Cisco-AVPair SQL accounting (attr. not duplicated)

2005-12-14 Thread James Wakefield (Sunet Sysadmin)

G'day,

Sorry if this has been covered already, as I imagine it's a common 
issue, but I haven't been able to rustle any working answers up after a 
long time googling and grepping $FR/src.


I've got an AS5300 that sends a few attributes, with accounting stop, 
encapsulated in Cisco-AVPair eg: Cisco-AVPair = "nas-tx-speed=53300" and 
the VSA hack doesn't appear to let me refer to that value in my SQL 
statements with either the %{nas-tx-speed} or %{Cisco-AVPair[index]} 
syntaxes I've seen suggested for Cisco VSAs in various places.  rlm_sql 
complains of an unknown xlat function or non-existent attribute.


Has anyone managed to do this?  If so, what is the correct syntax to use 
these in SQL accounting statements?


Cheers,

--
James Wakefield
Systems Administrator
+61 03 5227 6888

We have now moved head office to 8-12 Pakington Street,
Geelong West.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Flexible clients' addresses?

2005-12-14 Thread Mike Mitchell
Hi Martin, 

> reply from "Mitchell, Michael J" <[EMAIL PROTECTED]>:
> > I've actually been looking at this over the weekend. Have written some
> > code, but haven't tested it yet. I'm hoping to get to that today
> > sometime. I based it largely on what was done in the sql module, so it
> > may need a bit of refinement.
> >
> > I believe Kostas has it on his todo list also. I'm happy to submit a
> > "draft patch" for review and comment if it helps get this completed.
>
> Has there been any progress on that? A quick look at
> src/main/client.c has revealed nothing so far.
>

I don't think I ever submitted a formal patch. I think I gave Kostas a patch
of what I had done though. The patch is to the ldap module itself though,
and is similar to the way the sql module reads the clients.

I still haven't run this code in a production type environment to date, so
I'm not sure how reliable or stable it is.

I may be able to easily produce a diff against the latest code - I'm not
sure how much the LDAP module has changed since version 1.0.1.

regards,
Mike



Forwarding Accounting Requests

2005-12-14 Thread David Bickle
Hi,
I am looking to have FreeRadius forward accounting stop/start packets to a
third party device. I understand this can be done by configuring
proxy.conf. The problem has to do with how the accounting requests are forwarded.
In other versions of Radius it is possible to forward accounting packets
with an attribute setting that ensures the forwarding server doesn't listen
for a response. I would like to set this same configuration in FreeRadius
but it doesn't appear that it has this functionality.

Is there a way to forward accounting request packets (start/stop) without
requiring the forwarding server to listen for responses?

Thanks in advance.




Re: help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2005-12-14 Thread Jie Yang
Hi,
I removed "@domain", but still the same error.
I also run an AEGIS v.2.0.5 (a very old version though) with the same supplicant configuration, which also gave me the same error. It seems to me there might be something wrong at the server side, but I don't know where. My freeradius version is 1.0.1.
Thanks for your suggestion though.
Jie
On 12/14/05, Phil Mayers <[EMAIL PROTECTED]> wrote:
Jie Yang wrote:
> Hi, All,
> When I tried to develop PEAP at client side, i found I am always rejected by
> the server. The following is the log. what might be wrong?

You almost certainly need to strip the "@domain" off the username before
mschap sees it - the username is used in calculating the challenge response.
See the "realms" module, specifically you'll want the "suffix" instance
in authorize, "spirentcom.com" as a LOCAL realm in proxy.conf and
proxying turned on.

Multiple Home Servers

2005-12-14 Thread maxim maxime
Hello,
I have a 0.9.2 server working as a proxy to three
ISPs. Since they've just decided to work together,
they still have some dial-up users. Their new users
will be generated with a proper prefix, but all of the
old users (with no prefix/suffix) will go through the NULL
realm. Although I can have multiple NULL realms, if
one server replies with a reject it will not go
through the other realms (it only fails over if there is no answer).
How can I tell freeradius to go to the next server if the
username was not found in the previous home server?
It is possible with modules as mentioned in
configurable_failover by changing "action on
results". How about in proxy?

Thanks.



Re: Freeradius and LDAP : to be continued

2005-12-14 Thread Alan DeKok
<[EMAIL PROTECTED]> wrote:
> rlm_ldap: Adding userPassword as User-Password, value { & op=11

  That's better.

> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP

  Yuck.

  My quick answer is to edit rlm_ldap.c to have it *never* set
Auth-Type to LDAP.  That would solve a lot of problems.

  Alan DeKok.


Re: LDAP: Variables in "identity" setting

2005-12-14 Thread Phil Mayers

Derrick Woo wrote:

Hello Phil,

I've removed "ldap" from the authorize section now, but now it's not 
even connecting to the ldap server.  Am I overlooking something?



Weee... I must be honest, I've never actually used it myself (ducks 
:o) but that's certainly what the source and docs imply.


(goes off to try)

Ah, the users file *actually* needs to be:

DEFAULT Auth-Type := LDAP, Ldap-UserDN := `uid=%{User-Name},RESTOFDN`

...because the authenticate section has ldap as a conditional module:

authenticate {
  Auth-Type LDAP {
    ldap
  }
}

With the final fix above, this definitely works for me. However, you 
should be aware of the implications of setting (forcing) Auth-Type in 
the users file - by forcing it to LDAP unconditionally you will prevent 
e.g. mschap, eap, etc. working at a later date (this is why it's 
generally not recommended, but for specific and limited circumstances 
where you're sure this is what you want, I guess it's ok)


You could put the "files" module last in the authorize section, and use:

DEFAULT Auth-Type = LDAP, Ldap-...

...which will only set the Auth-Type if it's not already set - then if 
e.g. mschap or eap match first, ldap won't attempt to seize the request.


[Perhaps someone else could chip in with info about the implications of 
putting the "ldap" module as a non-conditional in "authenticate" - I was 
under the impression that all the modules in authenticate should be 
conditional because only one was ever called, but e.g. digest, pam, 
unix, eap don't seem to be?]


Re: Freeradius and LDAP : to be continued

2005-12-14 Thread christophe.gravier
> Christophe Gravier <[EMAIL PROTECTED]> wrote:
>> Removing the ldap entry, radtest no longer works of course.
>
>  Did you put "ldap" in the "authorize" section?  That would allow
> radtest to work, as I said.

Yes, I did like we said:
- did put ldap (it was already indeed) in authorize section.
- did remove ldap from authenticate (since ldap will only be a "password
storage").
>
>> rlm_ldap: looking for check items in directory...
>
>  Can you say which LDAP server you're using?

ist-guizay:/root# /usr/sbin/slapd -V
@(#) $OpenLDAP: slapd 2.2.26 (Oct 31 2005 09:10:53) $

This is the slapd package from the current Debian testing tree. This is a v3
OpenLDAP server, if I am right.
If I make slapd log things and then observe I've got on a freeradius request:
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 fd=10 ACCEPT from IP=161.3.50.125:1490 (IP=0.0.0.0:389)
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 BIND dn="" method=128
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 RESULT tag=97 err=0 text=
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH base="ou=person,o=istase,c=fr" scope=2 deref=0 filter="(uid=gravier.christophe)"
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH attr=radiusExpiration acctFlags ntPassword lmPassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse eap userPassword radiusCheckItem radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem userPassword
Dec 14 21:50:47 ist-guizay slapd[31741]: <= bdb_equality_candidates: (uid) index_param failed (18)
Dec 14 21:50:47 ist-guizay slapd[31741]: conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

Whaou .. person doesn't have all those attributes on my schema.
(note that this search got a result: nentries = 1 !)

I edited /etc/freeradius/ldap.attr, so that now the trace is a little more
correct:
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH base="ou=person,o=istase,c=fr" scope=2 deref=0 filter="(uid=gravier.christophe)"
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH attr=userPassword
Dec 14 21:55:27 ist-guizay slapd[31741]: <= bdb_equality_candidates: (uid) index_param failed (18)
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
(please ignore the bdb_equality_candidates).

I thought this had to do with the policy regarding access to the userPassword
field, so I gave full rights for a test via slapd.access.con: still not
good. (That sounds ok, since if it was a read/write/search/auth problem I
would have seen it in the slapd logging.)
I think it is OK with ldap because "nentries = 1" for the search (it
finds me). The problem should be for freeradius to use that password to
match it against the one given by the user.

For authorize and authenticate I have:

authorize {
preprocess
chap
mschap
suffix
files
ldap
}


authenticate {
Auth-Type PAP {
   pap
}
unix
eap
}

As I said, I think this is freeradius related since openldap log that it
finds the userPassword for the given user and scope.
But I can't set freeradius in a more verbose mode to understand the problem.

I still receive:
(...)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gravier.christophe
radius_xlat:  '(uid=gravier.christophe)'
radius_xlat:  'ou=person,o=istase,c=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding userPassword as User-Password, value { & op=11
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.

When running /usr/sbin/freeradius -X -f

>
>  It is NOT returning the User-Password attribute.  My previous
> message said that the goal was for the ldap module to return the
> password in the "authorize" section.
>
>  Make that work.  rad

Re: bandwidth per user (pppoe)

2005-12-14 Thread TwoMan

Julius Igugu wrote:


http://underlinux.com.br/modules.php?name=News&file=article&sid=4447

 



oh, that looks great! I don't speak Brazilian, but this doc is almost 
self explanatory... :)

thx a lot!!

TM


Re: bandwidth per user (pppoe)

2005-12-14 Thread TwoMan

Seferovic Edvin wrote:


Do you talk about current bandwidth like 1 MBit/sec or are you referring to
traffic limitations i.e. 20 GB per month ???

 


I mean the current bandwidth, no more and no less than e.g. 1MBit/sec

TM


Re: bandwidth per user (pppoe)

2005-12-14 Thread Julius Igugu
http://underlinux.com.br/modules.php?name=News&file=article&sid=4447

--- TwoMan <[EMAIL PROTECTED]> wrote:

> Hi All,
> 
> I have successfully set up freeradius with mysql backend, rp-pppoe
> concentrator, and pppd. Bandwidth control is also working, but every pppd
> connection has the same bandwidth, because I cannot determine which
> user has been connected. I use the ppp/ip-up script to control the
> bandwidth. The desired bandwidth is in the mysql database too, for each
> user.
> Could You help me find a way how to use different bandwidth for each user?
> 
> thx in advance
> 
> TM
> 


Julius Igugu
SouthWork Co. Ltd.



Re: Freeradius and LDAP : to be continued

2005-12-14 Thread Alan DeKok
Christophe Gravier <[EMAIL PROTECTED]> wrote:
> Removing the ldap entry, radtest no longer works of course.

  Did you put "ldap" in the "authorize" section?  That would allow
radtest to work, as I said.

> rlm_ldap: looking for check items in directory...

  Can you say which LDAP server you're using?

  It is NOT returning the User-Password attribute.  My previous
message said that the goal was for the ldap module to return the
password in the "authorize" section.

  Make that work.  radtest will work, and then everything else will
work.

  Alan DeKok.


RE: bandwidth per user (pppoe)

2005-12-14 Thread Seferovic Edvin
Do you talk about current bandwidth like 1 MBit/sec or are you referring to
traffic limitations i.e. 20 GB per month ???

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TwoMan
Sent: Wednesday, 14 December 2005 18:43
To: freeradius-users@lists.freeradius.org
Subject: bandwidth per user (pppoe)

Hi All,

I have successfully set up freeradius with mysql backend, rp-pppoe
concentrator, and pppd. Bandwidth control is also working, but every pppd
connection has the same bandwidth, because I cannot determine which
user has been connected. I use the ppp/ip-up script to control the
bandwidth. The desired bandwidth is in the mysql database too, for each
user.
Could You help me find a way how to use different bandwidth for each user?

thx in advance

TM



Re: Freeradius and LDAP : to be continued

2005-12-14 Thread Christophe Gravier

Alan DeKok wrote:

> Christophe Gravier <[EMAIL PROTECTED]> wrote:
>
> > auth: type "LDAP"
> >  Processing the authenticate section of radiusd.conf
> > modcall: entering group Auth-Type for request 0
> > rlm_ldap: - authenticate
> > rlm_ldap: Attribute "User-Password" is required for authentication. 
> > Cannot use "CHAP-Password".
>
>  You're using LDAP as an authentication server.  Don't do that.  Use
> LDAP to store passwords.
>
>  i.e. remove the "ldap" entry from the "authenticate" section.  Get
> radtest to work.  Once that works, Chillispot will work, too.
>
>  Alan DeKok.


That makes sense indeed.

Removing the ldap entry, radtest no longer works of course.

But as you already said there:
http://lists.cistron.nl/pipermail/freeradius-users/2004-October/037625.html
and there:
http://lists.cistron.nl/pipermail/freeradius-users/2004-September/036629.html

>  List "ldap" in the "authorize" section.  It's already there, just
> un-comment it.
>
>  And DON'T set "Aut-Type := LDAP".

So I did
   #  The ldap module will set Auth-Type to LDAP if it has not
   #  already been set
   ldap
and commented out "Aut-Type := LDAP"

But it's just not working !

The interesting trace:
[...]
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter 
(uid=gravier.christophe)

rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "gravier.christophe", looking up 
realm NULL

   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 0
   users: Matched entry DEFAULT at line 153
   users: Matched entry DEFAULT at line 157
 modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gravier.christophe
radius_xlat:  '(uid=gravier.christophe)'
radius_xlat:  'ou=person,o=istase,c=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter 
(uid=gravier.christophe)

rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"

 ERROR: Unknown value specified for Auth-Type.  Cannot perform 
requested action.

auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
[...]







--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html



bandwidth per user (pppoe)

2005-12-14 Thread TwoMan
Hi All,

I have successfully set up freeradius with mysql backend, rp-pppoe
concentrator, and pppd. Bandwidth control is also working, but every pppd
connection has the same bandwidth, because I cannot determine which
user has been connected. I use the ppp/ip-up script to control the
bandwidth. The desired bandwidth is in the mysql database too, for each
user.
Could You help me find a way how to use different bandwidth for each user?

thx in advance

TM



Re: LDAP: Variables in "identity" setting

2005-12-14 Thread Derrick Woo
Hello Phil,

I've removed "ldap" from the authorize section now, but now it's not
even connecting to the ldap server.  Am I overlooking something?

Thank you for your help.  It's greatly appreciated.

Derrick

On 12/13/05, Phil Mayers <[EMAIL PROTECTED]> wrote:
> Derrick Woo wrote:
> > Hello Phil,
> >
> > Thanks for your response.  However as I had mentioned in my post, this
> > particular LDAP server uses a person's username and password for
> > binding.  There is no service account and anonymous binds are not
> > allowed.  Commenting out identity and password did not work.
> >
> > Am I out of luck here?
>
> Ah, you don't want to search *at all*. Remove "ldap" from the authorize
> section, leave it in the "authenticate" section, and set:
>
> DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`
>
> ...in the users file. (Adding the Ldap-UserDN is basically what the ldap
> module *does* in the authorize section). This is documented in doc/rlm_ldap

Re: Freeradius and LDAP : to be continued

2005-12-14 Thread Alan DeKok
Christophe Gravier <[EMAIL PROTECTED]> wrote:
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication. 
> Cannot use "CHAP-Password".

  You're using LDAP as an authentication server.  Don't do that.  Use
LDAP to store passwords.

  i.e. remove the "ldap" entry from the "authenticate" section.  Get
radtest to work.  Once that works, Chillispot will work, too.

  Alan DeKok.



Freeradius and LDAP : to be continued

2005-12-14 Thread Christophe Gravier

Hello,

From the last things settled today about ldap support for freeradius on 
the list, I succeeded in configuring the ldap backend for freeradius.


At least, radtest provides me an Accept response !

Nevertheless, with the front chillispot, I can't login, freeradius tells:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter 
(uid=gravier.christophe)

rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication. 
Cannot use "CHAP-Password".

 modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.


That's pretty strange since it does work with radtest (But I see a plain 
text password being sent to openldap :s).


Anyway, the problem comes from : rlm_ldap: Attribute "User-Password" is 
required for authentication. Cannot use "CHAP-Password".

But I DO have told:
password_attribute = "userPassword"
for my ldap server in /etc/freeradius/radiusd.conf

I mean, there's no configuration in chillispot except the radius server 
IP to match users against.


What's the difference between a radtest and an authentication via 
chillispot ?


Apart from this chilli-freeradius problem (towards radtest), how can I 
make freeradius send a hash as password ? (my userPassword is hashed using 
SHA).


There is a proposal here : 
http://lists.cistron.nl/pipermail/freeradius-users/2002-October/012169.html, 
but I don't want to use CHAP since my userPassword is SHA-encrypted.
I tried to comment out the chap and mschap part in the authorize section (I'll 
never use it). (same error).


(I must say I followed 
http://www.linuxhomenetworking.com/linux-adv/ldap.htm#_Toc92561284 howto 
for configuring ldap for freeradius).


Please, feel free to point me some directions to search.

Best regards,


Christophe.
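As an added illustration (example code written here, not FreeRADIUS, OpenLDAP or Chillispot code) of the difference Christophe is asking about: a userPassword stored RFC 2307 style as {SHA}/{SSHA} can be verified when the request carries the cleartext password (PAP, which is what radtest sends), but a CHAP-Password is MD5(id | password | challenge) and can only be recomputed from the cleartext, so a hashed directory value cannot satisfy it. All sample values are constructed.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample password (not from the original thread).
SAMPLE_PASSWORD = "s3cret-pw"


def make_userpassword(cleartext: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 style userPassword value as OpenLDAP stores it:
    {SHA}base64(sha1(pw)) or, with a salt, {SSHA}base64(sha1(pw+salt)+salt)."""
    if salt is None:
        digest = hashlib.sha1(cleartext.encode()).digest()
        return "{SHA}" + base64.b64encode(digest).decode()
    digest = hashlib.sha1(cleartext.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_check(stored: str, cleartext: str) -> bool:
    """PAP-style check: the server has the cleartext User-Password from the
    request, so it can re-hash it and compare against the stored hash."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(expected, hashlib.sha1(cleartext.encode()).digest())
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(cleartext.encode() + salt).digest())
    # No scheme prefix: the directory holds the password in cleartext.
    return hmac.compare_digest(stored.encode(), cleartext.encode())


def chap_response(chap_id: int, cleartext: str, challenge: bytes) -> bytes:
    """What a CHAP client puts in CHAP-Password (RFC 1994): MD5(id | pw | challenge)."""
    return hashlib.md5(bytes([chap_id]) + cleartext.encode() + challenge).digest()


def chap_check(stored: str, chap_id: int, challenge: bytes, response: bytes) -> Optional[bool]:
    """CHAP check. The server must recompute MD5(id | pw | challenge), which
    needs the cleartext password; a {SHA}/{SSHA} value cannot be used, so the
    check is impossible (None) rather than merely failing (False). This is the
    situation behind the 'Cannot use "CHAP-Password"' error in the thread."""
    if stored.startswith("{"):
        return None
    return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)


if __name__ == "__main__":
    hashed = make_userpassword(SAMPLE_PASSWORD)
    print(hashed, pap_check(hashed, SAMPLE_PASSWORD))       # True: PAP works on a hash
    challenge = bytes(range(16))                            # constructed CHAP challenge
    resp = chap_response(7, SAMPLE_PASSWORD, challenge)
    print(chap_check(SAMPLE_PASSWORD, 7, challenge, resp))  # True: cleartext in directory
    print(chap_check(hashed, 7, challenge, resp))           # None: hash cannot answer CHAP
```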


Re: allowed characters in User-Password?

2005-12-14 Thread Alan DeKok
Nils-Henner Krueger <[EMAIL PROTECTED]> wrote:
> I miss something obvious, but although I printed out variables.txt
> and read it several times I still don't get the point.

  '%' is a special character.

> From variables.txt I understand that variables are referred to
> by %{name}.

  Or, % followed by one character.

> Do I get it right, I put "34fgT\%45" instead of "34fgT%45"
> in the users file?

  Yes.

> Which other special chars need to be treated this way?

  None.

  Alan DeKok.


Help me configure freeradius

2005-12-14 Thread thgjerde

This is what I want to do:

I have a wireless AP and a linux server connected with a cat5 cable.
I then have a number of different wireless users that should be able to 
talk to the linux server

But they should not be able to listen in on each other.
they should not need a password or certificates

So what i was thinking about was to get freeradius to just allow all 
users to connect without checking for passwords and such.


Any tips on how to do this?



Re: Freeradius-Users Digest, Vol 8, Issue 57

2005-12-14 Thread Sean
Hi,

I have written a howto that explains how to set up FreeRadius and
Chillispot here: http://swarmhotspots.com/faq.html. If you need any help
you will find contact details on the site.

Regards,

Sean Bracken


Proxying based on substring in username

2005-12-14 Thread markcapelle

I am currently knee deep in an Active Directory domain collapse and need to figure out how to get FreeRADIUS to authenticate users as they are moved between domains.  During the AD migration process users accounts are disabled in the source domain(where FreeRADIUS currently points) and enabled in the target domain.  What I need to do is figure out a way to determine if a user has been moved and if they have, proxy the requests to the new domain.  

I see two possible ways to do this -

1 - If the user is in AD group "X" proxy the request

2 - If the username has string "m_", then remove the "m_" string and proxy the request

My questions are these:  which is the easiest to implement and how do I implement each?

I have looked at rlm_attr_rewrite a bit and think this may be the module for the second situation.  I have googled and searched the lists, unable to find anything of much help.

RE: Authenticate users for a hotel through webpage?

2005-12-14 Thread Gunther
mfred wrote:
> maybe someone can point me to the right direction as it seems I use 
> wrong keywords for my search in the list and on google.
> I am trying to use freeradius with wlan to authenticate hotel guests 
> that need i-net access.
>
> They would prefer that the customer could visit a webpage entering the 
> username / password combination they got at hotel-reception. Would 
> this be an authentication method which freeradius can handle or do I 
> have to use other authentication modules for such a purpose?
>
> The most important thing is: Easy to use for the hotel staff at 
> registering / deleting guests and easy to use for the guests at login.
>
> TIA and br,
>
> mfred

Hi, we build a complete solution for Internet access for hotel guests,
marinas etc. using FreeRadius.
With a web-based control panel, different staff permission levels, custom
defined access packages etc.
No server at the hotel required, we operate them centrally on the Internet
... www.pointHotspot.com
Individual hotel login page pops up when guest/user goes to any website,
they type in username and password and
can then use the Internet as long as they are allowed.

Gunther




Re: Authenticate users for a hotel through webpage?

2005-12-14 Thread Lewis Bergman

Christophe Gravier wrote:

> Hello mfred,
>
> It is just the same things I want to achieve here in my university. This
> is captive portal (hope this is good translation)
>
> For that, I had to use chillispot, apache2, freeradius and ldap.
> I think, please correct me if freeradius is only able to do the whole
> thing ..., Freeradius is just a piece of the puzzle.
>
> - apache2 hosts the webpage for authentication (a cgi script) (using ssl)
> - chillispot uses vtun in order to take control of your network interface
> plugged into your wireless area (and thus redirects you to the apache page for
> authentication if you're not !)
> - freeradius handles the authentication and accounting using our
> pre-existing ldap directory listing all the users (teachers, students ...).
>
> I have written a complete howto that I'll post this afternoon or
> tomorrow (needs typo correction) to chillispot forum.
> I can send you the draft if you need. (I hope freeradius can't do the
> stuff so that I'm not making ads for another system :D).

Don't forget the wiki.freeradius.org site.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841


Re: rlm_ldap.so not found, Freeradius 1.0.5

2005-12-14 Thread Christophe Gravier

Nicolas Baradakis wrote:

> Christophe Gravier wrote:
>
> > I installed freeradius on a fresh debian etch (testing) machine.
> > ( FreeRADIUS Version 1.0.5 as it is package in debian etch tree ).
> >
> > I want my radius being able to authenticate users against an external
> > LDAP source.
>
> apt-get install freeradius-ldap


I have no excuse, apologize.

(writing this reply from deep under my desk).

Thank you for pointing it to me !

--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html



Re: rlm_ldap.so not found, Freeradius 1.0.5

2005-12-14 Thread Nicolas Baradakis
Christophe Gravier wrote:

> I installed freeradius on a fresh debian etch (testing) machine.
> ( FreeRADIUS Version 1.0.5 as it is package in debian etch tree ).
>
> I want my radius being able to authenticate users against an external 
> LDAP source.

apt-get install freeradius-ldap

-- 
Nicolas Baradakis



Re: Authenticate users for a hotel through webpage?

2005-12-14 Thread mfred

> how do you do accounting in this case? Does the user has to go to the same
> web site again and to say good-bye? Or don't you do time-based accounting? What
> else? Accounting flat per room number, per traffic? I think there are
> better solutions than that.

AFAIK they only sell it in daily units but sure the accounting would be a
nice thing.

Open to any better suggestions (as far as they stay simple for the guests).

br & greetings to Germany

mfred

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticate users for a hotel through webpage?

2005-12-14 Thread Christophe Gravier

Hello mfred,

It is just the same thing I want to achieve here in my university. This
is a captive portal (hope this is a good translation).


For that, I had to use chillispot, apache2, freeradius and ldap.
I think (please correct me if freeradius alone is able to do the whole
thing ...) Freeradius is just a piece of the puzzle.


- apache2 hosts the webpage for authentication (a cgi script) (using ssl)
- chillispot uses vtun in order to take control of your network interface
plugged into your wireless area (and thus redirects you to the apache page for
authentication if you're not !)
- freeradius handles the authentication and accounting using our
pre-existing ldap directory listing all the users (teachers, students ...).


I have written a complete howto that I'll post this afternoon or 
tomorrow (needs typo correction) to chillispot forum.
I can send you the draft if you need. (I hope freeradius can't do the 
stuff so that I'm not making ads for anotyher system :D).


HTH,

Regards,

Christophe.

mfred wrote:

> Hi,
>
> maybe someone can point me to the right direction as it seems I use wrong
> keywords for my search in the list and on google.
> I am trying to use freeradius with wlan to authenticate hotel guests that
> need i-net access.
>
> They would prefer that the customer could visit a webpage entering the
> username / password combination they got at hotel-reception. Would this be an
> authentication method which freeradius can handle or do I have to use other
> authentication modules for such a purpose?
>
> The most important thing is: Easy to use for the hotel staff at registering
> / deleting guests and easy to use for the guests at login.
>
> TIA and br,
>
> mfred

--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticate users for a hotel through webpage?

2005-12-14 Thread Michael Schwartzkopff
On Wednesday, 14 December 2005 12:30, mfred wrote:
> Hi,
>
> maybe someone can point me to the right direction as it seems I use wrong
> keywords for my search in the list and on google.
> I am trying to use freeradius with wlan to authenticate hotel guests that
> need i-net access.
>
> They would prefer that the customer could visit a webpage entering the
> username / password combination they got at hotel-reception. Would this be
> an authentication method which freeradius can handle or do I have to use
> other authentication modules for such a purpose?
>
> The most important thing is: Easy to use for the hotel staff at registering
> / deleting guests and easy to use for the guests at login.
>
> TIA and br,
>
> mfred

hi,

how do you do accounting in this case? Does the user have to go to the same web
site again and to say good-bye? Or don't you do time-based accounting? What
else? Accounting flat per room number, per traffic? I think there are better
solutions than that.

Greetings,

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

rlm_ldap.so not found, Freeradius 1.0.5

2005-12-14 Thread Christophe Gravier



First, Hello to the mailing list ! ;-)

I installed freeradius on a fresh debian etch (testing) machine.
( FreeRADIUS Version 1.0.5 as it is packaged in the debian etch tree ).

I want my radius to be able to authenticate users against an external LDAP
source.

So I think I've made the right changes (in particular, I modified the
/etc/freeradius/radiusd.conf), but when I launch the freeradius server, I
received:
Wed Dec 14 14:23:36 2005 : Info: Using deprecated naslist file.  Support for 
this will go away soon.
Wed Dec 14 14:23:36 2005 : Info: rlm_exec: Wait=yes but no output defined. Did 
you mean output=none?
Wed Dec 14 14:23:36 2005 : Error: radiusd.conf[724] Failed to link to module 
'rlm_ldap': rlm_ldap.so: cannot open shared object file: No such file or 
directory

Hummm, I don't think it'll work as it is :)

I have searched for rlm_ldap.so; I have no such library in my
/usr/lib/freeradius/ directory (there I've got stuff for mysql and so on). I
have tried the mailing list archive and googling, but there are just questions and
so few answers

Could anyone eventually point me to a clue please ?
Or a link to the howto he followed for freeradius using ldap ?


Best regards,

--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticate users for a hotel through webpage?

2005-12-14 Thread Stefan Winter
Hi!

> it seems I use wrong keywords for my search in the list and on google.

Have you tried the keyword "Captive Portal" yet? It leads for example to a 
very nice Wikipedia entry:

http://en.wikipedia.org/wiki/Captive_portal

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Authenticate users for a hotel through webpage?

2005-12-14 Thread mfred
Hi,

maybe someone can point me to the right direction as it seems I use wrong
keywords for my search in the list and on google.
I am trying to use freeradius with wlan to authenticate hotel guests that
need i-net access.

They would prefer that the customer could visit a webpage entering the
username / password combination they got at hotel-reception. Would this be a
authentication methode which freeradius can handle or do I have to use other
authentication modules for such a purpose?

The most important thing is: Easy to use for the hotel staff at registering
/ deleting guests and easy to use for the guests at login.

TIA and br,

mfred

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

2005-12-14 Thread Phil Mayers

Jie Yang wrote:

> Hi, All,
> When I tried to develop PEAP at client side, I found I am always rejected by
> the server. The following is the log. what might be wrong?

You almost certainly need to strip the "@domain" off the username before 
mschap sees it - the username is used in calculating the challenge response.


See the "realms" module, specifically you'll want the "suffix" instance 
in authorize, "spirentcom.com" as a LOCAL realm in proxy.conf and 
proxying turned on.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
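To see why the realm suffix matters for the MS-CHAPv2 reply above, here is an added example (not code from the post or from FreeRADIUS) that implements the RFC 2759 ChallengeHash, the 8-byte value the NT-Response is built from, and checks it against the RFC's own section 9.2 test vector. It assumes, as the reply does, that the client computed its response over the bare user name; the realm `spirentcom.com` is taken from the thread and the user name `jie` is a constructed sample.

```python
"""MS-CHAPv2 ChallengeHash (RFC 2759, section 8.2) and the effect of an @realm suffix."""
import hashlib

# RFC 2759 section 9.2 test vector (published values, not constructed here)
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_USERNAME = b"User"
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """First 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).

    The 24-byte NT-Response is three DES encryptions of exactly this value,
    so two sides that hash different UserName strings can never produce
    matching responses, whatever the password is.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be exactly 16 bytes")
    digest = hashlib.sha1(peer_challenge + auth_challenge + username).digest()
    return digest[:8]


def strip_realm(user_name: str) -> str:
    """Drop an '@realm' suffix; this is the job the 'suffix' realm instance
    does in authorize before rlm_mschap runs."""
    return user_name.split("@", 1)[0]


def challenges_agree(user_name_as_sent: str, peer: bytes, auth: bytes, server_strips: bool) -> bool:
    """Model the rejection in the thread: the client hashed the bare name, while the
    server hashes either the bare name (server_strips=True) or the name as sent."""
    client_side = challenge_hash(peer, auth, strip_realm(user_name_as_sent).encode())
    server_name = strip_realm(user_name_as_sent) if server_strips else user_name_as_sent
    server_side = challenge_hash(peer, auth, server_name.encode())
    return client_side == server_side


if __name__ == "__main__":
    sent = "jie@spirentcom.com"  # constructed sample user name
    print("RFC vector ok:", challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME) == RFC_CHALLENGE)
    print("without suffix stripping:", challenges_agree(sent, RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, False))
    print("with suffix stripping:   ", challenges_agree(sent, RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, True))
```

Because the mismatch is in the challenge derivation rather than in the password, the failure looks identical to a wrong password in the server log, which is why "MS-CHAP2-Response is incorrect" is the only symptom.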


Flexible clients' addresses?

2005-12-14 Thread Martin Pauly
Hi,

I have some 150 new radius clients waiting at my doorstep.
Unfortunately their IP addresses are _not_ within a single
Subnet. Most of them are, however grouped into a bunch of
25 pseudo-subnets of the following kind:

client 192.168.n.240/28 {
   secret  = somesecret
   shortname   = somename
}

with n between 0 and 254.

Rather than putting 25+ entries of this kind into clients.conf,
I am looking for a more flexible way of client specification.

I have two ways in mind to approach the problem:

Approach 1:
Specify a subnet mask with a "hole":
client 192.168.0.240/255.255.0.28 {
   secret  = somesecret
   shortname   = somename
}
describes what I need when interpreted with bitwise netmask semantics.
This is currently not supported, but for what reason --
considered insane or simply not desired by anyone yet?

Approach 2 (more general):
Store the property of being a radius client in my LDAP database.
I found some older postings related to this:

On Jan 30, 2005, Alan walters wrote:
> > We have free radius working with ldap I have been looking for a way 
> > to add our clients files o our ldap has anyone had any success with this 

reply from "Mitchell, Michael J" <[EMAIL PROTECTED]>:
> I've actually been looking at this over the weekend. Have written some
> code, but haven't tested it yet. I'm hoping to get to that today
> sometime. I based it largely on what was done in the sql module, so it
> may need a bit of refinement.
> 
> I believe Kostas has it on his todo list also. I'm happy to submit a
> "draft patch" for review and comment if it helps get this completed.

Has there been any progress on that? A quick look at src/main/client.c
has revealed nothing so far.

Thanks, Martin

-- 
  Dr. Martin Pauly        Fax:    49-6421-28-26994
  HRZ Univ. Marburg       Phone:  49-6421-28-23527
  Hans-Meerwein-Str.      E-Mail: [EMAIL PROTECTED]
  D-35032 Marburg
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
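Approach 1 above asks for a netmask with a "hole". As an added example (not code from the post or from FreeRADIUS), the block below implements that bitwise matching, checks whether a mask is contiguous (the only kind a `/NN` prefix can express), and renders the explicit per-block `clients.conf` entries the supported syntax needs. It assumes the mask the post means is `255.255.0.240`, which selects the `.240/28` block of every third octet; the secret and shortname values are constructed placeholders.

```python
"""Bitwise ("holey") netmask client matching versus contiguous CIDR masks."""
import ipaddress
from typing import Iterable, Optional, Tuple

# A client entry: (network, mask, secret, shortname). Secret/shortname are placeholders.
Client = Tuple[str, str, str, str]


def masked_match(ip: str, network: str, mask: str) -> bool:
    """Pure bitwise semantics: (ip & mask) == (network & mask).
    Unlike a CIDR prefix, the mask may have zero bits in the middle."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    m_i = int(ipaddress.IPv4Address(mask))
    return (ip_i & m_i) == (net_i & m_i)


def is_contiguous(mask: str) -> bool:
    """True for masks of the form 1...10...0, i.e. what a.b.c.d/NN can express."""
    inv = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def find_client(ip: str, clients: Iterable[Client]) -> Optional[Client]:
    """First client entry whose (network, mask) covers ip, or None if unknown."""
    for client in clients:
        if masked_match(ip, client[0], client[1]):
            return client
    return None


def matching_third_octets(network: str, mask: str) -> int:
    """How many of the 256 possible 192.168.n.240 hosts the entry admits
    (assumes the 192.168.x.y layout from the post)."""
    return sum(1 for n in range(256) if masked_match(f"192.168.{n}.240", network, mask))


def clients_conf_entries(third_octets: Iterable[int], secret: str, shortname: str) -> str:
    """Render the explicit /28 entries the post wants to avoid writing by hand:
    one entry per value of n, in clients.conf syntax."""
    blocks = []
    for n in third_octets:
        blocks.append(
            f"client 192.168.{n}.240/28 {{\n"
            f"   secret  = {secret}\n"
            f"   shortname   = {shortname}\n"
            f"}}"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    holey = ("192.168.0.240", "255.255.0.240", "somesecret", "somename")
    print("contiguous:", is_contiguous(holey[1]))                 # False
    print("192.168.17.243 matches:", masked_match("192.168.17.243", holey[0], holey[1]))
    print("blocks admitted by the holey mask:", matching_third_octets(holey[0], holey[1]))
    print(clients_conf_entries([3, 7], "somesecret", "somename"))
```

The count is the caveat: a single holey entry admits all 256 `.240/28` blocks, not only the 25 actually in use, so any host in the other blocks is allowed to present packets against that shared secret. Listing the 25 blocks explicitly (generated, as above, from the list of `n` values) keeps the set of accepted source addresses exactly as large as the set of real NASes.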


Re: allowed characters in User-Password?

2005-12-14 Thread Nils-Henner Krueger
Alan DeKok wrote:
> Nils-Henner Krueger <[EMAIL PROTECTED]> wrote:
> 
>>At first sight everything worked fine but after following the
>>log for a while it turns out that (too) many users were rejected.
>>
>>All the rejected accounts have a "%" sign in the User-Password.
> 
>   See doc/variables.txt

I don't do freeradius administration on a regular basis, so maybe
I miss something obvious, but although I printed out variables.txt
and read it several times I still don't get the point.

From variables.txt I understand that variables are referred to
by %{name}. But what I think I observe are accounts like this

[EMAIL PROTECTED] Password = "34fgT%45"

which seem to be rejected because of the "%" being part of
the password value.

>>How can I get around this problem? There are a few thousand
>>dialin accounts, out of them about 300 have a "%" in the password
>>so I can't simply call them and solve that directly, not speaking
>>about other chars that might make trouble, too.
> 
>   Escape the % via \%.

Do I get it right, I put "34fgT\%45" instead of "34fgT%45"
in the users file?

Which other special chars need to be treated this way?


Thanks for your help!

nils-henner
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Two routers using the same Radius server?

2005-12-14 Thread Jonathan De Graeve
Client ip address in combination with huntgroups if you work with a mysql
db and usergroups

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark
Tunnell
Sent: Wednesday 14 December 2005 1:59
To: FreeRadius users mailing list
Subject: Re: Two routers using the same Radius server?

Nice!  That gets me almost all the way there.  I'm able to
authenticate using Auth-Type := Local.  Now I just need to figure out
how to authenticate that type of user name ([EMAIL PROTECTED]) using
Auth-Type := System.  Any ideas how to go about that?

Thanks,

Mark

Lewis Bergman wrote:
> Mark Tunnell wrote:
>
>> Suppose I have two Cisco routers both configured to authenticate to
>> the same radius server.  How do I allow a particular user access to
>> one router but not the other?  Is there a place in the clients.conf or
>> users file to configure this?
>>
> Oh yea, Alan gave me a trick with the hints file that adds a realm to a
> client if one is not present that could also help.
> DEFAULT User-Name !~ ".*@", NAS-IP-Address == "ip of client"
> User-Name := "[EMAIL PROTECTED]"
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
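The hints-file trick quoted in this thread tags a bare user name with a per-router realm so that a user entry can be written for one router only. As an added example (not code from the thread or from FreeRADIUS), the block below models that rule: the check operators `==`, `!=`, `=~`, `!~` on request attributes, a `:=` update, and just enough `%{Attr}` expansion to build the new name. The realm and NAS address in the post were redacted, so `192.0.2.1`, `192.0.2.2`, `router-a.example` and `router-b.example` are placeholders, and the update value `%{User-Name}@realm` is an assumption about what the redacted string referenced.

```python
"""A small model of the hints-file DEFAULT entry quoted in the thread."""
import re
from typing import Dict, List, Tuple

# PLACEHOLDER values: the real NAS addresses and realm were redacted in the post.
ROUTER_A_IP, ROUTER_A_REALM = "192.0.2.1", "router-a.example"
ROUTER_B_IP, ROUTER_B_REALM = "192.0.2.2", "router-b.example"

Check = Tuple[str, str, str]    # (attribute, operator, value); ==, !=, =~, !~
Update = Tuple[str, str, str]   # (attribute, operator, value); only := here
Rule = Tuple[List[Check], List[Update]]


def expand(value: str, request: Dict[str, str]) -> str:
    """Minimal %{Attr} expansion, enough for "%{User-Name}@realm"."""
    return re.sub(r"%\{([^}]+)\}", lambda m: request.get(m.group(1), ""), value)


def check_matches(request: Dict[str, str], check: Check) -> bool:
    attr, op, value = check
    actual = request.get(attr)
    if actual is None:          # an absent attribute never matches a check item
        return False
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.search(value, actual) is not None
    if op == "!~":
        return re.search(value, actual) is None
    raise ValueError(f"unsupported operator {op!r}")


def apply_hints(request: Dict[str, str], rules: List[Rule]) -> Dict[str, str]:
    """Return a copy of the request with the first matching rule's updates applied.
    Hints items are added to the *request* list, so later modules (users file,
    realm handling) see the rewritten User-Name."""
    out = dict(request)
    for checks, updates in rules:
        if all(check_matches(out, c) for c in checks):
            for attr, op, value in updates:
                if op != ":=":
                    raise ValueError(f"unsupported operator {op!r}")
                out[attr] = expand(value, out)
            break
    return out


def realm_rule(nas_ip: str, realm: str) -> Rule:
    """DEFAULT User-Name !~ ".*@", NAS-IP-Address == "<nas_ip>"
           User-Name := "%{User-Name}@<realm>"   (assumed form of the redacted value)"""
    return ([("User-Name", "!~", ".*@"), ("NAS-IP-Address", "==", nas_ip)],
            [("User-Name", ":=", "%{User-Name}@" + realm)])


RULES: List[Rule] = [realm_rule(ROUTER_A_IP, ROUTER_A_REALM),
                     realm_rule(ROUTER_B_IP, ROUTER_B_REALM)]

# Constructed users-file keys: mark may log in to router A only.
KNOWN_USERS = {"mark@" + ROUTER_A_REALM}


def is_allowed(user_name: str, nas_ip: str) -> bool:
    """Run the hints, then look the rewritten name up; a bare name from
    router B becomes mark@router-b.example, which has no entry."""
    request = apply_hints({"User-Name": user_name, "NAS-IP-Address": nas_ip}, RULES)
    return request["User-Name"] in KNOWN_USERS


if __name__ == "__main__":
    print("mark on router A:", is_allowed("mark", ROUTER_A_IP))   # True
    print("mark on router B:", is_allowed("mark", ROUTER_B_IP))   # False
```

Note the `!~ ".*@"` guard: a client that already sends a realm-qualified name is left untouched, so a name of the form `user@router-a.example` presented from router B would still match the router A entry. Deciding access by NAS address (the huntgroups approach suggested above) does not have that gap, because the NAS address comes from the packet the server received rather than from what the client typed.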


Re: anybody installed freeradius-1.0.5 on Solaris 8 successfully?

2005-12-14 Thread Rafael Roldán



Yes, yesterday, and it works fine...

  - Original Message -
  From: Qin Zhen
  To: freeradius-users@lists.freeradius.org
  Sent: Wednesday, December 14, 2005 7:57 AM
  Subject: anybody installed freeradius-1.0.5 on Solaris 8 successfully?

  Hello All,
  seems solaris 8 and freeradius-1.0.5 dont like each other..
  after i installed it, it gave segmentation fault when i tried to run it.
  anybody has installed and run it successfully on solaris 8?

  cheers,
  QZ

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: segmentation fault on solaris,unable to call modules

2005-12-14 Thread Alan DeKok
"Qin Zhen" <[EMAIL PROTECTED]> wrote:
> installing freeradius on Solaris is already a big headache, afterwards i
> encountered Segmentation fault as well. i am using Freeradius-1.0.5

  Please read doc/bugs, and follow its instructions.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


anybody installed freeradius-1.0.5 on Solaris 8 successfully?

2005-12-14 Thread Qin Zhen



Hello All,
seems solaris 8 and freeradius-1.0.5 dont like each other..
after i installed it, it gave segmentation fault when i tried to run it.
anybody has installed and run it successfully on solaris 8?

cheers,
QZ

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html