Huntgroup-Name
Is it possible to specify multiple huntgroup names in sql? Let's say sqlgroup IT can connect to devices in the huntgroup vpn and ras (something like Huntgroup-Name == vpn,ras in sql??) J.
About update of CRL
Hi, all! I use FreeRADIUS-1.0.4 and OpenSSL on cygwin in Windows XP for EAP-TLS. I want to ask a question about the specification of FreeRADIUS. If CRL is updated, FreeRADIUS should be rebooted? When CRL was updated, I executed c_rehash command only. But the new CRL's information was not updated for FreeRADIUS. Or is there any other method? Please help me. Best regards, amemiya
Re: radius timeout
Below is the logs on my cisco router as well as the radius server.

=
PRI-CAN-GW1#sh radi stat
                                   Auth.      Acct.       Both
Maximum inQ length:                   NA         NA         20
Maximum waitQ length:                 NA         NA        457
Maximum doneQ length:                 NA         NA          4
Total responses seen:                  0      38384      38384
Packets with responses:                0      38384      38384
Packets without responses:             0     146768     146768
Average response delay(ms):            0        516        516
Maximum response delay(ms):            0      57760      57760
Number of Radius timeouts:             0     293969     293966
Duplicate ID detects:                  0          0          0
Buffer Allocation Failures:            0          0          0
Maximum Buffer Size (bytes):           0       1409       1409
Source Port Range: (full range) 21645 - 21844
Last used Source Port/Identifier: 21685/242
Elapsed time since counters last cleared: 3d13h36m

= radius.log ==start
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): failed after re-connect
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): Couldn't update SQL accounting STOP record - ERROR: duplicate key violates unique constraint stoptelephonycombo
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): failed after re-connect
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): Couldn't update SQL accounting STOP record - ERROR: duplicate key violates unique constraint stoptelephonycombo
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): failed after re-connect
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): Couldn't update SQL accounting STOP record - ERROR: duplicate key violates unique constraint stoptelephonycombo
===stop

The duplicate records increase to the extent that it sometimes kills my radius server. What could be the cause of the timeout.

On Thu, 8 Sep 2005 15:27:34 +0200 Nicolas Baradakis [EMAIL PROTECTED] wrote:

Callis wrote:
I see a lot of radius timeout on my cisco router while the ping times is 10ms and my radius timeout is set to 50.

Is there any error message in file radius.log ?

--
Nicolas Baradakis
Need to conditionally update user data in authentication process (mysql) - Clues?
Hi

I need to conditionally update some user data whilst in the authentication process - I'm looking for clues as how to do this.

Background: I'm providing vouchers with a username and password on them. The first time the voucher details are used - I need to update that users details (change their group, add an expiry date - etc). All my users are in groups and it's only users in a particular group that I want this to happen to...

Everything is in MySQL. Sort of...

pre_authorize_check = UPDATE useracct SET groupname='newgroup', expireaccount='now() + 30 days' IF (SELECT groupname FROM useracct WHERE Username='%{Stripped-User-Name}' AND realm='%{Realm}' ) == 'voucher_group';

ie - If the person trying to login is a member of my 'voucher_group', make some changes to their SQL details first then authenticate them as normal...

How would I do something like this? This process would only ever happen once to a user in the lifetime of their account, unlike repetitively logging in and using the service afterwards.

ps - I also want to send them some welcoming e-mail at the same time and as their [EMAIL PROTECTED] is actually their e-mail address .. the address is easy...but the process of doing so?

--
Mark J Elkins, Cisco CCIE
Posix Systems - Sth Africa. e.164 VOIP ready
[EMAIL PROTECTED]
Tel: +27 12 807 0590 Cell: +27 82 601 0496
Re: radius timeout
How many connections to the database do you have in your pgsql-voip.conf?

--- Callis [EMAIL PROTECTED] wrote:

Below is the logs on my cisco router as well as the radius server.

=
PRI-CAN-GW1#sh radi stat
                                   Auth.      Acct.       Both
Maximum inQ length:                   NA         NA         20
Maximum waitQ length:                 NA         NA        457
Maximum doneQ length:                 NA         NA          4
Total responses seen:                  0      38384      38384
Packets with responses:                0      38384      38384
Packets without responses:             0     146768     146768
Average response delay(ms):            0        516        516
Maximum response delay(ms):            0      57760      57760
Number of Radius timeouts:             0     293969     293966
Duplicate ID detects:                  0          0          0
Buffer Allocation Failures:            0          0          0
Maximum Buffer Size (bytes):           0       1409       1409
Source Port Range: (full range) 21645 - 21844
Last used Source Port/Identifier: 21685/242
Elapsed time since counters last cleared: 3d13h36m

= radius.log ==start
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): failed after re-connect
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): Couldn't update SQL accounting STOP record - ERROR: duplicate key violates unique constraint stoptelephonycombo
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): failed after re-connect
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): Couldn't update SQL accounting STOP record - ERROR: duplicate key violates unique constraint stoptelephonycombo
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): failed after re-connect
Thu Sep 8 16:55:14 2005 : Error: rlm_sql (pgsql-voip): Couldn't update SQL accounting STOP record - ERROR: duplicate key violates unique constraint stoptelephonycombo
===stop

The duplicate records increase to the extent that it sometimes kills my radius server. What could be the cause of the timeout.

On Thu, 8 Sep 2005 15:27:34 +0200 Nicolas Baradakis [EMAIL PROTECTED] wrote:

Callis wrote:
I see a lot of radius timeout on my cisco router while the ping times is 10ms and my radius timeout is set to 50.

Is there any error message in file radius.log ?

--
Nicolas Baradakis
rlm_perl / rlm_python
Hi there, Could someone tell me what versions of freeradius have rlm_perl? I have a fedora box with freeradius 1.0.1 installed, I have downloaded the 1.0.4 version and it has references to rlm_perl in it. Do I have to install the 1.0.4 version to get rlm_perl? A very subjective question here... what is better to use rlm_perl or rlm_python? I would have to learn python, but if the general consensus is to go with python I'll do it. TIA
Ascend-Data-Filter replies sent, but something amiss
Greetings.

I've got freeradius (radiusd: FreeRADIUS Version 1.0.2, for host , built on Sep 7 2005 at 14:10:37) running, and authenticating well. My user names, passwords, and nas's are stored in a MySQL database. I have a user of name, say, justin belonging to group dialin. The radgroupreply table has four rows of data like this:

id  GroupName  Attribute           op  Value                             prio
1   dialin     Ascend-Data-Filter  +=  ip in forward est                 0
2   dialin     Ascend-Data-Filter  +=  ip in forward dst ip x.x.x.x/32   0
3   dialin     Ascend-Data-Filter  +=  ip in drop tcp dstport = 25       0
4   dialin     Ascend-Data-Filter  +=  ip in forward                     0

Here's what wvdial does with the Ascend-Data-Filters in place:

-- WvDial: Internet dialer version 1.54.0
-- Initializing modem.
-- Sending: ATZ
ATZ
OK
-- Sending: ATQ0 V1 E1 S0=0 C1 D2 +FCLASS=0 W2
ATQ0 V1 E1 S0=0 C1 D2 +FCLASS=0 W2
OK
-- Modem initialized.
-- Sending: ATDTnumber
-- Waiting for carrier.
ATDTnumber
CONNECT 50666
-- Carrier detected. Waiting for prompt.
login prompt
-- Looks like a login prompt.
-- Sending: [EMAIL PROTECTED]
Password:
-- Looks like a password prompt.
-- Sending: (password)
Remote Authentication server timeout.
login prompt
-- Looks like a login prompt.
-- Sending: [EMAIL PROTECTED]
Password:
-- Looks like a password prompt.
-- Sending: (password)
** Bad Password
login prompt
-- Looks like a login prompt.
-- Sending: [EMAIL PROTECTED]
-- Don't know what to do! Starting pppd and hoping for the best.
-- Starting pppd at Fri Sep 9 12:45:58 2005
-- pid of pppd: 11381
-- Using interface ppp0
-- Disconnecting at Fri Sep 9 12:46:02 2005
-- The PPP daemon has died: Authentication error.
-- We failed to authenticate ourselves to the peer.
-- Maybe bad account or password? (exit code = 19)
-- man pppd explains pppd error codes in more detail.
-- I guess that's it for now, exiting
-- The PPP daemon has died. (exit code = 19)

There's an awful lot of output from radius -X running while I attempt to auth, but here's something that sticks out:

rlm_sql (sql): Released sql socket id: 5
modcall[post-auth]: module sql returns ok for request 1
modcall: group post-auth returns ok for request 1
Sending Access-Accept of id 67 to ip:port
        Ascend-Data-Filter += 0x697020696e20666f72776172642074637020657374
        Ascend-Data-Filter += 0x697020696e20666f7277617264206473746970203230382e31322e3136352e302f3234
        Ascend-Data-Filter += 0x697020696e2064726f702074637020647374706f7274203d203235
        Ascend-Data-Filter += 0x697020696e20666f7277617264
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 67 with timestamp 4321cf66
Nothing to do. Sleeping until we see a request.

As far as radiusd knows, I logged in. Removing my user from that dialin group (and thus not sending the group's replies) allows me to login as usual.

Any ideas? Do those filter replies look right? They almost look like hex to me, not binary. I've tried X-Ascend-Data-Filter and Ascend-Data-Filter. Changing the op to := sends only the first of the four replies. In the attrs file, I've added the below line to my DEFAULT set:

Ascend-Data-Filter =* ANY

Any replies appreciated.

-justin
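Added example (not part of the original post, and not FreeRADIUS code): a small check that pulls Ascend-Data-Filter values out of radiusd -X debug output and reports whether each one is only the rule text sent as ASCII characters. The sample reuses three values from the post plus one constructed non-text value; the function names are hypothetical, and treating "all bytes printable" as the sign of an unencoded rule is an assumption.

```python
import re

# Three reply lines copied from the radiusd -X output in the post, plus one
# constructed value (last line) containing non-printable bytes for contrast.
DEBUG_OUTPUT = """\
Sending Access-Accept of id 67 to ip:port
    Ascend-Data-Filter += 0x697020696e20666f72776172642074637020657374
    Ascend-Data-Filter += 0x697020696e2064726f702074637020647374706f7274203d203235
    Ascend-Data-Filter += 0x697020696e20666f7277617264
    Ascend-Data-Filter += 0x01010100000000000a000001ff000000
"""

# Attribute name, one of the =, += or := operators, then an even-length hex string.
FILTER_RE = re.compile(r"Ascend-Data-Filter\s*[+:]?=\s*0x((?:[0-9a-fA-F]{2})+)")


def extract_filters(debug_text):
    """Return the raw bytes of every Ascend-Data-Filter value in debug output."""
    return [bytes.fromhex(m.group(1)) for m in FILTER_RE.finditer(debug_text)]


def classify(raw):
    """Label a value 'text' if every byte is printable ASCII, else 'binary'.

    Assumption: a value that decodes cleanly to readable rule text was sent
    as the literal string, not as an encoded filter.
    """
    if raw and all(0x20 <= b <= 0x7E for b in raw):
        return ("text", raw.decode("ascii"))
    return ("binary", raw.hex())


def report(debug_text):
    """Classify every filter value found in the debug output, in order."""
    return [classify(raw) for raw in extract_filters(debug_text)]


if __name__ == "__main__":
    for kind, value in report(DEBUG_OUTPUT):
        print(f"{kind:6} {value}")
```

The three values taken from the post come back as readable rule strings, which matches the poster's impression that the replies are the hex of the text.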
Re: Not going past Sending Access-Challenge
It works! I set nastype = other in the clients.conf file as per an example I saw from someone using the same WAP, and it started working after restarting Radius. I don't recall making any other changes, but something had led me to believe that other was the default nastype if not specified.

I'm trying to setup RADIUS/WPA authentication using PEAP as described in - http://www.ibiblio.org/pub/Linux/docs/HOWTO/8021X-HOWTO - but I never seem to get past the Sending Access-Challenge after I enter my username and password on the client. User is simply an entry in the users file with a clear text password. I've gone over the config several times, but nothing jumps out at me as an error message.

Alan DeKok wrote:
The problem most likely is that the AP isn't seeing the response, or it isn't liking the response. Check the IP addresses that the packet use, via tcpdump.

Okay, I've etherealled the connection and I see an Access-Request from the WAP to the RADIUS server, then an Access-Challenge from the RADIUS server to the WAP, and nothing else. What should the WAP's response to an Access-Challenge response be? The WAP is 192.168.1.42 and the RADIUS server is 192.168.1.47
CHAP Authentication But LDAP Authorization?
I have CHAP (PEAP) authentication working against my Samba PDC via ntlm_auth. I want to use that authentication but have users and their parameters from an LDAP DSA (that contains the SAM Samba is using). I see that a radius schema file is included and has an auxiliary objectclass. But I can't seem to find any information on using LDAP for the user database but EAP/ntlm_auth for the authentication. Is this possible? -- Adam Tauno Williams - http://www.whitemice.org
Re: Ascend-Data-Filter replies sent, but something amiss
Justin M. Parker wrote:
Greetings. I've got freeradius (radiusd: FreeRADIUS Version 1.0.2, for host ,

Belay last, grabbed the new source, recompiled, and reconfigured. Everything's peachy now. Thanks anyway! Long live FreeRadius.

-justin
Re: not to return the detault attributes in reject?
kevin wrote:

Try...

DEFAULT Auth-Type := Reject
        Reply-Message = ,
        Fall-Through = Yes

DEFAULT Service-Type == Framed-User
        Framed-IP-Netmask=255.255.255.255,
        Service-Type = Framed-User,
        Idle-Timeout=1800,
        Session-Timeout=86000,

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: rlm_perl / rlm_python
[EMAIL PROTECTED] wrote:
Hi there, Could someone tell me what versions of freeradius have rlm_perl?

All latest version have it. But it's unstable and therefore you have to compile from source using --with-experimental-modules

Do I have to install the 1.0.4 version to get rlm_perl?

No, but latest version is best :)

A very subjective question here... what is better to use rlm_perl or rlm_python?

I think that rlm_perl is likely to be supported better than rlm_python.

I would have to learn python, but if the general consensus is to go with python I'll do it.

Go for rlm_perl

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
How to add sub-attributes in a dictionary file?
-- Forwarded message -- Hello, Could you let me know how to add a sub-attributes in a dictionary file? For example, there is an attribute DIGEST_ATTRIBUTE = 207 and its sub-attribute SIP_URI = 4. How can I define this sub-attribute to the dictionary file? I'd appreciate your help. J Toyoda
how to add a sub-attributes in a dictionary
Hello, I would like to know how to add a sub-attributes in a dictionary file? For example, there is an attribute DIGEST_ATTRIBUTE = 207 and its sub-attribute SIP_URI = 4. How can I define this sub-attribute to the dictionary file? I'd appreciate your help. J Toyoda
RE: rlm_perl / rlm_python
I think there's a bug in the latest perl versions.

When you are running Debian 3.1 (perl 5.8.4) and want experimental package you may want to link libperl.so into freeradius, if you don't you get an error when you start the freeradius server with rlm_perl enabled

Like:

/usr/sbin/freeradius: relocation error: /usr/lib/perl/5.8/auto/IO/IO.so: undefined symbol: Perl_Tstack_sp_ptr
(failed! run '/usr/sbin/freeradius -x' to find out why.)

I solved this with recompile configure option:

--with-rlm-perl-lib-dir=/usr/lib/libperl.so.5.8.4

You also can do

LD_PRELOAD=/usr/lib/libperl.so freeradius

but I would suggest the first option...

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Thor Spruyt
Sent: Friday 9 September 2005 23:19
To: FreeRadius users mailing list
Subject: Re: rlm_perl / rlm_python

[EMAIL PROTECTED] wrote:
Hi there, Could someone tell me what versions of freeradius have rlm_perl?

All latest version have it. But it's unstable and therefore you have to compile from source using --with-experimental-modules

Do I have to install the 1.0.4 version to get rlm_perl?

No, but latest version is best :)

A very subjective question here... what is better to use rlm_perl or rlm_python?

I think that rlm_perl is likely to be supported better than rlm_python.

I would have to learn python, but if the general consensus is to go with python I'll do it.

Go for rlm_perl

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: one question
Please see below. Thanks

#
# Fortinet's VSA's
#
VENDOR          Fortinet        12356

BEGIN-VENDOR    Fortinet
ATTRIBUTE       Fortinet-Group-Name             1       string
ATTRIBUTE       Fortinet-Client-IP-Address      2       ipaddr
ATTRIBUTE       Fortinet-Vdom-Name              3       string
#
# Integer Translations
#
END-VENDOR      Fortinet

From: Alan DeKok [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: one question
Date: Thu, 08 Sep 2005 16:10:33 -0400

Richie Lee [EMAIL PROTECTED] wrote:
My company is a security vendor company(www.fortinet.com). How to add dictionary.fortinet to the server's list of vendor dictionaries in later freeradius version? Does anyone know it?

Email it to the list.

Alan DeKok.
Re: rlm_perl / rlm_python
Quoting Thor Spruyt [EMAIL PROTECTED]:

[EMAIL PROTECTED] wrote:
Hi there, Could someone tell me what versions of freeradius have rlm_perl?

All latest version have it. But it's unstable and therefore you have to compile from source using --with-experimental-modules

Do I have to install the 1.0.4 version to get rlm_perl?

No, but latest version is best :)

A very subjective question here... what is better to use rlm_perl or rlm_python?

I think that rlm_perl is likely to be supported better than rlm_python.

I would have to learn python, but if the general consensus is to go with python I'll do it.

Go for rlm_perl

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be

Thanks for the info, will do the compile route
Re: How to add sub-attributes in a dictionary file?
Toyoda [EMAIL PROTECTED] wrote: Could you let me know how to add a sub-attributes in a dictionary file? You can't. Alan DeKok.
Re: one question
Richie Lee [EMAIL PROTECTED] wrote: Please see below. Thanks Added, thanks. Alan DeKok.