Re: 1.0.5 + rlm_sql_mysql: Segmentation fault

2005-09-15 Thread Thomas Krause (Webmatic)


Hi Alan,

Alan DeKok wrote:

> "Thomas Krause (Webmatic)" <[EMAIL PROTECTED]> wrote:
> > I've followed the instructions in the bugs file, but
> > I'm not a programmer (so the output doesn't really help
> > me):
> ...
> > #0  0x282f8550 in memset () from /lib/libc.so.5
> > (gdb) bt
> > #0  0x282f8550 in memset () from /lib/libc.so.5
> > #1  0x0001 in ?? ()
> > #2  0x283d1b64 in sql_init_socket (sqlsocket=0x8080020, 
> > config=0x8067500) at sql_mysql.c:71
>
>   It looks like the same bug reported previously for FreeBSD.  It's
> specific to FreeBSD, too, as no other OS has that problem.
>
>   I found what I *thought* were problems, that *should* have fixed it
> for all OS's, but it doesn't appear to work on FreeBSD.
>
>   Are you running FreeRADIUS 1.0.5?


I tried both, version 1.0.4 (from ports) and 1.0.5 - and both crashed.
Also I tried with mysql 4.0.26 with the same result.

Kind regards,
Thomas.

--

Thomas Krause   Webmatic Kommunikations GmbH
Tel: +49 345 777

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Logging accounting data to SQL

2005-09-15 Thread Alan DeKok
Ben Dowling <[EMAIL PROTECTED]> wrote:
> I am using freeradius 1.0.4. I have enabled the 'sql' module in the
> accounting section of radiusd.conf but the accounting data is logged
> to /var/log/radius/radacct and not to mysql. How do I configure this?

  Run the server in debugging mode, send it accounting packets, and
look for the word "sql" in the debug output.

  There's also an "sqltrace" file (see sql.conf) which logs SQL queries.

  Alan DeKok.



Re: mssql and authenticate_query

2005-09-15 Thread Alan DeKok
"Duane Cox" <[EMAIL PROTECTED]> wrote:
> There is an "authenticate_query" variable defined in the stock mssql.conf

  If it's there, it's a bug.

> I am beginning to think this entry is defunct or never implemented.
> Am I right?  If so, then I could remove that entry from my mssql.conf.

  Yes.

  Alan DeKok.


/local/dialup page will not display for dialupadmin

2005-09-15 Thread Miguel Ramirez
Hey guys, I am new to this and usually I follow every step to make it
work, and do try hard (I have had my hands on this for a week now). I
have read the readme file and the 'How to' document, and up to the point
where I have to get the dialupadmin page displayed in the browser it
does not happen :-(
Well, I have tried on SuSE 9.0 server and Fedora Core 3 and 4.

I get to make the installer for the radius source and the Date::Manip Perl module and they seem to get installed ok.
I know this type of thing is like finding a needle in a haystack, but I am running out of patience, please help me!, thanks.

Now can someone please give me some clues?

Re: SQL replacement for clients.conf?

2005-09-15 Thread Guy Fraser
On Thu, 2005-15-09 at 15:08 -0400, Alan DeKok wrote:
> > Am I to take it that it is not possible to use SQL for the clients.conf
> > file? And if that is the case could someone please explain what the nas
> > table is for in the database schema?
> 
>   It's possible.  You do need at least one entry in "clients.conf",
> though.  I suggest "127.0.0.1"
> 
>   Then, read "sql.conf", and set "readclients=yes"
> 
>   Alan DeKok.

Cool.

I am working with FreeBSD and the updates for 1.0.5 are not 
in the cvsup repository yet, so my comment is in regards to 
1.0.4, but may apply to 1.0.5.

I took a look at the postgresql stuff and it appears as though 
the schema will need a little tweak in order to be compatible 
with "rlm_sql.c"'s requirements.

A "SERIAL" column named Id will need to be added.

This will make it compatible :

-- SQL clients table
CREATE TABLE nas (
id          SERIAL PRIMARY KEY,
nasname     VARCHAR(128),
shortname   VARCHAR(32) NOT NULL,
type        VARCHAR(30),
ports       int4,
secret      VARCHAR(60) NOT NULL,
community   VARCHAR(50),
description TEXT
);

This is not required, but this info used to be in the nas
table in the postgresql schema.

-- additional nas info table included in previous nas table
-- (named nas_info here so that it does not collide with the nas table above)
CREATE TABLE nas_info (
id          int4 NOT NULL,
ipaddr      INET PRIMARY KEY,
snmp        VARCHAR(10),
naslocation VARCHAR(32)
);






Logging accounting data to SQL

2005-09-15 Thread Ben Dowling
Hi,

I am using freeradius 1.0.4. I have enabled the 'sql' module in the
accounting section of radiusd.conf but the accounting data is logged
to /var/log/radius/radacct and not to mysql. How do I configure this?

Cheers, Ben



mssql and authenticate_query

2005-09-15 Thread Duane Cox
List:

There is an "authenticate_query" variable defined in the stock mssql.conf

I can not get freeradius to run this query when authenticating users; and
when I add the 'sql' module in the authenticate section of radius.conf,
freeradius stops with the following error...

Module: Instantiated sql (sql) 
radiusd.conf: "SQL" modules aren't allowed in 'authenticate' sections -- they 
have no such method.

I am beginning to think this entry is defunct or never implemented.
Am I right?  If so, then I could remove that entry from my mssql.conf.

Thanks
Duane Cox



Re: FreeRadius Proxying and Message-Authenticator

2005-09-15 Thread Thor Spruyt
Alan DeKok wrote:
> "Paolo Rotela" <[EMAIL PROTECTED]> wrote:
>> So you are implementing YOUR radius to support YOUR PROPOSED
>> method... well it seems some proprietary...

If one wants control over a project, one should start his own project.

It's clear to everybody that FreeRadius is widely used because it's strong
and serves a general purpose (not to mention that it's free).
So if one needs something specific to one's needs, one should contribute and
hope that the project coordinators will see a general benefit.

Please do not reply... I just wanted to give Alan some credit, so that the
FreeRadius project will continue to evolve like it has before.

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be



Re: Two different sources, one with a single value

2005-09-15 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Using the above example, the system that passes the MAC
> address in to find out if it's valid passes the MAC address in both the
> User-Name and User-Password fields.

  Uh, no.

> >> passwd mac_address {
> >> filename = /var/mac_addresses
> >> format = "*User-Name"

  There's no "User-Password" field there, so it can't check that.  And
the passwd module doesn't do enforcement checking, it's just a lookup
table.

> I was hoping to be able to get away with just authenticating against
> the User-Name and having just one field in the table,

  Sure, but then you've got to set Auth-Type := Accept.

> As for authorizing, surely for the MAC address checking I don't need
> to have an authorize section, the authenticate section verifies if
> the MAC address is in the table or not and if it is, it passes it
> in?

  No.  The "passwd" module runs in the authorization section.

> Then again, if I am authenticating against the MAC address and then
> authorizing against the unix login ID and password, does this mean a given
> user has to be in BOTH tables to gain access?

  You have "authorization" and "authentication" inverted in the above example.

  Alan DeKok.



Re: Questions about freeradius, ntlm_auth and windows groups

2005-09-15 Thread Alan DeKok
Claudio <[EMAIL PROTECTED]> wrote:
> Tnx for the advice...but there is no way to do it with ntlm and not LDAP 

  No.

  Alan DeKok.


Re: crash in 1.0.5

2005-09-15 Thread Alan DeKok
Norbert Wegener <[EMAIL PROTECTED]> wrote:
> >  Does it work in 1.0.4?
> >
> Yes.

  Dang.  I'm not sure what to suggest, other than gdb.

  Alan DeKok.


Re: SQL Documentation

2005-09-15 Thread Alan DeKok
Sean <[EMAIL PROTECTED]> wrote:
> In particular I want to use the following in my radiusd.conf.
> 
> counter daily{

  That module doesn't interact with SQL.  I have no idea why you think
it does.

> What I need to know is do I have to add extra fields to my radius
> database and if so which tables need to be changed and how to address
> them from sql.conf.

  You don't.

  See "sqlcounter".  It interacts with SQL, because its name &
examples say so.

  "counter" does not.

  Alan DeKok.




Re: SQL replacement for clients.conf?

2005-09-15 Thread Alan DeKok
> Am I to take it that it is not possible to use SQL for the clients.conf
> file? And if that is the case could someone please explain what the nas
> table is for in the database schema?

  It's possible.  You do need at least one entry in "clients.conf",
though.  I suggest "127.0.0.1"

  Then, read "sql.conf", and set "readclients=yes"

  Alan DeKok.


Re: FreeRadius Proxying and Message-Authenticator

2005-09-15 Thread Alan DeKok
"Paolo Rotela" <[EMAIL PROTECTED]> wrote:
> So you are implementing YOUR radius to support YOUR PROPOSED method... well 
> it seems some proprietary...

  And the discussion ends there.

  You don't understand my points, and you have conspiracy theories about
my behavior.

  Here's a conspiracy: Go away.

  Alan DeKok.


AW: 12077 error???

2005-09-15 Thread Armin Krämer
I build the deb Files out of the source.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of King,
Michael
Sent: Thursday, 15 September 2005 16:50
To: FreeRadius users mailing list
Subject: RE: 12077 error???


> -Original Message-
> From: [EMAIL PROTECTED] 
> Behalf Of Armin Krämer
> 
> Hi, I set up freeradius with eap-tls and after I generated my 
> certificates with TinyCA and configured it in the eap.conf file 
> I get this error message...Does anyone know what causes this error?
> Thanks Armin
> 
> debian:~# freeradius -X -A

Did you install FreeRadius via Apt (aptitude) or compile from source? 



Re: SQL replacement for clients.conf?

2005-09-15 Thread Ben Dowling
On Wed, 2005-09-14 at 22:42 +0100, Ben Dowling wrote:
> Hi,
> 
> Is it possible to replace clients.conf with an SQL table? I assume that
> is what the NAS table is for in the schema, but I have seen no mention
> of it being used, or any documentation, for it on the web.
> 
> If it is possible could you please provide me with an example setup.
> 
> Cheers, Ben
> 


Re: SQL replacement for clients.conf?

2005-09-15 Thread Ben Dowling
Hi,

Am I to take it that it is not possible to use SQL for the clients.conf
file? And if that is the case could someone please explain what the nas
table is for in the database schema?

Cheers, Ben

On Wed, 2005-09-14 at 22:42 +0100, Ben Dowling wrote:
> Hi,
> 
> Is it possible to replace clients.conf with an SQL table? I assume that
> is what the NAS table is for in the schema, but I have seen no mention
> of it being used, or any documentation, for it on the web.
> 
> If it is possible could you please provide me with an example setup.
> 
> Cheers, Ben
> 


Re: FreeRadius Proxying and Message-Authenticator

2005-09-15 Thread Paolo Rotela
- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Thursday, September 15, 2005 2:50 PM
Subject: Re: FreeRadius Proxying and Message-Authenticator

> "Paolo Rotela" <[EMAIL PROTECTED]> wrote:
> ...
>
>   I don't think this discussion is useful.  You have your opinions,
> but you're not responsible for server development.

I thought that discussion was the main purpose of an "open" community...
because this way all people benefit from the opinions and views of other
people.

> > On the other hand, what's the security difference between accepting
> > Accounting-Response packets without a Message-Authenticator because there is
> > no standard, and accepting Accounting-Response packets with an
> > non-recognized value of Message-Authenticator because there is no standard
> > about how to calculate it? The most reasonable thing to do, I think, is to
> > simply ignore the Attribute as it were not there.
>
>   Accounting-Response packets are signed, even without a
> Message-Authenticator.  This is required in the RFC's.

This discussion is NOT about "Response-Authenticator", which is highly
documented in the RFC... this is about Message-Authenticator in Accounting
packets, which is not well documented.

>   As for what's reasonable to do, please feel free to patch your
> local copy of FreeRADIUS to behave however you want.

Yes, I know...

> > >  The packet is not a valid one, because there is no valid method of
> > > calculating Message-Authenticator.  Therefore, it is an invalid packet.
> >
> > If there is no valid method of calculating MA, how can you know that it's
> > invalid?
>
>   Maybe you misunderstood me.  There is NO VALID VALUE for
> Message-Authenticator in Accounting-Response packets.
>
> > In the same file, at line 1203, you are using this calculated value, again
> > without regarding packet code, to decide if continue or exit with error
> > status. Again, why, if there is no valid method?
>
>   Because I updated the code to implement the new proposed method of
> calculating valid Message-Authenticators.

So you are implementing YOUR radius to support YOUR PROPOSED method... well
it seems some proprietary...

>   Please stop arguing about this.  If you feel strongly, patch your
> local server.  That's why you have source.

Yes, but I'm trying to keep a good product like FreeRADIUS interoperating
with some known and well-distributed products, which don't strictly
violate RFCs...

Know that FreeRADIUS will not interoperate this way with Cisco.

>   The main FreeRADIUS distribution, however, WILL NOT be patched to do
> anything other than what I have described.

OK




Re: custom variable in config files

2005-09-15 Thread Alan DeKok
"Tariq Rashid" <[EMAIL PROTECTED]> wrote:
> thanks for the suggestion and clarification. trying what you suggested gives 
> me ...
> 
>   Config:   including file: /opt/freeradius102/etc/raddb/proxy.conf
>   config: No such entry network_address for string 
> ${network_address}.126:1812
>   Errors reading radiusd.conf

  Ah... I ran into that the other day.  Expanding configuration
variables in $INCLUDE'd files may not work, and I'm not sure why.
It's a bug.

  Alan DeKok.



Re: Intel PEAP client "Roaming Identity"

2005-09-15 Thread Alan DeKok
Ben Thompson <[EMAIL PROTECTED]> wrote:
> Could anyone advise me whether it is possible to configure my server so
> that the actual username used gets logged in the accounting records
> instead of this roaming identity string?

  Configure peap{} & ttls{} with "use_tunneled_reply = yes".

  Add the following to the top of the "users" file:

DEFAULT   FreeRADIUS-Proxied-To == 127.0.0.1
  User-Name = "%{User-Name}",
  Fall-Through = Yes

  This will send the inner tunnel user name back to the AP, which is
*supposed* to then use it in accounting packets.

  Alan DeKok.


Re: FreeRadius Proxying and Message-Authenticator

2005-09-15 Thread Alan DeKok
"Paolo Rotela" <[EMAIL PROTECTED]> wrote:
...

  I don't think this discussion is useful.  You have your opinions,
but you're not responsible for server development.

> On the other hand, what's the security difference between accepting
> Accounting-Response packets without a Message-Authenticator because there is
> no standard, and accepting Accounting-Response packets with an
> non-recognized value of Message-Authenticator because there is no standard
> about how to calculate it? The most reasonable thing to do, I think, is to
> simply ignore the Attribute as it were not there.

  Accounting-Response packets are signed, even without a
Message-Authenticator.  This is required in the RFC's.

  As for what's reasonable to do, please feel free to patch your
local copy of FreeRADIUS to behave however you want.

> >  The packet is not a valid one, because there is no valid method of
> > calculating Message-Authenticator.  Therefore, it is an invalid packet.
> 
> If there is no valid method of calculating MA, how can you know that it's
> invalid?

  Maybe you misunderstood me.  There is NO VALID VALUE for
Message-Authenticator in Accounting-Response packets.

> In the same file, at line 1203, you are using this calculated value, again
> without regarding packet code, to decide if continue or exit with error
> status. Again, why, if there is no valid method?

  Because I updated the code to implement the new proposed method of
calculating valid Message-Authenticators.

  Please stop arguing about this.  If you feel strongly, patch your
local server.  That's why you have source.

  The main FreeRADIUS distribution, however, WILL NOT be patched to do
anything other than what I have described.

  Alan DeKok.
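What the two sides of this thread are arguing about, as an added example written for this page (it is not FreeRADIUS source and not code from either poster): a RADIUS client validates any response by recomputing the RFC 2866 Response Authenticator, while the RFC 2869 Message-Authenticator HMAC is defined for Access-* packets only, so what to do with one in an Accounting-Response is left as a switch with both behaviours. The shared secret and Request Authenticator are constructed values.

```python
# Example added for this page (not FreeRADIUS code): validating RADIUS responses
# per RFC 2866 (Response Authenticator) and RFC 2869 (Message-Authenticator).
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCT_RESPONSE = 5
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS TLV byte string."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse_packet(pkt):
    """Return (code, identifier, authenticator, attrs). Length checks come
    first: a receiver must not trust any attribute before they pass."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("bad packet length")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:HEADER_LEN], attrs


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2866: MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    the signature every RADIUS response carries."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def message_authenticator(code, ident, request_auth, body, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the Message-Authenticator
    value zeroed and the Request Authenticator in the authenticator field.
    The RFC defines this for Access-* packets only."""
    zeroed, pos = b"", 0
    while pos < len(body):
        attr_type, length = body[pos], body[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed += body[pos:pos + 2] + b"\x00" * (length - 2)
        else:
            zeroed += body[pos:pos + length]
        pos += length
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_ma=False):
    """Build a response; with_ma appends a correct Message-Authenticator,
    computed first so that the Response Authenticator then covers it too."""
    if with_ma:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    if with_ma:  # the zero placeholder is the last 16 bytes of the body
        body = body[:-16] + message_authenticator(code, ident, request_auth, body, secret)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + auth + body


def verify_response(pkt, request_auth, secret, reject_unexpected_ma=False):
    """Client-side check. The Response Authenticator is verified for every
    code. A Message-Authenticator is verified where RFC 2869 defines it; in
    an Accounting-Response no RFC gives it a value, so the caller picks
    between ignoring it (False) and treating the packet as malformed (True),
    the two positions taken in the thread above."""
    code, ident, auth, attrs = parse_packet(pkt)
    body = pkt[HEADER_LEN:struct.unpack("!H", pkt[2:4])[0]]
    expected = response_authenticator(code, ident, request_auth, body, secret)
    if not hmac.compare_digest(auth, expected):
        return False
    ma = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not ma:
        return True
    if code == ACCT_RESPONSE:
        return not reject_unexpected_ma
    if len(ma[0]) != 16:
        return False
    return hmac.compare_digest(ma[0], message_authenticator(code, ident, request_auth, body, secret))


if __name__ == "__main__":
    secret, req_auth = b"testing123", bytes(range(16))  # constructed values
    odd = build_response(ACCT_RESPONSE, 7, req_auth,
                         [(ATTR_MESSAGE_AUTHENTICATOR, b"\xaa" * 16)], secret)
    print("ignored:", verify_response(odd, req_auth, secret),
          "strict:", verify_response(odd, req_auth, secret, True))
```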


Re: Intel PEAP client "Roaming Identity"

2005-09-15 Thread Zoltan A. Ori
On Thursday 15 September 2005 12:25, Ben Thompson wrote:
> Hi
>
> We have a 802.1x/PEAP wireless network using freeRADIUS 1.0.1 on RedHat
> AS 4. It is important for us to know who is using the network at any
> given time so the accounting logs are very useful to us. The other day
> someone came along with a laptop using an Intel wireless adapter and
> client software. In the configuration settings for this program there
> was a place to enter a username and password for PEAP authentication and
> there was also a field named "Roaming Identity" which as default was set
> to "[EMAIL PROTECTED]". The client connected up fine, but when I
> checked the RADIUS accounting logs I noticed that the username for that
> client was listed as [EMAIL PROTECTED] instead of the one I expected.
> After a bit of googling I found this link on the Dell website which
> describes that the roaming identity is only required for MS RADIUS
> servers :-
> http://support.dell.com/support/edocs/network/P72721/en/UtilAdv.htm
> Could anyone advise me whether it is possible to configure my server so
> that the actual username used gets logged in the accounting records
> instead of this roaming identity string?
>

I couldn't think of a good way to deal with this on our site. I ended up 
putting the roaming identity in the users files to reject it. The owner of 
the device has to reconfigure their supplicant to fix the roaming identity. 
This can probably be handled a bit more elegantly and user friendly in 
radiusd.conf but I haven't really had time to work on it.

Zoltan



Re: Receiving a full DN in a radius request

2005-09-15 Thread Jean-Francois Gobin

Oh ... Ok ...

I was not requesting a patch, I just wanted to know if there was a 
possibility to "forward the string without parsing/escaping".


And BTW, you can stop the condescending air ...

jF


On Thu, 15 Sep 2005, Alan DeKok wrote:

> Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
>
> > rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with 
> > filter (uid\3dP06227\2cou\3dpeople\2co\3dnrb\2cc\3dbe)
> >
> > This is not a bug: user supplied strings are escaped from unsafe
> > characters.
>
>  Oh, I missed *that*.  He's trying to pass an LDAP dn in a User-Name
> attribute?
>
>  The answer is "edit the source code yourself".  We will *not* be
> accepting patches for something like this.
>
>  Alan DeKok.



--
Jean-Francois Gobin - Administrateur gobinjf.be
http://www.gobinjf.be   mailto:[EMAIL PROTECTED]


RE: custom variable in config files

2005-09-15 Thread Tariq Rashid


thanks for the suggestion and clarification. trying what you suggested gives me 
...

Config:   including file: /opt/freeradius102/etc/raddb/proxy.conf
config: No such entry network_address for string 
${network_address}.126:1812
Errors reading radiusd.conf

i'll keep trying and report back anything that works.

tariq


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan
DeKok
Sent: 15 September 2005 17:18
To: FreeRadius users mailing list
Subject: Re: custom variable in config files 


"Tariq Rashid" <[EMAIL PROTECTED]> wrote:
> i'd like to do something like ...
> 
>   realm abc.def {
>   type= radius
>   authhost= `%{config:network_address}`.126:1812

  The expansion of configuration-file variables is not the same as the
expansion of run-time variables.  See other examples in the
configuration.

  What *could* work is:

  authhost = ${network_address}.126:1812

  Alan DeKok.


Re: Two different sources, one with a single value

2005-09-15 Thread Martin . Ward
Alan DeKok wrote:
>[EMAIL PROTECTED] wrote:
>> For the MAC address I want a flat file with just the MAC addresses in it. I
>> have tried using the passwd module and just ignoring the User-Password
>> attribute like so:
>>
>> passwd mac_address {
>> filename = /var/mac_addresses
>> format = "*User-Name"
>> }
>
>  You're also ignoring the authentication method.  I suggest adding a
>User-Password to that table.

I think I'm missing something here between the use of the authenticate and
authorize sections. Using the above example, the system that passes the MAC
address in to find out if it's valid passes the MAC address in both the
User-Name and User-Password fields. I was hoping to be able to get away
with just authenticating against the User-Name and having just one field in
the table, however if I can't then I can't. As for authorizing, surely for
the MAC address checking I don't need to have an authorize section, the
authenticate section verifies if the MAC address is in the table or not and
if it is, it passes it in?

Then again, if I am authenticating against the MAC address and then
authorizing against the unix login ID and password, does this mean a given
user has to be in BOTH tables to gain access?

|\/|artin
--
Senior Network Administrator, NEC (Europe) Ltd.
Acton extension: 3379
NEC*Net: 800-44-21-3379
Direct: +44 20 8752 3379
Fax: +44 20 8752 3389
Mobile: +44 7721 869 356



Intel PEAP client "Roaming Identity"

2005-09-15 Thread Ben Thompson
Hi

We have a 802.1x/PEAP wireless network using freeRADIUS 1.0.1 on RedHat
AS 4. It is important for us to know who is using the network at any
given time so the accounting logs are very useful to us. The other day
someone came along with a laptop using an Intel wireless adapter and
client software. In the configuration settings for this program there
was a place to enter a username and password for PEAP authentication and
there was also a field named "Roaming Identity" which as default was set
to "[EMAIL PROTECTED]". The client connected up fine, but when I
checked the RADIUS accounting logs I noticed that the username for that
client was listed as [EMAIL PROTECTED] instead of the one I expected.
After a bit of googling I found this link on the Dell website which
describes that the roaming identity is only required for MS RADIUS
servers :-
http://support.dell.com/support/edocs/network/P72721/en/UtilAdv.htm
Could anyone advise me whether it is possible to configure my server so
that the actual username used gets logged in the accounting records
instead of this roaming identity string?

Many Thanks

Ben Thompson





Re: 1.0.5 + rlm_sql_mysql: Segmentation fault

2005-09-15 Thread Alan DeKok
"Thomas Krause (Webmatic)" <[EMAIL PROTECTED]> wrote:
> I've followed the instructions in the bugs file, but
> I'm not a programmer (so the output doesn't really help
> me):
...
> #0  0x282f8550 in memset () from /lib/libc.so.5
> (gdb) bt
> #0  0x282f8550 in memset () from /lib/libc.so.5
> #1  0x0001 in ?? ()
> #2  0x283d1b64 in sql_init_socket (sqlsocket=0x8080020, 
> config=0x8067500) at sql_mysql.c:71

  It looks like the same bug reported previously for FreeBSD.  It's
specific to FreeBSD, too, as no other OS has that problem.

  I found what I *thought* were problems, that *should* have fixed it
for all OS's, but it doesn't appear to work on FreeBSD.

  Are you running FreeRADIUS 1.0.5?

  Alan DeKok.



Re: Small patch for proxy code - listen.c

2005-09-15 Thread Alan DeKok
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> Thanks for spotting this. This is a problem indeed. Can you please
> fill a bug report on the bugzilla, so your patch doesn't get lost?

  For 2.0, I'd like to fix the realm handling, to separate realms from
home servers.  e.g.

realm foo.com {
  nostrip
  home_server = radius-for-foo.com
}

home_server radius-for-foo.com {
type = acct
host = ...
port = ...
secret = ...
}

  That will fix a number of issues in the code, and enable multiple
realms to share a fail-over list of home servers, without the current
problem of typing in the same home server multiple times.

  Alan DeKok.


Re: Receiving a full DN in a radius request

2005-09-15 Thread Alan DeKok
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with 
> filter (uid\3dP06227\2cou\3dpeople\2co\3dnrb\2cc\3dbe)
> 
> This is not a bug: user supplied strings are escaped from unsafe
> characters.

  Oh, I missed *that*.  He's trying to pass an LDAP dn in a User-Name
attribute?

  The answer is "edit the source code yourself".  We will *not* be
accepting patches for something like this.

  Alan DeKok.



Re: custom variable in config files

2005-09-15 Thread Alan DeKok
"Tariq Rashid" <[EMAIL PROTECTED]> wrote:
> i'd like to do something like ...
> 
>   realm abc.def {
>   type= radius
>   authhost= `%{config:network_address}`.126:1812

  The expansion of configuration-file variables is not the same as the
expansion of run-time variables.  See other examples in the
configuration.

  What *could* work is:

  authhost = ${network_address}.126:1812

  Alan DeKok.


RE: custom variable in config files

2005-09-15 Thread Tariq Rashid


i'm running into the same problem again in the clients.conf file where 
variables are not visible in the "host =" entries.

i'd like to do something like ...

realm abc.def {
type= radius
authhost= `%{config:network_address}`.126:1812
accthost= `%{config:network_address}`.126:1813
secret  = llustreamkey
nostrip
}  

where network_address is defined in a file included in radius.cfg (which works 
for the users file shown below).

any ideas? can i force the clients.conf to be xlat'ed?

tariq


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Nicolas Baradakis
Sent: 13 September 2005 18:08
To: FreeRadius users mailing list
Subject: Re: custom variable in config files


Tariq Rashid wrote:

> but this doesn't ...
> 
>   # local test user for monitoring and diagnostics
>   [EMAIL PROTECTED]:easynet_site} User-Password == 
> "test1.proxyradius.%{config:easynet_site}"
>   Reply-Message = "hello from the proxyradius layer 
> %{config:easynet_site}"
> 
> any ideas? i'm using version 1.0.2 on debian 3.1

It doesn't work because the name of the entry isn't xlat'ed in
src/main/files.c. Perhaps this syntax would work:

DEFAULT User-Name = "[EMAIL PROTECTED]:easynet_site}", User-Password == 
"test1.proxyradius.%{config:easynet_site}"
Reply-Message = "hello from the proxyradius layer 
%{config:easynet_site}"

-- 
Nicolas Baradakis


segmentation fault when running radiusd -X

2005-09-15 Thread Voipers Portugal
I am using Free Radius 1.0.1 and I get the following output when I try
to run the server. Any ideas?

ser:/usr/local/src# radiusd -sfxxyz -l stdout
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/postgresql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded DIGEST
Module: Instantiated digest (digest)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Segmentation Fault

Can it be anything within the configuration files?

Regards,

Jose Simoes



Re: 1.0.5 + rlm_sql_mysql: Segmentation fault

2005-09-15 Thread Nicolas Baradakis
Thomas Krause (Webmatic) wrote:

> I want to setup a new server with FreeRadius using
> MySQL as backend. OS is FreeBSD 5.4, DB Mysql 4.1.13.
> I've compiled FreeRadius from source (not from ports).
> Without sql all is doing fine.
> With sql enabled, the daemon dies with
> "Segmentation fault (core dumped)"

A similar error was reported by a user who had a broken installation
of MySQL on his system: the version of the headers mismatched the
binary libraries.

Please check if this is your case, too.

http://lists.freeradius.org/pipermail/freeradius-users/2005-September/046882.html

-- 
Nicolas Baradakis



RE: Tru64 again

2005-09-15 Thread Tim Winders
Responding to my own post.  I saw a message about looking at the core dump
in another thread.  So, I followed those instructions.  Here is the output
from gdb:

This GDB was configured as "alphaev67-dec-osf5.1"...
BFD: Unhandled OSF/1 core file section type 4464

BFD: Unhandled OSF/1 core file section type 528

BFD: Unhandled OSF/1 core file section type 0

BFD: Unhandled OSF/1 core file section type 7

BFD: Unhandled OSF/1 core file section type 16384

BFD: Unhandled OSF/1 core file section type 8192

BFD: Unhandled OSF/1 core file section type 0

BFD: Unhandled OSF/1 core file section type 32768

BFD: Unhandled OSF/1 core file section type 49152

BFD: Unhandled OSF/1 core file section type 49152

BFD: Unhandled OSF/1 core file section type 7

BFD: Unhandled OSF/1 core file section type 57344

BFD: Unhandled OSF/1 core file section type 49152


warning: big endian file does not match little endian target.
Core was generated by `
   '.
Program terminated with signal 1, Hangup.

warning: Couldn't find general-purpose registers in core file.


warning: Couldn't find general-purpose registers in core file.

#0  0x in ?? ()



when I did bt in gdb I got the same "#0  0x in ?? ()" response and
nothing else.

But, reading the above, it seems to be a big endian vs. little endian problem.
Does this help in getting freeradius to work on Tru64?

---

Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336 

Problem replying to my email?  Click the "Sign" button in the OE toolbar or,
better yet, get your own FREE Personal E-Mail Digital ID:
http://www.thawte.com/email/index.html 

> -Original Message-
> From: Tim Winders [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, September 14, 2005 11:35 AM
> To: 'freeradius-users@lists.freeradius.org'
> Subject: Tru64 again
> 
> I'm back at trying to get freeradius working under Tru64.  
> This time using 1.0.5.
> 
> I have an older cvs version working, but I can't remember 
> what I did to make it work.  :-(  The working version I have 
> is marked 1.1.0-pre0 built on Feb 17, 2005.
> 
> First, in src/main/radiusd.c I have commented out the OSFC2 
> define.  I do this because I'm not running C2, but it is 
> always found and enabled, which kills the make.  Then, I run 
> configure with these options:
> 
> CFLAGS="-I/usr/local/ssl/include -I/usr/local/include" 
> LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib" LIBS="-lssl 
> -lcrypto -lsecurity" ./configure \
> --disable-shared \
> --enable-ltdl-install=no \
> --with-openssl-includes=/usr/local/ssl/include \
> --with-openssl-libraries=/usr/local/ssl/lib \
> --without-mysql --disable-mysql
> 
> radiusd seems to compile, but with many warnings.  However, 
> when I run it, it immediately seg faults and dumps core.  
> Unfortunately, I am not a programmer, so I don't know how to 
> begin troubleshooting this and try to help get freeradius 
> working under Tru64.
> 
> I remember being told that none of the development team uses 
> Tru64.  So, it's possible this will never work "right".  But, 
> I'm willing to help out in whatever limited capacity I can, 
> including CPU/shell account.
> 
> Any useful suggestions are welcome.
> 
> ---
> 
> Tim Winders
> Associate Dean of Information Technology
> South Plains College
> Levelland, TX 79336 
> 
> Problem replying to my email?  Click the "Sign" button in the 
> OE toolbar or, better yet, get your own FREE Personal E-Mail 
> Digital ID:  http://www.thawte.com/email/index.html

RE: 12077 error???

2005-09-15 Thread King, Michael

> -Original Message-
> From: [EMAIL PROTECTED] 
> Behalf Of Armin Krämer
> 
> Hi, I set up freeradius with eap-tls and after I generated my 
> certificates with TinyCA and configured it in the eap.conf file 
> I get this error message...Does anyone know what causes this error?
> Thanks Armin
> 
> debian:~# freeradius -X -A

Did you install FreeRadius via Apt (aptitude) or compile from source? 



12077 error???

2005-09-15 Thread Armin Krämer
Hi, I set up freeradius with eap-tls and after I generated my certificates
with TinyCA and configured it in the eap.conf file I get this error
message...Does anyone know what causes this error?
Thanks Armin

debian:~# freeradius -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/freeradius/certs/cert-srv.pem"
 tls: certificate_file = "/etc/freeradius/certs/cert-srv.pem"
 tls: CA_file = "/etc/freeradius/certs/cacert.pem"
 tls: private_key_password = "test"
 tls: dh_file = "/etc/freeradius/certs/dh"
 tls: random_file = "/etc/freeradius/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
12077:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:637:Expecting: CERTIFICATE
12077:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
decrypt:evp_enc.c:450:
12077:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:423:
12077:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM
lib:ssl_rsa.c:709:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

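The error chain in the debug output above (PEM_read_bio: no start line while expecting CERTIFICATE, then EVP_DecryptFinal: bad decrypt, ending in "Error reading private key file") is what OpenSSL reports when the file named in private_key_file has no private-key block where one is expected, or carries a passphrase-protected key that the configured private_key_password does not unlock. The Python script below is an added example, not code from the thread or from FreeRADIUS: it inspects the PEM files an eap.conf points at for the block types and encryption headers rlm_eap_tls needs, and reports the mismatches before the server is started. The sample PEM file is constructed with placeholder base64 payloads (not real key material), and the function names are assumptions.

```python
"""Pre-flight check of the PEM files named by certificate_file / private_key_file in eap.conf.
Added example for the thread above; not FreeRADIUS code. SAMPLE_PEM is constructed."""
import base64
import binascii
import re

# Constructed sample: one certificate block and one passphrase-protected key block in the
# same file (as in the eap.conf above, where both settings name cert-srv.pem).
# The base64 bodies are placeholders, not a real certificate or key.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

dGhpcyBpcyBub3QgYSByZWFsIGtleQ==
-----END RSA PRIVATE KEY-----
"""

# A PEM block: BEGIN/END lines with matching labels, body in between.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Describe every PEM block in text: label, whether it is encrypted, and whether
    the body is valid base64 (a truncated or mangled file fails here)."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        label, lines = m.group(1), m.group(2).splitlines()
        headers = {}
        # Legacy encrypted keys carry RFC 1421 headers (Proc-Type, DEK-Info) before a blank line.
        while lines and ":" in lines[0]:
            key, value = lines.pop(0).split(":", 1)
            headers[key.strip()] = value.strip()
        if lines and not lines[0].strip():
            lines.pop(0)
        body = "".join(line.strip() for line in lines)
        try:
            base64.b64decode(body, validate=True)
            valid = True
        except binascii.Error:
            valid = False
        encrypted = (headers.get("Proc-Type", "").endswith("ENCRYPTED")
                     or label == "ENCRYPTED PRIVATE KEY")
        blocks.append({"label": label, "encrypted": encrypted, "valid_base64": valid})
    return blocks


def check_tls_config(cert_pem, key_pem, private_key_password):
    """Return the list of problems that would make the TLS module fail to load its files."""
    problems = []
    if "CERTIFICATE" not in [b["label"] for b in pem_blocks(cert_pem)]:
        problems.append("certificate_file has no CERTIFICATE block (PEM_read_bio: no start line)")
    keys = [b for b in pem_blocks(key_pem) if b["label"].endswith("PRIVATE KEY")]
    if not keys:
        problems.append("private_key_file has no PRIVATE KEY block")
    for k in keys:
        if not k["valid_base64"]:
            problems.append("private key body is not valid base64 (file truncated or mangled)")
        if k["encrypted"] and not private_key_password:
            problems.append("private key is passphrase-protected but private_key_password is empty")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # usage: script.py certificate_file private_key_file password
        cert, key, pw = open(sys.argv[1]).read(), open(sys.argv[2]).read(), sys.argv[3]
    else:  # demonstrate on the constructed sample with no password configured
        cert, key, pw = SAMPLE_PEM, SAMPLE_PEM, ""
    for line in check_tls_config(cert, key, pw) or ["no problems found"]:
        print(line)
```

The script cannot tell whether a configured passphrase is the right one; that still needs OpenSSL to attempt the decrypt. What it does catch is the structural class of error shown in the thread: pointing private_key_file at a file that holds only a certificate, a file damaged in transfer, or an encrypted key with no passphrase set.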


1.0.5 + rlm_sql_mysql: Segmentation fault

2005-09-15 Thread Thomas Krause (Webmatic)

Hello,
I want to setup a new server with FreeRadius using
MySQL as backend. OS is FreeBSD 5.4, DB Mysql 4.1.13.
I've compiled FreeRadius from source (not from ports).
Without sql all is doing fine.
With sql enabled, the daemon dies with
"Segmentation fault (core dumped)":

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Segmentation fault (core dumped)

I've followed the instructions in the bugs file, but
I'm not a programmer (so the output doesn't really help
me):

# gdb /usr/local/sbin/radiusd radiusd.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `radiusd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.2...done.
Loaded symbols for /lib/libcrypt.so.2
Reading symbols from /usr/local/lib/libradius-1.0.5.so...done.
Loaded symbols for /usr/local/lib/libradius-1.0.5.so
Reading symbols from /usr/local/lib/libltdl.so.4...done.
Loaded symbols for /usr/local/lib/libltdl.so.4
Reading symbols from /usr/lib/libssl.so.3...done.
Loaded symbols for /usr/lib/libssl.so.3
Reading symbols from /lib/libcrypto.so.3...done.
Loaded symbols for /lib/libcrypto.so.3
Reading symbols from /usr/lib/libpthread.so.1...done.
Loaded symbols for /usr/lib/libpthread.so.1
Reading symbols from /lib/libc.so.5...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /usr/local/lib/rlm_exec-1.0.5.so...done.
Loaded symbols for /usr/local/lib/rlm_exec-1.0.5.so
Reading symbols from /usr/local/lib/rlm_expr-1.0.5.so...done.
Loaded symbols for /usr/local/lib/rlm_expr-1.0.5.so
Reading symbols from /usr/local/lib/rlm_pap-1.0.5.so...done.
Loaded symbols for /usr/local/lib/rlm_pap-1.0.5.so
Reading symbols from /usr/local/lib/rlm_chap-1.0.5.so...done.
Loaded symbols for /usr/local/lib/rlm_chap-1.0.5.so
Reading symbols from /usr/local/lib/rlm_mschap-1.0.5.so...done.
Loaded symbols for /usr/local/lib/rlm_mschap-1.0.5.so
Reading symbols from /usr/local/lib/rlm_unix-1.0.5.so...done.
Loaded symbols for /usr/local/lib/rlm_unix-1.0.5.so
Reading symbols from /usr/local/lib/rlm_preprocess-1.0.5.so...done.
Loaded symbols for /usr/local/lib/rlm_preprocess-1.0.5.so
Reading symbols from /usr/local/lib/rlm_realm-1.0.5.so...done.
Loaded symbols for /usr/local/lib/rlm_realm-1.0.5.so
Reading symbols from /usr/local/lib/rlm_files-1.0.5.so...done.
Loaded symbols for /usr/local/lib/rlm_files-1.0.5.so
Reading symbols from /usr/local/lib/rlm_sql-1.0.5.so...done.
Loaded symbols for /usr/local/lib/rlm_sql-1.0.5.so
Reading symbols from /usr/lib/libm.so...done.
Loaded symbols for /usr/lib/libm.so
Reading symbols from /usr/lib/libz.so...done.
Loaded symbols for /usr/lib/libz.so
Reading symbols from /usr/local/lib/mysql/libmysqlclient.so...done.
Loaded symbols for /usr/local/lib/mysql/libmysqlclient.so
Reading symbols from /usr/local/lib/rlm_sql_mysql-1.0.5.so...done.
Loaded symbols for /usr/local/lib/rlm_sql_mysql-1.0.5.so
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x282f8550 in memset () from /lib/libc.so.5
(gdb) bt
#0  0x282f8550 in memset () from /lib/libc.so.5
#1  0x0001 in ?? ()
#2  0x283d1b64 in sql_init_socket (sqlsocket=0x8080020, config=0x8067500) at sql_mysql.c:71
#3  0x28348fa8 in connect_single_socket (sqlsocket=0x8080020, inst=0x8080400) at sql.c:70
#4  0x28349110 in sql_init_socketpool (inst=0x8080400) at sql.c:131
#5  0x283474eb in rlm_sql_instantiate (conf=0x8140038, instance=0x0) at rlm_sql.c:712
#6  0x0805470d in find_module_instance (instname=0x8078610 "sql") at modules.c:358
#7  0x0805596e in do_compile_modsingle (component=1, ci=0x8079400, filename=0x805f353 "radiusd.conf", grouptype=0, modname=0xbfbfdae8) at modcall.c:814
#8  0x08054e82 in setup_modules () at modules.c:568
#9  0x0804c850 in main (argc=2, argv=0xbfbfec8c) at radiusd.c:960
(gdb)

(The same happens when using ver. 1.0.4 from ports).


Kind regards,
Thomas

--

Thomas Krause   Webmatic Kommunikations GmbH
Tel: +49 345 777



Re: Bus error - core dumped on freeradius 1.0.5

2005-09-15 Thread Nicolas Baradakis
Rohaizam Abu Bakar wrote:

> OS: FreeBSD4.11 p10
> Freeradius: 1.0.5  from 1.0.4
>
> - compilation OK.. but still to patch rlm_rewrite just like 1.0.4
> - starting radiusd seems fine
> - but when trying to authenticate.. then it will core dumped..  as below
> debug log..

Please post the backtrace from gdb. The following link explains how
to do that.

http://www.freeradius.org/radiusd/doc/bugs

-- 
Nicolas Baradakis



Re: Small patch for proxy code - listen.c

2005-09-15 Thread Nicolas Baradakis
Michael Mitchell wrote:

> When the proxy reply comes back, only the cl->ipaddr is checked against the 
> reply source address, however it is possible to configure cl->acct_ipaddr 
> differently to cl->ipaddr (ie different auth and acct home servers for a 
> single realm entry), and thus the active status and last reply time may 
> never be updated for an accounting home server.

Thanks for spotting this. This is a problem indeed. Can you please
file a bug report on the bugzilla, so your patch doesn't get lost?

http://bugs.freeradius.org/enter_bug.cgi

-- 
Nicolas Baradakis



Re: Receiving a full DN in a radius request

2005-09-15 Thread Nicolas Baradakis
Jean-Francois Gobin wrote:

> From the preceding, preceding mail, you should have seen that %{User-Name} 
> is equal to something like "uid=P0..., o=nrb, c=be" ... which is what I 
> want to have checked against the LDAP.
>
> For now, when I implement your suggestion, I just come out with
> "checking for dn=o=nrb,c=be, (uid=uid)", which corresponds to the 
> truncating of my requesting DN.

I indeed found a bug in function ldap_escape_func(). However, after
fixing the function I get the following line in my logs, which is
still an invalid LDAP filter.

rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with 
filter (uid\3dP06227\2cou\3dpeople\2co\3dnrb\2cc\3dbe)

This is not a bug: user supplied strings are escaped from unsafe
characters.

In your case, I'd suggest to rewrite the User-Name to "P06227" with
the module rlm_attr_rewrite and use the filter "(uid=%{User-Name})"
in rlm_ldap.

-- 
Nicolas Baradakis

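The escaped filter in the log line above, "(uid\3dP06227\2cou\3dpeople\2co\3dnrb\2cc\3dbe)", is what comes out when a whole DN is substituted into the filter: the escaping that stops a User-Name from changing the structure of the filter also turns a DN-shaped User-Name into a literal that matches nothing. The Python below is an added example, not code from the thread or from rlm_ldap. It escapes the RFC 4515 special characters plus the '=' and ',' visible in the log line (the exact character set rlm_ldap uses is an assumption here), shows beside it the raw substitution that escaping exists to prevent, and implements the rewrite Nicolas suggests: take the uid out of the DN first, then substitute it into "(uid=%{User-Name})". Function names are assumptions.

```python
"""LDAP filter escaping vs. DN-shaped User-Names.
Added example for the thread above; not rlm_ldap code. Escape set and helper names are assumptions."""
import re

# RFC 4515 requires escaping backslash, '*', '(', ')' and NUL in filter values; '=' and ','
# are added because the rlm_ldap debug line in the thread shows them escaped as well.
ESCAPE_CHARS = "\\*()\0=,"


def ldap_escape(value):
    """Escape a user-supplied value so it cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in ESCAPE_CHARS else c for c in value)


def build_filter(template, user_name):
    """Substitute %{User-Name} into a filter template with escaping applied (the safe way)."""
    return template.replace("%{User-Name}", ldap_escape(user_name))


def build_filter_unescaped(template, user_name):
    """Raw substitution, shown only to illustrate why the escaping above is not optional:
    a crafted User-Name would be interpreted as filter syntax."""
    return template.replace("%{User-Name}", user_name)


def uid_from_dn(dn):
    """Return the value of a leading uid= RDN, or None when the string is not DN-shaped."""
    m = re.match(r"\s*uid=([^,]+)", dn, re.I)
    return m.group(1).strip() if m else None


def resolve_filter(template, user_name):
    """The rewrite suggested in the reply: reduce a DN-shaped User-Name to its uid,
    then build the escaped filter from the bare uid."""
    uid = uid_from_dn(user_name)
    return build_filter(template, uid if uid is not None else user_name)


if __name__ == "__main__":
    dn = "uid=P06227,ou=people,o=nrb,c=be"  # constructed, after the example in the thread
    print(build_filter("(%{User-Name})", dn))        # the useless escaped-DN filter from the log
    print(resolve_filter("(uid=%{User-Name})", dn))  # (uid=P06227)
```

The point to take away is that escaping and rewriting solve different problems: escaping protects the filter from the value, while the attr_rewrite step turns the value into something the filter was written to match.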


Re: Freeradius and PPPoe Server ?

2005-09-15 Thread Paweł Małkowski
2005/9/13, Charles Price <[EMAIL PROTECTED]>:
> > I have the same problem. I have a radius server with ldap oracle.
> > I dont know how to configure freeradius to use pppoe.
> >
> You have to configure pppd to authenticate using freeradius. In short:
> 
> 1. Make sure you have a recent version of ppp and rp-pppoe (getting ppp from
> CVS is a good idea)
ok 
I installed ppp and rp-pppoe

> 2. Make sure that the radius plugins for pppd have been installed
> in /etc/ppp/plugins and the radiusclient configuration is
> in /etc/radiusclient
In default, plugin radius.so wasn't there, but I found one in another dict. 

> 3. Enter your specific radius server details into /etc/radiusclient/servers
> and /etc/radiusclient/radiusclient.conf
I would like to use Windows XP as a client :)

> 4. Make sure you have some user information in your freeradius backend. I am
> assuming you have configured freeradius to see your LDAP server...
:) yes

> 5. Put 'plugin /etc/ppp/plugins/radius.so' (no quotes)
> in /etc/ppp/pppoe-server-options
I put this line in pppoe-server-options

> 6. Start the pppoe-server process.
I started the server

> 7. pppd should now ask freeradius for authentication.
And here I have a problem :(
My ppp server and freeradius are still not connected.
Do you have any idea? Maybe this is Windows and its pppoe fault?

-- 
Pawel volfen Malkowski



Re: FreeRadius Proxying and Message-Authenticator

2005-09-15 Thread Paolo Rotela

From: "Alan DeKok" <[EMAIL PROTECTED]>

> "Paolo Rotela" <[EMAIL PROTECTED]> wrote:
>
>   No.  *Cisco* created its own version of RADIUS by adding a
> Message-Authenticator to the Accounting-Response.

You are right.. Cisco ALSO created its own version of RADIUS with this damn
thing.

>   And it *is* legal to drop packets which don't have a valid
> Message-Authenticator.  This is known as "security".


RFC 2869, section 5.19. Table of attributes:

" The following table provides a guide to which attributes may be found
  in which kind of packets.  Acct-Input-Gigawords, Acct-Output-
  Gigawords, Event-Timestamp, and NAS-Port-Id may have 0-1 instances in
  an Accounting-Request packet.  Connect-Info may have 0+ instances in
  an Accounting-Request packet.  The other attributes added in this
  document must not be present in an Accounting-Request."

It doesn't say a word about this being prohibited in the Accounting-Response
packet.

Same RFC, chapter 7. Security considerations:

"The attributes other than Message-Authenticator and EAP-Message in
  this document have no additional security considerations beyond those
  already identified in [1]."  [1] being RFC 2865.

"security" appears to be a thing of criteria, with different ones by
different people...

I'm not saying that it's good to have such a hole in the RFC, but the fact
is that there isn't a standard yet, and this behaviour is having
compatibility issues. I'm on my way to suggesting a solution so everyone can
talk to each other, and I'm doing it on both sides, from my humble position.

On the other hand, what's the security difference between accepting
Accounting-Response packets without a Message-Authenticator because there is
no standard, and accepting Accounting-Response packets with a
non-recognized value of Message-Authenticator because there is no standard
about how to calculate it? The most reasonable thing to do, I think, is to
simply ignore the attribute as if it were not there.

Think about this: can you say because of this that Cisco's RADIUS
implementation is not "as per RFC"? I think not... because nobody says the MA
is permitted or prohibited in Accounting-Response, and nobody says how to
calculate it.
On the other side, can you say FreeRADIUS is not "as per RFC"? No, because
there is no word telling whether to discard this kind of packet or not.
Then why don't the two pieces of equipment interoperate?

What you are doing with this implementation is choosing a way to do a
non-standard thing, and "labeling" the other's way as "invalid".


>   The packet is not a valid one, because there is no valid method of
> calculating Message-Authenticator.  Therefore, it is an invalid packet.


If there is no valid method of calculating MA, how can you know that it's
invalid? In your "radius.c" from 1.0.5, at line 1201 you calculate the MA of
the packet without regard to the packet code. Why do you do this if
there is no valid method for some of these?
In the same file, at line 1203, you are using this calculated value, again
without regard to the packet code, to decide whether to continue or exit with
error status. Again, why, if there is no valid method?

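The disagreement above turns on how Message-Authenticator is constructed and which packet codes RFC 2869 defines it for. The Python below is an added example, not FreeRADIUS code: it implements the RFC 2869 section 5.14 construction (HMAC-MD5 keyed with the shared secret over the packet with the attribute value set to sixteen zero octets; for Access responses the Request Authenticator of the request being answered takes the place of the authenticator field) and the RFC 2865 Response Authenticator, and it makes the handling of an accounting packet that carries the attribute an explicit policy choice, since that is exactly the case the RFC leaves undefined and the thread argues about. The shared secret, attribute contents and policy names are constructed assumptions.

```python
"""RADIUS Message-Authenticator (RFC 2869 s.5.14) and Response Authenticator (RFC 2865 s.3).
Added example for the thread above; not FreeRADIUS code. Secret, attributes and policy
names are constructed assumptions."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 4, 5
ATTR_USER_NAME = 1
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80
REQUEST_CODES = (ACCESS_REQUEST, ACCOUNTING_REQUEST)
ACCOUNTING_CODES = (ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def message_authenticator(code, ident, request_auth, attrs, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed, keyed with the
    shared secret. For responses, request_auth is the matching request's Request Authenticator."""
    zeroed = [(t, b"\0" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()


def sign(code, ident, request_auth, attrs, secret, add_ma=True):
    """Build an outgoing packet. The Message-Authenticator is computed first; for responses the
    Response Authenticator is then computed over the final attribute list."""
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR]
    if add_ma:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\0" * 16))
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, request_auth, attrs, secret))
    if code in REQUEST_CODES:
        auth = request_auth
    else:
        auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return build_packet(code, ident, auth, attrs)


def parse_packet(raw):
    """Split a packet into (code, ident, authenticator, attrs); reject length/TLV inconsistencies."""
    if len(raw) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((raw[pos], raw[pos + 2:pos + raw[pos + 1]]))
        pos += raw[pos + 1]
    return code, ident, raw[4:20], attrs


def verify(raw, secret, request_auth=None, accounting_policy="ignore"):
    """Return (accepted, reason). request_auth is the outstanding request's authenticator when
    checking a response. accounting_policy decides what to do with a Message-Authenticator on an
    accounting packet, for which RFC 2869 gives no construction rule: 'ignore' treats the attribute
    as absent, 'check' applies the Access-packet rule anyway, 'reject' drops the packet."""
    code, ident, auth, attrs = parse_packet(raw)
    if code in REQUEST_CODES:
        request_auth = auth
    else:
        if request_auth is None:
            return False, "response with no matching outstanding request"
        expected = response_authenticator(code, ident, request_auth, attrs, secret)
        if not hmac.compare_digest(expected, auth):
            return False, "bad Response Authenticator"
    ma = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not ma:
        return True, "no Message-Authenticator present"
    if len(ma) != 1 or len(ma[0]) != 16:
        return False, "malformed Message-Authenticator"
    if code in ACCOUNTING_CODES and accounting_policy == "ignore":
        return True, "Message-Authenticator ignored on accounting packet"
    if code in ACCOUNTING_CODES and accounting_policy == "reject":
        return False, "Message-Authenticator not permitted on accounting packet"
    if not hmac.compare_digest(message_authenticator(code, ident, request_auth, attrs, secret), ma[0]):
        return False, "bad Message-Authenticator"
    return True, "ok"
```

Whatever policy is chosen, the Response Authenticator check runs first, so an accounting reply from a host that does not hold the shared secret is dropped under every policy; the policy only decides what the extra, undefined attribute means once the packet is already known to come from the right peer.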


Wrong Dialins

2005-09-15 Thread Dominik Sennfelder
Hello

With our old Redback we have been able to see authentication failures in
the Freeradius detail file.
At the moment this is not logged any more in the detail file.
But I don't know why.
We changed the Redback some time ago.
The new one uses the same config file as the old one.
Is there an option in the Freeradius config for logging
authentication failures? And is it possible to log the passwords the
users entered?

Thanks
Dominik Sennfelder





Re: Questions about freeradius, ntlm_auth and windows groups

2005-09-15 Thread Claudio

Alan DeKok wrote:

> Claudio <[EMAIL PROTECTED]> wrote:
>
> > I have a freeradius 1.0.4 (upgrade to 1.0.5 is nearly coming...) with
> > ntlm_auth on a Windows 2000 PDC. With the standard authentication with
> > ntlm calls there is no problem. Now my question is that: is it possible to
> > assign some ip pools based on the user-group on the PDC?
>
>   User group checks can be done with standard LDAP queries, which you
> can then tie into the IPPool.

Tnx for the advice...but is there no way to do it with ntlm and not LDAP?
It is simpler, and the calls can be done with wbinfo and other
tools. I think it is possible, but how?

Claudio.

>   Alan DeKok.

--

Claudio Prono
Systems Development @ Mediaservice.net Srl, Divisione Sicurezza Dati
Via San Bernardino, 17 - 10141 Torino (TO) - IT
Tel +39-011-32.72.100  Fax +39-011-32.46.497
PGP Fingerprint: 75C2 4049 E23D 2FBF A65F  40DB EA5C 11AC C2B0 3647
Disclaimer: http://mediaservice.net/disclaimer





Re: crash in 1.0.5

2005-09-15 Thread Norbert Wegener

Alan DeKok wrote:

> Norbert Wegener <[EMAIL PROTECTED]> wrote:
>
> > freeradius crashes in 1.0.5 with:
>
>   Does it work in 1.0.4?

Yes.

Norbert Wegener

>   Alan DeKok.