAM also support one-time
> passwords (i.e. when the user has a
> token/chipcard generating new passwords for
> every log-in)?

I haven't tried it using one time passwords, but since mod_auth_radius evolved from the pam_radius_auth module, it should work fine.

> Or do you have to authenticate
> anew for every file (icon/html/picture) that's
> downloaded? mod_auth_radius does some magic
> with cookies to solve that problem ...

A user gets authenticated for the first time (just once) and then the Auth_info(Cookie) is passed on to other files accessed under the same directory/subdir's as long as the session remains (i.e. browser window is closed)

> Regards,
> Stefan

I hope your question was answered!!!

Rizwan
Re: Fail_over mysql again!
When I only connect freeradius to the slave db it works great! Same on only the master db! I think there is a radiusd.conf problem; I find on google more configs, old and very old, but not a working solution. The fail-over document in the radius directory itself is very old, from 2000.

Okay, thank you for the radrelay tip. Is there an example or document for this? And when I use radrelay, is there an option to set only the master db to write sessions on finished sessions? Or does radrelay work only for accounting reading?

Thanks for the help!

Michel

- Original Message -
From: "Dustin Doris" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, February 01, 2005 4:08 PM
Subject: Re: Fail_over mysql again!

> Hello,
>
> I have problems on FC1 freeradius 0.9.3 on failover and mysql db's. I use two
> mysql db's in replication: one master db and one slave db.
> So when the master is down the freeradius server goes on on the second, slave db with
> accounting.
>
> So I think there is a bug in version 0.9.3 or the sql driver/module.
>
> Now I installed two machines FC2 with:
> freeradius-1.0.1-0.FC2 and freeradius-mysql-1.0.1-0.FC2
> But same problems on fail_over on sql1 and sql2. Sql1 is down and the second db,
> sql2, is up.
> Startup is slow and user requests only get a good reply every 240 seconds.
> When I start the first db everything works!!! ?
>
> So can someone send me a good sample or tips how to use fail_over mysql
> on 2 db's? It's only for accounting so users get a reply when the master db
> is down.
>
> Michel

How does it perform when you have it only talking to the slave server? For example, if you just take out the redundancy and setup to only use the slave/failover server for sql? Is it fast then or do you see a similar slow startup and query issues?

Another option, which is what I do, is use radrelay to send the accounting packets to the sql database. That way the radius server just logs to a detail file, which is quick, and the accounting packet is done. Then radrelay constantly tries to send those accounting packets over to our sql server for storage. With that you can afford some downtime on the sql server, because as soon as it comes back up, radrelay will send over all the missed packets. When everything is up, the accounting packets are pretty close to real-time in the sql server. I guess it depends how close to real-time you need in the sql database.

BTW. I'm not saying to stop trying to make failover work, just offering another option to it, if you can't get it to work.

-Dusty
WG: CVS 1.0.2 PEAP MSCHAPv2
Sorry for starting a sidetrack, but you implicitly indicate that you compiled CVS pre 1.0.2 successfully under Solaris, especially the libltdl directory. Well, we tried several pre-1.0.2 and I think several others, too, and it seems many got into the same trouble with libltdl. I think some people would be highly interested to learn what you did to compile it successfully, including libltdl.

Checked your output: If I remember correctly the 1.0.1 failed at decoding the tunnel; this seems to be entirely related to the NT password itself.

> rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
> rlm_mschap: Told to do MS-CHAPv2 for EI2F-ENDL1\Tech_Support with NT-Password
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

--with_ntdomain_hack necessary ?

Matthias Rumitz
TC Unix / Netzwerke
ADIVA Computertechnologie GmbH
Norsk-Data-Str. 1
D-61352 Bad Homburg v.d.H.
Fon: +49(0) 61 72 / 48 61 - 0
Fax: +49(0) 61 72 / 48 61 - 700
Web: http://www.adiva.de
eMail: [EMAIL PROTECTED]

- Original Message -
From: [EMAIL PROTECTED]
Date: Tuesday, February 1, 2005 2:52 pm
Subject: CVS 1.0.2 PEAP MSCHAPv2

--- Begin Message ---

We have been unsuccessful in integrating a wireless environment utilizing a Windows XP SP2 supplicant, a Cisco 1100 AP, and a freeradius server running on Solaris 2.8. Specifically, we have been testing the developmental version 1.0.2 after using the CVS snapshot suggested by Alan. This version was being tested because of initial Windows NT password issues experienced during the rlm_mschap module execution.

The security environment we are using is PEAP/MSCHAPv2 using the root certificate that comes with the freeRadius software. The specific error in MSCHAPv2 has to do with the Windows NT password and is identical to the error we received when using 1.0.1. Alan stated there are known issues using the 1.0.1 release on a Solaris platform. The expectation of running the developmental 1.0.2 build was to correct the errors we experienced. Is there any way we can assist debugging this error efficiently?

In addition, has anyone determined specifically which module receives the NT_Password from the supplicant before it is packaged in the VALUE_PAIR structure? We have been spending time trying to determine the problem and any further assistance would be helpful.

Here is a log output of the latest run.

Thanks
Chris

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: L
Re: Freeradius hangs after a HUP
I was tired of trying to find a quick way to fix this so I ended up basically formatting the box and reinstalling. Everything works fine now. Not sure what the problem was but it's now resolved.

Joe H.

On Fri, 28 Jan 2005, Joe H wrote:

> On Thu, 27 Jan 2005, Alan DeKok wrote:
>
> > Joe H <[EMAIL PROTECTED]> wrote:
> > > I am new to using gdb so if I did something wrong let me know.
> >
> > See doc/bugs
>
> I did read the bugs and it looked like it was only for core files, this
> doesn't generate a core file.
>
> > Type 'bt' in gdb, which will tell you where in the code it's
> > currently executing.
>
> After your suggestion, I ran a bt on the radiusd process before and after
> the restart and both showed:
>
> #0 0x10250654 in __sys_poll () from /usr/lib/libc_r.so.4
> #1 0x1024fb39 in _thread_kern_sched_state_unlock () from /usr/lib/libc_r.so.4
> #2 0x1024f4ee in _thread_kern_scheduler () from /usr/lib/libc_r.so.4
> #3 0x0 in ?? ()
>
> Joe H.
>
> > Alan DeKok.
need help! mod_auth_radius module crash under EAPI
Hi all,

[EMAIL PROTECTED] root]# cd /usr/local/apache/bin
[EMAIL PROTECTED] bin]# ./apachectl start
[Tue Feb 1 23:43:39 2005] [warn] Loaded DSO libexec/mod_auth_radius.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
./apachectl start: httpd started

Consequently, I can't log in to the dialup admin.

from new user,
Siang
Re: Setup apache2 with pam_radius_auth on Debian
Rizwan Khan wrote:
> Thanks Toby, but using mod_auth_radius is not
> an option since it is
> specifically designed for Apache Webserver,
> but we are looking for a
> general way of connecting to any webserver.

Does the setup via PAM also support one-time passwords (i.e. when the user has a token/chipcard generating new passwords for every log-in)? Or do you have to authenticate anew for every file (icon/html/picture) that's downloaded? mod_auth_radius does some magic with cookies to solve that problem ...

Regards,
Stefan
Re: Fail_over mysql again!
> Hello,
>
> I have problems on FC1 freeradius 0.9.3 on failover and mysql db's. I use two
> mysql db's in replication: one master db and one slave db.
> So when the master is down the freeradius server goes on on the second, slave db with
> accounting.
>
> So I think there is a bug in version 0.9.3 or the sql driver/module.
>
> Now I installed two machines FC2 with:
> freeradius-1.0.1-0.FC2 and freeradius-mysql-1.0.1-0.FC2
> But same problems on fail_over on sql1 and sql2. Sql1 is down and the second db,
> sql2, is up.
> Startup is slow and user requests only get a good reply every 240 seconds.
> When I start the first db everything works!!! ?
>
> So can someone send me a good sample or tips how to use fail_over mysql
> on 2 db's? It's only for accounting so users get a reply when the master db
> is down.
>
> Michel

How does it perform when you have it only talking to the slave server? For example, if you just take out the redundancy and setup to only use the slave/failover server for sql? Is it fast then or do you see a similar slow startup and query issues?

Another option, which is what I do, is use radrelay to send the accounting packets to the sql database. That way the radius server just logs to a detail file, which is quick, and the accounting packet is done. Then radrelay constantly tries to send those accounting packets over to our sql server for storage. With that you can afford some downtime on the sql server, because as soon as it comes back up, radrelay will send over all the missed packets. When everything is up, the accounting packets are pretty close to real-time in the sql server. I guess it depends how close to real-time you need in the sql database.

BTW. I'm not saying to stop trying to make failover work, just offering another option to it, if you can't get it to work.

-Dusty
Fail_over mysql again!
Hello,

I have problems on FC1 freeradius 0.9.3 on failover and mysql db's. I use two mysql db's in replication: one master db and one slave db. So when the master is down the freeradius server goes on on the second, slave db with accounting.

So I think there is a bug in version 0.9.3 or the sql driver/module.

Now I installed two machines FC2 with: freeradius-1.0.1-0.FC2 and freeradius-mysql-1.0.1-0.FC2. But same problems on fail_over on sql1 and sql2. Sql1 is down and the second db, sql2, is up. Startup is slow and user requests only get a good reply every 240 seconds. When I start the first db everything works!!! ?

So can someone send me a good sample or tips how to use fail_over mysql on 2 db's? It's only for accounting so users get a reply when the master db is down.

Michel
RE: fedora core 3 "make" error
I agree - I use Fedora Core and had problems compiling it - if you use 'yum' to install the rpm package you should be fine.

Cheers
Mike

From: [EMAIL PROTECTED] on behalf of Cris Boisvert
Sent: Tue 01/02/2005 13:34
To: freeradius-users@lists.freeradius.org
Subject: RE: fedora core 3 "make" error

FYI Fedora core 3 already has an rpm for freeradius; it may be easier than config'ing it yourself..

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sun Shung
Sent: Tuesday, February 01, 2005 4:33 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: fedora core 3 "make" error

Thanks a lot. I already solved the 1st prob but now there is another prob. It's written there:

x99_rlm.c:550: error: label at end of compound statement

Cheers,
sunshung

>From: Sebastian Wild <[EMAIL PROTECTED]>
>Reply-To: freeradius-users@lists.freeradius.org
>To: freeradius-users@lists.freeradius.org
>Subject: Re: fedora core 3 "make" error
>Date: Tue, 01 Feb 2005 09:39:22 +0100
>
>rlm_krb5.c:40:21: com_err.h: No such file or directory
>
>looks like u're missing some header files...
>Did you install all required devel packages?
>
>cheers
>Sebastian
Re: Setup apache2 with pam_radius_auth on Debian
Thanks Toby, but using mod_auth_radius is not an option since it is specifically designed for Apache Webserver, but we are looking for a general way of connecting to any webserver. Anyways, I finally succeeded in making freeradius authenticate properly with apache2. Here goes the correct scenario alongwith the configuration for those curious minds out there. APACHE<-->mod_auth_pam<-->PAM<-->pam_radius_auth<-->RADIUS Supposingly, both Apache and Freeradius are up and running on different machines with user accounts configured with Radius apt-get mod-auth-pam (or compile it on the webserver) Then, add following line to to /etc/apache2/httpd.conf in order to load this module with apache2. (this installs AuthPAM_Enabled support to apache) LoadModule auth_pam_module /usr/lib/apache2/modules/mod_auth_pam.so Make a file at some location in webserver e.g /tmp/radius and add the address of the radius server for apache to locate ipaddress.of.radius.server testing123 3 now to connect the apache pam with radius, add following to /etc/pam.d/apache2 auth required pam_radius_auth.so conf=/tmp/radius debug auth required pam_radius_auth.so conf=/tmp/radius debug (conf tells the location of the file containing the address of the authentication server, while debug will write error logs and syslog) Next, we use .htaccess for authentication since it is a cleaner way to do it. Add the directory information to the main /etc/apache2/apache2.conf file AllowOverride AuthConfig (This tells the Apache server to look for the .htaccess file) Finally, add the following code to .htaccess file in the same protected folder AuthType "basic" AuthName "Radius Authentication" AuthPAM_Enabled on require valid-user P.S. 
It is handy to make use of debugging at all times; the relevant log files are:

/var/log/syslog
/var/log/apache2/error.log

Also, it's good to have the Radius server running in debug mode to know what's happening. You can do this by starting the server with

#freeradius -X

Cheers,
Rizwan
-
God must love crazy people. He created so many of them!!!

On Fri, 28 Jan 2005 10:45:27 -0800, Toby Zimmerer <[EMAIL PROTECTED]> wrote:
> Use mod_auth_radius. That's how I got Apache to talk to RADIUS.
> Mod_auth_PAM doesn't seem to work with the RADIUS package.
>
> >From: Rizwan Khan <[EMAIL PROTECTED]>
> >Reply-To: freeradius-users@lists.freeradius.org
> >To: freeradius-users@lists.freeradius.org
> >Subject: Re: Setup apache2 with pam_radius_auth on Debian
> >Date: Thu, 27 Jan 2005 16:05:51 +0100
> >
> >Thanks Raza,
> >But I tried 'AuthRadiusAuthoritative On' too and it does not recognize
> >this syntax either.
> >My extensive search brought me a new possible scenario, i.e. we need a
> >specific module for Apache2 to talk to PAM and later PAM will talk to
> >freeradius. e.g.
> >
> >APACHE2 <-->mod_auth_pam<-->PAM<-->pam_radius_auth<-->RADIUS
> >
> >is that what should be done...and how (I have been trying to
> >Googlize and test a lot of crap already :-P but no use)???
> >
> >OR, were we right earlier i.e.
> >
> >APACHE2<-->pam_radius_auth<-->RADIUS
> >
> >what configuration is to be used with any one of these to get the
> >authentication running with FreeRadius.
> >Help please ANYONE
> >
> >Regards,
> >Rizwan
> >
> >On Wed, 26 Jan 2005 08:30:34 -0800 (PST), Cool Man
> ><[EMAIL PROTECTED]> wrote:
> > > Hi Rizwan,
> > >
> > > You could replace AuthPAM_Enabled with AuthRadiusAuthoritative and try.
> > >
> > > Regards,
> > > Raza.
> > >
> > > Rizwan Khan <[EMAIL PROTECTED]> wrote:
> > > Hi all,
> > > I am trying to configure the pam_radius_auth module with apache2
> > > on Debian (why not mod_auth_radius, specially made for apache?
> > > because if this works then eventually I plan to set up the PAM module
> > > with the BOA-Webserver used at my company).
> > > I have the Radius server up and running on ServerA and apache running
> > > on the NAS. Then I built the pam_radius_auth module that exists under
> > > /lib/security/. The module works fine with remote console login on the
> > > NAS using remote Radius Auth (/etc/pam.d/login).
> > > Eventually, I created a file /etc/pam.d/httpd for use by the Apache server
> > > on the NAS and added the entry:
> > > auth required pam_radius_auth.so (so that Apache can use
> > > the PAM module)
> > > Then, I added the following entries to /etc/apache2/apache2.conf
> > >
> > > AuthType Basic
> > > AuthName "Radius Authentication"
> > > AuthAuthoritative off
> > > AuthPAM_Enabled on
> > > AuthRadiusCookieValid 5
> > > AuthRadiusActive On
> > > #require valid-user (optional)
> > >
> > > But, when I start the apache server, it gives the following warning:
> > >
> > > Invalid Command 'AuthPAM_Enabled'
> > >
> > > Which means that the command is not recognized and I don't get any
> > > password prompt to access the secure html page!!!
> > > Can anyone kindly tell me the right command set to be added to
> > > apache2.conf
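The last hop of the chain above (pam_radius_auth <--> RADIUS) is a plain RFC 2865 PAP exchange, shown here as an added example; this is not code from the thread, from pam_radius_auth or from FreeRADIUS. The client hides User-Password by XORing it with MD5(shared secret + Request Authenticator), sends the Access-Request, and must check the Response Authenticator of whatever comes back with the same secret. The secret 'testing123' is the one from the config line above; the user name 'alice', password 's3cret' and NAS address 192.0.2.10 are constructed. Since the secret is the only thing protecting the password on the wire and authenticating the server's answer, the file holding it (the /tmp/radius file above) should be root-readable only and the default 'testing123' replaced.

```python
"""Added example: RADIUS PAP Access-Request construction and reply verification
as a PAP client such as pam_radius_auth performs it (RFC 2865). Not code from
the thread or from FreeRADIUS. Constructed inputs: secret 'testing123', user
'alice', password 's3cret', NAS 192.0.2.10."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. Anyone holding the secret and the packet can undo this."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server side of hide_password (and the attacker side, given the secret)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return bytes(out).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value is limited to 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (packet, request_authenticator). The authenticator must be fresh and
    unpredictable per request: it is the only nonce in the password hiding."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    if len(ra) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute list, refusing lengths that would run off the packet."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_reply(code: int, request: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """What a server holding the same secret sends back (no reply attributes):
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request_authenticator + secret).digest()


def response_valid(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check of the Response Authenticator. A NAS that skips it, or
    uses a guessable secret, will accept a forged Access-Accept."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"testing123"
    pkt, ra = build_access_request(1, "alice", "s3cret", secret, "192.0.2.10")
    accept = build_reply(ACCESS_ACCEPT, pkt, ra, secret)
    print(len(pkt), "octet Access-Request; reply authentic:", response_valid(accept, ra, secret))
```

Run it against a real server by sending `pkt` over UDP to port 1812 and feeding the datagram you get back to `response_valid`; with the `testing123` secret in place on both ends the accept verifies, with any other secret it does not, which is the whole point of the shared secret.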
CVS 1.0.2 PEAP MSCHAPv2
We have been unsuccessful in integrating a wireless environment utilizing a Windows XP SP2 supplicant, a Cisco 1100 AP, and a freeradius server running on Solaris 2.8. Specifically, we have been testing the developmental version 1.0.2 after using the CVS snapshot suggested by Alan. This version was being tested because of initial Windows NT password issues experienced during the rlm_mschap module execution.

The security environment we are using is PEAP/MSCHAPv2 using the root certificate that comes with the freeRadius software. The specific error in MSCHAPv2 has to do with the Windows NT password and is identical to the error we received when using 1.0.1. Alan stated there are known issues using the 1.0.1 release on a Solaris platform. The expectation of running the developmental 1.0.2 build was to correct the errors we experienced.

Is there any way we can assist debugging this error efficiently? In addition, has anyone determined specifically which module receives the NT_Password from the supplicant before it is packaged in the VALUE_PAIR structure? We have been spending time trying to determine the problem and any further assistance would be helpful.

Here is a log output of the latest run.

Thanks
Chris

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "%{User-N
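Chris asks which module handles the NT password. Whatever the module, the value it needs is defined by RFC 2759, and the added example below (not code from the thread or from rlm_mschap) computes the two inputs to an MS-CHAPv2 NT-Response: NtPasswordHash, which is MD4 over the UTF-16LE password and is what FreeRADIUS stores as NT-Password, and ChallengeHash, the 8 octets derived from the peer challenge, the authenticator challenge and the user name. MD4 is written out because hashlib on OpenSSL 3 systems often refuses it. Two points a debugging session should keep in mind: NT-Password is password-equivalent, so treat it (and debug output that prints it) like the password itself; and the user name goes into ChallengeHash without any DOMAIN\ prefix, which is the mismatch rlm_mschap's with_ntdomain_hack option (shown as "no" in the log above) exists to correct. The test inputs are the RFC 2759 section 9.2 vectors (UserName "User", Password "clientPass").

```python
"""Added example, not code from the thread or from rlm_mschap: derive the
NT-Password (NtPasswordHash) and the MS-CHAPv2 ChallengeHash per RFC 2759.
MD4 is implemented here because hashlib on OpenSSL 3 systems often refuses it."""
import hashlib
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Present only because NT hashes are MD4; do not reuse it elsewhere."""
    def rol(x, s):
        return ((x << s) | (x >> (32 - s))) & _MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Pad: 0x80, zeros to 56 mod 64, then the bit length as a little-endian u64.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    round3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        # Each step updates one word and rotates the roles (ABCD -> DABC -> ...).
        for i in range(16):
            a, b, c, d = d, rol((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rol((a + h(b, c, d) + x[round3_order[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 8.3): MD4 over the UTF-16LE password. This is the
    NT-Password value rlm_mschap needs (or derives from a cleartext password); it
    is password-equivalent, so store and log it as you would the password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 8.2): first 8 octets of
    SHA1(PeerChallenge | AuthenticatorChallenge | UserName). The user name is
    hashed without a DOMAIN\\ prefix; a Windows supplicant that sends DOMAIN\\user
    in User-Name but hashed only 'user' is what with_ntdomain_hack corrects for."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges are 16 octets")
    user = username.split("\\", 1)[-1]
    return hashlib.sha1(peer_challenge + authenticator_challenge + user.encode()).digest()[:8]


if __name__ == "__main__":
    # RFC 2759 section 9.2 vectors.
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    print("NT-Password:", nt_password_hash("clientPass").hex())
    print("Challenge:  ", challenge_hash(peer, auth, "User").hex())
```

The remaining step of the NT-Response (three DES encryptions of the 8-octet challenge under the 21-octet padded hash) is left out here; the two values above are the ones that have to match between supplicant and server before that step can succeed.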
RE: fedora core 3 "make" error
FYI Fedora core 3 already has an rpm for freeradius; it may be easier than the config'ing yourself..

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sun Shung
Sent: Tuesday, February 01, 2005 4:33 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: fedora core 3 "make" error

Thanks a lot. I already solved the 1st prob but now there is another prob. It's written there:

x99_rlm.c:550: error: label at end of compound statement

Cheers,
sunshung

>From: Sebastian Wild <[EMAIL PROTECTED]>
>Reply-To: freeradius-users@lists.freeradius.org
>To: freeradius-users@lists.freeradius.org
>Subject: Re: fedora core 3 "make" error
>Date: Tue, 01 Feb 2005 09:39:22 +0100
>
>rlm_krb5.c:40:21: com_err.h: No such file or directory
>
>looks like you're missing some header files...
>Did you install all required devel packages?
>
>cheers
>Sebastian
Re: configure script nightmare with ucd-snmp
On Tue, Feb 01, 2005 at 06:59:36PM +1100, Mitchell, Michael J wrote:
> I'm attempting to build freeRADIUS 1.0.1 on Solaris 9 with ucd-snmp
> 4.2.6
> I've been struggling to get the configure script to successfully
> recognise ucd-snmp and thus enable it for compilation in freeradius. I'm
> on Solaris 9, and what I've finally had to do is "hack" the configure
> script where it attempts to detect -lsnmp to include a -L flag to point
> to the location of libscrypto.so, as well as include -lcrypto and
> -lkstat.
> I'm not sure if this is due to the way I've built ucd-snmp, or if it's
> because I've installed ucd-snmp in my home directory rather than the
> default /usr/local, or if it's just a Solaris cc peculiarity...or I'm
> just plain stupid...

The (undocumented, as it happens) --with-snmp-include-dir and --with-snmp-lib-dir options should be able to take care of having built ucd-snmp in your home directory. And the script tries linking against libcrypto if it can't link without. However, it doesn't (currently) try libkstat or libscrypto... I guess it wouldn't be hard to add another iteration to aclocal.m4 to try with libcrypto _and_ libkstat.

Is libscrypto a typo? I assume you meant libsnmp, unless your ucd-snmp depends on _other_ home-compiled libraries?

You're looking for the block around line 3925 in aclocal.m4, with the following comment block:

dnl #
dnl # That didn't work. Try adding the '-lcrypto' line.
dnl # Some SNMP libraries are linked against SSL...
dnl #

Copy from the next line through fi, paste below the fi, and change the line with LIBS and SNMP_LIBS to include -lkstat. Run aclocal and then autoconf (from the autotools 2.13 release, not any autotools 2.5x release) and try configuring again with --with-snmp-lib-dir and --with-snmp-include-dir. It _ought_ to work. ^_^

Let us know if this works, since it looks like a fairly safe change which could make 1.0.2 if you're quick. ^_^

If you're still stuck, config.log has a wealth of information about what's going on in your configure process, including the errors from the linker.

> Has anyone else experienced such configure woes on Solaris? If anyone
> can offer some advice, I'd greatly appreciate it!

This is all general stuff, I don't have access to a Solaris machine sadly. I hope it helps though.

> I've been asked to support net-snmp with freeRADIUS - I'm not even game
> to try after today's effort!

FreeRADIUS 1.1.0 supports net-snmp in ucd-compatibility mode. If you want to patch 1.0.1 to also support this, I've got patches in the Debian release of FreeRADIUS 1.0.1 which I could split out if you like. I don't recall if they made it into 1.0.2 though.

--
Paul "TBBle" Hampson, on an alternate email client.
Re: Hide password
On Tue, Feb 01, 2005 at 11:07:54AM +0100, Nicolas Viers - SCI Limoges wrote:
> Hello,
> how to hide User-Password in radacct logs

There's no standard way. You can patch the rlm_detail sources or use grep -v User-Password on your detail logs.

As for debug mode, there are also a lot of places in the server core and modules where the user-supplied password or the local one is printed...

--
Fduch M. Pravking
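Between Fduch's two options, a source patch or `grep -v User-Password`, there is a middle road, shown here as an added example that is not rlm_detail code and not from the thread: rewrite the detail files so the value of User-Password (and the other password-carrying attributes) is masked but the line and record layout is untouched, so whatever consumes the detail files downstream keeps working and still sees that a password was present. The format assumed is the one rlm_detail writes: a timestamp line, one tab-indented "Attribute = value" line per attribute, a blank line between records. The sample record and the list of attributes treated as sensitive are constructed assumptions. As Fduch notes, this does nothing for radiusd -X output, which prints passwords in many places.

```python
"""Added example, not part of rlm_detail or the thread: redact password-bearing
attributes in rlm_detail output while keeping every record and line in place.
Assumed format: timestamp line, tab-indented 'Attribute = value' lines, blank
line between records. Sample record and attribute list are constructed."""
import re
from typing import List, Tuple

# Attributes whose value is a password or a password-equivalent response (assumed list).
SENSITIVE = frozenset({
    "User-Password", "CHAP-Password", "MS-CHAP-Response", "MS-CHAP2-Response",
    "Tunnel-Password",
})

# indent, attribute name, optional :tag (e.g. Tunnel-Password:1), ' = ', value
_ATTR_LINE = re.compile(r"^(\s+)([A-Za-z0-9][A-Za-z0-9_.\-]*)(:\d+)?(\s*=\s*)(.*)$")

# Constructed sample in rlm_detail layout; not a real log.
SAMPLE_DETAIL = (
    "Tue Feb  1 11:07:54 2005\n"
    "\tUser-Name = \"alice\"\n"
    "\tUser-Password = \"hunter2\"\n"
    "\tNAS-IP-Address = 192.0.2.1\n"
    "\tNAS-Port = 3\n"
    "\tTimestamp = 1107252474\n"
    "\n"
    "Tue Feb  1 11:08:10 2005\n"
    "\tUser-Name = \"bob\"\n"
    "\tMS-CHAP2-Response = 0x0100aabbccddeeff\n"
    "\tTunnel-Password:1 = \"tunnel-secret\"\n"
    "\tNAS-IP-Address = 192.0.2.1\n"
    "\n"
)


def redact_line(line: str) -> str:
    """Replace the value of a sensitive attribute; leave every other line as it is.
    Quoted values stay quoted so a reader expecting a string still gets one."""
    m = _ATTR_LINE.match(line)
    if not m:
        return line
    indent, name, tag, eq, value = m.groups()
    if name not in SENSITIVE:
        return line
    masked = '"<redacted>"' if value.startswith('"') else "<redacted>"
    return f"{indent}{name}{tag or ''}{eq}{masked}"


def redact_detail(text: str) -> str:
    """Redact a whole detail file; line count is preserved exactly."""
    return "\n".join(redact_line(line) for line in text.split("\n"))


def records(text: str) -> List[Tuple[str, List[str]]]:
    """Split detail output into (timestamp, [attribute lines]) records. Used to
    check that redaction keeps record boundaries; 'grep -v' keeps them too, but
    drops the attribute entirely, so you can no longer tell PAP from CHAP requests."""
    out, current = [], None
    for line in text.split("\n"):
        if not line.strip():
            if current:
                out.append(current)
            current = None
        elif line[:1].isspace():
            if current is None:
                raise ValueError("attribute line before any timestamp line")
            current[1].append(line.strip())
        else:
            if current:
                out.append(current)
            current = (line, [])
    if current:
        out.append(current)
    return out


if __name__ == "__main__":
    print(redact_detail(SAMPLE_DETAIL), end="")
```

Run it over copies of the detail files (`python3 redact.py < detail-20050201 > detail-20050201.clean`), and remember that the unredacted originals still hold the passwords until they are removed; the redaction is for what you keep and ship elsewhere.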
Re: /etc/shadow in another server
Ok, probably the best choice is the proxy option. The only problem (because I thought about my suggestion) is disk space on server 2. The NFS solution is another possibility, but sharing that kind of file could have security problems (not theoretically, but if I forget to do something...)

TECHNICAL SOLUTION: Put in another HD ;)

Thanks a lot,
Jon

On Tue, 1 Feb 2005, Stefan Winter wrote:
> >  ___________          _____________
> > |           |  HOW?  |             |
> > <--> | RADIUS | ---> | /etc/shadow |
> > |___________|        |_____________|
> >    Server 1             Server 2
>
> I suppose there are always ways to achieve whatever you like. But the question
> is: do you really _want_ that?
> I'd rather suggest to install another RADIUS server instance on Server 2 and
> let Server 1 proxy its requests to that instance. It can then talk to its
> own /etc/passwd and shadow outright.
> However, if you really want Server 1 to do that, you could make the file
> accessible locally (via NFS or similar) and adjust the configuration of the
> RADIUS Server 1 to look not in /etc but the directory where you have the
> files imported into.
>
> Stefan Winter
>
> --
> Stefan WINTER
>
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Network and systems engineer
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> email: [EMAIL PROTECTED] tel.: +352 424409-33
> http://www.restena.lu fax: +352 422473
Re: /etc/shadow in another server
>  ___________          _____________
> |           |  HOW?  |             |
> <--> | RADIUS | ---> | /etc/shadow |
> |___________|        |_____________|
>    Server 1             Server 2

I suppose there are always ways to achieve whatever you like. But the question is: do you really _want_ that?

I'd rather suggest to install another RADIUS server instance on Server 2 and let Server 1 proxy its requests to that instance. It can then talk to its own /etc/passwd and shadow outright.

However, if you really want Server 1 to do that, you could make the file accessible locally (via NFS or similar) and adjust the configuration of the RADIUS Server 1 to look not in /etc but the directory where you have the files imported into.

Stefan Winter

--
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED] tel.: +352 424409-33
http://www.restena.lu fax: +352 422473
Freeradius crashing
Here's some GDB output from my redhat 8.0 box, that freeradius 1.0.1 is crashing on..

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): starting 5
rlm_sql (sql): Attempting to connect rlm_sql_mysql #5
rlm_sql_mysql: Starting connect to MySQL server for #5
rlm_sql (sql): Connected new DB handle, #5
rlm_sql (sql): starting 6
rlm_sql (sql): Attempting to connect rlm_sql_mysql #6
rlm_sql_mysql: Starting connect to MySQL server for #6
rlm_sql (sql): Connected new DB handle, #6
rlm_sql (sql): starting 7
rlm_sql (sql): Attempting to connect rlm_sql_mysql #7
rlm_sql_mysql: Starting connect to MySQL server for #7
rlm_sql (sql): Connected new DB handle, #7
rlm_sql (sql): starting 8
rlm_sql (sql): Attempting to connect rlm_sql_mysql #8
rlm_sql_mysql: Starting connect to MySQL server for #8
rlm_sql (sql): Connected new DB handle, #8
rlm_sql (sql): starting 9
rlm_sql (sql): Attempting to connect rlm_sql_mysql #9
rlm_sql_mysql: Starting connect to MySQL server for #9
rlm_sql (sql): Connected new DB handle, #9
rlm_sql (sql): starting 10
rlm_sql (sql): Attempting to connect rlm_sql_mysql #10
rlm_sql_mysql: Starting connect to MySQL server for #10
rlm_sql (sql): Connected new DB handle, #10
rlm_sql (sql): starting 11
rlm_sql (sql): Attempting to connect rlm_sql_mysql #11
rlm_sql_mysql: Starting connect to MySQL server for #11
rlm_sql (sql): Connected new DB handle, #11
rlm_sql (sql): starting 12
rlm_sql (sql): Attempting to connect rlm_sql_mysql #12
rlm_sql_mysql: Starting connect to MySQL server for #12
rlm_sql (sql): Connected new DB handle, #12
rlm_sql (sql): starting 13
rlm_sql (sql): Attempting to connect rlm_sql_mysql #13
rlm_sql_mysql: Starting connect to MySQL server for #13
rlm_sql (sql): Connected new DB handle, #13
rlm_sql (sql): starting 14
rlm_sql (sql): Attempting to connect rlm_sql_mysql #14
rlm_sql_mysql: Starting connect to MySQL server for #14
rlm_sql (sql): Connected new DB handle, #14
rlm_sql (sql): starting 15
rlm_sql (sql): Attempting to connect rlm_sql_mysql #15
rlm_sql_mysql: Starting connect to MySQL server for #15
rlm_sql (sql): Connected new DB handle, #15
rlm_sql (sql): starting 16
rlm_sql (sql): Attempting to connect rlm_sql_mysql #16
rlm_sql_mysql: Starting connect to MySQL server for #16
rlm_sql (sql): Connected new DB handle, #16
rlm_sql (sql): starting 17
rlm_sql (sql): Attempting to connect rlm_sql_mysql #17
rlm_sql_mysql: Starting connect to MySQL server for #17
rlm_sql (sql): Connected new DB handle, #17
rlm_sql (sql): starting 18
rlm_sql (sql): Attempting to connect rlm_sql_mysql #18
rlm_sql_mysql: Starting connect to MySQL server for #18
rlm_sql (sql): Connected new DB handle, #18
rlm_sql (sql): starting 19
rlm_sql (sql): Attempting to connect rlm_sql_mysql #19
rlm_sql_mysql: Starting connect to MySQL server for #19
rlm_sql (sql): Connected new DB handle, #19
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Re
Hide password
Hello,
how to hide User-Password in radacct logs

--
Nicolas Viers | Service Commun Informatique
Email: [EMAIL PROTECTED] | 123, avenue Albert Thomas | 87060 Limoges cedex
Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95
http://www.unilim.fr/sci
/etc/shadow in another server
Is it possible to use with freeradius the /etc/shadow (/etc/passwd) of another server?

 ___________          _____________
|           |  HOW?  |             |
<--> | RADIUS | ---> | /etc/shadow |
|___________|        |_____________|
   Server 1             Server 2

Thanks,
Jon
Problem with Ascend-Data-Rate in Radgroupreply
Hi All

I am having a problem setting up a TX/RX for a user using Ascend-Data-Rate in Radgroupreply. I need to set them under a group; if I set them up for a single user it works fine.

In table radgroupreply I have:

group  1  Ascend-Data-Rate  :=  rxspeed
       2  Ascend-Data-Rate  :=  txspeed

but when the user is logged on I am seeing that it is restricting the user RX/TX using the RXSPEED.

Any idea?

Thank you
Sarky
ntlm_auth domain nt
Hi,

I would like to use ntlm_auth to authenticate the domain's NT users, but freeradius in debug mode seems to not check or execute the command "ntlm_auth". How does ntlm_auth work? Also I don't know which line to add in the users file with ntlm_auth??

Can you help me please

regards,
Re: fedora core 3 "make" error
Thanks a lot. I already solved the 1st prob but now there is another prob. It's written there:

x99_rlm.c:550: error: label at end of compound statement

Cheers,
sunshung

From: Sebastian Wild <[EMAIL PROTECTED]>
Reply-To: freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Re: fedora core 3 "make" error
Date: Tue, 01 Feb 2005 09:39:22 +0100

rlm_krb5.c:40:21: com_err.h: No such file or directory

looks like you're missing some header files...
Did you install all required devel packages?

cheers
Sebastian
Re: fedora core 3 "make" error
rlm_krb5.c:40:21: com_err.h: No such file or directory

looks like you're missing some header files...
Did you install all required devel packages?

cheers
Sebastian
Access request with no User-Name
Hi.

I need a solution to deal with access requests not containing the User-Name attribute. The request is as below:

3GPP2-Correlation-Id = "768E"
Calling-Station-Id = "25009769921"
Framed-Protocol = PPP
User-Password = "secret"
Service-Type = Framed
NAS-IP-Address = a.b.c.d
Acct-Session-Id = "D477603FF28E"
Nas-Identifier = "some.host.name"

I need to build a username from CLID + some realm before authentication. I.e. if there is no username, add the attribute User-Name = "[EMAIL PROTECTED]" to the request and then authenticate it.

Please point me to the appropriate module if it's possible.

--
Alexander
configure script nightmare with ucd-snmp
Hi List,

I'm attempting to build freeRADIUS 1.0.1 on Solaris 9 with ucd-snmp 4.2.6.

I've been struggling to get the configure script to successfully recognise ucd-snmp and thus enable it for compilation in freeradius. I'm on Solaris 9, and what I've finally had to do is "hack" the configure script where it attempts to detect -lsnmp to include a -L flag to point to the location of libscrypto.so, as well as include -lcrypto and -lkstat.

I'm not sure if this is due to the way I've built ucd-snmp, or if it's because I've installed ucd-snmp in my home directory rather than the default /usr/local, or if it's just a Solaris cc peculiarity…or I'm just plain stupid...

Has anyone else experienced such configure woes on Solaris? If anyone can offer some advice, I'd greatly appreciate it!

I've been asked to support net-snmp with freeRADIUS - I'm not even game to try after today's effort!

Thanks for your assistance,
Mike