Problems with 1.0.2

2005-05-06 Thread Paul Seaman
Hey, I'm trying to compile 1.0.2, and I get the following errors (snipped at 
the end for brevity) - it seems to be related to EAP, is there a simple way to 
fix this or maybe an easy way to tell it I'm not interested in the EAP 
module?

Thanks,
Paul
(cd .libs && rm -f libeap.la && ln -s ../libeap.la libeap.la)
gmake[7]: Leaving directory 
`/usr/src/RPM/BUILD/freeradius-1.0.2/src/modules/rlm_eap/libeap'
gcc  -O2 -fomit-frame-pointer -pipe -march=i586 -mtune=pentiumpro  -fpic -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -DNDEBUG 
 -I../../include  -I./libeap  -o radeapclient 
radeapclient.o -Llibeap -leap -L../../lib -lradius -lnsl -lresolv  -lpthread 
-lcrypto -lssl  -lcrypt
radeapclient.o(.text+0x2d3): In function `cleanresp':
: undefined reference to `pairdelete'
radeapclient.o(.text+0x2e4): In function `cleanresp':
: undefined reference to `pairdelete'
radeapclient.o(.text+0x31e): In function `cleanresp':
: undefined reference to `pairbasicfree'
radeapclient.o(.text+0x365): In function `process_eap_start':
: undefined reference to `pairfind'
radeapclient.o(.text+0x485): In function `process_eap_start':
: undefined reference to `pairfind'
radeapclient.o(.text+0x49a): In function `process_eap_start':
: undefined reference to `pairfind'
radeapclient.o(.text+0x4b4): In function `process_eap_start':
: undefined reference to `pairfind'
radeapclient.o(.text+0x5ed): In function `process_eap_start':

 etc .. 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Upgrading freeradius 1.0.2 with freeradius-snapshot-20050502

2005-05-06 Thread Alan DeKok
[EMAIL PROTECTED] (Paul Hampson) wrote:
> Well, I've just been handed some rlm_sql (possible) security bugs,
> which I'm going to look hard at this weekend. Then we can release
> 1.0.3.

  Ok.  I think they should be fixed, but I don't think they're
critical.

  Alan DeKok.



Re: Questions and feature request...

2005-05-06 Thread Alan DeKok
"Lucas Aimaretto" <[EMAIL PROTECTED]> wrote:
> This is interesting. How can I use Reply-Messages?. In the radreply
> table ??? I believe this table is only used if user got an
> access-accept, is it true ?

  No.  It's used during authorization, before the server has decided
if the user is accepted or rejected.

  Alan DeKok.




Re: (no subject)

2005-05-06 Thread Alan DeKok
Babar Shafiq <[EMAIL PROTECTED]> wrote:
> I know i can see the reject cause while running in debug mode but I
> want to store the reject causes in database or logs it. so it will
> be helpful in future for support people,customer support etc, so
> they can inform users what is the exact cause of the rejection !!

  Then always run the server in debugging mode.

  Or, write scripts to log reasons for failure.

  Alan DeKok.



RE: Exec-Program-Wait vs rlm_exec

2005-05-06 Thread mmiranda
[EMAIL PROTECTED] wrote:
> On Thu, May 05, 2005 at 08:22:44AM -0600, [EMAIL PROTECTED]
> wrote: 
>> [EMAIL PROTECTED] wrote:
>>> On Tue, May 03, 2005 at 10:23:05AM -0600, [EMAIL PROTECTED]
>>> wrote:
>>>> Hi, what do you consider the best solution when you need to run an
>>>> external program to make additional checks when an access request is
>>>> received, exec-program-wait or rlm_exec, I'm using
>>>> exec-program-wait, should I use rlm_exec instead, the script checks
>>>> some items like credit amount and returns 0 or 1 if success or fail,
>>>> thanks
>>> 
> I do this with Post-Auth-Type.

How do you filter by groupname?

I check the groupname vs the radgroupreply, every group has a different
Exec-Program-Wait.

---
Miguel



what's going foobar

2005-05-06 Thread Chris Knipe
Lo all,
FreeBSD 5.4-STABLE... and uhm ja...
Accounting WHERE UserName=LOWER('%{SQL-User-Name}') AND AcctStopTime = 0"
sql: postauth_table = "radpostauth"
sql: postauth_query = ""
sql: safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to
[EMAIL PROTECTED]:/CENERGY
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1 (LWP 100853)]
0x2831b010 in memset () from /lib/libc.so.5
(gdb) back
#0  0x2831b010 in memset () from /lib/libc.so.5
#1  0x5f6c7173 in ?? ()
#2  0x28560b51 in sql_init_socket (sqlsocket=0x9072540, config=0x8eda000) at
sql_mysql.c:71
#3  0x2855bf6c in connect_single_socket (sqlsocket=0x9072540,
inst=0x9072440) at sql.c:70
#4  0x2855c0c4 in sql_init_socketpool (inst=0x9072440) at sql.c:130
#5  0x2855a4c7 in rlm_sql_instantiate (conf=0x85234e8, instance=0x0) at
rlm_sql.c:699
#6  0x08054b9d in find_module_instance ()
#7  0x08055d86 in modcall ()
#8  0x08055312 in setup_modules ()
#9  0x0804cdc0 in main ()
Is this rlm_sql that is going foobar?  Another possibility (I just feel it
in my guts) is that it may be threads... whilst I did not
specify --with-threads at compile time, I saw compile still used
POSIX_THREADS.  Any way to force FR not to use threads??  This is FR 1.0.2
Thanks a lot.
--
Chris. 



RE: Questions and feature request...

2005-05-06 Thread Lucas Aimaretto
> > 2) Reject Cause (feature request)
> > Free radius is not informing when it rejects any user if found a
> > condition false in radgroupcheck or in radcheck only send reject
> > (reply:Packet-Type), is it possible to give reject with attributes so
> > we will know which attribute is the cause of reject,
> 
>   No.  Even if you did that, the user being rejected wouldn't 
> see the information.  The RADIUS clients won't show it to 
> them.  Also, showing this information to a user is a 
> potential security risk.
> 
>   You can use Reply-Message to give the users a message, but 
> you can't use any other attribute.

This is interesting. How can I use Reply-Messages?. In the radreply
table ??? I believe this table is only used if user got an
access-accept, is it true ?

Regards,

Lucas



NAS-IP member of multiple huntgroups?

2005-05-06 Thread Wolfgang Hottgenroth
Hi,


I'm wondering why it is prohibited to have a particular NAS-IP-Address
in more than one huntgroup.

I want to use huntgroups for roaming blocking:

huntgroups:

DE.HDN  NAS-IP-Address == 10.0.0.1
DE      NAS-IP-Address == 10.0.0.1
EMEA    NAS-IP-Address == 10.0.0.1

DE.FRM  NAS-IP-Address == 10.0.0.2
DE      NAS-IP-Address == 10.0.0.2
EMEA    NAS-IP-Address == 10.0.0.2

DE.DTM  NAS-IP-Address == 10.0.0.3
DE      NAS-IP-Address == 10.0.0.3
EMEA    NAS-IP-Address == 10.0.0.3

UK.LND  NAS-IP-Address == 10.0.1.1
UK      NAS-IP-Address == 10.0.1.1
EMEA    NAS-IP-Address == 10.0.1.1

UK.CBG  NAS-IP-Address == 10.0.1.2
UK      NAS-IP-Address == 10.0.1.2
EMEA    NAS-IP-Address == 10.0.1.2

BE.BRU  NAS-IP-Address == 10.0.2.1
BE      NAS-IP-Address == 10.0.2.1
EMEA    NAS-IP-Address == 10.0.2.1



users:

user1   User-Password == "test", Huntgroup-Name == "EMEA"
...
...

user2   User-Password == "test", Huntgroup-Name == "DE"
...
...

user3   User-Password == "test", Huntgroup-Name == "DE.FRM"
...
...



But this doesn't work, since only the first huntgroup name for a
particular IP is considered.

I'm wondering especially since the multiple huntgroup names for one
NAS-IP-Address are considered when the huntgroups file is read into
the data structure of rlm_preprocess, but they are not considered when
a user is checked using huntgroup_access. Accordingly simple is the
patch to achieve this MANY_HUNTGROUP_NAMES_FOR_ONE_IP "feature":

--- rlm_preprocess.c2004-10-07 22:52:31.0 +0200
+++ rlm_preprocess.c-patched2005-05-06 12:56:50.0 +0200
@@ -362,8 +362,13 @@
 *  We've matched the huntgroup, so add it in
 *  to the list of request pairs.
 */
+#define MANY_HUNTGROUP_NAMES_FOR_ONE_ADDRESS 1
+#ifndef MANY_HUNTGROUP_NAMES_FOR_ONE_ADDRESS
vp = pairfind(request_pairs, PW_HUNTGROUP_NAME);
if (!vp) {
+#else
+   {
+#endif
vp = paircreate(PW_HUNTGROUP_NAME,
PW_TYPE_STRING);
if (!vp) {
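Review bot: The `#define MANY_HUNTGROUP_NAMES_FOR_ONE_ADDRESS 1` sits directly above the `#ifndef` that tests it, so the original `pairfind()` branch can never be compiled and the macro is not a real switch. Move the define to a build option or the top of the file (or delete the old branch outright), and settle on one name, since the mail calls it MANY_HUNTGROUP_NAMES_FOR_ONE_IP. Dropping the `pairfind(request_pairs, PW_HUNTGROUP_NAME)` test also means a Huntgroup-Name already present in the request pairs no longer stops another one from being created; as the users file in this mail relies on that attribute for access checks, the change in behaviour deserves a comment.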
@@ -379,7 +384,9 @@
}
r = RLM_MODULE_OK;
}
+#ifndef MANY_HUNTGROUP_NAMES_FOR_ONE_ADDRESS
break;
+#endif
}
 
return r;
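Review bot: With `break;` compiled out, execution continues past `r = RLM_MODULE_OK;` to the remaining entries, so every later match runs the same block and creates another PW_HUNTGROUP_NAME pair, including an identical one if the same name is listed twice for an address. Skip creation when a pair with the same value is already in the request list, and note in a comment that the whole huntgroup list is now scanned for every request instead of stopping at the first match.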



Wouldn't it be a useful enhancement to be able to have one
NAS-IP-Address in many huntgroups? Or is anything against the
"feature" I propose, which I do not see at the moment?



Thanks,
Wolfgang
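
A simplified model of the matching behaviour this message describes, added here as an illustration; it is not FreeRADIUS code and not the poster's patch. The names hg_entry, hg_names_for and hg_check are hypothetical, and the table is a constructed subset of the huntgroups file quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a subset of the huntgroups file quoted in the post. */
struct hg_entry { const char *name; const char *nas_ip; };
static const struct hg_entry huntgroups[] = {
    {"DE.HDN", "10.0.0.1"}, {"DE", "10.0.0.1"}, {"EMEA", "10.0.0.1"},
    {"DE.FRM", "10.0.0.2"}, {"DE", "10.0.0.2"}, {"EMEA", "10.0.0.2"},
    {"UK.LND", "10.0.1.1"}, {"UK", "10.0.1.1"}, {"EMEA", "10.0.1.1"},
};
#define N_HG (sizeof huntgroups / sizeof huntgroups[0])
#define MAX_NAMES 8

/* Collect the huntgroup names for a request from nas_ip into out[].
 * all_matches == 0 stops at the first matching entry (the behaviour the
 * post describes); non-zero keeps scanning and skips duplicate names. */
int hg_names_for(const char *nas_ip, int all_matches, const char **out)
{
    int n = 0;
    for (size_t i = 0; i < N_HG && n < MAX_NAMES; i++) {
        if (strcmp(huntgroups[i].nas_ip, nas_ip) != 0) continue;
        int dup = 0;
        for (int j = 0; j < n; j++)
            if (strcmp(out[j], huntgroups[i].name) == 0) dup = 1;
        if (!dup) out[n++] = huntgroups[i].name;
        if (!all_matches) break;
    }
    return n;
}

/* Model of a users-file check item Huntgroup-Name == "wanted":
 * returns 1 if the request carries that name, 0 otherwise (fails closed). */
int hg_check(const char *nas_ip, const char *wanted, int all_matches)
{
    const char *names[MAX_NAMES];
    int n = hg_names_for(nas_ip, all_matches, names);
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], wanted) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("first match: DE=%d DE.FRM=%d\n",
           hg_check("10.0.0.2", "DE", 0), hg_check("10.0.0.2", "DE.FRM", 0));
    printf("all matches: DE=%d EMEA=%d UK=%d\n", hg_check("10.0.0.2", "DE", 1),
           hg_check("10.0.0.2", "EMEA", 1), hg_check("10.0.0.2", "UK", 1));
    return 0;
}
```

With first-match semantics a user restricted to "DE" is refused on the 10.0.0.2 NAS even though that address is listed under DE; with all matches the regional check passes while "UK" and unknown NAS addresses are still refused.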





Authenticate just one time

2005-05-06 Thread Pedro Amado
Hi,
Does anyone know how I can disable the possibility of a user logging in 2 
times at the same time in different places?

TIA
Pedro Amado


Multiple ippools with current stable FreeRADIUS-1.0.2

2005-05-06 Thread Wolfram Schlich
Hi,

currently I'm using FreeRADIUS-1.0.2 with the rlm_sql_mysql backend
for accounting, authentication etc.
I have several users in the "radcheck" table...

--8<--[ radcheck ]--8<--
id UserName Attribute     op Value
-- -------- ------------- -- -------
1  JohnDoe  User-Password == secret1
2  JaneDoe  User-Password == secret2
--8<--

...and two groups in the "radgroupcheck" table, one for users with static IP
addresses and one for users with dynamic IP addresses...

--8<--[ radgroupcheck ]--8<--
id GroupName Attribute       op Value
-- --------- --------------- -- -----------
1  static    Auth-Type       := Local
2  static    Service-Type    := Framed-User
3  static    Framed-Protocol := PPP
4  dynamic   Auth-Type       := Local
5  dynamic   Service-Type    := Framed-User
6  dynamic   Framed-Protocol := PPP
7  dynamic   Pool-Name       := ippool1
--8<--

...as well as user -> group mappings in the "usergroup" table...

--8<--[ usergroup ]--8<--
id UserName GroupName
-- -------- ---------
1  JohnDoe  static
2  JaneDoe  dynamic
--8<--

...the individual user's static IP addresses...

--8<--[ radreply ]--8<--
id UserName Attribute         op Value
-- -------- ----------------- -- -------
1  JohnDoe  Framed-IP-Address =  1.2.3.1
--8<--

...and the group replies...

--8<--[ radgroupreply ]--8<--
id GroupName Attribute       op Value                              prio
-- --------- --------------- -- ---------------------------------- ----
1  static    Service-Type    =  Framed-User                        0
2  static    Framed-Protocol =  PPP                                0
3  static    Cisco-AVPair    =  ip:dns-servers=1.2.3.250 1.2.4.250 0
4  dynamic   Service-Type    =  Framed-User                        0
5  dynamic   Framed-Protocol =  PPP                                0
6  dynamic   Cisco-AVPair    =  ip:dns-servers=1.2.3.250 1.2.4.250 0
--8<--

Here's the interesting content of radiusd.conf:

--8<--[ radiusd.conf ]--8<--
[...]
modules {
    [...]
    ippool ippool1 {
        range-start = 1.2.4.2
        range-stop = 1.2.4.249
        netmask = 255.255.255.255
        cache-size = 3072
        session-db = ${raddbdir}/ippool.d/ippool1.session-db
        ip-index = ${raddbdir}/ippool.d/ippool1.ip-index
        override = no
        maximum-timeout = 0
    }
    ippool ippool2 {
        range-start = 1.2.8.2
        range-stop = 1.2.8.249
        netmask = 255.255.255.255
        cache-size = 3072
        session-db = ${raddbdir}/ippool.d/ippool2.session-db
        ip-index = ${raddbdir}/ippool.d/ippool2.ip-index
        override = no
        maximum-timeout = 0
    }
}
accounting {
    ippool1
    sql
}
session {
    sql
}
post-auth {
    ippool1
    sql
}
--8<--

Everything works fine with ippool1.

How can I make ippool2 being used by the "dynamic" usergroup as well?

I would like to keep using the stable 1.0.2 release instead of switching to
a CVS snapshot, just in case the solution is easier with a recent
snapshot.

Thanks in advance.
-- 
Wolfram Schlich




(no subject)

2005-05-06 Thread Babar Shafiq
Hello,

Thanks for the reply.


>You can use Reply-Message to give the users a message, but you can't
>use any other attribute.

I don't want it for user to send him any reply.

>  If you, as administrator, want to see why a user is rejected, run
>the server in debugging mode.
>
>> %{reply:Packet-Type} this give me 'reject' only but i need some
>> informative answer, how to do that thing ?
>
>  Run the server in debugging mode.
>
I know I can see the reject cause while running in debug mode but I want to
store the reject causes in database or log it, so it will be helpful in
future for support people, customer support etc, so they can inform users
what is the exact cause of the rejection !!

That will be a nice addition ? when radius sends reject like
reject-Bad-Password or reject-Bad-Calling-Station-Id something like that ???
Or same sort of thing we can do ? without running in debug mode and without
using external scripts !!

Thanks
Babar Shafiq.



God is a great Programmer



Re: free radius + dependencies

2005-05-06 Thread Jacques
Yeah, I hate RPMs. Had that same problem on my system (Fedora Core 3).
Who wants to spend time hunting for each one (which each have their
own dependencies)?

Try to install apt-get then you can do a nice little: apt-get
freeradius and apt-get freeradius-mysql. Very slick

I've heard yum is good too but been trying to use it for installing
mono and so far it's a POS

Hope this helps

On 5/6/05, Rupak <[EMAIL PROTECTED]> wrote:
> Hello as you people suggested me to use free radius rpm I installed it. The
> version is freeradius-1.0.1-1.x86_64.rpm. Now when I issue
> the command rpm -ivh freeradius-1.0.1-1.x86_64.rpm, then it shows me
> dependencies as following
>
> error: Failed dependencies:
> libc.so.6()(64bit) is needed by freeradius-1.0.1-1
> libc.so.6(GLIBC_2.2.5)(64bit) is needed by freeradius-1.0.1-1
> libc.so.6(GLIBC_2.3)(64bit) is needed by freeradius-1.0.1-1
> libc.so.6(GLIBC_2.3.4)(64bit) is needed by freeradius-1.0.1-1
> libcom_err.so.2()(64bit) is needed by freeradius-1.0.1-1
> libcrypt.so.1()(64bit) is needed by freeradius-1.0.1-1
> libcrypto.so.4()(64bit) is needed by freeradius-1.0.1-1
> libdl.so.2()(64bit) is needed by freeradius-1.0.1-1
> libgdbm.so.2()(64bit) is needed by freeradius-1.0.1-1
> libk5crypto.so.3()(64bit) is needed by freeradius-1.0.1-1
> libkrb5.so.3()(64bit) is needed by freeradius-1.0.1-1
> liblber-2.2.so.7()(64bit) is needed by freeradius-1.0.1-1
> libldap_r-2.2.so.7()(64bit) is needed by freeradius-1.0.1-1
> libltdl.so.3()(64bit) is needed by freeradius-1.0.1-1
> libnsl.so.1()(64bit) is needed by freeradius-1.0.1-1
> libpam.so.0()(64bit) is needed by freeradius-1.0.1-1
> libpthread.so.0()(64bit) is needed by freeradius-1.0.1-1
> libpthread.so.0(GLIBC_2.2.5)(64bit) is needed by freeradius-1.0.1-1
> libresolv.so.2()(64bit) is needed by freeradius-1.0.1-1
> libsasl2.so.2()(64bit) is needed by freeradius-1.0.1-1
> libssl.so.4()(64bit) is needed by freeradius-1.0.1-1
>
> Now where can I get the listed dependencies.
>
> thank you