Postgresql Authentication How to
Hi All, I am using Freeradius 0.9.1. How to configure Freeradius to do authentication using Postgresql database. I have a running database. I have included Postgresql.conf file in radiusd.conf file. But exactly how to configure radiusd.conf and postgresql.conf file so that it will do the authentication from the database ? Anyone please help me in this regard. Thank u in advance Jagan = - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem in Accounting Port
Your client is sending accounting packets to the port on which freeRADIUS is listening for proxy responses. Configure the client to send accounting packets to the correct port (probably 1646), and you should be good...

Emman S. Loloy wrote:
> Hi guys, anyone knows how to solve this problem?
>
> Sat Feb 5 12:19:04 2005 : Error: Accounting-Request packet sent to a non-accounting port from client server:1647 - ID 0 : IGNORED
>
> Thanks,
> Emman
Problem in Accounting Port
Hi guys, anyone knows how to solve this problem?

Sat Feb 5 12:19:04 2005 : Error: Accounting-Request packet sent to a non-accounting port from client server:1647 - ID 0 : IGNORED

Thanks,
Emman
Re: high cpu
Try running with LD_ASSUME_KERNEL=2.4.19. This will force runtime linking against the standard libc libs instead of the thread-local storage (tls) libs. So, on the command line, run "LD_ASSUME_KERNEL=2.4.19 radiusd -X" and see if that segfaults.

--Mike

Alan DeKok wrote:
> Daniel J McDonald <[EMAIL PROTECTED]> wrote:
> > Program received signal SIGSEGV, Segmentation fault.
> > [Switching to Thread 1076829024 (LWP 17140)]
> > 0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
> > (gdb) bt
> > #0  0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
> > #1  0x406215dd in ldap_pvt_thread_mutex_lock () from /usr/lib/libldap_r.so.2
> > #2  0x40628443 in ldap_pvt_sasl_mutex_lock () from /usr/lib/libldap_r.so.2
> > #3  0x4042028e in sasl_dispose () from /usr/lib/libsasl2.so.2
>
> Sounds like a library conflict to me. I'm not sure what to suggest...
>
> Alan DEKok.
Re: Firewall Issue
"Leon" <[EMAIL PROTECTED]> wrote:
> I was finally able to track down the problem using the debug setting on the
> RADIUS server. Apparently, while the server receives requests for
> authentication on port 1812 it sends the "accept" message on port 1036.

Uh, no. FreeRADIUS doesn't do that.

> Anybody know what the story with port 1036?

I'll bet that the firewall is doing the port mapping. Use tcpdump to look at the packets sent out by FreeRADIUS, they WILL be sent from port 1812.

Alan DeKok.
Re: high cpu
Daniel J McDonald <[EMAIL PROTECTED]> wrote:
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1076829024 (LWP 17140)]
> 0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
> (gdb) bt
> #0  0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
> #1  0x406215dd in ldap_pvt_thread_mutex_lock ()
>    from /usr/lib/libldap_r.so.2
> #2  0x40628443 in ldap_pvt_sasl_mutex_lock ()
>    from /usr/lib/libldap_r.so.2
> #3  0x4042028e in sasl_dispose () from /usr/lib/libsasl2.so.2

Sounds like a library conflict to me. I'm not sure what to suggest...

Alan DEKok.
RE: Firewall Issue
I was finally able to track down the problem using the debug setting on the RADIUS server. Apparently, while the server receives requests for authentication on port 1812 it sends the "accept" message on port 1036. Once I had my ISP pipe that thru, the client worked GREAT! Anybody know what the story with port 1036?

Leon
Re: high cpu
On Fri, 2005-02-04 at 18:15 -0500, Alan DeKok wrote:
> Daniel J McDonald <[EMAIL PROTECTED]> wrote:
> > Following up to myself, I just compiled 1.0.1 and had the same issues -
> > 97% cpu and does not send the authentication response, radiusd -X
> > generates a segmentation fault.
>
> That's very weird. I've never seen that myself...
>
> > I changed radiusd.conf to allow corefiles, but it did not produce one
> > that I could find. I tried to use gdb to get a stack dump, but radiusd
> > -X wouldn't respond to radius queries while running gdb.
>
> Try:
>
> $ gdb radiusd
> (gdb) set args -X .
> (gdb) run

ok...

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mcdonalddj authenticated succesfully

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076829024 (LWP 17140)]
0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
(gdb) bt
#0  0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
#1  0x406215dd in ldap_pvt_thread_mutex_lock () from /usr/lib/libldap_r.so.2
#2  0x40628443 in ldap_pvt_sasl_mutex_lock () from /usr/lib/libldap_r.so.2
#3  0x4042028e in sasl_dispose () from /usr/lib/libsasl2.so.2
#4  0x406277bb in ldap_int_sasl_close () from /usr/lib/libldap_r.so.2
#5  0x40633c8c in ldap_free_connection () from /usr/lib/libldap_r.so.2
#6  0x4062a7d9 in ldap_ld_free () from /usr/lib/libldap_r.so.2
#7  0x4062aa74 in ldap_unbind_ext () from /usr/lib/libldap_r.so.2
#8  0x4062abd9 in ldap_unbind_s () from /usr/lib/libldap_r.so.2
#9  0x40604acd in ?? () from /usr/lib/freeradius/rlm_ldap.so
#10 0x0818f6a8 in ?? ()
#11 0x0818e80c in ?? ()
#12 0xbfffce7c in ?? ()
#13 0x0611487b in ?? ()
#14 0xbfffcee8 in ?? ()
#15 0x40007930 in _dl_lookup_symbol_x (undef_name=0x0, undef_map=0x1, ref=0x0, symbol_scope=0x81868c8, version=0x818e308, type_class=-1073752104, flags=134547776, skip_map=0x1) at dl-lookup.c:246
#16 0x08056958 in modcall ()
#17 0x08056aa9 in modcall ()
#18 0x08055e38 in find_module_instance ()
#19 0x08052b4a in rad_check_password ()
#20 0x08052fdf in rad_authenticate ()
---Type to continue, or q to quit---
#21 0x0804c515 in rad_respond ()
#22 0x0804dd86 in main ()

--
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy
[EMAIL PROTECTED]
Re: high cpu
Daniel J McDonald <[EMAIL PROTECTED]> wrote:
> Following up to myself, I just compiled 1.0.1 and had the same issues -
> 97% cpu and does not send the authentication response, radiusd -X
> generates a segmentation fault.

That's very weird. I've never seen that myself...

> I changed radiusd.conf to allow corefiles, but it did not produce one
> that I could find. I tried to use gdb to get a stack dump, but radiusd
> -X wouldn't respond to radius queries while running gdb.

Try:

$ gdb radiusd
(gdb) set args -X .
(gdb) run

and you should see any error there.

Alan DeKok.
Disabling radwtmp/radutmp For Some Clients
I was wondering if there was a way I could disable writing to radutmp and radwtmp for some clients, or whether this is an all or nothing proposition.

--
A. Clausen
[EMAIL PROTECTED]
Re: high cpu
On Fri, 2005-02-04 at 14:42 -0600, Daniel J McDonald wrote:
> I have an instance of freeradius 1.0.0 that is consuming 60-100% of a
> cpu (I have a two-processor box, so I can watch it do this). I am using
> ldap for the backend database.

Following up to myself, I just compiled 1.0.1 and had the same issues - 97% cpu and does not send the authentication response, radiusd -X generates a segmentation fault.

I changed radiusd.conf to allow corefiles, but it did not produce one that I could find. I tried to use gdb to get a stack dump, but radiusd -X wouldn't respond to radius queries while running gdb.

Environment is Mandrake 10.1 -
Linux ldap2.austin-energy.net 2.6.8.1-24mdksmp #1 SMP Thu Jan 13 23:11:43 MST 2005 i686 Intel(R) Pentium(R) III CPU - S 1400MHz unknown GNU/Linux

--
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy
[EMAIL PROTECTED]
Re: database/ldap for configuration?
There is currently support to read the clients from the sql module. In addition, I've been working on the same for LDAP... just waiting on some feedback from Kostas regarding the "draft patch" I submitted a week or so ago to the freeradius-devel list... so it should be coming...

regards,
Mike

Daniel J McDonald wrote:
> I use freeradius to manage administrative sessions on a large number of
> routers and switches. For redundancy, I have two boxes. I'd like to use
> some sort of a database or directory to configure all of the clients
> devices rather than the flatfile clients.conf. Is that on the roadmap
> anywhere?
Re: Firewall Issue
"Leon" <[EMAIL PROTECTED]> wrote:
> Trying to authenticate thru firewalls on client and Server side. I can
> authenticate inside the server firewall without problem. I can authenticate
> outside the server firewall from a dialup account. So no firewall there.
> When I try to authenticate from inside my client firewall though I get
> nothing.

RADIUS depends on the client IP. With a firewall, you probably have to list the IP of the firewall.

> I have the proper IP's configured in clients.conf. I know this because I get
> an "Ignoring request from unknown client" error in the radius log with the
> entry out.

Ok... if you list that IP in "clients.conf" it should work.

> I have tried both Solaris (java) clients and Windows clients. Both get no
> response from server and no entries in the server log.

If the server prints *nothing* in debugging mode, then it isn't seeing the request. If it does print something, then running it in debugging mode will tell you what went wrong.

Alan DeKok.
database/ldap for configuration?
I use freeradius to manage administrative sessions on a large number of routers and switches. For redundancy, I have two boxes. I'd like to use some sort of a database or directory to configure all of the clients devices rather than the flatfile clients.conf. Is that on the roadmap anywhere?

--
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy
[EMAIL PROTECTED]
high cpu
I have an instance of freeradius 1.0.0 that is consuming 60-100% of a cpu (I have a two-processor box, so I can watch it do this). I am using ldap for the backend database. clients.conf has about 160 devices in it, but this is the secondary box, and there are only a few of us who use the radius system.

running radiusd -X, I get a segmentation fault:

[EMAIL PROTECTED] radius]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radius"
 main: group = "radius"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "ldap2.austin-energy.net"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "dc=austin-energy,dc=net"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "dialupAccess"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLo
Firewall Issue
Just installed FreeRadius 1.0.1 on Redhat FC2.

Trying to authenticate thru firewalls on client and Server side. I can authenticate inside the server firewall without problem. I can authenticate outside the server firewall from a dialup account. So no firewall there. When I try to authenticate from inside my client firewall though I get nothing.

I have the ISP, where the client is, allow port 1812 (and later 1813), protocol UDP, to and from the server firewall. I have the proper IP's configured in clients.conf. I know this because I get an "Ignoring request from unknown client" error in the radius log with the entry out. my entry looks like:

client xxx.xxx.xxx.xxx/32 {
        secret = secret
        shortname = my-network
}

I have tried both Solaris (java) clients and Windows clients. Both get no response from server and no entries in the server log.

What should I be doing with the client firewall that I am not?
Re: MSCHAP V2 local
"DeYoung, Brandon" <[EMAIL PROTECTED]> wrote:
> I've tried this and a few other things in the users file.
> test    Auth-Type = Local, Password = "testing"

Don't set Auth-Type.

> Authentication against the AD backend works from my clients with mschap v2.
> But my local users still don't work when sent through mschap.

Because the mschap module is calling ntlm_auth.

> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=AM
> --username=test --challenge=4cd9c1a15948bb64
> --nt-response=0f8afe37aac4a6d8c1f42aae8f2c4582f90e8f33e07877cd
> Exec-Program output: Account locked out (0xc234)
> Exec-Program-Wait: plaintext: Account locked out (0xc234)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.

Hmm... looking at the module source, it could be a little more forgiving. In the mean time, try:

#---
test    User-Password == "testing", MS-CHAP-Use-NTLM-Auth = No
#---

Alan DeKok.
Re: Radius Authentication problem with SER
"M.V. Jaga Mohan" <[EMAIL PROTECTED]> wrote:
> I have downloaded freeradius 0.9.1

Why? You should be using 1.0.1.

> when I am trying to run ser I am getting error called
> :
> init_mod() : Error while initializing module.

Please ask the SER people. They should have a list. This is the FreeRADIUS list.

Alan DeKok.
Re: question about upgrading from 0.9.3 to 1.0.1
Joe Meslovich <[EMAIL PROTECTED]> wrote:
> What should my entry look like in the users file to get this to
> authenticate. When I tried running 1.0.1 last night I was getting an error
> about Auth-Type of EAP being an unknown Auth-Type.

Hmm... be sure that 1.0.1 is using the dictionaries from 1.0.1, and not the 0.9.3 dictionaries.

> We used the full domain name for the CN in the certificates. I see in the
> eap.conf for 1.0.1 that setting Auth-Type to EAP is not recommended. This
> entry in question is for a computer that is doing machine authentication.

If you know what you're doing, and it works, setting "Auth-Type = EAP" is OK. In general, though, most people get it wrong.

Alan DeKok.
Re: Help appreciated (accounting only data)
Johnny Chavez <[EMAIL PROTECTED]> wrote:
> Hello I am new to this list and I wondering if a topic has been
> touched on yet or if anyone can help with a question. Has anyone
> setup radiator

Huh? You are subscribed to the wrong list.

> Thank you for your help on this topic. If I am missing important
> information that is needed to help please let me know and I will
> update my post. Thank you.

If you are using Radiator, you shouldn't post to this list again.

Alan DeKok.
Re: Attributes Remain Empty in radacct
zack musa <[EMAIL PROTECTED]> wrote:
> values like ...
> are still unavailable both in radacct and detail file.

Fix the NAS. See the FAQ.

> Do we need to enable any scripts through some
> configuration file to write it in radacct or detail
> log files?

There is nothing you can do to the server to log data it doesn't have. Read the FAQ.

> From the dictionary, some of the attributes have many
> value, and how is the value being recorded to radacct?
> Is it automatically detected (intelligently) by
> dedicated NAS machine

The NAS sends data to the server.

Alan DeKok.
Re: Free radius for redhat 9
Try compiling and installing the freeradius-1.0.1.tar.gz package on your Redhat 9 system. I use this version of freeradius to test scenarios with your R2 AP, and it works with PEAP and MS-CHAPv2 authentication.

Regards
caceres

Schoggins, George wrote:
> Can anyone tell me where I can find binaries for FreeRadius for Redhat 9
>
> George Schoggins
> Enterasys Networks
> Phone: 407-268-9894
> FAX: 407-268-9881
> Cell: 407-808-6013
> Email: mailto:[EMAIL PROTECTED]
> www: http://www.enterasys.com
Help appreciated (accounting only data)
Hello I am new to this list and I am wondering if a topic has been touched on yet or if anyone can help with a question. Has anyone setup radiator to only receive accounting data from multiple locations? We are currently running Radiator 3.3.1, I know it's old but for the time being we need this version. We need to accept accounting data from about 8 different locations. I am looking for an example config if anyone has one. We are currently logging our accounting data to an SQL server remote from the actual radius servers. Has anyone setup radiator to send accounting data to two different locations? This will also help as I know a few of these other locations are currently using radiator.

Thank you for your help on this topic. If I am missing important information that is needed to help please let me know and I will update my post. Thank you.
handling of sql accounting stop queries (main and alternate)
Hi,

We are having difficulty making FreeRadius efficient in our environment because we cannot reliably attempt to insert records in the SQL database prior to attempting an update.

In one environment, our NAS'es are sending STOP accounting requests only (no START and UPDATE). In such a case, it is much more efficient to use this in sql.conf:

accounting_stop_query = "INSERT into ${acct_table1} [...]
accounting_stop_query_alt = "UPDATE ${acct_table1} [...]

than the inverse, because most (99.9%) of the time, a record will not be there.

But there's a functional problem with the above order. The current rlm_sql implementation (rlm_sql.c) assumes that the first stop query (accounting_stop_query) will be an SQL UPDATE query, and will not attempt the accounting_stop_query_alt query if it fails. It will only attempt the alternate query if the first query succeeds, but with 0 affected rows. However, an SQL INSERT fails if there was already a record, so the alternate query is not attempted.

This would not be a problem when we receive Radius packets from a normal client, but with RadRelay (which we also use for replication across two FreeRadius servers), this sometimes causes problems. If a packet is correctly inserted into the database but the acknowledgment of a packet is lost, RadRelay will (correctly) retransmit the packet, but this will fail because the record is effectively already in the SQL database, causing the INSERT to fail. The alternate query, which would be an update, is thus not attempted. RadRelay then hangs there forever, retransmitting the same packet over and over.

To work around this, we have to set sql.conf to do the SQL UPDATE before the INSERT, reducing the FreeRadius server throughput considerably.

Would it be possible to always (perhaps this needs to be configurable) attempt the accounting_stop_query_alt query, even if the accounting_stop_query fails (rather than only on success with 0 affected rows)? That is, make the logic of the stop query like the logic of, e.g., the start query.

PS: I think I never updated you after I tried the "load-balance" in the accounting section back in early December - well, it was working perfectly well...

Bruno Lague
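The insert-then-update problem the post describes, as an added example (not code from the post or from rlm_sql): a Python/sqlite3 model of a one-row radacct table with both stop-query orderings, fed the same Accounting-Stop twice, as radrelay would after a lost acknowledgment. The table, column names and packet values are constructed for the example; the two handler functions encode the current and the proposed fall-through logic.

```python
import sqlite3

# Constructed stand-in for ${acct_table1}: the session id is the key that
# makes a retransmitted Stop collide with the row the first copy inserted.
SCHEMA = """
CREATE TABLE radacct (
    acctsessionid      TEXT PRIMARY KEY,
    username           TEXT NOT NULL,
    nasipaddress       TEXT NOT NULL,
    acctstoptime       TEXT,
    acctsessiontime    INTEGER,
    acctterminatecause TEXT
)
"""

# accounting_stop_query: INSERT first, the order the post wants for a Stop-only NAS.
STOP_QUERY = """
INSERT INTO radacct (acctsessionid, username, nasipaddress,
                     acctstoptime, acctsessiontime, acctterminatecause)
VALUES (:sid, :user, :nas, :stop, :secs, :cause)
"""
# accounting_stop_query_alt: UPDATE the row that is already there.
STOP_QUERY_ALT = """
UPDATE radacct
   SET acctstoptime = :stop, acctsessiontime = :secs, acctterminatecause = :cause
 WHERE acctsessionid = :sid AND username = :user AND nasipaddress = :nas
"""

# Constructed Accounting-Stop packet, as the values sql.conf would xlat into the queries.
STOP_PACKET = {"sid": "8000000A", "user": "bob", "nas": "192.0.2.10",
               "stop": "2005-02-04 16:32:10", "secs": 1432, "cause": "User-Request"}


def run_query(conn, query, packet):
    """Run one query. Returns ('ok', affected_rows) or ('error', message)."""
    try:
        with conn:                        # commits, or rolls back on error
            cur = conn.execute(query, packet)
        return "ok", cur.rowcount
    except sqlite3.IntegrityError as exc:  # duplicate key: the row already exists
        return "error", str(exc)


def stop_as_in_rlm_sql(conn, packet):
    """Logic the post describes for rlm_sql 1.0.x: the alternate query is
    tried only when the primary query succeeds but affects 0 rows."""
    status, rows = run_query(conn, STOP_QUERY, packet)
    if status == "ok" and rows > 0:
        return "primary"
    if status == "ok":                    # succeeded with 0 rows
        status, rows = run_query(conn, STOP_QUERY_ALT, packet)
        return "alternate" if status == "ok" and rows > 0 else "failed"
    return "failed"                       # INSERT error: alt never attempted


def stop_as_proposed(conn, packet):
    """Proposed logic: fall through to the alternate query whenever the
    primary one fails OR affects 0 rows, as the start query already does."""
    status, rows = run_query(conn, STOP_QUERY, packet)
    if status == "ok" and rows > 0:
        return "primary"
    status, rows = run_query(conn, STOP_QUERY_ALT, packet)
    return "alternate" if status == "ok" and rows > 0 else "failed"


def deliver_twice(handler):
    """Deliver a Stop, then the identical Stop again (what radrelay does after
    a lost acknowledgment). Returns (first_outcome, retransmit_outcome, rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    first = handler(conn, STOP_PACKET)
    again = handler(conn, STOP_PACKET)
    rows = conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    return first, again, rows


if __name__ == "__main__":
    print("rlm_sql order :", deliver_twice(stop_as_in_rlm_sql))  # ('primary', 'failed', 1)
    print("proposed order:", deliver_twice(stop_as_proposed))    # ('primary', 'alternate', 1)
```

With the current logic the retransmit is rejected outright, which is what keeps radrelay resending; with the fall-through, the duplicate Stop becomes an idempotent update and the table still holds one row.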
RE: Web interface similar to Dialup Admin but for dialup users to change their login passwords.
A page with one option to change password would be great. Apache could authenticate off the radius server for access. Then pass the user attribute to php and bring up the page for the correct user. Letting them submit a new password.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kostas Kalevras
Sent: Friday, February 04, 2005 10:21 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Web interface similar to Dialup Admin but for dialup users to change their login passwords.

On Fri, 4 Feb 2005, Shannon Sariman wrote:

> Hi All,
>
> I am using freeradius with mysql and dialup admin. Is there any open source
> solution out there that can cater for dialup users to manually change their
> password using a similar web interface like dialup admin? Please help.

Not that i know of. dialupadmin will be extended at some point to provide this type of functionality.

>
> Regards,
>
> Shannon

--
Kostas Kalevras   Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone:   +30 210 7721861
'Go back to the shadow'   Gandalf
Re: Web interface similar to Dialup Admin but for dialup users to change their login passwords.
On Fri, 4 Feb 2005, Shannon Sariman wrote:

> Hi All,
>
> I am using freeradius with mysql and dialup admin. Is there any open source
> solution out there that can cater for dialup users to manually change their
> password using a similar web interface like dialup admin? Please help.

Not that i know of. dialupadmin will be extended at some point to provide this type of functionality.

> Regards,
>
> Shannon

--
Kostas Kalevras   Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone:   +30 210 7721861
'Go back to the shadow'   Gandalf
Re: (no subject)
Anderson Alves de Albuquerque wrote:
> After I need that RADIUS use crypt or DES to have
> password in clean txt.

It's impossible. Once you have the password crypted, you cannot get the clear text from it anymore. It's like making an omelette. You can make one from eggs, but you can't get the eggs back from the omelette.

> How could I tell RADIUS use crypt or DES to have clean
> TXT?

How can you tell your cook to turn the omelette back into eggs?

> If RADIUS know like have original password is stored in
> LDAP the RADIUS could done the HASH. Then RADIUS could know if this hash
> is like of the hash that RADIUS receive of the [application].

No. If you create two hashes from the same password, they are different. Just looking at the two, nobody can tell if they were created from the same password or not.

HTH,
Stefan
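What a server can and cannot do with a salted password hash from LDAP, as an added example (not code from the thread or from FreeRADIUS): it models the {SSHA} salted SHA-1 form many LDAP servers store, which is assumed here in place of crypt/DES because it needs only hashlib. Hashing the same password twice gives two different values, the stored value is never reversed, and verification works only because the server receives the cleartext password (PAP) and can re-hash it with the salt recovered from the stored value.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest; the salt is whatever follows it


def ssha_hash(password, salt=None):
    """Produce an LDAP-style {SSHA} value: base64(sha1(password + salt) + salt).

    A fresh random salt is drawn each call, so two hashes of one password differ."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password (as carried by PAP) against a stored {SSHA} value.

    The stored hash is not decrypted: the salt is split off the end of it, the
    candidate password is hashed with that same salt, and the digests are compared
    in constant time. Any other scheme prefix is rejected rather than guessed at."""
    if not stored.startswith(PREFIX):
        return False
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def demo(password="s3cret", wrong="guess"):
    """Returns (hashes_differ, both_verify, wrong_password_verifies)."""
    h1 = ssha_hash(password)
    h2 = ssha_hash(password)
    hashes_differ = h1 != h2
    both_verify = ssha_verify(password, h1) and ssha_verify(password, h2)
    return hashes_differ, both_verify, ssha_verify(wrong, h1)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

A challenge/response method such as CHAP or MS-CHAP never delivers the cleartext to the server, so a directory that holds only salted hashes can back PAP but not those methods; that is the practical limit the thread is circling.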
question about upgrading from 0.9.3 to 1.0.1
I am trying to upgrade our freeradius server from 0.9.3 to 1.0.1. We are doing some EAP-TLS authentication for an 802.1x deployment. In 0.9.3 we have entries in the users file for these 802.1x systems like this

writingcart1.bridgewater.edu    Auth-Type := EAP

We used the full domain name for the CN in the certificates. I see in the eap.conf for 1.0.1 that setting Auth-Type to EAP is not recommended. This entry in question is for a computer that is doing machine authentication. What should my entry look like in the users file to get this to authenticate? When I tried running 1.0.1 last night I was getting an error about Auth-Type of EAP being an unknown Auth-Type.

Joe Meslovich
[EMAIL PROTECTED]
Network/Systems Engineer, IT Center
Tel: (540) 828 - 5343
RE: Problems with ttls using SecureW2
Thanks for the suggestions, I'll look into them.

Again, thank you for your help.

> -Original Message-
> From: Rok Papez [mailto:[EMAIL PROTECTED]
> Sent: 4 February 2005 14:56
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Problems with ttls using SecureW2
>
> Hello Øystein.
>
> On Friday 04 February 2005 08:37, Øystein Gåsdal wrote:
>
> > I think Alan wrote that the job with getting ttls to work
> was to set
> > up tls properly... Freeradius works with the built-in 802.1x
> > supplicant, so I guess that tls is in fact set up properly?
> >
> > In eap.conf i have unchecked these lines:
> >
> > ttls {
> >
> >     default_eap_type = md5
> >
> >     copy_request_to_tunnel = yes
> >
> >     use_tunneled_reply = no
> > }
> >
> > Anyone else having this problem, or at least knows what i'm doing
> > wrong? :)
>
> No, EAP-TTLS is working just fine for me (FreeRADIUS and SecureW2) :).
> This is my eap.conf:
>
> eap {
>     default_eap_type = ttls
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
>     # a User-Name attribute in an Access-Accept, it copies one
>     # more byte than it should.
>     #
>     # We can work around it by configurably adding an extra
>     # zero byte.
>     cisco_accounting_username_bug = yes
>     tls {
>         private_key_file = /etc/ssl/key.pem
>         certificate_file = /etc/ssl/cert.pem
>         CA_file = /etc/ssl/cacert.pem
>         dh_file = /etc/ssl/dh
>         random_file = /dev/urandom
>         fragment_size = 1024
>         include_length = yes
>     }
>     ttls {
>         use_tunneled_reply = yes
>     }
> }
>
> And here are the instructions how to set-up the SecureW2
> client (they are in Slovenian language, but screenshots are
> from an English Windows XP):
> http://www.arnes.si/bio/nastavitve/nastavitve_secure_w2_sp2.html
>
> --
> best regards,
> Rok Papež.
how can freeradius log the transaction and failed logins?
Hi all,

I use Freeradius 1.0.1, dialupadmin, and mysql under Fedora core 2, and a Patton 2960 as my NAS. Everything works fine, except when my user fails logging in for any reason, freeradius did not put those failed transactions into the database. And then how can I make freeradius put any events that happen into the database when a user tries to dial the number, ringing, authenticating, and then online or dead the connection, like System Log? Does 'log_auth' do any good in this matter? I tried to uncomment it in radiusd.conf, but it is still not working.

Desperately needs help

Thanks a lot

Regards
Marendra
Re: Problems with ttls using SecureW2
Hello Øystein.

On Friday 04 February 2005 08:37, Øystein Gåsdal wrote:
> I think Alan wrote that the job with getting ttls to work was to set up tls
> properly... Freeradius works with the built-in 802.1x supplicant, so I guess
> that tls is in fact set up properly?
>
> In eap.conf i have unchecked these lines:
>
> ttls {
>
>     default_eap_type = md5
>
>     copy_request_to_tunnel = yes
>
>     use_tunneled_reply = no
> }
>
> Anyone else having this problem, or at least knows what i'm doing wrong? :)

No, EAP-TTLS is working just fine for me (FreeRADIUS and SecureW2) :).
This is my eap.conf:

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
    # a User-Name attribute in an Access-Accept, it copies one
    # more byte than it should.
    #
    # We can work around it by configurably adding an extra
    # zero byte.
    cisco_accounting_username_bug = yes
    tls {
        private_key_file = /etc/ssl/key.pem
        certificate_file = /etc/ssl/cert.pem
        CA_file = /etc/ssl/cacert.pem
        dh_file = /etc/ssl/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        use_tunneled_reply = yes
    }
}

And here are the instructions how to set-up the SecureW2 client (they are in Slovenian language, but screenshots are from an English Windows XP):
http://www.arnes.si/bio/nastavitve/nastavitve_secure_w2_sp2.html

--
best regards,
Rok Papež.
Attributes Remain Empty in radacct
Hi,

RH 8, NoCat Gateway + NoCatAuth server on Linux, FR 1.0.*

I have some problems with my accounting data. We let the radius server write accounting data into the detail log files. We use RADIUS.pm to add some attributes and get their values in the accounting process, and it works, but not for all. Values like FramedIPAddress, start/stop ConnectionInfo, TerminateCause, NASPortType and CalledStationId are still unavailable both in radacct and in the detail file. Do we need to enable any scripts through some configuration file to write them into radacct or the detail log files? Some of these attribute values are available in the other table in the radius db (same db as radacct). Can the value just be returned from that table (radreply), as authentication gets the return value for the FramedIPAddress (e.g.)? From the dictionary, some of the attributes have many values, and how is the value recorded to radacct? Is it automatically detected (intelligently) by the dedicated NAS machine (since I used Linux as my RADIUS client/NAS)? Some attributes have no value, such as start/stop ConnectionInfo, realm and CalledStationID. Do these values need to be set in any files or scripts or configuration file? I searched but for now can't find where... Help please..

Below are the scripts of RADIUS.pm that had been altered. The critical value that we try to get is the FramedIPAddress.

++

package NoCat::Accounting::RADIUS;

use NoCat::Source;
use Authen::Radius;
use strict;
use vars qw( @ISA @REQUIRED );

@ISA      = qw( NoCat::Accounting );
@REQUIRED = qw( RADIUS_Host RADIUS_Secret );

sub radius {
    my ($self) = @_;
    unless ($self->{Radius}) {
        my $r;
        my $Hosts = $self->{RadiusHostsToUse};
        if (! defined($Hosts)) {
            # This is really the first time through and I need to generate my list of servers
            $self->{RADIUS_Host} =~ s/,,/,/g;    # just to eliminate any blank entries
            my (@Hosts) = split(/,/, $self->{RADIUS_Host});
            if ($self->{RADIUS_Order}) {
                # mix em up (RADIUS_Order is the "randomise the server list" switch).
                my @TmpHosts;
                my %UsedHosts;
                for (my $i = 0; $i <= $#Hosts; $i++) {
                    my $TmpHost;
                    while (! $TmpHost || ($TmpHost && $UsedHosts{$TmpHost})) {
                        $TmpHost = $Hosts[int(rand($#Hosts + 1))];
                        last if ! $UsedHosts{$TmpHost};
                    }
                    $UsedHosts{$TmpHost} = 1;
                    $TmpHosts[$i] = $TmpHost;
                }
                @Hosts = @TmpHosts;
            }
            # List generated: keep a reference to the array (the archive had mangled this line).
            $self->{RadiusHostsToUse} = \@Hosts;
        }
        if ($self->{RadiusHostsToUse}) {
            # go through servers one by one
            foreach my $Host (@{$self->{RadiusHostsToUse}}) {
                my $Secret = $self->{RADIUS_Secret} ? $self->{RADIUS_Secret} : "";
                # A per-server secret may be given as "host*secret"; strip it off the host name.
                if ($Host =~ s/\*(.*)$//) {
                    $Secret = $1;
                }
                $self->log(0, "Connecting to RADIUS server $Host with Timeout " . $self->{RADIUS_TimeOut});
                $r = Authen::Radius->new(
                    Host       => $Host,
                    Secret     => $Secret,
                    Timeout    => $self->{RADIUS_TimeOut},
                    Accounting => 1
                );
                last if $r;    # If we have a good connection, we're done
                $self->log(0, "Failed to connect to RADIUS server $Host");
            }
            if ($r) {
                # This is almost always the case...
                $self->{Radius} = $r;
            } else {
                $self->log(0, "Can't connect to RADIUS server(s) $self->{RADIUS_Host}");
            }
        } else {
            return undef;    # no host for them!
        }
    }
    return $self->{Radius};
}

sub usenextserver {
    # If I fail, take the most recent host out and
    my $self = shift;
    return unless $self->{RadiusHostsToUse};    # unless I've been through the radius sub above, forget it
    my @Hosts  = @{$self->{RadiusHostsToUse}};
    my $popped = shift(@Hosts);                 # say goodbye to the first one
    $self->log(0, "popped $popped in usenextserver");
    undef($self->{Radius});                     # so radius above will get a new one.
    $self->{RadiusHostsToUse} = \@Hosts;
}

sub create_session_id {
    my $self = shift;
    # Note: spelled NewSessionID() here but NewSessionId() in start() below; Perl method names are case-sensitive.
    return $self->radius->NewSessionID();
}

sub start {
    my ($self, $peer, $stats) = @_;
    if (! $peer->session_id) {
        $peer->session_id($self->radius->NewSessionId());
    }
    # Attribute numbers are the RFC 2865 codes; only these are put on the wire.
    return $self->accounting(
        { Name => 1,  Value => $peer->user,          Type => 'string'  },    # User-Name
        { Name => 4,  Value => $self->{GatewayAddr}, Type => 'ipaddr'  },    # NAS-IP-Address
        { Name => 5,  Value => $self->{GatewayPort}, Type => 'integer' },    # NAS-Port
        { Name => 7,  Value => '1',                  Type => 'integer' },    # Framed-Protocol
        { Name => 8,  Type  => 'ipaddr', Value => $peer->id },                # Framed-IP-Address
        { Name => 31, Value => $peer->id,            Type => 'string'  },    # Calling-Station-Id
        { Name => 32, Value => $peer->{GatewayAddr}, Type => 'string'  },    # NAS-Identifier
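An added example in Python (not NoCat's or FreeRADIUS's code): it builds an RFC 2866 Accounting-Request carrying the attribute set the RADIUS.pm above sends, verifies and decodes it the way a server would, and then lists which of the attributes behind the empty radacct columns (Called-Station-Id, NAS-Port-Type, Acct-Terminate-Cause, Connect-Info) never appeared on the wire. The dictionary subset, the shared secret and the Start record are constructed for the example.

```python
import hashlib, hmac, socket, struct
# Subset of the RFC 2865/2866 dictionary (number -> name, type) needed for this example.
ATTR = {1: ("User-Name", "string"), 4: ("NAS-IP-Address", "ipaddr"), 5: ("NAS-Port", "integer"),
        7: ("Framed-Protocol", "integer"), 8: ("Framed-IP-Address", "ipaddr"),
        30: ("Called-Station-Id", "string"), 31: ("Calling-Station-Id", "string"),
        32: ("NAS-Identifier", "string"), 40: ("Acct-Status-Type", "integer"),
        44: ("Acct-Session-Id", "string"), 49: ("Acct-Terminate-Cause", "integer"),
        61: ("NAS-Port-Type", "integer"), 77: ("Connect-Info", "string")}
NUM = {name: num for num, (name, _) in ATTR.items()}
ENCODE = {"string": str.encode, "ipaddr": socket.inet_aton, "integer": lambda v: struct.pack(">I", v)}
DECODE = {"string": lambda b: b.decode(errors="replace"), "ipaddr": socket.inet_ntoa,
          "integer": lambda b: struct.unpack(">I", b)[0]}

def request_authenticator(packet, secret):
    """RFC 2866 Request Authenticator: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    length = struct.unpack(">H", packet[2:4])[0]
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()

def build_acct_request(identifier, secret, attrs):
    """Serialise (name, value) pairs as RADIUS TLVs into a signed Accounting-Request (code 4)."""
    body = b""
    for name, value in attrs:
        raw = ENCODE[ATTR[NUM[name]][1]](value)
        body += struct.pack(">BB", NUM[name], len(raw) + 2) + raw
    header = struct.pack(">BBH", 4, identifier, 20 + len(body))
    return header + request_authenticator(header + bytes(16) + body, secret) + body

def parse_acct_request(packet, secret):
    """Reject a forged or tampered record, then decode the TLVs into a name -> value dict."""
    if not hmac.compare_digest(request_authenticator(packet, secret), packet[4:20]):
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")
    length, pos, attrs = struct.unpack(">H", packet[2:4])[0], 20, {}
    while pos + 2 <= length:
        num, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        name, kind = ATTR.get(num, ("Attr-%d" % num, "string"))
        attrs[name] = DECODE[kind](packet[pos + 2:pos + alen])
        pos += alen
    return attrs

# radacct columns that stay empty unless the NAS actually sends the matching attribute.
RADACCT_WANTS = ("Framed-IP-Address", "Called-Station-Id", "NAS-Port-Type",
                 "Acct-Terminate-Cause", "Connect-Info")
def missing_for_radacct(attrs):
    return [name for name in RADACCT_WANTS if name not in attrs]

SECRET = b"constructed-shared-secret"   # constructed value for the example, not a real secret
# Constructed Start record carrying the attribute set RADIUS.pm above sends, plus Acct-Status-Type/Session-Id.
START = [("User-Name", "alice"), ("NAS-IP-Address", "10.0.0.1"), ("NAS-Port", 0),
         ("Framed-Protocol", 1), ("Framed-IP-Address", "10.0.0.77"),
         ("Calling-Station-Id", "10.0.0.77"), ("NAS-Identifier", "10.0.0.1"),
         ("Acct-Status-Type", 1), ("Acct-Session-Id", "constructed-0001")]
```

Running missing_for_radacct(parse_acct_request(build_acct_request(7, SECRET, START), SECRET)) shows that Called-Station-Id, NAS-Port-Type, Acct-Terminate-Cause and Connect-Info are absent from the Start record, so the server has nothing to write into those columns.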
Re: Problems with ttls using SecureW2
> Under Configure in SecureW2, under Authentication, the Authentication
> Method EAP, is selected, and EAP type is PEAP.

If you want to use TTLS you should not tell SecureW2 to do PEAP but TTLS.

> I think Alan wrote that the job with getting ttls to work was to set up tls
> properly... Freeradius works with the built-in 802.1x supplicant, so I
> guess that tls is in fact set up properly?
>
> In eap.conf i have unchecked these lines:
>
> > ttls {
> > default_eap_type = md5
> > copy_request_to_tunnel = yes
> > use_tunneled_reply = no
> > }

If you want to use TTLS you should not comment out the ttls section.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]
tel.: +352 424409-33
fax: +352 422473
http://www.restena.lu

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html