Re: more detailed sql logging
Guy,

Thanks for the response. But, according to the sql.conf... "authcheck_table = 'radcheck' "

I am simply trying to log who is trying to auth against the rad server, valid or not. Right now only postauth is being logged to sql and I'm trying to rectify that. I would assume that someone trying to check authentic credentials would be logged to the 'authcheck_table' but feel free to correct that assumption. I already have a 'sql' directive under the accounting block in radiusd.conf (line 1906). Currently the only table that has _anything_ is radpostauth. Any ideas?

k.

Guy Fraser <[EMAIL PROTECTED]> wrote:

> I am not exactly sure what you are trying to do, but you should never need to have the server write to radcheck.
>
> The table you are probably looking for is radacct.
>
> radcheck is equivalent to the first line of the users file.
> radacct is equivalent to the detail file.
>
> You likely want to add sql to the accounting section.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Frame-IP-Address in SQL?
Greeting,

I've the freeradius, ippool with mysql running however in the database this field is always blank.

Is that my configuration problem or there is some special requirement to get this working?

Regards,
Chan Min Wai
Re: FreeRadius logging lots of duplicates?
I have three different modem banks that are all logging duplicate stuff. I have a Portmaster 3, Max 4000, and two Max TNTS. All of which are logging things 100 times. If I tcpdump while it's repeating the logging the NAS box is repeat sending a bunch of the requests. So I'm guessing it's never hearing back "I got your Accounting packet" even though the server is logging it. Do the accounting packets require an acknowledge?

Scott

Scott Baker wrote:

> That would make sense, except every packet or session or whatever you wanna call each entry in the logfile for each session has the same "Acct-Session-Time". I would expect it to increment if it was doing interval accounting?
>
> Stephen D. Bechard wrote:
>
> > Sounds like your NAS is sending Acct Interim Interval packets, mine is configured to send them every 5-10 minutes during an active session.
> >
> > You should be able to configure your NAS to only send this information during Start/Stop.
> >
> > Enjoy,
> > Steve
> >
> > - Original Message -
> > From: "Scott Baker" <[EMAIL PROTECTED]>
> > To:
> > Sent: Friday, March 04, 2005 3:00 PM
> > Subject: FreeRadius logging lots of duplicates?
> >
> > > I just noticed that in the detail log files I'm seeing LOTS of duplicates of sessions. If I grep the log files for a specific "Acct-Unique-Session-Id" it's showing up 72 times!!! Even assuming one for start and one for stop it's still logging each entry roughly 36 times. The weird part is that the times for all these entries are spread across the WHOLE day. So if the sessions occurred at 10am, it will log them, and randomly throughout the next 24 hours log them over and over. I haven't checked if it logs the same entry over a couple of days.
> > >
> > > I'm assuming this is because the NAS box is sending the same accounting packet over and over again, but I don't know why it would be doing that. Does the radius need to acknowledge to the NAS box that it received the packet? What would cause the radius server not to do that?
> > >
> > > Where can I start to troubleshoot this?

--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253
Re: Password Learning?
On Fri, 2005-03-04 at 16:35, Dustin Doris wrote:
> On Wed, 2 Mar 2005, Nick Bright wrote:
>
> > Although I just had a thought. I can put the unix Crypt()'d password in the database if I use Password-Crypt (I think that's the flag, I'll look in the docs, I know I've seen it).
>
> If you have access to the /etc/passwd and can get the crypt passwords that should work. In sql just set the attribute as Crypt-Password. If you are using ldap, just prefix the password with {crypt} (added that in case anyone searches the archives looking for something similar but w/ ldap).
>
> That would be the easiest way to go.

Yeah, I figured that out. . . Have that set up and working (some of my recent posts have been dealing with that)

> Otherwise, you could use an external script. If you know perl, look into rlm_perl. You can call it at any point in the authentication process and you could create the sql calls to insert the username/password during auth. Or you could just write a script in another language. The benefit of the perl module is that it's persistent. Check out the exec echo part of radiusd.conf if you want to use another language.

I'll probably end up using a script to convert people's passwords when they log in, or just do it with a query (since I'm logging the plain text password to SQL anyways) later.

> I think they also have rlm_python if you know python, which will also provide a persistent connection to the script (I believe).

--
- Nick Bright
Terraworld, Inc
888-332-1616 x315
http://home.terraworld.net
Re: post-auth
On Wed, 2 Mar 2005, Chan Min Wai wrote:
> Chan Min Wai wrote:
> > Dustin Doris wrote:
>
> the variable for this script is
> 1) the NAS ip (the dhcp object class)
> 2) the Client MAC address
> 3) the ip address from ippool
> 4) the subnet from the ippool
>
> Strange ... I've it solved by this way...
>
> exec test {
>         wait = yes
>         program = "/bin/bash /usr/local/bin/test %{Calling-Station-id} %{Nas-Ip-Address}"
>         input_pairs = reply
>         output_pairs = reply
> }
>
> /usr/local/bin/test
> #!/usr/bin/bash
> #testing script
> printenv > /tmp/exec-program-wait
> echo $FRAMED_IP_ADDRESS $FRAMED_IP_NETMASK > /tmp/radtest
> echo $1 >> /tmp/radtest
> echo $2 >> /tmp/radtest
> exit
>
> cat /tmp/radtest
> 192.168.0.206 255.255.255.0
> 00-11-09-5f-a9-8b
> 192.168.0.16
>
> Interesting :)
>
> Is this the right way?

That will work, good idea.
Re: dhcpd + omshell + freeradius
> I would like to ask for your help just to clarify a few problems that I'm not too sure of.
>
> If you don't mind.
> 1) Can omshell list the old or current lease or config?
> 2) If no, what needs to be done if we want to know some of the old Group Config?

I believe it can list if there is a current lease for that mac. I don't remember the command though because it's been a long time since I've played with omshell. There should be a manpage on it, though. I think that's where I got everything that I used before to write that expect script.

> Dustin Doris wrote:
> > > Hello all,
> > >
> > > Recently I found that omshell can be used to control the dhcpd server without restarting the server.
> > > So I'm thinking would there be a way to ask the freeradius to "Talk" to omshell when a user auths and assign an ip through omshell.
> > > When the user requests the ip from the dhcpd server, he will get the one that freeradius assigned.
> > >
> > > Nice idea? :)
> > >
> > > Any thoughts?
> > >
> > > Thank You
> > > Chan Min Wai
> >
> > That's an interesting idea. A long time ago I wrote an expect script to change the IP address of a user. This had nothing to do with freeradius, but it could help. This will basically just help you with the syntax that omshell uses. You would need to pull out the variables from freeradius somewhere and execute this script with those variables. I was just setting the client name to the mac address, which is why both name and mac pull from the same argv. You would run the script like this (saying it's named something like dhcp.expect)
> >
> > dhcp.expect 192.168.0.5 0:60:1d:f1:75:d
> >
> > Hope this helps in getting you on your way.
> >
> > #!/usr/local/bin/expect -df
> >
> > set name [lindex $argv 1]
> > set mac [lindex $argv 1]
> > set ip [lindex $argv 0]
> >
> > spawn /usr/local/bin/omshell
> > expect ">"
> > send "connect\r"
> > expect ">"
> > send "new host\r"
> > expect ">"
> > send "set name = \"$name\"\r"
> > expect ">"
> > send "set hardware-address = $mac\r"
> > expect ">"
> > send "set hardware-type = 1\r"
> > expect ">"
> > send "set ip-address = $ip\r"
> > expect ">"
> > send "create\r"
> > expect ">"
> >
> > exit
Re: Password Learning?
On Wed, 2 Mar 2005, Nick Bright wrote:

> Although I just had a thought. I can put the unix Crypt()'d password in the database if I use Password-Crypt (I think that's the flag, I'll look in the docs, I know I've seen it).

If you have access to the /etc/passwd and can get the crypt passwords that should work. In sql just set the attribute as Crypt-Password. If you are using ldap, just prefix the password with {crypt} (added that in case anyone searches the archives looking for something similar but w/ ldap).

That would be the easiest way to go.

Otherwise, you could use an external script. If you know perl, look into rlm_perl. You can call it at any point in the authentication process and you could create the sql calls to insert the username/password during auth. Or you could just write a script in another language. The benefit of the perl module is that it's persistent. Check out the exec echo part of radiusd.conf if you want to use another language.

I think they also have rlm_python if you know python, which will also provide a persistent connection to the script (I believe).
Re: 802.1x/EAP-MD5 against OpenLDAP HOWTO
Zoltan Ori wrote:

> Is the extra entry for LDAP in authenticate necessary? Mine looks like this and works fine for both MD5 and PEAP.
>
> authenticate {
>         Auth-Type MS-CHAP {
>                 mschap
>         }
>         eap
> }

You are likely right that that may be unnecessary for EAP. We do Chillispot (Wireless hotspot) authentication via the same RADIUS server and I believe that one requires the authenticate section. I'll test.

Vladimir
Re: FreeRadius logging lots of duplicates?
That would make sense, except every packet or session or whatever you wanna call each entry in the logfile for each session has the same "Acct-Session-Time". I would expect it to increment if it was doing interval accounting?

Stephen D. Bechard wrote:

> Sounds like your NAS is sending Acct Interim Interval packets, mine is configured to send them every 5-10 minutes during an active session.
>
> You should be able to configure your NAS to only send this information during Start/Stop.
>
> Enjoy,
> Steve
>
> - Original Message -
> From: "Scott Baker" <[EMAIL PROTECTED]>
> To:
> Sent: Friday, March 04, 2005 3:00 PM
> Subject: FreeRadius logging lots of duplicates?
>
> > I just noticed that in the detail log files I'm seeing LOTS of duplicates of sessions. If I grep the log files for a specific "Acct-Unique-Session-Id" it's showing up 72 times!!! Even assuming one for start and one for stop it's still logging each entry roughly 36 times. The weird part is that the times for all these entries are spread across the WHOLE day. So if the sessions occurred at 10am, it will log them, and randomly throughout the next 24 hours log them over and over. I haven't checked if it logs the same entry over a couple of days.
> >
> > I'm assuming this is because the NAS box is sending the same accounting packet over and over again, but I don't know why it would be doing that. Does the radius need to acknowledge to the NAS box that it received the packet? What would cause the radius server not to do that?
> >
> > Where can I start to troubleshoot this?

--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253
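One way to test the two explanations raised in this thread, as an added example that is not part of any poster's message: group detail-file records by Acct-Unique-Session-Id and Acct-Status-Type, then separate copies whose Acct-Session-Time never changes (the same packet resent, which a NAS does until it receives an Accounting-Response) from records whose session time advances (interim updates). The sample records and the function names are constructed for illustration, and the Acct-Delay-Time column assumes the NAS sends that attribute.

```python
from collections import defaultdict

# Constructed sample in the layout of a FreeRADIUS "detail" file: an
# unindented timestamp line, tab-indented "Attribute = value" lines, and a
# blank line closing each record. All values are made up for illustration.
SAMPLE_DETAIL = """\
Fri Mar  4 10:00:05 2005
\tUser-Name = "alice"
\tAcct-Status-Type = Start
\tAcct-Unique-Session-Id = "a1b2c3d4"

Fri Mar  4 10:20:05 2005
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 1200
\tAcct-Delay-Time = 0
\tAcct-Unique-Session-Id = "a1b2c3d4"

Fri Mar  4 13:47:12 2005
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 1200
\tAcct-Delay-Time = 12427
\tAcct-Unique-Session-Id = "a1b2c3d4"

Fri Mar  4 22:03:40 2005
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 1200
\tAcct-Delay-Time = 42215
\tAcct-Unique-Session-Id = "a1b2c3d4"

Fri Mar  4 11:05:00 2005
\tUser-Name = "bob"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Time = 300
\tAcct-Unique-Session-Id = "e5f6a7b8"

Fri Mar  4 11:10:00 2005
\tUser-Name = "bob"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Time = 600
\tAcct-Unique-Session-Id = "e5f6a7b8"
"""


def parse_detail(text):
    """Split detail-file text into records (dicts of attribute -> value)."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():              # blank line closes the record
            if current is not None:
                records.append(current)
            current = None
        elif not line[0].isspace():       # unindented line: timestamp header
            if current is not None:
                records.append(current)
            current = {"logged_at": line.strip()}
        elif current is not None:         # indented "Name = value" line
            name, sep, value = line.strip().partition(" = ")
            if sep:
                current[name] = value.strip('"')
    if current is not None:
        records.append(current)
    return records


def _as_int(value, default=0):
    """Integer value of an attribute, or default when absent or non-numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def classify_duplicates(records):
    """Label each (session id, status type) group.

    single      - logged once
    retransmit  - logged several times with one unchanged Acct-Session-Time
    progressing - logged several times with an advancing Acct-Session-Time
    """
    groups = defaultdict(list)
    for rec in records:
        sid = rec.get("Acct-Unique-Session-Id")
        if sid:
            groups[(sid, rec.get("Acct-Status-Type", "?"))].append(rec)

    report = {}
    for key, recs in groups.items():
        session_times = {r.get("Acct-Session-Time") for r in recs}
        if len(recs) == 1:
            verdict = "single"
        elif len(session_times) == 1:
            verdict = "retransmit"
        else:
            verdict = "progressing"
        report[key] = {
            "count": len(recs),
            "verdict": verdict,
            "first_logged": recs[0]["logged_at"],
            "last_logged": recs[-1]["logged_at"],
            # A growing Acct-Delay-Time shows how long the NAS has been retrying.
            "max_delay": max(_as_int(r.get("Acct-Delay-Time")) for r in recs),
        }
    return report


if __name__ == "__main__":
    results = classify_duplicates(parse_detail(SAMPLE_DETAIL))
    for (sid, status), info in sorted(results.items()):
        print(sid, status, info)
```

A group marked "retransmit" whose first and last log times are hours apart matches the pattern described in the original post.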
Re: FreeRadius logging lots of duplicates?
Sounds like your NAS is sending Acct Interim Interval packets, mine is configured to send them every 5-10 minutes during an active session.

You should be able to configure your NAS to only send this information during Start/Stop.

Enjoy,
Steve

- Original Message -
From: "Scott Baker" <[EMAIL PROTECTED]>
To:
Sent: Friday, March 04, 2005 3:00 PM
Subject: FreeRadius logging lots of duplicates?

> I just noticed that in the detail log files I'm seeing LOTS of duplicates of sessions. If I grep the log files for a specific "Acct-Unique-Session-Id" it's showing up 72 times!!! Even assuming one for start and one for stop it's still logging each entry roughly 36 times. The weird part is that the times for all these entries are spread across the WHOLE day. So if the sessions occurred at 10am, it will log them, and randomly throughout the next 24 hours log them over and over. I haven't checked if it logs the same entry over a couple of days.
>
> I'm assuming this is because the NAS box is sending the same accounting packet over and over again, but I don't know why it would be doing that. Does the radius need to acknowledge to the NAS box that it received the packet? What would cause the radius server not to do that?
>
> Where can I start to troubleshoot this?
>
> --
> Scott Baker
> Canby Telephone - Network Administrator - RHCE
> Ph: 503.266.8253
Re: Dialup Admin, general questions [customization]
Thanks for the reply, some of this I figured out, and some I have more questions on. . . comments below.

On Fri, 2005-03-04 at 12:32, Kostas Kalevras wrote:
> On Fri, 4 Mar 2005, Nick Bright wrote:
>
> > So now I've moved on to setting up Dialup Admin for my freeradius server, and it doesn't do things quite how I expected. Is there any additional documentation besides the README file? I see nothing in /usr/share/docs/freeradius about it. Also, I have a few questions that may or may not make sense:
>
> dialup_admin includes a doc folder, which contains a HOWTO file. It should be listed in the help page. admin.conf also includes *A LOT* of comments about each directive.

I'm blind or something, didn't see it before, I will read through it.

> Also, try using the latest cvs version of dialupadmin

Is it much different than the version from the latest distribution package?

> > 1) When adding a user, I'm prompted for all the radius attributes for each user. Isn't this what radgroupreply is for? If I leave them blank, it puts it into radreply anyways.
>
> Puts what exactly?

The stuff from user_edit.attrs :) Got this one figured out. . . Just comment out what you don't want to show up.

> > I want to use radgroupreply for everyone that doesn't have custom radius replies (which will be virtually no one) to save database space. How can I do that?
>
> You create groups. You then specify the group the user will belong to when creating him.

Ok, I see where to create them (I didn't before, blind again I guess), but how does this correspond to things I've got in radgroupcheck? When I try to add a new user, not all of my groups from radgroupcheck show up. The custom radius replies only show up when those items are uncommented in user_edit.attrs, however there is a PHP error if that whole file is commented out.

Answer to my own question: The group must already have a user assigned to show up in the "show groups" or "new user" pages. However, you can type in the group name and directly edit the group, to add the first user. Then it shows up everywhere it should.

By disabling everything but "Simultaneous-Use" from user_edit.attrs, I resolved the problem of putting all the useless attributes into SQL when they aren't necessary. Oddly, if I leave it blank, it doesn't insert a row into radcheck (which is perfectly fine) - though the other things in user_edit.attrs were inserting rows even when blank. Perhaps it depends on the attribute.

> > 2) User "Profiles", we do 'unlimited' dialup, but everything in here is talking about "4 hours per day" and "20 hours per week"?? I don't even see where to change those settings at.
>
> See at the end of admin.conf. Currently unlimited counters are not supported in dialupadmin (yet).

admin.conf says for "The value should be in seconds or none for nothing" so I'll try "none" out and see how it works. Seems to work well.

> > 3) I can't edit anything in NAS Administration. I presume I should be able to add/change/remove NAS units from here? When I click a unit, the info comes up, but it is read only. I can DELETE the NAS, but not add new ones or change existing information. This section just generally doesn't work right.
>
> Enable sql debug to see exactly what's happening. What's the error message?

Well, I wasn't looking at it in depth enough. I can't change the IP address, but I /can/ change anything else. However, I still can't *add* a new NAS. Am I missing something, or is the function not there?

> > 4) I've got multiple realms logging in to one NAS unit, I notice that in the statistics, there is no differentiation between realms. Can I make that happen? One realm is NULL & @psctelcom.net and the other is @terraworld.net
>
> Most probably patches will be needed.

Well I'll just have to see what I can do to fix that or get around it.

> > 5) online users: I'm using a usrhiper, and max40xx for NAS units. I notice only cisco is supported? I set my finger_type in nastlist.conf to database for both NAS units, since it said only cisco is supported. However, snmp_finger would be better if it can be made to work. Can it?
>
> No. Patches are welcome. You can set the online users page to just use radacct directly without querying the nas first.

In the docs folder it mentions that "cisco" and "lucent" are supported. What does it mean by Lucent? Lucent makes a lot of gear, Portmasters, and Maxes among other things. I see specific mention of MAX 3000, so I'm going to try it with my 40xx's and see what happens. I'll also see about writing a patch to support usrhiper, though I am not very confident in my ability to do so - in other words, it might not happen ;)

> > 6) "Find User" function doesn't work. At all - it returns no results for all searches. what's up with that?
>
> Again, enable sql_debug.

"Find User" doesn't searc
RE: variables in ppp 2.4.3
Hi,

I've already done that, but still no response. I also thought this might be a freeradius district ;) dictionary.microsoft is a part of freeradius package, right? Who actually defines the types in dictionary files?

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, 04 March 2005 20:45
To: freeradius-users@lists.freeradius.org
Subject: Re: variables in ppp 2.4.3

"Seferovic Edvin" <[EMAIL PROTECTED]> wrote:
> ORIGINAL POST TO linux-ppp list !
>
> I've installed ppp-2.4.3 to use it with Poptop ( VPN server ) and freeRadius. Because I need the dictionary.microsoft for the MS-CHAP specific attributes - I've included this file into dictionary file in radiusclient directory.

This is not a FreeRADIUS question. Ask the PPP people.

Alan DeKok.
FreeRadius logging lots of duplicates?
I just noticed that in the detail log files I'm seeing LOTS of duplicates of sessions. If I grep the log files for a specific "Acct-Unique-Session-Id" it's showing up 72 times!!! Even assuming one for start and one for stop it's still logging each entry roughly 36 times. The weird part is that the times for all these entries are spread across the WHOLE day. So if the sessions occurred at 10am, it will log them, and randomly throughout the next 24 hours log them over and over. I haven't checked if it logs the same entry over a couple of days.

I'm assuming this is because the NAS box is sending the same accounting packet over and over again, but I don't know why it would be doing that. Does the radius need to acknowledge to the NAS box that it received the packet? What would cause the radius server not to do that?

Where can I start to troubleshoot this?

--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253
Re: variables in ppp 2.4.3
"Seferovic Edvin" <[EMAIL PROTECTED]> wrote:
> ORIGINAL POST TO linux-ppp list !
>
> I've installed ppp-2.4.3 to use it with Poptop ( VPN server ) and freeRadius. Because I need the dictionary.microsoft for the MS-CHAP specific attributes - I've included this file into dictionary file in radiusclient directory.

This is not a FreeRADIUS question. Ask the PPP people.

Alan DeKok.
Re: 802.1x/EAP-MD5 against OpenLDAP HOWTO
On Friday 04 March 2005 13:37, Vladimir Vuksan wrote:
> I promised I would write a HOWTO to 802.1x/EAP-MD5 authentication using LDAP. Here it is :-)
>
> http://vuksan.com/linux/dot1x/802-1x-LDAP.html
>
> Let me know if you have corrections or additions.
>
> Vladimir

Is the extra entry for LDAP in authenticate necessary? Mine looks like this and works fine for both MD5 and PEAP.

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

I believe I used to get an error or warning when I had LDAP here. I'm using version 1.0.1 of freeRADIUS and do not have radiusprofile in openLDAP. Only usernames, passwords and a few other check-items for use in the users file. Does that make a difference?

Zoltan
variables in ppp 2.4.3
Hi list ;)

ORIGINAL POST TO linux-ppp list !

I've installed ppp-2.4.3 to use it with Poptop ( VPN server ) and freeRadius. Because I need the dictionary.microsoft for the MS-CHAP specific attributes - I've included this file into dictionary file in radiusclient directory. When I start the pptpd daemon and fire up the connection - my pppd reports following:

schueler pppd[27456]: rc_read_dictionary: invalid type on line 12 of dictionary /etc/radiusclient/dictionary.microsoft
schueler pppd[27456]: RADIUS: Can't read dictionary file /etc/radiusclient/dictionary

Then I looked at the dictionary file where only following types are accepted:

# string - 0-253 octets
# ipaddr - 4 octets in network byte order
# integer - 32 bit value in big endian order (high byte first)
# date - 32 bit value in big endian order - seconds since

But dictionary.microsoft also has "octets" as variable type! Is it possible that pppd doesn't understand this type or should I ask this question on the freeRadius mailing list?

Thank you for hints or help.

Regards,

Edvin Seferovic
802.1x/EAP-MD5 against OpenLDAP HOWTO
I promised I would write a HOWTO to 802.1x/EAP-MD5 authentication using LDAP. Here it is :-)

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Let me know if you have corrections or additions.

Vladimir
Re: Dialup Admin, general questions [customization]
On Fri, 4 Mar 2005, Nick Bright wrote:

> So now I've moved on to setting up Dialup Admin for my freeradius server, and it doesn't do things quite how I expected. Is there any additional documentation besides the README file? I see nothing in /usr/share/docs/freeradius about it. Also, I have a few questions that may or may not make sense:

dialup_admin includes a doc folder, which contains a HOWTO file. It should be listed in the help page. admin.conf also includes *A LOT* of comments about each directive.

Also, try using the latest cvs version of dialupadmin

> 1) When adding a user, I'm prompted for all the radius attributes for each user. Isn't this what radgroupreply is for? If I leave them blank, it puts it into radreply anyways.

Puts what exactly?

> I want to use radgroupreply for everyone that doesn't have custom radius replies (which will be virtually no one) to save database space. How can I do that?

You create groups. You then specify the group the user will belong to when creating him.

> 2) User "Profiles", we do 'unlimited' dialup, but everything in here is talking about "4 hours per day" and "20 hours per week"?? I don't even see where to change those settings at.

See at the end of admin.conf. Currently unlimited counters are not supported in dialupadmin (yet).

> 3) I can't edit anything in NAS Administration. I presume I should be able to add/change/remove NAS units from here? When I click a unit, the info comes up, but it is read only. I can DELETE the NAS, but not add new ones or change existing information. This section just generally doesn't work right.

Enable sql debug to see exactly what's happening. What's the error message?

> 4) I've got multiple realms logging in to one NAS unit, I notice that in the statistics, there is no differentiation between realms. Can I make that happen? One realm is NULL & @psctelcom.net and the other is @terraworld.net

Most probably patches will be needed.

> 5) online users: I'm using a usrhiper, and max40xx for NAS units. I notice only cisco is supported? I set my finger_type in nastlist.conf to database for both NAS units, since it said only cisco is supported. However, snmp_finger would be better if it can be made to work. Can it?

No. Patches are welcome. You can set the online users page to just use radacct directly without querying the nas first.

> 6) "Find User" function doesn't work. At all - it returns no results for all searches. what's up with that?

Again, enable sql_debug.

> I'm sorry about these silly questions, really they are things that should be covered by the (nearly nonexistent) documentation. Again, I will suggest that the FreeRADIUS project needs a wiki to do this with :)
>
> I will continue investigating these questions, but I would appreciate any comments or suggestions on solving the niggles above.
>
> Thanks for your time, guys & gals.
>
> --
> - Nick Bright
> Terraworld, Inc
> 888-332-1616 x315
> http://home.terraworld.net

--
Kostas Kalevras    Network Operations Center
[EMAIL PROTECTED]    National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Dialup Admin, general questions [customization]
So now I've moved on to setting up Dialup Admin for my freeradius server, and it doesn't do things quite how I expected. Is there any additional documentation besides the README file? I see nothing in /usr/share/docs/freeradius about it. Also, I have a few questions that may or may not make sense:

1) When adding a user, I'm prompted for all the radius attributes for each user. Isn't this what radgroupreply is for? If I leave them blank, it puts it into radreply anyways. I want to use radgroupreply for everyone that doesn't have custom radius replies (which will be virtually no one) to save database space. How can I do that?

2) User "Profiles", we do 'unlimited' dialup, but everything in here is talking about "4 hours per day" and "20 hours per week"?? I don't even see where to change those settings at.

3) I can't edit anything in NAS Administration. I presume I should be able to add/change/remove NAS units from here? When I click a unit, the info comes up, but it is read only. I can DELETE the NAS, but not add new ones or change existing information. This section just generally doesn't work right.

4) I've got multiple realms logging in to one NAS unit, I notice that in the statistics, there is no differentiation between realms. Can I make that happen? One realm is NULL & @psctelcom.net and the other is @terraworld.net

5) online users: I'm using a usrhiper, and max40xx for NAS units. I notice only cisco is supported? I set my finger_type in nastlist.conf to database for both NAS units, since it said only cisco is supported. However, snmp_finger would be better if it can be made to work. Can it?

6) "Find User" function doesn't work. At all - it returns no results for all searches. what's up with that?

I'm sorry about these silly questions, really they are things that should be covered by the (nearly nonexistent) documentation. Again, I will suggest that the FreeRADIUS project needs a wiki to do this with :)

I will continue investigating these questions, but I would appreciate any comments or suggestions on solving the niggles above.

Thanks for your time, guys & gals.

--
- Nick Bright
Terraworld, Inc
888-332-1616 x315
http://home.terraworld.net
Include perl file in redreply
Hi guys,

I wanted to include my own perl file for the attribute of h323-credit-time. So my script will be able to check the balance from the user balance and return the maximum h323-credit-time for the same user.

I tried like

h323-credit-time = "h323-credit-time=10"

It is working successfully, but instead of "h323-credit-time=10" I want to call my own perl function so the function will be able to find the remaining balance for the same user and return the maximum time.

If anyone can share his idea I will really appreciate it.

Thank you
Re: more detailed sql logging
On Thu, 2005-03-03 at 13:54 -0800, Kris Efland wrote:
> Excuse me if this has already been discussed but I couldn't find anything after searching...
>
> I have FR successfully up and running. I have it "logging" through sql, and authenticating through ldap. How do I go about getting more detailed logs out of FR through sql? Currently it is only logging to postauth_table and is therefore only showing successful logins. I need it to log to authcheck_table (radcheck) to see if people are failing to login properly. These are being sent to the logfile but not to sql. I have broken down the sql config files but they don't seem to have any insert statements into the radcheck sql table. Do I have to write these myself? or is it more simplistic than that? Can you do this when separating the authentication mechanism from sql? Thanks in advance.
>
> Kris

I am not exactly sure what you are trying to do, but you should never need to have the server write to radcheck.

The table you are probably looking for is radacct.

radcheck is equivalent to the first line of the users file.
radacct is equivalent to the detail file.

You likely want to add sql to the accounting section.
Re: ippool From the Connecting NAS
Alan DeKok wrote:
> Chan Min Wai <[EMAIL PROTECTED]> wrote:
> > I've a few ip pool, and for a better control I would like to know if there is a way to assign Ip address according to the NAS connected. What is the correct way to do it?
>
> How do you want to assign the IP address?
>
> You can set up a separate IP pool for each NAS. That's probably the easiest way.
Yea, that is what I'm thinking of...
NAS A using pool 1
NAS B+C+D using pool 2
NAS E using pool 3
Then how would I configure the separation? Using huntgroup?
Regards, Thank You
Re: rlm_mschap: No User-Password configured.
Raúl Tamayo Fernández <[EMAIL PROTECTED]> wrote:
> Why do I get the "rlm_mschap: No User-Password configured. Cannot create LM(or NT)-Password..." message? What does it mean?
It means that you didn't tell the server what the user's correct password is.
Alan DeKok.
rlm_mschap: No User-Password configured.
Any ideas about this? I want to use FreeRadius to authenticate wireless users against an OpenLDAP database running on the same server as FreeRadius. I want to use PEAP with mschapv2 (default EAP method for Windows XP). However, I got the following (complete log at the end of message):
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for luisvi with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 7
modcall: group Auth-Type returns reject for request 7
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
Login incorrect: [luisvi/] (from client localhost port 0)
Why do I get the "rlm_mschap: No User-Password configured. Cannot create LM(or NT)-Password..." message? What does it mean? And most important, how do I correct this? Is it something about interaction between LDAP and FreeRadius?
Thanks in advance, Raul Tamayo
Complete log:
#radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded MS-CHAP mschap: use_mppe = no mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded LDAP ldap: server = "localhost" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = yes ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: 
tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "dc=cicese,dc=mx" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "{clear}" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simul
Re: FreeRADIUS + PEAP
"Gustafson, Tim" <[EMAIL PROTECTED]> wrote:
> FreeRADIUS does get the authentication requests, but it seems that I've done something wrong and the requests are not being authenticated properly. Here's what I get in my FreeRADIUS log:
That's nice. Did you try running it in debugging mode as suggested in the README, INSTALL, FAQ, and daily on this list?
> Fri Mar 4 13:11:41 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/<no User-Password attribute>] (from client wireless.meitech.com port 9 cli 000b7d0fa264)
>
> Why is there no username attribute?
I have no idea why you would ask that. Perhaps you could try reading the log message again.
> I have configured the Windows XP workstation to use PEAP and it asks me for my login name and password, which I entered, but it seems that the password attribute is not being sent to FreeRADIUS, or maybe it's being sent in a way that FreeRADIUS isn't understanding?
When PEAP is used, the password is not sent to the server directly, so the server can't print it in a log message.
> My wireless users are connecting using login names and passwords, not certificates, but I think that eap needs certificates anyhow, correct?
No.
Alan DeKok.
Re: ippool From the Connecting NAS
Chan Min Wai <[EMAIL PROTECTED]> wrote:
> I've a few ip pool, and for a better control I would like to know if there is a way to assign Ip address according to the NAS connected. What is the correct way to do it?
How do you want to assign the IP address?
You can set up a separate IP pool for each NAS. That's probably the easiest way.
Alan DeKok.
Re: Reload NAS table on freeradius after record update
Chan Min Wai <[EMAIL PROTECTED]> wrote:
> If the NAS list is checked from time to time. The restart might not be required...
Sure. When does the server decide to re-check the NAS list? How does it reload the list without causing problems for the existing list?
Alan DeKok.
Re: How to set FreeRADIUS auth via POP3?
CNCA CNCA <[EMAIL PROTECTED]> wrote:
> I tried to use pam_pop3 to do this, but failed.
So.. what failed, and why?
> please give me some advice, thanks a lot :P
Please describe what you're trying to do. I'm not sure if you're using FreeRADIUS to authenticate pop3 users, or are trying to have FreeRADIUS use pop3 as an authentication method.
Alan DeKok.
Re: Secondary SQL accounting instance needed
On Fri, 2005-03-04 at 16:56 +0200, Mark Elkins wrote:
> On Wed, 2005-03-02 at 13:19 +0200, Mark Elkins wrote:
>
> > I want to collect the currently allocated IP address and username into a separate MySql table - if it (the user (=key)) exists - update the IP, if the user does not exist, add user and IP.
> >
> > I (think that I) understand that I need to have a second instance of 'sql'..
>
> Phew - it works (exactly as I documented :)
Might have spoken too soon. I'm getting... (in radius.log)
Error: rlm_sql (sql_catch_ip): Couldn't insert SQL accounting START record - Duplicate entry 'mcsa' for key 2
mcsa is a username - my table looks like
CREATE TABLE dnstab (
  dnsid int(10) unsigned NOT NULL auto_increment,
  username varchar(64) NOT NULL default '',
  realm varchar(64) NOT NULL default '',
  ip varchar(16) NOT NULL default '',
  dated timestamp(14) NOT NULL,
  PRIMARY KEY (dnsid),
  UNIQUE KEY username (username)
) TYPE=MyISAM;
Table dump includes
INSERT INTO dnstab VALUES (4,'mcsa','myddns.com','160.160.100.100',20050304175854);
My 'sql_catch_ip' (in 'sql.conf') has two SQL statements...
accounting_start_query = "INSERT into dnstab (username, realm, ip) values('%{Stripped-User-Name}', '%{Realm}', '%{Framed-IP-Address}')"
accounting_start_query_alt = "UPDATE dnstab SET ip='%{Framed-IP-Address}' WHERE username='%{Stripped-User-Name}' and realm='%{Realm}'"
My understanding is that if there is an SQL error from accounting_start_query - that accounting_start_query_alt would be automatically tried - without any error report - or should I be using the username as the key instead? (or probably the username and realm concatenated), again I could probably use one of those cute new mysql commands that does "update" instead of "insert" if a key exists.. but what is FreeRadius meant to do?
--
Posix Systems - Sth Africa. e.164 VOIP ready
[EMAIL PROTECTED] - Mark J Elkins, Cisco CCIE
Tel: +27 12 807 0590 Cell: +27 82 601 0496
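The insert-then-update pattern described in the message above, next to a single-statement upsert, as an added Python example that is not part of the original thread and not FreeRADIUS code. It uses SQLite as a stand-in for MySQL (MySQL's counterpart to the upsert is INSERT ... ON DUPLICATE KEY UPDATE); the function names, the second realm and the 192.0.2.x addresses are constructed for illustration.

```python
"""INSERT-then-UPDATE fallback versus one upsert for the dnstab table."""
import sqlite3

# Table as posted: the unique key covers username only.
SCHEMA_POSTED = """CREATE TABLE dnstab (
    dnsid INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL DEFAULT '',
    realm TEXT NOT NULL DEFAULT '',
    ip TEXT NOT NULL DEFAULT '',
    UNIQUE (username))"""

# Variant: the unique key matches the columns the UPDATE filters on.
SCHEMA_COMPOSITE = SCHEMA_POSTED.replace("UNIQUE (username)",
                                         "UNIQUE (username, realm)")


def make_db(composite_key: bool) -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA_COMPOSITE if composite_key else SCHEMA_POSTED)
    return db


def start_with_fallback(db, user, realm, ip) -> str:
    """Primary INSERT; on a duplicate-key error run the alternate UPDATE.

    Returns 'inserted', 'updated', or 'lost' when the INSERT was refused
    and the UPDATE matched no row, so the new address is stored nowhere.
    """
    try:
        db.execute("INSERT INTO dnstab (username, realm, ip) VALUES (?, ?, ?)",
                   (user, realm, ip))
        return "inserted"
    except sqlite3.IntegrityError:
        cur = db.execute(
            "UPDATE dnstab SET ip = ? WHERE username = ? AND realm = ?",
            (ip, user, realm))
        return "updated" if cur.rowcount else "lost"


def start_with_upsert(db, user, realm, ip) -> None:
    """One statement: insert, or update the ip when the key already exists."""
    db.execute(
        "INSERT INTO dnstab (username, realm, ip) VALUES (?, ?, ?) "
        "ON CONFLICT (username, realm) DO UPDATE SET ip = excluded.ip",
        (user, realm, ip))


def current_ips(db):
    return db.execute(
        "SELECT username, realm, ip FROM dnstab ORDER BY username, realm"
    ).fetchall()


if __name__ == "__main__":
    # Constructed accounting starts: same user twice, then under another realm.
    events = [("mcsa", "myddns.com", "160.160.100.100"),
              ("mcsa", "myddns.com", "192.0.2.10"),
              ("mcsa", "example.net", "192.0.2.20")]
    posted = make_db(composite_key=False)
    for ev in events:
        print(ev, "->", start_with_fallback(posted, *ev))
    fixed = make_db(composite_key=True)
    for ev in events:
        start_with_upsert(fixed, *ev)
    print(current_ips(posted))
    print(current_ips(fixed))
```

With the key on username alone, the third event is refused by the INSERT and matched by no row in the UPDATE, which is the case a key on username and realm together avoids.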
Re: Secondary SQL accounting instance needed
On Wed, 2005-03-02 at 13:19 +0200, Mark Elkins wrote:
> I want to collect the currently allocated IP address and username into a separate MySql table - if it (the user (=key)) exists - update the IP, if the user does not exist, add user and IP.
>
> I (think that I) understand that I need to have a second instance of 'sql'..
Phew - it works (exactly as I documented :)
There are so many comments in the default radiusd.conf (and sql.conf) that it can become confusing. Better in than out though... Perhaps the default configs should use the full 'instance name' rather than just 'sql' ?? I know that then there will be even more info in the config file - but then adding multiple instances would be less dramatic and more intuitive for others to do?
Someone also asked "why are you ignoring stop records",... This is for ADSL in South Africa, where our Telcom Monopoly currently refuses to give static IP's on ADSL services - and to make sure, drops all connections as soon as they get to 24 hours of age, making sure that they get a new IP every 24 hours. Usually, most ADSL users who would need a DDNS service try and make sure that their link goes back up within seconds.. I'm intending to use the info as a 'free DDNS' for those that authenticate via me, and having a "DNS Lookup OK, route to host failed" is probably better than a "No DNS Record" - and quite often, after the 24 hour drop, the IP is the same anyway...
Back to multiple instances... now I'm running another bunch of connections to the same SQL Database. Perhaps a bit inefficient?? Maybe there should be some magical keyword that allows multiple instances to the same Database to use the same "connections"??
--
Posix Systems - Sth Africa. e.164 VOIP ready
[EMAIL PROTECTED] - Mark J Elkins, Cisco CCIE
Tel: +27 12 807 0590 Cell: +27 82 601 0496
Re: Supported password types [mysql authorization]
On Fri, 2005-03-04 at 06:35, Roger Peña Escobio wrote:
> Quoting Alan DeKok <[EMAIL PROTECTED]>:
>
> > Nick Bright <[EMAIL PROTECTED]> wrote:
> > > I'm having trouble coming up with anything on google about this. Does it help to say that the passwords stored in /etc/shadow appear to be MD5Crypt passwords? They all start with $1$ . . .
> >
> > Then using those passwords in Crypt-Password should work.
>
> and Auth-Type := PAP , that one solved the problem that we had when we migrated from 0.9.3 to 1.0.x (Local instead of PAP didn't work)
Great! By changing Auth-Type to PAP in radcheckgroup, I was able to copy and paste the MD5Crypt password from /etc/shadow to the Crypt-Password field in the database!
For the sake of mailing list indexes, I will sum up what I had to do to get MD5-Crypt passwords from /etc/shadow to work with FreeRADIUS + MySQL:
1) Set up everything as normal to work with clear-text passwords
2) Add another group to radcheckgroup with Auth-Type := PAP
3) Add users to radcheck with Attribute Crypt-Password :=
Note: I did *not* have to make *any* changes to radiusd.conf to make this work.
While this presents a few minor logistical problems for my application, I feel that I can work around them. This application of FreeRADIUS + MySQL + MD5 Crypt passwords should be handy for anyone that needs to migrate from passwd authorization to mysql authorization, or in a situation like mine - a user list with only encrypted passwords.
Thanks for your help yesterday Alan, and thanks for the tip-off to Auth-Type := PAP Roger; I appreciate your help guys :)
> cu
> roger
-- - Nick Bright Terraworld, Inc 888-332-1616 x315 http://home.terraworld.net
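What a server has to do to check a password against a $1$ string copied from /etc/shadow, as an added Python example that is not part of the original thread and is not FreeRADIUS code. The function names are assumptions, and the sample hash is the published openssl-passwd documentation example for the password "password" with salt "xxxxxxxx", not a value from the thread.

```python
"""Checking a PAP password against an MD5-crypt ($1$) hash from /etc/shadow."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """MD5-based crypt(3), the scheme behind hashes that start with $1$."""
    pw = password.encode()
    sl = salt.split("$")[0][:8].encode()   # salt is at most 8 characters
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    n = len(pw)
    while n:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                  # fixed 1000 stretching rounds
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(sl)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + out


def check_crypt_password(cleartext: str, stored: str) -> bool:
    """True if the cleartext delivered by PAP matches the stored $1$ hash.

    The hash can only be recomputed from the cleartext, which is why the
    request has to carry the password itself (PAP) for this comparison.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False   # not an MD5-crypt string: refuse rather than guess
    candidate = md5_crypt(cleartext, parts[2])
    return hmac.compare_digest(candidate.encode(), stored.encode())


# Sample value from the openssl-passwd documentation (password "password").
STORED = "$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a."

if __name__ == "__main__":
    for attempt in ("password", "Password", ""):
        print(repr(attempt), "->", check_crypt_password(attempt, STORED))
```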
Re: EAP-TLS: "check_cert_cn" does not work?
Manuel Schmitz wrote:
> Can I re-enable certs as well (with CRLs)?
It *can* be done, but it's generally not advised. If you need to temporarily disable a client, then the more appropriate way would be an explicit deny for that username in the users file and make sure check_cert_cn is enabled.
> Where is a database of all certs which are still valid (when using CRLs) ?
The CA normally keeps its own internal database of valid certs, but there's not anything that gets checked during the authentication process. The certificate is valid if its cryptographic signature checks out as correct against the correct CA. These are really more PKI questions. If you're planning on using EAP-TLS in production, you should familiarize yourself with PKI and running a CA.
> Does freeradius in eap-tls/eap-peap mode only check the client certs for proper signature?
It has to. FreeRADIUS' PEAP implementation does not use client certs though. Only EAP-TLS uses client certs in FR.
> Sorry for the silly questions. I spent a whole day googling around and reading howtos and docs. There's not too much documentation about all this.
If you're serious about using EAP-TLS, then, as I said above, you need to look at documentation on running a certification authority and how PKI works.
--Mike
FreeRADIUS + PEAP
Hello Everyone! I have FreeRADIUS up and running and authenticating users who dial up into our network. FreeRADIUS is working perfectly for that purpose.
I am now trying to configure FreeRADIUS to also authenticate my wireless users who connect to a Linksys WAP54G Wireless Access Point. I have configured the Linksys to authenticate against my FreeRADIUS server using WPA. FreeRADIUS does get the authentication requests, but it seems that I've done something wrong and the requests are not being authenticated properly. Here's what I get in my FreeRADIUS log:
Fri Mar 4 13:11:11 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/<no User-Password attribute>] (from client wireless.meitech.com port 9 cli 000b7d0fa264)
Fri Mar 4 13:11:41 2005 : Info: rlm_eap_tls: Length Included
Fri Mar 4 13:11:41 2005 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Mar 4 13:11:41 2005 : Info: rlm_eap_tls: Length Included
Fri Mar 4 13:11:41 2005 : Info: (other): SSL negotiation finished successfully
Fri Mar 4 13:11:41 2005 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Mar 4 13:11:41 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/<no User-Password attribute>] (from client localhost port 0)
Fri Mar 4 13:11:41 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/<no User-Password attribute>] (from client wireless.meitech.com port 9 cli 000b7d0fa264)
Why is there no username attribute? I have configured the Windows XP workstation to use PEAP and it asks me for my login name and password, which I entered, but it seems that the password attribute is not being sent to FreeRADIUS, or maybe it's being sent in a way that FreeRADIUS isn't understanding?
I have attached my radiusd.conf file to this e-mail as well, in case anyone wants to review it.
PS - I generated the certificates I'm using for eap/tls authentication using OpenSSL for the purposes of having my own "in-house" CA, which allows me to issue certificates to customers and employees as I need to. I figured it was best to use the same certificates for my wireless authentication, no? My wireless users are connecting using login names and passwords, not certificates, but I think that eap needs certificates anyhow, correct?
Tim Gustafson MEI Technology Consulting, Inc [EMAIL PROTECTED] (516) 379-0001 Office (516) 480-1870 Mobile/Emergencies (516) 908-4185 Fax http://www.meitech.com/
Re: Supported password types [mysql authorization]
Quoting Alan DeKok <[EMAIL PROTECTED]>:
> Nick Bright <[EMAIL PROTECTED]> wrote:
> > I'm having trouble coming up with anything on google about this. Does it help to say that the passwords stored in /etc/shadow appear to be MD5Crypt passwords? They all start with $1$ . . .
>
> Then using those passwords in Crypt-Password should work.
and Auth-Type := PAP , that one solved the problem that we had when we migrated from 0.9.3 to 1.0.x (Local instead of PAP didn't work)
cu
roger
--
Central node of the Infomed network (http://www.sld.cu)
Linux user: 97152 (http://counter.li.org)
Member of the LinuxCuba coordination group (http://www.linux.cu)
"Whatever you do will be insignificant, but it is very important that you do it." Gandhi
Re: EAP-TLS: "check_cert_cn" does not work?
Can I re-enable certs as well (with CRLs)? Where is a database of all certs which are still valid (when using CRLs) ? Does freeradius in eap-tls/eap-peap mode only check the client certs for proper signature?
Sorry for the silly questions. I spent a whole day googling around and reading howtos and docs. There's not too much documentation about all this.
--Manuel
> That's what CRLs are for. There is support for CRLs in FreeRADIUS now, so you can revoke the certs you no longer want used.
>
> --Mike
>
> ---
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
>
> Manuel Schmitz wrote:
> > Thank you very much. :-)
> > I simply need a way to "turn off" certificates. Is there a possibility to reject single certificates?
> > I would like to provide a file containing a list of certs to deny. Is that possible?
> > --Manuel
> >
> > > No, the only thing that check_cert_cn does is make sure that the CN in the certificate matches the User-Name attribute in the RADIUS request. It's basically just a sanity/security check on the request itself. It does *not* go looking on other autz sources for you. It is up to you to decide elsewhere (users file, SQL DB, LDAP) whether or not to allow that user to authenticate. If you do nothing, the user will be allowed to authenticate by default. If, for some reason, you decide you don't want a user to be allowed to authenticate, you must specifically reject him.
> > >
> > > --Mike
> > >
> > > ---
> > > Michael Griego
> > > Wireless LAN Project Manager
> > > The University of Texas at Dallas
> > >
> > > Manuel Schmitz wrote:
> > > > Hello,
> > > >
> > > > as far as I have understood, the "check_cert_cn" switch in raddb/eap.conf forces the certificate's Common Name to be in the raddb/users file. Otherwise the request will be rejected.
> > > >
> > > > Now I've commented out the whole raddb/users file but the radius doesn't reject any request.
> > > >
> > > > I am running a WLAN with EAP-TLS authentication and need to "switch off" single certificates.
> > > >
> > > > --Manuel Schmitz
How to set FreeRADIUS auth via POP3?
Hi, did anyone use freeradius with POP3? I tried to use pam_pop3 to do this, but failed. Please give me some advice, thanks a lot :P
RE: radsqlrelay for 1.0.2
Thanks Roy, is it possible to build it against the 1.0.2 tree or am I stuck with the cvs version? The libraries differ between the cvs version and the 1.0.2 version.
regards, Bart
-----Original Message-----
From: ROY [mailto:[EMAIL PROTECTED]
Sent: Friday, 4 March 2005 2:43
To: Bart Van Daal
Subject: RE: radsqlrelay for 1.0.2
Hi Bart,
On Thu, 2005-03-03 at 15:36 +0100, Bart Van Daal wrote:
> Hi Nicolas, hi Roy,
>
> Nicolas I'm currently using your radsqlrelay.c with the 1.0.2 release and I've patched the makefile. I'm very new to this whole patching and code-hacking thing. I'm getting the following error message while making radsqlrelay:
> thanks for any pointers how to compile radsqlrelay.
The patches were already committed on the current CVS. You may try building from it. I've done some stress tests on the version and it looks OK so far.
Regards, Roy
Re: L2TP accounting
Hello Alan,
Thanks for your help, now all I have to do is practice my almost forgotten C skills.
Kind regards.
David
On Wednesday, 2 March 2005 22:22, Alan DeKok wrote:
> David Manchado <[EMAIL PROTECTED]> wrote:
> > it seems freeradius does not support L2TP accounting for Tunnel-Start and Tunnel-Stop, it is not a problem because it works but I would like to know if there is any way to add support to account them.
>
> Edit src/modules/rlm_sql/* to have an SQL query for that status type, and then do something with it.
>
> Alan DeKok.
--
David Manchado
System Administrator EUROCIBER
e: [EMAIL PROTECTED] t: +34 902 902 997 f: +34 91 183 1109
Public PGP key available at pgp.mit.edu