Re: not to return reply-attributes in reject?
kevin wrote:

How can I return Reject-Packet without default attributes? It seems that the default attributes in the users file are returned regardless of Accept or Reject. I don't want to give a hint to a hacker who can try a lot of rejects. Is there a way? Somebody suggested Exec-Program-Wait = reject.sh before. But it didn't work for me.

rlm_exec

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius proxy question
[EMAIL PROTECTED] wrote:

People might be able to do more if they had configs and debug output (-X)

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: Windows Client Authentification bevore Domain logon
Armin,

At 15:40 24/08/05, you wrote:

Ok, the whole day I tried to get it to work, but this time when I install the certificate as a machine certificate the radius authentication log ends up with this log below. The certificates were generated with openssl and all works fine as user certificates but not as computer certificate. I set the Registry Patch which was described in the mailing list to a value of 2.

As Ben has suggested in another email, there are some required extensions to the certificates to enable Windows to authenticate. How did you make your certificates? I followed the instructions in http://www.linuxjournal.com/article/8095.

Steve Atkinson
Fallibroome High School
Priory Lane
Macclesfield
Cheshire SK10 4AF
Fw: FreeRadius 1.0.4
- Original Message -
From: Madhvi Gokool [EMAIL PROTECTED]
To: freeradius-users@lists.cistron.nl
Sent: Thursday, August 25, 2005 10:37 AM
Subject: FreeRadius 1.0.4

Hello

We have planned to replace our cistron radius servers with Freeradius. We have the following setup:

1. Users dial in to access their mail and internet or work on an application server
2. Users dial in to access a specific server and nothing else. After they are authenticated, users get a static IP address.

We populate the users file manually and do not create unix users?? Can we use huntgroups to group say mail users, internet users, if they are not unix users? What attribute(s) should I use to allow the users in Scenario 2 access to their server? The NAS will either be a 3Com TCM or a Cisco access server. On the access server, we can implement access-lists to allow/deny access based on the assigned IP addresses, but we'd prefer using RADIUS attributes to do so.

Thank you in advance for your help.

Madhvi
usage of exec to get LDAP value..
Dear all,

I've configured my radius to load the value of timeout based on NAS-Port-Type, using LDAP for the user's entry. In LDAP, the user's entry will have 2 additional attributes:

TimeoutPSTN: 4000
TimeoutISDN: 1000

Then in the users file, I'm using exec to run a small script to get the correct value of sessiontimeout based on NAS-Port-Type:

DEFAULT NAS-Port-Type == Sync, Autz-Type := DIALUP, Auth-Type := DIALUP
        Session-Timeout = `%{exec:/usr/local/etc/raddb/timeout.pl %U ISDN}`

DEFAULT NAS-Port-Type == Async, Autz-Type := DIALUP, Auth-Type := DIALUP
        Session-Timeout = `%{exec:/usr/local/etc/raddb/timeout.pl %U PSTN}`

And it works... But my question is: is there any better way to do this?? Maybe directly get the value from LDAP.

thanks..
--haizam
salt-encrypted VSAs?
Hello,

I was hoping to send a few salt-encrypted VSAs to an ERX using FreeRADIUS Version 1.0.4, but I can't find any examples of how to do that. Is it possible, and if so, how?

The format of the VSAs is documented on http://www.juniper.net/techpubs/software/erx/junose700/swconfig-broadband/html/radius-attributes.html#335311

My initial (far fetched) attempt was to modify dictionary.erx like this:

VENDOR ERX 4874
BEGIN-VENDOR ERX
ATTRIBUTE ERX-Virtual-Router-Name 1 string
[..]
ATTRIBUTE ERX-LI-Action 58 integer encrypt=1
ATTRIBUTE ERX-Med-Dev-Handle 59 string encrypt=1
ATTRIBUTE ERX-Med-Ip-Address 60 ipaddr encrypt=1
ATTRIBUTE ERX-Med-Port-Number 61 integer encrypt=1
END-VENDOR ERX
[..]
VALUE ERX-LI-Action off 0
VALUE ERX-LI-Action on 1
VALUE ERX-LI-Action noop 2

I also tried the other documented encrypt-values, with no success. As probably should be expected? The ERX seems to just ignore Access-Accept packets with any of these attributes. They are not even logged as received. Not much help there.

Cisco has a bit better documentation with some examples (but not for FreeRADIUS) here: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/ftencvsa.htm

Does anyone have an idea of how to do this with FreeRADIUS?

Bjørn
Re: Windows Client Authentification bevore Domain logon
I also found using machine certificates to be hit and miss (some machines they'd be picked up, others they wouldn't - all XP SP2 with appropriate patches). And then I stumbled on this:

http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html

1.3.6.1.4.1.311.17.2

After I started adding that OID to my machine certs, everything started working wonderfully. I shook my fist at Microsoft that day!

Cheers,
Ben

On 8/25/05, Steven Atkinson [EMAIL PROTECTED] wrote:

Armin,

At 15:40 24/08/05, you wrote:

Ok, the whole day I tried to get it to work, but this time when I install the certificate as a machine certificate the radius authentication log ends up with this log below. The certificates were generated with openssl and all works fine as user certificates but not as computer certificate. I set the Registry Patch which was described in the mailing list to a value of 2.

As Ben has suggested in another email, there are some required extensions to the certificates to enable Windows to authenticate. How did you make your certificates? I followed the instructions in http://www.linuxjournal.com/article/8095.

Steve Atkinson
Fallibroome High School
Priory Lane
Macclesfield
Cheshire SK10 4AF
Re: Windows Client Authentification bevore Domain logon
Hi,

I found this thread yesterday and tried adding this OID but it had no effect... OK, maybe I did something wrong. Could you describe how you added this OID to your machine certificate? Today I built completely new root, server and client certificates based on the article in www.linuxjournal.com/article/8095. I will post my users file here. My newly generated client certificates use client10 as the client name.

Greetings
Armin

#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'acct_users', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the "hints" file), and huntgroup name (set by
# the "huntgroups" file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# "Fall-Through" variable is set to "Yes".
#
# A special user named "DEFAULT" matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# If you use the database support to turn this file into a .db or .dbm
# file, the DEFAULT entries _have_ to be at the end of this file and
# you can't have multiple entries for one username.
#
# You don't need to specify a password if you set Auth-Type += System
# on the list of authentication requirements. The RADIUS server
# will then check the system password file.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
# You can include another `users' file with `$INCLUDE users.other'
#
#
# For a list of RADIUS attributes, and links to their definitions,
# see:
#
# http://www.freeradius.org/rfc/attributes.html
#
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == "disabled", Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve Auth-Type := Local, User-Password == "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = "std.ppp",
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#test Auth-Type := Local, User-Password == "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = "std.ppp",
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#DEFAULT Auth-Type := EAP-TLS #Local, User-Password == "whatever"
#Reply-Message = "Default Client",
#Tunnel-Medium-Type = 6,
#Tunnel-Private-Group-Id = 1,
#Tunnel-Type = 13
Client1 Auth-Type := EAP-TLS #Local, User-Password == "whatever"
        Reply-Message = "Hello,%u Willkommen im Netzwerk der Firma Metaldyne",
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 1,
        Tunnel-Type = 13
host/Client10 Auth-Type := EAP-TLS #Local, User-Password == "whatever"
        Reply-Message = "Client10",
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 1,
        Tunnel-Type = 13
Workstation3 Auth-Type := EAP-TLS #Local, User-Password == "whatever"
        Reply-Message = "client3",
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 1,
        Tunnel-Type = 13
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe" Auth-Type := Local, User-Password ==
Re: Windows Client Authentification bevore Domain logon
The Galtex S.A. mail system informs you that your message has been delivered. This message was generated automatically by the mail system of user belskia. Please do not reply to this message.
Re: FreeRADIUS 1.0.4: SEGMENTATION FAULT
Alan DeKok wrote:

Richard Cotrina [EMAIL PROTECTED] wrote:

(gdb) display mysql_sock
1: mysql_sock = (rlm_sql_mysql_sock *) 0x5f6c7173

That's bad. That's very bad. It's the ASCII string sql_, interpreted as a pointer on an x86 machine. No wonder it crashes. The short answer is that there appears to be some memory corruption. Can you print out the contents of sqlsocket, too? Both the structure contents, and the *hex* contents of that area of memory. It looks like the sqlsocket pointer that's being passed is bad.

The infringing pointer mysql_sock contains the return value of a malloc three lines above. Perhaps something messed up the memory so badly that malloc returns garbage. It's not easy to find out where the problem is: on my system (Debian), I can run radiusd in valgrind with num_sql_socks = 20 and I get no errors from valgrind.

--
Nicolas Baradakis
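The observation quoted in the message above (a pointer whose bytes are printable ASCII usually means string data was written over it) can be checked mechanically. This is an added example, not code from the thread or from FreeRADIUS; the function names are made up here, and the sample input is the two gdb `display` lines quoted in this thread.

```python
import re

# Matches gdb "display"/"print" lines such as:
#   1: mysql_sock = (rlm_sql_mysql_sock *) 0x5f6c7173
PTR_RE = re.compile(r"(\w+)\s*=\s*\([^)]*\*\)\s*(0x[0-9a-fA-F]+)")


def pointer_as_text(value, width=4, byteorder="little"):
    """Return the pointer's bytes as text if every byte is printable ASCII.

    width=4 / byteorder="little" matches 32-bit x86, the platform in the
    thread. Returns None when the value looks like an ordinary address.
    """
    try:
        raw = value.to_bytes(width, byteorder)
    except OverflowError:
        return None  # value does not fit a pointer of this width
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def suspicious_pointers(gdb_output, width=4, byteorder="little"):
    """List (variable, hex value, decoded text) for pointers that read as text."""
    hits = []
    for name, hexval in PTR_RE.findall(gdb_output):
        text = pointer_as_text(int(hexval, 16), width, byteorder)
        if text is not None:
            hits.append((name, hexval, text))
    return hits


# The two gdb lines quoted in this thread.
SAMPLE = """\
1: mysql_sock = (rlm_sql_mysql_sock *) 0x5f6c7173
1: sqlsocket = (SQLSOCK *) 0x8092720
"""

if __name__ == "__main__":
    for name, hexval, text in suspicious_pointers(SAMPLE):
        print(f"{name} = {hexval} decodes to {text!r}: likely overwritten by string data")
```

A hit tells you which string clobbered the pointer, which narrows the search to code that copies that string into a buffer next to the structure.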
more on server certificates
Hi

Has anybody got a digital certificate (with the extended key usage attributes required for PEAP) installed on their FreeRADIUS box that has been signed by a commercial trusted CA? I have come to suspect that this is impossible due to the fact that Verisign are the only company marketing such a product and it can only be installed on a Windows server (as the online purchase system only works if done from the target machine using Internet Explorer and Xenroll).

Thanks
Ben
Re: salt-encrypted VSAs?
Bjørn Mork [EMAIL PROTECTED] writes:

I was hoping to send a few salt-encrypted VSAs to an ERX using FreeRADIUS Version 1.0.4, but I can't find any examples of how to do that. Is it possible, and if so, how?

I should have Googled a bit more before posting... I have now read the relevant part of the source and also this very old and expired draft: http://www.freeradius.org/rfc/draft-ietf-radius-saltencrypt-00.txt

My problem seems to be that FreeRADIUS will only encrypt string or octet values, while Juniper has defined salt encrypted integer and ipaddr VSAs too.

Bjørn
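The salt encryption this thread is about, as an added example (not from the posts and not FreeRADIUS source): it implements the RFC 2868 Tunnel-Password scheme, the method FreeRADIUS's `encrypt=2` dictionary flag selects, and it operates on raw bytes. Wrapping the 4-octet wire form of an integer or ipaddr value the same way as a string is an assumption made here, not the ERX's documented format; the secret, authenticator and attribute values are constructed.

```python
import hashlib
import os
import socket
import struct


def _keystream(secret, prev):
    # b(i) = MD5(secret + previous block); for b(1) the "previous block"
    # is Request-Authenticator + salt.
    return hashlib.md5(secret + prev).digest()


def salt_encrypt(plain, secret, request_auth, salt=None):
    """Return salt (2 octets) + ciphertext for one value (RFC 2868, 3.5)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(plain) > 239:  # 15 blocks + salt is the most that fits in 253 octets
        raise ValueError("value too long for one RADIUS attribute")
    salt = bytearray(salt if salt is not None else os.urandom(2))
    if len(salt) != 2:
        raise ValueError("salt must be 2 octets")
    salt[0] |= 0x80  # the RFC requires the top bit of the salt to be set
    salt = bytes(salt)
    # Plaintext is a length octet + data, zero-padded to a 16-octet boundary.
    data = bytes([len(plain)]) + plain
    data += b"\x00" * (-len(data) % 16)
    out, prev = bytearray(salt), request_auth + salt
    for i in range(0, len(data), 16):
        block = bytes(p ^ k for p, k in zip(data[i:i + 16], _keystream(secret, prev)))
        out += block
        prev = block  # chaining: the next keystream depends on this ciphertext
    return bytes(out)


def salt_decrypt(value, secret, request_auth):
    """Inverse of salt_encrypt; raises ValueError on malformed input."""
    if len(value) < 18 or (len(value) - 2) % 16:
        raise ValueError("expected 2-octet salt + whole 16-octet blocks")
    salt, cipher = value[:2], value[2:]
    if not salt[0] & 0x80:
        raise ValueError("salt top bit not set")
    data, prev = bytearray(), request_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        data += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    if data[0] > len(data) - 1:
        raise ValueError("bad length octet (wrong secret or authenticator?)")
    return bytes(data[1:1 + data[0]])


def wire_bytes(kind, value):
    """RADIUS wire form of a typed value (RFC 2865 data types)."""
    if kind == "string":
        return value.encode("utf-8")
    if kind == "integer":
        return struct.pack("!I", value)   # 32-bit, network byte order
    if kind == "ipaddr":
        return socket.inet_aton(value)    # 4 octets
    raise ValueError(f"unsupported type: {kind}")


SECRET = b"testing123"            # constructed shared secret
REQUEST_AUTH = bytes(range(16))   # constructed Request Authenticator

if __name__ == "__main__":
    # Constructed values, one per data type mentioned in the thread.
    for kind, value in [("string", "handle-1"), ("integer", 1), ("ipaddr", "192.0.2.10")]:
        enc = salt_encrypt(wire_bytes(kind, value), SECRET, REQUEST_AUTH)
        print(kind, value, enc.hex())
```

The cipher itself is type-agnostic, so the string-only restriction described above is a property of the server's attribute encoder rather than of the algorithm.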
Re: MySQL radacct not updated
sean [EMAIL PROTECTED] wrote:

I have made no progress in resolving the radacct problem. Radius is loading with no error messages and I've gone over the radiusd.conf and sql.conf a million times.

But not the responses on this list.

below is the output from Radius when a client logs in.

In which there are no accounting packets. In other words, you are trying to figure out why your car makes funny noises by looking at your bicycle. See the FAQ. If the NAS doesn't send accounting information, FreeRADIUS can't log data it doesn't receive. Make the NAS send accounting data. This MAY involve reading NAS documentation, and not radiusd.conf.

Alan DeKok.
Re: usage of exec to get LDAP value..
haizam [EMAIL PROTECTED] wrote:

In LDAP.. user's entry will have additional 2 attributes TimeoutPSTN: 4000 TimeoutISDN: 1000 then in users file.. using exec to run small script to get correct value of sessiontimeout based on NAS-Port-Type

See raddb/ldap.attrmap. You can map those attributes to Session-Timeout, I think. If that doesn't work, map them to new attributes, and use the users file to copy those attributes to Session-Timeout.

Alan DeKok.
Re: Windows Client Authentification bevore Domain logon
Ben Walding [EMAIL PROTECTED] wrote:

And then I stumbled on this http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html 1.3.6.1.4.1.311.17.2 After I started adding that OID to my machine certs, everything started working wonderfully.

That OID is added by the cert creation script in the scripts directory, but it should be made more prominent in eap.conf, too.

Alan DeKok.
FreeRadius EAP-TLS
Hi all,

I have the following setup that I am struggling to make work:

Fedora core 3
FreeRadius 1.0.4
openssl .098
Dell TrueMobile 1170 Access Point v2.3.3
Dell 802.11b/g cards for AP and supplicant
Windows XP SP2

I have a 2 part question.

1. I recall reading on this forum that Windows XP broke EAP-TLS; does this apply to SP2 also?
2. Would it make a difference if I have CVS versus non-CVS FreeRadius installed?

Thanks
Hamid.
Re: FreeRadius EAP-TLS
On Aug 25, 2005, at 10:34 AM, Hamid Salim wrote:

I have a 2 part question. 1. I recall reading on this forum that Windows XP broke EAP-TLS; does this apply to SP2 also?

I've had XP SP2 EAP-TLS clients running against FR with no problems. Also, for what it's worth, I've built XP Embedded configurations (XP for embedded devices, booting compact flash), that run SP2 and work fine with FR as well.

Landon
Re: FreeRADIUS 1.0.4: SEGMENTATION FAULT
Richard Cotrina [EMAIL PROTECTED] wrote:

Can you print out the contents of sqlsocket, too? Both the structure contents, and the *hex* contents of that area of memory.

These values are what I've got:

(gdb) display sqlsocket
1: sqlsocket = (SQLSOCK *) 0x8092720
(gdb) x 0x8092720
0x8092720: 0x0001

And the *rest* of the data? It may be easier to give me an account on the machine. Email me privately, and I'll get you a copy of my SSH key.

Alan DeKok.
Re: not to return reply-attributes in reject?
rlm_exec what?

Thor Spruyt wrote:

kevin wrote:

How can I return Reject-Packet without default attributes? It seems that the default attributes in the users file are returned regardless of Accept or Reject. I don't want to give a hint to a hacker who can try a lot of rejects. Is there a way? Somebody suggested Exec-Program-Wait = "reject.sh" before. But it didn't work for me.

rlm_exec
FreeRadius-1.04 install seg faults after install (using EAP-TLS)
Hi,

I am having problems with freeradius 1.04 on debian. I previously installed the deb package, but later found out it doesn't support EAP-TLS, so had to build from source. I built it with the following commands:

./configure --with-rlm_eap_tls --disable-shared
make
make install

I have set up eap.conf and installed the required certificates. When starting radiusd it seems to get past loading the config and then seg faults. The output is below. Can anyone let me know what is causing the crash and how to get round it?

Thanks in advance,
Ben

bratislava:/usr/local/etc/raddb# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/freeradius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/freeradius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/freeradius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/freeradius/freeradius.pid
main: user = freerad
main: group = freerad
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/freeradius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = TLS
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
Segmentation fault
Re: FreeRadius-1.04 install seg faults after install (using EAP-TLS)
I've loaded up radiusd into gdb and the bug looks the same as http://bugs.freeradius.org/show_bug.cgi?id=98. That page says the solution is to pass configure the --disable-shared flag, which I have done, yet the bug remains.

Any help would be greatly appreciated,
Ben

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 22174)]
0x402a3e3a in lt_dlsym (handle=0x814ba78, symbol=0xbfffe6f8 rlm_eap_tls) at ltdl.c:3330
3330 lensym = LT_STRLEN (symbol) + LT_STRLEN (handle->loader->sym_prefix)
(gdb)
(gdb) where
#0 0x402a3e3a in lt_dlsym (handle=0x814ba78, symbol=0xbfffe6f8 rlm_eap_tls) at ltdl.c:3330
#1 0x08061404 in eaptype_load ()
#2 0x40489ad7 in eap_instantiate (cs=0x809f8d8, instance=0x814b0b8) at rlm_eap.c:134
#3 0x080575ff in find_module_instance ()
#4 0x0805874a in modcall ()
#5 0x080587b3 in compile_modsingle ()
#6 0x080579f4 in find_module_instance ()
#7 0x08057e75 in setup_modules ()
#8 0x0804ff76 in main ()
#9 0x40337e36 in __libc_start_main () from /lib/libc.so.6
Re: FreeRadius-1.04 install seg faults after install (using EAP-TLS)
Ben Dowling [EMAIL PROTECTED] wrote:

I've loaded up radiusd into gdb and the bug looks the same as http://bugs.freeradius.org/show_bug.cgi?id=98. That page says the solution is to pass configure the --disable-shared flag, which I have done, yet the bug remains.

Then put the libraries some place where the run-time dynamic linker can find them. The root cause of this problem is that your linker cannot find libraries on your system.

Alan DeKok.
Re: FreeRadius-1.04 install seg faults after install (using EAP-TLS)
Is this the freeradius libs it cannot find? And if so will adding the fr lib directory to /etc/ld.so.conf fix the problem?

Thanks in advance,
Ben

Alan DeKok wrote:

Ben Dowling [EMAIL PROTECTED] wrote:

I've loaded up radiusd into gdb and the bug looks the same as http://bugs.freeradius.org/show_bug.cgi?id=98. That page says the solution is to pass configure the --disable-shared flag, which I have done, yet the bug remains.

Then put the libraries some place where the run-time dynamic linker can find them. The root cause of this problem is that your linker cannot find libraries on your system.

Alan DeKok.
Re: FreeRadius-1.04 install seg faults after install (using EAP-TLS)
Ben Dowling [EMAIL PROTECTED] wrote:

Is this the freeradius libs it cannot find? And if so will adding the fr lib directory to /etc/ld.so.conf fix the problem?

No, it's probably the SSL libraries. And, because libltdl is garbage, it can't handle this case. sigh

Alan DeKok.
Re: lowercase before domain match in users file
Tariq Rashid [EMAIL PROTECTED] wrote:

can i enable a switch so that ABC.co.uk, aBc.Co.UK and so on are also matched? however, we don't want the User-Name to be rewritten as per to_lower in radiusd.conf

It's hard to do on a per-attribute basis. Source code patches are pretty much the only option here.

Alan DeKok.
Re: FreeRadius-1.04 install seg faults after install (using EAP-TLS)
Ahh I've solved it - the library directory wasn't set correctly in the radius conf file, I updated and it worked fine.

Thanks for the help,
Ben

Alan DeKok wrote:

Ben Dowling [EMAIL PROTECTED] wrote:

Is this the freeradius libs it cannot find? And if so will adding the fr lib directory to /etc/ld.so.conf fix the problem?

No, it's probably the SSL libraries. And, because libltdl is garbage, it can't handle this case. sigh

Alan DeKok.
Re: not to return the detault attributes in reject?
Still not sure how to handle with rlm_exec. Can anybody give me more details?

kevin

Thor Spruyt wrote:

kevin wrote:

How can I return Reject-Packet without default attributes? It seems that the default attributes in the users file are returned regardless of Accept or Reject. I don't want to give a hint to a hacker who can try a lot of rejects. Is there a way? Somebody suggested Exec-Program-Wait = reject.sh before. But it didn't work for me.

rlm_exec
Re: usage of exec to get LDAP value..
Alan,

I've tried to map new attributes in ldap.attrmap, but for every match in the users file it will return both new attributes, but the sessiontimeout still returns no value. So at the moment I stick to using exec to run an external script unless somebody can suggest a better way to do it.

thanks..
--haizam

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, August 25, 2005 23:30
Subject: Re: usage of exec to get LDAP value..

haizam [EMAIL PROTECTED] wrote:

In LDAP.. user's entry will have additional 2 attributes TimeoutPSTN: 4000 TimeoutISDN: 1000 then in users file.. using exec to run small script to get correct value of sessiontimeout based on NAS-Port-Type

See raddb/ldap.attrmap. You can map those attributes to Session-Timeout, I think. If that doesn't work, map them to new attributes, and use the users file to copy those attributes to Session-Timeout.

Alan DeKok.